Posted: Wed Feb 07, 2018 15:49 Post subject: Re: Try this to recover from bad builds and jffs2
!asdf wrote:
Hey,
thank you for your response
my situation seems similar to ZaphodB73s:
initially i was on
Archer_C9(EU)_V4_161018_1479287836363l stock
went to
10-17-2017-r33525/factory-to-ddwrt.bin
via webflash
after confirming dd-wrt webgui and changing admin user & pass
i went for
01-31-2018-r34777/archer-c9v4-webflash.bin
via dd-wrt webflash, it did fine, until 300sec reboot timeout
and from there I also got the "dreaded WPS led"
please find attached a log as verbose as i could make,
the C9-V3-Fix-R5_v2.bin is just with patched MAC-Address
cheers
I'll make it a weekend project to get a EU version of TP-LIINK to load, bring it up to 34777 and try to recover it.
The last test to try beforehand would be loading C9-V3-Fix-R5.bin without changing the MAC address.
Request for aid: A person with a working C9 V4 EU router can help by providing some information. SSH into the unit and save the results of these commands:
dd if=/dev/mtd1 skip=14912 bs=1024 count=1 | hexdump -C
dd if=/dev/mtd1 skip=14936 bs=1024 count=1 | hexdump -C
A unit with TP-LINK firmware is best. However, a working unit with DD-WRT will suffice.
Posted: Wed Feb 07, 2018 20:52 Post subject: Re: Try this to recover from bad builds and jffs2
TheDoc wrote:
!asdf wrote:
Hey,
thank you for your response
my situation seems similar to ZaphodB73s:
initially i was on
Archer_C9(EU)_V4_161018_1479287836363l stock
went to
10-17-2017-r33525/factory-to-ddwrt.bin
via webflash
after confirming dd-wrt webgui and changing admin user & pass
i went for
01-31-2018-r34777/archer-c9v4-webflash.bin
via dd-wrt webflash, it did fine, until 300sec reboot timeout
and from there I also got the "dreaded WPS led"
please find attached a log as verbose as i could make,
the C9-V3-Fix-R5_v2.bin is just with patched MAC-Address
cheers
I'll make it a weekend project to get a EU version of TP-LIINK to load, bring it up to 34777 and try to recover it.
The last test to try beforehand would be loading C9-V3-Fix-R5.bin without changing the MAC address.
Request for aid: A person with a working C9 V4 EU router can help by providing some information. SSH into the unit and save the results of these commands:
dd if=/dev/mtd1 skip=14912 bs=1024 count=1 | hexdump -C
dd if=/dev/mtd1 skip=14936 bs=1024 count=1 | hexdump -C
A unit with TP-LINK firmware is best. However, a working unit with DD-WRT will suffice.
Thanks,
Doc
Hey,
i went for your last advice and flashed the unmodified fix C9-V3-Fix-R5.bin
after that a reboot with pressed wps-button
and it took the Archer_C9(EU)_V4_161018_1479287836363l renamed as ArcherC9v3_tp_recovery.bin
attached is the log of the successful flash
also a screenshot of hex modified C9-V3-Fix-R5_v2.bin that did not work.
as well as a bad photo of Serial-Console Pinout from TP-LINK Archer C9 V4 EU since i have not found any when i searched for it:
from left to right on the router-board
1. not connected: 3.3V
2. grey: ground
3. violet: RX
4. blue: TX
Posted: Wed Feb 07, 2018 21:58 Post subject: Re: Try this to recover from bad builds and jffs2
!asdf wrote:
Hey,
i went for your last advice and flashed the unmodified fix C9-V3-Fix-R5.bin
after that a reboot with pressed wps-button
and it took the Archer_C9(EU)_V4_161018_1479287836363l renamed as ArcherC9v3_tp_recovery.bin
attached is the log of the successful flash
also a screenshot of hex modified C9-V3-Fix-R5_v2.bin that did not work.
as well as a bad photo of Serial-Console Pinout from TP-LINK Archer C9 V4 EU since i have not found any when i searched for it:
from left to right on the router-board
1. not connected: 3.3V
2. grey: ground
3. violet: RX
4. blue: TX
Great! It looks like the hex editor inserted the 6 bytes of the MAC address. Looking at address E there is a AA and at address F there is a BB (and so on for the 6 bytes.) Those values were originally at address 8 and 9. The hex editor needs to be in overwrite mode. The entire file shifted up by 6 bytes which places data at the wrong addresses. You can do the procedure again with a corrected file and your MAC address will be back to your original value. You should recover with TP-LINK again after loading the fix file.
Posted: Wed Feb 07, 2018 22:50 Post subject: Re: Try this to recover from bad builds and jffs2
TheDoc wrote:
!asdf wrote:
Hey,
i went for your last advice and flashed the unmodified fix C9-V3-Fix-R5.bin
after that a reboot with pressed wps-button
and it took the Archer_C9(EU)_V4_161018_1479287836363l renamed as ArcherC9v3_tp_recovery.bin
attached is the log of the successful flash
also a screenshot of hex modified C9-V3-Fix-R5_v2.bin that did not work.
as well as a bad photo of Serial-Console Pinout from TP-LINK Archer C9 V4 EU since i have not found any when i searched for it:
from left to right on the router-board
1. not connected: 3.3V
2. grey: ground
3. violet: RX
4. blue: TX
Great! It looks like the hex editor inserted the 6 bytes of the MAC address. Looking at address E there is a AA and at address F there is a BB (and so on for the 6 bytes.) Those values were originally at address 8 and 9. The hex editor needs to be in overwrite mode. The entire file shifted up by 6 bytes which places data at the wrong addresses. You can do the procedure again with a corrected file and your MAC address will be back to your original value. You should recover with TP-LINK again after loading the fix file.
oh my..,
its all right there in the screenshot..., the INS in the corner and the suspicious AABBCCCCBBAA right behind the MAC...
directly after the fix i did TFTP-recover to TP-LINKs Archer_C9(EU)_V4_161018.
from there again via
10-17-2017-r33525\factory-to-ddwrt.bin
to now DD-WRT v3.0-r33986 std (12/04/17)
interestingly enough without reflashing the MAC is already correct... i.e. not AA-BB-CC-CC-BB-AA
Posted: Thu Feb 08, 2018 12:50 Post subject: Re: Try this to recover from bad builds and jffs2
TheDoc wrote:
!asdf wrote:
Hey,
thank you for your response
my situation seems similar to ZaphodB73s:
initially i was on
Archer_C9(EU)_V4_161018_1479287836363l stock
went to
10-17-2017-r33525/factory-to-ddwrt.bin
via webflash
after confirming dd-wrt webgui and changing admin user & pass
i went for
01-31-2018-r34777/archer-c9v4-webflash.bin
via dd-wrt webflash, it did fine, until 300sec reboot timeout
and from there I also got the "dreaded WPS led"
please find attached a log as verbose as i could make,
the C9-V3-Fix-R5_v2.bin is just with patched MAC-Address
cheers
I'll make it a weekend project to get a EU version of TP-LIINK to load, bring it up to 34777 and try to recover it.
The last test to try beforehand would be loading C9-V3-Fix-R5.bin without changing the MAC address.
Request for aid: A person with a working C9 V4 EU router can help by providing some information. SSH into the unit and save the results of these commands:
dd if=/dev/mtd1 skip=14912 bs=1024 count=1 | hexdump -C
dd if=/dev/mtd1 skip=14936 bs=1024 count=1 | hexdump -C
A unit with TP-LINK firmware is best. However, a working unit with DD-WRT will suffice.
Thanks,
Doc
Here is a dump from a successfully recovered EU v4 Archer C9 running 2017-12-04 r33986 release.
Thanks TheDoc for C9-V3-Fix-R5 and instructions, also !asdf for tip the Archer_C9(EU)_V4_161018_1479287836363 stock version was successful. I got back my V3 EU after jffs disaster.
My experience:
C9-V3-Fix-R5 worked for me, but I was not able to install of V3 stock FW (I tried latest two). It starts to reboot every 10 second and reason was something like unable mounting FS.
Archer_C9(EU)_V4 was successful, thanks !asdf.
I tried go back to DD-WRT, but found only latest factory-to-ddwrt (from october 2017) firmware in this forum. Still, it was successful. Then I tried to update latest beta update 02-10-2018-r34886 > tplink_archer-c9v3 > archer-c9v3-webflash, but it starts to restart every 10s with mounting trouble again.
BTW, I had often to apply C9-V3-Fix-R5 again, caused by factory bootcheck fail, after almost every new FW.
Can somebody suggest DD-WRT build could work, later factory-to-ddwrt from this forum? I need 5G Wifi, OpenVPN and SSH for port forward.
Posted: Sun Feb 25, 2018 20:26 Post subject: Re: Try this to recover from bad builds and jffs2
!asdf wrote:
TheDoc wrote:
!asdf wrote:
Hey,
i went for your last advice and flashed the unmodified fix C9-V3-Fix-R5.bin
after that a reboot with pressed wps-button
and it took the Archer_C9(EU)_V4_161018_1479287836363l renamed as ArcherC9v3_tp_recovery.bin
attached is the log of the successful flash
also a screenshot of hex modified C9-V3-Fix-R5_v2.bin that did not work.
as well as a bad photo of Serial-Console Pinout from TP-LINK Archer C9 V4 EU since i have not found any when i searched for it:
from left to right on the router-board
1. not connected: 3.3V
2. grey: ground
3. violet: RX
4. blue: TX
Great! It looks like the hex editor inserted the 6 bytes of the MAC address. Looking at address E there is a AA and at address F there is a BB (and so on for the 6 bytes.) Those values were originally at address 8 and 9. The hex editor needs to be in overwrite mode. The entire file shifted up by 6 bytes which places data at the wrong addresses. You can do the procedure again with a corrected file and your MAC address will be back to your original value. You should recover with TP-LINK again after loading the fix file.
oh my..,
its all right there in the screenshot..., the INS in the corner and the suspicious AABBCCCCBBAA right behind the MAC...
directly after the fix i did TFTP-recover to TP-LINKs Archer_C9(EU)_V4_161018.
from there again via
10-17-2017-r33525\factory-to-ddwrt.bin
to now DD-WRT v3.0-r33986 std (12/04/17)
interestingly enough without reflashing the MAC is already correct... i.e. not AA-BB-CC-CC-BB-AA
So I did the exact same thing as above, but my mac adress is still on AA-BB etc..
Is there a way to change it to the one that is on the back of the router? Running r33986 currently.
I've tried to re-apply the C9-V3-Fix-R5_v2.bin file (modified with hex editor) using serial interface but I have no idea how to enter cfe command after the bootup process (at the login prompt).
Posted: Mon Feb 26, 2018 5:53 Post subject: Re: Try this to recover from bad builds and jffs2
Magician1981 wrote:
!asdf wrote:
TheDoc wrote:
!asdf wrote:
Hey,
i went for your last advice and flashed the unmodified fix C9-V3-Fix-R5.bin
after that a reboot with pressed wps-button
and it took the Archer_C9(EU)_V4_161018_1479287836363l renamed as ArcherC9v3_tp_recovery.bin
attached is the log of the successful flash
also a screenshot of hex modified C9-V3-Fix-R5_v2.bin that did not work.
as well as a bad photo of Serial-Console Pinout from TP-LINK Archer C9 V4 EU since i have not found any when i searched for it:
from left to right on the router-board
1. not connected: 3.3V
2. grey: ground
3. violet: RX
4. blue: TX
Great! It looks like the hex editor inserted the 6 bytes of the MAC address. Looking at address E there is a AA and at address F there is a BB (and so on for the 6 bytes.) Those values were originally at address 8 and 9. The hex editor needs to be in overwrite mode. The entire file shifted up by 6 bytes which places data at the wrong addresses. You can do the procedure again with a corrected file and your MAC address will be back to your original value. You should recover with TP-LINK again after loading the fix file.
oh my..,
its all right there in the screenshot..., the INS in the corner and the suspicious AABBCCCCBBAA right behind the MAC...
directly after the fix i did TFTP-recover to TP-LINKs Archer_C9(EU)_V4_161018.
from there again via
10-17-2017-r33525\factory-to-ddwrt.bin
to now DD-WRT v3.0-r33986 std (12/04/17)
interestingly enough without reflashing the MAC is already correct... i.e. not AA-BB-CC-CC-BB-AA
So I did the exact same thing as above, but my mac adress is still on AA-BB etc..
Is there a way to change it to the one that is on the back of the router? Running r33986 currently.
I've tried to re-apply the C9-V3-Fix-R5_v2.bin file (modified with hex editor) using serial interface but I have no idea how to enter cfe command after the bootup process (at the login prompt).
Thanx in advance
You have to hit enter to interrupt the boot process in the very first seconds of the boot if you want to have access to the CFE prompt.....
Posted: Wed Feb 28, 2018 14:32 Post subject: Re: Try this to recover from bad builds and jffs2
ZaphodB73 wrote:
You have to hit enter to interrupt the boot process in the very first seconds of the boot if you want to have access to the CFE prompt.....
Regards, ZaphodB73
That should work. I've been holding down ctrl-C during the reboot process. I end up with a long series of ctrl-C's on the terminal but they don't hurt anything. The window to stop the boot process in CFE seems small.
After redoing the flashing of C9-V3-Fix-R5, be safe do a full recovery of the stock TP-LINK firmware again.
Not recommended but will work: If you have trouble stopping the boot process in CFE load the version of DD-WRT that previously corrupted your unit. Once the unit is corrupted, it stops in CFE because of the corruption.
thanx for helping me out. I've managed to ''unbrick'' my C9 multiple times now. There is still one problem however! The MAC adress is stuck on AA-BB etc. Even after a hex editing of the R5 file. I've double checked if the file was saved correctly with a different editor and the desired MAC adress is in the correct ''offset'' line as described in earlier posts. Any ideas??
Here is the current serial output:
CFE version 6.37.14.93 (r469350) based on BBP 1.0.37 for BCM947XX (32bit,SP,)
Build Date: Wed Jan 13 15:52:58 UTC 2016 (leven@leven)
Copyright (C) 2000-2008 Broadcom Corporation.
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
DDR Clock: 800 MHz
Info: DDR frequency set from clkfreq=1000,*800*
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 6.37.14.93 (r469350)
CPU type 0x0: 1000MHz
Tot mem: 131072 KBytes
Device eth0: hwaddr AA-BB-CC-CC-BB-AA, ipaddr 192.168.0.1, mask 255.255.255.0
gateway not set, nameserver not set
Reading Partition Table from NVRAM ... OK
Parsing Partition Table ... OK
factory boot check integer ok.
factory boot load fs boot len 262144 to addr 0x3f00000.
Closing network.
Starting program at 0x03f00000
Decompressing(LZMA inbase:0x1e064004)...done
CFE version 6.37.14.93 (r469350) based on BBP 1.0.37 for BCM947XX (32bit,SP,)
Build Date: Fri Jul 22 09:27:53 UTC 2016 (leven@leven)
Copyright (C) 2000-2008 Broadcom Corporation.
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
DDR Clock: 800 MHz
Info: DDR frequency set from clkfreq=1000,*800*
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 6.37.14.93 (r469350)
CPU type 0x0: 1000MHz
Tot mem: 131072 KBytes
thanx for helping me out. I've managed to ''unbrick'' my C9 multiple times now. There is still one problem however! The MAC adress is stuck on AA-BB etc. Even after a hex editing of the R5 file. I've double checked if the file was saved correctly with a different editor and the desired MAC adress is in the correct ''offset'' line as described in earlier posts. Any ideas??
Here is the current serial output:
Send me the modified R5.bin file and I'll look at it.