Posted: Thu Apr 13, 2017 21:31 Post subject: Re: You can brick recover it during that window
sploit wrote:
You can recover it during that window by using a real tftp upload app. Don't use the Linksys Crap app (tftp2); it times out too soon.
Use windows tftp or pumpkin or linux.
Brainslayer's builds are busted for flashing as they are too big for some reason for the partitions.
Once you see the ping for ttl=100 that is your gate to flash.
Thanks, sploit,
I have been using Tftpd32 as a client to put vmlinuz to 192.168.1.1 port 69 when the four LEDs light up (the router responds to a ping with TTL=100 roughly four times after the four LEDs flash). Unfortunately, I've tried dozens of times, varying the timing slightly, and the router never accepts the file transfer. Tftpd32 responds with block #0, but no data is transferred. Perhaps there is something wrong with how I am doing this?
I'm wondering if a hardware serial flash may be the only way to bring it back now? If so, I have a USB=>TTL cable and a Bluetooth=>RS-232/TTL adapter on their way. I might also try fabricating a two transistor RS-232=>TTL adapter (my PC is old enough to have a DB9 serial port).
Use 30432 build or older. Anything newer will brick it. Unless it's a kong build.
BS Build 31690 flashes fine on R6300v2 and works well too
I was talking to Lemming. R6300 is a different story.
_________________
R6400v2 (boardID:30) - Kong 36480 running since 03/09/18 - (AP - DNSMasq - AdBlocking - QoS)
R7800 - BS 31924 running since 05/26/17 - (AP - OpenVPN Client - DNSMasq - AdBlocking - QoS)
R7000 - BS 30771 running since 12/16/16 - (AP - NAS - FTP - SMB - OpenVPN Server - Transmission - DDNS - DNSMasq - AdBlocking - QoS)
R6250 - BS 29193 running since 03/20/16 - (AP - NAS - FTP - SMB - DNSMasq - AdBlocking)
Posted: Sat Apr 15, 2017 20:32 Post subject: Re: You can brick recover it during that window
LemmingFactory wrote:
I have been using Tftpd32 as a client to put vmlinuz to 192.168.1.1 port 69 when the four LEDs light up (the router responds to a ping with TTL=100 roughly four times after the four LEDs flash).
That's your problem. You need to set up a tftp server on 192.168.1.2, not a client.
The server will host vmlinuz, and the router will issue its own pull request automatically.
Once you see the 4 lights flash, it will start asking the server for the file. Eventually, you will see the power light start flashing. Wait patiently for the power light to turn solid green. Once it does, the firmware will be loaded. At this point, you will be able to launch a web browser and connect to 192.168.1.1. The username is root and the password is admin.
When you can connect to the web page, you can then connect via ssh, erase the bad firmware, and then continue on with the recovery process where you "put" the firmware on using the tftp client command.
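The server-side pull described in the post above, as an added example that is not part of the original thread: a read-only TFTP server in Python that logs every datagram arriving on 192.168.1.2:69, so you can tell whether the router ever sends a read request (RRQ) for vmlinuz or stays silent. The function names, the 2-second timeout, the five retries and the serve-one-file policy are assumptions of this example; it handles images under 32 MiB (16-bit block numbers), and binding port 69 usually needs administrator rights.

```python
import socket
import struct
import sys

OP_RRQ, OP_DATA, OP_ACK, BLOCK = 1, 3, 4, 512  # RFC 1350 opcodes and block size

def parse_rrq(packet):
    """Return (filename, mode) for a TFTP read request, else None."""
    fields = packet[2:].split(b"\x00")
    if packet[:2] != struct.pack("!H", OP_RRQ) or len(fields) < 3 or not fields[0]:
        return None
    return fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()

def data_packets(payload):
    """Split payload into DATA packets; a block under 512 bytes ends the transfer."""
    count = len(payload) // BLOCK + 1  # exact multiple of 512 => empty final block
    return [struct.pack("!HH", OP_DATA, n + 1) + payload[n * BLOCK:(n + 1) * BLOCK]
            for n in range(count)]

def send_file(payload, peer, bind_ip):
    """Send payload from a fresh port; True only if every block was ACKed."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as xfer:
        xfer.bind((bind_ip, 0))
        xfer.settimeout(2)
        for number, data in enumerate(data_packets(payload), 1):
            for _attempt in range(5):  # retransmit on timeout or stray packet
                xfer.sendto(data, peer)
                try:
                    ack = xfer.recvfrom(64)[0]
                except socket.timeout:
                    continue
                if ack[:4] == struct.pack("!HH", OP_ACK, number):
                    break
            else:
                return False
    return True

def serve(path, name="vmlinuz", bind_ip="192.168.1.2", port=69):
    with open(path, "rb") as image:
        payload = image.read()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind((bind_ip, port))  # fails unless this PC owns bind_ip
        while True:
            packet, peer = listener.recvfrom(2048)
            request = parse_rrq(packet)
            print(peer, request or packet[:16].hex())  # log every datagram seen
            if request and request[0] == name:
                print("sent" if send_file(payload, peer, bind_ip) else "no ACK")

if __name__ == "__main__":
    serve(sys.argv[1])
```

A datagram logged as hex beginning `0002` is a write request from a `put` client, which this server ignores. If nothing is logged at all during the boot loop, the router is not asking this address for the file.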
Posted: Sun Apr 16, 2017 7:03 Post subject: Re: You can brick recover it during that window
compu829 wrote:
That's your problem. You need to set up a tftp server on 192.168.1.2, not a client.
The server will host vmlinuz, and the router will issue its own pull request automatically.
Once you see the 4 lights flash, it will start asking the server for the file. Eventually, you will see the power light start flashing. Wait patiently for the power light to turn solid green. Once it does, the firmware will be loaded. At this point, you will be able to launch a web browser and connect to 192.168.1.1. The username is root and the password is admin.
Thanks! Obviously I'm not very familiar with this stuff. Thought that the router was running a tftp server and I had to put the vmlinuz file on to it from a tftp client. Apparently had that reversed.
I've tried setting Tftpd32 up as a server on my desktop PC but the router will not connect to it, and does not appear to even try; it does, however, continue to respond briefly to a constant ping of 192.168.1.1 when the four LEDs flash. I've confirmed that the Tftpd32 server is working by sending a file from my laptop Tftpd32 client to the desktop server through my local network. Tftpd32 server is set up as suggested here: http://www.tricksguide.com/how-to-setup-a-tftp-server-tftpd32-windows.html In my case, I'm binding the server to the IP address of the desktop PC (192.168.1.3).
The router just keeps going through the boot loop as if the tftp server is not even there. Is there something wrong with the server configuration that I should change or is the router simply not connecting to the tftp server?
Posted: Tue Apr 18, 2017 1:21 Post subject: Re: You can brick recover it during that window
ghoffman wrote:
I have had to disable the Windows 7 firewall to get routers to connect to the tftpd server.
Windows 7 firewall is disabled. Does not appear to make any difference.
compu829 wrote:
You are very close! You need to set the IP of your desktop pc to 192.168.1.2. The router only asks that specific address for the file.
Also, just be patient. The router will auto-reboot and try again if it doesn't receive a response from the tftp server the first time.
OK, first I've heard of that.
The PC's IP has been changed to 192.168.1.2. While in the reboot loop, the R6250 does briefly respond to a constant ping at 192.168.1.1. However, I've left it running for a few minutes and it still does not connect to the Tftpd32 server. Are there any other settings which I should be changing?
Posted: Tue Apr 25, 2017 13:44 Post subject: R6300v2 Bricked - Plz Help
I just ordered a refurbished R6300v2 from Amazon. When it arrived I Ethernet connected and was refused a connection to the gateway (192.168.1.1 verified from cmd). Before FR'ing I checked to see if it was broadcasting wifi as the icon was lit. I could not find a 2.4/5 SSID. I FR'd, still no connection to the gateway, "Connection Refused". Tried 30-30-30, connection still refused. I have contacted Amazon and am waiting for the seller to contact me. In the meantime is there something else I can try?
Posted: Tue Apr 25, 2017 15:14 Post subject: Re: R6300v2 Bricked - Plz Help
marcustheadore wrote:
I just ordered a refurbished R6300v2 from Amazon. When it arrived I Ethernet connected and was refused a connection to the gateway (192.168.1.1 verified from cmd). Before FR'ing I checked to see if it was broadcasting wifi as the icon was lit. I could not find a 2.4/5 SSID. I FR'd, still no connection to the gateway, "Connection Refused". Tried 30-30-30, connection still refused. I have contacted Amazon and am waiting for the seller to contact me. In the meantime is there something else I can try?
I'm trying to use tftp to unbrick it. I have PumpKIN and the vmlinuz file that Sploit uploaded. The router will look at 192.168.1.2 while booting up and if I've set my PC and PumpKIN to 192.168.1.2 it should find the vmlinuz file, right?
Posted: Tue May 09, 2017 7:57 Post subject: Re: R6300v2 - Findings
merrow75 wrote:
So I spent some time today looking at my R6300v2 in further detail.
I have been running Kong's builds and they have been working very well.
I wanted to recreate the situation that kwyeung has been facing.
Firstly, I loaded the latest stock Netgear firmware (R6300v2-V1.0.4.6_10.0.76.chk).
The router was operational on the stock firmware so onto the next step.
I loaded Brainslayer's build (12-15-2016-r30949 - factory-to-dd-wrt.chk) via the Netgear GUI and the router went into a reboot loop.
Problem recreated so good news.
I hooked up the serial connection to monitor the status.
No matter what I tried (reboot, reboot while holding down the reset button, reboot while holding down the WPS and then the WIFI button - just in case there was some hidden gem of firing up the TFTP session) from then on the router did not wait for a TFTP session (looking for vmlinuz on server 192.168.1.2) as it had done previously when it was running Kong's builds.
To get the router working again, I had to break into the boot up by using CTRL+C and start TFTPD to send Kong's build.
I really wish a serial connection was not required but there was no other option I could find in order to fix this particular problem. Again, this seems to match the one exception that sploit encountered when trying to brick and test the recovery procedures.
So as experienced it is wise to stop loading Brainslayer's builds for this router and instead load Kong's build (http://desipro.de/ddwrt/K3-AC-Arm/dd-wrt.K3_R6300V2.chk) directly from the stock Netgear firmware.
At the moment I am unsure why Brainslayer's builds are failing albeit some have said the image is too big. Anyway, I've got the data from the serial connection so I'll open a new ticket on trac or update an existing one.
Hope this helps.
I got boneheaded today by downloading factory-to-dd-wrt.chk r31924 (yes, latest build) for this router, anticipating an easy install of netgear-ac1450-webflash.bin (same release) - I have to say that what Merrow75 confirmed is correct - PUT (by Windows command line) and SERVER methods do not seem to work to recover this router. The router never polls the server I set up with two (including Pumpkin and another one), and I tried various PUT utilities and the Windows built-in by command line - nothing doing. The only interesting thing I noticed is that when you leave a continuous ping going you get 4 with TTL 100 before it reboots itself endlessly, but if you hold down the reset button during power on it will stay in pingable mode about twice as long, 7 to 8 successful pings on average, so I assume it is doing something different. Sploit seems to think otherwise but I have encountered the exact same issue.
So before I order the USB/TTL cable has anyone figured out any way to get around this? I find it hard to believe that the beta posts are still being put up for this router (in this case AC1450) - too bad I didn't see this thread beforehand!
Posted: Tue May 09, 2017 7:59 Post subject: Re: R6300v2 Bricked - Plz Help
marcustheadore wrote:
marcustheadore wrote:
I just ordered a refurbished R6300v2 from Amazon. When it arrived I Ethernet connected and was refused a connection to the gateway (192.168.1.1 verified from cmd). Before FR'ing I checked to see if it was broadcasting wifi as the icon was lit. I could not find a 2.4/5 SSID. I FR'd, still no connection to the gateway, "Connection Refused". Tried 30-30-30, connection still refused. I have contacted Amazon and am waiting for the seller to contact me. In the meantime is there something else I can try?
I'm trying to use tftp to unbrick it. I have PumpKIN and the vmlinuz file that Sploit uploaded. The router will look at 192.168.1.2 while booting up and if I've set my PC and PumpKIN to 192.168.1.2 it should find the vmlinuz file, right?
That is supposed to be how it works, but apparently the later builds do something to mess this up - I cannot recover this way - everything Merrow75 said is correct, so I hope Sploit or someone has come up with a way around it w/o resorting to the USB/TTL serial connection. If not then I guess we have to go that route - just re-read your earlier post - if you didn't flash the dd-wrt .chk file past a certain build point it should still be working to recover using the method you listed - let us know if it worked - for the others who put in the later builds, has anyone found a way to get us back?
Posted: Tue May 09, 2017 8:03 Post subject: Re: You can brick recover it during that window
compu829 wrote:
LemmingFactory wrote:
I have been using Tftpd32 as a client to put vmlinuz to 192.168.1.1 port 69 when the four LEDs light up (the router responds to a ping with TTL=100 roughly four times after the four LEDs flash).
That's your problem. You need to set up a tftp server on 192.168.1.2, not a client.
The server will host vmlinuz, and the router will issue its own pull request automatically.
Once you see the 4 lights flash, it will start asking the server for the file. Eventually, you will see the power light start flashing. Wait patiently for the power light to turn solid green. Once it does, the firmware will be loaded. At this point, you will be able to launch a web browser and connect to 192.168.1.1. The username is root and the password is admin.
When you can connect to the web page, you can then connect via ssh, erase the bad firmware, and then continue on with the recovery process where you "put" the firmware on using the tftp client command.
It doesn't seem to work once you flashed one of the chk files that is past a certain build.
Posted: Tue May 09, 2017 8:23 Post subject: Re: That may be true in the past but...
sploit wrote:
I can erase the nvram manually from the CFE and it will still load the vmlinuz file on this router. It is built into the default CFE. I have purposely bootlooped using Brainslayer's current defective builds and vmlinuz still loads. Only way I have seen this fail is if the CFE gets damaged.
If I get time I will create a video of this.
Got bigger fish to fry right now
Hi sploit - I have the same issue going on that merrow75 recreated - did you find a workaround for this that doesn't require a console/USB/TTL cable? Thanks!