I have flash0.os image from my C1200 v1 eu version if you would like to try
I'd flash it with flash -noheader ipaddr:filename flash0.os
Otherwise you can try to boot my WIP LEDE image, same command, just replace the last arg with flash0.trx
(for now no WiFi, only cable works, also gets corrupted after a few reboots - some jffs2 errors)
You can find those files on my Google Drive
If neither helps you, tell me, as I'm still able to flash back to stock and dump the whole flash.
Good luck!
//EDIT uploaded mtdblocks:
0 should be boot
1 kernel w/ squash
2 squash
3 partition table
4 IDK
Unfortunately neither flashing flash0.os nor your LEDE image seemed to help.
Maybe my CFE is corrupted or something?
Here's the output after trying to flash flash0.os:
CFE> flash -noheader 192.168.0.2:flash0.os flash0.os
flash -noheader 192.168.0.2:flash0.os flash0.os
Reading 192.168.0.2:flash0.os: Done. 16187392 bytes read
Programming...done. 16187392 bytes written
*** command status = 0
CFE> reboot
reboot
Decompressing...done
CFE version 9.10.178.27 (r584393) based on BBP 1.0.37 for BCM947XX (32bit,SP,)
Build Date: 2016年 05月 24日 星期二 10:29:15 EDT (seal@localhost.localdomain)
Copyright (C) 2000-2008 Broadcom Corporation.
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
DDR Clock: 533 MHz
Info: DDR frequency set from clkfreq=900,*533*
bcm_robo_enable_switch: EEE is disabled
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 9.10.178.27 (r584393)
CPU type 0x0: 900MHz
Tot mem: 131072 KBytes
CFE mem: 0x00F00000 - 0x02FB70C4 (34304196)
Data: 0x00F69888 - 0x00F6EBCC (21316)
BSS: 0x00F6EBD8 - 0x00FB50C4 (287980)
Heap: 0x00FB50C4 - 0x02FB50C4 (33554432)
Stack: 0x02FB50C4 - 0x02FB70C4 (8192)
Text: 0x00F00000 - 0x00F5DC14 (384020)
Committing NVRAM...done
Waiting for reset button release...done
˙Decompressing...done
CFE version 9.10.178.27 (r584393) based on BBP 1.0.37 for BCM947XX (32bit,SP,)
Build Date: 2016年 05月 24日 星期二 10:29:15 EDT (seal@localhost.localdomain)
Copyright (C) 2000-2008 Broadcom Corporation.
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
DDR Clock: 533 MHz
Info: DDR frequency set from clkfreq=900,*533*
bcm_robo_enable_switch: EEE is disabled
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 9.10.178.27 (r584393)
CPU type 0x0: 900MHz
Tot mem: 131072 KBytes
CFE mem: 0x00F00000 - 0x02FB70C4 (34304196)
Data: 0x00F69888 - 0x00F6EBCC (21316)
BSS: 0x00F6EBD8 - 0x00FB50C4 (287980)
Heap: 0x00FB50C4 - 0x02FB50C4 (33554432)
Stack: 0x02FB50C4 - 0x02FB70C4 (8192)
Text: 0x00F00000 - 0x00F5DC14 (384020)
Device eth0: hwaddr XX-XX-XX-XX-XX-XX, ipaddr 192.168.1.1, mask 255.255.255.0
gateway not set, nameserver not set
Reading Partition Table from NVRAM ... OK
Parsing Partition Table ... OK
[NM_Error](nm_api_readPtnFromNvram) 00134: partition name not found.
factory boot check integer read flag partition fail.
Device eth0: hwaddr XX-XX-XX-XX-XX-XX, ipaddr 192.168.0.1, mask 255.255.255.0
gateway not set, nameserver not set
CFE>
The only thing I changed about that output is that I censored the MAC address.
It seems like the router reboots, tries to load the OS, and fails. Before the second "Decompressing..." message, there's almost always a garbage character - usually a u with an accent over it on my machine.
Do you think a whole-flash dump would help here? It may be worth it if there's a chance it could repair any CFE errors.
Again, thank you so much!
EDIT: Maybe just a dump of flash1 would work, I think that's where the CFE lives
Hi again, I've dumped all partitions from flash0 (no idea how to select flash1 addr), they are in the same directory on the drive.
I don't recommend flashing the boot partitions though, even firmware recovery skips them. The error speaks about nvram, so I'd start there.
I first flashed the NVRAM partition and reset NVRAM, no change. I then flashed the entire flash0 file to the router, and I think I killed it. I'm not getting any serial data from the router any more, and the only LED that was on previously (the WPS one) is now off. One of the LEDs is very dimly glowing, but I think it's a lost cause at this point.
I don't know if there's any way to directly access the flash memory on the router - I have access to hot-air rework tools, as well as logic analyzers (maybe I can find a Bus Pirate).
In any case, thank you for your help! It was worth a shot!
My C1200 v2 (EU) on the latest official firmware is actually running a custom version of OpenWRT 12.09rc1. I managed to enable dropbear and SSH into it and escalated to root to take a look around as I was running into some issues that I wanted to debug. I don't have experience with porting and developing on LEDE/OpenWRT (just as a user on my previous routers). Can anyone point me in the right direction to make something out of it?
Hi! Take a look at my GitHub - this should point you in the right direction. There's also a wiki link with steps for adding a new device.
//EDIT:
These routers are indeed using a customized version of old OpenWRT and I'd suggest you stick with it for now. They're on an old kernel (2.6 I think) with proprietary drivers. If you still want to change, you'll lose your Wi-Fi (my V1 can't even toggle 2,4GHz).
Errors I've encountered with my build:
Wi-Fi gone
Lower speed (no NAT boost)
Corrupting flash storage (sometimes a few reboots fix that, but it still throws jffs2 errors on boot)
Unplugging USB causes boot loop after reboot
Thank you for your suggestion, I'd look a bit more into it as root user on their custom firmware, and if I don't debug the issues I'm getting I'll buy a supported router (this is the first one in years, got it on sale on Amazon, so I'll probably return it for something that I can play with if the original firmware is not worth it). Again, thanks.
You should have two files in the archive, the "certificate" partition and the config partition. The latter is just an XML file, I edited the file to contain "< RemoteSSH >on< /RemoteSSH >" in Dropbear (as I had previously analysed the modified version they ship, thanks to the GPL code they released).
You're done. Now you can enter as admin/your_router_password.
<SysAccountLogin>off</SysAccountLogin>
Is another one. If it's off (default) it uses a custom authentication process where you can only log in as admin (it doesn't matter what user you select, you end up logging in as the user with UID 1000, and the password is the one stored in LUCI).
If it's on it uses PAM (but the passwords are not the same and if you have a blank system password it doesn't let you login!).
Hope it helps.
EDIT: obviously when "you're done", you have to repack the tar file, recompress it with zlib, encrypt it again, and upload it to the router using "config restore".
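The edit-and-repack steps from the post above, as an added Python example that is not part of the original thread or the vendor's code. It starts from an already-decrypted backup blob, because the thread gives neither the cipher nor the key; the member names and XML layout in the sample are constructed, and only the element names `RemoteSSH` and `SysAccountLogin` come from the thread.

```python
import io
import tarfile
import xml.etree.ElementTree as ET
import zlib

def unpack(blob):
    """zlib-decompress the blob and return [(TarInfo, bytes-or-None)] per member."""
    with tarfile.open(fileobj=io.BytesIO(zlib.decompress(blob))) as tar:
        return [(m, tar.extractfile(m).read() if m.isfile() else None) for m in tar]

def pack(members):
    """Inverse of unpack: tar the members, then zlib-compress."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for info, data in members:
            if data is not None:
                info.size = len(data)  # size must match the edited payload
            tar.addfile(info, io.BytesIO(data) if data is not None else None)
    return zlib.compress(buf.getvalue())

def set_flags(blob, flags):
    """Set each element named in `flags` inside the XML member; fail if one is absent."""
    members, seen = [], set()
    for info, data in unpack(blob):
        if data is not None and data.lstrip()[:1] == b"<":  # assumption: only the config is XML
            root = ET.fromstring(data)
            for el in root.iter():
                if el.tag in flags:
                    el.text = flags[el.tag]
                    seen.add(el.tag)
            data = ET.tostring(root)
        members.append((info, data))
    if seen != set(flags):
        raise KeyError(f"not found in config: {sorted(set(flags) - seen)}")
    return pack(members)

def read_flags(blob, names):
    """Report the current value of the named elements, e.g. to check a fresh backup."""
    out = {}
    for _, data in unpack(blob):
        if data is not None and data.lstrip()[:1] == b"<":
            out.update({e.tag: e.text for e in ET.fromstring(data).iter() if e.tag in names})
    return out

def sample_backup():
    """Constructed stand-in for a decrypted backup: one binary member, one XML member."""
    xml = b"<config><dropbear><RemoteSSH>off</RemoteSSH><SysAccountLogin>on</SysAccountLogin></dropbear></config>"
    info_c, info_x = tarfile.TarInfo("certificate"), tarfile.TarInfo("config.xml")
    return pack([(info_c, b"\x00\x01constructed"), (info_x, xml)])
```

Running `read_flags` on a backup downloaded after the restore shows whether the router actually kept the values that were uploaded.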
You could use cygwin on Windows, but if the command didn't work, it's because you don't have openssl installed. Mine wasn't a guide, just an explanation. Anyways, if you're not fully aware of what you're doing I'd recommend not messing with it because you could end up with a bricked router.
I was able to upload a modified config.bin to the router successfully (verified based on the wifi channel modification in config.bin), however, when I used Putty to SSH into the router, I can't seem to log in.
I tried username admin with my router password, but it keeps displaying access denied.
It is port 22. I tried :
admin admin
admin (my own password)
root root
blank blank
blank admin
admin blank
No luck. Previously before I enable SysAccountLogin to 'on', putty will display "PTY allocation request failed on channel 0" and "shell request failed on channel 0" after I typed admin as username and my router password.
SysAccountLogin needs to be off. You may want to try to enable RootLogin and also be sure to type the router password correctly. Download the backup again and check there. Also please note that whatever you need to copy into the router won't work unless you escalate from admin to root, there's no su executable. What I did is I changed the cgi-bin directory of the webserver (that run as root) to be on the USB mounted pendrive and went from there...
The above is what I got from the second config.bin backup dump. Wait...didn't you say I must set 'SysAccountLogin' to 'On'?
Edit: Can you help me to test? By putting this wireless.region.json to /www/webpages/data , you can have access to all 5Ghz wifi channels. (If it works.....) I am talking about 5ghz channel 36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 144, 149, 153, 157, 161, 165.
My bad "< RemoteSSH >" needs to be on. I missed a word in my previous message because of formatting:
You should have two files in the archive, the “certificate” partition and the config partition. The latter is just an XML file, I edited the file to contain RemoteSSH “on” in Dropbear (as I had previously analysed the modified version they ship, thanks to the GPL code they released).
Regarding your file... Well, wireless.region.json is not a configuration file, it doesn't exist. It is a dynamic file generated by luci on the fly.
You should still edit the XML and it will go in /etc/config/wireless during a config restore.
By editing wireless.region.json at /www/webpages/data , one can make use of extra wifi 5ghz channels which are hidden away. The problem is.....one needs a method to copy the .json into the router.......
The Malaysia firmware has TR-069 enabled by default (can't be disabled) and an additional suffix @unifi on the guest wifi (heard it is an advertisement agreement between the telco and TP-Link Malaysia).
Official EU firmware version only has 5ghz channel 36, 40 , 44 and 48.
The Malaysia version has channel 36,40,44,48,100,120,161 and 165.
From what I can see, the webui (luci) load will try to find the configuration at /www/webpages/data , if it can't find wireless.region.json, then it will load default EU value. If it can find that .json file, then it will load MY value.
I'm sorry, it's not like that. The scripts will load the config from the files in /etc/ where uci stores the data.
You just need to edit /etc/config/wireless (if you downloaded the GPL source just take a look at ./IPlatform/platform/ibase/luci/src/contrib/uci/hostfiles/etc/config/wireless for an example).
To do so, simply add the values in XML format in your config file.
Now, I agree that you then potentially lose the ability to manipulate this from the web interface. It depends on what you want to do.
I see....pardon my ignorance....still new in learning these stuff.
Anyway, I tried to edit config.bin and add channel 165 (currently using official EU firmware), however I am sad to say it didn't work. It rebooted and automatically selected channel 48. (Android Wifi Analyser also indicates channel 48 being used)
Hmm....turning txbf on for 2.4ghz in config.bin doesn't seem to do anything (no dbm improvement when streaming video to my phone and laptop) unlike 5ghz (GUI available for 5ghz only)