Build for TP-Link Archer C1200-AC1200

Hi,

I first flashed the NVRAM partition and reset NVRAM, no change. I then flashed the entire flash0 file to the router, and I think I killed it. I'm not getting any serial data from the router any more, and the only LED that was on previously (the WPS one) is now off. One of the LEDs is very dimly glowing, but I think it's a lost cause at this point.

I don't know if there's any way to directly access the flash memory on the router - I have access to hot-air rework tools, as well as logic analyzers (maybe I can find a Bus Pirate).

In any case, thank you for your help! It was worth a shot!

Hi,
This isn't really good. Maybe you can figure out how to access the memory directly onboard and flash it. (JTAG?)
Fingers crossed!

My C1200 v2 (EU) on the latest official firmware is actually running a custom version of OpenWRT 12.09rc1. I managed to enable dropbear and SSH into it and escalated to root to take a look around as I was running into some issues that I wanted to debug. I don't have experience with porting and developing on LEDE/OpenWRT (just as user on my previous routers). Anyone can point me in the right direction to make something out of it?

Thanks.

(x-post to the OpenWRT forum)

Hi! Take a look at mine github - this should point you in right direction. There's also wiki link with steps for adding new device.

//EDIT:
These routers are indeed using customized version of old OpenWRT and I'd suggest you stick with them for now. They're on old kernel (2.6 I think) with proprietary drivers. If you still want change, you'll lose your Wi-Fi (mine V1 can't even toggle 2,4GHz).
Errors I've encountered with my build:
Wi-Fi gone
Lower speed (no NAT boost)
Corrupting flash storage (sometimes few reboots fix that, but it still throws jffs2 errors on boot)
Unplugging USB causes boot loop after reboot

1 Like

Thank you for your suggestion, I'd look a bit more into it as root user on their custom firmware, and if I don't debug the issues I'm getting I'll buy a supported router (this is the first one in years, got it on sale on Amazon, so I'll probabily return it for something that I can play with if the original firmware is not worth it). Again, thanks.

May I ask how do you enable dropbear?

I downloaded the configuration from the router (backup configuration on the original firmware).

Then I unpacked it. The backup_config.bin is basically a zlib compressed, aes encrypted tar file with the router name as key.

So, I go by memory, but you can get the gist:

openssl zlib -d -in config.bin | openssl aes-256-cbc -d -k 'Archer C1200' -out config.tar
tar xf config.tar

You should have two files in the archive, the "certificate" partition and the config partition. The latter is just an XML file, I edited the file to contain "< RemoteSSH >on< /RemoteSSH >" in Dropbear (as I had previously analysed the modified version they ship, thanks to the GPL code they released).

You're done. Now you can enter as admin/your_router_password.

<SysAccountLogin>off</SysAccountLogin> 

Is another one. If it's off (default) it uses a custom authentication process where you can only login as admin (it doesn't matter what user you select, you end up logging in as user with UID 1000, and the password is the one stored in LUCI.

If it's on it uses PAM (but the passwords are not the same and if you have a blank system password it doesn't let you login!).

Hope it helps.

EDIT: obviously when "you're done", you have to repack the tar file, recompress it with zlib, encrypt it again, and upload it to the router using "config restore".

Err....:sweat_smile: .....any method for doing it in Windows?

I tried Ubuntu, but the command didn't work. (Yes, I renamed it to config.bin)

You could use cygwin on Windows, but if the command didn't work is because you don't have openssl installed. Mine wasn't a guide, just an explanation. Anyways, if you're not fully aware of what you're doing I'd recommend not messing with it because you could end up with a bricked router. :open_mouth:

had to do command other way round (i have v2) but dropbear is already on in config

openssl aes-256-cbc -d -in config.bin -k 'Archer C1200' | openssl zlib -d -out config.tar
tar xf config.tar

I found out why. Ubuntu openssl doesn't come with zlib support.
So, i manually configure-make-install zlib with openssl.

Can I have the command to recompress and re-encrypt? Thanks.

EDIT: I need to gain SSH admin access. Need to copy something into the router to test wifi functionality.

EDIT2: After some trial and error, I was able to find out the command to compress and encrypt

openssl zlib -in config.tar | openssl aes-256-cbc -out config.bin -k 'Archer C1200'

I was able to upload modifed config.bin to the router successfully (verified based on wifi channel modification at config.bin), however, when I used Putty to SSH into the router, I can't seem to login.

I tried username admin with my router password, but it keeps displaying access denied.

It is port 22. I tried :
admin admin
admin (my own password)
root root
blank blank
blank admin
admin blank

No luck. Previously before I enable SysAccountLogin to 'on', putty will display "PTY allocation request failed on channel 0" and "shell request failed on channel 0" after I typed admin as username and my router password.

SysAccountLogin needs to be off. You may want to try to enable RootLogin and also be sure to type the router password correctly. Download the backup again and check there. Also please note that whatever you need to copy into the router won't work unless you escalate from admin to root, there's no su executable. What I did is I changed the cgi-bin directory of the webserver (that run as root) to be on the USB mounted pendrive and went from there...

If that the case, then I can't test C1200 wifi capabilities because I can't copy a modified version of 'wireless.region.json' into /www/webpages/data

> <dropbear>
> <dropbear>
> <RootPasswordAuth>on</RootPasswordAuth>
> <SysAccountLogin>on</SysAccountLogin>
> <Port>22</Port>
> <PasswordAuth>on</PasswordAuth>
> </dropbear>
> </dropbear>

The above is what I got from second config.bin backup dump. Wait...didn't you said I must set 'SysAccountLogin' to 'On'?

Edit: Can you help me to test? By putting this wireless.region.json to /www/webpages/data , you can have access to all 5Ghz wifi channels. (If it works.....) I am talking about 5ghz channel 36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 144, 149, 153, 157, 161, 165.

https://www.sendspace.com/file/y59iey

My bad "< RemoteSSH >" needs to be on. I missed a word in my previous message because of formatting:

You should have two files in the archive, the “certificate” partition and the config partition. The latter is just an XML file, I edited the file to contain RemoteSSH “on” in Dropbear (as I had previously analysed the modified version they ship, thanks to the GPL code they released).

Regarding your file... Well wireless.region.json is not a configuration file, it doesn't exists. Is a dynamic file generated by luci on the fly.

You should still edit the XML and it will go in /etc/config/wireless during a config restore.

I see...so I was missing '< RemoteSSH>' ....:laughing:

wireless.region.json should be a configuration files.
Take a look at this firmware from TP-Link Malaysia.
https://static.tp-link.com/2018/201802/20180215/C1200v1_eu_tm-up-boot-1.0.0%20Build%2020180208%20rel.57928_2018-02-09_10.03.18.rar

By editing wireless.region.json at /www/webpages/data , one can make use of extra wifi 5ghz channels which is hidden away. The problem is.....one needs a method to copy the .json into the router.......

The Malaysia firmware has TR-069 enabled by default (can't be disabled) and additional suffix @unifi at guest wifi (heard it is a advertisement agreement between the telco and TP-Link Malaysia).

Official EU firmware version only has 5ghz channel 36, 40 , 44 and 48.
The Malaysia version has channel 36,40,44,48,100,120,161 and 165.

From what I can see, the webui (luci) load will try to find the configuration at /www/webpages/data , if it can't find wireless.region.json, then it will load default EU value. If it can find that .json file, then it will load MY value.

Have a look at \www\webpages\pages\userrpm\wirelessSettings.1516775402233.html from official EU C1200 V1 firmware https://static.tp-link.com/2018/201801/20180129/Archer%20C1200(EU)_V1_180124.zip

I'm sorry is not like that. The scripts will load the config from the files in /etc/ where uci stores the data.

You just need to edit /etc/config/wireless (if you downloaded the GPL source just take a look at ./IPlatform/platform/ibase/luci/src/contrib/uci/hostfiles/etc/config/wireless for an example).

To do so, simply add the values in XML format in your config file.

Now, I agree that then you potentially loose the ability to manipulate this from the web interface. It depends what you want to do.

I see....pardon my ignorance....still new in learning these stuff. :zipper_mouth_face:

Anyway, I tried to edit config.bin and add channel 165 (currently using official EU firmware), however I am sad to say it didn't work. It rebooted and automatically select channel 48. (Android Wifi Analyser also indicates channel 48 being used)

Hmm....turning txbf on for 2.4ghz in config.bin doesn't seem to do anything (no dbm improvement when streaming video to my phone and laptop) unlike 5ghz (GUI available for 5ghz only)

As far as I know the hw has not bf capabilities on the 2,4 Ghz spectrum. Regarding the channel there are other config options and files at play and you can use various tricks to set it, but you'd need to be creative about it.

I suggest you study how the various files work to bring up the wireless interface (e.g. tplink_brcm.sh) in the original firmware. I can't give you a pre-made solution because I don't have one. :slight_smile:

Good luck!

When I try to decrypt the config.bin I renamed from backup-Archer C1200-2018-01-03.bin, I got the error below, am I doing anything wrong? Running Ubuntu 16.04 on VMWare with my own compiled openssl including zlib from this guide:

Running the command:

openssl zlib -d -in config.bin | openssl aes-256-cbc -d -k ‘Archer C1200’ -out config.tar

I get the error below:

892:error:29065064:lib(41):BIO_ZLIB_READ:zlib inflate error:c_zlib.c:548:zlib error:data error
error reading input file

.....Did you configure your openssl with.....

./config --prefix=/usr
--openssldir=/etc/ssl
--libdir=lib
shared
zlib-dynamic &&
sudo make install

....after you ....

$ ./config zlib
$ make
$ sudo make install

...?

Note: beware of the apostrophe symbol for 'Archer C1200' if you copy paste the command from this forum. For some unknown reason, the apostrophe changes to another symbol after one copied/pastes from this forum. Better retype the apostrophe symbol.