Build for TP-Link Archer C1200-AC1200

Hi Artur! :wink:

As I was too lazy to do the full build system configuration, I used this simple bash script, executed on Ubuntu, to build busybox for the AC1200.

#!/bin/bash

# Cross-compiler toolchain base path
toolchain=/var/tmp/hndtools-arm-linux-2.6.36-uclibc-4.5.3

export PATH=$toolchain/bin:$PATH
export LD_LIBRARY_PATH=$toolchain/lib

host=arm-brcm-linux-uclibcgnueabi

export CROSS_COMPILE=$host-

# Enter the directory with busybox sources; stop if it is missing
cd opensource/busybox/src || exit 1

# create busybox applets configuration or use some default
make menuconfig
#make defconfig
#
# build application
#
make

$host-readelf -a busybox > busybox.elf

Now you can transfer the application to the destination system. I just used 'scp' to copy the busybox file to the /tmp directory of the router. If you need a permanent update, you'll probably have to rebuild the rootfs squashfs, replacing the files you wish, and then flash it into the ROM.

Regards
D

2 Likes

Hello, sir.
Mine is a C1200 V2 (EU), same as yours.
The file you shared is no longer available.

Would you please share it again? I'd really appreciate that.
I really need my router to have 5GHz channels 36-165.

Has anyone tried to change the wifi country code to US or AU? Both are well known for the strongest txpower on many routers; not sure if it works the same on the C1200 V1.

wl shows the maximum txpower for the US country as 22.50 (dBm); for some channel configurations it is less. Maximum txpower for AU is 22.00 (dBm).
EU is less: 21.00 (dBm) maximum, and limited to 16.00 (dBm) for wide channels.

PS you need to achieve root access to change the country code without rebooting the router.

1 Like

What about EU and MY?

I wasn't able to build anything with your script (maybe something is different in the toolchain), but I was able to build an executable that works! (And yes, I wasn't able to create a proper Makefile, so I'm building manually.)
Thank you!

The next point is to compile something like htop.
And figure out how to properly rebuild the rootfs squashfs or connect overlayfs.

The toolchain variable in the script should point to the root directory of the unpacked tar archive with the toolchain.
I used the busybox sources distributed with the firmware and only changed the configuration.
The busybox sources are located one level below, in the src directory. The script enters this directory first, then runs make menuconfig and then make.
It shouldn't be difficult to rebuild the rootfs itself, unlike the firmware update binary. There is some tool in the OpenWrt distribution, but I'm not sure that the TPLink web GUI will accept the file it produces.
If you have ssh root access, then you can flash the rootfs image file directly with the nvrammanager utility into the nvram partition.
Why do you need htop, as there is a top applet included in busybox?
No way for the overlay, at least on the AC1200, as the kernel version they provided is just one step before the kernel overlay support. It was introduced in 2.6.37, but the version from TPLink is 2.6.36 :rage:, and rebuilding the whole kernel will be a separate story...

1 Like

I need that, too :cold_sweat:

Could anyone teach me how to change the country code? I can't use 5GHz.

In WiFi, 3dBm = 100% more power, so if we use US it means we will have 50% more txpower than EU, not bad.

There is probably an additional variable needed, like CC or CXX. I don't know exactly yet...

I just like it more.
But for it I need to build ncurses, and then htop. And I had some difficulties with it...
Also, I've tried to build the openwrt sources that are provided under the GPL license, but it just got stuck on make menuconfig at some point.

In nvrammanager I can see different partitions, logs are here and I'm not sure which one I should use (there is no nvram partition)...

Yes... Kernel is old and same version as in AC1200 Linux Akronite 2.6.36.4brcmarm #32 SMP PREEMPT Tue Dec 15 13:55:41 CST 2015 armv7l GNU/Linux
Also, please check private messages on the site. I've sent some text in Russian :wink:

> There is probably an additional variable needed, like CC or CXX

No, not for busybox.

> But for it I need to build ncurses

There is a pre-built ncurses library; you can find it in the GPL code.

> In nvrammanager I can see different partitions

Your target is one of the file-system partitions. Only one such partition exists in my router.

1 Like

Can you please show us how to change the region? I mean step by step, because we have no idea how to do it. Thanks!

Hello,
If anyone is interested in editing rootfs here's how:

To enable the root account I used the 10-usb method:

  • passwd and set new one
  • copy /etc/shadow to usb or your PC

Read rootfs:

  • nvrammanager --read=/tmp/yourfilenamehere --partition=file-system
  • copy to your Linux distro

Editing rootfs:

  • unsquash it, replace shadow
  • mksquashfs squashfs-root/ yournewrootfs -noappend -all-root
    (for making rootfs I used mksquashfs from GPL source code, you can get it here)

I had an issue replacing stock binaries (busybox/proftpd...) with newer ones, as this made the system unbootable. So, to obtain busybox with more features, I simply copied it under the /root directory with permissions 4755; after that I log in as root with /root/busybox login.

If the result is bigger than 13 107 200 bytes, it won't fit into flash. I gained space by removing unwanted languages under /www/webpages/locale and linking them to en_US.

To copy the new file-system back, use scp (write under /tmp).

Rewriting file-system:

  • nvrammanager --write=/tmp/yournewfilesystem --partition=file-system
  • reboot

If everything went well, you should have a working busybox and a password-protected root account.
If not, reflash the firmware via recovery.
I also removed the startup of a few modules from init.d/ and modules.d/ (you can experiment with that if you feel like it).

About overlay:
I was going through uci config and noticed fstab mentioning it

root@Akronite:~# uci show fstab
fstab.automount=global
fstab.automount.from_fstab=1
fstab.automount.anon_mount=1
fstab.autoswap=global
fstab.autoswap.anon_swap=0
fstab.autoswap.from_fstab=1
fstab.@mount[0]=mount
fstab.@mount[0].enabled_fsck=0
fstab.@mount[0].options=rw,sync
fstab.@mount[0].device=/dev/sda1
fstab.@mount[0].fstype=ext4
fstab.@mount[0].target=/overlay
fstab.@mount[0].enabled=0
fstab.@swap[0]=swap
fstab.@swap[0].device=/dev/sda2
fstab.@swap[0].enabled=0

I haven't tested it out, but it looks like formatting usb drive with ext4 fs and setting enabled to 1 might do the trick (although it's not the jffs2 overlay)

I tried to port my old patches to the new kernel, but I quickly found out that my serial is no longer working (I can send commands, but I can't see anything), so I can't debug and progress. I built both squashfs and initramfs (both in drive), but only the latter might boot. None of them has a working ethernet link out of the box. You can send me the dmesg log if there is an issue; I can't really tell. I recommend doing a full flash backup before proceeding. (I managed to overwrite the tp-link partition once and had to write my backup directly to the unsoldered flash...)

2 Likes
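A pre-flash sanity check for the rootfs rewrite procedure above, as an added example that is not code from any poster in this thread. It assumes the `nvrammanager --read` dump and the rebuilt image are plain files on the PC and that a standard squashfs 4.x superblock is in use (a vendor mksquashfs may differ, in which case only the size and magic comparisons apply); `preflash_check`, `superblock_info` and `fake_image` are hypothetical names and the sample images are constructed.

```python
import hashlib
import struct

MAX_ROOTFS_BYTES = 13_107_200      # flash limit quoted in the post above
STD_SQUASHFS_MAGIC = b"hsqs"       # assumption: standard little-endian squashfs 4.x

def superblock_info(image: bytes):
    """Return (major_version, bytes_used) for a standard squashfs image, else None."""
    if len(image) < 48 or image[:4] != STD_SQUASHFS_MAGIC:
        return None
    major, = struct.unpack_from("<H", image, 28)       # s_major
    bytes_used, = struct.unpack_from("<Q", image, 40)  # bytes_used
    return major, bytes_used

def preflash_check(original: bytes, rebuilt: bytes):
    """Compare a rebuilt rootfs with the dump read from the router.

    Returns (problems, sha256_hex); an empty problem list means no check failed.
    """
    problems = []
    if len(rebuilt) > MAX_ROOTFS_BYTES:
        problems.append(f"image is {len(rebuilt)} bytes, limit is {MAX_ROOTFS_BYTES}")
    if rebuilt[:4] != original[:4]:
        problems.append("magic differs from original dump: wrong mksquashfs or wrong file")
    old, new = superblock_info(original), superblock_info(rebuilt)
    if old and new:
        if new[0] != old[0]:
            problems.append(f"squashfs major version {new[0]} != original {old[0]}")
        if new[1] > len(rebuilt):
            problems.append("superblock bytes_used exceeds file size: image truncated")
    return problems, hashlib.sha256(rebuilt).hexdigest()

def fake_image(size, major=4, magic=STD_SQUASHFS_MAGIC, bytes_used=None):
    """Constructed sample: zero-filled buffer with only the superblock fields set."""
    buf = bytearray(size)
    buf[:4] = magic
    struct.pack_into("<H", buf, 28, major)
    struct.pack_into("<Q", buf, 40, size if bytes_used is None else bytes_used)
    return bytes(buf)

if __name__ == "__main__":
    original = fake_image(4096)
    for name, img in [("good", fake_image(8192)),
                      ("too big", fake_image(MAX_ROOTFS_BYTES + 1)),
                      ("truncated", fake_image(8192, bytes_used=16384))]:
        problems, digest = preflash_check(original, img)
        print(name, problems or "OK", digest[:16])
```

The returned SHA-256 can be compared with a checksum of the file taken on the router after the scp, if the router's busybox provides one, before running `nvrammanager --write`.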

Is there any progress?
Thank you

1 Like

I know this is a dead topic but maybe someone will answer. :grinning: I have a tp-link Archer AX10 / AX1500 and I want to decrypt the backup config file so I can get ssh access (because the default firmware blocks all incoming IPv6 connections and my personal web server is inaccessible over IPv6). I tried the described method (from the C1200) but nothing worked. From what I could find out, my router is from the same "generation" as the C1200 (new logo; they both have this recovery method: https://www.tp-link.com/us/support/faq/1482/, and like the C1200 the AX10/AX1500 also uses a custom OpenWrt 12.09-rc1).
Do you guys have any idea how to crack the backup config file?

Could you re-upload dropbear.tar.bz2? It contained 3 blank files. Thanks!

Hi, a lot of useful information there. I've got a TP-Link Archer C1200 EU V2.1, and I just found out that I can get a root shell by plugging my PC into the board's serial port (as described there: https://openwrt.org/toh/tp-link/tp-link_archer_c1200_2). I guess that might be helpful for others interested in playing with their device.

I used the following command on my pc:

$ minicom -D /dev/ttyUSB0 -b 115200

Then by pressing enter, I get a root shell:

BusyBox v1.19.4 (2018-01-18 10:20:44 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

     MM           NM                    MMMMMMM          M       M
   $MMMMM        MMMMM                MMMMMMMMMMM      MMM     MMM
  MMMMMMMM     MM MMMMM.              MMMMM:MMMMMM:   MMMM   MMMMM
MMMM= MMMMMM  MMM   MMMM       MMMMM   MMMM  MMMMMM   MMMM  MMMMM'
MMMM=  MMMMM MMMM    MM       MMMMM    MMMM    MMMM   MMMMNMMMMM
MMMM=   MMMM  MMMMM          MMMMM     MMMM    MMMM   MMMMMMMM
MMMM=   MMMM   MMMMMM       MMMMM      MMMM    MMMM   MMMMMMMMM
MMMM=   MMMM     MMMMM,    NMMMMMMMM   MMMM    MMMM   MMMMMMMMMMM
MMMM=   MMMM      MMMMMM   MMMMMMMM    MMMM    MMMM   MMMM  MMMMMM
MMMM=   MMMM   MM    MMMM    MMMM      MMMM    MMMM   MMMM    MMMM
MMMM$ ,MMMMM  MMMMM  MMMM    MMM       MMMM   MMMMM   MMMM    MMMM
  MMMMMMM:      MMMMMMM     M         MMMMMMMMMMMM  MMMMMMM MMMMMMM
    MMMMMM       MMMMN     M           MMMMMMMMM      MMMM    MMMM
     MMMM          M                    MMMMMMM        M       M
       M
 ---------------------------------------------------------------
   For those about to rock... (Attitude Adjustment, r12067)
 ---------------------------------------------------------------
root@Akronite:/#

Enjoy !

Well, I just bricked my "tp-link Archer C1200 EU V2" router.

I flashed the "Tenda AC9 OpenWrt" firmware on my router (as the chips seem to be the same), and could successfully boot OpenWrt on the Archer C1200 once.

After a long story(*), I basically failed to back up my factory firmware and flashed my trx and nvram partitions with garbage. Now, I can't get the bootloader to pass a partition check whatever firmware I then flash:

...
Reading Partition Table from NVRAM ... OK
Parsing Partition Table ... OK
[NM_Error](nm_api_readPtnFromNvram) 00134: partition name not found.
...

Full log:

�Decompressing...doneton release...done


CFE version 9.10.178.50 (r635252) based on BBP 1.0.37 for BCM947XX (32bit,SP,)
Build Date: Thu Sep  8 14:49:19 CST 2016 (seal@seal-pc)
Copyright (C) 2000-2008 Broadcom Corporation.

Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
DDR Clock: 533 MHz
Info: DDR frequency set from clkfreq=900,*533*
No GPIO defined for BBSI interface
No BBSI device
bcm_robo_enable_switch: EEE is disabled
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 9.10.178.50 (r635252)
CPU type 0x0: 900MHz
Tot mem: 131072 KBytes

CFE mem:    0x00F00000 - 0x02FB912C (34312492)
Data:       0x00F6B754 - 0x00F70C04 (21680)
BSS:        0x00F70C10 - 0x00FB712C (288028)
Heap:       0x00FB712C - 0x02FB712C (33554432)
Stack:      0x02FB712C - 0x02FB912C (8192)
Text:       0x00F00000 - 0x00F5F4F4 (390388)

Device eth0:  hwaddr AA-BB-CC-DD-EE-00, ipaddr 192.168.1.1, mask 255.255.255.0
        gateway not set, nameserver not set
Reading Partition Table from NVRAM ... OK
Parsing Partition Table ... OK
[NM_Error](nm_api_readPtnFromNvram) 00134: partition name not found.

factory boot check integer read flag partition fail.
Device eth0:  hwaddr AA-BB-CC-DD-EE-00, ipaddr 192.168.0.1, mask 255.255.255.0
        gateway not set, nameserver not set
CFE>

If anyone happens to be able to dump their factory firmware or knows how to extract the trx binary from the firmware available on tp-link official page or has any other idea, I'd be happy to try to unblock my router. And ideally try to have OpenWrt work on it !

(*) Long story there: http://www.florentflament.com/blog/openwrt-and-tp-link-archer-c1200-eu-v2.html
Regards

2 Likes

Current versions of openssl require an md5 flag. The following worked for me on a C1200v2.0:

encrypt:
openssl aes-256-cbc -md md5 -k 'Archer C1200' -d -in config.bin | openssl zlib -d > config.tar
decrypt:
openssl zlib -in config_new.tar | openssl aes-256-cbc -md md5 -k 'Archer C1200' -out config_new.bin
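
Why the `-md md5` flag in the post above matters, as an added example not written by the poster: `openssl enc -k` derives the AES key and IV from the passphrase and the file's salt with a single digest pass (EVP_BytesToKey), and OpenSSL 1.1.0 changed the default digest from MD5 to SHA-256, so a file written under the old default fails to decrypt unless MD5 is requested. The function names and the sample blob are constructed, and the `Salted__` header is the standard salted `openssl enc` format, assumed here for config.bin.

```python
import hashlib

def evp_bytes_to_key(passphrase: bytes, salt: bytes, digest: str,
                     key_len: int = 32, iv_len: int = 16):
    """OpenSSL's legacy EVP_BytesToKey with one iteration, as used by `openssl enc -k`.

    D1 = H(pass || salt), Dn = H(Dn-1 || pass || salt); key and IV are cut
    from D1 || D2 || ... in that order.
    """
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + passphrase + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]

def split_salted(blob: bytes):
    """Split salted `openssl enc` output into (salt, ciphertext)."""
    if len(blob) < 16 or blob[:8] != b"Salted__":
        raise ValueError("no 'Salted__' header: not salted openssl enc output")
    return blob[8:16], blob[16:]

def keys_for_both_defaults(blob: bytes, passphrase: bytes):
    """Derive (key, iv) under the old (md5) and the current (sha256) default digest."""
    salt, _ = split_salted(blob)
    return {d: evp_bytes_to_key(passphrase, salt, d) for d in ("md5", "sha256")}

# Constructed sample: header, an 8-byte salt, and 32 zero bytes standing in
# for ciphertext. The passphrase is the one quoted in the post above.
SAMPLE = b"Salted__" + bytes(range(8)) + bytes(32)

if __name__ == "__main__":
    for digest, (key, iv) in keys_for_both_defaults(SAMPLE, b"Archer C1200").items():
        print(f"{digest:7s} key={key.hex()} iv={iv.hex()}")
```

The two digests give unrelated keys for the same passphrase and salt, which is why a newer openssl without `-md md5` cannot read a file produced with the old default.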