Is it safe to buy a used router?

Hello everyone,

I currently have a good offer for a used TP-Link Archer C2600. This is a device with powerful hardware; unfortunately you can't buy new ones (at least not for an affordable price).

So I'm thinking about buying this used one, but how can I be sure it isn't compromised regarding software? Currently the stock firmware is installed, so will I be safe when installing openwrt because everything in the flash is overwritten anyway?

Sorry if that's a noob question, but I'm a bit anxious about my personal network being compromised.

Best regards,
Chris

It's safe, depending on the size of your tinfoil hat you might want to reflash it instead of just doing a factory reset.

I have a vague memory of some quirks specific for this model but you have to do your own research.

1 Like

And what about a brand new one ??????

Almost everything is overwritten. Usually the bootloader is left intact (but you can assume it to be genuine if it boots stock firmware and if the PCB hasn't been tampered with) and some models also have some sort of vendor config partition which is sometimes left alone by OpenWrt. This partition might contain settings from a previous OEM firmware install, like wifi keys or similar. But if at all, that wouldn't be a problem for you but for the person selling the device.

1 Like

If YOU are the one who installs openwrt from a known good source, then you are pretty much good to go.

2 Likes

Thank you very much @jow! That's what I was hoping to hear.

Just in case - is there a way to restore the bootloader partition? Maybe by flashing the stock firmware?

@Pferdebockwurst I bought a used C2600 some months ago, and it is working great (in my case it is working as a dumb AP, not as a router). If you want (I did it!!!), you can reflash it with stock firmware before installing OpenWrt; follow the guide found here: [Solved] Reset Archer C2600 to original firmware

After that, get the latest dev OpenWrt firmware version found here https://downloads.openwrt.org/snapshots/targets/ipq806x/generic/openwrt-ipq806x-tplink_c2600-squashfs-factory.bin and flash it (directly from the stock GUI), then "enjoy" your new router!!!

1 Like
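A way to check that a downloaded image really matches what a "known good source" published, by comparing it against a `sha256sum`-style checksum list. This is an added example, not part of any post in this thread; the image bytes and the listing are constructed stand-ins, and the authenticity of the checksum list itself (HTTPS download, detached signature) has to be established separately.

```python
import hashlib
import hmac
import os
import tempfile

# File name taken from the download link in the post above.
IMAGE_NAME = "openwrt-ipq806x-tplink_c2600-squashfs-factory.bin"


def parse_sha256sums(text):
    """Parse '<hex> *<name>' or '<hex>  <name>' lines into {name: hex digest}."""
    sums = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            sums[name] = digest
    return sums


def file_sha256(path, chunk=1 << 16):
    """Hash the file in chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, sums_text, name=IMAGE_NAME):
    """Return 'ok', 'mismatch', or 'not-listed' (never treat the last two as safe)."""
    expected = parse_sha256sums(sums_text).get(name)
    if expected is None:
        return "not-listed"
    return "ok" if hmac.compare_digest(file_sha256(path), expected) else "mismatch"


def demo():
    good = b"constructed stand-in for a firmware image\n" * 100  # not real firmware
    listing = "%s *%s\n%s *other.bin\n" % (
        hashlib.sha256(good).hexdigest(), IMAGE_NAME, "0" * 64)
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, IMAGE_NAME)
        for label, data in (("intact", good), ("truncated", good[:-1])):
            with open(path, "wb") as f:
                f.write(data)
            results[label] = verify_image(path, listing)
        results["unlisted"] = verify_image(path, listing, name="missing.bin")
    return results
```

Only flash when the result is `ok`; a `mismatch` usually means a truncated or altered download, and `not-listed` means the checksum list does not cover that file at all.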

Thanks for linking these interesting topics. But how do you flash it via stock GUI, I thought openwrt wouldn't be accepted as a valid firmware update?

The OpenWrt wiki isn't very informative about this question. Try it with the OEM web gui, and if it doesn't work, use the TFTP method which the wiki suggests will work:

https://openwrt.org/toh/tp-link/tp-link_archer_c2600_v1#oem_installation_using_the_tftp_method

It works in C2600, tested by myself many times.

Well, that would really surprise me, as I've read this nowhere else. But you might simply have another revision or something like that. You're lucky because you obviously don't have to solder to get a serial connection.

If it's rejecting it, rename the file to "ArcherC2600_1.0_tp_recovery.bin" before flashing.

To prevent misunderstanding, do you mean flashing via GUI or TFTP?

Safe, sure! Will it provide privacy and security? No, that is on you and your network configuration to a large degree. Will you be spied on? Yes, every day advertisers collect your data and they sell it. The NSA has backdoor keys to your Windows PC since the advent of Windows 95. As of Windows 7 and forward (8, 8.1, 10), data collection is done by default in Windows! https://i.imgur.com/zPF2k89.png It is right in your face. Prism program then collects that data. How is this data used? This data is used for many things, but initially it can not be used as admissible evidence in a court of law, many say, but this is simply not true. The NSA is allowed to profile and then flag you, at which point I believe you can be spied on legally depending; no one knows what this flag means for sure! It could mean a request for FISA permission to spy, which would make any and all things collected admissible. However, not one person could say either way with absolute certainty because policy at this level is not even public, but you can bet your bottom dollar that this likely holds true to some degree. If they can get a warrant on a president for PPGATE scandal, they can surely get a warrant on you due to being flagged automatically for using the wrong keywords online. It really is a shame but it is true. The problem is economics is the root cause behind this all; it all boils down to dollars in the end. You may not use Microsoft, good for you, but there are similar policies elsewhere, be it Google, Facebook and many other online services. It is possible you could be flagged for simply watching something crazy on Netflix. It is a bit duplicitous in nature and spells disaster for the mental state of our great nation.

It is not just software-based data collection; there are hardware-based data collection vectors which exist as well and have existed since the mid 2000s and even earlier than that in our most prized processors. The Intel Management Engine, and Trust Zone for AMD and ARM variants https://libreboot.org/faq.html#amd to learn more!

There has also been a rash of hardware companies implementing other things into firmware in recent years to compromise your PC and collect sensitive data sometimes even bad actors steal your financials in this way. hXXps: backslash backslashwww dot sfgate dot com/g00/business/article/Virus-from-China-the-gift-that-keeps-on-giving-3227869.php?i10c.encReferrer=&i10c.ua=1&i10c.dv=6 I remember reading articles on numerous occasions where Chinese or Russian manufacturers have sold products with software or firmware when this first started surfacing and I took note was the advent of a pretty cool gift item at the time called a digital picture frame.

The truth is we are in the middle of a cyber war and have been in the middle of it for about the last couple of decades or so. I understand to a degree that we must protect against enemies both foreign and domestic but, the definition of what constitutes an enemy has been greatly overstepped.

Does this mean that everything is a Zero Sum Gain? NO! What can you do? Take all appropriate measures to secure your network the best you can. Support projects that involve cryptographic schemes in open source. Support organizations that wage legal battles against these types of activities, like the EFF. One way of supporting these groups is through Amazon Smile; it costs you nothing to do so! Read every petition that has to do with privacy and if there is no covert crap put in the petition, sign it! It costs you very little time and effort to do so. Elect officials that have clear records of supporting your rights as a free citizen. Oftentimes officials that get elected say a lot that sounds good to you, but their records of what they have said and how they voted or where they stand are a bit shaky. Support companies who are opposed to this and have good data collection policies.

Finally, DO NOT GIVE IN! There is a concerted effort right now that wants you to believe that you have no voice, what you think is crazy, and you are a certain type of person for wanting your constitutional rights to freedom, privacy, life, and liberty, coming at you from both sides of the aisle from every media outlet. Keep up the pressure; with very little effort, steps in the right direction will be made.

Remember, it is not on everyone else to save us it is our duty to save ourselves from ourselves essentially. While you may have no reason to suspect that any of it matters to you now, that could change later. What is socially acceptable is a constantly changing landscape and data collected from you early in your lifetime could at some point bear bad news for you later in your lifetime as things become more strict and stringent. Many people have unwittingly experienced this in their professional careers believing that their identity and information was safe on an open social media platform on the contrary it is not and what made people believe that is beyond me to a large degree. But the very fact that people do believe this is a problem they believe in something that should have been but has changed without them knowing. It is the equal to pulling up to a drive-in speaker and reading the board and the board says a hamburger is a dollar but by the time they go to pay the hamburger costs 5 dollars because the price has changed in that time unbeknownst to them.

In closing, not all things are nefarious either it is important to discern this as well. For instance the 7COT (7 Cups Of Tea) program is a program that provides emotional support for people who become distressed online. It is there with good intention and preliminary evidence that people in emotional distress may find non-professionals support delivered through the use of technology to be helpful. A simple example of a good use case of data collection to provide psychotherapy with tax dollars to those in need. However, this could be used to negatively influence people as well it is important to note this! The real problem here is we must reserve absolute power for the collective only decentralized nodes with limits on how much pull they have on the total picture.

At this point we have not reached a point in our social acceptance to realize that there is no evil or good or duality there is only indifference and we are not grown up enough to accept that our actions, our words, and how we treat ourselves and others has been a resultant cause of the indifference. Essentially, we are all divided through our indifference and we should remain United as a network of endless possibility.

Sorry for the long response but I think your concern is important and I addressed it the best way I know how a long drawn out response to try to leave little question on the table. There may be run on sentences, bad missed punctuation I did not proofread or edit anything but the response is free to read and copy and edit as you see fit.
