MAC of br-lan and wan interface is not matching the real hardware address (Archer C5 v2)

Something weird is going on.

HxD tells me for offset e40000 that this offset does not exist. The last offset I have is 001AFFF0.
Also, when searching for any part of the MAC, I haven't found anything.
Only one MAC is listed on the device with A4:2B:B0:EA:11:FA.
I guess, for all MACs I need to flash the factory image.

For reference, here is the tplink.bin file I have exported via dd if=/dev/mtd4 of=/tmp/tplink.bin and copied via WinSCP to my Windows machine.
https://drive.google.com/open?id=0B6yS6HoT-MRKNG53bTdLTVFvRTQ


That's because mtd4 partition is a shortcut that points to address 0xe40000 from the base flash directly. Reading position 0x0 from mtd4 would be equal to read position 0xe40000 from base flash. So your dump file position 0x0 is in fact a dump from memory position 0xe40000.

You mean on the label or in the tplink partition? Because after downloading your partition, there is effectively only one MAC present. I think that this base MAC address is meant to be derived from for the other interfaces; that's why there is only one.

No, you don't have to. LEDE doesn't overwrite the special partitions, so the tplink partition is untouched. But if you mean to find out how the stock firmware really assigns its MACs, that could be interesting. My guess is that it will be A4:2B:B0:EA:11:FA for WAN, then A4:2B:B0:EA:11:FB, then A4:2B:B0:EA:11:FC and so on.

You were so close to finding it, tplink + 0x8: :yum:

@MaSt is 27050385 your PIN for WPS, by the way?


Very interesting facts about the MTD technology. I have never thought about it :sweat_smile:

I meant on the label.

YES it is listed as wireless password/pin on the label.

Now, with all this good information and research, I think it could be a good time to post a bug report and link to this thread.

Could an owner of an Archer C5 v2 post such a bug report, please? I can't file a bug report as I don't own such a device :grin:

Cc: @guidoa, @ssnake, @Klingon excuse me for inviting you indirectly, but it would really be appreciated if you were able to confirm Martin's findings about MAC address location in partition tplink.


Hello,
Sorry if the question is very basic, but how do I dump MTD4 to my HD so I can edit it to the factory MAC and then write it back to the firmware of the router, in my case an Archer C50?

Thank you all for the help.

From your post history, I see that you have good knowledge about reprogramming using EPROM and soldering, so I assume that you are after the instructions about editing your actual mtd4 partition, right?

  • The first step is to dump your mtd4 partition on /tmp:
    dd if=/dev/mtd4 of=/tmp/tplink.bin
  • Download it to your computer (using FileZilla for instance)
  • Use your favourite hex editor (I'm using HxD under Windows) to replace the MAC at offset 0xf100 with yours, using only the hexadecimal values of the MAC printed on your label:

I'm just pointing you out to the instructions as I haven't done that...

@DjiPi

Thank you for the help, I will read the posts and install the applications.

Are you familiar with compiling LEDE? Because it will involve modifying the source code and compiling it, unless there are already available tools for that.

@DjiPi No,

I never compiled a version of LEDE, so I will have a lot to study and learn before I can walk on my own; for this reason all information and help on the subject is welcome.

I have been researching how to do it on all the forums and websites, because the subject matter was very interesting. I first tried to use LEDE and ended up bricking my Archer C50, but I got it back from the dead, although not 100%, an error which I will not repeat with the new Archer C7 I bought.

Thank you and I count on the help of friends.

Guedes

OK, I'll try to help you with that in my spare time.

Since it's related to your bricked Archer C50, I'll post that into your thread.

Please keep a watch on this. It will be really interesting to modify it accordingly using a script, and be able to make an image for TP-Links that reads not just the MAC address to make the SSID look like the factory one "TP-LINK_XXXXXX", but also your PIN (also printed on the bottom label), and uses that as a default password too.

This was a post from me some time ago: https://forum.openwrt.org/viewtopic.php?id=69509

I reposted here: How to read TP-Link factory wireless pin from flash - art

In the meantime, until your WAN MAC is fixed, you can use MAC address cloning for the WAN interface and specify your own. This would allow you to have a working interconnected network, maybe. As for the LAN MAC, this would still be a problem, since I don't think that you can specify a custom one.

Yes, I already thought about that. But don't worry. It is an absolutely non-critical mission in a youth club. Currently, I am running one device successfully in the network. Sure, with less coverage in the distance, but nobody cares. They are happy that there is wireless internet access at all :smiling_imp:

@braian87b: Is there something I can share with you? Or something to test? I still have two TP-Link C5 on the bench.

Yes! I have several routers around to test, but not your model.
Please try to run (replace 80091905 with your PIN):

cat /dev/mtd0 | grep 80091905
cat /dev/mtd1 | grep 80091905
cat /dev/mtd2 | grep 80091905
cat /dev/mtd3 | grep 80091905
cat /dev/mtd4 | grep 80091905
cat /dev/mtd5 | grep 80091905
cat /dev/mtd6 | grep 80091905

Try /dev/mtd0ro or /dev/mtdblock0 instead of /dev/mtd0 if you don't find anything.

info here: How to read TP-Link factory wireless pin from flash - art


As DjiPi already determined correctly from the dump, my WDS PIN is located in mtd4 (tplink partition, as the Archer C5 v2 does not have an art partition) at several positions. The first hit is at hex address 0x208:

root@NODE04:~# hexdump -C -s 0x208 /dev/mtd4  | head -n 1

returns this output:

00000208  32 37 30 35 30 33 38 35  ff ff ff ff ff ff ff ff  |27050385........|

In hex, 32 37 30 35 30 33 38 35 is exactly the WDS PIN printed on the device label.
I have confirmed this on two other devices.

By the way, in the meantime I have found my mistake, the reason why I was unable to find my device's MAC address.
I searched in HxD only in the text strings, but I had to search in the hex values instead. With this in mind, the MAC was easy to find. The first hit at 0x8 was only the LAN MAC, but there is another position which contains the other ones.

The further positions are:
0x50138 --> A4 2B B0 EA 11 FA
0x50140 --> A4 2B B0 EA 11 FB
0x50146 --> A4 2B B0 EA 11 FC

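To tie together DjiPi's explanation that dump offset 0x0 of mtd4 is flash offset 0xe40000, the LAN MAC at tplink + 0x8, and the PIN and MAC slots Martin located above, here is an added Python helper (not code from the thread or from LEDE) that reads those fields from a tplink.bin dump and converts the dump offsets to absolute flash offsets; the sample partition it builds is constructed from the values quoted in this thread, and the 0x51000 size, the field names and the OUI-scan heuristic are my assumptions.

```python
import re

MTD4_FLASH_BASE = 0xE40000   # mtd4 ("tplink") starts here in the raw flash, per DjiPi
LAN_MAC_OFFSET = 0x8         # "tplink + 0x8": first MAC in the partition
WPS_PIN_OFFSET = 0x208       # first hit of the 8-digit ASCII PIN, per Martin
WPS_PIN_LEN = 8

def build_sample_partition(base_mac: bytes, pin: str) -> bytes:
    """Constructed stand-in for a tplink.bin dump: erased flash (0xff) with the
    fields placed where the thread found them on an Archer C5 v2. Size is assumed."""
    buf = bytearray(b"\xff" * 0x51000)
    buf[LAN_MAC_OFFSET:LAN_MAC_OFFSET + 6] = base_mac
    buf[WPS_PIN_OFFSET:WPS_PIN_OFFSET + WPS_PIN_LEN] = pin.encode("ascii")
    # The three further MAC slots Martin listed (offsets and last bytes from the thread)
    for off, last in ((0x50138, 0xFA), (0x50140, 0xFB), (0x50146, 0xFC)):
        buf[off:off + 6] = base_mac[:5] + bytes([last])
    return bytes(buf)

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)

def find_mac_slots(dump: bytes, oui: bytes):
    """Every offset where the label's OUI (first three MAC bytes) starts a 6-byte
    value: searching the hex bytes, not the text strings, as Martin found out."""
    return [(m.start(), fmt_mac(dump[m.start():m.start() + 6]))
            for m in re.finditer(re.escape(oui), dump)]

def inspect_partition(dump: bytes) -> dict:
    """Summarise the identity data in a tplink partition dump. The WPS PIN sits
    in the dump as plain ASCII, so a shared dump file exposes it."""
    lan_mac = dump[LAN_MAC_OFFSET:LAN_MAC_OFFSET + 6]
    pin_raw = dump[WPS_PIN_OFFSET:WPS_PIN_OFFSET + WPS_PIN_LEN]
    pin = pin_raw.decode("ascii") if pin_raw.isdigit() else None
    slots = find_mac_slots(dump, lan_mac[:3])
    return {
        "lan_mac": fmt_mac(lan_mac),
        "wps_pin": pin,
        "mac_slots": slots,
        # dump offset -> absolute flash offset (dd on /dev/mtd4 starts at 0xe40000)
        "flash_offsets": {hex(off): hex(off + MTD4_FLASH_BASE) for off, _ in slots},
    }

if __name__ == "__main__":
    # For a real device: inspect_partition(open("tplink.bin", "rb").read())
    sample = build_sample_partition(bytes.fromhex("A42BB0EA11FA"), "27050385")
    print(inspect_partition(sample))
```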

Do you know which one is associated with what? Finally maybe you'll need to install stock tp-link firmware to know what is what...

So A4:2B:B0:EA:11:FA is not your WAN MAC? The WAN MAC is printed on the label.

I have flashed the stock image
archer_c5v2_en-up-ver3-17-3-P1[20150130-rel33049].bin

It shows me the following MACs on the status page:

LAN
MAC Address: A4-2B-B0-EA-11-FA

Wireless 2.4GHz
MAC Address: A4-2B-B0-EA-11-F9

Wireless 5GHz
MAC Address: A4-2B-B0-EA-11-F8

WAN
MAC Address: A4-2B-B0-EA-11-FB

But I was not able to log into the stock firmware via SSH; it seems that in the stock firmware the SSH feature is limited to a TP-Link app called 'Tether'.
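The stock status page above gives the scheme the factory firmware uses relative to the label MAC (LAN = label, 2.4 GHz = label-1, 5 GHz = label-2, WAN = label+1). As an added example, not from the thread or from LEDE, the Python below derives the expected set from a label MAC with proper 48-bit borrow/carry and reports where the MACs an image actually assigns (e.g. what br-lan and wan show) differ; the interface names and the `check_macs` helper are my own.

```python
def mac_to_int(mac: str) -> int:
    """Accept both 'A4-2B-B0-EA-11-FA' (stock UI) and 'a4:2b:b0:ea:11:fa' (ip link)."""
    return int(mac.replace(":", "").replace("-", ""), 16)

def int_to_mac(n: int) -> str:
    n &= (1 << 48) - 1                      # wrap like a 48-bit counter
    return ":".join(f"{(n >> s) & 0xFF:02X}" for s in range(40, -1, -8))

# Offsets from the label MAC as read off the stock Archer C5 v2 status page
STOCK_LAYOUT = {"lan": 0, "wlan2g": -1, "wlan5g": -2, "wan": +1}

def derive_macs(label_mac: str, layout=STOCK_LAYOUT) -> dict:
    """Expected MAC per interface; the subtraction borrows across bytes, so a
    label ending in :00 gives a 2.4 GHz MAC ending in :FF of the previous byte."""
    base = mac_to_int(label_mac)
    return {iface: int_to_mac(base + delta) for iface, delta in layout.items()}

def check_macs(label_mac: str, observed: dict) -> dict:
    """Compare observed MACs (iface -> string, any notation) with the stock scheme.
    Returns {iface: (expected, observed)} for mismatches only, so an empty dict
    means the image reproduces the factory assignment."""
    expected = derive_macs(label_mac)
    mismatches = {}
    for iface, seen in observed.items():
        if iface not in expected:
            continue
        seen_norm = int_to_mac(mac_to_int(seen))
        if seen_norm != expected[iface]:
            mismatches[iface] = (expected[iface], seen_norm)
    return mismatches

if __name__ == "__main__":
    # Constructed observation: a LEDE image giving br-lan and wan the same MAC
    print(check_macs("A4-2B-B0-EA-11-FA",
                     {"lan": "a4:2b:b0:ea:11:fa", "wan": "a4:2b:b0:ea:11:fa"}))
```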

Too bad that there was no more progress in the meantime. I have tried to open a bug myself, but it seems to be impossible for non-insiders. For my current project, I am going to look for another hardware base, maybe also with full support of the wireless chipsets in the 5 GHz band. I was fully aware that the Archer C5 was not fully supported, but it was the nearest available device.

Nevertheless, I want to say thank you to everyone who helped me so far.

Hello Martin,
would you please send me a full dump from your router "C5 v2"?
I want a full dump.