Support for Archer C9 HW ver 5.0

oslyak · August 6, 2018, 1:31am

Hello!

I have TP-Link Archer C9 HW ver 5.0.
In openwrt there is no support for this HW revision, but there is support for HW ver 1.0
The differecnce is not so big.

wikidev TP-LINK Archer C9 v1
wikidev TP-LINK Archer C9 v5

Downloaded openwrt-18.06.0-bcm53xx-tplink-archer-c9-v1-squashfs.bin
But firmware WEB interface upgrade tells that wrong file type.
TFTP doesn't works too.

But I have UART console root access.
So, I made backup from all /proc/mtd

And now try:
mtd write /tmp/openwrt-18.06.0-bcm53xx-tplink-archer-c9-v1-squashfs.bin rootfs

Could not open mtd device: rootfs
Can't open device for writing!

mtd unlock /dev/mtd3

Could not open mtd device: /dev/mtd3
Could not open mtd device: /dev/mtd3

Please, help me to install OpenWRT on this device.

As I understand, it should works but witout WiFi or LAN drivers - it will be my next issue.

P.S. Also have acces to CFE loader. May be install through CFE bootloader?

slh · August 6, 2018, 1:44am

Just to make sure that you're aware of this, BCM4360 (both of your wlan cards) has only very basic support in b43, this means 54 MBit/s (802.11g) at most.

oslyak · August 6, 2018, 4:39pm

Thank You!

I understand about WiFi module, after installing OpenWRT I will try to install DD-WRT up on it.
DD-WRT has proprietary driver from broadcom.
But there is DD-WRT archer-c9v4-webflash.bin only for C9 HW ver. 4
And original TPL-Link WEB UI tells: Invalid file type.

So, I have access to CFE and have root access to original firmware that has mtd tool.

Please, help me to install it.

P.S. HW ver. 4 and ver. 5 are identical.

goden1357 · February 28, 2019, 11:18pm

Could you dump your cfe of 5.0 verion for me ? Because my c9 was earsed cfe by myself and it has been brick for a long time. could you help me ?

denischang · April 2, 2019, 8:06am

I hope openwrt support to Archer c9 v5.

oslyak · April 15, 2019, 3:17pm

No, OpenWRT has no support of TP-Link Archer c9 v5

tmomas · April 15, 2019, 5:24pm

With which git-commit has OpenWrt support been added for v5?

oslyak · April 15, 2019, 6:14pm

I'm sorry, I confused C9 and C7.

vreppeto · April 15, 2019, 10:03pm

Do you router that is supported in open wrt? I do. I'm going to build firmware it from the source files of open wrt. We could do it together. Let me know.

libmuy · November 4, 2021, 11:16am

@oslyak Hi, could you tell me where is the serial pin in the PCB board?
Thank you

oslyak · November 8, 2022, 12:02pm

Sorry, I no longer have this router

l.scorcia · March 14, 2023, 6:12pm

Hi, I know OpenWrt will probably never support this router (Archer C9 v5), however I spent some time recovering the config backup encryption key and here are the commands to decode it:

openssl aes-256-cbc -d -k ArcherC9 -in backup-ArcherC9-2023-03-14.bin -out decrypted.bin -md md5
openssl zlib -d decrypted.bin -out uncompressed.tar

or if you are using openssl without zlib:

sudo apt install pigz
unpigz < decrypted.bin > uncompressed.tar

Config is actually a tar archive with a couple of files - the interesting one is called ori-backup-user-config.bin.

As you can see, the key is ArcherC9 - which is actually extracted at runtime from the product_name uci configuration variable (look for enc_file in /usr/lib/lua/luci/controller/admin/firmware.lua). Next step, reencoding and possibly enabling full root access by adding <RemoteSSH>on</RemoteSSH> to the Dropbear configuration section!

l.scorcia · March 16, 2023, 2:38am

Well, this was an interesting rabbit hole! I can confirm that it works and I now have SSH root access without opening the device!

On a Linux machine, create a new directory called archerc9conf and download a router config backup into it. Its file name will be backup-ArcherC9-YYYY-MM-DD.bin . Open a terminal and cd to the archerc9conf directory. Run the following commands, make sure to replace YYYY-MM-DD with the values from your actual file.

# Decrypt the backup file
$ openssl aes-256-cbc -d -k ArcherC9 -md md5 -in backup-ArcherC9-YYYY-MM-DD.bin -out backup-ArcherC9-YYYY-MM-DD.decrypted.bin

# Decompress using zlib
$ unpigz < backup-ArcherC9-YYYY-MM-DD.decrypted.bin > backup-ArcherC9-YYYY-MM-DD.tar

# Create a subdir for the extracted files
$ mkdir extracted

# The files in the tar archive must have the same permissions, owner info and timestamp as the original. This requires invoking the next commands as sudo.

# Uncompress the tar archive
$ sudo tar --transform 's,^.,extracted,' -xf backup-ArcherC9-YYYY-MM-DD.tar

# Add the line to enable SSH access
$ sudo sed -i '/^<PasswordAuth>.*<\/PasswordAuth>/i <RemoteSSH>on<\/RemoteSSH>' extracted/ori-backup-user-config.bin

# Recreate the tar archive
$ sudo tar -b1 -cvf backup-ArcherC9-YYYY-MM-DD.repack.tar --transform 's,^extracted,.,' --no-recursion --owner=root:0 --group=root:0 extracted/ extracted/ori-backup-user-config.bin extracted/ori-backup-certificate.bin

# Make sure we can access the newly created archive
$ sudo chown $USER: backup-ArcherC9-YYYY-MM-DD.repack.tar

# Recompress using zlib
$ pigz -z -6 < backup-ArcherC9-YYYY-MM-DD.repack.tar > backup-ArcherC9-YYYY-MM-DD.tar.zlib

# Encrypt the archive again
$ openssl aes-256-cbc -e -k ArcherC9 -md md5 -in backup-ArcherC9-YYYY-MM-DD.tar.zlib -out backup-ArcherC9-YYYY-MM-DD.reencrypted.bin

Now restore router config from the backup-ArcherC9-YYYY-MM-DD.reencrypted.bin file and wait a minute or two after reboot. Run ssh admin@YOUR-ROUTER-IP and login with your router admin password.

The admin user does not have uid 0 but it's in the root group and has root privileges:

I hope it will be useful for others or maybe to port OpenWrt to this or other TP-Link devices!

tonyotonio · July 8, 2023, 9:15am

It seems Archer C9 v5 is using Openwrt under the hood.

frollic · July 8, 2023, 9:18am

it's like saying it runs on electricity, even the unsupported ones do.