I have TP-Link Archer C9 HW ver 5.0.
In OpenWrt there is no support for this HW revision, but there is support for HW ver 1.0.
The difference is not so big.
Just to make sure that you're aware of this, BCM4360 (both of your wlan cards) has only very basic support in b43, this means 54 MBit/s (802.11g) at most.
I understand about the WiFi module; after installing OpenWrt I will try to install DD-WRT on top of it.
DD-WRT has a proprietary driver from Broadcom.
But there is DD-WRT archer-c9v4-webflash.bin only for C9 HW ver. 4
And the original TP-Link web UI says: Invalid file type.
So, I have access to CFE and have root access to original firmware that has mtd tool.
Do you have a router that is supported in OpenWrt? I do. I'm going to build firmware for it from the OpenWrt source files. We could do it together. Let me know.
Hi, I know OpenWrt will probably never support this router (Archer C9 v5), however I spent some time recovering the config backup encryption key and here are the commands to decode it:
Config is actually a tar archive with a couple of files - the interesting one is called ori-backup-user-config.bin.
As you can see, the key is ArcherC9 - which is actually extracted at runtime from the product_name uci configuration variable (look for enc_file in /usr/lib/lua/luci/controller/admin/firmware.lua). Next step, reencoding and possibly enabling full root access by adding <RemoteSSH>on</RemoteSSH> to the Dropbear configuration section!
Well, this was an interesting rabbit hole! I can confirm that it works and I now have SSH root access without opening the device!
On a Linux machine, create a new directory called archerc9conf and download a router config backup into it. Its file name will be backup-ArcherC9-YYYY-MM-DD.bin. Open a terminal and cd to the archerc9conf directory. Run the following commands, and make sure to replace YYYY-MM-DD with the values from your actual file.
# Decrypt the backup file
$ openssl aes-256-cbc -d -k ArcherC9 -md md5 -in backup-ArcherC9-YYYY-MM-DD.bin -out backup-ArcherC9-YYYY-MM-DD.decrypted.bin
# Decompress using zlib
$ unpigz < backup-ArcherC9-YYYY-MM-DD.decrypted.bin > backup-ArcherC9-YYYY-MM-DD.tar
# Create a subdir for the extracted files
$ mkdir extracted
# The files in the tar archive must have the same permissions, owner info and timestamp as the original. This requires invoking the next commands as sudo.
# Uncompress the tar archive
$ sudo tar --transform 's,^.,extracted,' -xf backup-ArcherC9-YYYY-MM-DD.tar
# Add the line to enable SSH access
$ sudo sed -i '/^<PasswordAuth>.*<\/PasswordAuth>/i <RemoteSSH>on<\/RemoteSSH>' extracted/ori-backup-user-config.bin
# Recreate the tar archive
$ sudo tar -b1 -cvf backup-ArcherC9-YYYY-MM-DD.repack.tar --transform 's,^extracted,.,' --no-recursion --owner=root:0 --group=root:0 extracted/ extracted/ori-backup-user-config.bin extracted/ori-backup-certificate.bin
# Make sure we can access the newly created archive
$ sudo chown $USER: backup-ArcherC9-YYYY-MM-DD.repack.tar
# Recompress using zlib
$ pigz -z -6 < backup-ArcherC9-YYYY-MM-DD.repack.tar > backup-ArcherC9-YYYY-MM-DD.tar.zlib
# Encrypt the archive again
$ openssl aes-256-cbc -e -k ArcherC9 -md md5 -in backup-ArcherC9-YYYY-MM-DD.tar.zlib -out backup-ArcherC9-YYYY-MM-DD.reencrypted.bin
Now restore router config from the backup-ArcherC9-YYYY-MM-DD.reencrypted.bin file and wait a minute or two after reboot. Run ssh admin@YOUR-ROUTER-IP and login with your router admin password.
The admin user does not have uid 0 but it's in the root group and has root privileges:
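Separate from the posts above, an added Python example (not the posters' code and not taken from the firmware) of what `-k ArcherC9 -md md5` means in the `openssl aes-256-cbc` commands: `openssl enc` writes `Salted__` plus an 8-byte salt at the start of the file and derives the AES-256-CBC key and IV from the password and that salt with single-pass MD5 chaining (EVP_BytesToKey). The only input not stored in the backup itself is therefore the product name, and nothing in the format authenticates the contents. Function names and the sample bytes are constructed for illustration.

```python
import hashlib

MAGIC = b"Salted__"  # header `openssl enc` writes when a salt is used


def evp_bytes_to_key(password: bytes, salt: bytes,
                     key_len: int = 32, iv_len: int = 16):
    """OpenSSL's EVP_BytesToKey with MD5 and one iteration.

    This is the derivation `openssl enc -k <pw> -md md5` uses when
    -pbkdf2 is not given: D1 = MD5(pw+salt), Dn = MD5(Dn-1+pw+salt).
    """
    material = b""
    block = b""
    while len(material) < key_len + iv_len:
        block = hashlib.md5(block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def describe_backup(blob: bytes, product_name: str) -> dict:
    """Parse the openssl header and derive the AES-256-CBC key and IV."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("not an openssl salted file")
    salt = blob[8:16]
    body = blob[16:]
    if not body or len(body) % 16 != 0:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    key, iv = evp_bytes_to_key(product_name.encode(), salt)
    return {"salt": salt, "key": key, "iv": iv, "ciphertext_len": len(body)}


# Constructed sample: valid header, fixed salt, 32 dummy ciphertext bytes.
SAMPLE = MAGIC + bytes.fromhex("0102030405060708") + bytes(32)

if __name__ == "__main__":
    info = describe_backup(SAMPLE, "ArcherC9")
    print("salt:", info["salt"].hex())
    print("key :", info["key"].hex())
    print("iv  :", info["iv"].hex())
    print("ciphertext bytes:", info["ciphertext_len"])
```

Because the key material is fully determined by the file's own salt and a fixed product string, a saved config backup deserves the same handling as a plaintext file containing the admin credentials.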