Well I bricked my brand new router! How thrilling!
Of course, I also unbricked it which was fun, too, I guess.
I bought a Buffalo WZR-HP-G300NH router from newegg.com because I wanted to put a free custom firmware called Gargoyle on it. Gargoyle is a front end for OpenWRT and specializes in simplifying the process of configuring bandwidth limitations. You can throttle down those bandwidth hoggers that are killing your internet, etc. So basically you h@ck your router to do more things than it was designed to do. Fun. This is my first time venturing into custom firmware, and here's my brick story:
When my router arrived in the mail it turned out to be a WZR-HP-G300NH2 instead of a WZR-HP-G300NH and I was distracted and kinda just didn't care/notice too much I guess. (dur...) I logged into the router via telnet and HTTP and was very impressed by the ridiculous amount of features. The router comes with a Buffalo branded (weird!) version of DD-WRT which is sort of a cousin to OpenWRT and it was pretty cool stuff!
Of course, I wanted Gargoyle instead, so after browsing around on the firmware a bit for fun, I used this (warning: do not use) method to update the firmware. However, I used the wrong firmware image because the wiki I was going by was designed for the router that was supposed to have been shipped to me by newegg.com and not the one that actually came. The commands I ran while telnetted into the router were as follows (DO NOT RUN THESE COMMANDS):
cd /tmp
wget http://www.gargoyle-router.com/downloads/images/ar71xx/gargoyle_1.4.4-ar71xx-wzr-hp-g300nh-squashfs-sysupgrade.bin
mtd -e linux -r write gargoyle_1.4.4-ar71xx-wzr-hp-g300nh-squashfs-sysupgrade.bin linux
DO NOT USE THESE COMMANDS for this router, however. Unless you wanna brick it, of course. I'll show you the right way in a bit here. (If I had just used the correct file, I probably would have been okay.) After this, the router came up with a solid red light and would not ping at either its old IP of 192.168.11.1 or the default Gargoyle IP of 192.168.1.1. Oopsy........
After a lot of research, forum advice, blood, sweat and tears, I successfully unbricked it using TFTP. I learned that there is a short 4-second window about 10 seconds or so into boot in which the router will accept a TFTP PUT from a specific IP address only. There also must be a static ARP entry on your computer for a generic MAC address that the router has during boot.
Below are the details on how I unbricked it using my MacBook Pro, though this can be done with Windows or Linux as well. To prepare for the unbricking, I downloaded gargoyle_1.5.8-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin (experimental) and put it in my Downloads folder. So...
1. I turned off WiFi, just to make sure my computer wouldn't try to talk to the router through the wireless connection
2. Then I gave my wired Ethernet connection en0 the IP address of 192.168.11.2 and the subnet mask of 255.255.255.0. This can be done through System Preferences > Network > Configure IPv4 = Manually. Just leave the router space blank.
3. Next, I went to a Terminal and confirmed that the IP for interface en0 took by running: ifconfig en0
4. Then it was time to create a static ARP entry for the router and change to the Downloads folder:
sudo arp -da    # clears ARP cache
sudo arp -s 192.168.11.1 02:aa:bb:cc:dd:1a    # create a static ARP entry for the generic MAC address that the router defaults to
arp -a    # make sure that the static entry took
cd Downloads    # this is case-sensitive and changes us to the directory where I downloaded the firmware to
5. I then unplugged everything from the router and plugged a network cable from my Mac to the LAN port that is right next to the blue WAN port on the router -- but left the power to the router unplugged.
6. This next part was the trickiest. You have to boot up the router and then start barraging it with PUT commands via TFTP until it connects. The router will only listen on 192.168.11.1 and will only listen to your computer if your computer has the address 192.168.11.2. Fussy! It starts listening at about 10 seconds into boot and only listens for about 4 seconds. It can be tricky to catch it at just the right time. I first tried it with a couple of Mac TFTP applications, but that didn't work. I then tried it from the command line, as shown below. However, it still wouldn't work after many, many attempts. I must admit that I became very frustrated at this point. Hack1ng was no longer feeling quite as fun, especially knowing that I may have permanently bricked my brand new router! Finally, I replaced my network cable and tried again and again some more until I got it. Still can't believe that my network cable was apparently bad. Crazy. I had even tried putting a switch between them earlier. (I read somewhere that sometimes there can be an issue with Windows taking a long time to bring up the NIC and ruining the timing for this, and I thought it might apply to Mac. The way to get around this is to put a switch between the router and the computer and let the computer successfully negotiate its switchport connection before powering the router on. A low-grade dumb switch will likely do better at quick negotiation, as opposed to a super-duper switch with too many features, fyi.) So here are the Mac TFTP commands I ran from the terminal and their results... Right after the first PUT command is where I plugged the router's power in immediately and then kept hitting up arrow and then enter over and over again on my Mac until it finally took:
tftp 192.168.11.1
tftp> binary
tftp> rexmt 1
tftp> timeout 30
tftp> trace
Packet tracing on.
tftp> put gargoyle_1.5.8-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin (Plug the router in immediately after this command! Then keep hitting up-arrow and enter over and over again to repeat the command!!)
sent WRQ <file=openwrt-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin, mode=octet>
tftp: sendto: Can't assign requested address
tftp> put gargoyle_1.5.8-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin
sent WRQ <file=openwrt-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin, mode=octet>
tftp: sendto: Can't assign requested address
tftp> put gargoyle_1.5.8-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin
sent WRQ <file=openwrt-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin, mode=octet>
tftp: sendto: Can't assign requested address
tftp> put gargoyle_1.5.8-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin
sent WRQ <file=openwrt-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin, mode=octet>
tftp: sendto: Can't assign requested address
tftp> put gargoyle_1.5.8-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin
sent WRQ <file=openwrt-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin, mode=octet>
tftp: sendto: Can't assign requested address
tftp> put gargoyle_1.5.8-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin
sent WRQ <file=openwrt-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin, mode=octet>
tftp: sendto: Can't assign requested address
tftp> put gargoyle_1.5.8-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin
sent WRQ <file=openwrt-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin, mode=octet>
tftp: sendto: Can't assign requested address
tftp> put gargoyle_1.5.8-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin
sent WRQ <file=openwrt-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin, mode=octet>
tftp: sendto: Can't assign requested address
tftp> put gargoyle_1.5.8-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin
sent WRQ <file=openwrt-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin, mode=octet>
^[[A
^[[A
sent WRQ <file=openwrt-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin, mode=octet>
^[[A
^[[A
sent WRQ <file=openwrt-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin, mode=octet>
^[[A
^[[Asent WRQ <file=openwrt-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin, mode=octet>
sent WRQ <file=openwrt-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin, mode=octet>
sent WRQ <file=openwrt-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin, mode=octet>
sent WRQ <file=openwrt-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin, mode=octet>
sent WRQ <file=openwrt-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin, mode=octet>
received ACK <block=0> (Here it started working so I quit repeating the command.)
sent DATA <block=1, 512 bytes>
received ACK <block=1>
sent DATA <block=2, 512 bytes>
received ACK <block=2>
etc., etc.….
sent DATA <block=5120, 512 bytes>
received ACK <block=5120>
sent DATA <block=5121, 36 bytes>
received ACK <block=5121>
Sent 2621476 bytes in 8.1 seconds
6. Once the TFTP was complete, I deleted the static ARP entry on my Mac:
$ sudo arp -da
192.168.11.1 (192.168.11.1) deleted
192.168.11.255 (192.168.11.255) deleted
224.0.0.251 (224.0.0.251) deleted
255.255.255.255 (255.255.255.255) deleted
224.0.0.251 (224.0.0.251) deleted
255.255.255.255 (255.255.255.255) deleted
7. ...And changed my IP from Manual to DHCP again (reverse of step 2)
8. I then set ping to sound an alert when the router came up:
ping -a 192.168.1.1
9. When the router came up I logged in via HTTP and SSH at 192.168.1.1!
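The retry-until-ACK exchange from step 6, as an added Python example (not the author's code and not part of Gargoyle or OpenWRT): it repeats the write request until the bootloader answers with ACK 0, then sends the image in 512-byte blocks as in the trace. The function names `wrq`, `blocks`, `wait_ack` and `tftp_put`, and the attempt and interval defaults, are choices made for this example.

```python
import socket, struct, time
BLOCK = 512  # classic TFTP block size, matching the 512-byte DATA packets in the trace

def wrq(filename):
    """Write request: opcode 2, filename, NUL, transfer mode "octet" (binary), NUL."""
    return struct.pack("!H", 2) + filename.encode("ascii") + b"\0octet\0"

def blocks(data):
    """Split an image into DATA payloads; a block shorter than 512 bytes ends the transfer."""
    out = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    if not out or len(out[-1]) == BLOCK:
        out.append(b"")  # exact multiple of 512: terminate with an empty block
    return out

def wait_ack(sock, number):
    """Return the sender's address once ACK <number> arrives, None on timeout or socket error."""
    try:
        while True:
            pkt, addr = sock.recvfrom(516)
            if len(pkt) >= 4 and struct.unpack("!HH", pkt[:4]) == (4, number):
                return addr
    except OSError:
        return None

def tftp_put(host, filename, data, port=69, attempts=120, interval=0.5):
    """Repeat the WRQ until ACK 0 arrives, then send the image block by block."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(interval)
    with sock:
        for _ in range(attempts):
            try:
                sock.sendto(wrq(filename), (host, port))
            except OSError:  # send can fail early, as in the trace's "Can't assign requested address"
                time.sleep(interval)
                continue
            peer = wait_ack(sock, 0)  # a TFTP server may answer from a new port; reply there
            if peer:
                break
        else:
            raise TimeoutError("no ACK for the write request; recovery window missed")
        for number, payload in enumerate(blocks(data), start=1):
            packet = struct.pack("!HH", 3, number & 0xFFFF) + payload
            for _ in range(5):  # retransmit an unacknowledged block a few times
                sock.sendto(packet, peer)
                if wait_ack(sock, number & 0xFFFF):
                    break
            else:
                raise TimeoutError(f"no ACK for block {number}")
    return number
```

Calling `tftp_put("192.168.11.1", name, image_bytes)` just before powering the router on stands in for the up-arrow loop; the static IP and static ARP entry from steps 2 and 4 are still required.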
If you want to try it before committing, there's a really awesome online read-only version of the webUI you can try!:
http://router-firmware-test.gamma.nu/Gargoyle/
Gargoyle isn't for everybody, but free custom firmware is! Or at least it's for everybody who wants to get super-duper business-grade features on a home router!!
Awesome guide - thanks James