Last week I attended the first Freifunk meeting in my hometown. The decision was made to participate in FFBsee with my old Buffalo WHR-HP-G300N router.

Before flashing the latest Freifunk firmware I tried to install a vanilla OpenWrt image on this router. But the outdated DD-WRT image on the router refused to be updated.

After several retries I gave up on the suggested TFTP method: I tried several combinations of MAC addresses and interfaces, always without success. Luckily Kevin Cave on Scarygliders pointed out that the U-Boot on the router can be interrupted with CTRL-C while it is waiting to receive a firmware image via TFTP.

He also pointed out that the OpenWrt image is prefixed with a 0x20-byte header. So I tweaked the U-Boot environment a bit so that I did not have to alter the firmware image itself.

tftp server(receive) go, waiting:4[sec]
Load address: 0x80f00000

Abort
no file was loaded.
ar7240> <INTERRUPT>
ar7240>

There are some interesting environment variables related to firmware updates:

ar7240> printenv
[...]
u_fw=erase $fw_eaddr; cp.b $fileaddr BF040000 $filesize; bootm BF040000;
ut_fw=tftp $tmp_ram firmware.bin; erase $fw_eaddr; cp.b $fileaddr BF040000 $filesize; bootm BF040000;
ut_uboot=tftp $tmp_ram u-boot.bin; protect off $uboot_eaddr; erase $uboot_eaddr; cp.b $fileaddr BF000000 $filesize;
[...]

After setting up a TFTP server and giving your host system the IPv4 address 192.168.11.2 (the server address this U-Boot expects; the router itself uses 192.168.11.1), you can download a firmware image right from the U-Boot command prompt:

ar7240> tftp $tmp_ram openwrt-ar71xx-generic-whr-hp-g300n-squashfs-tftp.bin
Using eth1 device
TFTP from server 192.168.11.2; our IP address is 192.168.11.1
Filename 'openwrt-ar71xx-generic-whr-hp-g300n-squashfs-tftp.bin'.
Load address: 0x80f00000
Loading: #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         ##############################
done
Bytes transferred = 3145764 (300024 hex)

So let's check whether this image also suffers from the 0x20-byte offset:

ar7240> iminfo $fileaddr

## Checking Image at 80f00000 ...
   Bad Magic Number
ar7240>

Of course it does: the image is prefixed by the same 0x20-byte header. Just out of curiosity, let's look at the first bytes:

ar7240> md $fileaddr
80f00000: 23204169 72737461 74696f6e 20507562    # Airstation Pub
80f00010: 6c696320 466d7431 00000000 00000000    lic Fmt1........
80f00020: 27051956 d3488451 56acca20 00115622    '..V.H.QV.. ..V"
80f00030: 80060000 80060000 b3e42d50 05050203    ..........-P....
80f00040: 4d495053 204f7065 6e577274 204c696e    MIPS OpenWrt Lin
80f00050: 75782d33 2e31382e 32330000 00000000    ux-3.18.23......
80f00060: 6d000080 00344934 00000000 0000006f    m....4I4.......o
80f00070: fdffffa3 b77f4c34 f7f8df51 7a6edb3c    ......L4...Qzn.<
80f00080: ec7d4ea1 71788f3e 662e5921 bcf0be72    .}N.qx.>f.Y!...r
80f00090: a6181f38 843f1584 43cbe578 c27d99b4    ...8.?..C..x.}..
80f000a0: b9a7b99a d79b850d 10e56023 bc86313d    ..........`#..1=
80f000b0: f4653466 dd6085ac b5474b05 33efbdb7    .e4f.`...GK.3...
80f000c0: 76abd394 bebfacf4 f08fe76a db6961b8    v..........j.ia.
80f000d0: d341676a 67864eb5 e28b8dbd 3dbb489e    .Agjg.N.....=.H.
80f000e0: 978fb0a7 01f8fcc8 a0ebe5e4 54e07d07    ............T.}.
80f000f0: 05175829 289f8be8 6ac6d14c ece8db8a    ..X)(...j..L....

In the line starting with 80f00020 we can see the magic number 27051956, the expected uImage header, which Kevin Cave on Scarygliders pointed out. The 32 bytes before it are Buffalo's own header: the string "# Airstation Public Fmt1" padded with NULs. So let's skip this header:

ar7240> setenv fileaddr 80F00020

Please do not save the environment (saveenv) after this modification, otherwise your router may not work properly afterwards. This is a temporary change for the current session only!

After this modification the check should pass:

ar7240> iminfo $fileaddr

## Checking Image at 80f00020 ...
   Image Name:   MIPS OpenWrt Linux-3.18.23
   Created:      2016-01-30  14:35:12 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1136162 Bytes =  1.1 MB
   Load Address: 80060000
   Entry Point:  80060000
   Verifying Checksum ... OK
ar7240>

Bingo! This looks promising. We now have to erase the flash and copy the image to its new place. Note that $filesize still counts the 32-byte header, so cp.b from the shifted $fileaddr copies 32 bytes beyond the end of the received image; it evidently did no harm here, but for an exact copy subtract 0x20 from filesize as well (setenv filesize 300004 for this 0x300024-byte image).

ar7240> erase $fw_eaddr
Erase Flash from 0xbf040000 to 0xbf3effff in Bank # 1
First 0x40 last 0x3ef sector size 0x1000
Erased 944 sectors
ar7240> cp.b $fileaddr BF040000 $filesize
Copy to Flash...
 Copy 3145764 byte to Flash... write addr: bf040000
done
ar7240>

Now it is time to check whether everything went fine or whether we have produced something for the dustbin.

ar7240> bootm BF040000
## Booting image at bf040000 ...
   Image Name:   MIPS OpenWrt Linux-3.18.23
   Created:      2016-01-30  14:35:12 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1136162 Bytes =  1.1 MB
   Load Address: 80060000
   Entry Point:  80060000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80060000) ...
## Giving linux memsize in bytes, 33554432

Starting kernel ...

[    0.000000] Linux version 3.18.23 (chris@quadros) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r48532) ) #1 Sat Jan 30 15:35:03 CET 2016
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019374 (MIPS 24Kc)
[    0.000000] SoC: Atheros AR7240 rev 2
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 02000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x00000000-0x01ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[...]
BusyBox v1.23.2 (2016-01-30 15:30:41 CET) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 CHAOS CALMER (Chaos Calmer, r48532)
 -----------------------------------------------------
  * 1 1/2 oz Gin            Shake with a glassful
  * 1/4 oz Triple Sec       of broken ice and pour
  * 3/4 oz Lime Juice       unstrained into a goblet.
  * 1 1/2 oz Orange Juice
  * 1 tsp. Grenadine Syrup
 -----------------------------------------------------
root@OpenWrt:/#

This looks like a full success to me. The next step will be increasing the flash size to 8 MB to provide enough space for the FFBsee firmware.
