unzip, place tftpserver next to the bin and run with sudo

Hi Yoq,

A big thanks for your work.

But I have an error when I want to transfer the file ArcherC2V1_tp_recovery.bin from my TFTP to the router.

I have tried with your simple tftp server from a laptop with linux mint and tftp32.exe from a Windows 10.
Always the same error : timeout detected and timeout waiting for ack block.

My router firmware version ::0.9.1 4.1 v0032.0 Build 160512 Rel.40318n
Hardware Version:Archer C2 v1 00000002 (it's an EU version)

Can you help me ?

Thanks you

@halucigenia
The procedue is on the archive file (readme.txt) :
start with sudo / root, needed for port 69:
yoq@yoq-mc17 ~/c2_recovery/back_to_stock $ sudo ../linuxTFTP/tftpserver

Calanto59

OK

OK - bin and tftpserver  in same folder
cd to that folder

sudo tftpserver?
that just gives "command not found"

I feel thick, what is it that I am missing?

Add the exec permission.

chmod +x tftpserver

It was executable already using chmod +x did not help

Ok

just go to the directory where there are the exec and the file file ArcherC2V1_tp_recovery.bin.
and launch:

./tftpserver

Do not forget "./" before tftpserver

(Last edited by calanto59 on 24 Dec 2016, 17:02)

That did not work either.

I am working from a 32bit netbook maybe that is the issue?
I have now compiled tftpserver from github.com/lanrat/tftp myself and it seems to run.

Now, I am flashing my C2 back to stock (as my router has the locked firmware) before using the C2s firmware upgrade menu to flash openwrt-ramips-mt7620-ArcherC2-squashfs-sysupgrade.bin
Right or wrong?

Yes, I compiled it as x64, it's fixed now if you redownload c2_recovery.zip
If you are in the same folder, start with

sudo ./tftpserver

If you compile the server yourself, make sure to use the -p option to set port 69, or change the default in the source code.

And you can go directly to OpenWrt by TFTP-flash, no need to flash stock in your case.

@calanto59: can you send me a  copy of the log output during flashing (with pastebin as it's probably quite long)?

(Last edited by yoq on 25 Dec 2016, 01:24)

Hi Yoq,

First of all : Merry christmas 

I have juste made 2 attempts :

First try
pastebin.com/wLA6CGL8

Second try
pastebin.com/ZvYqeF6J

The transfer seems to be blocked and never at the same packet number.

I have done many attempts on differents OS and devices.
The problem seems to be on the router.

Thanks

Calanto59

Thank you for the latest Xmas present yoq
I re-downloaded c2_recovery.zip.
I still had to

cd [directory containing tftpserver]
chmod +x tftpserver

before it would work though

OK, but just to be quite sure and for the benefit of any lurkers trying to do the same thing;
That means copying both
openwrt-ramips-mt7620-ArcherC2-squashfs-sysupgrade.bin
(or should that be openwrt_r50020/ArcherC2V1_tp_recovery.bin and then once that is flashed, from within openwrt upgrade to openwrt-ramips-mt7620-ArcherC2-squashfs-sysupgrade.bin?)
and
tftpserver
to the same directory

cd [that same directory as the files have been copied to]

running

sudo ./tftpserver

holding down the WPS/Reset button on the C2
(is that both buttons, WPS or reset?)
turning the C2 on and releasing WPS/Reset after 10 sec
and just waiting for the flash to take place.
Then I will have the latest version of openwrt for the C2 on my C2 ready to use?

That just sounds far too simple after what I have been reading on this thread and trying to do what has been suggested.
(Sorry to be so pedantic about this but I have to write user instructions at work and I just can't help myself.)

you copy tftpserver and the openwrt recovery bin to the same folder, cd into it and start it.
the button is labelled "wps/reset" the other one is for wifi on/off.
it really is that simple
the recovery and the sysupgrade are almost identical, but with different headers. so never try to flash a sysupgrade by tftp, or a recovery by WebUI.

@Calanto59: is there anything else connected to the C2? if it is, try unplugging everthing but your machine during flashing. how long does it take to transfer the ~100 packets before it stops? slow enough to watch, or basically in an instant and then timeout?

(Last edited by yoq on 25 Dec 2016, 11:51)

Thanks yoq that clears things up greatly.
I think that I need reading glasses - I mistook the wifi on/off for the WPS button.
It's bad design to have the WPS and reset functions on the same button, I wonder how many users using WPS have reset by mistake?

So, if you don't have a locked C2 you would use the WebUI of the C2 and select the sysupgrade file to flash?
I thought that I had tried that on another C2 that was not locked and thought that it bricked it. Maybe I did something else wrong with that one?

I've successfully installed openwrt via stock webui about a year ago, but that was an old stock firmware and the openwrt image generation has changed a bit too since then.
I would recommend to always use TFTP when switching between stock and openwrt.
I suspect you can revive your bricked one by TFTP too.

(Last edited by yoq on 25 Dec 2016, 12:55)

No, only the laptop where tftp is running.

After about 5 seconds => When I use tftp32 => transfer progress bar only 1%.

calanto59

I'm running out of ideas
As far as I know, there has been no change in the bootloader in the newer firmwares. You could verify that, if this old exploit still works, by running

md5sum /dev/mtd0

My device is running bootloader version U-Boot 1.1.3 (Aug 31 2015 - 16:32:16) with an md5 of 41378a5657bfff8718f390d5fa805e88

Hi all.

See my post #122. I had no trouble at all with tftpd-hpa and the recovery ArcherC2V1_tp_recovery.bin from post #90.

Trick is to power up the Archer C2 with the wps button down, and keep it down for 10 seconds while it's booting up.

The tftpd trick gave me an old openwrt. I then flashed the firmware with the latest from yoq.

My device is running the same bootloader version as yoq's:

openwrt@OpenWrt:~$ md5sum /dev/mtd0
41378a5657bfff8718f390d5fa805e88  /dev/mtd0

@halucigenia, no, the order of things is correct.

In c. I save my old /etc/interfaces to /etc/interfaces.old because I need to update the file with a static address and I want to preserve the dynamic settings.

In i. I save the static address into /etc/interfaces.fixed before setting back the old dynamic settings from /etc/interfaces.old. I then reboot/restart networking so that my pc gets the dynamic address from my router. After rebooting/restarting I go to 192.168.1.1, log in, and update the firmware with the latest openwrt-ramips-mt7620-ArcherC2-squashfs-sysupgrade.bin from yoq.

Greetings

gargle, I understand the order now, I was expecting ArcherC2V1_tp_recovery.bin to take me back to stock, but unlocked, not that, as explained by yoq "the recovery and the sysupgrade are almost identical, but with different headers. "

I still have no luck flashing with tftpd-hpa or tftpserver though.

The bug seems to be fixed on my C2 router, it gives "Error code: 5652 No ethernet link configuration!" when entering "$(echo 127.0.0.1)" in the diagnostic tools window and selecting the Start button.

What now?

If it helps when using tftpserver I get
Sending Data: [xx] Sent
Waiting for response..done
up until 
Sending Data: [79] Sent
then I get
Timeout detected
after
Sending Data: [79] Sent

(Last edited by halucigenia on 25 Dec 2016, 17:15)

Try set netmask to 255.255.0.0 on network interface

(Last edited by Heinz on 25 Dec 2016, 19:06)

That did not help for me.

It seems to be the same problem than halucigenia : timeout ...
I try with netmask 255.255.0.0 and 255.0.0.0 and it's same issue

the old exploit still works for me.
I can enter in a telnet session but I don't known if this trick can help me.

df
Filesystem           1024-blocks    Used Available Use% Mounted on
/dev/root                 5248      5248         0 100% /

the root directory is full ?

calanto59

I just realised that there's no md5sum on stock - but you can dump it by tftp: start the server on your pc and run this command:

tftp -p -l /dev/mtd0 -r uboot.bin 192.168.0.XYZ

If it's different than mine, can you send me a copy?

The filesystem on stock is set up differently, it's built to be read-only with the exact size of the contents, and all config is stored in a separate partition.

(Last edited by yoq on 26 Dec 2016, 13:36)

drive.google.com/file/d/0B6IvNZFPDitAcENqMVdDYkVJeEk/view?usp=sharing

thanks

calanto59

that's exactly the same bootloader as on my C2, at least we can rule out that

you could capture the flashing with wireshark, maybe there's a clue in there

EDIT: others on this forum reported more success with pumpkin tftp or the 3com tftp server

(Last edited by yoq on 26 Dec 2016, 16:20)