Sunday, July 3, 2011

Firmware flashing and brick recovery over TFTP

Though the whole flashing process can be done via web interface without getting your hands dirty, there are cases that the web upgraded is not practical or possible. One common scenario is a semi-bricked router (no web access and no ping response due to bad flash or invalid operation, or you just want to try other firmware like OpenWrt). Luckily that the WZR-HP-G300NH has a robust bootloader and the router can be recovered by using TFTP, either in Windows, Linux or OSX. Flashing via TFTP isn't pretty, so read the appropriate section carefully at least once before attempting.

It's a little tricky comparing to traditional Broadcom routers, as the WZR-HP-G300NH will not broadcast its MAC during initial bootup process. As a result, we must tell the computer how to communicate with the router by manipulating its arp table.

TFTP recovery in Windows
*Untested, credit goes to ermax at DD-WRT forum
  1. Launch Command Prompt and run 'route print' to get a list of your NIC(s). Write down the interface number for the LAN card, in my case, it's 12.

  2. Get your router's MAC, its the 12 digit default SSID printed on the sticker at the back of the router, starting with 00. Then you'll need to separate every two digits by inserting : or - between pairs.

  3. Download the desired firmware. If using OpenWRT, you must use a firmware labeled with TFTP, not sysupgrade.
  4. Also download the Linksys TFTP utility.

  5. Unplug all ethernet cables and the power cable.Connect the computer directly to the router's topmost LAN port (leave the power unplugged).

  6. Set the computer's static IP to, netmask, and gateway/DNS

  7. Open a Windows command prompt as Administrator. This is default on Windows XP, under Windows Vista/7, type cmd in the search box from the Start menu, then press Ctrl+Shift+Enter (or right click and select Run as Administrator). You will be prompted with the User Account Control dialog.

  8. Now type the command below to get the ARP binding:

    netsh interface ipv4 add neighbors 12 00-1d-12-34-56-78

    Replacing the number 12 with the interface number and 00-1d-12-34-56-78 with the router's MAC address.

  9. Turn off the Windows Firewall by clicking the start orb and searching for 'firewall' and selecting Windows Firewall. In the column on the right select Turn Off Windows Firewall.

  10. Run the Linksys TFTP utility. Put as Server address, leave password empty, set file to the downloaded .bin firmware image, set the retry time to 60.

  11. Click "Upgrade" in the TFTP utility and quickly plug the power back to turn on the router. There might be few failed attempts but the flash process should start eventually. Wait patiently the router will reboot itself when the upgrade is done.The router can take a long time when installing via TFTP.
    TFTP recovery in Linux
    *Most of this is from DD-WRT wiki with some tweak. TESTED WORKING

    Will use Ubuntu Live CD as an example but other distro should also work. The Ubuntu LiveCD can be booted from a USB flash drive. See here.
    1. Do Step 1-4 in "TFTP recovery in Windows" except we don't need Linksys TFTP utility here. So we have MAC address ready, router unpowered and the computer is directly connected to the router.

    2. After booting into Ubuntu, open a terminal and type:

      sudo apt-get update
      sudo apt-get install tftp-hpa
      sudo /etc/init.d/networking stop
      sudo ifconfig eth0
      sudo ifconfig eth0 netmask
      sudo arp -s 00:1D:12:34:56:78
    3. Change to the folder where you put the firmware image, if it's on desktop then it's "/home/ubuntu/Desktop".

      cd /home/ubuntu/Desktop

      *from this point, you're under tftp command prompt, the "tftp>" is the prompt tftp gives you, you just need to type the command AFTER that.

      tftp> verbose
      tftp> binary
      tftp> trace
      tftp> rexmt 1
      tftp> timeout 60
      tftp> put wzrg300nh-firmware.tftp

      Replace the fictional MAC in red with the router's. All command you need to input is in italic. Also replace wzrg300nh-firmware.tftp with the firmware you need, in case of stock firmware, its wzrhpg300nh-174.

      Also, at this point, the router is still unpowered and that's OK. Tftp will keep trying to send the firmware to the router and when it fails (because the router isn't yet on or hasn't yet brought up it's tftp interface) it will wait 1 second and retry, up to 60 times as that's how we set up the tftp client.

    4. Now quickly plug the power cord back to the router. The router will start up and you will see some lights blinking (possibly). About 10-20 seconds in, you should notice that tftp is sending the file. instead of the retry message over and over you will see some progress scrolling down the screen and at the end it will tell you how many blocks or bytes were transferred in how many second.

    5. After the transfer is complete, wait about 5-10 minutes the router will reboot itself. When the wireless LED is on you're good to go.

    6. Bring the network back in Linux by typing

      sudo service networking start
    TFTP recovery in OSX
     *Untested, credit goes to BDawg at DD-WRT forum
    1. Do Step 1-4 in "TFTP recovery in Windows" except we don't need Linksys TFTP utility here. So we have MAC address ready, router unpowered and the computer is directly connected to the router.

    2. Set the computer's static IP to, netmask, gateway/DNS

    3. Open a terminal and type

      sudo arp -s 00:1D:12:34:56:78 ifscope en0

      Replace with your own router's MAC.

    4. Type


      tftp> binary
      tftp> trace
      tftp> put wzrhpg300nh-174
      Don't press Enter!!!

    5. Now plug the power cord back and hit Enter to start tftp transfer.


    Post a Comment