We need information for debrick this device with JTAG pinout, if you know how to repair full-brick, help us !
Only suitably encrypted images may be flashed from the web interface in the stock Buffalo firmware. It is therefore not possible to install OpenWRT in this way. There are two alternatives:
DD-WRT have a licensing agreement with Buffalo, and can therefore provide encrypted firmware images. So it is possible to proceed as follows:
- Flash the DD-WRT image from the web interface of the stock Buffalo firmware. (Be careful to choose the right image file, ie the one for an initial install, not the one for upgrading from a previous version of DD-WRT.)
- Just a warning before flashing. This OpenWRT image is for annex b not a. The instructions under Configure ADSL imply that you can install annex a after flashing but the package is not included in the image, so you will be stuck with no internet. So check which annex your internet service provider uses before flashing.
- Get on-line. See DD-WRT documentation for this.
- telnet into DD-WRT, then download and flash the OpenWRT image file:
cd /tmp wget http://downloads.openwrt.org/attitude_adjustment/12.09/lantiq/ar9/openwrt-lantiq-ar9-WBMR-squashfs.image mtd -r write openwrt-lantiq-ar9-WBMR-squashfs.image linux
Do not try to revert to DD-WRT using mtd or you may have to debrick (see https://forum.openwrt.org/viewtopic.php?id=43954).
Revert back to DD-Wrt from the OpenWrt WebUI
The latest official DD-Wrt release (Build 21061 / 2013-04-26) for the WBMR, includes a tftp uImage for the device. You can use this uImage to flash from the OpenWrt WebUI to DD-Wrt. Just go to the dd-wrt website, find WBMR in the router database and download the uImage.bin file. Then go to your OpenWrt box and navigate to System –> Backup / Flash firmware. Browse and find the uImage. Click on "flash image". You'll see a verification page (the correct md5 hash of the uImage.bin file is 8b2c7024f4a477ef9db9a2d6094d283e). Click "proceed" and after 4-5 minutes DD-Wrt will be installed on the device.
It does not appear to be possible to flash OpenWRT from the DD-WRT web interface.
- Use TFTP to boot a ramdisk image of OpenWRT.
- Set password to enable ssh.
- Download the OpenWRT image you wish to flash and copy it to the /tmp directory on the router using scp.
- Run: sysupgrade imagefilename to flash the image.
The router bootloader has a tftp client, which will try to connect to 192.168.11.2 and load a file called firmware.ram. Download https://downloads.openwrt.org/barrier_breaker/14.07/lantiq/xway/openwrt-lantiq-xway-WBMR-uImage and rename it as firmware.ram to your tftp server root folder.
Install and start a tftp server. For linux there is a package called tftp-server, tftpd-hpa or similar and on MacOS X TftpServer Version 3.4.1 was used.
Some people have reported tftpd-hpa not working as tftp server in debricking. Wireshark shows the server complaining 'must use absolute filename' and the transfer does not start. Others have reported that at least tftp-hpa versions released year 2013 and after work. To be sure use tftpd with the default configuration.
Check that the file exists in your tftp server root folder e.g. /srv/tftp or /var/lib/tftp or your current directory depending on your software.
Setup your interface. It doesn't matter which port of the router you use. Set your tftp server IP to 192.168.11.2/24.
Optional for Linux using tftpd. Confirm the server is available with:
nmap -p 69 192.168.11.2
If running correctly you will see something like:
PORT STATE SERVICE 69/tcp closed tftp
Otherwise try restarting inetd:
For Debian Wheezy root@Hostname:~# /etc/init.d/openbsd-inetd restart
Push the AOSS button and power on the router. Keep the AOSS button for about 5 seconds pushed. When the AOSS button is pushed the LED below power will also light up on start. You can verify with wireshark, if everything works as expected. There should be a tftp request from 192.168.11.1 to 192.168.11.2 for a file firmware.ram. Then This file will be transmitted and after that the ip 192.168.11.1 vanishs, because you see your computer asking to whom this ip belongs.
Ping 192.168.1.1 You may also do a DHCP request, which will be answered if your router booted fine. Router may not necessarily give any signal via LED if it is ready or not.
Flash a working image: Telnet to device, set ssh password, copy squashfs image to your device with scp and sysupgrade squashfsimage.
Although the WBMR-HP-G300H is supported in the current stable Attitude Adjustment 12.9 release, the pre-compiled image is fairly basic and must be tuned to work properly (ADSL, wifi, LUCI web interface and LEDs).
The ADSL interface is disabled in the Attitude Adjustment 12.09 image so turn it on:
/etc/init.d/br2684ctl enable /etc/init.d/br2684ctl start
With Barrier Breaker 14.07 this is not necessary.
Precompiled image contains ADSL annex B only (for ISDN lines). For POTS (old-fashioned telephone line), you need annex A. Remove kmod-ltq-dsl-firmware-b-ar9 and install kmod-ltq-dsl-firmware-a-ar9 instead.
Add suitable configuration in /etc/config/network
- PPPoA example: PPPoA ADSL internet connection
- PPPoE example:
config adsl-device 'adsl' option fwannex 'a' option annex 'a2p' config atm-bridge 'atm' option vpi '8' option vci '35' option encaps 'llc' option payload 'bridged' option unit '0' config interface 'wan' option ifname 'nas0' option proto 'pppoe' option username 'firstname.lastname@example.org' option password 'XXXXXXXXX'
fwannex a is for normal telephone lines, fwannex b is for ISDN. Option annex a2p means ADSL2+, annex a is standard ADSL. Username and password options are often not needed.
In /etc/config/network setup ADSL type. For analog telephone lines use annex a and for ISDN use annex b, see example below.
config adsl 'dsl' option annex 'b' option firmware '/lib/firmware/adsl.bin'
The preinstalled ADSL firmware is annex b. To use annex a remove the firmware package and install the annex a firmware https://downloads.openwrt.org/barrier_breaker/14.07/lantiq/xway/packages/base/kmod-ltq-adsl-ar9-fw-a_0.1-1_lantiq.ipk. VPI and VCI values can be defined in the same /etc/config/network file or in web interface under Network, Interfaces.
For wifi install kmod-ath9k and generate a wireless config.
opkg install kmod-ath9k wifi detect >> /etc/config/wireless
Module is installed by default.
Install the package luci. Then you need to enable and start uhttpd
opkg install luci /etc/init.d/uhttpd enable /etc/init.d/uhttpd start
See below: Wired stations cannot ping each other .
LED configuration must be placed in /etc/config/system. Here is an example:
config led option default '0' option name 'power' option sysfs 'soc:green:power' option trigger 'default-on' config led option default '0' option name 'power2' option sysfs 'soc:red:power' option trigger 'none' config led option default '0' option name 'wifi' option sysfs 'soc:green:wlan' option trigger 'phy0tpt' config led option default '0' option name 'security' option sysfs 'soc:red:security' option trigger 'phy0tpt' config led option default '0' option name 'dsl' option sysfs 'soc:green:adsl' option trigger 'netdev' option dev 'nas0' option mode 'link tx rx' config led option default '0' option name 'online' option sysfs 'soc:green:internet' option trigger 'none' config led option default '0' option name 'online2' option sysfs 'soc:red:internet' option trigger 'netdev' option dev 'nas0' option mode 'tx rx' config led option default '0' option name 'usb' option sysfs 'soc:green:usb' option trigger 'default-on' config led option default '0' option name 'movie' option sysfs 'soc:blue:movie' option trigger 'timer' option delayon '1000' option delayoff '1000'
There are some slightly better LED's in Barrier Breaker (warning: experimental!) trunk.
Go to the web interface System, Led configuration to define the leds. For dsl use nas0 and check "Linkon, Transmit and Receive". (Is there a better way to define adsl led? If linkon is defined on nas0 adsl light will be always on, transmit and receive will blink it.)
|CPU/Speed||MIPS 34Kc / 333MHz Lantiq PSB 50810|
|Wireless:||Atheros AR9280 Rev:2|
|Ethernet:||4 x Gigabit Atheros AR8316|
|USB:||Yes 1 x 2.0 (driver dwc_otg)|
For disassembling the device you need a Torx T8 screwdriver WITH HOLE that is AT LEAST 16mm long (with some preasure Torx T9 works too). A normal torx bit won't fit because the screws are sunk very deep so you won't reach them.
A male-strip is on board to connect your TTL capable serial converter. PIN 1 is marked with a arrow.
Serial port pinout:
PIN 1: VCC +3.3V
PIN 2: GND
PIN 3: TX
PIN 4: RX
Use the following settings:
Caution: Be very careful with the serial interface! It is very fragile! Therefore never use the Vcc Pin. I destroyed my Buffalo by applying all four cables (works fine) and then unplug the main power supply. This will destroy the router electrically! So never ever use Vcc aka Pin1!!!
Also with only GND, TX and RX without VCC I destroyed the router electrically. So is better unplug serial before unplug the main power.
The pinout use the standard MIPS
# cat /proc/mtd dev: size erasesize name mtd0: 00040000 00020000 "uboot" mtd1: 00020000 00020000 "uboot_environ" mtd2: 00140000 00020000 "kernel" mtd3: 01da0000 00020000 "rootfs" mtd4: 00040000 00020000 "firmware" mtd5: 00020000 00020000 "user_property" mtd6: 00020000 00020000 "fwdiag" mtd7: 00020000 00020000 "boardcfg" mtd8: 00020000 00020000 "calibration" mtd9: 01ee0000 00020000 "cmbfirmware"
There seems to be different layouts. My flash layout looks like this (revision dependent?):
# cat /proc/mtd dev: size erasesize name mtd0: 00040000 00020000 "uboot" mtd1: 00020000 00020000 "uboot-env" mtd2: 01f20000 00020000 "linux" mtd3: 00100000 00020000 "kernel" mtd4: 01e20000 00020000 "rootfs" mtd5: 00020000 00020000 "calibration"
None we hope.
If the device does not boot you can recover using the "Install with tftp" option.
If PPP discovery is failing:
Sep 8 15:50:01 OpenWrt daemon.warn pppd: Timeout waiting for PADO packets Sep 8 15:50:01 OpenWrt daemon.err pppd: Unable to complete PPPoE Discovery Sep 8 15:50:01 OpenWrt daemon.info pppd: Exit. Sep 8 15:50:01 OpenWrt daemon.notice netifd: Interface 'wan' is now downit way be worth checking that the correct firmware is loaded for your DSL annex, POTS (normal telephone lines) is annex a and ISDN is annex b.
To check this execute
opkg list-installed | grep kmod-ltq-dsl-firmware
If the incorrect firmware is loaded, remove it and install the other before trying again.
Check DSL line status:
2013-08-29 admax: "Good instructions, tftp flashing works well, stable device. Configuring took some time but has been running well ever since."
2013-08-30 kitsunemura: "Really well written wiki. Device is really stable, I used the recovery method once and it worked fine. I don't really recommend using Transmission on this router because it is not really stable. Using NFS is the fastest way to transfer files from/to USB(EXT4)."
2014-10-09 admax: "Barrier breaker is even better."
toh/buffalo/wbmr-hp-g300h.txt · Last modified: 2014/10/09 14:32 by theoradicus