Archive

Removing OpenWrt

In my previous post I showed you how to install OpenWrt 14.07 on the Buffalo WBMR-HP-G300H. In this post I’ll show you how you can restore the original Buffalo firmware. Numerous posts on the internet claim that going back to the original firmware is impossible once you’ve installed OpenWrt or DD-WRT. This is not true. If you’ve installed OpenWrt or DD-WRT on your WBMR-HP-G300H and you wish to go back to the original Buffalo firmware, keep reading.

Note to DD-WRT users: to restore the original Buffalo firmware you need to switch to OpenWrt first. You can check my previous post for instructions on installing OpenWrt.

With OpenWrt installed on the WBMR-HP-G300H, what stops you from simply flashing the original firmware downloaded from Buffalo’s site is that the firmware is encrypted. You need to decrypt it (and also remove a header) before you try flashing it. The whole process is outlined by n0r1n0x in his excellent post here and I’ll be following it below. Briefly, here’s what needs to be done: get OpenWrt’s source files, compile the decryption program, modify the firmware, decrypt it and, lastly, flash it. Let’s begin.

1. Download the OpenWrt source files

Open a terminal window and issue the following command:

git clone git://git.openwrt.org/14.07/openwrt.git

This will download the OpenWrt source files in the openwrt directory (the directory will be created for you).

2. Locate, edit and compile buffalo-enc.c

The file buffalo-enc.c should be in /openwrt/tools/firmware-utils/src. Open it with a text editor and add the following line to the top:

#include "buffalo-lib.c"

Save the file and compile it with the command below:

gcc -o buffalo-enc buffalo-enc.c

We will use buffalo-enc to decrypt the firmware image in a moment.

3. Edit the encrypted firmware

Before decrypting the Buffalo firmware we need to strip off the first start section (if you haven’t already downloaded the original firmware, you can download it from here). Open wbmrhpg300h-179 with a hex editor, select the first 228 bytes (up until but not including the second start) and delete them.

Removing the first start section from the encrypted firmware.

Save the edited firmware as encrypted_fw and close the hex editor.

4. Decrypt the firmware

Decrypt the firmware by issuing:

./buffalo-enc -d -i encrypted_fw -o decrypted.bin

The decrypted firmware will be saved as decrypted.bin.

For your convenience I have uploaded the decrypted firmware to OneDrive. You can find it here.

MD5: b4318c88e1aa472a1c299281e16061a0 – SHA1: 6f69f931d1bd09de2e516ee42fd8b780ee726a4a

5. Flash

Log in to the OpenWrt admin page and go to System –> Backup/Flash Firmware. Under the “Flash new firmware image” section, choose the decrypted firmware image and press Flash image.

About to flash the original firmware.

You will be asked to verify that you uploaded the correct image. Click Proceed and the flash process will begin. After a few minutes the modem will reboot once or twice. Do not power off the modem. The process will take a few minutes to complete. Renew your Ethernet connection and reconnect to the modem (the default IP is now 192.168.11.1). The original Buffalo firmware is now restored!

Buffalo WBMR-HP-G300H firmware v1.79 restored.
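
Steps 3 and 4 can be scripted so that the header is cut at the second start marker and the decrypted image is compared with the digests given above before it is flashed. The following is an added example, not part of the original post; it assumes GNU grep, tail, md5sum and sha1sum, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post); function names are illustrative.

# Print the byte offset of the second "start" marker in a firmware file.
second_start_offset() {
    LC_ALL=C grep -abo 'start' "$1" | sed -n '2{s/:.*//;p;}'
}

# Write everything from the second "start" marker onward to the output file.
# Refuses to write unless the marker sits where the post says it is (228).
strip_first_section() {
    src=$1 dst=$2 expected=${3:-228}
    off=$(second_start_offset "$src")
    [ -n "$off" ] || { echo "no second 'start' marker in $src" >&2; return 1; }
    [ "$off" -eq "$expected" ] || {
        echo "second 'start' at offset $off, expected $expected" >&2
        return 1
    }
    # tail -c +N starts output at byte N (1-based), so skip exactly $off bytes.
    tail -c +"$((off + 1))" "$src" > "$dst"
}

# Compare a file's MD5 and SHA1 with published values; non-zero on mismatch.
verify_digests() {
    file=$1 want_md5=$2 want_sha1=$3
    got_md5=$(md5sum "$file" | cut -d' ' -f1)
    got_sha1=$(sha1sum "$file" | cut -d' ' -f1)
    [ "$got_md5" = "$want_md5" ] && [ "$got_sha1" = "$want_sha1" ]
}

# Usage with the files and digests named in the post:
#   strip_first_section wbmrhpg300h-179 encrypted_fw
#   ./buffalo-enc -d -i encrypted_fw -o decrypted.bin
#   verify_digests decrypted.bin b4318c88e1aa472a1c299281e16061a0 \
#       6f69f931d1bd09de2e516ee42fd8b780ee726a4a || echo "mismatch: do not flash"
```

A different firmware version may place the second marker elsewhere; in that case strip_first_section stops with an error instead of cutting at a guessed offset.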

If you have any questions or if you spotted any errors or omissions, please leave me a comment.

In my previous post we installed OpenWrt 10.03.1 on D-Link’s DSL-G624T. In this post I’ll show you, just in case you’re not happy with OpenWrt, how you can uninstall it and go back to the original D-Link firmware. The procedure is simple. You connect to the bootloader again, open an ftp connection, flash the original D-Link firmware and reset the mtd variables to their original values (you did make a note of the original mtd values, didn’t you?).

Before we begin we need to grab the original DSL-G624T firmware. You can find v3.10 of the original firmware on the router’s product support page (I’ve also uploaded it to OneDrive in case D-Link decides to remove it. SHA1: 73867582db7120ed1a3d5a59afb4ad395dda21f8). Download the zip archive and extract the firmware image ‘DLinkEU-A_DSL-G624T_singleimage_kernel_fs_-V3.10B01T02.EU–A.20070613’. Rename the image to something more manageable like ‘original.bin’.

Now that we have the firmware let’s connect to the modem. Connect your USB-to-UART converter to the modem’s serial port as before:

  • Converter GND to modem pin 4 or pin 2 (either one will do)
  • Converter Rx to modem pin 1
  • Converter Tx to modem pin 5

Launch your preferred terminal emulator (I’ll be using PuTTY) and open the serial connection. Power on the router (I use the terms ‘modem’ and ‘router’ interchangeably) and stop the bootloader from running the OS (just press any key). Set an IP address in the 192.168.1.x range for your NIC and connect to the router via UTP. Next, if you’re running Ubuntu, make sure that F-RTO is disabled (more info in my previous post), change to the directory where you extracted the original firmware and open an FTP connection to 192.168.1.199.

With the ftp connection established, issue, as before, the following commands:

ftp> binary
200 Type set to I.
ftp> hash
Hash mark printing on (1024 bytes/hash mark).
ftp> quote MEDIA FLSH
200 Media set to FLSH.
ftp>

Finally execute:

ftp> put original.bin "fw mtd1"

Just like when we flashed OpenWrt, the memory will be erased first, and then the transfer will begin. You can monitor the progress of the erase in PuTTY.

With the transfer of the original firmware completed, we need to reset mtd1 to its original value. At the bootloader prompt issue the following command:

Adam2_AR7RD > setenv mtd1 0x90010090,0x900a1000

Make sure that the mtd variables now have the values given below:

Adam2_AR7RD > printenv
mtd0  0x900a1000,0x903f0000
mtd1  0x90010090,0x900a1000
mtd2  0x90000000,0x90010000
mtd3  0x903f0000,0x90400000
mtd4  0x90010000,0x903f0000

At this point we are ready to run the original D-Link firmware. Disconnect the UTP cable. Switch to PuTTY and enter go:

Adam2_AR7RD > go

Good job, your modem is now running the original D-Link firmware.
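
The comparison of the mtd variables before entering go can be done over a saved PuTTY session log rather than by eye. The following is an added example, not part of the original post; the expected values are the ones listed in the printenv output above, while the function names and the log file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post); function names are illustrative.

# Original ADAM2 mtd values, copied from the printenv output in the post.
EXPECTED_MTD='mtd0 0x900a1000,0x903f0000
mtd1 0x90010090,0x900a1000
mtd2 0x90000000,0x90010000
mtd3 0x903f0000,0x90400000
mtd4 0x90010000,0x903f0000'

# Extract "mtdN value" pairs from a serial log. Carriage returns are removed
# and the last value logged for each variable wins, so a log holding printenv
# output from both before and after setenv reports the current state.
mtd_from_log() {
    tr -d '\r' < "$1" |
        awk '/^mtd[0-9]+[ \t]+0x/ { v[$1] = $2 }
             END { for (k in v) print k, v[k] }' | sort
}

# Print every variable that is missing or differs; non-zero if any do.
check_mtd() {
    got=$(mtd_from_log "$1")
    bad=0
    while read -r name want; do
        have=$(printf '%s\n' "$got" | awk -v n="$name" '$1 == n { print $2 }')
        if [ "$have" != "$want" ]; then
            echo "$name: have ${have:-<missing>}, want $want"
            bad=1
        fi
    done <<EOF
$EXPECTED_MTD
EOF
    return "$bad"
}

# Usage (session.log is a hypothetical PuTTY log file):
#   check_mtd session.log && echo "mtd values match the originals"
```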

If you have any questions or if you spotted any errors or omissions, please leave me a comment.