Archive

Tag Archives: DD-WRT

In my previous post I showed you how to install OpenWrt 14.07 on the Buffalo WBMR-HP-G300H. In this post I’ll show you how you can restore the original Buffalo firmware. Numerous posts on the internet claim that going back to the original firmware is impossible once you’ve installed OpenWrt or DD-WRT. This is not true. If you’ve installed OpenWrt or DD-WRT on your WBMR-HP-G300H and you wish to go back to the original Buffalo firmware, keep reading.

Note to DD-WRT users: to restore the original Buffalo firmware you need to switch to OpenWrt first. You can check my previous post for instructions on installing OpenWrt.

With OpenWrt installed on the WBMR-HP-G300H, what prevents you from restoring the original Buffalo firmware once you’ve downloaded it from Buffalo’s site is that the firmware is encrypted. You need to decrypt the firmware (and also remove a header) before you try flashing it. The whole process is outlined by n0r1n0x in his excellent post here and I’ll be following it below. Briefly, here’s what needs to be done: to decrypt the firmware we’re going to get OpenWrt’s source files, compile the decryption program, modify the firmware, decrypt it and, lastly, flash it. Let’s begin.

1. Download the OpenWrt source files

Open a terminal window and issue the following command:

git clone git://git.openwrt.org/14.07/openwrt.git

This will download the OpenWrt source files in the openwrt directory (the directory will be created for you).

2. Locate, edit and compile buffalo-enc.c

The file buffalo-enc.c should be in /openwrt/tools/firmware-utils/src. Open it with a text editor and add the following line to the top:

#include "buffalo-lib.c"

Save the file and compile it with the command below:

gcc -o buffalo-enc buffalo-enc.c

We will use buffalo-enc to decrypt the firmware image in a moment.

3. Edit the encrypted firmware

Before decrypting the Buffalo firmware we need to strip off the first start section (if you haven’t already downloaded the original firmware, you can download it from here). Open wbmrhpg300h-179 with a hex editor, select the first 228 bytes (up until but not including the second start) and delete them.

Removing the first start section from the encrypted firmware.

Removing the first start section from the encrypted firmware.

Save the edited firmware as encrypted_fw and close the hex editor.

4. Decrypt the firmware

Decrypt the firmware by issuing:

buffalo-enc -d -i encrypted_fw -o decrypted.bin

The decrypted firmware will be saved as decrypted.bin.

For your convenience I have uploaded the decrypted firmware to OneDrive.You can find it here.

MD5: b4318c88e1aa472a1c299281e16061a0 – SHA1: 6f69f931d1bd09de2e516ee42fd8b780ee726a4a

5. Flash

Login to the OpenWrt admin page and go to System –> Backup/Flash Firmware. Under the “Flash new firmware image” section choose the decrypted firmware image and press Flash image.

About to flash the original firmware.

About to flash the original firmware.

You will be asked to verify that you uploaded the correct image. Click proceed and the flash process will begin. The modem will reboot after a few minutes once or twice. Do not power off the modem. The process will take a few minutes to complete. Renew your ethernet connection and reconnect to the modem (default ip now is 192.168.11.1). The original Buffalo firmware is now restored!

Buffalo WBMR-HP-G300H firmware v1.79 restored.

Buffalo WBMR-HP-G300H firmware v1.79 restored.

If you have any questions or if you spotted any errors or omissions, please leave me a comment.

Advertisements

The Buffalo WBMR-HP-G300H is a little beast of a modem/router, based on the Lantiq AR9 SoC family, and built on the following hardware:

Type Part Notes
CPU Lantiq XWAY ARX168 PSB 50810 EL MIPS 34Kc @ 333MHz
Flash Macronix MX29GL256ELT2I-90Q 32MB
RAM Samsung K4H511638F-LCCC 64MB @ 166MHz
Switch Atheros AR8316 ?
WiFi Atheros AR9223  IEEE 802.11 b/g/n

The modem officially supports DD-WRT but we will be installing OpenWrt Barrier Breaker.

There are two ways of getting OpenWrt on the WBMR-HP-G300H. You can either install OpenWrt through DD-WRT (provided, of course, you’ve installed DD-WRT first) or you can talk to the modem’s bootloader via TFTP and upload an OpenWrt image. In this post I’ll be taking the DD-WRT route, which is really simple. Let’s begin.

Step 1: Install DD-WRT

If DD-WRT is not already installed on the modem (i.e. the modem is running the official Buffalo firmware), you need to install it. Download buffalo_to_dd-wrt_MULTI.enc from DD-WRT’s website and save it on your hard-drive. Turn on the modem and connect to 192.168.11.1. The default username is root, the password is blank. (Note: use IE or Opera, otherwise the pages won’t render properly). Now navigate to Admin Config/Update. Choose the file you just downloaded from DD-WRT’s website and press Update Firmware.

Updating to DD-WRT.

Updating to DD-WRT.

After you press Update Firmware you need to wait for about 6-7 minutes. A progress bar will be displayed in the browser to let you know how far along the process has got. Once the update is complete you should renew your ethernet connection. The new router ip will be 192.168.1.1.

Step 2: Flash OpenWrt

With DD-WRT installed we can proceed to flashing OpenWrt. From OpenWrt’s website download openwrt-lantiq-xway-WBMR-squashfs.image and save it on a USB stick (formatted either as ext2/3 or FAT32). Login to the DD-WRT admin page at 192.168.1.1 (on first access you will be prompted to set a new password) and navigate to Services/USB. We will enable USB support in order to copy the OpenWrt image from the USB stick to the modem’s internal storage. To do so, enable Core USB Support, USB Storage Support and Automatic Drive Mount, as pictured below, and apply settings.

Enabling USB support.

Enabling USB support on DD-WRT.

With USB support enabled, plug-in your USB stick to the modem. Telnet to the modem at 192.168.1.1 and login with username root (even if you have changed the username!) and the password you previously set. You can see below that, in my case, my USB stick has been mounted on /tmp/mnt/sda_part1.

The USB stick has been mounted on /tmp/mnt/sda_part1/.

We are now ready to flash OpenWrt. Change to the directory where the stick is mounted and issue the following command:

mtd -r write openwrt-lantiq-xway-WBMR-squashfs.image linux

This will write OpenWrt to the modem’s flash storage.

Writing OpenWrt.

Writing OpenWrt.

The telnet connection will be closed once the write is complete. At this point you have to wait while the modem boots OpenWrt for the first time. Do not turn off the modem. Once the modem is ready you will be able to ping it and telnet to it at 192.168.1.1 again.

Connecting to OpenWrt for the first time.

Connecting to OpenWrt for the first time.

Congratulations, OpenWrt Barrier Breaker is now installed.

If you have any questions or if you spotted any errors or omissions, please leave me a comment.