Similar steps can be used under Linux, I have no idea how to Windows anymore. This will probably work for similar Buffalo WZR routers, though your milage may vary. These directions flash the router back to stock Buffalo branded DDWRT.
When these routers brick they tend to go into a kind of reboot mode. At the begining of the reboot, the TFTP server is available for a brief period of time, then all of the lights flash and the unit reboots. We're exploiting the short period of time where the router is in TFTP mode at the start of the reboot. You can try to do a put via TFTP at the begining of this cycle, even if your router has been plugged in for awhile.
Download the latest Buffalo Stock tftp binary. If this link is dead, just search for the model number in Support.
Downloads for AirStation High Power N300 Gigabit Wireless Router & AP
I selected DD-WRT (Professional) Beta firmware for the WZR-HP-G300NH (Version 1).
You can download with curl if you'd like. Open your terminal and copy/paste:
curl -O http://3865dc10959fb7ba66fc-382cb7eb4238b9ee1c11c6780d1d2d1e.r18.cf1.rackcdn.com/wzrhpg300nh-pro-v24sp2-19484-beta-download.zip
unzip wzrhpg300nh-pro-v24sp2-19484-beta-download.zip
ls -la wzrhpg300nh-pro-v24sp2-19484-beta-Download/
This should show something like this:
total 15800
drwxr-xr-x 6 pjobson staff 192 Aug 7 2012 .
drwxr-xr-x 7 pjobson staff 224 May 21 22:07 ..
-rw-r--r-- 1 pjobson staff 1383 Aug 3 2012 Readme.txt
-rw-r--r-- 1 pjobson staff 7905 Aug 7 2012 howto_update_ap.html
drwxr-xr-x 11 pjobson staff 352 Aug 3 2012 images
-rw-r--r-- 1 pjobson staff 16163324 Jul 15 2012 wzrhpg300nh-pro-v24sp2-19484-beta.enc
We are going to flash wzrhpg300nh-pro-v24sp2-19484-beta.enc onto the router later on.
Plug your router into your Mac's ethernet port and the other end into Port 1 on the router.
For the easiest way to figure out which network interface to use, open Network Utility in /System/Library/CoreServices/Applications/.
Find your network adapter and take note of the interface en#, it is usually en0, though mine is en7, because I'm using a Belkin USB-C adapter. Take note of this, you will need it shortly.
Close Network Utility.
You will need the SSID off of the back of your router. It should have a sticker which shows SSID: mine for example is: 0024A5AFFC55.
Open System Preferences and go to Network, select your network interface and set:
- Configure IPv4: Manually
- IP Address: 192.168.11.2
- Subnet Mask: 255.255.255.0
- Router: 192.168.11.1
Click Apply and then disable your wifi and/or any other network adapters which have connections.
I do everything as root, just be careful not to mess stuff up.
sudo su -
Setup your arp command. _INTERFACE_ID_ is your particular network interface that you found in Network Utility. Mine would be en7. _COLON_DELIMITED_SSID_ your SSID split up with colons for every two characters.
arp -s 192.168.11.1 _COLON_DELIMITED_SSID_ ifscope _INTERFACE_ID_
For my router this would be:
arp -s 192.168.11.1 00:24:A5:AF:FC:55 ifscope en7
Before you hit the enter key, plug your router in. If you press it too quickly, it'll throw this error message.
arp: writing to routing socket: No such process
arp: 192.168.11.1: No such process
If you get an error, press the up arrow and hit enter again until you do not get a message back.
If you're having a lot of trouble getting it to work, you can make a shell script called setarp.sh and paste the below in, then do chmod +x setarp.sh, then do ./setarp.sh. You'll need to use your SSID and interface.
#!/bin/bash
arp -s 192.168.11.1 00:24:A5:AF:FC:55 ifscope en7
while [ $? -ne 0 ]; do
arp -s 192.168.11.1 00:24:A5:AF:FC:55 ifscope en7
done
Then plug the router in, it'll keep trying to add the record until it succeeds.
Now verify that it worked.
arp -a |grep 192.168.11.1
Should return something like this.
? (192.168.11.1) at 0:24:a5:af:fc:55 on en7 ifscope permanent [ethernet]
Unplug your router.
You'll want to cd into wherever you downloaded the zip file, probably Downloads.
cd wzrhpg300nh-pro-v24sp2-19484-beta-Download/
Start up tftp, it will prompt you with tftp>. Enter each of the commands listed. After you type in the put wzrh... line, hit enter then immediately plug the router in.
TFTP will start trying to send the file and because you have the rexmt 1 option set will continue trying. Eventually it'll start showing sent DATA messages and then a completion message.
root# tftp 192.168.11.1
tftp> verbose
Verbose mode on.
tftp> binary
mode set to octet
tftp> trace
Packet tracing on.
tftp> rexmt 1
tftp> timeout 60
tftp> put wzrhpg300nh-pro-v24sp2-19484-beta.enc
sent WRQ <file=wzrhpg300nh-pro-v24sp2-19484-beta.enc, mode=octet>
sent WRQ <file=wzrhpg300nh-pro-v24sp2-19484-beta.enc, mode=octet>
sent WRQ <file=wzrhpg300nh-pro-v24sp2-19484-beta.enc, mode=octet>
sent WRQ <file=wzrhpg300nh-pro-v24sp2-19484-beta.enc, mode=octet>
sent WRQ <file=wzrhpg300nh-pro-v24sp2-19484-beta.enc, mode=octet>
....
sent DATA <block=23757, 512 bytes>
received ACK <block=23757>
sent DATA <block=23758, 512 bytes>
received ACK <block=23758>
sent DATA <block=23759, 512 bytes>
received ACK <block=23759>
sent DATA <block=23760, 512 bytes>
received ACK <block=23760>
....
Sent 12423420 bytes in 19.4 seconds [5123060 bits/sec]
tftp> quit
This should make the circle red light on the router flash on and off. At this point, the router is flashing the firmware, you can leave it alone for some period of time. I took a nap, so I'm not sure how long it will take.
Delete your arp routes, this deletes all of them.
arp -d -a
Exit back to your normal user.
exit
Download the latest version of OpenWRT. It'll be something like this.
wget https://archive.openwrt.org/releases/19.07.8/targets/ar71xx/generic/openwrt-19.07.8-ar71xx-generic-wzr-hp-g300nh-squashfs-sysupgrade.bin
At the time of this writing 19.07.8 is the latest. Be sure to get the sysupgrade version.
Lastly we need to generate a public ssh key for the next step. Open Terminal and type:
cat ~/.ssh/id_rsa.pub
Generate your SSH keys if this throws an error.
cat: ~/.ssh/id_rsa.pub: No such file or directory
ssh-keygen
Just hit enter 3 times at the prompts of the key generator.
cat ~/.ssh/id_rsa.pub
Should display something like the following without the ...., copy this key.
ssh-rsa AAAAB3NzaC1yc2E....lP3hD user@hostname
Disable your LAN connection in Network in you System Preferences. Unplug the router for 30 seconds and plug it back in. Enable your LAN connection.
You should be able to browse to 192.168.11.1. It'll prompt you to change the password, I'm going to flash back to OpenWRT now.
Go to the Services tab, scroll down to Secure Shell and enable SSHd.
- SSHd: Enable
- SSH TCP Forwarding: Disable
- Password Login: Enable
- Port: 22
- Authorized Keys: your key from the previous step
Hit Save button and select the Administration tab, go down to Remote Access.
- SSH Management: Enable
- SSH Remote Port: 22
Hit Save then Apply Settings buttons.
You may have to reboot the router if you have trouble SSH'ing in in the next step.
These routers use a legacy version of SSH which is deprecated. You'll need to pass the diffie-hellman-group1-sha1 algorithm to login at all.
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 [email protected]
This should show a prompt.
The authenticity of host '192.168.11.1 (192.168.11.1)' can't be established.
RSA key fingerprint is SHA256:TTx+R0zPSSe2SCgo7jVVztvf0CeQbL6wA5n7f225pig.
Are you sure you want to continue connecting (yes/no)?
Type yes and hit enter this will add the IP to your known hosts.
Warning: Permanently added '192.168.11.1' (RSA) to the list of known hosts.
Now it should show you the login message.
DD-WRT v24-sp2 std (c) 2010 NewMedia-NET GmbH
Release: 08/19/10 (SVN revision: 14998)
==========================================================
____ ___ __ ______ _____ ____ _ _
| _ \| _ \ \ \ / / _ \_ _| __ _|___ \| || |
|| | || ||____\ \ /\ / /| |_) || | \ \ / / __) | || |_
||_| ||_||_____\ V V / | _ < | | \ V / / __/|__ _|
|___/|___/ \_/\_/ |_| \_\|_| \_/ |_____| |_|
DD-WRT v24-sp2
http://www.dd-wrt.com
==========================================================
BusyBox v1.13.4 (2010-08-19 15:28:04 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
root@DD-WRT:~# exit
Connection to 192.168.11.1 closed.
Type exit and it'll show the connection is closed.
If you have SSH'd into this IP before you may get an error.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:jaCqvfDqvXg0rTVW2/UasUoS6JCsxaH5lcWrVPcdrhA.
Please contact your system administrator.
Add correct host key in /var/root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /var/root/.ssh/known_hosts:1
RSA host key for 192.168.11.1 has changed and you have requested strict checking.
Host key verification failed.
You can clear the error with ssh-keygen, then repeat the ssh steps.
ssh-keygen -R 192.168.11.1
Now we're going to SCP the firmware.
scp -oKexAlgorithms=+diffie-hellman-group1-sha1 openwrt-19.07.8-ar71xx-generic-wzr-hp-g300nh-squashfs-sysupgrade.bin [email protected]:/tmp
Should show the following.
DD-WRT v24-sp2 std (c) 2010 NewMedia-NET GmbH
Release: 08/19/10 (SVN revision: 14998)
openwrt-19.07.8-ar71xx-generic-wzr-hp-g300nh-squashfs-sysupgrade.bin 100% 3328KB 1.6MB/s 00:02
SSH back into the router.
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 [email protected]
Migrate from DDWRT to OpenWRT.
cd /tmp
ls openwrt*
Should display.
-rw-r--r-- 1 root root 3801092 Jan 1 00:16 openwrt-19.07.8-ar71xx-generic-wzr-hp-g300nh-squashfs-sysupgrade.bin
Write the firmware.
mtd -r write openwrt-19.07.8-ar71xx-generic-wzr-hp-g300nh-squashfs-sysupgrade.bin linux
Should display.
Unlocking linux ...
Writing from openwrt-19.07.8-ar71xx-generic-wzr-hp-g300nh-squashfs-sysupgrade.bin to linux ... [w/e]
Connection to 192.168.11.1 closed by remote host.
Connection to 192.168.11.1 closed.
This will drop you back to your Mac's terminal. Now wait for some period of time for the router to finish flashing, this could take over 10 minutes. Unplug your ethernet and take a nap.
Plug your ethernet back in and you should get an IP address from the freshly flashed OpenWRT, it should be 192.168.1.1.
@pyed
There were a couple of variants of this router made and all buffalo routers, which made them kind of annoying to deal with. There are 4 firmware files listed in their directory, perhaps try a different one. The "Disk Full" message means the firmware you are trying to flash is too large for the space available.
https://www.buffalotech.com/support/downloads/airstation-high-power-n300-wireless-router-ap