2017-02-25

WHR-G300N v1 Boot Log

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2017.02.24 14:24:07 =~=~=~=~=~=~=~=~=~=~=~=

U-Boot 1.1.3 for BUFFALO AIRSTATION (Aug 26 2008 - 13:08:44)

Board: Ralink APSoC DRAM:  32 MB
Top of RAM usable for U-Boot at: 82000000
Stack Pointer at: 81f4ff98
relocate_code Pointer at: 81fa0000
Now running in RAM - U-Boot at: 81fa0000
FLASH ID : 00h=[0xc2], 01h=[0x22a8], 0Eh=[0x0], 0Fh=[0x19]
 Set info->start[0]=BF000000
flash_protect ON: from 0xBF000000 to 0xBF02B84F
protect on 0
protect on 1
protect on 2
protect on 3
protect on 4
protect on 5
protect on 6
protect on 7
protect on 8
protect on 9
flash_protect ON: from 0xBF030000 to 0xBF03FFFF
protect on 10
flash_protect ON: from 0xBF040000 to 0xBF04FFFF
protect on 11
uboot use  81F4FFB0 - 82000000
Memory Test start(80000000) end(81F00000) size(01F00000)
Pattern 55555555  Writing...            Reading...
Pattern AAAAAAAA  Writing...            Reading...
Pattern 00000000  Writing...            Reading...

Memory Test OK

### buf_ver=[1.09] U-Boot Ver.=[1.09]
### build_date(env)=[Aug 26 2008 - 13:08:44] build_date(bin)=[Aug 26 2008 - 13:08:44]

============================================

Ralink UBoot Version: 3.1

--------------------------------------------

ASIC 3052_MP2 (MAC to GigaMAC Mode)
DRAM COMPONENT: 256Mbits
DRAM BUS: 32BIT
Total memory: 64 MBytes
Date:Aug 26 2008  Time:13:08:44

============================================

icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:128, ways:4, linesz:32 ,total:16384

 ##### The CPU freq = 384 MHZ ####

 SDRAM bus set to 32 bit
 SDRAM size =32 Mbytes

Please choose the operation:

   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   9: Load Boot Loader code then write to Flash via TFTP.
 0

Net:
 eth_register
Eth0 (10/100-M)
 enetvar=ethaddr,Eth addr:00:AA:BB:CC:DD:19
 00:AA:BB:CC:DD:19:

 eth_current->name = Eth0 (10/100-M)

6: System Load Linux Kernel then write to Flash via TFTP Server.

 netboot_common, argc= 2
 *************buf = 0x81fcb9e0
 **********NexTxPacket = 81fe3ac0
 NetTxPacket = 0x81FE3AC0
 NetRxPackets[0] = 0x81FE40C0
 NetRxPackets[1] = 0x81FE46C0
 NetRxPackets[2] = 0x81FE4CC0
 NetRxPackets[3] = 0x81FE52C0
 NetRxPackets[4] = 0x81FE58C0
 NetRxPackets[5] = 0x81FE5EC0
 NetRxPackets[6] = 0x81FE64C0
 NetRxPackets[7] = 0x81FE6AC0
 NetRxPackets[8] = 0x81FE70C0
 NetRxPackets[9] = 0x81FE76C0
 NetRxPackets[10] = 0x81FE7CC0
 NetRxPackets[11] = 0x81FE82C0
 NetRxPackets[12] = 0x81FE88C0
 NetRxPackets[13] = 0x81FE8EC0
 NetRxPackets[14] = 0x81FE94C0
 NetRxPackets[15] = 0x81FE9AC0
 NetRxPackets[16] = 0x81FEA0C0
 NetRxPackets[17] = 0x81FEA6C0
 NetRxPackets[18] = 0x81FEACC0
 NetRxPackets[19] = 0x81FEB2C0
 KSEG1ADDR(NetTxPacket) = 0xA1FE3AC0
 NetLoop,call eth_halt !
 NetLoop,call eth_init !

Trying Eth0 (10/100-M)
 Waitting for RX_DMA_BUSY status Start... done
 Mac to giga Mac mode
 rx_ring = A1FCBE00, tx_ring0 = A1FCBCC0
 Header Payload scatter function is Disable !!
 RT2880_PDMA_GLO_CFG=00000020
 *************************************************
 RX_CALC_IDX0=19
 RX_DRX_IDX0 = 0
 *************************************************
 ETH_STATE_ACTIVE!!

tftp server(receive) go, waiting:4[sec]
Trying Eth0 (10/100-M)
 ETH_STATE_ACTIVE!!

Load address: 0x81000000
TftpServer Timeout;

Trying Eth0 (10/100-M)
 ETH_STATE_ACTIVE!!

no file was loaded.
 netboot_common, argc= 3
 KSEG1ADDR(NetTxPacket) = 0xA1FE3AC0
 NetLoop,call eth_halt !
 NetLoop,call eth_init !
Trying Eth0 (10/100-M)
 ETH_STATE_ACTIVE!!

Using Eth0 (10/100-M) device

TFTP from server 192.168.11.2; our IP address is 192.168.11.1

Filename 'firmware.ram'.
 TIMEOUT_COUNT=10,Load address: 0x81000000

Loading: *T T T T
Retry count exceeded; starting again

3: System Boot system code via Flash.

## Booting image at bf050000 ...
   Image Name:   DD-WRT v24 Linux Kernel Image
   Created:      2017-02-07   7:24:39 UTC
 System Control Status = 0x20440000
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    860072 Bytes = 839.9 kB
   Load Address: 80000000
   Entry Point:  80004d70
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK

No initrd
## Transferring control to Linux (at address 80004d70) ...
## Giving linux memsize in MB, 32

Starting kernel ...

Linux version 3.2.84 (root@linux) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.01 r39555) ) #25643 Tue Feb 7 08:23:48 CET 2017
bootconsole [early0] enabled
CPU revision is: 0001964c (MIPS 24KEc)
Ralink RT3052 id:1 rev:2 running at 384.00 MHz
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Zone PFN ranges:
  Normal   0x00000000 -> 0x00002000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00002000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
Kernel command line:  console=ttyS1,57600n8 root=/dev/mtdblock4 rootfstype=squashfs noinitrd
PID hash table entries: 128 (order: -3, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 16kB, 4-way, VIPT, no aliases, linesize 32 bytes
Writing ErrCtl register=00000007
Readback ErrCtl register=00000007
Memory: 29700k/32768k available (2046k kernel code, 3068k reserved, 307k data, 156k init, 0k highmem)
NR_IRQS:48
console [ttyS1] enabled, bootconsole disabled
console [ttyS1] enabled, bootconsole disabled
Calibrating delay loop... 255.59 BogoMIPS (lpj=1277952)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
NET: Registered protocol family 16
bio: create slab at 0
Switching to clocksource MIPS
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
squashfs: version 3.0 (2006/03/15) Phillip Lougher
msgmni has been set to 58
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x10000500 (irq = 13) is a 16550A
serial8250: ttyS1 at MMIO 0x10000c00 (irq = 20) is a 16550A
Ralink gpio driver initialized
system type: RT3052
boot type: 0
ralink flash device: 0x1000000 at 0xbf000000
Ralink SoC physically mapped flash: Found 1 x16 devices at 0x0 in 16-bit bank. Manufacturer ID 0x0000c2 Chip ID 0x0022a8
Amd/Fujitsu Extended Query Table at 0x0040
  Amd/Fujitsu Extended Query version 1.1.
number of CFI chips: 1

found squashfs at 122000
Creating 6 MTD partitions on "Ralink SoC physically mapped flash":
0x000000000000-0x000000030000 : "uboot"
0x000000030000-0x000000040000 : "uboot-config"
0x000000040000-0x000000050000 : "factory-defaults"
0x000000050000-0x0000003f0000 : "linux"
0x000000122000-0x0000003f0000 : "rootfs"
mtd: partition "rootfs" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
0x0000003f0000-0x000000400000 : "nvram"
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky
PPP generic driver version 2.4.2
PPP BSD Compression module registered
PPP Deflate Compression module registered
PPP MPPE Compression module registered
NET: Registered protocol family 24
Ralink APSoC Hardware Watchdog Timer
u32 classifier
    Performance counters on
    Actions configured
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (464 buckets, 1856 max)
ctnetlink v0.93: registering with nfnetlink.
IPv4 over IPv4 tunneling driver
ip_tables: (C) 2000-2006 Netfilter Core Team
IPP2P v0.8.2 loading
ipt_CLUSTERIP: ClusterIP Version 0.8 loaded successfully
TCP bic registered
TCP cubic registered
TCP westwood registered
TCP highspeed registered
TCP hybla registered
TCP htcp registered
TCP vegas registered
TCP scalable registered
NET: Registered protocol family 17
Bridge firewalling registered
8021q: 802.1Q VLAN Support v1.8
searching for nvram
nvram size = 0
MAC_ADRH -- : 0x0000001d
MAC_ADRL -- : 0x73111112
MAC_ADRH -- : 0x0000001d
MAC_ADRL -- : 0x73111112
Ralink APSoC Ethernet Driver Initilization. v2.0  256 rx/tx descriptors allocated, mtu = 1500!
NAPI enable, Tx Ring = 256, Rx Ring = 256
MAC_ADRH -- : 0x0000001d
MAC_ADRL -- : 0x73111112
rt3052 access driver initialization.
VFS: Mounted root (squashfs filesystem) readonly on device 31:4.
Freeing unused kernel memory: 156k freed
start service
starting Architecture code for rt2880
Jan  1 00:00:01 udevtrigger[45]: parse_config_file: can't open '/etc/udev/udev.conf' as config file: No such file or directory

Started WatchDog Timer.

phy_tx_ring = 0x01433000, tx_ring = 0xa1433000

phy_rx_ring0 = 0x01f68000, rx_ring0 = 0xa1f68000
RT305x_ESW: Link Status Changed
CDMA_CSG_CFG = 81000007
GDMA1_FWD_CFG = 710000
switch reg write offset=14, value=405555
switch reg write offset=50, value=2001
switch reg write offset=90, value=7f7f
switch reg write offset=98, value=7f3f
switch reg write offset=e4, value=3f
switch reg write offset=40, value=1001
switch reg write offset=44, value=1001
switch reg write offset=48, value=1002
switch reg write offset=70, value=ffff506f
device br0 entered promiscuous mode
device vlan1 entered promiscuous mode
device eth2 entered promiscuous mode
/bin/sh: ead: not foundbr0: port 1(vlan1) entering forwarding state
br0: port 1(vlan1) entering forwarding state
device br0 left promiscuous mode
device br0 entered promiscuous mode
device br0 left promiscuous mode
rt2860v2_ap: module license 'unspecified' taints kernel.
Disabling lock debugging due to kernel taint
0x1300 = 00064380
0x1300 = 00064380
br0: port 1(vlan1) entering forwarding state
device ra0 entered promiscuous mode
br0: port 2(ra0) entering forwarding state
br0: port 2(ra0) entering forwarding state
br0: port 2(ra0) entering forwarding state
0x1300 = 00064380
br0: port 2(ra0) entering forwarding state
br0: port 2(ra0) entering forwarding state
wland: No such file or directory
Key is a ssh-rsa key
Wrote key to '/tmp/root/.ssh/ssh_host_rsa_key'
device vlan2 entered promiscuous mode
device vlan2 left promiscuous mode
switch reg write offset=14, value=405555
switch reg write offset=50, value=2001
switch reg write offset=90, value=7f7f
switch reg write offset=98, value=7f3f
switch reg write offset=e4, value=3f
switch reg write offset=40, value=1001
switch reg write offset=44, value=1001
switch reg write offset=48, value=1002
switch reg write offset=70, value=ffff506f
vlan2: No such process
br0: port 2(ra0) entering forwarding state
ba0       no private ioctls.
ba0       no private ioctls.
ba0       no private ioctls.
ba0       no private ioctls.

/opt/etc/init.d/rcS: No such file or directory
/jffs/etc/init.d/rcS: No such file or directory
/mmc/etc/init.d/rcS: No such file or directory
/etc/config/conntrack.startup: line 8: can't create /proc/sys/net/ipv4/ip_conntrack_max: nonexistent directory
K

== Reboot and then select option 4 ===============================


U-Boot 1.1.3 for BUFFALO AIRSTATION (Aug 26 2008 - 13:08:44)

Board: Ralink APSoC DRAM:  32 MB
Top of RAM usable for U-Boot at: 82000000
Stack Pointer at: 81f4ff98
relocate_code Pointer at: 81fa0000
Now running in RAM - U-Boot at: 81fa0000

FLASH ID : 00h=[0xc2], 01h=[0x22a8], 0Eh=[0x0], 0Fh=[0x19]
 Set info->start[0]=BF000000
flash_protect ON: from 0xBF000000 to 0xBF02B84F

protect on 0
protect on 1
protect on 2
protect on 3
protect on 4
protect on 5
protect on 6
protect on 7
protect on 8
protect on 9
flash_protect ON: from 0xBF030000 to 0xBF03FFFF
protect on 10
flash_protect ON: from 0xBF040000 to 0xBF04FFFF
protect on 11
uboot use  81F4FFB0 - 82000000

Memory Test start(80000000) end(81F00000) size(01F00000)


Pattern 55555555  Writing...            Reading...
Pattern AAAAAAAA  Writing...            Reading...
Pattern 00000000  Writing...            Reading...

Memory Test OK

### buf_ver=[1.09] U-Boot Ver.=[1.09]

### build_date(env)=[Aug 26 2008 - 13:08:44] build_date(bin)=[Aug 26 2008 - 13:08:44]

============================================

Ralink UBoot Version: 3.1

--------------------------------------------

ASIC 3052_MP2 (MAC to GigaMAC Mode)
DRAM COMPONENT: 256Mbits
DRAM BUS: 32BIT
Total memory: 64 MBytes
Date:Aug 26 2008  Time:13:08:44

============================================

icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:128, ways:4, linesz:32 ,total:16384

 ##### The CPU freq = 384 MHZ ####

 SDRAM bus set to 32 bit
 SDRAM size =32 Mbytes


Please choose the operation:

   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   9: Load Boot Loader code then write to Flash via TFTP.

You choosed 4

 0

Net:
 eth_register
Eth0 (10/100-M)
 enetvar=ethaddr,Eth addr:00:AA:BB:CC:DD:19
 00:AA:BB:CC:DD:19:
 eth_current->name = Eth0 (10/100-M)

4: System Enter Boot Command Line Interface.


U-Boot 1.1.3 for BUFFALO AIRSTATION (Aug 26 2008 - 13:08:44)

 main_loop !!


 In main_loop !!

 CONFIG_BOOTDELAY

### main_loop entered: bootdelay=1


### main_loop: bootcmd="tftp"

RT3052 #
RT3052 #
RT3052 # printenv

bootcmd=tftp
bootdelay=1
baudrate=57600
ethaddr="00:AA:BB:CC:DD:10"
ipaddr=192.168.11.1
serverip=192.168.11.2

preboot=echo;echo
ramargs=setenv bootargs root=/dev/ram rw
addip=setenv bootargs $(bootargs) ip=$(ipaddr):$(serverip):$(gatewayip):$(netmask):$(hostname):$(netdev):off
addmisc=setenv bootargs $(bootargs) console=ttyS0,$(baudrate) ethaddr=$(ethaddr) panic=1
flash_self=run ramargs addip addmisc;bootm $(kernel_addr) $(ramdisk_addr)
tmp_ram=81000000
fw=firmware.bin
fw_eaddr=BF050000 BF3FFFFF
uboot=uboot.bin
uboot_eaddr=BF000000 BF02FFFF
uboot_prot=BF000000 BF02FFFF
u_fw=erase $(fw_eaddr); cp.tftps_fw
ut_fw=tftp $(tmp_ram) $(fw); erase $(fw_eaddr); cp.linux; reset
u_uboot=protect off $(uboot_prot); erase $(uboot_eaddr); cp.tftps_uboot; reset
ut_uboot=tftp $(tmp_ram) $(uboot); protect off $(uboot_prot); erase $(uboot_eaddr); cp.uboot; reset
melco_id=RD_BB07081
tftp_wait=4
buf_ver=1.09
hw_rev=0
custom_id=0
DEF-p_wireless_ra0_11bg-authmode=psk
DEF-p_wireless_ra0_11bg-crypto=aes
DEF-p_wireless_ra0_11bg-authmode_ex=wpa-psk
build_date=Aug 26 2008 - 13:08:44
inspection=1
pincode=13240561
DEF-p_wireless_ra0_11bg-wpapsk=x6skk9xp811p3
SUP_MBSSID=4
stdin=serial
stdout=serial
stderr=serial
ethact=Eth0 (10/100-M)

Environment size: 1223/65532 bytes

RT3052 #
RT3052 #
RT3052 # ?

?       - alias for 'help'

TFTPS   - boot image via network as TFTP server
base    - print or set address offset
bdinfo  - print Board Info structure
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootm   - boot application image from memory
bootp- boot image via network using BootP/TFTP protocol
cmp     - memory compare
coninfo - print console devices and information
cp      - memory copy
crc32   - checksum calculation
echo    - echo args to console
erase   - erase FLASH memory
flinfo  - print FLASH memory information
go      - start application at address 'addr'
help    - print online help
iminfo  - print header information for application image
ledb    - LED test blink
ledoff  - LED test off
ledon   - LED test on
ledt    - LED test toggle
loadb   - load binary file over serial line (kermit mode)
loop    - infinite loop on address range
loopback   - Ralink eth loopback test !!
md      - memory display
mdio   - Ralink PHY register R/W command !!
mm      - memory modify (auto-incrementing)
mtest   - simple RAM test
mw      - memory write (fill)
nm      - memory modify (constant address)
printenv- print environment variables
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
set_inspection - set/unset inspection mode
setenv  - set environment variables
sleep   - delay execution for some time
spicmd- read/write data from/to eeprom or vtss
tftpboot- boot image via network using TFTP protocol
version - print monitor version

RT3052 #
RT3052 #

2017-02-20

WHR-G300N (v1)

主要参考文件 :
Flash from Buffalo stock firmware to DD-WRT
Refer WHR-G300N on DD-WRT WIKI

------------------------------------------------------------
主機板訊息: WRTR-237GN_V02; 190-k05-7700R

------------------------------------------------------------
Wireless MAC (SSID): 00-24-a5-3d-9f-e8
LAN MAC : 00-1d-73-11-11-12
WAN MAC : 00-1d-73-11-11-13

------------------------------------------------------------
原廠 firmware 換成 DD-WRT 的過程:

1) 設定網路 IP : 192.168.11.2, NETMASK : 255.255.255.0, gateway : 192.168.11.1
2) 使用 "arp -a", 確認 192.168.11.1 有出現, ping 192.168.11.1 也正常回應
3) power off router
3) dos command> tftp -i 192.168.11.1 PUT firmware.tftp, 並立即 power on router. 通常 router 只等你幾秒的時間

------------------------------------------------------------
DD-WRT 啟動上有些困難, 原因還不是很清楚, 暫時解法如下:

使用 "arp -a", 確認 192.168.1.1 有出現
若無 (192.168.1.1 cannot link with 00-1d-73-11-11-12),
1) ipconfig /flushdns
2) ipconfig /release
3) ipconfig /renew
4) "route print" 找出 INTERFACE ID
5) netsh interface ipv4 add neighbors %INTERFACE% %ROUTERIP% %ROUTERMAC%

事後, netsh interface ipv4 delete neighbors %INTERFACE%

LED display/Reset Button 不太正常, 暫時不理會

------------------------------------------------------------
如何進入 U-BOOT command mode,
USB 轉 TTL+putty, speed : 57600, 啟動後立即按 "4", 而不是一般所說的 Ctl+C

不穩定, 不是每次都可進入? 應該是焊接工夫有問題

------------------------------------------------------------
Serial port pin layout:
pin 1 : 3.3V (square pad)
pin 2 : Tx
pin 3 : Rx
pin 4 : GND

------------------------------------------------------------
(未測過)
You can install the original encrypted buffalo firmware by decrypting it first. To do so follow these steps (on linux, will probably work on other systems too):

Decrypt original Buffalo firmware:
1) get the files buffalo-enc.c buffalo-lib.c buffalo-lib.h from firmware-mod-kit
2) Compile: gcc -o buffalo-enc buffalo.c buffalo-enc.c
3) Get the encrypted, original firmware from the buffalo website
4) Open the file in a binary editor and remove the first few bytes to just before "the second start(?)" section
./buffalo-enc -d -i infile.enc -o firmware.bin
5) follow the procedure on [Guide] Recovering a bricked Buffalo Airstation N450 Router (WZR-HP-G450H)

2017-02-15

WZR-HP-G300NH2 migrate from OpenWRT to Buffalo factory firmware

參考文件
1: WZR-HP-G450H and TFTP original firmware

----------------------------------------------------------------------
Steps:

1. Download the openwrt source files and look for buffalo-enc.c, buffalo-lib.c, and buffalo-lib.h.

2. Open buffalo-enc.c and add the line to the top:

#include "buffalo-lib.c"

3. Use whatever C/C++ compiler you want, but I used gcc:

gcc -o buffalo-enc.prog buffalo-enc.c

4. Now you have the decryption program, but you'll need to strip off the first "start" section of the firmware using a hex editor. I used wxhexedit 0.22 (0.21 has a bug that disallows saving truncated files). You must highlight and delete the first 208 bytes of the firmware file up to the second "start" word in the file.

5. After saving this, run buffalo-enc.prog -d -i wzrhpg450h-pro-v24sp2-20025.enc -o decrypted.bin

6. This will produce feedback text in your terminal indicating the decryption was successful.

7. You may now use the Openwrt (or any firmware flash gui running from your router) and it won't complain of an invalid firmware image.

2017-02-10

WZR-HP-G300NH2 migrate from OpenWRT to DD-WRT

以 wzr-hp-g300nh2-dd-wrt-webupgrade-Multi_r31221.bin 為例:

strip first 28 bytes
dd bs=1 skip-28 if=wzr-hp-g300nh2-dd-wrt-webupgrade-Multi_r31221.bin of=myfirmware.bin
Use open WebGUI to flash myfirmware.bin.

It would take about 20 mins to fully reflash and boot.


OpenWRT webgui 能接受的是以 27 05 19 56 .... 為首的非加密檔案

-----------------------------------------------------------------
TFTP and WebGUi are the best way for flash fw. mtd command is tricky and we should have enough space on the router to contain fw file, enable telnet or sshd, maybe external usb... so better avoid it.
1. If you can still on with openwrt WebGUI:
Use file wzr-hp-g300nh-dd-wrt-webupgrade-MULTI.bin, strip first 28 bytes
dd bs=1 skip=28 if=wzr-hp-g300nh-dd-wrt-webupgrade-MULTI.bin of=myfirmware.bin
Use open WebGUI to flash myfirmware.bin. I've reverted back to dd-wrt by this way. It took 20 mins to fully reflash and boot.
2. TFTP
Use openwrt tftp images. Those files have 32 bytes header.
Actual flash starts at 0x20 offset
0020  27 05 19 56 8C 8E 20 49  4C 70 96 52 00 0D 86 F1  -'..V.. ILp.R....-
0030  80 06 00 00 80 06 00 00  13 72 3C FB 05 05 02 03  -.........r<.....-
0040  4D 49 50 53 20 4F 70 65  6E 57 72 74 20 4C 69 6E  -MIPS OpenWrt Lin-
0050  75 78 2D 32 2E 36 2E 33  32 2E 31 36 00 00 00 00  -ux-2.6.32.16....-
Now I can back and forth any firmware I want, just remember
openwrt WebGUI accepts RAW fw image, that starts with above bolded 5 bytes
openwrt tftp require a 28-bytes header. Spend some time to look at those files and you can modify headers as your needs.
The best way to start new upgrade path is back to factory firmware 1.60 first. Then flash it with buffalo-to-ddwrt followed by dd-wrt-webupgrade.
Hope it helps



WZR-HP-G300NH2 migrate from DD-WRT to OpenWRT

參考文件 : procedure for flashing OpenWRT to wzr-hp-g300nh2

Enable SSH on the router
Login to the router via SSH
Change directory to /tmp and download OpenWrt firmware image file:
cd /tmp
wget http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/openwrt-ar71xx-generic-wzr-hp-g300nh-squashfs-sysupgrade.bin
Overwrite current firmware with the downloaded one:
mtd -r write openwrt-ar71xx-generic-wzr-hp-g300nh-squashfs-sysupgrade.bin linux
After flashing, the router should go down for a reboot and return running OpenWrt.

WZR-HP-G300N2 + OpenWRT

IPV6 : Network>WAN 設定好就啟動了(當然, 必需先向中華電信申請使用 IPV6)

---------------------------------------------------
NNDS :

主要參考文件
1. DDNS client (openwrt ddns howto)
2. openwrt on GITHUB
3. Configuring your dynDNS Client

必須先安裝軟件及準備工作,
opkg update
opkg install wget
opkg install ddns-scripts luci-app-ddns-scripts
opkg install ddns-scripts_no-ip_com (若使用 no-ip.com 的服務)
mkdir -p -m0755 /etc/ssl/certs
wget  --no-check-certificate -O /etc/ssl/certs/ca-certificates.crt http://curl.haxx.se/ca/cacert.pem

1. NO-IP.com : IPV4 ... OK; IPV6 ... 試不出來

2. deSEC.io : IPV4 ... 沒試; IPV6 ... OK
DDNS Service provider [IPV6] ... [-custom-]
update url = https://update.dedyn.io/update?username=[USERNAME]&password=[PASSWORD]&myipv6=[IP]
先在 chrome browser 上, 執行一遍 "https://update.dedyn.io/update?username=[USERNAME]&password=[PASSWORD]&myipv6=[IP]"
並確認 /usr/bin/nslookup [DOMAIN], 正確執行無誤. 否則執行 /usr/lib/ddns/dynamic_dns_updater.sh xxx (xxx=configuration_name) 會有錯誤產生.
Use HTTP Secure : enabled
Path to CA-Certificate : /etc/ssl/certs/ca-certificates.crt

3. mydns.jp : IPV4 ... 沒試; IPV6 ... OK
DDNS Service provider [IPV6] ... mydns.jp
先在 chrome browser 上, 執行一遍 "http://www.mydns.jp/directip.html?MID=[USERNAME]&PWD=[PASSWORD]&IPV6ADDR=[IP]"
並確認 /usr/bin/nslookup [DOMAIN], 正確執行無誤. 否則執行 /usr/lib/ddns/dynamic_dns_updater.sh xxx (xxx=configuration_name) 會有錯誤產生.
-------------------------------------------------