@pjobson
Last active May 7, 2023 07:14
How to Unbrick the Buffalo WZR-HP-G300NH

Unbricking a Buffalo WZR-HP-G300NH

TFTP recovery in OSX 10.13

Similar steps can be used under Linux, I have no idea how to Windows anymore. This will probably work for similar Buffalo WZR routers, though your mileage may vary. These directions flash the router back to stock Buffalo branded DD-WRT.

When these routers brick they tend to go into a kind of reboot mode. At the beginning of the reboot, the TFTP server is available for a brief period of time, then all of the lights flash and the unit reboots. We're exploiting the short period of time where the router is in TFTP mode at the start of the reboot. You can try to do a put via TFTP at the beginning of this cycle, even if your router has been plugged in for a while.

Back to Stock Buffalo Branded DDWRT

Download the latest Buffalo Stock tftp binary. If this link is dead, just search for the model number in Support.

Downloads for AirStation High Power N300 Gigabit Wireless Router & AP

I selected DD-WRT (Professional) Beta firmware for the WZR-HP-G300NH (Version 1).

You can download with curl if you'd like. Open your terminal and copy/paste:

curl -O http://3865dc10959fb7ba66fc-382cb7eb4238b9ee1c11c6780d1d2d1e.r18.cf1.rackcdn.com/wzrhpg300nh-pro-v24sp2-19484-beta-download.zip 
unzip wzrhpg300nh-pro-v24sp2-19484-beta-download.zip
ls -la wzrhpg300nh-pro-v24sp2-19484-beta-Download/

This should show something like this:

total 15800
drwxr-xr-x  6 pjobson staff      192 Aug  7  2012 .
drwxr-xr-x  7 pjobson staff      224 May 21 22:07 ..
-rw-r--r--  1 pjobson staff     1383 Aug  3  2012 Readme.txt
-rw-r--r--  1 pjobson staff     7905 Aug  7  2012 howto_update_ap.html
drwxr-xr-x 11 pjobson staff      352 Aug  3  2012 images
-rw-r--r--  1 pjobson staff 16163324 Jul 15  2012 wzrhpg300nh-pro-v24sp2-19484-beta.enc

We are going to flash wzrhpg300nh-pro-v24sp2-19484-beta.enc onto the router later on.

Get Your Network Interface and SSID

Network Interface

Plug one end of an ethernet cable into your Mac's ethernet port and the other end into Port 1 on the router.

For the easiest way to figure out which network interface to use, open Network Utility in /System/Library/CoreServices/Applications/.

Find your network adapter and take note of the interface en#, it is usually en0, though mine is en7, because I'm using a Belkin USB-C adapter. Take note of this, you will need it shortly.

Close Network Utility.

SSID

You will need the SSID from the sticker on the back of your router. Mine, for example, is 0024A5AFFC55.

Set Static IP Address

Open System Preferences and go to Network, select your network interface and set:

  • Configure IPv4: Manually
  • IP Address: 192.168.11.2
  • Subnet Mask: 255.255.255.0
  • Router: 192.168.11.1

Click Apply and then disable your wifi and/or any other network adapters which have connections.

Set Your arp Route

I do everything as root, just be careful not to mess stuff up.

sudo su -

Set up your arp command. _INTERFACE_ID_ is the network interface that you found in Network Utility; mine would be en7. _COLON_DELIMITED_SSID_ is your SSID split up with a colon after every two characters (arp uses this value as the router's hardware address).

arp -s 192.168.11.1 _COLON_DELIMITED_SSID_ ifscope _INTERFACE_ID_

For my router this would be:

arp -s 192.168.11.1 00:24:A5:AF:FC:55 ifscope en7

Before you hit the enter key, plug your router in. If you press it too quickly, it'll throw this error message.

arp: writing to routing socket: No such process
arp: 192.168.11.1: No such process

If you get an error, press the up arrow and hit enter again until you do not get a message back.

If you're having a lot of trouble getting it to work, you can make a shell script called setarp.sh and paste the below in, then do chmod +x setarp.sh, then do ./setarp.sh. You'll need to use your SSID and interface.

#!/bin/bash

# Keep retrying until the static ARP entry is accepted.
# Replace the address and interface with your own SSID and en#.
until arp -s 192.168.11.1 00:24:A5:AF:FC:55 ifscope en7; do
    :
done

Then plug the router in; the script keeps trying to add the record until it succeeds.

Now verify that it worked.

arp -a |grep 192.168.11.1

Should return something like this.

? (192.168.11.1) at 0:24:a5:af:fc:55 on en7 ifscope permanent [ethernet]

TFTP The Firmware

Unplug your router.

You'll want to cd into wherever you downloaded the zip file, probably Downloads.

cd wzrhpg300nh-pro-v24sp2-19484-beta-Download/

Start up tftp, it will prompt you with tftp>. Enter each of the commands listed. After you type in the put wzrh... line, hit enter, then immediately plug the router in.

TFTP will start trying to send the file and, because you have the rexmt 1 option set, it will keep retrying. Eventually it'll start showing sent DATA messages and then a completion message.

root# tftp 192.168.11.1
tftp> verbose
Verbose mode on.
tftp> binary
mode set to octet
tftp> trace
Packet tracing on.
tftp> rexmt 1
tftp> timeout 60
tftp> put wzrhpg300nh-pro-v24sp2-19484-beta.enc
sent WRQ <file=wzrhpg300nh-pro-v24sp2-19484-beta.enc, mode=octet>
sent WRQ <file=wzrhpg300nh-pro-v24sp2-19484-beta.enc, mode=octet>
sent WRQ <file=wzrhpg300nh-pro-v24sp2-19484-beta.enc, mode=octet>
sent WRQ <file=wzrhpg300nh-pro-v24sp2-19484-beta.enc, mode=octet>
sent WRQ <file=wzrhpg300nh-pro-v24sp2-19484-beta.enc, mode=octet>
....
sent DATA <block=23757, 512 bytes>
received ACK <block=23757>
sent DATA <block=23758, 512 bytes>
received ACK <block=23758>
sent DATA <block=23759, 512 bytes>
received ACK <block=23759>
sent DATA <block=23760, 512 bytes>
received ACK <block=23760>
....
Sent 12423420 bytes in 19.4 seconds [5123060 bits/sec]
tftp> quit

This should make the circle red light on the router flash on and off. At this point, the router is flashing the firmware, you can leave it alone for some period of time. I took a nap, so I'm not sure how long it will take.
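
What the tftp session above does on the wire, as an added Python example that is not part of the original guide: it builds the RFC 1350 write request, resends it until the bootloader answers with ACK 0, then sends 512-byte DATA blocks in lock step. The function names are chosen for this example; rexmt and timeout mirror the client settings used in the session.

```python
import socket
import struct
import time

WRQ, DATA, ACK, ERROR = 2, 3, 4, 5   # RFC 1350 opcodes
BLOCK = 512                          # DATA payload size seen in the trace

def wrq(filename, mode="octet"):
    # opcode 2 | filename | NUL | mode | NUL  (the client's "binary" is mode octet)
    return struct.pack("!H", WRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"

def data(block, payload):
    return struct.pack("!HH", DATA, block) + payload

def parse(packet):
    """Decode a server reply into ('ACK', block) or ('ERROR', code, message)."""
    opcode, value = struct.unpack("!HH", packet[:4])
    if opcode == ACK:
        return ("ACK", value)
    if opcode == ERROR:
        return ("ERROR", value, packet[4:].split(b"\0")[0].decode(errors="replace"))
    raise ValueError(f"unexpected opcode {opcode}")

def blocks(image):
    """512-byte payloads; a last block shorter than 512 (possibly empty) ends the transfer."""
    return [image[i:i + BLOCK] for i in range(0, len(image) + 1, BLOCK)]

def put(host, filename, image, rexmt=1.0, timeout=60.0, port=69):
    """Send image with a WRQ, resending the unanswered packet every rexmt seconds."""
    queue = [wrq(filename)] + [data(n, p) for n, p in enumerate(blocks(image), 1)]
    peer, acked = (host, port), -1           # the WRQ itself is answered by ACK 0
    deadline = time.monotonic() + timeout
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(rexmt)
        while acked + 1 < len(queue):
            if time.monotonic() > deadline:
                raise TimeoutError(f"no ACK for packet {acked + 1} within {timeout}s")
            try:
                sock.sendto(queue[acked + 1], peer)
                reply, addr = sock.recvfrom(4 + BLOCK)
                kind, value, *message = parse(reply)
            except socket.timeout:
                continue                     # bootloader not listening yet: resend
            except (OSError, ValueError, struct.error):
                time.sleep(rexmt)            # link down during power-up, or a stray packet
                continue
            if kind == "ERROR":              # e.g. code 3, "Disk full or allocation exceeded"
                raise RuntimeError(f"TFTP error {value}: {message[0]}")
            if value == acked + 1:
                acked, peer = value, addr    # later packets go to the port the server replied from
                deadline = time.monotonic() + timeout
    return acked                             # number of DATA blocks acknowledged
```

An ERROR reply is raised as an exception rather than retried. Code 3 is RFC 1350's "Disk full or allocation exceeded", and 0x0003 read in the opposite byte order is 768.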

Delete your arp routes, this deletes all of them.

arp -d -a

Exit back to your normal user.

exit

Flash to OpenWRT

Download OpenWRT Latest

Download the latest version of OpenWRT. It'll be something like this.

wget https://archive.openwrt.org/releases/19.07.8/targets/ar71xx/generic/openwrt-19.07.8-ar71xx-generic-wzr-hp-g300nh-squashfs-sysupgrade.bin

At the time of this writing 19.07.8 is the latest. Be sure to get the sysupgrade version.
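
A pre-flash check for the image downloaded above, as an added Python example that is not part of the original guide: it confirms the file name is for exactly this board and is the sysupgrade build, then compares the file's SHA-256 with its entry in the sha256sums file that OpenWrt publishes in the same release directory. The function names and the board string passed in are assumptions made for the example.

```python
import hashlib
import re

# openwrt-[<version>-]<target>-<subtarget>-<board>-squashfs-<kind>.bin
NAME = re.compile(r"openwrt-(?:(?P<version>\d[\d.]*)-)?(?P<target>[a-z0-9]+)-(?P<sub>[a-z0-9]+)-"
                  r"(?P<board>[a-z0-9-]+)-squashfs-(?P<kind>sysupgrade|factory|tftp)\.bin")

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as image:
        for chunk in iter(lambda: image.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def listed_digest(sums_text, filename):
    """sha256sums lines look like '<64 hex> *<filename>'."""
    for line in sums_text.splitlines():
        digest, _, name = line.strip().partition(" ")
        if name.lstrip(" *") == filename and re.fullmatch(r"[0-9a-f]{64}", digest):
            return digest
    return None

def preflight(path, filename, board, sums_text, kind="sysupgrade"):
    """Return a list of reasons not to flash; an empty list means every check passed."""
    match = NAME.fullmatch(filename)
    if not match:
        return [f"{filename}: not an OpenWrt squashfs image name"]
    problems = []
    if match["board"] != board:      # wzr-hp-g300nh and wzr-hp-g300nh2 are different images
        problems.append(f"image is for {match['board']}, router is {board}")
    if match["kind"] != kind:
        problems.append(f"image kind is {match['kind']}, expected {kind}")
    want = listed_digest(sums_text, filename)
    if want is None:
        problems.append("no sha256sums entry for this file")
    elif sha256_of(path) != want:
        problems.append("SHA-256 mismatch: re-download before flashing")
    return problems
```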

SSH Keygen and Setup

Lastly we need to generate a public ssh key for the next step. Open Terminal and type:

cat ~/.ssh/id_rsa.pub

Generate your SSH keys if this throws an error.

cat: ~/.ssh/id_rsa.pub: No such file or directory
ssh-keygen

Just hit enter 3 times at the prompts of the key generator.

cat ~/.ssh/id_rsa.pub

Should display something like the following without the ...., copy this key.

ssh-rsa AAAAB3NzaC1yc2E....lP3hD user@hostname

Login to Buffalo DDWRT

Disable your LAN connection in Network in your System Preferences. Unplug the router for 30 seconds and plug it back in. Enable your LAN connection.

You should be able to browse to 192.168.11.1. It'll prompt you to change the password, I'm going to flash back to OpenWRT now.

Go to the Services tab, scroll down to Secure Shell and enable SSHd.

  • SSHd: Enable
  • SSH TCP Forwarding: Disable
  • Password Login: Enable
  • Port: 22
  • Authorized Keys: your key from the previous step

Hit Save button and select the Administration tab, go down to Remote Access.

  • SSH Management: Enable
  • SSH Remote Port: 22

Hit Save then Apply Settings buttons.

You may have to reboot the router if you have trouble SSH'ing in in the next step.

SSH Into The Router

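These routers run a legacy SSH server whose key exchange, diffie-hellman-group1-sha1, is deprecated and disabled by default in current OpenSSH clients. You'll need to enable it on the command line to log in at all; the + adds it to the client's default list for this connection only.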

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 root@192.168.11.1

This should show a prompt.

The authenticity of host '192.168.11.1 (192.168.11.1)' can't be established.
RSA key fingerprint is SHA256:TTx+R0zPSSe2SCgo7jVVztvf0CeQbL6wA5n7f225pig.
Are you sure you want to continue connecting (yes/no)?

Type yes and hit enter; this will add the IP to your known hosts.

Warning: Permanently added '192.168.11.1' (RSA) to the list of known hosts.

Now it should show you the login message.

DD-WRT v24-sp2 std (c) 2010 NewMedia-NET GmbH
Release: 08/19/10 (SVN revision: 14998)
==========================================================

 ____  ___    __        ______ _____         ____  _  _
 | _ \| _ \   \ \      / /  _ \_   _| __   _|___ \| || |
 || | || ||____\ \ /\ / /| |_) || |   \ \ / / __) | || |_
 ||_| ||_||_____\ V  V / |  _ < | |    \ V / / __/|__   _|
 |___/|___/      \_/\_/  |_| \_\|_|     \_/ |_____|  |_|

                       DD-WRT v24-sp2
                   http://www.dd-wrt.com

==========================================================


BusyBox v1.13.4 (2010-08-19 15:28:04 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

root@DD-WRT:~# exit
Connection to 192.168.11.1 closed.

Type exit and it'll show the connection is closed.

If you have SSH'd into this IP before you may get an error.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:jaCqvfDqvXg0rTVW2/UasUoS6JCsxaH5lcWrVPcdrhA.
Please contact your system administrator.
Add correct host key in /var/root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /var/root/.ssh/known_hosts:1
RSA host key for 192.168.11.1 has changed and you have requested strict checking.
Host key verification failed.

You can clear the error with ssh-keygen, then repeat the ssh steps.

ssh-keygen -R 192.168.11.1

Now we're going to SCP the firmware.

scp -oKexAlgorithms=+diffie-hellman-group1-sha1 openwrt-19.07.8-ar71xx-generic-wzr-hp-g300nh-squashfs-sysupgrade.bin root@192.168.11.1:/tmp

Should show the following.

DD-WRT v24-sp2 std (c) 2010 NewMedia-NET GmbH
Release: 08/19/10 (SVN revision: 14998)
openwrt-19.07.8-ar71xx-generic-wzr-hp-g300nh-squashfs-sysupgrade.bin                                                           100% 3328KB   1.6MB/s   00:02

SSH back into the router.

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 root@192.168.11.1

Migrate from DDWRT to OpenWRT.

cd /tmp
ls openwrt*

Should display.

-rw-r--r--    1 root     root      3801092 Jan  1 00:16 openwrt-19.07.8-ar71xx-generic-wzr-hp-g300nh-squashfs-sysupgrade.bin

Write the firmware.

mtd -r write openwrt-19.07.8-ar71xx-generic-wzr-hp-g300nh-squashfs-sysupgrade.bin linux

Should display.

Unlocking linux ...
Writing from openwrt-19.07.8-ar71xx-generic-wzr-hp-g300nh-squashfs-sysupgrade.bin to linux ...  [w/e]
Connection to 192.168.11.1 closed by remote host.
Connection to 192.168.11.1 closed.

This will drop you back to your Mac's terminal. Now wait for the router to finish flashing; this could take over 10 minutes. Unplug your ethernet and take a nap.

Plug your ethernet back in and you should get an IP address from the freshly flashed OpenWRT, it should be 192.168.1.1.

@Doom4535

Figured I'd say thanks, this guide has saved me so much headache with trying how to remember to do this when my OpenWRT builds break my router.

@pjobson
Author

pjobson commented Mar 12, 2021

@Doom4535 - Happy to help!

@pyed

pyed commented May 4, 2021

First of all thank you for writing this guide, but I believe I bricked my WZR-HP-G300NH so hard it won't work anymore,
I followed all the steps and everything went flawlessly up until the step where I TFTP the image to the router, I got the following message (from the router I suppose) msg=Disk Full

tftp> put wzrhpg300nh-pro-v24sp2-19484-beta.enc
putting wzrhpg300nh-pro-v24sp2-19484-beta.enc to 192.168.11.1:wzrhpg300nh-pro-v24sp2-19484-beta.enc [octet]
sent WRQ <file=wzrhpg300nh-pro-v24sp2-19484-beta.enc, mode=octet>
sent WRQ <file=wzrhpg300nh-pro-v24sp2-19484-beta.enc, mode=octet>
sent WRQ <file=wzrhpg300nh-pro-v24sp2-19484-beta.enc, mode=octet>
received ACK <block=0>
sent DATA <block=1, 512 bytes>
received ERROR <code=3, msg=Disk Full>
Error code 768: Disk Full
tftp>

I tried to reset the router from the pin hole at the bottom but it doesn't seem to respond, the state that the router is in is what you described at the beginning what you called "rebooting mode", but after I got that Error code message it stayed on with the lowest light flashing red (labeled DIAG).
I googled around but it seems no one has written anything about this error code anywhere, any thoughts?

@pjobson
Author

pjobson commented May 4, 2021

@pyed

There were a couple of variants of this router made and all buffalo routers, which made them kind of annoying to deal with. There are 4 firmware files listed in their directory, perhaps try a different one. The "Disk Full" message means the firmware you are trying to flash is too large for the space available.

https://www.buffalotech.com/support/downloads/airstation-high-power-n300-wireless-router-ap

@pyed

pyed commented May 5, 2021

@pjobson I just tried all the firmwares, they'll give me the same error, and it comes out immediately, maybe I did a terrible thing to brick this router (I don't remember well since it was long time ago, but I think I flashed the wrong firmware through webui).

I don't know what else to try, any ideas?
Thank you again for helping, much appreciated, cheers!

@pjobson
Author

pjobson commented May 5, 2021

@pyed What is the exact model number on the label?

@pyed

pyed commented May 5, 2021

Edit: Buffalo WZR-HP-G300NH2

@pjobson
Author

pjobson commented May 5, 2021

@pyed it is not the same router. Note the "there were a couple of variants" I mentioned above. WZR-HP-G300NH2 != WZR-HP-G300NH ... because why make a new product number and make stuff easy for customers to figure out?

The downloads for that are on the Japanese site, here: http://buffalo.jp/support_ap/support/products/wzr_hp_g300nh2.html

@pyed

pyed commented May 5, 2021

I can't thank you enough for your effort, but it seems my router is gone for good :( I tried the ones you linked and nothing seems to work

tftp> put wzrhpg300nh2-pro-r30356.enc
putting wzrhpg300nh2-pro-r30356.enc to 192.168.11.1:wzrhpg300nh2-pro-r30356.enc [octet]
sent WRQ <file=wzrhpg300nh2-pro-r30356.enc, mode=octet>
sent WRQ <file=wzrhpg300nh2-pro-r30356.enc, mode=octet>
sent WRQ <file=wzrhpg300nh2-pro-r30356.enc, mode=octet>
received ACK <block=0>
sent DATA <block=1, 512 bytes>
received ERROR <code=3, msg=Disk Full>
Error code 768: Disk Full
tftp> 
tftp> put wzrhpg300nh2-pro-v24sp2-19154d.enc
putting wzrhpg300nh2-pro-v24sp2-19154d.enc to 192.168.11.1:wzrhpg300nh2-pro-v24sp2-19154d.enc [octet]
sent WRQ <file=wzrhpg300nh2-pro-v24sp2-19154d.enc, mode=octet>
tftp: sendto: Network is unreachable
tftp> put wzrhpg300nh2-pro-v24sp2-19154d.enc
putting wzrhpg300nh2-pro-v24sp2-19154d.enc to 192.168.11.1:wzrhpg300nh2-pro-v24sp2-19154d.enc [octet]
sent WRQ <file=wzrhpg300nh2-pro-v24sp2-19154d.enc, mode=octet>
sent WRQ <file=wzrhpg300nh2-pro-v24sp2-19154d.enc, mode=octet>
sent WRQ <file=wzrhpg300nh2-pro-v24sp2-19154d.enc, mode=octet>
received ACK <block=0>
sent DATA <block=1, 512 bytes>
received ERROR <code=3, msg=Disk Full>
Error code 768: Disk Full
tftp> 
tftp> put wzrhpg300nh2-pro-v24sp2-19154.enc
putting wzrhpg300nh2-pro-v24sp2-19154.enc to 192.168.11.1:wzrhpg300nh2-pro-v24sp2-19154.enc [octet]
sent WRQ <file=wzrhpg300nh2-pro-v24sp2-19154.enc, mode=octet>
tftp: sendto: Network is unreachable
tftp> put wzrhpg300nh2-pro-v24sp2-19154.enc
putting wzrhpg300nh2-pro-v24sp2-19154.enc to 192.168.11.1:wzrhpg300nh2-pro-v24sp2-19154.enc [octet]
sent WRQ <file=wzrhpg300nh2-pro-v24sp2-19154.enc, mode=octet>
sent WRQ <file=wzrhpg300nh2-pro-v24sp2-19154.enc, mode=octet>
sent WRQ <file=wzrhpg300nh2-pro-v24sp2-19154.enc, mode=octet>
received ACK <block=0>
sent DATA <block=1, 512 bytes>
received ERROR <code=3, msg=Disk Full>
Error code 768: Disk Full
tftp> 

And I've noticed that my router is version 2, and there's a firmware for it in the original link you pointed to in the OP, but it seems to refuse to even receive the firmware to the internal memory to flash it, seems like the wrong firmware that I tried to flash before is stuck in there :(

@pjobson
Author

pjobson commented May 5, 2021

@pyed sorry I couldn't help more buddy :(

I haven't messed with my buffalo probably since I wrote this several years ago.

@pyed

pyed commented May 5, 2021

Good news! I managed to flash a small openwrt firmware for it 😄 after googling around I found a comment from someone saying that they de-bricked it with openwrt-ar71xx-generic-wzr-hp-g300nh2-squashfs-tftp.bin and I found it here, makes sense since it only weighs around ~3Mb.

I can't thank you enough ❤️

@pjobson
Author

pjobson commented May 5, 2021

@pyed HELL YEAH! I'm glad you got it working!

@pyed

pyed commented May 5, 2021

@pjobson is probably going to kill me, but I'm writing this for someone (could be me in the future) who will run into the same problem, I had 2 routers and 1 modem/router all of them are Buffalo branded and mounted on the wall with no stickers since 2012, and they named their devices so funny that for like 4 hours I thought that the one I bricked is called WZR-HP-G300NH, then for like another 4 more hours I thought it was called WBMR-HP-G300H which turned out to be the modem/router, then I figured finally that the one I bricked is named WHR-HP-G300N and to unbrick it I needed to follow the same TFTP guide as above (the Mac address is unnecessary by the way put in anything) with the firmware called buffalo-to-dd-wrt_webflash-MULTI.bin from here, I flashed at least 10 wrong firmware from all kinds and sizes, saw all kinds of error messages, which makes this router very hard to permanently brick (if possible).
sorry @pjobson  😅 and thank you for being a good sport.

@pjobson
Author

pjobson commented May 5, 2021

@pyed you're doing F*ing great! I'd rather have more information here for someone to find and fix their stuff rather than less.

@bread-on-toast

Thanks for the great documentation, however I have the following problem:
after setting the arp route, I tested the connection using arping 192.168.11.1 which is working well.
However, the transfer with tftp won't start and gets stuck waiting for an ACK from the router. Do you have an idea on what could be the problem?

@pjobson
Author

pjobson commented Aug 14, 2021

@bread-on-toast

It is hacky sometimes. I recall fighting with mine for a while before getting it to actually upload, I think I gave up on mine for like a month, because I was frustrated with it. Reboot everything, swap out your ethernet cables, etc. Try again like 20 times, I'm really not joking. Lastly your router could be toast in a way it cannot be fixed this way; for context on that, I started with 4 of these, I have 2 now.
