R7000 bricked? Flashed DD-WRT to Tomato - cannot login: user/pw denied

60 posts / 0 new
Last post
kamaaina
kamaaina's picture
R7000 bricked? Flashed DD-WRT to Tomato - cannot login: user/pw denied

I might have managed to brick/damage the r7000 router. I was wondering if anyone has a good idea to get back into the config portal. 

I had the latest Kong build installed. Saw Shibby has a Tomato version out and wanted to try that. Problem: I was too eager, I did not flash from Netgenie to Tomato but from DD-WRT instead of going back first. My bad. Screwed up.

1) Logged into DD-WRT and erased NVRAM/reset to default

2) Flashed "successfully" from within DD-WRT GUI to Tomato initial version, let the router reboot.

3) Wanted to log back in and flash with full Tomato. However, now it asks me for login popup with DD-WRT. (Should be Tomato already)

4) So looks like it still runs DD-WRT (sort of), but I cannot access the GUI. Router broadcasts open SSID "dd-wrt" and provides DHCP service both wireless and through cable.  

I tried a 30/30/30 and get an IP address within 192.168.1.x, the router is at 192.168.1.1. The router broadcasts dd-wrt wireless SSID. Should be on Kong version 990.

I get denied for any default combo I can think of:

admin/admin
admin/password
root/admin
admin/blank
root/blank
root/password

Left the router offline for a few minutes, tried different browsers, pressed the reset button. Booted with WPS button pressed. Booted with reset pin pressed for 5 sec. Former passwords don't work either. All I get is:
The user name or password you entered for area “DD-WRT” on 192.168.1.1:80 was incorrect. Make sure you’re entering them correctly, and then try again. 

The r7000 just sits there and laughs at me. :(

For real dd-wrt I should not have the login pop-up but rather the page that tells you the router is not secure and asks me to set a new password. Anyway to get back into this?

I am more of an end-user enthusiast and cannot solder stuff, and don't have a serial cable either. But if there is some TFTP option or anything similar, I did that once to flash a former Vonage box into an RTP300 open adapter. If the only way would be a serial cable and some terminal commands and it's easy to access once you open the box, I might consider that. As long as it's easy to plug stuff. I can work off a Mac or PC if needed.

Any thoughts? Thanks. 

Subhra
Subhra's picture
Which firmware are you using

Which firmware are you using ??

kamaaina
kamaaina's picture
Latest DD-WRT Kong build

Latest DD-WRT Kong build 24990 or so from mid April.

kamaaina
kamaaina's picture
I guess there is hope. After

I guess there is hope. After reading the 3500 de-brick guide including all comments and Kongs post on how to de-brick the R7000 the USB serial cable has been ordered… Cool

simol
simol's picture
I caught myself into the same

I caught myself into the same situation... So far no luck to find the solution. Does anybody know how to put the router into recovery mode, so that it would be possible to TFTP a stock firmware? Any advice is appreciated. Thanks

kamaaina
kamaaina's picture
Recovery mode is the tricky

Recovery mode is the tricky part it seems. Everything else is lined up. I ordered a serial cable now. That way one seems to be able to use putty or similar other tools and interrupt the boot loader process with ctrl+c. Then it should be able to tftp the default firmware.

I pinged the box and it starts with the orange power light steady and TTL 64 or so, then switches to TTL 100. I tried to push the firmware a few times but nothing works, all timeouts. Booting with pressing the reset button etc. won't do anything either. I can't get the power light to blink indicating recovery mode. All kind of lights show up in between but no recovery mode. My serial cable should be here sometime next week�?�

PeterM
PeterM's picture
Hello everybody

Hello everybody

Did you also try to use hardware reset more than 3 times? It seems to reset differently after 3 times. I hope it works. Good luck.

Peter

Peter Redmer
Peter Redmer's picture
Hi kamaiina,

Hi kamaiina,

I think we talked about this in another thread, and just wanted to pop in and say that it looks like recovery via serial cable is probably the best option.

Peter's suggestion of resetting multiple times may help; when following the procedure of flash to original -> flash to initial Tomato -> flash to AIO build outlined in Shibby's videos, I found I had to reset multiple times before it would let me log into the original firmware so I could upgrade.

I'll be working on a distilled down installation guide so hopefully this problem can be avoided in the future and will also note this in the downloads once they're posted!

Pete

 

kamaaina
kamaaina's picture
I might try the reset a few

I might try the reset a few more times. Already did twice. When you are saying hardware reset, are you talking about 30/30/30 or booting with pin pressed for 5 secs. etc.? Or booting with WPS button pressed? I read the 30/30/30 might not work with newer devices any longer. So what is the proper hardware reset for the r7000? Thx.

Peter Redmer
Peter Redmer's picture
Not sure on this, actually.

Not sure on this, actually. This would explain why the 30-30-30 didn't seem to work properly.

I simply used the reset button on the back of the unit, and when I did this, I was able to log in. I am not aware of any other procedure and have never tried booting with the WPS button pressed.

 

PeterM
PeterM's picture
I mean the tiny reset button

I mean the tiny reset button on the back of the device.

shibby
shibby's picture
In dd-wrt password is

In dd-wrt password is encrypted and this is why old password does not work after install tomato (or back from dd-wrt to Genie).

Do this:
1) run router and wait 2-3
2) push and hold wifi on/off button for 25 secs - this will enable a "backdoor" access to the router.
3) use putty and connect via telnet on port 233 and log in to router without password
4) run command: nvram get http_password (login`s value: nvram get http_username)
5) use result as password
6) when you log in to tomato remember to erase nvram
7) do other steps from INSTRUCTIONS file.

please let me know is this help you :)

Best Regards.

 

simol
simol's picture
I am so thankful to you

I am so thankful to you Shibby! You helped me to revive my r7000! Now it works perfectly! The only small difference from your instructions which worked for me. I presses and held WIFI button 25 sec after the router fully loads and the second - to get a password I typed: nvram get http_passwd
Entering two crazy strings I got - name and password I was able to log in and reset NVRAM!
Thank you again!!!

kamaaina
kamaaina's picture
Yeah….back in business…

Yeah….back in business… Thanks so much Shibby.
Shibby's instructions:

  1. run router and wait for 2-3 minutes
  2. push and hold wifi on/off button for 25 secs.
  3. use telnet on port 233 and log in to router without password
  4. run command: nvram get http_username (use as username)
  5. run command: nvram get http_passwd (use as password)
  6. when you log in to tomato remember to erase nvram
  7. then flash with the full tomato version 

I did this with putty and it worked.

 

kamaaina
kamaaina's picture
While you are at it, and in

While you are at it, and in the spirit of bricking it again, you could try to over clock the router. ;-) Many people reportedly have success with running it at 1.2 Ghz and even 1.4 Ghz instead of the stock 1 Ghz speeds. This router has a fairly large heat sink and seems to handle it well. In Tomato, under Tools > System Commands, enter:

nvram set clkfreq=1400,800
nvram commit && reboot

then hit execute. Or login via telnet as well. Try 1200,800 for lesser speed if you want to be more careful. Wait for 2-3 min. until the router reboots and the steady amber light goes off and all white again. If that does not happen, unplug and let the router reboot again from scratch for a few minutes. Give it 5-10 min if needed. It should recover.

Otherwise good luck, and of course, use at your own risk

kamaaina
kamaaina's picture
Kudos to Simol who caught the

Kudos to Simol who caught the pw spelling, and Shibby is the one to thank for all of this. Firstly, for building great Tomato firmware, and secondly for bailing us out after we did not follow his instructions. ;-) On that note, he does have a donate button on his website if you want to thank him with drink or so: http://tomato.groov.pl

I am just typing other people's stuff in the console and pray that it works. Now I have a serial cable coming for nothing. I guess I should keep it though, chances are I cannot keep myself from playing with the box again... 

drewidia
drewidia's picture
thank you shibby for the

thank you shibby for the steps to fix... saved my bacon! I found I needed both the encrypted userd is and passwd

does 1400 on overclock really work or should I stick with 1200?

kamaaina
kamaaina's picture
So far (48h) mine has been

So far (48h) mine has been fine running 1400. That said, it's your risk. I read in another forum somebody tried 1600 and it bricked, but he was able to recover and been running 1400 since then. Even 1200 is a huge gain (20%). But if it keeps on running 1400 this might be the best buy since the old Linksys 54 box. 1200/1400 mhz dual core with third party fw support and best in class wireless range, what's not to like.

The router has been running VPN with PIA fine. Uptime 2 days, 01:12:23. No complaints yet. Too early to tell though, let's give that a week. It did run DD-WRT @1400 for about a week before as well.

Babyzone2
Babyzone2's picture
Glad that i found this before

Glad that i found this before i actually flash my r7000 from DD-WRT to Tomato.

DD-WRT to stock ,then Tomato is the right route. Thank you , guys.

Kong
Kong's picture
Would be much more painless

Would be much more painless if tomato just implements the reset button, so you can reset the router as in netgear and dd-wrt firmware.

By the way if you don't want to remember the cryptic password you can just set an empty password before flashing, at least this works when flashing back to netgear firmware you can then login without password.

nvram set http_passwd=""

 

playb0y
playb0y's picture
I had exactly the same

I had exactly the same problem, flashing from dd-wrt to tomato, on a r7000

An enormous thank you to shibby, you saved my router.
A second enormous thank you for your tomato version, which is awesome. The router functionalities went from poor to excellent.

T H A N K Y O U !

Chun
Chun's picture
i think i bricked my r7000.

i think i bricked my r7000.

ive followed shibbys instructions to run the router a few minutes, hold reset button 25 seconds, and try to putty my way into the router via telnet port 233 - but nothing works and connection is always refused. is there a way that the reset button is broken or has been disabled? after holding it down for 5 second, or even more, there is never a blinking power light. nothing about the lights change when im holding it down.

ive tried the 30-30-30 and the 5 second resets and neither has seemed to work.

heeeeeelp

kamaaina
kamaaina's picture
Forget the 30/30/30, that is

Forget the 30/30/30, that is old and does not work here.

Are you getting an IP from the router (dhcp via cable)? When you use that IP to login, does it say DD-WRT? Then you might be stuck in between. Just do a reset (reset button) with DD-WRT that should work. Otherwise, try the steps shabby outlined and that we all did to recover our routers. If it did not work, try again, and maybe again. Otherwise you might need to get a serial cable. But it should work. Make sure you recover both the username and the password in encrypted format!

hippy
hippy's picture
Hi, I stupidly tried the

Hi, I stupidly tried the following
nvram set clkfreq=1400,80

My router now constantly reboots. it is in a loop and will not reset whatever I do. any suggestions aprt from a serial cable

Thank in advance

tonijj
tonijj's picture
Hi,

Hi,

I just tried to flash to .120, by following the instructions.

Problem: I only get a 169.xx.xx.xx IP address from the router. I cant login to the admin GUI page, nor via SSH, I guess cause i get the 169 address then.

Here is what I did;

*Flashed to Netgear OTW firmware downloaded from Shibbys page
*Flashed the initial file - rebooted
*Flashed 120 file.

After that its aint happening!

When searching for the wifi I can only find "Netgear" and "Netgear 05" which If im not mistaken is coming from the original Router FW. However I cant login via the User/PW that came with the router.

Thing is - Ive tried to reset several times, but it doesnt seem to work with Shibbys FW. It works with DD WRT to do a reset though.

I have tried the backdoor solution - thing is, with a 169 IP address i cant get hold of 192.168.1.1

Would appreciate any help, im getting a bit desperate now!!

hippy
hippy's picture
tonijj said: Hi, I just

tonijj said: Hi, I just tried to flash to .120, by following the instructions. Problem: I only get a 169.xx.xx.xx IP address from the router. I cant login to the admin GUI page, nor via SSH, I guess cause i get the 169 address then. Here is what I did; *Flashed to Netgear OTW firmware downloaded from Shibbys page *Flashed the initial file - rebooted *Flashed 120 file. After that its aint happening! When searching for the wifi I can only find "Netgear" and "Netgear 05" which If im not mistaken is coming from the original Router FW. However I cant login via the User/PW that came with the router. Thing is - Ive tried to reset several times, but it doesnt seem to work with Shibbys FW. It works with DD WRT to do a reset though. I have tried the backdoor solution - thing is, with a 169 IP address i cant get hold of 192.168.1.1 Would appreciate any help, im getting a bit desperate now!!

you are not getting a 169.x.x.x from the router.  that is you network card on your pc auto assigning a network address (APIPA = Automatic private IP addressing)

 

Set your network adapter to 192.168.1.2

try again

Mex
Mex's picture
I dont get it?

I dont get it?
i have r7000 bricked i assume.
i did the 1600mhz on ddwrt and it rebooted and all i get are the following lights:

power both orange and while led lit, 2.4 band white, 5 band white, usb 1 and usb 2 white leds. i have plugged in an ethernet cable into port 1 on r7000 and the other into my laptops ethernet port.

did the cmd/ipconfig and ip came up as 169.xxx.xxx.xxx

i have a wireless card as well which i disconnected from a live connection.
i set up the ethernet to ip 192.168.1.5 255.255.255.0 gateway to 192.168.1.1 primary dns 192.168.1.1

i go and ping 192.168.1.5 and get reply of less than 1ms and TTL=128

i downloaded latest oem netgear firmware for r7000, renamed if to frm.chk, put in root of c:/ then enabled tftp and
cmd
cd c:/
tftp -i 192.168.1.1(gateways manual set ip from above)PUT frm.chk
and get "Connection request failed"

is there any secret backdoor of anything else i can try to do thru a console(cmd) of what. by the way i tried 30/30/30 with no resets no blinking lights in recovery mode no nothing, tried to do same style on WPS as well as WiFi buttons with nothing.

i read somewhere that u can short-out 2 pins on the area where u attach a serial cable, but i dono which those 2 pins are(Rx Tx i assume), then try to load up firmware at same time, don't wanna risk destroying the router.
anyone got some kind of cure on how to get into recovery mode while on ddwrt firmware??

i know tomato has a function where for 25 sec u hold the wifi button after ur router been powered for 2-3mins that enables backdoor via ssh on port 233 that u can use to get it working, is there something like so that ddwrt incorporated that im not aware?
thanks in advance

Mex
Mex's picture
Peter Redmer said: Not sure

Peter Redmer said: Not sure on this, actually. This would explain why the 30-30-30 didn't seem to work properly. I simply used the reset button on the back of the unit, and when I did this, I was able to log in. I am not aware of any other procedure and have never tried booting with the WPS button pressed.

http://www.linksysinfo.org/index.php?threads/tomato-for-arm-routers.6971...

 

 

guys name thedak

4th one down

kamaaina
kamaaina's picture
Mex said: I dont get it? i

Mex said: I dont get it? i have r7000 bricked i assume. i read somewhere that u can short-out 2 pins on the area where u attach a serial cable, but i dono which those 2 pins are(Rx Tx i assume), then try to load up firmware at same time, don't wanna risk destroying the router. 

I read this too with the 2 pins shortening, but I believe that was a different router. This kind of stuff might depend on bootloader CFE or whatever it's called. To my knowledge, if you have DD-WRT installed and Kong build the reset button should work and that's all you need. Otherwise probably bricked. If that does not work, you might have to go via serial cable. Post this somewhere as a seperate topic in the forum. Look also at the "debrick via serial" post for the WDR 3500, and I believe the r7000 should have serial pins on the board. I recall I checked the images on SNB. 1600 mhz is 60% OC, quite steep. I read one post before of somebody trying 1600 and stalling but he somehow managed to recover. You're are the second who failed at 1600 with none confirmed yet. Even 1400 is YMMV as far as I know, 1200 seems pretty standard and stable. 

hippy
hippy's picture
I de-bricked my r7000. Used

I de-bricked my r7000. Used a serial USB TTL cable (The one used for raspberry pi)

Goes straight on and connected from my laptop using kitty (putty with extras). deleted NVRAM and was good to go with Shibby's 120 build

Mex
Mex's picture
thanks for the reply guys, ye

thanks for the reply guys, ye i ordered a serial cable, hope its gonna work using it.

ordered this one from ebay

http://www.ebay.com/itm/310742466145

Pages