Resetting tomato initial to defaults

2 posts / 0 new
Last post
zahgrim's picture
Resetting tomato initial to defaults

I had an older DD-WRT v24 build on my R6250.  I figured I would try out tomato and downloaded the newest appropriate firmware and the initial.  I've flashed many different routers in the past and have always flashed an initial when departing from the factory flash.  

I selected the reset to defaults option in DD-WRT while flashing the tomato initial.  When it came back up, it was still occupying my old IP address, which suggests that my request to reset to defaults didn't get processed.  However, now it responds to HTTPS and SSH.  The web UI doesn't display a status like DD-WRT and immediately asks for authentication.  It sounds like tomato made it on the router and it's able to parse the same nvram options as DD-WRT.

I realized later that where I downloaded from didn't include the warning that I should have jotted down the http_password and http_username from the nvram.

Lacking credentials, I'm locked out.

It appears that CFE must still be in tact, that is, if the CFE is hard-coded to tftp vmlinuz from  I don't have a vmlinuz to feed it, but in the past, to debrick a different NETGEAR, I followed advice to rename the firmware to vmlinuz.  

So far I've tried

1. renaming a firmware to vmlinuz.  It pulls down the file, and stays online at the bootloader IP of until I power cycle it.

2. 30/30/30 has no effect, it resumes at my IP.

3. I've tried a 10 second WPS and wait for it settle.  

4. I've tried a 10 second WIFI button, and wait for it settle.

None of these seem to do any kind of reset.  2-4 end up back at the booted tomato initial (I guess) with HTTPS and SSH live.  

I know it's not my previous DD-WRT firmware since the web ui prompts immediately for authentication and SSH wasn't installed on the last firmware.


Aside from buying a 3.3v serial adapter or cross-linking another working router's (RT-N16) serial to it, are there any options to seed a reset of http_password and http_username using a vmlinuz?  I don't even know if vmlinuz would allow for a small ramdisk with the nvram commands.  


zahgrim's picture
I found a procedure for a

I found a procedure for a similar model. Using this as a sort of "live" media allowed me to retrieve the http_username/http_passwd from nvram (ssh in to using his vmlinuz image defaults).  Following a boot back in to tomato "initial" yielded me a successful GUI login, and the ability to set the username and password for both ssh/ui (I set it using root).

After flashing tomato-R6250-initial.chk and subsequently being locked out, I tried to flash dd-wrt.K3_R6250.chk, but it said the header information was corrupt.  I next flashed tomato-R6250-ARM--2017.3-kille72--AIO-64K.trx, and it booted up but couldn't find any wireless wl0 or wl1.  Something wasn't activating quite right.  I then hunted down the advancedtomato downloads and chose tomato-R6250-AT-ARM-3.5-140-AIO-64K.trx.

For more info, head out to the phpBB2 on and follow topic "Netgear R6300v2 Advanced Debrick Notes By Sploit" on both pages 1 to snag vmlinuz, and page 10 for login credentials for the live vmlinuz.