@tegila
Last active September 11, 2021 23:25
ea6900

If your router's firmware is > 1.1.43.182871, downgrade it back to 1.1.42.161129

  1. Set up the local network:

ifconfig eth0 192.168.1.2 netmask 255.255.255.0

  1. Ping your router forever

ping 192.168.1.1

Start pinging your router and watch for the TTL to change from 100 to 64. That change marks the transition from the bootloader to the Linux image.

  1. TFTP the old firmware version

atftp --option "mode octet" --option "timeout 60" --verbose --trace -p -l FW_EA6900_1.1.42.161129_prod_DDWRT_upgrade.img 192.168.1.1

Keep pressing the reset button while the TTL is 100 until TFTP starts sending your file.

  1. FLASH THE INITIAL FIRMWARE

If the firmware is still at 1.1.46, search for troubleshooting steps and downgrade to the old firmware until you are able to flash linksys_ea6900_ddwrt.bin

How to mitigate the 32KB bug

  1. Change the bootloader to Vortex CFE (DANGER!!!)

Open "linksys_ea6900_cfe.bin" with "hexeditor" and fill in the MAC Address (found on the bottom of the router) and the WPS Password (found on the bottom of the router).

Then change 0:macaddr and 1:macaddr as follows: 0:macaddr is the MAC Address +2, and 1:macaddr is the MAC Address +4.

So if the MAC Address (found on the bottom of the router) is 3B:00:8F:39:F9:56, then 0:macaddr (same as MAC Address +2) would be 3B:00:8F:39:F9:58.

For EA6300v1 and EA6400 also change clkfreq to: clkfreq=800,533

Save as "linksys_ea6900_cfe.bin"

  1. SCP SEND THE VORTEX CFE TO /TMP

Upload the newly created CFE file "linksys_ea6900_cfe.bin" to the router.

  1. FLASH THE BOOTLOADER USING SSH

To flash the CFE use the following commands:

mtd unlock /dev/mtd0
mtd write linksys_ea6900_cfe.bin /dev/mtd0

  1. Reboot your router
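
The MAC arithmetic from step 1 can be checked on the edited file before the bootloader is written. The script below is an added example, not part of the original gist: it computes the label MAC +2 and +4 with carry across octets and confirms that the image holds those values in 0:macaddr and 1:macaddr. It assumes the image stores its settings as NUL-separated key=value text, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flash check for the hand-edited CFE image.
# Assumption: the image holds its settings as NUL-separated "key=value" text.

# mac_add MAC OFFSET: print MAC + OFFSET, carrying across octets.
mac_add() {
    hex=$(printf '%s' "$1" | tr -d ':')
    case "$hex" in
        ''|*[!0-9A-Fa-f]*) echo "invalid MAC: $1" >&2; return 1 ;;
    esac
    [ "${#hex}" -eq 12 ] || { echo "invalid MAC: $1" >&2; return 1; }
    # 48-bit add; the mask wraps FF:FF:FF:FF:FF:FF back to zero.
    printf '%012X\n' $(( (0x$hex + $2) & 0xFFFFFFFFFFFF )) |
        sed 's/../&:/g; s/:$//'
}

# cfe_value FILE KEY: print the first value stored for KEY in the image.
cfe_value() {
    LC_ALL=C tr '\000' '\n' < "$1" | LC_ALL=C sed -n "s/^$2=//p" | head -n 1
}

# check_cfe FILE LABEL_MAC: return 0 only if both derived MACs are in place.
check_cfe() {
    rc=0
    for pair in 0:2 1:4; do
        key="${pair%%:*}:macaddr"
        want=$(mac_add "$2" "${pair##*:}") || return 2
        have=$(cfe_value "$1" "$key" | tr 'a-f' 'A-F')
        if [ "$have" = "$want" ]; then
            echo "ok   $key=$have"
        else
            echo "FAIL $key: found '${have:-<missing>}', expected $want" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_cfe.sh linksys_ea6900_cfe.bin 3B:00:8F:39:F9:56
if [ "$#" -eq 2 ]; then check_cfe "$1" "$2"; fi
```

Run it on the workstation against the saved file before the SCP step; a non-zero exit status means one of the two entries does not match the label MAC.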

Vortex CFE flash miniWEB server

Now that the new CFE is flashed, the "recovery web interface" can be used to flash new firmware. Hold the red "reset" button on the back of the router while powering it up, and release it after about 15-20 seconds.

Navigate to 192.168.1.1 and the "recovery web interface" should come up. Flash Tomato Firmware (this can take up to five minutes, check the ping for ttl=64 to see if it's done.)

EA6900-AT-ARM-3.5-140-AIO-64K.trx

When the flash is done it's time to reset NVRAM (hold the WPS button while powering on the router, hold it until the Linksys logo starts to flash or 15-20 seconds)

Go to 192.168.1.1 and do a reset from within Tomato. Administration ==> Configuration ==> Erase all data in NVRAM memory (thorough).

Reboot router.
