5GHz Wireless Client Bridges & Turning back the clock: Convert a WRT610N v2 to E3000

My Linksys E3000 dual radio wireless router was finally retired last week for a Netgear Nighthawk R7000. In the early days I ran DD-WRT exclusively, but in the last two years I have split between Tomato (Shibby) and DD-WRT depending on application (i.e. Tomato as router, DD-WRT for wireless briges, repeaters).

E3000 vs. R7000(Table courtesy of Wiki Devi).
For a router released in early 2010 (over 5 years old), the E3000 still holds it own. You can overclock it to 532mhz, has a 2.4GHz and a 5.8GHz radio (simultaneous), it supports both DD-WRT & Tomato, and the throughput is still impressive; ~130mbps routed on Shibby v130.

As part of designing a campus wireless solution, we searched-and-searched for a cost effective way to create per room/apartment VLANs; e.g. residents and students have a wireless printer, a Roku, an Apple TV, and mobile devices that all need to talk mDNS & UPnP on a “local” network. Typical client-to-client isolation on campus wireless APs make this difficult. Currently we have older integrated DOCSIS cable modems with wireless routers providing this “local” network (e.g. Motorola SBG901)

So, after many hours with vendors and internal discussions, we made a decision: the best, simplest, easiest option is to create wireless routed bridges. Refer to this DD-WRT wiki page on “Linking Routers“; specifically “Client Bridged“. Not all residents will need this solution; only those with wired desktop(s) and those needing a “local” network for devices.

That solution leads us back to the Linksys E3000. For ~$35 on eBay, with its open-source firmware support and having two radios, it is an ideal candidate to create cost-effective, high performing, wireless routed client bridges. The 5GHz radio in client mode as the WAN connection, connected to our campus wireless dual-band APs. The 2.4GHz radio and LAN switch ports providing a local, routed private network for resident devices (e.g. 192.168.1.X).

Turning back the clock: Convert a WRT610N v2 to E3000

It just so happens that Linksys also made the WRT610N v2 with identical hardware to the E3000.  Here are the steps (loosely based on this post):

  1. Flash to DD-WRT from the Linksys web interface: get the WRT610N v2 image “dd-wrt.v24-15962_NEWD-2_K2.6_mini_wrt610nv2.bin”. I am assuming the IP address of the WRT610N v2 is 192.168.1.1.
  2. Download this complete pacakge of WinSCP portable, HxD portable hex editor, Putty portable, the latest E3000 firmware, and latest Shibby VPN (v130) firmware for the E3000. Feel free to go compare MD5 hashes before flashing or go download the apps individually: WinSCP portableHxD hex editor portable (go down on the page for the portable version), & Putty portable.
  3. Make a copy of the e3000_cfe_V21_COPY_ME_BEFORE_EDITING.bin
  4. Using HxD, open the duplicate copy of e3000_cfe_V21.bin
  5. With the .bin open, hit “Search” on the top menu bar, then “Goto”.
    1. Search for “1E00” and hit “OK”.  This will show you the MAC address location. Flip over your WRT610N v2, find the MAC address on the back, and type in the MAC address delimited by colons (:); e.g 00:00:00:00:00:00. HxD will prompt you if make a mistake (e.g. “this operation changes the file-size”); DO NOT hit OK. You do not want to change the file-size. Hit “Cancel”.
      hxd_cfe_e3000_editing
    2. Do the same for the serial number. Search for “3FE30” and fill in the serial number.
    3. And the same for the PIN; search for “3FCDC” and enter the PIN number from the back without the dash (-).
  6. Save your newly customized CFE .bin.
  7. Login to DD-WRT, go to the Services tab, and “Enable” the SSHd. Hit “Apply”.
  8. Open WinSCP, “File Protocol”, choose SCP, type in the router address, and hit connect. Browse to “/tmp” (or pick your preferred folder).
    winscp_cfe_e3000_transfer
  9. Copy over the customized CFE .bin to “/tmp”. Do not reboot.
  10. Using Putty, connect to 192.168.1.1 and login.
  11. Type the following commands and DO NOT reboot:
    cd /tmp
    mtd unlock cfe
    mtd write -f [CFE .bin's filename] cfe
  12. Go to the web interface, “Administration” at the top. Then “Factory Defaults“. Hit “Factory Defaults” and hit “Apply”. The router will reboot.
  13. After reboot, login to the web interface and go to “Administration” and then “Firmware Upgrade“.
  14. Flash the OEM factory “FW_E3000_1.0.06.002_US_20140409_code.bin” firmware contained in the .zip file.
  15. Wait. A-long-time. The router will reboot a couple of times. Then retry to login to the web interface. You will not be able to login (NVRAM still contains the encoded DD-WRT password). Get a pen or paperclip, push and hold the reset button for 30 seconds, while holding the reset button, pull the power, count to 5, and plug it back all while holding the reset button. Keep holding the reset button for another 30 seconds and finally release. The router will reboot one final time.
  16. You should now be able to login to the OEM firmware with “admin” as the username and “admin” as the password.

Flashing DD-WRT or Tomato Firmware (non-OEM)

  1. Get on OEM factory firmware. Follow the prior three steps above to get to the factory E3000 firmware from Linksys. Make sure you also clear the NVRAM and be patient while it resets.
  2. Login to the OEM firmware at 192.168.1.1; username: admin / password: admin
  3. Go the “Administration” link at the top.
  4. Then to “Firmware Upgrade”
  5. (As of 7/5/2016, my preferred firmware choice) For DD-WRT, contrary to a lot of conflicting information, you can flash directly to:
    dd-wrt.v24-30082_NEWD-2_K3.x_mega-e3000.bin

    but you must use a paperclip and clear NVRAM after waiting 5 minutes for the flash to write. NOTE: be patient and wait a full 5 minutes to be safe!

  6. For Tomato, I recommend Shibby v132 (before MultiWAN was introduced):
    tomato-E3000USB-NVRAM60K-1.28.RT-MIPSR2-132-VPN.zip
  7. After flashing either Tomato or DD-WRT, login to the web interface and clear the NVRAM (again). In Tomato, go to “Administration” then “Configuration”, and do a “Thorough” NVRAM erase. In DD-WRT, go to “Administration” then under “Factory Default”, select “Yes” and hit “Apply”.

Wireless Client Bridged: DD-WRT

  1. On “Setup” tab, set Timezone & NTP:
    Time Zone:
  2. US/Eastern

    Server:

  3. 0.north-america.pool.ntp.org

    Hit “Save”

  1. Go to the “Wireless” tab.
    Set the bottom wireless adapter (5GHz) mode to “Client”.Set Network Name to the wireless network/SSID you want to connect the bridge. For example, “BV”. In a wireless client bridge, think of this as a WAN connection replacing the hard-wired physical WAN port.Set the top wireless adapter (2.4GHz) to the local network/SSID. For example, “Resident Network”. Choose 20MHz. Pick a channel (do not leave auto).
    dd-wrt client bridge wifi setup
  2. Go to “Wireless Security” sub-tab (in the “Wireless” tab).Set both to WPA2-Personal, AES (Do not use the TKIP+AES).
    Wireless Security for 2.4GHz radio; whatever password you want for the local network.
    Wireless Security for 5GHz radio; password for the network you are connecting to as your WAN.
    Hit “Save”.
  3. Go to “Services” tab
    Under DNSMasq disable “No DNS Rebind”.  A must!
    Disable ttraff Daemon (last option – trying to limit the number of NVRAM writes over time)
    Hit “Save”.
  4. Go to “Security” tab
    Uncheck all options and disable “SPI Firewall” at the top.
    Hit “Save”.
  5. Go to “Administration” tab. Under “Management” tab.
    Under Remote Access, Web GUI Management “Enable” (choosing NOT to use HTTPS to keep it simple). Port 8080 is default.
  6. Go to “Administration” tab. Then “Keep Alive” subnet.
    Reboot at least weekly at 2am (keep the client bridge “fresh”)
    Hit “Save”.
  7. Reboot router for changes to apply (or click “Apply”; full reboot preferred).
    After reboot, login to DD-WRT (192.168.1.1) again and look upper right; it should show a WAN IP in the range of the wireless network you are bridging.

Wireless Client Bridged: Tomato

This assumes Tomato; DD-WRT can be a client AND a repeater (which means you can be a 5GHz client and be an AP for 5GHz clients). But in the interest of keeping this simple, the 5GHz radio will be the client, the 2.4GHz radio would be the AP for “local” clients. I also had issues getting “Repeater” or “Repeater Bridge” mode working on DD-WRT (newer builds have issues).

Log into the web interface and go to the “Basic” then “Network”. Refer to the screenshot below.

  1. Type: DHCP assuming the AP you are connecting to assigns IPs
  2. Under “Wireless (2.4 GHz / eth1)” this is the setup of the “local” wireless connection in a private subnet to be routed out of the 5GHz WAN/internet connection.
  3. Under “Wireless (5 GHz / eth2)” set to “Wireless Client”. Enter the exact SSID and password/key used to connect to the exiting 5GHz network. Be careful: everything is case sensitive.

e3000_tomato_client_bridge

In conclusion…

For $20-$35, you have a very fast (upwards of ~130mbps) routed wireless 2.4GHz repeater with a 5GHz uplink (client) for the WAN/internet. The irony is that it is less then similarly performing USB dual band wireless adapter and its much more versatile. Enjoy.

TL-WR841N v9 DD-WRT to OEM Factory Firmware to Gargoyle

This post is to revert from DD-WRT back to OEM firmware and then to Gargoyle.

As a long-time user and sporadic contributor to the open-source router communities, here is a quick post in converting a TL-WR841N v9 from DDWRT back to factory TP-Link firmware and then flashing the latest Gargoyle build.

Most of the steps come courtesy of this OpenWRT forum post (FYI – Gargoyle is based on OpenWRT).

Step 1: You must know first your hardware version as described here from TP-Link or here from OpenWRT wiki.  In this example, I am running v9 (same as v9.2).  Only do the following steps via Ethernet; not wireless.

Step 2: Download “stripped” TP-Link firmware here.  Stripped firmware removes the bootloader allowing the factory firmware to fit in place of DD-WRT (in this example).  Please pay careful attention to download the proper build for your version of the router (v5 vs v9, etc).  Extract the zip file after downloading.

Step 3: Get a copy of WinSCP and Putty .  I prefer portable versions.  You can also use telnet in place of Putty.

Step 4: Login to DD-WRT, under the “Services” tab and enable both telnet and SSH.  Save settings and reboot the router.

Step 5: Open WinSCP and use the following settings:
Host name (assuming default): 192.168.1.1
Port: 22
File Protocol: SCP
Username: root
Password: <your DD-WRT password>

Step 6: Copy the stripped firmware.
On the right side, browse to /tmp/
Drag-n-drop from left to right the extracted firmware image.  In this example it was “TL-WR841ND-V9-FW0.0.3-stripped.bin”.  It should show up in the /tmp/root folder.  Rename “TL-WR841ND-V9-FW0.0.3-stripped.bin” to “1.bin” to make life easier.

Step 7: Login with Putty or Telnet using the same host and credentials as above.

Step 8: Flash the stripped firmware.  Type the following commands:
cd /tmp/root
Confirm the file is uploaded correctly. Run:
ls
Hit the “Enter”. Confirm the 1.bin file is in the directory.
Next run:
mtd -e linux -r write 1.bin linux
Use whatever name you copied/renamed in Step 6.

Wait and be patient as the new firmware is flashed.  It should take ~3 minutes and I was able to see the progress via Putty/telnet.  Once the flashing is complete the Putty/telnet session should close and the router should reboot.

Step 9: Disable/re-enable your network adapter to get a new IP from the TP-Link firmware.  v9 had a default IP of 192.168.0.1.

Step 10: Flash Gargoyle firmware from the TP-Link firmware.  In the TP-Link firmware, go to “System Tools” on the right side and “Firmware”.  Then browse to the proper Gargoyle firmware.  In this case it was the current Gargoyle factory build for v9: “gargoyle_1.7.1-ar71xx-generic-tl-wr841n-v9-squashfs-factory.bin”.  Hit “Upgrade”.  Wait and again be patient for ~3 minutes which Gargoyle flashes.

Step 11: Enjoy!  Disable/re-enable your network adapter to get a new IP from the Gargoyle firmware which should be 192.168.1.1.  Remember: Gargoyle does not by default turn on wireless; you have to login to enable the wireless radio.