Buffalo WBMR-HP-G300H
Markings indicate it's an Arcadyan ARV7516.
We need information for debrick this device with JTAG pinout, if you know how to repair full-brick, help us !
Supported Versions
Hardware Highlights
Installation
(Note: the above firmwares are for Annex B (ISDN). For Annex A (POTS) substitute wbmr-hp-g300h-a for wbmr-hp-g300h-b in the above urls.)
→ Install OpenWrt (generic explanation)
Only suitably encrypted images may be flashed from the web interface in the stock Buffalo firmware. It is therefore not possible to install OpenWrt in this way. There are two alternatives:
Option 1: Install from DD-WRT
DD-WRT have a licensing agreement with Buffalo, and can therefore provide encrypted firmware images. So it is possible to proceed as follows:
- Flash the DD-WRT image from the web interface of the stock Buffalo firmware. (Be careful to choose the right image file, ie the one for an initial install, not the one for upgrading from a previous version of DD-WRT.)
- Just a warning before flashing. This OpenWrt image is for annex b not a. The instructions under Configure ADSL imply that you can install annex a after flashing but the package is not included in the image, so you will be stuck with no internet. So check which annex your internet service provider uses before flashing.
- Get on-line. See DD-WRT documentation for this.
- telnet into DD-WRT (When asked for the username, enter root (even if you changed username in web interface)), then download and flash the OpenWrt image file:
For Attitude Adjustment 12.09
cd /tmp wget http://downloads.openwrt.org/attitude_adjustment/12.09/lantiq/ar9/openwrt-lantiq-ar9-WBMR-squashfs.image mtd -r write openwrt-lantiq-ar9-WBMR-squashfs.image linux
For Barrier Breaker 14.07
cd /tmp wget https://downloads.openwrt.org/barrier_breaker/14.07/lantiq/xway/openwrt-lantiq-xway-WBMR-squashfs.image mtd -r write openwrt-lantiq-xway-WBMR-squashfs.image linux
This BB Image comes with the firmware package for Annex B but in /etc/config/network it says Annex A. If you wish to use Annex B you will have to change /etc/config/network. If you wish to use Annex A you will have to uninstall the Annex B package and install the Annex A package, see the Configure ADSL section below for how to do this.
For Chaos Calmer 15.05
cd /tmp wget https://downloads.openwrt.org/chaos_calmer/15.05/lantiq/xway/openwrt-15.05-lantiq-xway-WBMR-squashfs.image sysupgrade openwrt-15.05-lantiq-xway-WBMR-squashfs.image
This CC Image comes with the firmware package for Annex B but in /etc/config/network it says Annex A. If you wish to use Annex B you will have to change /etc/config/network. If you wish to use Annex A you will have to uninstall the Annex B package and install the Annex A package, see the Configure ADSL section below for how to do this.
For OpenWRT v19.07.3 we must use mtd, as long as sysupgrade does not seem to be installed (example for Annex A):
cd /tmp wget http://downloads.openwrt.org/releases/19.07.3/targets/lantiq/xway/openwrt-19.07.3-lantiq-xway-buffalo_wbmr-hp-g300h-a-squashfs-sysupgrade.bin mtd -r write openwrt-19.07.3-lantiq-xway-buffalo_wbmr-hp-g300h-a-squashfs-sysupgrade.bin linux
It does not appear to be possible to flash OpenWrt from the DD-WRT web interface.
Reverting back to DD-Wrt
WARNING: Do not try to revert to DD-WRT using mtd or you may have to debrick (see https://forum.openwrt.org/viewtopic.php?id=43954).
From the OpenWrt WebUI: The latest official DD-Wrt release (Build 21061 / 2013-04-26) for the WBMR, includes a tftp uImage for the device. You can use this uImage to flash from the OpenWrt WebUI to DD-Wrt. Just go to the dd-wrt website, find WBMR in the router database and download the uImage.bin file. Then go to your OpenWrt box and navigate to System -→ Backup / Flash firmware. Browse and find the uImage. Click on “flash image”. You'll see a verification page (the correct md5 hash of the uImage.bin file is 8b2c7024f4a477ef9db9a2d6094d283e). Click “proceed” and after 4-5 minutes DD-Wrt will be installed on the device.
Option 2: Install with TFTP
- Use TFTP to boot a ramdisk image of OpenWrt.
- Set password to enable ssh.
- Download the OpenWrt image you wish to flash and copy it to the /tmp directory on the router using scp.
- Run: sysupgrade imagefilename to flash the image.
2.0
Connect the device via a switch. If your machine doesn't bring it's interface up in time, it may be too late and you'll miss the tftp requests. Connecting with a switch in the middle ensures the interface remains up & configured.
2.1
The router bootloader has a tftp client, which will try to connect to 192.168.11.2 and load a file called firmware.ram. Download https://downloads.openwrt.org/barrier_breaker/14.07/lantiq/xway/openwrt-lantiq-xway-WBMR-uImage and rename it as firmware.ram to your tftp server root folder.
2.2
Install and start a tftp server. For linux there is a package called tftp-server, tftpd-hpa or similar and on MacOS X TftpServer Version 3.4.1 was used.
Some people have reported tftpd-hpa not working as tftp server in debricking. Wireshark shows the server complaining 'must use absolute filename' and the transfer does not start. Others have reported that at least tftp-hpa versions released year 2013 and after work. To be sure use tftpd with the default configuration.
2.3
Check that the file exists in your tftp server root folder e.g. /srv/tftp or /var/lib/tftp or your current directory depending on your software.
2.4
Setup your interface. It doesn't matter which port of the router you use. Set your tftp server IP to 192.168.11.2/24.
Optional for Linux using tftpd. If you've installed tftp, confirm the server is available with
tftp localhost
Otherwise try restarting inetd:
For Debian Wheezy root@Hostname:~# /etc/init.d/openbsd-inetd restart
2.5
Push the AOSS button and power on the router. Keep the AOSS button for about 5 seconds pushed. When the AOSS button is pushed the LED below power will also light up on start. You can verify with wireshark, if everything works as expected. There should be a tftp request from 192.168.11.1 to 192.168.11.2 for a file firmware.ram. Then This file will be transmitted and after that the ip 192.168.11.1 vanishs, because you see your computer asking to whom this ip belongs.
2.6
Ping 192.168.1.1 You may also do a DHCP request, which will be answered if your router booted fine. Router may not necessarily give any signal via LED if it is ready or not.
2.7
Flash a working image: Telnet to device, set ssh password, copy squashfs image to your device with scp and sysupgrade squashfsimage.
Hardware
Info
Architecture: | MIPS32 |
Vendor: | soc.lantiq Lantiq |
bootloader: | U-Boot 1.00 |
System-On-Chip: | Lantiq AR9 |
CPU/Speed | MIPS 34Kc / 333MHz Lantiq PSB 50810 |
Flash-Chip: | |
Flash size: | 32MB |
RAM: | 64MB |
Wireless: | Atheros AR9280 Rev:2 |
Ethernet: | 4 x Gigabit Atheros AR8316 |
Modem: | Lantiq ADSL2+ |
USB: | Yes 1 x 2.0 (driver dwc_otg) |
Serial: | Yes |
JTAG: | Yes |
Hardware Photos
Disassemble
For disassembling the device you need a Torx T8 screwdriver WITH HOLE that is AT LEAST 16mm long (with some pressure Torx T9 works too). A normal torx bit won't fit because the screws are sunk very deep so you won't reach them.
Serial
A male-strip is on board to connect your TTL capable serial converter. PIN 1 is marked with a arrow.
Serial port pinout:
PIN 1: VCC +3.3V
PIN 2: GND
PIN 3: TX
PIN 4: RX
Use the following settings: 115200 8N1
.
Caution: Be very careful with the serial interface! It is very fragile! Therefore never use the Vcc Pin. I destroyed my Buffalo by applying all four cables (works fine) and then unplug the main power supply. This will destroy the router electrically! So never ever use Vcc aka Pin1!!!
Also with only GND, TX and RX without VCC I destroyed the router electrically. So is better unplug serial before unplug the main power.
JTAG
The pinout use the standard MIPS
Flash
Layout
# cat /proc/mtd dev: size erasesize name mtd0: 00040000 00020000 "uboot" mtd1: 00020000 00020000 "uboot_environ" mtd2: 00140000 00020000 "kernel" mtd3: 01da0000 00020000 "rootfs" mtd4: 00040000 00020000 "firmware" mtd5: 00020000 00020000 "user_property" mtd6: 00020000 00020000 "fwdiag" mtd7: 00020000 00020000 "boardcfg" mtd8: 00020000 00020000 "calibration" mtd9: 01ee0000 00020000 "cmbfirmware"
There seems to be different layouts. My flash layout looks like this (revision dependent?):
# cat /proc/mtd dev: size erasesize name mtd0: 00040000 00020000 "uboot" mtd1: 00020000 00020000 "uboot-env" mtd2: 01f20000 00020000 "linux" mtd3: 00100000 00020000 "kernel" mtd4: 01e20000 00020000 "rootfs" mtd5: 00020000 00020000 "calibration"
As of 15.05.1 the layout looks like this:
# cat /proc/mtd dev: size erasesize name mtd0: 00040000 00020000 "uboot" mtd1: 00020000 00020000 "uboot_env" mtd2: 01f20000 00020000 "firmware" mtd3: 00160bf3 00020000 "kernel" mtd4: 01dbf40d 00020000 "rootfs" mtd5: 01b00000 00020000 "rootfs_data" mtd6: 00020000 00020000 "board" mtd7: 00020000 00020000 "calibration"
Bugs
Barrier Breaker 14.07
A bug with the Atheros driver causes Wifi under heavy use to disconnect clients, see https://dev.openwrt.org/ticket/11862 and https://dev.openwrt.org/ticket/12372.
Chaos Calmer 15.05
Ticket 11862 (https://dev.openwrt.org/ticket/11862#comment:339) suggests that the bug has been fixed in another device. Testing for this device and feedback to the tickets would be nice.
Configuration
Although the WBMR-HP-G300H is supported in the current stable Attitude Adjustment 12.9 release, the pre-compiled image is fairly basic and must be tuned to work properly (ADSL, wifi, LUCI web interface and LEDs).
Turn on ADSL nas0 interface in Attitude Adjustment 12.09
The ADSL interface is disabled in the Attitude Adjustment 12.09 image so turn it on:
/etc/init.d/br2684ctl enable /etc/init.d/br2684ctl start
From Barrier Breaker 14.07 onwards this is not necessary.
Configure ADSL
Attitude Adjustment 12.09
Precompiled image contains ADSL annex B only (for ISDN lines). For POTS (old-fashioned telephone line), you need annex A. Remove kmod-ltq-dsl-firmware-b-ar9 and install kmod-ltq-dsl-firmware-a-ar9 instead.
Add suitable configuration in /etc/config/network
- PPPoA example: Example
- PPPoE example:
config adsl-device 'adsl' option fwannex 'a' option annex 'a2p' config atm-bridge 'atm' option vpi '8' option vci '35' option encaps 'llc' option payload 'bridged' option unit '0' config interface 'wan' option ifname 'nas0' option proto 'pppoe' option username 'user@isp.net' option password 'XXXXXXXXX'
fwannex a is for normal telephone lines, fwannex b is for ISDN. Option annex a2p means ADSL2+, annex a is standard ADSL. Username and password options are often not needed.
Barrier Breaker 14.07
In /etc/config/network setup ADSL type. For analog telephone lines use annex a and for ISDN use annex b, see example below.
config adsl 'dsl' option annex 'b' option firmware '/lib/firmware/adsl.bin'
The preinstalled ADSL firmware is annex b. To use annex a remove the firmware package and install the annex a firmware https://downloads.openwrt.org/barrier_breaker/14.07/lantiq/xway/packages/base/kmod-ltq-adsl-ar9-fw-a_0.1-1_lantiq.ipk. VPI and VCI values can be defined in the same /etc/config/network file or in web interface under Network, Interfaces.
Chaos Calmer 15.05
Follow instructions as per Barrier Breaker 14.07. The package to download is at https://downloads.openwrt.org/chaos_calmer/15.05/lantiq/xway/packages/base/kmod-ltq-adsl-ar9-fw-a_0.1-1_lantiq.ipk.
Configure switch
LEDs
Barrier breaker 14.07 and above
Go to the web interface System → LED configuration to define the LEDs. For DSL use nas0 and check “Linkon, Transmit and Receive”. (Is there a better way to define ADSL LED? If linkon is defined on nas0 ADSL light will be always on, transmit and receive will blink it.)
Troubleshooting
Broken setup
If the device does not boot you can recover using the “Install with tftp” option.
DSL Firmware
If PPP discovery is failing:
Sep 8 15:50:01 OpenWrt daemon.warn pppd[2172]: Timeout waiting for PADO packets Sep 8 15:50:01 OpenWrt daemon.err pppd[2172]: Unable to complete PPPoE Discovery Sep 8 15:50:01 OpenWrt daemon.info pppd[2172]: Exit. Sep 8 15:50:01 OpenWrt daemon.notice netifd: Interface 'wan' is now down
it way be worth checking that the correct firmware is loaded for your DSL annex, POTS (normal telephone lines) is annex a and ISDN is annex b. Under LEDE 18, two different install images are available with “a” and “b” in their file names. Under previous releases you may have to uninstall one firmware and install the alternative.
To check which firmware you have, execute
opkg list-installed | grep kmod-ltq
You should see something like “kmod-ltq-adsl-ar9-fw-a - 0.1-1” for Annex A or “kmod-ltq-adsl-ar9-fw-b - 0.1-1” for Annex B.
Under previous releases, if the b firmware is loaded and you need a, “opkg remove kmod-ltq-adsl-ar9-fw-b” and install the “opkg install ./kmod-ltq-adsl-ar9-fw-a_0.1-1_lantiq.ipk”.
Useful commands
Check DSL line status:
/etc/init.d/dsl_control status
Update firmware:
sysupgrade openwrt-lantiq-xway-WBMR-squashfs.image
Feedback
2013-08-29 admax: “Good instructions, tftp flashing works well, stable device. Configuring took some time but has been running well ever since.”
2013-08-30 kitsunemura: “Really well written wiki. Device is really stable, I used the recovery method once and it worked fine. I don't really recommend using Transmission on this router because it is not really stable. Using NFS is the fastest way to transfer files from/to USB(EXT4).”
2014-10-09 admax: “Barrier breaker is even better.”
2015-01-01 drsound: “If you experience frequent DSL disconnections, try using an alternate DSL modem firmware, see ticket #18105.”
2015-08-15 Goble: “The latest Chaos Calmer OpenWrt and alternative DSL(annex-a) modem firmware combination works great. CC OpenWrt image compiled using GIT pulled sources (2015-08-10 source status). Only Win10 laptop had occational WLAN dropouts after idling 10 minutes, but it could be a problem in Win10 because Android tablet didn't drop WLAN connection. Disabling power saving of WLAN adapter in Win10 laptop solved that problem. Wired LAN connection never dropped connection. All in all, very happy with Chaos Calmer OpenWrt and WBMR-HP-G300H modem”