So I read through this entire post because I have 2 of these T-Mobile routers.
I hacked both of them in about 1 hour and I forgot to lock the MD5 check on the second one.
After being on the net for 50 mins the router rebooted and reverted to the T-Mobile firmware, but this time to the new firmware that locks you out.
I tested flashing it several different ways from the recovery mode with zero success. Tried the Asus restore utility and that did nothing.
After doing more research I successfully downgraded back to TM-AC1900_3.0.0.4_376_1703-g0ffdbba.trx - enabled SSH and reflashed.
I stumbled across this document which outlines a few different methods to achieve this.
Not too hard to follow but you have to read it carefully. This helped me so I hope it helps you. It is possible to fix a unit that is locked out.
https://docs.google.com/document/d/1NsZMONmJ70zMmoAKKQJXbTVKytaPJptWTpqih1TD5n8/edit#
* The exploit below does not work on the latest Firmware Version: 3.0.0.4.384_45708, which allows you to use the wget function and write the firmware.
I did test the current firmware to see if the following exploit would work: It failed
validForm = function(){document.form.SystemCmd.value = "ping\necho hello world";return true;}
Now press the Diagnose button, and you should see the output from the command "hello world".
For the record, the reason I have two of these is so I could play with the AiMesh features.
It's been running for 12 hours without issues.
I learned something today!!
The exploit below does not work on the latest Firmware Version: 3.0.0.4.384_45708, which allows you to use the wget function and write the firmware.
THAT guy is GREAT !!
User17347427
/grin.
-----------------------------------------
The trick to getting 1703 installed is timing!
Sometimes it doesn't work....
Post #36 here you see the firmware restoration tool UI window.
Following Lazymocha's Guide, Step 6 & 7: Mini-CFE webpage
If you are having problems accessing the mini-CFE webserver see if this works:
- Power off the router using the power button
- Set your PC's IP as explained in Step 4
- Navigate to 192.168.29.1 using your browser -- the browser will continue to try and access the page until it is available
- Press and hold the reset button while powering-on the router
- When the mini-CFE webpage appears on the browser, release the reset button
- As long as the browser status is still spinning -- looking for a webpage. If it stops, refresh the page -- the mini CFE web page will load.
Some have said to keep holding the reset button down for 10 seconds after you start to load the firmware.
So, browser searching status spinning for 192.168.29.1- holding reset, power on router - if browser spins, the mini-CFE opens and you click firmware - keep holding reset for 10 seconds while firmware uploads.. let go reset.
Don't waste any time finding that firmware to load to mini-CFE as that web browser must be searching trying to connect to 192.168.29.1. If browser gives up searching (stops spinning) you have to click refresh.. it can stop the process. That is why ping is mentioned on some guides.
It helps to tape on a 'zip tie end' on top of the reset button so it's easy to press, you have a few things to do at once during this one step.
If this doesn't work, try Google Chrome incognito mode.
Some mention to turn on AP mode in the router, then try.
If accessing the mini-CFE webserver doesn't work at all for you...
You are experiencing the effects of a locked firmware...
You have to change Guides.
" Directions for rolling back to AC68 after AC1900 rollback: "
Direct Google Docs Link. We call this the Google Doc. Guide. You can download it here
What is wrong with the T-Mobile 3199 firmware
The Cellspots are USUALLY now shipped out with firmware 3199, that makes it harder for you to downgrade that firmware. Sometimes you get lucky with the above steps, sometimes you don't.
This is also caused if you have converted a Cellspot TM-AC1900 to RT-AC68U, that did not do the MTD5 commands, and attempted to do a firmware update past 3.0.0.4.384.20308.
Why is my converted Cellspot rolled back to 3199??
Those that changed a Cellspot to RT-AC68U in the past might experience this because the ASUS Firmware 3.0.0.4.384.20624 and newer is a 'smart firmware' that identifies converted Cellspots and reverts them back to T-Mobile Cellspots with T-Mobile firmware 3199. (You could say ASUS put in a virus/trojan to sniff out Cellspots)
Note: Merlin's is made off of ASUS firmware and will stop you updating firmware to 384.6 because it is triggering the 'cellspot rollback'... (or trying to)
To stop this from happening, you must complete the guide and do the MTD5 commands to make your router immune to this 'ASUS type smart firmware'.
IF you don't do these MTD5 commands, the safest highest version of firmware you can use of ASUS's is 384.20308.
The first MTD5 commands erase T-Mobile certificates and solve this issue. These first commands should be done on (according to Lazymocha's Guide instructions) 376.3626.
The last 2 MTD5 commands fill in that missing area to the regular size of the normal RT-AC68U. (Ahh haaa! MUST be done on firmware 384.xxxxx. That is why 384.20308 is the last safest firmware.. and you should install this to do the last 2 MTD5 commands)
IF you need to use this Google Doc. Guide, I recommend using the (No CFE USB Instructions). IF you still have your old 'original_cfe.bin' from converting THIS router in the past (not one from another router), then you can use the (USB Instructions).