Daily Archives: 12/09/2016


Hack The TMobile TM-AC1900 Router Into An Asus RT-AC68U

WARNING: YOU COULD BRICK YOUR ROUTER BY INCORRECTLY FLASHING. THIS SHOULD ONLY BE PERFORMED ON A SPARE ROUTER, NOT YOUR EXPENSIVE MAIN ACCESS POINT. I AM NOT RESPONSIBLE FOR ANY DAMAGES.

My experience comes from the original Slickdeals forums on this subject. My guide is a simplified, modified version of the various guides found there. I’ve done a few routers, so I have simplified the process to what you see below.

  • The older firmware versions and mtd_write can be found here
  • The default router IP out of the box is 192.168.29.1
  • I wound up using IE and clearing its cache every reboot. Clearing the browser cache is optional, but it might save you some time with cached error pages making it seem as though the router is unresponsive.

Download these files first:

  1. Boot the router into restore mode by holding the reset button and then powering on the router.
    1. The router is in restore mode when the front power indicator light is slowly blinking. The rear ASUS logo will blink as well.
  2. In a CMD window, TFTP the older T-Mobile firmware, version 1703, to the router (install the TFTP client via Windows Add/Remove Programs if it is not already installed):
    tftp -i 192.168.29.1 put TM-AC1900_3.0.0.4_376_1703-g0ffdbba.trx
  3. Reboot the router, log into the browser GUI and verify the firmware is now at 376_1703.
  4. Enable SSH under Administration/System.
  5. Putty to router and make a copy of the current CFE:
    cat /dev/mtd0 > original_cfe.bin

    1. By default, you will land in /tmp/home/root in both Putty and WinSCP
  6. WinSCP to the router and copy original_cfe.bin to your desktop.
  7. Use a hex editor to open original_cfe.bin from your desktop, find the 3 MAC addresses and the secret_code number, and copy them to a file for the next step.
    1. The first 2 MACs should be the same. The third is different.
    2. The secret_code is an 8 digit code which is also on the back of the router listed as the WPS Pin Code.
  8. Hex edit the rt-ac68u_1.0.2.0_us.bin file and replace the 3 MAC addresses and secret_code with the ones copied above from your original_cfe.bin.
  9. Save as new_cfe.bin and copy it and mtd_write to the router via WinSCP.
  10. Putty to the router and run the command:
    mtd-write -i new_cfe.bin -d boot
  11. Type exit to close the Putty session.
  12. Hold down the WPS button on the side of the router, unplug the power for 5 seconds, then plug it back in while continuing to hold the WPS button for 20 seconds.
  13. Release the WPS button. This clears your nvram, effectively a factory reset.
  14. Optional: Clear your browser cache.
  15. Once the router is back up, log into the browser GUI and verify that the title of the router is now ASUS RT-AC68U and not TM-AC1900.
  16. IMPORTANT: Install the ASUS firmware version 376.3626.
    1. The file is FW_RT_AC68U_30043763626.trx
    2. You can download it from Asus’ support site at:
      https://www.asus.com/us/Networking/RTAC68U/HelpDesk_Download/
    3. You must install this exact version in order to expand the bootfs partition from ~30M to ~60M
      1. Boot into restore mode – see step 1.
      2. Optional: Clear your browser cache.
      3. Navigate to the router GUI.
      4. You should see a ‘CFE MiniWeb Server’ page.
      5. Browse to the 376.3626 firmware and upload it.
      6. The router should upload and install the firmware, then reboot itself.
  17. Putty into the router when it comes up and run two commands:
    mtd-erase2 nvram
    reboot
  18. Optional: Clear your browser cache.
  19. Once the router reboots, log into the browser GUI and re-enable SSH in the Administration/System section.
  20. Putty into the router once more and run the command:
    df -h
  21. Verify that /dev/mtdblock is ~63M
  22. If so, you are done. Download and install the latest firmware from Asus via the GUI or pick another firmware distribution.
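
A pre-flash check for the image produced in steps 7 to 9, added here as an example and not part of the original guide: it confirms that new_cfe.bin carries the three MACs and secret_code from original_cfe.bin and differs from the donor rt-ac68u_1.0.2.0_us.bin only inside those values. It assumes the values are stored as plain ASCII text; the function names, the `mac0=`-style keys and the sample images are constructed for illustration.

```python
import re

# Assumption: both values are stored as plain ASCII, which is how a hex editor shows them.
MAC_RE = re.compile(rb"(?<![0-9A-Fa-f:])(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f:])")
CODE_RE = re.compile(rb"secret_code=(\d{8})(?!\d)")

def device_ids(image):
    """Return (sorted MAC strings, secret_code values) found in a CFE image."""
    macs = sorted(m.group(0).decode().upper() for m in MAC_RE.finditer(image))
    codes = [m.group(1).decode() for m in CODE_RE.finditer(image)]
    return macs, codes

def check_new_cfe(original, donor, new):
    """Return a list of problems with the edited image; an empty list means it passed."""
    problems = []
    o_macs, o_codes = device_ids(original)
    n_macs, n_codes = device_ids(new)
    if len(o_macs) != 3 or len(o_codes) != 1:
        problems.append(f"original: expected 3 MACs and 1 secret_code, found {len(o_macs)} and {len(o_codes)}")
    if n_macs != o_macs:
        problems.append(f"MAC mismatch: original {o_macs}, new {n_macs}")
    if n_codes != o_codes:
        problems.append(f"secret_code mismatch: original {o_codes}, new {n_codes}")
    if len(new) != len(donor):
        # Typing in insert mode instead of overwrite mode shifts every later byte.
        problems.append(f"size changed from {len(donor)} to {len(new)} bytes")
        return problems
    # Any byte that differs from the donor must sit inside a MAC or secret_code entry.
    allowed = set()
    for m in list(MAC_RE.finditer(new)) + list(CODE_RE.finditer(new)):
        allowed.update(range(*m.span()))
    stray = [i for i, (a, b) in enumerate(zip(donor, new)) if a != b and i not in allowed]
    if stray:
        problems.append(f"{len(stray)} unexpected byte change(s), first at offset {stray[0]:#x}")
    return problems

def fake_image(macs, code):
    """Constructed stand-in for a CFE dump (made-up key names and values, not real firmware)."""
    text = b"\x00".join(f"mac{i}={m}".encode() for i, m in enumerate(macs))
    return b"\xff" * 16 + text + b"\x00secret_code=" + code.encode() + b"\x00" + b"\xff" * 16

ORIGINAL = fake_image(["02:00:00:AA:BB:01", "02:00:00:AA:BB:01", "02:00:00:AA:BB:05"], "12345678")
DONOR = fake_image(["02:00:00:11:22:01", "02:00:00:11:22:01", "02:00:00:11:22:05"], "87654321")
GOOD = fake_image(["02:00:00:AA:BB:01", "02:00:00:AA:BB:01", "02:00:00:AA:BB:05"], "12345678")
BAD = GOOD.replace(b"02:00:00:AA:BB:05", b"02:00:00:11:22:05")  # third MAC left unedited

if __name__ == "__main__":
    for name, image in (("good", GOOD), ("bad", BAD)):
        print(name, check_new_cfe(ORIGINAL, DONOR, image) or "OK")
```

To use it on real files, read the three images with `open(path, "rb").read()` and pass them to `check_new_cfe` before copying new_cfe.bin to the router.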