Guide: Flash Linksys EA6300v1, EA6400, EA6500v2, EA6700, EA6900v1.0/1.1 with Tomato


monoton

Serious Server
Member
How to flash Linksys EA6300v1, EA6400, EA6500v2, EA6700, EA6900v1.0/1.1 with Tomato.
The EA6300v1 uses the same firmware as EA6400 since the routers are exactly the same.

WARNING:
If anything goes wrong this can brick your router and I will not be held responsible if that happens. You're doing this at your own risk.


For these routers a different CFE needs to be flashed, otherwise only 32k of NVRAM can be used, and that is not enough for anything but the most basic setup.

This means that you will not be able to revert back to Linksys stock firmware after the CFE flash. Other 3rd party firmwares can however be flashed.

Since the CFE has to be changed for this router there are some Pros and cons when this is done.

Pros:
Can install 3rd party firmwares (without the 32k NVRAM limit)
Can enter recovery mode (Hold the red "reset" button on the back of the router and power up the router, release it after about 15-20 seconds)
Navigate to 192.168.1.1 and the ”recovery web interface” should come up.

Cons:
Can no longer flash back to Linksys stock firmware (not really sure if this is a con since the stock Linksys firmware is nearly useless)

Download for EA6300v1 & EA6400: https://my.pcloud.com/publink/show?code=kZNb807Z04GYcuqwyxY10A7Ypsd8YHj35b57/
The archive contains:
linksys_ea6400_ddwrt.bin
linksys_ea6400_cfe.bin
WinSCP-5.9.6-Portable
CFEEdit.exe
putty.exe
Tftp2.exe

Download for EA6500v2: https://my.pcloud.com/publink/show?code=kZUbB87Zm3YFpS5jm17pxlLl49R2b5lXvYQV
The archive contains:
linksys_ea6500_ddwrt.bin
linksys_ea6500_cfe.bin
WinSCP-5.9.6-Portable
CFEEdit.exe
putty.exe
Tftp2.exe

Download for EA6700: https://my.pcloud.com/publink/show?code=kZ8beL7Zh4Wmg5YsaGfhw7Lb5Qn2kuR4sA87/
The archive contains:
linksys_ea6700_ddwrt.bin
linksys_ea6700_cfe.bin
WinSCP-5.9.6-Portable
CFEEdit.exe
putty.exe
Tftp2.exe

Download for EA6900v1.0 & EA6900v1.1: https://my.pcloud.com/publink/show?code=kZ5Erm7ZffTAthNzl1Hnv31K35kW7uw3aK4V
The archive contains:
linksys_ea6900_ddwrt.bin
linksys_ea6900_cfe.bin
WinSCP-5.9.6-Portable
CFEEdit.exe
putty.exe
Tftp2.exe

Also remember to download Tomato firmware of your choice.

1.
Reset the router (press and hold the red reset button until the power indicator flashes)

2.
Connect the PC to LAN port1 on the router.

Give the PC a static IP:
IP address: 192.168.1.20
Subnet mask: 255.255.255.0
Default gateway: 192.168.1.1
DNS: 192.168.1.1

Reconnect to make the settings take effect.

Ping the router "ping -t 192.168.1.1" (ttl=64 usually means that the router is ready)

3.
Open a web browser and navigate to 192.168.1.1.

Skip the basic setup (check the "skip" box) and proceed to log in using "admin" as password.

Navigate to Connectivity → Basic and flash "linksys_ea6xxx_ddwrt.bin".

If there’s an error saying the file is invalid this means the stock Linksys firmware is too new and can only flash firmwares signed by Linksys.

In this case do the following: Go to Troubleshooting → Diagnostics and click on "restore previous firmware", if it asks for a file then flash "linksys_ea6xxx_ddwrt.bin".

If it doesn’t ask for a file the flash will have to be done with tftp:

(For Windows)
Disconnect router
Run tftp2.exe
Server: 192.168.1.1
Password: blank (nothing)
File: browse to the dd-wrt file
Retry: 99 times
Connect the router
Immediately when ttl=100 appears in the ping window, press Upgrade to upload the firmware. This has to be executed quite fast so that the firmware has time to be uploaded to the router before ttl=64 appears.

If ping times out or host unreachable before firmware is flashed, ttl=100 doesn't show up, only ttl=64 or something else, just reconnect power to the router and let tftp keep trying. Also try a few resets once in a while.

Whatever you do, do not reconnect power or reset the router if the firmware has started uploading.

Most times it works on the first go, but this can take a bunch of retries. (It appears the number of ttl=100 responses is not the same on every power cycle and sometimes there is no ttl=100 response at all, very strange.)

Give the router a few minutes until ttl=64 appears in the ping window.

If ttl=64 does not appear, make sure that at least five minutes have passed since the upload and reconnect the power to the router.

Go to 192.168.1.1 again and DD-WRT should be there.
If not:
Navigate to Troubleshooting → Diagnostics and restore previous firmware.

DD-WRT should now boot.

(For the Linuxes)
The procedure is the same as for Windows but instead of the tftp2 application, command line is used.

Install tftp from the distro repo if not already installed.

Run tftp from the folder where "linksys_ea6xxx_ddwrt.bin" is located.

$ tftp
tftp> connect
(to) 192.168.1.1
tftp> binary
tftp> rexmt 1
tftp> timeout 180
Reconnect the power to the router.

When ttl=100 appears in the ping window:
tftp> put linksys_ea6xxx_ddwrt.bin

Sent 22765568 bytes in 76.5 seconds
tftp> quit

4.
Once the flash has completed (this takes a couple of minutes) navigate to 192.168.1.1.

Set username/password to admin/admin.

Navigate to the services tab and enable SSHd. Click Save at the bottom, then Apply Settings.

5.
Open "linksys_ea6xxx_cfe.bin" with "CFEEdit.exe" and fill in:
MAC Address (found on the bottom of the router)
WPS Password (found on the bottom of the router)

Go over to the Advanced Mode tab and change 0:macaddr and 1:macaddr to the following:
0:macaddr (same as MAC Address +2)
1:macaddr (same as MAC Address +4)

The HEX sequence from 00H to FFH:
00,01,02,03,04,05,06,07,08,09,0A,0B,0C,0D,0E,0F
10,11,12,13,14,15,16,17,18,19,1A,1B,1C,1D,1E,1F
20,21,22,23,24,25,26,27,28,29,2A,2B,2C,2D,2E,2F
30,31,32,33,34,35,36,37,38,39,3A,3B,3C,3D,3E,3F
40,41,42,43,44,45,46,47,48,49,4A,4B,4C,4D,4E,4F
50,51,52,53,54,55,56,57,58,59,5A,5B,5C,5D,5E,5F
60,61,62,63,64,65,66,67,68,69,6A,6B,6C,6D,6E,6F
70,71,72,73,74,75,76,77,78,79,7A,7B,7C,7D,7E,7F
80,81,82,83,84,85,86,87,88,89,8A,8B,8C,8D,8E,8F
90,91,92,93,94,95,96,97,98,99,9A,9B,9C,9D,9E,9F
A0,A1,A2,A3,A4,A5,A6,A7,A8,A9,AA,AB,AC,AD,AE,AF
B0,B1,B2,B3,B4,B5,B6,B7,B8,B9,BA,BB,BC,BD,BE,BF
C0,C1,C2,C3,C4,C5,C6,C7,C8,C9,CA,CB,CC,CD,CE,CF
D0,D1,D2,D3,D4,D5,D6,D7,D8,D9,DA,DB,DC,DD,DE,DF
E0,E1,E2,E3,E4,E5,E6,E7,E8,E9,EA,EB,EC,ED,EE,EF
F0,F1,F2,F3,F4,F5,F6,F7,F8,F9,FA,FB,FC,FD,FE,FF


So if the MAC Address (found on the bottom of the router) is:
3B:00:8F:39:F9:56
then 0:macaddr (same as MAC Address +2) would be:
3B:00:8F:39:F9:58

If the MAC Address (found on the bottom of the router) is:
3B:00:8F:39:F9:CF
then 0:macaddr (same as MAC Address +2) would be:
3B:00:8F:39:F9:D1

For EA6300v1 and EA6400 also change clkfreq to:
clkfreq=800,533

Save as "new6xxxcfe.bin"

6.
Run WinSCP.exe
File protocol: SFTP
Host name: 192.168.1.1
Port number: 22
Username/Password: root/admin
and Login

Upload the newly created CFE file "new6xxxcfe.bin" to the router.
This is done by dragging the file from the left side to the right (make sure the right side is in the /tmp/root directory)

Close WinSCP

7.
Run Putty.exe
Host name: 192.168.1.1
Port: 22
Connection type: SSH
and Open
login as: root
password: admin

To flash the CFE use the following commands:
mtd unlock /dev/mtd0
mtd write -f /tmp/root/new6xxxcfe.bin /dev/mtd0

If that doesn't work try:
mtd unlock /dev/mtd0
mtd -f write /tmp/root/new6xxxcfe.bin /dev/mtd0
Close Putty

8.
Now that the new CFE is flashed the "recovery web interface" can be used to flash new firmwares.
Hold the red "reset" button on the back of the router and power up the router, release it after about 15-20 seconds.

Navigate to 192.168.1.1 and the "recovery web interface" should come up.
Flash Tomato Firmware (this can take up to five minutes, check the ping for ttl=64 to see if it’s done.)

When the flash is done it's time to reset NVRAM (hold the WPS button while powering on the router, hold it until the Linksys logo starts to flash or 15-20 seconds)

Go to 192.168.1.1 and do a reset from within Tomato. Administration → Configuration → Erase all data in NVRAM memory (thorough).

Reboot router.
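
The +2/+4 arithmetic from step 5 of the guide above, as an added shell example that is not part of the original post. It goes beyond the guide's two examples by assuming the offset is added to the whole MAC as one 48-bit number, so a carry past FF moves into the next octet; the function names mac_add and cfe_macs are made up for this example.

```shell
#!/bin/sh
# Added example: derive 0:macaddr (+2) and 1:macaddr (+4) from the label MAC.
# Assumption: the MAC is treated as one 48-bit number, so F9:FF + 2 -> FA:01.

# mac_add MAC OFFSET: print MAC+OFFSET as upper-case, colon-separated hex.
mac_add() {
    mac=$1
    offset=$2

    # Accept only six colon-separated hex octets (catches typos like F9.D1).
    if ! printf '%s\n' "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then
        echo "invalid MAC address: $mac" >&2
        return 1
    fi
    case $offset in
        ''|*[!0-9]*) echo "offset must be a non-negative integer" >&2; return 1 ;;
    esac

    hex=$(printf '%s' "$mac" | tr -d ':')
    sum=$(( 0x$hex + $offset ))

    # A result above FF:FF:FF:FF:FF:FF no longer fits in a MAC address.
    if [ $(( sum > 0xFFFFFFFFFFFF )) -eq 1 ]; then
        echo "MAC address overflow: $mac + $offset" >&2
        return 1
    fi

    # Zero-pad to 12 hex digits, then put a colon after every pair.
    printf '%012X\n' "$sum" | sed 's/../&:/g; s/:$//'
}

# cfe_macs MAC: print the two values to enter in CFEEdit's Advanced Mode.
cfe_macs() {
    m0=$(mac_add "$1" 2) || return 1
    m1=$(mac_add "$1" 4) || return 1
    printf '0:macaddr=%s\n1:macaddr=%s\n' "$m0" "$m1"
}

# Run only when a MAC address is given on the command line.
if [ "$#" -eq 1 ]; then cfe_macs "$1"; fi
```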
 

boooya

Reformed Router
Member
Thank you very much monoton, this worked great!

I guess there is some kind of checksum calculated when using "CFEEdit.exe" to save "new6400cfe.bin" otherwise it would have been nice not having to fire up a Windows VM :)

Firefox (57.0.1, 64-bit) failed to upload the tomato firmware on the ”recovery web interface”, so I had to redo the process (reset to the DD-WRT-step), luckily the second try with Safari worked.
 

monoton

Serious Server
Member
I used the Windows tools in WINE under Linux.
I thought about writing the guide for Terminal use for the Linuxes at first but ended up doing it this way instead since Windows has about 90% of the desktop market.
 

iv7777

Serious Server
Member
Thanks for the nice guide. Looks like there can be one tiny optimization added to the process if someone likes a faster bootup:

At step 6, before saving as "new6400cfe.bin", go to Advanced Mode and change

clkfreq=800,333

to:

clkfreq=800,533

Save as "new6400cfe.bin" and follow the rest of the steps.

By doing this, the RAM clock will be set to 533MHz instead of 333MHz at CFE boot and the boot-up time can be cut from 90 down to 60 seconds. For some reason, the CFE doesn't like the value 333 at the first boot and reboots again with 533 set as the new value. Setting the value to 533 will make it boot only once, thus saving some time. This can be verified by hooking up a serial cable.

Hope this will help
 

monoton

Serious Server
Member
Thanks.
Didn't know about that one, added it to the guide.
 

lepa71

Addicted to LI
Member
Do we have to have modified CFE if linksys fw is too old(before it was required a signed fw from linksys)?
 

CHuckNasty

Network Noob
Member
I'm a noob, so please forgive my question, but on the step 3 statement: "If there’s an error saying the file is invalid this means the stock Linksys firmware is too new and can only flash firmwares signed by Linksys."

Would I need to contact Linksys or am I SOL?


Router: Linksys EA6900
Firmware: Ver. 1.1.42 (Build 174772)
 

monoton

Serious Server
Member
> Do we have to have modified CFE if linksys fw is too old(before it was required a signed fw from linksys)?

To get around the 32k NVRAM issue the modified CFE is needed, doesn't matter if the firmware is old or new.
 

monoton

Serious Server
Member
> I'm a noob, so please forgive my question, but on the step 3 statement: "If there’s an error saying the file is invalid this means the stock Linksys firmware is too new and can only flash firmwares signed by Linksys."
>
> Would I need to contact Linksys or am I SOL?
>
> Router: Linksys EA6900
> Firmware: Ver. 1.1.42 (Build 174772)

In that case you have to flash by using TFTP, which is also described in step 3.
 

CHuckNasty

Network Noob
Member
@monoton Also another question, I have had this router for about 3 years, it's an EA6900 either way, it currently is running version W_EA6900_1.1.42.174776_prod.img, would I need to roll it back to an older version using the TFTP also?
 

monoton

Serious Server
Member
No, there's no need to roll back to an earlier version when TFTP is the method to be used.

imo the TFTP way is actually the easiest.
ping the router
$ tftp
tftp> connect
(to) 192.168.1.1
tftp> binary

Reconnect the power to the router.

When ttl=100 appears in the ping window:
tftp> put linksys_ea6xxx_ddwrt.bin

Sent 22765568 bytes in 76.5 seconds
tftp> quit

No need to log into stock firmware.

If Linksys stock firmware is too recent i.e if there’s an error saying the file is invalid when trying to flash from stock, then the TFTP method is the only way.
 

CHuckNasty

Network Noob
Member
Hey @monoton I have restarted setup the router directly to my pc via my lan port, Gave the PC a static IP:
IP address: 192.168.1.20, Subnet mask: 255.255.255.0, Default gateway: 192.168.1.1, DNS: 192.168.1.1 and set everything as followed, and it still says unable to get response from the server when using TFTP? Any suggestions?
 

monoton

Serious Server
Member
If you can ping the router there shouldn't be any problem.

Did you open TFTP from the folder where linksys_ea6900_ddwrt.bin is?
and
Did you do tftp> put linksys_ea6900_ddwrt.bin immediately when ttl=100 appears in the ping window? (This has to be executed fast, otherwise the firmware does not have time to be uploaded before ttl=64 appears in the ping window.)
 

CHuckNasty

Network Noob
Member
The funny thing is I usually get about 20 ttl=100 pings before it starts to work, then it gets to about 65% and then shows server can't be reached. I try to do it quickly as soon as I see the ttl=100 but it can't be reached until about 20 pings of the ttl=100, but never has time to finish. Can I do something to slow the pings down maybe?
 

monoton

Serious Server
Member
I've now tried three different routers EA6400, EA6700 and EA6900.

EA6400 worked fine, several ttl=100 responses and flashed the firmware.

EA6700 and EA6900 both only had a few ttl=100 responses and TFTP would time out.

I don't know if this is the same issue you have, but in the end I was able to flash both of them with the following procedure:

$ tftp
tftp> connect
(to) 192.168.1.1
tftp> binary
tftp> rexmt 1
tftp> timeout 180
tftp> put linksys_ea6900_ddwrt.bin

This will make TFTP try to upload every second for three minutes.

Then I had to reconnect the power, reset and "tftp> put linksys_ea6900_ddwrt.bin" in no particular order for several times until the firmware finally uploaded with several ttl=100 responses.

I probably had to reconnect power/reset 15 times before it worked, but it is definitely doable.

It's very strange, some of the routers flash the first time, others not so much.
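
The timing problem from step 3 of the guide and the posts above (start the put as soon as ttl=100 shows up, and treat the upload as done only when tftp reports "Sent ... bytes"), as an added shell example that is not from the thread. It assumes Linux ping with the -c and -W options and a tftp client that reads its commands from standard input; the function names are made up here.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux ping (-c/-W), a tftp
# client that reads commands from stdin, and the guide's 192.168.1.1.

# ttl_of LINE: print the TTL from one ping reply line (Linux or Windows
# format); print nothing for a timeout or unreachable line.
ttl_of() {
    printf '%s\n' "$1" | sed -n 's/.*[Tt][Tt][Ll]=\([0-9][0-9]*\).*/\1/p'
}

# boot_state LINE: classify a ping line the way the guide reads the ping window.
boot_state() {
    case $(ttl_of "$1") in
        100) echo tftp-window ;;   # the upload has to start now
        64)  echo booted ;;        # firmware is up: window missed or flash done
        '')  echo down ;;          # no reply
        *)   echo other ;;
    esac
}

# upload_ok OUTPUT: true only if tftp printed "Sent N bytes in S seconds".
upload_ok() {
    printf '%s\n' "$1" | grep -Eq 'Sent [0-9]+ bytes in [0-9.]+ seconds'
}

# flash_when_ready FIRMWARE [ROUTER_IP]
flash_when_ready() {
    fw=$1
    ip=${2:-192.168.1.1}
    [ -r "$fw" ] || { echo "cannot read $fw" >&2; return 1; }

    echo "Reconnect the power to the router now; waiting for ttl=100 ..."
    until [ "$(boot_state "$(ping -c 1 -W 1 "$ip" 2>/dev/null | grep -i 'ttl=')")" = tftp-window ]
    do :; done

    # Same commands as typed by hand in the guide, run from the firmware's folder.
    out=$(cd "$(dirname "$fw")" && printf '%s\n' binary 'rexmt 1' 'timeout 180' \
              "put $(basename "$fw")" quit | tftp "$ip" 2>&1)
    printf '%s\n' "$out"
    if upload_ok "$out"; then
        echo "Upload complete. Leave the router powered until ttl=64 appears."
    else
        echo "No 'Sent ... bytes' line: upload did not finish; power-cycle and retry." >&2
        return 1
    fi
}

# Run only when a firmware file is given on the command line.
if [ "$#" -ge 1 ]; then flash_when_ready "$@"; fi
```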
 

CHuckNasty

Network Noob
Member
Ok. this is my procedure and let me know if i am doing it incorrectly. so when I open the cmd prompt:

I have the file stored on my downloads folder (tftp.exe and linksys_ea6900_ddwrt.bin) in the same folder.



1. Hold the red "reset" button on the back of the router for 30 seconds, and power up the router, release it after about 15-20 seconds.
2. already have ping on 192.168.1.1 in one cmd prompt window
3. second cmd prompt window, have tftp ready to go=C:\Users\CEWJR9842\Downloads\Linksys\Tools (not sure if i need to telnet) because this command just opens the small tftp window below:
upload_2018-5-7_7-51-30.png

4. enter admin password and upgrade. and fail! (Sometimes the blue line starts after about 20 ttl=100 have gone by but then fails midway.) It does not give the option to run it via cmd window, unless I'm supposed to telnet to it. Am I doing something incorrectly?

I am not getting to a point when I can run the tftp.exe via cmd prompt, is this a telnet procedure or do I need to also enable tftp in windows 10, if so then i can see why i'm not at least able to do this below:

$ tftp
tftp> connect
(to) 192.168.1.1
tftp> binary
tftp> rexmt 1
tftp> timeout 180
tftp> put linksys_ea6900_ddwrt.bin


Again thanks for all your help, it is surely appreciated.
 

monoton

Serious Server
Member
I just booted up a Windows machine to test and it turns out TFTP on Windows doesn't work the same way as in Linux.

Here's what I did:
1. Download tftp2.exe http://www.3iii.dk/linux/dd-wrt/tftp2.exe
2. Disconnect all routers
3. ping -t 192.168.1.1
4. Run tftp2.exe
Server: 192.168.1.1
Password: blank (nothing)
File: browse to the dd-wrt file
Retry: 99 times
Press Upgrade and let it keep trying.
5. Connect the router
Check the ping window and tftp2. If ping times out or host unreachable before firmware is flashed, ttl=100 doesn't show up, only ttl=64 or something else, just reconnect power to the router and let tftp keep trying. Also try a few resets once in a while.
I had success when tftp2 was on retry 24.

Whatever you do, do not reconnect power or reset the router if the firmware has started uploading.
 
