How to config ASUS RT-AC68U to use AiMesh

More Less
5 min readApr 17, 2019

--

T-Mobile router TM-AC1900 is a cheap alternative model of Asus RT-AC68U. But it is not supported by Asus officially, i.e, it is unable to upgrade to its latest firmware version. To use Asus’s latest fancy feature —Asus AiMesh. To utilize Aimesh, it needs to flash its bootloader to Asus CFE 1.0.2.0 and then erase MTD5 partition. After doing that, it is identical with a genuine RT AC-68U.

To achieve this, First to download this file and extract it to a newly created folder. It contains a firmware to downgrade to, a firmware to upgrade to, and an executable file, mtd-write.

  1. The router is coming with the firmware version 3.0.0.4.376.3108 which has ssh option disabled and hidden, after trying to downgrade it to firmware version 3.0.0.4_376_1703 so that ssh can be enabled.

How to downgrade AC-1900 is really a headache.

1. Place router into Recovery/Restore mode
Hold reset button 10 seconds
Power off router (keep holding reset)
Wait 10 seconds, keep holding reset
Power on router holding reset for 10 more seconds
2. Go to 192.168.29.1 in a web browser
If Mini-CFE webpage won’t load use Asus Restore Utility
If having trouble with this step perform NVRam Reset and try #2 again
not working in my case

Follow this instruction, it will work:

1). holding down three buttons- reset, WPS, and wifi on/off — all at the same time2). powering on3). waiting a few seconds for fast blinking lights4). releasing the WPS and wifi buttons, but still holding down reset,5). as soon as 192.168.29.1 started answered pings, quickly visiting http://192.168.29.1/ to open the mini CFE uploader,6). submitting the 1703 firmware, and waiting for upload success message7). finally releasing the reset button. The rest of the how-to worked just fine.

T-Mobile has made it harder to modify the router, but it’s still possible.

2. Log in to router (admin:password), enable ssh in the administration page

Go to Administration > System > Enable SSH > Yes > Apply

3. using putty ssh to the router, copy bootloader cfe out:

cat /dev/mtd0 > original_cfe.bin

Then use scp to copy it out.

4. Copy original_cfe.bin to a local drive

5. Upload original_cfe.bin to https://cfeditor.pipeline.sh/ > Select 1.0.2.0 US AiMesh as Source CFE for Asus/Merlin builds, (1.0.2.5 recommended for DD-WRT or Tomato) > Download the new .bin > rename it to new_cfe.bin

6. Upload new_cfe.bin & mtd-write & FW_RT_AC68U_30043763626.trx to router through WinSCP

7. In Putty type:

chmod u+x mtd-write
./mtd-write new_cfe.bin boot
mtd-write2 FW_RT_AC68U_30043763626.trx linux

Note: If did not input the correct command format, mtd-write gives the wrong usage info, DON’T follow it, it is wrong.

admin@(none):/tmp/home/root# ./mtd-write
Usage: ./mtd-write -i file -d part <-- wrong format
  • Actually write the ASUS CFE version and overwrite the T-mobile one by typing:
admin@(none):./mtd-write new_cfe.bin boot  <-- correct cmd format

before flash:

admin@(none):/tmp/home/root# nvram get bl_version
2.1.2.6

After flash ASUS CFE, the output looks like this:

admin@(none):/tmp/home/root# nvram get bl_version
1.0.2.0
admin@(none):/# nvram get HW_ver
170
admin@(none):/tmp/home/root# nvram get clkfreq
800,666

8. Perform NVRAM Reset, wait for reboot <5 mins

a. Power off router
b. Wait 10 seconds
c. Press and hold WPS button
d. Power up the router and continue to hold WPS button for 15–20 seconds until power LED starts blinking very quickly.

After flash asus firmware 376, the default gateway IP changes to 192.168.1.1
username:password is now: admin:admin

9. ssh to the switch, remove mtd5 partition, otherwise, Asus will not let you upgrade to its 384 firmware since TM-AC1900 is not official supported by Asus and Asus added a firmware check.

cat /dev/mtd5 > /jffs/mtd5_backup.bin
mkdir /tmp/asus_jffs
mount -t jffs2 /dev/mtdblock5 /tmp/asus_jffs
rm -rf /tmp/asus_jffs/*
sync && umount /tmp/asus_jffs
rm -rf /jffs/.sys/RT-AC68U
nvram unset fw_check && nvram commit && reboot

Next, you can download official Asus firmware from its website, and upgrade to latest version to enjoy AiMesh. After flash to 384.xx,

/tmp/home/root# ln -s /sbin/rc mtd-erase
/tmp/home/root# ./mtd-erase -d asus
Erasing 0x0 - 0x1ffff
Erasing 0x20000 - 0x3ffff
Erasing 0x40000 - 0x5ffff
Erasing 0x60000 - 0x7ffff
Erasing 0x80000 - 0x9ffff
Erasing 0xa0000 - 0xbffff
Erasing 0xc0000 - 0xdffff
Erasing 0xeffff - 0xfffff
Erasing 0x100000 - 0x11ffff
Erasing 0x120000 - 0x13ffff
"asus" successfully erased.

/tmp/home/root#

To check if your on CFE 1.0.2.0 or CFE 1.0.2.0 US AiMesh
As you will notice, doing this command(found from years ago):

nvram get bl_version

It just says 1.0.2.0 not anything about AiMesh.

To check Version verification, use Putty to telnet into router. Click the picture bottom of. this post

strings /dev/mtd0 | grep odmpid

“If it returns “odmpid=RT-AC68U” odds are high you have installed the correct one(1.0.2.0 US AiMesh).
If is says “odmpid=ASUS”, that’s the non-AiMesh one.”

— — -
How do I double check the MTD5 signature
Do you think you didn’t do the MTD5 commands correctly
Lazymocha’s Guide doesn’t explain to do the last two MTD5 commands on firmware 384.xxxxx (preferably 384.20308).
If you didn’t read correctly about the MTD5 command step above, you might not have had the last 2 MTD5 commands effectively done.

To check this, once again, putty in and do the following command:

strings /dev/mtd5

A “real” RT-AC68U has absolutely nothing in /dev/mtd5 except it is filled with 0xff. You should see no result for the command output.(seen in green)

admin@RT-AC68U:/tmp/home/root# strings /dev/mtd5
admin@RT-AC68U:/tmp/home/root#

I did see weird things:

admin@RT-AC68U:/tmp/home/root# strings /dev/mtd5
[tmo-14DDA9xxxxxx.tgz <- router mac address
gNp}ET8
,0|Qtf
x1(a+
YZSl
gEX`
-fY q
m^U=
5:{"
i=V#"sk
\b8n
Jqf(
o$4A?
@8@ 9
L1uH
x)>(~
#zAP
dwTZW
ERs^
/2sU
Y?g9S6'6
P}e3
jzM1s
,Gl:
cgeX
(T{sv
zT#TA7
k'_z
] OW
> Ma$:Y)
(i&*z
`q8y$
^{?!
Y 7n
eKJk
;7#{#
"'F=
/h)z
>!?AZ
,!Y5
"]mt
etpX
[tmo-14DDA9xxxxxx.tgz

If you do see some misc strings, there’s something in mtd5 and you should execute the commands to wipe it when on firmware Version 384.xxxxx

/tmp/home/root# ln -s /sbin/rc mtd-erase
/tmp/home/root# ./mtd-erase -d asus

After this, everything works like a charm. You can sit at the back yard, enjoy a cup of cafe and web browsing at same time offered by Asus AiMesh now.

Reference:

--

--