Upgrade Your Linksys Router, Literally!


Cisco-Linksys decided to release new routers for their home routers: the “Valet” series and the “E” series. After doing some research, they’re actually just a re-branding of the older models. The only difference is that the “E” series now have double the amount of NVRAM available. In this article, we’ll be looking at the new E2000 and E3000 routers.

The E2000 is actually the WRT320N with a working reset button and E3000 is the new WRT610N v2. But that doesn’t that mean you have to ditch your current router if you own one of these already, especially just to get the extra 32k of NVRAM. You can actually update the CFE of the older model and transform your WRT320N or WRT610N v2 into the E2000 or E3000 respectively. The CFE is basically the BIOS of the router.

I actually found out how after a lot of searching on the DD-WRT forums. Thanks to users barryware and LOM, we have a way to upgrade the CFE. The procedure for both routers are the same, but at the DD-WRT forums, they are on 2 separate threads and buried in the “Broadcom Based Routers” section. So here’s my single article on it to make it easier to find for those of you who want to follow in my footsteps & convert your routers. I did this for 2 WRT610Ns and 5 WRT320Ns and so far, everything works well.

Advantages of converting:

    – You get double NVRAM
    – Future proofing
    – Newer “BIOS” for the same hardware (probably fixes some quirks & enables new features)
    – Fixes the broken reset button for the WRT320N

DISADVANTAGES of converting:

    – Flashing CFE is not like flashing firmware. You fail & your router = brick
    – Advantages not worth the risk for some people

Knowledge required:

    – Using a Hex editor. NOTEPAD, WORDPAD, ETC IS NOT A HEX EDITOR!
    – Use SSH and SCP
    – Flash and use DD-WRT firmware
    – Know how to do a serial port & JTAG recovery on your router

You MUST know how to do the first 3 or YOU WILL FAIL. The last one is extremely helpful if something goes wrong, but you’re taking a big risk if you don’t know how do it.

DISCLAIMER: NOBODY will take responsibility or be liable for anything you do to your router. If you brick it trying these procedures, YOU are solely responsible for your actions. YOU HAVE BEEN WARNED.

Important notes:

    – The WRT320N has a working JTAG, the WRT610N doesn’t. If you fail with the CFE flash, you may be able to recover your WRT320N, but your WRT610N will be dead.
    – Both routers have a working serial console. If you fail to flash the modified firmware before rebooting, you may be able to recover by using the serial console to clear NVRAM and re-flash the firmware.
    – E3000 conversion only works on a WRT610N v2. It will not work, and will brick your v1.
    – Do NOT power cycle your router at any time until you have completely finished and can confirm that the router has booted up into an operational state.
    – READ these instructions completely, a few times, before you proceed. Save them to a safe place. I also suggest you download the files needed in advanced.

1.) Flash you router with DD-WRT (an ordinary K26 big build), reset to defaults, set an admin password, and enable SSH.

2.) Open http://[your router’s ip]/backup/cfe.bin and save your current CFE to a safe place.

3.) Download the appropriate CFE for your router below:

– WRT320N (SHA1 Sum: db2d4cd117faac4c0a330afa4cdcdb5ad133d82a)

– WRT610N v2 (SHA1 Sum: b3cbe0d0ba8088ed3ff0a206b8866a02e8ec5ba4)

4.) Using a Hex editor, modify your CFE so that it has your router’s MAC address, serial number, and 8-digit easy access PIN. All of these numbers are on the sticker under your router. The easy access PIN is the number that is in the white space next to the “synchronize” arrows and looks like XXXX-XXXX. In the CFE, it is a single string XXXXXXXX.

Here are the offsets…

    E2000:
    MAC @ 0x3E098
    SN @ 0x3E0AD
    PIN @ 0x3E0C2

 

    E3000:
    MAC @ 0x1E00
    SN @ 0x3FE30
    PIN @ 0x3FCDC

4.) Connect your router to a reliable power source. REMEMBER: Do NOT power cycle your router at any time until you have completely finished and can confirm that the router has booted up into an operational state.

5.) SCP the modified CFE into /tmp on the router.

6.) SSH into your router using “root”. The password is your web interface password.

7.) Run the following commands:
cd /tmp
mtd unlock cfe
mtd write -f [cfe's file name] cfe

8.) It will only take a few seconds to flash the CFE. But you are not done yet – DO NOT REBOOT. Go back to the router’s web interface and upload the modified firmware, making sure your set the “Reset to defaults” option. This modified firmware tricks your router in thinking its the proper build, but is indeed the build for the converted model so that after a reset, it can boot the proper image. The downloads are here:

E2000 Modified DD-WRT (SHA1 Sum: f6d8b2f8b0f4a6f0d72885f48608046619186aab)

E3000 Modified DD-WRT (SHA1 Sum: efab4812ca602466942d7d0eb81fbfd014ca5789)

9.) The router will reset itself upon flashing this modified firmware. Be patient – it can take up to 10 minutes and a few reboot cycles to complete. If your are successful, you should be able to access the DD-WRT admin page at http://192.168.1.1.

10.) One last thing: set a password, and flash a proper DD-WRT E2000 or E3000 build, making sure you reset to defaults again. You can find them in the “Other Downloads” section on the DD-WRT website.

Done! You should now have a converted E2000 or E3000! You can even flash the stock firmware for the E2000 or E3000 and use it if you’d like.

What I found was that DD-WRT actually likes the extra NVRAM better. YMMV. Cheers!

30 thoughts on “Upgrade Your Linksys Router, Literally!

  1. Thanks for the great instructions! Just did this and then flashed TomatoUSB which supports the E2000 now and is, in my opinion, a much nicer firmware than ddwrt.

    1. It’s your router’s WAN MAC address, serial number and easy access pin that matters. IP addresses are set by firmware, and the rest of the interfaces’ MAC addresses are calculated from the WAN MAC address.

  2. Hi,

    I think I successfully upgraded my 610n v2 to an E3000 using your method. I put stock firmware back on afterward — I just want to make sure that there’s no way I screwed it up. If it’s running E3000 firmware at all, does that mean that the CFE was modified correctly? My router was running fine before but now drops the WAN connection every few days… Just wondering if I did something wrong in the upgrade process. Thanks.

    1. It’s running the E3000 stock firmware = it’s unofficially a complete E3000. Doesn’t mean that the cisco stock firmware for the router isn’t flaky though, so I’d recommend you use the latest DD-WRT K2.6 build from the dd-wrt.com website. (Browse through the downloads section for the latest brainslayer build)

  3. Thanks. I had a little trouble uploading the modified CFE to the router but finally did it using winscp in scp mode.

  4. awesome instructions. worked great. performance went from 8MB/s downloads to 15MB/s downloads. thanks!

    note for mac users I recommend the 0xED hex editor.

  5. Hello,

    same problem over here. I only get a blank bin file. e3000 works but the one i need e2000 doesn’t.
    It seems that IE9 F**k’s up the download. Try using Firefox and you will get a filled bin file.

    cheers

    Burner1977

  6. Hello,

    3 quick questions:

    – Is it a must to have dd-wrt firmware on the router before you flask the CEF:
    – In the .bin file i have two mac adresses et0macaddr and defmacaddr with the same values. Do i have to change them both?
    – What do you mean with:

    Here are the offsets…

    E2000:

    MAC @ 0x3E098
    SN @ 0x3E0AD
    PIN @ 0x3E0C2

    thx

    Burner1977

    1. Yes you need to have DD-WRT on it before the CFE update, and immediately after, you will have DD-WRT. But after the CFE update and the subsequent DD-WRT installation to ensure it is working, you can actually load the stock E_000 firmware in from Cisco-Linksys. You won’t be able to load the WRT-_20N firmware anymore or that will brick the router.

  7. I was looking for a serial recovery to unbrick my router but then I found your website so after some experimenting it’s now unbricked and updated to an E3000! 🙂
    Thanks for sharing!

  8. hi, it says the file no longer exists when i try to download either of the files on here.

    hope you can re-upload them somewhere.

  9. My brother recommended I might like this website. He was totally right.
    This post actually made my day. You can not imagine simply how much time I had spent for this info!

    Thanks!
    Here is my page – vivacom router password

  10. I have two WRT610 V2 routers, currently loaded w/ the latest build of Tomato Shibby firmware. Do I have to install DD-WRT over it, and if so, which build (Standard, Mini, Mega, etc.)?

  11. Thanks a lot for the instruction, just got over successfully with the delivery of the WRT610nv2 reincarnated as E3000, now loading tomato shibby build to exploit it to the fullest.

    🙂

  12. Like others above Thank You. Just got my wrt610n ahem I mean E3000 ;). Barely used a Hex editer before and never scp’d or ssh’d and with your guide it was really easy. Noobs read carefully and do a little research, everything will go ok. On kongs mod nv60 edition, but will try others later.

  13. Hello. Thank you for the great article. I was able to upgrade/update my WRT610Nv2 to a E3000. The only issue I have experienced is that I am not able to flash/load the stock E3000 firmware in from Cisco-Linksys.

    Any ideas on getting this to work. It immediately errors out when trying to flash, as if it realizes it is not a true E3000. I have noticed that DD-WRT is showing my WRT610Nv2 has the Broadcom BCM4716 chip rev 1, and the E3000 has the Broadcom BCM4718 chip. Is this a problem?

  14. Many Thanks. WRT610Nv2 accidentaly bricked by power failure when updating firmware (Tomato).
    Recover http recovery by shorting pin 8&9 on flash chip. flash dd-wrt.v24-15962_NEWD-2_K2.6_mini_wrt610nv2.bin.
    Read your post. Apply = Now working E3000.
    Great!!

  15. I tried to do this and ended up with the following problem:

    The web interface gave me a message about the firmware update being successful and the default settings being restored. The router appeared to have booted normally with LAN, WAN, and power lights flashing. However, I have ‘limited’ internet access (LAN only) and can not access the web interface at 192.168.1.1. I can not SSH or telnet it, but the router does respond to pings.

Leave a Reply

Your email address will not be published. Required fields are marked *