How to Debrick or Recover NETGEAR R7000, R6300v2, or R6250 Wi-Fi Routers

 

In case you have bricked your unit, or in case you need more debugging info from your router you can setup a serial console.

Prerequisites for this procedure:

  • 1 x Router either R7000/R6300v2/R6250 which have the same serial connection pins on board
  • 1 x Ethernet cable if you want to flash a new firmware in recovery mode
  • 1 x USB-TTL 3.3 V adapter cable e.g. FTDI TTL-232R-3V3
  • 1 x appropriate Screewdrivers
  • Windows or Linux with installed TFTP client
  • Windows or Linux with installed serial client e.g. Putty,Minicom

This article does not cover taking apart the routers, this is fairly easy and should not cause any trouble even for beginners. The guide applies to the R7000, R6300v2 and R6250 from NETGEAR, although pictures from the R7000 are shown.

After you open up the case you can start connecting your USB-TTL Adapter. The picture below displays the pins and how you connect them to the serial adapter. In my case, I added a 3.5" stereo jack for easier connecting. This way it can be connected without the need to open it up again. Make sure you read the documentation of your serial adapter; it will tell you which pin needs to be connected to GND/TX/RX.

Once you hook up the serial adapter you can install and setup your serial communication program.. If you are using PuTTY, you can just use the guide from the older debricking guide for the WNR3500L:

http://myopenrouter.com/article/how-debrick-your-wnr3500lv2-using-window...

If you are on Linux, you might want to use minicom. See minicom guide:

http://mstempin.free.fr/linux-ipaq/html/minicom-setup.html

Serial line: /dev/ttyUSB0

Speed: 115200

Stopbits: 8-N-1

Once your serial communication program is set up, start hooking up your TTL adapter. In order to flash a new firmware to the router you need to attach an ethernet cable to one of the switch ports. See picture below.

The default IP of you router is 192.168.1.1, thus you need to setup your computer's ethernet adapter to use an IP in the same network e.g. 192.168.1.2. If you have attached your ethernet cable and setup your computers IP you are now ready to power on your router.

You should see the following messages when you router starts booting:

 

Once you see these messages start pressing CTRL-C. If everything works out the boot process should stop at the CFE> prompt. Now type tftpd followed by enter. The routers power led will be flashing which signals it is ready for a fw upload via tftp client.

If you are on Windows, just follow this guide to flash a new image via tftp client:
http://myopenrouter.com/article/how-debrick-your-netgear-wnr3500l-using-...

 

On Linux you can use the following command:

tftp -m binary 192.168.1.1 -c put

e.g.:

tftp -m binary 192.168.1.1 -c put dd-wrt.K3_R7000.chk

After the new firmware is transferred, the router will start flashing and rebooting the unit automatically. You will be able to follow the whole boot process in your serial communication program.

Tags: 

Kong
Kong's picture
Sergios said: Can you provide

Sergios said: Can you provide more detailed photo with the GND/TxD/RxD pins of the device (not GND/TxD/RxD wires connected)?

If you right click on the board picture and select show image you will see the full sized image 4000x2400px:-)

 

blogthis
blogthis's picture
Yes transmit to receive. And

Yes transmit to receive. And receive to transmit. Do not cross the ground or it will short. If using a 3.5mm stereo jack for serial, as Kong said, be sure to confirm pinouts on your particular manufacturer (this can be different from the pictures). For example, here's my R7000 using Kong's guide and note my brand of jack has a different pinout:

http://www.myopenrouter.com/download/discussion/52699/Hallelujah-the-new...

Sean C
Sean C's picture
Does anyone know what is the

Does anyone know what is the function/purpose of the SW252 and SW251 buttons (to the the lower right under the GND/TxD/RxD J252 Jumper)?

Lou
Lou's picture
Can you let me know exactly

Can you let me know exactly the parts and cables you used? Did you drill a hole in the side to add that stereo jack?

tsaylor
tsaylor's picture
.

.

tsaylor
tsaylor's picture
Does the R6250 really have

Does the R6250 really have this header? I'm facing a bricked R6250 but I can't see anything that looks like a header on my board. Mine looks like the photos in this review: http://www.tuicool.com/articles/AJZRju. Am I failing to spot some useful pins?

tsaylor
tsaylor's picture
tsaylor said: Does the R6250

tsaylor said: Does the R6250 really have this header?

I can answer my question now: The R6250 has a rectangular area labelled J252, which contains four solder points. There's no convenient header but by soldering to those points (2=Gnd, 3=Rx, 4=Tx) you can get the job done.

gnu_B
gnu_B's picture
I initially had the same

I initially had the same problem finding the serial attachment points, but I finally located the area mentioned by tsaylor.

Here are some photos of the board...

Whole board with circle indicating area of interest:

http://i1336.photobucket.com/albums/o646/two2tangle/R56250-boardjpg_zpsd...

Detailed shot of serial attachment points:

http://i1336.photobucket.com/albums/o646/two2tangle/R56250-serial-connec...

Only GND, TX and RX are used.

Best,

-gnu_B

hippy
hippy's picture
Sean C said: Does anyone know

Sean C said: Does anyone know what is the function/purpose of the SW252 and SW251 buttons (to the the lower right under the GND/TxD/RxD J252 Jumper)?

i'd like to know this also :)

hippy
hippy's picture
Sean C said: Does anyone know

Sean C said: Does anyone know what is the function/purpose of the SW252 and SW251 buttons (to the the lower right under the GND/TxD/RxD J252 Jumper)?

Buttons for wireless and WPS :)

 

Just got my router back to life with the command

nvram erase

reboot

Used a USB-TTL raspberry PI cable

Dustin C
Dustin C's picture
I just successfully soldered

I just successfully soldered some pins onto the WNDR4500 mainboard and connected a USB-TTL adapter to it. Here are my results:

Decompressing...done

CFE for WNDR4500 version: v1.0.3
Build Date: Thu Jul 21 19:28:03 CST 2011
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
Found an ST compatible serial flash with 32 64KB blocks; total size 2MB
Found a Samsung NAND flash with 2048B pages or 128KB blocks; total size 128MB
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.100.138
CPU type 0x19749: 600MHz
Tot mem: 131072 KBytes

Device eth0: hwaddr 84-1B-5E-E0-08-23, ipaddr 192.168.1.1, mask 255.255.255.0
gateway not set, nameserver not set
load default!
Decompressing...done

CFE for WNDR4500 version: v1.0.3
Build Date: Thu Jul 21 19:28:03 CST 2011
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
Found an ST compatible serial flash with 32 64KB blocks; total size 2MB
Found a Samsung NAND flash with 2048B pages or 128KB blocks; total size 128MB
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.100.138
CPU type 0x19749: 600MHz
Tot mem: 131072 KBytes

Committing NVRAM...done
Waiting for reset button release...

==========

I'm not pressing the reset button at all, but this message makes me believe that the reset button is broken and stuck on. What do you think?

BillOH
BillOH's picture
I am trying to recover a

I am trying to recover a r6300v2, but I don't get any indicator lights. Acts like it is not getting any power at all, but the power cord is definitely hot.

I think it is heading to the recycling pile.

boydefect0
boydefect0's picture
I am trying to debrick my

I am trying to debrick my R7000 and when I get to the putty screen and hit ctrl c, it never cancels the operation. No matter at what time I hit it. I tried holding ctrl, power on the router, then tapping "c" repeatedly and get the same result.

gnoK
gnoK's picture
First, thanks to everyone for

First, thanks to everyone for posting, and to Kong for making the firmware builds for the R6300v2.

 

Here's what I've got working on the R6300v2:

On J252:

Pin1: +3.3-5V Note: Do not attach a TTL +5V output to this pin if you are simultaneously powering the router from the standard power source. You will fry the power handling chips..

Pin2: Ground

Pin3: DTE/Serial adapter/Laptop Rx (for the standard FTDI USB-Serial adapter, this is the Yellow wire)

Pin4: DTE/Serial adapter/Laptop Tx (for the standard FTDI USB-Serial adapter, this is the Orange wire)

Connection is 115200 8-N-1 Noflo.

But here is my problem: I seem to have fully bricked my unit to the point that even the bootloader is gone. I get nothing from the verified good serial connection.

When I power on the unit, I see the R6300v2 attempt to perform a TFTP download of "vmlinuz" from 192.168.1.2, but it ignores all TFTP Put attempts. When I rename the standard Netgear .CHK file to "vmlinuz", I get nothing...

Does anyone have have "vmlinuz" image that can be loaded by the unit at this point, or am I stuck putting an ARM buildchain together and compiling my own kernel from the Netgear source? Kong? Anyone?

Thanks in advance if you can help.

 

R6300v2 Serial Pinout

hyw2458
hyw2458's picture
I need your help

I need your help
My 6300 is bad
I need your cfe
Can you send your cfe file by mail
send it to my mail
My mail number is hyw2458@163.com
THANK YOU EVERY PLAYER

axeman
axeman's picture
Hi All, forgive me for not

Hi All, forgive me for not knowing where to ask this question. Someone gave me a netgear r6400 v1 for parts and in the hopes of getting it up and running with DD-WRT i gave it a try. Not knowing WHAT has been done I attached serial and it reads the first line, sets the digital core voltage, second line decompressing....error-1 stops goes no further. ok Im sure the cfe is corrupt. Then I found another r6400 at garage sale for $5 they said boots but some functions not working. loaded latest stock firmware on router #2 all is fine except no wifi from either band. Putty serial console complains 1l: 1l wireless driver adaptor not found.

 Had DD-WRT running with both wifi bands working, but unstable and lan mac address not correct. Did edit cfe to correct mac address saved and replaced but to no avail. I belive something is amuck with current cfe. It tries to pull the vmlinuz fie every boot also except with stock FW, is this normal?

So i ask here is anyone here willing to share a copy of stock cfe for r6400 v-1 .....or point me in the direction i can get one please and thanks in advance.  I have searched the internet and cfe collection project for a month now but i can't seem to find a copy for the r6400. I know its not the most popular router, but it was given to me so i said what the heck. If it works i might try to jtag that same copy into the first router also.

  Can someone post it here or link or if not send it to me?

 and Thank You in advance

cbp0229
cbp0229's picture
I bricked my R7000 by

I bricked my R7000 by stupidly playing with the over-clocking feature in DD-WRT. These instructions saved my router! I just wanted to say thank you very much for these instructions.

yl
yl's picture
I'm new to TTL, can I use

I'm new to TTL, can I use this cable to start TFTP server on R6300v2? I'm not sure if this has the correct voltage.

http://www.ebay.com/itm/310742466145?_trksid=p2059210.m2749.l2649&ssPage...

Thank you
yl

soundsofscience
soundsofscience's picture
Best I can guess my r6250

Best I can guess my r6250 bricked during heavy winds and rains. Power light is solid amber and it's not pingable. Is this one worth my time or likely to be fried? Will this cable do the job? http://amzn.com/B009T2ZR6W

Thanks!
SoS

toddsay
toddsay's picture
Yes SoS, that is the same

Yes SoS, that is the same interface I bought to fix my R6250. I'm not sure whether the unit is fried or recoverable, but for 6.99 it seems worth a try. I'm actually selling mine (just upgraded to an R8000), but that interface did the trick in my case.

Meatrkt
Meatrkt's picture
Hey guys, thanks for your

Hey guys, thanks for your help in all this. I have putty installed and it is reading the router start up, which I am able to interrupt to start the TFTP "reading" When I start the TFTP in the command prompt I get "timeout occured connection request failed" I have checked my firewall and made sure trivial file transfer app was checked and insured the directory is right. Do you all have any other suggestion to get these two talking?

cdb8457
cdb8457's picture
What are the sodered

What are the sodered connection that you put on there?

cdb8457
cdb8457's picture
gnoK said: First, thanks to

gnoK said: First, thanks to everyone for posting, and to Kong for making the firmware builds for the R6300v2. Here's what I've got working on the R6300v2: On J252: Pin1: +3.3-5V Note: Do not attach a TTL +5V output to this pin if you are simultaneously powering the router from the standard power source. You will fry the power handling chips.. Pin2: Ground Pin3: DTE/Serial adapter/Laptop Rx (for the standard FTDI USB-Serial adapter, this is the Yellow wire) Pin4: DTE/Serial adapter/Laptop Tx (for the standard FTDI USB-Serial adapter, this is the Orange wire) Connection is 115200 8-N-1 Noflo. But here is my problem: I seem to have fully bricked my unit to the point that even the bootloader is gone. I get nothing from the verified good serial connection. When I power on the unit, I see the R6300v2 attempt to perform a TFTP download of "vmlinuz" from 192.168.1.2, but it ignores all TFTP Put attempts. When I rename the standard Netgear .CHK file to "vmlinuz", I get nothing... Does anyone have have "vmlinuz" image that can be loaded by the unit at this point, or am I stuck putting an ARM buildchain together and compiling my own kernel from the Netgear source? Kong? Anyone? Thanks in advance if you can help. R6300v2 Serial Pinout

Which colors go to what? 

soundsofscience
soundsofscience's picture
Best I can guess my r6250

Best I can guess my r6250 bricked during heavy winds and rains. Power light is solid amber and it's not pingable. Is this one worth my time or likely to be fried? Will this cable do the job? http://amzn.com/B009T2ZR6W

Thanks!
SoS

toddsay
toddsay's picture
Yes SoS, that is the same

Yes SoS, that is the same interface I bought to fix my R6250. I'm not sure whether the unit is fried or recoverable, but for 6.99 it seems worth a try. I'm actually selling mine (just upgraded to an R8000), but that interface did the trick in my case.

Meatrkt
Meatrkt's picture
Hey guys, thanks for your

Hey guys, thanks for your help in all this. I have putty installed and it is reading the router start up, which I am able to interrupt to start the TFTP "reading" When I start the TFTP in the command prompt I get "timeout occured connection request failed" I have checked my firewall and made sure trivial file transfer app was checked and insured the directory is right. Do you all have any other suggestion to get these two talking?

cdb8457
cdb8457's picture
What are the sodered

What are the sodered connection that you put on there?

cdb8457
cdb8457's picture
gnoK said: First, thanks to

gnoK said: First, thanks to everyone for posting, and to Kong for making the firmware builds for the R6300v2. Here's what I've got working on the R6300v2: On J252: Pin1: +3.3-5V Note: Do not attach a TTL +5V output to this pin if you are simultaneously powering the router from the standard power source. You will fry the power handling chips.. Pin2: Ground Pin3: DTE/Serial adapter/Laptop Rx (for the standard FTDI USB-Serial adapter, this is the Yellow wire) Pin4: DTE/Serial adapter/Laptop Tx (for the standard FTDI USB-Serial adapter, this is the Orange wire) Connection is 115200 8-N-1 Noflo. But here is my problem: I seem to have fully bricked my unit to the point that even the bootloader is gone. I get nothing from the verified good serial connection. When I power on the unit, I see the R6300v2 attempt to perform a TFTP download of "vmlinuz" from 192.168.1.2, but it ignores all TFTP Put attempts. When I rename the standard Netgear .CHK file to "vmlinuz", I get nothing... Does anyone have have "vmlinuz" image that can be loaded by the unit at this point, or am I stuck putting an ARM buildchain together and compiling my own kernel from the Netgear source? Kong? Anyone? Thanks in advance if you can help. R6300v2 Serial Pinout

Which colors go to what? 

FuShiLu
FuShiLu's picture
Hello, tried over clocking,

Hello, tried over clocking, bad boy, no cookie.

I can access the TFTPD server on the R7000, I can get my TFTP client to put the dd-wrt.K3_R7000.chk and the system reboots. BUT right back to Red Power LED on strong. The last instruction it seems to have sent was "Uncompressing Linux... done, booting the kernel." And just hangs at that point.

It also seems it "Could not load 192.168.1.2:vmlinuz: Timeout occurred", so perhaps someone has suggestions that I'm obviously missing.

Thanks in advance.

FuShiLu
FuShiLu's picture
Well apparently it was

Well apparently it was staring me in the face the whole time. Frequency was still set at 1600, Dadnabut! Oh well simply resetting that inn cram and comitting got things rolling again. Anyhoo all is well again, all services up, ;) Love the work done here.

Pages