How To Debrick Your NETGEAR WNR3500L Using A USB-TTL Cable on Windows

So you've gone and done it... you've bricked your WNR3500L.  Nothing sinks the spirits like constantly flashing lights and endless reboot loops.  However, don't lose hope or get frustrated - there's a solution to your woes, and it's called a serial console.

Before you think that this is too complicated for you, read on.  It's actually quite simple, but there are several steps involved that require completion exactly as stated.  Remember, you perform these steps at your own risk, but rest assured that I have followed these exact steps to great success and that you should be able to duplicate them.  The instructions that follow are for use on Windows systems.

[Purchase a NETGEAR WNR3500L]

Materials Needed

  • 1x Bricked WNR3500L 
  • Ethernet cable
  • Windows PC/Laptop
  • Installed TFTP client (Windows XP, 2000, and 7 have this built in.  Otherwise, see step 10 for installation instructions/links)
  • Teeny tiny screwdriver or similar implement
  • Electrical tape (Optional, but recommended)
  • USB-TTL Cable from FTDI.  You can purchase one of these from Mouser ElectronicsEnsure that you have model TTL-232R-3V3 specifically, or you can fry your router! See photo above.
  • Torx T6 or T7 screwdriver
  • Thin flathead screwdriver (Optional, but recommended)
  • NETGEAR Original Firmware for the WNR3500L (Download from here and put into your C: drive).
  • Patience.  Some of these steps may take multiple attempts.

Step 1: Crack Open the Router

Well, don't literally crack it, unless you want a broken router!  It's pretty easy to open, but be careful.  Use the Torx screwdriver to remove the two screws on the bottom of the unit first.

Now, you will have to unsnap the case from the router.  In the photo, look closely at the router's casing.  You may be able to see the tabs on the left and right side.  The panel you need to remove is the "top" panel - look at the back of the router and turn it so the text is right side up.  The top panel, when the router is situated this way, is the one you should need to remove.  Gently put your screwdriver (preferably flathead) in the seam and disconnect these tabs.  Once you are able to slide the case off, put the router aside for now. 

Note: The first time removing it, I needed the screwdriver to pry it loose, but on subsequent tries I discovered that the case "slides" and snaps into place.  Try various methods to find what works best for you.  You may not need an implement to unsnap the tabs at all, if you're lucky!

Step 2: Download PuTTY Program and Install

PuTTY is the nifty, free little program that you will use to program the router, also known as a serial console.  Download it from here, and install it using the self-installing executable.

Step 3: Download Cable Drivers and Install

Now, you'll need to download the drivers for your USB-TTL cable.  In a nutshell, this cable "converts" the USB interface of your PC to a serial output that the board of the WNR3500L can understand, so you can communicate directly with the board (i.e., not over your network.)

Download the proper driver for Windows from here and install it.  A reboot is not required, but recommended.

Step 4: Give your PC a Static IP Address

This step is to ensure that you will be able to communicate with 192.168.1.1, the default address of the bricked router.

Head to Control Panel => Your Internet Connection => TCP/IP => Properties and change your IP address as shown above.  Make sure it does not end in .1, .x1, or .xx1.

Step 5: Plug in Ethernet from Router to PC

Note: Do NOT connect the power to the router just yet.  

Connect the Ethernet cable you have in your possession to an orange port on the WNR3500L to the Ethernet port on your PC.  Note that it must be an orange port, NOT the yellow port... it won't work otherwise.  At least, it didn't for me.

[[page]]

Step 6: Modify the USB-TTL Cable for Use with WNR3500L

Take a look at the photo above.  See how each of the leads is covered by a small plastic tab?  Bust out your tiny screwdriver or whatever it is that you have that's tiny, and pry off the tabs on the black, yellow, and orange leads only.  If you choose to remove all six, you will need to wrap up the unused leads in electrical tape to avoid shorting anything out.  I just left the unused leads inside the plastic harness as shown above.  Once you pry the tabs off, the leads that you will use slip out easily. Now, you can plug the cable in.

Step 7: Find Out What COM Port Your Cable is Using

You installed the cable driver in step 3, right?  If so, head on over to Control Panel => System => Hardware => Device Manager, and click on the "Ports" item as shown in the photo above.  Note the "USB Serial Port" item with a designation of "COM3."  You'll use this information in the next steps. If you don't see that, plug in the cable and the Device Manager should refresh.

Step 8: Connect the USB-TTL Cable to the WNR3500L

Note: Make sure the router is still powered off and unplugged from power when you do this.  Don't touch anything metal either, don't want to take any risks of shock or shorting anything out, which is always a potential concern when tinkering with open electronics.

This part is particularly important, as if you don't connect these cables properly it will be very frustrating for you!   Take a close look at the photo above.  On the pinout on the board, you will see six pins.  Next to one pin it will read "JP1."  That is actually Pin 6.  Pin 1 is labeled with a "1" next to it.  Connect the cables as follows and as shown in the photo:

Black => Pin 6 (next to JP1)

Yellow => Pin 5

Orange => Pin 2

Note: In this photo, the black and yellow leads are seated properly.  I wanted to show you what an improper cable seating looked like; the orange cable is NOT seated properly.  Make sure all the cables are firmly seated to the pins and that they are not touching each other.

Step 9: Configure and Launch PuTTY

Hanging in there?  Do you feel like a geek yet?  It should feel good :)

Fire up PuTTY and you'll see the screen above.  Select the exact options as shown above; click on the Serial radio button, the port to COM3 (or whatever port was revealed in Step 7) and the speed to 115200.

Then, click on the very last item in the menu and choose the options above.  They must be exact: serial line of COM3, speed of 115200, Data bits of 8, Stop bits of 1, and "None" for both parity and flow control.  Once you are confident these settings are correct, click "Open," and you will see a blank window with a green cursor.  Nothing is supposed to be happening in there yet, so don't fret.

Step 9: Power on the WNR3500L and Press Ctrl-C

Now, you can finally connect power to the router.  Press in the power button and immediately press Ctrl-C on your PC, with the PuTTY window active.  This will bring you to what is called the CFE console; essentially, you're interacting directly with the board.  If this does not happen, double and triple check all of the previous steps.

Then, type in "tftpd" (without quotes) to bring up what is called the TFTP interface.  This will ready the router for programming.  If this step performed properly, you'll be left with the screen above.  Almost there...

Step 10: "Put" The Firmware Into Your WNR3500L In The DOS Prompt

Note: If you are on Windows 2000, XP, or 7, you have a TFTP client built in.  However, if you're on Win95, 98, Me, NT, or Vista - you do not.  

Instructions for installing TFTP on Windows Vista can be found here.

Here is one open source TFTP client for Windows that you can try.

Assuming that you have TFTP installed in some form, zoom on over to your DOS prompt. You copied the original NETGEAR fimware to your C: drive, correct?  Good.  Type "cd.." without quotes as shown above to get to your root directory, then type this command:

tftp -i 192.168.1.1 put FIRMWARE_FILE.chk

When you do this, the TFTP command will send the firmware file you indicated to the router, and you will get a confirmation as shown above.  If this doesn't work, make sure your router is connected to your PC properly, you have a static IP that doesn't end in 1, and that you can ping the router.

If this command is successful, your PuTTY console will start to get some action, and it will re-program the router.  Allow this process to finish, it will take several minutes, and wait until it is COMPLETELY finished or you will get a bad flash.  And nobody wants a bad flash!  You'll get a lot more text than is displayed above, but when it's done, you can try accessing your router's GUI via http://192.168.1.1. You will need to enter the "standard" username and password, consult your user manual for this information. (At the time of this writing, "admin" and "password" were used.)

Step 11: Rejoice and Relax... or troubleshoot

Hopefully, not the latter, but unfortunately things don't always go as planned.  If you're struggling with this procedure, have an unsolvable problem with your WNR3500L, or are on another OS let us know.  We're continuing to work on recovery guides for Linux and Mac OS X, so stay tuned!

You can post your questions on the public forums or as a comment below!

Quick Links

fandaor
fandaor's picture
Double post

Double post

fandaor
fandaor's picture
Hello,

Hello,
I have bricked my WNR3500L while attempting to install tomato.
I have tried the USB/TTL system. I have tftp-ed the WNR3500L-V1.0.0.74_12.0.64NA.chk (even tried with the one on the CD)and sound working as it installed the firmwares every time but I still can't access the console : 192.168.1.1 or even www.myrouterlogin.net. It just don't answer... :'(

Does anybody can give me an advice how to unbrick my router please, I am kinda stuck with it and the USB/TTL doesn't seem to be enough to solve my problem.
Thank you in advance.

Brandon C
Brandon C's picture
fandaor said: Hello, I have

fandaor said: Hello, I have bricked my WNR3500L while attempting to install tomato. I have tried the USB/TTL system. I have tftp-ed the WNR3500L-V1.0.0.74_12.0.64NA.chk (even tried with the one on the CD)and sound working as it installed the firmwares every time but I still can't access the console : 192.168.1.1 or even www.myrouterlogin.net. It just don't answer... :'( Does anybody can give me an advice how to unbrick my router please, I am kinda stuck with it and the USB/TTL doesn't seem to be enough to solve my problem. Thank you in advance.

You received the notice that the transfer was succesful?

After this happens you have to wait for it to load, run and reboot. It takes about 10 mins. Then try to connect.

fandaor
fandaor's picture
Hello Brandon BC, and thanks

Hello Brandon BC, and thanks a lot for the reply,

It indeed uploaded right, and also programming is ok too. I waited about 10 minutes (got like a reconnection from putty), I also performed a cold reboot, waited for the Blue light to blink, and even that : cannot connect to 192.168.1.1 or even www.myrouterlogin.net

I got a error like 'connection reset' or something like this.
If someone tells me how to, I can turn on the log on Putty and copy/paste it when I perfom the whole thing.

Fandaor

Brandon C
Brandon C's picture
What happens when you try to

What happens when you try to ping 192.168.1.1?
Also did you give your PC a static address like 192.168.1.2?

fandaor
fandaor's picture
My pc has 192.168.1.106 as

My pc has 192.168.1.106 as described in the Howto
When I try the 192.168.1.1 I have a connection reset error

MigueDuarte
MigueDuarte's picture
Hello People

Hello People
I've just debricked my WNR3500 v2 with the exact same procedure explained in this forum.
I followed all the steps as explained, but I needed to do some welding since my router does not have any pins.
I used DD-WRT software instead of the source Netgear .chk firmware.

Thanks very much for this information

MigueDuarte
MigueDuarte's picture
Hello

Hello

Does anyone know the difference in the DD-WRT firmware between the models WNR3500 v2 and the WNR3500 v2_VC? Is the WNR3500 v2_VC a different model?. In the netgear website the second one does not exist, but there's DD-WRT firmware available specifically for the WNR3500 v2_VC in the DD-WRT website?

Any Idea?

Thanks

tsanga
tsanga's picture
MigueDuarte said: Hello Does

MigueDuarte said: Hello Does anyone know the difference in the DD-WRT firmware between the models WNR3500 v2 and the WNR3500 v2_VC? Is the WNR3500 v2_VC a different model?. In the netgear website the second one does not exist, but there's DD-WRT firmware available specifically for the WNR3500 v2_VC in the DD-WRT website? Any Idea? Thanks

Yes, the VC is firmware for a different model. It has a different header in the .chk file and if you install it onto a regular v2, it will cause checksum verification to fail and prevent you from installing the factory stock firmware in the future. Netgear has a built-in checksum in the CFE that gets verified when you try to install factory firmware.

Shinji
Shinji's picture
Heh... I managed to use this

Heh... I managed to use this cable, tomato firmware, and some other trickery to flash a new board_data onto the router. This cable ended up being the first part and plenty of research.

This is the link where most of the instructions are at:
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=514147#514147

The issue when the router had several successive power on/off from electrical issues then me rebooting the router trying to get it to successfully boot. When it did finally I ended up with a mac address of FF:FF:FF:00:00:00 instead of the correct one. The instructions helps to rebuild board_data and flash it back on so that the router is reporting the correct mac and has other key information needed for proper operation.

The thread has links to various source threads. I also posted my corrupted and rebuilt board_data. You can see just how bad the corrupted board_data was when you put it in a hex editor. Nearly all of it was FF. In other words it got formatted somehow.

PhoenixFnX
PhoenixFnX's picture
OMG please help me !!

OMG please help me !!

I bricked my rooter, I bought a TTL cable and when I launch putty and then turn the router on, There are a lots of unprintable characters on putty !!!

http://img152.imageshack.us/img152/5195/putty.png

I really need help this is making my nights like nightmares !!

Thanks in advance !

Peter Redmer
Peter Redmer's picture
@PhoenixFnX--Have you tried a

@PhoenixFnX--Have you tried a 30-30-30 reset? Not sure if it would help, but a good first step to try.

http://www.myopenrouter.com/article/18623/How-to-Hard-Reset-Your-NETGEAR...

PhoenixFnX
PhoenixFnX's picture
Yes of course I tried 30-30

Yes of course I tried 30-30-30, this is my last chance : the 30euro ttl cable

PhoenixFnX
PhoenixFnX's picture
deleted message

deleted message

Peter Redmer
Peter Redmer's picture
@PhoenixFnX--I'm not sure I

@PhoenixFnX--I'm not sure I can help much beyond the basic troubleshooting. I love working with these routers, but am by no means an "expert" or a programmer like so many of the forum members here. Hopefully, one of them will step in and give some more advanced help, since it looks like (sadly) something is definitely scrambled in your router.

PhoenixFnX
PhoenixFnX's picture
Peter Redmer said:

Peter Redmer said: @PhoenixFnX--I'm not sure I can help much beyond the basic troubleshooting. I love working with these routers, but am by no means an "expert" or a programmer like so many of the forum members here. Hopefully, one of them will step in and give some more advanced help, since it looks like (sadly) something is definitely scrambled in your router.

Omg Im so tired ... I need somebody else then ... thank you peter though

 

Somebody ?

Peter Redmer
Peter Redmer's picture
@PhoenixFnX--I suggest you

@PhoenixFnX--I suggest you post your question in the main public forums, that way everybody will see it (right now, you are in the article comments) Good luck!

PhoenixFnX
PhoenixFnX's picture
Ok thank you, I hope I placed

Ok thank you, I hope I placed it in the good place (troubleshot of netgear L)

Rookie071
Rookie071's picture
Hi,

Hi,
I just wanted you share with you how I got my bricked WNR3500v2 working again.
I got mine from my ISP and the update function had been stripped from the menu.

After clearing the nvram and erasing linux, I tried sending the last Netgear firmware with tftp. That seemed to go well but I still got the green blinking powerled.....
After hours of trying I finally opened the case to see if there was header to use with a JTAG cable. There wasn't, but there was a sticker with a number on it and I knew I had seen that number before in the Netgear firmware.

Well it wasn't the same number when I looked closely. In the Netgear firmware it was U12H127T00 and in my router it was U12H127T90. I used a hex-editor to change the original firmware to match my routernumber.

Sending the firmware with tftp -i 192.168.1.1 WNR3500v2.chk worked perfectly. The router rebooted and I can now use it again.

I hope this will work for some of you too.

Georges
Georges's picture
Hello,

Hello,

I followed the procedure and now the router is asking login and password. I'm using the clissical admin / password but it is not working.

Do you have any idea to help me ?

Georges
Georges's picture
HELP !!!!!!!!!

HELP !!!!!!!!!

I cannot flsh anymore my routeur : When I ask tftpd to putty, I have the following log :

Decompressing..........done

CFE for WNR3500L version: v1.0.36
Build Date: Tue Aug 11 15:09:14 CST 2009
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
Found a 8MB ST compatible serial flash
CPU type 0x19740: 453MHz
Tot mem: 65536 KBytes

Committing NVRAM...done
Startup canceled
CFE> tftpd
Start TFTP server
Reading :: Failed.: Error
Decompressing..........done

CFE for WNR3500L version: v1.0.36
Build Date: Tue Aug 11 15:09:14 CST 2009
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
Found a 8MB ST compatible serial flash
CPU type 0x19740: 453MHz
Tot mem: 65536 KBytes

Committing NVRAM...done

It seems to fail so I cannot tftp the routeur anymore.

Anyone has an idea.

Thks

RomeyRome
RomeyRome's picture
The pin jumping trick worked

The pin jumping trick worked on my WNR834Bv2. The "MX" branded chip was different size, with way more pins, but I just tried them all until a pair worked. I didn't have to keep them jumped once I got a ping response, and was able to TFTP.

DUHTECH
DUHTECH's picture
I have a WNR3500-100NAS. I

I have a WNR3500-100NAS. I think it maybe a v1.  It does not have the USB plug on it.  I've been trying to use this post to try to unbrick it, but its different from the WNR3500L.  How or can I unbrick it?

se7six
se7six's picture
After a simple mistake I was

After a simple mistake I was unable to access my WNR3500L. I tried the pin jumping workaround and it worked the first time I tried it. Everything is back to normal now.

Thanks for posting that fix information!

starkruzr
starkruzr's picture
So, I have the serial console

So, I have the serial console connected to the router and can send and receive commands to it no problem.

When I send the "special firmware for flashing" dd-wrt .chk, it does this:

Reading :: Done. 3471662 bytes read
Reading ::

Doesn't even attempt to program what it's read. It also stops attempting to read anything else from the tftp daemon, though it says it's "Reading ::".

When I send the factory firmware .chk file, it does this:

Reading :: Done. 5475522 bytes read
Checksum mismatch:
Image chksum: 0x950017CB
Calc chksum: 0x8086AFB6

It will accept another .chk file, but does nothing else.

What the heck?

EDIT: FOUND THE PROBLEM. MAC USERS, PAY ATTENTION!

This occurs when using the tftp client built in to Mac OS X. The client sends files in ASCII mode BY DEFAULT. This means that no matter WHAT you send, it will always be wrong. Before every tftp transfer, you need to send a "binary" command on the tftp command line or it will fail in confusing, confounding and hair-pulling ways.

Caveat emptor!

Hammergott
Hammergott's picture
Thanks alot for this Article!

Thanks alot for this Article! Helps me much to Recover my bricked WNR2000v2 and WNR3500v2. I used a CA-42 Clone for Serial and your Pictures help me to discover the right Pinout on the Routers-Board!

Important for Others:
Pin 6 (Black) is Ground
Pins 2 and 5 (Orange/Yellow) are RX and TX, Which is What, try until Output appears in Console!

Thanks and Regards

Hammergott

Mainer82
Mainer82's picture
...

...

Mainer82
Mainer82's picture
...

...

Mainer82
Mainer82's picture
Hi Peter, I think you should

Hi Peter, I think you should add to the article that is fairly easy to potentially break of pieces from the bottom side of the board when taking the case off. I broke the c219 chip off of mine. :S Just a friendly pointer. Thanks,

SixPesoBurger
SixPesoBurger's picture
starkruzr's fix for mac

starkruzr's fix for mac (setting tftp to binary mode vs ascii mode) also seems to be the fix for ubuntu.

No matter how many times I sent the .chk w/ tftp I always got a "sucessful" transmission but a green blinking light. Setting tftp to 'binary' fixed the problem on the first run.

Ubuntu 10.04
WNR3500L

Pages