How To Debrick Your NETGEAR WNR3500L Using A USB-TTL Cable on Windows

So you've gone and done it... you've bricked your WNR3500L.  Nothing sinks the spirits like constantly flashing lights and endless reboot loops.  However, don't lose hope or get frustrated - there's a solution to your woes, and it's called a serial console.

Before you think that this is too complicated for you, read on.  It's actually quite simple, but there are several steps involved that require completion exactly as stated.  Remember, you perform these steps at your own risk, but rest assured that I have followed these exact steps to great success and that you should be able to duplicate them.  The instructions that follow are for use on Windows systems.

[Purchase a NETGEAR WNR3500L]

Materials Needed

  • 1x Bricked WNR3500L 
  • Ethernet cable
  • Windows PC/Laptop
  • Installed TFTP client (Windows XP, 2000, and 7 have this built in.  Otherwise, see step 10 for installation instructions/links)
  • Teeny tiny screwdriver or similar implement
  • Electrical tape (Optional, but recommended)
  • USB-TTL Cable from FTDI.  You can purchase one of these from Mouser ElectronicsEnsure that you have model TTL-232R-3V3 specifically, or you can fry your router! See photo above.
  • Torx T6 or T7 screwdriver
  • Thin flathead screwdriver (Optional, but recommended)
  • NETGEAR Original Firmware for the WNR3500L (Download from here and put into your C: drive).
  • Patience.  Some of these steps may take multiple attempts.

Step 1: Crack Open the Router

Well, don't literally crack it, unless you want a broken router!  It's pretty easy to open, but be careful.  Use the Torx screwdriver to remove the two screws on the bottom of the unit first.

Now, you will have to unsnap the case from the router.  In the photo, look closely at the router's casing.  You may be able to see the tabs on the left and right side.  The panel you need to remove is the "top" panel - look at the back of the router and turn it so the text is right side up.  The top panel, when the router is situated this way, is the one you should need to remove.  Gently put your screwdriver (preferably flathead) in the seam and disconnect these tabs.  Once you are able to slide the case off, put the router aside for now. 

Note: The first time removing it, I needed the screwdriver to pry it loose, but on subsequent tries I discovered that the case "slides" and snaps into place.  Try various methods to find what works best for you.  You may not need an implement to unsnap the tabs at all, if you're lucky!

Step 2: Download PuTTY Program and Install

PuTTY is the nifty, free little program that you will use to program the router, also known as a serial console.  Download it from here, and install it using the self-installing executable.

Step 3: Download Cable Drivers and Install

Now, you'll need to download the drivers for your USB-TTL cable.  In a nutshell, this cable "converts" the USB interface of your PC to a serial output that the board of the WNR3500L can understand, so you can communicate directly with the board (i.e., not over your network.)

Download the proper driver for Windows from here and install it.  A reboot is not required, but recommended.

Step 4: Give your PC a Static IP Address

This step is to ensure that you will be able to communicate with 192.168.1.1, the default address of the bricked router.

Head to Control Panel => Your Internet Connection => TCP/IP => Properties and change your IP address as shown above.  Make sure it does not end in .1, .x1, or .xx1.

Step 5: Plug in Ethernet from Router to PC

Note: Do NOT connect the power to the router just yet.  

Connect the Ethernet cable you have in your possession to an orange port on the WNR3500L to the Ethernet port on your PC.  Note that it must be an orange port, NOT the yellow port... it won't work otherwise.  At least, it didn't for me.

[[page]]

Step 6: Modify the USB-TTL Cable for Use with WNR3500L

Take a look at the photo above.  See how each of the leads is covered by a small plastic tab?  Bust out your tiny screwdriver or whatever it is that you have that's tiny, and pry off the tabs on the black, yellow, and orange leads only.  If you choose to remove all six, you will need to wrap up the unused leads in electrical tape to avoid shorting anything out.  I just left the unused leads inside the plastic harness as shown above.  Once you pry the tabs off, the leads that you will use slip out easily. Now, you can plug the cable in.

Step 7: Find Out What COM Port Your Cable is Using

You installed the cable driver in step 3, right?  If so, head on over to Control Panel => System => Hardware => Device Manager, and click on the "Ports" item as shown in the photo above.  Note the "USB Serial Port" item with a designation of "COM3."  You'll use this information in the next steps. If you don't see that, plug in the cable and the Device Manager should refresh.

Step 8: Connect the USB-TTL Cable to the WNR3500L

Note: Make sure the router is still powered off and unplugged from power when you do this.  Don't touch anything metal either, don't want to take any risks of shock or shorting anything out, which is always a potential concern when tinkering with open electronics.

This part is particularly important, as if you don't connect these cables properly it will be very frustrating for you!   Take a close look at the photo above.  On the pinout on the board, you will see six pins.  Next to one pin it will read "JP1."  That is actually Pin 6.  Pin 1 is labeled with a "1" next to it.  Connect the cables as follows and as shown in the photo:

Black => Pin 6 (next to JP1)

Yellow => Pin 5

Orange => Pin 2

Note: In this photo, the black and yellow leads are seated properly.  I wanted to show you what an improper cable seating looked like; the orange cable is NOT seated properly.  Make sure all the cables are firmly seated to the pins and that they are not touching each other.

Step 9: Configure and Launch PuTTY

Hanging in there?  Do you feel like a geek yet?  It should feel good :)

Fire up PuTTY and you'll see the screen above.  Select the exact options as shown above; click on the Serial radio button, the port to COM3 (or whatever port was revealed in Step 7) and the speed to 115200.

Then, click on the very last item in the menu and choose the options above.  They must be exact: serial line of COM3, speed of 115200, Data bits of 8, Stop bits of 1, and "None" for both parity and flow control.  Once you are confident these settings are correct, click "Open," and you will see a blank window with a green cursor.  Nothing is supposed to be happening in there yet, so don't fret.

Step 9: Power on the WNR3500L and Press Ctrl-C

Now, you can finally connect power to the router.  Press in the power button and immediately press Ctrl-C on your PC, with the PuTTY window active.  This will bring you to what is called the CFE console; essentially, you're interacting directly with the board.  If this does not happen, double and triple check all of the previous steps.

Then, type in "tftpd" (without quotes) to bring up what is called the TFTP interface.  This will ready the router for programming.  If this step performed properly, you'll be left with the screen above.  Almost there...

Step 10: "Put" The Firmware Into Your WNR3500L In The DOS Prompt

Note: If you are on Windows 2000, XP, or 7, you have a TFTP client built in.  However, if you're on Win95, 98, Me, NT, or Vista - you do not.  

Instructions for installing TFTP on Windows Vista can be found here.

Here is one open source TFTP client for Windows that you can try.

Assuming that you have TFTP installed in some form, zoom on over to your DOS prompt. You copied the original NETGEAR fimware to your C: drive, correct?  Good.  Type "cd.." without quotes as shown above to get to your root directory, then type this command:

tftp -i 192.168.1.1 put FIRMWARE_FILE.chk

When you do this, the TFTP command will send the firmware file you indicated to the router, and you will get a confirmation as shown above.  If this doesn't work, make sure your router is connected to your PC properly, you have a static IP that doesn't end in 1, and that you can ping the router.

If this command is successful, your PuTTY console will start to get some action, and it will re-program the router.  Allow this process to finish, it will take several minutes, and wait until it is COMPLETELY finished or you will get a bad flash.  And nobody wants a bad flash!  You'll get a lot more text than is displayed above, but when it's done, you can try accessing your router's GUI via http://192.168.1.1. You will need to enter the "standard" username and password, consult your user manual for this information. (At the time of this writing, "admin" and "password" were used.)

Step 11: Rejoice and Relax... or troubleshoot

Hopefully, not the latter, but unfortunately things don't always go as planned.  If you're struggling with this procedure, have an unsolvable problem with your WNR3500L, or are on another OS let us know.  We're continuing to work on recovery guides for Linux and Mac OS X, so stay tuned!

You can post your questions on the public forums or as a comment below!

Quick Links

saitek
saitek's picture
Hi, can i use this instead
saitek
saitek's picture
Hi, can i use this instead
cutebuny
cutebuny's picture
It would be great if they

It would be great if they could just add a built in usb/ ttl port on the router with a easy to use recovery program where you run the program, select the firmware file and when you turn the router on, it will automatically do the work for you.

USB to ttl adapters are really cheap, I bought one from ebay for $2.50 and it works great

I bet it would have been even cheaper if it didn't have to be shipped from china to the US

I bet netgear could have it built in for probably 5-10 cents at most

 

It should not be that hard for netgear to simply get one of these, solder on a mini USB female  connector, then dremel out a hole and glue the adapter to the case.

or better yet, work the adapter into the motherboard of the router and add the connector on the outside.

 

Pictures of USB to ttl adapter


cutebuny
cutebuny's picture
image from a thread I made a

image from a thread I made a while back asking the same question of the pinout rather spend under $5 for a serial adapter instead of paying $20 for one with less features

http://www.myopenrouter.com/forum/thread/28766/WNR3500L-serial-ttl-pinout/

Oseias
Oseias's picture
Because I have one Arduino

Because I have one Arduino (http://www.arduino.cc), I just can try use this.
I had sucess using this sketch above.
Just compile and upload to arduino card.

void setup ()
{
pinMode (0, INPUT);
pinMode (1, INPUT);
}
void loop ()
{
}

Then I connected the ports (http://wiki.openwrt.org/toh/netgear/wnr3500l).
Just puted in the TX and RX between the arduino and router, a 1K resistor, to preserve a arduino inputs.

Arduino | WNR3500L
---------------------
RX(0) -----1KΩ---- TX
TX(1) -----1KΩ---- RX
GND ------------ GND

Open prefer serial console. I use screen on *nix. (screen /dev/tty.usbmodem411 115200,8,n,1)

And voila.
CFE for WNR3500L version: v1.0.38
Build Date: Wed Dec 15 16:40:04 CST 2010
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
Found a 8MB ST compatible serial flash
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.10.56.28
CPU type 0x19740: 453MHz
Tot mem: 65536 KBytes

Device eth0: hwaddr XX-XX-XX-XX-XX-XX, ipaddr 192.168.1.1, mask 255.255.255.0
gateway not set, nameserver not set
Startup canceled
CFE>

Now my wnr3500L works fine again.
Thanks.

mickaeltai
mickaeltai's picture
Merci bien...Cette méthode

Merci bien...Cette méthode apprend des choses et surtout dépanne bien...*

tutorial parfait

Encore merci

Ammilgaoul ^_^....

bhoefer
bhoefer's picture
oseias you're my hero -

oseias you're my hero - thought about such a solution - found your post - tried it - tried it again - worked!

Many many thanks from vienna!

Björn

Random Stranger
Random Stranger's picture
Thanks so much for taking the

Thanks so much for taking the time to write and post this. Using this guide I managed to reflash my router, save some money and also learn a great deal!

france
france's picture
bonjour voila le dernier

bonjour voila le dernier message que j ai

gateway not set, nameserver not set
Checksum mismatch:
Image chksum: 0x00000000
Calc chksum: 0x02C0010E
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
Loading: .. 3768 bytes read
Entry at 0x80001000
Closing network.
Starting program at 0x80001000

j ai tous fais comme tentative rien y fait a par la poubelle y a plus rien a faire non ??

merci

Sazn86
Sazn86's picture
http://s42.radikal.ru/i095

http://s42.radikal.ru/i095/1112/5e/f657849c8d81.jpg
http://s60.radikal.ru/i169/1112/84/974f4b3f57f0.jpg
http://s004.radikal.ru/i207/1112/40/c7b0fd3271a2.jpg
Здравствуйте. Помогите пожалуста. Вот фотографии как я Hello Help please. Here are some photos as I plugged my router. All of the cases according to the instructions, but Putti, nothing happens.

pelco
pelco's picture
IT WORKS THANKS

IT WORKS THANKS

Fredrik Ludl
Fredrik Ludl's picture
Thanks, thats a real reset :)

Thanks, thats a real reset :)

Fredrik

Roger_
Roger_'s picture
Hi, I am trying to debrick my

Hi, I am trying to debrick my 3500L as indicated in your tutorial but I'm finding a problem at the moment I start step 9, when powering on the router. I will put my findings after typing CTRL-C in here below and I hope you can give me instructions on how to proceed. Thanking you in advance, Roger

Decompressing..........done
Decompressing..........done

CFE for WNR3500L version: v1.0.36
Build Date: Tue Aug 11 15:09:14 CST 2009
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
Found a 8MB ST compatible serial flash
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.10.56.28
CPU type 0x19740: 453MHz
Tot mem: 65536 KBytes

Device eth0: hwaddr 20-4E-7F-22-F2-A0, ipaddr 192.168.1.1, mask 255.255.255.0
gateway not set, nameserver not set
Loader:raw Filesys:tftp Dev:eth0 File:192.168.1.2:vmlinuz Options:(null)
Loading: Failed.
Could not load 192.168.1.2:vmlinuz: Timeout occured
Checksum mismatch:
Image chksum: 0xE9950927
Calc chksum: 0x895989DB
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
Loading: .. 5192 bytes read
Entry at 0x80001000
Closing network.
Starting program at 0x80001000
Linux version 2.6.22.19 (root@tomato) (gcc version 4.2.4) #7 Sun Mar 4 21:23:05 ICT 2012
CPU revision is: 00019740
Found a 8MB ST compatible serial flash
Determined physical RAM map:
memory: 04000000 @ 00000000 (usable)
Zone PFN ranges:
Normal 0 -> 16384
HighMem 16384 -> 16384
early_node_map[1] active PFN ranges
0: 0 -> 16384
Built 1 zonelists. Total pages: 16384
Kernel command line: root=/dev/mtdblock2 noinitrd console=ttyS0,115200
Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
PID hash table entries: 512 (order: 9, 2048 bytes)
CPU: BCM4716 rev 1 pkg 10 at 453 MHz
Using 226.500 MHz high precision timer.
console [ttyS0] enabled
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 61360k/65536k available (33k kernel code, 4112k reserved, 2669k data, 124k init, 0k highmem)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
PCI: Using membase 8000000
PCI: Disabled
PCI: Fixing up bus 0
PCI: Fixing up bus 1
NET: Registered protocol family 2
Time: MIPS clocksource has been installed.
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
squashfs: version 3.0 (2006/03/15) Phillip Lougher
io scheduler noop registered (default)
HDLC line discipline: version $Revision: 4.8 $, maxframe=4096
N_HDLC line discipline registered.
Serial: 8250/16550 driver $Revision: 1.90 $ 2 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0xb8000300 (irq = 8) is a 16550A
PPP generic driver version 2.4.2
MPPE/MPPC encryption/compression module registered
NET: Registered protocol family 24
PPPoL2TP kernel driver, V0.17
PPTP driver version 0.8.5
pflash: found no supported devices
Creating 6 MTD partitions on "sflash":
0x00000000-0x00040000 : "pmon"
0x00040000-0x00790000 : "linux"
0x00124400-0x006f0000 : "rootfs"
0x006f0000-0x00780000 : "jffs2"
0x007f0000-0x00800000 : "nvram"
0x007e0000-0x007f0000 : "board_data"
u32 classifier
OLD policer on
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (512 buckets, 4096 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
ipt_account 0.1.21 : Piotr Gasidlo , http://www.barbara.eu.org/~quaker/ipt_account/
net/ipv4/netfilter/tomato_ct.c [Mar 4 2012 21:19:54]
NET: Registered protocol family 1
NET: Registered protocol family 10
ip6_tables: (C) 2000-2006 Netfilter Core Team
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear
All bugs added by David S. Miller
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 124k freed
Warning: unable to open an initial console.

Whatshisface
Whatshisface's picture
I'm out of ideas, been trying

I'm out of ideas, been trying everything in this thread.. The only thing I can't do which would work is to shortcut those two pins but I've got a newer version apparently so there are no pins!.

I get a connection to the router but I can't CTRL+C in putty. The ping responds two times before going into request timed out.

Tried to use another CMD window with pint -t to slow down the boot process but no result.

What can I do when I've got no pins to shortcut! :)

Roger_
Roger_'s picture
Hi, regarding the CTRL+C in

Hi, regarding the CTRL+C in putty I found out that you need to adjust a setting which enables this command within putty itself (maybe calles special commands?) As for the other part of your problem I'm not able to help you.

I'm waiting for some help myself as I was able to connect the pins, get the putty to work but unfortunately I can't get the commands to work which are mentioned in the tutorial above.

Good luck and hope someone will answer our questions.

Whatshisface
Whatshisface's picture
I managed to fix this, I had

I managed to fix this, I had the wrong cable on PIN 2... Now I can break the bootloader and get into CFE. The router is restored finally.

I thought the router wouldn't give any life signs unless the cables were correctly in place, but apparently you can mix the cables and still looks like everything is ok.

So you can break and get into CFE but not TFTP?

Roger_
Roger_'s picture
Nice to hear you have been

Nice to hear you have been able to resolve the problem, one gets crazy not finding the solution.

Yes I get into CFE (please see my earlier message with cfe console message) but I'm not able to get in tftpd and I don't know how to fix this

Any clue?
Thanks

gateway not set, nameserver not set
Loader:raw Filesys:tftp Dev:eth0 File:192.168.1.2:vmlinuz Options:(null)
Loading: Failed.
Could not load 192.168.1.2:vmlinuz: Timeout occured
Checksum mismatch:
Image chksum: 0xE9950927

Roger_
Roger_'s picture
Hello all, just to close my

Hello all, just to close my previous threads I'd like to inform that I have been able to resolve the problem which at the end was connected to my firewall/virus scanners. Disabling all of them (disconnecting from the internet as well) I've been able to tfpd the firmware to the router and all works.

plfort
plfort's picture
For those who have a

For those who have a RaspberryPi it is also possible to use its serial port to unbrick the router, I tested this on a WNR3500Lv2 and it worked.

plfort
plfort's picture
For those who have a

For those who have a RaspberryPi it is also possible to use its serial port to unbrick the router, I tested this on a WNR3500Lv2 and it worked

scott in seattle
scott in seattle's picture
WOW! It worked!

WOW! It worked!

Couple caveats...you can buy the ttyl cable on ebay from China for a lot less and then you don't have to worry about screwing it up. The one you get, you can pry the heads out of the plastic sleeve by lifting up the stoppers that hold the heads in with an exacto blade, then pull them out. I abandoned the plastic sleeve and stuck the leads onto the pins directly according to the picture.

Getting the CFE prompt up was a LOT more difficult than I thought it was going to be. I must have started and stopped the router a hundred times before getting the CFE. And I wasn't sure whether it was control + c or control + C (control + shift + c) so I alternated between them rapidly.

After a few hours, though, I had my router back! Thanks!

tc
tc's picture
I can't get my WNR3500Lv2

I can't get my WNR3500Lv2 working. When my router boots, it says that it has a corrupted boot block. Yet, it will boot far enough to bring up the ethernet port and start listening on tftp. I can upload firmware after firmware, but nothing happens.

I've tried the 30-30-30 method, but that didn't work.

I've tried using the cable method (on Windows), and have even managed to get a CTRL-C to work and drop me into the CFE command prompt. But, when I try to type "nvram erase", my text is all garbled, and it won't work. I've tried a couple different cables, including the one recommended here, but always have the same result.

Also, as a point to note, I cannot connect the ground wire because that prevents my router from doing anything (just sits there with a very dim green light). To get to the CFE prompt, I have to disconnect the ground, boot, rapidly hit CTRL-C. And then when I get to the CFE prompt, I've tried in vain reconnecting the ground in the hopes that this will clear up the garbled communications enough to let me issue the "nvram erase" command.

I've also tried the pin-shorting method, but I'm not sure which pins to short
because my MoBo looks different from the ones in your photos; especially, I don't see the metal enclosed chip(?) next to the chip with the reset pins. Perhaps there is a slight revision to the 3500Lv2 that isn't be reflected in the model number? Anyhow, I've tried shorting all of the pins possible on the smaller chips on my board, but nothing resets the nvram.

I don't know what to do from here. After spending $30 on cables, I'm thinking that it would be easier and certainly much less frustrating just to pony up the rest of the dough needed to buy a new router. It just seems stupid to spend the money when my router seems to have some life in it yet....

Any help would be appreciated. TIA.

tc
tc's picture
Hey. I brought my router back

Hey. I brought my router back to life. I was doing two things wrong.

1. I was hooking up the ground to the 3.3v pin because I didn't realize that the
v2 pin-out was opposite to the v1 router's pin-out. Now, no more garbage on the screen.

2. Problem two. This one is really stupid and would have saved me some $$ spent on usb2ttl cables. What was it? When I used Linux to tftp the files, I didn't force it into binary mode with the "-m binary" flag. Oy! No wonder none of my uploads had been working! Of course, I only realized this when I got the serial console working, and I saw that uploaded filename had junk prepended to it.

Hindsight is such a kick in the butt! :-)

Peter Redmer
Peter Redmer's picture
Hey tc, thanks for posting

Hey tc, thanks for posting your experiences. Glad you got things working!

I do have a WNR3500Lv2 guide which shows the alternate pinouts, in case anyone needs that: http://www.myopenrouter.com/article/36609/How-to-Debrick-Your-WNR3500Lv2...

The -m flag is what you would use in Linux, correct? For the Windows guide, I have -i. Just want to make sure it's clear for anyone keeping an eye on this thread :)

 

colin
colin's picture
I haven't needed this yet,

I haven't needed this yet, but am fascinated by your article. I know that one day I'm gonna need it. Thanks.

tedd
tedd's picture
I was thinking all would go

I was thinking all would go fine, but putty stops at DRX 0x02 "Hit enter to begin"

any thoughts?

tedd
tedd's picture
I thought all was going swell

I thought all was going swell, but after 4 times trying, each time Putty gets stuck on DRX 0x02 "Hit enter to continue"

any thoughts?

Peter A.
Peter A.'s picture
Hi,

Hi,
thanks for your perfect instruction. The wnr works again perfectly!
Krds from Austria!

Tim1
Tim1's picture
Where are the 2 pins for

Where are the 2 pins for WNR3500lv2?

rxnplc
rxnplc's picture
Thanks!!!!This procedure

Thanks!!!!This procedure worked for me to de-brick netgear r6300....Much appreciated!!!

Pages