How To Debrick Your NETGEAR WNR3500L Using A USB-TTL Cable on Windows

So you've gone and done it... you've bricked your WNR3500L.  Nothing sinks the spirits like constantly flashing lights and endless reboot loops.  However, don't lose hope or get frustrated - there's a solution to your woes, and it's called a serial console.

Before you think that this is too complicated for you, read on.  It's actually quite simple, but there are several steps involved that require completion exactly as stated.  Remember, you perform these steps at your own risk, but rest assured that I have followed these exact steps to great success and that you should be able to duplicate them.  The instructions that follow are for use on Windows systems.

[Purchase a NETGEAR WNR3500L]

Materials Needed

  • 1x Bricked WNR3500L 
  • Ethernet cable
  • Windows PC/Laptop
  • Installed TFTP client (Windows XP, 2000, and 7 have this built in.  Otherwise, see step 10 for installation instructions/links)
  • Teeny tiny screwdriver or similar implement
  • Electrical tape (Optional, but recommended)
  • USB-TTL Cable from FTDI.  You can purchase one of these from Mouser ElectronicsEnsure that you have model TTL-232R-3V3 specifically, or you can fry your router! See photo above.
  • Torx T6 or T7 screwdriver
  • Thin flathead screwdriver (Optional, but recommended)
  • NETGEAR Original Firmware for the WNR3500L (Download from here and put into your C: drive).
  • Patience.  Some of these steps may take multiple attempts.

Step 1: Crack Open the Router

Well, don't literally crack it, unless you want a broken router!  It's pretty easy to open, but be careful.  Use the Torx screwdriver to remove the two screws on the bottom of the unit first.

Now, you will have to unsnap the case from the router.  In the photo, look closely at the router's casing.  You may be able to see the tabs on the left and right side.  The panel you need to remove is the "top" panel - look at the back of the router and turn it so the text is right side up.  The top panel, when the router is situated this way, is the one you should need to remove.  Gently put your screwdriver (preferably flathead) in the seam and disconnect these tabs.  Once you are able to slide the case off, put the router aside for now. 

Note: The first time removing it, I needed the screwdriver to pry it loose, but on subsequent tries I discovered that the case "slides" and snaps into place.  Try various methods to find what works best for you.  You may not need an implement to unsnap the tabs at all, if you're lucky!

Step 2: Download PuTTY Program and Install

PuTTY is the nifty, free little program that you will use to program the router, also known as a serial console.  Download it from here, and install it using the self-installing executable.

Step 3: Download Cable Drivers and Install

Now, you'll need to download the drivers for your USB-TTL cable.  In a nutshell, this cable "converts" the USB interface of your PC to a serial output that the board of the WNR3500L can understand, so you can communicate directly with the board (i.e., not over your network.)

Download the proper driver for Windows from here and install it.  A reboot is not required, but recommended.

Step 4: Give your PC a Static IP Address

This step is to ensure that you will be able to communicate with 192.168.1.1, the default address of the bricked router.

Head to Control Panel => Your Internet Connection => TCP/IP => Properties and change your IP address as shown above.  Make sure it does not end in .1, .x1, or .xx1.

Step 5: Plug in Ethernet from Router to PC

Note: Do NOT connect the power to the router just yet.  

Connect the Ethernet cable you have in your possession to an orange port on the WNR3500L to the Ethernet port on your PC.  Note that it must be an orange port, NOT the yellow port... it won't work otherwise.  At least, it didn't for me.

[[page]]

Step 6: Modify the USB-TTL Cable for Use with WNR3500L

Take a look at the photo above.  See how each of the leads is covered by a small plastic tab?  Bust out your tiny screwdriver or whatever it is that you have that's tiny, and pry off the tabs on the black, yellow, and orange leads only.  If you choose to remove all six, you will need to wrap up the unused leads in electrical tape to avoid shorting anything out.  I just left the unused leads inside the plastic harness as shown above.  Once you pry the tabs off, the leads that you will use slip out easily. Now, you can plug the cable in.

Step 7: Find Out What COM Port Your Cable is Using

You installed the cable driver in step 3, right?  If so, head on over to Control Panel => System => Hardware => Device Manager, and click on the "Ports" item as shown in the photo above.  Note the "USB Serial Port" item with a designation of "COM3."  You'll use this information in the next steps. If you don't see that, plug in the cable and the Device Manager should refresh.

Step 8: Connect the USB-TTL Cable to the WNR3500L

Note: Make sure the router is still powered off and unplugged from power when you do this.  Don't touch anything metal either, don't want to take any risks of shock or shorting anything out, which is always a potential concern when tinkering with open electronics.

This part is particularly important, as if you don't connect these cables properly it will be very frustrating for you!   Take a close look at the photo above.  On the pinout on the board, you will see six pins.  Next to one pin it will read "JP1."  That is actually Pin 6.  Pin 1 is labeled with a "1" next to it.  Connect the cables as follows and as shown in the photo:

Black => Pin 6 (next to JP1)

Yellow => Pin 5

Orange => Pin 2

Note: In this photo, the black and yellow leads are seated properly.  I wanted to show you what an improper cable seating looked like; the orange cable is NOT seated properly.  Make sure all the cables are firmly seated to the pins and that they are not touching each other.

Step 9: Configure and Launch PuTTY

Hanging in there?  Do you feel like a geek yet?  It should feel good :)

Fire up PuTTY and you'll see the screen above.  Select the exact options as shown above; click on the Serial radio button, the port to COM3 (or whatever port was revealed in Step 7) and the speed to 115200.

Then, click on the very last item in the menu and choose the options above.  They must be exact: serial line of COM3, speed of 115200, Data bits of 8, Stop bits of 1, and "None" for both parity and flow control.  Once you are confident these settings are correct, click "Open," and you will see a blank window with a green cursor.  Nothing is supposed to be happening in there yet, so don't fret.

Step 9: Power on the WNR3500L and Press Ctrl-C

Now, you can finally connect power to the router.  Press in the power button and immediately press Ctrl-C on your PC, with the PuTTY window active.  This will bring you to what is called the CFE console; essentially, you're interacting directly with the board.  If this does not happen, double and triple check all of the previous steps.

Then, type in "tftpd" (without quotes) to bring up what is called the TFTP interface.  This will ready the router for programming.  If this step performed properly, you'll be left with the screen above.  Almost there...

Step 10: "Put" The Firmware Into Your WNR3500L In The DOS Prompt

Note: If you are on Windows 2000, XP, or 7, you have a TFTP client built in.  However, if you're on Win95, 98, Me, NT, or Vista - you do not.  

Instructions for installing TFTP on Windows Vista can be found here.

Here is one open source TFTP client for Windows that you can try.

Assuming that you have TFTP installed in some form, zoom on over to your DOS prompt. You copied the original NETGEAR fimware to your C: drive, correct?  Good.  Type "cd.." without quotes as shown above to get to your root directory, then type this command:

tftp -i 192.168.1.1 put FIRMWARE_FILE.chk

When you do this, the TFTP command will send the firmware file you indicated to the router, and you will get a confirmation as shown above.  If this doesn't work, make sure your router is connected to your PC properly, you have a static IP that doesn't end in 1, and that you can ping the router.

If this command is successful, your PuTTY console will start to get some action, and it will re-program the router.  Allow this process to finish, it will take several minutes, and wait until it is COMPLETELY finished or you will get a bad flash.  And nobody wants a bad flash!  You'll get a lot more text than is displayed above, but when it's done, you can try accessing your router's GUI via http://192.168.1.1. You will need to enter the "standard" username and password, consult your user manual for this information. (At the time of this writing, "admin" and "password" were used.)

Step 11: Rejoice and Relax... or troubleshoot

Hopefully, not the latter, but unfortunately things don't always go as planned.  If you're struggling with this procedure, have an unsolvable problem with your WNR3500L, or are on another OS let us know.  We're continuing to work on recovery guides for Linux and Mac OS X, so stay tuned!

You can post your questions on the public forums or as a comment below!

Quick Links

femmecanada
femmecanada's picture
[b][url=http://www
femmecanada
femmecanada's picture
Tiffany OnlineTiffany
femmecanada
femmecanada's picture
Tiffany OnlineTiffany
femmecanada
femmecanada's picture
A.lange & Söhne
femmecanada
femmecanada's picture
A.lange & Söhne
femmecanada
femmecanada's picture
sell CosplayBleach
femmecanada
femmecanada's picture
sell CosplayBleach
plfort
plfort's picture
For those who have a

For those who have a RaspberryPi it is also possible to use its serial port to unbrick the router, I tested this on a WNR3500Lv2 and it worked.

plfort
plfort's picture
For those who have a

For those who have a RaspberryPi it is also possible to use its serial port to unbrick the router, I tested this on a WNR3500Lv2 and it worked

scott in seattle
scott in seattle's picture
WOW! It worked!

WOW! It worked!

Couple caveats...you can buy the ttyl cable on ebay from China for a lot less and then you don't have to worry about screwing it up. The one you get, you can pry the heads out of the plastic sleeve by lifting up the stoppers that hold the heads in with an exacto blade, then pull them out. I abandoned the plastic sleeve and stuck the leads onto the pins directly according to the picture.

Getting the CFE prompt up was a LOT more difficult than I thought it was going to be. I must have started and stopped the router a hundred times before getting the CFE. And I wasn't sure whether it was control + c or control + C (control + shift + c) so I alternated between them rapidly.

After a few hours, though, I had my router back! Thanks!

tc
tc's picture
I can't get my WNR3500Lv2

I can't get my WNR3500Lv2 working. When my router boots, it says that it has a corrupted boot block. Yet, it will boot far enough to bring up the ethernet port and start listening on tftp. I can upload firmware after firmware, but nothing happens.

I've tried the 30-30-30 method, but that didn't work.

I've tried using the cable method (on Windows), and have even managed to get a CTRL-C to work and drop me into the CFE command prompt. But, when I try to type "nvram erase", my text is all garbled, and it won't work. I've tried a couple different cables, including the one recommended here, but always have the same result.

Also, as a point to note, I cannot connect the ground wire because that prevents my router from doing anything (just sits there with a very dim green light). To get to the CFE prompt, I have to disconnect the ground, boot, rapidly hit CTRL-C. And then when I get to the CFE prompt, I've tried in vain reconnecting the ground in the hopes that this will clear up the garbled communications enough to let me issue the "nvram erase" command.

I've also tried the pin-shorting method, but I'm not sure which pins to short
because my MoBo looks different from the ones in your photos; especially, I don't see the metal enclosed chip(?) next to the chip with the reset pins. Perhaps there is a slight revision to the 3500Lv2 that isn't be reflected in the model number? Anyhow, I've tried shorting all of the pins possible on the smaller chips on my board, but nothing resets the nvram.

I don't know what to do from here. After spending $30 on cables, I'm thinking that it would be easier and certainly much less frustrating just to pony up the rest of the dough needed to buy a new router. It just seems stupid to spend the money when my router seems to have some life in it yet....

Any help would be appreciated. TIA.

tc
tc's picture
Hey. I brought my router back

Hey. I brought my router back to life. I was doing two things wrong.

1. I was hooking up the ground to the 3.3v pin because I didn't realize that the
v2 pin-out was opposite to the v1 router's pin-out. Now, no more garbage on the screen.

2. Problem two. This one is really stupid and would have saved me some $$ spent on usb2ttl cables. What was it? When I used Linux to tftp the files, I didn't force it into binary mode with the "-m binary" flag. Oy! No wonder none of my uploads had been working! Of course, I only realized this when I got the serial console working, and I saw that uploaded filename had junk prepended to it.

Hindsight is such a kick in the butt! :-)

Peter Redmer
Peter Redmer's picture
Hey tc, thanks for posting

Hey tc, thanks for posting your experiences. Glad you got things working!

I do have a WNR3500Lv2 guide which shows the alternate pinouts, in case anyone needs that: http://www.myopenrouter.com/article/36609/How-to-Debrick-Your-WNR3500Lv2...

The -m flag is what you would use in Linux, correct? For the Windows guide, I have -i. Just want to make sure it's clear for anyone keeping an eye on this thread :)

 

colin
colin's picture
I haven't needed this yet,

I haven't needed this yet, but am fascinated by your article. I know that one day I'm gonna need it. Thanks.

tedd
tedd's picture
I was thinking all would go

I was thinking all would go fine, but putty stops at DRX 0x02 "Hit enter to begin"

any thoughts?

tedd
tedd's picture
I thought all was going swell

I thought all was going swell, but after 4 times trying, each time Putty gets stuck on DRX 0x02 "Hit enter to continue"

any thoughts?

Peter A.
Peter A.'s picture
Hi,

Hi,
thanks for your perfect instruction. The wnr works again perfectly!
Krds from Austria!

Tim1
Tim1's picture
Where are the 2 pins for

Where are the 2 pins for WNR3500lv2?

rxnplc
rxnplc's picture
Thanks!!!!This procedure

Thanks!!!!This procedure worked for me to de-brick netgear r6300....Much appreciated!!!

trueslator
trueslator's picture
I bricked my WNR3500 v.2 -

I bricked my WNR3500 v.2 - would this work also to reinstall the origial firmware? Your tutorials are greate - very detailed!

Peter Redmer
Peter Redmer's picture
Hi trueslator - the

Hi trueslator - the instructions for the v2 are very similar. You can find them here:

http://www.myopenrouter.com/article/36609/How-to-Debrick-Your-WNR3500Lv2...

 

trueslator
trueslator's picture
Peter Redmer said: Hi

Peter Redmer said: Hi trueslator - the instructions for the v2 are very similar. You can find them here: http://www.myopenrouter.com/article/36609/How-to-Debrick-Your-WNR3500Lv2-Usin...

Many thanks, but it isn't the "L" version - it is just the WNR3500 but the v2. I tried to install this version dd-wrt.v24-21061_NEWD-2_K2.6_mini-WNR3500v2.chk to my WNR3500v2 but it failed - I don't know why. I have got a spare but it would be nice to unbrick the WNR3500v2

Many thanks,
Oliver

lambro
lambro's picture
Hey guys, i am having trouble

Hey guys, i am having trouble with the process. I can get into the CFE command but when i tftp the firmware over, it says "programming..." then nothing happens. Ive retried this several times now. any thoughts?

*edit**
I have got the firmware installed and it loads fine the first time, for about 5 mins i can access the utilities but then, the console freezes and the access freezes.

this is what it looks like:

Decompressing..........done
Decompressing..........done

CFE for WNR3500L version: v1.0.36
Build Date: Thu Aug 6 15:48:22 CST 2009
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
Found a 8MB ST compatible serial flash
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.10.56.28
CPU type 0x19740: 453MHz
Tot mem: 65536 KBytes

Device eth0: hwaddr 00-FF-FF-FF-FF-FF, ipaddr 192.168.1.1, mask 255.255.255.0
gateway not set, nameserver not set
CPU ProcId is: 0x00019740, options: 0x000021cd
Primary instruction cache 32kb, linesize 32 bytes (4 ways)
Primary data cache 32kb, linesize 32 bytes (4 ways)
Linux version 2.4.20 (water@moonlight) (gcc version 3.2.3 with Broadcom modifications) #206 Tue Jul 21 14:56:49 CST 2009
Found a 8MB ST compatible serial flash
Determined physical RAM map:
memory: 04000000 @ 00000000 (usable)
On node 0 totalpages: 16384
zone(0): 16384 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/mtdblock2 noinitrd console=ttyS0,115200
CPU: BCM4716 rev 1 at 453 MHz
Calibrating delay loop... 226.09 BogoMIPS
Memory: 62732k/65536k available (1593k kernel code, 2804k reserved, 120k data, 60k init, 0k highmem)
Dentry cache hash table entries: 8192 (order: 4, 65536 bytes)
Inode cache hash table entries: 4096 (order: 3, 32768 bytes)
Mount-cache hash table entries: 1024 (order: 1, 8192 bytes)
Buffer-cache hash table entries: 4096 (order: 2, 16384 bytes)
Page-cache hash table entries: 16384 (order: 4, 65536 bytes)
Checking for 'wait' instruction... unavailable.
POSIX conformance testing by UNIFIX
PCI: Using membase 8000000
PCI: Disabled
PCI: Fixing up bus 0
PCI: Fixing up bus 1
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x1
NTFS driver v1.1.22 [Flags: R/O]
Squashfs 2.2-r2 (released 2005/09/08) (C) 2002-2005 Phillip Lougher
fuse init (API version 7.5)
fuse distribution version: 2.5.3
Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled
ttyS00 at 0xb8000300 (irq = 8) is a 16550A
PPP generic driver version 2.4.2
SCSI subsystem driver Revision: 1.00
pflash: found no supported devices
sflash: squashfs filesystem found at block 835
Creating 10 MTD partitions on "sflash":
0x00000000-0x00040000 : "boot"
0x00040000-0x00790000 : "linux"
0x000d0f94-0x00790000 : "rootfs"
0x00790000-0x007a0000 : "ML1"
0x007a0000-0x007b0000 : "ML2"
0x007b0000-0x007c0000 : "T_Meter1"
0x007c0000-0x007d0000 : "T_Meter2"
0x007d0000-0x007e0000 : "POT"
0x007e0000-0x007f0000 : "board_data"
0x007f0000-0x00800000 : "nvram"
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 4096 bind 8192)
Linux IP multicast router 0.06 plus PIM-SM
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NET4: Ethernet Bridge 008 for NET4.0
802.1Q VLAN Support v1.7 Ben Greear
All bugs added by David S. Miller
FAT: bogus logical sector size 15104
FAT: bogus logical sector size 15104
NTFS: Unable to set blocksize 512.
VFS: Mounted root (squashfs filesystem) readonly.
Mounted devfs on /dev
Freeing unused kernel memory: 60k freed
Reading board data...
PIN number not found!
WSC UUID: 0xd1c9a172b5f7b72f35bb4cf0531b0ec8
invalid RF magic!
No RF parameters! Use default.
Algorithmics/MIPS FPU Emulator v1.5
Using /lib/modules/2.4.20/kernel/drivers/net/emf/emf.o
Using /lib/modules/2.4.20/kernel/drivers/net/igs/igs.o
Using /lib/modules/2.4.20/kernel/drivers/net/et/et.o
Using /lib/modules/2.4.20/kernel/drivers/net/wl/wl.o
Hit enter to continue...WARNING: console log level set to 1
waitpid: No child processes
killall: upnp: no process killed
killall: wps_monitor: no process killed
killall: wps_ap: no process killed
killall: wps_enr: no process killed
Reading board data...
PIN number not found!
WSC UUID: 0xd1c9a172b5f7b72f35bb4cf0531b0ec8
Using /lib/modules/2.4.20/kernel/net/ipv4/acos_nat/acos_nat.o
info, udhcp server (v0.9.8) started
error, unable to parse 'option wins '
error, unable to parse 'option domain '
Info: No FWPT default policies.
POT signature check failed.
Using /lib/modules/2.4.20/kernel/drivers/usb_2.4.36/usbcore.o
Using /lib/modules/2.4.20/kernel/drivers/usb_2.4.36/host/ehci-hcd.o
Using /lib/modules/2.4.20/kernel/drivers/usb_2.4.36/host/usb-ohci.o
Using /lib/modules/2.4.20/kernel/drivers/usb_2.4.36/storage/usb-storage.o
Start DHCP client daemon
info, udhcp client (v0.9.8) started
eth0: No such process
UTX 0x02
URX 0x02
DTX 0x02
DRX 0x02
Hit enter to continue...Oops in fault.c::do_page_fault, line 192:
module: usb-storage c0245000 35648 0 (unused)
module: usb-ohci c023e000 21856 0 (unused)
module: ehci-hcd c0235000 31168 0 (unused)
module: usbcore c021f000 84688 1 [usb-storage usb-ohci ehci-hcd]
module: acos_nat c01a3000 348544 0 (unused)
module: wl c0025000 1556832 0 (unused)
module: et c0018000 48816 0 (unused)
module: igS c0013000 15616 0 [wl]
module: emf c000d000 20080 0 [wl igS]

$0 : 00000000 1000bc00 c00536e0 c00ba748 83874400 00000002 00000000 83884708
$8 : 00000001 80190108 00001d5a 00000002 83e292c4 83e292c8 83e292c0 00000008
$16: 838840d0 00000000 83884000 83874400 83d660d4 80191dc0 000000c7 83d660ec
$24: 00000000 2ac20330 80190000 80191d28 00000000 c0030764
Hi : 00000010
Lo : 00000001
epc : c005370c Not tainted
Status: 1000bc03
Cause : 00000008
Process swapper (pid: 0, stackpage=80190000)
Stack: 83884000 80191dc0 801e4800 c0030764 838632e0 c0030150 838840d0
00000010 83884000 00000001 c0030764 c00307ac 801e53f0 c006032c c00c4fec
00000018 838632e0 00000001 00000000 c002b594 8114fdc0 8015a914 00000001
8020fda0 838632e0 00000000 c002b530 8015a99c 838894a0 83863ca8 00000000
8011be28 8001b7b4 8001b7b4 00017700 801fb4b0 80191ea8 00000007 838632e0
838632e0 ...
Call Trace: [] [] [] [] []
[] [] [] [] [] []
[] [] [] [] [] []
[] [] [] [] [] []
[] [] [] [] [] []
[] []

Code: 00809821 3c03c00c 2463a748 27a40010 8e7403a4 0060f809 8c450000 8e221c28
Kernel panic: Aiee, killing interrupt handler!
In interrupt handler - not syncing
Rebooting in 3 seconds..Please stand by while rebooting the system...
Decompressing..........

crc error

-- System halted

Thanks!

Lava
Lava's picture
Thanks so much for this

Thanks so much for this superb tutorial!! Did it's magic at first attempt.

SurfnDuck
SurfnDuck's picture
I have bricked my wnr3500

I have bricked my wnr3500 router. After opening my case I don't see the jumpers that will allow me to use the USB-TTL. I was going to try to short the pins but the board design is different from what is posted online for shorting the pins. Can you guide me where to look for how to short the pins.

puremalt
puremalt's picture
Thank's a loot!!! I finally

Thank's a loot!!! I finally got my 3500V2 up and running :)

Dukejan
Dukejan's picture
Hello,

Hello,

I am trying to debrick this device, but I need to put jumper cables manually on the pin headers. Can you tell me what each pin does so I can select te correct ones?

Oseias
Oseias's picture
What hardware do you use for

What hardware do you use for serial connection?
Do not close the circuit on router serial port with jumper. You can damage it.
Everything you need is a serial adapter (usb2ttl, arduino etc).
If you will use a PC serial port(db9), do not connect it directly to the router.
Remember that the voltage of the PC is usually 12V while the serial router uses 3.3V. If you connect, it's likely that will burn the router serial port.

Dukejan
Dukejan's picture
I figured it out in the

I figured it out in the meanwhile. What I meant where the layout of the pins. They are as follows beginning from the pin with jp1 next to it

1 = ground, 2= RX and 5 is TX

Oseias
Oseias's picture
 

 

Dukejan said: I figured it out in the meanwhile. What I meant where the layout of the pins. They are as follows beginning from the pin with jp1 next to it 1 = ground, 2= RX and 5 is TX

 

[VCC] [RX] [ ] [ ] [TX] [GND]

http://wiki.openwrt.org/toh/netgear/wnr3500l#serial

Only needs TX, RX and GND.
You can use a multimeter to not confuse VCC and GND.
If RX and TX are inverse don't work.

Pages