Wrong checksum when loading original firmware via TFTP

majess's picture
I've managed to solder a USB->TTL converter to my WNR3500L router.
I'm able to stop the router boot process and get access to the serial console (CFE>).
First question:
Is there a list of the CFE prompt commands available? In other bootloaders I can type "help", and I know everything. Here no such hint is available.

Another issue. I was working with DD-WRT on the WNR3500L. Then I realized that it would be nice to give OpenWRT a try (8.09 from the myopenrouter site). Unfortunately the web GUI for dd-wrt only supports bin images. So I decided to flash the router with the "USB-TTL cable less" method.

Because of my lack of timing, I bricked my router :-)
Now I have access to the router's serial console.
I can stop the boot process and see the prompt: CFE>
I'm able to start TFTP and download the WNR3500L-V1.0.2.50_31.1.25.chk image.
Unfortunately my router doesn't want to flash this image since the checksum is different.
Console output:
Boot partition size = 262144(0x40000)
Found a 8MB ST compatible serial flash
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller
CPU type 0x19740: 453MHz
Tot mem: 65536 KBytes

Device eth0: hwaddr C0-3F-0E-XX-YY-ZZ, ipaddr, mask
gateway not set, nameserver not set
Checksum mismatch:
Image chksum: 0xFFFFFFFF
Calc chksum: 0x09F603FC
Invalid boot block on disk

The above is after power-on. It is obvious that I've erased the MTD flash (with the erase Linux command), but not uploaded any new firmware.

Reading :: Done. 5330293 bytes read
Checksum mismatch:
Image chksum: 0xDC96E81D
Calc chksum: 0x248F2119

Any hint on that? It is the comparison of the checksum from the image and the one calculated by the Broadcom CPU. They should match, but for some reason they did not.

Any help?

This problem is a bit different from those presented widely on the forum. I have a serial cable. I can ping the router and download the *.chk image via TFTP, but then the checksum is different. I'm using Debian Linux.


Thanks in advance for any help,


Sudipta's picture
Have you loaded "openwrt_wnr3500l_8.09.2.chk" on your board? There is no checksum issue with this version.

majess's picture


Thank you for your reply.

I was trying to restore default Netgear firmware (WNR3500L-V1.0.2.50_31.1.25.chk) before changing to OpenWRT. I read that it is the "appropriate" way to do this.

Do you know why there is the "checksum issue" as you wrote? I assumed that the checksum should be correct for Netgear's original *.chk firmware. Why MAY it not be correct?

I remember that I was trying to download the dd-wrt bin image via TFTP, but after transmitting it to the router, it hangs (no visible progress on the serial console nor any blinking LED despite this indicating connection with the host PC). I'm not sure, but the same happened with the aforementioned "openwrt_wnr3500l_8.09.2.chk" from the OpenWRT /bin directory. I've built OpenWRT with default settings after following the guidelines from the myopenrouter website to build OpenWRT.

Any idea how to fix the router?
Why is there a problem with the checksum only on my router? Other guys asking for help haven't got similar problems.

Sudipta's picture
After loading the openwrt image, when you boot for the first time a checksum for the image on the flash is calculated and saved on the bootsector. From the next time you boot your router, it will calculate the checksum and match it with the previously calculated checksum.

If you look at the source code for openwrt, there is a directory named "netgear_flush" under the "package" directory. This package is used for calculating the checksum. It is called from the "package/base-files/files/sbin/mount_root" script. There is a command "netgear_flash -u 1" in this script.

majess's picture
Thank you for the answer.

Unfortunately, yesterday I went one step further and probably flashed the entire memory with the wrong image:

I've used: CFE> flash openwrt_wnr3500l_8.09.2.chk flash0

Unfortunately, after reboot the router is really dead (only the orange and blue LEDs are emitting dim, constant light) and the serial console is not working anymore.

I guess that I've erased/reflashed the entire flash including the CFE partition (named flash0.boot).

I think that I need to use JTAG to fix it (I have access to an Olimex JTAG running under control of OpenOCD). I haven't read the schematic yet, but I've spotted, near the place where I soldered the serial, a connector resembling the standard JTAG connector.

What are the voltage levels of JTAG? Has anyone tried to use OpenOCD with this chip? Is there any special "secure code" needed to have access to the chip's JTAG interface? Which JTAG hardware should I use? Where can I find the CFE binary or source?