De-bricking WNR3500v2 (not "L") need ideas

3 posts / 0 new
Last post
martinmarty
martinmarty's picture
De-bricking WNR3500v2 (not "L") need ideas

I bricked a WNR3500v2 (not the "L" version) trying to install DD-WRT. It was a year or more ago so I don't remember exactly what release I was trying to install but I probably was using an image for the L version router that was too big for mine. I read about using a serial console cable to recover, which I had never done before. When I opened the case I found no header pins so I put it on the shelf and ordered a cable which eventually arrived, but by then I got sidetracked and left everything sit.

I just got back to that project so I soldered in some header pins and got the serial console talking. When it tries to boot, the boot fails and it starts the tftp server. I have sent lots of different versions of firmware, including stock Netgear, dd-wrt, openwrt and I was just about to try a tomato but I think I got the wrong one so I didn't try the tomato.

No matter what firmware image I try, the upload seems to complete successfully. I see transfer completed msg on the serial console but then it goes back to "Reading". When I have done this successfully (on some WNR3500Lv2 with the "L") I have seen it take off at the end of the upload and install everything and then reboot. This router doesn't do that.

If I power it off/on and watch the console msgs after a successful tftp upload, I see it going through the bootloader process but then it shows a checksum for the image vs. calculated and they are a mismatch and it says "Boot program checksum is invalid" and starts tftp server. This is where I am stuck.

Can anyone please point me in the right direction? All help appreciated! THANKS.

p.s. Thinking image might have been corrupted by transfer, I've tried the tftp2.exe program and also the tftp in Windows 10, same results, seems to work, but no boot.

Here is an excerpt from the console output showing me playing around and then the error at the bottom:

Reading :: Decompressing..........done
Decompressing..........done
CFE for WNR3500v2 version: v1.0.29
Build Date: Fri Jun 12 11:11:15 CST 2009
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
Found a 4MB ST compatible serial flash
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.10.56.28
CPU type 0x19740: 453MHz
Tot mem: 32768 KBytes

Device eth0:  hwaddr 00-26-F2-00-C3-BE, ipaddr 192.168.1.1, mask 255.255.255.0
        gateway not set, nameserver not set
Startup canceled
CFE> nvram erase <- I tried this along the way but it doesn't seem to help

*** command status = 0
CFE> nvram show <- found this cmd on Internet, thought it might be useful
antswctl2g=0
os_ram_addr=80001000
rxchain=3
boardrev=0x1213
et0macaddr=00:26:f2:00:c3:be
maxp2ga0=0x5C
boot_wait=off
watchdog=3000
maxp2ga1=0x5C
et0mdcport=0
reset_gpio=4
pmon_ver=CFE 5.10.56.28
vlan2ports=0 8u
ofdm2gpo=0x42200000
gpio1=ses_led
gpio5=robo_reset
gpio6=ses_button
mcs2gpo0=0x4220
mcs2gpo1=0xcca6
mcs2gpo2=0x4220
triso2g=0x3
mcs2gpo3=0xcca6
os_flash_addr=bfc40000
sromrev=8
mcs2gpo4=0
mcs2gpo5=0
mcs2gpo6=0
boardtype=0x04CF
mcs2gpo7=0
aa2g=7
et1macaddr=00:26:f2:00:c3:bf
lan_netmask=255.255.255.0
extpagain2g=0x0
tssipos2g=0x1
bw40po=0
itt2ga0=0x20
itt2ga1=0x20
wl0id=0x4329
vlan2hwname=et0
adc_vmid=0x89
ag0=0
ag1=0
pa2gw2a0=0xfa17
ag2=0
pa2gw2a1=0xfa2f
xtalfreq=20000
antswitch=3
boardflags2=0x00000402
cfe_version=v1.0.29
wait_time=3
ledbh0=2
ledbh1=11
bwduppo=0
ledbh2=11
ledbh3=11
txchain=3
leddc=0xFFFF
pa2gw1a0=0x18d6
pa2gw1a1=0x1885
clkfreq=453,226,113
lan_ipaddr=192.168.1.1
vlan1hwname=et0
sdram_config=0x0284
vlan1ports=1 2 3 4 8*
scratch=a0180000
ccode=0
boardflags=0x00001710
sdram_refresh=0x183f
wandevs=et0
sdram_ncdl=0x6a26162a
adc_gain=0x00
macaddr=00:90:4C:09:00:01
pdetrange2g=0
cck2gpo=0x0000
regrev=0
et0phyaddr=30
landevs=vlan1 wl0
pa2gw0a0=0xfeb6
pa2gw0a1=0xfeb3
sdram_init=0x0419
stbcpo=0
dl_ram_addr=a0001000
parefldovoltage=45
cddpo=0
boardnum=01
size: 1307 bytes (31461 left)
*** command status = 0
CFE> tftpd
Start TFTP server
Reading :: Done. 15257600 bytes read <- this image was too big - had to power off/on
Decompressing..........done
CFE for WNR3500v2 version: v1.0.29
Build Date: Fri Jun 12 11:11:15 CST 2009
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
Found a 4MB ST compatible serial flash
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.10.56.28
CPU type 0x19740: 133MHz
Tot mem: 32768 KBytes

Committing NVRAM...done
Waiting for reset button release...done▒Decompressing..........done
Decompressing..........done
CFE for WNR3500v2 version: v1.0.29
Build Date: Fri Jun 12 11:11:15 CST 2009
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
Found a 4MB ST compatible serial flash
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.10.56.28
CPU type 0x19740: 453MHz
Tot mem: 32768 KBytes

Device eth0:  hwaddr 00-26-F2-00-C3-BE, ipaddr 192.168.1.1, mask 255.255.255.0
        gateway not set, nameserver not set
Checksum mismatch:
Image chksum: 0x5113EC3F
Calc  chksum: 0x4A1114A8
Boot program checksum is invalid
Start TFTP server

Reading :: Decompressing..........done
Decompressing..........done
CFE for WNR3500v2 version: v1.0.29
Build Date: Fri Jun 12 11:11:15 CST 2009
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
Found a 4MB ST compatible serial flash
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.10.56.28
CPU type 0x19740: 453MHz
Tot mem: 32768 KBytes

Device eth0:  hwaddr 00-26-F2-00-C3-BE, ipaddr 192.168.1.1, mask 255.255.255.0
        gateway not set, nameserver not set
Startup canceled
CFE> ^C
CFE> nvram erase 
*** command status = 0
CFE> tftpd
Start TFTP server
Reading :: Done. 3604538 bytes read 
<- UPLOAD COMPLETES BUT IT DOESN'T INSTALL THE FW. ???
Reading ::

martinmarty
martinmarty's picture
WNR3500v2 back up and running

WNR3500v2 back up and running on stock FW!

For anyone else with this problem, found great post here in DD-WRT forum.

Had to hex edit the stock fw image, changing the header info from "U12H127T00_NETGEAR" to "U12H127T70_NETGEAR". After that, it accepted the fw. I'm not certain what repercussions there could be in subsequent fw update scenarios but at least for the moment I'm back up & running!

DevAdmin
DevAdmin's picture
Thanks for t letting us know!

Thanks for letting us know!