Category: Routers

How to restore the Netgear DG834GT CFE bootloader (unbrick)

I occasionally brick my Netgear DG834GT when I flash an image bigger than its flash size: unfortunately the CFE bootloader does no size check before writing. It usually happens when I add too much to the OpenWrt configuration before compiling.

To restore the original CFE bootloader you need:

  • a parallel port (/dev/parport0)
  • an eJTAG interface (like one of these: http://www.t-hack.com/wiki/index.php/EJTAG)
  • the CFE binary image, CFE.BIN (remember to back it up before flashing new firmware images)
  • the Telsey MAGIC EJTAG Debrick Utility

Solder a 6+6 (2×6) pin header at J201 and connect the eJTAG interface.

[Image: dg834gt_ejtag_connector_soldered]

Note that EJTAG, the MIPS debug extension, is not the same as plain boundary-scan JTAG even though it uses the same TAP pins. I also tried to upload the CFE image with my J-Link JTAG interface, without success. The interface I built is the unbuffered version, which is the simplest; here is the schematic I found on the net:

[Image: ejtag_unbuffered_interface_schematic]

Check if the interface is working:

sudo ./Telsey -probeonly

If the flash memory is detected correctly you should get something like this:

============================================
Telsey MAGIC EJTAG Debrick Utility v0.9beta2
============================================

Probing bus ... Done

Instruction Length set to 5

CPU Chip ID: 00000110001101001000000101111111 (0634817F)
*** Found a Broadcom BCM6348 Rev 1 CPU chip ***

    - EJTAG IMPCODE ....... : 00000000100000000000100100000100 (00800904)
    - EJTAG Version ....... : 1 or 2.0
    - EJTAG DMA Support ... : Yes

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done

Probing Flash at (Flash Window: 0x1fc00000) ... Done

Flash Vendor ID: 00000000000000000000000000000001 (00000001)
Flash Device ID: 00000000000000000010001000000000 (00002200)
*** Found a AMD 29lv320MB 2Mx16 BotB   (4MB) Flash Chip ***

    - Flash Chip Window Start .... : 1f800000
    - Flash Chip Window Length ... : 00400000
    - Selected Area Start ........ : 00000000
    - Selected Area Length ....... : 00000000

 *** REQUESTED OPERATION IS COMPLETE ***


but if you get instead

Failed to open /dev/parport0: Permission denied

it means the parallel port is already claimed by the lp kernel module, so unload it manually:

sudo rmmod lp

Now we are ready to flash. As far as I can tell, the unbuffered eJTAG interface only uses TDI, TDO, TCK and TMS; the reset signals SRST and TRST are not connected, so the hardware reset command issued through eJTAG does not work properly, and you have to power cycle the DG834GT before every command, otherwise it will not accept a new eJTAG command.

The original bootloader CFE.BIN must be in the working directory. I had to use /nodma because DMA mode did not work for me. Note that you cannot change the parallel port device from the command line: to use a different /dev/parportX you have to edit the source and recompile.

Start the flash process:

sudo ./Telsey -flash:cfe /nodma

After the same initial probe output it keeps you updated until the end. Be ready to wait: the run below took 1005 seconds.

=========================
Flashing Routine Started
=========================
Total Blocks to Erase: 11
Erasing block: 1 (addr = 1fc00000)...Done
Erasing block: 2 (addr = 1fc02000)...Done
Erasing block: 3 (addr = 1fc04000)...Done
Erasing block: 4 (addr = 1fc06000)...Done
Erasing block: 5 (addr = 1fc08000)...Done
Erasing block: 6 (addr = 1fc0a000)...Done
Erasing block: 7 (addr = 1fc0c000)...Done
Erasing block: 8 (addr = 1fc0e000)...Done
Erasing block: 9 (addr = 1fc10000)...Done
Erasing block: 10 (addr = 1fc20000)...Done
Erasing block: 11 (addr = 1fc30000)...Done
Loading CFE.BIN to Flash Memory...
[  0% Flashed]   1fc00000: 02781000 00000000 00000000 00000000
[  0% Flashed]   1fc00010: 00050000 00000000 00000000 00000000
...
[ 99% Flashed]   1fc3ffd0: ffffffff ffffffff ffffffff ffffffff
[ 99% Flashed]   1fc3ffe0: ffffffff ffffffff ffffffff ffffffff
[ 99% Flashed]   1fc3fff0: ffffffff ffffffff ffffffff ffffffff
Done  (CFE.BIN loaded into Flash Memory OK)
=========================
Flashing Routine Complete
=========================
elapsed time: 1005 seconds

Power cycle the router; it is now ready for a new firmware image.
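CFE will not refuse an oversized image, so the size check has to happen on the host before anything is flashed. The POSIX shell snippet below is an added example, not code from the original post or from the Telsey utility: it reads the flash size from a saved `Telsey -probeonly` transcript (the "Flash Chip Window Length" line shown above), compares it with the image you are about to flash, and shows how to dump CFE.BIN from a running OpenWrt so the backup exists before the next brick. The file names, the optional `reserved` argument and the assumption that CFE is /dev/mtd0 on this board are mine; confirm the partition with `cat /proc/mtd` first.

```sh
#!/bin/sh
# Added example (not from the original post): host-side size check that the
# DG834GT's CFE does not do, plus a CFE backup helper.
# Assumptions: the probe transcript was saved with
#   sudo ./Telsey -probeonly > probe.txt
# and on a running OpenWrt (brcm63xx) the CFE partition is /dev/mtd0
# (confirm with: cat /proc/mtd).

# Print the flash size in bytes, taken from the
# "Flash Chip Window Length ... : 00400000" line of the probe transcript.
flash_size_from_probe() {
    hex=$(sed -n 's/.*Flash Chip Window Length[ .]*: *\([0-9A-Fa-f]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$hex" ] || return 1
    echo $((0x$hex))
}

# Return 0 if the image fits, 1 if it would overrun the flash.
#   $1 image file, $2 flash size in bytes,
#   $3 bytes to keep free at the end (e.g. an NVRAM sector; default 0)
image_fits() {
    img=$1
    flash=$2
    reserved=${3:-0}
    size=$(wc -c < "$img" | tr -d ' ')
    if [ "$size" -le $((flash - reserved)) ]; then
        return 0
    fi
    echo "image is $size bytes, only $((flash - reserved)) available" >&2
    return 1
}

# Copy the bootloader partition out of a running OpenWrt so that CFE.BIN
# exists before the next (possibly bricking) flash.
backup_cfe() {
    dd if=/dev/mtd0 of="$1" bs=64k
}

# Typical use on the host, before handing the image to CFE:
#   flash=$(flash_size_from_probe probe.txt)
#   image_fits openwrt-image.bin "$flash" 65536 || echo "do not flash this"
```

The 65536 in the usage comment keeps the last 64 KiB sector free; whether your layout reserves it for NVRAM is something to verify against your own partition table, not something this snippet knows.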


Netgear WNR3500L v2 unbrick

I was playing with this router until I bricked it. The following is the recovery procedure that worked for me, tested on Xubuntu 12.04.

First set your LAN interface to a fixed IP in the 192.168.1.x subnet, such as 192.168.1.10 with netmask 255.255.255.0.


Firmware download

Visit www.myopenrouter.com to have a look at the firmwares available; this time I chose Tomato 093-AIO (All In One). All versions are listed there.

Download the firmware and extract the file with the .chk extension into a temporary directory.


The terminal

Build a TTL serial cable to reach the console on the internal connector JP1, which has this pinout:

[1] VCC
[2] RX
[3] NC
[4] NC
[5] TX
[6] GND

Use a 3.3 V TTL adapter (not RS-232 levels), leave VCC unconnected since the router powers itself, wire GND, and cross TX and RX with the adapter; if you get no output, swap them.

Open a terminal emulator such as PuTTY and configure the serial port for 115200 baud, leaving the other options at their defaults (8N1). On Xubuntu you can install it with a simple

sudo apt-get install putty


Enter the bootloader

Power cycle the router and immediately press CTRL+C repeatedly to interrupt the boot and get the CFE prompt (this assumes the TTL serial adapter is connected and the terminal is open):

Decompressing...done

CFE for WNR3500Lv2 version: v1.0.9
Build Date: Fri May  6 11:54:17 CST 2011
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
NFLASH Boot partition size = 524288(0x80000)
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.60.136
CPU type 0x19749: 480MHz
Tot mem: 131072 KBytes

Device eth0:  hwaddr 74-44-01-33-BD-C2, ipaddr 192.168.1.1, mask 255.255.255.0
        gateway not set, nameserver not set
Startup canceled
CFE> ^C
CFE>


Nvram erase

Clear the NVRAM; skipping this step is a frequent cause of routers that stay bricked after a firmware change:

CFE> nvram erase
*** command status = 0
CFE> nvram commit
*** command status = 0


TFTP server

Start the TFTP server in CFE:

CFE> tftpd
Start TFTP server
Reading ::


Firmware upload and upgrade

Move to the directory where the firmware was extracted and upload it to the router with a TFTP client in binary mode:

tftp -m binary 192.168.1.1 -c put tomato-Netgear-3500Lv2-K26USB-1.28.RT-N5x--093-AIO.chk

The procedure is silent: don't touch anything, and after a few minutes the router will reboot into the new firmware.
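The host side of this procedure, from the fixed IP to the tftp put, can be scripted so that nothing is typed by hand while CFE is waiting. The script below is an added example, not code from the original post or from Tomato or Netgear: the interface name, the addresses and the tftp-hpa client syntax are assumptions (the `tftp -m binary … -c put` form is the one used above), and the ping polling relies on CFE answering ICMP echo once `tftpd` is running at the prompt.

```sh
#!/bin/sh
# Added example (not from the original post): host side of the WNR3500L v2
# recovery, from fixed IP to TFTP upload. Assumptions: the LAN interface is
# eth0, CFE listens on 192.168.1.1, the host takes 192.168.1.10/24 and the
# tftp client is tftp-hpa (syntax as in the post).
ROUTER_IP=${ROUTER_IP:-192.168.1.1}
LOCAL_IP=${LOCAL_IP:-192.168.1.10/24}
IFACE=${IFACE:-eth0}

# Refuse anything that is not an extracted, non-empty .chk image; uploading
# the downloaded archive by mistake is an easy way to waste a recovery.
check_image() {
    img=$1
    [ -f "$img" ] || { echo "no such file: $img" >&2; return 1; }
    case "$img" in
        *.chk) ;;
        *) echo "not a .chk image (extract the download first): $img" >&2; return 1 ;;
    esac
    size=$(wc -c < "$img" | tr -d ' ')
    [ "$size" -gt 0 ] || { echo "empty image: $img" >&2; return 1; }
    return 0
}

# Fixed address in the router's subnet, replacing whatever DHCP left behind.
set_static_ip() {
    ip addr flush dev "$IFACE"
    ip addr add "$LOCAL_IP" dev "$IFACE"
    ip link set "$IFACE" up
}

# Poll until CFE answers; it only does so once "tftpd" is running at the
# prompt, so this also catches a console step that was skipped.
wait_for_cfe() {
    tries=${1:-30}
    while [ "$tries" -gt 0 ]; do
        ping -c 1 -W 1 "$ROUTER_IP" >/dev/null 2>&1 && return 0
        tries=$((tries - 1))
    done
    echo "$ROUTER_IP is not answering; is CFE sitting at tftpd?" >&2
    return 1
}

# Binary (octet) mode is mandatory: ASCII mode would corrupt the image.
upload_image() {
    tftp -m binary "$ROUTER_IP" -c put "$1"
}

recover() {
    check_image "$1" || return 1
    set_static_ip
    wait_for_cfe 30 || return 1
    upload_image "$1"
}

# Usage (the script name is an assumption):
#   sudo ./recover.sh tomato-Netgear-3500Lv2-K26USB-1.28.RT-N5x--093-AIO.chk
if [ $# -eq 1 ]; then
    recover "$1"
fi
```

Run it as root because `ip addr` needs it; the upload itself does not. After `recover` returns, the router still needs the few silent minutes described above before it reboots.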


Open your browser at http://192.168.1.1 and enjoy your new firmware.


References

http://tomatousb.org/

http://www.myopenrouter.com

