Netgear WNR3500 v2.0 Brick (solved)

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Goto page 1, 2, 3, 4, 5  Next
Author Message
Dark_Shadow
DD-WRT Guru


Joined: 31 Aug 2009
Posts: 2430
Location: Third Rock from the Sun

PostPosted: Tue Jan 10, 2012 16:12    Post subject: Netgear WNR3500 v2.0 Brick (solved) Reply with quote
Recovery instruction in this post below

***Original Post***
Alright, I used TJTAG and got it back to haveing serial output but no matter what image I flash it always say checksum mismatch. How do I get an image with the correct checksum?

serial output

Code:
Decompressing..........done
Decompressing..........done


CFE for WNR3500v2 version: v1.0.29
Build Date: Fri Jun 12 11:11:15 CST 2009
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
Found a 4MB ST compatible serial flash
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.10.56.28
CPU type 0x19740: 453MHz
Tot mem: 32768 KBytes

Device eth0:  hwaddr C0-3F-0E-AB-EC-84, ipaddr 192.168.1.1, mask 255.255.255.0
        gateway not set, nameserver not set
Checksum mismatch:
Image chksum: 0xFFFFFFFF
Calc  chksum: 0x01B700CF
Invalid boot block on disk
Start TFTP server
Reading ::


And when I TFTP the firmware on i get

Code:
Reading :: Done. 3448890 bytes read
Reading ::


It just sets there. When I breakinto the cfe and issue flash -noheader : flash1.trx and tftp the firmware on I get

Code:
CFE> flash -noheader : flash1.trx
Reading :: Done. 3448890 bytes read
Programming...done. 3448890 bytes written
*** command status = 0
CFE> go
Checksum mismatch:
Image chksum: 0xFFFFFFFF
Calc  chksum: 0x01B700CF
Invalid boot block on disk
Start TFTP server
Reading ::


***Recovery***

Also posted here

I will also add files here


JTAG Recovery

Confirmed Working with North American Unit and Firmware with TJTAG3rc6

1.Power Cycle, tjtag3 -backup:cfe128 /silent /otheroptions

2.Power Cycle, tjtag3 -backup:nvram /silent /otheroptions

3.Power Cycle, tjtag3 -backup:wholeflash /silent /otheroptions

4.Power Cycle, tjtag3 -backup:custom /window:0x1fc00000 /start:0x1c3e0000 /length:0x10000 /silent /otheroptions

5.The last step will backup the board data to "custom.bin, Using a Hex editer, check to make sure all the data looks similar to board_data.bin or post it to your thread in the dd-wrt forums and somebody can check it for you.

6.If it is similar, change "U12H127T70_NETGEAR" to "U12H127T00_NETGEAR". The mac address starts at Hex address 40 in the middle pane, make sure it's correct. The Serial number starts at Dec address 76 in the right pane, make sure it's correct. The Security Pin starts at Dec address 108 in the right pane, make sure it's correct. The actual board data starts at Dec address 256 in the right pane, make sure it matches board_data.bin. If it looks all messed up then start fresh with board_data.bin and make all the changes ti it. When done "save as" "custom.bin" without the quotes. Makes sure it's in the same folder as TJTAG.

7.Now do the same with the cfe128, mac sure mac address match(although not as important with the cfe). Check to see if is similar to cfe128.bin. If not or it's just totally messed up use the reference cfe128.bin. Just edit it to match the information from your router.

8.Power Cycle, tjtag3 -flash:custom /window:0x1fc00000 /start:0x1ffe0000 /length:0x10000 /swap_endian /byte_mode /silent /otheroptions

9.Power Cycle, tjtag3 -flash:cfe128 /swap_endian /byte_mode /silent /otheroptions

10.Have TFTP.exe ready in WindowsXP, with WNR3500v2-V1.2.2.28_25.0.85NA.chk from that zip file. Configure your computer with a static ip address of 192.168.1.10. Connect the router to the pc via network cable. Power on the router when it signals a connection click upgrade.



board_data.BIN
 Description:
caldata/board_data

Download
 Filename:  board_data.BIN
 Filesize:  64 KB
 Downloaded:  583 Time(s)


CFE128.BIN
 Description:
CFE

Download
 Filename:  CFE128.BIN
 Filesize:  128 KB
 Downloaded:  574 Time(s)


_________________
Peacock Thread-FAQ -- Firmware Recommendations -- dd-wrt Wiki

Testing Multiple Routers -- Bootloader Collection Project -- My Wiki


Last edited by Dark_Shadow on Sat Jan 14, 2012 16:08; edited 6 times in total
Sponsor
Dark_Shadow
DD-WRT Guru


Joined: 31 Aug 2009
Posts: 2430
Location: Third Rock from the Sun

PostPosted: Thu Jan 12, 2012 18:57    Post subject: Reply with quote
Bump with new info
_________________
Peacock Thread-FAQ -- Firmware Recommendations -- dd-wrt Wiki

Testing Multiple Routers -- Bootloader Collection Project -- My Wiki
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 12840
Location: Behind The Reset Button

PostPosted: Thu Jan 12, 2012 19:09    Post subject: Reply with quote
interesting..

see the image checksum?? 0xFFF~. That isn't right. The checksum of the image will be embedded in the image. That checksum embedded will be compaired to the checksum calculated.

If they do not match, the flash routine will think is was a bad flash (incomplete, noise, general error, etc)

What are you trying to flash? Have you tried -ctheader?

I don't know a lot about that router other than it has about 15 partitions on the flash chip. Maybe a needed partition is missing? dunno..

_________________
[Moderator Deleted] Shocked
fggs
DD-WRT Guru


Joined: 28 Jan 2008
Posts: 1716

PostPosted: Thu Jan 12, 2012 19:11    Post subject: Reply with quote
Either it didn't flash or flash chip is bad. Look at Image chksum, it's blank.

Doesn't Netgear have a different way to flash? Like typing tftpd or something?
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 12840
Location: Behind The Reset Button

PostPosted: Thu Jan 12, 2012 19:17    Post subject: Reply with quote
command status -42 is not good either. I don't know what it means.. if a command was good, it will have a command status of 0

type help at the prompt.. fggs is prolly right.. there is prolly a diff command to put it in to tftp listening mode and bypass the checks.

I'm assuming you are flashing stock firmware..

_________________
[Moderator Deleted] Shocked
fggs
DD-WRT Guru


Joined: 28 Jan 2008
Posts: 1716

PostPosted: Thu Jan 12, 2012 19:29    Post subject: Reply with quote
Let's hope you didn't overwrite a partition that is important..
Dark_Shadow
DD-WRT Guru


Joined: 31 Aug 2009
Posts: 2430
Location: Third Rock from the Sun

PostPosted: Thu Jan 12, 2012 21:45    Post subject: Reply with quote
No important info was over written. The caldata is there and intact. The router is now supported by TJTAG. The Wholeflash was backup and checked, the cfe and caldata was stripped and byteswapped. Then put back on the router.

The infor with -42 is may fault wrong info, I will correct it with

Code:
CFE> flash -noheader : flash1.trx
Reading :: Done. 3448890 bytes read
Programming...done. 3448890 bytes written
*** command status = 0
CFE> go
Checksum mismatch:
Image chksum: 0xFFFFFFFF
Calc  chksum: 0x01B700CF
Invalid boot block on disk
Start TFTP server
Reading ::


@bw i will try your "header" suggestion.

_________________
Peacock Thread-FAQ -- Firmware Recommendations -- dd-wrt Wiki

Testing Multiple Routers -- Bootloader Collection Project -- My Wiki
fggs
DD-WRT Guru


Joined: 28 Jan 2008
Posts: 1716

PostPosted: Thu Jan 12, 2012 21:47    Post subject: Reply with quote
@Dark_Shadow: Have you tried to type tftpd instead of "flash -noheader : flash1.trx"?
Dark_Shadow
DD-WRT Guru


Joined: 31 Aug 2009
Posts: 2430
Location: Third Rock from the Sun

PostPosted: Thu Jan 12, 2012 22:07    Post subject: Reply with quote
fggs wrote:
@Dark_Shadow: Have you tried to type tftpd instead of "flash -noheader : flash1.trx"?
Just got all set up here, will try that alon with BW's suggection.
_________________
Peacock Thread-FAQ -- Firmware Recommendations -- dd-wrt Wiki

Testing Multiple Routers -- Bootloader Collection Project -- My Wiki
Dark_Shadow
DD-WRT Guru


Joined: 31 Aug 2009
Posts: 2430
Location: Third Rock from the Sun

PostPosted: Thu Jan 12, 2012 22:22    Post subject: Reply with quote
Results for both tries

Code:
CFE> flash -ctheader : flash1.trx
Invalid switch: -ctheader
*** command status = -8
CFE>


Then with tftpd it worked but does the same thing as when simply loading the image upon boot.

Code:
CFE> tftpd
Start TFTP server
Reading :: Done. 3444794 bytes read
Reading ::


and then it just sits there, if i hit upgrade again on tftp it will take the image again and just sit there waiting for another. I need to figure out why the checksums aren't matching.

_________________
Peacock Thread-FAQ -- Firmware Recommendations -- dd-wrt Wiki

Testing Multiple Routers -- Bootloader Collection Project -- My Wiki
Dark_Shadow
DD-WRT Guru


Joined: 31 Aug 2009
Posts: 2430
Location: Third Rock from the Sun

PostPosted: Thu Jan 12, 2012 22:25    Post subject: Reply with quote
Yes i am trying to upload oem firmware


WNR3500v2-V1.2.2.28_25.0.85NA.chk

_________________
Peacock Thread-FAQ -- Firmware Recommendations -- dd-wrt Wiki

Testing Multiple Routers -- Bootloader Collection Project -- My Wiki
fggs
DD-WRT Guru


Joined: 28 Jan 2008
Posts: 1716

PostPosted: Thu Jan 12, 2012 22:29    Post subject: Reply with quote
If you don't mind asking.. how this router bricked in the first place?
Dark_Shadow
DD-WRT Guru


Joined: 31 Aug 2009
Posts: 2430
Location: Third Rock from the Sun

PostPosted: Thu Jan 12, 2012 22:41    Post subject: Reply with quote
fggs wrote:
If you don't mind asking.. how this router bricked in the first place?
From what I understand the wrong image was put on. I in my stupidity assumed the caldata had been over writen. Now we have TJTAG support for it.
_________________
Peacock Thread-FAQ -- Firmware Recommendations -- dd-wrt Wiki

Testing Multiple Routers -- Bootloader Collection Project -- My Wiki
fggs
DD-WRT Guru


Joined: 28 Jan 2008
Posts: 1716

PostPosted: Thu Jan 12, 2012 22:58    Post subject: Reply with quote
Well, all the tips I have I told you, unfortunately it was nothing.. but I will be a good spectator now.

Netgear routers are tricky and you know that from your own experience! (Yes, I remember a router of yours that something happened with caldata and it was a pain to put it back in service).
Dark_Shadow
DD-WRT Guru


Joined: 31 Aug 2009
Posts: 2430
Location: Third Rock from the Sun

PostPosted: Fri Jan 13, 2012 13:58    Post subject: Reply with quote
How dor you remove the header from an image? Is it delete everything before HDR0?
_________________
Peacock Thread-FAQ -- Firmware Recommendations -- dd-wrt Wiki

Testing Multiple Routers -- Bootloader Collection Project -- My Wiki
Goto page 1, 2, 3, 4, 5  Next Display posts from previous:    Page 1 of 5
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum