Netgear WNR3500 v2.0 Brick (solved)

fggs
DD-WRT Guru


Joined: 28 Jan 2008
Posts: 1741

PostPosted: Fri Jan 13, 2012 18:54    Post subject: Reply with quote
Unless I'm seeing it the wrong way, the permanent fix I see is:

1- Extract board_data somehow (in the other thread tsanga used Tomato)

2- Edit board_data to match the stock firmware unedited

3- Flash the edited board_data

4- Flash stock firmware unedited (tsanga had to flash it twice I think)

5- From there you can flash anything you want
Dark_Shadow
DD-WRT Guru


Joined: 31 Aug 2009
Posts: 2448
Location: Third Rock from the Sun

PostPosted: Fri Jan 13, 2012 20:08    Post subject: Reply with quote
Well the router was given to me, sooooooooo, Looks like more fun with TJTAG tonight. I will edit the board data file and TJTAG it back on the router and see if that solves the problem of flashing the OEM firmware unedited.


I am not worried if I trash the router. I am purely having fun and trying to learn me somethin and maybe help others along the way. Very Happy

_________________
Peacock Thread-FAQ -- dd-wrt Wiki

Testing Multiple Routers -- Bootloader Collection Project -- My Wiki
fggs
DD-WRT Guru


Joined: 28 Jan 2008
Posts: 1741

PostPosted: Fri Jan 13, 2012 20:10    Post subject: Reply with quote
If you look at that thread again, you can either use tftp server on your computer or dd. You don't need TJTAG in this case Smile
Dark_Shadow
DD-WRT Guru


Joined: 31 Aug 2009
Posts: 2448
Location: Third Rock from the Sun

PostPosted: Fri Jan 13, 2012 20:18    Post subject: Reply with quote
fggs wrote:
Unless I'm seeing it the wrong way, the permanent fix I see is:

1- Extract board_data somehow (in the other thread tsanga used Tomato)

2- Edit board_data to match the stock firmware unedited

3- Flash the edited board_data

4- Flash stock firmware unedited (tsanga had to flash it twice I think)

5- From there you can flash anything you want
I can do that, just have to get ~T to byte swap the file, this router is just like the E1000 concerning flash.
_________________
Peacock Thread-FAQ -- dd-wrt Wiki

Testing Multiple Routers -- Bootloader Collection Project -- My Wiki
Dark_Shadow
DD-WRT Guru


Joined: 31 Aug 2009
Posts: 2448
Location: Third Rock from the Sun

PostPosted: Fri Jan 13, 2012 20:20    Post subject: Reply with quote
fggs wrote:
If you look at that thread again, you can either use tftp server on your computer or dd. You don't need TJTAG in this case Smile
Ahhhhh damnit, you take all the fun out of it.


We must be posting at the same times, LoL

_________________
Peacock Thread-FAQ -- dd-wrt Wiki

Testing Multiple Routers -- Bootloader Collection Project -- My Wiki
fggs
DD-WRT Guru


Joined: 28 Jan 2008
Posts: 1741

PostPosted: Fri Jan 13, 2012 20:38    Post subject: Reply with quote
This forum is like playing a game for me.. I just cannot stop!

For some Call of Duty 3: Modern Warfare, for me it's this forum Very Happy
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 13049
Location: Behind The Reset Button

PostPosted: Fri Jan 13, 2012 20:59    Post subject: Reply with quote
fggs wrote:
This forum is like playing a game for me.. I just cannot stop!

For some Call of Duty 3: Modern Warfare, for me it's this forum Very Happy

that would make you a dd-wrt "ho" Smile

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=47340

_________________
[Moderator Deleted] Shocked
Dark_Shadow
DD-WRT Guru


Joined: 31 Aug 2009
Posts: 2448
Location: Third Rock from the Sun

PostPosted: Fri Jan 13, 2012 21:11    Post subject: Reply with quote
I have done this

LOM wrote:
You can't dump the partition from within a dd-wrt shell because it doesn't exist as a partition in dd-wrt, you'll have to do it from the bootloader via the save memory command, ie
"save [-options] host:filename startaddr length" where startaddr is 0xbc3e0000 and length is 0x20000.
host is the ipaddress of your tftp server and no options needed.


Issued "mtd erase linux" through ssh, rebooted.

I edited it to 00 from 70, now how do I get it back on there through serial (don't have JTAG adapter here at work) and will it take into consideration that the data on this flash chip is byte swapped?

_________________
Peacock Thread-FAQ -- dd-wrt Wiki

Testing Multiple Routers -- Bootloader Collection Project -- My Wiki
Dark_Shadow
DD-WRT Guru


Joined: 31 Aug 2009
Posts: 2448
Location: Third Rock from the Sun

PostPosted: Fri Jan 13, 2012 21:12    Post subject: Reply with quote
barryware wrote:
fggs wrote:
This forum is like playing a game for me.. I just cannot stop!

For some Call of Duty 3: Modern Warfare, for me it's this forum Very Happy

that would make you a dd-wrt "ho" Smile

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=47340
So would purposefully screwing up your router just to see if you can recover it. Shocked
_________________
Peacock Thread-FAQ -- dd-wrt Wiki

Testing Multiple Routers -- Bootloader Collection Project -- My Wiki
Dark_Shadow
DD-WRT Guru


Joined: 31 Aug 2009
Posts: 2448
Location: Third Rock from the Sun

PostPosted: Fri Jan 13, 2012 21:22    Post subject: Reply with quote
Dark_Shadow wrote:
I have done this

LOM wrote:
You can't dump the partition from within a dd-wrt shell because it doesn't exist as a partition in dd-wrt, you'll have to do it from the bootloader via the save memory command, ie
"save [-options] host:filename startaddr length" where startaddr is 0xbc3e0000 and length is 0x20000.
host is the ipaddress of your tftp server and no options needed.


Issued "mtd erase linux" through ssh, rebooted.

I edited it to 00 from 70, now how do I get it back on there through serial (don't have JTAG adapter here at work) and will it take into consideration that the data on this flash chip is byte swapped?



I have tried using tftp2.exe, and the results:

Code:
CFE> flash -offset=0xbc3e0000 -size=0x20000 : bd_00.bin
bd_00.bin: Device not found
*** command status = -6
CFE> flash -offset=0xbc3e0000 -size=0x20000 :  flash1.trx
Reading :: Done. 131072 bytes read
Reading ::


Saved that offset and length again and it's still the same 70, not 00 like I edited.

_________________
Peacock Thread-FAQ -- dd-wrt Wiki

Testing Multiple Routers -- Bootloader Collection Project -- My Wiki
fggs
DD-WRT Guru


Joined: 28 Jan 2008
Posts: 1741

PostPosted: Fri Jan 13, 2012 22:04    Post subject: Reply with quote
Are you running Tomato?

LOM explains in the other thread to use flash file:your_tftp_server flash1.board_data

I think this is it.. but I guess it will only work when you have Tomato because dd-wrt doesn't have board_data partition.
Dark_Shadow
DD-WRT Guru


Joined: 31 Aug 2009
Posts: 2448
Location: Third Rock from the Sun

PostPosted: Fri Jan 13, 2012 23:17    Post subject: Reply with quote
fggs wrote:
Are you running Tomato?

LOM explains in the other thread to use flash file:your_tftp_server flash1.board_data

I think this is it.. but I guess it will only work when you have Tomato because dd-wrt doesn't have board_data partition.
No, I have not attempted to put Tomato on here, too many people report bricking LOL

EDIT: oh yeah, the command in ssh "mtd erase linux" means there is no dd-wrt on there either hehehe

_________________
Peacock Thread-FAQ -- dd-wrt Wiki

Testing Multiple Routers -- Bootloader Collection Project -- My Wiki
Dark_Shadow
DD-WRT Guru


Joined: 31 Aug 2009
Posts: 2448
Location: Third Rock from the Sun

PostPosted: Sat Jan 14, 2012 1:16    Post subject: Reply with quote
"Tada" with the help of Tornado, made the edit to the board data, byte swapped it, then TJTAGed it on.


OEM firmware loaded without issue. So this beast can be reverted in the future.


@LOM you need anything off the OEM before I upgrade?

_________________
Peacock Thread-FAQ -- dd-wrt Wiki

Testing Multiple Routers -- Bootloader Collection Project -- My Wiki
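
A pre-flash check for the edit-then-byte-swap step described in the post above, as an added example that is not part of the thread or any poster's tooling: it confirms the edited dump is still 0x20000 bytes and differs from the original only at the intended byte before producing the swapped image. The 16-bit swap width, the function names, and the sample offset and bytes are assumptions; the thread does not state them.

```python
BOARD_DATA_LEN = 0x20000  # length given with the CFE "save" command in the thread


def byte_swap(data, width=2):
    """Reverse byte order inside each width-byte word (width=2 is an assumption)."""
    if width < 2 or len(data) % width:
        raise ValueError("image length must be a multiple of the swap width")
    out = bytearray(len(data))
    for i in range(width):
        out[i::width] = data[width - 1 - i::width]
    return bytes(out)


def changed_offsets(original, edited):
    """List (offset, old, new) for every byte that differs."""
    if len(original) != len(edited):
        raise ValueError("edited image changed size")
    return [(i, a, b) for i, (a, b) in enumerate(zip(original, edited)) if a != b]


def prepare_for_flash(original, edited, expected, width=2):
    """Return the byte-swapped image only if the edit is exactly `expected`."""
    if len(original) != BOARD_DATA_LEN:
        raise ValueError("dump is not 0x20000 bytes; re-save it from CFE")
    diffs = changed_offsets(original, edited)
    if diffs != expected:
        raise ValueError(f"unexpected changes: {diffs[:8]}")
    swapped = byte_swap(edited, width)
    if byte_swap(swapped, width) != edited:  # the swap must round-trip
        raise ValueError("byte swap is not reversible")
    return swapped


def constructed_sample():
    """Constructed stand-in for a dump; offset 0x12 and all bytes are made up."""
    original = bytearray(b"\xff" * BOARD_DATA_LEN)
    original[0x10:0x14] = b"\x12\x34\x70\x56"
    edited = bytearray(original)
    edited[0x12] = 0x00  # the 70 -> 00 edit mentioned in the thread
    return bytes(original), bytes(edited)


if __name__ == "__main__":
    orig, edit = constructed_sample()
    image = prepare_for_flash(orig, edit, [(0x12, 0x70, 0x00)])
    print(len(image), image[0x10:0x14].hex())
```

With real files, read the saved dump and the hex-edited copy as bytes and pass the one offset you meant to change; any stray byte added or altered by the editor makes the check fail before anything is written to flash.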
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7647

PostPosted: Sat Jan 14, 2012 1:31    Post subject: Reply with quote
That other thread was only one and a half years ago and I had completely forgotten about it, evidence that I've lost another marble to Dr Alzheimer. Crying or Very sad

The router identifier in the boarddata partition gets updated under certain circumstances, I'll see if I can find out what they are.
I remember that the whole length of the identifier is usually checked but there is a condition where only the first 7 bytes are checked and then the identifier is rewritten.

_________________
Kernel panic: Aiee, killing interrupt handler!
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7647

PostPosted: Sat Jan 14, 2012 1:37    Post subject: Reply with quote
fggs wrote:
Are you running Tomato?

LOM explains in the other thread to use flash file:your_tftp_server flash1.board_data

I think this is it.. but I guess it will only work when you have Tomato because dd-wrt doesn't have board_data partition.


That is not firmware dependent since it is done through the cfe, flash1.trx and flash1.board_data are cfe device names.

_________________
Kernel panic: Aiee, killing interrupt handler!