Serial Recovery WNDR4300

notorious.dds
Posted: Sun Oct 02, 2016 16:50    Post subject: Serial Recovery WNDR4300
I bought this WNDR4300 off of eBay which was listed as "not working". Essentially, it just boots directly to recovery mode. In other words: it's bricked, but I don't know by what means.
I attached my serial cable and was able to extract some info. The following is the output from boot:


Code:
find_hif: bootstrap = 0xaf055a
WASP BootROM Ver. 1.1
Nand Flash init
ONFI: Control setting = 0xb44
hdr: [0xbd004000 : 0xbd004000 : 0x3000 : 0xc200e86c]
nand_load_fw: read 6 pages
nand_load_fw: 0x10000 0x800 0xbd0047f0
nand_load_fw: 0x20000 0x800 0xbd004ff0
nand_load_fw: 0x30000 0x800 0xbd0057f0
nand_load_fw: 0x40000 0x800 0xbd005ff0
nand_load_fw: 0x50000 0x800 0xbd0067f0
f/w 0 read complete, jumping to 0xbd004000
initialize PLL & DDR

sri
Wasp 1.2
Wasp (32bit) ddr2 init
setting for 40
fw1: Nand Init
leave FW1
f/w 0 execution complete
hdr: [0xa0100000 : 0xa0100000 : 0x11000 : 0x26e9875d]
nand_load_fw: read 34 pages
nand_load_fw: 0x70000 0x800 0xa01007f0
nand_load_fw: 0x80000 0x800 0xa0100ff0
nand_load_fw: 0x90000 0x800 0xa01017f0
nand_load_fw: 0xa0000 0x800 0xa0101ff0
nand_load_fw: 0xb0000 0x800 0xa01027f0
nand_load_fw: 0xc0000 0x800 0xa0102ff0
nand_load_fw: 0xd0000 0x800 0xa01037f0
nand_load_fw: 0xe0000 0x800 0xa0103ff0
nand_load_fw: 0xf0000 0x800 0xa01047f0
nand_load_fw: 0x100000 0x800 0xa0104ff0
nand_load_fw: 0x110000 0x800 0xa01057f0
nand_load_fw: 0x120000 0x800 0xa0105ff0
nand_load_fw: 0x130000 0x800 0xa01067f0
nand_load_fw: 0x140000 0x800 0xa0106ff0
nand_load_fw: 0x150000 0x800 0xa01077f0
nand_load_fw: 0x160000 0x800 0xa0107ff0
nand_load_fw: 0x170000 0x800 0xa01087f0
nand_load_fw: 0x180000 0x800 0xa0108ff0
nand_load_fw: 0x190000 0x800 0xa01097f0
nand_load_fw: 0x1a0000 0x800 0xa0109ff0
nand_load_fw: 0x1b0000 0x800 0xa010a7f0
nand_load_fw: 0x1c0000 0x800 0xa010aff0
nand_load_fw: 0x1d0000 0x800 0xa010b7f0
nand_load_fw: 0x1e0000 0x800 0xa010bff0
nand_load_fw: 0x1f0000 0x800 0xa010c7f0
nand_load_fw: 0x200000 0x800 0xa010cff0
nand_load_fw: 0x210000 0x800 0xa010d7f0
nand_load_fw: 0x220000 0x800 0xa010dff0
nand_load_fw: 0x230000 0x800 0xa010e7f0
nand_load_fw: 0x240000 0x800 0xa010eff0
nand_load_fw: 0x250000 0x800 0xa010f7f0
nand_load_fw: 0x260000 0x800 0xa010fff0
nand_load_fw: 0x270000 0x800 0xa01107f0
f/w 1 read complete, jumping to 0xa0100000


U-Boot 1.1.4 (Jun 28 2012 - 10:12:47)

U-boot dni29 V0.3 for DNI HW ID: 29763948 flash 128MB RAM 128MB 1st Radio 2x2 2nd Radio 3x3


DRAM:  128 MB
Atheros on-chip NAND FLash Controller Driver, Version 0.1 (c) 2010 Atheros Communications, Ltd.
Ath Nand ID[87ff0178]: 2c:f1:80:95:02
ONFI MICRON      MT29F1G08ABADAWP   
Micron NAND 128MiB 3,3V 8-bit [128MB]
set ns -0x80020000-0x800
====== NAND Parameters ======
sc = 0x87ff0158 bbt = 0x87f68008 bbt_size = 0x100 nf_ctrl = 0x304
page = 0x800 block = 0x80020000 oob = 0x40
size = 128MB
Setting 0xb8116290 to 0x54a82d0f
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ag934x_enet_initialize...
 4096 bytes read: OK
Fetching MAC Address from 0x87fe7928
 wasp  reset mask:c02300
WASP  ----> S17 PHY *
: cfg1 0x80000000 cfg2 0x7114
eth0: 10:0d:7f:43:bd:13
athrs17_reg_init: complete
eth0 up
eth0
Hit any key to stop autoboot:  2  1  0
dup 1 speed 1000

 Client starts...[Listening] for ADVERTISE...TTT
Retry count exceeded; boot the image as usual

 nmrp server is stopped or failed !

Loading from device 0: ath-nand (offset 0x6c0000)

** check kernel image **
   Verifying Checksum ... OK

** check rootfs image **
   Verifying Checksum ...    Bad Data CRC

The Router is in TFTP Server Firmware Recovery mode NOW!

It appears that the boot fails verifying a checksum. The router then automatically goes into recovery mode. I've tried tftp'ing the stock firmware (initial release), only to get the following:

Code:
The Router is in TFTP Server Firmware Recovery mode NOW!
Listening on Port : 69, IP Address: 192.168.1.1...
Upgrade Mode
Rcv:
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   .................................................................
   ...............................................
Done!
Bytes transferred = 10223749 (9c0085 hex)
 131072 bytes read: OK
HW ID on board: 29763948+0+128+128+2x2+3x3
HW ID on image: 29763948+0+128+128+2x2+3x3
Firmware Image HW ID matched Board HW ID

 131072 bytes read: OK
MODEL ID on board: WNDR4300
MODEL ID on image: WNDR4300
Firmware Image MODEL ID matched Board model ID

** FAIL !! too many bad blocks, no enough space for firmware image.

The result is the same if I boot the router directly into recovery mode. And, even though the failure suggests that it's due to bad blocks, running the following command:

Code:
ar7240> nand bad

Device 0 bad blocks:

... tells me that I have no bad blocks.

Digging further...

Code:
ar7240> printenv
bootargs=console=ttyS0,115200 root=31:03 rootfstype=jffs2 init=/sbin/init mtdparts=ath-nand:128k(u-boot),384k(u-boot-env),1280k(uImage),7m(rootfs),128k(dummy),128k(caldata)
bootcmd=nmrp;if loadn_dniimg 0 0x6c0000 0x81000000 && chk_dniimg 0x81000000; then bootm 0x81000000;else fw_recovery; fi
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
ipaddr=192.168.1.1
serverip=192.168.1.7
dir=
lu=tftp 0x80060000 ${dir}2fw.bin&&nand erase 0x0 0x20000&&nand write $fileaddr 0x0 $filesize
lf=tftp 0x80060000 ${dir}db12x${bc}-nand-jffs2${ns}&&nand erase 0x1c0000 0x700000&&nand write $fileaddr 0x1c0000 $filesize
lk=tftp 0x80060000 ${dir}vmlinux${bc}.lzma.uImage&&nand erase 0x80000 0x140000&&nand write $fileaddr 0x80000 $filesize
ns
stdin=serial
stdout=serial
stderr=serial
bootdelay=2
ethact=eth0

Environment size: 795/262140 bytes


I'm not entirely sure where to go next. I've considered trying to modify the serial recovery method described here:

However, I don't entirely understand the meaning of the tftp "loadaddr" parameter. I'm also unsure if going down this road is even wise.

Any thoughts would be appreciated.

Thanks!
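
As an added example (not part of the original post), this script expands the `mtdparts` string from the `printenv` output above into absolute NAND offsets and reports which partition holds the `0x6c0000` offset that `bootcmd` passes to `loadn_dniimg`. The input values are copied from the post; the function names are hypothetical, and since the log shows "Using default environment", the map describes U-Boot's compiled-in defaults only.

```python
import re

# Values copied from the printenv output and boot log in the post above.
MTDPARTS = ("ath-nand:128k(u-boot),384k(u-boot-env),1280k(uImage),"
            "7m(rootfs),128k(dummy),128k(caldata)")
LOAD_OFFSET = 0x6C0000          # bootcmd: loadn_dniimg 0 0x6c0000 ...
TFTP_IMAGE_SIZE = 10223749      # "Bytes transferred = 10223749 (9c0085 hex)"
UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
ENTRY = re.compile(r"(\d+)([kmg]?)(?:@(0x[0-9a-f]+|\d+))?\((.+?)\)(?:ro)?", re.I)


def parse_mtdparts(spec):
    """Return [(name, start, end)] for an mtdparts string (end exclusive)."""
    _device, _, parts = spec.partition(":")
    layout, cursor = [], 0
    for part in parts.split(","):
        m = ENTRY.fullmatch(part.strip())
        if not m:  # e.g. the "-" (rest of device) size is not handled here
            raise ValueError(f"unsupported mtdparts entry: {part!r}")
        size = int(m.group(1)) * UNITS[m.group(2).lower()]
        if m.group(3):  # an explicit @offset overrides the running cursor
            cursor = int(m.group(3), 0)
        layout.append((m.group(4), cursor, cursor + size))
        cursor += size
    return layout


def locate(layout, offset):
    """Name of the partition containing offset, or None if outside the map."""
    for name, start, end in layout:
        if start <= offset < end:
            return name
    return None


def report(spec=MTDPARTS):
    """Human-readable partition map plus the two comparisons of interest."""
    layout = parse_mtdparts(spec)
    mapped = max(end for _name, _start, end in layout)
    lines = [f"{n:<12} 0x{s:07x}-0x{e - 1:07x}" for n, s, e in layout]
    lines.append(f"load offset 0x{LOAD_OFFSET:x} is inside: {locate(layout, LOAD_OFFSET)}")
    lines.append(f"map covers 0x{mapped:x} bytes; TFTP image is 0x{TFTP_IMAGE_SIZE:x} bytes")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The `lk` and `lf` variables erase `0x80000`+`0x140000` and `0x1c0000`+`0x700000`, which line up with the `uImage` and `rootfs` entries of this map, while the `bootcmd` load offset does not start on any entry's boundary. The script only reports where the offsets fall; it does not establish the layout the vendor loader actually uses.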
notorious.dds
Posted: Sun Oct 02, 2016 22:29
UPDATE:
If I bypass the checksum test and simply issue the following command from the uboot prompt:

Code:
bootm 0x81000000

It boots right up!

I've tried to flash via the gui both the stock firmware as well as the DD-WRT initial flash for this router ( ftp://ftp.dd-wrt.com/betas/2014/02-04-2014-r23503/netgear-wndr4300/wndr4300-factory.img ), but all attempts to flash this thing fail to save. It's like there's some sort of write protection in place.

Here's the output from the serial console when trying to flash via the gui:
Code:
current version: 0, new version: 1000000119

Sending discover...
Sending discover...
Sending discover...

incorrect language table file, cannot find the region name.

FILE: /tmp/uhttp-upgrade.img is download successfully!

Saving Data...
Fail!

Restarting system.


One bit of new info that I was able to learn with the router booting is that it's running stock firmware version 1.0.1.34.

Again, any advice is appreciated.

Thanks!