Netgear R6300v2 Advanced Debrick Notes By Sploit

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Goto page 1, 2, 3 ... 9, 10, 11  Next
Author Message
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 266
Location: California

PostPosted: Mon Sep 19, 2016 4:23    Post subject: Netgear R6300v2 Advanced Debrick Notes By Sploit Reply with quote
Please leave comments on this to help other users and keep the thread active once it works for you. It helps other users having your same problems.... Very Happy


Advanced Debrick Guide for the r6300v2 by sploit

Let’s start by saying that I have thoroughly dissected this router. I have had hours and hours of tweaking on this router via serial cable and know all of its habits and caveats.

That being said, without going into gory details, this router was thought to be only able to be debricked by a serial cable. Turns out that is very, very wrong. (Although I made a guide for serial cable debricking as well that I will release later on)

This router actually has a very sophisticated smart boot process.
On boot, “if” you are running Netgear Stock firmware and after passing a quick CRC check it will boot the Netgear Firmware and Never attempt to start a TFTP Daemon no matter what you do with the buttons.

The reset button, being held down also does not start a TFTP Daemon for a Generic File Upload like other routers, but will attempt to load a file called vmlinuz from a tftp server @ 192.168.1.2 (we will get to that later)

However, “IF” there is Generic Firmware that doesn’t CRC check to Netgear Genie Firmware Values that has been loaded to the NAND, it listens for about 5 seconds on boot for a file called “vmlinuz” from a tftp srver of 192.168.1.2 during the first 20 seconds of power on to the router.

This was interesting to me because I have seen this before in other rare routers and not just Broadcom.

So then I tried to rename various firmwares (Tomato, advancedtomato, ddwrt, Netgear genie, and openwrt) to vmlinuz and I dropped them into the root folder of my tftp server and my Ethernet Adapter on that TFTP server is assigned 192.168.1.2. Sure enough it tried to grab the files but was not able to load them because they were are compressed images.

I finally got the idea to try the Initframfs from Openwrt (I compiled it myself using the opewrt image builder) and sure enough it loaded the r6300v2 initramfs OpenWRT into the RAM.

The vmlinuz File will be available in this thread.

Once openwrt was loaded, I was able to flash other firmware to the router permanently by using ssh and accessing the command line interface and then using the standard:

Cd /tmp
wget http://192.168.1.2/firmware.chk
mtd erase nvram
mtd write firmware.chk firmware

(of course firmware.chk represented whatever r6300v2 Firmware I was using)

Now here is the funny part. While SSH’d into Openwrt You can simply erase the firmware partition using:

mtd erase firmware

Then simply reboot

It will intentionally brick the router (This for the first time in router history … A Good thing)

Why on earth would I do this you say???

Once the router Bricks… and you reboot it…. The router activates the TFTP Daemon that has been missing and it waits for a tdtp File Transfer of any compatible CHK File. Notice the “Reading::”

It will wait for a good firmware to flash. If any bad firmware gets uploaded it simply wont load it to the NAND and Ignore it.

From Windows you would have the firmware in a folder and using your command line type (tftp -i 192.168.1.1 put ddwrtr6300v2initialfile.chk ddwrtr6300v2initialfile.chk) while in that folder or using linux use regular tftp methods.

I was able to flash every Initial load from all Firmware (OpenWRT, DDWRT, Tomato, AdvancedTomato, Netgear Genie).

On the r6300v2CH model I was able to flash Kongs Initial CH Load, Advanced Tomato and The Netgear Genie CH Firmware. To flash Regular Tomato you have to install AdvancedTomato first then flash Tomato as an Upgrade on the CH Model. OpenWRT requires a CH Build.

The End Result is that anyone who thinks they have permanently bricked this router is more than likely wrong.

I use linux for all of this but I did it on windows also.
That Being said, I have given you the tools to recover from any brick on this router with the openwrt vmlinuz file to boot openwrt to load whatever firmware or use it to brick the router which will launch the recovery tftp daemon and you can load it that way also

For any of you who doubt this hook up a serial cable and watch it. 

Important Notes:
1) After OpenWRT Loads from the vmlinuz file, remove it (or rename it) from the tftp server folder or it will keep loading it every time the router reboots UNLESS you are going back to Netgear Genie in which it ignores it.

2) You cannot recover the firmware using the TFTP2 or TFTP Windows Tool available online (The Linksys and Netgear one). You must upload either using Linux or Windows at the Command Line. This is because the above mentioned tools timeout on certain large binary transfers. I tried them out of lazyness and found out after watching the serial console that it was breaking. Once the router is bricked it will wait for firmware indefinately on boot until good firmware or the vmlinuz file is loaded.

3) There are probably other windows tftp clients that can upload without timing out. I use linux for everything tech related because windowz is limited.

4) Further noted (Brainslayers Builds for the R6300v2 After 08/16/2016 to 09/16/2016) will no longer install on this router, as they are broken incase any of you have been going crazy trying to install it, and if you force them they brick the router. Stick with Kong for now.

Any mistakes I have made, please message me and I will correct them. No one is perfect. :p

Also, after it loads this image.... Be Patient and Wait!!! Just to be safe about 5 minutes and then openWRT will be loaded. You can the telnet in and do what ya gotta do.

*** Note that this may not work for everyone.... Requires settin up a tdtp SERVER



vmlinuz.zip
 Description:
r6300v2 vmlinuz initramfs boot loader for bricked Netgear R6300v2 Recovery

Download
 Filename:  vmlinuz.zip
 Filesize:  8.14 MB
 Downloaded:  786 Time(s)



Last edited by sploit on Sun Mar 19, 2017 19:08; edited 1 time in total
Sponsor
txvln
DD-WRT Novice


Joined: 22 Sep 2016
Posts: 1

PostPosted: Thu Sep 22, 2016 22:03    Post subject: Reply with quote
Can anyone point the way to an Initramfs file like this for the WNDR3700v3, or a (newbie-friendly[-ish]) guide on how to build one that wouldn't wreck the router?

Thanks!
merrow75
DD-WRT User


Joined: 28 Jan 2016
Posts: 128

PostPosted: Wed Sep 28, 2016 5:39    Post subject: Reply with quote
Thank you for the detailed information.
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 266
Location: California

PostPosted: Thu Sep 29, 2016 1:31    Post subject: Your welcome :) Reply with quote
Your welcome.

There is actually a bunch of other very techie things you can do with this router that I am not even sure Kong is aware of that I will be releasing eventually.

A serial cable is almost never going to be required to debrick this router (and possibly a few other netgear R series)

My guides are actually usually very visual with Screenshots of everything so I will more than likely upload PDF's.

Also for people visiting outside of Google or Yahoo you have to register and become a member to see and download a file from this forum.
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 3993
Location: Germany

PostPosted: Thu Sep 29, 2016 20:15    Post subject: Re: Your welcome :) Reply with quote
sploit wrote:
Your welcome.

There is actually a bunch of other very techie things you can do with this router that I am not even sure Kong is aware of that I will be releasing eventually.

A serial cable is almost never going to be required to debrick this router (and possibly a few other netgear R series)

My guides are actually usually very visual with Screenshots of everything so I will more than likely upload PDF's.



You just made me laugh:-)

Quote:

However, “IF” there is Generic Firmware that doesn’t CRC check to Netgear Genie Firmware Values that has been loaded to the NAND, it listens for about 5 seconds on boot for a file called “vmlinuz” from a tftp srver of 192.168.1.2 during the first 20 seconds of power on to the router.


For one:

If the crc is wrong, then netgear fw will start tftpd server which allows you to send a image via tftp client.

You made a simple mistake, you reordered the lines in your mind:-) The crc comes after the tftp pull, thus it should be clear, that it has nothing to do with crc:

Code:
Loader:raw Filesys:tftp Dev:eth0 File:192.168.1.2:vmlinuz Options:(null)                                               
Loading: TFTP error 1: File not found                                               Failed.                                             
Could not load 192.168.1.2:vmlinuz: Network protocol error                                               
Checking crc...Loader:raw Filesys:raw Dev:nflash0.os File: Options:(null)


What you see here is a cfe feature called boot_wait. If boot_wait=on it will wait and grab a vmlinuz from the predefined ip. If it is off, then it boots right away. We even have a gui setting for it:-)

Regarding your openwrt trick, some years ago I explained how to use this feature to boot a custom kernel from a tftp server that can boot rootfs from usb.

But this is basic fw development knowledge, and useful if you want to work on the kernel without flashing the whole time. I'm sure rmerlin,tomato guys etc. also know this.

There are other things which are more interesting, but I do not spread them:-)

_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 266
Location: California

PostPosted: Thu Sep 29, 2016 20:49    Post subject: The Great Kong Has Spoken Reply with quote
Well, atleast I made you laugh :p

However, I wasn't talking about that CRC error, I am talking about the CRC error that occurs once you intentionally brick the router and it goes into TFTPD Mode.

I should have specified that.

Anyway, Yes I agree on the spread them part. Trade Secrets...

Anyway, Thanks for your post Kong and Your Work.


Also ad far as the Boot Wait GUI I just created a Linux Script for it using the BootP/Tftp works great.

Dont know if its worth my time to make a GUI for it. Can understand your needs for it though as much testing as you do.
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 3993
Location: Germany

PostPosted: Thu Sep 29, 2016 21:28    Post subject: Re: The Great Kong Has Spoken Reply with quote
sploit wrote:
Well, atleast I made you laugh :p

However, I wasn't talking about that CRC error, I am talking about the CRC error that occurs once you intentionally brick the router and it goes into TFTPD Mode.

I should have specified that.

Anyway, Yes I agree on the spread them part. Trade Secrets...

Anyway, Thanks for your post Kong and Your Work.


Also ad far as the Boot Wait GUI I just created a Linux Script for it using the BootP/Tftp works great.

Dont know if its worth my time to make a GUI for it. Can understand your needs for it though as much testing as you do.


No these are your words:

Quote:
However, “IF” there is Generic Firmware that doesn’t CRC check to Netgear Genie Firmware Values that has been loaded to the NAND, it listens for about 5 seconds on boot for a file called “vmlinuz” from a tftp srver of 192.168.1.2 during the first 20 seconds of power on to the router.


This is wrong, it listens for 5 seconds if boot_wait is on and set to 5s. This has nothing to do wth crc.

_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 266
Location: California

PostPosted: Fri Sep 30, 2016 3:14    Post subject: Boot Wait Isnt Enabled By default Reply with quote
I can show you the logs of any of my Box of 150 R6300v2 booting with stock netgear Genie on it and BootWait is not enabled on stock Netgear Genie installed.
ONLY if a generic firmware is loaded does BootWait Appear.

AND only on a "Brick" with bad firmware does the CRC check fail and default to TFTPD.

Try this.

Load Netgear Genie and boot and watch on the serial console what happens. No Boot Wait.

Maybe I am saying things wrong?
OneMoar
DD-WRT Novice


Joined: 15 Jan 2011
Posts: 46

PostPosted: Mon Oct 03, 2016 2:52    Post subject: Reply with quote
does somebody have a image for the r6250 this unit doens't have serial pins
it still kind of boots but a reset isn't touching it
OneMoar
DD-WRT Novice


Joined: 15 Jan 2011
Posts: 46

PostPosted: Mon Oct 03, 2016 6:37    Post subject: Reply with quote
ok against what I thought was better judgement I tried the vmlinuz sploit posted
and it worked on my R250
it wasn't very stable basicly crashing every 30 seconds to a min
but it was up long enough for me to ssh in issue a mtd erase firmware
which let me flash back to stock
kudos to sploit
<Kong>
DD-WRT Guru


Joined: 15 Dec 2010
Posts: 3993
Location: Germany

PostPosted: Mon Oct 03, 2016 7:02    Post subject: Re: Boot Wait Isnt Enabled By default Reply with quote
sploit wrote:
I can show you the logs of any of my Box of 150 R6300v2 booting with stock netgear Genie on it and BootWait is not enabled on stock Netgear Genie installed.
ONLY if a generic firmware is loaded does BootWait Appear.

AND only on a "Brick" with bad firmware does the CRC check fail and default to TFTPD.

Try this.

Load Netgear Genie and boot and watch on the serial console what happens. No Boot Wait.

Maybe I am saying things wrong?


I have no idea, why it is so difficult for you to understand, probably the reason why you also had trouble reading the boot lines.

boot_wait is an nvram var, netgear sets it to off, we set it to on, that's the only reason why it waits for 5s and tries to pull an vmlinuz, see my nvram war:

root@r6400:~# nvram show | grep wait
boot_wait=on
size: 43446 bytes (87626 left)
wait_time=5

Now, set this to off:

nvram set boot_wait=off
nvram commit
reboot

and magically the tftp pull for vmlinuz is gone.

_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
OneMoar
DD-WRT Novice


Joined: 15 Jan 2011
Posts: 46

PostPosted: Mon Oct 03, 2016 22:24    Post subject: Reply with quote
I was getting the exact same symptoms as sploit after a botched flash to tomato on my R6250

it would't accept a TFTP from anything other then vmlinuz
thankfully the vmlinuz he provided for his 6300V2 seemed to work enough to get me to a webui but it wasn't stable for more then a few min and I could't flash anything but a openwrt image from the webui

but it was enough for me to ssh in and issue a mtd erase nvram / firmware which let me tftp2.exe the stock netgear firmware after a couple of tries

ill look into building a more generic recovery image at some point seems like it would be a useful thing to have should't be to difficult at all to make a generic recovery image for all the R6xxx and R7000 family units
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 266
Location: California

PostPosted: Tue Oct 04, 2016 6:29    Post subject: Well.. Reply with quote
I am not debating whether setting a boot wait variable to the nvram from ddwrt is possible or not.

The purpose to the VMLINUZ InitRamFS is for people who have bricked their routers and don't have to a serial cable OR have the ability to TFTP because the TFTP Daemon isn't started.

The only reason I created this thread was to help people who need a easier way to debrick. Simply put, this router always has Bootwait or the TFTP Daemon running. One or the other, but in the case that TFTPD isn't running then you can recover using a InitRamFS Image to boot into the RAM and mtd write the new image OR mtd erase the image and force brick the router for TFTP Daemon to start after reboot.
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 266
Location: California

PostPosted: Tue Oct 04, 2016 6:35    Post subject: Good Idea Reply with quote
OneMoar wrote:
I was getting the exact same symptoms as sploit after a botched flash to tomato on my R6250

it would't accept a TFTP from anything other then vmlinuz
thankfully the vmlinuz he provided for his 6300V2 seemed to work enough to get me to a webui but it wasn't stable for more then a few min and I could't flash anything but a openwrt image from the webui

but it was enough for me to ssh in and issue a mtd erase nvram / firmware which let me tftp2.exe the stock netgear firmware after a couple of tries

ill look into building a more generic recovery image at some point seems like it would be a useful thing to have should't be to difficult at all to make a generic recovery image for all the R6xxx and R7000 family units


Probably just need to strip some drivers out for the wifi and a few other files not necessary to do anything but load openwrt to the console, especially LUCI is not needed.

Atleast we know it works enough to recover quickly on the 6250
OneMoar
DD-WRT Novice


Joined: 15 Jan 2011
Posts: 46

PostPosted: Tue Oct 04, 2016 6:49    Post subject: Reply with quote
I was able to flash a openwrt image from the webui but I decided to mtd erase anyway just for testings sake

keeping a minimal luci ui would be good incase you run into a situation where you where unable to wget a image (like I initally had because it keept crashing)

when I am feeling better maby ill look at it
and yea you could probly save a ton of space by stripping out all the wifi/usb drivers

and just have minimal luci webui that lets you select a image
Goto page 1, 2, 3 ... 9, 10, 11  Next Display posts from previous:    Page 1 of 11
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum