OpenWrt Forum Archive

Topic: unbricking a DG834G v3 is possible

The content of this topic has been archived on 1 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,
I had a bricked DG834G v3 router, ftp, tftp and telnet were disabled so i did't know how to restore it.
As last resort i powered it on while pressing reset and in the serial console i readed:

Download.
Copying download from b0017000 to b4020000
psys_printf=90005bd0

so installed the windows recovery utility and launched it on a
windows machine while sniffing with wireshark on my Linux box.


Basically the utility communicates with the router with RAW ethernet frames.
The utility sends a broadcast ethernet frame with 50 zero bytes, and the router replies with some info about itself:

0000   00 00 00 00 00 00 00 00 38 00 01 00 00 01 44 47  ........8.....DG
0010   38 33 34 56 33 00 00 00 00 00 00 00 00 00 00 00  834V3...........
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 42 06 00 00  ............B...
0040   00 08                                            ..

Then starts the flashing still with RAW ethernet frames.
Here there is a full capture file and the uploaded firmware image: http://teknoraver.campuslife.it/software/DG834Gv3/

I think that we should write a perl utility to do this under linux, that will be very useful.

Greets,
Matteo Croce

Hi,
When playing with my DG834G v3 I ran into the problem that ADAM2 didn't like ftp or serial break or anything, so I tried replacing it with another which I knew worked (same version) major nono so now my box is bricked and I'm hoping that a JTAG will revive it.... but like a fool I didn't backup mtd2, would it be possible for you to dump it somewhere?
So I atleast have a tiny chance of getting it working smile

On a note about this find, do you think it would be possible to get custom firmwares on using this method? that is if the router just belives what is being sent to it and flashes it in.

Wipster

I'm writing this tool: http://teknoraver.campuslife.it/software/nftp.c

[~/src/openwrt/target/linux/ar7/src]$ sudo ./nftp eth1
Sending frame on eth1 (0:50:8d:d5:be:94)
Found a bricked router at 0:1b:2f:71:5a:72
Router is a DG834V3
Current version is 411e
Max upgrade size is 65572 kb
[~/src/openwrt/target/linux/ar7/src]$

but I really guess that it would be a duplicate of upslug2, so I'll try to add Netgear support to that one.

Created ticket #2897 to support such update method

I have the same issue with dg834 and I couldn't fix it.
The problem is due to corrupted boot configuration partition, and netgear recovery utility doesn't write to this area, it only write the bootloader and the firmware which doesn't solve the problem.
I guess a possible solution is to modify adam2 bootloader and use a default configuration instead of the corrupted one.

Also I noticed that this raw ethernet update module is stored in rom and not in the flash, as even with corrupted bootloader this utility work.

Could anyone complete this nftp.c file to upload the provided image file if its not too much trouble? or explain how id use upslug2 to upload an image to the router as mine died as windows goes bsod everytime i run the firmware recovery tool just after erasing the eprom.
So far i get a similar output from this stub implementation as mentioned, appart from Im using a DG834GT so no OpenWRT for me at the moment, but I was hoping to use it to upload the default netgear binary for now atleast.

FWIW I completed the tool now and attached it to the ticket mentioned above. Works on my v4, may work with others, use at your own risk. Thanks for putting that online, rootkit. Getting the raw sockets to work was definitely the hard (or definitely tedious) part, after that implementing the whole protocol was peanuts.

Right. so how do I actually use this? its been a long time since iv been here and thought about all this, and my initial attempt to compile this file as is shows i no longer have a compiler installed. lol. does this get built against any non standard libraries or anyting?

No special dependencies/libraries or anything like that. I was too lazy to make the tool work with big endian machines though, so don't run it on a PowerPC or something. :-P

@Wilmer

For what its worth I just flashed an unbricked (but SKY locked) DG834GT using that little program and Netgear's V1.02.16  firmware (my problem was that I had no idea what the password was set to and was stuck with Sky's modified firmware, oh and being on Linux - no windows boxes and thus no easy way to grab and try the various netgear utilities.), all worked wonderfully (although I removed your firmware image verification...) and reset the username/password combination back to the default (admin/sky).

So, thanks.

Great, I'm glad the tool worked for you! Yeah, the verification is pure guess work. Maybe I should make it easier to disable it. OTOH keeping it like this will hopefully keep people more aware of what they're doing. :-)

The discussion might have continued from here.