Can't Flash Netgear R6850

badrouter · September 4, 2021, 3:40pm

I can't seem to get a Netgear R6850 flashed to OpenWrt.

Symptoms - Can't ping router at 192.168.1.1 after flashing and switch port keeps flapping connected/disconnected. LED blinking makes it look like a bootloop. I can only recover to stock using nrmpflash at this point.

Things I've tried:

Flashed from stock gui version R6850_V1.1.0.84_1.0.1.img which was only released a couple days ago.
Flashed from stock gui version R6850-V1.1.0.76_1.0.1.img since maybe something changed in the latest version.
Flashed from nrmpflash to see if that would be successful.
Confirmed file hashes were correct on the firmware in case my downloads were corrupt.
Originally I was trying the latest release image: openwrt-21.02.0-ramips-mt7621-netgear_r6850-squashfs-factory.img
Then I tried an older RC in case that was that might be successful: openwrt-21.02.0-rc4-ramips-mt7621-netgear_r6850-squashfs-factory.img

In all cases except for stock firmware I get the results I listed in the symptoms. The router has worked fine on stock for several weeks now so the hardware should be fine.

Anyone have any ideas? Thanks!

bobafetthotmail · September 4, 2021, 7:48pm

you can try with development snapshot images https://downloads.openwrt.org/snapshots/targets/ramips/mt7621/ as that is using more recent code than 21.02 release and hope that it was fixed there. Development snapshot has no Luci web interface but will still answer to ping and you can connect with ssh https://openwrt.org/docs/guide-quick-start/sshadministration to install Luci web interface later.

Otherwise it's a bit difficult to know what is going on without serial console access, to see the error messages printed on console.

You can also report this as a bug https://bugs.openwrt.org/

badrouter · September 4, 2021, 9:37pm

I just tried snapshot and I get the exact same behavior.

Is this worthy of a bug report? I agree that there isn't much that can be done without a serial console so I don't know know how the bug report will help.

Thanks for your help though.

badrouter · September 5, 2021, 6:59am

After some more research, I'm wondering if I've encountered this problem. Given that the R6350 has similar (identical?) firmware to the R6850, I was able to use the process referenced in the R6350 hardware page to enable debug mode and telnet into the stock firmware. The MTD layout looks similar to the one in the R6350 thread. From my R6850 on stock firmware:

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00100000 00020000 "Bootloader"
mtd1: 00100000 00020000 "SC_PART_MAP"
mtd2: 00420000 00020000 "Kernel"
mtd3: 02800000 00020000 "Rootfs"
mtd4: 00200000 00020000 "English UI"
mtd5: 00200000 00020000 "ML1"
mtd6: 00200000 00020000 "ML2"
mtd7: 00200000 00020000 "ML3"
mtd8: 00200000 00020000 "ML4"
mtd9: 00200000 00020000 "ML5"
mtd10: 00200000 00020000 "ML6"
mtd11: 00200000 00020000 "ML7"
mtd12: 00200000 00020000 "ML8"
mtd13: 00200000 00020000 "ML9"
mtd14: 00200000 00020000 "ML10"
mtd15: 00200000 00020000 "ML11"
mtd16: 00220000 00020000 "Factory"
mtd17: 00200000 00020000 "SC Private Data"
mtd18: 00200000 00020000 "POT"
mtd19: 00200000 00020000 "Traffic Meter"
mtd20: 00200000 00020000 "SC PID"
mtd21: 00220000 00020000 "SC Nvram"
mtd22: 00200000 00020000 "Ralink Nvram"
mtd23: 00200000 00020000 "Reserved Block1"
mtd24: 00200000 00020000 "Reserved Block2"
mtd25: 00200000 00020000 "Reserved Block3"
mtd26: 00200000 00020000 "Reserved Block4"
mtd27: 00200000 00020000 "Reserved Block5"
mtd28: 02120000 00020000 "Reserved Block6"

Any thoughts?

kar200 · September 29, 2021, 6:03am

Hi @badrouter ,

Do you have access to the console by any chance? This is to confirm my thoughts.

I am trying to find on the openwrt forums people with Sercomm Netgear devices to test a patch for the partition parser found here.

On some Sercomm devices (like yours with an SC_PART_MAP). If you have bad blocks on your device it might be the issue. I have tested the patch (as well as others) and it seems to work.

If you can compile your own image just add the pull request and add to the DTS something similar to this "note the scpart-id = <0>"

&nand {
	status = "okay";

	partitions {
		compatible = "sercomm,sc-partitions", "fixed-partitions";
		#address-cells = <1>;
		#size-cells = <1>;

		partition@0 {
			label = "bootloader";
			reg = <0x0 0x100000>;
			scpart-id = <0>;
			read-only;
		};

		partition@100000 {
			label = "part_map";
			reg = <0x100000 0x100000>;
			scpart-id = <1>;
			read-only;
		};

		factory: partition@200000 {
			label = "factory";
			reg = <0x200000 0x100000>;
			scpart-id = <2>;
			read-only;
		};

		partition@300000 {
			label = "dual-flag";
			reg = <0x300000 0x100000>;
			scpart-id = <3>;
		};

		partition@400000 {
			label = "kernel";
			reg = <0x400000 0x600000>;
			scpart-id = <4>;
		};

		partition@a00000 {
			label = "uImage2";
			reg = <0xa00000 0x600000>;
			scpart-id = <5>;
			read-only;
		};

		partition@1000000 {
			label = "ubi";
			reg = <0x1000000 0x2000000>;
			scpart-id = <6>;
		};

		partition@3000000 {
			label = "rootfs2";
			reg = <0x3000000 0x2000000>;
			scpart-id = <7>;
			read-only;
		};

		partition@5000000 {
			label = "config-log";
			reg = <0x5000000 0x1400000>;
			scpart-id = <8>;
			read-only;
		};

		partition@6400000 {
			label = "app-tmp";
			reg = <0x6400000 0x1b80000>;
			scpart-id = <9>;
			read-only;
		};

		/*
		 * 512 kB bad block reserved
		 */
	};
};

I

badrouter · September 29, 2021, 4:39pm

I don't have a serial console. I only have telnet access to the stock firmware using the Netgear debug mode.

I started down the path of setting up a VM to build my own image but that has been more complicated then I anticipated so I put that aside for now. I was hoping these patches would get accepted into the nightly or release builds.

kar200 · September 29, 2021, 4:53pm

Telnet should be fine. If you run "dmesg" it should show you in the output if you have bad blocks.

If you are brave enough to flash and untested image I can build an image with the sercomm patch for you to flash and test. I will only include the patch and change the DTS to use it (if it makes sense).

Let me know if you are interested as it would help to add the tested devices that worked with the patch (and did not without) in case the patch is sent upstream for review.

EDIT: Obviously this is if you can recover with nrmpflash

r1m2 · September 30, 2021, 2:17am

Wow I just came across this post. I had to shelf my r6850 because of this exact reason, and getting tired of stock firmware. Every image I tried flashing from snapshot to RCs to final release of 21, all lead to same symptom as you've described. Subsequent nmrp flash works, but doesn't help. I also went a step further and did nmrp flash of an OpenWRT image, and it lead to same place. nmrp method still was able to help recover though.

kar200 · September 30, 2021, 4:38am

Hi @r1m2 ,

Would you be interested to test an image with the patch?
Again this means it might brick (although I am sure it could be restored with nrmpflash)

Let me know if you are.

austin · November 16, 2021, 7:24am

After picking up a new R6350 today (for the sole purpose of installing OpenWrt) I was disappointed to run into the same problem as OP. A couple hours of scouring the internet has led me here... would love to test an image if you have one.

Thanks

kar200 · November 16, 2021, 7:47am

Hi @austin

Before I share the file please understand that this is completely untested on any netgear device (tested only on my own Sercomm device with a different partitioning).

I used factory 21.02 with only the sercomm patch (and modified DTS to use it). I have not changed anything else.

AGAIN THIS MIGHT BRICK YOUR ROUTER

Here you go. I guess you need to use the factory file. Please let me know if it worked (or if it bricked your device).

austin · November 16, 2021, 7:53am

Appreciate it!! Just to be safe, what kind of brick are you warning against? I've been able to restore the stock firmware successfully with nmrpflash so far (after entering boot loops trying to install anything else).

kar200 · November 16, 2021, 7:57am

Technically nothing that the nrmpflash could not recover. Since this is is flashed only in the factory (kernel+rootfs)section and no other partition is touched (bootloader or the rest of the flash device).

But since this is for a device that I don't own or anything netgear related it is impossible for me to know if it would brick (and to what extent) your device.

austin · November 16, 2021, 8:16am

Tried your image and unfortunately the boot-looping persists. I was able to flash back to stock. Guess I'm stuck with Netgear's software for now unless I look for another router. Will continue troubleshooting tomorrow.

Also, I didn't expect a response to my original post so fast. Thank you!

kar200 · November 16, 2021, 8:24am

Thanks for your feedback. I will remove the image.

Did you flash from the web UI? Do you have access to the console by any chance? If yes could you share it please?

I am not sure if you have access to SSH/Telnet through the stock firmware. If yes please check "dmesg" and see if there are bad blocks in the output.

austin · November 16, 2021, 8:40am

I flashed your image with nmrpflash. Should I be using the web UI? As for console access, I did as @badrouter and enabled debug mode.

cat /proc/mtd output:

dev:    size   erasesize  name
mtd0: 00100000 00020000 "Bootloader"
mtd1: 00100000 00020000 "SC_PART_MAP"
mtd2: 00420000 00020000 "Kernel"
mtd3: 02800000 00020000 "Rootfs"
mtd4: 00200000 00020000 "English UI"
mtd5: 00200000 00020000 "ML1"
mtd6: 00200000 00020000 "ML2"
mtd7: 00200000 00020000 "ML3"
mtd8: 00200000 00020000 "ML4"
mtd9: 00200000 00020000 "ML5"
mtd10: 00200000 00020000 "ML6"
mtd11: 00200000 00020000 "ML7"
mtd12: 00200000 00020000 "ML8"
mtd13: 00240000 00020000 "ML9"
mtd14: 00200000 00020000 "ML10"
mtd15: 00200000 00020000 "ML11"
mtd16: 00200000 00020000 "Factory"
mtd17: 00200000 00020000 "SC Private Data"
mtd18: 00220000 00020000 "POT"
mtd19: 00200000 00020000 "Traffic Meter"
mtd20: 00200000 00020000 "SC PID"
mtd21: 00220000 00020000 "SC Nvram"
mtd22: 00200000 00020000 "Ralink Nvram"
mtd23: 00220000 00020000 "Reserved Block1"
mtd24: 00280000 00020000 "Reserved Block2"
mtd25: 00200000 00020000 "Reserved Block3"
mtd26: 00200000 00020000 "Reserved Block4"
mtd27: 00200000 00020000 "Reserved Block5"
mtd28: 02040000 00020000 "Reserved Block6"

dmesg output:
https://paste.sh/NPHtDflB#5NWXutQdQivVv6w3QARr70Jt

kar200 · November 16, 2021, 8:48am

I don't think it makes a difference but you could try. Apparently the factory imahe is for web UI.
https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=3c8df280a96bbd81357d6eb52845e6b5fa7162fe

As for dmesg it does not show the Nand part so I can't tell if you have bad blocks.

austin · November 16, 2021, 5:23pm

Is there any way to find earlier logs without cracking the thing open and getting serial access?

EDIT: Decided to return it.

kar200 · December 5, 2021, 7:25pm

Hi @austin

I know this is not needed anymore but I will just leave it here just in case. I think I might have igured out why it did not work with your device. I was using the partition layout of the exisiting DTS in openwrt (which does not match the ones from he stock Netgear device).

austin · December 5, 2021, 11:15pm

Awesome, I hope that helps someone out in the future. I would have investigated further with the R6350 but decided not to void my warranty and sent it back. I'm glad I did as I now have OpenWRT running smoothly on a much better router (Linksys E8450) and for 20 bucks less (thanks Ebay).