Debrick netgear WAX218

Installing and Using OpenWrt
1

Hi. I just got one wax218 with stock firmware 2.1.1.3 and followed this guide to flash it to v23.05.2 successfully.
Somehow I tried to flash it back to stock firmware with ssh. But the device was bricked. No LEDs blink anymore after power on. After soldering I get into serial console, but seems the device is in a boot loop with following message again and again:

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.3.1-00148
S - IMAGE_VARIANT_STRING=HAACANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x000002e5
B -       201 - PBL, Start
B -      2735 - bootable_media_detect_entry, Start
B -      3441 - bootable_media_detect_success, Start
B -      3446 - elf_loader_entry, Start
B -      6107 - auth_hash_seg_entry, Start
B -      6350 - auth_hash_seg_exit, Start
B -     68403 - elf_segs_hash_verify_entry, Start
B -    131099 - PBL, End
B -    212920 - SBL1, Start
B -    290573 - GCC [RstStat:0x10, RstDbg:0x600000] WDog Stat : 0x4
B -         0 - Debug Log
B -         0 - GCC_RST=0:r2=371CF444:r3=A6460414:r4=4FC5CAC4:r5=EB6C405E:r6=11690D9D:r7=FFDD0570:r8=13A4440A:r9=96C51643:r10=9FCC0504:r11=475D530C:r12=C6D6342:r13=93F24E8A:r14=EBD64EF5:r15=FF93B341:r16=0:r17=95E2495D:r18=C5C3FE98:r19=11BFAD9F:r20=E508C34D:r21=A1D7C7D9:r22=EFC1F4A9:r23=D78095E1:r24=EBBB0400:r25=79D3741:r26=DB497D01:r27=901BAEF2:r28=22081C7:r29=3B16C7DA:r30=B4106DD8:r31=2BE77DA0:r32=0:r33=0:r34=F15DD3F8:r35=A1FE1D04:r36=0:r37=0:r38=0:r39=0:r40=0:
B -    368989 - pm_device_init, Start
B -    545492 - PM_SET_VAL:Skip
D -    175741 - pm_device_init, Delta
B -    547719 - pm_driver_init, Start
D -      5337 - pm_driver_init, Delta
B -    554246 - clock_init, Start
D -      2074 - clock_init, Delta
B -    558241 - boot_flash_init, Start
B -    5

Any idea how can I debrick this device? Does it mean bootloader is dead?

IMG_0014
IMG_00141920×1080 296 KB

2

Have you tried nmrpflash?

3

I tried nmrpflash, unfortunately timeout.

4

Try different timings between launching the command, and powering off. Each device has its timing. Recently I recovered an old device, and I needed to launch the command twice, after the first one reported timeout. So keep faith, it's only a matter of patience and "try and error". Idealy, you monitor the boot process with a serial link, so you can see when the boot wait for the nmrp command.
On windows, switch off the firewall, and use npcap version 1.60 (not the latest).

5

Tried again on Ubuntu 20.04. Seems ethernet on wax218 doesn't work.

sudo ./nmrpflash -i enp4s0f1 -f WAX218_V2.1.1.3_firmware.bin -t 1000000 -T 1000000 -vvv
Temporarily disabling NetworkManager on interface.
Waiting for Ethernet connection (Ctrl-C to skip).
Error: Ethernet cable is unplugged.

The output from serial console is the same as above, never goes further then 'boot_flash_init, Start'

6

Got some information from other forum, seems only one way can go:
Boot from SPI NOR and dump the NAND. But this version of netgear it's really not easy to get any hardware information.
Need to find where to put a SPI NOR on the PCB and soldering. And also a resistance to force ECU to boot from SPI NOR flash.
No idea how to continue.

1 Like
7

The information I got currently is boot step got stuck at secondary boot loader which trying to load appbootloader.
Two ways to go, but seems both are difficult:

  1. Find a place on PCB and solder SPI NOR also need to find the resistance to force ECU to boot from SPI NOR. A bootable SPI version U-Boot is also needed.
    IMG_0017
    IMG_00171920×1080 252 KB

    IMG_0018
    IMG_00181920×1080 385 KB

    IMG_0019
    IMG_00191920×1080 326 KB
  2. Find a place to solder a JTAG connector and use a hardware debuger to boot the system and load an in memory U-Boot to DDR4.

After one of the two steps above you're in U-Boot. Dump old NAND and try to write appbootloader by TFTP.

Still don't know how to continue.