Debricking WNR2000v3 with Raspberry PI and a serial connection?

I don't actually need to debrick this WNR2000v3, I'm just trying to learn how to connect to an embedded device using a serial connection to see if I can do it. I'm not planning on using this thing as a router; just a switch! I'd like to use it's access ports and setup a trunk port into the switch in from another router with OpenWRT 19.07 on it.

I believe I have setup the wires so that they correspond to the following diagram (please let me know if I have not)...

I found this in a blog about serial connecting to another router using minicom.

pi@raspberrypi:~$ sudo -i
root@raspberrypi:~# ps -ef | grep ttyAMA0
root       818     1  0 19:34 ttyAMA0  00:00:00 /sbin/getty -L ttyAMA0 115200 vt100
root       920   913  0 19:36 pts/0    00:00:00 grep ttyAMA0
root@raspberrypi:~# kill 818
root@raspberrypi:~# minicom -b 115200 -o -D /dev/ttyAMA0

Then it says to power on the router...

Found additional information about which pin was which on the UART of the router from this page:

WNR2000v3

The serial port is at JP1: 115200 8N1 at 3.3V. Pads are, from left to right with the ethernet ports on right: [Vcc] [Tx] [Rx] [GND]

And here is the resistor I am using:

When I used minicom I did receive a bit of output, and I needed to adjust some of the settings in $HOME/.minirc.dfl to get it to work...it makes it legible by adding CR (carriage returns aka '\r') where there are NL (newlines aka '\n') see below:

# Machine-generated file - use setup menu in minicom to change parameters.
pu baudrate      115200
pu bits          7
pu parity        E
pu stopbits      1
pu addcarreturn  Yes

NOTE: (I only added the line at the bottom, the other settings were defaults from minicom)

It still doesn't seem quite right as there are extra lines...but deleting all the blank ones with vim I get this:

Login incorrect
Login incorrect
Login incorrect
Login incorrect
Login incorrect
otherpi.leerdomain.lan login: 
Login incorrect
Loading data from /dev/mtd/3 ...
The data configuration is Valid
The data center is Running ...
/etc/net6conf/6proc: /etc/net6conf/6proc: 31: cannot create /proc/sys/net/ipv6/conf/br1/accept_dad: Directory nonexistent
/etc/net6conf/6proc: /etc/net6conf/6proc: 31: cannot create /proc/sys/net/ipv6/neigh/br1/not_send_neighbor_solicitation: Directory nonexistent
ipt_CONENAT: module license 'unspecified' taints kernel.
ip_conntrack_rtsp v0.6.21 loading
ip_nat_rtsp v0.6.21 loading
ip_conntrack_proto_esp loaded
ip_nat_proto_esp loaded
ip_conntrack_pptp version 3.1 loaded
ip_nat_pptp version 3.0 loaded
Generating Rules...
Done!
rmmod: ip_nat_dnisip.ko: Success
rmmod: ip_conntrack_dnisip.ko: Success
POT is Running...
POT is Finished!!!
The POT-(Get/Set) Demo is Running ...
SN: 34W2255F001A3
WAN MAC: 84:1B:5E:73:15:7D
BOARD_HARDWARE_ID: 29763551+04+32
BOARD_MODEL_ID: wnr2kv3vc
dni-qos module init at dev:eth0, real_dev:eth0
AG7240: Length per segment 1536
AG7240: Max segments per packet 1
AG7240: Max tx descriptor count    40
AG7240: Max rx descriptor count    252
AG7240: fifo cfg 3 01f00140
AG7240CHH: Mac address for unit 0
AG7240CHH: 84:1b:5e:73:15:7d 
AG7240: init the QOS
AG7240CHH: Mac address for unit 1
AG7240CHH: 84:1b:5e:73:15:7c 
Loading DNI-ENET driver
INIT-SWITCH: Default WAN MAC is : 84:1b:5e:73:15:7d
eth1
ag7240_ring_alloc Allocated 640 at 0x81c8d800
ag7240_ring_alloc Allocated 4032 at 0x81392000
Virian MDC CFG Value ==> 4
ATHRS26: resetting s26
ATHRS26: s26 reset done
enabling the header of S26
Setting PHY...
ADDRCONF(NETDEV_UP): eth1: link is not ready
ifconfig eth1 up
vconfig add eth1 1
vconfig add eth1 2
ADDRCONF(NETDEV_UP): eth1.1: link is not ready
device eth0 entered promiscuous mode
device eth1.2 entered promiscuous mode
ag7240_ring_alloc Allocated 640 at 0x81d20c00
ag7240_ring_alloc Allocated 4032 at 0x81d26000
Virian MDC CFG Value ==> 4
Setting PHY...
ADDRCONF(NETDEV_UP): eth0: link is not ready
eth1.2: dev_set_promiscuity(master, 1)
device eth1 entered promiscuous mode
ADDRCONF(NETDEV_UP): eth1.2: link is not ready
eth1.1: dev_set_promiscuity(master, 1)
device eth1.1 entered promiscuous mode
device pas0 entered promiscuous mode
vlan-set 0
Modules already unloaded
cat: /tmp/ipv6_auto_output: No such file or directory
Sorry, rule does not exist.
Sorry, rule does not exist.
grep: /proc/pci: No such file or directory
Args: 1
ath_hal: 0.9.17.1 (AR5416, REGOPS_FUNC, WRITE_EEPROM, 11D)
wlan: 0.8.4.2 (Atheros/multi-bss)
ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Rights Reserved
insmod: ath_dfs.ko: no module by that name found
ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved
ath_pci: 0.9.4.5 (Atheros/multi-bss)
wifi0: Atheros 9287: mem=0x10000000, irq=48 hw_base=0xb0000000
wlan: mac acl policy registered
wlan_me: Version 0.1
Copyright (c) 2008 Atheros Communications, Inc. All Rights Reserved
wifi1     no private ioctls.
Creating ap for NETGEAR47 on
Added ath0 mode master
Interface doesn't accept private ioctl...
HALDbg (8BE0): Operation not permitted
IGMP_ENABLE OR NOT is: 0 ***
Invalid command : ampdumin
Created ath0 mode ap for NETGEAR47
lo        no wireless extensions.
sit0      no wireless extensions.
br0       no wireless extensions.
eth0      no wireless extensions.
eth1      no wireless extensions.
pas0      no wireless extensions.
eth1.1    no wireless extensions.
eth1.2    no wireless extensions.
br1       no wireless extensions.
wifi0     no wireless extensions.
device ath0 entered promiscuous mode
arping: interface br0 is down
>>>>> WPS MODE, 1
>>>>> WPS ENABLED, PSK
cat: /etc/wpa2/WSC_ath0.conf: No such file or directory
>>>>> WPS Translate, Index:0
Making Topology File . . .
Reading topology file /var/run/topology.conf ...
Reading bss configuration file /etc/wpa2/WSC_ath0.conf ...
$Shutting down igmpproxy: 
killall: igmpproxy: no process killed
Could not connect to kernel driver.
Using interface ath0 with hwaddr 84:1b:5e:73:15:7c and ssid 'NETGEAR47'
Sorry, rule does not exist.
Sorry, rule does not exist.
killall: igmpproxy: no process killed
device ath0 is not a slave of br1
device ath0 is already a member of a bridge; can't enslave it to bridge br0.
interface ath1 does not exist!
interface ath1 does not exist!
Country ie is US 
upnp_wps_device_init called
add_ssdp_network() ioctl errno 19 (No such device)
upnp_wps_device_stop ENTER
upnp_wps_device_deinit called
upnp_wps_device_stop ENTER
Failed to initialize UPnP state machine
Continuing with WPS UPnP disabled.
l2_packet_receive - recvfrom: Network is down
l2_packet_receive - recvfrom: Network is down
br0: port 3(ath0) entering learning state
br0: port 2(pas0) entering learning state
br0: topology change detected, propagating
br0: port 3(ath0) entering forwarding state
br0: topology change detected, propagating
br0: port 2(pas0) entering forwarding state
br0: port 3(ath0) entering disabled state
br0: port 2(pas0) entering disabled state
l2_packet_receive - recvfrom: Network is down
/etc/rc.common: eval: 13: cannot create /proc/sys/net/ipv6/neigh/eth1/not_send_neighbor_solicitation: Directory nonexistent
br0: port 3(ath0) entering learning state
br0: port 2(pas0) entering learning state
br0: topology change detected, propagating
br0: port 3(ath0) entering forwarding state
br0: topology change detected, propagating
br0: port 2(pas0) entering forwarding state
/etc/rc.common: eval: 13: cannot create /proc/sys/net/ipv6/neigh/eth1/not_send_neighbor_solicitation: Directory nonexistent
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
udhcp server (v0.9.8) started
The attached devices demo is Running ...
killall: utelnetd: no process killed
killall: telnetenable: no process killed
The telnetenable is running ...
Deleting static route ... Done!
Adding static route ... Done!
ag7240_ring_free Freeing at 0x81d20c00
ag7240_ring_free Freeing at 0x81d26000
br1: port 1(eth0) entering disabled state
ag7240_ring_alloc Allocated 640 at 0x81d20c00
ag7240_ring_alloc Allocated 4032 at 0x819a0000
Virian MDC CFG Value ==> 4
Setting PHY...
ADDRCONF(NETDEV_UP): eth0: link is not ready
Terminated
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
udhcp client (v0.9.8) started
killall: pppd: no process killed
Deleting static route ... Done!
Deleting static route ... Done!
Adding static route ... Done!
start rip process
start initial data
Sending discover...
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Sending discover...
Sending discover...
No lease, forking to background.
killall: ntpclient: no process killed
time zone index is : 21
Run NTP Client with setting: pri:time-b.netgear.com sec:time-c.netgear.com
cat: /tmp/WAN_status: No such file or directory
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
killall: miniupnpd: no process killed
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Jan  1 00:01:18 miniupnpd[1900]: listening on 192.168.1.1:5555
cp: cannot stat '/usr/www/*': No such file or directory
The region number is: 0x0001
REGION: NA
The abbreviation of English is Eng!
Didn't find the language table we need!
gui_region = English
region = English, download_region =  
 Update string table successfully, memory usage: 308KB.
The httpd server is running ...
/etc/rc.common: eval: 13: detplc: not found
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
Malformed netlink message: len=304 left=256 plen=288
256 extra bytes in the end of netlink message
AP is already up
$Shutting down igmpproxy: 
killall: igmpproxy: no process killed
Sorry, rule does not exist.
Sorry, rule does not exist.
killall: igmpproxy: no process killed
Starting Firewall...
Done!
/etc/rc.common: eval: 13: /bin: Permission denied
dnsmasq: failed to create listening socket: Address already in use
Start utelnetd by telnetenable
traffic_meter start : .
[coldplug]: Coldplug exec ('/sbin/udevtrigger') failed: No such file or directory.
[cleanup]: Waiting for children.
[cleanup]: All children terminated.
[remove_child_by_pid]: Invalid child list passed (NULL).
killall: igmpproxy: no process killed
System startup completed!
/etc/init.d/rcS: /etc/init.d/rcS: 35: cannot cr
otherpi.leerdomain.lan login: 
Boot up procedure is Finished!!!
Please press Enter to activate this console. 
BusyBox v1.4.2 (2012-05-14 13:12:36 EDT) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (7.09) -----------------------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!
 ---------------------------------------------------
root@WNR2000v3:/# 
root@WNR2000v3:/# 

However...I am unable to send input to the console. It seems as though minicom is doing that for me, as the prompt continue on and on for ever and ever....until you kill the program. You may also notice at the top it reads Login incorrect several times as well.

I'm unsure if I need to change how I am wiring this or if instead it has something to do again with minicom's $HOME/.minirc.dfl file.

That is stock firmware not OpenWrt running. I don't know if stock firmware accepts any input from the serial console.

If you disconnect the Tx and Rx wires from the router and connect them together, whatever you type should echo back on the screen. And if you break that connection no text should echo back. If that test works, the Pi is configured correctly.

2 Likes

Can you scroll to the bottom? At the bottom there is a prompt and an OpenWRT logo.

I believe it is OpenWRT because I get a prompt at the very end, see below:

...
Boot up procedure is Finished!!!
Please press Enter to activate this console. 
BusyBox v1.4.2 (2012-05-14 13:12:36 EDT) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (7.09) -----------------------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!
 ---------------------------------------------------
root@WNR2000v3:/# 
root@WNR2000v3:/# 

But I don't believe it's me pressing the enter key; it's something else.

I have a transmit wire; you'd think it would work.

That is the stock firmware. It was (even for that time) a very old version of OpenWrt with a bunch of closed-source substitutions, including the wifi drivers.

I would try a USB to serial converter to be closer to the metal. Another test would be to hit a key to interrupt the bootloader (early in the process, when it says "hit any key to stop autoboot").

1 Like

USB to serial being like an RS232?

No they're usually called USB to TTL or 3.3 volt. RS-232 operates at the wrong voltage level to connect directly to a SoC.

The connection should be separate wires and pins, not a 9 pin connector.

2 Likes

Okay, so I noticed some things...since you posted that.

In the diagram the raspberry pi has (rbpi) "3v3 Power" (3.3 volts?) <-> (rbpi) "UART RXD" <-> (router) UAR TXD; I believe this would supply the power to receive the text incoming to the pi? (is that right?)

But the (rbpi) UART TXD <-> (router) UART RXD doesn't have any power going to it from "3v3 Power", so would that result in a low signal all the time? Causing some key to always be pressed, and thus the repeating prompts?

(I don't know I'm just speculating)

Correct.

The router gets the power from its power adapter.

1 Like

I still don't understand why the prompt keeps having the enter key pressed repeatedly. That should be a tx no?

You could maybe disconnect the Tx and see what happens.

But generally and to narrow things down, I suggest that you minimize your jumper-wire connections. if you can just have one female-female for each connection, that could be cleaner.

As for the diagram, I don't know about your particular device so I can't be of specific help.

1 Like