DM200 pulled from D8500 Modem router

Hi all,

I'm in need of a little help.
I recently purchased a faulty D8500 Netgear router to try and repair. It didn't work out and the whole board has been condemned to the scrapper.

However, I was looking at the VDSL modem PCB and googled some of the part numbers. Turns out, the D8500 modem is the same board from DM200 modem with a few differences like no WAN port or LAN transformer or switches etc as everything is done over a ribbon cable.

I thought it would be a good idea to try and get this working like a proper DM200 and hack something together.

For a start, I've got the unit powering on as the switch only set the enable pin for the initial buck converter, bypassed the switch, resistor across to the enable pin, unit turns on.

However, plugging a serial adapter into the port reveals nothing, no activity.
Thought it might be a firmware issue as it would be daft to use the production DM200 firmware and it looks like I was right.

Backed up the flash from onboard SPI ROM only to find it's very short, not a lot in it so most likely just a boot loader and the rest perhaps loaded from the ribbon port.
Flashed the DM200 firmware hoping for some action and still nothing on the serial port.

The unit does have power as it gets warm and all the necessary voltages from the various supplies are there too so what else could it be?

EDIT:
Forgot to mention, it was flashed with the original Netgear firmware.

Perhaps more luck with openwrt?

EDIT 2:
What a mungbeam, just realised, I flashed the firmware image file. Pretty certain in doing so I've over written the bootloader.

Need to flash back the backup I took, solder a RJ45 and Lan transformer and see if there's anything on that.

Don't suppose anyone has got a full uboot for a DM200?

Or know how I might get one?

Suspect the uboot on mine is a special version designed to boot from ethernet rather than flash

Ok, so obviously what I'm doing here has been rarely attempted so I'll at least use this space to document my efforts.

Flashed the original backup back to the unit and booted again only this time probing the serial port for activity. Turns out the Rx and TX I had been following was backwards.

Get a nice serial output now so I know it's working and also know it's classed as a DM201 for the obvious fact it's part of a router.

Unfortunately, the device boots and is looking for a tftp image to boot. I reckon I can do that by soldering in an RJ45 jack and jumping across from the existing transformer to the pins on the board.

However it's not useful if I want to flash a permanent openwrt image because it'll always automatically try to boot from tftp. Awkward.

Can get to the VR9 CLI prompt however.

Perhaps someone can instruct if it's possible to change uboot boots method?

ROM VER: 1.1.4
CFG 05

DDR autotuning Rev 1.0
DDR size from 0xa0000000 - 0xa3ffffff
DDR check ok... start booting...



U-Boot 2010.06-12292-gb1ec1c1 (Apr 25 2016 - 10:58:40)

DM201 (hw29765392p8p0p64p0p0) UBoot-v2010.06 dni1 V0.11
CLOCK CPU 500M RAM 250M
DRAM:  64 MiB
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
8192 KiB W25Q64 at 0:3 is now current device
Net:   Internal phy(GE) firmware version: 0x8435
vr9 Switch

Type "run flash_nfs" to mount root filesystem over NFS

Hit any key to stop autoboot:  0
VR9 #
VR9 #
VR9 #
VR9 # ?
?       - alias for 'help'
base    - print or set address offset
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
chk_dniimg- check integrity of dni firmware image.
cmp     - memory compare
cp      - memory copy
crc32   - checksum calculation
echo    - echo args to console
exit    - exit script
false   - do nothing, unsuccessfully
fw_recovery- fw_recovery - start tftp server to recovery dni firmware image.

go      - start application at address 'addr'
help    - print command description/usage
loadb   - load binary file over serial line (kermit mode)
loady   - load binary file over serial line (ymodem mode)
loop    - infinite loop on address range
md      - memory display
mm      - memory modify (auto-incrementing address)
mtest   - simple RAM read/write test
mw      - memory write (fill)
nm      - memory modify (constant address)
nmrp    - nmrp - start nmrp mechanism to upgrade firmware-image or string-table.

ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
set_hw_id- Set hw_id
set_mac - Set ethernet MAC address
set_model_id- Set model_id
set_parameters- Set <serial number>, <lan mac>, <wan mac>,
set_region- Set region number
set_serial- Set serial number
setenv  - set environment variables
sf      - SPI flash sub-system
show_hw_id- Show hw_id
show_mac- Show ethernet MAC addresses
show_model_id- Show model_id
show_parameters- Show hw_id, model_id, region number, serial number, MAC address.
show_region- Show <region number> on Board
show_serial- Show <serial number> on Board
showvar - print local hushshell variables
test    - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
true    - do nothing, successfully
upgrade - upgrade - forward/backward copy memory to pre-defined flash location

version - print monitor version
VR9 #

TFTP from server 169.254.201.1; our IP address is 169.254.201.201
Filename 'DM201.img'.
Load address: 0x80800000
Loading: T T T T T T T T T T

@Dazmatic following with interest, any chance you could paste the uboot environment variables with printenv?

It may be using RARP not TFTP to try and boot the dm201.img, as wikipedia states:

The Reverse Address Resolution Protocol (RARP) is an obsolete computer networking protocol used by a client computer to request its Internet Protocol (IPv4) address from a computer network, when all it has available is its link layer or hardware address, such as a MAC address.

So the other part of the D8500 may offer the DM201 firmware via RARP/TFTP.
This would suggest two MAC addresses.
Binwalk of D8500 firmware may produce the needed DM201.img or it may be on the netgear sourcecode

Hit any key to stop autoboot:  0
VR9 # printenv
bootcmd=tftpboot $loadaddr DM201.img;bootm $loadaddr
bootdelay=2
baudrate=115200
preboot=echo;echo Type \"run flash_nfs\" to mount root filesystem over NFS;echo
bootfile="uImage"
mem=62M
phym=64M
ipaddr=169.254.201.201
serverip=169.254.201.1
ethaddr=00:01:01:c9:c9:c9
netdev=eth0
console=ttyLTQ0
tftppath=
loadaddr=0x80800000
rootpath=/mnt/full_fs
rootfsmtd=/dev/mtdblock3
nfsargs=
ramargs=setenv bootargs root=/dev/ram rw
addip=setenv bootargs $(bootargs) ip=$(ipaddr):$(serverip):$(gatewayip):$(netmask):$(hostname):$(netdev):on
addmisc=setenv bootargs $(bootargs) console=$(console),$(baudrate) ethaddr=$(ethaddr) mem=$(mem) panic=1 mtdparts=$(mtdparts) init=/etc/preinit vpe1_load_addr=0x83f00000 vpe1_mem=1M ubootver=$(ver)
flash_nfs=
net_nfs=
net_flash=
net_ram=tftp $(loadaddr) $(tftppath)$(bootfile);run ramargs addip addmisc;bootm
u-boot=u-boot.ltq
rootfs=rootfs.img
firmware=firmware.img
fullimage=fullimage.img
totalimage=totalimage.img
load=tftp $(loadaddr) $(u-boot)
update=protect off 1:0-2;era 1:0-2;cp.b $(loadaddr) B0000000 $(filesize)
flashargs=setenv bootargs root=$(rootfsmtd) ro rootfstype=squashfs quiet
flash_flash=sf probe 3;sf read $(loadaddr) $(f_kernel_addr) $(f_kernel_size);run flashargs addip addmisc;bootm $(loadaddr); run update_fullimage; reset
update_uboot=tftpboot $(loadaddr) $(tftppath)$(u-boot);sf probe 0:3;sf erase 0 10000;sf write $(loadaddr) 0 $(filesize);run reset_sysconfig;reset
update_kernel=tftpboot $(loadaddr) $(tftppath)$(bootfile);upgrade $(loadaddr) $(filesize)
update_bootloader=run update_uboot;run update_gphyfirmware
update_rootfs=tftpboot $(loadaddr) $(tftppath)$(rootfs);upgrade $(loadaddr) $(filesize)
update_firmware=tftpboot $(loadaddr) $(tftppath)$(firmware);upgrade $(loadaddr) $(filesize)
update_fullimage=tftpboot $(loadaddr) $(tftppath)$(fullimage);upgrade $(loadaddr) $(filesize)
update_totalimage=tftpboot $(loadaddr) $(tftppath)$(totalimage);upgrade $(loadaddr) $(filesize)
reset_uboot_config=sf probe 3; sf write 80400000 $(f_ubootconfig_addr) $(f_ubootconfig_size)
reset_ddr_config=sf probe 3; sf write 80400000 $(f_ddrconfig_addr) $(f_ddrconfig_size)
reset_sysconfig=sf probe 3;sf erase $(f_sysconfig_addr) 10000
mtdparts=ltq_sflash:64k(uboot),64k(gphyfirmware),512k(firmware),13568k(rootfs),2048k(data),64k(sysconfig),8k(ubootconfig),4k(dectconfig),8k(wlanconfig),-(res)
part0_begin=0x00000000
part1_begin=0x00020000
part2_begin=0x000A0000
total_part=3
flash_end=0x007FFFFF
data_block0=uboot
data_block1=firmware
data_block2=rootfs
data_block3=kernel
data_block4=sysconfig
data_block5=ubootconfig
data_block6=dectconfig
data_block7=wlanconfig
total_db=8
f_uboot_addr=0x00000000
f_uboot_size=0
f_ubootconfig_addr=0x007F0000
f_ubootconfig_size=0x2000
f_ubootconfig_end=0x007F1FFF
f_gphy_firmware_addr=IFX_CFG_FLASH_GPHY_FIRMWARE_IMAGE_START_ADDR
f_gphy_firmware_size=IFX_CFG_FLASH_GPHY_FIRMWARE_IMAGE_SIZE
f_gphy_firmware_end=IFX_CFG_FLASH_GPHY_FIRMWARE_IMAGE_END_ADDR
f_kernel_addr=0x007DFFFF
f_kernel_size=0
f_kernel_end=IFX_CFG_FLASH_KERNEL_IMAGE_END_ADDR
f_rootfs_addr=0x000A0000
f_rootfs_size=0
f_rootfs_end=IFX_CFG_FLASH_ROOTFS_IMAGE_END_ADDR
f_firmware_addr=0x00020000
f_firmware_size=0
f_fwdiag_addr=IFX_CFG_FLASH_FIRMWARE_DIAG_START_ADDR
f_fwdiag_size=IFX_CFG_FLASH_FIRMWARE_DIAG_SIZE
f_sysconfig_addr=0x007E0000
f_sysconfig_size=0x10000
f_dectconfig_addr=0x007F2000
f_dectconfig_size=0x1000
f_wlanconfig_addr= 0x007F3000
f_wlanconfig_size=0x2000
f_ddrconfig_addr=0x0001FFE0
f_ddrconfig_size=32
f_ddrconfig_end=0x0001ffff
f_data_addr=IFX_CFG_FLASH_DATA_IMAGE_START_ADDR
f_data_size=IFX_CFG_FLASH_DATA_IMAGE_SIZE
f_data_end=IFX_CFG_FLASH_DATA_IMAGE_END_ADDR
dni_tftp_uboot=tftpboot $loadaddr u-boot.ltq;crc32 $loadaddr $filesize
dni_burn_uboot=sf probe 0:3;sf write $loadaddr 0 $filesize;sf erase 0x007e0000 10000;sf erase 0x007f0000 0x02000
stdin=serial
stdout=serial
stderr=serial
ver=U-Boot-2010.06-12292-gb1ec1c1
ethact=vr9 Switch

Environment size: 3916/8188 bytes
VR9 #

I'm struggling to get an ethernet port working.

Looks like there's 2 on the device, 1x 1gbit over the FPC connector and 1x 10/100T RJ45 port.

I've nicked an RJ45 port from the dead D8500 and soldered that but I cannot for the life of me find a 12 pin LAN transformer anywhere online, like they don't exist anymore. Well, at least those that have a separate center tapping on the transformers, everything I've found have joined center taps and pins 6/7 aren't connected.

Tried jumpering from the traffo on the 1gbit directly to the RJ45 but no luck there.

So I've managed to bodge the ethernet port to work. Nicked a traffo off another board and bent the pins into the correct orientation and now I've got a working ethernet port.

Been able to get the TFTP client on the board to download a DM200 firmware image but it won't take because the board ID is different.

Mad thing is, it then goes into a TFTP server firmware recovery mode to write the firmware to flash and goes from client mode to server so I can then push files to it.

Tried changing the board ID in hex but obviously that then messes with the CRC.

Need a DM200 image with the DM201 board ID, or change the board ID in uboot

Filename 'DM201.img'.
Load address: 0x80800000
Loading: #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         ############################################
done
Bytes transferred = 7311489 (6f9081 hex)
Wrong Image Format for bootm command

The Router is in TFTP Server Firmware Recovery mode NOW!
Listening on Port : 69, IP Address: 169.254.201.201 ...
Done!
Bytes transferred = 20963169 (13fdf61 hex)
HW ID on board: 29765392+8+0+64+0+0
HW ID on image: 29765233+8+0+64+0+0
Firmware Image HW ID do not match Board HW ID
Board HW ID mismatch,it is forbidden to be written to flash!!

So, I managed to find the DM201 firmware image from the D8500 firmware I binwalked a while ago and set up a tftp server on my machine and as soon as the unit is turned on it it pulls the image down and boots!

Only issue is, after it's booted I can no longer communicate with it over ethernet. I can get to a Busybox prompt and query the IP addresses but there's 13 interfaces and none of them have an address which is bizarre unless it's expecting to receive one from DHCP in the D8500 router itself and my linux skills are limited in that I'd need to figure out how to set one.

On the flipside however, I browsing directories I think there's a web interface as the www directory is cramed with files. Unfortuantely I can't connect without an IP.

Also, obviously, there's 2 ethernet interfaces, one on the ribbon and one on the jack but I've not idea which bridge goes to where so I'll need to figure that out, whether it automatically bridges the wan to both lan ports or what.

Bootlog

U-Boot 2010.06-12292-gb1ec1c1 (Apr 25 2016 - 10:58:40)

DM201 (hw29765392p8p0p64p0p0) UBoot-v2010.06 dni1 V0.11
CLOCK CPU 500M RAM 250M
DRAM:  64 MiB
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
8192 KiB W25Q64 at 0:3 is now current device
Net:   Internal phy(GE) firmware version: 0x8435
vr9 Switch

Type "run flash_nfs" to mount root filesystem over NFS

Hit any key to stop autoboot:  0
Using vr9 Switch device
TFTP from server 169.254.201.1; our IP address is 169.254.201.201
Filename 'DM201.img'.
Load address: 0x80800000
Loading: T #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         ######################################################
done
Bytes transferred = 6510992 (635990 hex)
## Booting kernel from Legacy Image at 80800000 ...
   Image Name:   MIPS LTQCPE Linux-3.10.12
   Created:      2016-10-10  13:18:08 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    6510928 Bytes = 6.2 MiB
   Load Address: 80002000
   Entry Point:  8000a970
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK

Starting kernel ...

[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Linux version 3.10.12 (roger.luo@dni-l-sw02) (gcc version 4.8.1 2                                     0130401 (prerelease) (Linaro GCC 4.8-2013.04) ) #2 Mon Oct 10 09:18:01 EDT 2016
[    0.000000] SoC: xRX200 rev 1.2
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019556 (MIPS 34Kc)
[    0.000000] adding memory size:66060288 from DT
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 03f00000 @ 00000000 (usable)
[    0.000000] User-defined physical RAM map:
[    0.000000]  memory: 03e00000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x00000000-0x03dfffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00000000-0x03dfffff]
[    0.000000] Primary instruction cache 32kB, 4-way, VIPT, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32                                      bytes
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pag                                     es: 15748
[    0.000000] Kernel command line: root=/dev/mtdblock4 ro rootfstype=squashfs i                                     p=192.168.1.1:192.168.1.10::::eth0:on console=ttyLTQ0,115200 ethaddr=00:E0:92:00                                     :01:40 mem=62M panic=1 mtdparts=ltq_sflash:128k(uboot),64k(gphyfirmware),1600k(k                                     ernel),960k(firmware),4672k(rootfs),7232k@0x30000(image),64k(dniconfig),64k(log)                                     ,512k(language),64k(sysconfig),8k(ubootconfig),4k(ART),4k(pot),-(ret) init=/etc/                                     preinit vpe1_load_addr=0x83f00000 vpe1_mem=1M ubootver=U-Boot-2010.06-LANTIQ-v-2                                     .3.16.1
[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Writing ErrCtl register=00001970
[    0.000000] Readback ErrCtl register=00001970
[    0.000000] allocated 126976 bytes of page_cgroup
[    0.000000] please try 'cgroup_disable=memory' option if you don't want memor                                     y cgroups
[    0.000000] Memory: 52760k/63488k available (3730k kernel code, 10728k reserv                                     ed, 957k data, 4900k init, 0k highmem)
[    0.000000] NR_IRQS:256
[    0.000000] Setting up vectored interrupts
[    0.000000] CPU Clock: 500MHz
[    0.000000] Calibrating delay loop... 331.77 BogoMIPS (lpj=1658880)
[    0.060000] pid_max: default: 32768 minimum: 301
[    0.060000] Mount-cache hash table entries: 512
[    0.070000] Initializing cgroup subsys memory
[    0.070000] pinctrl core: initialized pinctrl subsystem
[    0.080000] NET: Registered protocol family 16
[    0.090000] dma-xway 1e104100.dma: Init done - hw rev: 7, ports: 7, channels:                                      28
[    0.100000] pinctrl-xway 1e100b10.pinmux: Init done
[    0.100000] Init done
[    0.110000] gpio-stp-xway 1e100bb0.stp: Init done
[    0.110000] !!!! WAVE400 system registeration not needed !!!!
[    0.120000] dcdc-xrx200 1f106a00.dcdc: Core Voltage : 1016 mV
[    0.730000] pcie_wait_phy_link_up port 0 timeout
[    1.240000] pcie_wait_phy_link_up port 0 timeout
[    1.750000] pcie_wait_phy_link_up port 0 timeout
[    2.260000] pcie_wait_phy_link_up port 0 timeout
[    2.770000] pcie_wait_phy_link_up port 0 timeout
[    2.780000] pcie_rc_initialize port 0 link up failed!!!!!
[    2.780000] Lantiq PCIe Root Complex Driver - 2.0.3
[    2.790000] Copyright(c) 2009 - 2013 LANTIQ DEUTSCHLAND GMBH
[    2.810000] bio: create slab <bio-0> at 0
[    2.820000] SCSI subsystem initialized
[    2.820000] NET: Registered protocol family 8
[    2.830000] NET: Registered protocol family 20
[    2.830000] Switching to clocksource MIPS
[    2.840000] NET: Registered protocol family 2
[    2.840000] TCP established hash table entries: 512 (order: 0, 4096 bytes)
[    2.840000] TCP bind hash table entries: 512 (order: -1, 2048 bytes)
[    2.850000] TCP: Hash tables configured (established 512 bind 512)
[    2.850000] TCP: reno registered
[    2.860000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    2.860000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    2.870000] NET: Registered protocol family 1
[   10.650000] gptu: totally 6 16-bit timers/counters
[   10.650000] gptu: misc_register on minor 63
[   10.660000] gptu: succeeded to request irq 126
[   10.660000] gptu: succeeded to request irq 127
[   10.670000] gptu: succeeded to request irq 128
[   10.670000] gptu: succeeded to request irq 129
[   10.680000] gptu: succeeded to request irq 130
[   10.680000] gptu: succeeded to request irq 131
[   10.710000] vpe1_mem = 100000
[   10.720000] Wired TLB entries for Linux read_c0_wired() = 0
[   10.750000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[   10.760000] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORIT                                     Y) (c) 2001-2006 Red Hat, Inc.
[   10.770000] msgmni has been set to 103
[   10.780000] io scheduler noop registered
[   10.780000] io scheduler deadline registered (default)
[   10.810000] lantiq,asc 1e100c00.serial: pins are not configured from the driv                                     er
[   10.820000] 1e100c00.serial: ttyLTQ0 at MMIO 0x1e100c00 (irq = 112) is a lant                                     iq,asc
[   10.840000] console [ttyLTQ0] enabled, bootconsole disabled
[   10.840000] console [ttyLTQ0] enabled, bootconsole disabled
[   10.890000] loop: module loaded
[   10.930000] Lantiq SoC SSC controller rev 8 (TXFS 8, RXFS 8, DMA 1)
[   10.940000] 14 cmdlinepart partitions found on MTD device ltq_sflash
[   10.940000] Creating 14 MTD partitions on "ltq_sflash":
[   10.950000] 0x000000000000-0x000000020000 : "uboot"
[   11.000000] 0x000000020000-0x000000030000 : "gphyfirmware"
[   11.020000] 0x000000030000-0x0000001c0000 : "kernel"
[   11.040000] 0x0000001c0000-0x0000002b0000 : "firmware"
[   11.060000] 0x0000002b0000-0x000000740000 : "rootfs"
[   11.080000] mtd: partition "rootfs" set to be root filesystem
[   11.200000] 0x000000030000-0x000000740000 : "image"
[   11.200000] 0x000000740000-0x000000750000 : "dniconfig"
[   11.230000] 0x000000750000-0x000000760000 : "log"
[   11.260000] 0x000000760000-0x0000007e0000 : "language"
[   11.290000] 0x0000007e0000-0x0000007f0000 : "sysconfig"
[   11.300000] 0x0000007f0000-0x0000007f2000 : "ubootconfig"
[   11.330000] 0x0000007f2000-0x0000007f3000 : "ART"
[   11.350000] 0x0000007f3000-0x0000007f4000 : "pot"
[   11.370000] 0x0000007f4000-0x000000800000 : "ret"
[   11.390000] ltq_sflash ver 1.2.3
[   11.440000] IMQ driver loaded successfully. (numdevs = 3, numqueues = 1)
[   11.440000]  Hooking IMQ after NAT on PREROUTING.
[   11.450000]  Hooking IMQ after NAT on POSTROUTING.
[   11.520000] Lantiq VRX318 Version 2.0.0
[   11.530000] LTQ ETH SWITCH API, Version 2.0.1.
[   11.530000] SWAPI: Registered char device [switch_api] with major no [81]
[   11.540000] Switch API: PCE MicroCode loaded !!
[   11.560000] phy_port_nos[0]:0, phy_fw_type[0]:0
[   11.560000] phy_port_nos[1]:0, phy_fw_type[1]:0
[   11.570000] gphy_driver_init: fw_mode:11G-FW, no of phys:2, mode:0
[   11.580000] PPP generic driver version 2.4.2
[   11.590000] PPP BSD Compression module registered
[   11.590000] PPP Deflate Compression module registered
[   11.600000] PPP MPPE Compression module registered
[   11.600000] NET: Registered protocol family 24
[   11.600000] res = 8394a300
[   11.610000] wdt 1f8803f0.watchdog: Init done
[   11.630000] leds-gpio gpio-leds.9: pins are not configured from the driver
[   11.690000] Lantiq DEU driver version 2.0.0
[   11.690000] LTQ DEU DES initialized.
[   11.700000] LTQ DEU AES initialized.
[   11.700000] LTQ DEU ARC4 initialized
[   11.710000] LTQ DEU SHA1 initialized
[   11.710000] LTQ DEU MD5 initialized
[   11.710000] LTQ DEU SHA1_HMAC initialized
[   11.720000] LTQ DEU MD5_HMAC initialized
[   11.720000] DEU driver initialization complete!
[   11.730000] nf_conntrack version 0.5.0 (824 buckets, 3296 max)
[   11.730000] nf_conntrack_rtsp v0.6.21 loading
[   11.740000] xt_time: kernel timezone is -0000
[   11.740000] ipip: IPv4 over IPv4 tunneling driver
[   11.760000] nf_nat_rtsp v0.6.21 loading
[   11.760000] ip_tables: (C) 2000-2006 Netfilter Core Team
[   11.770000] TCP: cubic registered
[   11.770000] Initializing XFRM netlink socket
[   11.780000] NET: Registered protocol family 10
[   11.780000] sit: IPv6 over IPv4 tunneling driver
[   11.790000] NET: Registered protocol family 17
[   11.790000] NET: Registered protocol family 15
[   11.800000] Bridge firewalling registered
[   11.800000] Ebtables v2.0 registered
[   11.800000] lec:lane_module_init: lec.c: initialized
[   11.810000] mpoa:atm_mpoa_init: mpc.c: initialized
[   11.810000] KOAM is loaded successfully.
[   11.820000] 8021q: 802.1Q VLAN Support v1.8
[   11.880000] Freeing unused kernel memory: 4900K (80497000 - 80960000)
rootdir=/
table='/etc/device_table.txt'
makedevs: line 40: can't create node dev/pts/0: Operation not permitted
makedevs: line 40: can't create node dev/pts/1: Operation not permitted
makedevs: line 59: can't create node dev/null: File exists
makedevs: line 60: can't create node dev/zero: File exists
makedevs: line 61: can't create node dev/random: File exists
makedevs: line 62: can't create node dev/urandom: File exists
makedevs: line 64: can't create node dev/ram: File exists
makedevs: line 67: can't create node dev/console: File exists
makedevs: line 68: can't create node dev/tty: File exists
makedevs: line 69: can't create node dev/tty0: File exists
makedevs: line 69: can't create node dev/tty1: File exists
makedevs: line 108: can't create node dev/vcc/: File exists
makedevs: line 110: can't create node dev/vc/: File exists
starting pid 334, tty '': '/etc/init.d/rcS S boot'

Please press Enter to activate this console. [   12.140000] ltq_swreset_driver_p                                     robe !!
[   12.150000] ltq_swreset driver_probe: swreset_pin = 207, swreset_bit = 1
[   12.150000] Initializing swreset
[   12.180000] sw_reset_open is invoked
Loading data from /dev/mtd6 ...

Fail!

Resetting to default values ...

The data center is Running ...

sn:NPE16C5X0019D
SN: NPE16C5X0019D
LAN MAC is invalid, please set in in bootloader
WAN MAC is invalid, please set in in bootloader
DM201 do not save the changed data...
Done!

Generating Rules...
Done!
user obj count 2
[   13.320000] Loading E5 (MII0/1) driver ...... Succeeded!
[   13.360000] PPE datapath driver info:
[   13.360000]   Version ID: 64.3.3.1.0.1.1
[   13.360000]   Family    : VR9
[   13.360000]   DR Type   : Normal Data Path | Indirect-Fast Path
[   13.360000]   Interface : MII0 | MII1
[   13.360000]   Mode      : Routing
[   13.360000]   Release   : 0.1.1
[   13.390000] PPE 0 firmware info:
  Version ID: 7.3.2.16.0
  Family    : VR9
  FW Package: E1
  Release   : 2.16.0
PPE 1 firmware info:
  Version ID: 7.5.2.16.1
  Family    : VR9
  FW Package: D5
  Release   : 2.16.1
PPE firmware feature:
  ATM/PTM TC-Layer Bonding        Support
  L2 Trunking                     Support
  Packet Acceleration             Support
  IPv4                            Support
  IPv6                            Support
  6RD                             Support
  DS-Lite                        PPA API --- init successfully
 Polling Interval = 60
 Priority Threshold = 7
 Byte Rate based Management = 1
 Packet Rate based Management = 0
 Poll history = 1
 Maximum delete sessions = 30
 Mode = 0

 [do_ioctl_cmd] : ioctl failed. (errno=14)

 [do_ioctl_cmd] : ioctl failed. (errno=14)

 [do_ioctl_cmd] : ioctl failed. (errno=14)

 [do_ioctl_cmd] : ioctl failed. (errno=14)

 [do_ioctl_cmd] : ioctl failed. (errno=14)
[   14.800000] echo: The scan_unevictable_pages sysctl/node-interface has been d                                     isabled for lack of a legitimate use case.  If you have one, please send an emai                                     l to linux-mm@kvack.org.
Cgroups related daemons started
set mcast listen ok
[   17.490000] gphy-fw gphy-fw.10: proc_write_phy_fw:   Found:VR9 V1.2 GPHY GE                                       FW
[   17.500000] gphy-fw gphy-fw.10: booting GPHY0 firmware at 14E0000 for VR9
[   17.510000] gphy-fw gphy-fw.10: booting GPHY1 firmware at 14E0000 for VR9
[   17.520000] ltq_gphy_firmware_config: fw_mode:11G-FW, no of phys:2,data_ptr:1                                     4E0000
[   17.720000] IFXOS, Version 1.5.19 (c) Copyright 2009, Lantiq Deutschland GmbH
[   17.950000] ppa_init - init succeeded
BR_MAC_ADDR= 00:01:01:c9:c9:c9
[   18.270000] IPv6: ADDRCONF(NETDEV_UP): br0: link is not ready
[   18.320000] device eth0 entered promiscuous mode
[   18.340000] br0: port 1(eth0) entered forwarding state
[   18.340000] br0: port 1(eth0) entered forwarding state
[   18.340000] IPv6: ADDRCONF(NETDEV_CHANGE): br0: link becomes ready
[   18.610000] br0: port 1(eth0) entered disabled state
[   18.680000] br0: port 1(eth0) entered forwarding state
[   18.690000] br0: port 1(eth0) entered forwarding state
Switch Init done
disable ppa for DM201
disable ppa for DM201
[   19.690000] br0: port 1(eth0) entered forwarding state
[   20.120000] Lantiq (VRX) DSL CPE MEI driver, version 1.4.8.5, (c) 2013 Lantiq                                      Deutschland GmbH
[   20.780000]
[   20.780000]
[   20.780000] Lantiq CPE API Driver version: DSL CPE API V4.16.6.3
[   20.780000]
[   20.780000] Predefined debug level: 3
DM201 do not save the changed data...
Done!

ltq_cpe_control_init.sh: DSL related system status:
ltq_cpe_control_init.sh:   L2 vectoring = 1
ltq_cpe_control_init.sh:   bonding      = 0
sh: 2: unknown operand
ltq_cpe_control_init.sh: ERROR processing LAN IP-Address  (no test and debug fun                                     ctionality available)!
sh: 2: unknown operand
ltq_cpe_control_init.sh: TestCfg: xTSE=05_00_04_00_0C_01_00_07
ltq_cpe_control_init.sh: TestCfg: RETX_ENA_DS=1
ltq_cpe_control_init.sh: TestCfg: RETX_ENA_US=1
ltq_cpe_control_init.sh: Problem with pipe handling, exit dsl_cpe_control startu                                     p!!!
nReturn=0

ltq_cpe_control_init.sh: G.Vector (best fitting, automatic MEI Driver mode)
ltq_cpe_control_init.sh: Setting PLL offset to -30 ppm (VRX220)
nReturn=0

ltq_cpe_control_init.sh: TestCfg: xDSL_Cfg_VdslProfileVal=7F
ltq_cpe_control_init.sh: Firmware ready wait time 0 sec.
nReturn=0

nReturn=0 nDirection=0
nReturn=0 nDirection=1
mkdir: can't create directory '/dev/pts': File exists
mknod: /dev/ptmx: File exists
mknod: /dev/pts/0: Operation not permitted
mknod: /dev/pts/1: Operation not permitted
Can't open the socket!
[   35.370000] IPv6: ADDRCONF(NETDEV_UP): brwan: link is not ready
WAN mode 'vdsl_ptm' already configured.
To force configure the WAN, execute with option 'start_wan_configure'
Written 'wan_mode=vdsl_ptm' to config file.
Written 'conn_type=dhcp' to config file.
Written 'vlan=' to config file.
Written 'pri=' to config file.
To start the WAN with these values, execute with the option 'start_connection'.
Creating connection..
disable ppa for DM201
[   36.850000] device ptm0 entered promiscuous mode
[   36.850000] br0: port 2(ptm0) entered forwarding state
[   36.860000] br0: port 2(ptm0) entered forwarding state
DM201 do not save the changed data...
Done!

Stopping Firewall...
Failed to stop the firewall!
ls: /etc/net-wall/scripts/*.rule: No such file or directory
Generating Rules...
Done!
Starting Firewall...
ls: /etc/net-wall/scripts/*.rule: No such file or directory
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
[   37.860000] br0: port 2(ptm0) entered forwarding state
POT is Running...
POT is Finished!!!
The POT-(Get/Set) Demo is Running ...
[   43.650000] ltq_temp: Lantiq Temperature Sensor Driver, Version 1.0.5 (c) Cop                                     yright 2014, Lantiq Deutschland GmbH
[   43.870000] ltq_pmcu: PMCU Lantiq Power Management Control Unit, Version 1.2.                                     2 (c) Copyright 2014, Lantiq Deutschland GmbH
Create PMCU device node
PM_UTIL Version 1.3.3
[ipc init](5): [ipc/ipc.c:60] bind successfully ...
[ipc get_hwaddr](4): [ipc/ipc.c:144] if_name:eth0
[DM201]***boot done***
[   95.240000] DSL[00]: Reboot on training timeout (60)!!!
xDSL Leave SHOWTIME!!
nReturn=0 nDirection=0
nReturn=0 nDirection=1
[  278.360000] DSL[00]: Reboot on training timeout (180)!!!
xDSL Leave SHOWTIME!!
nReturn=0 nDirection=0
nReturn=0 nDirection=1
[  361.750000] DSL[00]: Reboot on training timeout (60)!!!
xDSL Leave SHOWTIME!!
nReturn=0 nDirection=0
nReturn=0 nDirection=1
[  545.860000] DSL[00]: Reboot on training timeout (180)!!!
xDSL Leave SHOWTIME!!
nReturn=0 nDirection=0
nReturn=0 nDirection=1
[  610.250000] DSL[00]: Reboot on training timeout (60)!!!
xDSL Leave SHOWTIME!!
nReturn=0 nDirection=0
nReturn=0 nDirection=1
BusyBox v1.17.1 (2016-10-10 06:44:22 EDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 ATTITUDE ADJUSTMENT (Attitude Adjustment, 12.09_ltq)
 -----------------------------------------------------
  * 1/4 oz Vodka      Pour all ingredients into mixing
  * 1/4 oz Gin        tin with ice, strain into glass.
  * 1/4 oz Amaretto
  * 1/4 oz Triple sec
  * 1/4 oz Peach schnapps
  * 1/4 oz Sour mix
  * 1 splash Cranberry juice
 -----------------------------------------------------
root@DM201:/# ip
Usage: ip [ OPTIONS ] OBJECT { COMMAND | help }
       ip [ -force ] -batch filename
where  OBJECT := { link | addr | addrlabel | route | rule | neigh | ntable |
                   tunnel | tuntap | maddr | mroute | mrule | monitor | xfrm }
       OPTIONS := { -V[ersion] | -s[tatistics] | -d[etails] | -r[esolve] |
                    -f[amily] { inet | inet6 | ipx | dnet | link } |
                    -l[oops] { maximum-addr-flush-attempts } |
                    -o[neline] | -t[imestamp] | -b[atch] [filename] |
                    -rc[vbuf] [size]}
root@DM201:/# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN qlen 32
    link/ether ce:0d:a8:02:58:49 brd ff:ff:ff:ff:ff:ff
3: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN qlen 32
    link/ether 5e:c6:fe:b9:4a:65 brd ff:ff:ff:ff:ff:ff
4: imq0: <NOARP> mtu 16000 qdisc noop state DOWN qlen 11000
    link/void
5: imq1: <NOARP> mtu 16000 qdisc noop state DOWN qlen 11000
    link/void
6: imq2: <NOARP> mtu 16000 qdisc noop state DOWN qlen 11000
    link/void
7: tunl0: <NOARP> mtu 0 qdisc noop state DOWN
    link/ipip 0.0.0.0 brd 0.0.0.0
8: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
    link/sit 0.0.0.0 brd 0.0.0.0
9: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0                                      state UNKNOWN qlen 1000
    link/ether 00:01:01:c9:c9:c9 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::201:1ff:fec9:c9c9/64 scope link
       valid_lft forever preferred_lft forever
10: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:20:da:86:23:75 brd ff:ff:ff:ff:ff:ff
11: ptm0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0                                      state UNKNOWN qlen 1000
    link/ether 00:03:7f:dc:24:18 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::203:7fff:fedc:2418/64 scope link
       valid_lft forever preferred_lft forever
12: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:01:01:c9:c9:c9 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::201:1ff:fec9:c9c9/64 scope link
       valid_lft forever preferred_lft forever
13: brwan: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN```

I'm stumped.

I need to change the Uboot to allow me to boot the DM200 image and I don't know how. Or, obtain a DM200 Uboot from source but setting up a system to compile on is a lot of effort.

All this flashing about has resulted in me killing the W25Q64FV flash, so I've bought some more but to be honest I'm out of my depth here.

Thought this would be fun to get a working modem out of this dead router but it's just turning into a pain.

So as crazy as this is, I've built an old Ubuntu 14.04 machine and compiled the Netgear firmware from source.

I've got a Uboot.ltq file which presumably is the Uboot. Is it enough to flash this Uboot to the SPI flash and then flash the firmware image from Uboot directly?

Or do I need the gphy firmware as well?

Looks like the image I took of the original DM201 contains the Uboot and gphy with a config partition towards the end.

I'm not sure how firmware images work so would appreciate a little help. Ideally need an image with all of the partitions pre assembled including Uboot that I can just flash to the SPI flash and go.

Programming the uboot.ltq to the flash didn't work, granted it booted as far as the DDR timing section and just got stuck in a loop.

Edit:

Weird, the uboot.ltq should work as a standalone bootloader.

I'll try compiling an older version of the DM200 firmware and see if there's a bootloader to come from that and if there is, program it and try it.