Flashing ART partition WNDR3800

Hello all,
I'd like to attempt a fix for a WNDR3800 I've kept that has a erased ART partition. Related to my old thread here.

I'm planning on using the ART files found from this github thread. I believe they're originally from @hnyman dump of firmware for other projects. I realize this will not be great for wifi but still better than none in my reasoning.

I'm planning on following these instructions. Any things to watch out for or unexpected things to watch out for?

My original art copies are still available in the original place, in the download site for my WNDR3700v1/v2/3800 community build. See link at:

There in the directory "art partition binary contents" you can find the original art copy taken from my own routers.

It also contains a subdirectory "firmware_with_no_write_protection" that has a WNDR3800 firmware image with art partition unlocked (or actually, available for unlocking). See "firmware_with_no_write_protection" directory...
(That firmware is Chaos Calmer from 2015, but should still work for this purpose. Better to flash it using default config, without saving settings...)

There is also a walk-through/example of the process of unlocking "art" for writing:

root@OpenWrt2:~# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00050000 00010000 "u-boot"
mtd1: 00020000 00010000 "u-boot-env"
mtd2: 00780000 00010000 "firmware"
mtd3: 00118440 00010000 "kernel"
mtd4: 00667bc0 00010000 "rootfs"
mtd5: 00190000 00010000 "rootfs_data"
mtd6: 00010000 00010000 "art"

Behaviour in normal write-protected firmware:
---------------------------------------------

root@OpenWrt2:~# mtd unlock u-boot
Could not open mtd device: u-boot
Could not open mtd device: u-boot

root@OpenWrt2:~# mtd unlock firmware
Unlocking firmware ...

root@OpenWrt2:~# mtd unlock art
Could not open mtd device: art
Could not open mtd device: art


Behaviour in this firmware:
---------------------------

root@OpenWrt2:~# mtd unlock u-boot
Unlocking u-boot ...

root@OpenWrt2:~# mtd unlock firmware
Unlocking firmware ...

root@OpenWrt2:~# mtd unlock art
Unlocking art ...

Then you can flash art by using mtd.

EDIT:
I should maybe compile an updated year 2020 version of the firmware with ath79, to replace the ancient ar71xx CC15.05 based one. But the old firmware is still adequate for the single task of being able to write into "art" partition.

3 Likes

alright @hnyman as usual thanks for the detailed information, I've read what you wrote and grabbed the appropriate files you pointed to. I noticed a "firmware_Dec2020_no_write_protection" folder in the dropbox which I can only assume is you updating the firmware to ath79 like you mentioned.

As far as the actual flashing the openwrt page is correct?
something like:

mtd -r write /tmp/art.backup art

after moving the file over to the unit's tmp storage right?
What sort of risks should I be aware of if I do this wrong? Considering there's no functioning Art partition currently, worst I'd have is a bricked router right?
which I should be able to serial boot still right?

stupid question but which file do I want to flash the art partition back for the WNDR3800 ?

Looks ok. Although there is no actual need to force an immediate reboot with "-r".
(and remember to unlock art first)

In addition to the wifi calibration, the early part of art contains the router's serial number, MACs etc. Like I explain in the art_header_explanation.txt readme file.

All that data is just device-specific ID data, but nothing that would prevent you from booting. art does not contain any binaries to be run, or similar. So, the risks are rather small, I think.

Naturally a copy of an WNDR3800's art (and not 3700v1 or 3700v2).
Just grab the wndr3800_mtd5_art_edit.bin file from the art partition binary contents dir.

It is a copy of my own WNDR3800, except the MACs and pws that I slightly edited. See the explanation of the first few bytes from art_header_explanation.txt copied below.

You can hexedit the file if you want the Netgear firmware config values (wifi name, pw, serial) to match the stickers on your router. If you know your original MACs, you could also edit them.

00000000  74 44 01 02 a3 e7 74 44 01 02 a3 e8 74 44 01 02 a3 e9 31 32 33 34 35 36  tD  £çtD  £ètD  £é123456
00000018  37 38 32 4d 31 32 33 43 34 56 35 36 37 38 45 00 02 32 39 37 36 33 36 35  782M123C4V5678E  2976365
00000030  34 2b 31 36 2b 31 32 38 57 4e 44 52 33 38 30 30 00 00 4e 45 54 47 45 41  4+16+128WNDR3800  NETGEA
00000048  52 30 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  R03                     
00000060  00 00 63 6c 6f 75 64 79 70 6f 6e 64 33 33 33 00 00 00 00 00 00 00 00 00    cloudypond333         
00000078  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                          

Explanations:
74 44 01 02 a3 e7         ETH0 MAC  / WLAN0 MAC   (also in the label in router's bottom)
74 44 01 02 a3 e8         ETH1 MAC
74 44 01 02 a3 e9         WLAN1 MAC
31 32 33 34 35 36 37 38   WPS PIN code
32 4d 31 32 33 43 34 56 35 36 37 38 45   Router serial number (in the label in router's bottom)
00 02
32 39 37 36 33 36 35 34 2b 31 36 2b 31 32 38   Magic? Part of firmware image ID
57 4e 44 52 33 38 30 30                  Router type (Openwrt uses for identification)
00 00
4e 45 54 47 45 41 52 30 33               Netgear firmware WLAN network default name (also in label)
00 ...
63 6c 6f 75 64 79 70 6f 6e 64 33 33 33   Netgear firmware WLAN network default keyphrase (also in label)
1 Like

Newer versions have the package kmod-mtd-rw. This can be used to unlock the ART partition without special firmware.

opkg update
opkg install kmod-mtd-rw
insmod mtd-rw i_want_a_brick=1

This makes all mtd writeable(*) until the next reboot. After you're done it would be a good idea to opkg remove kmod-mtd-rw to reclaim the flash space and prevent unintended activation. (even though it needs to be manually loaded with the special parameter).

  • also making it possible to clobber the bootloader by writing the wrong partition, which would be really bad.

seems like it was successful! I've got wifi interfaces on this device again, and now slightly more breathing room before I need to change out my network setup (time to finally retire the WNDR3700v1).

thank you @hnyman and @mk24 for your help.

I'd like to try out wireguard if it's finally mature enough as well as get proper lets-encrypt certificates working for LuCI.

Would anyone recommend the particular best fw for day to day use on the WNDR3800 ? I'd go for one of your builds @hnyman but they're mostly built around ipv6 and my ISP STILL isn't supporting it yet.

Ten years ago, when I started publishing my community build for wndr3700, including IPv6 was one of the reasons and special features. But right now IPv6 is there by default. It is merely a sidenote.

I think that pretty much only alternatives for wndr3800 are the official builds and my builds.

Ps. Great that restoring art brought back your wifi.

So this would be the Mac of the WAN interface I would communicate to my ISP for them to white-list at the modem side, correct?

re-reading this I noticed in order to change it I'd need to also pass along the correct checksum (or is that only for the radio devices?)

Is there any benefit to changing the Mac however? Other than maybe the cool factor of whitelisting 00:00:00:00:00:00 at my ISP and freaking them out?

I don't think that the checksum covers the MAC / serial number part of the partition.

Note that you already now have slightly changed Macs (without any changes to any checksums)

Actually I've noticed that ALL Mac addresses are the same now for interfaces.

root@OpenWrt:~# ifconfig 
br-lan    Link encap:Ethernet  HWaddr 74:44:01:02:A3:E7  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::7644:1ff:fe02:a3e7/64 Scope:Link
          inet6 addr: fdca:f233:398c::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:703 errors:0 dropped:0 overruns:0 frame:0
          TX packets:734 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:72909 (71.2 KiB)  TX bytes:455249 (444.5 KiB)

eth0      Link encap:Ethernet  HWaddr 74:44:01:02:A3:E7  
          inet6 addr: fe80::7644:1ff:fe02:a3e7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:713 errors:0 dropped:0 overruns:0 frame:0
          TX packets:749 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:86535 (84.5 KiB)  TX bytes:459627 (448.8 KiB)
          Interrupt:4 

eth0.1    Link encap:Ethernet  HWaddr 74:44:01:02:A3:E7  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:703 errors:0 dropped:0 overruns:0 frame:0
          TX packets:734 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:72909 (71.2 KiB)  TX bytes:455249 (444.5 KiB)

eth1      Link encap:Ethernet  HWaddr 74:44:01:02:A3:E8  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:5 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:48 errors:0 dropped:0 overruns:0 frame:0
          TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3730 (3.6 KiB)  TX bytes:3730 (3.6 KiB)

wlan0     Link encap:Ethernet  HWaddr 74:44:01:02:A3:E7  
          inet addr:192.168.1.237  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::7644:1ff:fe02:a3e7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:26 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2905 (2.8 KiB)  TX bytes:1970 (1.9 KiB)

wlan0-1   Link encap:Ethernet  HWaddr 76:44:01:02:A3:E7  
          inet6 addr: fe80::7444:1ff:fe02:a3e7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:1280 (1.2 KiB)

wlan1     Link encap:Ethernet  HWaddr 74:44:01:02:A3:E9  
          inet6 addr: fe80::7644:1ff:fe02:a3e9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:872 (872.0 B)

Unfortunately I've also noticed that while my phone seems able to connect to the wifi interfaces my laptop is having trouble connecting successfully. I guess the Art partition restore didn't go as smoothly as I thought.

??????
br-lan / eth0 / eth0.1 / wlan0 = 74:44:01:02:A3:E7
eth1 = 74:44:01:02:A3:E8
wlan1 = 74:44:01:02:A3:E9

Just like I wrote above:

Explanations:
74 44 01 02 a3 e7         ETH0 MAC  / WLAN0 MAC   (also in the label in router's bottom)
74 44 01 02 a3 e8         ETH1 MAC
74 44 01 02 a3 e9         WLAN1 MAC

Is that.......okay then?

UPDATE oops yea I'm a lil overtired.......didn't noticed the last value is iterating ++1

You have any idea how to begin troubleshooting the wifi problem I described too?

Sorry, no idea about that debugging.
Test both 2.4 and 5 GHz radios, use simple settings (narrow bands) etc.