Flashing the Netgear WN3500RP

I'm trying to figure out what I could use to flash a new firmware to the Netgear WN3500RP. It's a really cool little plug router, and it even has a headphone jack. I have a root shell over the UART, but I'm not sure which of these programs I could use to flash a new image. Do any of these seem like clear contenders to you guys?

# ls bin sbin usr/bin usr/sbin
bin:
ash          echo         ip           ls           ntfs-3g      rmdir
busybox      egrep        ipaddr       mkdir        ping         sh
cat          fgrep        iplink       mknod        ping6        sleep
chmod        grep         iproute      mount        printenv     umount
cp           gunzip       iprule       mv           ps           usleep
df           gzip         iptunnel     netstat      pwd          wps_monitor
eapd         hostname     kill         nice         rm           zcat

sbin:
acos_init              gpio                   read_bd
acos_service           halt                   reboot
bd                     hotplug                reset_no_reboot
burn5gpass             hotplug2               resolve_domain
burn5gssid             ifconfig               restart_all_processes
burn_hw_rev            init                   rmmod
burnboardid            insmod                 route
burnethermac           leddown                routerinfo
burnpass               ledup                  showconfig
burnpin                lsmod                  sysctl
burnrf                 mount.ntfs-3g          udevtrigger
burnsku                ntpclient              uptime
burnsn                 parser                 version
burnssid               poweroff               write
erase                  preinit
getchksum              rc

usr/bin:
find      killall   tftp      uptime    xargs
free      nslookup  top       wget

usr/sbin:
audioplayer    et             nas            telnetenabled  wanled
bcmmrenderer   ftpc           nvram          testUtility    wl
brctl          heartbeat      outputimage    timesync       wlanconfigd
check_fw       httpd          pot            udhcpc         wlconf
check_pass     igs            swresetd       udhcpd         wpsd
emf            lld2d          telnetd        vconfig

the bootloader's console is what you need

look for an option to boot from TFTP

if you enter a full console, command help lists commands usually

I see printenv in what you posted

this tells me the bootloader is uboot (very common)

and that information is useful
you should run that command and keep the output, also post here

Surprisingly, it's not U-Boot; it's CFE. printenv just prints all of the shell's environment variables. The issue is I can't get into the CFE prompt, since there's no countdown at boot. Here's the boot output:

Decompressing..........done


CFE for WN3500RP version: v1.0.9
Build Date: Wed Aug 29 11:38:17 CST 2012 
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
Found a 8MB ST compatible serial flash
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.60.127.3205 @VERSION_TYPE@
CPU type 0x19749: 530MHz
Tot mem: 65536 KBytes

Device eth0:  hwaddr 20-E5-2A-23-C4-1A, ipaddr 192.168.1.250, mask 255.255.255.0
        gateway not set, nameserver not set
Linux version 2.6.22 (max@sunshine) (gcc version 4.2.3) #2 PREEMPT Thu Aug 30 14:20:34 CST 2012
CPU revision is: 00019749
Found a 8MB ST compatible serial flash
Determined physical RAM map:
 memory: 03fff000 @ 00000000 (usable)
Built 1 zonelists.  Total pages: 16256
Kernel command line: root=/dev/mtdblock2 console=ttyS0,115200 init=/sbin/preinit
Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
PID hash table entries: 256 (order: 8, 1024 bytes)
CPU: BCM5357 rev 2 at 530 MHz
Using 265.000 MHz high precision timer.
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 61352k/65532k available (2631k kernel code, 4124k reserved, 540k data, 180k init, 0k highmem)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
SCSI subsystem initialized
PCI: no core
PCI: Fixing up bus 0
NET: Registered protocol family 2
Time: MIPS clocksource has been installed.
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
fuse init (API version 7.8)
io scheduler noop registered (default)
Serial: 8250/16550 driver $Revision: 1.1.1.1 $ 4 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x0 (irq = 8) is a 16550A
loop: module loaded
PPP generic driver version 2.4.2
NET: Registered protocol family 24
sflash: squash filesystem with lzma found at block 1410
Creating 15 MTD partitions on "sflash":
0x00000000-0x00040000 : "boot"
0x00040000-0x00740000 : "linux"
0x0016088c-0x00740000 : "rootfs"
0x00740000-0x00750000 : "ML1"
0x00750000-0x00760000 : "ML2"
0x00760000-0x00770000 : "ML3"
0x00770000-0x00780000 : "ML4"
0x00780000-0x00790000 : "ML5"
0x00790000-0x007a0000 : "ML6"
0x007a0000-0x007b0000 : "ML7"
0x007b0000-0x007c0000 : "T_Meter1"
0x007c0000-0x007d0000 : "T_Meter2"
0x007d0000-0x007e0000 : "POT"
0x007e0000-0x007f0000 : "board_data"
0x007f0000-0x00800000 : "nvram"
Advanced Linux Sound Architecture Driver Version 1.0.14 (Thu May 31 09:03:25 2007 UTC).
ASoC version 0.13.1
WM8955: WM8955 Audio Codec 0.12
ALSA device list:
  No soundcards found.
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 180k freed
Warning: unable to open an initial console.
Failed to execute /init
[sighandler]: No more events to be processed, quitting.
[cleanup]: Waiting for children.
[cleanup]: All children terminated.
Reading board data...
WSC UUID: 0xe85de802902488bf30145d7f80bb482a
NTP synchronized date/time: Sun Apr 21 12:37:33 2013
MAC address of 1st STA connected: 00-00-00-00-00-00
--> In security, turn on WPS led.
wl: wl driver adapter not found
wl: wl driver adapter not found
wl: wl driver adapter not found
wl: wl driver adapter not found
invalid RF magic!
insmod: emf.ko: no module by that name found
insmod: igs.ko: no module by that name found
wl1 is up in 0 sec
insmod: soundcore.ko: no module by that name found
insmod: snd.ko: no module by that name found
insmod: snd-timer.ko: no module by that name found
insmod: snd-page-alloc.ko: no module by that name found
insmod: snd-pcm.ko: no module by that name found
insmod: snd-pcm-oss.ko: no module by that name found
insmod: snd-soc-core.ko: no module by that name found
insmod: i2c-core.ko: no module by that name found
insmod: snd-soc-bcm947xx-i2s.ko: no module by that name found
insmod: snd-soc-bcm947xx-pcm.ko: no module by that name found
insmod: snd-soc-wm8750.ko: no module by that name found
insmod: snd-soc-wm8955.ko: no module by that name found
insmod: snd-soc-bcm947xx.ko: no module by that name found
Hit enter to continue...wlconf: PHYTYPE: 4
wlconf: PHYTYPE: 4
wlconf: PHYTYPE: 4
wlconf: PHYTYPE: 4
killall: upnp: no process killed
upnp: No such file or directory
WARNING: console log level set to 1
killall: wps_monitor: no process killed
killall: wps_ap: no process killed
killall: wps_enr: no process killed
Reading board data...
WSC UUID: 0xe85de802902488bf30145d7f80bb482a
insmod: acos_nat.ko: no module by that name found
rmmod: br_dhcp_filter
NF_BR_LOCAL_OUT registered: filter_dhcpd_if:0x1, filter_dhcpc_if:0x16, filter_arp_if:0x1.
rmmod: br_dns_hijack
dnsRedirectReplyd: No such file or directory
shm ID: 0
 Get a correct Segment_ID: 0 and semaphore ID:32769
Can't find handler for ASP command: tra_get_param("button_grayed");
Can't find handler for ASP command: rst_cgi_get_bpa_status();
Can't find handler for ASP command: fw_get_ReadyShare_supported_level();
Can't find handler for ASP command: usb_cgi_get_register_state();
Can't find handler for ASP command: check_is_index()
Can't find handler for ASP command: get_warning_message();
dnsmasq: No such file or directory
ddnsd: No such file or directory
insmod: MultiSsidCntl.ko: no module by that name found
ioctl(BRCTL_SET_MSSIDPROFILE): Operation not supported
/tmp/samba/private/smb.conf: no files!
killall: bftpd: no process killed
add active user:192.168.0.129
httpd: socket bound in 0.0.0.0:80.
Can't open device file: /dev/acos_nat_cli
upnpd: No such file or directory
sh: /usr/sbin/email: not found
POT integrity check OK.
POT time is up.
insmod: cannot insert '/lib/modules/2.6.22/kernel/drivers/usb/core/usbcore.ko': Success (17)
insmod: cannot insert '/lib/modules/2.6.22/kernel/drivers/usb/host/ehci-hcd.ko': Success (17)
insmod: cannot insert '/lib/modules/2.6.22/kernel/drivers/usb/storage/usb-storage.ko': Success (17)
mount: mounting none on /proc/bus/usb failed: Device or resource busy
mkdir /tmp/media failed
Can't open device file: /dev/acos_nat_cli
Start DHCP client daemon
info, udhcp client (v0.9.8) started
br0: No such process
killall: dnsmasq: no process killed
Start bcmmrenderer.
Hit enter to continue...new a xid:629839f .
Hit enter to continue...


BusyBox v1.7.2 (2012-08-30 14:21:10 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# 
# rm: cannot remove '/tmp/udhcpd.leases': No such file or directory
killall: udhcpd: no process killed
killall: udhcpd: no process killed
info, udhcp server (v0.9.8) started
error, unable to parse 'option wins '
error, unable to parse 'option domain '

# help

Built-in commands:
-------------------
	. : break cd chdir continue eval exec exit export false hash
	help local pwd read readonly return set shift source times trap
	true type ulimit umask unset wait

# 

ah ok....I guess it's not the first time Netgear is doing weird things...

in this case it would be very difficult to get OpenWrt on the device
also Broadcom chips are not very well supported

you would have to load an image over tftp and write directly to partitions

in case of bricking it you would need tools to copy and write to the flash chip directly in SPI protocol
probably not worth the effort...

I guess I'm just not fully convinced that there's no way to do it without specialized hardware. There is a firmware update interface in the web GUI. I bet I could try to look at the backend for that and see what the router is doing when I upload an image through that interface. Alternatively, maybe if I overwrite the OS with random crap, CFE will kick in and open up its web interface? Seems like a longshot, though.

You can certainly "do it" without the extra tools

but there's a good possibility your first attempt of "doing it" can brick the device

either way, make a backup of all partitions and use TFTP transfer to get them to a PC

see the partition table with
cat /proc/mtd

for each partition something like
dd if=/dev/mtd0 of=/tmp/mtd0.bin

tftp command can differ greatly depending on busybox version...or a custom program from netgear...
tftp -l /tmp/mtd0.bin -r mtd0.bin -p 192.168.1.100
tftp -l /tmp/mtd0.bin -p 192.168.1.50:69

of course you need a tftp client on the PC for the transfer


if you are interested in getting a cheap SPI programmer I recommend FT232H breakout from Adafruit

and you can use it with my scripts which I put on github


Thanks. I'll pick one of those up.

Also, it turns out I can get into the CFE by holding Ctrl-C at boot. There's no help command, so I'm not sure what commands are available. Entering flash gives me this:

CFE> flash

     flash [options] filename [flashdevice]

     Copies data from a source file name or device to a flash memory device.
     The source device can be a disk file (FAT filesystem), a remote file
     (TFTP) or a flash device.  The destination device may be a flash or eeprom.
     If the destination device is your boot flash (usually flash0), the flash
     command will restart the firmware after the flash update is complete

     -noerase     Don't erase flash before writing
     -offset=*    Begin programming at this offset in the flash device
     -size=*      Size of source device when programming from flash to flash
     -noheader    Override header verification, flash binary without checking
     -writechksum Write image checksum to the end of partition
     -st_header   Need string table header verification
     -mem         Use memory as source instead of a device

*** command status = -2

Entering boot made the whole thing lock up. I think what that means is I can build an image and boot it over tftp like this. I'll give that a shot now.

nice

here is some reference, however no discussion of loading an image without flashing it...

I went and built the latest snapshot for another netgear router based on the same SoC. I set a static IP of 192.168.1.99, hooked up to ethernet, then ran boot -tftp -elf 192.168.1.99:/vmlinux-initramfs.elf. It told me I was out of dram (idk why, since the elf is 8 MB and the router has 64 MB of memory).

I then tried to run boot -tftp -elf 192.168.1.99:/vmlinux.elf, which was a few MB smaller, and that actually seems to have worked (except obviously it can't mount a rootfs so it kernel panics).

I'm going to look into other routers on the same SoC. Maybe one of them has an image small enough to be loaded with an initramfs.

try in make menuconfig getting rid of all packages

even network related things...I believe pinging still works with no network stack but not certain...

I got rid of everything that seemed reasonable, but it seems like it's still too big:

CFE> boot -tftp -elf 192.168.1.99:/vmlinux-initramfs.elf
Loader:elf Filesys:tftp Dev:eth0 File:192.168.1.99:/vmlinux-initramfs.elf Options:(null)
Loading: 0x80001000/7459628 Failed.
Could not load 192.168.1.99:/vmlinux-initramfs.elf: Section would load outside available DRAM
*** command status = -17
CFE>

Maybe if I can change the loading address from 0x80001000 to something smaller it would boot. I guess I could also get rid of things like busybox. What are the bare minimum packages necessary to boot?

EDIT: I guess 0x80001000 is just the virtual address that marks the start of available memory in CFE. (Source) so I guess I just need to find a way to make the image smaller. I'm going to try and see if I can get it to mount a usb rootfs.

is it really 7459628 bytes or am I reading the output wrong?

Try to build an image that is lzma compressed by editing whatever profile you're building with
something like
KERNEL_INITRAMFS := $(KERNEL_DTB) | lzma | uImage lzma

You're reading the output correctly. The output is large because so far, I've only been able to get it to boot from a .elf. It seems that no matter what compression I select, the .elf files don't get compressed; only the firmware images (which makes sense). If I don't pass the -elf option to boot, then it says Loader:raw instead of Loader:elf. What kind of image do they mean by "raw"? I've tried trx and chk images for routers on the same SoC, and a dump of the nand, but nothing seems to be working.

Also, it seems that the hardware of this device is exactly the same as some other Netgear routers which are supported by OpenWrt (except for the headphone jack). Do you think it's safe to just flash a firmware for one of those devices?

at the very least, the magic number in the header of the image will be different (if it's used)
this is why access to the original flash data is helpful or even necessary

I did dump the original flash data, but I'm not sure about how to construct a flashable firmware. Do you know of any references for the anatomy of one of these images?

you can start by putting the image through binwalk which is available on most linux repositories or here

the magic number is the first 4 bytes in a uImage header

some limited info here, probably another page on the wiki too but idk...

https://oldwiki.archive.openwrt.org/doc/techref/header

I've used binwalk before, but these images don't show a uImage header.

Stock firmware downloaded from Netgear's website:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
58            0x3A            TRX firmware header, little endian, image size: 5472256 bytes, CRC32: 0x5D5D9E7E, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x1208CC, rootfs offset: 0x0
86            0x56            LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 3433512 bytes
1181958       0x120906        Squashfs filesystem, little endian, non-standard signature, version 3.0, size: 4284555 bytes, 702 inodes, blocksize: 65536 bytes, created: 2020-07-22 08:06:11

OpenWrt firmware for similar Netgear router:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
58            0x3A            TRX firmware header, little endian, image size: 4329472 bytes, CRC32: 0xAAD2E46D, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x944, rootfs offset: 0x175000
86            0x56            gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
2430          0x97E           LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: -1 bytes
1527866       0x17503A        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2514358 bytes, 1177 inodes, blocksize: 262144 bytes, created: 2021-01-19 13:10:02

Stock firmware, dumped from the stock firmware's outputimage utility:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
43956         0xABB4          gzip compressed data, maximum compression, has original file name: "piggy", from Unix, last modified: 2012-08-29 03:38:35
262144        0x40000         TRX firmware header, little endian, image size: 5341184 bytes, CRC32: 0x212215FC, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x12088C, rootfs offset: 0x0
262172        0x4001C         LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 3433512 bytes
1443980       0x16088C        Squashfs filesystem, little endian, non-standard signature, version 3.0, size: 4153870 bytes, 703 inodes, blocksize: 65536 bytes, created: 2012-08-30 06:22:12
7667728       0x750010        gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
7733264       0x760010        gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
7798800       0x770010        gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
7864336       0x780010        gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
7929872       0x790010        gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)

Stock firmware, dumped from CFE:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
43956         0xABB4          gzip compressed data, maximum compression, has original file name: "piggy", from Unix, last modified: 2012-08-29 03:38:35
262144        0x40000         TRX firmware header, little endian, image size: 5341184 bytes, CRC32: 0x212215FC, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x12088C, rootfs offset: 0x0
262172        0x4001C         LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 3433512 bytes
1443980       0x16088C        Squashfs filesystem, little endian, non-standard signature, version 3.0, size: 4153870 bytes, 703 inodes, blocksize: 65536 bytes, created: 2012-08-30 06:22:12
7667728       0x750010        gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
7733264       0x760010        gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
7798800       0x770010        gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
7864336       0x780010        gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
7929872       0x790010        gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)

I did strings on that piggy stuff before the TRX header, and it had the help and error messages from CFE, so I'm assuming that's the CFE. Correct me if I'm wrong, but it seems like the flash is set up like this:

  • CFE
  • TRX header (thanks for the link about how these work)
  • LZMA-compressed kernel
  • squashfs filesystem
  • ???

The firmware update files start with the TRX header. Does that mean they don't include a CFE? If CFE remains untouched, I'm ready to flash pretty much anything, now that I have a backup. I dug through the firmwares with binwalk -Me and couldn't find anything that looks like a CFE. Maybe that means it's compressed, but I'm hoping that means that these updates don't touch CFE. What do you think?
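A parser and builder for the TRX header that binwalk reported above, added here as an example rather than code from this thread, from OpenWrt or from Netgear. It assumes the public TRX v1 layout (28-byte header; CRC32 over everything after the crc field, stored without the final inversion zlib applies) and runs on a constructed sample image; applied to the stock dump with base 0x40000, the second offset 0x12088C would resolve to 0x16088C, exactly where the boot log placed the "rootfs" partition.

```python
import struct
import zlib

TRX_MAGIC = b"HDR0"                     # little-endian 0x30524448
TRX_HEADER = struct.Struct("<4sIII3I")  # magic, len, crc32, flag_version, offsets[3]
assert TRX_HEADER.size == 28            # binwalk's "header size: 28 bytes"


def trx_crc32(data: bytes) -> int:
    """CRC32 as stored in a TRX header: standard polynomial, init 0xFFFFFFFF,
    but without the final inversion that zlib/PNG apply (assumption from the
    public TRX tools; verify against a known-good image before relying on it)."""
    return (~zlib.crc32(data)) & 0xFFFFFFFF


def parse_trx(image: bytes, base: int = 0) -> dict:
    """Decode and verify a TRX header at the start of `image`.
    `base` is the flash address the TRX sits at (0x40000 on this unit), so the
    returned section addresses can be compared with the kernel's MTD table."""
    if len(image) < TRX_HEADER.size:
        raise ValueError("too short for a TRX header")
    magic, length, stored_crc, flag_version, *offsets = TRX_HEADER.unpack_from(image, 0)
    if magic != TRX_MAGIC:
        raise ValueError(f"bad TRX magic {magic!r}")
    if length < TRX_HEADER.size or length > len(image):
        raise ValueError(f"TRX length {length} does not fit the data")
    # The CRC covers flag_version, the offsets and the whole payload.
    calc_crc = trx_crc32(image[12:length])
    return {
        "length": length,
        "crc32": stored_crc,
        "crc_ok": calc_crc == stored_crc,
        "flags": flag_version & 0xFFFF,
        "version": flag_version >> 16,
        "offsets": offsets,                              # relative to the header
        "sections": [base + o for o in offsets if o],    # absolute flash addresses
    }


def build_trx(parts: list, version: int = 1, flags: int = 0) -> bytes:
    """Wrap one to three blobs (e.g. LZMA kernel, squashfs) in a TRX v1 header.
    No padding is applied; real build tools may round the image up."""
    if not 1 <= len(parts) <= 3:
        raise ValueError("TRX v1 carries one to three sections")
    offsets, body = [], b""
    for part in parts:
        offsets.append(TRX_HEADER.size + len(body))
        body += part
    offsets += [0] * (3 - len(offsets))
    length = TRX_HEADER.size + len(body)
    flag_version = (version << 16) | (flags & 0xFFFF)
    covered = struct.pack("<I3I", flag_version, *offsets) + body  # CRC-covered bytes
    header = TRX_HEADER.pack(TRX_MAGIC, length, trx_crc32(covered), flag_version, *offsets)
    return header + body


def demo_image() -> bytes:
    """Constructed stand-in for the stock layout: 'kernel' blob then 'rootfs' blob."""
    kernel = b"\x5d\x00\x00\x01\x00" + b"K" * 1000   # LZMA properties byte 0x5D, as binwalk showed
    rootfs = b"hsqs" + b"R" * 2000                    # squashfs magic followed by filler
    return build_trx([kernel, rootfs])
```

Running parse_trx over a dump of the "linux" partition before handing anything to the CFE flash command reproduces the header check that -noheader skips; a CRC mismatch there means the image was truncated or altered.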

yeah looks like it's
0x0 to 0x40000 is CFE
0x40000 to 0x750000 (?) is the firmware

something else at 0x75000 and probably sooner too
you have root access so you should run
cat /proc/mtd
to get the OEM partition table

the build recipe for that similar netgear router handles the header
but if there is a magic number in the openwrt build profile you have to find out the new one
and use that to make a new profile for yours

find the DTS for the similar one and use it to make a new one with any differences you find

BTW what is the similar board?