I have swapped out my NOR chip for a bigger one. What next? Netgear WNDR3700v5 / R6220 HARDWARE MODIFICATIONS

Hardware Questions and Recommendations
1

Good afternoon,

A few weeks ago I purchased a Netgear WNDR3700v5 after deeming it good enough for my modest needs. I was running Gargoyle on it which was great, but I had a desire to VPN into from outside. Being that I am behind a CGNAT at both ends, Gargoyle's bundled Wireguard and OpenVPN options were no help to me. That's when I discovered Tailscale and Netbird, which are the correct tools to help me.

As you can probably guess, the 16MB NOR Flash was already pretty much full with the Gargoyle image, so there was virtually no scope for installing more packages.

What I have done so far is to revert back to stock Netgear firmware, de-solder the 16MB NOR chip, use a CH134A programmer with AsProgrammer software to extract a bit-for-bit BIN file from it. I have flashed that data using the same setup to a brand new 32MB NOR chip from the exact same manufacturer and series. I have soldered that back into the router, and it still boots the stock firmware and works as normal.

Now I am wishing to flash OpenWRT onto the device, but confused about whether doing that will either brick the device, as presumably the OpenWRT image only expects this model to have 16MB of NOR, or it might flash OK, but just leave an inaccessible chunk of empty blocks at the end of the NOR that won't gain me any benefit.

After being disappointed with the lack of space on the WNDR3700v5, I went and purchased a R6220, which I can confirm is the same PCB inside. Both of these models use the same board which actually has pads for either a NOR or a NAND chip (it can't have both as the footprints overlap and presumably use at least some of the same connections back to the SoC) and a few SMD capacitors that are either there or missing depending on which chip is utilised. As widely documented, the R6220 does indeed have a 128MB NAND chip, so I thought this would be the solution to my lack of storage. As it turns out, OpenWRT (and consequently Gargoyle) only uses a small portion of the 128MB NAND chip leaving a large portion of unused, and inaccessible space at the end of the chip. I think it is something like 90MB unused, but inaccessible, so once again, no useable free space to play with.

By the time I discovered this, I had already ordered the 32MB blank NOR chips for the WNDR3700v5 so I went ahead and fitted one as described above, as I had nothing to lose really.

I guess the question is how can I install OpenWRT without bricking the device AND gain access to the extra unused space and make it useable for package installations?

One user in the Gargoyle forums suggests there was some way called MTD-CONCAT that can create another partition in the unused space, and somehow 'merge' it with whatever free space is in the normal partition that packages get installed to, so that the system recognises it as one large partition.

While I'm pretty confident with hardware mods, I am certainly not confident with software, least of all with embedded linux as I have mostly used only Windows and DOS in my life. I have been reading and learning a great deal about OpenWRT recently though from this forum and website which I have to say is very impressive and a great community.

I have swapped out my NOR chip for a bigger one. What next? Netgear WNDR3700v5
2

Use this extra space as extroot? then you probably wouldn't have to modify the standard images.

3

There is a big difference going past 16 MB NOR as the hardware has to send an extra address byte to the chip. Most 32 MB chips power up in 3 byte compatibility mode, which only allows access to the first 16 MB.

On the NAND model you should be able to write a new dts file with larger partitions. OpenWrt's default partitioning is designed not to clobber anything that you would need in order to go back to stock. This can result in only a small part of the chip being used.

Look at Zerotier VPN. It is also quite large, but being written in C++ instead of Go like Tailscale and Netbird it can fit in 16 MB flash. The functionality of all three is about the same-- centrally controlled and works through NAT as it does not require open incoming ports.

If your ISP (and that at the remote site) supports IPv6 you could use that as the outer tunnel for Wireguard. There should be no NAT with IPv6.

4

If you're happy to compile your own firmware
you can use concat to include the extra memory in the pool
below if from a while ago but can pull concat memory stuff out
the R6220 is only a dual-core version where most or the MT7621’s are quad

// SPDX-License-Identifier: GPL-2.0-only

#include "mt7621_netgear_sercomm_ayx.dtsi"

/ {
	compatible = "netgear,r6220", "mediatek,mt7621-soc";
	model = "Netgear R6220";

	aliases {
		label-mac-device = &gmac0;
	};
};

&nand {
	status = "okay";

	partitions {
		compatible = "fixed-partitions";
		#address-cells = <1>;
		#size-cells = <1>;

		partition@0 {
			label = "u-boot";
			reg = <0x0 0x100000>;
			read-only;
		};

		partition@100000 {
			label = "SC PID";
			reg = <0x100000 0x100000>;
			read-only;
		};

		partition@200000 {
			label = "kernel";
			reg = <0x200000 0x400000>;
		};

		partition@600000 {
			label = "ubi";
			reg = <0x600000 0x1c00000>;
		};

		partition@2e00000 {
			label = "factory";
			reg = <0x2e00000 0x100000>;
			read-only;

			nvmem-layout {
				compatible = "fixed-layout";
				#address-cells = <1>;
				#size-cells = <1>;

				eeprom0: eeprom@0 {
					reg = <0x0 0x400>;
				};

				macaddr_factory_4: macaddr@4 {
					compatible = "mac-base";
					reg = <0x4 0x6>;
					#nvmem-cell-cells = <1>;
				};

				eeprom1: eeprom@8000 {
					reg = <0x8000 0x200>;
				};
			};
		};

		partition@4200000 {
			label = "reserved";
			reg = <0x4200000 0x3c00000>;
			read-only;
		};
	};
};

&gmac0 {
	nvmem-cells = <&macaddr_factory_4 0>;
	nvmem-cell-names = "mac-address";
};

&gmac1 {
	nvmem-cells = <&macaddr_factory_4 1>;
	nvmem-cell-names = "mac-address";
};
5

Thank you all for your reponses so far. I think I am confusing the matter somewhat in my long intro. I'm not really very concerned about the R6220 at the moment, as I have just put that in place as a temporary solution while I try to sort the WNDR3700v5 out. For the moment the R6220 is working fine with Netbird on it. Yes it is full, but I don't plan on installing anything else on it, so it will do me for now. I might revist that later.

I think it is best if I start a new thread to concentrate solely on the WNDR3700v5 so that it is not as confusing for myself and anyone else who is reading. There doesn't seem to be as much information on this model, which I hope we can work on filling in some blanks about it. I am very grateful for the support here and would be very honoured if you could contribute in the new thread that I will make now.

6

From your initial post, you were modifying your WNDR3700v5
to be a R6220 by changing the flash chip as they share the same PCB
one would expect you copied over your ART “radio calibration” from old NOR flash
and inserted it into a new flash chip same as in the R6220 using the R6220 bootloader
and changing the jumper “solder blob or resister” to boot from NAND not NOR Flash

7

Hi Lucky1. Sorry if I was confusing matters by mentioning the R6220. I was merely stating my observation that I own both, both use the same PCB, both use a different kind of chip, yet even the R6220 is woefully short of space, not due to lack of flash memory (it has 128mb!), but due to the way it is partitioned.

All my soldering is done by hand with a simple iron (not hot air). Rather than take a big risk on soldering a NAND chip to make the WNDR3700v5 into an R6220 I took the coward's option of simply swapping out the 16mb NOR chip for a 32mb of the same type. A SOP16 package IC is pretty easy to solder, and meant I didn't have to try moving the miniscule caps and resistors around it either. I also read another thread somewhere that put me off wanting NAND as it was explaining that NAND chips come from the factory with bad sectors and require error correction to shift data around to keep it away from known bad or failing sectors. I thought that sounded too complicated and would lower the chances of success. Maybe I'm wrong, but it is my first time doing this stuff and wanted to keep things as simple as possible at first. I've started a new thread focussing solely on the WNDR3700v5 for now to avoid any more confusion.