Imaging a Netgear R6250 that TFTP boots to openwrt, but can't image

Salutations,

I have a Netgear N6250 that needs reflashing to OpenWrt.

Currently,

  • It currently doesn't boot to a firmware.
  • When powered on, it tries to TFTP netboot a vmlinuz, and I have it booting to a ramdisk image.
  • That image allows ssh and lets me see the following:
root@OpenWrt /etc [#]# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00080000 00020000 "boot"
mtd1: 00180000 00020000 "nvram"
mtd2: 00020000 00020000 "board_data"
mtd3: 00020000 00020000 "POT"
mtd4: 00080000 00020000 "POT"
mtd5: 00020000 00020000 "ML"
mtd6: 00020000 00020000 "ML"
mtd7: 00020000 00020000 "ML"
mtd8: 00020000 00020000 "ML"
mtd9: 00020000 00020000 "ML"
mtd10: 07ca0000 00020000 "ML"

I have to believe that if I can boot it, I can image it. Can anyone provide a recipe for a command line flash, either to OpenWRT or back to stock?

Thanks in a van!

ND

1 Like

It is not supported by OpenWrt and its close cousin R6250 is only partly supported.

Thanks for answering, trendy.

My error, it is an R6250 (subject changed), and while I know it will be limited in wifi support to 54g, that should be enough to stretch my network a bit in the short term if I can get it up, or I could reflash to another router distro if it came to that.

Can you suggest an approach for the flashing part of my challenge?

Might be useful if you explain what you did to the device?

From a layman's glance, your flash parts look stuffed... so zapping a rom dump is the most viable option... Do you have an mtd backup?

The device had a (properly booting) Tomato variant on it when I trash-picked it, and my goal was to reflash it to stock, install OpenWRT, and use it in an 802.11s mesh. I would be using 2.4 anyway for the range I want to stretch the WLAN. I have no backups for it.

However, because the box does not TFTP boot as the Netgear docs indicate, as a TFTP server that will accept a PUT, but instead as a client looking for a vmlinuz boot image, I could not use the vendor-prescribed method for reflashing to stock.

Finding here Netgear R6300v2 Advanced Debrick Notes By Sploit the observation that if the firmware is clobbered that the device should do a full TFTP, I recklessly deleted the linux MTD partition (#mtd-erase2 linux from the tomato shell), hoping to find it reverting to the factory TFTP imaging. Nope.

I can consistently TFTP netboot the OpenWRT R6300 vmlinuz from the post I referred to, so I was ignorantly hoping there is a straightforward way to image the device from the shell.

2 Likes

Most Netgear models have a separate TFTP recovery activated by holding down the reset button while booting. In that mode the router is a TFTP server and waits for a client to put a file to it. If that file passes integrity checks (i.e. it is stock firmware or looks like stock firmware) the bootloader will flash it and reboot.

There may also be nmrpflash mode in the bootloader.

Simply flashing from an OpenWrt shell requires having a build for the exact same model being flashed, so that the sysupgrade script will place the firmware in the correct location in flash. Do not run sysupgrade on the wrong model.

2 Likes

It is Dec 12, 2020. I have run into trouble with my Netgear R6250.
Previously I installed OpenWrt 19.07.3, then 19.07.4 and the latest 19.07.5; all worked well except for the poor wifi, and it seems there is no prospect of the wifi being fixed.
So I hoped to return to Netgear stock. After disabling my firewall and verifying the downloaded R6250-V1.0.0.62_1.0.62.chk, I tried to flash it from the upgrade page. During that action I kept pinging 192.168.1.1 and waited almost 6 minutes.
The result is a brick. I cannot ping 192.168.1.1 any more. The only light is the power LED, amber and not blinking.
So the official Netgear TFTP way to return is impossible.
I guess the only way is CFE TFTP + serial recovery.
I can see the r6300v2 vmlinuz initramfs boot loader for bricked Netgear R6300v2 recovery, but I wonder whether the same file is available for the R6250?

Anyway, it is my mistake. I hope everyone will be careful to avoid this one-way...

Almost every modern Netgear model has the same relatively simple recovery mechanism. If the router is bricked the power LED will probably stay yellow instead of turning green. If the light is not yellow, plug in the power with the reset button held down and keep holding the button until the power LED is solid or blinking yellow.

In recovery mode, the router is a TFTP server at 192.168.1.1. It will answer pings but it does not run a DHCP server, so you will need to static IP your PC. Download and unzip the official R6250 firmware from Netgear. Push that file to the router with TFTP. As you found out it does not work to install it from OpenWrt like an upgrade.

1 Like

1. If the router is bricked the power LED will probably stay yellow instead of turning green.
Yes, only the power LED is lit, and it is yellow.
2. My Linux or Windows PC has its IP set to 192.168.1.10 instead of DHCP, and I even used arp -s 192.168.1.1 MAC-address (which is valid for the old Buffalo WHR-G301N).
3. Of course the official Netgear R6250 zip has been extracted to the *.CHK to be uploaded.
4. OpenWrt 19.07.5 has been replaced with the official firmware, but it is bricked now. The USB3.0 is not valid before openwrt works well.
5. The official Netgear Tftpd64-4.64-setup.exe is installed on Windows; with the Windows firewall disabled I do the upload (put), and nothing happens.....
6. I wonder whether there is a vmlinuz.zip for the R6250? Of course, if it exists, I will unzip it on my PC.

Thanks to every friend offering ideas!
Thank you, Mr/Ms. MK24

Does the router answer pings? Router IP may be 192.168.0.1.

The CLI TFTP client included with Linux (and built into Windows 10 after enabling as a Windows Feature) should be sufficient. Firewall does not need to be disabled since it's an outgoing connection.

Many Broadcom CFE bootloaders have a recovery web page accessed with http to the router.

1 Like

I set my IP to 192.168.1.2 and connected the Ethernet cable from the PC to an R6250 LAN port. After powering on the R6250, I ran ping 192.168.1.1; the result is:

From 192.168.1.2 icmp_seq=2 Destination Host Unreachable    x 6
64 bytes from 192.168.1.1: icmp_seq=9 ttl=100 time=1011 ms
64 bytes from 192.168.1.1: icmp_seq=10 ttl=100 time=1.71 ms
64 bytes from 192.168.1.1: icmp_seq=11 ttl=100 time=1.39 ms
64 bytes from 192.168.1.1: icmp_seq=12 ttl=100 time=1.38 ms
64 bytes from 192.168.1.1: icmp_seq=13 ttl=100 time=1.39 ms
64 bytes from 192.168.1.1: icmp_seq=14 ttl=100 time=2.08 ms
From 192.168.1.2 icmp_seq=19 Destination Host Unreachable   x NNNN
--- 192.168.1.1 ping statistics ---
62 packets transmitted, 6 received, +48 errors, 90.3226% packet loss, time 407ms
rtt min/avg/max/mdev = 1.383/169.862/1011.228/376.270 ms, pipe 4

So I will try the r6300v2 vmlinuz initramfs boot loader for bricked Netgear R6300v2 Recovery.
I had to read the full contents on dd-wrt about R6250 cases.
Anyway, I will follow my steps and report the best openwrt.org.

Thank you, Mr. mk24.

It looks like the recovery service starts up and runs for 6 seconds, then stops. You would need to try your tftp or http during that period. Run ping in another window and start your client when you see the first successful ping.

The service may run constantly if you force it into recovery by powering on with the reset button held down instead of just waiting for the regular boot to fail.

Your best, and likely only, chance of success is with R6250 stock firmware. Not sure why you'd try anything else.

The dd-wrt people do have more experience with Broadcom devices like this one.

1 Like
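The timing advice in the reply above (start the TFTP client on the first successful ping), automated as an added example that is not code from any poster in this thread. It assumes the iputils `ping` and the tftp-hpa client on Linux, and that TTL=100 marks bootloader replies, which is inferred from the ping logs posted here; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: iputils ping,
# the tftp-hpa client, and TTL=100 marking bootloader replies (inferred
# from the ping logs posted in this thread; firmware answered with TTL=64).
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"
BOOT_TTL=100

# Extract the TTL from one line of Linux or Windows ping output ("" if none).
reply_ttl() {
    printf '%s\n' "$1" | sed -n 's/.*[Tt][Tt][Ll]=\([0-9][0-9]*\).*/\1/p'
}

# Classify a ping line: bootloader (recovery window), firmware, or none.
classify_reply() {
    ttl=$(reply_ttl "$1")
    if [ -z "$ttl" ]; then echo none
    elif [ "$ttl" = "$BOOT_TTL" ]; then echo bootloader
    else echo firmware
    fi
}

# Count bootloader replies in a saved ping log read from stdin.
count_window() {
    n=0
    while IFS= read -r line; do
        if [ "$(classify_reply "$line")" = bootloader ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Ping with a one-second timeout; push the image on the first bootloader reply.
push_when_alive() {
    fw=$1
    [ -r "$fw" ] || { echo "cannot read $fw" >&2; return 2; }
    while :; do
        line=$(ping -c 1 -W 1 "$ROUTER_IP" 2>/dev/null | grep -i 'ttl=' || true)
        case "$(classify_reply "$line")" in
            bootloader) tftp -m binary "$ROUTER_IP" -c put "$fw"; return $? ;;
            firmware)   echo "firmware is already up, nothing to recover" >&2
                        return 1 ;;
        esac
    done
}

# Run only when asked, e.g.: sh push.sh --push R6250-V1.0.1.84_1.0.78.chk
if [ "${1:-}" = "--push" ]; then push_when_alive "$2"; fi
```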

Thank you, Mr. mk24, you are right.
If I boot without pressing reset, only 6 pings succeed.
If I press reset while booting and keep it pressed, 20 pings succeed.

I have set up tftpd-hpa on my Debian machine, and I tested that tftpd-hpa works normally. However, files like the dd-wrt vmlinuz or R6250-V1.0.0.62_1.0.62.chk in the tftpboot folder are not fetched automatically by the R6250, as described in what Mr. sploit posted on DD-WRT at https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=304398&postdays=0&postorder=asc&start=0.

tftp2 and the Netgear-recommended tftp64 did not work at all in Windows; for http the time is too short to do anything.

I agree OpenWrt is better than dd-wrt, but the wifi is so poor that I would try whether Broadcom wifi works normally with dd-wrt on the R6250 or not, or give up and return to the stock firmware. It is strange that even the initial R6250-V1.0.0.62_1.0.62.chk did not work.

I was lucky on the afternoon of Dec 14, 2020 and unbricked the R6250.
I found the software nmrpflash at https://github.com/jclehner/nmrpflash in the early morning, and also checked https://openwrt.org/docs/guide-user/installation/recovery_methods/nmrpflash.
From this info, there is nothing related to the R6250; is that true?

In detail, the trouble with my R6250 is that after power-on it locks up and only the left light stays amber, never blinking. If I ping it, only 6 pings succeed.
No matter how I set up the tftpd server on Linux or the tftp/tftp2 upload in Windows, or the reverse way (tftpd@192.168.1.2 for vmlinuz auto fetch), they all failed. I read lots of content on DD-WRT, but very little about the R6250.

Anyway, I need to take a risk before the final way via USB2TTL & terminal.
Set the NIC IP to 192.168.1.2/24 and make sure it is 1G with full duplex.
(Because I have a maximum of only 5 seconds while it stays alive.)
Cable connected from the LAN1 port to my Windows PC.
The stock firmware I chose is R6250-V1.0.1.84_1.0.78.chk because it is the smallest (9,513KB).
Under an administrator command prompt, execute:
E:\nmrpflash-0.9>nmrpflash.exe -i net8 -f R6250-V1.0.1.84_1.0.78.chk
Waiting for phyiscal connection.
Error: Ethernet cable is unplugged.
Again !
E:\nmrpflash-0.9>nmrpflash.exe -i net8 -f R6250-V1.0.1.84_1.0.78.chk
Waiting for phyiscal connection.
Advertising NMRP server on net8 ... |
Received configuration request from 6c:b0:ce:9b:99:1d.
Sending configuration: 10.164.183.252/24.
Timeout while waiting for TFTP_UL_REQ.

No way but to try again! Power off the R6250 and keep the reset button pressed while powering on.
E:\nmrpflash-0.9>nmrpflash.exe -i net8 -f R6250-V1.0.1.84_1.0.78.chk
Waiting for phyiscal connection.
Advertising NMRP server on net8 ... -
Received configuration request from 6c:b0:ce:9b:99:1d.
Sending configuration: 10.164.183.252/24.
Timeout while waiting for TFTP_UL_REQ.

Release the reset button and try again:
E:\nmrpflash-0.9>nmrpflash.exe -i net8 -f R6250-V1.0.1.84_1.0.78.chk
Advertising NMRP server on net8 ... /
Received TFTP_UL_REQ while waiting for CONF_REQ!
Received upload request without filename.
Uploading R6250-V1.0.1.84_1.0.78.chk ... OK
Waiting for remote to respond.
Received keep-alive request (9).
Remote finished. Closing connection.
Reboot your device now.

I cannot believe it, but it is true, because I really watched the left light change from amber to green and finally to blinking amber. I was worried about rebooting immediately, so I waited a full 6 minutes.
During the whole operation, I kept an extra normal window open running ping 192.168.1.1 -t.
No good news: the same 6 successful pings only at the beginning.

Power off then power on the R6250 again, and the result is:
E:\nmrpflash-0.9>ping 192.168.1.1 -t

Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.2: Destination host unreachable.
Reply from 192.168.1.2: Destination host unreachable.
Reply from 192.168.1.1: bytes=32 time=3918ms TTL=100
Reply from 192.168.1.1: bytes=32 time=1ms TTL=100
Reply from 192.168.1.1: bytes=32 time=2ms TTL=100
Reply from 192.168.1.1: bytes=32 time=1ms TTL=100
Reply from 192.168.1.1: bytes=32 time=1ms TTL=100
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Request timed out.
General failure.
General failure.
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.1.1:
Packets: Sent = 95, Received = 86, Lost = 9 (9% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 3918ms, Average = 46ms

So it should be working normally; I opened http://192.168.1.1 and it works!
What I used is 0.9.15-rc3-win32, and npcap needs to be installed.

I hope to share my experience with everybody,
because there is nothing about returning from OpenWrt to stock firmware, even on YouTube.

Maybe https://openwrt.org/docs/guide-user/installation/recovery_methods/nmrpflash should have the R6250 added now?

Good night!

1 Like

Done, nmrpflash added as recovery method.

1 Like

Thank you, Mr. tmoas.
My pleasure.