Need help to debrick Netgear EX6150V2

Tried to roll back to oem firmware but now stuck with orange power light. Cannot detect ethernet or get an IP. In serial mode tried setting IP but still can't seem to tftpboot or fw_recovery.

(IPQ40xx) # printenv
baudrate=115200
bootcmd=sleep 1; nmrp; check_dni_image; bootipq2
bootdelay=2
delenv=sf probe && sf erase 0x000e0000 +0x10000
ethact=eth0
flash_type=0
ipaddr=192.168.1.1
loadaddr=0x84000000
machid=8010000
serverip=192.168.1.10
stderr=serial
stdin=serial
stdout=serial

U-Boot 2012.07 [Barrier Breaker unknown,unknown] (Jun 16 2016 - 11:59:37)

U-boot dni1 V1.1 for DNI HW ID: 29765285; NOR flash 16MB; NAND flash 0MB; RAM 256MB
smem ram ptable found: ver: 1 len: 3
DRAM: 256 MiB
machid : 0x8010000
NAND: SF: Detected W25Q128 with page size 64 KiB, total 16 MiB
ipq_spi: page_size: 0x100, sector_size: 0x10000, size: 0x1000000
16 MiB
MMC:
*** Warning - bad CRC, using default environment

In: serial
Out: serial
Err: serial
machid: 8010000
flash_type: 0
Net: SF: Detected W25Q128 with page size 64 KiB, total 16 MiB
flash_read will run command: sf read 0x871efee8 0x1a0000 0x9
MAC0 addr:cc:40:d0:
PHY ID1: 0x4d
PHY ID2: 0xd0b2
ipq40xx_ess_sw_init done
eth0
Hit any key to stop autoboot: 0
eth0 PHY0 Down Speed :10 Half duplex
eth0 PHY1 Down Speed :10 Half duplex
eth0 PHY2 Down Speed :10 Half duplex
eth0 PHY3 Down Speed :10 Half duplex
eth0 PHY4 Down Speed :10 Half duplex

nmrp server is stopped or failed !
Loading DNI firmware for checking...
SF: Detected W25Q128 with page size 64 KiB, total 16 MiB

** sf probe **

** KERNEL partition size, kernel : 0x30770000 **

anyone know how to debrick?

Either this:

or:

https://kb.netgear.com/000059633/How-to-upload-firmware-to-a-NETGEAR-router-using-TFTP-client

For uploading over serial USB the command "fw_recovery" would start a tftp server on netgear devices waiting for an image to push. If I'm correct. But I'm not an expert on flashing over serial. So be aware and research exactly!

I can see this:

I would assume that the connection between your router and your LAN device you are using is not working properly. Did you set a static IP etc.?

Yes static IP was set.

printenv shows

serverip=192.168.1.10
ipaddr=192.168.1.1

Can you ping router IP from PC? Does PC have link with router?

Nope can't ping it. It's not detecting it via lan.

Try to set 10M half-duplex on PC.

Plug an unmanaged switch in between the router and the PC. Confirm that the link light on the switch comes on.

How did you access the serial console? I cannot identify the serial pins? I am also at the same place. Solid orange power light

I was facing the same problem: Solid orange light.

I do not have a final solution to this problem, because I have erased uboot - I think. This was due to copying and pasting hex values and not realizing I was using the wrong value. But before this had happened I saw I was on the right track and booted openwrt.

I am sorry for this long posting but I would like to explain step by step, so anybody else who faces this situation might have a better starting point than I had.

First the Serial UART connection:
There are four holes on the board. You need to solder the adapter to them by yourself. They are well hidden under the metal plates. I had to disassemble the whole thing to find them. Netgear made it very complicated to disassemble the device. Also they used glue at some point.

After opening the case, I was not able to take out the board. Perhaps you do better. In the end I decided to use a saw to cut the plastic at the bottom side. After doing so, I was able to pull out the board.
In the following picture you see how the board is plugged in inside the case from the side view. Down right and left you see small little white pins that keep the board inside. Even after cutting it, it took me quite some force to get the board out of the plastic case.
Unfortunately I am a new user and not allowed to post so many pictures, so I had to upload them elsewhere. Here is the link:

At this point you are already able to see the UART connection in the red circle of the following picture.

The following picture shows the board with the Serial UART port on the left, the cpu in the center, the glue on the metal plate, and the flash chip down right. The 8 pins down center (CON1) are connected to the power supply board (which you do not see on this picture).

Here is the backside of the board. Therefore I had to remove the metal backplate from it. You can see the backplate on the right side in the background. The Serial UART can be found on the top side of the board.

The following picture will show you all components. On the left side you see the plastic case with its connectors for the voltage. In the upper center you see the power supply board with the hole where the 8 pin has to be connected to. In the center you find the cooler that was glued on top of the main board. The main board is down center. At the right side you see the part that I had to cut to take out the board.

In the end I came up with the idea to drill holes into the metal plate and the plastic front. This way I could reassemble the device and still be using the Serial port. The drawback is the holes in the plastic front.

The last picture shows the final result. The blue cable on the right is connected to ground. Green is RX and Yellow is TX.

Connected to the Serial:
Now with the Serial connection established I saw that I had the same result as the author of this thread. The boot process just hangs at a certain point. No message, no reboot, just freeze.

I have to say I am a total noob in this flashing segment. So I tried a few things. Read a few manuals and had quite some luck. I was able to boot openwrt but in the end I messed it up.

Abstract
I had set up a tftp server at 192.168.1.10 serving the file openwrt-ipq40xx-generic-netgear_ex6150v2-squashfs-factory.img (which is the snapshot file without luci. Better to compile your own with luci)
Connection was half duplex 100M. With full duplex I had timeouts (T) while transferring.

I used binwalk on that image file openwrt-ipq40xx-generic-netgear_ex6150v2-squashfs-factory.img
and noticed that the device tree image didn't start at 0x00 but with an offset of 0x80.
In the end I booted the img using bootm 0x84000080 which is the loadaddress + the offset from binwalk. For some reason this only worked after manually erasing the flash from 0x1b0000 to 0x8F0000 and then using the onboard recovery mechanics to write the image back to memory.
I think the position from 0x1b0000 to 0x8F0000 is on the flash chip and values higher than 0x84000000 lie in the RAM.

0x84000000 is the same address that the board uses when downloading via bootm or tftpboot or nmrpflash. It is the loadaddress which can be retrieved by issuing the print command.

Step by Step
First I did erase a few blocks in the flash memory. I did run sf erase 0x1b0000 0x8F0000

0x1b0000 is the value that the bootm command used itself as first block to erase.
The end value 0x8F0000 is a value calculated by myself. To calculate that value I checked the last line that bootm produced when I used bootm or tftpboot to load the image to the board: sf erase 0x730000 +0x10000 (=0x8F0000). Here is a pastebin of the bootm procedure that I am talking about: https://pastebin.com/Mhmim1Ve The beginning of that log shows the recovery process of downloading, erasing and writing and rebooting, which unfortunately always ended up with a non-booting device. The last line of that log is the moment when everything freezes / hangs.

After erasing I did download the file manually to position 0x84000000 with:
tftp 0x84000000 192.168.1.10:openwrt-ipq40xx-generic-netgear_ex6150v2-squashfs-factory.img
and run bootm 0x84000000 as you can see here https://pastebin.com/FNMf6zvm

Now it was booting openwrt but during the bootup there was a Kernel Panic message regarding to missing root device (rootfs). I guess this is due to the erased and now empty blocks.

After the automatic reboot the bootloader didn't find any image to boot from and was in recovery mode. Then I did send the image file with tftp to the AP. The recovery process did write the img to the previously erased blocks, rebooted but again it did hang when trying to boot the Kernel: https://pastebin.com/vqt1GGkq

So now I did manually download the image again into ram. Boot it from there and suddenly openwrt came up without any issues regarding to rootfs or mtd partitions.
tftp 0x84000000 192.168.1.10:openwrt-ipq40xx-generic-netgear_ex6150v2-squashfs-factory.img
bootm 0x84000080 https://pastebin.com/sf51mGVE

Rebooting still did result in a non-booting system. So at this point after every reboot I had to manually download the image into RAM and issue the bootm 0x84000080 command to load it. Unfortunately later that night I did issue the erase command again. But this time I did not pay much attention and issued sf erase 0x1b0000 0x84000000_dont_copy_and_paste_this! thinking that 0x84000000 was the same as 0x8F0000. Now the device does not show any reaction on the Serial port anymore. So I guess I have erased the blocks where uboot was installed.

One thing I wanted to try to boot openwrt automatically was:
check_dni_image; fdt addr 0x84000080; bootm 0x84000080;
No clue if this works, no clue if - in case this boots up - settings made in openwrt are saved permanently or lost after every reboot due to being run from RAM.

What I found out was: You cannot overwrite flash memory. You first need to erase to be able to write. Perhaps there is / was a problem with the automatic procedure of the factory recovery script when it tried to erase the blocks. Otherwise it makes no sense why it worked after I did manually erase these blocks and let the factory_recovery rewrite the img to these blocks.

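The post above describes its erase commands as running "from 0x1b0000 to 0x8F0000", but U-Boot's sf erase takes an offset and a length (sf erase offset [+]len), so the second argument is not an end address. The following is an added example, not part of the original post: it checks a planned command against the flash geometry printed in the boot log. The function names and the erase window are assumptions for illustration.

```python
# Added example: sanity-check a U-Boot "sf erase <offset> [+]<len>" line before typing it.
FLASH_SIZE = 0x1000000   # "size: 0x1000000" in the boot log
SECTOR_SIZE = 0x10000    # "sector_size: 0x10000" in the boot log
# Assumption: the window the post meant to erase; read the real bounds
# from your own device's partition layout.
FW_START, FW_END = 0x1B0000, 0x8F0000


def check_sf_erase(cmd, window=(FW_START, FW_END)):
    """Return (start, end, problems); end is exclusive, numbers are hex as in U-Boot."""
    parts = cmd.split()
    if len(parts) != 4 or parts[:2] != ["sf", "erase"]:
        raise ValueError("expected: sf erase <offset> [+]<len>")
    offset = int(parts[2], 16)
    length = int(parts[3].lstrip("+"), 16)
    problems = []
    if parts[3].startswith("+"):
        # "+len" asks U-Boot to round the length up to a whole sector
        length = -(-length // SECTOR_SIZE) * SECTOR_SIZE
    elif length % SECTOR_SIZE:
        problems.append("length is not a multiple of the sector size")
    if offset % SECTOR_SIZE:
        problems.append("offset is not sector aligned")
    end = offset + length
    if offset >= FLASH_SIZE or length > FLASH_SIZE:
        problems.append("argument larger than the flash (RAM address such as loadaddr?)")
    if end > FLASH_SIZE:
        problems.append("range runs past the end of the flash")
    if offset < window[0] or end > window[1]:
        problems.append("range leaves the intended window")
    return offset, end, problems


def erase_cmd(start, end):
    """Build the command for [start, end): the second argument is end - start."""
    if start % SECTOR_SIZE or end % SECTOR_SIZE or not 0 <= start < end <= FLASH_SIZE:
        raise ValueError("bounds must be sector aligned and inside the flash")
    return f"sf erase {start:#x} {end - start:#x}"


if __name__ == "__main__":
    for line in ("sf erase 0x1b0000 0x8F0000",     # from the post
                 "sf erase 0x1b0000 0x84000000",   # from the post, loadaddr used as length
                 erase_cmd(FW_START, FW_END)):     # length form of the intended range
        start, end, problems = check_sf_erase(line)
        print(f"{line}: {start:#x}..{end:#x} {problems or 'ok'}")
```

Read as offset and length, the first command from the post covers 0x1b0000 up to 0xaa0000, and the intended range corresponds to a length of 0x740000.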

Hi,
I was running on ex6150v2 19.07.07 so I flashed it via luci with file
openwrt-21.02.1-ipq40xx-generic-netgear_ex6150v2-squashfs-factory
and I unclicked keep config.

Apparently it's bricked? Once I power on the device -> only power LED is on in orange color, ethernet blinks in some intervals for a few seconds....

Any idea? Not sure why I can't upgrade devices without constant issues....

thx

New thread here...

I was in the exact situation where my EX6150v2 was only showing the amber power light. I was unable to get anywhere with it for a while...until I tried the 30:30:30 method. When using the 30:30:30, this is how I got it working:

  1. In the last 30 of the 30:30:30, my device's amber power flashed and then became a flashing green light.
  2. While it was a flashing green light, I configured my IP to be 192.168.1.251, 255.255.255.0, 192.168.1.250.
  3. I then used Tftpd64 to send to 192.168.1.1 (since I was able to ping that IP), and I used the Stock Netgear .img file.

From there I let the unit sit for a while, and did a factory reset after about 15 mins. After the factory reset, it was as if it just came out of the box, and ready to be setup.

I'd like to move it back to OpenWrt, but I need to read more about configuring an extender as an access point. But in any case, my device is working again!

I hope this helps someone out there, sometime in the future.
