Need help unbricking a Netgear RAX120 router

I run a TFTP server on my TrueNAS CORE NAS pointing to a particular folder just for the purpose of re-flashing router firmware. Google search for a TFTP server for your specific host OS.

I find it easier to pull the firmware image than push it from some OEM tool/application.

I don't have a Netgear, but Linksys U-boot should be similar.

  1. Open up router and connect serial console. Set the baud rate to 115200, 8N1
  2. Power up router
  3. Hit enter at Hit any key to stop autoboot: 2 1 0
  4. Connect LAN cable between router and your network. Some routers specifically use LAN1 for TFTP.
  5. env print to find the environment variables for ipaddr, netmask, serverip, and something pointing to the default firmware image name.
  6. setenv ipaddr {ip address}
  7. setenv netmask 255.255.255.0
  8. setenv serverip {tftp server ip}
  9. setenv {firmware env variable} {filename.extension on your tftp server}
  10. ping {tftp server ip}
  11. run flash_pri_image # or run flash_sec_image or run update_both_images
U-Boot 2016.01-23637-g6be947d (Sep 26 2018 - 10:21:39 +0800)

Model: QCA, IPQ807x-HK01
U-boot dni1 V1.2 for DNI HW ID: 29765589; NAND flash 512MB; RAM 1024MB .
developed based on 'qsdk-ipq807x.ilq.8.0-spf.8.0.CS'
DRAM:  smem ram ptable found: ver: 1 len: 4
1 GiB
NAND:  ONFI device found
ID = 1590acef
Vendor = ef
Device = ac
SF: Unsupported flash IDs: manuf 00, jedec 0000, ext_jedec 0000
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
512 MiB
MMC:   <NULL>: 0
*** Warning - bad CRC, using default environment

In:    serial@78B3000
Out:   serial@78B3000
Err:   serial@78B3000
machid: 8010000
Net:   MAC0 addr:38:94:ed:ae:65:05
PHY ID1: 0x4d
PHY ID2: 0xd0b1
EDMA ver 1 hw init
Num rings - TxDesc:1 (0-0) TxCmpl:1 (7-7)
RxDesc:1 (15-15) RxFill:1 (7-7)
ipq807x_edma_alloc_rings: successfull
ipq807x_edma_setup_ring_resources: successfull
ipq807x_edma_configure_rings: successfull
ipq807x_edma_hw_init: successfull
eth0
Hit any key to stop autoboot:  2  0 
IPQ807x# 
IPQ807x# print     env print
baudrate=115200
bootargs=console=ttyMSM0,115200n8
bootcmd=mii write 0x4 0x0 0x800; sleep 1; nmrp; echo Loading DNI firmware for checking...; loadn_dniimg 0 0x1980000 0x44000000; calc_rootadd 0x1980000 0x44000000; iminfo 0x44000000; if test $? -ne 0; then echo linux checksum error; fw_recovery; fi;iminfo $rootfs_addr_for_fw_checking; if test $? -ne 0; then echo rootfs checksum error; fw_recovery; fi;nand read 0x44000000 0x1980000 0x06400000; dnibootm
bootdelay=2
eth1addr=38:94:ed:ae:65:6
eth2addr=38:94:ed:ae:65:7
eth3addr=ff:ff:ff:ff:ff:ff
eth4addr=31:30:32:31:34:32
eth5addr=31:33:35:56:45:33
ethact=eth0
ethaddr=38:94:ed:ae:65:5
fdtcontroladdr=4a959a30
ipaddr=192.168.1.1
machid=8010000
netmask=255.255.255.0
serverip=192.168.1.10
stderr=serial@78B3000
stdin=serial@78B3000
stdout=serial@78B3000

Environment size: 842/262140 bytes
IPQ807x# setenmv    env rax120.i g  mg
IPQ807x# ping 192.168.1.1
ipq807x_eth_halt: done
eth0 PHY0 Down Speed :10 Half duplex
eth0 PHY1 Down Speed :10 Half duplex
eth0 PHY2 Down Speed :10 Half duplex
eth0 PHY3 up Speed :10 Full duplex
eth0 PHY4 Down Speed :10 Half duplex
10M speed not supported
ipq807x_eth_init: done
Using eth0 device

ARP Retry count exceeded; starting again
ipq807x_eth_halt: done
ping failed; host 192.168.1.1 is not alive
IPQ807x#

This is all I got so far.

env print or printenv

This is the default IP address of the TFTP server. Do you have one set up?

You need to PING the IP of the TFTP server, not the router itself

This looks like a mangled command. There should be an environment variable with the default image name. Either name the file the same on your TFTP server or use the setenv command to change the filename it looks for.

Hit any key to stop autoboot:  0
IPQ807x#
IPQ807x#
IPQ807x#
IPQ807x#
IPQ807x# env print
baudrate=115200
bootargs=console=ttyMSM0,115200n8
bootcmd=mii write 0x4 0x0 0x800; sleep 1; nmrp; echo Loading DNI firmware for checking...; loadn_dniimg 0 0x1980000 0x44000000; calc_rootadd 0x1980000 0x44000000; iminfo 0x44000000; if test $? -ne 0; then echo linux checksum error; fw_recovery; fi;iminfo $rootfs_addr_for_fw_checking; if test $? -ne 0; then echo rootfs checksum error; fw_recovery; fi;nand read 0x44000000 0x1980000 0x06400000; dnibootm
bootdelay=2
eth1addr=38:94:ed:ae:65:6
eth2addr=38:94:ed:ae:65:7
eth3addr=ff:ff:ff:ff:ff:ff
eth4addr=31:30:32:31:34:32
eth5addr=31:33:35:56:45:33
ethact=eth0
ethaddr=38:94:ed:ae:65:5
fdtcontroladdr=4a959a30
ipaddr=192.168.1.1
machid=8010000
netmask=255.255.255.0
serverip=192.168.1.10
stderr=serial@78B3000
stdin=serial@78B3000
stdout=serial@78B3000

Environment size: 842/262140 bytes
IPQ807x# setenv
setenv - set environment variables

Usage:
setenv [-f] name value ...
    - [forcibly] set environment variable 'name' to 'value ...'
setenv [-f] name
    - [forcibly] delete environment variable 'name'
IPQ807x# setenv rax120.img
IPQ807x# ping 192.168.1.10
ipq807x_eth_halt: done
eth0 PHY0 Down Speed :10 Half duplex
eth0 PHY1 Down Speed :10 Half duplex
eth0 PHY2 Down Speed :10 Half duplex
eth0 PHY3 up Speed :10 Full duplex
eth0 PHY4 Down Speed :10 Half duplex
10M speed not supported
ipq807x_eth_init: done
Using eth0 device

ARP Retry count exceeded; starting again
ipq807x_eth_halt: done
ping failed; host 192.168.1.10 is not alive
IPQ807x# <INTERRUPT>
IPQ807x# tftpput
ipq807x_eth_halt: done
eth0 PHY0 Down Speed :10 Half duplex
eth0 PHY1 Down Speed :10 Half duplex
eth0 PHY2 Down Speed :10 Half duplex
eth0 PHY3 up Speed :10 Full duplex
eth0 PHY4 Down Speed :10 Half duplex
10M speed not supported
ipq807x_eth_init: done
*** Warning: no boot file name; using 'C0A80101.img'
Using eth0 device
TFTP to server 192.168.1.10; our IP address is 192.168.1.1
Filename 'C0A80101.img'.
Save address: 0x0
Save size:    0x0
Saving: *
ARP Retry count exceeded; starting again
ipq807x_eth_halt: done
IPQ807x# <INTERRUPT>
IPQ807x# ping 127.0.0.1
ipq807x_eth_halt: done
eth0 PHY0 Down Speed :10 Half duplex
eth0 PHY1 Down Speed :10 Half duplex
eth0 PHY2 Down Speed :10 Half duplex
eth0 PHY3 up Speed :10 Full duplex
eth0 PHY4 Down Speed :10 Half duplex
10M speed not supported
ipq807x_eth_init: done
Using eth0 device
## Warning: gatewayip needed but not set
## Warning: gatewayip needed but not set
## Warning: gatewayip needed but not set
ipq807x_eth_halt: done

Abort
ping failed; host 127.0.0.1 is not alive
IPQ807x# setenv gateway 192.168.1.1
IPQ807x# ping 127.0.0.1
ipq807x_eth_halt: done
eth0 PHY0 Down Speed :10 Half duplex
eth0 PHY1 Down Speed :10 Half duplex
eth0 PHY2 Down Speed :10 Half duplex
eth0 PHY3 up Speed :10 Full duplex
eth0 PHY4 Down Speed :10 Half duplex
10M speed not supported
ipq807x_eth_init: done
Using eth0 device
## Warning: gatewayip needed but not set
## Warning: gatewayip needed but not set
ipq807x_eth_halt: done

Abort
ping failed; host 127.0.0.1 is not alive
IPQ807x# setenv gatewayip 192.168.1.1
IPQ807x# ping 127.0.0.1
ipq807x_eth_halt: done
eth0 PHY0 Down Speed :10 Half duplex
eth0 PHY1 Down Speed :10 Half duplex
eth0 PHY2 Down Speed :10 Half duplex
eth0 PHY3 up Speed :10 Full duplex
eth0 PHY4 Down Speed :10 Half duplex
10M speed not supported
ipq807x_eth_init: done
Using eth0 device

ARP Retry count exceeded; starting again
ipq807x_eth_halt: done
ping failed; host 127.0.0.1 is not alive
IPQ807x# ping 192.168.1.10
ipq807x_eth_halt: done
eth0 PHY0 Down Speed :10 Half duplex
eth0 PHY1 Down Speed :10 Half duplex
eth0 PHY2 Down Speed :10 Half duplex
eth0 PHY3 up Speed :10 Full duplex
eth0 PHY4 Down Speed :10 Half duplex
10M speed not supported
ipq807x_eth_init: done
Using eth0 device

ARP Retry count exceeded; starting again
ipq807x_eth_halt: done
ping failed; host 192.168.1.10 is not alive
IPQ807x#

Port 1 on the router is plugged into a gigabit connection. Forced to 100 or 1000 it just will not connect at all. Only 10m. I have already changed ethernet cables. Tried changing to a different port on switch. Nothing wants to work. Will try a dummy switch in a moment.

Just tested with a dummy switch. Did not work either.

Switch is showing that the port the router is connected to is stuck at 10/100m

Seems there is no environment variable for the default image name, so you may be stuck with pushing (tftp put) the image to the router.

But if you can't get past getting one of the lan ports working with a simple ping, you may be hosed.

Looks like it tried to use this default image filename.

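Added example, not part of any post in this thread: a small Python triage of a captured U-Boot console log that flags the symptoms discussed so far (default environment after a bad CRC, a link up only at an unsupported speed, pinging the router's own address instead of `serverip`, and the fallback boot file name). The function names and the sample log are constructed for illustration; the file-name rule (own IP address as eight hex digits plus `.img`) matches the `C0A80101.img` the log shows for 192.168.1.1.

```python
import ipaddress
import re

# Constructed sample, condensed from the console output quoted in this thread.
SAMPLE_LOG = """\
*** Warning - bad CRC, using default environment
ipaddr=192.168.1.1
netmask=255.255.255.0
serverip=192.168.1.10
IPQ807x# ping 192.168.1.1
eth0 PHY0 Down Speed :10 Half duplex
eth0 PHY3 up Speed :10 Full duplex
10M speed not supported
ARP Retry count exceeded; starting again
IPQ807x# ping 127.0.0.1
## Warning: gatewayip needed but not set
IPQ807x# tftpboot
*** Warning: no boot file name; using 'C0A80101.img'
"""

def default_bootfile(ipaddr):
    # With no file name given, U-Boot requests its own IP as 8 hex digits + ".img".
    return "%08X.img" % int(ipaddress.IPv4Address(ipaddr))

def triage(log):
    """Return {finding_code: explanation} for a captured U-Boot console log."""
    env = dict(re.findall(r"^(ipaddr|netmask|serverip)=(\S+)$", log, re.M))
    net = ipaddress.ip_network(f"{env['ipaddr']}/{env['netmask']}", strict=False)
    out = {}
    if "bad CRC, using default environment" in log:
        out["env_defaults"] = "saved environment failed its CRC; built-in defaults are in use"
    for phy, speed in re.findall(r"PHY(\d+) up Speed :(\d+)", log):
        if f"{speed}M speed not supported" in log:
            out["link_speed"] = f"PHY{phy} is up at {speed}M, reported as not supported"
    for target in re.findall(r"^\S+# ping (\S+)$", log, re.M):
        if target == env["ipaddr"]:
            out["ping_self"] = f"{target} is the router's own ipaddr; ping serverip {env['serverip']}"
        elif ipaddress.ip_address(target) not in net:
            out["ping_offnet"] = f"{target} is outside {net}, so U-Boot asks for gatewayip"
    m = re.search(r"no boot file name; using '([^']+)'", log)
    if m:
        ok = m.group(1) == default_bootfile(env["ipaddr"])
        out["bootfile"] = f"server must offer {m.group(1)} (derived from ipaddr: {ok})"
    if "ARP Retry count exceeded" in log:
        out["arp_timeout"] = "no ARP reply from the target; check the link before TFTP"
    return out

if __name__ == "__main__":
    print(*(f"{k}: {v}" for k, v in triage(SAMPLE_LOG).items()), sep="\n")
```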

This router has shown it's capable of booting via USB drive. I was checking it a while ago but I didn't seem to have much luck with it.

Then again it was a late night and I was feeling tired.

any luck with usb booting?

I mean all i can think of is trying to boot with the firmware file by itself on there

Can you clarify on how to set firmware name? maybe show an example?

From the environment variables it does not appear Netgear U-boot supports pulling the firmware. You have to push it from the TFTP server like you have been trying, but you have to get past getting a working LAN connection from the router and your TFTP server.

Just got it to at least attempt at booting from USB. idk what I can put on the usb drive that would allow usb booting.

Hit any key to stop autoboot:  0
IPQ807x#
IPQ807x#
IPQ807x# usb start
starting USB...
USB0:   Register 2000140 NbrPorts 2
Starting the controller
USB XHCI 1.10
scanning bus 0 for devices... 1 USB Device(s) found
USB1:   Register 2000140 NbrPorts 2
Starting the controller
USB XHCI 1.10
scanning bus 1 for devices... 2 USB Device(s) found
IPQ807x# usb dev 0

USB device 0:
    Device 0: Vendor: PNY      Rev: 1100 Prod: USB 2.0 FD
            Type: Removable Hard Disk
            Capacity: 7788.3 MB = 7.6 GB (15950592 x 512)
... is now current device
IPQ807x# usbboot dev 0

Loading from usb device 0, partition 1: Name: usbda1  Type: U-Boot
data abort
pc : [<4a92edfa>]          lr : [<4a9010a9>]
reloc pc : [<4a92edfa>]    lr : [<4a9010a9>]
sp : 4a77f668  ip : 4a77f618     fp : 00000024
r10: 00000002  r9 : 4a77fea0     r8 : 4a78b820
r7 : 4a78d5e0  r6 : 00000002     r5 : 4a78d5e0  r4 : 4a788e40
r3 : 00000001  r2 : 00009d1d     r1 : 00000000  r0 : 00000000
Flags: nZCv  IRQs off  FIQs off  Mode SVC_32
Resetting CPU ...

resetting ...

And then it goes on to boot looping as usual.

If USB booting will not do either, then I am going to try to RMA it to netgear for fun. just to see if they are willing to do anything.

unless someone else here has answers.

The only other option is to try TFTP boot the file off your TFTP server. Of course this assumes you have a working connection between router and TFTP server

In U-boot tftp {filename.img}

Hit any key to stop autoboot:  0
IPQ807x#
IPQ807x# tftp rax120.img
Unknown command 'tftp' - try 'help'
IPQ807x# uboot
U-boot dni1 V1.2 for DNI HW ID: 29765589; NAND flash 512MB; RAM 1024MB .
developed based on 'qsdk-ipq807x.ilq.8.0-spf.8.0.CS'
IPQ807x# tftp rax120.img
Unknown command 'tftp' - try 'help'
IPQ807x#

is there a tftpget or tftpboot command

IPQ807x# tftpget
Unknown command 'tftpget' - try 'help'
IPQ807x# tftpboot
ipq807x_eth_halt: done
eth0 PHY0 Down Speed :10 Half duplex
eth0 PHY1 Down Speed :10 Half duplex
eth0 PHY2 Down Speed :10 Half duplex
eth0 PHY3 up Speed :10 Full duplex
eth0 PHY4 Down Speed :10 Half duplex
10M speed not supported
ipq807x_eth_init: done
*** Warning: no boot file name; using 'C0A80101.img'
Using eth0 device
TFTP from server 192.168.1.10; our IP address is 192.168.1.1
Filename 'C0A80101.img'.
Load address: 0x44000000
Loading: ipq807x_eth_halt: done

Abort
IPQ807x# <INTERRUPT>
IPQ807x# tftpboot
Unknown command 'tftpboot' - try 'help'
IPQ807x#

still stuck at 10m even when the internet network adapter on my desktop is connected directly to my desktop.

It looks like the only way to fix this is to see if there is any way to restore uboot using USB boot recovery.

if that is not possible at all, then yeah. I guess I am hosed. This is what i get for buying a broken used router that I thought I could fix myself.

EDIT: will check solution if no one else has anything else to give me to try by tomorrow morning, which should be around 7-8am MST.

Have you tried the help command? You will get all the commands of your uboot!
Have you tried to reset uboot env settings with env defaults -a? This will get the env being all reset to the default from uboot…
Make a backup with printenv BEFORE!
It looks like you're in a factory mode…
You tried to boot from usb with usbboot, not load any uboot or firmware…
Where do you get the firmware you want to flash?
Is there any official recovery procedure?

https://kb.netgear.com/000063673/RAX120-RAX120v2-Firmware-Version-1-2-1-22

https://kb.netgear.com/000059633/How-to-upload-firmware-to-a-NETGEAR-router-using-TFTP-client

You need to understand what the bootcmd command line wants to flash from…
To give the .img file loaded in the right place…

Then the factory flash will (may) work.

Edit: from this https://gist.github.com/hnyman/45d06e62ce30fa3b08a299955a4a5d2e
Looks like the load address is 0x44000000

You may try to load from usb the firmware.img to this address with load usb command (use help to find the correct parameters, help and help load or loadfat or …)
Then use bootm or bootm 0x44000000 to load and boot into the image…
May be incorrect but give it a try…

It depends if the img given by NetGear is flashable or bootable !

Your device is still booting to OpenWrt ?
You can interrupt the OpenWrt boot with f + return when prompted to :

[    8.473973] init: - preinit -
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
Before mount_root

The reset to factory mode of OpenWrt !
Reboot and test…

Read the thread more carefully. Cannot do TFTP transfer or recovery if ports are stuck at 10mbps.

I will try your uboot commands though. It looks like it might get me somewhere. As for the USB drive, I just copied the factory stock firmware on the flash drive and made an attempt to boot it. Of course, it did not work. Was worth a try though.

I want to remind you, I am a feeble person. weakest of the weak. Like, "I use windows 10 as my main operating system" weak.

Specifically "hehe video games" weak.

More specifically, "I have a job where I sometimes work full days at my WISP job and only care to watch shows and listen to music off the NAS that's attached to my router running in AP mode" weak.

So right after you start talking about some hexadecimal stuff, I am going to have to ask you to help me learn how to modify/do this stuff. I have tried to learn it, but it seems like I have to be running linux just to do it.

Also, I tried to interrupt the openwrt boot process but I keep missing it.

???

Good luck !