OpenWrt support for Netgear BR200

xmow49 · January 14, 2023, 11:29am

Hi,
I have a Netgear BR200. I dont see it in the supported list.

But I opened it, connect a FTDI to the 4 pin header.

In Putty at 115200 bit/s I have a lot of boot logs.
After a while, I have a linux shell loged in root.
So I played with some commands:

CPU

So with a shell and a root access, is it possible to install openwrt ?
If yes, which firmware image download ?

I also found a tftp mode with a longpress on reset on boot:

U-Boot 2012.07-g14bd29e [local,local] (Apr 18 2018 - 14:36:32)

U-boot 2012.07 dni1 V0.3 for BR500 DNI HW ID: 29764958 NOR flash 0MB; NAND flash 128MB; RAM 1024MB;
smem ram ptable found: ver: 0 len: 5
DRAM:  1003 MiB
NAND:  SF: Unsupported manufacturer 00
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
128 MiB
MMC:
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
 131072 bytes read: OK
MMC Device 0 not found
cdp: get part failed for 0:HLOS
Net:   MAC1 addr:XX:XX:XX:XX:XX:XX
athrs17_reg_init: complete
athrs17_vlan_config ...done
S17c init  done
MAC2 addr:XX:XX:XX:XX:XX:XX
eth0, eth1
The Router is in TFTP Server Firmware Recovery mode NOW!
Listening on Port : 69, IP Address: 192.168.1.1 ...
Upgrade Mode
Abort

Firmware recovering from TFTP server is stopped or failed! :(
Hit any key to stop autoboot:  0

Thanks

frollic · January 14, 2023, 11:34am

If someone would create an image, and the SoC is supported by Linux.

hecatae · January 14, 2023, 12:36pm

Qualcomm atheros ap161, same CPU as the Netgear r7800, same flash memory, twice the ram.

It may be worth trying the r7800 image via tftp and see what messages you see in serial

xmow49 · January 14, 2023, 2:24pm

Ok,
Thanks,
I will test. Its my old router, so if its brick, is it doesn't matter.

hecatae · January 14, 2023, 2:52pm

Oh you will be able to restore stock via tftp if needed

gpl sources are over here:

xmow49 · January 14, 2023, 3:10pm

So, first I start the flash with the r7800 image:

The Router is in TFTP Server Firmware Recovery mode NOW!
Listening on Port : 69, IP Address: 192.168.1.1 ...

Rcv:
        .................................................................
        .................................................................
        ......................................................MODEL ID on image: R7800
Firmware Image MODEL ID do not match open source firmware ID
File has bad checksum!

TFTP error: '' (0)
Starting again

So, i open the .img file and I saw this:

I changed the device like this:

now I have this:

The Router is in TFTP Server Firmware Recovery mode NOW!
Listening on Port : 69, IP Address: 192.168.1.1 ...

Rcv:
        .................................................................
        .................................................................
        ......................................................MODEL ID on image: BR200
Firmware Image MODEL ID do not match open source firmware ID
File has bad checksum!

TFTP error: '' (0)
Starting again

So the router read the new device name, but still have an error...
I dont know where change the "Firmware Image MODEL ID" and "open source firmware ID"

xmow49 · January 14, 2023, 3:14pm

On the stock netgear image :

hecatae · January 14, 2023, 3:40pm

Your hardware id reads:
29764958 Hardware ID
0 NOR flash
128 NAND flash
1024 ram
0 1st radio
0 2nd radio

Taken from r7800 uboot environment over here:

If you stop the boot process on serial and type printenv what do you see?

xmow49 · January 14, 2023, 3:45pm

I have this:

U-Boot 2012.07-g14bd29e [local,local] (Apr 18 2018 - 14:36:32)

U-boot 2012.07 dni1 V0.3 for BR500 DNI HW ID: 29764958 NOR flash 0MB; NAND flash 128MB; RAM 1024MB;
smem ram ptable found: ver: 0 len: 5
DRAM:  1003 MiB
NAND:  SF: Unsupported manufacturer 00
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
128 MiB
MMC:
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
 131072 bytes read: OK
MMC Device 0 not found
cdp: get part failed for 0:HLOS
Net:   MAC1 addr:XX:XX:XX:XX:XX:XX
athrs17_reg_init: complete
athrs17_vlan_config ...done
S17c init  done
MAC2 addr:XX:XX:XX:XX:XX:XX
eth0, eth1
Hit any key to stop autoboot:  0
(IPQ) #
(IPQ) #
(IPQ) #
(IPQ) # printenv
baudrate=115200
bootargs=console=ttyHSL1,115200n8
bootcmd=sleep 2;   nmrp;  if loadn_dniimg 0 0x1480000 0x44000000 && chk_dniimg 0x44000000; then bootipq2; else fw_recovery; fi
bootdelay=2
eth1addr=XX:XX:XX:XX:XX:XX
ethact=eth0
ethaddr=XX:XX:XX:XX:XX:XX
ipaddr=192.168.1.1
loadaddr=0x42000000
machid=136c
modelid=BR200
serverip=192.168.1.10
stderr=serial
stdin=serial
stdout=serial
updateloader=ipq_nand linux && nand erase 0x01180000 0x00080000 && imgaddr=0x42000000 && source $imgaddr:script

Environment size: 526/262140 bytes
(IPQ) #

hecatae · January 14, 2023, 4:00pm

That's identical to the r7800 save the modelid line.

When booted what do you get from df and cat /proc/mtd and mount?

xmow49 · January 14, 2023, 4:02pm

df:

root@BR200:/# df
Filesystem           1k-blocks      Used Available Use% Mounted on
tmpfs                      512         0       512   0% /dev
ubi0:overlay_volume      51032     35168     13224  73% /overlay
overlayfs:/overlay       51032     35168     13224  73% /
root@BR200:/#

cat /proc/mtd

root@BR200:/# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00c80000 00020000 "qcadata"
mtd1: 00500000 00020000 "APPSBL"
mtd2: 00080000 00020000 "APPSBLENV"
mtd3: 00140000 00020000 "ART"
mtd4: 00140000 00020000 "ART.bak"
mtd5: 00220000 00020000 "kernel"
mtd6: 01de0000 00020000 "rootfs"
mtd7: 04480000 00020000 "netgear"
mtd8: 02000000 00020000 "firmware"
mtd9: 00080000 00020000 "crashdump"
mtd10: 00380000 00020000 "language"
mtd11: 001e0000 00020000 "config"
mtd12: 00060000 00020000 "pot"
mtd13: 00010000 00001000 "m25p80"
mtd14: 0001f000 0001f000 "cert"
mtd15: 0005d000 0001f000 "pot.bak"
mtd16: 001b2000 0001f000 "traffic_meter"
mtd17: 001b2000 0001f000 "traffic_meter.bak"
mtd18: 001b2000 0001f000 "dongle"
mtd19: 037b4000 0001f000 "overlay_volume"
root@BR200:/#

hecatae · January 14, 2023, 4:02pm

it's looking very much like a r7800 with twice the ram and no wireless, the board looks identical to the r7800 on the wiki just missing lots of wireless components.

xmow49 · January 14, 2023, 4:04pm

Yes, I saw this with printenv and the pcb is the same.
The BR200 pcb miss lot of component compared to the r7800

hecatae · January 14, 2023, 4:07pm

cd /sbin
artmtd -r board_data
artmtd -r board_model_id

What do these show?

xmow49 · January 14, 2023, 4:10pm

invalid name I think ?

root@BR200:/# cd /sbin
root@BR200:/sbin# artmtd -r board_data
Usage: artmtd -r name [<arguments> ...]

************* SN Usage:
SN read:
artmtd -r sn

SN write:
artmtd -w sn number
For instance: artmtd -w sn 1ML1747D0000B
SN should be 0~9 or A~Z

************* REGION Usage:

REGION read:
artmtd -r region

REGION wirte:
Usage: artmtd -w region region name
For instance : artmtd -w region NA
The REGION name only is "NA,WW,GR,PR,RU,BZ,IN,KO,JP,AU,CA,US"

************* LANGUAGE Usage:

Language read:
artmtd -r language

************* SSID Usage:
ssid read:
artmtd -r ssid

ssid read:
artmtd -w ssid SSID


************* PASSPHRASE Usage:
passphrase read:
artmtd -r passphrase

passphrase read:
artmtd -w passphrase PASSPHRASE


************* WPSPIN Usage:
wpspin read:
artmtd -r wpspin

wpspin write:
artmtd -w wpspin 12345670


*************HW MODEL ID Usage:
HW MODEL ID read:
artmtd -r board_hw_id
artmtd -r board_model_id
artmtd -w board_hw_id HW_ID
artmtd -w board_model_id MODEL_ID

*************MAC Usage:ssid read:
artmtd -r mac

ssid read:
artmtd -w mac_lan 00:11:22:33:44:50

ssid read:
artmtd -w mac_wan 00:11:22:33:44:51

ssid read:
artmtd -w mac_5g  00:11:22:33:44:52

root@BR200:/sbin#

root@BR200:/sbin# artmtd -r board_model_id
model_id:BR200
root@BR200:/sbin#

xmow49 · January 14, 2023, 4:13pm

root@BR200:/sbin# artmtd -r board_hw_id
hw_id:29764958+0+128+1024+0+0
root@BR200:/sbin# artmtd -r board_model_id
model_id:BR200
root@BR200:/sbin#

hecatae · January 14, 2023, 4:20pm

So if we go back to the TFTP error, if you changed model_id from BR200 to R7800 using:
artmtd -w board_model_id R7800
You should be able to load Openwrt for the R7800 on your BR200.

Alternatively you could download and make a model specific Openwrt build

xmow49 · January 14, 2023, 4:35pm

BusyBox v1.35.0 (2023-01-03 00:24:21 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 22.03.3, r20028-43d71ad93e
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:/#

Its work
just artmtd dont write data in flash.
So I execute:

cd /sbin
artmtd -w board_model_id R7800
artmtd -w board_hw_id 29764958+0+128+512+4x4+4x4+cascade

Then, I push the reset once, wait a bit and push long to get the Tftp mode

Thanks a lot

hecatae · January 14, 2023, 4:38pm

@frollic any idea who the r7800 developer is, as this model should be able to be fully supported with a couple of tweaks, @xmow49 only has access to half the available ram at present, not that it should matter as Openwrt is far more efficient.

xmow49 · January 14, 2023, 4:41pm

Oh yes, I dont saw it, but yes i have only 500Mb