Support for NETGEAR WNDR4300 v2

Hi, there should not be any boot loop just from changing IP and/or resetting to default values... Anyway, TFTP recovery can be activated by pressing the reset button for a while when power-cycling the device, then uploading the img file via TFTP. A UART cable (aka USB TTL serial) is a great tool and a must if you are experimenting with the device. Using such a cable and a terminal emulator, entering recovery mode for that model is as simple as typing the 'fw_recovery' command at the u-boot loader prompt.

1 Like

Looking back at it now, I may have double-clicked the reset button and interrupted the reset by powering off too soon. TFTP is not working for me: the boot loop does not allow the full file to be uploaded, and the reset button has no effect on the power LED. It shows a weird IP for about 5 secs, then loops, so I'm waiting on TTL for unbrick. Anyone have a pinout? I believe the squared-off pin is 3.3V, the two center pins RX or TX, and the last pin closest to the front of the router is the ground pin, but just wanna make sure.

This is kind of weird, as tftp recovery is run in the u-boot phase, so there is no interaction with the OS at that moment. It works as long as the bootloader is in place. The procedure waits forever in a loop for the factory IMG file (not sysupgrade BIN!) to be uploaded via a tftp client to the default address of 192.168.1.1, then the device resets itself automatically.
The UART pinout is correct; going from pin 1 it is 3.3V, TX, RX, GND - just remember to leave pin 1 (3.3V) unconnected and use 2, 3 and 4 only.

1 Like

OK, fixed the TTL cable issue and this is what comes out. How do I stop the loop?

j
                                                                                                       0E(.

                                                                                                           debian) (gcc version 8.3.0 (OpenWrt GCC 8.3.0 r11979+4-28080d54d2)) #0 Tue Jan 14 07:29:34 2020
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019750 (MIPS 74Kc)
[    0.000000] MIPS: machine is Netgear WNDR4300 v2
[    0.000000] SoC: Qualcomm Atheros QCA956X ver 1 rev 0
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] random: get_random_bytes called from start_kernel+0x98/0x4b0 with crng_init=0
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 32480
[    0.000000] Kernel command line: console=ttyS0,115200n8 rootfstype=squashfs,jffs2
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 121836K/131072K available (4791K kernel code, 172K rwdata, 1096K rodata, 1228K init,
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS: 51
[    0.000000] CPU clock: 775.000 MHz
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 4932285024 ns
[    0.000008] sched_clock: 32 bits at 387MHz, resolution 2ns, wraps every 5541893118ns
[    0.008232] Calibrating delay loop... 385.84 BogoMIPS (lpj=1929216)
[    0.074771] pid_max: default: 32768 minimum: 301
[    0.079845] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.086839] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.098749] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 1911260446275000
[    0.109151] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.115711] pinctrl core: initialized pinctrl subsystem
[    0.122426] NET: Registered protocol family 16
[    0.133812] PCI host bridge /ahb/pcie-controller@18250000 ranges:
[    0.140245]  MEM 0x0000000012000000..0x0000000013ffffff
[    0.145801]   IO 0x0000000000000000..0x0000000000000000
[    0.170030] PCI host bridge to bus 0000:00
[    0.174357] pci_bus 0000:00: root bus resource [mem 0x12000000-0x13ffffff]
[    0.181652] pci_bus 0000:00: root bus resource [io  0x0000]
[    0.187520] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0]
[    0.194680] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[    0.204364] pci 0000:00:00.0: BAR 0: assigned [mem 0x12000000-0x1201ffff 64bit]
[    0.212125] pci 0000:00:00.0: BAR 6: assigned [mem 0x12020000-0x1202ffff pref]
[    0.222774] clocksource: Switched to clocksource MIPS
[    0.229094] NET: Registered protocol family 2
[    0.234574] tcp_listen_portaddr_hash hash table entries: 512 (order: 0, 4096 bytes)
[    0.242678] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    0.250077] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.256794] TCP: Hash tables configured (established 1024 bind 1024)
[    0.263624] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.269793] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.276739] NET: Registered protocol family 1
[    0.284247] Crashlog allocated RAM at address 0x3f00000
[    0.291265] workingset: timestamp_bits=14 max_order=15 bucket_order=1
[    0.304192] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.310336] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, I
[    0.334500] io scheduler noop registered
[    0.338633] io scheduler deadline registered (default)
[    0.344769] ar7200-usb-phy usb-phy: phy reset is missing
[    0.351947] pinctrl-single 1804002c.pinmux: 544 pins, size 68
[    0.359063] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled
[    0.367925] console [ttyS0] disabled
[    0.371716] 18020000.uart: ttyS0 at MMIO 0x18020000 (irq = 9, base_baud = 1562500) is a 16550A
[    0.380855] console [ttyS0] enabled
[    0.380855] console [ttyS0] enabled
[    0.388419] bootconsole [early0] disabled
[    0.388419] bootconsole [early0] disabled
[    0.406709] m25p80 spi0.0: mx25l1606e (2048 Kbytes)
[    0.411799] 8 fixed-partitions partitions found on MTD device spi0.0
[    0.418413] Creating 8 MTD partitions on "spi0.0":
[    0.423391] 0x000000000000-0x000000040000 : "u-boot"
[    0.429256] 0x000000040000-0x000000050000 : "u-boot-env"
[    0.435489] 0x000000050000-0x000000060000 : "caldata_backup"
[    0.442044] 0x000000060000-0x000000070000 : "config"
[    0.447912] 0x000000070000-0x000000080000 : "traffic_meter"
[    0.454421] 0x000000080000-0x000000090000 : "pot"
[    0.459950] 0x000000090000-0x0000001f0000 : "reserved"
[    0.466036] 0x0000001f0000-0x000000200000 : "caldata"
[    0.478394] spi-nand spi0.1: GigaDevice SPI NAND was found.
[    0.484212] spi-nand spi0.1: 128 MiB, block size: 128 KiB, page size: 2048, OOB size: 64
[    0.492663] 2 fixed-partitions partitions found on MTD device spi0.1
[    0.499256] Creating 2 MTD partitions on "spi0.1":
[    0.504227] 0x000000000000-0x000000400000 : "kernel"
[    0.515898] 0x000000400000-0x000008000000 : "ubi"
[    0.700484] libphy: Fixed MDIO Bus: probed
[    1.383164] libphy: ag71xx_mdio: probed
[    1.390207] switch0: Atheros AR8337 rev. 2 switch registered on mdio-bus.0
[    2.044240] ag71xx 19000000.eth: connected to PHY at mdio-bus.0:00 [uid=004dd036, driver=Atheros AR8216/
[    2.055907] eth0: Atheros AG71xx at 0xb9000000, irq 4, mode: sgmii
[    2.064965] NET: Registered protocol family 10
[    2.074934] Segment Routing with IPv6
[    2.078818] NET: Registered protocol family 17
[    2.083539] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your script
[    2.096937] 8021q: 802.1Q VLAN Support v1.8
[    2.107616] UBI: auto-attach mtd9
[    2.111068] ubi0: attaching mtd9
[    2.572784] random: fast init done
[    6.171541] ubi0 warning: ubi_attach: valid VID header but corrupted EC header at PEB 991
[    6.180021] ubi0 error: ubi_add_to_av: two LEBs with same sequence number 1
[    6.187219] eraseblock attaching information dump:
[    6.192161]  ec       1
[    6.194707]  pnum     990
[    6.197410]  lnum     0
[    6.199928]  scrub    0
[    6.202446]  sqnum    1
[    6.204976] Volume identifier header dump:
[    6.209203]  magic     55424921
[    6.212445]  version   1
[    6.215066]  vol_type  1
[    6.217678]  copy_flag 1
[    6.220285]  compat    5
[    6.222905]  vol_id    2147479551
[    6.226324]  lnum      0
[    6.228932]  data_size 22528
[    6.231897]  used_ebs  0
[    6.234516]  data_pad  0
[    6.237130]  sqnum     1
[    6.239738]  hdr_crc   54de2e3b
[    6.242982] Volume identifier header hexdump:
[    6.247876] ubi0 error: ubi_attach_mtd_dev: failed to attach mtd9, error -22
[    6.255279] UBI error: cannot attach mtd9
[    6.260368] VFS: Cannot open root device "(null)" or unknown-block(0,0): error -6
[    6.268144] Please append a correct "root=" boot option; here are the available partitions:
[    6.276797] 1f00             256 mtdblock0
[    6.276799]  (driver?)
[    6.283564] 1f01              64 mtdblock1
[    6.283566]  (driver?)
[    6.290313] 1f02              64 mtdblock2
[    6.290315]  (driver?)
[    6.297070] 1f03              64 mtdblock3
[    6.297072]  (driver?)
[    6.303829] 1f04              64 mtdblock4
[    6.303831]  (driver?)
[    6.310581] 1f05              64 mtdblock5
[    6.310583]  (driver?)
[    6.317338] 1f06            1408 mtdblock6
[    6.317340]  (driver?)
[    6.324096] 1f07              64 mtdblock7
[    6.324098]  (driver?)
[    6.330849] 1f08            4096 mtdblock8
[    6.330851]  (driver?)
[    6.337606] 1f09          126976 mtdblock9
[    6.337608]  (driver?)
[    6.344362] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
[    6.353711] Rebooting in 1 seconds..

It may indicate that you happen to have a NAND flash with some bad blocks (that's normal as long as they come in small numbers). On this router OpenWrt uses all available flash memory, while the original firmware leaves more than a half unused, so the errors are probably located in this new region.

Please try the following:

  1. Reboot the router and enter the u-boot prompt (press a key at the countdown).

  2. Update the bad block table by entering the following commands at the u-boot prompt:

     > nand scrub
     > nand bad

     and for each bad block address listed after running the last command (let's name it HEXADDR; there should not be more than ten or so), enter one command:

     > nand markbad HEXADDR

  3. Reset the router:

     > reset

  4. Enter u-boot again after the reset by pressing any key and run tftp recovery mode:

     > fw_recovery

  5. Upload the factory.img file to 192.168.1.1 using a tftp client - there will be some flashing output on screen, then the router resets itself automatically.

2 Likes

OK, I actually got to OpenWrt recovery just now. Can I just rename the OpenWrt .img to factory and reset with sysupgrade, or is sysupgrade only for .bin files? It was really weird how I got here, but I'm in the recovery shell.

OK, back to stock. I reached the console and interrupted boot (when I do this it's illegible), so I typed your nand commands blindly. They appeared to work (I guess). It rebooted, I interrupted boot again, fw_recovery, then tftp upload on 192.168.1.1, but I only had the latest stock update .img. I did not change the name, but it uploaded and booted back up to Netgear firmware. My copies of the OpenWrt img from the Debian drive seem to be corrupted on Windows, as I tried to reinstall OpenWrt but it bricked again. I noticed the firmware file size was at 0kbs. My initial install was from the Debian drive; all the copies I put on Windows seem corrupted, probably a PC hardware issue I'll look into. Thank you for all your help "realmicu", and I'm glad I ordered a 4 pack of TTL cables; the first one was bad.

So if my u-boot text output is garbled, is it partially corrupted? I have the right baud rate set; I can interrupt the boot sequence and type commands, but anything being output from the commands is garbled until OpenWrt starts to boot, then I finally get actual words and text. Is there a way to reinstall the u-boot? I can't seem to find much info about it from the Netgear website, or is it supposed to be like that on boot up?

I had the same problem; WNDR4300 v2, unlike other Netgear routers, has a problem with low quality USB TTL UART modules (mostly CH340 clones). My advice is to use something based on PL2303.
Please do not type commands without proper output; 'nand markbad' requires an offset provided by 'nand bad', so if your screen is garbled you may worsen things instead of fixing them.
Sysupgrade is for .bin files only; recovery uses .img files.

Is there any way to scrub the bad NAND blocks from stock firmware? It appears I can't reinstall the built OpenWrt image till I fix that. I set it to install from stock Netgear firmware through the web UI, and after reboot I think it stays at u-boot, possibly to select the correct root= boot partition, but I can't see anything, just guessing. After reboot it goes back to the same error message posted before (kernel panic) until I tftp stock firmware again. I'll try another TTL, or can I identify the bad blocks from the mtd partitions from the errored output above?

I'm afraid there are no tools in vendor OS that will help you to find and mark bad blocks. You should do that from u-boot prompt prior to OpenWrt installation.

1 Like
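
Added example, not part of any post in this thread: the UBI errors in the boot log posted above name PEB numbers, and this Python script converts them to byte offsets on the NAND chip so they can be compared with the addresses `nand bad` prints. It assumes mtdN is the N-th partition line in the log and that u-boot addresses the same chip from offset 0; a PEB that UBI rejects is not necessarily a marked bad block, so the result is for cross-checking, not a substitute for the `nand bad` list.

```python
import re

# Lines excerpted from the boot log posted earlier in this thread.
LOG = """\
[    0.423391] 0x000000000000-0x000000040000 : "u-boot"
[    0.429256] 0x000000040000-0x000000050000 : "u-boot-env"
[    0.435489] 0x000000050000-0x000000060000 : "caldata_backup"
[    0.442044] 0x000000060000-0x000000070000 : "config"
[    0.447912] 0x000000070000-0x000000080000 : "traffic_meter"
[    0.454421] 0x000000080000-0x000000090000 : "pot"
[    0.459950] 0x000000090000-0x0000001f0000 : "reserved"
[    0.466036] 0x0000001f0000-0x000000200000 : "caldata"
[    0.484212] spi-nand spi0.1: 128 MiB, block size: 128 KiB, page size: 2048, OOB size: 64
[    0.504227] 0x000000000000-0x000000400000 : "kernel"
[    0.515898] 0x000000400000-0x000008000000 : "ubi"
[    2.111068] ubi0: attaching mtd9
[    6.171541] ubi0 warning: ubi_attach: valid VID header but corrupted EC header at PEB 991
[    6.197410]  pnum     990
"""

PART = re.compile(r'0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"')

def suspect_blocks(log):
    """Map the PEB numbers UBI complained about to offsets on the NAND chip."""
    # Assumption: mtdN is the N-th partition line, in registration order.
    parts = [(int(a, 16), int(b, 16), name) for a, b, name in PART.findall(log)]
    mtd = int(re.search(r"ubi\d+: attaching mtd(\d+)", log).group(1))
    start, end, name = parts[mtd]
    # Erase block size of the NAND chip, as reported by the spi-nand driver.
    block = int(re.search(r"block size: (\d+) KiB", log).group(1)) * 1024
    pebs = {int(n) for n in re.findall(r"(?:at PEB|pnum)\s+(\d+)", log)}
    out = []
    for peb in sorted(pebs):
        # A PEB number is the erase block index inside the attached partition.
        offset = start + peb * block
        if offset >= end:
            raise ValueError(f"PEB {peb} lies outside partition {name!r}")
        out.append((peb, name, offset))
    return out

if __name__ == "__main__":
    for peb, name, offset in suspect_blocks(LOG):
        print(f"PEB {peb} of {name!r} -> chip offset 0x{offset:08x}")
```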

Thank you. It works!

1 Like

HaHa
Yes, it's my GitHub account; the repo comes from the NETGEAR official open-source code library.
I remember you had sent me an email, and I have told you this information.
The official code compile environment requires a very old Ubuntu version.
Thank you.

@Tech49, I failed to build the img file. Could you please send me the img you have built? Thank you so much in advance! Email: deigwaa@gmail.com

I think I may have bricked my router, can't enter text in the serial console nor can I manage to TFTP into it to restore the original firmware, if only I could find a way to use JTAG...

I bought this router "Netgear WNDR4200 v2" from Amazon 5 years ago; v1 was written in the description, but they sent me the v2... 3 years with the stock firmware, then 2 years ago it rebooted and it didn't hold the configuration settings on save anymore, bad memory probably... who knows. After a reset the login page never appears, showing an ending spinning wheel (the URL is something like BT_index.html). Unusable, like a bricked router, since I cannot log in with a browser from the web UI.

Last week I read this post so I decided to give it a shot. I attached the USB via serial UART with a minicom terminal session. I reflashed the stock firmware via tftp many times with success, but still the same problem. I've analyzed boot logs: bad memory at first block 0x00000 :smiley: when u-boot starts, but the flashing via tftp had no problem at all.

Then I tried with OpenWrt. I compiled the patched version from @realmicu on a ubuntu20 VM, issued the nand commands (I had 5 bad blocks already listed) and flashed, but I had the result described by @Tech49, a kernel panic loop. After another flash OpenWrt did not panic anymore and it worked!!! Then I installed luci with opkg to have access from the browser. In the end I don't know why it worked, probably just the reflash, or I issued the right nand command, or simply because I recalled those damaged areas with the md command. It has been running for some days now.

Thank you people, especially @realmicu!!

1 Like

Hi Albio,

Thank you for nice words, glad to see it all works!
Thankfully this is a dual flash router with u-boot and all vital hardware data residing on an SPI NOR chip (slower but more reliable flash memory), so a dead block at 0x00000 on SPI NAND is not a big problem here. WNDR4300(v1) has only a NAND chip so everything is loaded there, but I had never experienced any bad blocks on that one, so I guess its flash memory must be of recognizably better quality.

Regards
realmicu

1 Like

I ended up flashing to stock because of the memory issue, but I will try openwrt again now that I know a reflash can fix it!

For those having ubi errors: the error seems identical to the one here with wndr4500v3 (almost identical hardware, too): WNDR4500v3 - Kernel Panic - not syncing: VFS

I was having the exact issue too on my wndr4300v2 (first boot after flashing the openwrt factory img was fine, then it rebooted into a bootloop), and sysupgrade solved the problem.

Btw uboot does not work at all with my uart adapter. Switched to breed for wndr4500v3 and it works perfectly.

1 Like

How do I install B.R.E.E.D. to the wndr4300v2?