WNDR3700v2 RAM mod revisited

Hi all, I have successfully upgraded the RAM on my WNDR3700v2. I used information and resources provided by the community (a special thanks to hnyman and to jdoering), so I'd like to contribute some information back.

I'll write a brief explanation of the procedure I've used, some considerations I've taken and some available tools.

Preface: Looking at the reports of WNDR3700v1 users, it seems that RAM upgrade is fairly straightforward for that model (as long as you use a compatible RAM). Not so for WNDR3700v2, where a firmware modification is required (as the device won't boot with a different RAM capacity without a firmware mod). The bottom line: certain parts of the MTD partitions from the WNDR3800 firmware can be used to force WNDR3700v2 to work with a larger RAM capacity.

The chips: I read a report of another user successfully employing Hynix H5DU5162ETR-E. The thread is located here:
https://forum.archive.openwrt.org/viewtopic.php?id=32024
The Hynix part was easy to source on Aliexpress so I just bought 2 units.

My background and considerations: Soldering the RAM is not a problem for me as I do component-level repairs for a living. Undocumented firmware modification, on the other hand, could pose a challenge. My goal here was to have the job done with as little effort as possible so I wasn't really interested in educating myself about the nitty-gritty details of the firmware and the bootloader's inner workings. From the aforementioned thread, I knew that I'd need the MTD partitions from WNDR3800 but I didn't know how to extract them from an image. Also it seems that images provided by OpenWRT, as well as by Netgear, do not actually include these partitions (please correct me if I'm wrong, at least I couldn't find any references to these partitions in the binaries - not sure if some compression obscures them, or if they are just omitted). So I was about to build the whole thing from source, hoping that this way, these partitions would have been built. Eventually I browsed through hnyman's repository and to my delight, I found that he already had the partitions there, extracted, plus a useful explanation about the location of the router-specific strings located inside the MTD5 partition.

Method: So eventually this is what I've done for the upgrade. Credit goes to user jdoering whose message in the thread I referenced above gave me some clues. I'm writing this as a guide, but note that I don't really know whether every step here is required, or if there could be some unwanted side-effects. I just did the easiest thing, which is make modifications that someone else reported to work, in a way that was the easiest for me.

Prerequisites:

  • Obviously, the new RAM. I used 2 units of Hynix H5DU5162ETR-E.
  • Flash reader/programmer to read and write firmware directly from/to the flash chip. This is required to modify the firmware easily. I'm using the TL866II Plus. [If you don't have a flash programmer, it sounds like it is possible to modify the MTD partitions by issuing some commands through the serial cable. I didn't consider this as a much easier way is available].
  • Adapter socket for SOP16 (to connect the flash chip to your flash programmer).
  • Hot air station to desolder the RAM and the flash chip.
  • Hex editor application. I'm using HxD.
  • MTD0, MTD5 partitions from WNDR3800 firmware, and explanation of router-specific strings. Download from hnyman's repository here (inside "art partition binary contents" folder):
    https://www.dropbox.com/sh/t52c02rm20y8x9p/AABwMXTuLX6BGqC8-PDj-F7oa?dl=0

Steps:

  1. Replace the RAM.
  2. Pull the flash chip from the board, read the firmware out of it. That gives you an image of the whole thing, including the original MTD partitions.
  3. Extract WNDR3800 specific strings from "wndr3800_mtd5_art_edit.bin". Strings are explained in the file "art_header_explanation.txt". I extracted specifically the following: "Magic? Part of firmware image ID", "Router type", "Netgear firmware WLAN network default name", "Netgear firmware WLAN network default keyphrase".
  4. Replace the relevant strings in the original firmware dump from your device as obtained in step 1. If you search through the file for the first few bytes of your MAC address (printed on the router), you should find the beginning of the MTD5 partition inside your image. Likely (at least in WNDR3700) it will always be found at the same offset, which is FF0000. Pay special attention to placing the strings at the same offset relative to the beginning of the MTD5 partition as in "wndr3800_mtd5_art_edit.bin". I just used those strings from the WNDR3800 as-is, including the actual "WNDR3800" part. This might or might not pose issues when upgrading the firmware to newer versions.
  5. Replace the whole MTD0 partition with the contents of "wndr3800_mtd0_u-boot.bin". This is likely located right at the beginning of your image file (offset 0).
  6. Write the modified firmware into the chip, solder the chip back to its place.
  7. Done - the board should boot now. You can tell it's booting before you assemble the device if it's not staying continuously stuck at one amber LED.

Notes:

  • Some RAM chips might prove incompatible so if you are not getting the exact same part as I did, do some research before you order.

  • I don't know a lot about the firmware structure or inner workings so if you encounter issues, I might not be able to help. I'm just here to say what worked for me.

  • I will be happy if more knowledgeable people chime in to correct whatever mistakes I've made or to provide their opinion.

  • The dumped firmware file's size should be exactly 16,384 KB (as this is the total capacity of the flash chip). It should stay exactly the same size after the modification.

  • "Netgear firmware WLAN network default name", "Netgear firmware WLAN network default keyphrase" strings are probably not required as they won't be used by the OpenWRT firmware (?), but I copied them over anyway. I'm not going to use the default keyphrase so I didn't care about it being wrong - if you do, copy the keyphrase from your actual router label.

  • I don't really know whether replacing the MTD0 partition is required. I decided to replace it because this worked for jdoering.

  • I'm wondering whether just using the "+16+128" segment of the MTD5 partition would suffice (as presumably these are the capacities of the flash chip and the RAM). If someone decides to experiment, it would be interesting to hear about the results.

  • Obviously, it is a good idea to perform modification on a copy of the original dump so you have a pre-modification backup, just in case.

  • In my router, I found 2 bulged capacitors that I decided to replace. Both were 470uF 16V 105C parts. One of them measured dramatically out of spec (just about 2uF and a huge ESR). Both were located next to the shielded area of the board, so I believe these might be providing power for the WLAN amplifier or something similar. Actually it is quite amazing that I didn't notice any problems with the router before the replacement. If you decide to replace these caps, note that you will likely need capacitors of more or less exactly the same spec because generally you don't want to use smaller caps, and larger caps won't fit into the available space (usually higher capacity or higher rated voltage makes for a physically larger cap).

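The hex-editor work in steps 3 to 5 can also be scripted, with a size check and a list of changed byte ranges to review before writing the chip. This is an added example, not part of the original post or of hnyman's files; the function names, the field offset 0x20 and all sample bytes are constructed, and the real field offsets and lengths must be taken from "art_header_explanation.txt".

```python
FLASH_SIZE = 16384 * 1024  # flash capacity stated in the post (16,384 KB)

def patch_dump(dump, donor_mtd0, donor_mtd5, fields, mac_prefix):
    """Return (patched_copy, mtd5_base); the input dump is left untouched.

    fields: (relative_offset, length) pairs inside MTD5. Real values come from
    art_header_explanation.txt; none are hard-coded here.
    """
    if len(dump) != FLASH_SIZE:
        raise ValueError(f"dump is {len(dump)} bytes, expected {FLASH_SIZE}")
    base = dump.find(mac_prefix)  # post: MTD5 begins where the MAC is found
    if base < 0:
        raise ValueError("MAC prefix not found, cannot locate MTD5")
    if len(donor_mtd0) > base:
        raise ValueError("donor MTD0 would run into MTD5")
    out = bytearray(dump)
    out[:len(donor_mtd0)] = donor_mtd0  # whole MTD0 replaced at offset 0
    for rel, length in fields:
        if rel + length > len(donor_mtd5) or base + rel + length > FLASH_SIZE:
            raise ValueError(f"field at +{rel:#x} is out of range")
        out[base + rel:base + rel + length] = donor_mtd5[rel:rel + length]
    assert len(out) == FLASH_SIZE  # equal-length slices keep the size fixed
    return bytes(out), base

def changed_ranges(before, after, block=4096):
    """List (start, end) byte ranges that differ, for review before flashing."""
    ranges = []
    for off in range(0, len(before), block):
        if before[off:off + block] == after[off:off + block]:
            continue
        for i in range(off, min(off + block, len(before))):
            if before[i] != after[i]:
                if ranges and ranges[-1][1] == i:
                    ranges[-1][1] = i + 1
                else:
                    ranges.append([i, i + 1])
    return [tuple(r) for r in ranges]

if __name__ == "__main__":
    # Constructed stand-ins for the real dump and donor files.
    mac = bytes.fromhex("020000aabbcc")
    dump = bytearray(b"\xff" * FLASH_SIZE)
    dump[:4] = b"old!"
    dump[0xFF0000:0xFF0006] = mac
    dump[0xFF0020:0xFF0028] = b"WNDR3700"
    donor5 = bytearray(64)
    donor5[0x20:0x28] = b"WNDR3800"
    new, base = patch_dump(bytes(dump), b"NEWBOOT!", bytes(donor5), [(0x20, 8)], mac)
    print(hex(base), [(hex(s), hex(e)) for s, e in changed_ranges(dump, new)])
```

Any range in the output that falls outside MTD0 and the fields you meant to copy means the patch touched something it should not have, such as the MAC address or calibration data in MTD5.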