Hi Guys,

I have a bricked Netgear WGT634 V2 which I am wanting to unbrick and then try running OpenWRT / Kamikaze on it.

The specs of my WGT624 are :-

CPU :

ATHEROS
AR2313A-00
BA16185B
0604
TAIWAN

FLASH :

MX 8042072
29LV160ABTC-90
2J334400
TAIWAN

RAM :

SAMSUNG    419
K4S281632F-TC75
16 WQC4598A

SWITCH CHIPSET :

(STICKER)
U12H023T00
41000180-01

(CHIP)
88E6060-RCJ
A17567.4
0408 B00
TAIWAN

PCB BOARD :

U12H018
REV.1
19.1686.01

First thing I did was build a serial interface so that I could connect to the console.  Upon the WGT624 booting, all I got through the serial console was :-

Pressing escape during the boot process allowed me to get access to the VxWorks boot console.  From here I was able to set the boot parameters to tftp.  I was hoping that if I set the tftp function to receive the original Netgear firmware, then this would unbrick the WGT624.  Unfortunately, all I got was :-

I did a bit of research and found that I might need to boot from a .elf file.  I found a .elf called "art", configured the tftp function to receive it and got the following output.

This .elf art file is apparently meant for a D-link DWL-2100AP (which shares the same cpu as the WGT624) which I am guessing is why a few errors are reported.  Once at the shell, I have access to a whole lot of commands.  Doing a directory listing, I can see the problem I have.

The boot file apimg1 is empty.  No worries I think to myself, I'll just copy the file from a working WGT624 and copy it across to my bricked WGT624 using a ftp command.  I try to use some of the network commands to test the ftp function, but they all fail with an "undefined symbol:" error message.  I'm guessing that the ethernet module is not working properly with this .elf file.  I managed to find a second .elf file called "openwrt-atheros-2.6-vmlinux.elf".  I reconfigure the tftp function to boot from the new .elf file, but receive this error message when it tries to load it.

I'm now currently stuck and can see only two options from here.   1, build a jtag cable and copy the flash memory from a working WGT624 to my bricked WGT624 or 2, build a linux kernal for the WGT624 in .elf format so that it will boot via tftp and allow the network side of things to work.   I have no experience in doing either, but like the idea of the 2nd option as it would help other people who have bricked their WGT624's or want to install alternative software to replace the Netgear system.

Can anyone offer me some advice or point me in the right direction please?

Funny. Google must be pretty quick at that crawling thing, because I was looking for just this kind of topic.

On my lap is a bricked WGT624 V2, the cause of which was a genuine Netgear firmware update for this exact model. Blink of doom. The crappy, unstable VxWorks OS hung while it was updating the firmware and voila, glorious brick.

TFTP, no luck at all - it doesn't respond to TCP/IP at all. I'm not a total network n00b but nowheres near Cisco-router-programming net-savvy. I set up a static IP that didn't conflict with the router's IP, tried 192.168.0.1 and .1.1 for subnet and router/ping IP, it's totally dead. The light on the router for the port does blink though, as if there's something coming through. I also tried putting a switch between the router and the computer to keep the connection alive - no dice. Port-scanned both the .0.1 and .1.1 subnets, no devices respond to ping.

I made a quickie serial crossover cable and attached the wires to the pins on the board, for lack of a more descriptive "how-to" guide. When I power up the router with the right combination of wires and settings, I get a computer-istic readout of gibberish on the terminal - as if it's trying to list off lines to the screen, but some bits are getting shifted or something and I'm left with garbage on the screen. I read something about a MAX232 chip or something along those lines...? Is there something else I need to do with the wire than just basically "plug it in" to my computer?

I got a replacement router (a cheapie TrendNet) and just recently bought a (Linksys) WRT54G V5 on eBay (VxWorks didn't see more than 5 minutes on that thing before I dumped DD-WRT on it!), but yet this darn Netgear router keeps mocking me on my desk. What can I do with the thing?

Hey Falcon4, I now have a working solution and a newly revived / unbricked WGT624 v2 router.  I'm in the process of writing up an easy to use guide with lots of photos and screen shots to make life easy.  Give me a day or two and I will have the guide finished and then I will post the link here.

Cheers,

xga.

Awesome!! Does it involve buying extra parts/cables? (lol)

I'd owe you one if I can sell this '624 on eBay if I can get it unbricked...

edit: Funny, the numbers you posted in the original post almost exactly match the numbers on my board - the board, CPU, and switch chip numbers match, but the Flash and RAM chips are different... I have MX E042905 / 29LV160BTTC / 2K254000 for my Flash, and a Winbond RAM chip W981216DH-75 / 0423W / 4421D0109 slightly offset from another chip pad (blank, of course) with a denser pin arrangement. I guess so long as the CPU and board numbers match... >.>

(Last edited by Falcon4 on 26 Sep 2007, 12:12)

Yes.  It cost me about $5 in parts to make up the simple serial console interface cable using a max232 chip.  I'll include details on making this in my guide.  I did not have to resort to making and using a JTAG cable (a lot more complicated and time consuming process IMHO) to unbrick my WGT624.

Your Flash chip should be fine.  The only thing to be concerned about is the size of the Flash chip which is 16 Megabit / 2 Megabyte, the same as the one in my WGT624.

(Last edited by xga on 26 Sep 2007, 16:25)

any one have a secess flash the netgear wgt624v2 via jtag ?

Well, I just burned $25 (how'd you get away with $5?!) on the various components needed to build a basic MAX232 circuit, including a 2-pack of MAX232 chips (they didn't have singles), a breadboard, and various other components to build the only other thing I know uses a MAX232 chip, an ALDL-to-serial reader for my car. I bought all the components on that list, including 9 10k resistors, 6 10µF ceramic capacitors, 4 "2222" transistors (I still need to grab those, d'oh), a 7805 voltage regulator IC, and a small length of solid wire.

Now where's that guide?

... Well? That guide?

I'd like to at least get the serial console working! So far all the MAX232 has been able to give me is bupkis!

Woot! I finally got the serial console working! I was thinking there would be a clue in there as to what's going on, but it's the equivalent of about 400 pages of alien text.
(First one to get that reference gets a cookie.)

FOR THOSE CURIOUS AND BANGING THEIR HEAD FOR HOURS ON END:

The system seems to use a separate ground circuit for the serial's 3.3v as opposed to the case/adapter's ground. So if you ground your serial to the case instead of fighting with the ground pin right next to the TX pin, you'll get bupkis as I got for hours on end until noticing that the 3.3v pin was producing zero volts (started at about 2.2 then crawled down to 0) when grounded to the case!

Here's my setup!


(The resistor seen above is going to be later used when I use this MAX232 circuit for reading my car's ALDL data. The 3-pin IC is a 5-volt regulator IC, which converts 12v from a Linksys AC adapter to 5v for the MAX232.)

Awesomeness in a can. Here's Hyperterminal.

... And that also explains why I couldn't TFTP the thing. Why is it using 192.168.1.20?!

Now. Guide!

I'm RDC'ing another computer to use its serial port, so it's not connected to my laptop (main computer, also serial-less).

edit: Here's what I get when I start it up and hit Esc after the error (it auto-reboots):

(Last edited by Falcon4 on 30 Sep 2007, 09:45)

Sorry for the delay with the guide.  Life got busy.

http://www.embraceit.com.au/wgt624/

Oh - and the missing element (I guess you forgot to add, lol) is that you need to strip the garbage before the "?ELF" header (one character, then the letters ELF) from the TRENDnet firmware first using a hex editor. That way the router can boot the firmware upgrade file

Isn't it ironic that TRENDnet can provide true support for recovering a router (through simple laziness, I imagine), yet NETGEAR seems to go out of their way to make that impossible? That we have to boot another company's firmware in order to restore the original? Shame, shame!

But THANKS for the information! I said that in email, but I'm now publicly exclaiming it. THANKS!!

Nup, I was going to try flashing my WGT624 v2 via JTAG (I even purchased the parts to make an unbuffered wiggler cable) if I was unable to restore it using the serial console and TFTP.  From what I have read, flashing via JTAG is a lot more involved and lengthy process.

I only had to purchase a single MAX232 chip and 5 capacitors, hence only costing ~$5.  I cut an old serial cable and idc cable in half and already had an old breadboard and wires.  It seems that your serial console interface is a lot more complex than mine as mine only uses a total of 6 components.  They both seem to do the job well enough though. :-)  See here for my circuit diagram http://www.embraceit.com.au/wgt624/WGT6 … iagram.jpg .

Is that line from SG-1?

That's just what the VxWorks OS sets it as by default.

Step 4 of my guide now has info on stripping the header from the TRENDnet firmware as well as the actual stripped file itself to be downloaded. 

Very ironic!  But Netgear really should have designed a failsafe recovery method IMHO.  I guess they've learnt from this now anyway.

No worries at all!  Sorry it took me a bit longer than what I originally said to get up.  Just glad I was able to help resurrect another WGT624!

(Last edited by xga on 3 Oct 2007, 18:52)

Hah, I forgot about that cookie! *gives cookie* Yeah, it's from the well known SG-1 episode "Window of Opportunity". But you knew that. I love that episode. XD

To this day I'm STILL trying to help some total n00b understand how to build the MAX232 circuit to unbrick his router, over MSN. It's like he can't even grasp the simplest of electrical concepts like how a breadboard works, or what a voltmeter is (I spent hours trying to explain where to find 5 VDC - in a computer, in a USB power supply, in 4 AA batteries... he finally settled on 4 AA's). Then I had to explain how to connect to the pins, etc...

But I think we're finally wrapping things up and might actually get some input in Hyperterminal soon! =o

So with that, I think you've helped 3 people now

(Edit: My unbricked WGT624 is now my apartment's/complex's access point )

(Last edited by Falcon4 on 12 Mar 2008, 05:27)

Hey Falcon4,

Thanks for the cookie! *Tastes yumm* ;-)

Seems as though a lot of people have difficulty with making the interface.  :-(

I'm sure the noob is very thankful for your assistance.

looking for some help re-flashing my DWL-2100ap, i can get it to load art over tftp, but how would i get it to load the apimg over tftp?

Hey Guys,
Is it possible to update my WGT624v2 with openwrt?
Or will it be possible in the future?
thanks Mike

Hi,

I know that this is an *old* thread, but for those that are still interested in unbricking Netgear WGT624 routers (and potentially others), you can now buy on eBay for a few pounds a USB to TTL converter that will nicely do the job of the serial console, and is a *lot* easier to wire up and use.

Just surf up "USB TTL" in fleaBay and make sure you pick one that has 3.3v and 5v capabilities.  These usually have six pins.  TX, RX, 3.3v, 5v, Ground and RST.  Here is an example of the one I bought ...

http://cgi.ebay.co.uk/ws/eBayISAPI.dll? … 0399285596

Have fun ...

Cheers,
Ripface.

I tried resurrecting my netgear wgt264 v2 router with trendnet firmware as explained.

But this firmware is not accepting blank user name and "admin" as password. Any clues what might be wrong? Any way to do anonymous login or single user login?

Also trying to get an old WGT624 going and stuck at the login to the Trendnet web interface, the recommended user = <blank> , password = admin doesn't work for me either. I notice there is a console prompt as well, unfortunately it doesn't take any of the credentials I'm aware of either.

(Netgear web interface: admin/password, Netgear telnet: Gearguy/Geardog, Trendnet web: <blank>/admin) ... anyone know of others to try ?

Pointers to any further explanation of the bootloader would be useful

I see a note someone has loaded Kamikaze via tftp, any images available to try ? While I understand the Flash is too small, using tftp as a permanent solution would work for me.

Hi Niallp,

I successfully resurrected my netgear router. Following is my email conversation with Cameron who helped me with it till end. Hope it helps you. Let me know if you have any further doubts.

Thanks,
Vishal Soni.

--- On Tue, 8/11/09, Vishal Soni <justvsoni@yahoo.com> wrote:

> From: Vishal Soni <justvsoni@yahoo.com>
> Subject: RE: Help
> To: c.sanderson@embraceit.com.au
> Date: Tuesday, August 11, 2009, 2:40 PM
> Hi Cameron,
>
> Thanks for your quick reply and sorry for long Silence .
> My laptop did not have serial port and so was waiting for my
> friend's laptop over weekend.
>
> I'm glad to inform you that your new image worked with
> some hacks.!!
>
> You might like to include following two points in your
> original post.
>
> 1) If user don't want to go through pain of building
> serial connector, he can borrow/buy the connector like one
> available at
> http://cgi.ebay.co.uk/RS232-Serial-Port … 1|294%3A50
> I don't know whats technical name of it, but I got one
> from my friend who works in broadcom.
>
> 2) Password issue what I faced was resolved in following
> way.
> - Tried booting
>  with your image (art.elf), it did give me access to flash
> without asking for password.
> - Removed apcfg and tried booting with original firmware.
> No progress and it took configuration from apcfg.bak file
>
> - again booted with art.elf and removed both apcfg and
> apcfg.bak file and tried booting with original firmware.
> Still no progress. So thought configuration would be stored
> somewhere else.
> - removed NVRAM file which was only suspicious file and
> tried booting with original firmware. Woila !!! It worked!!
>
>
> So the culprit was NVRAM file (might be).
>
> Rest all steps worked fine as mentioned in your post.
>
> Thanks for your help. I appreciate it.
>
> Regards,
> Vishal Soni.
>
>
> --- On Wed, 7/29/09, Cameron Sanderson
> <c.sanderson@embraceit.com.au> wrote:
>
> From: Cameron Sanderson
>  <c.sanderson@embraceit.com.au>
> Subject: RE: Help
> To: justvsoni@yahoo.com
> Date: Wednesday, July 29, 2009, 4:13 PM
>
>
>
> 
> Hi Vishal,
> 
> Try booting from
> this .elf file and deleting the files from the /fl
> directory.  This should
> then clear the username and password information.
>
> http://www.embraceit.com.au/wgt624/art.elf
>
> This .elf file
> will allow you to boot into the
> router with file access.  This art.elf file is
> apparently meant for a
> D-link DWL-2100AP (which shares the same cpu as the WGT624)
> which I am guessing
> is why a few errors are reported during the boot process,
> just  ignore
> those though.  Once at the shell, you'll have
> access to a whole lot of
> commands, either typing '?' or 'help'
> (minus the quotation marks) followed by
> enter should give you a list of your available
> commands.  If you type 'll'
> (two letter l's not number 1's) followed by enter,
> this should list the files in
> the /fl (flash memory) folder.  Now you need to remove
> one or all of the
> files using the remove command, it could be 'rm' or
> 'del', I can't remember the
> exact command off the top of my head unfortunately.  I
> can't remember which
> file(s) to remove either, but you might want to start with
> the "apcfg" file and
> then reboot and reconfigure the wgt624 to boot off the
> trendnet .elf file and
> try the default username and password again.  If that
> fails, boot back
> using the art.elf file and try deleting another file and
> see how you go.  I
> don't think you can do any damage by deleting these
> files from the flash memory
> as they get rebuilt when the router boots successfully for
> the first
> time.
>
> Let me know how you go.  I'll do my best to help
> you if you
> get stuck.
>
> Cheers,
>
> -Cameron.
>
>
>
> From: Vishal Soni
> [mailto:justvsoni@yahoo.com]
>
> Sent: Thursday, 30 July 2009 6:45 AM
> To: Cameron
> Sanderson
> Subject: Help
>
>
>
>
>   
>   
>     Hi sanderson,
>
> Thanks for such a wonderful post
>       http://www.embraceit.com.au/wgt624/
>
> I tried all steps as you
>       suggested, but STEP 9 is not accepting user name as
> blank and password as
>       admin. Any clue where I went wrong? Or what user name
> /password to
>       use?
>
> Thanks in advance,
>
> Regards,
> Vishal
>   Soni.
>

Hi,

sorry but i cant open a new Thread.

I have the same Router and flashed it one year ago with openwrt. After a few month of successful use, i buy a new Router and put the old Netgear into my cellar.

Now, a half year later, i want to use it again for my Sister. I connect it with my PC and want to access at root via Putty (telnet). But all what i get is "Connection closed by remote host". I try it with SSH but a Timeout occurs. The IP is definitely correct but i can't connect with putty.

Then i tried to connect to the LuCi Webinterface. The Password-Prompt pops up but it seems that i don't know the Password anymore.

I had try to reset the Router by pushing the Reset-Button on the rear - then the WLAN SSID is switched to the old original "NETGEAR". IP is also reset to stock (192.168.0.1). But the Problems are the same. I can't connect with Putty nor LuCi.

Please can anybody help me to solve this issue?

Big Thx and Regards,
Andy