OpenWrt Forum Archive

Topic: Going back to stock firmware on Netgear DGN3500

The content of this topic has been archived on 31 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Post #1
sherover
27 Sep 2017, 21:51

I am trying to flash the stock firmware on my DGN3500 router.
I have followed the instructions on "Back to original firmware" page.
after running the mtd command and waiting for few minutes I get the : "Failed to erase block" message.
The stock firmware file has .img extension file. Is this a problem?

I tried to reboot (I thought it will brick the router) and after setting the ip address 192.168.1.1 I could get to a basic page with Netgear text that allowed me to upload a new firmware. Uploading the stock firmware did not work but again I could upload the OpenWrt firmware and it works now!
I still could not revert to original firmware. I don't know how I can get around the error message that I receive.

Thanks for any input in advance.

Post #2
Antek
28 Sep 2017, 16:34

Reboot your router, open an SSH prompt, type 'dmesg' and post the result. Then use 'cat /proc/mtd' and post that result as well. Use the 'code' formatting element for clear output.

The stock firmware file (DGN3500-V1.1.00.37_1.00.37NA.img) seems to have four distinct sections:
- 0x00000000 - 0x0000e1b7 Unknown content (~57 kB in size)
- 0x00040000 - 0x00048a80 Unknown content; probably some sort of recovery (~35 kB in size)
- 0x00050000 - 0x0017b5d4 "MIPS Linux 2.6.2 kernel" (~1,2 MB in size)
- 0x001a0000 - 0x0086104d Unknown; probably rootfs (~7,1 MB in size)

Now we just need to find out which piece goes where.

OpenWRT installations usually do not require fiddling with the bootloader settings such as load addresses or kernel parameters, so simply by placing correct snips from the original firmware file into correct slots on the flash memory chip should get us pretty far.

Or it might brick your router totally. But you were open to suggestions, so... smile

Post #3
sherover
28 Sep 2017, 19:16

Thanks for your fast reply!

Here is the output of "cat /proc/mtd":

root@OpenWrt:~# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00010000 00010000 "uboot"
mtd1: 00010000 00010000 "uboot-env"
mtd2: 00010000 00010000 "calibration"
mtd3: 00fa0000 00010000 "firmware"
mtd4: 00160c6d 00010000 "kernel"
mtd5: 00e3f393 00010000 "rootfs"
mtd6: 00bb0000 00010000 "rootfs_data"
root@OpenWrt:~#

and here is the output of dmesg:

[    0.000000] Linux version 3.18.20 (buildbot@builder1) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r46450) ) #1 Fri Sep 4 17:16:20 CEST 2015
[    0.000000] SoC: AR9 rev 1.2
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 0001954c (MIPS 34Kc)
[    0.000000] MIPS: machine is DGN3500 - Netgear DGN3500
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 04000000 @ 00000000 (usable)
[    0.000000] User-defined physical RAM map:
[    0.000000]  memory: 04000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x00000000-0x03ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00000000-0x03ffffff]
[    0.000000] Initmem setup node 0 [mem 0x00000000-0x03ffffff]
[    0.000000] On node 0 totalpages: 16384
[    0.000000] free_area_init_node: node 0, pgdat 803fc2f0, node_mem_map 810061e0
[    0.000000]   Normal zone: 128 pages used for memmap
[    0.000000]   Normal zone: 0 pages reserved
[    0.000000]   Normal zone: 16384 pages, LIFO batch:3
[    0.000000] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 16kB, 4-way, VIPT, no aliases, linesize 32 bytes
[    0.000000] pcpu-alloc: s0 r0 d32768 u32768 alloc=1*32768
[    0.000000] pcpu-alloc: [0] 0
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
[    0.000000] Kernel command line: root=/dev/mtdblock0 ip=192.168.1.1:192.168.1.15::::eth0:on console=ttyS1,115200 ethaddr=e0:91:f5:5a:5c:15 phym=64M mem=64M panic=1 root= console=ttyLTQ0,115200
[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Writing ErrCtl register=0006a395
[    0.000000] Readback ErrCtl register=0006a395
[    0.000000] Memory: 60340K/65536K available (3475K kernel code, 154K rwdata, 556K rodata, 148K init, 195K bss, 5196K reserved)
[    0.000000] NR_IRQS:256
[    0.000000] CPU Clock: 333MHz
[    0.040000] Calibrating delay loop... 221.18 BogoMIPS (lpj=442368)
[    0.040000] pid_max: default: 32768 minimum: 301
[    0.044000] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.048000] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.056000] pinctrl core: initialized pinctrl subsystem
[    0.064000] NET: Registered protocol family 16
[    0.072000] pinctrl-xway 1e100b10.pinmux: Init done
[    0.076000] dma-xway 1e104100.dma: Init done - hw rev: 6, ports: 5, channels: 20
[    0.084000] PCI host bridge /fpi@10000000/pci@E105400 ranges:
[    0.088000]  MEM 0x0000000018000000..0x0000000019ffffff
[    0.092000]   IO 0x000000001ae00000..0x000000001affffff
[    0.096000] ath9k,eeprom ath9k_eep: failed to load eeprom address
[    0.112000] usbcore: registered new interface driver usbfs
[    0.116000] usbcore: registered new interface driver hub
[    0.120000] usbcore: registered new device driver usb
[    0.124000] PCI host bridge to bus 0000:00
[    0.128000] pci_bus 0000:00: root bus resource [mem 0x18000000-0x19ffffff]
[    0.132000] pci_bus 0000:00: root bus resource [io  0xffffffff]
[    0.136000] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[    0.140000] pci 0000:00:0e.0: [168c:ff1d] type 00 class 0x020000
[    0.140000] pci 0000:00:0e.0: reg 0x10: [mem 0x00000000-0x0000ffff]
[    0.140000] pci_bus 0000:00: busn_res: [bus 00-ff] end is updated to 00
[    0.140000] pci 0000:00:0e.0: BAR 0: assigned [mem 0x18000000-0x1800ffff]
[    0.144000] Switched to clocksource MIPS
[    0.148000] NET: Registered protocol family 2
[    0.156000] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    0.160000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.168000] TCP: Hash tables configured (established 1024 bind 1024)
[    0.176000] TCP: reno registered
[    0.176000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.184000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.192000] NET: Registered protocol family 1
[    0.196000] PCI: CLS 0 bytes, default 32
[    0.196000] gptu: totally 6 16-bit timers/counters
[    0.200000] gptu: misc_register on minor 63
[    0.204000] gptu: succeeded to request irq 126
[    0.208000] gptu: succeeded to request irq 127
[    0.212000] gptu: succeeded to request irq 128
[    0.216000] gptu: succeeded to request irq 129
[    0.224000] gptu: succeeded to request irq 130
[    0.228000] gptu: succeeded to request irq 131
[    0.232000] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.240000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.248000] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.272000] msgmni has been set to 117
[    0.284000] io scheduler noop registered
[    0.288000] io scheduler deadline registered (default)
[    0.292000] 1e100c00.serial: ttyLTQ0 at MMIO 0x1e100c00 (irq = 112, base_baud = 0) is a lantiq,asc
[    0.300000] console [ttyLTQ0] enabled
[    0.308000] bootconsole [early0] disabled
[    0.332000] m25p80 spi32766.0: found mx25l12805d, expected s25fl129p0
[    0.340000] m25p80 spi32766.0: mx25l12805d (16384 Kbytes)
[    0.344000] 4 ofpart partitions found on MTD device spi32766.0
[    0.352000] Creating 4 MTD partitions on "spi32766.0":
[    0.356000] 0x000000000000-0x000000010000 : "uboot"
[    0.360000] 0x000000010000-0x000000020000 : "uboot-env"
[    0.368000] 0x000000020000-0x000000030000 : "calibration"
[    0.372000] 0x000000050000-0x000000ff0000 : "firmware"
[    1.404000] 2 uimage-fw partitions found on MTD device firmware
[    1.408000] 0x000000050000-0x0000001b0c6d : "kernel"
[    1.416000] 0x0000001b0c6d-0x000000ff0000 : "rootfs"
[    1.420000] mtd: device 5 (rootfs) set to be root filesystem
[    1.428000] 1 squashfs-split partitions found on MTD device rootfs
[    1.432000] 0x000000440000-0x000000ff0000 : "rootfs_data"
[    2.528000] Realtek RTL8366RB ethernet switch driver version 0.2.4
[    2.532000] rtl8366rb rtl8366rb: using GPIO pins 491 (SDA) and 493 (SCK)
[    2.540000] rtl8366rb rtl8366rb: RTL5937 ver. 3 chip found
[    2.632000] libphy: rtl8366rb: probed
[    2.636000] libphy: ltq_mii: probed
[    2.640000] eth0 (uninitialized): no PHY found
[    2.644000] etop: mdio probe failed
[    2.648000] wdt 1f8803f0.watchdog: Init done
[    2.656000] TCP: cubic registered
[    2.656000] NET: Registered protocol family 17
[    2.660000] bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this.
[    2.672000] Bridge firewalling registered
[    2.676000] 8021q: 802.1Q VLAN Support v1.8
[    2.772000] ath9k,eeprom ath9k_eep: endian check enabled.
[    2.776000] ath9k,eeprom ath9k_eep: pci slot: 14
[    2.780000] pci 0000:00:0e.0: fixup device configuration
[    2.788000] pci 0000:00:0e.0: fixup info: [168c:0029] revision 01 class 0x028000
[    2.792000] ath9k,eeprom ath9k_eep: loaded ath9k eeprom
[    2.812000] UBIFS error (pid 1): ubifs_mount: cannot open "ubi0:rootfs", error -19
[    2.964000] VFS: Mounted root (squashfs filesystem) readonly on device 31:5.
[    2.968000] Freeing unused kernel memory: 148K (8041b000 - 80440000)
[   20.588000] init: Console is alive
[   20.592000] init: - watchdog -
[   33.000000] random: nonblocking pool is initialized
[   39.240000] IFXUSB: ifxusb_hcd: version 3.2 B110801
[   39.744000] IFXUSB: USB core #0 soft-reset
[   39.944000] IFXUSB: USB core #0 soft-reset
[   39.948000] ifxusb_hcd ifxusb_hcd: IFX USB Controller
[   39.952000] ifxusb_hcd ifxusb_hcd: new USB bus registered, assigned bus number 1
[   39.960000] ifxusb_hcd ifxusb_hcd: irq 62, io mem 0xbe101000
[   39.968000] IFXUSB: Init: Power Port (0)
[   39.976000] hub 1-0:1.0: USB hub found
[   39.976000] hub 1-0:1.0: 1 port detected
[   40.972000] init: - preinit -
[   47.692000] jffs2: notice: (284) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
[   47.740000] mount_root: switching to jffs2 overlay
[   47.828000] procd: - early -
[   47.828000] procd: - watchdog -
[   48.600000] procd: - ubus -
[   49.608000] procd: - init -
[   51.140000] NET: Registered protocol family 10
[   51.148000] NET: Registered protocol family 8
[   51.152000] NET: Registered protocol family 20
[   51.164000] PPP generic driver version 2.4.2
[   51.176000] ip6_tables: (C) 2000-2006 Netfilter Core Team
[   51.200000] IFX MEI Version 5.00.00
[   51.208000] Infineon CPE API Driver version: DSL CPE API V3.24.4.4
[   51.224000] Loading modules backported from Linux version master-2015-03-09-0-g141f155
[   51.232000] Backport generated by backports.git backports-20150129-0-gdd4a670
[   51.240000] ip_tables: (C) 2000-2006 Netfilter Core Team
[   51.256000] ATM1.0.26    ATM (A1) firmware version 0.16
[   51.260000] ifxmips_atm: ATM init succeed
[   51.268000] Infineon Technologies DEU driver version 2.0.0
[   51.276000] IFX DEU DES initialized (multiblock).
[   51.284000] IFX DEU AES initialized (multiblock).
[   51.288000] IFX DEU ARC4 initialized (multiblock).
[   51.296000] IFX DEU SHA1 initialized.
[   51.296000] IFX DEU MD5 initialized.
[   51.304000] IFX DEU SHA1_HMAC initialized.
[   51.304000] IFX DEU MD5_HMAC initialized.
[   51.320000] nf_conntrack version 0.5.0 (945 buckets, 3780 max)
[   51.376000] NET: Registered protocol family 24
[   51.404000] xt_time: kernel timezone is -0000
[   51.564000] cfg80211: Calling CRDA to update world regulatory domain
[   51.584000] cfg80211: World regulatory domain updated:
[   51.584000] cfg80211:  DFS Master region: unset
[   51.592000] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[   51.600000] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[   51.608000] cfg80211:   (2457000 KHz - 2482000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[   51.616000] cfg80211:   (2474000 KHz - 2494000 KHz @ 20000 KHz), (N/A, 2000 mBm), (N/A)
[   51.624000] cfg80211:   (5170000 KHz - 5250000 KHz @ 80000 KHz), (N/A, 2000 mBm), (N/A)
[   51.632000] cfg80211:   (5250000 KHz - 5330000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 2000 mBm), (0 s)
[   51.640000] cfg80211:   (5490000 KHz - 5730000 KHz @ 160000 KHz), (N/A, 2000 mBm), (0 s)
[   51.648000] cfg80211:   (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 2000 mBm), (N/A)
[   51.656000] cfg80211:   (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 0 mBm), (N/A)
[   51.868000] PCI: Enabling device 0000:00:0e.0 (0000 -> 0002)
[   51.880000] ath: EEPROM regdomain: 0x0
[   51.880000] ath: EEPROM indicates default country code should be used
[   51.880000] ath: doing EEPROM country->regdmn map search
[   51.880000] ath: country maps to regdmn code: 0x3a
[   51.880000] ath: Country alpha2 being used: US
[   51.880000] ath: Regpair used: 0x3a
[   51.896000] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
[   51.900000] ieee80211 phy0: Atheros AR9280 Rev:2 mem=0xb8000000, irq=30
[   51.908000] cfg80211: Calling CRDA for country: US
[   51.916000] cfg80211: Regulatory domain changed to country: US
[   51.920000] cfg80211:  DFS Master region: FCC
[   51.924000] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[   51.932000] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 3000 mBm), (N/A)
[   51.940000] cfg80211:   (5170000 KHz - 5250000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 1700 mBm), (N/A)
[   51.952000] cfg80211:   (5250000 KHz - 5330000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 2300 mBm), (0 s)
[   51.960000] cfg80211:   (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 3000 mBm), (N/A)
[   51.968000] cfg80211:   (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 4000 mBm), (N/A)
[   72.892000] device eth0.1 entered promiscuous mode
[   72.896000] device eth0 entered promiscuous mode
[   72.908000] br-lan: port 1(eth0.1) entered forwarding state
[   72.912000] br-lan: port 1(eth0.1) entered forwarding state
[   74.916000] br-lan: port 1(eth0.1) entered forwarding state
[   86.884000] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[   86.924000] device wlan0 entered promiscuous mode
[   86.972000] br-lan: port 2(wlan0) entered forwarding state
[   86.976000] br-lan: port 2(wlan0) entered forwarding state
[   86.984000] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[   88.980000] br-lan: port 2(wlan0) entered forwarding state

How do we know which part goes where?

Post #4
Antek
29 Sep 2017, 08:46

Looking at a few samples of the stock firmware's bootlog (https://wiki.openwrt.org/toh/netgear/dgn3500b/stockboot), and comparing it to the bootlog that you provided, it seems that the bootloader does not supply the 'mtdparts' parameter. This means that the partitions on the flash memory are either auto-detected or specified in a device tree file.

Anyhow, the number of partitions in the stock firmware's bootlog (10) does not match the number of distinct sections that I identified in the original firmware file. There might be more sections in the firmware file that I simply missed, though. You can take a hex editor and review the file. Perhaps you have more luck?

It seems a bit too error-prone to write blindly into the flash memory since there doesn't seem to be a clear pattern between the snippets in the original firmware file and the regions of the flash memory in the stock firmware's bootlog. We might be missing out some crucial data that needs to be in a specific location of the flash memory in order for the original firmware to operate correctly. The result might be a complete brick where it is impossible to use even the recovery page that you mentioned in your first post.

I can't help you beyond this point. Hopefully someone else who knows this router in more detail can help you forward with the data we have so far.

Post #5
sherover
30 Sep 2017, 08:24

Thanks for your answer. I'm afraid I am not good with the hex editors!
I never thought that it would be this tricky to go back to the stock firmware. I have used dd-wrt before(other routers) and reverting to stock firmware has been easy.
I think I have to leave it as it is if no one has an idea what to do sad.

The discussion might have continued from here.