Re: Netgear WNR2000 OpenWRT (Atheros AP81, AR9103 chip, u-boot)

https://forum.openwrt.org/viewtopic.php?id=19951 sorry if its a double repost but the system didnt look like it posted. And if that isn't the locations I can try to find some more documentation.

Re: Netgear WNR2000 OpenWRT (Atheros AP81, AR9103 chip, u-boot)

Allaun wrote:

https://forum.openwrt.org/viewtopic.php?id=19951 sorry if its a double repost but the system didnt look like it posted. And if that isn't the locations I can try to find some more documentation.

IMHO these are the pins of the serial interface. Talked about JTAG above.

I started a separate thread about JTAG on WNR2000 here.

Re: Netgear WNR2000 OpenWRT (Atheros AP81, AR9103 chip, u-boot)

I have a WNR2000 that a client gave me, and I'm willing to potentially brick it with that modified u-boot binary if you want to send it over. I don't have the JTAG info, but it has to be there so I figure it the modified u-boot bricks it I can just toss it in the pile of N routers I have that are waiting for future updates or debrick info.

Re: Netgear WNR2000 OpenWRT (Atheros AP81, AR9103 chip, u-boot)

Does anyone know how to handle (erase/program) the SPI flash from the U-Boot prompt, except by the tftp recovery?
The u-boot of WNR2000 seems to miss the eeprom commands.

Re: Netgear WNR2000 OpenWRT (Atheros AP81, AR9103 chip, u-boot)

Does anyone know how to overwrite the bootloader from the command line?
mtd gives an error for mtd0, but works happily for mtd3:

root@OpenWrt:/tmp# cat /proc/mtd 
dev:    size   erasesize  name
mtd0: 00040000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 00240000 00010000 "rootfs"
mtd3: 00010000 00010000 "user-config"
mtd4: 00120000 00010000 "uImage"
mtd5: 00020000 00010000 "language_table"
mtd6: 00010000 00010000 "rootfs_checksum"
mtd7: 00010000 00010000 "art"
root@OpenWrt:/tmp# mtd -e mtd3 write zeros mtd3
Unlocking mtd3 ...
Erasing mtd3 ...
Writing from zeros to mtd3 ...     
root@OpenWrt:/tmp# mtd -e mtd0 write u-boot.new.bin mtd0
Could not open mtd device: mtd0
Can't open device for writing!

The above with svn trunk r20534.

Re: Netgear WNR2000 OpenWRT (Atheros AP81, AR9103 chip, u-boot)

jal2 wrote:

Does anyone know how to overwrite the bootloader from the command line?
...

This was hard-coded in mach-wnr2000.c. With the patch below I can overwrite mtd0.

diff --git a/target/linux/ar71xx/files/arch/mips/ar71xx/mach-wnr2000.c b/target/linux/ar71
index b0c5470..3dec579 100644
--- a/target/linux/ar71xx/files/arch/mips/ar71xx/mach-wnr2000.c
+++ b/target/linux/ar71xx/files/arch/mips/ar71xx/mach-wnr2000.c
@@ -37,7 +37,6 @@ static struct mtd_partition wnr2000_partitions[] = {
                .name           = "u-boot",
                .offset         = 0,
                .size           = 0x040000,
-               .mask_flags     = MTD_WRITEABLE,
        } , {
                .name           = "u-boot-env",
                .offset         = 0x040000,

Re: Netgear WNR2000 OpenWRT (Atheros AP81, AR9103 chip, u-boot)

Nice jal2, let us know if your modified u-boot works!

Re: Netgear WNR2000 OpenWRT (Atheros AP81, AR9103 chip, u-boot)

Hello, folks! Any update on fixing the bootloader? Thanks.

Re: Netgear WNR2000 OpenWRT (Atheros AP81, AR9103 chip, u-boot)

Just for a referb from TigerDirect, I wanted to use it as wireless repeater (read online that factory firmware had this option).
What no one mentioned is that it will only connect to another WNR2000 and I have a Belkin upstairs :-(
I looked into dd-wrt and of course it's a wnr2000-V1 so that's a no go.

What are the chances of a flashable .img file becoming available in the near future?

Thanks!

60 (edited by path0s 2010-08-08 05:28:12)

Re: Netgear WNR2000 OpenWRT (Atheros AP81, AR9103 chip, u-boot)

Netgear is coming out with v3 of this router very soon. No idea of the differences yet.

**Edit: Would any of the devs have a use for a firmware image in .img format for the wnr2000v3? PM me.

Re: Netgear WNR2000 OpenWRT (Atheros AP81, AR9103 chip, u-boot)

I was given a v1 by a friend, and seeing as I had no need for it, I decided to take the plunge and risk bricking it in the name of science. So far this has been successful - I've built and successfully flashed in a modified version of u-boot that doesn't perform the checksum verification. This was tested by writing zeroes to the "rootfs_checksum" part of the MTD. It's still loading Netgear's stock firmware. Next stop OpenWrt big_smile

-fuhry

Re: Netgear WNR2000 OpenWRT (Atheros AP81, AR9103 chip, u-boot)

This sounds great. Any chance of detailing how you modified u-boot (versions, step by step instructions etc)?

Re: Netgear WNR2000 OpenWRT (Atheros AP81, AR9103 chip, u-boot)

Would love to have this too! Glad to hear there is still hope for this one.

64 (edited by fuhry 2010-09-14 16:42:35)

Re: Netgear WNR2000 OpenWRT (Atheros AP81, AR9103 chip, u-boot)

So, here's the deal with the u-boot modifications:

In order to change kernel parameters, you have to do one of the two following things:

* Edit the u-boot environment
* Edit the default environment in the u-boot configuration files, then intentionally wipe the u-boot environment partition from the NOR.

The first doesn't seem to be supported under the stock firmware - thus, to do this, you need a serial console.
The second doesn't require a serial console, as long as you don't screw it up. If you screw it up, the stock firmware's TFTP restore WILL NOT restore the u-boot environment.

So, either way, right now what you're doing probably means the router will be bricked until you have a serial console. This in mind, here's the patch:

diff -Naur u-boot-1.1.4/common/main.c u-boot-1.1.4-mod/common/main.c
--- u-boot-1.1.4/common/main.c    2008-05-13 01:42:25.000000000 -0400
+++ u-boot-1.1.4-mod/common/main.c    2010-09-04 21:56:10.797970925 -0400
@@ -447,7 +447,8 @@
     #if CFG_NMRP
            StartNmrpClient();
         #endif           
-        
+
+#ifdef CONFIG_ROOTFS_CHECKSUM        
     if ( check_rootfs_checksum() != 0){
 #if FIRMWARE_RECOVER_FROM_TFTP_SERVER
         /*Enter tftp recovery mode when rootfs checksum is not correct*/
@@ -455,6 +456,7 @@
 #endif
         return;
     }
+#endif
 
 # ifdef CONFIG_AUTOBOOT_KEYED
         int prev = disable_ctrlc(1);    /* disable Control C checking */
diff -Naur u-boot-1.1.4/include/configs/ap81.h u-boot-1.1.4-mod/include/configs/ap81.h
--- u-boot-1.1.4/include/configs/ap81.h    2008-05-13 01:42:35.000000000 -0400
+++ u-boot-1.1.4-mod/include/configs/ap81.h    2010-09-14 10:29:07.565673313 -0400
@@ -22,7 +22,7 @@
  */
 #define FIRMWARE_RECOVER_FROM_TFTP_SERVER         1
 #define CFG_NMRP         1
-#define ROOTFS_CHECKSUM           1
+/* #define ROOTFS_CHECKSUM           1 */
 #define RESET_BUTTON             1
 #define CFG_FLASH_BASE            0xbf000000
 #define CFG_FLASH_UBOOT_BASE            0xbf000000
@@ -52,11 +52,11 @@
 
 #undef CONFIG_BOOTARGS
 /* XXX - putting rootfs in last partition results in jffs errors */
-#define    CONFIG_BOOTARGS     "console=ttyS0,115200 root=31:02 rootfstype=jffs2 init=/sbin/init mtdparts=ar7100-nor0:256k(u-boot),64k(u-boot-env),5120k(rootfs),1024k(uImage)"
+#define    CONFIG_BOOTARGS     "console=ttyS0,115200 root=/dev/mtdblock2 noinitrd rootfstype=squashfs,jffs2 init=/etc/preinit mtdparts=ar7100-nor0:256k(u-boot),64k(u-boot-env),2304k(rootfs),64k(user-config),1152k(uImage),128k(language_table),64k(rootfs_checksum),64k(ART) mem=32M"
 
 /* default mtd partition table */
 #undef MTDPARTS_DEFAULT
-#define MTDPARTS_DEFAULT    "mtdparts=ar7100-nor0:256k(u-boot),64k(u-boot-env),5120k(rootfs),1024k(uImage)"
+#define MTDPARTS_DEFAULT    "mtdparts=ar7100-nor0:256k(u-boot),64k(u-boot-env),2304k(rootfs),64k(user-config),1152k(uImage),128k(language_table),64k(rootfs_checksum),64k(ART)"
 
 #undef CFG_PLL_FREQ
 #define CFG_PLL_FREQ    CFG_PLL_400_400_100
@@ -125,7 +125,7 @@
 #define CFG_ENV_ADDR        0xbf040000
 #define CFG_ENV_SIZE        0x10000
 
-#define CONFIG_BOOTCOMMAND "bootm 0xbf550000"
+#define CONFIG_BOOTCOMMAND "bootm 0xbf2a0000"
 //#define CONFIG_FLASH_16BIT
 
 #define CONFIG_NR_DRAM_BANKS    2

My RS232 converter came in last night. I've hacked on the router a bit. Currently there are problems with the kernel finding the MTD and loading partitions from it.

EDIT: Fixed it, booting with "board=WNR2000" really does do the trick. It has booted! Now I need to repartition the flash so that I have some free space...

-fuhry

65 (edited by fuhry 2010-12-27 06:32:01)

Re: Netgear WNR2000 OpenWRT (Atheros AP81, AR9103 chip, u-boot)

I have successfully loaded OpenWRT (svn r22909) on to my WNR2000.

EDIT: I tested how well the kernel held up against the stock firmware's incorrect parameters. In short: it doesn't. I'm going to re-post my images shortly along with a pre-built dump of the u-boot environment that you can flash to. This will include [s]repartitioning[/s] flashing your bootloader's preferences!

What does not work:
  - Wireless. This happens after CRDA sends the list of allowed bands to the card. Makes me wonder if something might be screwing up there. EDIT: nope. It's because I accidentally destroyed my ART partition (sector 63 of the flash). Far as I know this isn't a dual-band chip. Anyway, relevant dmesg output:

ath9k ath9k: failed to initialize device
ath9k: probe of ath9k failed with error -22

- VLANs sad
  - LuCI is not in my config/prebuilt images. Hope you like telnet/ssh wink

What DOES work:
  - Basic functionality. You can log into it, it switches packets, it can probably route stuff.
  - squashfs + jffs2 overlay (make sure lua and uhttpd go into the squashfs. 1 it saves space, and 2 some symbols they need are otherwise stripped)
  - writable root (my patch knocks out the checksum thing in u-boot)

This in mind, here are the approximate steps I followed:

- Build a custom u-boot. Apply the patch above to the sources in Netgear's GPL package, add staging_dir_mips/bin/ to your PATH, make ap81_config and make. The resulting u-boot.bin file can be flashed onto your device. Here's a binary build: http://fuhry.co.cc/b/wnr2000/u-boot.bin
- Install this u-boot image by telnetting into the device running the default firmware (telnetenable). Read other posts in this thread for information on how to do that. I found the easiest way to get the u-boot image to the device was via the "snarf" program Netgear kindly provides to download the image file from my webserver. Just run: snarf http://yourserver/u-boot.bin (if your router has web access you can even use my direct url above). Then install it: mtd -e mtd0 write u-boot.bin mtd0. Be patient, if you're not careful, you will brick your device right here, and the only way to get it back is likely JTAG. Any other part you screw up can be recovered with a serial console, but if you screw up the bootloader you are in trouble.
- Build OpenWrt. My config: http://fuhry.co.cc/b/wnr2000/config (beware there are some things in here you probably don't want like custom IP address defaults and ppp disabled). I'd recommend also editing target/linux/ar71xx/config-* and setting CONFIG_CMDLINE="rootfstype=squashfs console=ttyS0,115200 board=WNR2000 panic=10 init=/etc/preinit rootdelay=2 -- " which *should* eliminate the need to mess around with u-boot's environment (not easy to do under the default firmware unless you have a serial console). Otherwise you'll need to use a serial console to edit U-Boot's environment (which also breaks the ability to flash back to the default firmware). Binary images are at the end of this post.
- Install it. You can flash from the default firmware by snarfing the lzma uImage and root fs, then flashing: mtd -e mtd2 write root.sqfs mtd2 && mtd -e mtd4 write uImage mtd4
- Install OpenWrt's u-boot preferences. I'm waiting until this point, because this will likely break your ability to go back to the default firmware. Using the same format as the above commands but while still booted into the default firmware, flash [s]hxxp://fuhry.co.cc/b/wnr2000/ubootenv.img[/s] (UPDATE: DO NOT USE unless you have serial console access! I didn't realize this environment image was repartitioned! I will post a U-Boot environment file later in this thread that uses the stock partition layout.) into mtd1 using the same format of command as above.
- If you built OpenWRT from source, use the squashfs 4k image. Ensure it's <2304k. Anything left over will go to your jffs2 space.
- Reboot!

I'm not responsible if anything done here bricks your router. These exact images haven't been tested, because I repartitioned my router to maximize the space I got in jffs2. But the general process has been pretty thoroughly tested. If you're interested in hacking the kernel sources and messing with the u-boot environment, my mtdparts are: "mtdparts=ar7100-nor0:256k(u-boot),64k(u-boot-env),2816k(rootfs),896k(uImage),64k(ART)". Please note that repartitioning should NOT be required. You get about an additional 500k of space out of it though.

-fuhry

Re: Netgear WNR2000 OpenWRT (Atheros AP81, AR9103 chip, u-boot)

This is really great, thanks for putting up the details.
I've got a few questions:

1) I assume in your patch in the previous post you are patching against u-boot-1.1.4.tar.gz (0115a53e0e56c247c6eb4f01cc2f4a31) which is in the dl directory of the WNR2000_V1.2.3.7_src.zip archive. The initial part of your patch refers to a define CONFIG_ROOTFS_CHECKSUM, to essentially omit the calling of  check_rootfs_checksum(). I cannot seem to find this define, are you sure it's not meant to be ROOTFS_CHECKSUM ? I think it has accidentally had the same effect since the define name is not defined anywhere in the build process.

2) If the OpenWrt specific kernel parameters can be supplied via CONFIG_CMDLINE, surely the best thing for backwards compatibility is to minimise the modifications u-boot; hence the CONFIG_BOOTARGS section of the u-boot patch perhaps should be omitted, so that the original kernel could be booted if the user so wanted?

Anyway... I'm off to try this soon and I will get back with some feedback. Once again, thanks for the great work!

67 (edited by fuhry 2010-09-17 20:50:55)

Re: Netgear WNR2000 OpenWRT (Atheros AP81, AR9103 chip, u-boot)

1) Correct
2) It's going to be difficult to allow the user to boot the original firmware at all. If you patch u-boot, you'll want to ensure it can handle a corrupted environment and assume it's on the default firmware. Then from OpenWRT you would need to make sure that a re-flashing includes destroying mtd1 and make absolutely sure that the u-boot defaults boot the stock firmware properly.

Additionally, I've corrupted my ART (sector 63), and I would appreciate it if someone could send me a dump of theirs as this partition contains the wireless firmware. It's /dev/mtdblock7 under the default partition layout. Full disclosure, this does contain your WPS PIN, serial number and MAC addresses as well, so don't post it publicly here. I'll modify it so that it has my own information, flash it, then delete what you sent. My e-mail address is <dan at enanocms dot org>.

EDIT: The MAC and WPS pin are stored at offset 0x1000 on the ART partition, if you want to edit them out. Not sure where the serial number goes.
EDIT 2: Someone kindly sent me a dump of their ART. Thanks! My wireless is working again under both the stock firmware and OpenWRT.

-fuhry

Re: Netgear WNR2000 OpenWRT (Atheros AP81, AR9103 chip, u-boot)

Hi guys,

first off, I am a beginner with OpenWRT, and, for that matter, am not 100% sure I need to flash it on my WNR2000v1 for my purposes, even though it is enticing to have this open and developed system on my router.
I have read this thread and gotten the telnet enable part to work, and, since I am pretty familiar with linux, been playing around with the configuration (wlanconfig, udhcpc, brctl, etc). However, I am confused with the "stock" device setup - I would like to achieve something very simple like this:

AccessPoint (non-admin) <----> wireless <----> WNR2000 in client mode <----> wired <----> computer

My Questions are:
1. Do I need OpenWRT for that configuration?
2. Are the images posted by fuhry generic enough to run in this mode?
3. Can I go back to the "stock" firmware should something go wrong (fuhry seems to be capable of, but can a newbie)?
4. Will the OpenWRT wiki be updated at some point to reflect fuhry's advances described here?

Thank you very much for your input. At this point, I am willing to try it out, as other wise the router has not much use...

Cheers,
Blind55

Re: Netgear WNR2000 OpenWRT (Atheros AP81, AR9103 chip, u-boot)

Hi,

I'm read http://wiki.openwrt.org/toh/netgear/wnr2000#info

But, can't understand, where I'm can get "openwrt-ar71xx-uImage-initramfs-lzma.bin" ?

Help !

Re: Netgear WNR2000 OpenWRT (Atheros AP81, AR9103 chip, u-boot)

Blind55 wrote:

AccessPoint (non-admin) <----> wireless <----> WNR2000 in client mode <----> wired <----> computer

My Questions are:
1. Do I need OpenWRT for that configuration?

I'm not sure. The stock firmware supports some range extender thingy. That might be enough for you, or it might not.

Blind55 wrote:

2. Are the images posted by fuhry generic enough to run in this mode?

Probably.

Blind55 wrote:

3. Can I go back to the "stock" firmware should something go wrong (fuhry seems to be capable of, but can a newbie)?

I'd say that without a serial console your chances of successfully going back are slim. However if you are very careful, you can probably do it by saving your u-boot environment before flashing. Use dd to copy down the contents of mtdblock1 - get creative by tricking the webserver into serving out /tmp using mount -o bind, so you can get the backup copied down to your PC. Once OpenWRT is running, to restore, flash back the u-boot environment, reboot the router, and do a TFTP restore. If this doesn't work, you're bricked, grab a serial console. It is pretty straightforward to rescue the thing from anything other than bootloader corruption (mtd0 zeroed) if you have a serial console.

Beware that the platform drivers mark certain MTD partitions as read-only, and I think the U-Boot environment is among them. I'm not sure if my images should have this failsafe check disabled... I would say probably not, in which case you'll probably need to modify your kernel sources in order to flash mtd1 from within OpenWRT.

Blind55 wrote:

4. Will the OpenWRT wiki be updated at some point to reflect fuhry's advances described here?

I feel disinclined to update the wiki until we can figure out a reliable flashing method that doesn't risk bricking routers to the point of needing a serial console to fix it. I'm sure the majority of the OpenWRT community would agree.

Remidalv wrote:

Hi,

I'm read http://wiki.openwrt.org/toh/netgear/wnr2000#info

But, can't understand, where I'm can get "openwrt-ar71xx-uImage-initramfs-lzma.bin" ?

Help !

Build it from source. smile
I have a working config posted above if you want to use it.

-fuhry

Re: Netgear WNR2000 OpenWRT (Atheros AP81, AR9103 chip, u-boot)

Hallo.

Hey fuhry, thanks for ur nice step by step guide. I followed your step with some minor changes (which was maybe the mistake) and now I'm stuck in the tftp recoverymode.
Maybe you could give me a little advice to get out of this mess (will try to solder a rs232 soon, but my solder experience is limited to jtaging my 360) maybe without the need of a serial console.

First here is was I've done.
1. Flashed ur uboot http://fuhry.co.cc/b/wnr2000/u-boot.bin via mtd. I guess that worked out well, otherwise I doubt I would even get a tftp response.
2. I built a openWRT image with the Imagebuilder using the AP81 profile with "board=WNR2000" added to CONFIG_CMDLINE.
3. Flashed rootfs and uImage of my build via mtd.
4. Flashed ur ubootenv.img via mtd.
5. Reboot

What I get:
Green Blinking Powerled
TFTP Response on 192.168.1.1

What works:
Uploading stock firmware. It uploads fine, but I still get green blinking power led. I guess thats because of the openwrt  u-boot preferences.

Not working:
Uploading anything else than an original stock firmware.
For some reason I cannot upload a modified rootfs or uImage(ok, I need both together anyways). Transfer always fails. Is there some check in the tftp server?

So what I'm wondering is.
Taken the case the modifierd u-boot is working and the openwrt uboot env is as well.
Shoudn't it be possible to create an image to the tftp server that works?

Or does the fact, that the tftp server is always loaded ( I do not need to hold reset for 30 secs!) mean, that there is other trouble?

Thanks in advance!

Jarvid

Re: Netgear WNR2000 OpenWRT (Atheros AP81, AR9103 chip, u-boot)

Alike to Jarvid, I do appreciate the time contributed by Fuhry, and the many others who are far more competent at this than myself.... not to mention sharing this info with the masses.
Knowing that I like to play with, and learn about, flashing various routers, a friend of mine passed me this WNR2000 V1 - it's been set at defaults since day one.  With the firmware that came on it, I'd always receive an "error: *filename* -  filesystem read-only" sort of message when I'd try to snarf in anything... rather perplexed I went and updated the wnr2000's firmware to 1.2.3.7(netgear), rather hoping they may have addressed such an "issue?". What's funnier now, though, is that the telnet connect & login will not accept the U/N & Pass(Gearguy Geardog) - with the older firmware(1.2.0.8), and after initial "telnetenable" I could telnet connect without it asking me for any U/N or Pass.
Aside from just thinking it was the firmware, I did try to snarf in files from different locations(fuhry's link, my own Abyss Web Server & file hosting) and no difference.
So, 1. What am I screwing up or missing regarding SNARF-ing, or  2. Should I use a different firmware version than 1.2.3.7; or what's the U/N & pass for 1.2.3.7 telnet connect?
Thanks for your time in reading this at least.

73 (edited by Jarvid 2010-11-29 08:27:12)

Re: Netgear WNR2000 OpenWRT (Atheros AP81, AR9103 chip, u-boot)

Hello mazade,

try snarfing into the /tmp directory. That should work. smile
Telnetenable(on gentoo) did work for me on 1.2.3.7 with the credentials u also used.

Not sure thu if they were needed.

Jarvid

Re: Netgear WNR2000 OpenWRT (Atheros AP81, AR9103 chip, u-boot)

OK... still new to the behaviors of non-WRT systems.  For some reason the telnetenable wasn't going through(even though I tried it many times) and that's why it wasn't accepting any U/N & Pass...
Snarfed things into the /tmp dir, thanks for the dumb-ME pointer Jarvid ^_^,  and the mtd-ing went just fine... but now I seem to find myself in the same position as Jarvid  o.0
Blinking power, normal/on lan light - only getting ping responses, no DHCP, no browser-type page(a babied person I am)
I suppose I'm curious to see what comes down the pipe since it's not an isolated incident now tongue
I hope to not be a burden - I'll be tinkering with things as time goes on.
Thanks for the help so far.  smile

Re: Netgear WNR2000 OpenWRT (Atheros AP81, AR9103 chip, u-boot)

Most importantly, do you have any console access at all?