OpenWrt Forum Archive

Topic: I've Bricked My Netgear DG834G v3 - Please Help.

The content of this topic has been archived on 15 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Good Day All.

I am hoping someone here more wise then me can help me unbrick my Netgear DG834G v3 Router.

Here are some details I have pulled from the router before I bricked it.

--------------------------------------------------------------------------------------------

Make: Netgear
Model: DG843G v3
Firmware: v4.01.40

--------------------------------------------------------------------------------------------

BusyBox v0.61.pre (2008.06.11-10:37+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cat /proc/version
Linux version 2.4.17_mvl21-malta-mips_fp_le (root@Build_Server) (gcc version 2.95.3 20010315 (release/MontaVista)) #2 Mon Jun 25 15:11:54 CST 2007

# cat /proc/cpuinfo
processor               : 0
cpu model               : MIPS 4KEc V4.8
BogoMIPS                : 211.35
wait instruction        : no
microsecond timers      : yes
extra interrupt vector  : yes
hardware watchpoint     : yes
VCED exceptions         : not available
VCEI exceptions         : not available


# cat /proc/meminfo
        total:    used:    free:  shared: buffers:  cached:
Mem:  14680064 14270464   409600        0  1097728  5152768
Swap:        0        0        0
MemTotal:        14336 kB
MemFree:           400 kB
MemShared:           0 kB
Buffers:          1072 kB
Cached:           5032 kB
SwapCached:          0 kB
Active:           3388 kB
Inactive:         4288 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:        14336 kB
LowFree:           400 kB
SwapTotal:           0 kB
SwapFree:            0 kB

--------------------------------------------------------------------------------------------

mtd0.bin 3136 kb - MD5: 0a28fdd0c7daf1b9d5e2f08ec1f5b5aa
mtd1.bin  704 kb - MD5: d915619057b3f9e0729d6a9762fd53b8
mtd2.bin  128 kb - MD5: 999ce96c3393b7eaf7b3e6367bea882b
mtd3.bin   64 kb - MD5: 06907252db7d7b952676df909b9daf7d
mtd4.bin   64 kb - MD5: acef71faa8e211656ceb857fd43df344

--------------------------------------------------------------------------------------------

The new firmware I was trying to load failed so I tried the Netgear Recovery Program.

I pressed and held the reset button wile pluging in the power to the router, then you get the two flashing led's on the front, I then ran the Netgear Recovery Program, it found the router, and started to run, then the program bluescreened and the computer restarted.

Now I can't get the router into Recovery mode.

So I built a Serial Interface so I can connect the router to my computer, and see what is going on.

Heres what I get when the router is powered up.

--------------------------------------------------------------------------------------------
ADAM2 Revision 0.22.02
(C) Copyright 1996-2003 Texas Instruments Inc. All Rights Reserved.
(C) Copyright 2003 Telogy Networks, Inc.
memsize == 0x01000000Usage: setmfreq [-d] [-s sys_freq, in MHz] [cpu_freq, in MHz]
maca                  xx:xx:xx:xx:xx:xx
macb                  xx:xx:xx:xx:xx:xx
memsize               0x01000000
flashsize             0x00400000
modetty0              115200,n,8,1,hw
modetty1              115200,n,8,1,hw
bootserport           tty0
cpufrequency          211968000
sysfrequency          105984000
bootloaderVersion     0.22.02
ProductID             DG834
HWRevision            Unknown
SerialNumber          none
my_ipaddress          192.168.0.1
prompt                DG834
firstfreeaddress      0x9401bd20
req_fullrate_freq     125000000
mtd0                  0x900d0000,0x903e0000
mtd1                  0x90020000,0x900d0000
mtd2                  0x90000000,0x90020000
mtd3                  0x903e0000,0x903f0000
mtd4                  0x903f0000,0x90400000
oam_lb_timeout        100
DSL_FEATURE_CNTL_1    0x00000020
mtd5                  0x90020000,0x903e0000

DG834 > addr=90020000
File for wrong Endian!
gocommand even2
Download.
Copying download from b0017000 to b4020000

CAUSE    = 0x30808028  Reserved Instruction
STATUS   = 0x00400002      EPC      = 0xb4020000
BADVADDR = 0xbfc00000      ERROREPC = 0x90000000

$ 0(zr):0x00000000  $ 8(t0):0x94010b0c  $16(s0):0x00000001  $24(t8):0x00000000
$ 1(at):0x00000001  $ 9(t1):0x00000020  $17(s1):0x00000001  $25(t9):0x00000000
$ 2(v0):0xffffffff  $10(t2):0x94010ad4  $18(s2):0x94010cb4  $26(k0):0x00000000
$ 3(v1):0xffffffff  $11(t3):0x00000010  $19(s3):0xb03f070b  $27(k1):0x00000000
$ 4(a0):0x00000001  $12(t4):0x00000078  $20(s4):0x9000889c  $28(gp):0x94008d70
$ 5(a1):0x90005bd0  $13(t5):0x94010b0c  $21(s5):0x00000000  $29(sp):0x94010c4c
$ 6(a2):0x00006000  $14(t6):0x00000000  $22(s6):0x00000000  $30(s8):0x01000000
$ 7(a3):0xfffffff9  $15(t7):0x00000061  $23(s7):0x00000000  $31(ra):0x9000235c
--------------------------------------------------------------------------------------------

This happens in a endless loop.

I guess I am going to have to built a new interface cable to use with the JTAG port so that I can reprogram my router.

Can anyone please confirm the JTAG Pin Data on my DG834G v3.
-----------------------------
(2)(4)(6)(8)(10)(12)(14)
[1](3)(5)(7)(9)(11)(13)
-----------------------------
JTAG Pin1: nTRST
JTAG Pin2: GND
JTAG Pin3: TDI
JTAG Pin4: GND
JTAG Pin5: TDO
JTAG Pin6: GND
JTAG Pin7: TMS
JTAG Pin8: GND
JTAG Pin9: TCK
JTAG Pin10: GND
JTAG Pin11: nSRST
JTAG Pin12: N/A
JTAG Pin13: N/A
JTAG Pin14: VCC

Can someone please advice me how and if I can unbrick my router.

Thanks for your time.

Hello Professor,

You'll need to build the following cable: http://ciclamab.altervista.org/JTAG_Circ.htm and use Ciclamab suite http://ciclamab.altervista.org/ to flash the bootloader into the box.

If I understood you correctly you tried to load OpenWRT into this box? It's going to be dead end if you keep ADAM2 bootloader - OpenWRT willl boot but the ethernet interface will not work. So far I discovered the only way of having working copy of OpenWRT on this box is by substituting ADAM2 with PSPBoot.

https://dev.openwrt.org/ticket/3782
https://dev.openwrt.org/ticket/3124

Download http://mcmcc.bat.ru/dlinkt/acorp-russia … .4.0.4.rar and flash it into 0x90000000,0x90010000. Then you can continue by using ftp interface of PSPBoot.

I ended up making two JTAG cables.

Xilinx
http://ciclamab.altervista.org/Interfaces/JTag-Xilinx.gif

"Very Poor Man" Wiggler
http://ciclamab.altervista.org/Interfaces/JTag-Wiggler.gif

When using the Xilinx cable both "HairyDairyMaid Debrick Utility v4.8" and "EJTAG Debrick Utility v2.1.4" can now detect my router, but after Probing Flash for a few min's it comes back with "Unknow or No Flash Chip Detected".

I have also download yet another program this one is called "CICLaMaB" this will detect my router with the Xilinx or "Very Poor Man" Wiggler cable.
But each time I try and backup any data using it after a few sec's of it running it will just crash on me.

I only have one laptop with a Printer port, and that is a old Sony Vaio running Windows XP SP3, as the program was crashing I even formated the hard drive and reinstalled windows xp just encase it was a problem with the OS.

I guess my next step should be to find another computer or laptop with a printer port and try again.

Unless there is any other programs I can try.

Thanks for your time.

With your Xilinx cable you can try to specify the flash type manually, it is MX29LV320B 2Mx16 BotB (4MB) [/fc:29]

Here is some details from a few of the main chips in my router.

-----------------
Infineon
PSB7200ZDW
7CA087W
-----------------
SPANSION
S29GL032A90TFIR4
735RBP64 MM
(C)04 SPANSION
-----------------
EtronTech
EM639165TS-6G
L238129ADJ42621ZM
-----------------

Am I right in saying that the "Spansion S29GL032A90TFIR4" is my flash chip?

Yes, that's correct.

But is looks like you have DG934G - a modified DG834G for Sky community.

(Last edited by nas on 20 Jan 2009, 09:16)

The router was supplied by AOL.

I have just looked at the list of flash chips in the programs and the closest match I could find was.

/fc:74 S29GL032M BotB
/fc:75 S29GL032M TopB

As my flash chip is S29GL032A and the one in the program is S29GL032M are thease compatible, and if so how can I tell if it's BotB or TopB?

Thanks again for your time.

Well, I might be wrong but the difference between BotB and TopB is the start and the end of flash. The TopB starts from 0 and goes till 31, and BotB starts at 1 and goes to 32. This is where my knowledge ends, as I don't know when you need to choose one over another, but you can try to save flash using both of them (trials and errors path).

P.S. In order to ressurect the router the only partition you need to recover is bootloader. Simply recover the mtd2 (0x90000000,0x90020000) parition and after that you must be able to use Netgear Recovery Utility.

I am running a backup as I type "tjtagv2.exe -backup:cfe /fc:74" most of the data is just zero's, I will also run the same command with /fc:75, and compair the start and end address, file size, and MD5.

As I already have backup's of the mtd's, is it just a case of renaming the need mtd and using the program to reprogram that block of the router.

mtd0.bin 3136 kb - MD5: 0a28fdd0c7daf1b9d5e2f08ec1f5b5aa
mtd1.bin  704 kb - MD5: d915619057b3f9e0729d6a9762fd53b8
mtd2.bin  128 kb - MD5: 999ce96c3393b7eaf7b3e6367bea882b
mtd3.bin   64 kb - MD5: 06907252db7d7b952676df909b9daf7d
mtd4.bin   64 kb - MD5: acef71faa8e211656ceb857fd43df344

you say that mtd2 is the bootloader, in the program what would that be called, cfe, nvram, kernel, custom, bsp, wholeflash?

The mtd0 and mtd1 could be zeroed by Netgear Recovery Utility, but as you see a lot of zeros inside mtd2 partition (particulary the first 64k of it) then something is not working right.

The tjtagv2.exe -backup:cfe /fc:74 command might not work well, because CFE bootloader usually occupies the 64k of flash, while ADAM2 on this unit is 128k.

So it might be better to use the following commands:
tjtagv2.exe -backup:custom /start:0x90000000 /length:0x00020000 /window:0x90000000 /fc:74 /f:mtd2-74
tjtagv2.exe -backup:custom /start:0x90000000 /length:0x00020000 /window:0x90000000 /fc:75 /f:mtd2-75

I have just run your custom command line.

mtd2-74.bin - 128KB (131,072bytes) - MD5: 940F6167298FE4866491C1490AC5B034.
mtd2-75.bin - 128KB (131,072bytes) - MD5: B1E1969D43EFE171ADB3CACACAB42DF5.

With your command there was alot more data upto around the half way mark then there was alot of zero's and f's.

When I was talking about my flash chip I forgot to add that when I was "CICLaMaB" and told it to probe my router it comes up with the following.

JTag info - Port: "LPT1:", Interface: "Xilinx"
CPU Chip:
- ID 00000000000000000001000000001111 (0x0000100F)
- Instruction Length set to 5
- TI AR7WRD TNETD7300GDU Rev 1 CPU
EJTAG
- IMPCODE: 0x41404000
- Version: 2.6
Issuing Processor / Peripheral Reset... Done!
Halting processor... Done!
Clearing watchdog... Done!
Probing "Flash" at (Flash Window: 0x90000000)... Done!
- Vendor ID: 00000000000000000000000000000001 (0x00000001)
- Device ID: 00000000000000000010001000000000 (0x00002200)
- AMD 29lv320MB 2Mx16 BotB (4MB)
- Window Start/Length         : 0x90000000 / 0x00400000
- BootLoader Area Start/Length: 0x90000000 / 0x00010000
- MTD3 Area Start/Length      : 0x901f0000 / 0x00010000
- MTD0/1 Area Start/Length    : 0x90010000 / 0x003f0000

Good, that means your JTAG is working.

I would suggest you to backup another two partitions mtd3 (0x903e0000,0x903f0000) and mtd4 (0x903f0000,0x90400000) before going further.

I don't know which flash type worked for you, so here is examples for both.

tjtagv2.exe -backup:custom /start:0x903e0000 /length:0x00010000 /window:0x90000000 /fc:74 /f:mtd3-74
tjtagv2.exe -backup:custom /start:0x903e0000 /length:0x00010000 /window:0x90000000 /fc:75 /f:mtd3-75

tjtagv2.exe -backup:custom /start:0x903f0000 /length:0x00010000 /window:0x90000000 /fc:74 /f:mtd4-74
tjtagv2.exe -backup:custom /start:0x903f0000 /length:0x00010000 /window:0x90000000 /fc:75 /f:mtd4-75

And then you can flash the copy of your bootloader back to the unit, you will need to flash the whole 128k because the recovery instructions are located somewhere between 0x90010000 and 0x90020000.

tjtagv2.exe -flash:custom /start:0x90000000 /length:0x00020000 /window:0x90000000 /fc:74 /f:mtd2-74.bin
tjtagv2.exe -flash:custom /start:0x90000000 /length:0x00020000 /window:0x90000000 /fc:75 /f:mtd2-75.bin

P.S. There no sense to give the md5 sum of any partition on this unit, the only hash that makes a sense must be computed over first 64k of mtd2 partition (0x90000000,0x90010000). The problem with computing hash for the whole mtd2 partition (0x90000000,0x90020000) is that something constantly changing bytes there and will not get stable result. So here is mine hash for 0x90000000,0x90010000: 561933ff0782ee624ab7831aa6799044

Assuming that Ciclamab detects the flash as 29lv320MB type (which is 29) you can use debrick-mod.exe to back things up:

debrick-mod.exe -backup:custom /start:0x90000000 /length:0x00020000 /window:0x90000000 /f:mtd2
debrick-mod.exe -backup:custom /start:0x903e0000 /length:0x00010000 /window:0x90000000 /f:mtd3
debrick-mod.exe -backup:custom /start:0x903f0000 /length:0x00010000 /window:0x90000000 /f:mtd4

And then flash the bootloader:

debrick-mod.exe -flash:custom /start:0x90000000 /length:0x00020000 /window:0x90000000 /f:mtd2.bin

P.S. Remember you need to flash the data you saved before using Netgear Recovery Utility.

(Last edited by nas on 20 Jan 2009, 12:34)

I have to add /xilinx to the end of the command for it to work.

I have made the extra backups. and moved them into a new folder.

I then copy the backup copy of mtd2.bin before the router messed up into the same folder as debrick-mod.exe

I then run "debrick-mod.exe -flash:custom /start:0x90000000 /length:0x00020000 /window:0x90000000 /f:mtd2.bin /xilinx"

The process keeps on stopping, it starts programing the blocks, and can get as far as 2% or it might only do a few blocks then just sits there.

I have waited upto 10 min's just to see if it will carry on, but it just sit's there.

Does it matter how I have the printer port setup, Normal, SPP, ECP, EPP, Ect?

I haven't had any successful expirience with Xilinx type cables, so I can't tell you what it might be because of.

But if you try it with tjtag?

tjtagv2.exe -flash:custom /start:0x90000000 /length:0x00020000 /window:0x90000000 /fc:74 /f:mtd2-74.bin

It does matter how the printer port is configured, but as you're able to detect CPU and flash it looks like not an issue to me.

(Last edited by nas on 20 Jan 2009, 14:21)

nas: Thanks for all your help.

It now looks like I have unbricked my router.

I remade the "Xilinx" cable with more grounds, and made a little batch file.

"nas-reflash.bat"

@ECHO OFF
cls
debrick-mod.exe -flash:custom /start:0x90000000 /length:0x00020000 /window:0x90000000 /f:mtd2.bin /xilinx
debrick-mod.exe -flash:custom /start:0x903e0000 /length:0x00010000 /window:0x90000000 /f:mtd3.bin /xilinx
debrick-mod.exe -flash:custom /start:0x903f0000 /length:0x00010000 /window:0x90000000 /f:mtd4.bin /xilinx

I put all my backups mtd's into the same folder as "debrick-mod.exe".
I ran the "nas-reflash.bat" and ran fine no halting, errors, ect.
Once it was finished I powered down the router and held the reset button wile connecting the power, ran the Netgear Recovery Utility in windows xp not vista this time, once again no problems.
Disconnected the power and powered up the router again, network came back to life, and I can now get into the router via the web interface.

I have yet to set it all backup to make sure eveything is working ok, but I will report back as soon as I know.

Thanks again for your time and help with debricking my router.

I owe you a beer or two.

You are welcome and congratulations!

But didn't you want to put OpenWRT into this box?

P.S. Be forewarned that wireless most likely will not work.

Well I am back online using my bricked / debricked router.

Eveything seems to be working fine atm, all the lan ports, and wifi is also working.

Yes I did indeed want to install OpenWRT on this router, but I am just glad to have my internet back again, it was a royal pain in the back side to keep going round a mates house to use there internet when I needed to reply or read a post.

With nearby JTAG and experience you gained, you'll be able to be up and running in 40 minutes next time.

In any case, as I said if plan to install OpenWRT into this this box note that most likely the wireless card will not work, and you will need to replace bootloader to PSPBoot.

nas wrote:

Hello Professor,

You'll need to build the following cable: http://ciclamab.altervista.org/JTAG_Circ.htm and use Ciclamab suite http://ciclamab.altervista.org/ to flash the bootloader into the box.

If I understood you correctly you tried to load OpenWRT into this box? It's going to be dead end if you keep ADAM2 bootloader - OpenWRT willl boot but the ethernet interface will not work. So far I discovered the only way of having working copy of OpenWRT on this box is by substituting ADAM2 with PSPBoot.

https://dev.openwrt.org/ticket/3782
https://dev.openwrt.org/ticket/3124

http://mcmcc.bat.ru/dlinkt/acorp-russia … arDownload http://mcmcc.bat.ru/dlinkt/acorp-russia … .4.0.4.rar and flash it into 0x90000000,0x90010000. Then you can continue by using ftp interface of PSPBoot.

Would writing pspboot to it over telnet with dd work? (Currently i don't have the stuff to make a cable).

Can someone confirm the md5 for pspboot? (Link doesn't work, i found another with google).
d7f9a9e753c6a50bd65a585e5a465c4a *psp_boot_Acorp_W400G-1.4.0.4.bin

Thanks.

HellFire,

Yup you can flash the new bootloader with dd, but if something goes wrong then you'll need to find the cable stuff.

The file you've found have the same checksum as mine.

Well i've just managed to get my DG834Gv2 working (i have no idea how). I overwrote ADAM2 while connected to it's FTP server, after that it wouldn't boot anymore. Today i added a serial console (pinout on the wiki is wrong, it has Rx & Tx swapped) and it booted. So i'll probably try and put OpenWRT on that too (i've lost the wifi card so there's not really much i can do with it.. except modem/router).

(Last edited by HellFire on 5 May 2009, 12:01)

Well, if it booted ... then yo didn't overwrite your bootloader (ADAM2 in your case).

The DG834V2 is working fine with OpenWRT even with ADAM2.

Now it doesn't boot again (netgear's recovery app hung while it was reflashing)
boot output:

ADAM2 Revision 0.18.01
(C) Copyright 1996-2003 Texas Instruments Inc. All Rights Reserved.
(C) Copyright 2003 Telogy Networks, Inc.
Usage: setmfreq [-d] [-s sys_freq, in MHz] [cpu_freq, in MHz]
Memory optimization Complete!

DGB34 >
CAUSE    = 0x10808010
CAUSE    = 0x10808008
CAUSE    = 0x10808008
CAUSE    = 0x10808008
CAUSE    = 0x10808008
CAUSE    = 0x10808008
CAUSE    = 0x10808008
CAUSE    = 0x10808008
CAUSE    = 0x10808008
CAUSE    = 0x10808008
etc...

The discussion might have continued from here.