Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FS#2009 - Netgear R8000 - Unable to install OpenWRT firmware #8430

Closed
openwrt-bot opened this issue Dec 17, 2018 · 7 comments
Closed

FS#2009 - Netgear R8000 - Unable to install OpenWRT firmware #8430

openwrt-bot opened this issue Dec 17, 2018 · 7 comments
Labels

Comments

@openwrt-bot
Copy link

mjevans:

Netgear R8000 - Unable to install OpenWRT firmware

https://openwrt.org/toh/netgear/r8000#tab__firmware_downloads

A recently purchased from Amazon Netgear R8000 (Nighthawk X6) refuses to accept the OpenWRT firmware file and there are not directions for an alternate installation method.

Full model from the back:

NETGEAR Nighthawk X6
AC3200 Tri-Band WiFiRouter
Model: R8000
FCCID: PY314200264
Made in Vietnam 272-12664-01

@openwrt-bot
Copy link
Author

mjevans:

I was able to enable telnet console with these older instructions:
https://oldwiki.archive.openwrt.org/toh/netgear/telnet.console

BusyBox v1.7.2 (2018-10-09 16:42:16 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

burnboardid

Board ID - U12H315T00_NETGEAR

help

Built-in commands:

    . : [ [[ alias bg break cd chdir command continue echo eval exec
    exit export false fg getopts hash help jobs kill let local pwd
    read readonly return set shift source test times trap true type
    ulimit umask unalias unset wait

nvram show also worked, but lists over 2000 lines of key=value pairs; nearly all of which seems like junk at this point, but the password is probably somewhere in there.

@openwrt-bot
Copy link
Author

mjevans:

I've also tried Netgear's current TFTP flashing instructions:

https://kb.netgear.com/000059634/How-to-upload-firmware-to-a-NETGEAR-router-using-Windows-TFTP

(though from Linux with a standalone system, NetworkManager disabled, and a static assigned address of 192.168.1.3/24 ; I was able to ping the router at the point where their instructions say to remove the paperclip.)

atftp --option "mode octet" --option "timeout 60" --verbose --trace -p -l openwrt-18.06.1-bcm53xx-netgear-r8000-squashfs.chk 192.168.1.1

atftp times out several times and the router continues booting

--

I'm also including Netgear's directions in case they relocate or otherwise update this page again.

To upload firmware using Windows TFTP:

Download and save the router’s firmware onto the desktop of your computer. Make sure to extract the file from the zip folder. The firmware file format is either a .img or .chk file.
Connect a PC wired to the router and set it to have a static IP address (example 192.168.1.10). 
For Mac users, go to Beginner: How To Set Up A Static IP in Mac OS X and proceed to step 5.
    Right-click the Windows start button then select Network Connections.
    Right-click Ethernet and select Properties.
    Double-click Internet Protocol Version 4 (TCP/IPv4).
    Select Use the following IP address and set the IP address information like below:
        IP address => 192.168.1.10
        Subnet mask => 255.255.255.0
        Default Gateway => 192.168.1.1
    Click OK to save the configuration.
Open Command Prompt by typing “cmd” in the Windows search box.
Change the command prompt directory to your desktop. To change directory, type in cd desktop.
Type in the command tftp -i [router IP] put [firmware filename].[file format]. Do NOT press Enter yet.
    Example: tftp -i 192.168.1.1 put R9000-V1.0.4.2.img

Unplug all port connections from router except the PC you are using to upload.
Turn router OFF for 10 seconds.
Hold down the reset button on the back of router with a paper clip.
Power ON the router while holding down the reset button.
Watch the Power LED. It starts with an orange color, and then start flashing.
Count at least 10 flashing power LED and release the reset button.
Press Enter to execute the TFTP command. Wait for a few minutes (be patient, do not reboot the router). When the upload is successful, the Power LED will turn solid. The rest of LED’s on the router will also turn ON indicating that the router has booted up properly.

Note: Please remember to change your PC back to “Obtain an IP address automatically” and “Obtain DNS server address automatically”.

@openwrt-bot
Copy link
Author

mjevans:

Could this really be as simple as getting back in to the telnet connection mode and updating...

board_id=U12H315T00_NETGEAR

to

board_id=U12H315T00_NETGEARHDR0

saving the nvram

Rebooting

Trying to flash the image from the web interface?

Alternately, are there instructions for flashing a .chk file from said telnet interface on the factory firmware (I can arrange some way of getting the firmware in to ram)? Or should the .chk file/sources be broken apart and manually flashed in some other way?

Finally, would this tool likely work for delivering the firmware I'd prefer to have on the router?

https://github.com/jclehner/nmrpflash

@openwrt-bot
Copy link
Author

mjevans:

My attempt at getting it to take a TFTP image upload the other day did succeed in performing a 'factory reset' on the config.

I made a complete backup of the flash partitions, MTD table, and some other stuff to a USB drive by:

  • answering setup questions and set an admin password (again)
  • send a telnet2 (udp) magic enable packet with mac (printed on bottom of router) allcaps, no :s, + admin + pw
  • sign in and use the command line to grab stuff.

The upgrade system webpage files are under /www/ (UPG*.htm) however they direct to a couple different .cgi files that don't actually exist in the filesystem. Grepping all the files of that magic string directed me to the /usr/sbin/httpd file, a 1628500 byte binary that seems to include the actual CGI bin files within it's self. That's probably where figuring out why it rejects openwrt firmware should focus.

cat /proc/mtd
dev: size erasesize name
mtd0: 00080000 00020000 "boot"
mtd1: 00180000 00020000 "nvram"
mtd2: 0240000 00020000 "linux"
mtd3: 0220b2e4 00020000 "rootfs"
mtd4: 00080000 00020000 "board_data"
mtd5: 00100000 00020000 "POT1"
mtd6: 00100000 00020000 "POT2"
mtd7: 002c0000 00020000 "T_Meter1"
mtd8: 002c0000 00020000 "T_Meter2"
mtd9: 00080000 00020000 "ML1"
mtd10: 00080000 00020000 "ML2"
mtd11: 00080000 00020000 "ML3"
mtd12: 00080000 00020000 "ML4"
mtd13: 00080000 00020000 "ML5"
mtd14: 00080000 00020000 "ML6"
mtd15: 00080000 00020000 "ML7"
mtd16: 00080000 00020000 "QoSRule"
mtd17: 04900000 00020000 "brcmnand"
mtd18: 00500000 00020000 "OpenVPN"

My first guess is to just take the headder off of the chk image and put the result inside of: mtd2 "linux"

However looking at the actual upgrade process for when OpenWRT is in use... it seems to expect a completely different set of mtd partition names, it also wants a number of binaries that don't exist as those names in the factory firmware. (E.G. mtd otrx osafeloader oseama dd) Even dd is missing (I chose to use cat to redirect the MTD sections).

https://github.com/openwrt/openwrt/blob/a07730472c49c1f7bb56afa3eb8be23e6e87b4f1/target/linux/bcm53xx/base-files/lib/upgrade/platform.sh

--

At this point I see four potential choices:

  1. Attempt the upgrade with https://github.com/jclehner/nmrpflash
  2. Try to locate a Netgear tool similar to the above and use it from a Windows device
  3. Try reset-button TFTP dance again (I don't expect this to work)
  4. Return the device to Amazon and pick a different router...

@openwrt-bot
Copy link
Author

mjevans:

I got this working my modifying mkchkimg.patch and running it manually with the extracted TRX file (starts with the HDR0 bytes, and offset specified in the header_len field).

I've attached a patch to the mkchkimg program.

I spent an evening trying to figure out why OpenWRT's files weren't being accepted by the r8000 that was recently purchased.
After a few dead-leads and growing frustrated that the update parts of the process live within the non-free sections of Netgear's release, I realized I had to answer two questions before moving forward.

  1. how does openwrt build chk files? (answer: mkchkimg.c)
  2. how is that differed from stock firmware?

This router has a LOT of releases now, around 20 of them. Patterns become more obvious with more data.

What is previously known only as a 'reserved' section with magic numbers is now far more obvious as a set of build numbers. Literally the actual numbers in the filename that I'm dumping. I'm hoping that by setting most of those numbers to higher values, I can make the router realize that this upgrade superceeds the stock firmware.

$ hexdump -Cn64 openwrt-18.06.1-bcm53xx-netgear-r8000-squashfs__999999.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 09 63 63 63 63 63 |*#$^...:...ccccc|
00000010 38 f9 8d 81 00 00 00 00 00 74 00 00 00 00 00 00 |8........t......|
00000020 38 f9 8d 81 5d 27 0c a7 55 31 32 48 33 31 35 54 |8...]'..U12H315T|
00000030 30 30 5f 4e 45 54 47 45 41 52 48 44 52 30 00 00 |00_NETGEARHDR0..|

$ hexdump -Cn80 openwrt-18.06.1-bcm53xx-netgear-r8000-squashfs.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 01 63 00 00 00 00 |*#$^...:...c....|
00000010 38 f9 8d 81 00 00 00 00 00 74 00 00 00 00 00 00 |8........t......|
00000020 38 f9 8d 81 16 d1 0b 13 55 31 32 48 33 31 35 54 |8.......U12H315T|
00000030 30 30 5f 4e 45 54 47 45 41 52 48 44 52 30 00 00 |00_NETGEARHDR0..|
00000040 74 00 13 4e 29 ef 00 00 01 00 1c 00 00 00 00 00 |t..N)...........|
00000050

v4 magic = '*#$^'
v4 header_len = 0x3a
v1 region = 0x1
v1 major = 1
v1 minor = 1
v1 build = 99
v1 subb = 0
v1 major2 = 0
v1 minor2 = 0
v1 build2 = 0
v4 sumkernel = 0x[38 f9 8d 81]
v4 sumrootfs = 0x0
v4 lenkernel = 0x[00 74 00 00]
v4 lenroot = 0x
v4 sumimg = 0x[38 f9 8d 81]
v4 sumheader =
v0 model = 'U12H315T00_NETGEAR'
...

$ hexdump -Cn80 R8000-V1.0.4.28_10.1.54.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 04 1c 0a 01 36 |*#$^...:.......6|
00000010 07 87 5f 1b 00 00 00 00 01 e3 10 00 00 00 00 00 |...............|
00000020 07 87 5f 1b d7 0c 09 22 55 31 32 48 33 31 35 54 |..
...."U12H315T|
00000030 30 30 5f 4e 45 54 47 45 41 52 48 44 52 30 00 10 |00_NETGEARHDR0..|
00000040 e3 01 bd f8 af d7 00 00 01 00 1c 00 00 00 1c 4d |...............M|
00000050

v4 magic = '*#$^'
v4 header_len = 0x3a
v1 region = 0x1
v1 major = 1
v1 minor = 0
v1 build = 4
v1 subb = 28
v1 major2 = 10
v1 minor2 = 1
v1 build2 = 54
v4 sumkernel = 0x[07 87 5f 1b]
v4 sumrootfs = 0x0
v4 lenkernel = 0x[01 e3 10 00]
v4 lenroot = 0x0
v4 sumimg = 0x[07 87 5f 1b]
v4 sumheader = 0x[d7 0c 09 22] (with zeros here when computed?)
v0 model = 'U12H315T00_NETGEAR'
...

-rw-r--r-- 1 user user 24465466 Jun 11 2014 R8000-V1.0.0.46_1.0.17.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 00 2e 01 00 11 |#$^...:........|
-rw-r--r-- 1 user user 24465466 Jul 3 2014 R8000-V1.0.0.68_1.0.27.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 00 44 01 00 1b |
#$^...:....D...|
-rw-r--r-- 1 user user 24465466 Jul 3 2014 R8000-V1.0.0.74_1.0.31.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 00 4a 01 00 1f |#$^...:....J...|
-rw-r--r-- 1 user user 24465466 Jul 4 2014 R8000-V1.0.0.76_1.0.32.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 00 4c 01 00 20 |
#$^...:....L.. |
-rw-r--r-- 1 user user 2449004 Jul 11 2014 R8000-V1.0.0.90_1.0.39.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 00 5a 01 00 27 |#$^...:....Z..'|
-rw-r--r-- 1 user user 2449004 Jul 24 2014 R8000-V1.0.0.100_1.0.44.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 00 64 01 00 2c |
#$^...:....d..,|
-rw-r--r-- 1 user user 24518714 Jul 29 2014 R8000-V1.0.0.102_1.0.45.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 00 66 01 00 2d |#$^...:....f..-|
-rw-r--r-- 1 user user 24518714 Oct 28 2014 R8000-V1.0.0.110_1.0.70.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 00 6e 01 00 46 |
#$^...:....n..F|
-rw-r--r-- 1 user user 24539194 Nov 13 2014 R8000-V1.0.1.16_1.0.74.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 01 10 01 00 4a |#$^...:.......J|
-rw-r--r-- 1 user user 26370106 Apr 2 2015 R8000-V1.0.2.44_1.0.96.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 02 2c 01 00 60 |
#$^...:....,..`|
-rw-r--r-- 1 user user 26210362 Jun 4 2015 R8000-V1.0.2.46_1.0.97.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 02 2e 01 00 61 |#$^...:.......a|
-rw-r--r-- 1 user user 31223866 Oct 16 2015 R8000-V1.0.3.4_1.1.2.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 03 04 01 01 02 |
#$^...:........|
-rw-r--r-- 1 user user 31223866 Dec 14 2016 R8000-V1.0.3.26_1.1.18.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 03 1a 01 01 12 |#$^...:........|
-rw-r--r-- 1 user user 31240250 Jan 5 2017 R8000-V1.0.3.32_1.1.21.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 03 20 01 01 15 |
#$^...:.... ...|
-rw-r--r-- 1 user user 30208058 Feb 21 2017 R8000-V1.0.3.36_1.1.25.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 03 24 01 01 19 |#$^...:....$...|
-rw-r--r-- 1 user user 30220346 Apr 29 2017 R8000-V1.0.3.46_1.1.32.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 03 2e 01 01 20 |
#$^...:....... |
-rw-r--r-- 1 user user 30224442 Jun 20 2017 R8000-V1.0.3.48_1.1.33.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 03 30 01 01 21 |#$^...:....0..!|
-rw-r--r-- 1 user user 30228538 Aug 4 2017 R8000-V1.0.3.54_1.1.37.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 03 36 01 01 25 |
#$^...:....6..%|
-rw-r--r-- 1 user user 31522874 Sep 18 2017 R8000-V1.0.4.2_1.1.41.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 04 02 01 01 29 |#$^...:.......)|
-rw-r--r-- 1 user user 31522874 Nov 19 2017 R8000-V1.0.4.4_1.1.42.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 04 04 01 01 2a |
#$^...:.......|
-rw-r--r-- 1 user user 31350842 Jan 16 2018 R8000-V1.0.4.12_10.1.46.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 04 0c 0a 01 2e |
#$^...:........|
-rw-r--r-- 1 user user 31653946 May 12 2018 R8000-V1.0.4.18_10.1.49.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 04 12 0a 01 31 |*#$^...:.......1|

01 01 00 00 2e 01 00 11 |#$^...:........|
01 01 00 00 44 01 00 1b |
#$^...:....D...|
01 01 00 00 4a 01 00 1f |#$^...:....J...|
01 01 00 00 4c 01 00 20 |
#$^...:....L.. |
01 01 00 00 5a 01 00 27 |#$^...:....Z..'|
01 01 00 00 64 01 00 2c |
#$^...:....d..,|
01 01 00 00 66 01 00 2d |#$^...:....f..-|
01 01 00 00 6e 01 00 46 |
#$^...:....n..F|
01 01 00 01 10 01 00 4a |#$^...:.......J|
01 01 00 02 2c 01 00 60 |
#$^...:....,..`|
01 01 00 02 2e 01 00 61 |#$^...:.......a|
01 01 00 03 04 01 01 02 |
#$^...:........|
01 01 00 03 1a 01 01 12 |#$^...:........|
01 01 00 03 20 01 01 15 |
#$^...:.... ...|
01 01 00 03 24 01 01 19 |#$^...:....$...|
01 01 00 03 2e 01 01 20 |
#$^...:....... |
01 01 00 03 30 01 01 21 |#$^...:....0..!|
01 01 00 03 36 01 01 25 |
#$^...:....6..%|
01 01 00 04 02 01 01 29 |#$^...:.......)|
01 01 00 04 04 01 01 2a |
#$^...:.......|
01 01 00 04 0c 0a 01 2e |
#$^...:........|
01 01 00 04 12 0a 01 31 |#$^...:.......1|
01 01 00 04 1c 0a 01 36 |
#$^...:.......6|

@openwrt-bot
Copy link
Author

mkresin:

Please follow https://openwrt.org/submitting-patches to submit your patch.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

1 participant