OpenWrt/LEDE Project

  • Status Unconfirmed
  • Percent Complete
    0%
  • Task Type Bug Report
  • Category Documentation
  • Assigned To No-one
  • Operating System All
  • Severity Critical
  • Priority Very Low
  • Reported Version openwrt-18.06
  • Due in Version Undecided
  • Due Date Undecided
Attached to Project: OpenWrt/LEDE Project
Opened by Michael Evans - 17.12.2018

FS#2009 - Netgear R8000 - Unable to install OpenWRT firmware

https://openwrt.org/toh/netgear/r8000#tab__firmware_downloads

A Netgear R8000 (Nighthawk X6) recently purchased from Amazon refuses to accept the OpenWRT firmware file and there are no directions for an alternate installation method.

Full model from the back:

NETGEAR Nighthawk X6
AC3200 Tri-Band WiFiRouter
Model: R8000
FCCID: PY314200264
Made in Vietnam 272-12664-01

Michael Evans commented on 18.12.2018 00:13

I was able to enable telnet console with these older instructions:
https://oldwiki.archive.openwrt.org/toh/netgear/telnet.console

BusyBox v1.7.2 (2018-10-09 16:42:16 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# burnboardid
Board ID - U12H315T00_NETGEAR
# help

Built-in commands:


      . : [ [[ alias bg break cd chdir command continue echo eval exec
      exit export false fg getopts hash help jobs kill let local pwd
      read readonly return set shift source test times trap true type
      ulimit umask unalias unset wait

#

nvram show also worked, but lists over 2000 lines of key=value pairs; nearly all of which seems like junk at this point, but the password is probably somewhere in there.

Michael Evans commented on 18.12.2018 00:59

I've also tried Netgear's current TFTP flashing instructions:

https://kb.netgear.com/000059634/How-to-upload-firmware-to-a-NETGEAR-router-using-Windows-TFTP

(though from Linux with a standalone system, NetworkManager disabled, and a static assigned address of 192.168.1.3/24 ; I was able to ping the router at the point where their instructions say to remove the paperclip.)

atftp --option "mode octet" --option "timeout 60" --verbose --trace -p -l openwrt-18.06.1-bcm53xx-netgear-r8000-squashfs.chk 192.168.1.1

atftp times out several times and the router continues booting

I'm also including Netgear's directions in case they relocate or otherwise update this page again.

To upload firmware using Windows TFTP:

  Download and save the router’s firmware onto the desktop of your computer. Make sure to extract the file from the zip folder. The firmware file format is either a .img or .chk file.
  Connect a PC wired to the router and set it to have a static IP address (example 192.168.1.10). 
  For Mac users, go to Beginner: How To Set Up A Static IP in Mac OS X and proceed to step 5.
      Right-click the Windows start button then select Network Connections.
      Right-click Ethernet and select Properties.
      Double-click Internet Protocol Version 4 (TCP/IPv4).
      Select Use the following IP address and set the IP address information like below:
          IP address => 192.168.1.10
          Subnet mask => 255.255.255.0
          Default Gateway => 192.168.1.1
      Click OK to save the configuration.
  Open Command Prompt by typing “cmd” in the Windows search box.
  Change the command prompt directory to your desktop. To change directory, type in cd desktop.
  Type in the command tftp -i [router IP] put [firmware filename].[file format]. Do NOT press Enter yet.
      Example: tftp -i 192.168.1.1 put R9000-V1.0.4.2.img
  Unplug all port connections from router except the PC you are using to upload.
  Turn router OFF for 10 seconds.
  Hold down the reset button on the back of router with a paper clip.
  Power ON the router while holding down the reset button.
  Watch the Power LED. It starts with an orange color, and then start flashing.
  Count at least 10 flashing power LED and release the reset button.
  Press Enter to execute the TFTP command. Wait for a few minutes (be patient, do not reboot the router). When the upload is successful, the Power LED will turn solid. The rest of LED’s on the router will also turn ON indicating that the router has booted up properly.
  Note: Please remember to change your PC back to “Obtain an IP address automatically” and “Obtain DNS server address automatically”.

Michael Evans commented on 18.12.2018 02:35

Could this really be as simple as getting back into the telnet connection mode and updating...

board_id=U12H315T00_NETGEAR

to

board_id=U12H315T00_NETGEARHDR0

saving the nvram

Rebooting

Trying to flash the image from the web interface?

Alternately, are there instructions for flashing a .chk file from said telnet interface on the factory firmware (I can arrange some way of getting the firmware into RAM)? Or should the .chk file/sources be broken apart and manually flashed in some other way?

Finally, would this tool likely work for delivering the firmware I'd prefer to have on the router?

https://github.com/jclehner/nmrpflash

Michael Evans commented on 19.12.2018 01:25

My attempt at getting it to take a TFTP image upload the other day did succeed in performing a 'factory reset' on the config.

I made a complete backup of the flash partitions, MTD table, and some other stuff to a USB drive by:

* answering setup questions and set an admin password (again)
* send a telnet2 (udp) magic enable packet with mac (printed on bottom of router) allcaps, no :s, + admin + pw
* sign in and use the command line to grab stuff.

The upgrade system webpage files are under /www/ (UPG*.htm); however, they direct to a couple of different .cgi files that don't actually exist in the filesystem. Grepping all the files for that magic string directed me to the /usr/sbin/httpd file, a 1628500 byte binary that seems to include the actual CGI bin files within itself. That's probably where figuring out why it rejects openwrt firmware should focus.

cat /proc/mtd
dev: size erasesize name
mtd0: 00080000 00020000 "boot"
mtd1: 00180000 00020000 "nvram"
mtd2: 02400000 00020000 "linux"
mtd3: 0220b2e4 00020000 "rootfs"
mtd4: 00080000 00020000 "board_data"
mtd5: 00100000 00020000 "POT1"
mtd6: 00100000 00020000 "POT2"
mtd7: 002c0000 00020000 "T_Meter1"
mtd8: 002c0000 00020000 "T_Meter2"
mtd9: 00080000 00020000 "ML1"
mtd10: 00080000 00020000 "ML2"
mtd11: 00080000 00020000 "ML3"
mtd12: 00080000 00020000 "ML4"
mtd13: 00080000 00020000 "ML5"
mtd14: 00080000 00020000 "ML6"
mtd15: 00080000 00020000 "ML7"
mtd16: 00080000 00020000 "QoSRule"
mtd17: 04900000 00020000 "brcmnand"
mtd18: 00500000 00020000 "OpenVPN"

My first guess is to just take the header off of the chk image and put the result inside of: mtd2 "linux"

However looking at the actual upgrade process for when OpenWRT is in use... it seems to expect a completely different set of mtd partition names, it also wants a number of binaries that don't exist as those names in the factory firmware. (E.G. mtd otrx osafeloader oseama dd) Even dd is missing (I chose to use cat to redirect the MTD sections).

https://github.com/openwrt/openwrt/blob/a07730472c49c1f7bb56afa3eb8be23e6e87b4f1/target/linux/bcm53xx/base-files/lib/upgrade/platform.sh

At this point I see four potential choices:

1) Attempt the upgrade with https://github.com/jclehner/nmrpflash
2) Try to locate a Netgear tool similar to the above and use it from a Windows device
3) Try reset-button TFTP dance again (I don't expect this to work)
4) Return the device to Amazon and pick a different router...

Michael Evans commented on 19.12.2018 21:56

I got this working by modifying mkchkimg.patch and running it manually with the extracted TRX file (starts with the HDR0 bytes, and offset specified in the header_len field).

I've attached a patch to the mkchkimg program.

I spent an evening trying to figure out why OpenWRT's files weren't being accepted by the r8000 that was recently purchased.
After a few dead-leads and growing frustrated that the update parts of the process live within the non-free sections of Netgear's release, I realized I had to answer two questions before moving forward.

1) how does openwrt build chk files? (answer: mkchkimg.c)
2) how does that differ from stock firmware?

This router has a LOT of releases now, around 20 of them. Patterns become more obvious with more data.

What was previously known only as a 'reserved' section with magic numbers is now far more obvious as a set of build numbers. Literally the actual numbers in the filename that I'm dumping. I'm hoping that by setting most of those numbers to higher values, I can make the router realize that this upgrade supersedes the stock firmware.

$ hexdump -Cn64 openwrt-18.06.1-bcm53xx-netgear-r8000-squashfs__999999.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 09 63 63 63 63 63 |*#$^...:...ccccc|
00000010 38 f9 8d 81 00 00 00 00 00 74 00 00 00 00 00 00 |8........t......|
00000020 38 f9 8d 81 5d 27 0c a7 55 31 32 48 33 31 35 54 |8...]'..U12H315T|
00000030 30 30 5f 4e 45 54 47 45 41 52 48 44 52 30 00 00 |00_NETGEARHDR0..|

$ hexdump -Cn80 openwrt-18.06.1-bcm53xx-netgear-r8000-squashfs.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 01 63 00 00 00 00 |*#$^...:...c....|
00000010 38 f9 8d 81 00 00 00 00 00 74 00 00 00 00 00 00 |8........t......|
00000020 38 f9 8d 81 16 d1 0b 13 55 31 32 48 33 31 35 54 |8.......U12H315T|
00000030 30 30 5f 4e 45 54 47 45 41 52 48 44 52 30 00 00 |00_NETGEARHDR0..|
00000040 74 00 13 4e 29 ef 00 00 01 00 1c 00 00 00 00 00 |t..N)...........|
00000050

v4 magic = '*#$^'
v4 header_len = 0x3a
v1 region = 0x1
v1 major = 1
v1 minor = 1
v1 build = 99
v1 subb = 0
v1 major2 = 0
v1 minor2 = 0
v1 build2 = 0
v4 sumkernel = 0x[38 f9 8d 81]
v4 sumrootfs = 0x0
v4 lenkernel = 0x[00 74 00 00]
v4 lenroot = 0x
v4 sumimg = 0x[38 f9 8d 81]
v4 sumheader =
v0 model = 'U12H315T00_NETGEAR'
...

$ hexdump -Cn80 R8000-V1.0.4.28_10.1.54.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 04 1c 0a 01 36 |*#$^...:.......6|
00000010 07 87 5f 1b 00 00 00 00 01 e3 10 00 00 00 00 00 |.._.............|
00000020 07 87 5f 1b d7 0c 09 22 55 31 32 48 33 31 35 54 |.._...."U12H315T|
00000030 30 30 5f 4e 45 54 47 45 41 52 48 44 52 30 00 10 |00_NETGEARHDR0..|
00000040 e3 01 bd f8 af d7 00 00 01 00 1c 00 00 00 1c 4d |...............M|
00000050

v4 magic = '*#$^'
v4 header_len = 0x3a
v1 region = 0x1
v1 major = 1
v1 minor = 0
v1 build = 4
v1 subb = 28
v1 major2 = 10
v1 minor2 = 1
v1 build2 = 54
v4 sumkernel = 0x[07 87 5f 1b]
v4 sumrootfs = 0x0
v4 lenkernel = 0x[01 e3 10 00]
v4 lenroot = 0x0
v4 sumimg = 0x[07 87 5f 1b]
v4 sumheader = 0x[d7 0c 09 22] (with zeros here when computed?)
v0 model = 'U12H315T00_NETGEAR'
...

-rw-r--r-- 1 user user 24465466 Jun 11 2014 R8000-V1.0.0.46_1.0.17.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 00 2e 01 00 11 |*#$^...:........|
-rw-r--r-- 1 user user 24465466 Jul 3 2014 R8000-V1.0.0.68_1.0.27.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 00 44 01 00 1b |*#$^...:....D...|
-rw-r--r-- 1 user user 24465466 Jul 3 2014 R8000-V1.0.0.74_1.0.31.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 00 4a 01 00 1f |*#$^...:....J...|
-rw-r--r-- 1 user user 24465466 Jul 4 2014 R8000-V1.0.0.76_1.0.32.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 00 4c 01 00 20 |*#$^...:....L.. |
-rw-r--r-- 1 user user 24490042 Jul 11 2014 R8000-V1.0.0.90_1.0.39.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 00 5a 01 00 27 |*#$^...:....Z..'|
-rw-r--r-- 1 user user 24490042 Jul 24 2014 R8000-V1.0.0.100_1.0.44.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 00 64 01 00 2c |*#$^...:....d..,|
-rw-r--r-- 1 user user 24518714 Jul 29 2014 R8000-V1.0.0.102_1.0.45.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 00 66 01 00 2d |*#$^...:....f..-|
-rw-r--r-- 1 user user 24518714 Oct 28 2014 R8000-V1.0.0.110_1.0.70.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 00 6e 01 00 46 |*#$^...:....n..F|
-rw-r--r-- 1 user user 24539194 Nov 13 2014 R8000-V1.0.1.16_1.0.74.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 01 10 01 00 4a |*#$^...:.......J|
-rw-r--r-- 1 user user 26370106 Apr 2 2015 R8000-V1.0.2.44_1.0.96.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 02 2c 01 00 60 |*#$^...:....,..`|
-rw-r--r-- 1 user user 26210362 Jun 4 2015 R8000-V1.0.2.46_1.0.97.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 02 2e 01 00 61 |*#$^...:.......a|
-rw-r--r-- 1 user user 31223866 Oct 16 2015 R8000-V1.0.3.4_1.1.2.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 03 04 01 01 02 |*#$^...:........|
-rw-r--r-- 1 user user 31223866 Dec 14 2016 R8000-V1.0.3.26_1.1.18.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 03 1a 01 01 12 |*#$^...:........|
-rw-r--r-- 1 user user 31240250 Jan 5 2017 R8000-V1.0.3.32_1.1.21.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 03 20 01 01 15 |*#$^...:.... ...|
-rw-r--r-- 1 user user 30208058 Feb 21 2017 R8000-V1.0.3.36_1.1.25.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 03 24 01 01 19 |*#$^...:....$...|
-rw-r--r-- 1 user user 30220346 Apr 29 2017 R8000-V1.0.3.46_1.1.32.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 03 2e 01 01 20 |*#$^...:....... |
-rw-r--r-- 1 user user 30224442 Jun 20 2017 R8000-V1.0.3.48_1.1.33.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 03 30 01 01 21 |*#$^...:....0..!|
-rw-r--r-- 1 user user 30228538 Aug 4 2017 R8000-V1.0.3.54_1.1.37.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 03 36 01 01 25 |*#$^...:....6..%|
-rw-r--r-- 1 user user 31522874 Sep 18 2017 R8000-V1.0.4.2_1.1.41.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 04 02 01 01 29 |*#$^...:.......)|
-rw-r--r-- 1 user user 31522874 Nov 19 2017 R8000-V1.0.4.4_1.1.42.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 04 04 01 01 2a |*#$^...:.......*|
-rw-r--r-- 1 user user 31350842 Jan 16 2018 R8000-V1.0.4.12_10.1.46.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 04 0c 0a 01 2e |*#$^...:........|
-rw-r--r-- 1 user user 31653946 May 12 2018 R8000-V1.0.4.18_10.1.49.chk
00000000 2a 23 24 5e 00 00 00 3a 01 01 00 04 12 0a 01 31 |*#$^...:.......1|

01 01 00 00 2e 01 00 11  |*#$^...:........|
01 01 00 00 44 01 00 1b  |*#$^...:....D...|
01 01 00 00 4a 01 00 1f  |*#$^...:....J...|
01 01 00 00 4c 01 00 20  |*#$^...:....L.. |
01 01 00 00 5a 01 00 27  |*#$^...:....Z..'|
01 01 00 00 64 01 00 2c  |*#$^...:....d..,|
01 01 00 00 66 01 00 2d  |*#$^...:....f..-|
01 01 00 00 6e 01 00 46  |*#$^...:....n..F|
01 01 00 01 10 01 00 4a  |*#$^...:.......J|
01 01 00 02 2c 01 00 60  |*#$^...:....,..`|
01 01 00 02 2e 01 00 61  |*#$^...:.......a|
01 01 00 03 04 01 01 02  |*#$^...:........|
01 01 00 03 1a 01 01 12  |*#$^...:........|
01 01 00 03 20 01 01 15  |*#$^...:.... ...|
01 01 00 03 24 01 01 19  |*#$^...:....$...|
01 01 00 03 2e 01 01 20  |*#$^...:....... |
01 01 00 03 30 01 01 21  |*#$^...:....0..!|
01 01 00 03 36 01 01 25  |*#$^...:....6..%|
01 01 00 04 02 01 01 29  |*#$^...:.......)|
01 01 00 04 04 01 01 2a  |*#$^...:.......*|
01 01 00 04 0c 0a 01 2e  |*#$^...:........|
01 01 00 04 12 0a 01 31  |*#$^...:.......1|
01 01 00 04 1c 0a 01 36  |*#$^...:.......6|
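
Added example (not part of the original post, and not OpenWrt's mkchkimg code): a parser for the .chk header that uses the field names from the listings above and runs on the first 64 bytes of the stock and unmodified OpenWrt hexdumps. The checksum routine is an assumption about how sumheader is computed, with that field zeroed during the calculation; `lower_version_fields` is a hypothetical helper that only lists which version bytes are lower than in the stock image.

```python
import struct

# First 64 bytes of two images, copied from the hexdumps in the post above.
STOCK = bytes.fromhex(                      # R8000-V1.0.4.28_10.1.54.chk
    "2a23245e0000003a010100041c0a0136" "07875f1b0000000001e3100000000000"
    "07875f1bd70c09225531324833313554" "30305f4e455447454152484452300010")
OPENWRT = bytes.fromhex(                    # openwrt-18.06.1-...-squashfs.chk
    "2a23245e0000003a0101016300000000" "38f98d81000000000074000000000000"
    "38f98d8116d10b135531324833313554" "30305f4e455447454152484452300000")

FIXED = struct.Struct(">4sI8B6I")           # big-endian, 40 bytes before the model string
NAMES = ("region", "major", "minor", "build", "subb", "major2", "minor2", "build2",
         "sumkernel", "sumrootfs", "lenkernel", "lenroot", "sumimg", "sumheader")
VERSION_FIELDS = NAMES[1:8]

def netgear_checksum(buf):
    """Assumed algorithm: two running sums folded to 16 bits, packed (c1 << 16) | c0."""
    c0 = c1 = 0
    for b in buf:
        c0 += b
        c1 += c0
    def fold(v):
        v = (v & 0xFFFF) + (v >> 16)
        return (v + (v >> 16)) & 0xFFFF
    return (fold(c1) << 16) | fold(c0)

def parse_chk_header(data):
    """Decode a .chk header into the field names used in the post; reject malformed input."""
    if len(data) < FIXED.size:
        raise ValueError("shorter than the fixed header")
    magic, header_len, *rest = FIXED.unpack_from(data)
    if magic != b"*#$^":
        raise ValueError("bad magic")
    if not FIXED.size <= header_len <= len(data):
        raise ValueError("header_len out of range")
    hdr = dict(zip(NAMES, rest), header_len=header_len)
    hdr["model"] = data[FIXED.size:header_len].decode("ascii")
    # sumheader covers header_len bytes with its own 4-byte field (offset 36) zeroed.
    zeroed = data[:36] + bytes(4) + data[40:header_len]
    hdr["sumheader_ok"] = netgear_checksum(zeroed) == hdr["sumheader"]
    return hdr

def lower_version_fields(candidate, reference):
    """Names of version bytes where candidate is numerically below reference."""
    return [n for n in VERSION_FIELDS if candidate[n] < reference[n]]

if __name__ == "__main__":
    stock, owrt = parse_chk_header(STOCK), parse_chk_header(OPENWRT)
    print(owrt["model"], owrt["sumheader_ok"], lower_version_fields(owrt, stock))
```

A matching sumheader only shows the header is internally consistent; it is an unkeyed checksum, so it says nothing about who built the image.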

Project Manager
Mathias Kresin commented on 21.12.2018 06:35

Please follow https://openwrt.org/submitting-patches to submit your patch.
