Bootloop Investigation for Netgear R8300 and R8500 routers

Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware
Goto page 1, 2, 3, 4  Next
Author Message
routerhacker
DD-WRT Novice


Joined: 20 Jul 2018
Posts: 34

PostPosted: Sun Jul 29, 2018 18:59    Post subject: Bootloop Investigation for Netgear R8300 and R8500 routers Reply with quote
Can a few folks send me mtd dumps from their Netgear stock firmware R8300 and R8500 routers?

I'm diagnosing things and close to the solution to fix these. Im particularly interested in the MP2 variants of these routers as those are what is affecting most people.

Code:
cat /prod/mtd
dev:    size   erasesize  name
mtd0: 00080000 00020000 "boot"
mtd1: 00180000 00020000 "nvram"
mtd2: 06d00000 00020000 "linux"
mtd3: 06ae649c 00020000 "rootfs"
mtd4: 00080000 00020000 "board_data"
mtd5: 00100000 00020000 "POT1"
mtd6: 00100000 00020000 "POT2"
mtd7: 002c0000 00020000 "T_Meter1"
mtd8: 002c0000 00020000 "T_Meter2"
mtd9: 00080000 00020000 "ML1"
mtd10: 00080000 00020000 "ML2"
mtd11: 00080000 00020000 "ML3"
mtd12: 00080000 00020000 "ML4"
mtd13: 00080000 00020000 "ML5"
mtd14: 00080000 00020000 "ML6"
mtd15: 00080000 00020000 "ML7"
mtd16: 00080000 00020000 "DebugMsg"
mtd17: 03b00000 00020000 "brcmnand"
mtd18: 00500000 00020000 "OpenVPN"

Here are the steps (using working stock firmware please):

1) Insert a formatted USB stick into usb port and verify it is mounted
2) Enable telnet by going to http://192.168.1.1/debug.htm and checking telnet box
3) On computer, open a terminal window and telnet to router: (i.e.-> telnet 192.168.1.1)
4) Then run the following commands via telnet seesion:

Code:
export usb_stick="$(find /tmp/shares/* | head -n 1)"
cat /proc/mtd > $usb_stick/mtdblock_list.txt
for x in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do cat /dev/mtdblock$x > $usb_stick/mtdblock$x; done
zip -j $usb_stick/router_partition_backup.zip $usb_stick/mtdblock*
rm /$usb_stick/mtdblock*


Lastly, post the resulting "router_partition_backup.zip" for comparison and make note of Router, firmware revision, etc.
Note: you can exclude mtdblock1 and mtdblock4 if you are concerned with sharing pwd/mac stuff.

Thanks,
routerhacker
Sponsor
routerhacker
DD-WRT Novice


Joined: 20 Jul 2018
Posts: 34

PostPosted: Mon Jul 30, 2018 19:54    Post subject: Reply with quote
<bump> help a brother help all
routerhacker
DD-WRT Novice


Joined: 20 Jul 2018
Posts: 34

PostPosted: Tue Jul 31, 2018 19:20    Post subject: Reply with quote
Come on guys, please someone try to provide the details I requested. I really am trying to get to the bottom of the wireless issues / bootloop problems on these two routers.

If nothing else, the steps above will help you get some insurance if you have a backup of every single partition on your router while it is working.

Any help would be greatly appreciated.
Malachi
DD-WRT Guru


Joined: 17 Jul 2012
Posts: 7209
Location: Columbus, Ohio

PostPosted: Tue Jul 31, 2018 20:04    Post subject: Reply with quote
The problem is bad hardware.
_________________
I am far from a guru, I'm barely a novice.
routerhacker
DD-WRT Novice


Joined: 20 Jul 2018
Posts: 34

PostPosted: Wed Aug 01, 2018 1:03    Post subject: Reply with quote
Well, I am not denying some have bad hardware; however, it seems a few things are really going on:

1) Broadcom screwed up the numbering on pci device numbering for *some* revisions of the wifi chips used in some of the units.

2) Netgear used some of those chips in various units.

3) It seems that they did not update the GPL sources shared on their site and/or any of the firmware on their site that used those. My belief is that when they made the MP2 units (specifically those in Vietnam) they hacked in a new updated dhd.ko driver that knew about the specific revision of the chip (rev 04) that is not reflected in their public repo.

4) As a result when the firmware would auto update, boom... it boot loops because the unit gets something off their update site but *NONE* of those firmwares account for the newer rev 04 of the 4366 chip. A little evidence may be seen by folks when using CFE and it gets to "insmod dpasta.ko" and puts out a message and then the segment fault and reboot occurs right after that (which is really when it tries to load dhd.ko driver and it is wrong version for this chip).

5) Looking at every firmware for both the R8300 and R8500 off their site, I confirmed the dhd.ko driver in each firmware and they are all earlier versions of the driver than what is proper for that chip. (they are very close, but minor changes in the firmware affect things directly)

I can post what I have found about the drivers in each firmware as proof. But to your point, their still may be bad units out there. I have had no luck with any stock firmware as a result (I believe) due to my R8300 having a rev 04 chip.

I have been able to somewhat confirm this by using a ASUS Merlin image that will run due to it's dhd.ko driver being newer and support the funky rev 04 chip version.

I want to take the latest stock Netgear firmware (122 I think?) for the R8500, and try to use firmware mod kit to replace the dhd.ko driver and rebuild the image. Mileage may vary as that is not a true compile from scratch but we shall see.

Anyhow, just something to noodle on. I sure wish others would pitch in and get me the info above I had hoped for. It would go a long way to also confirm the real issue.

later Smile
Malachi
DD-WRT Guru


Joined: 17 Jul 2012
Posts: 7209
Location: Columbus, Ohio

PostPosted: Wed Aug 01, 2018 1:12    Post subject: Reply with quote
Which rmerlin firmware did you get to work? I’d like try it on my bad units.
_________________
I am far from a guru, I'm barely a novice.
routerhacker
DD-WRT Novice


Joined: 20 Jul 2018
Posts: 34

PostPosted: Wed Aug 01, 2018 3:24    Post subject: Reply with quote
The Koolshare Asus Merlin for Netgear 8500 port 7.9 version.
routerhacker
DD-WRT Novice


Joined: 20 Jul 2018
Posts: 34

PostPosted: Wed Aug 01, 2018 3:30    Post subject: Reply with quote
Here is a link:
https://firmware.koolshare.cn/Koolshare_Merlin_Legacy_380/Netgear/R8500/

Clear nvram and you may need to set language to English as the guys working on it are in China but it is a mod of Asus Merlin.

Post your results.
Malachi
DD-WRT Guru


Joined: 17 Jul 2012
Posts: 7209
Location: Columbus, Ohio

PostPosted: Wed Aug 01, 2018 9:41    Post subject: Reply with quote
Thanks.
_________________
I am far from a guru, I'm barely a novice.
Malachi
DD-WRT Guru


Joined: 17 Jul 2012
Posts: 7209
Location: Columbus, Ohio

PostPosted: Wed Aug 01, 2018 21:17    Post subject: Reply with quote
No change for me. Still only have the upper band 5ghz working on this koolshare fw as I do on dd-wrt.
The 2.4ghz sometimes shows up some times doesn’t, on either firmware.
Won’t boot at all on Netgear firmware.
This is on an r8300. I threw away the other r8500’s I had two weeks ago.

_________________
I am far from a guru, I'm barely a novice.
routerhacker
DD-WRT Novice


Joined: 20 Jul 2018
Posts: 34

PostPosted: Wed Aug 01, 2018 21:34    Post subject: Reply with quote
Interesting. I found something odd on this one. If I do a nvram erase & nvram commit through CFE it really doesn't do it (commit it to flash that is). If I hold in reset on power up for 3 cycles it takes care of it. Maybe worth a try.

Back on stock firmware in log you can see:
[ 1986.010000] dhdpcie_pci_probe: PCIe Enumeration failed
[ 1986.010000] Broadcom PCI Device 0x4715 has allocated with driver et
[ 1986.010000] Broadcom PCI Device 0x4715 has allocated with driver et
[ 1986.010000] Broadcom PCI Device 0x4715 has allocated with driver et
[ 1986.010000] Broadcom PCI Device 0x471a has allocated with driver ohci_hcd
[ 1986.010000] Broadcom PCI Device 0x471a has allocated with driver ehci_hcd
[ 1986.010000] Broadcom PCI Device 0x472a has allocated with driver xhci_hcd
[ 1986.010000] dhdpcie_bus_register: dhdpcie initialize failed.
[ 1986.010000] dhd_module_init: Failed to load the driver, try cnt 1
[ 1986.010000] no wifi platform data, skip
[ 1986.010000] PCI_PROBE: bus 1, slot 0,vendor 14E4, device 4365(good PCI location)
[ 1986.010000] dhdpcie_init: can't find adapter info for this chip

[ 1986.110000] DHD: dongle ram size is set to 1343488(orig 1343488) at 0x200000
[ 1986.120000] dhd_attach(): thread:dhd_watchdog_thread:309 started
[ 1986.120000] dhd_deferred_work_init: work queue initialized
[ 1986.120000] dhd_bus_download_firmware: firmware path=, nvram path=
[ 1986.120000] dhdpcie_ramsize_adj: Enter
[ 1986.120000] select_fd_image: Dongle image not available for chipid = 0x5366 chiprev = 4 chippkg = 4
[ 1986.120000] select_fd_image: Dongle image not available for chipid = 0x5366 chiprev = 4 chippkg = 4

[ 1986.120000] _dhdpcie_download_firmware: dongle image array download failed
[ 1986.120000] dhd_bus_start: failed to download firmware

I still believe this is related to chip setup/failure due to wrong driver and pci id's not properly accounted for.

Anyhow I am attaching a couple pieces of info that might serve Kong or BrainSlayer or others about stock driver revisions, etc.



R8300_R8500_dhd_firmware_versions_details.txt
 Description:
And this is a detail list of every chip firmware inside every dhd.ko driver in every stock R8300 and R8500 firmware.

Download
 Filename:  R8300_R8500_dhd_firmware_versions_details.txt
 Filesize:  31.23 KB
 Downloaded:  566 Time(s)


R8300_R8500_dhd_firmware_versions.txt
 Description:
This is a high level detail of every dhd.ko driver in every stock R8300 and R8500 firmware

Download
 Filename:  R8300_R8500_dhd_firmware_versions.txt
 Filesize:  8.09 KB
 Downloaded:  544 Time(s)

cjb
DD-WRT Novice


Joined: 03 Aug 2018
Posts: 1

PostPosted: Fri Aug 03, 2018 16:53    Post subject: Reply with quote
mtd dumps from their Netgear stock firmware


router_partition_backup.zip
 Description:
1 and 4 removed

Download
 Filename:  router_partition_backup.zip
 Filesize:  64.16 MB
 Downloaded:  378 Time(s)

routerhacker
DD-WRT Novice


Joined: 20 Jul 2018
Posts: 34

PostPosted: Sun Aug 05, 2018 2:35    Post subject: Reply with quote
Very Cool! Thank you.
deslatha
DD-WRT User


Joined: 12 Jul 2016
Posts: 187

PostPosted: Wed Aug 08, 2018 2:09    Post subject: Reply with quote
Wl chipsets had no eeprom. but behind cpu there is another ic. it may have code that cpu can control wl chipset. as long as you can not read and write then very much useless. there are over 26 i/o lines most connect to cpu. need to read and find out what kind exactly.
after some research then it pop up:https://www.smallnetbuilder.com/wireless/wireless-reviews/32998-linksys-ea9500-max-stream-ac5400-mu-mimo-gigabit-router-reviewed
with ic is PLX Technology PEX8603 3-lane, 3-port PCIe switch come from intel. So router has limited communication between cpu and wl chipset. (no directly data from cpu to wl chipset due cpu design for only 2 pci-e. it needs a switch.
from intel doc:
After a FLEX 8000 device has entered the user mode, you can choose to
replace the configuration data pattern inside the device at any time. In this
process, called in-circuit reconfiguration, new configuration data is selected
using one of three methods, depending on the configuration scheme:
❏ In a passive configuration scheme, a different file can be downloaded
from a mass-storage system.
❏ In the AS configuration scheme, multiple sets of configuration data
can be stored in one or more serial Configuration EPROMs. Each set of
data is used in succession.
❏ In the APU and APD configuration schemes, new configuration data
is selected by externally multiplexing a different EPROM source onto
the data path or by providing offset address generation circuitry to
select a different page within the same EPROM.

there are 4 testpoint T11,21,13,14 that you can prob to log and check.



pci-e_switch.png
 Description:
 Filesize:  342.38 KB
 Viewed:  8835 Time(s)

pci-e_switch.png


tasman_shn
DD-WRT Novice


Joined: 12 Aug 2018
Posts: 9

PostPosted: Sun Aug 12, 2018 0:56    Post subject: Reply with quote
I have 2 units Netgear R8500 conditions all work with factory default firmware. One unit upgrade the firmware online by netgenie menu. After the upgrade was complete the router always restarts. Currently only can use the R8500-V1.0.0.28_1.0.15.chk firmware with missing 5Ghz-2 Band.

out of curiosity I backup the second R8500 firmware (mtd2 and mtd3) then do online update. After the upgrade is complete the Router R8500 always restarts. I try to restore mtd2 and mtd3 but it doesn't help. I returned to the R8500-V1.0.0.28_1.0.15.chk firmware with missing 5Ghz-2 Band.



Malachi wrote:
No change for me. Still only have the upper band 5ghz working on this koolshare fw as I do on dd-wrt.
The 2.4ghz sometimes shows up some times doesn’t, on either firmware.
Won’t boot at all on Netgear firmware.
This is on an r8300. I threw away the other r8500’s I had two weeks ago.
Goto page 1, 2, 3, 4  Next Display posts from previous:    Page 1 of 4
Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum