Posted: Thu Feb 13, 2020 5:55 Post subject: Bricked WNDR3700v3
I'm trying to unbrick a WNDR3700v3 Netgear router.
I soldered 3 cables to serial GND, TX, RX and I can see the router booting.
After connecting, I tried to send Ctrl-C in many different ways. None of them worked.
Finally I wrote a Python script, which also didn't work.
I'm trying to send Ctrl-C (b'\x03') in different places. Nothing has worked so far!
How can I get this router to accept input from me or drop to CFE???
Code:
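import serial

# 115200 baud matches console=ttyS0,115200 in the boot log
with serial.Serial('/dev/tty.usbserial-1420', 115200) as ser:
    # Send Ctrl-C (0x03) a few times before reading anything
    ser.write(b'\x03')
    ser.write(b'\x03')
    ser.write(b'\x03')
    ser.reset_input_buffer()  # replaces the deprecated flushInput()
    while True:
        try:
            ser.write(b'\x03')
            ser.write(b'\x03')
            ser.write(b'\x03')
            ser_bytes = ser.readline()
            # Boot output can contain non-UTF-8 bytes; replace them instead of raising
            print(ser_bytes.decode('UTF-8', errors='replace'))
            ser.write(b'\x03')
        except Exception as e:
            print(e)
            break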
Here is my output:
Quote:
Decompressing..........done
CFE for WNDR3700v3 version: v1.0.6
Build Date: Wed May 18 17:25:10 CST 2011
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
Found an ST compatible serial flash with 128 64KB blocks; total size 8MB
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 2010.09.30.0
CPU type 0x19740: 480MHz
Tot mem: 65536 KBytes
Device eth0: hwaddr 74-44-01-48-6A-23, ipaddr 192.168.1.1, mask 255.255.255.0
gateway not set, nameserver not set
Loader:raw Filesys:tftp Dev:eth0 File:192.168.1.2:vmlinuz Options:(null)
Loading: Failed.
Could not load 192.168.1.2:vmlinuz: Timeout occured
too long file.
LZMA boot failed
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
Loading: .. 5192 bytes read
Entry at 0x80001000
Closing network.
Starting program at 0x80001000
Linux version 2.6.22.19 (root@tomato) (gcc version 4.2.4) #2 Sat Jan 18 15:33:38 CET 2020
CPU revision is: 00019740
Determined physical RAM map:
memory: 04000000 @ 00000000 (usable)
Zone PFN ranges:
Normal 0 -> 16384
HighMem 16384 -> 16384
early_node_map[1] active PFN ranges
0: 0 -> 16384
Built 1 zonelists. Total pages: 16384
Kernel command line: root=/dev/mtdblock2 noinitrd console=ttyS0,115200
Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Setting up vectored interrupts
PID hash table entries: 512 (order: 9, 2048 bytes)
CPU: BCM4716 rev 1 pkg 10 at 480 MHz
Using 240.000 MHz high precision timer.
console [ttyS0] enabled
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 61188k/65536k available (33k kernel code, 4288k reserved, 2786k data, 128k init, 0k highmem)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
PCI: Using membase 8000000
PCI: Initializing host
PCI: Reset RC
PCI: no core
PCI: Fixing up bus 0
PCI/PCIe coreunit 0 is set to bus 1.
PCI: Fixing up bridge
PCI: Fixing up bridge
PCI: Enabling device 0000:01:00.1 (0004 -> 0006)
PCI: Fixing up bus 1
NET: Registered protocol family 2
Time: MIPS clocksource has been installed.
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
squashfs: version 3.0 (2006/03/15) Phillip Lougher
io scheduler noop registered (default)
HDLC line discipline: version $Revision: 4.8 $, maxframe=4096
N_HDLC line discipline registered.
Serial: 8250/16550 driver $Revision: 1.90 $ 2 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0xb8000300 (irq = is a 16550A
PPP generic driver version 2.4.2
MPPE/MPPC encryption/compression module registered
NET: Registered protocol family 24
PPPoL2TP kernel driver, V0.18.3
PPTP driver version 0.8.5
pflash: found no supported devices
Found an ST compatible serial flash with 128 64KB blocks; total size 8MB
Creating 6 MTD partitions on "sflash":
0x00000000-0x00040000 : "pmon"
0x00040000-0x00790000 : "linux"
0x0012d000-0x005e0000 : "rootfs"
0x005e0000-0x00780000 : "jffs2"
0x007f0000-0x00800000 : "nvram"
0x007e0000-0x007f0000 : "board_data"
_nvram_init: allocat header: 2166161408, size= 65536
u32 classifier
OLD policer on
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (512 buckets, 4096 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
ipt_account 0.1.21 : Piotr Gasidlo <quaker@barbara.eu.org>, http://www.barbara.eu.org/~quaker/ipt_account/
net/ipv4/netfilter/tomato_ct.c [Jan 18 2020 15:26:10]
NET: Registered protocol family 1
NET: Registered protocol family 10
ip6_tables: (C) 2000-2006 Netfilter Core Team
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 128k freed
Warning: unable to open an initial console.
Algorithmics/MIPS FPU Emulator v1.5
emf: module license 'Proprietary' taints kernel.
eth0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.110.27.20012
wl_module_init: passivemode set to 0x0
eth1: Broadcom BCM4329 802.11 Wireless Controller 5.110.27.20012
PCI: Enabling device 0000:01:01.0 (0000 -> 0002)
eth2: Broadcom BCM4331 802.11 Wireless Controller 5.110.27.20012
I'm beginning to suspect that my TX line is dead on the TTL-USB adapter. I can read 3.3 volts on the multimeter, but I still haven't been able to send a Ctrl-C through that line...
Posted: Thu Feb 13, 2020 15:13 Post subject: [SOLVED]
Turns out the TTL-USB adapter is NOT working on the transmit side. I tried it with a Raspberry Pi and was never able to get any keystrokes through. I ordered a replacement...
Joined: 16 Mar 2019 Posts: 353 Location: Szczecin, Poland EU
Posted: Thu Feb 13, 2020 18:51 Post subject: Bricked WNDR3700v3
If you use PuTTY for the serial connection, go to the options, serial section, and change the flow control option to none. If you do not do this, the keyboard won't work in the serial connection. Keep pressing Ctrl+C immediately, as soon as the prompt line starts and the cursor is blinking.
Joined: 08 May 2018 Posts: 14246 Location: Texas, USA
Posted: Thu Feb 13, 2020 19:18 Post subject: Re: Bricked WNDR3700v3
thommy181 wrote:
If you use PuTTY for the serial connection, go to the options, serial section, and change the flow control option to none. If you do not do this, the keyboard won't work in the serial connection. Keep pressing Ctrl+C immediately, as soon as the prompt line starts and the cursor is blinking.
Pretty sure, it's correct! I used the same adapter on Raspberry, I can see the output which means Receive works. I couldn't get to write anything via T. I'm getting a replacement part tomorrow. Btw, I'm on Mac.
I had this happen on a 3700 v2. It was because the USB TTL device needs to be grounded. You can watch the terminal output with just TX and RX connected, but nothing from your keyboard will be input from PuTTY without the ground connection. Once you've got the ground connection, power it up, hold CTRL and spam the C key, and it will finally get to the CFE prompt.
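Added example, not part of any post in this thread: a pyserial sketch that separates the two failure modes discussed above, a dead adapter TX line (loopback check with the adapter's TX pin jumpered to its own RX pin, router disconnected) and a missed Ctrl-C window. The `CFE>` prompt string, the function names and the timing values are assumptions for illustration; the baud rate comes from the boot log.

```python
import sys
import time

CTRL_C = b"\x03"

def loopback_ok(port, probe=b"TX-PROBE\r\n"):
    """Adapter alone, TX pin jumpered to RX pin: bytes written must come back.
    A dead transmit driver (the fault found in this thread) echoes nothing."""
    port.timeout = 0.5               # allow for USB latency on the echo
    port.reset_input_buffer()
    port.write(probe)
    port.flush()
    return port.read(len(probe)) == probe

def interrupt_boot(port, prompt=b"CFE>", window=10.0):
    """Send Ctrl-C continuously until `prompt` shows up or `window` seconds pass.
    Returns (prompt_seen, captured_bytes). Start it, then power the router on."""
    port.timeout = 0.02              # short reads keep the Ctrl-C rate high
    seen = bytearray()
    deadline = time.monotonic() + window
    while time.monotonic() < deadline:
        port.write(CTRL_C)
        seen += port.read(256)       # returns b"" on timeout, never blocks forever
        if prompt in seen:
            return True, bytes(seen)
    return False, bytes(seen)

def open_adapter(device):
    import serial                    # pyserial; imported here so the helpers need no hardware
    # All flow control off, as advised in the thread: with RTS/CTS handshaking
    # enabled and CTS unconnected, the driver can hold writes back.
    return serial.Serial(device, 115200, xonxoff=False, rtscts=False, dsrdtr=False)

if __name__ == "__main__":
    # usage: script.py DEVICE [loopback]
    with open_adapter(sys.argv[1]) as port:
        if sys.argv[2:] == ["loopback"]:
            print("loopback:", "ok" if loopback_ok(port) else "FAILED, TX is not reaching RX")
        else:
            found, log = interrupt_boot(port)
            print(log.decode("ascii", errors="replace"))
            print("CFE prompt reached" if found else "no prompt: check TX and GND")
```

If the loopback check fails, the adapter is at fault and no amount of Ctrl-C timing on the router side will help.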