Posted: Fri Jul 10, 2020 14:07 Post subject: Netgear R6400v2 full recovery
I bought a cheap used Netgear R6400v2 with a bootloop problem. After powering it up, I saw that someone had tried to flash the firmware for the R7000P, so what I did was open it up, connect to the serial console and try to recover it to the factory firmware.
Booting with the serial console active, I saw that the CFE was reporting a strange MAC (00:FF:FF:FF:FF:FF) for the LAN.
After some research, I found that all vital configuration (MAC, default SSID, default WiFi password, serial number, etc.) on this router is stored not in the CFE but in the board_data partition (mtd4 on the latest factory firmware).
It seems that if you use DD-WRT or FreshTomato and create a JFFS partition using the full flash size, the board_data partition is deleted, and with it all the vital configuration.
This configuration is still in NVRAM but will be deleted as soon as you do an erase nvram (and this is probably why it enters a bootloop).
Using the burn* tools from the factory firmware I could restore almost everything to factory defaults (the problem seems to be the RF calibration of the board, which is lost, and this is why I now get poor wireless coverage on both bands).
These were the steps I took to recover the faulty R6400v2 to factory defaults (if you run the burn* tools without any parameter, they show the values currently stored in the board_data partition):
# burnethermac [MAC address from the router label]
# burnsku 0x0002 (changes the wireless location to worldwide, with sku_name="WW")
# burnsn [Serial number from the router label] (recovering the admin password on the factory firmware is not possible without the correct serial number)
# burnboardid U12H332T20_NETGEARHDR0 (some R6400v2 units are U12H332T30_NETGEARHDR0; check the white label on the board near the serial console connector)
# burnssid [SSID from router label]
# burnpass [Wireless password from router label]
# burn5gssid [SSID from router label plus "-5G" at the end]
# burn5gpass [Wireless password from router label]
# burnpin [8 digit PIN] (shown in the web GUI of the factory firmware as WDS PIN)
# burnrf (this stores the RF calibration from NVRAM. I found the following values on another forum, from someone who also lost all vital data, so I do not know if they are correct. The first parameter, 0x0, is suspect.):
It would be interesting if other owners of a working R6400v2 could post their RF calibration values to check whether they differ for every board. This could be done using the factory firmware (using the telnet enabler for Netgear, http://www.antinode.info/nte/index.html) or third-party firmware like FreshTomato or DD-WRT.
These should be the correct commands to execute on the telnet/ssh/serial console:
# nvram show | grep board
# nvram show | grep rpcal
# nvram show | grep rxgainerr
Just post your results so we can see whether these RF calibration values are unique or the same for every board.
Hope this helps to fully unbrick the R6400v2 or even the R6700v3...
Last edited by barroshelder on Fri Jul 10, 2020 14:58; edited 2 times in total
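A pre-flight check for the label values before pasting the burn* commands at the console, added here as an example and not part of the post or of Netgear's tooling. It assumes the burn* command names exactly as listed in the post and (an assumption) that the PIN is a WPS-style PIN whose eighth digit is a checksum; it only prints the commands and writes nothing to flash.

```sh
#!/bin/sh
# Added example, not from the post: sanity-check the label values before
# pasting the burn* commands at the console. Assumes the burn* tool names
# listed in the post and (assumption) that the PIN is a WPS-style PIN whose
# eighth digit is a checksum.

# Six colon-separated hex pairs, and not the 00:FF:FF:FF:FF:FF the CFE
# reported on the damaged board.
check_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    [ "$(printf '%s' "$1" | tr 'a-f' 'A-F')" != "00:FF:FF:FF:FF:FF" ]
}

# Exactly eight digits; checksum weights 3,1,3,1,3,1,3 over the first seven,
# eighth digit must equal (10 - sum mod 10) mod 10 (12345670 passes).
check_pin() {
    case $1 in *[!0-9]*|'') return 1 ;; esac
    [ ${#1} -eq 8 ] || return 1
    sum=0; i=1
    while [ $i -le 7 ]; do
        d=$(printf '%s' "$1" | cut -c"$i")
        if [ $((i % 2)) -eq 1 ]; then sum=$((sum + 3 * d)); else sum=$((sum + d)); fi
        i=$((i + 1))
    done
    [ $(( (10 - sum % 10) % 10 )) -eq "$(printf '%s' "$1" | cut -c8)" ]
}

# Print the burn* commands in the order used in the post; nothing is written
# to flash here, copy the lines to the serial console once they look right.
plan_burn() {
    mac=$1 serial=$2 ssid=$3 pass=$4 pin=$5
    check_mac "$mac" || { echo "rejected MAC: $mac" >&2; return 1; }
    check_pin "$pin" || { echo "rejected PIN: $pin" >&2; return 1; }
    [ -n "$serial" ] && [ -n "$ssid" ] && [ -n "$pass" ] || return 1
    printf '# burnethermac %s\n# burnsku 0x0002\n# burnsn %s\n' "$mac" "$serial"
    printf '# burnssid %s\n# burnpass %s\n' "$ssid" "$pass"
    printf '# burn5gssid %s-5G\n# burn5gpass %s\n# burnpin %s\n' "$ssid" "$pass" "$pin"
}

# Constructed sample label values (not from a real router)
plan_burn "A0:04:60:12:34:56" "4AB1234567890" "NETGEAR12" "happyphone123" "12345670"
```

burnboardid is left out on purpose, since the value depends on the white label on the board.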
Thanks for the file, I will check it.
It would be better if we post the results of running the commands above so we have "readable" values to compare (they also do not contain other data found on mtd4 like WiFi passwords, SSID, MAC, etc.)...