An example Flash Layout with explanations. And here the flash layout of the Netgear DG834G:

The mtd2 device/partition (base location) holds the bootloader with its configuration stored in mtd4 so you can use mtd1 + mtd0 + mtd3, from 0x90020000 to 0x903f0000 to store OpenWrt (providing 3920KiB of storage space).

NOTE: These instructions don't work for v3. See next section.

For this segment it will be assumed that your routers IP is 192.168.0.1, if it is not please take this into account then performing the following steps.

The DG834(G) ADAM 2 Bootloader calculates a checksum of the image in flash memory, if this check fails the router will not boot.

This checksum verification can be removed from the bootloader.

If there is no adam2 directory in /proc upgrade the device to newer firmware for example DG834_V3.01.29.

Once you patch the bootloader you don't need to patch the device again in case of recovery.

Obtaining your current Bootloader

1. Enable debug mode. Visit http://192.168.0.1/setup.cgi?todo=debug
2. Telnet into your router

   telnet 192.168.0.1

3. Assign an IP address to ADAM2

   echo "my_ipaddress 192.168.0.1" > /proc/sys/dev/adam2/environment

4. Backup each MTD Block to RAM

      dd if=/dev/mtdblock/0 of=/tmp/mtd0.bin
      dd if=/dev/mtdblock/1 of=/tmp/mtd1.bin
      dd if=/dev/mtdblock/2 of=/tmp/mtd2.bin
      dd if=/dev/mtdblock/3 of=/tmp/mtd3.bin
      dd if=/dev/mtdblock/4 of=/tmp/mtd4.bin

5. Spawn a HTTP Daemon to download MTD Backups

   cd /tmp
   mini_httpd -p 1080

6. Download the MTD Backups

   http://192.168.0.1:1080/mtd0.bin
   http://192.168.0.1:1080/mtd1.bin
   http://192.168.0.1:1080/mtd2.bin
   http://192.168.0.1:1080/mtd3.bin
   http://192.168.0.1:1080/mtd4.bin

Patch ADAM 2

ADAM2 is contained in the mtd2.bin file, this should be the focus of alteration.

1. Verify the current edition is eligible for modification:
   1. These modifications steps apply to the 0.18.01 edition of ADAM2 as distributed by Netgear.
   2. The MD5 sum of this should be 0530bfdf00ec155f4182afd70da028c1 if this isn't the case DO NOT follow these instructions (have you previously patched this loader?, if unsure go to step 3).
2. Modify the bootloeader binary file with a hex editor:
   1. go to offset 0x3944. Here there should be 4 bytes: 44 09 00 0C (representing jal 0x90002510 during execution)
   2. Replace these 4 bytes with 00 (representing nop).
3. Verify the modification
   1. Confirm the new MD5 of the modified mtd2.bin is d8a2f4623bf6f64b7427812f0e849aa7.

Replace the restricted ADAM2 on the router

1. Place the Modified mtd2.bin onto a web or FTP server (e.g http://127.0.0.1/mtd2.bin)
2. Download the new mtd2.bin to the router via WGET

   cd /tmp
   rm mtd2.bin
   wget http://127.0.0.1/mtd2.bin

3. Install the new mtd2.bin to the Router

   dd if=mtd2.bin of=/dev/mtdblock/2 

Installation of OpenWrt can now be done using the TFTP method by targeting the IP address you specified in part 3 of obtaining the bootloader. It should be noted that due to the memory layout of this device an OpenWrt SquashFS image needs to be split into to files, this can be done using the DD tool.

The MTD1 Partition is 720896 bytes in size and is executed first and so should be the first 720896 bytes of the OpenWrt Image, the MTD0 partition contains the remainder of the image.

dd if=openwrt-ar7-squashfs.bin of=ow-mtd1.bin count=720896 bs=1
dd if=openwrt-ar7-squashfs.bin of=ow-mtd0.bin skip=720896 bs=1

Now that the image has been split appropriately its can now be uploaded (and flashed) to the Router using its ADAM2 FTP service. To connect to the ADAM2 FTP service you need to use a COMMAND LINE ftp client targeting the IP address you specified in part 3 of obtaining the bootloader.

Note: The size of the two images combined cannot be bigger than 3932160 bytes, or the upload will fail and you will end with an unusable device!

Note: Modern Windows FTP command line clients are incompatible with this process so the Windows XP one must be used, Ubuntu 11.04 has no such issue.

Note: As soon as the device power on target it with telnet. After you spawn the FTP (need some time..).

the device will blink amber

Before you leave the telnet FTP (that actually doesn't work), prepare command line FTP and open connection.

ftp 192.168.0.1
Connected to 192.168.0.1.
220 ADAM2 FTP Server ready.
Name (192.168.0.1:none): adam2
331 Password required for adam2.
Password: adam2
230 User adam2 successfully logged in.
Remote system type is UNIX.
ftp> quote "MEDIA FLSH"
200 Media set to FLSH.
ftp> bin
200 Type set to I.
ftp> put ow-mtd0.bin "fs mtd0"
local: ow-mtd0.bin remote: fs mtd0
200 Port command successful.
150 Opening BINARY mode data connection for file transfer.
226 Transfer complete.
1598607 bytes sent in 14.64 secs (106.6 kB/s)
ftp> put ow-mtd1.bin "fs mtd1"
local: ow-mtd1.bin remote: fs mtd1
200 Port command successful.
150 Opening BINARY mode data connection for file transfer.
226 Transfer complete.
720896 bytes sent in 6.56 secs (107.3 kB/s)
ftp> quote REBOOT
221-Thank you for using the FTP service on ADAM2.
221 Goodbye.

The ADAM2 bootloader in v3 is different, and cannot be patched as shown. It does not seem to be needed anyway. Another important difference is that the bootloader does not allow FTP access nor interruption of the boot from the serial console, so recovery can only be done with the Windows recovery tool or the nftp.2 tool described below.

The old wiki has information for this particular model: dg834gv3

See also: http://www.pitt-pladdy.com/blog/_20100424-103102+0100%20OpenWrt%20Take%202%20-%20native%20IPv6%20on%20DG834%20v3%20%28using%20AAISP%29/

In case of a failed upload, the device might become unresponsive and look bricked.

Enter the failsafe mode:

Power-cycling the router with the reset button pressed,
power and test leds will blink.

In this mode you can return the device flash back to original.

There is a official netgear recovery utility or you can use adam2flash Perl script.

Also there is a small utility nftp.2.c that is able to reflash and verify the router.

Compile as follows:

  $ gcc -o nftp.2 nftp.2.c

Invoke the utility like this to re-flash the router (it requires root as it uses raw sockets):

  $ sudo ./nftp.2 -u eth0 IMAGE_TO_UPDATE

The image file is expected to be in the official firmware format, which I think is mtd2+mtd1+mtd0 concatenated.

After programming, the router will reset.

You can also verify the flashed image like this:

  $ sudo ./nftp.2 -v eth0 IMAGE_TO_VERIFY

Note: This program might complain about the image not passing an integrity check, but that seems to be broken. In that case, just remove the "return 1" from line 266 and try again.

*Wired Only Edition Pictured

Serial console is J603. Settings are: 115200, 8, n, 1.

(Pin 1 is identified by a square printed box on the PCB.

This JTAG port Follows the 14 pin EJTAG 2.5 specification, pin 1 is marked by a square printed box on the PCB (This is verified as working).

Orientation and distribution on the board:

JTAG signals and pins

See port.jtag for more JTAG details.

The onboard Flash Chip for V1 is a 4MB 29DL32BF-70PFTN when manipulating this chip from JTAG software such as TJTAG it may not be detected, in such cases masquerading as/forcing use of either the MBM29DL323BE or AM29LV320 chips will likely work (This has worked for the user Funkimunk, your mileage may vary).