Netgear DG834G

Release Status

Version/Model OpenWrt Version Status Notes
v1/2/3 Kamikaze 8.09.2 Working Stable with the occasional "dma ring overrun"
v1/2/3 Backfire 10.03 Working
v1/2/3 Backfire 10.03.1-rc1/2 Working
v1/2/3 Backfire 10.03.1-rc3/4/5/6 Not Working :!:
v1/2/3 Backfire 10.03.1 Not Working Ethernet Switch lost=Reflash using nftp tool + Netgear recovery mode
v1/2/3 Attitude Adjustment 12.09 beta Not Working :!:

:!: Note: This doesn't help people using pre-compiled binaries, but YMMV removing certain cpmac patches prior to compilation.

Hardware Versions

Model CPU Wireless Flash RAM FCC ID
DG834G v1 TI AR7 TNETD7300GDU TI TNETW1130GVF (PC-card) 4MB 16MB
DG834G v2 TI AR7 TNETD7301GDU TI TNETW1130GVF (PC-card) 4MB 16MB
DG834G v3 TI AR7 TNETD7200ZDW TI TNETW1350A (Integrated) 4MB 16MB
DG834G v4 Broadcom BCM6348 Broadcom BCM4318 4MB 16MB

Installation

Flash Layout

An example Flash Layout with explanations. And here the flash layout of the Netgear DG834G:

Netgear DG834G
mtd0 0x900d0000,0x903e0000 RootFS
mtd1 0x90020000,0x900d0000 Kernel
mtd2 0x90000000,0x90020000 ADAM2
mtd3 0x903e0000,0x903f0000 Netgear firmware config
mtd4 0x903f0000,0x90400000 ADAM2 config

The mtd2 device/partition (base location) holds the bootloader with its configuration stored in mtd4 so you can use mtd1 + mtd0 + mtd3, from 0x90020000 to 0x903f0000 to store OpenWrt (providing 3920KiB of storage space).

Installation Information

NOTE: These instructions don't work for v3. See next section.

For this segment it will be assumed that your routers IP is 192.168.0.1, if it is not please take this into account then performing the following steps.

Patching the Bootloader

The DG834(G) ADAM 2 Bootloader calculates a checksum of the image in flash memory, if this check fails the router will not boot.

This checksum verification can be removed from the bootloader.

If there is no adam2 directory in /proc upgrade the device to newer firmware for example DG834_V3.01.29.

Once you patch the bootloader you don't need to patch the device again in case of recovery.

Obtaining your current Bootloader

  1. Enable debug mode. Visit http://192.168.0.1/setup.cgi?todo=debug
  2. Telnet into your router
    telnet 192.168.0.1
  3. Assign an IP address to ADAM2
    echo "my_ipaddress 192.168.0.1" > /proc/sys/dev/adam2/environment
  4. Backup each MTD Block to RAM
       dd if=/dev/mtdblock/0 of=/tmp/mtd0.bin
       dd if=/dev/mtdblock/1 of=/tmp/mtd1.bin
       dd if=/dev/mtdblock/2 of=/tmp/mtd2.bin
       dd if=/dev/mtdblock/3 of=/tmp/mtd3.bin
       dd if=/dev/mtdblock/4 of=/tmp/mtd4.bin
  5. Spawn a HTTP Daemon to download MTD Backups
    cd /tmp
    mini_httpd -p 1080
  6. Download the MTD Backups
    http://192.168.0.1:1080/mtd0.bin
    http://192.168.0.1:1080/mtd1.bin
    http://192.168.0.1:1080/mtd2.bin
    http://192.168.0.1:1080/mtd3.bin
    http://192.168.0.1:1080/mtd4.bin

Patch ADAM 2

ADAM2 is contained in the mtd2.bin file, this should be the focus of alteration.

  1. Verify the current edition is eligible for modification:
    1. These modifications steps apply to the 0.18.01 edition of ADAM2 as distributed by Netgear.
    2. The MD5 sum of this should be 0530bfdf00ec155f4182afd70da028c1 if this isn't the case DO NOT follow these instructions (have you previously patched this loader?, if unsure go to step 3).
  2. Modify the bootloeader binary file with a hex editor:
    1. go to offset 0x3944. Here there should be 4 bytes: 44 09 00 0C (representing jal 0x90002510 during execution)
    2. Replace these 4 bytes with 00 (representing nop).
  3. Verify the modification
    1. Confirm the new MD5 of the modified mtd2.bin is d8a2f4623bf6f64b7427812f0e849aa7.

Replace the restricted ADAM2 on the router

  1. Place the Modified mtd2.bin onto a web or FTP server (e.g http://127.0.0.1/mtd2.bin)
  2. Download the new mtd2.bin to the router via WGET
    cd /tmp
    rm mtd2.bin
    wget http://127.0.0.1/mtd2.bin
  3. Install the new mtd2.bin to the Router
    dd if=mtd2.bin of=/dev/mtdblock/2 

Installing OpenWrt

Installation of OpenWrt can now be done using the TFTP method by targeting the IP address you specified in part 3 of obtaining the bootloader. It should be noted that due to the memory layout of this device an OpenWrt SquashFS image needs to be split into to files, this can be done using the DD tool.

The MTD1 Partition is 720896 bytes in size and is executed first and so should be the first 720896 bytes of the OpenWrt Image, the MTD0 partition contains the remainder of the image.

dd if=openwrt-ar7-squashfs.bin of=ow-mtd1.bin count=720896 bs=1
dd if=openwrt-ar7-squashfs.bin of=ow-mtd0.bin skip=720896 bs=1

Now that the image has been split appropriately its can now be uploaded (and flashed) to the Router using its ADAM2 FTP service. To connect to the ADAM2 FTP service you need to use a COMMAND LINE ftp client targeting the IP address you specified in part 3 of obtaining the bootloader.

Note: The size of the two images combined cannot be bigger than 3932160 bytes, or the upload will fail and you will end with an unusable device!

Note: Modern Windows FTP command line clients are incompatible with this process so the Windows XP one must be used

Note: Linux users, make sure to enable Passive mode.

Note: As soon as the device power on target it with telnet. After you spawn the FTP (need some time..).

the device will blink amber

Before you leave the telnet FTP (that actually doesn't work), prepare command line FTP and open connection.

ftp 192.168.0.1
Connected to 192.168.0.1.
220 ADAM2 FTP Server ready.
Name (192.168.0.1:none): adam2
331 Password required for adam2.
Password: adam2
230 User adam2 successfully logged in.
Remote system type is UNIX.
ftp> quote "MEDIA FLSH"
200 Media set to FLSH.
ftp> bin
200 Type set to I.
ftp> put ow-mtd0.bin "fs mtd0"
local: ow-mtd0.bin remote: fs mtd0
200 Port command successful.
150 Opening BINARY mode data connection for file transfer.
226 Transfer complete.
1598607 bytes sent in 14.64 secs (106.6 kB/s)
ftp> put ow-mtd1.bin "fs mtd1"
local: ow-mtd1.bin remote: fs mtd1
200 Port command successful.
150 Opening BINARY mode data connection for file transfer.
226 Transfer complete.
720896 bytes sent in 6.56 secs (107.3 kB/s)
ftp> quote REBOOT
221-Thank you for using the FTP service on ADAM2.
221 Goodbye.

Installation Information (v3)

The ADAM2 bootloader in v3 is different, and cannot be patched as shown. It does not seem to be needed anyway. Another important difference is that the bootloader does not allow FTP access nor interruption of the boot from the serial console, so recovery can only be done with the Windows recovery tool or the nftp.2 tool described below.

The old wiki has information for this particular model: dg834gv3

See also: http://www.pitt-pladdy.com/blog/_20100424-103102+0100%20OpenWrt%20Take%202%20-%20native%20IPv6%20on%20DG834%20v3%20%28using%20AAISP%29/

Recovery

In case of a failed upload, the device might become unresponsive and look bricked.

Enter the failsafe mode:

Power-cycling the router with the reset button pressed,
power and test leds will blink.

In this mode you can return the device flash back to original.

There is a official netgear recovery utility or you can use adam2flash Perl script.

Also there is a small utility nftp.2.c that is able to reflash and verify the router.

Compile as follows:

  $ gcc -o nftp.2 nftp.2.c

Invoke the utility like this to re-flash the router (it requires root as it uses raw sockets):

  $ sudo ./nftp.2 -u eth0 IMAGE_TO_UPDATE

The image file is expected to be in the official firmware format, which I think is mtd2+mtd1+mtd0 concatenated.

After programming, the router will reset.

You can also verify the flashed image like this:

  $ sudo ./nftp.2 -v eth0 IMAGE_TO_VERIFY

Note: This program might complain about the image not passing an integrity check, but that seems to be broken. In that case, just remove the "return 1" from line 266 and try again.

Hardware

Info - Revision 1

Architecture: MIPS (little endian)
Vendor: Texas Instruments
Bootloader: ADAM2
System-On-Chip: TI AR7 TNETD7300GDU
CPU Speed: 150Mhz
Flash-Chip: Fujitsu 29DL32BF-70PFTN
Flash size: 4 MiB
RAM: 16 MiB V54C3128164VAT7
Wireless: TI TNETW1130GVF MiniPCI (802.11bg)
Ethernet: Marvell 88E6060-RCJ
Serial: Yes
JTAG: Yes

Info - Revision 2

Architecture: MIPS (little endian)
Vendor: Texas Instruments
Bootloader: ADAM2
System-On-Chip: TI AR7 TNETD7301GDU
CPU Speed: 150Mhz
Flash-Chip: MX 29LV320ABTC-90
Flash size: 4 MiB
RAM: 16 MiB ISSI IS42S16800A-7T
Wireless: TI TNETW1350A On-Board (802.11bg)
Ethernet: Marvell 88E6060
Serial: Yes - JP603 as V1
JTAG: No

*Wired Only Edition Pictured

Info - Revision 3

Architecture: MIPS (little endian)
Vendor: Texas Instruments
Bootloader: ADAM2
System-On-Chip: TI AR7 TNETD7200ZDW
CPU Speed: 150Mhz
Flash-Chip: Macronix 29LV32
Flash size: 4 MiB
RAM: 16 MiB EtronTech EM63916
Wireless: TI TNETW1350A On-Board (802.11bg)
Ethernet: Marvell 88E6060
Serial: Yes - JP603 as V1
JTAG: Yes - JP102 as V1

Info - Revision 4

Architecture: MIPS (Big endian)
Vendor: Broadcom
Bootloader: CFE
System-On-Chip: Broadcom BCM6348
CPU Speed: 240 MHz
Flash-Chip: Spansion S29GL032A90TFIR4
Flash size: 4 MiB
RAM: 2x8MiB EtronTech EM638165TS-6G / SDR-166
Wireless: Broadcom BCM4318
Ethernet: Broadcom BCM5325

General Information

Serial - JP603

Serial console is J603. Settings are: 115200, 8, n, 1.

pin signal
1 GND
2 TX
3 VCC (3.3V)
4 RX

(Pin 1 is identified by a square printed box on the PCB.

JTAG - JP102

This JTAG port Follows the 14 pin EJTAG 2.5 specification, pin 1 is marked by a square printed box on the PCB (This is verified as working).

Orientation and distribution on the board:

2 4 6 8 10 12 14
1 3 5 7 9 11 13

JTAG signals and pins

nTRST 1 2 GND
TDI 3 4 GND
TDO 5 6 GND
TMS 7 8 GND
TCK 9 10 GND
nSRST 11 12 -key
DINT 13 14 VCC

See port.jtag for more JTAG details.

The onboard Flash Chip for V1 is a 4MB 29DL32BF-70PFTN when manipulating this chip from JTAG software such as TJTAG it may not be detected, in such cases masquerading as/forcing use of either the MBM29DL323BE or AM29LV320 chips will likely work (This has worked for the user Funkimunk, your mileage may vary).

Tags

Back to top

toh/netgear/dg834g.txt · Last modified: 2014/02/13 07:36 by hhm