Ressurecting a dead Netgear router

A friend recently gave me a 2 year old Netgear router that had failed. It has some pretty impressive specifications (dual-core 1.4GHz processor, 512 MB RAM, and a bunch of wireless connections), with reviews positively highlighting its capabilities. The same reviews were pretty harsh (3/5 stars) because upfront this was an incredibly expensive router (it was originally 620$), though now the price has dropped to 130$. It's disappointing that for a 620$ router, Netgear only offered a 1 year hardware warranty with 90 days of support. Based on reviews this router appears to have really poor longevity, and a lot of them seem to have failed in service after a short period of time. On Amazon 22% of the 1,844 reviews for this model are 1 star!

Some Amazon review highlights

This router has been the bane of my existence since I bought it.

K. Fujita (November 29, 2017)

This router worked great for about two hours and then the endless boot loop started

Julio O. (December 13, 2016)

I came home from work and it had fallen victim to the "continuous reboot loop" that a vast amount of others have encountered with this product.

Michael Geisen (February 9, 2018)

Getting started

I was curious whether I might be able to bring it back to life. My initial thought was that maybe the power supply was faulty, since it was constantly rebooting (the power indicator would turn amber, flash a bit, then go back to amber, then the unit would reboot. A quick check showed the power brick output was correct (19.5 volts!). After reading reviews and comments on the netgear forum, I realized that the issue was likely a firmware problem. Sounded like fun to see if I could get it going again.

A great resource was this forum page on "How to Set Up a Serial Console for NETGEAR R8000". In essence, Netgear routers have a computer running a linux operating system, and a boot loader called CFE (Common Firmware Environment). CFE is an open source bootloader for Broadcom devices. When the computer (a microcontroller) first starts, there is a software called CFE that starts up. This piece of software can perform diagnostics on the hardware, and allows the device to be programmed or started up. To interact with CFE, there is a serial communication port on the circuit board of the router. This means opening the case, and creating a cable to connect to the board.

Opening the case

On the bottom of the router, there are 6 screws. 2 are visible when you turn it over. The other 4 are under the small rubber feet in the four corners. Once the screws are removed, the bottom cover slides up a little bit toward the antennae and can then be removed.

Image showing the screw locations

The circuit board and antenna wires are then visible. All the antenna wires are labelled with the numbers of the corresponding surface-mount SMA connectors. The connectors each have a number stenciled onto the PCB, so it's easy to figure out where all the wires plug back in afterwards. The tape over the connectors and holding the wires in place needs to be removed. Then the board can be carefully lifted out of the housing, being careful to not damage the small circuit boards at the front of the box.

Image showing the bottom of the circuit board

The top side of the circuit board has a large heat-sink. On the R8500 the serial port is near the front-left of the board. The red arrow in the next image shows the 4 pin serial port connector. The R8500 board has 4 pins labeled R (receive), T (transmit), G (ground), and V (voltage). The R, T, and G pins need to be connected to the serial port on the computer.

Image showing the bottom of the circuit board

Making a serial connection

Next, I needed a physical serial port connection. I have used lots of USB-serial converters in the past. I happened to have a DLP-USB232M serial adapter handy. After about 15 years, this thing is still working great, and could be installed on a windows 7 machine without too much trouble. I hooked it up on a wireless breadboard using the USB 5V power to supply the serial connection.

Image showing the DLP-USB232M wiring

The connections here are based on the manual for the DLP-USB232M (http://www.dlpdesign.com/usb/dlp-usb232mv16.pdf).

Diagram of the DLP-USB232M wiring

R8500 USB-DLP232M Pin
R TXD (pin 24)
T RXD (pin 23)
G GND (pin 2)
V Not Connected

I used a ribbon connector to hook up the R, T, and G pins to the USB-DLP232M pins. Note that I only connected the first 3 pins on the R8500 serial connector.

Image showing the bottom of the circuit board

I found that the device enumerated on my computer as COM15, and I opened a serial port connection in Putty. The com port settings are 115200 kbps, 8 bits, N (no parity), 1 (stop bit).

Working with the CFE (cafe) boot loader

After setting up and connecting the serial port, I plugged the router circuit board back in and turned it on. As soon as it started to boot, I saw text on the serial connection. Hitting control-C during the boot sequence causes the CFE bootloader to open a prompt. Without doing this, it would start to load linux, then fail and reboot after about 30-60 seconds.

Here is what it looks like when it boots to CFE

Digital core power voltage set to 1.05V
Decompressing...done
Digital core power voltage set to 1.05V

SHMOO VER 1.13

PKID07DC06011801080000000000001A103F01000000

S300001FF
00001660


RDLYW0 00000004

RDENW0 00000042

RDQSW0

    0000000000111111111122222222223333333333444444444455555555556666
    0123456789012345678901234567890123456789012345678901234567890123
 00 -----+++++++++++++++++++++++++++X+++++++++++++++++++++++++++----
 01 --------------+++++++++++++++++++++++++X++++++++++++++++++++++++
 02 ------+++++++++++++++++++++++++++X++++++++++++++++++++++++++----
 03 ---------++++++++++++++++++++++++X++++++++++++++++++++++++------
 04 ---+++++++++++++++++++++++++X++++++++++++++++++++++++-----------
 05 ---------+++++++++++++++++++++++++++X++++++++++++++++++++++++++-
 06 --++++++++++++++++++++++++++X+++++++++++++++++++++++++----------
 07 ---------+++++++++++++++++++++++++++X+++++++++++++++++++++++++++
 08 ----++++++++++++++++++++++++++X+++++++++++++++++++++++++--------
 09 ---------------++++++++++++++++++++++++X++++++++++++++++++++++++
 10 -------+++++++++++++++++++++++++X+++++++++++++++++++++++++------
 11 ---------------++++++++++++++++++++++++X++++++++++++++++++++++++
 12 ------+++++++++++++++++++++++++X+++++++++++++++++++++++++-------
 13 --------------+++++++++++++++++++++++++X++++++++++++++++++++++++
 14 --------++++++++++++++++++++++++++++X+++++++++++++++++++++++++--
 15 --------------+-++++++++++++++++++++++++X+++++++++++++++++++++++


PW0

    0000000000111111111122222222223333333333444444444455555555556666
    0123456789012345678901234567890123456789012345678901234567890123
 00 ++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++----
 01 ------+++++++++++++++++++++++++++++X++++++++++++++++++++++++++++
 02 --+++++++++++++++++++++++++++++X++++++++++++++++++++++++++++----
 03 -++++++++++++++++++++++++++++X++++++++++++++++++++++++++++------
 04 ++++++++++++++++++++++++++X++++++++++++++++++++++++++-----------
 05 ---++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++
 06 +++++++++++++++++++++++++++X++++++++++++++++++++++++++----------
 07 ---++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++
 08 --++++++++++++++++++++++++++++X++++++++++++++++++++++++++++-----
 09 -------------+++++++++++++++++++++++++X+++++++++++++++++++++++++
 10 -----+++++++++++++++++++++++++++X+++++++++++++++++++++++++++----
 11 -------------+++++++++++++++++++++++++X+++++++++++++++++++++++++
 12 ---++++++++++++++++++++++++++++X++++++++++++++++++++++++++++----
 13 ------------++++++++++++++++++++++++++X+++++++++++++++++++++++++
 14 -----+++++++++++++++++++++++++++++X++++++++++++++++++++++++++++-
 15 -------------+++++++++++++++++++++++++X+++++++++++++++++++++++++


NW0

    0000000000111111111122222222223333333333444444444455555555556666
    0123456789012345678901234567890123456789012345678901234567890123
 00 ----++++++++++++++++++++++++++++X+++++++++++++++++++++++++++----
 01 -------------+++++++++++++++++++++++++X+++++++++++++++++++++++++
 02 ------+++++++++++++++++++++++++++X+++++++++++++++++++++++++++---
 03 --------++++++++++++++++++++++++++X++++++++++++++++++++++++++---
 04 ----+++++++++++++++++++++++++X+++++++++++++++++++++++++---------
 05 ---------+++++++++++++++++++++++++++X+++++++++++++++++++++++++++
 06 --+-+++++++++++++++++++++++++X+++++++++++++++++++++++++---------
 07 ---------+++++++++++++++++++++++++++X+++++++++++++++++++++++++++
 08 -----+++++++++++++++++++++++++X+++++++++++++++++++++++++--------
 09 ---------------++++++++++++++++++++++++X++++++++++++++++++++++++
 10 ------++++++++++++++++++++++++++X+++++++++++++++++++++++++------
 11 ---------------++++++++++++++++++++++++X++++++++++++++++++++++++
 12 ------+++++++++++++++++++++++++X+++++++++++++++++++++++++-------
 13 -------------+++++++++++++++++++++++++X+++++++++++++++++++++++++
 14 -------++++++++++++++++++++++++++++X++++++++++++++++++++++++++--
 15 ---------------++++++++++++++++++++++++X++++++++++++++++++++++++


WRDQW0

    0000000000111111111122222222223333333333444444444455555555556666
    0123456789012345678901234567890123456789012345678901234567890123
 00 +++++++++++++++++++++++++X++++++++++++++++++++++++---------++++-
 01 +++++++++++++++++++++++++++X+++++++++++++++++++++++++++---------
 02 +++++++++++++++++++++++++X+++++++++++++++++++++++++---------+++-
 03 +++++++++++++++++++++++++X+++++++++++++++++++++++++---------+++-
 04 +++++++++++++++++++++++X+++++++++++++++++++++++------------++++-
 05 +++++++++++++++++++++++++++X++++++++++++++++++++++++++------+++-
 06 +++++++++++++++++++++++X++++++++++++++++++++++---------------++-
 07 +++++++++++++++++++++++++++X+++++++++++++++++++++++++++------++-
 08 +++++++++++++++++++++++++X++++++++++++++++++++++++---------++++-
 09 ----+++++++++++++++++++++++++X++++++++++++++++++++++++----------
 10 ++++++++++++++++++++++++++X++++++++++++++++++++++++++--------++-
 11 ----+++++++++++++++++++++++++X+++++++++++++++++++++++++---------
 12 +++++++++++++++++++++++++X+++++++++++++++++++++++++--------++++-
 13 ---++++++++++++++++++++++++++X+++++++++++++++++++++++++---------
 14 +++++++++++++++++++++++++++X++++++++++++++++++++++++++----------
 15 -----+++++++++++++++++++++++++X++++++++++++++++++++++++---------


WRDMW0 00000025
WRDMW0 00000027


ADDR

    0000000000111111111122222222223333333333444444444455555555556666
    0123456789012345678901234567890123456789012345678901234567890123
 00 ++++++++++++++++++++++S++++++++X++++++++++++++++++++++++++++++++

Decompressing...done


CFE for Foxconn Router R7800/R8500 version: v1.0.5
Build Date: Tue Jun 30 20:39:15 CST 2015
Init Arena
Init Devs.
Boot up from NAND flash...
Bootcode Boot partition size = 524288(0x80000)
DDR Clock: 800 MHz
Info: DDR frequency set from clkfreq=1400,*800*
et2: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 7.14.121 (r552363)
CPU type 0x0: 1400MHz
Tot mem: 524288 KBytes

Device eth0:  hwaddr A0-04-60-6A-20-77, ipaddr 192.168.1.1, mask 255.255.255.0
        gateway not set, nameserver not set
Startup canceled
CFE>

Typing 'help' lists the valid commands in CFE.

CFE> help
Available commands:

checkflash          Check nand flash memory.
checkmem            Check memory.
checkBC             check the bootcode settings
show clocks         Show current values of the clocks.
nvram               NVRAM utility.
reboot              Reboot.
tftpd               Start TFTP server
flash               Update a flash memory device
memtest             Test memory.
f                   Fill contents of memory.
e                   Modify contents of memory.
d                   Dump memory.
u                   Disassemble instructions.
batch               Load a batch file into memory and execute it
go                  Verify and boot OS image.
boot                Load an executable file into memory and execute it
load                Load an executable file into memory without executing it
save                Save a region of memory to a remote file via TFTP
ping                Ping a remote IP host.
arp                 Display or modify the ARP Table
ifconfig            Configure the Ethernet interface
help                Obtain help for CFE commands

For more information about a command, enter 'help command-name'
*** command status = 0
CFE> help checkflash

  SUMMARY

     Check nand flash memory.

  USAGE

     checkflash

*** command status = 0

I did end up running the checkmem, checkflash, and memtest utilities, and they just kept running and running. I didn't see any errors, but I don't think that those tests actually ever end. I needed to power-cycle the router to get out of the tests and re-enter CFE.

Getting a working image onto the router

With the serial port connection open, it was obvious that my router was stuck in a boot loop because it was failing to load the operating system image.

Here is what it looks like when the system fails to boot

Digital core power voltage set to 1.05V
Decompressing...done
Digital core power voltage set to 1.05V

SHMOO VER 1.13

PKID07DC06011801080000000000001A103F01000000

S300001FB
00001630


RDLYW0 00000004

RDENW0 00000041

RDQSW0

    0000000000111111111122222222223333333333444444444455555555556666
    0123456789012345678901234567890123456789012345678901234567890123
 00 ----+++++++++++++++++++++++++++X+++++++++++++++++++++++++++-----
 01 -----------++++++++++++++++++++++++++X++++++++++++++++++++++++++
 02 -----+++++++++++++++++++++++++++X+++++++++++++++++++++++++++----
 03 -------+++++++++++++++++++++++++X+++++++++++++++++++++++++------
 04 ---+++++++++++++++++++++++++X++++++++++++++++++++++++-----------
 05 -------++++++++++++++++++++++++++++X++++++++++++++++++++++++++++
 06 --++++++++++++++++++++++++++X+++++++++++++++++++++++++----------
 07 ---------+++++++++++++++++++++++++++X+++++++++++++++++++++++++++
 08 ----++++++++++++++++++++++++++X+++++++++++++++++++++++++--------
 09 --------------+++++++++++++++++++++++++X++++++++++++++++++++++++
 10 -----++++++++++++++++++++++++++X++++++++++++++++++++++++++------
 11 --------------+++++++++++++++++++++++++X++++++++++++++++++++++++
 12 ----++++++++++++++++++++++++++X+++++++++++++++++++++++++--------
 13 ------------++++++++++++++++++++++++++X+++++++++++++++++++++++++
 14 ------+++++++++++++++++++++++++++++X++++++++++++++++++++++++++--
 15 --------------+++++++++++++++++++++++++X++++++++++++++++++++++++


PW0

    0000000000111111111122222222223333333333444444444455555555556666
    0123456789012345678901234567890123456789012345678901234567890123
 00 +++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++-----
 01 -------++++++++++++++++++++++++++++X++++++++++++++++++++++++++++
 02 -+++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++----
 03 --++++++++++++++++++++++++++++X+++++++++++++++++++++++++++------
 04 ++++++++++++++++++++++++++X++++++++++++++++++++++++++-----------
 05 ---++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++-
 06 +++++++++++++++++++++++++++X++++++++++++++++++++++++++----------
 07 ----++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++
 08 --++++++++++++++++++++++++++++X++++++++++++++++++++++++++++-----
 09 -------------+++++++++++++++++++++++++X+++++++++++++++++++++++++
 10 -----+++++++++++++++++++++++++++X++++++++++++++++++++++++++-----
 11 -------------+++++++++++++++++++++++++X+++++++++++++++++++++++++
 12 ---++++++++++++++++++++++++++++X++++++++++++++++++++++++++++----
 13 ------------++++++++++++++++++++++++++X+++++++++++++++++++++++++
 14 -----+++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++
 15 -------------+++++++++++++++++++++++++X+++++++++++++++++++++++++


NW0

    0000000000111111111122222222223333333333444444444455555555556666
    0123456789012345678901234567890123456789012345678901234567890123
 00 ----++++++++++++++++++++++++++++X+++++++++++++++++++++++++++----
 01 -------------+++++++++++++++++++++++++X+++++++++++++++++++++++++
 02 -----++++++++++++++++++++++++++++X+++++++++++++++++++++++++++---
 03 ------+++++++++++++++++++++++++++X+++++++++++++++++++++++++++---
 04 --++++++++++++++++++++++++++X++++++++++++++++++++++++++---------
 05 -------++++++++++++++++++++++++++++X++++++++++++++++++++++++++++
 06 --++++++++++++++++++++++++++X++++++++++++++++++++++++++---------
 07 --------++++++++++++++++++++++++++++X+++++++++++++++++++++++++++
 08 ----++++++++++++++++++++++++++X++++++++++++++++++++++++++-------
 09 --------------+++++++++++++++++++++++++X++++++++++++++++++++++++
 10 ------++++++++++++++++++++++++++X+++++++++++++++++++++++++------
 11 --------------+++++++++++++++++++++++++X++++++++++++++++++++++++
 12 ----++++++++++++++++++++++++++X+++++++++++++++++++++++++--------
 13 -------------+++++++++++++++++++++++++X+++++++++++++++++++++++++
 14 ------+++++++++++++++++++++++++++++X++++++++++++++++++++++++++--
 15 --------------+++++++++++++++++++++++++X++++++++++++++++++++++++


WRDQW0

    0000000000111111111122222222223333333333444444444455555555556666
    0123456789012345678901234567890123456789012345678901234567890123
 00 +++++++++++++++++++++++++X+++++++++++++++++++++++++--------++++-
 01 +++++++++++++++++++++++++++X+++++++++++++++++++++++++++---------
 02 +++++++++++++++++++++++++X+++++++++++++++++++++++++---------+++-
 03 ++++++++++++++++++++++++++X++++++++++++++++++++++++++--------++-
 04 +++++++++++++++++++++++X+++++++++++++++++++++++------------++++-
 05 +++++++++++++++++++++++++++X++++++++++++++++++++++++++------+++-
 06 +++++++++++++++++++++++X++++++++++++++++++++++--------------+++-
 07 +++++++++++++++++++++++++++X+++++++++++++++++++++++++++------++-
 08 +++++++++++++++++++++++++X++++++++++++++++++++++++---------++++-
 09 ----+++++++++++++++++++++++++X++++++++++++++++++++++++----------
 10 ++++++++++++++++++++++++++X++++++++++++++++++++++++++---------+-
 11 ----+++++++++++++++++++++++++X+++++++++++++++++++++++++---------
 12 +++++++++++++++++++++++++X+++++++++++++++++++++++++--------++++-
 13 ---++++++++++++++++++++++++++X+++++++++++++++++++++++++---------
 14 ++++++++++++++++++++++++++X++++++++++++++++++++++++++-----------
 15 -----+++++++++++++++++++++++++X++++++++++++++++++++++++---------


WRDMW0 00000025
WRDMW0 00000027


ADDR

    0000000000111111111122222222223333333333444444444455555555556666
    0123456789012345678901234567890123456789012345678901234567890123
 00 ++++++++++++++++++++++S++++++++X++++++++++++++++++++++++++++++++

Decompressing...done


CFE for Foxconn Router R7800/R8500 version: v1.0.5
Build Date: Tue Jun 30 20:39:15 CST 2015
Init Arena
Init Devs.
Boot up from NAND flash...
Bootcode Boot partition size = 524288(0x80000)
DDR Clock: 800 MHz
Info: DDR frequency set from clkfreq=1400,*800*
et2: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 7.14.121 (r552363)
CPU type 0x0: 1400MHz
Tot mem: 524288 KBytes

Device eth0:  hwaddr XX-XX-XX-XX-XX-XX, ipaddr 192.168.1.1, mask 255.255.255.0 *(MAC blanked)*
        gateway not set, nameserver not set
Checking crc...Loader:raw Filesys:raw Dev:nflash0.os File: Options:(null)
Loading: ..... 5470272 bytes read
Entry at 0x00008000
Closing network.
Starting program at 0x00008000
[    2.130000] console [ttyS0] enabled, bootconsole disabled
[    2.140000] serial8250.0: ttyS1 at MMIO 0x18000400 (irq = 117) is a 16550
[    2.150000] brd: module loaded
[    2.160000] loop: module loaded
[    2.160000] pflash: found no supported devices
[    2.160000] bcmsflash: found no supported devices
[    2.740000] Boot partition size = 524288(0x80000)
[    2.750000] lookup_nflash_rootfs_offset: offset = 0x200000
[    2.750000] nflash: squash filesystem with lzma found at block 32
[    2.760000] Creating 17 MTD partitions on "nflash":
[    2.770000] 0x000000000000-0x000000080000 : "boot"
[    2.770000] 0x000000080000-0x000000200000 : "nvram"
[    2.790000] 0x000000200000-0x000006f00000 : "linux"
[    3.280000] 0x00000041ab5c-0x000006f00000 : "rootfs"
[    3.290000] 0x000007400000-0x000007480000 : "board_data"
[    3.290000] 0x000007480000-0x000007580000 : "POT1"
[    3.300000] 0x000007580000-0x000007680000 : "POT2"
[    3.310000] 0x000007680000-0x000007940000 : "T_Meter1"
[    3.330000] 0x000007940000-0x000007c00000 : "T_Meter2"
[    3.350000] 0x000007c00000-0x000007c80000 : "ML1"
[    3.360000] 0x000007c80000-0x000007d00000 : "ML2"
[    3.370000] 0x000007d00000-0x000007d80000 : "ML3"
[    3.370000] 0x000007d80000-0x000007e00000 : "ML4"
[    3.380000] 0x000007e00000-0x000007e80000 : "ML5"
[    3.390000] 0x000007e80000-0x000007f00000 : "ML6"
[    3.400000] 0x000007f00000-0x000007f80000 : "ML7"
[    3.400000] 0x000007f80000-0x000008000000 : "DebugMsg"
[    3.410000] PPP generic driver version 2.4.2
[    3.420000] PPP MPPE Compression module registered
[    3.420000] NET: Registered protocol family 24
[    3.430000] PPPoL2TP kernel driver, V0.17
[    3.430000] tun: Universal TUN/TAP device driver, 1.6
[    3.440000] tun: (C) 1999-2004 Max Krasnyansky 
[    3.440000] csw_retry 100
[    3.450000] Initializing USB Mass Storage driver...
[    3.450000] usbcore: registered new interface driver usb-storage
[    3.460000] USB Mass Storage support registered.
[    3.460000] usbcore: registered new interface driver usbserial
[    3.470000] USB Serial support registered for generic
[    3.470000] usbcore: registered new interface driver usbserial_generic
[    3.480000] usbserial: USB Serial Driver core
[    3.480000] USB Serial support registered for GSM modem (1-port)
[    3.490000] usbcore: registered new interface driver option
[    3.490000] option: v0.7.2:USB Driver for GSM modems
[    3.500000] USB Serial support registered for Sierra USB modem
[    3.510000] usbcore: registered new interface driver sierra
[    3.510000] sierra: v.1.7.16:USB Driver for Sierra Wireless USB modems
[    3.520000] u32 classifier
[    3.520000]     Actions configured
[    3.520000] nf_conntrack version 0.5.0 (8030 buckets, 32120 max)
[    3.530000] IPv4 over IPv4 tunneling driver
[    3.540000] GRE over IPv4 tunneling driver
[    3.540000] ip_tables: (C) 2000-2006 Netfilter Core Team
[    3.540000] TCP cubic registered
[    3.550000] NET: Registered protocol family 10
[    3.550000] lo: Disabled Privacy Extensions
[    3.560000] tunl0: Disabled Privacy Extensions
[    3.560000] IPv6 over IPv4 tunneling driver
[    3.570000] sit0: Disabled Privacy Extensions
[    3.570000] ip6tnl0: Disabled Privacy Extensions
[    3.580000] NET: Registered protocol family 17
[    3.580000] 802.1Q VLAN Support v1.8 Ben Greear 
[    3.590000] All bugs added by David S. Miller 
[    3.620000] Northstar brcmnand NAND Flash Controller driver, Version 0.1 (c)                                                                              Broadcom Inc. 2012
[    3.630000] NAND device: Manufacturer ID: 0x01, Chip ID: 0xf1 (AMD NAND 128Mi                                                                             B 3,3V 8-bit)
[    3.640000] Spare area=64 eccbytes 56, ecc bytes located at:
[    3.640000]  2 3 4 5 6 7 8 9 10 11 12 13 14 15 18 19 20 21 22 23 24 25 26 27                                                                              28 29 30 31 34 35 36 37 38 39 40 41 42 43 44 45 46 47 50 51 52 53 54 55 56 57 58                                                                              59 60 61 62 63
[    3.660000] Available 7 bytes at (off,len):
[    3.660000] (1,1) (16,2) (32,2) (48,2) (0,0) (0,0) (0,0) (0,0)
[    3.670000] Scanning device for bad blocks
[    4.250000] Options: NO_AUTOINCR,NO_READRDY,BBT_SCAN2NDPAGE,
[    4.250000] Creating 2 MTD partitions on "brcmnand":
[    4.260000] 0x000003400000-0x000006f00000 : "brcmnand"
[    4.260000] 0x000006f00000-0x000007400000 : "OpenVPN"
[    4.280000] SQUASHFS error: Xattrs in filesystem, these will be ignored
[    4.290000] VFS: Mounted root (squashfs filesystem) readonly on device 31:3.
[    4.300000] devtmpfs: mounted
[    4.300000] Freeing init memory: 292K
[sighandler]: No more events to be processed, quitting.
[cleanup]: Waiting for children.
[cleanup]: All children terminated.
Reading board data...
hwtype=R8500<,hwrev=MP1
WSC UUID: 0x0c9xxxxxxxxxxxxxxxxxxxxxxxxxxxx *(uuid blanked)*
wps_uuid=0x0c9xxxxxxxxxxxxxxxxxxxxxxxxxxxx *(uuid blanked)*
read_board_data(682) region_num=11 2 (PA)
NTP synchronized date/time: Sun Nov 26 19:27:08 2017
MAC address of 1st STA connected: XX-XX-XX-XX-XX-XX *(MACblanked)*
Internet Time date/time: Tue Jun 11 02:42:46 1935
### main:1691 Set Normal Power!
[    8.990000] Initialise conn table 2048 entries
[    9.090000] bcm_robo_config_vlan 2475 is_erobo=0 vid=1 untag|member=0x17DBE ports=1 2 3 4 5 7 8*<
[    9.100000] bcm_robo_config_vlan 2475 is_erobo=0 vid=2 untag|member=0x20301 ports=0 8u<
[    9.130000] bcm_robo_config_vlan 2475 is_erobo=0 vid=1 untag|member=0x17DBE ports=1 2 3 4 5 7 8*<
[    9.140000] bcm_robo_config_vlan 2475 is_erobo=0 vid=2 untag|member=0x20301 ports=0 8u<
[    9.180000] bcm_robo_config_vlan 2475 is_erobo=1 vid=1 untag|member=0x7E3F ports=0 1 2 3 4 5u<
[   10.480000] bcm_robo_config_vlan 2475 is_erobo=1 vid=1 untag|member=0x7E3F ports=0 1 2 3 4 5u<
insmod: dpsta.ko: no module by that name found
^Ainsmod: usbcore.ko: no module by that name found
insmod: cannot insert '/lib/modules/2.6.36.4brcmarm+/kernel/drivers/usb/host/ehci-hcd.ko': Unknown symbol in module (-1): No such file or directory
insmod: wl_high.ko: no module by that name found
eth3: cmd=14: No such device
wl1 not up in 3 sec
Creating device nodes...
Insert IDP engine...
Running rule agent to setup signature file /tmp/trend/rule.trf...
[main(247)]: kaStartup() passed
[main(258)]: GetPolicy() passed (ret=600209)
[main(265)]: Loading policy succeeded
[main(270)]: Signature version: major = 1, minor = 170
[main(288)]: Enable IPS!
[main(293)]: IPS enable = 1
[main(299)]: IPS-0.0.11
[main(320)]: kaShutDown()
Insert UDB ...
Insert forward module /tmp/trend/tdts_udbfw.ko with param - dev_wan=eth0...
Unload fw_mod...
Unload udb_mod...
Unload idp_mod...
Remove device nodes...
[   51.300000] Sorry, registering the character device  failed with 0
Hit enter to continue...[   52.400000] bcm_robo_config_vlan 2475 is_erobo=0 vid=1 untag|member=0x17DBE ports=1 2 3 4 5 7 8*<
[   52.410000] bcm_robo_config_vlan 2475 is_erobo=0 vid=2 untag|member=0x20301 ports=0 8u<
[   52.440000] bcm_robo_config_vlan 2475 is_erobo=0 vid=1 untag|member=0x17DBE ports=1 2 3 4 5 7 8*<
[   52.450000] bcm_robo_config_vlan 2475 is_erobo=0 vid=2 untag|member=0x20301 ports=0 8u<
WARNING: console log level set to 1
killall: upnp: no process killed
upnp: No such file or directory

### wps_wfi_init(): WFI is not enabled ###
Setup RRB socket, interface name=br0
enter11 acs_default_policy index=0
leave acs_default_policy
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acs_start down for interface eth1
enter acs_candidate_score_intfadj
leave acs_candidate_score_intfadj
enter acs_candidate_score_intfadj
leave acs_candidate_score_intfadj
enter acs_candidate_score_intfadj
leave acs_candidate_score_intfadj
enter acs_candidate_score_intfadj
leave acs_candidate_score_intfadj
result: 1
acsd: selected channel spec: 0xd92e
acsd: Adjusted channel spec: 0xd92e
acsd: selected DFS-exit channel spec: 0xd92e
ACSD acs_select_chspec 4014 force edcrs == 0
enter acs_candidate_score_intfadj
leave acs_candidate_score_intfadj
enter acs_candidate_score_intfadj
leave acs_candidate_score_intfadj
enter acs_candidate_score_intfadj
leave acs_candidate_score_intfadj
enter acs_candidate_score_intfadj
leave acs_candidate_score_intfadj
result: 1
acsd: selected channel spec: 0xd92e
acsd: Adjusted channel spec: 0xd92e
acsd: selected channel spec: 0xd92e
ACSD acs_select_chspec 4014 force edcrs == 0
ACSD acsd_main_loop 429 force edcrs == 0
wl: wl driver adapter not found
wl: wl driver adapter not found
ACSD start_wl 1432 force edcrs == 0
wl: wl driver adapter not found
wl: wl driver adapter not found
wl: wl driver adapter not found

--------------------isDhdReady()------------------------
eth1: Cannot assign requested address
isDhdReady 5046 found eth1 ret=0x63
eth2: Cannot assign requested address
isDhdReady 5046 found eth2 ret=0x63
eth3: No such device
isDhdReady 5042 could not found eth3 ret=0x13

-------------------isDhdReady flag=1-----------------------------
DHD didn't bring up all the interfaces!
reboot: rmmod dhd failed: No such file or directory
Terminated
eth2: WLC_SET_VAR(dngl_wd): Operation not supported
shutdown_system:216:(eth2): setting iovar "dngl_wd" to 0x1 failed, err = -1
Sending SIGTERM to all processes
Sending SIGKILL to all processes
[   64.510000] Restarting system.
Digital core power voltage set to 1.05V

It looks like it fails to load the correct drivers and then restarts when the WLC_SET_VAR command is attempted. A bunch of modules failed to load, so maybe they're not included in the image, or they are corrupted... Either way, the firmware boot image needs to be replaced.This is done by loading a new image from either Netgear or a third party.

To load an image, we transfer a binary file to the router using TFTP over an ethernet connection. Netgear has a good help page that describes how to upload the firware via TFTP. So in addition to the serial port that's already connected, an ethernet cable need to be connected between the computer ethernet port and the router ports (the ports numbered 3-6 work for this). The computer ethernet port needs to be set as IP address => 192.168.1.1, with Subnet mask => 255.255.255.0, and the Default Gateway => 192.168.1.1.

Next, you need to download the correct firmware. I tried several Netgear images (R8500-V1.0.2.128_1.0.97, R8500-V1.0.2.26_1.0.41, and R8500-V1.0.0.28_1.0.15), but only the old image (1.0.0.28) would correctly boot the device. Download the zip file with the image, and unzip the binary .CHK file to a convenient directory (like C:\temp), and rename it to something simple (like "R8500.chk"). Using a TFTP client, you will need to transfer this file to the router.

I was using windows 7, so I needed to enable the TFTP client first. I followed the simple instructions at the following link to enable TFTP in windows 7. In essence, I needed to go into windows settings and enable the TFTP Client.

Next, I opened a command line prompt (by entering 'cmd' in the windows start menu search box), changed to the temporary directory with the R8500.chk file (by entering 'cd c:\temp\'), and needed to get ready to upload the firmware. The command is "tftp -i 192.168.1.1 put R8500.chk", but the router needs to be prepared to receive the file before the firmware can be sent.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Me>cd c:\temp
C:\temp> tftp -i 192.168.1.1 put R8500.chk

To prepare the router, I rebooted to the serial port CFE prompt (restart it, then hit control-C during the boot sequence until it shows "CFE>"). Here I first erased the NVRAM (type "nvram erase" and enter at the CFE prompt), and then typed "tftpd" at the prompt and hit enter (this makes the router wait for the firmware file to be transferred via TFTP over ethernet to the address 192.168.1.1). Finally, I started the firmware upload from the command line dos prompt by hitting enter to start the command "tftp -i 192.168.1.1 put R8500.chk". Here is what it all looks like:

On the serial port at the CFE prompt:

CFE> nvram erase
*** command status = 0
CFE> tftpd
Start TFTP server
Reading :: Done. 28123194 bytes read
Programming...done. 28123194 bytes written
Skip writing CHK checksum for nflash.
Digital core power voltage set to 1.05V
Decompressing...done

CFE for Foxconn Router R7800/R8500 version: v1.0.5

On the DOS command line prompt:

c:\temp\netgear> tftp -i 192.168.1.1 put R8500.chk
Transfer successful: 28123194 bytes in 97 second(s), 289929 bytes/s

In the CFE prompt, the tftpd program returns once the image has been transferred, and it indicates that teh device is programmed. The router will restart automatically, showing the "Digital core power voltage set to 1.05V" message followed by the rest of the boot sequence. After the new firmware is loaded, then I performed a hard reset (also called a 30/30/30 reset).

A hard reset can be done by following these steps: "With the router powered on, hold the reset button in for 30 seconds. Continue to hold the reset button in and unplug the router, holding it in for another 30 seconds. Plug the router back in, with the reset button still held, and continue to hold it in for another 30 seconds."

Finally let the router try to boot about 3 times in a row. After that, my router booted correctly. I was able to log in by going to http://www.routerlogin.net/ and using the login information printed on the label for my router.

Upgrading to another firmware (like DD-WRT)

Since the issue seems to be the more recent Netgear firmware, I decided to install a third party firmware. This has some downsides (some advanced features are missing and not all of the wireless connections are configured), but it shouldn't crash, which is more important to me. First I needed to check the hardware version of my device to see if it was compatible. The hardware version of the R8500 can be found via the serial port boot sequence after CFE tries to load linux (it's ok if the device isn't actually starting properly, just look in the serial port text). Look for the following text:

Reading board data...
hwtype=R8500<,hwrev=MP1

I have a hardware type R8500 (the Nighthawk AC5300), with hardware revision MP1, which from searching through the DD-WRT forums is a Chinese build, and works with DD-WRT. So I downloaded the most recent firmware from DD-WRT by searching for "R8500" and selecting the revision 1 (that's the only one that is supported).

You can either use the Netgear web interface to update to the DD-WRT firmware using the "netgear-r8500-webflash.bin" file, or use the CFE tftpd upload (same process as above with the serial port and ethernet connection) approach to upload the "factory-to-dd-wrt.chk" file. Keep in mind that it's important to use the "nvram erase" command in CFE, or the firmware might not be writeable.

Finally, here is DD-WRT running on the previously dead AC5300 Netgear R8500.

DD-WRT running on the previously dead AC5300 Netgear R8500

I'm not sure why this router is so prone to crashing, but I suspect that the system doesn't handle power outages very well, maybe the Netgear firmware tries to store settings often, and if this happens during a power cycle event the system will fail. Hopefully the DD-WRT firmware is better, I haven't seen reports of it failing. I'll update this text if it does prove to be unstable (Jan 7, 2019).