OpenWrt Forum Archive

Topic: Flash Netgear WNDR3800SW with generic firmware?

The content of this topic has been archived on 25 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Sure West gave me a Netgear WNDR3800SW router with my cable service. It is running a custom version of the firmware that limits the configuration and has a different admin password. They won't tell me what the admin password is because they've had confused customers change random settings in the past. They said that if I want to customize settings, I need to get my own router. I already have a router and just want to use the Netgear as an access point.

It was running v1.0.0.8SW. I tried to flash the standard WNDR3800-V1.0.0.40.img firmware, but that was rejected by a firmware check. I then flashed WNDR3800SW-V1.0.0.99SW.img that I found on Netgear's FTP server. That worked fine, so I replaced the header in WNDR3800-V1.0.0.40.img with the one from WNDR3800SW-V1.0.0.99SW.img using a hex editor. Flashing this gave a different error and I'm guessing it's now failing a CRC check or something due to the modified header.

I've also tried flashing these firmwares via the TFTP recovery mode. Only the Sure West firmware actually takes, so it still seems to be doing some version number checking.

Can anyone point me to some documentation of the update file format or provide any tips on how to free this router?

I used the telnetEnable utility to get telnet access and then retrieved the plaintext username and password using the config command. I'm not going to post them here because I don't want Sure West to get too mad. The steps are pretty straightforward for anyone else in the same situation.

config get http_username
config get http_passwd

I'm still interested in flashing some other firmware though. I used binwalk from the firmware-mod-kit to identify the header as the first 192 bytes. It starts with a plain text description of the firmware padded out to 128 bytes, followed by 32 bytes of something, followed by another plain text version number padded out to 32 bytes.

WNDR3800-V1.0.0.40 header:

64 65 76 69 63 65 3A 57 4E 44 52 33 38 30 30 0A 76 65 72 73 69 6F 6E 3A 56 31 2E 30
2E 30 2E 34 30 0A 72 65 67 69 6F 6E 3A 0A 68 64 5F 69 64 3A 32 39 37 36 33 36 35 34
2B 31 36 2B 31 32 38 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 37 30 31 9D E6 3C DA 4F EA C1 75
00 AA 00 00 BF 07 00 00 BF 07 00 00 D1 ED 08 13 05 05 07 00 57 4E 44 52 33 38 30 30
2D 56 31 2E 30 2E 30 2E 34 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00

device:WNDR3800
version:V1.0.0.40
region:
hd_id:29763654+16+128
\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00
\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00
\00\00\00\00\00\00\00\00\33\37\30\31\9D\E6\3C\DA\4F\EA\C1\75\00\AA\00\00\BF\07\00\00
\BF\07\00\00\D1\ED\08\13\05\05\07\00WNDR3800-V1.0.0.40\00\00\00\00\00\00\00\00\00\00
\00\00\00\00

WNDR3800SW-V1.0.0.99SW header:

64 65 76 69 63 65 3A 57 4E 44 52 33 38 30 30 53 57 0A 76 65 72 73 69 6F 6E 3A 56 31
2E 30 2E 30 2E 39 39 53 57 0A 72 65 67 69 6F 6E 3A 0A 68 64 5F 69 64 3A 32 39 37 36
33 36 35 34 2B 31 36 2B 31 32 38 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 37 30 31 CE 01 6F CA 4F A2 34 0D
00 98 00 00 BF 07 00 00 BF 07 00 00 55 39 C7 EB 05 05 07 00 57 4E 44 52 33 38 30 30
53 57 2D 56 31 2E 30 2E 30 2E 39 39 53 57 00 00 00 00 00 00 00 00 00 00

device:WNDR3800SW
version:V1.0.0.99SW
region:
hd_id:29763654+16+128
\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00
\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00
\00\00\00\00\33\37\30\31\CE\01\6F\CA\4F\A2\34\0D\00\98\00\00\BF\07\00\00\BF\07\00\00
\55\39\C7\EB\05\05\07\00WNDR3800SW-V1.0.0.99SW\00\00\00\00\00\00\00\00\00\00

Breaking down the WNDR3800-V1.0.0.40 header further:

33 37 30 31    Same in every firmware
9D E6 3C DA    Vary between firmwares
4F EA C1 75    The last three bytes vary between firmwares; the 4F doesn't change
00 AA 00 00    This is the size of the rootfs: 11,141,120 bytes
BF 07 00 00    Same in every firmware
BF 07 00 00    Same in every firmware
D1 ED 08 13    Vary between firmware
05 05 07 00    Same in every firmware

I've tried CRCing different chunks of the image, but nothing matches. There's also a single byte right at the end of the image, after the padding, that varies. Maybe it's some kind of 8-bit checksum (?). Does anyone else know anything about the Netgear firmware format? When I log in with telnet it says OpenWRT in ASCII art, so it must be fairly similar.

So the 1.0.0.8SW firmware source package is actually on Netgear's FTP server. I set up a VM with FC6 as the readme suggests and built the 1.0.0.8SW firmware image myself. I'd be happy to upload it somewhere if anyone knows of a free hosting service for stuff like this.

The end of the build process shows exactly what's going on with the header and checksum:

staging_dir_mips/bin/mkimage -A mips -O linux -T filesystem -C none -a 0xbf070000 -e 0xbf070000 -name "WNDR3800SW-V1.0.0.8SW"  -d bin/openwrt-wndr3700u-2.6-root.squashfs bin/WNDR3800SW-V1.0.0.8SW"".image
Image Name:   WNDR3800SW-V1.0.0.8SW
Created:      Thu Sep 13 19:58:51 2012
Image Type:   MIPS Linux Filesystem Image (uncompressed)
Data Size:    9175040 Bytes = 8960.00 kB = 8.75 MB
Load Address: 0xBF070000
Entry Point:  0xBF070000

dd bs=128 if=/dev/zero count=1 of=bin/head.pad
1+0 records in
1+0 records out
128 bytes (128 B) copied, 2.3336e-05 seconds, 5.5 MB/s

echo "device:WNDR3800SW" > bin/head_info.pad
echo "version:V1.0.0.8SW" >> bin/head_info.pad
echo "region:""" >> bin/head_info.pad
echo "hd_id:29763654+16+128" >> bin/head_info.pad

cat bin/head_info.pad bin/head.pad | head -c 128 > bin/info.pad

rm -rf bin/head_info.pad bin/head.pad

cat bin/info.pad bin/WNDR3800SW-V1.0.0.8SW"".image > bin/WNDR3800SW-no-crc.img

staging_dir_mips/../tools/appendsum bin/WNDR3800SW-no-crc.img bin/WNDR3800SW-V1.0.0.8SW"".img
append checksum  =>  file : bin/WNDR3800SW-no-crc.img,  len : 0x8C00C0, checksum : 0x80

With that info, cross flashing becomes very easy:

1. Grab the firmware image you want to flash to.
2. Replace the 128 byte header with one from the existing firmware using a hex editor.
3. Delete the last byte of the modified firmware.
4. Use the appendsum script below (from the firmware source package) to append a new checksum byte: appendsum <firmware-mod-no-crc.img> <firmware-mod.img>

#!/usr/bin/perl -w

use strict;

# Usage: appendsum <input-without-checksum.img> <output.img>
my $TempCompFileName = shift(@ARGV);
my $OutFileName  = shift(@ARGV);

my ($start_addr, $appd_cks, $appd_len) = (0);

# Sum every byte of the file modulo 0x100; the checksum byte is 0xFF minus that sum.
sub appendCks
{
    my ($fileName) = @_;
    my ($cks, $len) = (0, 0);

    open APPENDCKS_FH, "+<$fileName"  or die "fail to open file $fileName : $!";
    binmode APPENDCKS_FH;    # the image is binary: no newline translation
    until ( eof APPENDCKS_FH ) {
        $cks = ( $cks + ord( getc( APPENDCKS_FH )) ) % 0x100 ;
        $len++ ;
    }

    $cks = 0xFF - $cks;
    close APPENDCKS_FH;

    printf ("append checksum  =>  file : %s,  len : 0x%X, checksum : 0x%X \n", $fileName, $len, $cks);
    $appd_cks =$cks;
    $appd_len =$len;
}


appendCks($TempCompFileName);

# Copy the input file to the output file, then append the one-byte checksum
open INS_FH, "$TempCompFileName"  or die "fail to open file $TempCompFileName : $!";
binmode INS_FH;
open OUT_FH, ">$OutFileName"      or die "fail to Append file $OutFileName: $!";
binmode OUT_FH;
while (<INS_FH>)
{
   print OUT_FH $_;
}
print OUT_FH chr($appd_cks);
close INS_FH;
close OUT_FH;
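
Added example (not part of the original thread or of Netgear's source package): a Python reading of the header and checksum described in the posts above. It assumes that the 64 bytes after the 128-byte info block are a standard U-Boot legacy image header with the "3701" magic, as the mkimage call in the build log suggests; the function names and the constructed image are illustrative. Every check here is unkeyed, so these fields detect corruption but say nothing about who produced the image.

```python
import struct
import zlib

INFO_LEN, UHDR_LEN = 128, 64               # text info block + image header = 192 bytes
UHDR = struct.Struct(">4sIIIIIIBBBB32s")   # big-endian U-Boot legacy header (assumed)

# Bytes 128..191 of WNDR3800-V1.0.0.40.img, copied from the hex dump in the post.
POSTED_UHDR = bytes.fromhex(
    "33373031 9DE63CDA 4FEAC175 00AA0000 BF070000 BF070000 D1ED0813 05050700"
) + b"WNDR3800-V1.0.0.40".ljust(32, b"\0")

def parse_uhdr(raw: bytes) -> dict:
    """Name the fields of the 64-byte header that the post breaks down by hand."""
    # Under the assumed layout: hcrc/dcrc are CRC32 values, time is a build timestamp.
    keys = ("magic", "hcrc", "time", "size", "load", "entry", "dcrc",
            "os", "arch", "type", "comp", "name")
    hdr = dict(zip(keys, UHDR.unpack(raw)))
    hdr["name"] = hdr["name"].rstrip(b"\0").decode("ascii")
    return hdr

def parse_info(raw: bytes) -> dict:
    """Split the NUL-padded 'key:value' lines of the 128-byte info block."""
    text = raw.rstrip(b"\0").decode("ascii")
    return dict(line.split(":", 1) for line in text.splitlines())

def trailer_byte(body: bytes) -> int:
    """Same arithmetic as appendsum: 0xFF minus the byte sum modulo 0x100."""
    return 0xFF - (sum(body) % 0x100)

def build_image(info: bytes, name: bytes, payload: bytes) -> bytes:
    """Assemble a constructed test image: info block, header, payload, checksum."""
    fields = [b"3701", 0, 0, len(payload), 0xBF070000, 0xBF070000,
              zlib.crc32(payload), 5, 5, 7, 0, name]
    fields[1] = zlib.crc32(UHDR.pack(*fields))   # header CRC taken with hcrc = 0
    body = info.ljust(INFO_LEN, b"\0") + UHDR.pack(*fields) + payload
    return body + bytes([trailer_byte(body)])

def verify_image(img: bytes) -> dict:
    """Run the three integrity checks; none involves a secret or a signature."""
    raw = img[INFO_LEN:INFO_LEN + UHDR_LEN]
    hdr = parse_uhdr(raw)
    payload = img[INFO_LEN + UHDR_LEN:-1]
    zeroed = raw[:4] + b"\0" * 4 + raw[8:]
    return {"device": parse_info(img[:INFO_LEN]).get("device"),
            "hcrc_ok": zlib.crc32(zeroed) == hdr["hcrc"],
            "dcrc_ok": len(payload) == hdr["size"] and zlib.crc32(payload) == hdr["dcrc"],
            "sum_ok": trailer_byte(img[:-1]) == img[-1]}
```
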

Following a couple of requests, I thought it would be easiest to just provide the built/modified firmware images.

So here's the 1.0.0.8SW image I built:
http://www20.zippyshare.com/v/5687179/file.html
MD5: 4ed644cd0c10ab63561151016aaa4576
SHA1: bd4da6756ea88140782fdb0d9e9fb375c48c6b2d

and here's the modded 1.0.0.40 image to cross-flash from the SW firmware:
http://www7.zippyshare.com/v/58271461/file.html
MD5: 17de1bf0311a116f7e538885684a24e8
SHA1: e8ed3c3469d1b7844c95eba17fd89154d6dee27e

Hopefully the links stay alive for a while. PM me if they die and I'll upload the images again.

(Last edited by Vynce on 20 Nov 2013, 06:07)

This was extremely helpful, thanks. I couldn't get telnetEnable to work but the firmware did. You're a champion!

Your downloads and editing instructions worked perfectly, thanks Vynce!  I was able to modify a CeroWRT image and flash it to my WNDR3800SW with no problems at all.

This is an old topic, but I was wondering how to do this in noob instructions lol. I really want to do some port forwarding the router will not let me stream ...

I need the firmware from wndr3800 1.0.0.48 to wndrmacv2. I changed the header, but the second step I don't know. Please help me.

I just created a WNDRMACv2 image from wndr3800 1.0.0.48 and it flashed and is working well.

Here it is: http://www46.zippyshare.com/v/zG7ko4cn/file.html

file: WNDRMACv2-V1.0.0.48.img
MD5: c91a3bc2ecc3402b875d1846eb8d6af6
SHA1: 9e68ce258c50fbbc1d3d7afc96d17877dd426fc4

(Last edited by LambeauXLIV on 6 May 2015, 19:16)

Bump for an old thread.  I'm looking for a little help, too.

(Last edited by fokewe on 30 Aug 2015, 04:00)

EVERY file linked on this page expires, would someone repost an image file which I could flash directly, please? With great appreciate...

Can LambeauXLIV please repost the files again? Thanks

WNDR4300SW user, same condition to WNDR3800SW, and your post helps me greatly, thanks!

I know this is an old thread, but if anyone might be able to post a link to any of the files referenced above, it would be greatly appreciated. Desperately trying to crack this SureWest router with new firmware. Thanks!

The Perl script appended perfectly. Thank you, Vynce.

Hi, I was given a Netgear 4300SW and I am trying to ascertain how to modify a LEDE image to be accepted. The image needs the header from the stock image and I don't completely understand what to do. Thanks for assistance.

PS- PM me for the links to the images I couldn't post.

The discussion might have continued from here.