Hi everyone,

I own a Netgear DG834GB v5 where I performed a simple firmware upgrade via the default browser firmware update procedure. I am also quite sure that I chose the correct firmware file. Long story short: The device is bricked and I want to recover it using a USB-TTL cable.

Does anyone know if that works for that model?
And most importantly: Where do I have to solder the serial cables?

Resetting by pressing both buttons for a while does not have any net effect on the situation.

Upon device bootup it takes a few seconds, then I receive only a few pings before the link dies out again. I tried to tftp the firmware in that very short timeframe (using WinXP and Linux) but it didn't work. Perhaps no client is waiting for my tftp input.

Below are some images of the device (large).
Btw, I hereby relinquish the copyright to these images and (if you wish) you may integrate them into the OpenWrt wiki.

Cheers
weaker

I see three regions, I would check: 
1) The vertical aligned pins on the top picture between the network ports and the power-button
2) the vertical aligned pins on the top picture left of the barcode sticker, labeled J2
3) the six pins in two rows on the lower left corner of the lower picture, labeled TP16 to TP21 (that may bei JTAG)

follow this recipe: http://www.devttys0.com/2012/11/reverse … ial-ports/

Thank you for your answer! The guide to identify the pins is exactly what I was looking for! This guide seems very elaborate, I will definitely look at that.

Cheers
weaker

4 pins near the ethernet ports are a missing usb port for sure

serial is on the 6 vertical pins labeled J2.

i bet rx and tx are on pins 2-5, you see the traces on the back side of pcb.
gnd you can find checking for 0 ohm resistance with known ground points (example on power connector).

do not use vcc to connect serial...

Thank you!
I assume with "do not use vcc to connect serial..." you mean that I shouldn't use 5V. The USB-TTL cable has 3.3V, is that what you mean or did I misunderstand you?

i mean you must use ONLY gnd tx rx.

OK, understood now. Thank you for clarification!

OK, here is my feedback:
Pin no 6 (closest to "J2") is GND, Pin 5 is Rx, Pin2 is Tx.
Connection has to be 38400, 8N1

Then I get the following output:

FSB v0.06 PLL w ln p08 zi

Solos 461x PP boot v1.5


BootCode Version : 4.2.1 
SDRAM size = 0x1000000
Processor clock speed 264.0MHz

Entered console ... Nmrp request.
cd

Solos 461x Network boot v1.19 (00000000)  (FLASH)

MAC C0:3F:0E:50:DC:C0
IP 192.168.1.1
SDRAM 0x01000000 bytes

Phy reset line on GPIO 4
Boot from Ethernet Port
FSB v0.06 PLL Normal mode

p08 zi

Solos 461x PP boot v1.5


BootCode Version : 4.2.1 
SDRAM size = 0x1000000
Processor clock speed 264.0MHz
Finding flashfs partition...kernel should be : length = 0 , checksum = FFFFFFFF.
rootfs should be : length = 269000 , checksum = DD94FF1F.
checking kernel...
checking rootfs...
done.

Image 'image' is a Linux kernel
Trying to load initrd...none found
Calling Configure_NVS_FromFile.

Passing Linux kernel command line -> 'console=ttyS0 root=31:2 mem=15M ro mtdparts=phys_mapped_flash:128k(boot),768k(kernel),2880k(squashfs),64k(pot),64k(nvram),64k(bdata),64k(dpf),-(reserved) rootfstype=squashfs' 
LZMA 4.05
00bXRemounting /dev ;this is silly :-)
 Loading Conexant BSP...
 Loading Wireless ...
 Reading True PDA ...
ŽN> ÌpÂNNN¾ ÌpŒ²¼‚¾2ÌB[... more random stuff]

The random stuff that follows at the end is not identical each time.

When I press both router buttons upon startup (for reset), a message appears every second "WIFI and WPN buttons are pressed for x seconds" with x being the second count. Upon releasing the buttons the device says "load default" and continues with no discernible difference to the log above.

As it says that its IP is 192.168.1.1 (as opposed to 192.168.2.1 what I had set before the flash), I again tried to tftp, especially as it said "Booting from ethernet port" but it didn't work.
Here I read about netboot, but as it is Spanish I don't understand what that is. Perhaps I need to do that instead of tftp?
Here is another thread where something about that bootloader
is posted.

By sending Ctrl-C (Break), I could get "Please press Enter to activate this console" and upon sending CRLF I get a busybox 1.2.1 built-in shell. "help" yields the following inbuilt commands:

. : [ [[ alias bg break cd chdir continue echo eval exec exit export false fg hash help jobs kill let local pwd read readonly return set shift source test times trap true type ulimit umask unalias unset wait

1) Should I open a new thread regarding the next steps or should I continue here?
2) How would I continue flashing the original firmware back?

Cheers and thanks a lot so far
weaker

Hi,
the Recovery Mode should be enabled from the Console Mode with a special command: netboot recover.

Hold the WIFI BUTTON and switch on DG834G v5 router, as soon as you release it, the bootstrap is halted: the router enters the Console Mode and you can type the command.
Then you just need to TFTP the correct firmware and the router will finally reboot successfully.

Here is a more detailed procedure:
http://forum1.netgear.com/showthread.php?t=93148

Regards,
W.

Thank you for your reply! I will try that. However, I don't know when exactly I will do it :-)

Best regards
weaker

You're welcome!
You deserved at least a little answer, you helped me in going deeper in the tech investigation!
Then I suddenly erased the "lxcmdlineinfo" tied to the flash to start the kernel and I found that string in your post, you saved me a lot of time.

So, it's just a matter of testing this router, I consider it a bit unstable for continuous service with 2-3 VPN tunnels.

Thanks for your answer and best regards!
W.

Hi wyz73,

the forum software killed my entire post.
So here again in short: I have no "netboot recover": This is what the integrated BusyBox provides:

Built-in commands:
-------------------
       . : [ [[ alias bg break cd chdir continue echo eval exec exit
       export false fg hash help jobs kill let local pwd read readonly
       return set shift source test times trap true type ulimit umask
       unalias unset wait

The /bin folder provides:

VeriSign2028RootCA.cer  iproutesh
ash   iptunnel  sleep
busybox kill  startasterisk
cat   ln    startbif
chgrp ls    startbsp
chmod mkdir startdslbridge
chown mknod startminbsp
cp    mount startnat
date  mv    startppp
df    netstat startusb
du    paed  startwps
echo  pda-rw swapdev
egrep ping  sys_restart
fgrep ps    tar
flash_eraseall pwd   test
flash_update   qsh   touch
getoid read-truepda   umount
grep  respawnd  uname
gunziprm    verify_flash
gzip  rmdir wpin
halt  rpaed writemac
insmod rssid wsccmd
ip    scanpvczcat
ipaddr sed
iplink  
iproute

I tried flash_update which did the following

Partition 0 to 0 are configured 
Partition 0 to 1 are configured 
Partition 0 to 2 are configured 
seems /var/fs does not exists, trying to create it
Failed to create /var/fs

/sbin contains

acos_init        burnpin          ipoa-up          reboot
acos_service     burnsn           klogd            reset_no_reboot
atmarp           cert             lsmod            rmmod
atmarpd          halt             modprobe         route
bd               ifconfig         ntpclient        syslogd
burnboardid      init             poweroff         uptime
burnethermac     insmod           read_bd          version

I wondered why tftp existed, so upon calling busybox --help I get

Currently defined functions:

           [, [[, arping, ash, awk, basename, busybox, cat, chgrp, chmod,
           chown, chroot, cp, date, df, dirname, du, echo, egrep, env, expr,
           fgrep, grep, gunzip, gzip, halt, ifconfig, init, insmod, ip, ipaddr,
           iplink, iproute, iptunnel, kill, killall, klogd, linuxrc, ln,
           logger, ls, lsmod, mkdir, mknod, modprobe, mount, mv, netstat,
           nslookup, ping, poweroff, ps, pwd, reboot, rm, rmdir, rmmod, route,
           sed, sh, sleep, syslogd, telnetd, test, tftp, top, touch, tr,
           umount, uname, uptime, whoami, zcat

So this seems to be the set of utilites that are actually available.

Any idea how to proceed? I am stuck here.

Thanks againg and best regards
weaker

(Last edited by weaker on 5 Jan 2015, 15:03)

It's booting into a firmware, presumably stock.  You need to stop the boot earlier so you are working with the bootloader instead.

Sorry for the late reply.

How do I stop the boot earlier? As I said earlier, by sending Ctrl-C (Break), I get "Please press Enter to activate this console" and upon sending CRLF I then get the busybox built-in shell.

What command would let me step earlier into the boot process? I send Ctrl-C as early as the connection is established.

Best regards
weaker