Unbricking Netgear WGT634U via serial console

Purposes of this post:

  • Help people install OpenWRT on Netgear WGT634U without bricking it: DO NOT FLASH WGT634U with Kamikaze <8.09.2 or you’ll brick it!
  • Explain how to unbrick your Netgear WGT634U with a serial cable
  • Explain how to reset the NVRAM in case you mess up the environment variables

I recently bought some refurbished Netgear WGT634U off Ebay at a bargain price. And my odissey started. It looks like all kind of bugs hit this poor box.

When I received the units, they had an ancient version of Kamikaze with a bug that would cause eth0.1 to not see any packets. Everything would look good (link at the ethernet level would show a 100Mbit duplex connection) but no packets would come in and no packets would go out. Reassigning the eth0.1 port to another physical port would not solve the issue. Simply put: I could only have eth0.0 and the wifi device. Any other device (eth0.1, eth0.2) would simply be deaf, no matter to which physical port it was assigned to.

Time to upgrade to the latest Kamikaze release! So I go to http://downloads.openwrt.org/kamikaze/8.09.1/brcm47xx/ and download the .trx image, scp it to the /tmp dir on the WGT634U and run:

That’s it. I thought! All is good, the unit automatically reboots after completing the flashing process and I get my brand new Kamikaze 8.09.1 welcome message. I configure the network interfaces, connect it to Internet through another gateway, install some additional packages and configure the WiFi:
opkg update;
opkg install hostapd-mini bwm kmod-usb-storage qos-scripts  \
mii-tool luci-app-ddns luci-app-ntpc luci-app-qos luci-app-samba \
macchanger kmod-usb-ohci kmod-usb2 fdisk \
kmod-fs-vfat kmod-nls-cp437 kmod-nls-iso8859-1 \
kmod-nls-iso8859-15 kmod-nls-utf8 \
/etc/init.d/samba enable
cat >/etc/config/wireless <<EOF
config wifi-device  wifi0
option type     atheros
option channel  auto
#option disabled 1
config wifi-iface
option device   wifi0
option network  lan
option mode     ap
option ssid     OpenWrt
option encryption psk
option key      "password"

Great, I think! Time for a reboot and… *poof* the WGT634U is bricked.

What happened? A few google searches later I found a post on the forum (https://forum.openwrt.org/viewtopic.php?pid=89598) mentioning that there is a bug in recent versions of OpenWRT. The bug is going to be fixed in 8.09.2 and it has been described by the OpenWRT team as:

Prevent nvram corruption on the WGT634U (r16350, r16379) – https://dev.openwrt.org/milestone/Kamikaze%208.09.2

This means that immediately after installation, nvram settings are still loaded and the world is shiny. As soon as you unplug the power those very same settings are lost forever and the AP won’t boot again.

Fine, I have a corrupted nvram.

Time to connect to the router via serial console! But first let’s build a serial cable for Netgear WGT634U (see my other post).

Opening the unit is no challenge, and finding the serial connector is easy too: it’s identified as J6 and needless to say, it has four pins.

Assuming you are using a USB-to-serial adapter, the serial connection will show up on /dev/ttyUSB0.

Start minicom -s, set port to /dev/ttyUSB0, 115200 8n1 without hardware and software control, choose “Save as dfl” and “Exit”.

Power on the AP.

After a few messages you should get a CFE> prompt:

As you can see the et0phyaddr cannot be found. This is bad and prevents the unit from booting. Somehow during the upgrade of OpenWRT the nvram got corrupted and these values are lost. Time to set them again.

Now be extremely careful: you’ll find many guides around the net which tell you to run some commands like this:

WRONG! DO NOT DO THAT. If for some reason you do some typo (like I did) you are in trouble. In fact when using the -ro parameters, settings are stored permanently in nvram and there is no way to overwrite them. The only way to overwrite them is to reset the nvram.

The proper way to setup the environment variable is to use:

Unfortunately I just blindly followed one of such not-so-smart guides found on some forum and ended up with a broken environment that could only be fixed by resetting the nvram.

Recent versions of CFE has a special command to reset the nvram directly from the prompt, but guess what? The CFE installed on the Netgear WGT634U is old and doesn’t have anything like that (or maybe you can somehow flash the flash0.nvram partition, but I wasn’t able to do it and didn’t want to risk).

After a lot of googling I found a nice post by “jmh” at https://forum.openwrt.org/viewtopic.php?id=20641 who went through the trouble of finding the datasheet for the TE28F6401 flash chip (the one used by our beloved WGT634U) and discovered that in order to reset the nvram in this chip you have to short out the 1st and 2nd pin. wgt634u pcb

The flash chip is located on the bottom right of the PCB (if you look at it while it’s hanging with the LAN ports up and the leds down).

The 1st and 2nd pin are in the bottom right corner of the chip (see page 15 of the datasheet).

Alright so I put a small piece of metal between them, connect the power adapter to the WGT634U et voilà, nvram is cleared.

This time I’m more careful. I setup all the missing environment variable using the -p option, so that I can correct any mistake:

The values for et0macaddr and et1macaddr should match the ones specified in the label on the bottom of the WGT634U.

When you are done you can verify that the environment is correct by using:

Happy? Now type reset at the CFE prompt and Netgear WGT634U will boot Kamikaze 8.09.1!

And don’t forget that you could have saved the time to go through all this procedure if only you would have chosen 8.09.2 ;-)



8 thoughts on “Unbricking Netgear WGT634U via serial console

  1. Ciao, complimenti per questa guida, ho risolto tutto tranne il fatto che non mi riconosce nessuna periferica USB ne pendrive ne hardisk.
    E’ normale?

    In giro c’è di tutto come aiuto, ma questo non sono stato capace di trovare qualcosa sulla porta USB
    Grazie e complimenti di nuovo.

  2. Hai caricato il modulo ohci_hcd?

    insmod ohci_hcd

    E’ possibile che per porterlo fare tu debba prima rimuovere gli altri moduli per l’usb, tipo l’uhci-hcd. Controlla con lsmod cosa hai caricato.

  3. root@OpenWrt:~# lsmod
    Module Size Used by Tainted: P
    usb_storage 35680 0
    ath_pci 317152 0
    ath_hal 272464 2 ath_pci
    xt_IMQ 704 0
    imq 3088 0
    nf_nat_tftp 432 0
    nf_conntrack_tftp 2400 1 nf_nat_tftp
    nf_nat_irc 864 0
    nf_conntrack_irc 2592 1 nf_nat_irc
    nf_nat_ftp 1360 0
    nf_conntrack_ftp 4896 1 nf_nat_ftp
    xt_HL 1280 0
    xt_hl 928 0
    xt_MARK 496 0
    ipt_ECN 1376 0
    xt_CLASSIFY 496 0
    xt_time 1632 0
    xt_tcpmss 1008 0
    xt_statistic 800 0
    xt_mark 512 0
    xt_length 688 0
    ipt_ecn 992 0
    xt_DSCP 1536 0
    xt_dscp 1040 0
    xt_string 880 0
    xt_layer7 10752 0
    ipt_MASQUERADE 992 1
    iptable_nat 2880 1
    nf_nat 12544 5 nf_nat_tftp,nf_nat_irc,nf_nat_ftp,ipt_MASQUERADE ,iptable_nat
    xt_CONNMARK 768 0
    xt_recent 5872 0
    xt_helper 816 0
    xt_conntrack 2144 0
    xt_connmark 640 0
    xt_connbytes 1216 0
    xt_NOTRACK 672 0
    iptable_raw 656 1
    xt_state 800 3
    nf_conntrack_ipv4 8352 6 iptable_nat,nf_nat
    nf_defrag_ipv4 608 1 nf_conntrack_ipv4
    nf_conntrack 44032 18 nf_nat_tftp,nf_conntrack_tftp,nf_nat_irc,nf_conn track_irc,nf_nat_ftp,nf_conntrack_ftp,xt_layer7,ipt_MASQUERADE,iptable_nat,nf_na t,xt_CONNMARK,xt_helper,xt_conntrack,xt_connmark,xt_connbytes,xt_NOTRACK,xt_stat e,nf_conntrack_ipv4
    sd_mod 22992 0
    pppoe 10208 0
    pppox 1312 1 pppoe
    ipt_REJECT 1984 2
    xt_TCPMSS 2720 1
    ipt_LOG 4640 0
    xt_comment 464 0
    xt_multiport 1904 0
    xt_mac 576 0
    xt_limit 1152 1
    iptable_mangle 992 0
    iptable_filter 768 1
    ip_tables 8864 4 iptable_nat,iptable_raw,iptable_mangle,iptable_f ilter
    xt_tcpudp 1856 4
    x_tables 9824 35 xt_IMQ,xt_HL,xt_hl,xt_MARK,ipt_ECN,xt_CLASSIFY,x t_time,xt_tcpmss,xt_statistic,xt_mark,xt_length,ipt_ecn,xt_DSCP,xt_dscp,xt_strin g,xt_layer7,ipt_MASQUERADE,iptable_nat,xt_CONNMARK,xt_recent,xt_helper,xt_conntr ack,xt_connmark,xt_connbytes,xt_NOTRACK,xt_state,ipt_REJECT,xt_TCPMSS,ipt_LOG,xt _comment,xt_multiport,xt_mac,xt_limit,ip_tables,xt_tcpudp
    ppp_async 9040 0
    ppp_generic 21216 3 pppoe,pppox,ppp_async
    slhc 5360 1 ppp_generic
    vfat 8016 0
    fat 45472 1 vfat
    b43legacy 97456 0
    b43 148160 0
    nls_utf8 832 0
    nls_iso8859_15 3360 0
    nls_iso8859_1 2848 0
    nls_cp437 4384 0
    mac80211 215952 2 b43legacy,b43
    usbcore 106960 2 usb_storage
    ts_fsm 2656 0
    ts_bm 1456 0
    ts_kmp 1344 0
    scsi_mod 72976 2 usb_storage,sd_mod
    nls_base 4960 7 vfat,fat,nls_utf8,nls_iso8859_15,nls_iso8859_1,n ls_cp437,usbcore
    crc_ccitt 976 1 ppp_async
    cfg80211 121280 3 b43legacy,b43,mac80211
    compat_firmware_class 5360 2 b43legacy,b43
    compat 1808 1 cfg80211
    arc4 816 0
    aes_generic 31056 0
    deflate 1328 0
    ecb 1328 0
    cbc 2016 0
    switch_robo 4048 0
    switch_core 5216 1 switch_robo
    diag 7504 0

  4. root@OpenWrt:~# opkg list-installed
    base-files – 43.10-r24045
    busybox – 1.15.3-2
    bwm – 1.1.0-2
    crda – 1.1.0-2
    ddns-scripts – 1.0.0-9
    dnsmasq – 2.55-5
    dropbear – 0.52-4
    firewall – 1-20
    hotplug2 – 1.0-beta-2
    iptables – 1.4.6-2
    iptables-mod-conntrack – 1.4.6-2
    iptables-mod-conntrack-extra – 1.4.6-2
    iptables-mod-filter – 1.4.6-2
    iptables-mod-imq – 1.4.6-2
    iptables-mod-ipopt – 1.4.6-2
    iptables-mod-nat – 1.4.6-2
    iw – 0.9.21-1
    kernel –
    kmod-b43 –
    kmod-b43legacy –
    kmod-cfg80211 –
    kmod-crc-ccitt –
    kmod-crypto-aes –
    kmod-crypto-arc4 –
    kmod-crypto-core –
    kmod-diag –
    kmod-fs-vfat –
    kmod-ipt-conntrack –
    kmod-ipt-conntrack-extra –
    kmod-ipt-core –
    kmod-ipt-filter –
    kmod-ipt-imq –
    kmod-ipt-ipopt –
    kmod-ipt-nat –
    kmod-ipt-nathelper –
    kmod-mac80211 –
    kmod-madwifi –
    kmod-nls-base –
    kmod-nls-cp437 –
    kmod-nls-iso8859-1 –
    kmod-nls-iso8859-15 –
    kmod-nls-utf8 –
    kmod-ppp –
    kmod-pppoe –
    kmod-sched –
    kmod-scsi-core –
    kmod-switch –
    kmod-textsearch –
    kmod-usb-core –
    kmod-usb-storage –
    libc –
    libgcc – 4.3.3+cs-43.10
    libiptc – 1.4.6-2
    liblua – 5.1.4-7
    libnl-tiny – 0.1-1
    libpthread –
    librt –
    libuci – 12012009.6-2
    libuci-lua – 12012009.6-2
    libxtables – 1.4.6-2
    lua – 5.1.4-7
    luci – 0.9+svn6512-1
    luci-admin-core – 0.9+svn6512-1
    luci-admin-full – 0.9+svn6512-1
    luci-admin-mini – 0.9+svn6512-1
    luci-app-ddns – 0.9+svn6512-1
    luci-app-firewall – 0.9+svn6512-1
    luci-app-initmgr – 0.9+svn6512-1
    luci-app-ntpc – 0.9+svn6512-1
    luci-app-qos – 0.9+svn6512-1
    luci-app-samba – 0.9+svn6512-1
    luci-cbi – 0.9+svn6512-1
    luci-core – 0.9+svn6512-1
    luci-http – 0.9+svn6512-1
    luci-i18n-english – 0.9+svn6512-1
    luci-ipkg – 0.9+svn6512-1
    luci-lmo – 0.9+svn6512-1
    luci-nixio – 0.9+svn6512-1
    luci-sgi-cgi – 0.9+svn6512-1
    luci-sys – 0.9+svn6512-1
    luci-theme-base – 0.9+svn6512-1
    luci-theme-openwrt – 0.9+svn6512-1
    luci-uci – 0.9+svn6512-1
    luci-uvl – 0.9+svn6512-1
    luci-web – 0.9+svn6512-1
    mii-tool –
    mtd – 13
    ntpclient – 2007_365-4
    nvram – 7
    opkg – 576-1
    ppp – 2.4.4-11
    ppp-mod-pppoe – 2.4.4-11
    qos-scripts – 1.2.1-3
    samba3 – 3.0.24-7
    tc – 2.6.29-1-2
    uci – 12012009.6-2
    udevtrigger – 106-1
    uhttpd – 19
    wireless-tools – 29-4
    wpad-mini – 20100705-1

  5. Io ho installato CFE openwrt-wgt634u-squashfs, poi per filo e per segno la tua guida con i pacchetti che hai suggerito tu.
    Ho configurato la LAN e il WIFI tutto perfetto.
    USB non va.

  6. Proprio all’inizio del mio articolo, trovi scritto che occorre installare kmod-usb-ohci e kmod-usb2. Esegui questi comandi:
    opkg update; opkg install kmod-usb-ohci kmod-usb2
    insmod ohci_hcd

Leave a Reply