Table of Contents

NETGEAR WNR2000

This device is NOT RECOMMENDED for future use with OpenWrt due to low flash/ram.
DO NOT BUY DEVICES WITH 4MB FLASH / 32MB RAM if you intend to flash an up-to-date and secure OpenWrt version onto it! See 4/32 warning for details.

1) This device does not have sufficient resources (flash and/or RAM) to provide secure and reliable operation.
This means that even setting a password or changing simple network settings might not be possible any more, rendering the device effectively useless. See OpenWrt on 4/32 devices what you can do now.

2) OpenWrt support for this device has ended in 2022.
19.07.10 was the last official build for 4/32 devices.

This is a 802.11n Router for the 2.4 GHz band with in some revisions three built-in antennas of which the one in the middle (ANT_1_1) isn't used.

The stock firmware for the v3 device runs OpenWrt 7.09 and contains 4 antennas:

  1. Soldered aluminium antenna
  2. On the main PCB
  3. PCB antenna daughter board
  4. PCB antenna daughter board

Supported Versions

Hardware Highlights

Installation

Flashing modified u-boot and pre-built OpenWrt Backfire on WNR2000v1

  1. follow Unlocking the Netgear Telnet Console to unlock telnet on the OEM firmware and be able to telnet into the router
  2. (optional, but recommended) Back up your u-boot and art flash partitions as outlined by forum user CheBuzz in the second code box in this post
  3. Follow the info in radengr's post and fuhry's post to flash. Linking to the posts instead of copying the commands here is intentional so you know what you are doing ;-)
    • Note: Fuhry's domain has changed. His new domain is: “http://fuhry.com/”. He does NOT allow director traversal, meaning you must know the exact file you need.
    • 500K Additional Space: According to dony71 on the forum, to gain the additional 500K space that fuhry refers to, you must make these additional changes.

Installing trunk LEDE on WNR2000v1

Important: DON'T FLASH FACTORY IMAGE OF LEDE OVER STOCK FIRMWARE, IT WILL NOT WORK AND WILL MAKE YOUR ROUTER UNABLE TO BOOT. You will be able to restore it using the emergency TFTP server when it happens, though.

First, make sure you have fuhry's bootloader. If you already have fuhry's modified bootloader, then skip to the next part. If you don't, do this:

  1. Do whatever you have to do to restore back to Netgear's stock firmware.
  2. Use an UART cable, gain access to the root shell of the router. Telnetenable won't be sufficient!
  3. Flash fuhry's bootloader and firmware by issuing these commands, then you'll have the bootloader installed correctly.
cd /tmp
snarf http://fuhry.com/b/wnr2000/install-repart.sh
chmod +x ./install-repart.sh
./install-repart.sh

When you have fuhry's bootloader:

  1. Download LEDE latest version of wnr2000 rootfs and uImage:
    1. ar71xx-generic-wnr2000-rootfs-squashfs.bin, then rename it sqfs.bin
    2. ar71xx-generic-uImage-lzma.bin, then rename it uImage.bin
  2. Install TFTP server, and transfer the two files to your TFTP server root
  3. Use an UART cable, gain access to the bootloader, and interrupt the normal boot process
  4. Type the following:
# Tell u-boot that we have a tftp server on 192.168.1.10
setenv serverip 192.168.1.10

# Tell u-boot that the router should take the address 192.168.1.1
setenv ipaddr 192.168.1.1

# Erase the region from 0x050000-0x3f0000
erase 0xbf050000 +0x3A0000

# Load sqfs.bin on TFTP server, and put it to memory address 0x81000000
tftpboot 0x81000000 sqfs.bin
# U-boot will tell you the length of sqfs.bin in hex, let's say ZZZZZZ
# Copy bit by bit 0xZZZZZZ bytes from offset 0x050000
cp.b 0x81000000 0xbf050000 0xZZZZZZ

# Same to the uImage.bin, write it right next to sqfs.bin
# Again, 0xYYYYYY is the length that tftpboot reports
tftpboot 0x81000000 uImage.bin
cp.b 0x81000000 0xbf2b0000 0xYYYYYY

# We need to tell the kernel what board it is booting into, and where to find the partitions
setenv bootargs "board=WNR2000 console=ttyS0,115200 mtdparts=spi0.0:256k(u-boot)ro,64k(u-boot-env)ro,3712k(firmware),64k(art)ro rootfstype=squashfs,jffs2 noinitrd"

# Tell u-boot where to find the uImage
setenv bootcmd "bootm 0xbf2b0000"

# Tell u-boot to save parameters to the u-boot-env partitions
saveenv

# Reset the board
reset

For more information, read instructions on tnhh's website here: https://www.tnhh.net/mobile/posts/lede-on-wnr2000v1-unsupported-hardware.html

Installing OpenWrt onto a RAMdisk on WNR2000v1

The original U-Boot bootloader runs a CRC check on the flash before it executes the bootcmd command. This prevents OpenWrt from being run from flash. As long as you do not replace the OEM bootloader, you can only create an OpenWrt ramdisk image and load it via tftp. This requires access to the serial console:

On the WNR2000v1 serial console:

e.g.

U-Boot 1.1.4.16-g04e9b8bf (May 14 2008 - 17:04:28)

AP81 (ar7100) U-boot
sri
32 MB
Top of RAM usable for U-Boot at: 82000000
Reserving 245k for U-Boot at: 81fc0000
Reserving 192k for malloc() at: 81f90000
Reserving 44 Bytes for Board Info at: 81f8ffd4
Reserving 36 Bytes for Global Data at: 81f8ffb0
Reserving 128k for boot params() at: 81f6ffb0
Stack Pointer at: 81f6ff98
Now running in RAM - U-Boot at: 81fc0000
id read 0x100000ff
flash size 4MB, sector count = 64
Flash: 4MB
In:    serial
Out:   serial
Err:   serial
Net:   ag7100_enet_initialize...
Fetching MAC Address from 0x81fea7b0
: cfg1 0xf cfg2 0x7114
eth0: 00:1f:33:f3:30:05
dup 1 speed 100
eth0 up
eth0
### main_loop entered: bootdelay=4

### main_loop: bootcmd="bootm 0xbf2a0000"
Hit any key to stop autoboot:  0 
ar7100> tftpboot 0x81000000 wnr2000
Using eth0 device
TFTP from server 192.168.1.12; our IP address is 192.168.1.10
Filename 'wnr2000'.
Load address: 0x81000000
Loading: #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #############################
done
Bytes transferred = 2143454 (20b4de hex)
ar7100> setenv bootargs board=WNR2000
ar7100> bootm
## Booting image at 81000000 ...
   Image Name:   MIPS OpenWrt Linux-2.6.32.10
   Created:      2010-03-28   6:54:52 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    2143390 Bytes =  2 MB
   Load Address: 80060000
   Entry Point:  80060000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ...OK
No initrd
## Transferring control to Linux (at address 80060000) ...
## Giving linux memsize in bytes, 33554432

Starting kernel ...

Linux version 2.6.32.10 (joerga@quad) (gcc version 4.3.3 (GCC) ) #1 Sun Mar 28 08:54:48 CEST 2010
bootconsole [early0] enabled
CPU revision is: 00019374 (MIPS 24Kc)
Atheros AR9130 rev 1, CPU:400.000 MHz, AHB:200.000 MHz, DDR:400.000 MHz
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
User-defined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00000000 -> 0x00002000

Installing OpenWrt on WNR2000v3

  1. Official images are too large as of 17.XX. Use the Community Builds in the forum topic URL below for the latest 17.XX, 18.XX, and 19.XX images. https://forum.openwrt.org/t/builds-for-netgear-wnr1000v2-wnr1000v2-vc-wnr612v2-wpn824n-wnr2000v3/39360
  2. Since changeset r45054 from 27.03.2015 OpenWrt can be flashed by using the built-in updater in the Netgear Web-Gui:
  3. If the built-in updater rejects the image, you can use “tftp2.exe” or similar to flash the device:
    • Prep the router to receive the image: turn off the router, hold down the reset button, turn ON the router (with reset button still pressed), then wait about 10-15 seconds for the light to start flashing green. Once it flashes green at least 10 times, you can release the reset button and the router is ready to receive an image (the device seems to wait forever for an image, so you don't have to hurry).
    • To flash with tftp2.exe: set your computer to a static IP (such as 192.168.1.7) and connect the computer to one of the router's 4 wired-ethernet ports (NOT the WAN port). Open the tftp2.exe program on your computer, set the “Server” to 192.168.1.1, leave “Password” blank, for “File” choose the OpenWrt image, then click “Upgrade”. That's it. After about 2-3 minutes, the image will finalize and you should be able to login to Luci immediately at 192.168.1.1
  4. After automatic reboot follow: checks_and_troubleshooting.

If you are experiencing troubles, its probably because the device id of your router got messed up. To fix this you have attach a serial console to it. All further steps are described here: http://www.techinfodepot.info/wiki/Netgear_WNR2000_v3#JTAG-Serial_Info

Read the section about (Serial recovery), where it states how to set the proper device id. If you flash through TFTP while having a serial console attached the firmware spits out the reason, why the firmware cannot be flashed. In my case it was a mismatch between the product id “wnr2000v3” vs “WNR200V3”.

Installing OpenWrt on WNR2000 v4 (or WN2000RPTv3)

A method to install OpenWrt on wnr2000v4 without opening the case can be found here: wnr2000v4

OpenWrt can also be initially flashed using serial access to the bootloader. It is necessary to change the 'bootcmd' environment variable to not call the “2 stage firmware integrity check” since OpenWrt builds will fail the second stage test, stopping the boot.

AR7241>setenv bootcmd bootm 0x9F040000
AR7241>saveenv

The flashing process is standard u-boot TFTP to RAM, erase the firmware partition of flash, and cp.b to flash. Once OpenWrt is running, sysupgrade can be used to install new versions.

Use a WNR2000v4 build for the WR2000RPTv3. The hardware appears to be identical other than that the WAN port and the LAN connection LEDs are not populated on the board.

Netgear WN2000RPT

These are v0 of the WNR2000, the primary difference being that there is NO WAN PORT. Stock units run Kamikaze 7.09, I followed the main directions for the WNR2000 and the only issue ive seen is an inability to do a hardware reset. Havent bothered to look into it, just plugged it back into the serial connection and restored the device from there. Good luck.

WN2000RPTv1 must be considered a WNR2000v2 with a missing WAN port, you can follow WNR2000v2 install instructions

WN2000RPTv2 must be considered a WNR2000v3 with a missing WAN port, you can follow WNR2000v3 install instructions

Supported Versions

Version/Model S/N OpenWrt Version Supported Model Specific Notes Extra
v0 ? trunk (use AP81 profile) FCC ID: TBA WN2000RPT
v1 ? trunk (use AP81 profile) LEDE trunk FCC ID: PY308200083
v2 ? 15.05 with proprietary driver FCC ID: PY309100105
v3 ? 15.05 (use AR71XX profile) FCC ID: PY310200135
v4 1.0.0.58 15.05 (use AR71XX profile) FCC ID: PY312300212
v5 ? WIP FCC ID: PY314100256

Hardware Highlights

Version/Model CPU Ram Flash Network USB Serial JTag Additional Notes
v0 Atheros AR9132 32 MB 4 MB (4) 100 MBit/s no yes no The physical label may state “rev0”, yet dmesg may state 'v1'. Please be aware of this fact, and use caution when deciding what version of OpenWrt to use on your specific device
v1 Atheros AR9132 32 MB 4 MB (4+1) 100 MBit/s no yes no LEDE trunk works, you will have to flash using the serial console with TFTP. Don't try to use the sysupgrade or factory image, while they will allow us to flash, it will not boot.
v2 Broadcom BCM4716 32 MB 4 MB (4+1) 100 MBit/s no pads no Generate your own OpenWrt image using the profile “Broadcom-mips74k-wl” for WiFi support. The generated image cannot exceed 3,473,408 bytes so drop unnecessary packages. Tested with 14.07 BB
v3 Atheros AR7241 32 MB 4 MB (4+1) 100 MBit/s no yes yes (unpopulated) OpenWrt 15.05 works OK with exception of some LEDs and buttons (see GPIO section). Device is fully supported in trunk versions r48924 and later.
v4 Atheros AR9341 32 MB 4 MB (4+1) 100 MBit/s no yes yes
v5 Qualcomm Atheros QCA9531 32 MB 4 MB (4+1) 100 MBit/s no pads ?

CPU (WNR2000v3)

# cat /proc/cpuinfo
system type		: Atheros AR7241 rev 1
machine			: NETGEAR WNR2000 V3
processor		: 0
cpu model		: MIPS 24Kc V7.4
BogoMIPS		: 239.61
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 16
extra interrupt vector	: yes
hardware watchpoint	: yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb]
isa			: mips1 mips2 mips32r1 mips32r2
ASEs implemented	: mips16
shadow register sets	: 1
kscratch registers	: 0
package			: 0
core			: 0
VCED exceptions		: not available
VCEI exceptions		: not available

Hardware

Info

Version: v1 v2 v3 v4 v5
Architecture: MIPS MIPS MIPS MIPS MIPS
Vendor: Atheros Broadcom Atheros Atheros Atheros
Bootloader: U-Boot cfe U-Boot U-Boot U-Boot
System-On-Chip: Atheros AR9132 Broadcom BCM4716 Atheros AR7241 Atheros AR9341 Qualcomm Atheros QCA9531
CPU Speed: 400 MHz 300 Mhz 400 Mhz 500 Mhz 650 Mhz
Flash-Chip: MX 25L3205DMI MX 25L3205DMI MX 25L3206EM2I MX 25L3206EM2I MX 25L3205D
Flash size: 4 MiB 4 MiB 4 MiB 4 MiB 4 MiB
RAM-Chip: Hynix HY5DU561622FTP-D43 Samsung K4H561638J-LCCC ESMT M13S2561616A-AZK1P03Z8 ESMT M13S2561616A Winbond W9425G6JH-4
RAM size: 32 MiB 32 MiB 32 MiB 32 MiB 32 MiB
Wireless: Atheros AR9103 (3×3 integrated) (integrated) Atheros AR9287 Atheros 9341 (integrated) Qualcomm Atheros QCA9531 (integrated)
Ethernet: Atheros AR8216 Broadcom BCM5325E (integrated) Atheros 9341 (integrated) Qualcomm Atheros QCA9531 (integrated)
USB: No No No No No
Serial: Yes pads (JP1) Yes (JP1) Yes(JP1) pads (JP2)
JTAG: No No Yes (J1) Yes(JP2) ?

Opening the case

Note: This will void your warranty!

PCB upper side
WNR2000v1 PCB upper side

PCB back side
PCB back side

PCB detail at the CPU
PCB upper side, some PCB trace details

Serial

GPIO

WNR2000 v3

GPIO LEDs and buttons on this device are connected to GPIO controllers on AR7241 SoC and AR9287 wireless chip.

Controlled by AR7241 SoC (20 GPIOs total, some shared with JTAG or built-in Ethernet switch) :

Type Function GPIO Polarity Notes
LED WAN GREEN 0 (0, 0) active low
LED LAN1 AMBER 1 (0, 1) active low
LED LAN2 AMBER 6 (0, 6) active low shared with JTAG - see note [0]
LED WPS GREEN 7 (0, 7) active low shared with JTAG - see note [0]
LED LAN3 AMBER 8 (0, 8) active low shared with JTAG - see note [0]
Button WPS 11 (0, 11) active low
LED LAN4 AMBER 12 (0, 12) active low
LED LAN1 GREEN 13 (0, 13) active low link activity - see note [1]
LED LAN2 GREEN 14 (0, 14) active low link activity - see note [1]
LED LAN3 GREEN 15 (0, 15) active low link activity - see note [1]
LED LAN4 GREEN 16 (0, 16) active low link activity - see note [1]
LED WAN AMBER 17 (0, 17) active low link activity - see note [1]

Controlled by AR9287 wireless chip (11 GPIOs total) :

Type Function GPIO Polarity Notes
LED WLAN BLUE 54 (1, 1) active low not all triggers work - see note [2]
LED POWER AMBER 55 (1, 2) active low aka TEST AMBER - see note [3]
LED POWER GREEN 56 (1, 3) active low
Button RESET 61 (1, 8) active low
Button RFKILL 62 (1, 9) active low

Notes:

GPIO in OpenWrt

# cat /sys/kernel/debug/gpio
GPIOs 0-19, ath79:
 gpio-0   (netgear:green:wan ) out hi    
 gpio-1   (netgear:amber:lan1) out hi    
 gpio-6   (netgear:amber:lan2) out hi    
 gpio-7   (netgear:green:wps ) out hi    
 gpio-8   (netgear:amber:lan3) out hi    
 gpio-11  (wps                 ) in  hi    
 gpio-12  (netgear:amber:lan4) out hi    
 gpio-13  (netgear:green:lan1) out lo    
 gpio-14  (netgear:green:lan2) out lo    
 gpio-15  (netgear:green:lan3) out lo    
 gpio-16  (netgear:green:lan4) out lo    
 gpio-17  (netgear:amber:wan ) out lo    

GPIOs 53-63, ath9k-phy0:
 gpio-54  (netgear:blue:wlan ) out lo    
 gpio-55  (netgear:amber:test) out hi    
 gpio-56  (netgear:green:powe) out lo    
 gpio-61  (reset               ) in  hi    
 gpio-62  (rfkill              ) in  hi    

WNR2000 v5

On the V5 version, the buttons are connected to GPIOs. The LEDs are controlled by a HC164 8-bit shift register.

0 WLAN button
1 RESET button
2 WPS button
14 HC164 reset
15 HC164 data
16 HC164 clock

There is an SPI based driver in gpio-74×164.c and mach-rb91x.c provides an example. Netgear uses a bit-bang implementation, so these pins may not be capable of SPI function. From their released serial-led-gpio.c:

void serial_led_output(int val)
{
        int i;
        int bit_end;
        
        spin_lock(&my_lock);
        //printk("serial_led_output val = %x\n",val);
        for(i=0;i<8;i++)                //shift serial_led_flag to register
        { 
                bit_end = ((val>>i) & 1)?1:0;
                ath_gpio_out_val(LED_DATA,bit_end);
                ath_gpio_out_val(LED_SH,1);
                ath_gpio_out_val(LED_SH,0);
        }
        spin_unlock(&my_lock);
}

JTAG

JTAG pins were found by removing the BGA from a WNR2000 and a TP-Link WR-1043ND (AR9132 with JTAG header) and comparing the PCB traces. The top side of the PCB is the one with the heatsinks.

Name BGA pin Top/Bottom of PCB Location on PCB
TMS G20 bottom R335 towards C324
TDO G21 top TP34
nTRST F22 top R68 toward CPU
TCK F21 top R336 toward CPU
TDI G22 top R334 toward CPU
nSRST D22 top U8 toward R262

(Be aware that there is no “I” row in the BGA counting!)

JTAG pins on PCB top side TMS pin on PCB bottom side

Debricking

generic.debrick

User RoundSparrow posted this little how-to in the forum topic:

Experimenting with flashing, I've managed to mess up the firmware a few times. Good news is you can recover it. If you hold down reset (for like 30 seconds) while you turn on power to unit... it goes into tftp recover mode.

U-Boot 1.1.4.16-g04e9b8bf (May 14 2008 - 17:04:28)

AP81 (ar7100) U-boot
sri
32 MB
Top of RAM usable for U-Boot at: 82000000
Reserving 245k for U-Boot at: 81fc0000
Reserving 192k for malloc() at: 81f90000
Reserving 44 Bytes for Board Info at: 81f8ffd4
Reserving 36 Bytes for Global Data at: 81f8ffb0
Reserving 128k for boot params() at: 81f6ffb0
Stack Pointer at: 81f6ff98
Now running in RAM - U-Boot at: 81fc0000
id read 0x100000ff
flash size 4MB, sector count = 64
Flash: 4MB
In:    serial
Out:   serial
Err:   serial
Net:   ag7100_enet_initialize...
Fetching MAC Address from 0x81fea7b0
: cfg1 0xf cfg2 0x7114
eth0: 00:22:3f:0b:c5:9c
dup 1 speed 100
eth0 up
eth0
Factory Reset Mode
The Router is in TFTP Server Firmware Recovery mode NOW!
Listening on Port : 69, IP Address: 192.168.1.1...


I got the factory firmware back on by using tftp tips from this page: http://cyberstorm.altervista.org/wag354g/guides/howto_unbricking_wag354g_en.txt

Custom u-boot

There is a project allowing to build custom u-boot image https://github.com/realmicu/uboot-wnrmod2k It could be used if flash memory chip was replaced or to obtain additional functionality.

Tags