NETGEAR WNR2000

This is a 802.11n Router for the 2.4 GHz band with in some revisions three built-in antennas of which the one in the middle (ANT_1_1) isn't used.

The stock firmware for the v3 device runs OpenWrt 7.09 and contains 4 antennas:

1. Soldered aluminium antenna
2. On the main PCB
3. PCB antenna daughter board
4. PCB antenna daughter board

1. follow Unlocking the Netgear Telnet Console to unlock telnet on the OEM firmware and be able to telnet into the router
2. (optional, but recommended) Back up your u-boot and art flash partitions as outlined by forum user CheBuzz in the second code box in this post
3. Follow the info in radengr's post and fuhry's post to flash. Linking to the posts instead of copying the commands here is intentional so you know what you are doing
   • Note: Fuhry's domain has changed. His new domain is: “http://fuhry.com/”. He does NOT allow director traversal, meaning you must know the exact file you need.
     • For example his re-partition script is at http://fuhry.com/b/wnr2000//install-repart.sh.
   • 500K Additional Space: According to dony71 on the forum, to gain the additional 500K space that fuhry refers to, you must make these additional changes.
4. Reboot, then checks_and_troubleshooting.

Important: DON'T FLASH FACTORY IMAGE OF LEDE OVER STOCK FIRMWARE, IT WILL NOT WORK AND WILL MAKE YOUR ROUTER UNABLE TO BOOT. You will be able to restore it using the emergency TFTP server when it happens, though.

First, make sure you have fuhry's bootloader. If you already have fuhry's modified bootloader, then skip to the next part. If you don't, do this:

1. Do whatever you have to do to restore back to Netgear's stock firmware.
2. Use an UART cable, gain access to the root shell of the router. Telnetenable won't be sufficient!
3. Flash fuhry's bootloader and firmware by issuing these commands, then you'll have the bootloader installed correctly.

cd /tmp
snarf http://fuhry.com/b/wnr2000/install-repart.sh
chmod +x ./install-repart.sh
./install-repart.sh

When you have fuhry's bootloader:

1. Download LEDE latest version of wnr2000 rootfs and uImage:
   1. ar71xx-generic-wnr2000-rootfs-squashfs.bin, then rename it sqfs.bin
   2. ar71xx-generic-uImage-lzma.bin, then rename it uImage.bin
2. Install TFTP server, and transfer the two files to your TFTP server root
3. Use an UART cable, gain access to the bootloader, and interrupt the normal boot process
4. Type the following:

# Tell u-boot that we have a tftp server on 192.168.1.10
setenv serverip 192.168.1.10

# Tell u-boot that the router should take the address 192.168.1.1
setenv ipaddr 192.168.1.1

# Erase the region from 0x050000-0x3f0000
erase 0xbf050000 +0x3A0000

# Load sqfs.bin on TFTP server, and put it to memory address 0x81000000
tftpboot 0x81000000 sqfs.bin
# U-boot will tell you the length of sqfs.bin in hex, let's say ZZZZZZ
# Copy bit by bit 0xZZZZZZ bytes from offset 0x050000
cp.b 0x81000000 0xbf050000 0xZZZZZZ

# Same to the uImage.bin, write it right next to sqfs.bin
# Again, 0xYYYYYY is the length that tftpboot reports
tftpboot 0x81000000 uImage.bin
cp.b 0x81000000 0xbf2b0000 0xYYYYYY

# We need to tell the kernel what board it is booting into, and where to find the partitions
setenv bootargs "board=WNR2000 console=ttyS0,115200 mtdparts=spi0.0:256k(u-boot)ro,64k(u-boot-env)ro,3712k(firmware),64k(art)ro rootfstype=squashfs,jffs2 noinitrd"

# Tell u-boot where to find the uImage
setenv bootcmd "bootm 0xbf2b0000"

# Tell u-boot to save parameters to the u-boot-env partitions
saveenv

# Reset the board
reset

For more information, read instructions on tnhh's website here: https://www.tnhh.net/mobile/posts/lede-on-wnr2000v1-unsupported-hardware.html

The original U-Boot bootloader runs a CRC check on the flash before it executes the bootcmd command. This prevents OpenWrt from being run from flash. As long as you do not replace the OEM bootloader, you can only create an OpenWrt ramdisk image and load it via tftp. This requires access to the serial console:

• configure the NIC of a PC with a tftp server at 192.168.1.12
• copy openwrt-ar71xx-uImage-initramfs-lzma.bin into the directory of the tftp server (e.g. /tftpboot)

On the WNR2000v1 serial console:

• press any key after Hit any key to stop autoboot: to stop autoboot
• tftpboot 0x81000000 openwrt-ar71xx-uImage-initramfs-lzma.bin - this should print a couple of # signs
• setenv bootargs board=WNR2000
• bootm - boots the kernel

e.g.

U-Boot 1.1.4.16-g04e9b8bf (May 14 2008 - 17:04:28)

AP81 (ar7100) U-boot
sri
32 MB
Top of RAM usable for U-Boot at: 82000000
Reserving 245k for U-Boot at: 81fc0000
Reserving 192k for malloc() at: 81f90000
Reserving 44 Bytes for Board Info at: 81f8ffd4
Reserving 36 Bytes for Global Data at: 81f8ffb0
Reserving 128k for boot params() at: 81f6ffb0
Stack Pointer at: 81f6ff98
Now running in RAM - U-Boot at: 81fc0000
id read 0x100000ff
flash size 4MB, sector count = 64
Flash: 4MB
In:    serial
Out:   serial
Err:   serial
Net:   ag7100_enet_initialize...
Fetching MAC Address from 0x81fea7b0
: cfg1 0xf cfg2 0x7114
eth0: 00:1f:33:f3:30:05
dup 1 speed 100
eth0 up
eth0
### main_loop entered: bootdelay=4

### main_loop: bootcmd="bootm 0xbf2a0000"
Hit any key to stop autoboot:  0 
ar7100> tftpboot 0x81000000 wnr2000
Using eth0 device
TFTP from server 192.168.1.12; our IP address is 192.168.1.10
Filename 'wnr2000'.
Load address: 0x81000000
Loading: #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #############################
done
Bytes transferred = 2143454 (20b4de hex)
ar7100> setenv bootargs board=WNR2000
ar7100> bootm
## Booting image at 81000000 ...
   Image Name:   MIPS OpenWrt Linux-2.6.32.10
   Created:      2010-03-28   6:54:52 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    2143390 Bytes =  2 MB
   Load Address: 80060000
   Entry Point:  80060000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ...OK
No initrd
## Transferring control to Linux (at address 80060000) ...
## Giving linux memsize in bytes, 33554432

Starting kernel ...

Linux version 2.6.32.10 (joerga@quad) (gcc version 4.3.3 (GCC) ) #1 Sun Mar 28 08:54:48 CEST 2010
bootconsole [early0] enabled
CPU revision is: 00019374 (MIPS 24Kc)
Atheros AR9130 rev 1, CPU:400.000 MHz, AHB:200.000 MHz, DDR:400.000 MHz
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
User-defined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00000000 -> 0x00002000

1. Official images are too large as of 17.XX. Use the Community Builds in the forum topic URL below for the latest 17.XX, 18.XX, and 19.XX images. https://forum.openwrt.org/t/builds-for-netgear-wnr1000v2-wnr1000v2-vc-wnr612v2-wpn824n-wnr2000v3/39360
2. Since changeset r45054 from 27.03.2015 OpenWrt can be flashed by using the built-in updater in the Netgear Web-Gui:
   • Installing OpenWrt: Use https://downloads.openwrt.org/snapshots/trunk/ar71xx/generic/openwrt-ar71xx-generic-wnr2000v3-squashfs-factory.img with built-in updater. It come without web interface, you must install it (this is a little bit tricky, no free space were available after installation of this firmware)
3. If the built-in updater rejects the image, you can use “tftp2.exe” or similar to flash the device:
   • tfpt2.exe can be downloaded from the instructions provided by Netgear: http://kb.netgear.com/app/answers/detail/a_id/19841/~/reinstall-the-firmware-on-a-router-without-the-setup-cd-recovery-tool
   • Prep the router to receive the image: turn off the router, hold down the reset button, turn ON the router (with reset button still pressed), then wait about 10-15 seconds for the light to start flashing green. Once it flashes green at least 10 times, you can release the reset button and the router is ready to receive an image (the device seems to wait forever for an image, so you don't have to hurry).
   • To flash with tftp2.exe: set your computer to a static IP (such as 192.168.1.7) and connect the computer to one of the router's 4 wired-ethernet ports (NOT the WAN port). Open the tftp2.exe program on your computer, set the “Server” to 192.168.1.1, leave “Password” blank, for “File” choose the OpenWrt image, then click “Upgrade”. That's it. After about 2-3 minutes, the image will finalize and you should be able to login to Luci immediately at 192.168.1.1
4. After automatic reboot follow: checks_and_troubleshooting.

• (Optional Information) Bug #18959 gives all the information for the WNR2000v3. https://dev.openwrt.org/ticket/18959

A method to install OpenWrt on wnr2000v4 without opening the case can be found here: wnr2000v4

OpenWrt can also be initially flashed using serial access to the bootloader. It is necessary to change the 'bootcmd' environment variable to not call the “2 stage firmware integrity check” since OpenWrt builds will fail the second stage test, stopping the boot.

AR7241>setenv bootcmd bootm 0x9F040000
AR7241>saveenv

The flashing process is standard u-boot TFTP to RAM, erase the firmware partition of flash, and cp.b to flash. Once OpenWrt is running, sysupgrade can be used to install new versions.

Use a WNR2000v4 build for the WR2000RPTv3. The hardware appears to be identical other than that the WAN port and the LAN connection LEDs are not populated on the board.

These are v0 of the WNR2000, the primary difference being that there is NO WAN PORT. Stock units run Kamikaze 7.09, I followed the main directions for the WNR2000 and the only issue ive seen is an inability to do a hardware reset. Havent bothered to look into it, just plugged it back into the serial connection and restored the device from there. Good luck.

WN2000RPTv1 must be considered a WNR2000v2 with a missing WAN port, you can follow WNR2000v2 install instructions

WN2000RPTv2 must be considered a WNR2000v3 with a missing WAN port, you can follow WNR2000v3 install instructions

# cat /proc/cpuinfo
system type		: Atheros AR7241 rev 1
machine			: NETGEAR WNR2000 V3
processor		: 0
cpu model		: MIPS 24Kc V7.4
BogoMIPS		: 239.61
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 16
extra interrupt vector	: yes
hardware watchpoint	: yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb]
isa			: mips1 mips2 mips32r1 mips32r2
ASEs implemented	: mips16
shadow register sets	: 1
kscratch registers	: 0
package			: 0
core			: 0
VCED exceptions		: not available
VCEI exceptions		: not available

Note: This will void your warranty!

• To remove the cover remove two little silver screws (Torx 5 or 6) at the bottom and slide the front and back cover down to the feet for some mm.

PCB upper side

PCB back side

PCB detail at the CPU

• WNR2000v0 (rev0)
  • The serial port is at T1(goldpin): 38400 8N1 at 3.3V. Pins are, from top to bottom, with the ethernet ports above: [Vcc] [Tx] [Rx] [GND]
• WNR2000v1
  • The serial port is at JP1: 115200 8N1 at 3.3V. Pins are, from left with the ethernet ports above: [Vcc] [Tx] [Rx] [GND]
• WNR2000v2
  • The serial port is at JP1: 115200 8N1 at 3.3V. Pads are, from top to bottom with the ethernet ports above: [Vcc] [Tx] [-] [-] [Rx][GND]
• WNR2000v3
  • The serial port is at JP1: 115200 8N1 at 3.3V. Pads are, from left to right with the ethernet ports on right: [Vcc] [Tx] [Rx] [GND]
• WNR2000v4
  • The serial port is at JP1: 115200 8N1 at 3.3V. Pads are, from left to right with the ethernet ports on right: [GND] [Rx] [Tx] [Vcc]
• WNR2000v5
  • The serial port is at JP2: 115200 8N1 at 3.3V. Pads are, from left to right with the ethernet ports on right: [GND] [Rx] [Tx] [Vcc]
• WNR2000RPTv2 (rev0)
  • The serial port is at JP1: 115200 8N1 at 3.3V. Pins are, from left to right with the ethernet ports on the right: [Vcc] [Rx] [Tx] [GND]

GPIO LEDs and buttons on this device are connected to GPIO controllers on AR7241 SoC and AR9287 wireless chip.

Controlled by AR7241 SoC (20 GPIOs total, some shared with JTAG or built-in Ethernet switch) :

Controlled by AR9287 wireless chip (11 GPIOs total) :

Notes:

• [0] - needs reprogramming of SoC to deallocate GPIO pins from JTAG
• [1] - needs reprogramming of SoC to deallocate GPIO pins from built-in Ethernet switch; required for different link speed colors
• [2] - 'phy0radio' trigger does not work, use default 'phy0tpt' or 'wlan0' netdevice instead
• [3] - this is amber light on power LED (labelled TEST in u-boot sources)

# cat /sys/kernel/debug/gpio
GPIOs 0-19, ath79:
 gpio-0   (netgear:green:wan ) out hi    
 gpio-1   (netgear:amber:lan1) out hi    
 gpio-6   (netgear:amber:lan2) out hi    
 gpio-7   (netgear:green:wps ) out hi    
 gpio-8   (netgear:amber:lan3) out hi    
 gpio-11  (wps                 ) in  hi    
 gpio-12  (netgear:amber:lan4) out hi    
 gpio-13  (netgear:green:lan1) out lo    
 gpio-14  (netgear:green:lan2) out lo    
 gpio-15  (netgear:green:lan3) out lo    
 gpio-16  (netgear:green:lan4) out lo    
 gpio-17  (netgear:amber:wan ) out lo    

GPIOs 53-63, ath9k-phy0:
 gpio-54  (netgear:blue:wlan ) out lo    
 gpio-55  (netgear:amber:test) out hi    
 gpio-56  (netgear:green:powe) out lo    
 gpio-61  (reset               ) in  hi    
 gpio-62  (rfkill              ) in  hi    

On the V5 version, the buttons are connected to GPIOs. The LEDs are controlled by a HC164 8-bit shift register.

There is an SPI based driver in gpio-74×164.c and mach-rb91x.c provides an example. Netgear uses a bit-bang implementation, so these pins may not be capable of SPI function. From their released serial-led-gpio.c:

void serial_led_output(int val)
{
        int i;
        int bit_end;
        
        spin_lock(&my_lock);
        //printk("serial_led_output val = %x\n",val);
        for(i=0;i<8;i++)                //shift serial_led_flag to register
        { 
                bit_end = ((val>>i) & 1)?1:0;
                ath_gpio_out_val(LED_DATA,bit_end);
                ath_gpio_out_val(LED_SH,1);
                ath_gpio_out_val(LED_SH,0);
        }
        spin_unlock(&my_lock);
}

JTAG pins were found by removing the BGA from a WNR2000 and a TP-Link WR-1043ND (AR9132 with JTAG header) and comparing the PCB traces. The top side of the PCB is the one with the heatsinks.

(Be aware that there is no “I” row in the BGA counting!)

→ generic.debrick

User RoundSparrow posted this little how-to in the forum topic:

Experimenting with flashing, I've managed to mess up the firmware a few times. Good news is you can recover it. If you hold down reset (for like 30 seconds) while you turn on power to unit... it goes into tftp recover mode.

U-Boot 1.1.4.16-g04e9b8bf (May 14 2008 - 17:04:28)

AP81 (ar7100) U-boot
sri
32 MB
Top of RAM usable for U-Boot at: 82000000
Reserving 245k for U-Boot at: 81fc0000
Reserving 192k for malloc() at: 81f90000
Reserving 44 Bytes for Board Info at: 81f8ffd4
Reserving 36 Bytes for Global Data at: 81f8ffb0
Reserving 128k for boot params() at: 81f6ffb0
Stack Pointer at: 81f6ff98
Now running in RAM - U-Boot at: 81fc0000
id read 0x100000ff
flash size 4MB, sector count = 64
Flash: 4MB
In:    serial
Out:   serial
Err:   serial
Net:   ag7100_enet_initialize...
Fetching MAC Address from 0x81fea7b0
: cfg1 0xf cfg2 0x7114
eth0: 00:22:3f:0b:c5:9c
dup 1 speed 100
eth0 up
eth0
Factory Reset Mode
The Router is in TFTP Server Firmware Recovery mode NOW!
Listening on Port : 69, IP Address: 192.168.1.1...

I got the factory firmware back on by using tftp tips from this page: http://cyberstorm.altervista.org/wag354g/guides/howto_unbricking_wag354g_en.txt

There is a project allowing to build custom u-boot image https://github.com/realmicu/uboot-wnrmod2k It could be used if flash memory chip was replaced or to obtain additional functionality.

• Review at Smallnetbuilder.com
• Thread in OpenWrt Forum
• Another Thread with the quest for the JTAG pins