NETGEAR WNR2200

When flashing from the official firmware, always use the one with factory in its name. Note, however, that there are two factory images created for the WNR2200. One has 'NA' on the end, and the other doesn't. From my research, the 'NA' stands for 'North America'. However, it also seems that Netgear did not make a different firmware for North Americans. Not being from North America, I didn't care about this and just flashed the one without 'NA' in its name. If you are from North America, then you should probably contact someone on IRC, the mailing lists or the forums to get a more definite answer. I also saw that Netgear listed on their website that there are firmware differences between the worldwide versions and the Russian and Chinese versions, so if you're from Russia or China, you might want to ask someone before flashing as well.

Factory firmware, as well as firmware distributed from the official site has 128 byte header, which consists of 3-4 lines of plain text padded with 0x00 bytes. The official web interface checks for correct device identifier (in this case wnr2200) and when it's present, compares the version and shows a warning when you try to downgrade it. Firmware named factory-NA has line “region:NA” in it. Example header from an official firmware image:

device:wnr2200
version:V1.0.2.24
region:

Other than that, the last byte of the image contains a checksum. A program tools/firmware-utils/src/mkdniimg.c from OpenWRT source tree contains code which can create images of this format.

The difference between routers sold in Russia and China and other version is flash size. Russian router has MX25L12845EMI-10G which is 16 legged SPI chip with 16M of NOR flash. It is sometimes marketed as WNR2200-100RUS, but router label just says WNR2200.

However, as far as I can see, there is difference between labels on 100RUS and WW versions: Russian (16M) version has three fields with adhesive stickers: SECURITY PIN, SERIAL, MAC; While version sold elsewhere (8M) has four: WiFi Network Name (SSID), Network Key (Password), SERIAL, MAC. It could be used as a clue, but this observation is based on only couple of routers and only definitive ways to determine fw size are via terminal or by looking at the chip itself.

If you are unsure of which version to flash, do not flash. You could end up bricking your router if you flash the wrong version.

To flash OpenWrt from factory firmware, you just connect to your router over LAN and select the openwrt-ar71xx-generic-wnr2200-squashfs-factory.img firmware under Advanced → Firmware upgrade → Manual (or similar) and confirm that you want to flash OpenWrt.

The OpenWrt web interface has an option to flash new firmware over it. If it doesn't work, sysupgrade script can be used from terminal.

Update can also be done manually by flashing sysupgrade.bin image onto “firmware” partition with mtd write command. Please make sure, first four bytes of image you are about flash are 2200 (32 32 30 30 in hex).

If you want to flash official firmware from OpenWRT you need to strip 128 byte-long header first.

So to flash OpenWrt manually over tftp (without a serial console), you'll have to boot into recovery mode. (Using Reset button is not necessarily mandatory, probably other hardware buttons will work as well).

  1. Turn the router off
  2. Use a long, thin object (e.g. a toothpick) to hold down the button marked “Restore Factory Settings” (or something similar).
  3. Turn the router on, while still holding down the button with the long, thin object
  4. The 'power' LED will start to flash. Wait for it to stay lit green. Then release the button.
  5. Set your computer a static IP of 192.168.1.2 and connect to the router to you computer using the LAN1 port on the WNR2200.
  6. Follow the OS-specific tftp instructions to flash the image onto the router.

tftp instructions on Linux:

  1. Open a terminal in the directory where you have downloaded the firmware
  2. Type 'tftp'. (If you don't have tftp installed, install it.)
  3. Type the following commands:
connect 192.168.1.1
binary
rexmt 1
timeout 60
put "path_to/openwrt-ar71xx-generic-wnr2200-squashfs-factory.img"

tftp instructions on Windows:

First, you need to download a special tftp client, that has more options than the one built into Windows has. You can download it here. Then execute tftp.exe using the following commandline:

tftp.exe -v -i -b8192 -t255 192.168.1.1 PUT "path_to\openwrt-ar71xx-generic-wnr2200-squashfs-factory.img"

Make sure, that tftp.exe doesn't throws any errors. If so, retry the command until tftp executes successfully.

Final steps

Once you've done all of this, wait around 3 to 7 minutes (you can see that the update is in progress, when a pairs of yellow leds goes on; its finished, when the power led turns solid green) and then reconnect to your router. If all goes well, you should be able to access your router using telnet on 192.168.1.1:23.

Do NOT touch the router during the update or you could possibly render it unusable.

Serial output while flashing openwrt

  1. Serial connection: on the top, right corner there is already a serial connector. When holding the device with the LAN/Power connectors down, the pinout is like this: <Ground> <RX> <TX> <3,3V> (Hint: You do not need to connect 3,3V when turning the device with the original power supply)
  2. the 3,3V pin have a white dot next to it
  3. port settings: Speed:115200, Data bits:8, Stop bits:1, Parity:none, Flow control:none

U-Boot 1.1.4-gab090933 (Sep 19 2011 - 12:51:47) WNR2200 (ar7241) U-boot dni25 V1.5 DRAM: sri ar7240_ddr_initial_config(139): virian ddr1 init #### TAP VALUE 1 = 0x2, 2 = 0x2 [0x0: 0x0] 64 MB Top of RAM usable for U-Boot at: 84000000 Reserving 281k for U-Boot at: 83fb8000 Reserving 192k for malloc() at: 83f88000 Reserving 44 Bytes for Board Info at: 83f87fd4 Reserving 36 Bytes for Global Data at: 83f87fb0 Reserving 128k for boot params() at: 83f67fb0 Stack Pointer at: 83f67f98 Now running in RAM - U-Boot at: 83fb8000 id read 0x100000ff sector count = 128 Flash: 8 MB In: serial Out: serial Err: serial Net: ag7240_enet_initialize... Fetching MAC Address from 0x83fe9d50 Fetching MAC Address from 0x83fe9d50 Virian MDC CFG Value ==> 4 : XXXXXXXXXXXX eth0: XXXXXXXXXXXXXX eth0 up Virian MDC CFG Value ==> 4 : XXXXXXXXXXXXX eth1: XXXXXXXXXXXXX ATHRS26: resetting s26 ATHRS26: s26 reset done eth1 up eth0, eth1 Trying eth1et Mode dup 1 speed 1000 The Router is in TFTP Server Firmware Recovery mode NOW! Listening on Port : 69, IP Address: 192.168.1.1... Upgrade Mode Rcv: ................................................................. ................................................................. ................................................................. ................................................................. ................................................................. ................................................................. ................................................................. ................................................................. ................................................................. ................................................................. .......................................... Done! Bytes transferred = 3539077 (360085 hex) Erase Flash from 0x9f050000 to 0x9f05ffff in Bank # 1 First 0x5 last 0x5 sector size 0x10000 5 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f060000 to 0x9f06ffff in Bank # 1 First 0x6 last 0x6 sector size 0x10000 6 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f070000 to 0x9f07ffff in Bank # 1 First 0x7 last 0x7 sector size 0x10000 7 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f080000 to 0x9f08ffff in Bank # 1 First 0x8 last 0x8 sector size 0x10000 8 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f090000 to 0x9f09ffff in Bank # 1 First 0x9 last 0x9 sector size 0x10000 9 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f0a0000 to 0x9f0affff in Bank # 1 First 0xa last 0xa sector size 0x10000 10 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f0b0000 to 0x9f0bffff in Bank # 1 First 0xb last 0xb sector size 0x10000 11 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f0c0000 to 0x9f0cffff in Bank # 1 First 0xc last 0xc sector size 0x10000 12 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f0d0000 to 0x9f0dffff in Bank # 1 First 0xd last 0xd sector size 0x10000 13 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f0e0000 to 0x9f0effff in Bank # 1 First 0xe last 0xe sector size 0x10000 14 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f0f0000 to 0x9f0fffff in Bank # 1 First 0xf last 0xf sector size 0x10000 15 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f100000 to 0x9f10ffff in Bank # 1 First 0x10 last 0x10 sector size 0x10000 16 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f110000 to 0x9f11ffff in Bank # 1 First 0x11 last 0x11 sector size 0x10000 17 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f120000 to 0x9f12ffff in Bank # 1 First 0x12 last 0x12 sector size 0x10000 18 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f130000 to 0x9f13ffff in Bank # 1 First 0x13 last 0x13 sector size 0x10000 19 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f140000 to 0x9f14ffff in Bank # 1 First 0x14 last 0x14 sector size 0x10000 20 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f150000 to 0x9f15ffff in Bank # 1 First 0x15 last 0x15 sector size 0x10000 21 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f160000 to 0x9f16ffff in Bank # 1 First 0x16 last 0x16 sector size 0x10000 22 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f170000 to 0x9f17ffff in Bank # 1 First 0x17 last 0x17 sector size 0x10000 23 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f180000 to 0x9f18ffff in Bank # 1 First 0x18 last 0x18 sector size 0x10000 24 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f190000 to 0x9f19ffff in Bank # 1 First 0x19 last 0x19 sector size 0x10000 25 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f1a0000 to 0x9f1affff in Bank # 1 First 0x1a last 0x1a sector size 0x10000 26 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f1b0000 to 0x9f1bffff in Bank # 1 First 0x1b last 0x1b sector size 0x10000 27 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f1c0000 to 0x9f1cffff in Bank # 1 First 0x1c last 0x1c sector size 0x10000 28 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f1d0000 to 0x9f1dffff in Bank # 1 First 0x1d last 0x1d sector size 0x10000 29 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f1e0000 to 0x9f1effff in Bank # 1 First 0x1e last 0x1e sector size 0x10000 30 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f1f0000 to 0x9f1fffff in Bank # 1 First 0x1f last 0x1f sector size 0x10000 31 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f200000 to 0x9f20ffff in Bank # 1 First 0x20 last 0x20 sector size 0x10000 32 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f210000 to 0x9f21ffff in Bank # 1 First 0x21 last 0x21 sector size 0x10000 33 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f220000 to 0x9f22ffff in Bank # 1 First 0x22 last 0x22 sector size 0x10000 34 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f230000 to 0x9f23ffff in Bank # 1 First 0x23 last 0x23 sector size 0x10000 35 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f240000 to 0x9f24ffff in Bank # 1 First 0x24 last 0x24 sector size 0x10000 36 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f250000 to 0x9f25ffff in Bank # 1 First 0x25 last 0x25 sector size 0x10000 37 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f260000 to 0x9f26ffff in Bank # 1 First 0x26 last 0x26 sector size 0x10000 38 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f270000 to 0x9f27ffff in Bank # 1 First 0x27 last 0x27 sector size 0x10000 39 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f280000 to 0x9f28ffff in Bank # 1 First 0x28 last 0x28 sector size 0x10000 40 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f290000 to 0x9f29ffff in Bank # 1 First 0x29 last 0x29 sector size 0x10000 41 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f2a0000 to 0x9f2affff in Bank # 1 First 0x2a last 0x2a sector size 0x10000 42 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f2b0000 to 0x9f2bffff in Bank # 1 First 0x2b last 0x2b sector size 0x10000 43 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f2c0000 to 0x9f2cffff in Bank # 1 First 0x2c last 0x2c sector size 0x10000 44 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f2d0000 to 0x9f2dffff in Bank # 1 First 0x2d last 0x2d sector size 0x10000 45 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f2e0000 to 0x9f2effff in Bank # 1 First 0x2e last 0x2e sector size 0x10000 46 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f2f0000 to 0x9f2fffff in Bank # 1 First 0x2f last 0x2f sector size 0x10000 47 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f300000 to 0x9f30ffff in Bank # 1 First 0x30 last 0x30 sector size 0x10000 48 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f310000 to 0x9f31ffff in Bank # 1 First 0x31 last 0x31 sector size 0x10000 49 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f320000 to 0x9f32ffff in Bank # 1 First 0x32 last 0x32 sector size 0x10000 50 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f330000 to 0x9f33ffff in Bank # 1 First 0x33 last 0x33 sector size 0x10000 51 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f340000 to 0x9f34ffff in Bank # 1 First 0x34 last 0x34 sector size 0x10000 52 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f350000 to 0x9f35ffff in Bank # 1 First 0x35 last 0x35 sector size 0x10000 53 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f360000 to 0x9f36ffff in Bank # 1 First 0x36 last 0x36 sector size 0x10000 54 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f370000 to 0x9f37ffff in Bank # 1 First 0x37 last 0x37 sector size 0x10000 55 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f380000 to 0x9f38ffff in Bank # 1 First 0x38 last 0x38 sector size 0x10000 56 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f390000 to 0x9f39ffff in Bank # 1 First 0x39 last 0x39 sector size 0x10000 57 Erased 1 sectors Alive-timer 0 Erase Flash from 0x9f3a0000 to 0x9f3affff in Bank # 1 First 0x3a last 0x3a sector size 0x10000 58 Erased 1 sectors timestamp overflows Alive-timer 23 Active-timer expires Erase Flash from 0x9f3b0000 to 0x9f3bffff in Bank # 1 First 0x3b last 0x3b sector size 0x10000 59 Erased 1 sectors Alive-timer 0 Copy image to Flash... write addr: 9f050000 Alive-timer 0 write addr: 9f060000 Alive-timer 0 write addr: 9f070000 Alive-timer 0 write addr: 9f080000 Alive-timer 0 write addr: 9f090000 Alive-timer 0 write addr: 9f0a0000 Alive-timer 0 write addr: 9f0b0000 Alive-timer 0 write addr: 9f0c0000 Alive-timer 0 write addr: 9f0d0000 Alive-timer 0 write addr: 9f0e0000 Alive-timer 0 write addr: 9f0f0000 Alive-timer 0 write addr: 9f100000 Alive-timer 0 write addr: 9f110000 Alive-timer 0 write addr: 9f120000 Alive-timer 0 write addr: 9f130000 Alive-timer 0 write addr: 9f140000 Alive-timer 0 write addr: 9f150000 Alive-timer 0 write addr: 9f160000 Alive-timer 0 write addr: 9f170000 Alive-timer 0 write addr: 9f180000 Alive-timer 0 write addr: 9f190000 Alive-timer 0 write addr: 9f1a0000 Alive-timer 0 write addr: 9f1b0000 Alive-timer 0 write addr: 9f1c0000 Alive-timer 0 write addr: 9f1d0000 Alive-timer 0 write addr: 9f1e0000 Alive-timer 0 write addr: 9f1f0000 Alive-timer 0 write addr: 9f200000 Alive-timer 0 write addr: 9f210000 Alive-timer 0 write addr: 9f220000 Alive-timer 0 write addr: 9f230000 Alive-timer 0 write addr: 9f240000 Alive-timer 0 write addr: 9f250000 Alive-timer 0 write addr: 9f260000 Alive-timer 0 write addr: 9f270000 Alive-timer 0 write addr: 9f280000 Alive-timer 0 write addr: 9f290000 Alive-timer 0 write addr: 9f2a0000 Alive-timer 0 write addr: 9f2b0000 Alive-timer 0 write addr: 9f2c0000 Alive-timer 0 write addr: 9f2d0000 Alive-timer 0 write addr: 9f2e0000 Alive-timer 0 write addr: 9f2f0000 Alive-timer 0 write addr: 9f300000 Alive-timer 0 write addr: 9f310000 Alive-timer 0 write addr: 9f320000 Alive-timer 0 write addr: 9f330000 Alive-timer 0 write addr: 9f340000 Alive-timer 0 write addr: 9f350000 Alive-timer 0 write addr: 9f360000 Alive-timer 0 write addr: 9f370000 Alive-timer 0 write addr: 9f380000 Alive-timer 0 write addr: 9f390000 Alive-timer 0 write addr: 9f3a0000 Alive-timer 0 write addr: 9f3b0000 Alive-timer 0 Done Rebooting... Resetting...


  1. Supported serial commands

ar7240> help autoscr - run script from memory ? - alias for 'help' base - print or set address offset bdinfo - print Board Info structure board_hw_id_set - set board_hw_id board_hw_id_show - Show board_hw_id board_model_id_set - set board_model_id board_model_id_show - Show board_model_id board_passphrase_set - set passphrase on board board_passphrase_show - Show board_passphrase board_ssid_set - set ssid on board board_ssid_show - Show board_ssid boot - boot default, i.e., run 'bootcmd' bootd - boot default, i.e., run 'bootcmd' bootelf - Boot from an ELF image in memory bootm - boot application image from memory bootp - boot image via network using BootP/TFTP protocol bootvx - Boot vxWorks from an ELF image cmp - memory compare coninfo - print console devices and information cp - memory copy crc32 - checksum calculation fls - Set to change DDR settings on reboot dhcp - invoke DHCP client to obtain IP/boot params echo - echo args to console erase - erase FLASH memory ethreg - S26 PHY Reg rd/wr utility exit - exit script flinfo - print FLASH memory information fls - Set to change Flash size on reboot fsinfo - print information about filesystems fsload - load binary file from a filesystem image go - start application at address 'addr' help - print online help iminfo - print header information for application image imls - list all images found in flash itest - return true/false on integer compare loadb - load binary file over serial line (kermit mode) loads - load S-Record file over serial line loady - load binary file over serial line (ymodem mode) loop - infinite loop on address range ls - list files in a directory (default /) macset - Set ethernet MAC address macshow - Show ethernet MAC addresses md - memory display mii - MII utility commands mm - memory modify (auto-incrementing) mtest - simple RAM test mw - memory write (fill) nfs - boot image via network using NFS protocol nm - memory modify (constant address) pci - list and access PCI Configuration Space ping - send ICMP ECHO_REQUEST to network host pll - Set to change CPU/AHB/DDR speeds printenv- print environment variables progmac - Set ethernet MAC addresses protect - enable or disable FLASH write protection rarpboot- boot image via network using RARP/TFTP protocol reset - Perform RESET of the CPU rnset - set region number rnshow - Show Region Number on Board run - run commands in an environment variable saveenv - save environment variables to persistent storage setenv - set environment variables sleep - delay execution for some time snset - set serial number test - minimal test like /bin/sh tftpboot- boot image via network using TFTP protocol version - print monitor version wmacset - Set wlan MAC address wpspinset - set wpspin number ar7240> board_hw_id_show board_hw_id : �������������� ar7240> rnshow region on board: 0x0003 ar7240> coninfo List of available devices: serial 80000003 SIO stdin stdout stderr


Flashing 16M RU/CN model via bootloader

There are indications that NMRP protocol can be used to flash it. TFTP recovery method might also work, but can be tricky. Try to watch for power LED, if it starts flashing dimly it is indication, that router is in recovery/upgrade mode.

port.serial general information about the serial port, serial port cable, etc.

The serial port is found at JP1. Pin 1 is marked with dot.

Pin Description
1 VCC
2 RX
3 TX
4 GND

GPIO LEDs and buttons on this device are connected to GPIO controllers on AR7241 SoC and AR9287 wireless chip.

Controlled by AR7241 SoC (20 GPIOs total, some shared with JTAG or built-in Ethernet switch) :

Type Function GPIO Polarity Notes
LED LAN2 AMBER 0 (0, 0) active low
LED LAN4 AMBER 1 (0, 1) active low
LED LAN1 AMBER 6 (0, 6) active low shared with JTAG - see note [0]
LED WPS GREEN 7 (0, 7) active low shared with JTAG - see note [0]
LED USB GREEN 8 (0, 8) active low shared with JTAG - see note [0]
LED LAN3 AMBER 11 (0, 11) active low
LED WAN AMBER 12 (0, 12) active low
LED LAN1 GREEN 13 (0, 13) active low link activity - see note [1]
LED LAN2 GREEN 14 (0, 14) active low link activity - see note [1]
LED LAN3 GREEN 15 (0, 15) active low link activity - see note [1]
LED LAN4 GREEN 16 (0, 16) active low link activity - see note [1]
LED WAN GREEN 17 (0, 17) active low link activity - see note [1]

Controlled by AR9287 wireless chip (11 GPIOs total) :

Type Function GPIO Polarity Notes
LED WLAN BLUE 53 (1, 0) active low not all triggers work - see note [2]
LED POWER AMBER 54 (1, 1) active low aka TEST AMBER - see note [3]
LED POWER GREEN 55 (1, 2) active low
Button RFKILL 56 (1, 3) active low
PWR USB +5V 57 (1, 4) active high
Button WPS 58 (1, 5) active low
Button RESET 59 (1, 6) active low

Notes:

  • [0] - needs reprogramming of SoC to deallocate GPIO pins from JTAG
  • [1] - needs reprogramming of SoC to deallocate GPIO pins from built-in Ethernet switch; required for different link speed colors
  • [2] - 'phy0radio' trigger does not work, use default 'phy0tpt' or 'wlan0' netdevice instead
  • [3] - this is amber light on power LED (labelled TEST in u-boot sources)

GPIO in OpenWrt

# cat /sys/kernel/debug/gpio
GPIOs 0-19, ath79:
 gpio-0   (netgear:amber:lan2  ) out hi    
 gpio-1   (netgear:amber:lan4  ) out hi    
 gpio-6   (netgear:amber:lan1  ) out hi    
 gpio-7   (netgear:green:wps   ) out hi    
 gpio-8   (netgear:green:usb   ) out hi    
 gpio-11  (netgear:amber:lan3  ) out hi    
 gpio-12  (netgear:amber:wan   ) out hi    
 gpio-13  (netgear:green:lan1  ) out lo    
 gpio-14  (netgear:green:lan2  ) out lo    
 gpio-15  (netgear:green:lan3  ) out lo    
 gpio-16  (netgear:green:lan4  ) out lo    
 gpio-17  (netgear:green:wan   ) out lo    

GPIOs 53-63, ath9k-phy0:
 gpio-53  (netgear:blue:wlan   ) out lo    
 gpio-54  (netgear:amber:test  ) out hi    
 gpio-55  (netgear:green:power ) out lo    
 gpio-56  (rfkill              ) in  hi    
 gpio-58  (wps                 ) in  hi    
 gpio-59  (reset               ) in  hi    

There is a project allowing to build custom u-boot image https://github.com/realmicu/uboot-wnrmod2k It could be used if flash memory chip was replaced or to obtain additional functionality.

Starting kernel ... [ 0.000000] Linux version 4.1.16 (micu@kosmio) (gcc version 5.3.0 (OpenWrt GCC 5.3.0 r49022) ) #1 Sat Mar 26 15:29:28 UTC 2016 [ 0.000000] bootconsole [early0] enabled [ 0.000000] CPU0 revision is: 00019374 (MIPS 24Kc) [ 0.000000] SoC: Atheros AR7241 rev 1 [ 0.000000] Determined physical RAM map: [ 0.000000] memory: 04000000 @ 00000000 (usable) [ 0.000000] Initrd not found or empty - disabling initrd [ 0.000000] Zone ranges: [ 0.000000] Normal [mem 0x0000000000000000-0x0000000003ffffff] [ 0.000000] Movable zone start for each node [ 0.000000] Early memory node ranges [ 0.000000] node 0: [mem 0x0000000000000000-0x0000000003ffffff] [ 0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000003ffffff] [ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes. [ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes [ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16256 [ 0.000000] Kernel command line: board=WNR2200 console=ttyS0,115200 mtdparts=spi0.0:256k(u-boot)ro,64k(u-boot-env)ro,7808k(firmware),64k(art)ro rootfstype=squashfs,jffs2 noinitrd [ 0.000000] PID hash table entries: 256 (order: -2, 1024 bytes) [ 0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes) [ 0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes) [ 0.000000] Writing ErrCtl register=00000000 [ 0.000000] Readback ErrCtl register=00000000 [ 0.000000] Memory: 60612K/65536K available (2890K kernel code, 143K rwdata, 372K rodata, 296K init, 200K bss, 4924K reserved, 0K cma-reserved) [ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1 [ 0.000000] NR_IRQS:83 [ 0.000000] Clocks: CPU:360.000MHz, DDR:360.000MHz, AHB:180.000MHz, Ref:40.000MHz [ 0.000000] clocksource MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 10618113593 ns [ 0.000014] sched_clock: 32 bits at 180MHz, resolution 5ns, wraps every 11930464253ns [ 0.007807] Calibrating delay loop... 239.61 BogoMIPS (lpj=1198080) [ 0.080395] pid_max: default: 32768 minimum: 301 [ 0.085157] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes) [ 0.091667] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes) [ 0.102638] clocksource jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns [ 0.114029] NET: Registered protocol family 16 [ 0.120242] MIPS: machine is NETGEAR WNR2200 [ 0.567109] registering PCI controller with io_map_base unset [ 0.615931] PCI host bridge to bus 0000:00 [ 0.619956] pci_bus 0000:00: root bus resource [mem 0x10000000-0x13ffffff] [ 0.626798] pci_bus 0000:00: root bus resource [io 0x0000] [ 0.632273] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0] [ 0.639008] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff] [ 0.646929] pci 0000:00:00.0: fixup device configuration [ 0.654460] pci 0000:00:00.0: BAR 0: assigned [mem 0x10000000-0x1000ffff 64bit] [ 0.661671] pci 0000:00:00.0: using irq 40 for pin 1 [ 0.667642] Switched to clocksource MIPS [ 0.673155] NET: Registered protocol family 2 [ 0.679179] TCP established hash table entries: 1024 (order: 0, 4096 bytes) [ 0.686062] TCP bind hash table entries: 1024 (order: 0, 4096 bytes) [ 0.692410] TCP: Hash tables configured (established 1024 bind 1024) [ 0.698837] UDP hash table entries: 256 (order: 0, 4096 bytes) [ 0.704591] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes) [ 0.711198] NET: Registered protocol family 1 [ 0.716827] futex hash table entries: 256 (order: -1, 3072 bytes) [ 0.748322] squashfs: version 4.0 (2009/01/31) Phillip Lougher [ 0.754051] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc. [ 0.766992] io scheduler noop registered [ 0.770895] io scheduler deadline registered (default) [ 0.776279] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled [ 0.787246] console [ttyS0] disabled [ 0.810861] serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11, base_baud = 11250000) is a 16550A [ 0.819465] console [ttyS0] enabled [ 0.819465] console [ttyS0] enabled [ 0.826398] bootconsole [early0] disabled [ 0.826398] bootconsole [early0] disabled [ 0.841048] m25p80 spi0.0: found mx25l6405d, expected m25p80 [ 0.846774] m25p80 spi0.0: mx25l6405d (8192 Kbytes) [ 0.851789] 4 cmdlinepart partitions found on MTD device spi0.0 [ 0.857752] Creating 4 MTD partitions on "spi0.0": [ 0.862577] 0x000000000000-0x000000040000 : "u-boot" [ 0.869002] 0x000000040000-0x000000050000 : "u-boot-env" [ 0.875596] 0x000000050000-0x0000007f0000 : "firmware" [ 0.891080] 2 netgear-fw partitions found on MTD device firmware [ 0.897149] 0x000000050000-0x000000177440 : "kernel" [ 0.903471] 0x000000177440-0x0000007f0000 : "rootfs" [ 0.909825] mtd: device 4 (rootfs) set to be root filesystem [ 0.915575] 1 squashfs-split partitions found on MTD device rootfs [ 0.921860] 0x0000003a0000-0x0000007f0000 : "rootfs_data" [ 0.928721] 0x0000007f0000-0x000000800000 : "art" [ 0.954144] libphy: ag71xx_mdio: probed [ 1.549369] ag71xx ag71xx.0: connected to PHY at ag71xx-mdio.1:04 [uid=004dd041, driver=Generic PHY] [ 1.559689] eth0: Atheros AG71xx at 0xb9000000, irq 4, mode:MII [ 2.149137] ag71xx-mdio.1: Found an AR7240/AR9330 built-in switch [ 2.191334] eth1: Atheros AG71xx at 0xba000000, irq 5, mode:GMII [ 2.202534] NET: Registered protocol family 10 [ 2.215265] NET: Registered protocol family 17 [ 2.219915] bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this. [ 2.232644] Bridge firewalling registered [ 2.236836] 8021q: 802.1Q VLAN Support v1.8 [ 2.254765] VFS: Mounted root (squashfs filesystem) readonly on device 31:4. [ 2.264621] Freeing unused kernel memory: 296K (803b6000 - 80400000) [ 3.647027] init: Console is alive [ 3.650854] init: - watchdog - [ 5.030719] usbcore: registered new interface driver usbfs [ 5.036387] usbcore: registered new interface driver hub [ 5.041968] usbcore: registered new device driver usb [ 5.054402] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver [ 5.062976] ehci-platform: EHCI generic platform driver [ 5.068433] ehci-platform ehci-platform: EHCI Host Controller [ 5.074269] ehci-platform ehci-platform: new USB bus registered, assigned bus number 1 [ 5.084433] ehci-platform ehci-platform: irq 3, io mem 0x1b000000 [ 5.107674] ehci-platform ehci-platform: USB 2.0 started, EHCI 1.00 [ 5.115307] hub 1-0:1.0: USB hub found [ 5.119598] hub 1-0:1.0: 1 port detected [ 5.138186] init: - preinit - [ 5.931330] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready Press the [f] key and hit [enter] to enter failsafe mode Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level [ 8.028838] eth1: link up (1000Mbps/Full duplex) [ 8.033567] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready [ 9.167585] jffs2: notice: (419) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found. [ 9.185346] mount_root: switching to jffs2 overlay [ 9.234519] eth1: link down [ 9.253527] procd: - early - [ 9.256583] procd: - watchdog - [ 9.992058] procd: - ubus - [ 10.143034] random: ubusd urandom read with 16 bits of entropy available [ 10.153184] procd: - init - Please press Enter to activate this console. [ 11.374684] ip6_tables: (C) 2000-2006 Netfilter Core Team [ 11.400669] Loading modules backported from Linux version v4.4-rc5-1913-gc8fdf68 [ 11.408187] Backport generated by backports.git backports-20151218-0-g2f58d9d [ 11.419754] ip_tables: (C) 2000-2006 Netfilter Core Team [ 11.439185] nf_conntrack version 0.5.0 (951 buckets, 3804 max) [ 11.489967] xt_time: kernel timezone is -0000 [ 11.573523] PPP generic driver version 2.4.2 [ 11.581594] NET: Registered protocol family 24 [ 11.641383] PCI: Enabling device 0000:00:00.0 (0000 -> 0002) [ 11.652304] ath: phy0: Ignoring endianness difference in EEPROM magic bytes. [ 11.659468] ath: phy0: eeprom contains invalid mac address: ff:ff:ff:ff:ff:ff [ 11.666664] ath: phy0: random mac address will be used: 26:dc:d5:fd:a2:39 [ 11.673507] ath: phy0: platform MAC address will be used: 2c:b0:5d:9b:be:55 [ 11.702625] ieee80211 phy0: Atheros AR9287 Rev:2 mem=0xb0000000, irq=40 [ 24.063329] device eth1 entered promiscuous mode [ 24.074630] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready [ 24.147745] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready [ 26.158852] eth1: link up (1000Mbps/Full duplex) [ 26.163559] br-lan: port 1(eth1) entered forwarding state [ 26.169070] br-lan: port 1(eth1) entered forwarding state [ 26.176612] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready [ 28.167654] br-lan: port 1(eth1) entered forwarding state [ 80.827696] random: nonblocking pool is initialized


Warning! Third party software! Unknown user! Dont use for regular work!

Images by Muessigb (no official developer!)

Compilation Date OpenWrt Base Version Notes and Changes Repository Download
15/05/15-a Chaos Calmer (trunk) Initial release. Note that USB is supported, LuCI is enabled by default and that it contains drivers for FAT and ext4 formatted usb sticks. It also contains alot of tools to use over SSH or telnet. The hardware buttons are not supported. here Worldwide North America
15/05/15-b Chaos Calmer (trunk) Same as above version, but with slightly more fs tools, HID and GPIO drivers. here Worldwide North America

Note, that as always the images come with no warranty. You can't make the contributors to OpenWrt nor Muessigb (the builder and patcher of the build above) liable if it doesn't work for you or you break your router.

The router's stock firmware from Netgear is an old OpenWrt(Kamikaze) which you can access over Telnet after using the old TCP telnetenable.exe. The username and password is Gearguy:Geardog. Here's the telnet output from a telnet unlocked stock WNR2200:

   === IMPORTANT ============================
    Use 'passwd' to set your login password
    this will disable telnet and enable SSH
   ------------------------------------------
   
   
  BusyBox v1.4.2 (2013-12-23 15:48:24 CST) Built-in shell (ash)
  Enter 'help' for a list of built-in commands.
   
    _______                     ________        __
   |       |.-----.-----.-----.|  |  |  |.----.|  |_
   |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
   |_______||   __|_____|__|__||________||__|  |____|
            |__| W I R E L E S S   F R E E D O M
   KAMIKAZE (7.09) -----------------------------------
    * 10 oz Vodka       Shake well with ice and strain
    * 10 oz Triple sec  mixture into 10 shot glasses.
    * 10 oz lime juice  Salute!
   ---------------------------------------------------
  root@WNR2200:/#
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2024/02/12 08:58
  • by 127.0.0.1