Christophe56
Jul 20, 2017 - Aspirant
N900 (WNDR4500v2) Web Administration not accessible
Hello, Overnight, the router's Web administration server became inaccessible: the port 80 was closed, but everything else was still functioning properly (Wi-Fi, local connectivity and Internet, e...
Christophe56
Jul 24, 2017 - Aspirant
Thank you ElaineM. Unfortunately, the router is no longer under warranty.
I ordered a USB to RS232 cable, but in the meantime I managed to get a shell on the router.
Using the netgear backdoor described here, with the Python (UDP version) script:
https://wiki.openwrt.org/toh/netgear/telnet.console
https://github.com/insanid/netgear-telenetenable
./telnetenable.py 192.168.1.1 <routermacaddr> admin password
Sent telnet enable payload to '192.168.1.1:23'
root@eeepc:/# telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
BusyBox v1.7.2 (2015-06-04 17:07:24 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
#
However, I cannot launch the HTTP server manually. Here are the error messages:
# httpd -E /usr/sbin/ca.pem /usr/sbin/httpsd.pem
Can't find handler for ASP command: eco_get_redirect_link();
Can't find handler for ASP command: cdl_cgi_set_hijack(0);
Can't find handler for ASP command: cdl_cgi_set_hijack(1);
Info: No FWPT default policies.
rmmod: l7_filter
insmod: cannot insert '/lib/modules/2.6.22/kernel/lib/MultiSsidCntl.ko': Success (17)
ioctl(BRCTL_SET_BCMCTF_ENABLE): Operation not supported
ioctl(BRCTL_SET_BCMCTF_ENABLE): Operation not supported
rmmod: /lib/modules/2.6.22/kernel/lib/AccessCntl.ko
[AFP]: 0 partitions found.
[AFP]: disk mountd:0 hfsplus mounted:0
[AFP]: no disk mounted.
killall: bftpd: no process killed
httpd: socket bound in 0.0.0.0:80.
httpd: socket bound in 0.0.0.0:443.
httpd_sig_usr:6060 buf:
handle_genie: don't know how to process url
and httpd kills itself.
I think the interesting error is "httpd_sig_usr:6060" (httpd received a bad signal?)
If I put an HTTP request into /tmp/tmp_http_request.txt I can remove the handle_genie error and get a new one:
# echo "GET shares HTTP/1.0" > /tmp/tmp_http_request.txt
# echo "Host: routerlogin.net" >> /tmp/tmp_http_request.txt
# httpd -E /usr/sbin/ca.pem /usr/sbin/httpsd.pem
Can't find handler for ASP command: eco_get_redirect_link();
Can't find handler for ASP command: cdl_cgi_set_hijack(0);
Can't find handler for ASP command: cdl_cgi_set_hijack(1);
Info: No FWPT default policies.
rmmod: l7_filter
insmod: cannot insert '/lib/modules/2.6.22/kernel/lib/MultiSsidCntl.ko': Success (17)
ioctl(BRCTL_SET_BCMCTF_ENABLE): Operation not supported
ioctl(BRCTL_SET_BCMCTF_ENABLE): Operation not supported
rmmod: /lib/modules/2.6.22/kernel/lib/AccessCntl.ko
[AFP]: 0 partitions found.
[AFP]: disk mountd:0 hfsplus mounted:0
[AFP]: no disk mounted.
killall: bftpd: no process killed
httpd: socket bound in 0.0.0.0:80.
httpd: socket bound in 0.0.0.0:443.
httpd_sig_usr:6060 buf:GET shares HTTP/1.0
Host: routerlogin.net
SendData3Client:763 error sending data.
But httpd is still killed...
Erasing the NVRAM and rebooting does not resolve the problem either.
- Does this problem ring a bell for anyone?
- Can I flash the firmware from this console? Currently the firmware on the router is 1.0.0.60/1.0.38 and I would like to update it to 1.0.0.62/1.0.39, hoping that the update fixes the problem. I am able to upload WNDR4500v2-V1.0.0.62_1.0.39.chk to the router using wget but I don't know how to tell the router that it should apply it.
Christophe56
Jul 24, 2017 - Aspirant
Thanks to AndyOxon I succeeded in unbricking my router!
I bought this cable (2.46€): niceeshop(TM) PL2303HX USB TTL Pour UART COM RS232 Câble Module Convertisseur (Noir, 1m)
https://www.amazon.fr/gp/product/B00F167PWE/ref=oh_aui_detailpage_o01_s00?ie=UTF8&psc=1
And I connected it to the router as shown here, switching TXD and RXD:
https://www.myopenrouter.com/article/how-set-serial-console-netgear-wndr4500v2
1- nothing
2- TXD, green cable
3- nothing
4- nothing
5- RXD, white cable
6- GND, black cable
I connected my laptop to the router on Ethernet port LAN1, and over USB with the PL2303HX cable.
Then, on my laptop, using Linux and picocom:
picocom -s 115200 /dev/ttyUSB0
I started by doing a normal boot and waited for a shell. Then I held CTRL + C at the picocom prompt and physically rebooted the router. A CFE prompt appeared. I executed the following command:
CFE> nvram erase
*** command status = 0
In another shell on my laptop, I connected to the router over TFTP:
tftp> connect 192.168.1.1
tftp> mode binary
tftp> timeout 90
tftp> put WNDR4500v2-V1.0.0.62_1.0.39.chk
Do not hit enter after the "put" command!
Back to the CFE shell in picocom:
CFE> flash -noheader : flash1.trx
Press Enter and very quickly switch to the shell with TFTP and also press Enter to validate the "put" command.
CFE> flash -noheader : flash1.trx
Reading :: Done. 12804154 bytes read
Programming...done. 12804154 bytes written
*** command status = 0
CFE> reboot
Decompressing...done
and then... it does not work for me... yet.
This boot ends with:
Checking crc...Invalid boot block on disk
[...]
Start TFTP server
Reading ::
Go back to the TFTP shell and execute the "put" command again. In the picocom shell:
Reading :: Done. 12804154 bytes read
Programming...done. 12804154 bytes written
Decompressing...done
[...]
And now it's all good! The router is fully functional using firmware 1.0.0.62_1.0.39 (and the telnet backdoor is still there...).
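The timing-sensitive step in the post above (pressing Enter on the CFE `flash` command and then racing to confirm the TFTP `put`) can be handled by a client that repeats its write request until the router's TFTP server answers. This is an added example, not code from the original post or from NETGEAR; the function names, the default remote filename and the retry values are assumptions, and it implements plain RFC 1350 binary mode.

```python
import socket
import struct

OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 2, 3, 4, 5
BLOCK = 512  # RFC 1350 fixed block size


def _await_ack(sock, block, peer):
    """Return the address that ACKed `block`, or None on timeout."""
    while True:
        try:
            pkt, addr = sock.recvfrom(1024)
        except socket.timeout:
            return None
        if len(pkt) < 4 or (peer is not None and addr != peer):
            continue  # runt packet or datagram from another transfer ID
        op, num = struct.unpack("!HH", pkt[:4])
        if op == OP_ERROR:
            raise IOError("TFTP error %d: %r" % (num, pkt[4:]))
        if op == OP_ACK and num == block:
            return addr


def tftp_put(host, data, name="firmware.chk", port=69, wait=1.0, tries=90):
    """Binary TFTP write of `data`; returns the number of DATA blocks sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(wait)
        wrq = struct.pack("!H", OP_WRQ) + name.encode() + b"\0octet\0"
        peer = None
        for _ in range(tries):  # keep knocking until the server is listening
            sock.sendto(wrq, (host, port))
            peer = _await_ack(sock, 0, None)
            if peer:
                break
        if not peer:
            raise TimeoutError("no TFTP server answered at %s:%d" % (host, port))
        blocks = 0
        for off in range(0, len(data) + 1, BLOCK):  # +1 forces a short final block
            blocks += 1
            pkt = struct.pack("!HH", OP_DATA, blocks & 0xFFFF) + data[off:off + BLOCK]
            for _ in range(tries):
                sock.sendto(pkt, peer)
                if _await_ack(sock, blocks & 0xFFFF, peer):
                    break
            else:
                raise TimeoutError("block %d was never acknowledged" % blocks)
        return blocks
```

Start it before pressing Enter on the CFE `flash` command, for example `tftp_put("192.168.1.1", open("WNDR4500v2-V1.0.0.62_1.0.39.chk", "rb").read())`; the write request is then resent once per second until the router accepts it.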