
N900 (WNDR4500v2) Web Administration not accessible

Christophe56
Aspirant

N900 (WNDR4500v2) Web Administration not accessible

Hello,

 

Overnight, the router's Web administration server became inaccessible: port 80 was closed, but everything else was still functioning properly (Wi-Fi, local connectivity and Internet, etc.). I had to change the configuration of the router so I tried a simple factory reset: the configuration of the router was successfully reset, but I still do not have access to the administration Web interface. The router is now unusable since I cannot modify the configuration, and I can only use the router with the default configuration.

 

I tried several techniques without success: factory reset, hard reset (30/30/30), TFTP (on Windows and Linux), connection by all LAN ports or by Wi-Fi, Netgear Genie, etc.

 

Here is an nmap scan with all open ports on the router:

 

Host is up (0.0028s latency).
Scanned at 2017-07-20 04:57:22 CEST for 6778s
Not shown: 65527 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain dnsmasq 2.15-OpenDNS-1
548/tcp open afp Netatalk 2.2.5 (name: WNDR4500v2; protocol 3.3)
1990/tcp open tcpwrapped
5000/tcp open tcpwrapped
5916/tcp open unknown
8200/tcp open tcpwrapped
20005/tcp open btx? NetUSB
33344/tcp open tcpwrapped NetUSB
MAC Address: C4:04:15:11:xx:xx (Netgear,)
Service Info: OS: Unix

curl http://192.168.1.1
curl: (7) Failed to connect to 192.168.1.1 port 80: Connection refused

 

Port 80 of the Web administration interface is not open.

 

I saw another person with the same problem but there is no solution:

 

http://www.tomshardware.co.uk/answers/id-2988795/netgear-wndr4500v2-wireless-router-issues.html

 

What can I do? Is the bug known? Thank you.

 

 

EDIT: OK, just found this thread:

 

https://community.netgear.com/t5/Wireless-N-Routers/WNDR4500v2-Router-Recovery-Using-UART-Serial-Con...

 

I will try this if no one has a better idea here 🙂

 

Model: WNDR4500v2|N900 Wireless Dual Band Gigabit Router
Message 1 of 4

Accepted Solutions
Christophe56
Aspirant

Re: N900 (WNDR4500v2) Web Administration not accessible

Thanks to @AndyOxon I succeeded in unbricking my router!

 

I bought this cable (2.46€): niceeshop(TM) PL2303HX USB TTL Pour UART COM RS232 Câble Module Convertisseur (Noir, 1m)

https://www.amazon.fr/gp/product/B00F167PWE/ref=oh_aui_detailpage_o01_s00?ie=UTF8&psc=1

 

 

And I connected it to the router like here, switching TXD and RXD:

https://www.myopenrouter.com/article/how-set-serial-console-netgear-wndr4500v2

 

1- nothing
2- TXD, green cable
3- nothing
4- nothing
5- RXD, white cable
6- GND, black cable

 

n900.jpg

 

I connected my laptop with the router on Ethernet port LAN1, and on USB with the PL2303HX cable.

 

Then, on my laptop, using Linux and picocom:

picocom -s 115200 /dev/ttyUSB0

I started by doing a normal boot and waited for a shell. Then, I held CTRL + C at the picocom prompt and rebooted (physically) the router. A CFE prompt appeared. I executed the following command:

CFE> nvram erase
*** command status = 0

In another shell on my laptop, I connected to the router over TFTP:

tftp> connect 192.168.1.1
tftp> mode binary
tftp> timeout 90
tftp> put WNDR4500v2-V1.0.0.62_1.0.39.chk

Do not hit enter after the "put" command!

 

Back to the CFE shell in picocom:

CFE> flash -noheader : flash1.trx

Press Enter and very quickly switch to the shell with TFTP and also press Enter to validate the "put" command.

CFE> flash -noheader : flash1.trx
Reading :: Done. 12804154 bytes read
Programming...done. 12804154 bytes written
*** command status = 0
CFE> reboot
Decompressing...done

and then... it does not work for me... yet.

This boot ends with:

Checking crc...Invalid boot block on disk
[...]
Start TFTP server
Reading ::

 

Go back to the TFTP shell and execute the "put" command again. In the picocom shell:

Reading :: Done. 12804154 bytes read
Programming...done. 12804154 bytes written
Decompressing...done
[...]

 

And now it's all good! The router is fully functional using firmware 1.0.0.62_1.0.39 (and the telnet backdoor is still there...).

 


Message 4 of 4
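A way to check a captured serial console transcript of the flash procedure described in the post above, as an added example that is not part of the original post. The function name `check_flash_log` is hypothetical, and the sample log is constructed from the CFE lines quoted in the post; it assumes CFE prints those lines in the same wording.

```python
import re

# Constructed sample: console capture modeled on the CFE output quoted in the post.
SAMPLE_LOG = """\
CFE> flash -noheader : flash1.trx
Reading :: Done. 12804154 bytes read
Programming...done. 12804154 bytes written
*** command status = 0
CFE> reboot
Decompressing...done
Checking crc...Invalid boot block on disk
Start TFTP server
Reading :: Done. 12804154 bytes read
Programming...done. 12804154 bytes written
Decompressing...done
"""

READ_RE = re.compile(r"Reading :: Done\. (\d+) bytes read")
WRITE_RE = re.compile(r"Programming\.\.\.done\. (\d+) bytes written")
STATUS_RE = re.compile(r"\*\*\* command status = (-?\d+)")

def check_flash_log(log_text, image_size):
    """Return a list of problems in a CFE flash transcript (empty list = consistent)."""
    problems = []
    reads = [int(n) for n in READ_RE.findall(log_text)]
    writes = [int(n) for n in WRITE_RE.findall(log_text)]
    if not reads:
        problems.append("no completed TFTP read: the 'put' never reached CFE")
    if len(writes) < len(reads):
        problems.append("a read finished without a matching 'Programming...done'")
    for i, (r, w) in enumerate(zip(reads, writes), 1):
        # Every pass must transfer and program exactly the local image size.
        if r != image_size:
            problems.append(f"pass {i}: CFE read {r} bytes, image is {image_size}")
        if w != r:
            problems.append(f"pass {i}: wrote {w} bytes but read {r}")
    for code in STATUS_RE.findall(log_text):
        if int(code) != 0:
            problems.append(f"CFE command returned status {code}")
    # A recovery TFTP server with no completed read after it is still waiting.
    last_tftp = log_text.rfind("Start TFTP server")
    if last_tftp != -1 and not READ_RE.search(log_text, last_tftp):
        problems.append("router is waiting in TFTP recovery: repeat the 'put'")
    return problems
```

Pass the size of the local `.chk` file (for example from `os.path.getsize`) as `image_size`.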

All Replies
ElaineM
NETGEAR Employee Retired

Re: N900 (WNDR4500v2) Web Administration not accessible

Welcome to the community, @Christophe56

 

Looks like you have done most of the troubleshooting and at this point it can already be considered faulty.

If this is still in warranty then you may want to contact support and get it replaced.

 

How do I request a Return Material Authorization (RMA)?

 

When you contact support, have them record all the troubleshooting steps you have done so they can determine that it's already due for an RMA.

Message 2 of 4
Christophe56
Aspirant

Re: N900 (WNDR4500v2) Web Administration not accessible

Thank you @ElaineM. Unfortunately, the router is no longer under warranty.

 

I ordered a USB to RS232 cable, but in the meantime I managed to get a shell on the router.

 

Using the netgear backdoor described here, with the Python (UDP version) script:

https://wiki.openwrt.org/toh/netgear/telnet.console
https://github.com/insanid/netgear-telenetenable

 

./telnetenable.py 192.168.1.1 <routermacaddr> admin password
Sent telnet enable payload to '192.168.1.1:23'
root@eeepc:/# telnet 192.168.1.1 
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
BusyBox v1.7.2 (2015-06-04 17:07:24 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
#

 

However, I cannot launch the http server manually. Here are the error messages:

 

# httpd -E /usr/sbin/ca.pem /usr/sbin/httpsd.pem
Can't find handler for ASP command: eco_get_redirect_link();
Can't find handler for ASP command: cdl_cgi_set_hijack(0);
Can't find handler for ASP command: cdl_cgi_set_hijack(1);
Info: No FWPT default policies.
rmmod: l7_filter
insmod: cannot insert '/lib/modules/2.6.22/kernel/lib/MultiSsidCntl.ko': Success (17)
ioctl(BRCTL_SET_BCMCTF_ENABLE): Operation not supported
ioctl(BRCTL_SET_BCMCTF_ENABLE): Operation not supported
rmmod: /lib/modules/2.6.22/kernel/lib/AccessCntl.ko
[AFP]: 0 partitions found.
[AFP]: disk mountd:0 hfsplus mounted:0
[AFP]: no disk mounted.
killall: bftpd: no process killed
httpd: socket bound in 0.0.0.0:80.
httpd: socket bound in 0.0.0.0:443.
httpd_sig_usr:6060
buf:
handle_genie: don't know how to process url

and httpd kills itself.

I think the interesting error is "httpd_sig_usr:6060" (httpd received a bad signal?)

 

If I put an HTTP request into /tmp/tmp_http_request.txt I can remove the handle_genie error and get a new one:

# echo "GET shares HTTP/1.0" > /tmp/tmp_http_request.txt
# echo "Host: routerlogin.net" >> /tmp/tmp_http_request.txt
# httpd -E /usr/sbin/ca.pem /usr/sbin/httpsd.pem
Can't find handler for ASP command: eco_get_redirect_link();
Can't find handler for ASP command: cdl_cgi_set_hijack(0);
Can't find handler for ASP command: cdl_cgi_set_hijack(1);
Info: No FWPT default policies.
rmmod: l7_filter
insmod: cannot insert '/lib/modules/2.6.22/kernel/lib/MultiSsidCntl.ko': Success (17)
ioctl(BRCTL_SET_BCMCTF_ENABLE): Operation not supported
ioctl(BRCTL_SET_BCMCTF_ENABLE): Operation not supported
rmmod: /lib/modules/2.6.22/kernel/lib/AccessCntl.ko
[AFP]: 0 partitions found.
[AFP]: disk mountd:0 hfsplus mounted:0
[AFP]: no disk mounted.
killall: bftpd: no process killed
httpd: socket bound in 0.0.0.0:80.
httpd: socket bound in 0.0.0.0:443.
httpd_sig_usr:6060
buf:GET shares HTTP/1.0
Host: routerlogin.net
SendData3Client:763 error sending data.

But httpd is still killed...

 

Erasing nvram and rebooting does not resolve the problem either.

 

- Does this problem ring a bell for anyone?
- Can I flash the firmware from this console? Currently the firmware on the router is 1.0.0.60/1.0.38 and I would like to update it to 1.0.0.62/1.0.39, hoping that the update fixes the problem. I am able to upload WNDR4500v2-V1.0.0.62_1.0.39.chk to the router using wget but I don't know how to tell the router that it should apply it.

 

Message 3 of 4