Rescuing a Bricked R6250 with Merlin Firmware and Reverting to Stock

A few days ago I bought a Netgear R6250 router. Its 5 GHz performance and coverage were impressive. After enjoying it for a few days I couldn't resist tinkering and flashed it with Merlin firmware[1], which bricked it. The router booted with a flashing yellow light and dropped straight into TFTP recovery mode. Uploading firmware over TFTP got no response, and pinging the router always returned a TTL of 100 (a TTL of 100 means the bootloader's recovery mode is answering; a TTL of 64 means the normal firmware is running). This was the first router I had bricked, despite having tinkered with many before. After scouring forums, a serial console (TTY) seemed to be the only option left. Once the router was repaired I enjoyed Merlin's features for a couple of days, but its stability was poor, which was a real problem for my mother, so I decided to revert to the original firmware, and that turned out to be another challenge. This post documents the whole process in the hope of helping others in the same situation.

TFTP Recovery

I followed the flashing thread here, which also hosts the firmware downloads you will need. koolshare provides the relevant firmware as well; see its R6300V2 flashing tutorial.

Flashing Merlin changes the device's board_id and its CFE (Broadcom's bootloader, which also provides the built-in shell), and getting there requires several intermediate firmware images. Each image is checked against the board_id currently stored on the device, so after a partial or failed sequence the firmware verification fails and nothing can be written. Without a serial console we cannot read the current board_id, so the following is recommended:

  1. If TFTP still works, try the following images in order until one is accepted:

    • R6250 original firmware download
    • R6300V2 original firmware download
    • R6300V2-back-to-ofw.trx
    • factory-to-dd-wrt.chk
    • R6300V2_merlin_1.0.trx
    • R6300V2_merlin_1.2.trx
    • R6300V2_378.56_0-X5.9.trx (or other more recent versions of the firmware)
  2. If TFTP is not an option, continue reading.

TTY

If you do not have a TTY cable, buy one from Taobao. A common USB-to-serial adapter will do, but it must use 3.3 V TTL logic levels; an adapter that outputs true RS-232 voltages will damage the board's UART. If you lack a screwdriver set for disassembly or a soldering iron, buy those too.

Open the router and wire it as in the diagram below (the image is borrowed; see the reference):

[image: r6250-tty wiring diagram]

  • G = GND
  • R = RXD
  • T = TXD

Cross the data lines: the board's TXD goes to the adapter's RXD and the board's RXD to the adapter's TXD, and leave the adapter's VCC pin unconnected, since the router supplies its own power. Unlike the R6300, the R6250 has no header pins populated, so you will need to solder the wires directly to the board.

You can then connect to the router's serial console. On OS X/Linux, minicom (or screen) works; on Windows, PuTTY is an option. For detailed usage of either, refer to online resources.

Connection parameters:

Speed: 115200 baud
Data format: 8-N-1 (8 data bits, no parity, 1 stop bit)
Flow control: none (turn hardware flow control off, or the console will accept no input)

After connecting and powering up the router, the terminal scrolls boot messages rapidly. If the router is still in recovery mode (flashing yellow light), press Ctrl-C repeatedly during startup to drop into the bootloader's shell (CFE).

Then connect a network cable to a LAN port, give your PC the static IP 192.168.1.2, type tftpd at the CFE prompt and press Enter, and repeat the steps in the TFTP Recovery section.
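As an added example (not from the original post), here is a host-side shell script that does the PC end of both recovery paths described above: the serial console attach from the TTY section and the TFTP push from the image list in the TFTP Recovery section. It assumes the router's bootloader serves TFTP on 192.168.1.1 (which is why the PC is set to 192.168.1.2), a Linux host with ip(8), the tftp-hpa client, coreutils timeout and minicom, and a USB adapter that shows up as /dev/ttyUSB0; it reads the image list as candidates to try in order until one takes. The router address, interface name and serial device are assumptions that the environment variables override.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: the CFE
# TFTP server listens on 192.168.1.1, the PC's wired NIC is $IFACE,
# the serial adapter is $TTYDEV, and tftp-hpa/minicom/timeout exist.
ROUTER="${ROUTER:-192.168.1.1}"
HOST_IP="${HOST_IP:-192.168.1.2/24}"
IFACE="${IFACE:-eth0}"
TTYDEV="${TTYDEV:-/dev/ttyUSB0}"

# Map the TTL in a ping reply to the router state the post describes:
# 100 = bootloader (CFE) recovery mode, 64 = normal Linux firmware.
ttl_mode() {
    case "$1" in
        100) echo recovery ;;
        64)  echo normal ;;
        *)   echo unknown ;;
    esac
}

# Extract the ttl=N field from one line of ping output (Linux, macOS and
# Windows "TTL=" spellings). Prints nothing for lines without a TTL.
ping_ttl() {
    printf '%s\n' "$1" | sed -n 's/.*[tT][tT][lL]=\([0-9]*\).*/\1/p'
}

# Ping the router once (Linux ping flags) and report which mode it is in.
router_mode() {
    line=$(ping -c 1 -W 1 "$ROUTER" 2>/dev/null | grep -i 'ttl=' | head -n 1)
    ttl_mode "$(ping_ttl "$line")"
}

# Give the wired NIC the static address the post asks for (needs root).
set_static_ip() {
    ip addr flush dev "$IFACE"
    ip addr add "$HOST_IP" dev "$IFACE"
    ip link set "$IFACE" up
}

# Open the serial console with the parameters from the post: 115200 8N1,
# no flow control (minicom's -b and -D flags).
serial_console() {
    minicom -b 115200 -D "$TTYDEV"
}

# Push one image in binary mode. The post notes that a bricked unit may
# simply not answer, so the transfer is bounded by a timeout.
tftp_put() {
    img="$1"
    [ -f "$img" ] || { echo "no such file: $img" >&2; return 1; }
    timeout 120 tftp -m binary "$ROUTER" -c put "$img"
}

# Walk the image list in order. A completed transfer is not proof the
# image was taken, since CFE checks the header after receiving it, so
# wait and see whether the router has left recovery mode.
flash_chain() {
    for img in "$@"; do
        echo "== trying $img"
        tftp_put "$img" || continue
        sleep 60
        if [ "$(router_mode)" != recovery ]; then
            echo "router left recovery mode after $img"
            return 0
        fi
    done
    echo "still in recovery mode after all images" >&2
    return 1
}

main() {
    case "${1:-}" in
        mode)    router_mode ;;
        ip)      set_static_ip ;;
        console) serial_console ;;
        flash)   shift; flash_chain "$@" ;;
        *)       echo "usage: $0 {mode|ip|console|flash IMAGE...}" ;;
    esac
}
main "$@"
```

Typical order: `./r6250-recover.sh ip`, then `./r6250-recover.sh mode` to confirm the TTL-100 recovery state, then `./r6250-recover.sh flash R6250.chk R6300V2.chk R6300V2-back-to-ofw.trx ...` with the images from the list. The mode check is the cheap test to run before every attempt; if it prints "normal", the bootloader's TFTP server is not what you are talking to.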

Flashing Back to the Original Firmware

Initially I thought flashing back to the original firmware would be straightforward, since this post provided an R6250-back-to-ofw.trx image, claiming it could be flashed directly from the Merlin interface.

However, Merlin rejected the upload: once Merlin is installed the device identifies itself as an R6300V2, and the verification mechanism blocks the R6250 image. After several failed attempts I took a risk and flashed R6300V2_back-to-ofw.trx instead, which succeeded on the first try.

After flashing I got straight into the original Netgear interface, but it still identified the device as an R6300V2 (which almost felt like a free upgrade). The basic functions worked, but some things were off: the 5 GHz channel could not be selected, the default channel was quite low, and the 5 GHz speed was unsatisfactory. The firmware update check found new versions, but every download was reported as corrupt and could not be written. From the web interface, Merlin, R6300V2, R6250 and DD-WRT images were all rejected; no firmware was accepted at all.

Although the router was usable and seemed stable, my perfectionism kicked in; a router that was not fully functional was frustrating, and I was determined to fix it. Thinking it over, I recalled that nvram get board_id on the serial console had returned HDR0, meaning the board_id was missing or garbage, which would explain the failed verification. If the board_id could be reset, there might be a way out. Research turned up here that the stock firmware's telnet console has a burnboardid command for writing the board_id, which offered a glimmer of hope.

Netgear routers have a hidden mechanism (the telnetenable utility) for switching on the telnet console, as described on the OpenWrt wiki, but I could not get it to work. If anyone manages it, please let me know.

If telnet access is not possible, we still have the serial cable. Refer to the TTY section above, connect to the device, and write the board_id with the following command (U12H245T00_NETGEAR is the R6250's board_id):

burnboardid U12H245T00_NETGEAR

After rebooting and flashing the R6250 firmware: success! I was finally back on the original firmware.

However, some abnormalities persisted after logging back in. Certain pages were wrong, and while the WiFi region could be selected, the selection had no effect. Further investigation turned up a whole family of burn commands:

burn_hw_rev
burn5gpass
burn5gssid
burnboardid
burnethermac
burnpass
burnpin
burnrf
burnsku
burnsn
burnssid

Running each command without parameters prints its current value. Going through them revealed that the sn (serial number) and pin values were gibberish, so the correct values had to be written:

burnsn XXXXXXXXXX   # the SN (SERIAL NUMBER) is printed on the barcode label on the underside of the router
burnpin XXXXXXXX    # any 8 digits; this is the router's WPS PIN, and the written value shows up in the router's settings page

After restarting, everything worked normally!

Bonus

My router was a parallel import, and the region could only be set to the United States, which limited the available channels. To fix this, run:

burnsku 0x0002

This sets the SKU to the WW (worldwide) variant, after which any region can be selected in the WiFi settings page.

Additionally, the burnrf command returned an error, but this seemed to have no effect. I could not find any information on it; if anyone knows what it means, please let me know.

Reference


  1. For anyone interested in flashing Merlin: there is no dedicated Merlin build for the R6250, but the R6300V2 build can be flashed directly; see this link. After flashing it, though, I found stability lacking, and the 2.4 GHz radio in particular was basically unusable, so I flashed back. The firmware in that thread is an older and even less stable version; the latest build can be downloaded here.
