OpenWRT on the Netgear DG834G


I spent too much time today reading MIPS disassembly of the ADAM2 bootloader, as used on the Netgear DG834G. The problem is that the version used on the Netgear performs a checksum over most of the flash device on every boot. This makes the use of JFFS2, as done by OpenWRT, somewhat problematic. In an ideal world I'd try to compile up a newer, less restrictive version of ADAM2, but there's no JTAG on the Netgear that I've found and the thought of frying the bootloader and bricking the device wasn't appealing.

So what I've ended up doing is finding where the checksum is done and changing the branch instruction that aborts the boot to a nop. It's still scary, but it appears to do the job.

PLEASE NOTE THE BELOW COULD PERMANENTLY BREAK YOUR ROUTER

First, obtain your ADAM2 image. This is 128K and is mtd2 from the bootloader view. It should have an md5sum of 0530bfdf00ec155f4182afd70da028c1. If it doesn't, stop. The version I'm talking about is 0.18.01 as distributed by Netgear.

Assuming you have the right md5sum you want to go to offset 0x3944 where the 4 bytes should be 44 09 00 0C (representing a jal 0x90002510 during execution). Replace these 4 bytes with 0 (representing nop) and you should end up with a new image with an md5sum of d8a2f4623bf6f64b7427812f0e849aa7. You'll then need to do something like dd if=adam2-fix.bin of=/dev/mtdblock/2 on the device (I don't believe you'll be able to rewrite the bootloader from the bootloader for some reason...).

After that ADAM2 will still checksum the flash, but will continue to boot it after printing a checksum error message. This means you can go off and build yourself an OpenWRT AR7 based image and install it on your Netgear. Rock.
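
The verify, patch, verify steps above as a script (an added example, not the author's code): it refuses to return a patched image unless both md5sums from the post match, and it decodes the original 4 bytes as a little-endian MIPS JAL to show how they give 0x90002510. The function names and the 0x90000000 run-time base used for the PC are assumptions.

```python
import hashlib
import struct

# Values stated in the post for ADAM2 0.18.01 as distributed by Netgear.
ORIG_MD5 = "0530bfdf00ec155f4182afd70da028c1"
PATCHED_MD5 = "d8a2f4623bf6f64b7427812f0e849aa7"
OFFSET = 0x3944
ORIG_BYTES = bytes.fromhex("4409000c")
IMAGE_SIZE = 128 * 1024


def decode_jal(raw: bytes, pc: int) -> int:
    """Decode a little-endian MIPS JAL and return its absolute target."""
    (word,) = struct.unpack("<I", raw)
    if word >> 26 != 0b000011:
        raise ValueError("not a JAL instruction")
    # The 26-bit index is shifted left 2; the top 4 bits come from the delay-slot PC.
    return ((pc + 4) & 0xF0000000) | ((word & 0x03FFFFFF) << 2)


def patch_image(image: bytes, orig_md5: str = ORIG_MD5,
                patched_md5: str = PATCHED_MD5) -> bytes:
    """Return the image with the JAL at OFFSET replaced by a nop, or raise."""
    if len(image) != IMAGE_SIZE:
        raise ValueError("image is not 128K")
    if hashlib.md5(image).hexdigest() != orig_md5:
        raise ValueError("md5sum mismatch: not the expected ADAM2 image, stop")
    if image[OFFSET:OFFSET + 4] != ORIG_BYTES:
        raise ValueError("unexpected bytes at 0x3944")
    patched = image[:OFFSET] + b"\x00" * 4 + image[OFFSET + 4:]
    if hashlib.md5(patched).hexdigest() != patched_md5:
        raise ValueError("patched md5sum mismatch, do not flash")
    return patched


if __name__ == "__main__":
    import sys
    # Assumed run-time address: 0x90000000 + file offset (only the top nibble matters).
    print(hex(decode_jal(ORIG_BYTES, 0x90000000 + OFFSET)))
    with open(sys.argv[1], "rb") as f:
        out = patch_image(f.read())
    with open(sys.argv[2], "wb") as f:
        f.write(out)
```

Run it as `python3 script.py adam2.bin adam2-fix.bin` (file names are placeholders); nothing is written if any check fails.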


5 Comments

Good one. I have a DG834G that I will be introducing to a hammer when my new Linksys WAG54v2 arrives. I might try the OpenWRT AR7 port first, before the real fun starts with Mr Hammer. Does your wireless work after the OpenWRT install? Cheers

I'd just like to confirm this DOES work. You can actually do the patching from netgear firmware, once you creatively get the WRT54G busybox with ftp stuff on your DG-834. An alternate fix, some architectures have a branch never instruction, or for this, long branch never, but nop is just as good.

I'm in awe of how one disassembles binary files and finds the particular point that a checksum happens... Also, since I'm interested, I looked up the JAL command on http://www.mrc.uidaho.edu/mrc/people/jff/digital/MIPSir.html and found the encoding should be 0000 11ii iiii iiii iiii iiii iiii iiii, so not sure how that matches up to jal 0x90002510? Thanks for the work - got OpenWRT running on my DG834Gv1 now, though I was going to have to make a serial cable or something... By the way, one doesn't have to build one's own AR7 image now, can download from http://downloads.openwrt.org/people/nbd/ar7/annex-a/ (which is fortunate, as I'd have no idea how to do it...)

I don't think I'd be able to do it, such as giving power to a max232 using power taken from a 74xxx, and other things as possible problems derived from the 4 offsets.

I live in Italy and there are no people here able to flash a netgear dg834g

so I am thinking of doing one thing:

to buy 2 netgear dg834g

the first one at home, the second to send you, so that you could flash it and when finished with the first, send you the second one.

so at the end I'd have 2 netgear dg834g, one for home and the other one to sell to anyone who is interested in a netgear dg834g version 3.

or we could buy from you a netgear dg834g already flashed

what do you think?

Two years on; is there a more noob-tastic method of installing openwrt on a DG834Gv1?
