Tag Archives: ADAM2

I recently bricked a Netgear DG834G v3 by modifying the bootloader’s environment variables*. I purposefully set mtd1 to a bogus starting address (0x90120000), to see if ADAM2, unable to locate the OS, would drop me to the prompt. I did this because, with this particular modem, you cannot interrupt the boot process and talk to the bootloader; it always starts the OS. The result, however, was not what I expected. Upon rebooting the modem I received the following through my serial connection:

ADAM2 Revision 0.22.02
(C) Copyright 1996-2003 Texas Instruments Inc. All Rights Reserved.
(C) Copyright 2003 Telogy Networks, Inc.
memsize == 0x01000000
Usage: setmfreq [-d] [-s sys_freq, in MHz] [cpu_freq, in MHz]
maca                  00:1b:2f:78:bb:d2
macb                  00:1b:2f:78:bb:d3
memsize               0x01000000
flashsize             0x00400000
modetty0              115200,n,8,1,hw
modetty1              115200,n,8,1,hw
bootserport           tty0
cpufrequency          211968000
sysfrequency          105984000
bootloaderVersion     0.22.02
ProductID             DG834
HWRevision            Unknown
SerialNumber          none
prompt                ADAM2
firstfreeaddress      0x9401bd20
req_fullrate_freq     125000000
mtd0                  0x900d0000,0x903e0000
mtd1                  0x90120000,0x900d0000
mtd2                  0x90000000,0x90020000
mtd3                  0x903e0000,0x903f0000
mtd4                  0x903f0000,0x90400000
oam_lb_timeout        100
modulation            MMODE
autoload              0
autoload_timeout      45

ADAM2 > addr=90120000
File for wrong Endian!
gocommand even2
Copying download from b0017000 to b4020000

Then the process froze, with the power and check mark (√) LEDs blinking continuously. The modem was bricked.

Time to debrick

To recover from this state you need to connect to the modem through its JTAG interface. You can see the JTAG header pictured below.

The Netgear DG834G v3 board. You can see the JTAG interface top right. Note you will need to solder the header on the board.

According to this modem’s wiki page on OpenWrt (where you can also find another picture of the JTAG header, probably better than mine too), the interface’s pinout is as follows:

Pin # Function Function Pin #
9 TCK GND 10
11 nSRST KEY 12

This corresponds to MIPS EJTAG 2.5.

Assuming that your computer does not have a parallel port, to implement this connection you need a USB-to-JTAG adapter, such as the TUMPA. With modem and TUMPA powered off, make the following connections:

TUMPA DG834G Notes
Pin 5 Pin 3 TDI to TDI
Pin 7 Pin 7 TMS to TMS
Pin 9 Pin 9 TCK to TCK
Pin 13 Pin 5 TDO to TDO
Pin 4 Pin 4 GND to GND

Lastly download zJTAG from


What I want to do in my case is use zJTAG to grab the part of memory that holds the environment variables, save it on my computer, edit it with a hex editor to undo the change I made that bricked the router, and, finally, write it back to memory. (Of course there are other ways you can brick/debrick your router and not everyone will be in the same type of situation as me. For those other cases check this. Please note: I haven’t tried the other methods described there, so I can’t comment on them.)

Connect TUMPA (I suppose you have already installed its drivers) to your computer and power on the modem. Now, assuming you messed up the bootloader’s environment variables like I did, proceed as follows:

1. Run zJTAG to get the environment variables.

C:\zjtag 1.8>zjtag.exe -backup:custom /start:0x903f0000
              /length:0x10000 /window:0x90000000 /L1:3 /fc:030
              /nodma /LE

               zJTAG EJTAG Debrick Utility v1.8 RC3

Dev 0:
 Description=TIAO USB Multi-Protocol Adapter A
 Set I/O speed to 7500 KHz

USB TAP device has been initialized. Please confirm VREF signal
Press any key to continue... ONCE target board is powered on!

Detected IR chain length = 32

There are 1 device(s) in the JTAG chain
 IDCODE for device 1 is 0x0000100F (IR length:1)

Probing bus ... Done

Defined IR Length is 5 bits

CPU assumed running under LITTLE endian

CPU Chip ID: 00000000000000000001000000001111 (0x0000100F)
*** Found a TI manufactured TNETD7300GDU(AR7WRD) REV 01 CPU ***

    - EJTAG IMPCODE ....... : 01000001010000000100000000000000
    - EJTAG Version ....... : 2.6
    - EJTAG DMA Support ... : No
    - EJTAG Implementation flags: R4k DINTsup ASID_8 NoDMA MIPS32
    *** DMA Mode Forced Off ***

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ...  ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
*** Manually Selected a MX29LV320AB 2Mx16 BotB   (4MB) from Macronix

    - Flash Chip Window Start .... : 90000000
    - Flash Chip Window Length ... : 00400000
    - Selected Area Start ........ : 903F0000
    - Selected Area Length ....... : 00010000

*** You Selected to Backup the CUSTOM.BIN ***

Backup Routine Started

Saving CUSTOM.BIN.SAVED_20140130_223245 to Disk...
Done  (CUSTOM.BIN.SAVED_20140130_223245 saved to Disk OK)

bytes written: 65536
Backup Routine Complete
elapsed time: 121 seconds


C:\zjtag 1.8>

2. Open the file zJTAG just generated (CUSTOM.BIN.SAVED_X_Y) with a hex-editor.

3. Locate the bogus entry. In my case the offending line is located at 0xd80.

The mtd variable I modified, thus bricking the modem.

4. Undo the changes you made. In my case I find that the original mtd1 value is still present at 0x900, so I can safely remove my entire new entry, by filling those bytes with ff. Save the file as custom.bin.

5. Write back the edited and corrected environment variables.

C:\zjtag 1.8>zjtag.exe -flash:custom.bin /start:0x903f0000
              /length:0x10000 /window:0x90000000 /L1:3 /fc:030
              /nodma /LE

6. Reboot the modem.

If all went well your modem should now be debricked. Congrats!
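
Steps 2 to 4 can be cross-checked with a short script before anything is written back. This is an added example, not part of the original post or of zJTAG: it assumes the dump stores the mtd values as ASCII text, and the names find_pairs, blank and make_sample, like the sample dump itself, are made up for it.

```python
import re

FLASH_START = 0x90000000   # /window:0x90000000 in the zJTAG command
FLASH_END = 0x90400000     # window start + flashsize 0x00400000
ENV_SIZE = 0x10000         # /length:0x10000, the sector backed up in step 1
# Assumption: each mtd value sits in the dump as ASCII "0xXXXXXXXX,0xXXXXXXXX".
PAIR = re.compile(rb"0x([0-9a-fA-F]{8}),0x([0-9a-fA-F]{8})")


def find_pairs(dump):
    """Return (offset, start, end, sane) for every ASCII address pair."""
    hits = []
    for m in PAIR.finditer(dump):
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        # A usable partition lies inside the flash window and start < end.
        sane = FLASH_START <= start < end <= FLASH_END
        hits.append((m.start(), start, end, sane))
    return hits


def blank(dump, offset, length):
    """Return a copy with [offset, offset+length) set to 0xFF (erased flash)."""
    if offset < 0 or length <= 0 or offset + length > len(dump):
        raise ValueError("range outside the dump")
    patched = bytearray(dump)
    patched[offset:offset + length] = b"\xff" * length
    return bytes(patched)


def make_sample():
    """Constructed 64 KiB dump: a sane pair at 0x900, the bogus one at 0xd80."""
    img = bytearray(b"\xff" * ENV_SIZE)
    sane = b"0x900d0000,0x903e0000"    # mtd0 from the boot log, as a stand-in
    bogus = b"0x90120000,0x900d0000"   # the mtd1 value that bricked the modem
    img[0x900:0x900 + len(sane)] = sane
    img[0xd80:0xd80 + len(bogus)] = bogus
    return bytes(img)


if __name__ == "__main__":
    dump = make_sample()   # or: open("CUSTOM.BIN.SAVED_X_Y", "rb").read()
    for off, start, end, sane in find_pairs(dump):
        flag = "ok" if sane else "BOGUS"
        print(f"0x{off:04x}: 0x{start:08x},0x{end:08x} {flag}")
    bad = [h for h in find_pairs(dump) if not h[3]]
    fixed = blank(dump, bad[0][0], 21)   # 21 = length of the ASCII pair
    # The image written back must keep its size and hold no bogus pair.
    assert len(fixed) == ENV_SIZE and all(h[3] for h in find_pairs(fixed))
```

blank() only overwrites the byte range it is given; take the full extent of the entry from the hex editor, since the bytes surrounding the value are not modelled here.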

If you have any questions or if you spotted any errors or omissions, please leave me a comment.

* There are a few ways to modify the bootloader’s environment variables, even when you can’t get to the bootloader prompt. The variables are stored in /proc/sys/dev/adam2/environment and in /proc/ticfg/env. You can read and write either of those at runtime, once the OS has loaded, through your serial connection, or through telnet (provided you’ve enabled telnet first).

In my previous post we installed OpenWrt 10.03.1 on D-Link’s DSL-G624T. In this post I’ll show you, just in case you’re not happy with OpenWrt, how you can uninstall it and go back to the original D-Link firmware. The procedure is simple. You connect to the bootloader again, open an ftp connection, flash the original D-Link firmware and reset the mtd variables to their original values (you did make a note of the original mtd values, didn’t you?).

Before we begin we need to grab the original DSL-G624T firmware. You can find v3.10 of the original firmware on the router’s product support page (I’ve also uploaded it to OneDrive in case D-Link decides to remove it. SHA1: 73867582db7120ed1a3d5a59afb4ad395dda21f8). Download the zip archive and extract the firmware image ‘DLinkEU-A_DSL-G624T_singleimage_kernel_fs_-V3.10B01T02.EU–A.20070613’. Rename the image to something more manageable like ‘original.bin‘.

Now that we have the firmware let’s connect to the modem. Connect your USB-to-UART converter to the modem’s serial port as before:

  • Converter GND to modem pin 4 or pin 2 (either one will do)
  • Converter Rx to modem pin 1
  • Converter Tx to modem pin 5

Launch your preferred terminal emulator (I’ll be using PuTTY) and open the serial connection. Power on the router (I use the terms ‘modem’ and ‘router’ interchangeably) and stop the bootloader from running the OS (just press any key). Set an ip address in the 192.168.1.x range for your NIC and connect to the router via UTP. Next, if you’re running Ubuntu, make sure that F-RTO is disabled (more info in my previous post), change to the directory where you extracted the original firmware and open an ftp connection to

With the ftp connection established, issue, as before, the following commands:

ftp> binary
200 Type set to I.
ftp> hash
Hash mark printing on (1024 bytes/hash mark).
ftp> quote MEDIA FLSH
200 Media set to FLSH.

Finally execute:

ftp> put original.bin "fw mtd1"

Just like when we flashed OpenWrt, the memory will be erased first, and then the transfer will begin. You can monitor the progress of the erase in PuTTY.

With the transfer of the original firmware completed, we need to reset mtd1 to its original value. At the bootloader prompt issue the following command:

Adam2_AR7RD > setenv mtd1 0x90010090,0x900a1000

Make sure that the mtd variables now have the values given below:

Adam2_AR7RD > printenv
mtd0  0x900a1000,0x903f0000
mtd1  0x90010090,0x900a1000
mtd2  0x90000000,0x90010000
mtd3  0x903f0000,0x90400000
mtd4  0x90010000,0x903f0000

At this point we are ready to run the original D-Link firmware. Disconnect the UTP cable. Switch to PuTTY and enter go:

Adam2_AR7RD > go

Good job, your modem is now running the original D-Link firmware.

If you have any questions or if you spotted any errors or omissions, please leave me a comment.

Updated November 20, 2013 – Added paragraph for TcpMaxDataRetransmissions

The D-Link DSL-G624T is a wireless 4-port ADSL modem/router based on the TI AR7 platform. It employs the following hardware:

Type Part Notes
Flash Spansion S29AL032D90TFI04 4 MB
Switch Infineon ADM6996M 4 ports
WiFi TI TNETW1130ZVF IEEE 802.11 b/g

We will be installing OpenWrt 10.03.1 Backfire instead of the latest (as of this writing) 12.09 Attitude Adjustment version, since the latter seems to have a bug in controlling the ethernet switch and you end up being unable to connect to the modem. (Note: the terms ‘modem’ and ‘router’ are used interchangeably in this post).

Note for Windows users only: A registry edit and thus a reboot will be required later on (§On Windows), so I suggest you do that first and then come back to this point.

Serial Port

To install OpenWrt we first need to connect to the modem’s serial port and talk to its bootloader (ADAM2 in this case; more info here). To implement this connection you need a USB-to-UART serial converter such as this one.

The modem’s serial port is located at the top left side of the board, as shown in the figure below.

The D-Link DSL-G624T board. The serial port is located at the top left side.

Connect the converter to your computer and, with the modem powered off, implement the following connection:

  • Converter GND to modem pin 4 or pin 2 (either one will do)
  • Converter Rx to modem pin 1
  • Converter Tx to modem pin 5

Use only the pins mentioned above. Do not connect the 3.3v line.

Do not turn on the modem yet. On your computer launch PuTTY or SecureCRT or any other terminal emulator you like (I will be using PuTTY for this post) and, on Ubuntu, point it to /dev/ttyUSB0. (On Windows you need to use the COM port assigned to the converter). Select speed 38400, data bits 8, parity None, stop bits 1 (8N1) and open the connection.

PuTTY serial connection settings.

Note: For PuTTY to be able to open /dev/ttyUSB0 you need to run it as root. To do so, open a command terminal and enter gksudo putty & .

Power on the modem now. As soon as the modem is turned on you will see the following output in PuTTY:

ADAM2 Revision 0.22.02_b04_Mar 10 2005
(C) Copyright 1996-2003 Texas Instruments Inc. All Rights Reserved.
(C) Copyright 2003 Telogy Networks, Inc.
Usage: setmfreq [-d] [-s sys_freq, in MHz] [cpu_freq, in MHz]
Memory optimization Complete!

Adam2_AR7RD >
Press any key to abort OS load, or wait 5 seconds for OS to boot...

Press enter to stop the OS from loading and get the bootloader prompt.

MTD Partitions

Once you are at the bootloader prompt you can see all the available commands by typing help. Enter printenv to get an output similar to the following (please note that not all lines are shown; I have included only the lines that interest us):

Adam2_AR7RD > printenv
mtd0  0x900a1000,0x903f0000
mtd1  0x90010090,0x900a1000
mtd2  0x90000000,0x90010000
mtd3  0x903f0000,0x90400000
mtd4  0x90010000,0x903f0000

Make a note of the mtd values above. Also note the ip address given by the ‘my_ipaddress’ parameter. We will connect to this ip later on.

The mtd values given above logically divide the flash memory into different partitions. Each pair of values defines a starting position and an ending position. The figure below helps illustrate this.

D-Link DSL-G624T flash memory partitions.

This is where the firmware and the bootloader (plus environment variables) are stored.

Partition Contents
mtd2 ADAM2 bootloader
mtd1 Kernel
mtd0 filesystem
mtd3 Environment variables
mtd4 mtd1+mtd0

Note: Do not edit, modify or in any way alter the contents of partitions mtd2 (the bootloader) and mtd3 (the environment variables) unless you absolutely know what you’re doing. Doing so may render your router unbootable. As long as the bootloader and its settings are intact, you can recover from a bad flash.

Preparing for Installation

We will be installing OpenWrt by overwriting the contents of partitions mtd1 and mtd0 (the original D-Link firmware). According to this device’s page on, we need to slightly modify the partitions’ layout so that it can store the new firmware. Specifically, we need to modify mtd1 and mtd0 so that they have the following values:

mtd0  0x900a1000,0x903f0000
mtd1  0x90010000,0x903f0000

In my case mtd0 already has the required value, so I only need to change mtd1; however, I’ll show you how to change both.

To modify the values of mtd1 and mtd0 we issue the setenv command, followed by the parameter we wish to modify and its new values, as shown below:

Adam2_AR7RD > setenv mtd1 0x90010000,0x903f0000
Adam2_AR7RD > setenv mtd0 0x900a1000,0x903f0000
Adam2_AR7RD >
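
Why the stock mtd1 range has to change can be checked from the numbers on this page. The following is an added example, not part of the original post: it takes the printenv values above and the image size reported in the ftp transfer log further down, and the function names parse_env, capacity and preflight are made up for it.

```python
import re

LINE = re.compile(r"^(mtd\d)\s+0x([0-9a-fA-F]{8}),0x([0-9a-fA-F]{8})\s*$", re.M)

# printenv values from this page, before and after the setenv commands.
STOCK = """\
mtd0  0x900a1000,0x903f0000
mtd1  0x90010090,0x900a1000
mtd2  0x90000000,0x90010000
mtd3  0x903f0000,0x90400000
mtd4  0x90010000,0x903f0000
"""
OPENWRT = STOCK.replace("mtd1  0x90010090,0x900a1000",
                        "mtd1  0x90010000,0x903f0000")
IMAGE_SIZE = 2818052   # bytes sent for openwrt-ar7-squashfs.bin in the ftp log


def parse_env(text):
    """Map each mtdN name to its (start, end) address pair."""
    return {n: (int(s, 16), int(e, 16)) for n, s, e in LINE.findall(text)}


def capacity(env, name):
    """Size in bytes of a partition; rejects a pair whose start is not below end."""
    start, end = env[name]
    if start >= end:
        raise ValueError(f"{name}: start is not below end")
    return end - start


def preflight(env, target, image_size, protected=("mtd2", "mtd3")):
    """List the problems with writing image_size bytes into target."""
    problems = []
    room = capacity(env, target)
    if image_size > room:
        problems.append(f"image is {image_size - room} bytes larger than {target}")
    t_start, t_end = env[target]
    for name in protected:   # bootloader and environment variables
        p_start, p_end = env[name]
        if t_start < p_end and p_start < t_end:   # half-open ranges overlap
            problems.append(f"{target} overlaps {name}")
    return problems


if __name__ == "__main__":
    for label, text in (("stock", STOCK), ("openwrt", OPENWRT)):
        env = parse_env(text)
        print(label, capacity(env, "mtd1"), preflight(env, "mtd1", IMAGE_SIZE))
```

With the stock values mtd1 holds 593776 bytes, far less than the image; with the new values it holds 4063232 bytes and still stops short of mtd2 and mtd3.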


Now we can proceed to the installation of OpenWrt. Download ‘openwrt-ar7-squashfs.bin’ from . Once the download is complete, disconnect from the internet and set an ip address in the 192.168.1.x subnet for your computer. Connect to the modem via UTP. Change to the directory where you saved the OpenWrt firmware and open an ftp connection to (this is the ip address the ftp service of ADAM2 is listening to, as given by the ‘my_ipaddress’ variable we saw earlier). The username and the password are both ‘adam2’.

$ ftp
Connected to
220 ADAM2 FTP Server ready.
Name: adam2
331 Password required for adam2.
230 User adam2 successfully logged in.
Remote system type is UNIX.

Issue the following commands to the ftp server:

  • binary for binary file transfer
  • hash for hash mark printing to see the file transfer progress as the firmware is being copied to the modem
  • quote MEDIA FLSH to indicate we want to write to the flash memory

The commands are shown below:

ftp> binary
200 Type set to I.
ftp> hash
Hash mark printing on (1024 bytes/hash mark).
ftp> quote MEDIA FLSH
200 Media set to FLSH.

There is one last thing left to do before we begin flashing the modem with the new firmware: we need to take care of TCP retransmission timeouts. On Ubuntu we need to disable F-RTO. On Windows we need to add a dword named ‘TcpMaxDataRetransmissions’ to a registry key. This is crucial; if F-RTO is enabled or if TcpMaxDataRetransmissions is at its default value, the transfer of the firmware will fail.

On Ubuntu

To check whether F-RTO is enabled, do cat /proc/sys/net/ipv4/tcp_frto as shown below. A value of 1 or 2 means F-RTO is enabled; a 0 means it is disabled. If F-RTO is enabled on your system, open a root terminal (sudo won’t work) and issue echo 0 > /proc/sys/net/ipv4/tcp_frto.

# cat /proc/sys/net/ipv4/tcp_frto
# echo 0 > /proc/sys/net/ipv4/tcp_frto

On Windows

Run regedit.exe and go to HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters. Add a DWORD named TcpMaxDataRetransmissions and set it to a high value (e.g. 40 decimal). Close regedit and reboot. Do not forget to delete this dword after flashing is complete.

Once F-RTO or the Windows registry is taken care of, we are ready to flash the modem with the new firmware. At the ftp prompt issue the following command:

ftp> put openwrt-ar7-squashfs.bin "fw mtd1"

(What the above command says is “store ‘openwrt-ar7-squashfs.bin’ as ‘fw’ into mtd1”. You don’t have to name the destination file ‘fw’. You can name it whatever you like; it doesn’t matter. However you must use mtd1).

You won’t see any output at the ftp prompt immediately. This is normal. If you switch to PuTTY you will see that the flash memory is being erased first. Just be patient.

Adam2_AR7RD > Erasing from 0xb0010000 to 0xb03f0000.
Erase Successful.

Once the erase is completed the transfer will begin. You will get a long series of hash marks at the ftp prompt, indicating the transfer is in progress. You will know when the transfer is complete.

ftp> put openwrt-ar7-squashfs.bin "fw mtd1"
local: openwrt-ar7-squashfs.bin remote: fw mtd1
200 Port command successful.
150 Opening BINARY mode data connection for file transfer.

226 Transfer complete.
2818052 bytes sent in 37.02 secs (74.3 kB/s)


You’ve now flashed your modem with the OpenWrt firmware. The only thing left to do now is to reboot. At the ftp prompt enter quote REBOOT:

ftp> quote REBOOT
221-Thank you for using the FTP service on ADAM2.
221 Goodbye.

and immediately disconnect the UTP cable from the modem as it reboots and runs Backfire for the first time. You can keep the serial connection open and examine the bootlog of OpenWrt as it boots. Don’t forget to remove the ip address you set on your computer manually. Your NIC will be assigned an ip address via DHCP once the modem is booted and you reconnect the UTP cable.

If you press enter from within PuTTY or if you telnet to your modem once it is ready, you will get the following output:

OpenWrt 10.03.1 Backfire banner.

Congratulations, you are now running OpenWrt 10.03.1 Backfire. In one of my next posts I’ll walk you through the next steps after first boot. In the meantime, if you wish, you can check .

If you have any questions or if you spotted any errors or omissions, please leave me a comment.