NMRP --- unbrick protocol for NetGear Routers

NMRP (I don't know what this stands for — maybe NetGear Management Remote Protocol) is a way to force a Netgear router to run TFTP to grab a new firmware image. It may have other uses too.

NMRP Packet format

The Ethernet code is 0x0912. Following the ethernet header, is a struct that looks like this:

struct {
	ushort reserved;
	uchar code;
	uchar id;
	ushort length;
	int numOptions;
	NMRP_PARSED_OPT options[NMRP_MAX_OPT_PER_MSG];
} nmrp_msg;

typedef struct  {
	ushort type;
	ushort len;
	union {
		uchar magicno[MAGIC_NO_LEN];
		struct{
			uchar addr[IP_LEN];
			uchar mask[IP_LEN];
		}ip;
	} value;
} NMRP_PARSED_OPT;

There are only two option types we care about: MAGIC_NO (value: 1) and DEV_IP (value: 2).

Option Type Values

MAGIC_NO

Field Value

type 1

len 8

magicno "NTGR"

DEV_IP

Field Value

type 2

len 12

addr IPv4 Address for device

mask IPv4 net mask

Message Field Description

reserved Always zero

code The packet type. See below

id Apparently unused

length total length of the packet

options See above

Message Field	Description
`reserved`	Always zero
`code`	The packet type. See below
`id`	Apparently unused
`length`	total length of the packet
`options`	See above

Packet types correspond to actions. Some are sent to the device, some are sent by the device.

Code (value)	Direction	Meaning
ADVERTISE (1)	To device	Turn on the NMRP stack; content should be MagicNumber option
CONF_REQ (2)	From Device	Ask for configuration from server
CONF_ACK (3)	To device	Contains IP address of TFTP server
CLOSE_REQ (4)	From device	Ask for connexion to close
CLOSE_ACK (5)	To device	Close connexion
KEEP_ALIVE_REQ (6)	Either
KEEP_ALIVE_ACK (7)	Either
TFTP_UL_REQ (16)	From device	Device has started a TFTP server, so upload a firmware image to it.

The protocol works something like this (I think!):

After booting into U-boot, but before starting Linux from flash, Uboot waits around 1 second for a packet on any of the LAN ports. If an ADVERTISE NMRP packet with the correct magic number arrives during that time then the NMRP stack is started, in state LISTENING.
The device when transitioning to state LISTENING sends a CONF_REQ packet with no options.
The server then sends a CONF_ACK packet to the device. This packet must contain an OPT_DEV_IP option that is used to configure the IP address and netmask of the device. It can also contain a FW-UP option, but that is currently ignored. The device transitions to state CONFIGING.
When transitioning to start CONFIGING, the device sends a packet of type TFTP_UL_REQ, with no options, and then starts a TFTP server on the address sent beforehand.
The device then waits for a tftp transfer of firmware image. When the TFTP server has received one file (or times out) the NMRP state machine transitions to state KEEP_ALIVE, while flashing the image. It sends a KEEP_ALIVE_REQ every 15 seconds or so.
KEEP_ALIVE_ACKs are ignored. When the flash has been written, the state is set to CLOSING.
When transitioning to state CLOSING, the device sends a CLOSE_REQ packet.
The server then sends a CLOSE_ACK packet with no options, and the machine then reboots from the new flash image.

Peter Chubb

Last modified: Mon Nov 16 10:02:35 EST 2009