NMRP --- unbrick protocol for NetGear Routers

NMRP (I don't know what this stands for — maybe NetGear Management Remote Protocol) is a way to force a Netgear router to run TFTP to grab a new firmware image. It may have other uses too.

NMRP Packet format

The Ethernet type code (EtherType) is 0x0912. Following the Ethernet header is a struct that looks like this:

#include <stdint.h>

#define MAGIC_NO_LEN 4   /* assumed: the page does not give the magic number's length */
#define IP_LEN       4   /* IPv4 address or netmask */

typedef uint16_t ushort;
typedef uint8_t  uchar;

typedef struct {
	ushort reserved;     /* always zero */
	uchar  code;         /* packet type; see the code table below */
	uchar  id;           /* apparently unused */
	ushort length;       /* total length of the packet */
	int    numOptions;   /* number of options that follow */
} nmrp_msg;

/* One option (type, length, value). Only MAGIC_NO and DEV_IP matter. */
typedef struct {
	ushort type;
	ushort len;
	union {
		uchar magicno[MAGIC_NO_LEN];   /* MAGIC_NO */
		struct {                       /* DEV_IP: address and mask carried together;
		                                  nesting reconstructed from the original's indentation */
			uchar addr[IP_LEN];
			uchar mask[IP_LEN];
		} ip;
	} value;
} nmrp_opt;

There are only two option types we care about: MAGIC_NO (value: 1) and DEV_IP (value: 2).

Option field   Value
addr           IPv4 address for the device
mask           IPv4 net mask

Message field   Description
reserved        Always zero
code            The packet type; see below
id              Apparently unused
length          Total length of the packet
options         See above

Packet types correspond to actions. Some are sent to the device, some are sent by the device.

Code (value)       Direction     Meaning
ADVERTISE (1)      To device     Turn on the NMRP stack; content should be a MagicNumber option
CONF_REQ (2)       From device   Ask for configuration from the server
CONF_ACK (3)       To device     Contains the IP address of the TFTP server
CLOSE_REQ (4)      From device   Ask for the connexion to close
CLOSE_ACK (5)      To device     Close the connexion
TFTP_UL_REQ (16)   From device   The device has started a TFTP server, so upload a firmware image to it

The protocol works something like this (I think!):

  1. After booting into U-Boot, but before starting Linux from flash, U-Boot waits around 1 second for a packet on any of the LAN ports. If an ADVERTISE NMRP packet with the correct magic number arrives during that time, the NMRP stack is started in state LISTENING.
  2. On transitioning to state LISTENING, the device sends a CONF_REQ packet with no options.
  3. The server then sends a CONF_ACK packet to the device. This packet must contain an OPT_DEV_IP option, which is used to configure the IP address and netmask of the device. It can also contain a FW-UP option, but that is currently ignored. The device transitions to state CONFIGING.
  4. On transitioning to state CONFIGING, the device sends a packet of type TFTP_UL_REQ with no options, and then starts a TFTP server on the address sent beforehand.
  5. The device then waits for a TFTP transfer of the firmware image. When the TFTP server has received one file (or times out), the NMRP state machine transitions to state KEEP_ALIVE while the image is being flashed. It sends a KEEP_ALIVE_REQ every 15 seconds or so.
  6. KEEP_ALIVE_ACKs are ignored. When the flash has been written, the state is set to CLOSING.
  7. On transitioning to state CLOSING, the device sends a CLOSE_REQ packet.
  8. The server then sends a CLOSE_ACK packet with no options, and the device reboots from the new flash image.
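The packet layout above and the eight-step exchange can be exercised offline with the following added example. It is not code from the page, from U-Boot or from Netgear: it encodes and decodes the header and type/length/value options, wraps a message in an Ethernet II frame with the 0x0912 type code, and drives the host side of the exchange (ADVERTISE, then CONF_ACK, then waiting for TFTP_UL_REQ, then CLOSE_ACK) as a small state machine fed with constructed device messages. Several things are assumptions on my part because the page does not state them: fields are big-endian, a message's length covers header plus options, an option's len covers its own 4-byte header plus the value, numOptions is treated as a host-side count rather than a wire field, the magic number bytes are a placeholder, and the keep-alive codes are not given on the page so keep-alive traffic is simply ignored.

```python
import ipaddress
import struct

ETHERTYPE_NMRP = 0x0912  # Ethernet type code from the page

# Message codes and option types, as listed on the page.
ADVERTISE, CONF_REQ, CONF_ACK, CLOSE_REQ, CLOSE_ACK, TFTP_UL_REQ = 1, 2, 3, 4, 5, 16
OPT_MAGIC_NO, OPT_DEV_IP = 1, 2

# Assumption: the page does not give the magic number's bytes; this is a placeholder.
MAGIC_NO = b"NTGR"

# Assumptions: fields are big-endian; a message's 'length' covers header plus options;
# an option's 'len' covers its own 4-byte type/len header plus the value.
HDR = struct.Struct("!HBBH")    # reserved, code, id, length
OPT_HDR = struct.Struct("!HH")  # type, len


def build_msg(code, options=(), msg_id=0):
    """Serialise one NMRP message as a header followed by TLV options."""
    body = b"".join(OPT_HDR.pack(t, OPT_HDR.size + len(v)) + v for t, v in options)
    return HDR.pack(0, code, msg_id, HDR.size + len(body)) + body


def parse_msg(data):
    """Parse an NMRP message into (code, id, [(type, value), ...]).

    Every length is checked against the buffer before it is used, so a
    truncated or inconsistent frame raises ValueError instead of being
    read past the end of the packet."""
    if len(data) < HDR.size:
        raise ValueError("short header")
    reserved, code, msg_id, length = HDR.unpack_from(data)
    if reserved != 0:
        raise ValueError("reserved field must be zero")
    if length < HDR.size or length > len(data):
        raise ValueError("bad message length %d" % length)
    options, off = [], HDR.size
    while off < length:
        if length - off < OPT_HDR.size:
            raise ValueError("truncated option header")
        otype, olen = OPT_HDR.unpack_from(data, off)
        if olen < OPT_HDR.size or off + olen > length:
            raise ValueError("bad option length %d" % olen)
        options.append((otype, data[off + OPT_HDR.size:off + olen]))
        off += olen
    return code, msg_id, options


def ethernet_frame(dst_mac, src_mac, payload):
    """Wrap an NMRP message in an Ethernet II header carrying the NMRP type code."""
    return struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_NMRP) + payload


def dev_ip_option(addr, mask):
    """DEV_IP option: 4-byte IPv4 address followed by the 4-byte netmask."""
    return OPT_DEV_IP, ipaddress.IPv4Address(addr).packed + ipaddress.IPv4Address(mask).packed


class NmrpHost:
    """Host (server) side of the numbered exchange above.

    start() produces the ADVERTISE; handle() consumes one message from the
    device and returns the reply to send, or None when no reply is due."""

    def __init__(self, dev_addr, dev_mask):
        self.state = "IDLE"
        self.dev_ip = dev_ip_option(dev_addr, dev_mask)
        self.upload_requested = False  # set once the device's TFTP server is up

    def start(self):
        # Step 1: ADVERTISE carrying the magic number, sent during the boot window.
        self.state = "ADVERTISED"
        return build_msg(ADVERTISE, [(OPT_MAGIC_NO, MAGIC_NO)])

    def handle(self, data):
        code, _, _options = parse_msg(data)
        if self.state == "ADVERTISED" and code == CONF_REQ:
            # Steps 2-3: answer CONF_REQ with a CONF_ACK carrying DEV_IP.
            self.state = "CONFIGURED"
            return build_msg(CONF_ACK, [self.dev_ip])
        if self.state == "CONFIGURED" and code == TFTP_UL_REQ:
            # Steps 4-5: the device now runs a TFTP server; the caller uploads the image.
            self.state = "UPLOADING"
            self.upload_requested = True
            return None
        if self.state == "UPLOADING" and code == CLOSE_REQ:
            # Steps 7-8: CLOSE_ACK with no options; the device then reboots.
            self.state = "CLOSED"
            return build_msg(CLOSE_ACK)
        # Keep-alive requests while flashing (code values not given on the page)
        # and anything arriving out of sequence are ignored rather than acted on.
        return None
```

The state machine only advances on the message the page says comes next, so a stray or repeated packet cannot push it to a later step, and parse_msg refuses any frame whose lengths do not agree with the buffer. Sending the frames onto a LAN port in the one-second boot window needs a raw Ethernet socket, which is deliberately left out here.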

Peter Chubb
Last modified: Mon Nov 16 10:02:35 EST 2009