NMRP --- unbrick protocol for NetGear Routers
NMRP (I don't know what this stands for — maybe NetGear
Management Remote Protocol) is a way to make a Netgear router start
a TFTP server so that a new firmware image can be uploaded to it
before the (possibly broken) image in flash is booted. It may have
other uses too.
NMRP Packet format
The Ethernet type field is 0x0912. Following the Ethernet header is
an NMRP message, which is parsed into a struct that looks like this:

    struct {
        ushort reserved;
        uchar  code;
        uchar  id;
        ushort length;
        int    numOptions;
        NMRP_PARSED_OPT options[NMRP_MAX_OPT_PER_MSG];
    } nmrp_msg;

    typedef struct {
        ushort type;
        ushort len;
        union {
            uchar magicno[MAGIC_NO_LEN];
            struct {
                uchar addr[IP_LEN];
                uchar mask[IP_LEN];
            } ip;
        } value;
    } NMRP_PARSED_OPT;

That is the parsed, in-memory form. On the wire the message is the
six-byte header (reserved, code, id, length, in network byte order)
followed directly by the options one after another, each as type,
len, value; numOptions is not transmitted, and each option's len
counts its own four-byte type/len header as well as the value
(which is why the 4-byte "NTGR" magic number is sent with len 8).
Frames shorter than the Ethernet minimum get padded, so a receiver
should walk the options using the length field, not the frame size.
There are only two option types we care about: MAGIC_NO (value 1)
and DEV_IP (value 2).

    MAGIC_NO
        Field     Value
        type      1
        len       8
        magicno   "NTGR"

    DEV_IP
        Field     Value
        type      2
        len       12
        addr      IPv4 address for the device
        mask      IPv4 netmask for the device
    Message field   Description
    reserved        Always zero
    code            The packet type; see below
    id              Apparently unused
    length          Total length in bytes of the NMRP message (the
                    6-byte header plus all options; the Ethernet
                    header is not counted)
    options         See above
Packet types correspond to actions. Some are sent to the device,
some are sent by the device.

    Code (value)         Direction     Meaning
    ADVERTISE (1)        To device     Turn on the NMRP stack; the
                                       content should be the MAGIC_NO
                                       option
    CONF_REQ (2)         From device   Ask the server for configuration
    CONF_ACK (3)         To device     Contains the DEV_IP option: the
                                       address and netmask the device
                                       will use, and hence the address
                                       of its TFTP server
    CLOSE_REQ (4)        From device   Ask for the connection to close
    CLOSE_ACK (5)        To device     Close the connection
    KEEP_ALIVE_REQ (6)   Either
    KEEP_ALIVE_ACK (7)   Either
    TFTP_UL_REQ (16)     From device   The device has started a TFTP
                                       server; upload a firmware image
                                       to it
The protocol works something like this (I think!):

- After booting into U-Boot, but before starting Linux from flash,
  U-Boot waits around 1 second for a packet on any of the LAN
  ports. If an ADVERTISE NMRP packet with the correct magic number
  arrives during that time, the NMRP stack is started in state
  LISTENING; otherwise the normal boot continues.
- On transitioning to state LISTENING the device sends a CONF_REQ
  packet with no options.
- The server then sends a CONF_ACK packet to the device. This packet
  must contain a DEV_IP option (OPT_DEV_IP in the source), which is
  used to configure the IP address and netmask of the device. It can
  also contain a FW-UP option, but that is currently ignored. The
  device transitions to state CONFIGING.
- On transitioning to state CONFIGING the device sends a packet of
  type TFTP_UL_REQ, with no options, and then starts a TFTP server
  on the address it was just given.
- The device then waits for a TFTP transfer of the firmware image.
  When the TFTP server has received one file (or times out) the NMRP
  state machine transitions to state KEEP_ALIVE while the image is
  written to flash. In this state it sends a KEEP_ALIVE_REQ every 15
  seconds or so.
- KEEP_ALIVE_ACKs are ignored. When the flash has been written, the
  state is set to CLOSING.
- On transitioning to state CLOSING the device sends a CLOSE_REQ
  packet.
- The server then sends a CLOSE_ACK packet with no options, and the
  device reboots from the new flash image.

Note that nothing in this exchange authenticates the server or the
image: the magic number is a fixed string, not a secret, so any host
on the same Ethernet segment that can get a frame in during that
one-second window can give the device an address and upload whatever
it likes. That is exactly what makes it usable for unbricking, but it
is worth keeping in mind when a router sits on a shared LAN.
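To make the packet format and the state machine above concrete, here is an added example in Python that is not from this page and not Netgear's U-Boot code. It builds and parses messages as the tables describe them (six-byte big-endian header, options as type/len/value with len counting its own header, id sent as 0), and then runs the whole ADVERTISE to CLOSE_ACK exchange with both sides modelled in memory. The device address 192.168.1.1/255.255.255.0, the placeholder firmware bytes and the "BOOTING"/"REBOOTING" state names are made up for the example; the TFTP upload and the flash write happen outside NMRP, so they appear as method calls on the Device rather than as messages.

```python
import socket
import struct
from collections import namedtuple

ETHERTYPE_NMRP = 0x0912   # Ethernet type of the frame carrying the message
NMRP_HDR_LEN = 6          # reserved(2) code(1) id(1) length(2), network byte order
OPT_HDR_LEN = 4           # type(2) len(2); an option's len includes this header
# message codes and option types from the tables above
ADVERTISE, CONF_REQ, CONF_ACK, CLOSE_REQ, CLOSE_ACK = 1, 2, 3, 4, 5
KEEP_ALIVE_REQ, KEEP_ALIVE_ACK, TFTP_UL_REQ = 6, 7, 16
OPT_MAGIC_NO, OPT_DEV_IP = 1, 2
MAGIC = b"NTGR"
NmrpMsg = namedtuple("NmrpMsg", "code id options", defaults=(0, ()))  # options: [(type, value bytes)]

def build_msg(msg):
    """Serialise an NMRP message: 6-byte header, then the options back to back."""
    body = b"".join(struct.pack("!HH", t, OPT_HDR_LEN + len(v)) + v
                    for t, v in msg.options)
    return struct.pack("!HBBH", 0, msg.code, msg.id, NMRP_HDR_LEN + len(body)) + body

def parse_msg(data):
    """Parse an NMRP message from untrusted bytes: every length is checked before
    use, and bytes beyond 'length' (Ethernet padding) are ignored."""
    if len(data) < NMRP_HDR_LEN:
        raise ValueError("short header")
    _reserved, code, mid, length = struct.unpack("!HBBH", data[:NMRP_HDR_LEN])
    if length < NMRP_HDR_LEN or length > len(data):
        raise ValueError("bad message length %d" % length)
    opts, off = [], NMRP_HDR_LEN
    while off < length:
        if length - off < OPT_HDR_LEN:
            raise ValueError("truncated option header")
        t, olen = struct.unpack("!HH", data[off:off + OPT_HDR_LEN])
        if olen < OPT_HDR_LEN or off + olen > length:
            raise ValueError("bad option length %d" % olen)
        opts.append((t, data[off + OPT_HDR_LEN:off + olen]))
        off += olen
    return NmrpMsg(code, mid, opts)

class Device:
    """The router's U-Boot side, following the state machine described above.
    TFTP transfer and flash write are outside NMRP, so they are method calls."""
    def __init__(self):
        self.state, self.addr, self.mask, self.image = "BOOTING", None, None, None

    def on_msg(self, raw):
        """Handle one message from the server; return the reply, or None."""
        msg = parse_msg(raw)
        if (self.state == "BOOTING" and msg.code == ADVERTISE
                and (OPT_MAGIC_NO, MAGIC) in msg.options):
            self.state = "LISTENING"
            return build_msg(NmrpMsg(CONF_REQ))
        if self.state == "LISTENING" and msg.code == CONF_ACK:
            ips = [v for t, v in msg.options if t == OPT_DEV_IP and len(v) == 8]
            if ips:                           # a CONF_ACK without DEV_IP is useless
                self.addr, self.mask = ips[0][:4], ips[0][4:]
                self.state = "CONFIGING"      # TFTP server now listens on self.addr
                return build_msg(NmrpMsg(TFTP_UL_REQ))
        if self.state == "CLOSING" and msg.code == CLOSE_ACK:
            self.state = "REBOOTING"
        return None                           # KEEP_ALIVE_ACK, wrong magic etc.: ignored

    def tftp_upload_done(self, image):
        """The TFTP server received one file; flashing starts."""
        assert self.state == "CONFIGING"
        self.image, self.state = image, "KEEP_ALIVE"
        return build_msg(NmrpMsg(KEEP_ALIVE_REQ))   # repeated ~every 15 s while flashing

    def flash_done(self):
        assert self.state == "KEEP_ALIVE"
        self.state = "CLOSING"
        return build_msg(NmrpMsg(CLOSE_REQ))

def server_reply(raw, addr="192.168.1.1", mask="255.255.255.0"):
    """Host side: the reply to each device message (address and mask are made up)."""
    code = parse_msg(raw).code
    if code == CONF_REQ:
        dev_ip = socket.inet_aton(addr) + socket.inet_aton(mask)   # DEV_IP value: addr+mask
        return build_msg(NmrpMsg(CONF_ACK, options=[(OPT_DEV_IP, dev_ip)]))
    replies = {KEEP_ALIVE_REQ: KEEP_ALIVE_ACK, CLOSE_REQ: CLOSE_ACK}
    return build_msg(NmrpMsg(replies[code])) if code in replies else None  # TFTP_UL_REQ: no NMRP reply

def run_exchange(image=b"constructed placeholder firmware"):
    """Drive both sides in memory; return [(direction, code), ...] and the Device."""
    dev, log = Device(), []
    def send(direction, raw):                 # log one message and hand it to the receiver
        log.append((direction, parse_msg(raw).code))
        return dev.on_msg(raw) if direction == "to device" else server_reply(raw)
    direction, raw = "to device", build_msg(NmrpMsg(ADVERTISE, options=[(OPT_MAGIC_NO, MAGIC)]))
    while raw is not None:                    # ADVERTISE, CONF_REQ, CONF_ACK, TFTP_UL_REQ
        raw = send(direction, raw)
        direction = "from device" if direction == "to device" else "to device"
    # TFTP_UL_REQ gets no NMRP reply: the image goes over TFTP, then is flashed
    for raw in (dev.tftp_upload_done(image), dev.flash_done()):
        send("to device", send("from device", raw))
    return log, dev
```

run_exchange() returns the message codes in the order 1, 2, 3, 16, 6, 7, 4, 5 and leaves the Device rebooting with the address from the CONF_ACK. The parser checks both the message length and each option length against the buffer before slicing, which is the part worth copying if you write a real NMRP receiver: the length fields come from the wire and an Ethernet frame can be padded well past the message.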
Peter Chubb
Last modified: Mon Nov 16 10:02:35 EST 2009