Posted: Fri Mar 19, 2021 2:20 Post subject: Questions about Jtag troubles with broadcom and atheros mods
So I have (1) old D-Link DIR-615 E3, (1) WRT54GS v1 and (1) WRT54GS v2 (JTAG pins are different on this one) routers. They all work, boot up and run fine, and all routers have headers soldered in.
I would like to be able to JTAG in since I plan on changing the MAC address on all of them. The trouble I am having is that I have a Bus Pirate JTAG board and a JTAG cable, and neither gives me a CPU response on Windows. Do I need to use Linux to get this working? I tried on Windows 7.
I know the routers are fine. I also know the pins are soldered fine because I have a JTAGulator and all the pins register: TDI, TDO, TMS, TCK and the ground pin.
Am I just needing to use Windows XP or Linux for this to work? I am leaning towards an issue with ECP and the parallel port, which is selected atm. Any ideas would be great.
The other option would be to desolder the flash and edit the flash using an SPI programmer, but I would like to avoid this option unless I get a test socket like this one where I would be able to pop up the flash and do whatever with it. Would be nice just to get the JTAGs working now on 3 routers.
So I figured out the issue. It's got nothing to do with my soldering or the pins, it was the JTAG software!!!
Make sure to use either tjtag or the original wrt54g.exe ONLY!!!!!!! Do not use zjtag or any other version with the parallel port, you will have issues!
I used ECP and Windows 7; it works fine on port 378. Make sure to select "Use interrupt when available for the LPT port" for Windows. This was 1 week of scratching my head trying to figure out what's busted, which was nothing at all; turns out it was just software. The unbuffered works better than buffered using Bus Pirate or Bus Blaster.
You will see something like this and can move on to whatever you want. Getting the detection is the hard part.
wrt54g.exe -backup:cfe
rename saved CFE.SAVED blah blah to CFE.bin
wrt54g.exe -erase:kernel
wrt54g.exe -erase:nvram
final step:
wrt54g.exe -flash:cfe
Make sure to edit CFE.bin prior to the final step: change the MAC location using the HxD hex editor at offset 000010C1.
And you're done. Reflash your firmware using TFTP or whatever method. If that didn't work, then you might have a case where the MAC is coming from another location; you can search the forum for a solution.
Few more notes,
=================
In some cases your flash will not work even though it says it worked. In these cases you can try
wrt54g.exe -erase:wholeflash
then
wrt54g.exe -erase:cfe
Pay careful attention to the entering debug mode part.
BAD CFE
=======
In some cases your CFE is bad, in this case you will need to hook up BOTH!! serial and jtag and watch the serial port while the router boots to see if your CFE worked.
Some of the CFEs need an edit in the 1E00 - 1E01 address space, the initial imacaddr; unfortunately this was figured out by trial and error. For my WRT54GS v1 the macaddr worked, but for the WRT54GS 2 I needed to edit 1E00.
I had a lot of trouble with CFEs: both dumping them and using CFEs from the collection gave a lot of trouble. You might need to try a few.
Basic CFE organization is as follows:
et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.60.13.0
rndis0: Broadcom USB RNDIS Network Adapter (P-t-P)
CPU type 0x29007: 200MHz
Total memory: 0x2000000 bytes (32MB)
Total memory used by CFE: 0x80300000 - 0x8043EB40 (1305408)
Initialized Data: 0x80338DB0 - 0x8033B160 (9136)
BSS Area: 0x8033B160 - 0x8033CB40 (6624)
Local Heap: 0x8033CB40 - 0x8043CB40 (1048576)
Stack Area: 0x8043CB40 - 0x8043EB40 (8192)
Text (code) segment: 0x80300000 - 0x80338DB0 (232880)
Boot area (physical): 0x0043F000 - 0x0047F000
Relocation Factor: I:00000000 - D:00000000
If you see : Reading :: CODE Pattern is INCORRECT! (W54S)
Failed.: Error
CFE>
When trying to load firmware you will need to edit the header from the bin you are putting on to match W54S.
Good luck. I have attached a DD-WRT firmware with an edited 54S header, so this should work fine if you see the error.
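
Added example, not part of the original post: a Python sketch that lists every ASCII MAC string in a CFE dump with its offset, so the location can be confirmed before editing, and that patches one only if a MAC is actually present at that offset. It assumes the MAC is stored as 17 characters of ASCII text; the function names and the sample image (with values placed at the two offsets the post mentions) are constructed for illustration.

```python
import re

# Assumption: the MAC is stored as 17 bytes of ASCII text (xx:xx:xx:xx:xx:xx).
MAC_RE = re.compile(rb"(?<![0-9A-Fa-f:])(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f:])")
KEY_RE = re.compile(rb"([A-Za-z0-9_]+)=$")


def find_macs(image: bytes):
    """Return (offset, mac, label) for each ASCII MAC; label is a 'name=' prefix or None."""
    hits = []
    for m in MAC_RE.finditer(image):
        key = KEY_RE.search(image[max(0, m.start() - 32):m.start()])
        hits.append((m.start(), m.group().decode(), key.group(1).decode() if key else None))
    return hits


def patch_mac(image: bytes, offset: int, new_mac: str) -> bytes:
    """Return a copy with the MAC at offset replaced, refusing unexpected input."""
    new = new_mac.encode("ascii")
    if not MAC_RE.fullmatch(new):
        raise ValueError("new MAC must look like 00:11:22:33:44:55")
    if not MAC_RE.fullmatch(image[offset:offset + 17]):
        raise ValueError(f"no ASCII MAC at offset {offset:#06x}")
    patched = image[:offset] + new + image[offset + 17:]
    if len(patched) != len(image):  # a size change would shift everything after it
        raise ValueError("image size changed")
    return patched


def build_sample() -> bytes:
    """Constructed 8 KiB stand-in for CFE.bin (not a real dump)."""
    img = bytearray(b"\xff" * 0x2000)
    labelled = b"et0macaddr=00:90:4C:60:00:2A\x00"  # constructed; value lands at 0x10C1
    img[0x10B6:0x10B6 + len(labelled)] = labelled
    img[0x1E00:0x1E00 + 17] = b"00:16:B6:12:34:56"  # constructed bare MAC at 0x1E00
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample()
    for off, mac, label in find_macs(sample):
        print(f"{off:#010x}  {mac}  {label or '(no label)'}")
    fixed = patch_mac(sample, 0x1E00, "00:11:22:33:44:55")
    print(find_macs(fixed))
```

Run against a real dump, read the file with open("CFE.bin", "rb").read() and keep the untouched backup; patch_mac returns a new copy and never writes to disk.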