JTAG pinouts and guides ! ! !

Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware
Goto page Previous  1, 2, 3, 4, 5, 6  Next
Author Message
KeithB
DD-WRT User


Joined: 22 Jun 2008
Posts: 489

PostPosted: Mon Dec 01, 2008 3:33    Post subject: Re: Awaiting my rescue cable for serial connector Reply with quote
diagpope wrote:
many thanks for your heads up with the Netgear Router WNR834B V1. I (still) have the bricked V1, another bricked V2 I had returned to the store because I got tired of it. After I de-bricked a Linksys WRT350N V1 successfully now I am eager to try the procedure via the serial port and a console on the Netgear. I have measured via Ohm-meter the GND connector of the Netgear and found 3.3V on all other three pins (maybe pull-up resistors on the TX and RX ?). Thanks for giving me the pinout for the four pins ! At the moment I am waiting for a USB to Serial/TTL adapter purchased at eBay to try the magic. I would appreciate if you could give me a hint where to find the correct images and commands to erase and re-flash the WNR834B. Cheers.

Here's what the CFE will show on the console port at boot-up, but I don't see any explicit options for interrupting it.
This Broadcom CFE page documents various CFE commands and options.
Reviewing text strings inside the compressed CFE binary shows you might be able to interrupt it with CTRL-C if you're VERY quick Wink when it first boots.
Where it says Reading :: Failed.: Timeout occured is where the BOOT_WAIT nvram setting forces it to wait for a TFTP image, so that might also be an option for you.
Code:
Decompressing..........done
CFE,restore_defaults=0

CFE version 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Îå  4Ô  7 16:53:07 CST 2006 (root@localhost.localdomain)
Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.

Initializing Arena
Initializing Devices.
Boot partition size = 131072(0x20000)
et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.90.23.0
rndis0: Broadcom USB RNDIS Network Adapter (P-t-P)
et1: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.90.23.0
CPU type 0x29006: 264MHz
Total memory: 16384 KBytes

Total memory used by CFE:  0x80300000 - 0x807D3780 (5060480)
Initialized Data:          0x80333F10 - 0x80336DD0 (11968)
BSS Area:                  0x80336DD0 - 0x8076D780 (4417968)
Local Heap:                0x8076D780 - 0x807D1780 (409600)
Stack Area:                0x807D1780 - 0x807D3780 (8192)
Text (code) segment:       0x80300000 - 0x80333F10 (212752)
Boot area (physical):      0x007D4000 - 0x00814000
Relocation Factor:         I:00000000 - D:00000000

mac address in flash is:00:C0:02:63:00:08
have eRcOmM
before pushbutton
et0macaddr=00:C0:02:63:00:08
run kernel
nvram header:
46:4c:53:48:bc:4c:00:00:60:01:
0b:00:62:00:00:00:08:01:00:00:
Device eth0:  hwaddr 00-C0-02-63-00-08, ipaddr 192.168.1.1, mask 255.255.255.0
        gateway not set, nameserver not set
Reading :: Failed.: Timeout occured
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
Loading: .. 3856 bytes read
Entry at 0x80001000
Closing network.
Starting program at 0x80001000


I believe there might be three ways possible to un-brick your v1:

1) CONTROL-C to interrupt the CFE (if it's enabled) and use CFE commands to force a TFTP load of a new image. I'd prefer this method over everything else.

2) Short pins on the Macronix Flash RAM chip (MX29LV320ABTC-90G) to force a debug/TFTP wait and then use TFTP to put a new firmware image onto the router. Shorting pins is generally a last-ditch effort before you throw the router out Sad or donate it to a hardware wizard (like redhawk0) with more skills Wink than either of us. But it's a decent option compared to searching for the JTAG points on this v1 board.

3) Identify the JTAG points, prepare a JTAG cable, and attempt to re-flash an image via JTAG. JTAG will require a lot of work to trace the proper pins from the BCM4704KPBG processor chip to test points on the board. If I had to make un-founded wild-arsed guesses about which points they are, I'd bet on two different areas:
a) nine spots on the top side of the board, above the BCM4704KPBG processor chip at #A: TP1, TP2, TP3, TP7, and further right, above pin 17: TP4, TP5, TP8, TP9. TP6 is to the right of TP4. The label for TP6 is to the right of the 48.0 MHz crystal oscillator.
b) five spots on the bottom side of the board: TP15, TP16, TP17, TP18, and TP19. Those are strictly guesses, I have performed no research whatsoever, only visual inspection.

_________________
2x Asus RT-AC68U
Sponsor
diagpope
DD-WRT Novice


Joined: 22 Oct 2008
Posts: 15

PostPosted: Tue Dec 02, 2008 2:02    Post subject: Debrick of Netgear WNR834B V1 Reply with quote
I will post my results once I have attempted to debrick my V1 with a serial cable. Thanks for all your help !
Gdfath3r
DD-WRT Novice


Joined: 02 Oct 2006
Posts: 2

PostPosted: Mon Dec 08, 2008 14:49    Post subject: Re: JTAG pinouts and guides ! ! ! Reply with quote
JTAG pinout for Asus WL-500g Deluxe (wl-500gd):
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=16530[/quote]

I would like to ask you, if you can, to provide JTAG pinouts for WL-550GE device.
I have semi-bricked my Asus router.
It seems that dhcp is working, because gives IP to my LAN card, but I cannot log in into the router because it wont accept the username and password, despite I know is the right one. I tried all the guides available, but it seems no one is working in my situation, so the remaining only chance would be the JTAG procedure.

I have flashed my other router which is a wrt54gl, so I have a proper cable.

Thank you in advance.
redhawk0
DD-WRT Guru


Joined: 04 Jan 2007
Posts: 11563
Location: Wherever the wind blows- North America

PostPosted: Fri Dec 19, 2008 13:34    Post subject: Re: Awaiting my rescue cable for serial connector Reply with quote
KeithB wrote:

Here's what the CFE will show on the console port at boot-up, but I don't see any explicit options for interrupting it.


If its anything like the Netgear WGR614Lv8 that I have, you have to start hitting Cntl-C (rapid fire) right when you plug it in. You only have about 250-500mS to get it to take.

It will come back with a CFE> prompt when you get it.

redhawk

_________________
The only stupid question....is the unasked one.
juanii
DD-WRT Novice


Joined: 12 Dec 2008
Posts: 10

PostPosted: Sun Dec 21, 2008 14:11    Post subject: Reply with quote
Hi!

First of all, sorry if this is the wrong thread. I think it's not worth to open a new one for this question but I couldn't decide on which one to post.

I just finished soldering my unbuffered JTAG cable. The ohm meter is reading values between 99.5 and 101.5 ohm. According to the code the resistor has 5% tolerance so my 1.5% seems OK. But since I know so little about electronics (all my knowledge can be summarized to IR=V) I wanted to ask if it's still inside the tolerance range and safe to use.

Thanks in advance!

Regards
kisbetu
DD-WRT User


Joined: 10 Dec 2008
Posts: 55

PostPosted: Sun Dec 21, 2008 14:39    Post subject: Reply with quote
juanii wrote:

I just finished soldering my unbuffered JTAG cable. The ohm meter is reading values between 99.5 and 101.5 ohm.


Don't worry!

It's OK.
redhawk0
DD-WRT Guru


Joined: 04 Jan 2007
Posts: 11563
Location: Wherever the wind blows- North America

PostPosted: Wed Jan 21, 2009 15:41    Post subject: Reply with quote
Another pointer for anyone that uses an ebay purchased JTAG cable.

I purchased mine about a year ago (probably longer...time seems to fly)...anyway, about 8 months ago, I opened up my cable on the parallel connector side to find that only pin 6 was connected to ground. Meaning pins 2,4,8,10 were all just floating and could potentially pick up noise. I would occasionally see random problems with the cable while flashing devices.

So...I grounded all pins 2,4,6,8,10 (I left the pin 12 floating as suggested in the JTAG build diagram)

Since these pins all run right next to a data/signal pin in a ribbon cable my crosstalk noise seems to be lower and my JTAG experience has been improved.

redhawk

_________________
The only stupid question....is the unasked one.
kisbetu
DD-WRT User


Joined: 10 Dec 2008
Posts: 55

PostPosted: Wed Jan 21, 2009 17:20    Post subject: Reply with quote
redhawk0 wrote:


So...I grounded all pins 2,4,6,8,10 (I left the pin 12 floating as suggested in the JTAG build diagram)

Since these pins all run right next to a data/signal pin in a ribbon cable my crosstalk noise seems to be lower and my JTAG experience has been improved.

redhawk


Yessssssssss!

That's the benefit of this pinout.
Bimbo
DD-WRT Novice


Joined: 07 May 2007
Posts: 15

PostPosted: Wed Jan 21, 2009 23:29    Post subject: JTag for WRT 600n Reply with quote
Does anyone know if it is possible to have jtag on linksys wrt 600n? I have overwritten cfe so it doesn't boot anymore. I can also unsolder flash memory but i don't have the file to load. I have CFE but i don't know from which address to load cfe. Can sonemone help me?
Thanks.
A340
DD-WRT Novice


Joined: 23 Oct 2007
Posts: 41

PostPosted: Sat Feb 21, 2009 9:56    Post subject: Reply with quote
I am looking for the Pin out for the WTR54GS v1 & v2: v2.1
Thanks
redhawk0
DD-WRT Guru


Joined: 04 Jan 2007
Posts: 11563
Location: Wherever the wind blows- North America

PostPosted: Sat Feb 21, 2009 17:21    Post subject: Reply with quote
A340 wrote:
I am looking for the Pin out for the WTR54GS v1 & v2: v2.1
Thanks


I am not sure of the WTR models...but it is most likely the same as all the other WRT units.

Here is a pinout for the WRT...maybe it will help....but WTR is basically unknown.

[EDIT] - all references that I found were that it is this standard.

redhawk



JTAG-Pin-out.jpg
 Description:
WRT pinout for JTAG
 Filesize:  50.62 KB
 Viewed:  47189 Time(s)

JTAG-Pin-out.jpg



_________________
The only stupid question....is the unasked one.
A340
DD-WRT Novice


Joined: 23 Oct 2007
Posts: 41

PostPosted: Sun Feb 22, 2009 17:31    Post subject: Reply with quote
Redhawk0, thanks very much for the information.
HyperVerbal
DD-WRT Novice


Joined: 05 Jul 2008
Posts: 9
Location: GA

PostPosted: Mon Mar 30, 2009 7:00    Post subject: tcniso USB Reply with quote
ok i think i can use the tcniso USB jtag from the cable modem for the netgear wnr834bv2 to get dd-wrt running has anyone tried this?
Shawn360
DD-WRT Guru


Joined: 26 Jul 2008
Posts: 1237

PostPosted: Mon Mar 30, 2009 7:18    Post subject: Re: tcniso USB Reply with quote
HyperVerbal wrote:
ok i think i can use the tcniso USB jtag from the cable modem for the netgear wnr834bv2 to get dd-wrt running has anyone tried this?

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=49461&highlight=
HyperVerbal
DD-WRT Novice


Joined: 05 Jul 2008
Posts: 9
Location: GA

PostPosted: Mon Mar 30, 2009 20:58    Post subject: Re: tcniso USB Reply with quote
Shawn360 wrote:
HyperVerbal wrote:
ok i think i can use the tcniso USB jtag from the cable modem for the netgear wnr834bv2 to get dd-wrt running has anyone tried this?

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=49461&highlight=


I'll cross post then with a pic of the Blackcat and see what i get there... thank you...
Goto page Previous  1, 2, 3, 4, 5, 6  Next Display posts from previous:    Page 3 of 6
Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum