Posted: Mon Dec 01, 2008 3:33 Post subject: Re: Awaiting my rescue cable for serial connector
diagpope wrote:
many thanks for your heads up with the Netgear Router WNR834B V1. I (still) have the bricked V1, another bricked V2 I had returned to the store because I got tired of it. After I de-bricked a Linksys WRT350N V1 successfully, now I am eager to try the procedure via the serial port and a console on the Netgear. I have measured via Ohm-meter the GND connector of the Netgear and found 3.3V on all other three pins (maybe pull-up resistors on the TX and RX?). Thanks for giving me the pinout for the four pins! At the moment I am waiting for a USB to Serial/TTL adapter purchased at eBay to try the magic. I would appreciate it if you could give me a hint where to find the correct images and commands to erase and re-flash the WNR834B. Cheers.
Here's what the CFE will show on the console port at boot-up, but I don't see any explicit options for interrupting it.
This Broadcom CFE page documents various CFE commands and options.
Reviewing text strings inside the compressed CFE binary shows you might be able to interrupt it with CTRL-C if you're VERY quick when it first boots.
Where it says Reading :: Failed.: Timeout occured is where the BOOT_WAIT nvram setting forces it to wait for a TFTP image, so that might also be an option for you.
CFE version 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Îå 4ÔÂ 7 16:53:07 CST 2006 (root@localhost.localdomain)
Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.
Initializing Arena
Initializing Devices.
Boot partition size = 131072(0x20000)
et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.90.23.0
rndis0: Broadcom USB RNDIS Network Adapter (P-t-P)
et1: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.90.23.0
CPU type 0x29006: 264MHz
Total memory: 16384 KBytes
Total memory used by CFE: 0x80300000 - 0x807D3780 (5060480)
Initialized Data: 0x80333F10 - 0x80336DD0 (11968)
BSS Area: 0x80336DD0 - 0x8076D780 (4417968)
Local Heap: 0x8076D780 - 0x807D1780 (409600)
Stack Area: 0x807D1780 - 0x807D3780 (8192)
Text (code) segment: 0x80300000 - 0x80333F10 (212752)
Boot area (physical): 0x007D4000 - 0x00814000
Relocation Factor: I:00000000 - D:00000000
mac address in flash is:00:C0:02:63:00:08
have eRcOmM
before pushbutton
et0macaddr=00:C0:02:63:00:08
run kernel
nvram header:
46:4c:53:48:bc:4c:00:00:60:01:
0b:00:62:00:00:00:08:01:00:00:
Device eth0: hwaddr 00-C0-02-63-00-08, ipaddr 192.168.1.1, mask 255.255.255.0
gateway not set, nameserver not set
Reading :: Failed.: Timeout occured
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
Loading: .. 3856 bytes read
Entry at 0x80001000
Closing network.
Starting program at 0x80001000
I believe there might be three ways possible to un-brick your v1:
1) CONTROL-C to interrupt the CFE (if it's enabled) and use CFE commands to force a TFTP load of a new image. I'd prefer this method over everything else.
2) Short pins on the Macronix Flash RAM chip (MX29LV320ABTC-90G) to force a debug/TFTP wait and then use TFTP to put a new firmware image onto the router. Shorting pins is generally a last-ditch effort before you throw the router out or donate it to a hardware wizard (like redhawk0) with more skills than either of us. But it's a decent option compared to searching for the JTAG points on this v1 board.
3) Identify the JTAG points, prepare a JTAG cable, and attempt to re-flash an image via JTAG. JTAG will require a lot of work to trace the proper pins from the BCM4704KPBG processor chip to test points on the board. If I had to make un-founded wild-arsed guesses about which points they are, I'd bet on two different areas:
a) nine spots on the top side of the board, above the BCM4704KPBG processor chip at #A: TP1, TP2, TP3, TP7, and further right, above pin 17: TP4, TP5, TP8, TP9. TP6 is to the right of TP4. The label for TP6 is to the right of the 48.0 MHz crystal oscillator.
b) five spots on the bottom side of the board: TP15, TP16, TP17, TP18, and TP19.
Those are strictly guesses, I have performed no research whatsoever, only visual inspection.
_________________ 2x Asus RT-AC68U
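An added example, not part of the original posts: a small Python decoder for the 20 bytes printed under "nvram header:" in the boot log above, useful for checking that the nvram region looks intact before choosing a recovery route. The layout of five little-endian 32-bit words and the 0x8000 size limit are assumptions based on the usual Broadcom nvram header, and the function names are illustrative.

```python
import re
import struct

# Lines copied from the CFE boot log quoted in the post above.
SAMPLE_LOG = """\
nvram header:
46:4c:53:48:bc:4c:00:00:60:01:
0b:00:62:00:00:00:08:01:00:00:
Device eth0: hwaddr 00-C0-02-63-00-08, ipaddr 192.168.1.1, mask 255.255.255.0
"""

NVRAM_MAGIC = 0x48534C46  # "FLSH" read as a little-endian 32-bit word
HEADER_LEN = 20           # assumed layout: five 32-bit words
NVRAM_SPACE = 0x8000      # assumed size of the nvram region; adjust per board
HEX_ROW = re.compile(r"(?:[0-9a-fA-F]{2}:)+")


def extract_header_bytes(log_text):
    """Return the 20 header bytes printed after the 'nvram header:' line."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    if "nvram header:" not in lines:
        raise ValueError("no 'nvram header:' marker in log")
    raw = bytearray()
    for ln in lines[lines.index("nvram header:") + 1:]:
        if not HEX_ROW.fullmatch(ln):
            break  # first non-hex line ends the dump
        raw += bytes.fromhex(ln.replace(":", ""))
    if len(raw) < HEADER_LEN:
        raise ValueError("header dump is truncated")
    return bytes(raw[:HEADER_LEN])


def decode_header(raw):
    """Split the header into fields and flag values that look corrupted."""
    magic, length, crc_ver_init, config_refresh, ncdl = struct.unpack("<5I", raw)
    return {
        "magic_ok": magic == NVRAM_MAGIC,
        "len": length,
        "len_ok": HEADER_LEN <= length <= NVRAM_SPACE,
        "crc8": crc_ver_init & 0xFF,
        "version": (crc_ver_init >> 8) & 0xFF,
        "sdram_init": crc_ver_init >> 16,
        "sdram_config": config_refresh & 0xFFFF,
        "sdram_refresh": config_refresh >> 16,
        "sdram_ncdl": ncdl,
    }


if __name__ == "__main__":
    print(decode_header(extract_header_bytes(SAMPLE_LOG)))
```

A header whose magic or length check fails on a bricked unit points at a damaged nvram region rather than a bad firmware image.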
I would like to ask you, if you can, to provide JTAG pinouts for the WL-550GE device.
I have semi-bricked my Asus router.
It seems that DHCP is working, because it gives an IP to my LAN card, but I cannot log in to the router because it won't accept the username and password, even though I know they are the right ones. I tried all the guides available, but it seems none of them works in my situation, so the only remaining chance would be the JTAG procedure.
I have flashed my other router which is a wrt54gl, so I have a proper cable.
Joined: 04 Jan 2007 Posts: 11564 Location: Wherever the wind blows- North America
Posted: Fri Dec 19, 2008 13:34 Post subject: Re: Awaiting my rescue cable for serial connector
KeithB wrote:
Here's what the CFE will show on the console port at boot-up, but I don't see any explicit options for interrupting it.
If it's anything like the Netgear WGR614Lv8 that I have, you have to start hitting Cntl-C (rapid fire) right when you plug it in. You only have about 250-500mS to get it to take.
It will come back with a CFE> prompt when you get it.
redhawk _________________ The only stupid question....is the unasked one.
First of all, sorry if this is the wrong thread. I think it's not worth opening a new one for this question but I couldn't decide on which one to post.
I just finished soldering my unbuffered JTAG cable. The ohm meter is reading values between 99.5 and 101.5 ohm. According to the code the resistor has 5% tolerance so my 1.5% seems OK. But since I know so little about electronics (all my knowledge can be summarized to IR=V) I wanted to ask if it's still inside the tolerance range and safe to use.
Posted: Wed Jan 21, 2009 15:41 Post subject:
Another pointer for anyone that uses an ebay purchased JTAG cable.
I purchased mine about a year ago (probably longer...time seems to fly)...anyway, about 8 months ago, I opened up my cable on the parallel connector side to find that only pin 6 was connected to ground. Meaning pins 2,4,8,10 were all just floating and could potentially pick up noise. I would occasionally see random problems with the cable while flashing devices.
So...I grounded all pins 2,4,6,8,10 (I left the pin 12 floating as suggested in the JTAG build diagram)
Since these pins all run right next to a data/signal pin in a ribbon cable my crosstalk noise seems to be lower and my JTAG experience has been improved.
redhawk _________________ The only stupid question....is the unasked one.
Posted: Wed Jan 21, 2009 23:29 Post subject: JTag for WRT 600n
Does anyone know if it is possible to have JTAG on the Linksys WRT 600n? I have overwritten the CFE so it doesn't boot anymore. I can also unsolder the flash memory but I don't have the file to load. I have CFE but I don't know from which address to load CFE. Can someone help me?
Thanks.