JTag debricking guide for WRT54G

Post new topic   This topic is locked: you cannot edit posts or make replies.    DD-WRT Forum Index -> Broadcom SoC based Hardware
Goto page 1, 2, 3  Next
Author Message
mauxiliar
DD-WRT User


Joined: 11 Sep 2007
Posts: 135
Location: 64.233.167.99 :-) not really! Santa Fe, Argentina

PostPosted: Sat Sep 15, 2007 19:08    Post subject: JTag debricking guide for WRT54G Reply with quote
Hello nice people who have WRT54G's and DD-WRT!
I made this JTag Cable Debricking Guide because I bricked my router this week uploading DD-WRT v24 RC2 and spend several hours reading this forum and asking to RedHawk's (thanks buddy!) until I figure out how to unbrick it!

First of all let me be clear:
1- I'm sort of a beginner on flashing things! So I think anyone can do it!
2- I'm from Argentina so my English is not the best you'll find!
3- I followed the steps I'm about to write with my WRT54G v1.00 and the symptoms I had where that only power and DMZ leds turned on in the front panel of the router and didn't blink at all!
4- I didn't invent the things I'll said... all was taken from other tutorials or from RedHawk instructions so be thankful to the intelligent people we have in DD-WRT development!
5- As every tutorial says: I'm not responsible for the damage done to your router by your incompetence etc, etc, etc!

For those who are idiots (like me) experimenting with their router for their first or second time and brick it follow this awesome guide first:

http://www.dd-wrt.com/wiki/index.php/Recover_from_a_Bad_Flash

I recommend to read it very carefully, the first few points r essential, if u get ping responses from the router u r probably saved without much trouble...
Don't forget to try slowing your Ethernet card to 10mbits half duplex to see if that works for the pings... I got responses doing that with DD-WRT v23 SP2.

If u get to topic "Recovery by JTAG cable" with no luck (like me!), that’s were I can help you (hope so)! Making a JTag cable it’s easy and it’s safer than the other 2 methods listed in that tutorial...

Before beginning, to do this u'll need to know how to solder or at least know someone that can do it 4 u!

Well... let’s begin with the JTag thing.

1- Open your router as its described in the "Revival guide" (
http://www.linksysinfo.org/forums/showthread.php?t=47259 ). Look at the first 6 pictures that shows how to do it.

2- Download HairyDairyMaid Debrick utility from
http://www.dd-wrt.com/dd-wrtv2/down.php?path=downloads%2Fothers%2Fjtag%20tools%2F&download=HairyDairyMaid_WRT54G_Debrick_Utility_v48.zip
and follow the instructions on how to make the JTag cable from the pdf that is inside (HairyDairyMaid_WRT54G_v2_DeBrick_Guide.pdf) or look at
http://wiki.openwrt.org/OpenWrtDocs/Customizing/Hardware/JTAG_Cable
in that page u have 2 alternatives of cables... both works but the "Unbuffered Cable, Xilinx DLC5 Cable III" is easier to make and probably free!
I did the unbuffered cable with an old serial port (DB25) from a 486 I had trashed in my garage! and for the other side of the cable I cut an IDE cable, but is best if u can get a Midi port (the one's used for joysticks!) because it’s smaller and has only 14 pins so u don’t need to cut anything… The 100 ohms resistors cost less than $0.50c.

3- Soldier the 12 pins needed in your router's motherboard where it says JP2, in the HairyDairyMaid_WRT54G_v2_DeBrick_Guide.pdf shows you how it needs to be and where it is. It is right next to the leds...
I got the pins from the 486 motherboard! But any motherboard has those pins...

4- Once the cable and the router are soldered and ready, unplug every cable from the router and then plug only the JTag cable to the parallel port on the PC and the other side to the router. THE ROUTER MUST BE POWERED OFF in this step.

5- This is the step I have problems with and it’s the easiest one!:
- First unzip HairyDairyMaid Debrick utility
- Copy giveio.sys to C:\Windows\sytem32\drivers
- Start LoadDrv.exe that comes with hairydairy.
- In "Full pathname of driver" write: C:\WINDOWS\system32\drivers\giveio.sys and press Install and Start buttons.
If everything is right in status should said: "Operation was successful"
If not check the path. I think it is case sensitive because I brote c:\windows\system32\... and didn’t worked!

6- Once the driver is working ("Operation was successful") read "The Software" section in the pdf from HairyDairyMaid to get some ideas on how it works!

7- Now open a DOS windows by clicking on Start, Run, type CMD and then Enter. And go to HairyDairyMaid directory.

8- Now... I'll explain how this app work... first write the command u'd like to use and then plug the router's power cable and quickly hit Enter key on the computer... its easy! So first do a backup of everything.
For that the commands would be:
wrt54g -backup:cfe
wrt54g -backup:nvram
wrt54g -backup:kernel
wrt54g -backup:wholeflash
type one command at a time obviously and what for the backup to finish! The kernel and wholefalsh commands takes about 15 minutes each...
If you see no progress, and by that I mean that no percentage number is increasing or it freezes at Clearing Watchdog then something is wrong...

What happened to me was that my processor number was old or something and had problems with HairyDairyMaid new processor compatibility... I really didn't understand but with the command:
wrt54g -backup:cfe /noreset /nobreak worked wonderfully! (That would be applied on version 1.00 of WRT54G)

RedHawk told me that he used /nocwd /noewm /noreset parameters for his router otherwise it freezes at clearing watchdog timer too.

Also he told me that another way around this... at least it worked for him in the past... if it freezes... unplug the unit and plug it back in with the wrt54g.exe command line still running.

9- If you see that the backup up is running: congratulation! You probably did it in less time than me!
Now what I recommend you is to erase ONLY the nvram... so DD-WRT firmware rebuild it next time the router powers on.
For doing this just type:
wrt54g -erase:nvram
then disconnect the router, disconnect the JTag cable, start pinging the router to 192.168.1.1 and connect the router power again with the network cable to the computer (without JTag)... and cross your fingers!
In my case the pings reply and I entered the web interface and downgraded to an old beta of v24 I was using, but if the web interface doesn’t work start re reading the first steps of the first guide! the ones that tells you what to do when pings works! Because u can probably revive it with tftp or something.
Another thing… in my case, after erasing the nvram, with the v24 cr2 firmware, if I unplugged and plugged the router for the second time it bricked again… so I the web interface doesn’t work and u need to tftp while boot wait, then u’ll need to erase nvram each time the router is powered off…

OK, that’s all in what I can help! I hope I have been helpful to someone and had not waste my time building this guide!
Good luck with your flashings...

OverLord (A.K.A. Mauxiliar )
Sponsor
Tortri
DD-WRT Novice


Joined: 26 Jul 2007
Posts: 31

PostPosted: Sat Sep 15, 2007 20:56    Post subject: Reply with quote
what if you got an error while trying to use a jtag. Basically i bought a premade one from ebay, soldered it in, type in the commands(had to use my neighbors computer as none of my computer have a parallel port) and basically didn't work. If I remember right it couldn't find it..
mauxiliar
DD-WRT User


Joined: 11 Sep 2007
Posts: 135
Location: 64.233.167.99 :-) not really! Santa Fe, Argentina

PostPosted: Sat Sep 15, 2007 21:04    Post subject: Reply with quote
Tortri wrote:
what if you got an error while trying to use a jtag. Basically i bought a premade one from ebay, soldered it in, type in the commands(had to use my neighbors computer as none of my computer have a parallel port) and basically didn't work. If I remember right it couldn't find it..


Can u copy and paste the error u r getting here?
Did you load the driver with loaddrv.exe before using wrt54g.exe?
Exvitermini
DD-WRT User


Joined: 13 Feb 2008
Posts: 228

PostPosted: Tue Jun 10, 2008 19:17    Post subject: Reply with quote
im just posting here so this thread goes into my post record. just incase i mess up, i can come back here Very Happy
redhawk0
DD-WRT Guru


Joined: 04 Jan 2007
Posts: 11563
Location: Wherever the wind blows- North America

PostPosted: Wed Jun 11, 2008 0:27    Post subject: Reply with quote
Depending on your unit make/model. It would be wise to substitute the HairyDairyMaid software with the new TFTAG software that Tornado wrote.

the commands are pretty much the same but instead of using the command wrt54g....it is now tjtagv2

The TJTAG can be found here.
http://www.dd-wrt.com/dd-wrtv2/downloads/others/tornado/jtag/tjtagv2-1-4.zip

Any newer devices with a 5354 CPU will require this new TJTAG...the HairyDairyMaid only supports up to 5352 CPU types.

When in doubt about switches for the command...just type the command name...the help list of switches will come up.

redhawk

_________________
The only stupid question....is the unasked one.
skylercall
DD-WRT Novice


Joined: 04 Oct 2007
Posts: 8
Location: Utah

PostPosted: Tue Oct 14, 2008 21:19    Post subject: Reply with quote
redhawk0 wrote:
Depending on your unit make/model. It would be wise to substitute the HairyDairyMaid software with the new TFTAG software that Tornado wrote.

I have been using this and it works great.

mauxiliar wrote:
RedHawk told me that he used /nocwd /noewm /noreset parameters for his router otherwise it freezes at clearing watchdog timer too.

Maybe /noewm is correct with wrt54g but with tjtagv2 the command is /noemw.
moreins
DD-WRT User


Joined: 18 Nov 2006
Posts: 320
Location: Cali, Colombia

PostPosted: Sat Feb 07, 2009 19:38    Post subject: Reply with quote
thanf for all the info posted here...
quick question...
what about using
Code:
/nocwd /noewm /noreset
when issuing
Code:
tjtag -flash:cfe
?? is this necessary??
thanks

_________________
WRT54GS v2.1 > v24-sp2 (01/01/09) mega
WRT54GS v5 > v24-sp2 (01/01/09) micro
PPTP, WDS link and SD Mod
redhawk0
DD-WRT Guru


Joined: 04 Jan 2007
Posts: 11563
Location: Wherever the wind blows- North America

PostPosted: Sat Feb 07, 2009 19:45    Post subject: Reply with quote
moreins wrote:
thanf for all the info posted here...
quick question...
what about using
Code:
/nocwd /noewm /noreset
when issuing
Code:
tjtag -flash:cfe
?? is this necessary??
thanks


Yeah...that was a typo..../noemw not /noewm (I got these fat fingers...doncha know)

Anyway....you can use /nocwd and /noemw with 5352 processor and older units...but I have found that they are not necessary with 5354 processor based...use just /noreset (and /bypass...if your flash chip supports it)

And....I never used /noreset with older units either.

redhawk

_________________
The only stupid question....is the unasked one.
moreins
DD-WRT User


Joined: 18 Nov 2006
Posts: 320
Location: Cali, Colombia

PostPosted: Sat Feb 07, 2009 19:50    Post subject: Reply with quote
thanks for the reply!
i wasnt sure about those commands so i just issued tjtagv2 -flash:cfe on a 5354 Confused is that bad???

i havent got any problems but it is taking more time that i expected...

its been almost 15 minutes, and its still on 0% ¿?

Code:
Loading CFE.BIN to Flash Memory...
[  0% Flashed]   1fc00000: 10000817 00000000 00000000 00000000
[  0% Flashed]   1fc00010: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00020: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00030: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00040: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00050: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00060: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00070: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00080: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00090: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc000a0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc000b0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc000c0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc000d0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc000e0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc000f0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00100: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00110: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00120: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00130: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00140: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00150: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00160: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00170: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00180: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00190: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc001a0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc001b0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc001c0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc001d0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc001e0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc001f0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00200: 100009e7 00000000 00000000 00000000
[  0% Flashed]   1fc00210: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00220: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00230: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00240: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00250: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00260: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00270: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00280: 100009d4 241a0010 00000000 00000000
[  0% Flashed]   1fc00290: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc002a0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc002b0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc002c0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc002d0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc002e0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc002f0: 00000000 00000000 00000000 00000000
[  0% Flashed]   1fc00300: 100009b6 00000000

_________________
WRT54GS v2.1 > v24-sp2 (01/01/09) mega
WRT54GS v5 > v24-sp2 (01/01/09) micro
PPTP, WDS link and SD Mod
redhawk0
DD-WRT Guru


Joined: 04 Jan 2007
Posts: 11563
Location: Wherever the wind blows- North America

PostPosted: Sat Feb 07, 2009 20:07    Post subject: Reply with quote
moreins wrote:
thanks for the reply!
i wasnt sure about those commands so i just issued tjtagv2 -flash:cfe on a 5354 Confused is that bad???

i havent got any problems but it is taking more time that i expected...

its been almost 15 minutes, and its still on 0% ¿?


No...it won't hurt anything...but if this is a V8...then that is where the problem is. V8 units are horrible little boxes. They are the most troublesome JTAG boxes that I've ever come across. I have a bricked one right now that I know is good...but I've been working over 26 hours (5 days) to reflash a cfe to.

I've flashed it before successfully, but it is a real pain to get it to take.

I can get it to complete a cfe flash...only to find out the data is corrupt...I can take any of my other units and it flashes first time out of the gate.

Anyway...the V8 should flash in about 600 seconds...give or take for a 256K CFE. If it doesn't scroll a full percentage every 5-10 seconds...then there is something wrong.

I always use

tjtag -erase:wholeflash /noreset (twice)

then

tjtag -flash:cfe /noreset /bypass

my K8D1716UBC supports /bypass

if you have a 128K compressed cfe then the command line is

tjtag -flash:cfe128 /noreset /bypass

hope it helps...but these V8's are the worst little boxes that Linky ever produced.

redhawk

_________________
The only stupid question....is the unasked one.
moreins
DD-WRT User


Joined: 18 Nov 2006
Posts: 320
Location: Cali, Colombia

PostPosted: Sat Feb 07, 2009 20:14    Post subject: Reply with quote
yes...i have a wrt54g v8...i got it from a friend and thought i could flash it...
i got the CFE from tornado's downloads...it is a 196KB .BIN file

i havent got any errors so far but its taking too damn long to advance in %.
it takes around 1 minute to complete the 4 groups each line has but its been almost half hour and im still on 3%...i do know its working since new lines appear every while...

what do you recommend me to do? how do i stop the flash procedure and start all over again??

how do i know it my processor supports bypass?

thanks

_________________
WRT54GS v2.1 > v24-sp2 (01/01/09) mega
WRT54GS v5 > v24-sp2 (01/01/09) micro
PPTP, WDS link and SD Mod
redhawk0
DD-WRT Guru


Joined: 04 Jan 2007
Posts: 11563
Location: Wherever the wind blows- North America

PostPosted: Sat Feb 07, 2009 20:27    Post subject: Reply with quote
moreins wrote:
yes...i have a wrt54g v8...i got it from a friend and thought i could flash it...
i got the CFE from tornado's downloads...it is a 196KB .BIN file

i havent got any errors so far but its taking too damn long to advance in %.
it takes around 1 minute to complete the 4 groups each line has but its been almost half hour and im still on 3%...i do know its working since new lines appear every while...

what do you recommend me to do? how do i stop the flash procedure and start all over again??

how do i know it my processor supports bypass?

thanks


What flash chip is detected...look it up in the datasheet for your flash chip...it will say that there is an "unlock bypass" for the chip.

Personally, I would (and have) stop it if it is taking that long to flash 16 bytes....it should flash a full percent every 5-10 seconds....like I said...the cfe you got from Tornado (size is 192K...for a 256K CFE) should only take 10 minutes total.

It sounds like you are in the same boat that I am in.

Now...Tornado told me on Thursday that sometimes you can "kick start" these V8 units...by issuing a /nodma switch to the command line...do that a few times..then run the command normally without the /nodma switch.

I was unsuccessful with this tip..but maybe it will work for you.

Another thing to try...write all FF's to the CFE...then do a -backup:cfe and compare it...see if it really is writing all FF's to the cfe partition.
(you can do it with all 00's also)...I've attached both for you to use if you like.

redhawk



CFE-All-FF.bin
 Description:
256K of all ones

Download
 Filename:  CFE-All-FF.bin
 Filesize:  256 KB
 Downloaded:  2228 Time(s)


CFE-All-00.bin
 Description:
256K of all zeros

Download
 Filename:  CFE-All-00.bin
 Filesize:  256 KB
 Downloaded:  1989 Time(s)


_________________
The only stupid question....is the unasked one.
moreins
DD-WRT User


Joined: 18 Nov 2006
Posts: 320
Location: Cali, Colombia

PostPosted: Sat Feb 07, 2009 20:31    Post subject: Reply with quote
thanks!!! i will follow all the tips you just posted...
last question

the /nodma switch is issued with the tjtagv2 -flash:cfe ???

Code:
tjtagv2 -flash:cfe /noreset /nodma
???

thanks!!

_________________
WRT54GS v2.1 > v24-sp2 (01/01/09) mega
WRT54GS v5 > v24-sp2 (01/01/09) micro
PPTP, WDS link and SD Mod
redhawk0
DD-WRT Guru


Joined: 04 Jan 2007
Posts: 11563
Location: Wherever the wind blows- North America

PostPosted: Sat Feb 07, 2009 20:33    Post subject: Reply with quote
moreins wrote:
thanks!!! i will follow all the tips you just posted...
last question

the /nodma switch is issued with the tjtagv2 -flash:cfe ???

Code:
tjtagv2 -flash:cfe /noreset /nodma
???

thanks!!


Yeah..or -erase:wholeflash.....it will always fail either way...so don't worry too much about what type of function you are performing.

[EDIT] - BTW...I have all 00's and all FF's of wholeflash too (for both 2M and 4M devices)....if you want/need them.

redhawk

_________________
The only stupid question....is the unasked one.
moreins
DD-WRT User


Joined: 18 Nov 2006
Posts: 320
Location: Cali, Colombia

PostPosted: Sat Feb 07, 2009 20:38    Post subject: Reply with quote
issued issued tjtag -erase:wholeflash /noreset twice

then tjtagv2 -flash:cfe /noreset /bypass

it was flying until it got to 37%...now...its as slow as the first time i did it...
ill leave it there...i need to go and run some errands..ill let you know what happens...
thanks!

_________________
WRT54GS v2.1 > v24-sp2 (01/01/09) mega
WRT54GS v5 > v24-sp2 (01/01/09) micro
PPTP, WDS link and SD Mod


Last edited by moreins on Sun Feb 08, 2009 14:56; edited 1 time in total
Goto page 1, 2, 3  Next Display posts from previous:    Page 1 of 3
Post new topic   This topic is locked: you cannot edit posts or make replies.    DD-WRT Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum