Posted: Fri Feb 02, 2007 16:26 Post subject: Buffalo WHR-G54S JTAG Pinout!!
OK, maybe I need sleep, or maybe I'm missing something, but what's the JTAG pinout on the WHR-G54S???? I installed a header on the 12 pin port that's just behind and to the left of the radio housing (looking at the router from the front), and when I connect my cable and query it, it says "no chip detected, yada yada". So, I took a multimeter to it, and .....well.....it wasn't what I expected. It's almost like it's backwards.....?? Based on the square solder pad on the board (pin 1), pins 1, 3, 5, 7, 9 and 11 are all ground!! With that pattern, I'm unable to tell where 2, 4, 6, 8 and 10 go. Now, there's a 9 pin port to the right of the radio housing, next to a capacitor. It's kinda weird too.....who has JTAG'd this creature and knows the pinout?? I've searched the Forum, etc. to no avail. Thanks!!
Posted: Wed Feb 07, 2007 10:36 Post subject: Buffalo WHR-G54S JTAG - SOLVED!!!
OK......progress here. I'll first say that, during this investigation, I did discover that the JTAG pinout on the Buffalo HP is exactly as it appears, oriented to pin 1 just as you'd orient to pin 1 on a WRT54. Additionally, there are no special tricks or anything to get the HP to talk to your computer via JTAG.
The G54S on the other hand, is a bit different. The JTAG port is indeed the 12 pin port, just north and west of the radio housing (looking at the front of the router). It too is oriented to pin 1, just as you'd orient the header on a WRT54. The problem lies with the HairyDairy utility not recognizing the CPU or flash chip of the G54S. You'll continually get "No or unknown CPU chip detected" or "No or unknown flash chip detected". With the help of HairyDairy himself, and Tornado, I found a temporary work-around. You'll need to use the following switches after your standard JTAG command(s): "/skipdetect" (to skip auto-detection of the CPU chip), and "/fc:29" (tells the utility that the proper flash chip is present, so it doesn't try to auto-detect it). A sample command would look like this: "wrt48.exe -erase:nvram /skipdetect /fc:29" (I like to use /noemw as well). I was able to backup, erase and flash my WHR-G54S using this work-around. Ideally, this is just temporary, and HairyDairy will provide an upgraded utility that will recognize the Buffalo chips by default. Stay tuned.
Hope this helps all of you that have been banging your head against the wall as I have!! Good luck.......go debrick your Buffaloes!! _________________ Clear 4G Wimax.
Linksys WRT54G-TM w/14929 std-nokaid, fan-cooled, 2 GB SD mod, Primary Router.
Linksys WRT54G v.3 w/15230 std-nokaid, Client Bridge.
Linksys E2000 w/15200 "Big"
Linksys WRT54G v.4
La Fonera 2100, fan-cooled
Linksys WRT54G v.3.1
Linksys WRT54G v.1.1
Linksys WRT54GS v.1
2x Linksys WRT54G v.2.2
Update: HairyDairy asked me to provide some output info from the G54S so he can work on adding compatibility for it to his utility. In the process, me being half asleep, distracted, in a hurry, yada yada, I inadvertently put 12 volts DC to my 3.3 volt G54S. My new G54S from Newegg.com ($39 shipped) will be here in a few days, and I'll resume work on this so we have a compatible version of the HairyDairy utility. In the meantime, the switches work as a good work-around. Later.
I guess we must start a new wiki section on jtag pinouts for different models....
Indeed. Thanks for making this a sticky, Eko. If you want to start a Wiki entry on said topic, I'll update this part of it as I acquire more info. Hopefully I won't barbecue any more routers!!...muckin' foron that I am !!!
I have a Buffalo WHR-G54S that is bricked. I just ordered a JTAG cable, and I am wondering what to do to unbrick it, since I don't have a good CFE to flash onto it. Do I just write a whole DD-WRT .bin file, or do I need something else? I downloaded HairyDairyMaid_WRT54G_Debrick_Utility_v45.zip. Is that what I need? I couldn't find any instructions on what to do for a Buffalo router.
Joined: 21 Jul 2006 Posts: 1898 Location: Fortaleza Ce Brazil
Posted: Wed Feb 14, 2007 20:29 Post subject:
I need help too .. I have a whr54g bricked ... I open the box and try to reset the flash ram , jump to ground the #12 .. but nothing happens ... the ethernet leds still on .. I just bought another router and have a bag with a unmount bricked whr .. hehehhehe .. what do I have to do ?
_________________ DDwrt ...it rocks ....
1 R7800 54420 AP Wireguard webserver JFFS SAMBA FTP usb HD Mesh
1 R7800 54420 Cli Mesh
1 WZR1750 54389 AP Webserver Samba Wireguard
1 TP link Archer C7v5 54420 Cli Mesh
1 DD x86_64 48296 Gateway Samba Ftp Webserver
Update: I got the new WHR-G54S and started playing with it, getting it set up, etc. I installed the JTAG header, installed DD-WRT, installed heat sink.....all went well. About half way through entering my settings I clicked "save settings" and it wouldn't respond!! I have no idea what I did!!! Anyway, I tried and tried to revive it via JTAG, but it acted EXACTLY like my other G54S.....won't erase via JTAG, won't take a flash via JTAG, etc. It will run a backup via JTAG, but the saved file is all 0's. So, I don't think I barbecued my first one, I think it's bricked.....as is this one. The good part of all this is, I have been in daily contact with HairyDairy trying to come up with a solution to this. The theory I've come up with (and he kinda concurs....at least that it's possible) is that the JTAG pinout on the G54S is different than the JTAG pinout on the HP and the Linksys WRT's. It's close enough to allow communication, but different enough so that we can't properly transfer files. There has to be something different when compared to the HP because I can use the exact same PC, software, JTAG cable, etc and JTAG the HP all day long. So, I'm sending my first G54S to HairyDairy so he can look at it first hand, determine pinouts of the JTAG port, and come up with an upgraded utility that works with the Buffs and the WRT's. If it turns out that the JTAG pinout is different, I'll make up some new JTAG cables with the correct pinout and make them available fairly cheap. So, for now, it's wait and see. I'm sending the router out via Priority Mail tomorrow so he should have it by the first of the week. Hopefully he'll come up with a solution fairly soon!! I'll keep ya posted. Ideas are welcome!!
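Added example, not part of the original thread and not code from the HairyDairyMaid utility: a check to run on a JTAG backup file before erasing anything, which catches the all-zeros readback described in the post above. The function names and the entropy threshold are assumptions chosen for illustration.

```python
import math
import sys
from collections import Counter

def classify_dump(data: bytes, min_entropy: float = 1.0) -> str:
    """Classify a flash readback as empty, all-zero, all-ff, stuck,
    low-entropy or plausible. min_entropy is an assumed threshold."""
    if not data:
        return "empty"
    counts = Counter(data)
    if len(counts) == 1:
        value = next(iter(counts))
        if value == 0x00:
            return "all-zero"   # data line never toggled: cable/pinout problem
        if value == 0xFF:
            return "all-ff"     # what erased NOR flash reads back as
        return "stuck"          # one repeated byte: unreliable link
    total = len(data)
    # Shannon entropy in bits per byte (0 = constant, 8 = uniformly random)
    entropy = -sum(c / total * math.log2(c / total) for c in counts.values())
    return "low-entropy" if entropy < min_entropy else "plausible"

def safe_to_erase(data: bytes) -> bool:
    """Only treat the backup as usable if it looks like real flash content."""
    return classify_dump(data) == "plausible"

if __name__ == "__main__":
    # Usage: python check_dump.py <backup file written by the JTAG tool>
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    verdict = classify_dump(blob)
    print(f"{sys.argv[1]}: {len(blob)} bytes, verdict: {verdict}")
    sys.exit(0 if verdict == "plausible" else 1)
```

A "plausible" verdict only rules out the gross failure modes; comparing two consecutive backups of the same region byte for byte is a stronger check that the link is reading reliably.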
Hi, can one of you folks recommend a place to buy a JTAG cable from, or point me to a schematic for a JTAG cable that will work with the Buffalo WHRG54S? Thanks in advance from a DD-WRT noob!
Scroll to the bottom to see how I used JTAG and Hairy Dairy Maid to fix three bricked buffalo. Once I had got my PC to actually talk to the JTAG the rest was easy thanks to someone posting how to set the correct flash chip.
I did not have to reflash the whole firmware, erase:nvram was enough and only takes a moment. _________________ Buffalo
WRT54G
OK.....success is near!! With the help of HairyDairy and Tornado, I have successfully unlocked the secret to the JTAG pinout on the Buffalo WHR-G54S. I need a day or so to get some sleep and confirm a thing or two, and then I'll have modified JTAG cables for sale, and post my findings here. I have successfully debricked one WHR, all the way down to reflashing the CFE, so this will work.....just be patient and let me polish it a bit and I'll put the info up here for all to use. For those that want the modified JTAG cables (no, you can't take one of my regular cables and make it work without destroying it), I'll build up a few as quick as I can. Off to sleep now. Later!!
OK......here's the deal. For reasons known only to the powers that be at Buffalo, the JTAG port on the WHR-G54S is not only missing the pull-up/pull-down resistors, it's wired as a sort of mirror image of a standard JTAG port. Now, before I get carried away here, to the best of my knowledge, this applies ONLY to the WHR-G54S. The WHR-HP-G54 has the resistors and is wired normally.
So, the pinout is as follows: pins 1, 3, 5, 7, 9 and 11 are ground. Pin 2 puts out 4.4 volts, but doesn't play into the JTAG scheme. Pins 4, 6, 8 and 10 are TDI, TDO, TMS and TCK respectively. Pin 12 seems to do nothing. So without pull-up/pull-down resistors on the board, we had to calculate the proper resistance for the JTAG cables. The best number we came up with, using some rather crude calculations, is 470 ohms. I have tested this on 3 different WHR boards, and it works very well.
With these numbers in hand, I have created 2 items. A JTAG cable with the proper resistors and pinout, and an adapter that can be used with a standard JTAG cable and the WHR board. The adapter not only changes the pinout, but adds the correct resistance to the 100 ohm resistors in the standard JTAG cable so it works properly. I have attached a picture of the adapter. I will be selling these, along with my standard cables. Contact me via IM here or e-mail me at "abessey(at)runbox.com" for details and pricing. I hope this discovery is helpful to all those with bricked WHR's!! Good luck!!
See the picture below. The WHR-G54S JTAG connector (J7) seems to use the same pinout as other models, only the header needs to be installed on the bottom side of the PCB. My setup worked fine with 100 Ohm resistors in series with the JTAG signals. Guess the exact value to be used depends on the actual PC parallel port. I used HairyDairyMaid's excellent tool rev 4.8 under XP. The parallel port needs to be at 3F8h and should be in Centronics mode (not: ECP or EPP). I had to set /noemw or the program would hang. However, chip detection worked like a charm. I was able to backup the original Buffalo firmware (wrt54g -backup:kernel /noemw) before upgrading to DD-WRT via TFTP.
BTW, http://www.k9spud.com/whr-g54s/disassembly.php explains how to disassemble the enclosure without breaking it, and it also proposes serial port and SD/MMC port extensions which I haven't tried yet.
That's all well and good, with the exception of your suggestion to set the Parallel port to "centronics" (whatever that is) and not ECP or EPP. I'd venture to say that most people don't even know what a "centronics" setting is, much less have one. The preferred setting for Parallel port function for JTAG, and this comes directly from HairyDairy himself, is ECP.
The other caveat to installing the JTAG header on the bottom of the board (yes, we'd figured that out.......thus the "mirror image" of the standard JTAG port), is that once you've done so, you can't close the case. Desolder and resolder a JTAG header even once, and you might not be able to JTAG ever again due to trace/hole plating damage. Seems to make more sense to put it on the top and use an adapter or special cable. Just my 2 cents. Thanks!