Linksys E1000 2.1 - Erasing NVRAM with Serial cable - Help

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Author Message
miq2012
DD-WRT Novice


Joined: 29 Jan 2012
Posts: 8

PostPosted: Sun Jan 29, 2012 2:21    Post subject: Linksys E1000 2.1 - Erasing NVRAM with Serial cable - Help Reply with quote
Hi,
I have Cisco Linksys E1000 v2.1 router. I tried to upgrade with DDWRT dd-wrt.v24_std_generic. Firmware was upload successfully but router is not working any more. I have been reading DDWRT forums and Googling a lot and made some progress without success.
I was able to ping it with TTL=100 if I ping in first few seconds of power cycle. Tried to upload original Linksys FW using Linksys utility. FW was upload but router is not accessible on network via any interface. Eventually I have opened it. I prepared a serial wire (three wires GND, RX and TX) and connected router's PCB to my desktop's serial port.
I fired up a putty session (used Hyper terminal as well) with 115200 bit rate. I changed the default speed of my com1 port as well to match with what I did in Putty. After that I powered up router and start receiving junk character on the screen.
I like to erase the NVRAM (that is what I learned from these forums as a solution) but router is not sending any readable character to my Putty session neither CTRL-C is working.
Any help please?
Sponsor
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7061

PostPosted: Sun Jan 29, 2012 2:44    Post subject: Reply with quote
You can not connect the routers 3.3V TTL serial port directly to a computers + and - 12V RS232 serial port, you need a level converter in between.

see the dd-wrt wiki for serial recovery or any of the many serial debrick threads in the forum.

_________________
I'm on a whiskey diet, lost 3 days already
miq2012
DD-WRT Novice


Joined: 29 Jan 2012
Posts: 8

PostPosted: Sun Jan 29, 2012 3:09    Post subject: Linksys E1000 2.1 - Erasing NVRAM with Serial cable - Help Reply with quote
Hi,
Many thanks for quick reply. I am not using VCC ( Pin 1) so best of my understanding +-12 volt should not be an issue. I am using Router's power adapter for the power and using regular 9-PIN serial port to connect to my desktop and with three wire (GND, TX, RX) going to router's PIN 5,3 and 2. (Pin 3 on router is RX and Pin 2 is TX). Do you still think it is a voltage issue?
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7061

PostPosted: Sun Jan 29, 2012 4:50    Post subject: Reply with quote
Connecting without a level converter is the issue and you are likely to burn the routers serial port if you continue.
The router is getting to high signal levels from the computer and the computer is getting too low signal levels from the router.

_________________
I'm on a whiskey diet, lost 3 days already
miq2012
DD-WRT Novice


Joined: 29 Jan 2012
Posts: 8

PostPosted: Wed Feb 22, 2012 3:40    Post subject: E1000 V2.1 serial recovery - nvram erase not helping Reply with quote
hi Lom,
Eventually I did receive my cat-42 cable and was able to successfully get TTL connection using Putty. I was able to break into CFE> quickly after powering up the router. I issued nvram erase command followed by nvram committ.
I had a TFTP (used Linksys TFTP utility)session ready. After nvram committ command, I issued "go" command and press "upgrade" button on my TFTP session. The stock firmware was recived successfully by router.
Then I issued reboot command but router again stucked at the same statement where it used to stuck earlier. Any help/tip is highly appreciated. Please see below the boot log from Putty session:
Decompressing............done
Start to blink diag led ...


CFE version 5.60.120.1 based on BBP 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: 09/21/10 15:09:58 CST (wzh@cybertan)
Copyright (C) 2000-2008 Broadcom Corporation.

Initializing Arena
Initializing Devices.

No DPN
This is a Serial Flash
Boot partition size = 262144(0x40000)
Found a 4MB ST compatible serial flash
Partition information:
boot #00 00000000 -> 0003FFFF (262144)
trx #01 00040000 -> 0004001B (2Cool
os #02 0004001C -> 003F7FFF (3899364)
nvram #03 003F8000 -> 003FFFFF (32768)
Partition information:
boot #00 00000000 -> 0003FFFF (262144)
trx #01 00040000 -> 003F7FFF (3899392)
nvram #02 003F8000 -> 003FFFFF (32768)
BCM47XX_GMAC_ID
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.60.120.1
CPU type 0x19749: 300MHz
Total memory: 32768 KBytes

CFE mem: 0x80700000 - 0x807A7E70 (687728)
Data: 0x8073DF70 - 0x807411B0 (12864)
BSS: 0x807411B0 - 0x80741E70 (3264)
Heap: 0x80741E70 - 0x807A5E70 (409600)
Stack: 0x807A5E70 - 0x807A7E70 (8192)
Text: 0x80700000 - 0x8073DF6C (253804)

Boot version: v5.1.8
The boot is CFE
mac_init(): Find mac [c0:c1:c0:75:c9:b8] in location 0
Nothing...
CMD: [ifconfig eth0 -addr=192.168.1.1 -mask=255.255.255.0]
Device eth0: hwaddr C0-C1-C0-75-C9-B8, ipaddr 192.168.1.1, mask 255.255.255.0
gateway not set, nameserver not set
CMD: [go;]
Check CRC of image1
Len: 0x394000 (3751936) (0xBC040000)
Offset0: 0x1C (2Cool (0xBC04001C)
Offset1: 0x9A8 (2472) (0xBC0409A8)
Offset2: 0xE4C00 (936960) (0xBC124C00)
Header CRC: 0x8EF045F6
Calculate CRC: 0x8EF045F6
Image 1 is OK
Try to load image 1.
Waiting for 3 seconds to upgrade ...
CMD: [load -raw -addr=0x807a7e70 -max=0x1858190 :]
Loader:raw Filesys:tftp Dev:eth0 File:: Options:(null)
Loading: _tftpd_open(): retries=0/3
_tftpd_open(): retries=1/3
_tftpd_open(): retries=2/3

### Start=628283538 E=1029343377 Delta=401059839 ###
Failed.
Could not load :: Timeout occured
CMD: [boot -raw -z -addr=0x80001000 -max=0x6ff000 flash0.os:]
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
Loading: .. 3856 bytes read

### Start=1032451584 E=1033470982 Delta=1019398 ###
Entry at 0x80001000
Closing network.
Starting program at 0x80001000



Linksys TFTP utility session.JPG
 Description:
 Filesize:  19.78 KB
 Viewed:  6589 Time(s)

Linksys TFTP utility session.JPG


barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 12833
Location: Behind The Reset Button

PostPosted: Wed Feb 22, 2012 15:30    Post subject: Reply with quote
erase nvram:

cfe> nvram erase [enter]

DO NOT then issue an nvram commit nor issue a go command. Where did you see to do that?

I was unaware that a "go" command will start the router listening for a tftp transfer.

now flash the firmware again via tftp:

flash -ctheader : flash1.trx

when you are back at the cfe prompt, issue a reboot command, or power cycle the router.

_________________
[Moderator Deleted] Shocked
miq2012
DD-WRT Novice


Joined: 29 Jan 2012
Posts: 8

PostPosted: Wed Feb 22, 2012 16:35    Post subject: Reply with quote
Thank you barryware for the reply.
I did use nvram erase but it did not work. (May be I have been missing any important step), then I read nvram commit and thought it might help - which didn't.

What did I use 'go' command?
Actually my router start receiving/waiting for firmware after code "Loading: _tftpd_open(): retries=0/3". I had break into CFE> before this code and had erased nvram. I issued go command in order to get to "Loading: _tftpd_open(): retries=0/3" so the router can start receiving the firmware.
A quick question regarding your reply.
1)
what is flash1.trx in "flash -ctheader : flash1.trx " command in your reply? Is this a dd-wrt firmware? If yes then what verion/build I should use? can it be any name or it has to be flash1.trx?
Is it ok using Linksys tftp utility, I copied the image in previous post.
I was trying to upload oem firmware that I downloaded from Linksys website. below are the details:
date:05/25/2011
Ver.2.1.02 (Build 5)
Download 3.66 MB
FileName:FW_E1000_2.1.02.005_US_20110506,0.bin
URL:http://homesupport.cisco.com/en-us/support/routers/E1000
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 12833
Location: Behind The Reset Button

PostPosted: Wed Feb 22, 2012 17:05    Post subject: Reply with quote
the go command executes the firmware program. before the firmware starts, the cfe (bootloader) listens for a tftp upload.. you can see it in your output.. it listened three times, then started the firmware program:

Starting program at 0x80001000

Problem is.. the nic is not ready on your pc so the three tries have come and gone. There are ways around that but we don't need to get into that as you have a serial connection and you can tell the router to do what ever you want..

1st... set a static ip on your pc.. 192.168.1.10, mask 255.255.255.0, gateway 192.168.1.1. All AV and firewall software disabled. Only the pc is connected to a lan port of the router via cable. No other lan connections.

Get your tftp utility all ready to go so all you have to do is hit the enter key to launch it. Leave the password field empty!

Set it up to flash the stock linksys firmware for your router.

power up the router and stop the boot by banging on ctrl-c as you power it up. You will be at the cfe prompt:

cfe>

now erase nvram:

cfe> nvram erase [enter]

[enter] = hit the enter key Wink

nvram will erase in a second or two.. you will have a command status of zero, and be back at the cfe prompt.

now issue the command I stated earlier:

cfe> flash -ctheader : flash1.trx [enter]

Note the space before and after the colon.

now immediately launch your tftp utility. The firmware will flash. The data transfer happens very fast but the actual process of writing to the flash chip takes some time.

After a bit, you will be back at the cfe prompt:

cfe>

at this point, either type reboot, or power cycle the router. The router will boot 2 times (maybe 3) as it needs to restart as it builds and reads default nvram variables it has written.

"flash" tells the router that you are going to send a file and it is to flash it to the flash chip. "-ctheader" tells the router to look at the header of the bin you are sending. I have also read that -ctheader tell it where to put the data but I'm not so sure because sometimes -noheader is needed (not for your router though.. use -ctheader). "flash1.trx" is internal to the router. It has nothing to do with the file name you are sending. You set your tftp utility to send the firmware. The router listens and when it sees it, it will flash it in the right spot on the flash chip (flash1). flash0 will take out the cfe on some routers.

_________________
[Moderator Deleted] Shocked
miq2012
DD-WRT Novice


Joined: 29 Jan 2012
Posts: 8

PostPosted: Thu Feb 23, 2012 1:33    Post subject: Reply with quote
Thanks a million to barryware. It worked and my router has been recovered with oem firmware. Instructions were so clear and literly took 5 minutes total (top of two months reseatch etc. reading forums etc. Laughing ).
Summary (see above barryware's detial post):
after successful serial connection.
ctrl-c to get cfe>
nvram erase [enter] to erase the nvram and
flash -ctheader : flash1.trx [enter] to load the new firmware... and that is it.. my problem solved.
Next I yet need to find out correct dd-wrt built for E1000 V2.1 so I should not brick it again.
Net gain: I learnt a lot..many thanks again.
shunail
DD-WRT Novice


Joined: 16 Jul 2012
Posts: 1

PostPosted: Mon Jul 16, 2012 15:24    Post subject: Reply with quote
so miq2012,which version of DD-WRT firmware you used for your Linksys E1000 v2.1 router. I've the Linksys firmware 2.1.02 and ever since I've gotten it upgraded, it prompts for WPS connection on wireless screen automatically every minute and would not connect any wireless device (with WPS or Push button option)... So I wondered if I switch to DD-WRT, that would help me.
Mangix
DD-WRT User


Joined: 04 Aug 2011
Posts: 367

PostPosted: Tue Jul 17, 2012 2:42    Post subject: Reply with quote
yes it would. get this: ftp://dd-wrt.com/others/eko/BrainSlayer-V24-preSP2/2012/06-08-12-r19342/broadcom_K26/dd-wrt.v24-19342_NEWD-2_K2.6_mini_e1000v2.bin
imacamper
DD-WRT Novice


Joined: 26 Jan 2012
Posts: 9

PostPosted: Wed Sep 12, 2012 21:07    Post subject: Reply with quote
I'm trying to recover my bricked e1000 2.1 via serial. I think I have everything all wired up correctly as I get the output at the bottom of this post when booting.

My problem is that I can't break the boot process and get the CFE prompt. I've been hitting Ctrl-C many different times and have even begun before powering as suggested in this thread. Any suggestions? Am I missing something?

Thanks,

Drew

Code:
Decompressing............done
Start to blink diag led ...


CFE version 5.60.120.1  based on BBP 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: 12/03/10 16:33:20 CST (wzh@cybertan)
Copyright (C) 2000-2008 Broadcom Corporation.

Initializing Arena
Initializing Devices.

No DPN
This is a Serial Flash
Boot partition size = 262144(0x40000)
Found a 4MB ST compatible serial flash
Partition information:
boot    #00   00000000 -> 0003FFFF  (262144)
trx     #01   00040000 -> 0004001B  (28)
os      #02   0004001C -> 003F7FFF  (3899364)
nvram   #03   003F8000 -> 003FFFFF  (32768)
Partition information:
boot    #00   00000000 -> 0003FFFF  (262144)
trx     #01   00040000 -> 003F7FFF  (3899392)
nvram   #02   003F8000 -> 003FFFFF  (32768)
BCM47XX_GMAC_ID
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.60.120.1
CPU type 0x19749: 300MHz
Total memory: 32768 KBytes

CFE mem:    0x80700000 - 0x807A7E70 (687728)
Data:       0x8073DF70 - 0x807411B0 (12864)
BSS:        0x807411B0 - 0x80741E70 (3264)
Heap:       0x80741E70 - 0x807A5E70 (409600)
Stack:      0x807A5E70 - 0x807A7E70 (8192)
Text:       0x80700000 - 0x8073DF6C (253804)

Boot version: v5.1.8
The boot is CFE
mac_init(): Find mac [c0:c1:c0:a6:cc:bc] in location 0
Nothing...
CMD: [ifconfig eth0 -addr=192.168.1.1 -mask=255.255.255.0]
Device eth0:  hwaddr C0-C1-C0-A6-CC-BC, ipaddr 192.168.1.1, mask 255.255.255.0
        gateway not set, nameserver not set
CMD: [go;]
Check CRC of image1
  Len:     0x3A9000     (3837952)       (0xBC040000)
  Offset0: 0x1C         (28)            (0xBC04001C)
  Offset1: 0xAD8        (2776)  (0xBC040AD8)
  Offset2: 0xE3C00      (932864)        (0xBC123C00)
  Header CRC:    0xA7A3BC6D
  Calculate CRC: 0xA7A3BC6D
Image 1 is OK
Try to load image 1.
Waiting for 5 seconds to upgrade ...
CMD: [load -raw -addr=0x807a7e70 -max=0x1858190 :]
Loader:raw Filesys:tftp Dev:eth0 File:: Options:(null)
Loading: _tftpd_open(): retries=0/5
_tftpd_open(): retries=1/5
_tftpd_open(): retries=2/5
_tftpd_open(): retries=3/5
_tftpd_open(): retries=4/5

### Start=649231295 E=1611220642 Delta=961989347 ###
Failed.
Could not load :: Timeout occured
CMD: [boot -raw -z -addr=0x80001000 -max=0x6ff000 flash0.os:]
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
Loading: .. 5192 bytes read

### Start=1615571631 E=1617711693 Delta=2140062 ###
Entry at 0x80001000
Closing network.
Starting program at 0x80001000
Linux version 2.6.22.19 (root@tomato) (gcc version 4.2.4) #25 Fri Jun 15 22:45:15 ICT 2012
CPU revision is: 00019749
Found a 4MB ST compatible serial flash
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Zone PFN ranges:
  Normal          0 ->     8192
  HighMem      8192 ->     8192
early_node_map[1] active PFN ranges
    0:        0 ->     8192
Built 1 zonelists.  Total pages: 8192
Kernel command line: root=/dev/mtdblock2 noinitrd console=ttyS0,115200
Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
PID hash table entries: 256 (order: 8, 1024 bytes)
CPU: BCM5357 rev 1 pkg 8 at 80 MHz
Using 40.000 MHz high precision timer.
console [ttyS0] enabled
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 28664k/32768k available (33k kernel code, 4088k reserved, 2669k data, 124k init, 0k highmem)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
PCI: no core
PCI: Fixing up bus 0
Time: MIPS clocksource has been installed.
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
squashfs: version 3.0 (2006/03/15) Phillip Lougher
io scheduler noop registered (default)
HDLC line discipline: version $Revision: 4.8 $, maxframe=4096
N_HDLC line discipline registered.
Serial: 8250/16550 driver $Revision: 1.90 $ 2 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0xb8000300 (irq = 8) is a 16550A
PPP generic driver version 2.4.2
MPPE/MPPC encryption/compression module registered
NET: Registered protocol family 24
PPPoL2TP kernel driver, V0.17
PPTP driver version 0.8.5
pflash: found no supported devices
Creating 5 MTD partitions on "sflash":
0x00000000-0x00040000 : "pmon"
0x00040000-0x003f0000 : "linux"
0x00123c00-0x003f0000 : "rootfs"
0x003f0000-0x00400000 : "jffs2"
0x003f0000-0x00400000 : "nvram"
u32 classifier
    OLD policer on
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (512 buckets, 4096 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
ipt_account 0.1.21 : Piotr Gasidlo <quaker@barbara.eu.org>, http://www.barbara.eu.org/~quaker/ipt_account/
net/ipv4/netfilter/tomato_ct.c [Jun 15 2012 22:44:52]
NET: Registered protocol family 1
NET: Registered protocol family 10
ip6_tables: (C) 2000-2006 Netfilter Core Team
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 124k freed
Warning: unable to open an initial console.
emf: module license 'Proprietary' taints kernel.
eth0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.10.147.0
eth%d: 5.10.147.0 driver failed with code 12
/ # vlan0: No such device
eth1: No such device
eth2: No such device
eth3: No such device
lo: File exists
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum