Posted: Sun Jan 29, 2012 2:21 Post subject: Linksys E1000 2.1 - Erasing NVRAM with Serial cable - Help
Hi,
I have Cisco Linksys E1000 v2.1 router. I tried to upgrade with DDWRT dd-wrt.v24_std_generic. Firmware was upload successfully but router is not working any more. I have been reading DDWRT forums and Googling a lot and made some progress without success.
I was able to ping it with TTL=100 if I ping in first few seconds of power cycle. Tried to upload original Linksys FW using Linksys utility. FW was upload but router is not accessible on network via any interface. Eventually I have opened it. I prepared a serial wire (three wires GND, RX and TX) and connected router's PCB to my desktop's serial port.
I fired up a putty session (used Hyper terminal as well) with 115200 bit rate. I changed the default speed of my com1 port as well to match with what I did in Putty. After that I powered up router and start receiving junk character on the screen.
I like to erase the NVRAM (that is what I learned from these forums as a solution) but router is not sending any readable character to my Putty session neither CTRL-C is working.
Any help please?
You can not connect the routers 3.3V TTL serial port directly to a computers + and - 12V RS232 serial port, you need a level converter in between.
see the dd-wrt wiki for serial recovery or any of the many serial debrick threads in the forum. _________________ Kernel panic: Aiee, killing interrupt handler!
Posted: Sun Jan 29, 2012 3:09 Post subject: Linksys E1000 2.1 - Erasing NVRAM with Serial cable - Help
Hi,
Many thanks for quick reply. I am not using VCC ( Pin 1) so best of my understanding +-12 volt should not be an issue. I am using Router's power adapter for the power and using regular 9-PIN serial port to connect to my desktop and with three wire (GND, TX, RX) going to router's PIN 5,3 and 2. (Pin 3 on router is RX and Pin 2 is TX). Do you still think it is a voltage issue?
Connecting without a level converter is the issue and you are likely to burn the routers serial port if you continue.
The router is getting to high signal levels from the computer and the computer is getting too low signal levels from the router. _________________ Kernel panic: Aiee, killing interrupt handler!
Posted: Wed Feb 22, 2012 3:40 Post subject: E1000 V2.1 serial recovery - nvram erase not helping
hi Lom,
Eventually I did receive my cat-42 cable and was able to successfully get TTL connection using Putty. I was able to break into CFE> quickly after powering up the router. I issued nvram erase command followed by nvram committ.
I had a TFTP (used Linksys TFTP utility)session ready. After nvram committ command, I issued "go" command and press "upgrade" button on my TFTP session. The stock firmware was recived successfully by router.
Then I issued reboot command but router again stucked at the same statement where it used to stuck earlier. Any help/tip is highly appreciated. Please see below the boot log from Putty session:
Decompressing............done
Start to blink diag led ...
CFE version 5.60.120.1 based on BBP 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: 09/21/10 15:09:58 CST (wzh@cybertan)
Copyright (C) 2000-2008 Broadcom Corporation.
Initializing Arena
Initializing Devices.
No DPN
This is a Serial Flash
Boot partition size = 262144(0x40000)
Found a 4MB ST compatible serial flash
Partition information:
boot #00 00000000 -> 0003FFFF (262144)
trx #01 00040000 -> 0004001B (2
os #02 0004001C -> 003F7FFF (3899364)
nvram #03 003F8000 -> 003FFFFF (32768)
Partition information:
boot #00 00000000 -> 0003FFFF (262144)
trx #01 00040000 -> 003F7FFF (3899392)
nvram #02 003F8000 -> 003FFFFF (32768)
BCM47XX_GMAC_ID
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.60.120.1
CPU type 0x19749: 300MHz
Total memory: 32768 KBytes
Thank you barryware for the reply.
I did use nvram erase but it did not work. (May be I have been missing any important step), then I read nvram commit and thought it might help - which didn't.
What did I use 'go' command?
Actually my router start receiving/waiting for firmware after code "Loading: _tftpd_open(): retries=0/3". I had break into CFE> before this code and had erased nvram. I issued go command in order to get to "Loading: _tftpd_open(): retries=0/3" so the router can start receiving the firmware.
A quick question regarding your reply.
1)
what is flash1.trx in "flash -ctheader : flash1.trx " command in your reply? Is this a dd-wrt firmware? If yes then what verion/build I should use? can it be any name or it has to be flash1.trx?
Is it ok using Linksys tftp utility, I copied the image in previous post.
I was trying to upload oem firmware that I downloaded from Linksys website. below are the details:
date:05/25/2011
Ver.2.1.02 (Build 5)
Download 3.66 MB
FileName:FW_E1000_2.1.02.005_US_20110506,0.bin
URL:http://homesupport.cisco.com/en-us/support/routers/E1000
Joined: 26 Jan 2008 Posts: 13049 Location: Behind The Reset Button
Posted: Wed Feb 22, 2012 17:05 Post subject:
the go command executes the firmware program. before the firmware starts, the cfe (bootloader) listens for a tftp upload.. you can see it in your output.. it listened three times, then started the firmware program:
Starting program at 0x80001000
Problem is.. the nic is not ready on your pc so the three tries have come and gone. There are ways around that but we don't need to get into that as you have a serial connection and you can tell the router to do what ever you want..
1st... set a static ip on your pc.. 192.168.1.10, mask 255.255.255.0, gateway 192.168.1.1. All AV and firewall software disabled. Only the pc is connected to a lan port of the router via cable. No other lan connections.
Get your tftp utility all ready to go so all you have to do is hit the enter key to launch it. Leave the password field empty!
Set it up to flash the stock linksys firmware for your router.
power up the router and stop the boot by banging on ctrl-c as you power it up. You will be at the cfe prompt:
cfe>
now erase nvram:
cfe> nvram erase [enter]
[enter] = hit the enter key
nvram will erase in a second or two.. you will have a command status of zero, and be back at the cfe prompt.
now issue the command I stated earlier:
cfe> flash -ctheader : flash1.trx [enter]
Note the space before and after the colon.
now immediately launch your tftp utility. The firmware will flash. The data transfer happens very fast but the actual process of writing to the flash chip takes some time.
After a bit, you will be back at the cfe prompt:
cfe>
at this point, either type reboot, or power cycle the router. The router will boot 2 times (maybe 3) as it needs to restart as it builds and reads default nvram variables it has written.
"flash" tells the router that you are going to send a file and it is to flash it to the flash chip. "-ctheader" tells the router to look at the header of the bin you are sending. I have also read that -ctheader tell it where to put the data but I'm not so sure because sometimes -noheader is needed (not for your router though.. use -ctheader). "flash1.trx" is internal to the router. It has nothing to do with the file name you are sending. You set your tftp utility to send the firmware. The router listens and when it sees it, it will flash it in the right spot on the flash chip (flash1). flash0 will take out the cfe on some routers. _________________ [Moderator Deleted]
Thanks a million to barryware. It worked and my router has been recovered with oem firmware. Instructions were so clear and literly took 5 minutes total (top of two months reseatch etc. reading forums etc. ).
Summary (see above barryware's detial post):
after successful serial connection.
ctrl-c to get cfe>
nvram erase [enter] to erase the nvram and
flash -ctheader : flash1.trx [enter] to load the new firmware... and that is it.. my problem solved.
Next I yet need to find out correct dd-wrt built for E1000 V2.1 so I should not brick it again.
Net gain: I learnt a lot..many thanks again.
so miq2012,which version of DD-WRT firmware you used for your Linksys E1000 v2.1 router. I've the Linksys firmware 2.1.02 and ever since I've gotten it upgraded, it prompts for WPS connection on wireless screen automatically every minute and would not connect any wireless device (with WPS or Push button option)... So I wondered if I switch to DD-WRT, that would help me.
I'm trying to recover my bricked e1000 2.1 via serial. I think I have everything all wired up correctly as I get the output at the bottom of this post when booting.
My problem is that I can't break the boot process and get the CFE prompt. I've been hitting Ctrl-C many different times and have even begun before powering as suggested in this thread. Any suggestions? Am I missing something?
Thanks,
Drew
Code:
Decompressing............done
Start to blink diag led ...
CFE version 5.60.120.1 based on BBP 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: 12/03/10 16:33:20 CST (wzh@cybertan)
Copyright (C) 2000-2008 Broadcom Corporation.
Initializing Arena
Initializing Devices.
No DPN
This is a Serial Flash
Boot partition size = 262144(0x40000)
Found a 4MB ST compatible serial flash
Partition information:
boot #00 00000000 -> 0003FFFF (262144)
trx #01 00040000 -> 0004001B (28)
os #02 0004001C -> 003F7FFF (3899364)
nvram #03 003F8000 -> 003FFFFF (32768)
Partition information:
boot #00 00000000 -> 0003FFFF (262144)
trx #01 00040000 -> 003F7FFF (3899392)
nvram #02 003F8000 -> 003FFFFF (32768)
BCM47XX_GMAC_ID
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.60.120.1
CPU type 0x19749: 300MHz
Total memory: 32768 KBytes