Posted: Wed Jan 02, 2013 9:59 Post subject: JTAG pinout for E1000 V2
Hi all,
I have a hard bricked E1000 V2 and the following two questions:
1) Is the 2x6 pin micro JTAG connector on the board connected to the CPU (I read that for V1 it isn't)?
2) What is the JTAG pin layout for this connector?
You should be able to debrick it with a serial cable, rather than jtag. See the wiki on serial recovery. _________________ SIG:
I'm trying to teach you to fish, not give you a fish. If you just want a fish, wait for a fisherman who hands them out. I'm more of a fishing instructor.
LOM: "If you show that you have not bothered to read the forum announcements or to follow the advices in them then the level of help available for you will drop substantially, also known as Murrkf's law.."
Not sure about that. I tried with a serial cable but I cannot get the router to accept any commands. It is stuck and there is no output. All LEDs are immediately lit at the same time and there is no change (blinking, etc.) after power on. The LAN interface does not have an IP address assigned. Normally I can stop the boot with ctrl-c and assign IP addresses or upload images on the serial console. That is not working on this router. So I assume that the boot config is stuck. If you know how to fix that without a JTAG I would appreciate any hints. The usual 30/30/30 NVRAM clearing methods did not work.
In the meantime I found the pinout, it is the same for all hardware versions:
E1000 - DB25 (unbuffered cable with 100 Ohm resistors in the line)
TCK – 'test clock' synchronizes the internal state machine operations
TMS – 'test mode select' is sampled at the rising edge of TCK to determine the next state.
TDI – 'test data in' represents the data shifted into the device's test or programming logic.
TDO – 'test data out' represents the data shifted out of the device's test or programming logic
TRST –'test reset' resets the TAP controller's state machine.
SRST - 'system reset' that acts like conventional "Reset' button
nTRST/nSRST active level is "0" (the first "n" indicates negative logic). Do not need to be connected.
I just wanted to share my debugging results. Short message is, the router is up and running again. Long story is that I had to clear the NVRAM with a JTAG cable. Then the router booted into CFE again and I could access the serial interface. From this point it was easy to put the stock firmware with tftp and flash it.
The JTAG cable was not so easy to make, because the Linksys E1000 V2 only has an unsoldered 12 pin micro connector on the PCB. I used a 2x10 micro (1.27mm spacing) pin strip, cut it to 2x6 and soldered it to the PCB. The corresponding 2x10 micro receptacle (female) strip could not be cut, but fits anyway with some unused pins on the side. I soldered a 1.27mm ribbon cable to the micro receptacle and standard female (2.54mm) 1x1 headers onto the other side (cut from a longer strip). Soldering the micro strip to the cable is a bit annoying if you do not have a magnifying glass or very good eyes. I really would have appreciated a micro to standard header converter, but I do not know if such a converter even exists. The 1x1 female headers can be connected to any parallel interface adapter, I prefer this over soldering the cable direcly to a DB25 connector, because it gives you more flexibility to change the pin layout.
In my case I used an universal parallel port JTAG adapter from TIAO I got from DIYGADGET, here you can simply plug in any self made JTAG cable as needed. Costs only 13$ and also offers to use a buffered JTAG interface (Wiggler cable). The unbuffered cable should be as short as possible, below 20 cm is ideal for an unbuffered interface. For me a 20 cm cable was not very practial so I made a 40 cm cable and used it in buffered mode.
After the interface cable is ready the rest is quite straight forwared, there is a lot of good documentation on how to debrick broadcam based devices with the tjtag/ejtag tool. Some of my pain points that may be interesting to share:
- make sure that you have a parallel port on your computer that is actually enabled (on my computer it was deactivated in the BIOS - set it to EPP mode)
- if you use a buffered cable you need to tell the jtag utility to switch to wiggler mode or it will simply fail to detect the chip without any errors
- If the jtag utility detects a chip (ID is not 0), but cannot recognize it, then your jtag tool is too old.
- If you do not have the reset lines connected you need to power on the device and start the jtag utility immediately after that. If you wait too long the JTAG port on the chip may be blocked.