Posted: Thu Aug 20, 2009 10:21 Post subject: wgr614v8 / wgr614L bricked after enabling jffs
I have bricked my WGR614v8 netgear routers multiple times after enabling jffs. For the most recent bricking I was using eko dd-wrt.v24-12476_NEWD_std-nokaid_nohotspot_nostor.bin. I have not had a problem actually loading the firmware itself, the problem has occurred either directly after initializing jffs or after doing some customizations shortly after enabling jffs. I have also seen the same problem with other recent versions of dd-wrt.
I have experienced two different problems.
- All lights on the router are either on with normal brightness or are very dim. In this case the router is totally bricked due to a corrupt cfe boot loader. I have been able to recover this by reloading cfe128.bin.
- The router's MAC address is set to FF:FF:FF:FF:FF:FF, which means that the router lights will look correct but the network will not work. On a WGR614v8 the MAC address is stored in the bdata partition, so something obviously overwrote this area. To recover I had to temporarily set the network MAC address and Netgear board ID, reload the Netgear firmware, use burnethermac to set the MAC address and burnboardid to set the board ID to U12H072T00_NETGEAR, and then reinstall dd-wrt. Further details below.
I have not seen the problem when running the mini version of dd-wrt. I have only seen the problem when running the standard version of dd-wrt when jffs is enabled. That is not to say that the mini version does not have the problem, just that I have not seen the failure running the mini version of dd-wrt.
It certainly looks like something is going wrong with the jffs initialization. I have reported this bug at http://www.dd-wrt.com/dd-wrtv2/bugtracker/view.php?id=3708. If you experience the same problem or have anything further to add then please update this case.
MORE DETAILS ON RECOVERING FROM A BRICKED WGR614V8:
Details on loading cfe can be found elsewhere in this forum. The cfe binary file can be found at http://www.dd-wrt.com/phpBB2/viewtopic.php?p=279885&sid=60ab24ce92db26ef21c048aa22c4e036
The wgr614v8 contains two different types of Macronix flash chips. Some have a MX25L3205D flash chip which is recognized by tjtag3 while others have a MX25L3205A which is not recognized by tjtag. As such it may be necessary to manually define the type of flash chip. In brief, the command to reload the cfe is
tjtag3 -flash:cfe128.bin /fc:21 /noreset
If you do get a CFE boot message on the serial console but you then see a MAC address of FF-FF-FF-FF-FF-FF then you will need to change the MAC address in order to talk to it over the network since all F's is invalid. In most instances where the MAC address has been wiped out the Board ID has also been wiped out. The Board ID is required to validate the downloaded firmware. The commands required to temporarily set the mac address and board id are shown in the following example. You should substitute the MAC address shown in this example with the MAC address written on the bottom of the router.
CFE for WGR514v8 version 1.3
Build Date: Fri Apr 20 14:04:44 CST 2007
et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 4.138.1.0
Device eth0: hwaddr FF-FF-FF-FF-FF-FF, ipaddr 192.168.1.1, mask 255.255.255.0
gateway not set, nameserver not set
CFE> ^c
CFE> ifconfig eth0 -hwaddr=00-1e-2a-54-27-5e
CFE> setenv BOARD_ID U12H072T00_NETGEAR
CFE> nvram set board_id=U12H072T00_NETGEAR
(where 0 is the number zero)
CFE> nvram commit
CFE> tftpd
You can now load the wgr614v8 firmware using a tftp client under windows or linux. You will need to first download the Netgear firmware from http://kb.netgear.com/app/answers/detail/a_id/8320. The tftp command will vary based on the tftp client but will be similar to this.
tftp -i 192.168.1.1 put WGR614v8-V1.1.24_14.0.43.chk
Once the NETGEAR firmware is flashed and the router boots you need to permanently define the MAC address and boardid on the bdata partition. The commands to do this on the serial console are.
burnethermac 00-1e-2a-54-27-5e
burnboardid U12H072T00_NETGEAR
(where 0 is the number zero)
The router should now boot normally. Once booted you can then re-install dd-wrt. Until the firmware corruption problem is resolved, either don't use jffs or if you do then use the mini version of dd-wrt rather than the standard version. I have not seen the firmware corruption while running the mini version of dd-wrt with jffs enabled but cannot say for sure that flash corruption will not occur.
The instructions listed above are not a step by step guide but should point you in the right direction to resolve any flash corruption problems on a Netgear WGR614v8 or WGR614L.
Great! That's some really useful information. But I still have questions:
1) Have you been able to un-brick both of your 614l/v8?
In this topic:
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=22655
on page 51 you were still stuck with tjtagv3 not recognizing the flash chip.
2) For setting MAC and boardid do I really need serial or is it also possible via tjtag?
Posted: Sat Jan 02, 2010 15:19 Post subject: Great thanks.
I got my v8 bricked a couple of days ago. Today I managed to solder a jtag connector, only to find I got the MX25L3205A flash chip, which is not recognized by tjtag3.01.
I'm hesitating about using the /fc:21 switch. Thanks for your tip, I'll give it a try tomorrow.
I tried "tjtag3 -flash:cfe128 /fc:21 /noreset" with "v8_cfe_1_3 with swapped byte order" several times today but still no luck. I even erased the kernel and nvram several times.
In my situation, I got MX25L3205A instead of MX25L3205D, then WAN and LAN lit at normal brightness, TEST and Wireless lit dim, while Power only lit when the reset button was pressed.
This v8 was bricked when upgrading to Tomato from OpenWrt in the Web GUI, followed by a power cycle. Both firmwares were downloaded from myopenrouter.com.
Posted: Sun Mar 07, 2010 5:47 Post subject: Bricked again:(
I upgraded to 02-23-10-r13972 std without noticing that its size (3,743,744 bytes) exceeded the max firmware size a WGR614v8 can handle (3735552 bytes).
After unbricking using TTL and reflashing DD-WRT, it runs but complains "nvram_commit: write error" when saving changes.
I tried cfe 1.3 and 1.5 found in the forum, and even a different cfe 1.3 dumped from another v8. I tried erasing the whole flash. I tried different DD-WRT builds.
But no luck :( Sometimes there is even a "VFS: Cannot open root device "mtdblock2" or 1f:02" or similar error.
The flash layout turned out to be corrupted under some circumstances, but not always:
Creating 5 MTD partitions on "sflash":
0x00000000-0x00020000 : "cfe"
0x00020000-0x003f0000 : "linux"
0x00104c00-0x003b0000 : "rootfs"
mtd: partition "rootfs" doesn't start on an erase block boundary -- force read-only
0x003f0000-0x00400000 : "nvram"
0x003b0000-0x003f0000 : "ddwrt"
But it should be as follows, because there is board data etc. at 0x003b0000-0x003f0000:
Creating 5 MTD partitions on "sflash":
0x00000000-0x00020000 : "cfe"
0x00020000-0x003b0000 : "linux"
0x00104c00-0x00320000 : "rootfs"
mtd: partition "rootfs" doesn't start on an erase block boundary -- force read-only
0x003f0000-0x00400000 : "nvram"
0x00320000-0x003a0000 : "ddwrt"
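
The two layouts in the post above can be checked mechanically before any write to flash. The following is an added example, not code from the thread or from dd-wrt: it parses the kernel's MTD partition lines, reports which partitions overlap the board-data range 0x003b0000-0x003f0000 named in the post, and derives an image size limit. The function names are hypothetical, and the limit assumes an image is written from the start of "linux" up to the board-data range, which reproduces the 3735552-byte figure quoted in the post.

```python
import re

# Board-data range named in the post; must never lie inside a flashable partition.
PROTECTED = (0x003B0000, 0x003F0000)
ROW = re.compile(r'(0x[0-9a-fA-F]+)-(0x[0-9a-fA-F]+) : "([^"]+)"')

def parse_layout(log):
    """Return [(name, start, end)] from kernel MTD partition lines."""
    rows = (ROW.match(line.strip()) for line in log.splitlines())
    return [(m.group(3), int(m.group(1), 16), int(m.group(2), 16)) for m in rows if m]

def overlapping(parts, region=PROTECTED):
    """Names of partitions whose [start, end) range intersects the region."""
    lo, hi = region
    return [name for name, start, end in parts if start < hi and end > lo]

def max_image_size(parts, region=PROTECTED):
    """Assumption: an image is written from the start of "linux" upward."""
    linux_start = next(start for name, start, _ in parts if name == "linux")
    return region[0] - linux_start

def image_fits(size, parts):
    return size <= max_image_size(parts)

# Both layouts are copied from the boot logs quoted in the post.
CORRUPTED = '''Creating 5 MTD partitions on "sflash":
0x00000000-0x00020000 : "cfe"
0x00020000-0x003f0000 : "linux"
0x00104c00-0x003b0000 : "rootfs"
mtd: partition "rootfs" doesn't start on an erase block boundary -- force read-only
0x003f0000-0x00400000 : "nvram"
0x003b0000-0x003f0000 : "ddwrt"'''

EXPECTED = '''Creating 5 MTD partitions on "sflash":
0x00000000-0x00020000 : "cfe"
0x00020000-0x003b0000 : "linux"
0x00104c00-0x00320000 : "rootfs"
0x003f0000-0x00400000 : "nvram"
0x00320000-0x003a0000 : "ddwrt"'''

if __name__ == "__main__":
    for label, log in (("corrupted", CORRUPTED), ("expected", EXPECTED)):
        print(label, "overlaps board data:", overlapping(parse_layout(log)))
    limit = max_image_size(parse_layout(EXPECTED))
    print("limit", limit, "3,743,744-byte build fits:", image_fits(3743744, parse_layout(EXPECTED)))
```

In the corrupted layout both "linux" and "ddwrt" extend into the board-data range, so any write to either partition can erase the MAC address and board ID stored there.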