Posted: Thu Oct 23, 2014 11:44 Post subject: Router brick
TL;DR
Router: Cisco E1200 V2 (FCC-ID:Q87-E1200V2)
SoC: Broadcom BCM5357
State: Bricked
-------------------------------------------
Back-story
I bought a Cisco/Linksys E1200V2 router from target as a replacement router a month ago and then finally proceeded to install DD-WRT on it. I knew about DD-WRT years ago but was too lazy to buy a router of my own (at the time I was living with my parents), so with the E1200V2 I said "finally".
Anyway, I followed the wiki-dev guide (http://www.dd-wrt.com/wiki/index.php/Linksys_E1200v2) to the letter and the install went perfectly. After the initial flash to dd-wrt.v24-21676_NEWD-2_K2.6_mini-e1200v2.bin I upgraded (actually a downgrade, I wasn't thinking) to dd-wrt.v24-21061_NEWD-2_K2.6_big-nv64k.bin (http://www.dd-wrt.com/routerdb/de/download/Linksys/E1200/V2.0/dd-wrt.v24-21061_NEWD-2_K2.6_big-nv64k.bin/3932). Everything was working fine, and I kept on reading more DD-WRT forum posts and other blogs about different versions of ROM's. I quickly learned that I was outdated,my sshd wasn't working amoung other security issues, (thanks to me for not reading before hand, but that goes to show), so I went for an upgrade to dd-wrt.v24-23204_NEWD-2_K2.6_mega-nv64k.bin.
Unfortunately I did not read everything I needed to read about V24 NEWD2, so I did not know that there might be some firmware issues that could brick my router regardless if I flashed the firmware correctly or not. Anyway after the initial 30/30/30 (this was when I was still on dd-wrt.v24-21061_NEWD-2_K2.6_big-nv64k.bin) I entered a retarded passphrase and went to the administration page for firmware upgrading. I selected my new file (dd-wrt.v24-23204_NEWD-2_K2.6_mega-nv64k.bin) and proceeded to upgrade. Everything was going fine until I did the post 30/30/30 and fucked (hence 30/x/30) up. I accidentally pressed the soft reset button on the back of the router while letting go of the hard reset button. I was so pissed off... However I was thinking that that shouldn't really do anything except maybe incorrectly wipe the NVRAM configuration files, I mean the power was off. So I just waited a little bit before completing another 30/30/30, after that was done I logged into the router, changed my password, completed a power cycle.
And then nothing, the LED on the back (which normally would stay lit after the bootloader loaded the firmware) died out after three seconds, I couldn't ping the router, it was bricked.
So I did my research, I already knew what to do but needed to make sure 110% that I was going to do the right thing, and I ended up using a UART "programmer" (http://www.silabs.com/products/interface/usbtouart/pages/usb-to-uart-bridge.aspx) CP210x to connect to the serial pins (now header) on the mainboard so I could re-flash with tftp.
The router defaults to IP 192.168.1.1/24 so I used a static IP of 192.168.1.10/24 to connect to the router. I first issued the nvram erase command and got a status code of 0 back. I then connected the ethernet cord, power cycled the router, and ran the upgrade.
The first pass was successful (the erasing NVRAM and flashing firmware), so I waited five minutes before power cycling the router but after the initial boot the router's LED went dark again after three seconds??? So I ran the commands again but this time I also going to make sure the router was ready for the incoming data with the command flash -ctheader : flash1.trx, but when after I hit CTRL+C a thousand times to get a CFE prompt the router started looping (trying to decompress an image that wasn't there). So I unplugged the ethernet cord and the USB cable attached to my serial device. I plugged back in my serial device breaked a bunch of times and got a CFE prompt with no loop. So I plugged in my ethernet cord to start the firmware upgrade but then the router started looping again. I can't upgrade with it looping.
Code:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.10.23 03:41:43 =~=~=~=~=~=~=~=~=~=~=~=
Header CRC: 0x643953A3
Calculate CRC: 0x643953A3
Image 1 is OK
Try to load image 1.
Waiting for 3 seconds to upgrade ...
CMD: [load -raw -addr=0x807ae0f0 -max=0x1851f10 :]
Loader:raw Filesys:tftp Dev:eth0 File:: Options:(null)
Loading: _tftpd_open(): retries=0/3
### Start=408115796 E=408498667 Delta=382871 ###
Failed.
Could not load :: Interrupted
CFE> ^C
CFE> ^C
CFE> ^C
CFE> ^C
CFE> ^C
CFE> ^C
CFE> ^C
CFE> ^C
CFE> ie
CMD: [ie]
Invalid command: "ie"
Available commands: upgrade, et, modify, nvram, reboot, flash, memtest, f, e, d, u, batch, go, boot, load, save, ttcp, tcp, rlogin, client, ping, arp, ifconfig, show, unsetenv, printenv, setenv, help
*** command status = -1
CFE> ei
CMD: [ei]
Invalid command: "ei"
Available commands: upgrade, et, modify, nvram, reboot, flash, memtest, f, e, d, u, batch, go, boot, load, save, ttcp, tcp, rlogin, client, ping, arp, ifconfig, show, unsetenv, printenv, setenv, help
*** command status = -1
CFE> help
CMD: [help]
Available commands:
upgrade Upgrade Firmware
et Broadcom Ethernet utility.
modify Modify flash data.
nvram NVRAM utility.
reboot Reboot.
flash Update a flash memory device
memtest Test memory.
f Fill contents of memory.
e Modify contents of memory.
d Dump memory.
u Disassemble instructions.
batch Load a batch file into memory and execute it
go Verify and boot OS image.
boot Load an executable file into memory and execute it
load Load an executable file into memory without executing it
save Save a region of memory to a remote file via TFTP
ttcp TCP test command.
tcp constest tcp console test.
tcp listen port listener.
tcp connect TCP connection test.
rlogin mini rlogin client.
client Show the client of the dhcp server.
ping Ping a remote IP host.
arp Display or modify the ARP Table
ifconfig Configure the Ethernet interface
show clocks Show current values of the clocks.
show heap Display information about CFE's heap
show memory Display the system physical memory map.
show devices Display information about the installed devices.
unsetenv Delete an environment variable.
printenv Display the environment variables
setenv Set an environment variable.
help Obtain help for CFE commands
For more information about a command, enter 'help command-name'
*** command status = 0
CFE> client
CMD: [client]
The DHCP server did not start up successfully!
*** command status = 0
CFE> printenv
CMD: [printenv]
Variable Name Value
-------------------- --------------------------------------------------
BOOT_CONSOLE uart0
CFE_VERSION 1.0.37
CFE_BOARDNAME BCM947XX
CFE_MEMORYSIZE 32768
NET_DEVICE eth0
NET_IPADDR 192.168.1.1
NET_NETMASK 255.255.255.0
NET_GATEWAY 0.0.0.0
NET_NAMESERVER 0.0.0.0
STARTUP go;
*** command status = 0
CFE> show devices
CMD: [show devices]
Device Name Description
------------------- ---------------------------------------------------------
uart0 NS16550 UART at 0x18000300
flash0.boot ST Serial flash offset 00000000 size 256KB
flash0.trx ST Serial flash offset 00040000 size 1KB
flash0.os ST Serial flash offset 0004001C size 7872KB
flash0.nvram ST Serial flash offset 007F0000 size 64KB
flash1.boot ST Serial flash offset 00000000 size 256KB
flash1.trx ST Serial flash offset 00040000 size 7872KB
flash1.nvram ST Serial flash offset 007F0000 size 64KB
flash0 ST Serial flash size 8192KB
eth0 Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller
*** command status = 0
CFE> show memory
CMD: [show memory]
Range Start Range End Range Size Description
------------ ------------ -------------- --------------------
000000000000-0000006FFFFF (000000700000) DRAM (available)
0000007AF000-000001FFFFFF (000001851000) DRAM (available)
*** command status = 0
CFE> show heap
CMD: [show heap]
Boot version: ==> v5.3.7
The boot is CFE
mac_init(): Find mac [c8:b3:73:2e:fa:69] in location 0
Update lan mac from [00:01:36:1f:e7:7d] to [c8:b3:73:2e:fa:69]
Committing NVRAM...Decompressing...done
Start to blink diag led ...
CFE version 5.100.138.11 based on BBP 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: 07/30/12 12:18:33 HKT (cjc@t.sw3)
Copyright (C) 2000-2008 Broadcom Corporation.
Initializing Arena
Initializing Devices.
No DPN
This is a Serial Flash
Boot partition size = 262144(0x40000)
Found an ST compatible serial flash with 128 64KB blocks; total size 8MB
Partition information:
boot #00 00000000 -> 0003FFFF (262144)
trx #01 00040000 -> 0004001B (28)
os #02 0004001C -> 007EFFFF (8060900)
nvram #03 007F0000 -> 007FFFFF (65536)
Partition information:
boot #00 00000000 -> 0003FFFF (262144)
trx #01 00040000 -> 007EFFFF (8060928)
nvram #02 007F0000 -> 007FFFFF (65536)
BCM47XX_GMAC_ID
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.100.138.11
CPU type 0x19749: 300MHz
Total memory: 32768 KBytes
Boot version: ==> v5.3.7
The boot is CFE
mac_init(): Find mac [c8:b3:73:2e:fa:69] in location 0
Update lan mac from [00:01:36:1f:e7:7d] to [c8:b3:73:2e:fa:69]
Committing NVRAM...Decompressing...done
Start to blink diag led ...
CFE version 5.100.138.11 based on BBP 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: 07/30/12 12:18:33 HKT (cjc@t.sw3)
Copyright (C) 2000-2008 Broadcom Corporation.
Initializing Arena
Initializing Devices.
No DPN
This is a Serial Flash
Boot partition size = 262144(0x40000)
Found an ST compatible serial flash with 128 64KB blocks; total size 8MB
Partition information:
boot #00 00000000 -> 0003FFFF (262144)
trx #01 00040000 -> 0004001B (28)
os #02 0004001C -> 007EFFFF (8060900)
nvram #03 007F0000 -> 007FFFFF (65536)
Partition information:
boot #00 00000000 -> 0003FFFF (262144)
trx #01 00040000 -> 007EFFFF (8060928)
nvram #02 007F0000 -> 007FFFFF (65536)
BCM47XX_GMAC_ID
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.100.138.11
CPU type 0x19749: 300MHz
Total memory: 32768 KBytes
Boot version: ==> v5.3.7
The boot is CFE
mac_init(): Find mac [c8:b3:73:2e:fa:69] in location 0
Update lan mac from [00:01:36:1f:e7:7d] to [c8:b3:73:2e:fa:69]
Committing NVRAM...Decompressing...done
Start to blink diag led ...
CFE version 5.100.138.11 based on BBP 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: 07/30/12 12:18:33 HKT (cjc@t.sw3)
Copyright (C) 2000-2008 Broadcom Corporation.
Initializing Arena
Initializing Devices.
No DPN
I issued a reboot here to view the loop that happens when I plug in an ethernet cord after applying power to the serial adapter (via USB), the loop also happens while the ethernet cord is already plugged in as well.
Posted: Thu Oct 23, 2014 15:46 Post subject: Router brick
Right I understand that but don't I need an ethernet cable from my server to the router to do a trivial transfer? If so when I use an ethernet cable when accessing CFE mode via the serial adapter the router boot loops and I cannot stop it with a signal break.
Posted: Thu Oct 23, 2014 16:46 Post subject: Router brick
Also when because my router automatically starts a tftp server looking for a firmware upgrade after powering the unit on, as I initially tried, I used the tftp2 application again to send the firmware to the router to flash, and it seemed to work. But now the router's light is just blinking. It did this before and I waited for a good ten minutes before I did a 30/30/30.
Posted: Fri Oct 24, 2014 0:10 Post subject: Router Fixed
The process was incorrect for the Cisco E1200V2.
The solution was to run tftp2 over the network first while the router was plugged into its power supply, then after the upgrade plug in the serial adapter, return a couple times to bring up the CFE prompt, and then select go.
If you don't do this in this order it will result in your bootloader looping (i.e. kernel panic like behavior).