Posted: Sat Oct 11, 2008 11:34 am Post subject: bdrestore fails: how to recover board config for dir-300?
During the process of flashing with different images I've made a stupid mistake, erasing flash by "fis init -f". So, I do believe that board config is cleaned up, bdrestore returns:
DD-WRT> bdmove
No board config data found!
DD-WRT> DD-WRT> bdrestore
Board config found at 0xbff90000
No board config data found!
So, neither linux.bin nor the original firmware from D-Link starts anymore. Does anybody have experience with such a case? Is there any way to restore the board config?
use the dir300 instruction to flash the ap62.rom again.
EDIT typo: ap61.rom
Last edited by Sash on Sat Oct 25, 2008 8:27 am; edited 1 time in total
AP62 ?? If this is a typo error I have this problem and reflashed AP61.ROM again but the board config continues missing. And AP does not load kernel completely.
use the dir300 instruction to flash the ap62.rom again.
Sash - thanks for the answer. Hope you may easily understand what's wrong. Sure, I did use the instruction. BTW, I do also believe there was a typo with ap62.rom: no references for such a file on the dd-wrt download page. So, I'm going with ap61.rom. Here is the full log of my last attempt, too long but hope clear:
Version: "RedBoot v2.3"
RAM: 0x80000000-0x80800000, [0x80036350-0x807ed000] available
FLASH: 0xbfc00000 - 0xbfff0000, 64 blocks of 0x00010000 bytes each.
RedBoot(tm) bootstrap and debug environment [RAM]
production release, version "2.1.3" - built 18:43:37, Sep 20 2007
Platform: ap61 (Atheros WiSOC)
Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.
Copyright (C) 2007, NewMedia-NET GmbH.
Board: DLINK DIR-300
RAM: 0x80000000-0x81000000, [0x8007ff00-0x80fe1000] available
FLASH: 0xbfc00000 - 0xbfff0000, 64 blocks of 0x00010000 bytes each.
DD-WRT> fis init
About to initialize [format] FLASH image system - continue (y/n)? y
*** Initialize FLASH Image System
... Erase from 0xbffe0000-0xbfff0000: .
... Program from 0x80ff0000-0x81000000 at 0xbffe0000: .
DD-WRT> load -r -b %{FREEMEMLO} ap61.rom
Using default protocol (TFTP)
Raw file loaded 0x80080000-0x800a8717, assumed entry at 0x80080000
DD-WRT> fis create -l 0x30000 -e 0xbfc00000 RedBoot
An image named 'RedBoot' exists - continue (y/n)? y
... Erase from 0xbfc00000-0xbfc30000: ...
... Program from 0x80080000-0x800a8718 at 0xbfc00000: ...
... Erase from 0xbffe0000-0xbfff0000: .
... Program from 0x80ff0000-0x81000000 at 0xbffe0000: .
Here I see the only difference from the flashing.txt guide provided: in the memory addresses used for fis programming, the guide gives 0x807f0000-0x80800000 and my result is shifted by 0x800000. Not sure it's a problem, but just in case you may know what it means.
DD-WRT> fis create -l 0x30000 -e 0xbfc00000 RedBoot
An image named 'RedBoot' exists - continue (y/n)? y
... Erase from 0xbfc00000-0xbfc30000: ...
... Program from 0x80080000-0x800a8718 at 0xbfc00000: ...
... Erase from 0xbffe0000-0xbfff0000: .
... Program from 0x80ff0000-0x81000000 at 0xbffe0000: .
DD-WRT> reset
re-connected telnet session again in a second.
Then checked out flash:
DD-WRT> ^C
DD-WRT> fis list
Name FLASH addr Mem addr Length Entry point
RedBoot.........0xBFC00000 0x80080000 0x00030000 0xBFC00000
FIS directory....0xBFFE0000 0xBFFE0000 0x0000F000 0x00000000
RedBoot config..0xBFFEF000 0xBFFEF000 0x00001000 0x00000000
DD-WRT> fis free
0xBFC30000 .. 0xBFFE0000
So far so good. Continuing with guide:
DD-WRT> load -r -b 0x80041000 linux.bin
Using default protocol (TFTP)
TFTP timed out 1/15
Can't load 'linux.bin': operation timed out
I'd say it would be really nice to update the flashing.txt by adding the tftp host address setting: surely a lot of people spent time discovering in other guides what's going wrong and why the transfer doesn't start. Thanks to Shadowandy's mini-flashing-guide-for-dir-300 I see what's wrong.
DD-WRT> ip_address -h 192.168.1.2
IP: 192.168.1.1/255.255.255.0, Gateway: 0.0.0.0
Default server: 192.168.1.2
DD-WRT> load -r -b 0x80041000 linux.bin
Using default protocol (TFTP)
Raw file loaded 0x80041000-0x803bafff, assumed entry at 0x80041000
DD-WRT> fis create linux
... Erase from 0xbfc30000-0xbffaa000: ........................................................
... Program from 0x80041000-0x803bb000 at 0xbfc30000: ........................................................
... Erase from 0xbffe0000-0xbfff0000: .
... Program from 0x80ff0000-0x81000000 at 0xbffe0000: .
Took some 10 minutes, looks ok, but the same shift in sourced area for programming into flash. Then just to be sure everything is ok with flashing the image:
DD-WRT> fis list
Name FLASH addr Mem addr Length Entry point
RedBoot..........0xBFC00000 0x80080000 0x00030000 0xBFC00000
linux..............0xBFC30000 0x80041000 0x0037A000 0x80041000
FIS directory.....0xBFFE0000 0xBFFE0000 0x0000F000 0x00000000
RedBoot config...0xBFFEF000 0xBFFEF000 0x00001000 0x00000000
DD-WRT> fis free
0xBFFAA000 .. 0xBFFE0000
DD-WRT> fconfig boot_script true
boot_script: Setting to true
Update RedBoot non-volatile configuration - continue (y/n)? y
... Erase from 0xbffe0000-0xbfff0000: .
... Program from 0x80ff0000-0x81000000 at 0xbffe0000: .
DD-WRT> fconfig boot_script_timeout 3
boot_script_timeout: Setting to 3
Update RedBoot non-volatile configuration - continue (y/n)? y
... Erase from 0xbffe0000-0xbfff0000: .
... Program from 0x80ff0000-0x81000000 at 0xbffe0000: .
DD-WRT> fconfig bootp false
bootp: Setting to false
Update RedBoot non-volatile configuration - continue (y/n)? y
... Erase from 0xbffe0000-0xbfff0000: .
... Program from 0x80ff0000-0x81000000 at 0xbffe0000: .
DD-WRT> fconfig
Run script at boot: true
Boot script:
Enter script, terminate with empty line
>> fis load -l linux
>> exec
>>
Boot script timeout (1000ms resolution): 3
Use BOOTP for network configuration: false
Gateway IP address:
Local IP address:
Local IP address mask:
Default server IP address:
Console baud rate: 9600
GDB connection port: 9000
Force console for special debug messages: false
Network debug at boot time: false
Update RedBoot non-volatile configuration - continue (y/n)? y
... Erase from 0xbffe0000-0xbfff0000: .
... Program from 0x80ff0000-0x81000000 at 0xbffe0000: .
DD-WRT> version
RedBoot(tm) bootstrap and debug environment [ROMRAM]
production release, version "2.1.3" - built 18:43:19, Sep 20 2007
Platform: ap61 (Atheros WiSOC)
Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.
Copyright (C) 2007, NewMedia-NET GmbH.
Board: DLINK DIR-300
RAM: 0x80000000-0x81000000, [0x80040580-0x80fe1000] available
FLASH: 0xbfc00000 - 0xbfff0000, 64 blocks of 0x00010000 bytes each.
DD-WRT> reset
So everything looks fine to me. Yet it doesn't work: the device restarted every minute, 3 times I guess, then hangs with the SW not started and no DHCP server either - I've connected another comp with auto net config, so no IP address was applied. RedBoot works, I can power cycle the device and telnet to it again. Trying to see what's going on, I've started linux manually:
DD-WRT> fis load -l linux
Image loaded from 0x80041000-0x802d0c58
DD-WRT> exec
Device restarted and goes the same way: rebooted 3 times and hangs.
DD-WRT> x -b 0xbfc30000 -l 0x00000100
DD-WRT> exec
Well, I didn't really get what's wrong. BDRESTORE gives the same: finding no device info. Reloads of original firmware v. 1.03-1.05 and earlier versions of DD-WRT give the same. It couldn't be bricked as far as RedBoot works, so my guess is only the device config; this is why I've asked about it. Any other assumptions are warmly welcomed.
Would it be sensible to run bdrestore at first, prior to flashing Redboot into ROM? As I see it moves board config to the end of ROM and hopefully gonna prevent RedBoot from overwriting it. Guru, what would you say?
I have a similar problem. While "playing" with flashing dd-wrt and flashing back to original firmware procedures (several times) I did something (don't know what exactly but for sure it was NOT the "fis init -f" command) and next time the dd-wrt did not start and was cycling through the reboot process infinitely. I tried the OpenWRT with the same result (while before that I could load and start OpenWRT without any problem). During the flash procedure the only difference with "Mini Flashing Guide..." and with flashing.txt I could see is the same as in twiky's log:
... Program from 0x80ff0000-0x81000000 at 0xbffe0000
The manual
With the original RedBoot (dir300redboot.rom) and original firmware (1.04) the boot script is not working (while before that everything was ok). I connected putty to the RedBoot in passive mode (without ^C) during the boot process and got this error:
== Executing boot script in 4.950 seconds - enter ^C to abort
RedBoot> Using default protocol (TFTP)
__udp_sendto: Can't find address of server
Can't load 'COBRAART.SYS': some sort of network error
RedBoot> No entry point known - aborted
RedBoot>
But when I manually enter "fload" and "go" (which are definitely in the script) the original firmware started and seems to be working properly.
So it seems the problem is not in the RedBoot or firmware (original or dd-wrt), because they both worked on my hardware (dir-300) before.
Same as I did. Same, started original firmware manually as script was not running on boot up.
Yet had radio not started up - system works, shows all OK but not discoverable at all; so went to OpenWRT but completely unsuccessful as it doesn't start at all, flashed back to DD-wrt and original and back - got system not even starting manually, cycling on boot.
Now I do realize that non-working radio most probably means bdconfig damaged. Having no idea how to recover it on my own I went to d-link service and flashed it back in full - they did it easily within 3 days mentioning it as a regular support procedure for free )) -- seems I'm not the only one who f*cked up.
Well, now I'm wondering how could I pass the problem flashing it to dd-wrt again. Have no clear idea what was wrong. Not sure is it needed to bdrestore initially or not, but some say yes.
Of course, it would be great to have some analysis and get to a solution / recommendations for others, but I'm personally not qualified enough. Does anybody have a clue? Not sure, the case seems to be not common, even being probably specific to the widely spread DIR-300. But the problem persists.
Twiky, could you make a full flash memory dump to the putty log file when you get back your device? (RedBoot> dump -b 0xbfc00000) Or if it is too long:
RedBoot> dump -b 0xbfc00000 -l 0x40000
RedBoot> dump -b 0xbffe0000 -l 0xf000
RedBoot> dump -b 0xbffef000 -l 0x1000
One more thing. I load the ap61.ram and run the "fis list". Here is the result (could anybody compare it with the same result from working device?):
DD-WRT> fis list
Name FLASH addr Mem addr Length Entry point
RGCFG1 0x00000038 0x00000039 0x00000641 0x0003183B
<Not a string: 0x80FF2400> 0x08459094 0x2B81DF32 0x57B5EEE7 0xA1A255F0
<Not a string: 0x80FF2100> 0x199F2016 0xD1201412 0x1954E320 0x2D88E923
<Not a string: 0x80FF2300> 0x3A1C0627 0xC1A53B8D 0xC0641C69 0x85DC8E0D
<Not a string: 0x80FF2500> 0x4D0D875C 0x2B2CF905 0xEB6B3F71 0x2B8B3F47
<Not a string: 0x80FF2700> 0xB87AAABA 0x9622AF38 0x23A05EFF 0xD3E4DFD9
RedBoot 0xBFC00000 0x80040800 0x00030000 0xBFC00000
FIS directory 0xBFFE0000 0xBFFE0000 0x0000F000 0x00000000
RedBoot config 0xBFFEF000 0xBFFEF000 0x00001000 0x00000000
<Not a string: 0x80FF2600> 0xF8E252E5 0xF252689F 0xAFF2D6B0 0x6AD95697
<Not a string: 0x80FF2200> 0xFE2D1462 0xBAE7ADC2 0x28F34410 0x77920FE4
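A consistency check for `fis list` output like the corrupted listing above, as an added example that is not part of the original thread. The flash window comes from the RedBoot banner quoted on this page; the function names are hypothetical, and the sample rows are a constructed subset of the listings posted here.

```python
import re

# Flash window from the RedBoot banner on this page (end is exclusive).
FLASH_START, FLASH_END = 0xBFC00000, 0xBFFF0000

# Constructed samples: rows taken from the `fis list` outputs in this thread.
CORRUPT = """\
RGCFG1 0x00000038 0x00000039 0x00000641 0x0003183B
<Not a string: 0x80FF2400> 0x08459094 0x2B81DF32 0x57B5EEE7 0xA1A255F0
RedBoot 0xBFC00000 0x80040800 0x00030000 0xBFC00000
FIS directory 0xBFFE0000 0xBFFE0000 0x0000F000 0x00000000
RedBoot config 0xBFFEF000 0xBFFEF000 0x00001000 0x00000000
"""
HEALTHY = """\
RedBoot..........0xBFC00000 0x80080000 0x00030000 0xBFC00000
linux..............0xBFC30000 0x80041000 0x0037A000 0x80041000
FIS directory.....0xBFFE0000 0xBFFE0000 0x0000F000 0x00000000
RedBoot config...0xBFFEF000 0xBFFEF000 0x00001000 0x00000000
"""

# A data row ends with four 8-digit hex fields: flash, mem, length, entry.
ROW = re.compile(r"\s+".join([r"(0x[0-9A-Fa-f]{8})"] * 4) + r"\s*$")

def parse_fis_list(text):
    """Return [(name, flash_addr, length)] for every data row."""
    entries = []
    for line in text.splitlines():
        m = ROW.search(line)
        if not m:
            continue  # header, prompt or blank line
        name = line[:m.start()].rstrip(". ")  # drop RedBoot's dot padding
        entries.append((name, int(m.group(1), 16), int(m.group(3), 16)))
    return entries

def check_fis(entries):
    """Return a list of problems; an empty list means the table is consistent."""
    problems, valid = [], []
    for name, addr, length in entries:
        if name.startswith("<Not a string"):
            problems.append(f"unprintable name at {addr:#010x}")
        elif addr < FLASH_START or addr + length > FLASH_END or length == 0:
            problems.append(f"{name}: {addr:#010x}+{length:#x} outside flash")
        else:
            valid.append((addr, addr + length, name))
    valid.sort()
    for (s1, e1, n1), (s2, e2, n2) in zip(valid, valid[1:]):
        if s2 < e1:
            problems.append(f"{n1} overlaps {n2}")
    return problems

def free_ranges(entries):
    """Gaps between in-range entries, comparable with `fis free`."""
    spans = sorted((a, a + n) for _, a, n in entries
                   if a >= FLASH_START and a + n <= FLASH_END)
    gaps, cursor = [], FLASH_START
    for start, end in spans:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    return gaps + ([(cursor, FLASH_END)] if cursor < FLASH_END else [])
```

On the healthy sample the computed gap equals the `fis free` line in twiky's log; on the corrupted sample the two bogus rows are reported and ignored when computing free space.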
I bought one more router for my work and made a full dump of its flash rom. Secondly I connected my router through its TTL pins and some kind of simple pl2303 USBtoRS232 converter. Then I could see what is happening when the router is booting up and when I do the bdrestore or bdmove command. I don't have the exact procedure for how to restore other routers with the same problem, so I suggest everybody who wants to repeat my steps have this kind of connection, just in case.
Actually the board config is located in 0xbfff0000-0xbfffffff. When you flash your router with new redboot (ap61.rom) and then with dd-WRT linux.bin or some openWRT linux - they change this block of flash memory when booting the first time (I think the red light indicates it), adding their own information. And it seems in some cases they could break the original board information (I don't know in what case - now I can not break it even if I try to). In my case I could see some strange information at the very beginning of that block of memory.
I could restore this board config by loading the block of memory from the original dump I made from the second device (I can send it to anybody who needs it) to the appropriate address.
1. I flashed the dd-WRT redboot. (This procedure does not work with original redboot for some reason - maybe you should use another address in step 2, I don't know.)
2. Then I loaded the original board config to the address 0xbffd0000 (don't ask me why I use this address - I don't know. But it seems that the dd-WRT bdrestore and bdmove commands use exactly this address to restore the board config). Actually I loaded two blocks of memory - the second one was 0xbffe0000-0xbffeffff (from the original dump). I loaded it to the address 0xbffc0000 (DO NOT confuse with 0xbfc00000 - you can damage your router as it is the address of redboot). But I'm not sure you will need this block, first time try without this block.
3. bdrestore
4. bdmove
So, maybe some guru could explain (I could not) what exactly I did - but the board config was restored.
Would be great to have it -- don't you mind to create an instruction how to program onto config area, or it can be simply accessed in RedBoot for overwrite?
I've been experiencing the same problem with a ar430w for about a week now, constantly power cycles, no dhcp, won't load dd-wrt/original fw. Has anyone found out what's getting messed up? I also noticed that one address change as fluffy and twiky pointed out earlier, has anyone resolved this issue? I have been bashing my brains in for the past week trying to figure out what got damaged and honestly I don't know, I'm not a guru but even with all my logs, step by step posted all I've managed to get is "did you follow the instructions in the dl folder" and nothing related to the actual problem. I had v24-sp1 installed and ran fine for 3 days, then decided to upgrade to v24-pre-sp2, uploaded the ar430w-firmware.bin via http and reset to defaults. On 1st boot, everything seemed fine, after changing some settings and trying to enable jffs, also booted fine but with no jffs, since I was unfamiliar with a few wireless settings, I decided to reset back to defaults, well, that's when it all started. Since then all I have been able to get at the most is a dd-wrt> bootloader prompt, tried reverting using the dir300redboot.rom and using the emergency web server to upload the factory firmwares 1.01 and 1.02, tried flashing v24-rc5, v24, v24-sp1, v24-pre-sp2 and all failed horribly when it came to booting (only redboot would work), it's like the linux fs fails to load on boot, or gets a bad write? Even with all addresses matching flashing.txt and other instructions, I was unable to boot another firmware. If anyone is interested in some logs or whatever, I am willing to test the hell out of this box, may it be thankful I haven't crushed it yet after spending over a week with this retarded issue
Code:
DD-WRT> version
RedBoot(tm) bootstrap and debug environment [ROMRAM]
production release, version "2.1.3" - built 18:43:19, Sep 20 2007
Platform: ap61 (Atheros WiSOC)
Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.
Copyright (C) 2007, NewMedia-NET GmbH.
Board: DLINK DIR-300
RAM: 0x80000000-0x81000000, [0x80040580-0x80fe1000] available
FLASH: 0xbfc00000 - 0xbfff0000, 64 blocks of 0x00010000 bytes each.
DD-WRT> fis list
Name FLASH addr Mem addr Length Entry point
RedBoot 0xBFC00000 0x80080000 0x00030000 0xBFC00000
linux 0xBFC30000 0x80041000 0x00395000 0x80041000
FIS directory 0xBFFE0000 0xBFFE0000 0x0000F000 0x00000000
RedBoot config 0xBFFEF000 0xBFFEF000 0x00001000 0x00000000
DD-WRT> fis list -d
Name FLASH addr Mem addr Datalen Entry point
RedBoot 0xBFC00000 0x80080000 0x00028718 0xBFC00000
linux 0xBFC30000 0x80041000 0x00395000 0x80041000
FIS directory 0xBFFE0000 0xBFFE0000 0x00000000 0x00000000
RedBoot config 0xBFFEF000 0xBFFEF000 0x00000000 0x00000000
DD-WRT> bdrestore
Board config found at 0xbff90000
No board config data found!
DD-WRT>
deaftone I too had tried a pre-sp2 release unsuccessfully, but was able to recover my AR430 to v24-sp1 by following to-the-letter the original flashing instructions as published by member donn here:
I haven't read every detail of your posts, but I would say to make certain if you do this that the tftp server has ONLY the linux.bin in its directory that is included with the original v24-sp1 download.
deaftone,
You said in the other thread that this happened after you enabled jffs. The same thing happened to me last week. It looks like turning on jffs nuked the board config.
Good news is that I managed to recover it. I don't have an ar430w handy right now, so I'll post the details to restore it when I get home. It's similar to the steps fluffy posted. (I saw it after I spent a good part of my sleeping hours figuring out the same thing) The gist of it is this:
1) Find the flash location of the board config. You can find this in the dd-wrt boot log of a good ar430w or dir300. It's the address of mtd\6. I think openwrt also has a copy up on their site.
2) Make a copy of /dev/mtd/6 from a good router.
3) Find the MAC addresses located in the previous file and change them to those of your router.
4) Load up the original ar430w redboot to your router.
5) fwrite the file from step 3 to the address from step 1.
6) flash to dd-wrt
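Step 3 of the procedure above, as an added example that is not part of the original post: rewrite the donor router's MAC addresses in a copied board-config block and list every offset that changed. It assumes the MACs are stored as six raw bytes and that the interfaces use consecutive addresses starting at the label MAC; the addresses, offsets and function names are constructed, and no checksum is recalculated because the thread does not mention one.

```python
DONOR = "02:00:00:aa:bb:10"  # constructed: label MAC of the working router
OWN = "02:00:00:cc:dd:20"    # constructed: label MAC of the router being repaired

def mac_bytes(text):
    """'02:00:00:aa:bb:10' -> 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    return raw

def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)

def mac_add(raw, k):
    """Add k to a MAC treated as a 48-bit big-endian integer."""
    return ((int.from_bytes(raw, "big") + k) % (1 << 48)).to_bytes(6, "big")

def patch_macs(dump, donor_base, own_base, span=4):
    """Map donor_base+k to own_base+k for k in 0..span-1.

    Returns (patched_bytes, report); report rows are (offset, old, new).
    """
    donor, own = mac_bytes(donor_base), mac_bytes(own_base)
    out, report = bytearray(dump), []
    for k in range(span):
        old, new = mac_add(donor, k), mac_add(own, k)
        pos = dump.find(old)          # always search the untouched original
        while pos != -1:
            out[pos:pos + 6] = new
            report.append((pos, mac_text(old), mac_text(new)))
            pos = dump.find(old, pos + 1)
    if not report:
        raise ValueError("donor MAC not found: wrong dump or wrong address")
    assert len(out) == len(dump)      # the block size must not change
    return bytes(out), sorted(report)

def sample_dump():
    """Constructed 64 KiB erased block holding two consecutive donor MACs."""
    blk = bytearray(b"\xff" * 0x10000)
    blk[0x60:0x66] = mac_bytes(DONOR)
    blk[0x66:0x6C] = mac_add(mac_bytes(DONOR), 1)
    return bytes(blk)

if __name__ == "__main__":
    patched, report = patch_macs(sample_dump(), DONOR, OWN)
    for offset, old, new in report:
        print(f"{offset:#06x}: {old} -> {new}")
```

Compare the reported offsets against a hex view of the donor file before writing anything back; an empty report raises an error instead of producing an unchanged file.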