Debricking E3000 using JTAG

Dark-Show
DD-WRT Novice


Joined: 26 Jun 2009
Posts: 45

Posted: Sat Jul 19, 2014 18:50    Post subject: Debricking E3000 using JTAG
This is a record of what I've done to successfully debrick my E3000 when tftp and serial did not work.
These steps should also work with the 610 v2 (just use a different stock firmware for recovery).

I take no responsibility for damages to any hardware resulting in the use of this guide. Research everything separately and understand what you are doing before attempting anything listed below.

As a note before we continue, upon successful JTAG of the unit try to clear NVRAM and KERNEL before messing with any CFE files, we are working in 8bit serial mode so data transfers are going to be quite slow.

So the first step would be to get your soldering iron ready, and bridge these points together to make up for the missing resistors. (thanks cisco/linksys)



This is the most difficult part of the whole deal, and the image does not do justice as to how small the pads are. What I have done to ease the job was to lay a piece of solder on the PCB and melt off tiny balls (when I say tiny I mean tiny) and using the non-grounded nature of my iron to make the balls stick onto the iron, this lets us bring the small bead of solder to the spot to be bridged. (this worked well for me in keeping the job clean) When applying the beads of solder DO NOT use much force on the pads. A mod of this forum with (I'm guessing) much soldering experience lifted these pads off a few E3000. If this is done, you're on your own. BE GENTLE!

Once you get this done, test the points with a multimeter to ensure they are properly bridged. Then, install a JTAG header into the space shown in the picture (use an iron that's at least 30W or else it will be a pain to melt through the PCB coating, I used a butane iron first then needed to switch to a 30W RadioShack to get the job done).

Now the next part could require more soldering depending on the JTAG you use, I believe if you are using a wiggler cable (buffered) you will need to install 4x4.6k resistors, one on each of the JTAG lines. I however did the job with an unbuffered resistor JTAG cable. I did not need the extra resistors.

Next up is the software. You will want to grab a copy of TJTAG 3.0.2.1
you can grab your copy here:
http://sourceforge.net/projects/tjtag/files/v3.0.2-Final/

install giveio.sys to C:\windows\system32\drivers
then open loaddrv and append giveio.sys to the end of the path and press install then start.

Now you are ready to JTAG.
Unplug the router that you are working on and hook up the JTAG to the unit.

Timing is very critical to the JTAG process, we want to halt the processor and put it in a debug state before it gets to any corrupted software.

What I do to ease this is make a simple batch file containing the following:

Code:
:start
pause
tjtag3.exe -erase:nvram /byte_mode /cable:dlc5 /fc:159
goto start


this lets us pause the execution of the command until we are ready.

before we continue let me explain the command.

Code:
tjtag3.exe -erase:nvram /byte_mode /cable:dlc5 /fc:159


-erase:nvram - this will erase the nvram portion of the flash chip.
-erase:kernel - this will erase the kernel (linux) portion of the flash chip.
/byte_mode - this tells the software we are in 8bit mode for communication with the flash chip
/cable:dlc5 - This tells the software we are using an unbuffered cable. Look up the command for the cable you are using, if it's anything other than an unbuffered resistor cable.
/fc:159 - This is an important switch for the E3000 I was working on. The software could not automatically detect my flash chip so I forced it to the "MX29LV640EB 4Mx16 BotB". You can read the code right off the flash chip, so double check to make sure your chip matches.

So now that the command has been explained and you feel comfortable, launch the batch file, then plug the E3000 power source in, and as fast as possible hit any key.

This "should" successfully erase your NVRAM.

Now next edit the batch file and replace -erase:nvram with -erase:kernel. Replug the device after launching the batch file and hit that any key again.

This "should" successfully erase your KERNEL.

Now you are ready to tftp the stock firmware to the device.


Last edited by Dark-Show on Sun Jul 20, 2014 14:19; edited 3 times in total
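
Added example (not part of Dark-Show's post or the TJTAG project): a variant of the batch file above that takes the region to erase as an argument, so the file does not have to be edited between the NVRAM and kernel passes. The script name jtag_erase.bat, the labels and the variable names are hypothetical; every tjtag3.exe switch is the one given in the post.

```batch
@echo off
rem jtag_erase.bat (hypothetical name) - added example, not from the original post.
rem Usage: jtag_erase.bat nvram     then     jtag_erase.bat kernel
setlocal

set "TARGET=%~1"
rem Cable type and flash chip code as used in the post. 159 is the value the
rem post forced for its MX29LV640EB; read the marking on your own chip first.
set "CABLE=dlc5"
set "FLASH=159"

rem Accept only the two regions the post erases, spelled as the post spells them.
if "%TARGET%"=="nvram" goto target_ok
if "%TARGET%"=="kernel" goto target_ok
echo Usage: %~nx0 nvram^|kernel
exit /b 1

:target_ok
rem Fail before the timing-critical step if the tool is not beside this script.
if not exist "%~dp0tjtag3.exe" goto no_tool

:attempt
echo.
echo Erase target: %TARGET%
echo Router unplugged, JTAG cable attached.
echo Plug the power in, then press a key as fast as possible.
pause
"%~dp0tjtag3.exe" -erase:%TARGET% /byte_mode /cable:%CABLE% /fc:%FLASH%

rem Like the original loop, allow another attempt if the CPU was not halted in time.
set "AGAIN="
set /p "AGAIN=Run the %TARGET% erase again? [y/n] "
if /i "%AGAIN%"=="y" goto attempt
endlocal
exit /b 0

:no_tool
echo tjtag3.exe was not found in %~dp0
endlocal
exit /b 1
```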
Phonism
DD-WRT User


Joined: 27 Sep 2008
Posts: 449
Location: Norway

Posted: Sun Jul 20, 2014 11:25
Impressive work and details in this guide! I'm bookmarking this in case I need to or want to try JTAG on my E3000.

Thank you :)

_________________

Asus RT-AC66U DD-WRT v24-sp2 giga - build 25015 [Main]
Linksys E3000 DD-WRT v24-sp2 mega - build 15962 [Backup]
Linksys WRT600N v1.1 DD-WRT v24-sp2 (08/12/10) mega - build 14929 [Retired]
Linksys WRT54GS v4 DD-WRT v24-sp2 mini - build 15747 [Retired]
E3000 Info | WRT600N Info | Know-it-all thread
Dark-Show
DD-WRT Novice


Joined: 26 Jun 2009
Posts: 45

Posted: Sun Jul 20, 2014 15:19
Phonism wrote:
Impressive work and details in this guide! I'm bookmarking this in case I need to or want to try JTAG on my E3000.

Thank you :)


Glad this info can be useful, if you try this and have any questions, just ask them here and I'll try to fill them into the guide. I want all the needed JTAG information on the E3000 in a nice easy to find post.
adelara
DD-WRT Novice


Joined: 09 Dec 2013
Posts: 5

Posted: Sat Oct 21, 2017 20:49    Post subject: Re: Debricking E3000 using JTAG
Thanks a lot for the picture !

Dark-Show wrote:

This is the most difficult part of the whole deal, and the image does not do justice as to how small the pads are.


LOL! That's almost an understatement (thank you Linksys :evil: )
Indeed, the pic does not do justice; but it helps a lot to locate those damn (almost) microscopic things.

I had to resort to a couple different magnifying glasses: one more weak to have a good idea where I was going and the next one, the eyepiece of an old camcorder to really zoom in.

Then, soldering those little teeny pesky pads, I found that it would really be a challenge; no, serious.. I'm very good with soldering but I didn't want to risk shorting anything else... started to think of options since my soldering iron heats a lot even though it's a small one... that makes the solder very fluid and prone to not sticking... one option would be to slightly lower the temperature by using a dimmer, which I have enclosed in a box with a couple outlets...
I still wasn't happy with the idea of approaching that thing with the soldering so it would be my last resource.

What I ended up using is (drum roll!) Permatex Rear Defrost Window Repair paint - about 16 bucks at the local car parts store. I've used in the past to actually fix a rear defogger... lasts for years. It is basically, powdered copper with adhesive. Works pretty good.

The job was still a challenge... I sharpened a toothpick and also used a piece of thin wire to complete the connections. That stuff starts to dry out almost immediately as you take it out of the little tube.

I'm waiting now for it to really dry, and will check again with the eyepiece glass... then some touch up - more like cleanup... the good thing is that it can be scraped out (carefully) with a new tip of the utility knife.

And, there was no coating over the pads: I checked them to the connector and the material is exposed, so this method should be no problem.

Dark-Show wrote:

Next up is the software. You will want to grab a copy of TJTAG 3.0.2.1
you can grab your copy here:


The project unfortunately, is not there anymore (10/2017)
So I tried this: https://sourceforge.net/projects/urjtag/files/urjtag/0.10/
but I was not sure what I was looking at... didn't seem very intuitive

Next one: http://gigenet.dl.osdn.jp/zjtag/63820/zjtag-1.8.zip looked better but it's missing drivers to make it work on my Windows 7... sigh....

More updates later.... unfortunately my cell camera is not good for such small zooming .. seen through the camcorder eyepiece (still bad)...



[Attached image: Screen Shot 2017-10-21 at 4.40.34 PM.png. Description: Using Permatex, before cleanup.]



_________________
//-- alex --//
adelara
DD-WRT Novice


Joined: 09 Dec 2013
Posts: 5

Posted: Sat Oct 21, 2017 22:06
aw dang... can't find tjtag and zjtag is definitely not working here... but, of course, that software is for the TIAO Tumpa board ...

Looks like after all this work I'll have to use the tumpa board... seems too much to spend another 40 bucks to have back a $50 router :(

_________________
//-- alex --//