Posted: Tue Aug 25, 2009 13:01 Post subject: Madscientist's quest for the successful jtag recovery
This kept me entertained for quite some time and I believe others might be interested in this too (especially, since everything went wrong which could or could not go wrong):
A few weeks ago I bricked my Netgear 614L (European version). I played around with jffs and, as is speculated somewhere else in this forum, this killed that thing. After switching it on, for 20-30 sec the power and test LEDs would be solid and then power would start blinking. I could ping it (TTL=100) and send firmware to it via tftp, but nothing would bring it out of this state.
I tried a serial cable (cheap Nokia CA42 clone), but the 614L would not send any messages. I still don't know if it was the cable or the router, but I knew I would need a JTAG cable.
At www.myopenrouter.com I found a description of how to build a jtag cable for the 614L and I did so. Of course I knew where to find the tjtagv3 software. But it wasn't there! Fortunately, Tornado is a really helpful guy. Finally, I could start to talk to the router and it would tell me something.
From other topics in the forum I knew I had to specify the flash chip because it would not be recognized automatically. The bad thing is that the CPU, too, would only be recognized from time to time. But after a few tries I was able to flash the CFE (I had a backup). To test if the flash was successful I did a backup of the CFE and got rubbish. I tried a second time and got different rubbish. I flashed the CFE again. But still a backup would give me nice and unpredictable rubbish. Something must be wrong!
I checked the cable, but it was o.k., and in any case I could flash and back up. So communication was working... in a sense... I remembered that someone somewhere said jtag cables should be short to avoid noise. Well, my cable was two meters long, unshielded, and the connector would plug into a parallel port which was located just next to a wireless card.
I shortened the cable, moved the parallel port (it's just a bracket connected via cable to the mainboard) and wrapped the cables in aluminum foil. Now a backup of the CFE would give back something which at least looked like a CFE. I re-checked the cables, re-soldered the pins of the jtag header and improved the cable shielding. Finally, two backups would really be the same.
Now we can go on to the real work. Fortunately, Tornado had in the meantime sent me the boarddata of his 614L (a specialty of the 614L, which I had not backed up). But tjtag would not work! It was just stuck whenever it should erase or flash anything; only backup was fine. Of course I knew it had been working before. I had already flashed the CFE, erased the kernel and nvram. That meant I had broken the cable! I re-checked the cables, re-soldered the pins of the jtag header (but didn't change the cable shielding). Still nothing...
Had it really worked before? There is no real proof, because after "successfully" flashing the CFE the behavior of the router didn't change a bit. Maybe it was never corrupt; the problem could well be just corrupt boarddata. And backups of the kernel and nvram showed that the old stuff was still in there despite having been erased already. I came to the conclusion that tjtag had never worked correctly. It had been fooled by the noise and thought it was working when it wasn't.
Before dumping the router I tried another computer: no success... I sent some information to Tornado and asked for some last ideas. They came in the form of a new version of the tjtag code.
I erased nvram and kernel (this time really successfully), flashed the bdata, tftp'd the firmware and now that thing is running! Damn! It could have been so easy if I had done some proper work at the beginning (and if that router did not exist in different versions)!
Some final thoughts:
I never expected jtagging to be that complicated! And now I can understand why so many people had no success with it. Without Tornado's help my 614L would now lie on the bottom of a trash bin.
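The lesson in the post is that a noisy JTAG link can return plausible-looking rubbish, and that the only sign of trouble was that two backups of the same region disagreed, and that "erased" regions still contained old data. The following is an added example (not part of the post and not tjtag code) of the check a practitioner can run over repeated dumps before trusting or reflashing any of them: it fingerprints each read, lists the offsets where reads disagree, and reports how much of a region reads as erased NOR flash (0xFF). The sample dumps are constructed inline; the file names and the bit-flip offsets are assumptions for illustration.

```python
"""Consistency check for repeated JTAG flash dumps.

Added example, not from the forum post or from tjtag. In real use the
dumps would be files produced by the JTAG tool; here three reads of a
256-byte region are constructed inline, one of them corrupted by noise.
"""
import hashlib
import random
from typing import Dict, List


def digest(data: bytes) -> str:
    """SHA-256 of a dump, a short fingerprint for comparing reads."""
    return hashlib.sha256(data).hexdigest()


def erased_fraction(dump: bytes) -> float:
    """Fraction of bytes that read 0xFF, the erased state of NOR flash.

    After a successful erase this should be 1.0; a dump that still shows
    old content after an 'erase' means the erase never reached the chip.
    """
    if not dump:
        return 0.0
    return dump.count(0xFF) / len(dump)


def compare_dumps(dumps: List[bytes], max_report: int = 16) -> Dict[str, object]:
    """Compare repeated reads of the same flash region.

    Report keys:
      consistent        True only if every dump is byte-identical
      digests           SHA-256 of each dump
      length_mismatch   True if the dumps differ in size
      differing_offsets first offsets (up to max_report) where any dump
                        disagrees with dump 0
      differing_bytes   total number of such offsets
    """
    if len(dumps) < 2:
        raise ValueError("need at least two dumps to check consistency")
    report: Dict[str, object] = {
        "consistent": all(d == dumps[0] for d in dumps),
        "digests": [digest(d) for d in dumps],
        "length_mismatch": len({len(d) for d in dumps}) > 1,
        "differing_offsets": [],
        "differing_bytes": 0,
    }
    if report["length_mismatch"]:
        return report
    ref = dumps[0]
    offsets: List[int] = []
    count = 0
    for off in range(len(ref)):
        if any(d[off] != ref[off] for d in dumps[1:]):
            count += 1
            if len(offsets) < max_report:
                offsets.append(off)
    report["differing_offsets"] = offsets
    report["differing_bytes"] = count
    return report


def sample_dumps() -> List[bytes]:
    """Constructed sample: three reads of one region; the third read has
    single-bit flips at offsets 0x10 and 0x80 (assumed noise pattern)."""
    rnd = random.Random(1)
    clean = bytes(rnd.randrange(256) for _ in range(256))
    noisy = bytearray(clean)
    noisy[0x10] ^= 0x01
    noisy[0x80] ^= 0x40
    return [clean, bytes(clean), bytes(noisy)]


if __name__ == "__main__":
    reads = sample_dumps()
    rep = compare_dumps(reads)
    for i, h in enumerate(rep["digests"]):
        print(f"read{i}.bin  sha256={h[:16]}...  erased={erased_fraction(reads[i]):.2f}")
    if rep["consistent"]:
        print("all reads agree; dump can be trusted")
    else:
        print(f"reads disagree at {rep['differing_bytes']} offset(s):",
              [hex(o) for o in rep["differing_offsets"]])
        print("do not flash from these dumps; fix cable/shielding and re-read")
```

Usage: dump the same region at least twice, load the files as bytes and pass the list to `compare_dumps`; only a report with `consistent` set should be used as a backup or as a flash source. Running `erased_fraction` on a dump taken right after an erase is the matching check for the second symptom in the post, where the kernel and nvram regions still held the old data.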