Posted: Mon Mar 10, 2014 11:36 Post subject: [SOLVED] HOWTO - unbrick Linksys E4200 v1 with JTAG
Hi everybody,
This is a small HOWTO that you can use to unbrick the E4200 using JTAG. See details below.
I have managed to brick my E4200 after flashing dd-wrt.v24-23082_NEWD-2_K2.6_XXX-nv60k.bin.
After flash, instant brick.
The bad thing was that I could not unbrick it with a serial connection and TFTP. Of course I have tried and apparently it worked, but after reboot the only thing it did was to constantly show the following message on the serial console: (some of you may have seen it - the reboot loop)
CFE version 2010.09.20.0 based on BBP 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Fri Nov 12 11:01:26 CST 2010 (lzh@team2-complier)
Copyright (C) 2000-2008 Broadcom Corporation.
Init Arena
Init Devs.
No DPN
This is a Serial Flash
Boot partition size = 262144(0x40000)
Found an ST compatible serial flash with 256 64KB blocks; total size 16MB
sflash_cfe_probe: flash type ST, nparts 4
sflash_cfe_probe: idx 0, name boot, descr ST Serial flash offset 00000000 size 256KB
sflash_cfe_probe: idx 1, name trx, descr ST Serial flash offset 00040000 size 1KB
sflash_cfe_probe: idx 2, name os, descr ST Serial flash offset 0004001C size 16068KB
sflash_cfe_probe: idx 3, name nvram, descr ST Serial flash offset 00FF1000 size 60KB
sflash_cfe_probe: flash type ST, nparts 3
sflash_cfe_probe: idx 0, name boot, descr ST Serial flash offset 00000000 size 256KB
sflash_cfe_probe: idx 1, name trx, descr ST Serial flash offset 00040000 size 16068KB
sflash_cfe_probe: idx 2, name nvram, descr ST Serial flash offset 00FF1000 size 60KB
sflash_cfe_probe: flash type ST, nparts 0
CPU type 0x19740: 133MHz
Tot mem: 65536 KBytes
board_final_init: commit=0, restore_defaults=0Boot version: v5.2
The boot is CFE
mac_init(): Find mac [C0:C1:C0:AF:75:B0] in location 0
Nothing...
country_init(): Find country code in location 0
The country is same
**Exception 8: EPC=80718DDC, Cause=80000008 (TLBMissRd)
RA=80718DE4, VAddr=0000000C
The good news here is that after a week I have SUCCESSFULLY managed to unbrick my E4200 with JTAG.
My E4200 v1 has a Broadcom BCM4716 CPU @ 480MHz and a Winbond W25Q128BVFG 128Mbit/16MB flash chip.
For serial connection I used a PL 2303HX USB to TTL. It works just fine with putty.
For JTAG I could only use an unbuffered JTAG cable.
SERIAL PINOUT - JB2 - 5 holes on the board
pin 1 is the square one
pin 2 TX - connect to RX on the PL2303
pin 3 RX - connect to TX on the PL2303
pin 5 GND - connect to GND on the PL2303
JTAG PINOUT - JB3 - 12 holes on the board
pin 1 - not used
pin 3 - JTAG TDI
pin 5 - JTAG TDO
pin 7 - JTAG TMS
pin 9 - JTAG TCK
pin 11 - not used
pin 2, 4, 6, 8, 10 - GND - use one of them
pin 12 - not used
I didn't use any soldering, I only used pins that could fit in.
Last edited by alins75 on Wed Mar 12, 2014 12:11; edited 2 times in total
Posted: Mon Mar 10, 2014 13:59 Post subject: Re: HOWTO - unbrick Linksys E4200 v1 with JTAG
As I said, serial recovery didn't work. I had to use the unbuffered JTAG cable.
Erasing the NVRAM did not help - the CFE was corrupt. The E4200 was still in the continuous CFE boot loop.
Erasing the whole flash did not help either.
I had to erase the CFE, kernel and NVRAM. Next I could flash the CFE.
For this I used brjtag v2.0.5; TJTAG and ZJTAG did not work. Maybe they do, I don't know, but they didn't work for me.
5. flash CFE
- if you have a backup of your CFE - good. If not, use a generic one and use a hex editor to edit the MAC address, S/N and PIN
- once you have the CFE - make sure the name is CFE.BIN and place it in the brjtag directory
- do not erase CFE before flashing - it will fail - you have to use /noerase
- binary compare the backup with what you have written in the previous step. It should be identical.
7. backup NVRAM
brjtag -backup:custom /cable:dlc5 /fc:120 /noreset /nobreak /instrlen:5 /wx8 /verbose /window:1c000000 /start:1cff0000 /length:10000
- look at the backup - it should be empty
- when doing the backup you should see something like this:
===============================================
Broadcom EJTAG Debrick Utility v2.0.5-hugebird
===============================================
Probing bus ... Done
Detected IR Length is 5
CPU assumed running under LITTLE endian
CPU Chip ID: 00000000000010001100000101111111 (0008C17F)
*** Found a Broadcom manufactured HND Mips 74K(008C) REV 01 CPU ***
- EJTAG IMPCODE ....... : 01100000010000010100000000000000 (60414000)
- EJTAG Version ....... : 3.1
- EJTAG DMA Support ... : No
- EJTAG Implementation flags: R4k ASID_8 MIPS16 NoDMA MIPS32
=========================
Backup Routine Started
=========================
8. reboot the e4200 and perform a serial recovery
- alternatively (worked for me) after reboot start the tftp recovery with tftp.exe using the latest stock firmware: FW_E4200_1.0.05.007_US_20120823_code.bin
9. You have a revived E4200 v1.
How to edit the CFE with your MAC, S/N and PIN
Use this attached e4200v1_cfe.bin and modify it with your data using a hex editor.
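Two of the checks in the steps above (step 5: "binary compare the backup with what you have written", and step 7: the NVRAM backup "should be empty") are easy to get wrong by eye in a hex editor. The following script is an added example and is not part of the post or of brjtag: it byte-compares two dump files and reports every differing offset range, and it finds the first byte in an NVRAM dump that does not read back as erased (0xFF). The sample "dumps" are constructed in memory and labelled as such; the 256 KB CFE size is taken from the partition table in the boot log, and the placeholder MAC string and its offset are made up for the demonstration.

```python
"""Check JTAG flash dumps: byte-compare two CFE backups and verify that an
NVRAM dump reads back erased (all 0xFF).

Added example, not part of the forum post.  The sample "dumps" below are
constructed in memory; with real files pass the bytes read from e.g. CFE.BIN
and the brjtag backup file.
"""
from typing import List, Tuple

ERASED = 0xFF          # erased SPI NOR flash reads back as all-ones
CFE_SIZE = 0x40000     # 256 KB boot partition, from the CFE partition table


def diff_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Half-open [start, end) offset ranges where the two images differ.
    A length mismatch is reported as one final range over the extra tail."""
    n = min(len(a), len(b))
    ranges: List[Tuple[int, int]] = []
    start = None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


def first_non_blank(region: bytes) -> int:
    """Offset of the first byte that is not 0xFF, or -1 if the region is blank."""
    for i, x in enumerate(region):
        if x != ERASED:
            return i
    return -1


def report_compare(name_a: str, a: bytes, name_b: str, b: bytes) -> List[str]:
    """Human-readable summary of diff_ranges(), one line per differing range."""
    ranges = diff_ranges(a, b)
    if not ranges:
        return [f"{name_a} and {name_b} are identical ({len(a)} bytes)"]
    return [f"{name_a} vs {name_b}: differ at 0x{s:06x}-0x{e:06x} ({e - s} bytes)"
            for s, e in ranges]


def build_samples():
    """Constructed data: a generic CFE image, the same image with a placeholder
    MAC string patched in at a made-up offset, a blank NVRAM dump and one that
    still holds data."""
    generic = bytes(range(256)) * (CFE_SIZE // 256)
    mine = bytearray(generic)
    mine[0x1000:0x1011] = b"AA:BB:CC:DD:EE:FF"      # placeholder MAC, 17 bytes
    nvram_blank = bytes([ERASED]) * 0x10000          # one erased 64 KB block
    nvram_dirty = bytearray(nvram_blank)
    nvram_dirty[0x20:0x2C] = b"boardtype=x\0"        # leftover NVRAM text
    return generic, bytes(mine), nvram_blank, bytes(nvram_dirty)


if __name__ == "__main__":
    generic, mine, nvram_blank, nvram_dirty = build_samples()
    # Step 5 check: the image written and the backup read back must match exactly.
    print("\n".join(report_compare("written", mine, "readback", mine)))
    # Comparing your CFE with a generic one should show only the MAC/S/N/PIN area.
    print("\n".join(report_compare("generic", generic, "mine", mine)))
    # Step 7 check: an NVRAM backup taken after the erase should be blank.
    for name, dump in (("nvram_blank", nvram_blank), ("nvram_dirty", nvram_dirty)):
        off = first_non_blank(dump)
        print(f"{name}: {'erased' if off < 0 else f'first data byte at 0x{off:04x}'}")
```

Run it against two real files with `diff_ranges(open("CFE.BIN", "rb").read(), open("backup.bin", "rb").read())`; an empty list means the backup is byte-identical to what was written, and a non-empty list that is not confined to the MAC/S/N/PIN area points at a write that did not take.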
I can't erase the nvram using either one of the two steps. It hangs right at the beginning.
_________________
I am far from a guru, I'm barely a novice.
Before trying to erase, can you try to make a backup of the NVRAM, just to make sure the brjtag works?
Try step 1, then step 7.
You should get a NVRAM, corrupted probably, but looking close to what a NVRAM should look like.
I have successfully backed up the CFE and the NVRAM from a second E4200v1 that I have, therefore I'm pretty sure it should work for you too, if you have the same Winbond flash chip.
erase:nvram or backup:nvram did not work for me.
On second thought, you may try to backup the cfe and binary compare it with the cfe I have posted. If the connection works for you, they should be almost identical.
I backed up my cfe, twice. They were the same. Same as yours except the MAC, serial and PIN.
I got it to erase nvram and cfe, but erasing the kernel hangs.
Before going to bed last night I started erase:wholeflash.
8 hours later only 55 blocks out of 235 (I think) had been erased.
We will see when I get home.
_________________
I am far from a guru, I'm barely a novice.
But why do you need to erase the kernel?
After erasing the nvram the serial recovery should work.
Alternatively, you can try erasing the kernel using erase:custom
Something like this:
brjtag -erase:custom /cable:dlc5 /fc:120 /noreset /nobreak /instrlen:5 /wx8 /verbose /window:1c000000 /start:1cf040000 /length:100000
This should erase the first 1MB of your kernel.
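The custom erase and backup commands in this thread all carry the same three numbers: the flash window base 0x1c000000, a /start inside that window, and a /length. The script below is an added example (it is not from the post and is not part of brjtag) that derives those values from the partition table CFE prints on the serial console, rounded out to the whole 64 KB blocks the erase operates on; it reproduces the nvram backup command from step 7 exactly and computes the start/length for the first 1 MB of the kernel. It also lists which partitions an aligned range actually covers: because nvram starts at 0xFF1000, the 64 KB block that holds it begins at 0xFF0000 and therefore also takes the last 4 KB of the trx region, which is worth knowing before erasing it. The window base, block size and partition offsets are taken from the thread and the boot log; the remaining switches are copied verbatim from the commands posted above.

```python
"""Turn CFE partition offsets into brjtag -erase:custom / -backup:custom
arguments aligned to whole 64 KB SPI flash blocks.

Added example, not from the forum post.  Assumed from the thread: the
0x1c000000 window base, the 64 KB block size and the partition table CFE
prints on the serial console (the nparts 3 table); the other switches are the
ones used in the posted commands.
"""
from typing import Dict, List, Tuple

WINDOW = 0x1C000000            # flash window base used by the thread's commands
BLOCK = 64 * 1024              # "256 64KB blocks; total size 16MB"
FLASH_SIZE = 256 * BLOCK
COMMON = "/cable:dlc5 /fc:120 /noreset /nobreak /instrlen:5 /wx8 /verbose"

# (offset, size) from the second sflash_cfe_probe table in the boot log
PARTS: Dict[str, Tuple[int, int]] = {
    "boot":  (0x00000000, 256 * 1024),    # CFE
    "trx":   (0x00040000, 16068 * 1024),  # kernel + rootfs image
    "nvram": (0x00FF1000, 60 * 1024),
}


def block_align(offset: int, size: int) -> Tuple[int, int]:
    """Widen [offset, offset+size) to whole 64 KB blocks; return (start, length)."""
    if size <= 0:
        raise ValueError("size must be positive")
    start = offset - offset % BLOCK
    end = offset + size
    end += (-end) % BLOCK
    if end > FLASH_SIZE:
        raise ValueError("range runs past the end of the 16 MB flash")
    return start, end - start


def partitions_touched(start: int, length: int) -> List[str]:
    """Names of the partitions that overlap the (block-aligned) flash range."""
    end = start + length
    return [name for name, (off, size) in PARTS.items()
            if off < end and start < off + size]


def brjtag_custom(op: str, offset: int, size: int) -> str:
    """Full brjtag command line for a custom erase/backup of a flash range."""
    start, length = block_align(offset, size)
    return (f"brjtag -{op}:custom {COMMON} /window:{WINDOW:08x} "
            f"/start:{WINDOW + start:08x} /length:{length:x}")


def for_partition(op: str, name: str) -> str:
    off, size = PARTS[name]
    return brjtag_custom(op, off, size)


if __name__ == "__main__":
    for name, (off, size) in PARTS.items():
        start, length = block_align(off, size)
        print(for_partition("backup", name))
        touched = partitions_touched(start, length)
        if touched != [name]:
            print(f"  note: the aligned range also covers {touched}")
    # The "first 1MB of your kernel" erase from the post above.
    print(brjtag_custom("erase", PARTS["trx"][0], 0x100000))
```

The nvram line it prints ends in `/window:1c000000 /start:1cff0000 /length:10000`, the same values as the step 7 backup command; the kernel line ends in `/start:1c040000 /length:100000`. Any range that would run past the 16 MB flash raises instead of producing a command.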
After erasing nvram, I still got no serial output. No ping, computer was saying no Ethernet cable connected.
Btw, when I tried your erase:custom command, brjtag kept giving an error saying "with custom you need 'window', start and length".
I copied your command exactly. Even tried copy and paste in case I was leaving out a character.
_________________
I am far from a guru, I'm barely a novice.
Well, I don't know what to tell you, but I think eventually it will work.
Anyway, performing all the steps (1 to 7) didn't take more than 30 min.
Erasing the kernel was pretty quick too...
I did not try to erase the whole flash.
Regardless of all the above, at some point after playing with zjtag and tjtag I have managed to make my E4200 completely dead, no serial output, nothing but a steady LED under the Cisco logo. Steps 1 to 7 that I have posted revived it.
Hope it will work for you too.
The erase:custom is one long line, including window length and start parameters.
I am not sure it is right, as I typed it on my phone.
But it looks like I have mistyped it anyway.
Just got home. Almost 24 hours later and wholeflash is only at block 76.
I can't mess with the parameters myself. I'm illiterate when it comes to this stuff.
All I know how to do is copy other people's steps.
I know what the word verbose means but I have no idea why it's in that command, nor wx8.
_________________
I am far from a guru, I'm barely a novice.
At this point you can probably stop the brjtag and try the command in the previous post to erase the kernel.
Next try again steps 1 to 7. Shouldn't take more than 30 min.
You can lose the verbose, but then you will no longer see the progress.
The wx8 tells it to write using x8 (byte) mode for the SPI chip.
Using that command you just gave me, I don't get an error. It just hangs at erasing block :256 (add = 1cff0000)....
Now when I try to erase the cfe it just hangs at erasing block 1.
Just noticed my connection on tdo was barely hanging on. Going to resolder
Made no difference. Still hanging. I think it's toast.
_________________
I am far from a guru, I'm barely a novice.
Last edited by Malachi on Thu Apr 03, 2014 19:41; edited 1 time in total
First turn off the router for a few seconds.
Then immediately after turning it on type the command from step 1. Then go to step 2 to erase cfe or to step 4 to erase the nvram.
Whenever it hangs, stop the brjtag with ctrl+C then turn off the router.
Before running any command after power on, make sure you type the command from step 1, to make sure the router has been properly initialized.
What are you using to connect? Are you using an unbuffered JTAG cable? This is what I used.