Posted: Thu May 11, 2017 18:12 Post subject: Re: jtag
alex0001 wrote:
Hi. Has anybody successfully managed to communicate between the E4200 and a Raspberry Pi? I tried oxplot's Raspberry tjtag but it does not recognise it. It seems it does not have W25Q128BVFG chipset support. Are there any other solutions?
thanks
Hello alex, greetings from Chile. Well, I connected the E4200 with no problem from a Raspberry Pi, but it cannot be unbricked from the RPi, because brjtag does not work from there, and tjtag does not support the chip.
Man, I have been trying lots of things to unbrick it. I even bought a PCI parallel port (because my PC doesn't have one), I built the famous "unbuffered JTAG cable", I bought a JTAG USB cable too, with no success. I connected for JTAG and for serial TTL (TTL only gives me the loop message), all with no success.
I have only one thing left that I have not done yet: try brjtag on a PC with a native parallel port, just like the first post. If it does not work I think I will bury the router and wait to see if an E4200 tree grows.
Send me an email to share info and knowledge: sfrooze a gmail.
Posted: Mon Mar 19, 2018 22:06 Post subject: Re: [SOLVED] HOWTO - unbrick Linksys E4200 v1 with JTAG
alins75 wrote:
Hi everybody,
This is a small HOWTO that you can use to unbrick the E4200 using JTAG. See details below.
I have managed to brick my E4200 after flashing dd-wrt.v24-23082_NEWD-2_K2.6_XXX-nv60k.bin.
After flash, instant brick.
The bad thing was that I could not unbrick it with a serial connection and TFTP. Of course I tried, and apparently it worked, but after reboot the only thing it did was constantly show the following message on the serial console (some of you may have seen it - the reboot loop):
CFE version 2010.09.20.0 based on BBP 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Fri Nov 12 11:01:26 CST 2010 (lzh@team2-complier)
Copyright (C) 2000-2008 Broadcom Corporation.
Init Arena
Init Devs.
No DPN
This is a Serial Flash
Boot partition size = 262144(0x40000)
Found an ST compatible serial flash with 256 64KB blocks; total size 16MB
sflash_cfe_probe: flash type ST, nparts 4
sflash_cfe_probe: idx 0, name boot, descr ST Serial flash offset 00000000 size 256KB
sflash_cfe_probe: idx 1, name trx, descr ST Serial flash offset 00040000 size 1KB
sflash_cfe_probe: idx 2, name os, descr ST Serial flash offset 0004001C size 16068KB
sflash_cfe_probe: idx 3, name nvram, descr ST Serial flash offset 00FF1000 size 60KB
sflash_cfe_probe: flash type ST, nparts 3
sflash_cfe_probe: idx 0, name boot, descr ST Serial flash offset 00000000 size 256KB
sflash_cfe_probe: idx 1, name trx, descr ST Serial flash offset 00040000 size 16068KB
sflash_cfe_probe: idx 2, name nvram, descr ST Serial flash offset 00FF1000 size 60KB
sflash_cfe_probe: flash type ST, nparts 0
CPU type 0x19740: 133MHz
Tot mem: 65536 KBytes
board_final_init: commit=0, restore_defaults=0Boot version: v5.2
The boot is CFE
mac_init(): Find mac [C0:C1:C0:AF:75:B0] in location 0
Nothing...
country_init(): Find country code in location 0
The country is same
**Exception 8: EPC=80718DDC, Cause=80000008 (TLBMissRd)
RA=80718DE4, VAddr=0000000C
The good news here is that after a week I have SUCCESSFULLY managed to unbrick my E4200 with JTAG.
My E4200 v1 has a Broadcom BCM4716 CPU @ 480MHz and a Winbond W25Q128BVFG 128Mbit/16MB flash chip.
For the serial connection I used a PL2303HX USB to TTL adapter. It works just fine with PuTTY.
For JTAG I could only use an unbuffered JTAG cable.
SERIAL PINOUT - JB2 - 5 holes on the board
pin 1 is the square one
pin 2 TX - connect to RX on the PL2303
pin 3 RX - connect to TX on the PL2303
pin 5 GND - connect to GND on the PL2303
JTAG PINOUT - JB3 - 12 holes on the board
pin 1 - not used
pin 3 - JTAG TDI
pin 5 - JTAG TDO
pin 7 - JTAG TMS
pin 9 - JTAG TCK
pin 11 - not used
pin 2, 4, 6, 8, 10 - GND - use one of them
pin 12 - not used
I didn't do any soldering; I only used pins that fit in the holes.
I've gone through this discussion and I think it's still possible to revive the E4200.
But I can't find the string for this PIN @ 0x3FCDC; there's no such string. Is it written wrong?
3. In this discussion an unbuffered JTAG cable has been used. What is meant by unbuffered? Can we simply use cables with working pins, is it that simple?
4. Also, at step 2 it erases the CFE. Can we try something like step 1 and step 4 and see if the LAN ports start working? Is that possible?
Hello immi803, welcome to this post. I've been searching for help to unbrick my E4200 v1 for a while with no success. A bricked E4200, at a simple glance, softly blinks its white Cisco logo; if you see that, let's start.
Well, I recommend you begin by trying a TTL connection, via serial-USB-PuTTY or a Raspberry Pi if you want. If you can see the loop message that people describe here, try to stop it with Ctrl+C or any key. If you can stop it and enter commands I think you can unbrick it; if you see the loop message but can't stop it, you have to build the famous unbuffered JTAG cable. Reply to me with what your situation is.
Regards.
Thanks for such a prompt response.
Here the situation is:
1. The Linksys logo white light blinks for a second and the router goes into the loop mentioned above
2. No LAN connectivity
3. Serial connectivity is fine, as I can see this loop in the PuTTY serial console
Now I'll try to stop that loop as much as I can, and I'll report back whether I'm able to stop it or not.
I'm sure together we'll be able to get through this, either via serial or JTAG; we cannot let this baby sleep forever.
Can you please help me learn how to input my values into the generic cfe.bin?
A detailed elaboration would be appreciated.
thanks
Posted: Wed Oct 02, 2019 20:24 Post subject: Still want to debrick this cr..p
It has been a long time since we talked about unbricking this router, but I'm posting just in case.
First of all, I could not unbrick this router yet :( It has been a long time since I bricked it myself trying to install Tomato a couple of years ago. I tried the traditional methods to unbrick (reset, TFTP, serial) and only got the loop, yes, that loop... but I never tried JTAG because I did not have an old PC with the famous purple parallel port, though I do have a JTAG cable, the famous JTAG cable, built by myself.
Well, the thing is, I never realized that I have a parallel port on a laptop Dell dock. It was always there; the f**king port was there for the 5 f**king years since I bought it, and I never realized it could be used to JTAG debug the router until now. Well, with the parallel port and the JTAG cable I downloaded a WinXP virtual image onto a flash drive and voila, I have JTAG access to the router. Then I hexed the MAC, S/N and PIN into cfe.bin and started the process.
I followed all the steps by alins75 from 1 to 7 with no problem, even step 4, so many times, step by step, again and again, sadly with no success, only the annoying loop. But I discovered some things that may be worth saying, if somebody can help me.
First, my router has 256 blocks of 64KB (16MB total); the first four blocks correspond to the CFE routine, and the last one seems to be the nvram. According to the first post by alins75 the kernel begins at the 5th block, which seems to be right.
When CFE starts, after erasing nvram, it seems to work for 1 second until it says "committing nvram...done" and the router enters the same demonic loop. F++ing loop.
But the CFE doesn't get corrupted, I'm sure of that; the problem is the kernel or the nvram, because while the loop is happening I backed up cfe.bin and it is still the same file, even the hash. Only when I erase nvram does the message "committing nvram... done" appear, and then the same loop starts again every time. It seems CFE doesn't find the code to continue its routine and enters an error loop. And I can't stop it, not with Ctrl+C or Escape, with nothing. It is unstoppable.
And I have a couple of theories.
First, this router has 2 editions (not versions, editions). One edition has a MAC address starting with C0:C1:C0 (which is the type of the cfe.bin backup posted here); the 2nd edition starts with 58:6D:8F (which is mine). I think alins75's algorithm works only with the first edition; that's why the 4th step doesn't work for him and works for me, and the whole solution doesn't work for me. This appears in wikidevi: 802dot11 OUI: 58:6D:8F (8 E, 8 W, 2011), C0:C1:C0 (12 E, 14 W, 2011)
Second theory: it is a hardware problem, which means there is nothing to do. I don't believe it, because I checked and I can write and erase the flash with no problem. Or I don't want to believe it.
With brjtag I performed a whole-flash erase with no problem, and then flashed cfe.bin with no problem too. I mean, the flash was erased totally, with only the CFE in the first 4 blocks, and despite that my router enters the loop. So we have 2 more options:
1 - the problem is that cfe.bin does not correspond to my router (I did not back up the original CFE of my router, thinking the solution would work with no problems), or
2 - the problem is that nvram and kernel are blank and cannot be blank; when they are blank the router enters the loop.
Questions, if someone can help me:
1 - What other CFE.BIN can I try in this router? Is there another similar router?
2 - What is the kernel? Is it the firmware? Are they the same?
3 - Can I flash the kernel or firmware with brjtag, no matter how long it takes?
This is not a problem of money, or replacing it or buying another; it is a challenge, it turned into something personal. Reviving this Fu** router is a fight, that's why I continue. When I unbrick this, it will hang over my fireplace beside a deer head that I have (an electronic deer).
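A small layout checker for the flash numbers discussed in this thread: alins75's CFE log lists the sflash_cfe_probe partitions (boot at 0, trx at 0x40000, nvram at 0xFF1000 on a 256 x 64KB chip), and the observations above are that the first four blocks hold the CFE, the last block is the nvram and the kernel starts at the 5th block. This is an added example, not code from the thread or from brjtag/tjtag. It parses the probe lines, maps each partition to its erase blocks, flags gaps and overlaps, checks that an image fits the partition it is about to be written to, and lists which blocks of a dump are still erased (all 0xFF). The probe lines are copied from the serial log earlier in the thread; the memory-mapped base 0x1C000000 (inferred from the "1C040000" kernel start mentioned below) and the 16MB dump are constructed assumptions.

```python
import re

BLOCK_SIZE = 64 * 1024

# Sample input copied from the CFE serial log in this thread (the nparts 3 listing).
CFE_LOG_3PARTS = """\
Found an ST compatible serial flash with 256 64KB blocks; total size 16MB
sflash_cfe_probe: flash type ST, nparts 3
sflash_cfe_probe: idx 0, name boot, descr ST Serial flash offset 00000000 size 256KB
sflash_cfe_probe: idx 1, name trx, descr ST Serial flash offset 00040000 size 16068KB
sflash_cfe_probe: idx 2, name nvram, descr ST Serial flash offset 00FF1000 size 60KB
"""

# Same log, the nparts 4 listing (trx header and os split out).
CFE_LOG_4PARTS = """\
Found an ST compatible serial flash with 256 64KB blocks; total size 16MB
sflash_cfe_probe: flash type ST, nparts 4
sflash_cfe_probe: idx 0, name boot, descr ST Serial flash offset 00000000 size 256KB
sflash_cfe_probe: idx 1, name trx, descr ST Serial flash offset 00040000 size 1KB
sflash_cfe_probe: idx 2, name os, descr ST Serial flash offset 0004001C size 16068KB
sflash_cfe_probe: idx 3, name nvram, descr ST Serial flash offset 00FF1000 size 60KB
"""

# Assumption: CPU-visible base of the serial flash, inferred from the thread's
# "1C040000" kernel start address (0x1C000000 + trx offset 0x40000).
FLASH_BASE = 0x1C000000

FLASH_RE = re.compile(r"with (\d+) (\d+)KB blocks")
PART_RE = re.compile(r"idx (\d+), name (\w+), .*?offset ([0-9A-Fa-f]+) size (\d+)KB")


def parse_cfe_log(log):
    """Return (total_blocks, block_size, partitions) from CFE's sflash_cfe_probe output."""
    m = FLASH_RE.search(log)
    total_blocks, block_kb = int(m.group(1)), int(m.group(2))
    parts = [{"idx": int(idx), "name": name, "offset": int(off, 16), "size": int(kb) * 1024}
             for idx, name, off, kb in PART_RE.findall(log)]
    return total_blocks, block_kb * 1024, parts


def block_span(part, block_size=BLOCK_SIZE):
    """First and last erase block a partition touches (inclusive)."""
    first = part["offset"] // block_size
    last = (part["offset"] + part["size"] - 1) // block_size
    return first, last


def cpu_address(part, base=FLASH_BASE):
    """Memory-mapped address of the partition's first byte (base is an assumption)."""
    return base + part["offset"]


def check_layout(parts, total_blocks, block_size=BLOCK_SIZE):
    """Report gaps/overlaps between consecutive partitions and any overrun of the chip."""
    issues = []
    ordered = sorted(parts, key=lambda p: p["offset"])
    for a, b in zip(ordered, ordered[1:]):
        end_a = a["offset"] + a["size"]
        if end_a > b["offset"]:
            issues.append(f"{a['name']} overlaps {b['name']} by {end_a - b['offset']:#x} bytes")
        elif end_a < b["offset"]:
            issues.append(f"gap of {b['offset'] - end_a:#x} bytes between {a['name']} and {b['name']}")
    last = ordered[-1]
    if last["offset"] + last["size"] > total_blocks * block_size:
        issues.append(f"{last['name']} runs past the end of flash")
    return issues


def image_fits(image_len, part):
    """True if an image (e.g. a cfe.bin) fits inside the partition it will be written to."""
    return image_len <= part["size"]


def blank_blocks(dump, block_size=BLOCK_SIZE):
    """Indices of erase blocks that are entirely 0xFF in a dump (i.e. still erased)."""
    erased = b"\xff" * block_size
    return [i for i in range(len(dump) // block_size)
            if dump[i * block_size:(i + 1) * block_size] == erased]


def constructed_dump(total_blocks=256, block_size=BLOCK_SIZE):
    """Constructed 16MB dump: erased chip with a fake 256KB CFE written into blocks 0-3."""
    dump = bytearray(b"\xff" * (total_blocks * block_size))
    dump[0:4 * block_size] = b"CFE!" * block_size   # 4 bytes * 65536 = 256KB
    return bytes(dump)


if __name__ == "__main__":
    total, bs, parts = parse_cfe_log(CFE_LOG_3PARTS)
    for p in parts:
        first, last = block_span(p, bs)
        print(f"{p['name']:6} offset {p['offset']:#010x} size {p['size'] // 1024:6}KB "
              f"blocks {first}-{last} cpu {cpu_address(p):#010x}")
    print("3-part layout issues:", check_layout(parts, total, bs) or "none")
    _, _, parts4 = parse_cfe_log(CFE_LOG_4PARTS)
    print("4-part layout issues:", check_layout(parts4, total, bs))
    print("erased blocks in constructed dump:", blank_blocks(constructed_dump())[:4], "...")
```

Two things the numbers show once they are mapped to blocks: the nvram partition starts 0x1000 bytes into block 255, so the trx/kernel partition shares its last erase block with nvram and an erase of that block touches both; and in the 4-part listing the 1KB trx placeholder overlaps the os partition (which begins 0x1C bytes in, right after the TRX header) and os overlaps nvram by the same 0x1C bytes, which is why a whole-partition write of "os" should be bounded by the nvram offset rather than by the reported size.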
Joined: 08 May 2018 Posts: 14125 Location: Texas, USA
Posted: Thu Oct 03, 2019 3:58 Post subject:
There are TWO Versions of the E4200 that I know of. I have several V1s, and the stickers all have different MAC addresses. Now, to clarify with some pertinent and irrelevant information: V1 is Broadcom, V2 is Marvell, and identical to the EA4500 V1 & V2. The EA4500 V3 is Qualcomm Atheros. Also, if you are seeing a CFE prompt, etc. via serial, it's a Broadcom V1. The V2 is u-boot. You shouldn't need to go farther than CFE serial recovery unless it's really borked.
Posted: Thu Oct 03, 2019 12:19 Post subject: fixing e4200
Thanks so much for responding, I thought this router was almost junk now.
Well, my router is the V1 version; I never had the V2 version, just because it does not have a Broadcom chip. Now, about my issue:
The algorithm of the first post does not work for me; even after doing an erase wholeflash and flashing only cfe.bin, the router enters the unstoppable loop again.
According to wikidevi this router has two possible MAC address types, A) C0:C1:C0:XX:XX:XX and B) 58:6D:8F:XX:XX:XX. In the first post the cfe.bin is taken from an A-type MAC address, and I have a B-type MAC address. Well, this is only theoretical, because maybe the CFEs are identical; I am only searching for an explanation of why the fix does not work for me.
Now I'm trying to flash the kernel; it takes a long time but maybe it works. What I'm doing now is flashing a bin firmware from position 1C040000, where the kernel is supposed to start. The problem is that sometimes this gets stuck and I don't know why, but not in the same place in memory. I'm looking at writing by selected blocks to split up the work with brjtag -flash:custom.
If you can send me a cfe.bin taken from a router with a 58:6D:8F:XX:XX:XX address I would really appreciate it, but if you can upload the wholeflash.bin of that router you would be the best person in the history of humanity and charity.
Joined: 08 May 2018 Posts: 14125 Location: Texas, USA
Posted: Thu Oct 03, 2019 13:06 Post subject:
The cfe bin is common to both AFAIK. The mtd layout is also common to both. If you are overwriting the wrong partition, then you are breaking it. At most, you should have to flash over a corrupted CFE, boot it to the cfe prompt (CTRL-C via serial), nvram erase, flash stock firmware, and then you can re-convert to DD-WRT from there. I don't understand why you are making this more complicated than it should be.
Since I can't break the loop via serial (CTRL+C) I cannot run a TFTP server, that's it. I erased the whole flash (including CFE, kernel and nvram), then I flashed cfe.bin; it doesn't work. The CFE flashes into the first 4 blocks; the rest of the memory is blank. I'm not sure if it is the same cfe.bin then.
Joined: 08 May 2018 Posts: 14125 Location: Texas, USA
Posted: Mon Oct 14, 2019 19:56 Post subject:
I don't understand why you erased anything at all. Again, you made something more complicated than it should've been. The most I have ever had to do was a serial recovery back to stock firmware. I've never had to JTAG any of my E4200s or erase any partitions on the flash chip.
Again, thanks for trying to help, but I think there is no solution now, because now I cannot write to the flash memory. I think I put in a corrupt cfe.bin and now it gets stuck when I try to write to the memory blocks. Anyway, I think it's a hardware problem, and always was. Now I can't start the CFE routine, nor can it boot. I think now it is really bricked.
Regarding your solution, look at the first post of this thread: it would never work with serial recovery. This is the JTAG solution thread, that's what it is about. If you could recover the serial way, it means your router never had the same symptoms that appear here.
Hopefully it could be a serial problem. I wish it had been a serial problem; the solution would be right here and now.
Thanks anyway.
Joined: 08 May 2018 Posts: 14125 Location: Texas, USA
Posted: Tue Oct 15, 2019 18:45 Post subject:
The first two posts pretty much outline how to JTAG this router, if needed. I guess I'm not understanding the problem on why you can't revive it. Don't over-complicate it, use the instructions. I've never used a Pi to add to the complications, but I also have NEVER had to JTAG any of my 5 E4200s, either.
Posted: Tue Oct 15, 2019 19:17 Post subject: Re: HOWTO - unbrick Linksys E4200 v1 with JTAG
alins75 wrote:
As I said, serial recovery didn't work. I had to use the unbuffered JTAG cable.
Erasing the NVRAM did not help - the CFE was corrupt. The E4200 was still in the continuous CFE boot loop.
Erasing the wholeflash did not help either.
I had to erase the CFE, kernel and NVRAM. Next I could flash the CFE.
I used brjtag v2.0.5 for this; TJTAG and ZJTAG did not work. Maybe they do, I don't know, but they didn't work for me.
The JTAG connection is quite necessary for unbricking; I think you never had this type of problem on your routers. The serial connection doesn't work since it enters the loop, and the console keeps refusing Ctrl+C, Esc, space, or any attempt to break the loop.