[SOLVED] HOWTO - unbrick Linksys E4200 v1 with JTAG

DD-WRT Forum Index -> Broadcom SoC based Hardware (page 3 of 4)
sfrooze
DD-WRT Novice


Joined: 14 Jan 2015
Posts: 10

PostPosted: Thu May 11, 2017 18:12    Post subject: Re: jtag
alex0001 wrote:
Hi. Has anybody successfully managed to communicate with the E4200 and a Raspberry Pi? I tried oxplot's Raspberry tjtag but it does not recognise it. It seems it does not have W25Q128BVFG chip support. Are there any other solutions?

Thanks


Hello alex, greetings from Chile. Well, I connected the E4200 with no problem from a Raspberry Pi, but it cannot be unbricked from the RPi, because brjtag does not work from there, and tjtag does not support the chip.
Man, I have been trying lots of things to unbrick it. I even bought a PCI parallel port card (because my PC doesn't have one), I built the famous "unbuffered JTAG cable", I bought a JTAG USB cable too, with no success. I connected via JTAG and via serial TTL (TTL only gives me the loop message), all with no success.
There is only one thing left that I have not done yet: try brjtag on a PC with a native parallel port, just like in the first post. If that doesn't work I think I will bury the router and wait to see if an E4200 tree grows.
Send me an email to share info and knowledge: sfrooze at gmail.
immi803
DD-WRT Novice


Joined: 17 Mar 2018
Posts: 20

PostPosted: Mon Mar 19, 2018 22:06    Post subject: Re: [SOLVED] HOWTO - unbrick Linksys E4200 v1 with JTAG
alins75 wrote:
Hi everybody,

This is a small HOWTO that you can use to unbrick the E4200 using JTAG. See details below.

I have managed to brick my E4200 after flashing dd-wrt.v24-23082_NEWD-2_K2.6_XXX-nv60k.bin.

After flash, instant brick.
The bad thing was that I could not unbrick it with a serial connection and TFTP. Of course I tried, and apparently it worked, but after reboot the only thing it did was constantly show the following message on the serial console (some of you may have seen it - the reboot loop):

CFE version 2010.09.20.0 based on BBP 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Fri Nov 12 11:01:26 CST 2010 (lzh@team2-complier)
Copyright (C) 2000-2008 Broadcom Corporation.

Init Arena
Init Devs.

No DPN
This is a Serial Flash
Boot partition size = 262144(0x40000)
Found an ST compatible serial flash with 256 64KB blocks; total size 16MB
sflash_cfe_probe: flash type ST, nparts 4
sflash_cfe_probe: idx 0, name boot, descr ST Serial flash offset 00000000 size 256KB
sflash_cfe_probe: idx 1, name trx, descr ST Serial flash offset 00040000 size 1KB
sflash_cfe_probe: idx 2, name os, descr ST Serial flash offset 0004001C size 16068KB
sflash_cfe_probe: idx 3, name nvram, descr ST Serial flash offset 00FF1000 size 60KB
sflash_cfe_probe: flash type ST, nparts 3
sflash_cfe_probe: idx 0, name boot, descr ST Serial flash offset 00000000 size 256KB
sflash_cfe_probe: idx 1, name trx, descr ST Serial flash offset 00040000 size 16068KB
sflash_cfe_probe: idx 2, name nvram, descr ST Serial flash offset 00FF1000 size 60KB
sflash_cfe_probe: flash type ST, nparts 0
CPU type 0x19740: 133MHz
Tot mem: 65536 KBytes

CFE mem: 0x80700000 - 0x8079EA40 (649792)
Data: 0x80734000 - 0x80737FE0 (16352)
BSS: 0x80737FE0 - 0x80738A40 (2656)
Heap: 0x80738A40 - 0x8079CA40 (409600)
Stack: 0x8079CA40 - 0x8079EA40 (8192)
Text: 0x80700000 - 0x80734000 (212992)

board_final_init: commit=0, restore_defaults=0Boot version: v5.2
The boot is CFE

mac_init(): Find mac [C0:C1:C0:AF:75:B0] in location 0
Nothing...
country_init(): Find country code in location 0
The country is same
**Exception 8: EPC=80718DDC, Cause=80000008 (TLBMissRd)
RA=80718DE4, VAddr=0000000C

0 ($00) = 00000000 AT ($01) = 80730000
v0 ($02) = 00000000 v1 ($03) = 00000000
a0 ($04) = 80739A80 a1 ($05) = 8072E345
a2 ($06) = 00000001 a3 ($07) = 00000005
t0 ($08) = 00000000 t1 ($09) = 00000000
t2 ($10) = 807337EC t3 ($11) = 00000000
t4 ($12) = 00000000 t5 ($13) = 48534C46
t6 ($14) = 9FC036BC t7 ($15) = FECDFFBF
s0 ($16) = 00000000 s1 ($17) = 8072E32C
s2 ($18) = 8072E2E4 s3 ($19) = 8072E2F0
s4 ($20) = 8079E800 s5 ($21) = 8079E800
s6 ($22) = 19A14716 s7 ($23) = 00000001
t8 ($24) = 04000000 t9 ($25) = 00000000
k0 ($26) = CAC1CAD1 k1 ($27) = 8AF548C0
gp ($28) = 8073C000 sp ($29) = 8079E7D8
fp ($30) = 00000000 ra ($31) = 80718DE4



The good news here is that after a week I have SUCCESSFULLY managed to unbrick my E4200 with JTAG.
My E4200 v1 has a Broadcom BCM4716 CPU @ 480MHz and a Winbond W25Q128BVFG 128Mbit/16MB flash chip.

For the serial connection I used a PL2303HX USB to TTL adapter. It works just fine with PuTTY.
For JTAG I could only use an unbuffered JTAG cable.

SERIAL PINOUT - JB2 - 5 holes on the board
pin 1 is the square one
pin 2 TX - connect to RX on the PL2303
pin 3 RX - connect to TX on the PL2303
pin 5 GND - connect to GND on the PL2303

JTAG PINOUT - JB3 - 12 holes on the board
pin 1 - not used
pin 3 - JTAG TDI
pin 5 - JTAG TDO
pin 7 - JTAG TMS
pin 9 - JTAG TCK
pin 11 - not used
pin 2, 4, 6, 8, 10 - GND - use one of them
pin 12 - not used

I didn't use any soldering, I only used pins that could fit in.



I've gone through this discussion and I think it's still possible to revive the E4200

https://www.dd-wrt.com/phpBB2/viewtopic.php?p=889394

Just a few things I need your help with, please

1. There's a generic cfe.bin file attached; how do I input the MAC address, serial and PIN using a hex editor?

2. In this discussion, it's given as following

E4200 CFE:
MAC @ 0x3EF00
S/N @ 0x3FE30
PIN @ 0x3FCDC

But I can't find a string for this PIN @ 0x3FCDC; there's no such string. Is it written wrong?

3. In this discussion an unbuffered JTAG cable has been used; what is meant by unbuffered? Can we simply use cables with working pins? Is it that simple?

4. Also, at step 2 it erases the CFE. Can we try just step 1 and step 4 and see if the LAN ports start working? Possible?

Desperately looking for help please
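The question above is about placing the MAC, serial number and PIN into the generic cfe.bin at the offsets quoted from the linked discussion (MAC @ 0x3EF00, S/N @ 0x3FE30, PIN @ 0x3FCDC). The script below is an added example, not code from this thread or from DD-WRT, of doing that edit programmatically instead of by hand in a hex editor. It assumes each slot holds a NUL-terminated ASCII string in the CFE's embedded defaults, and it checks that a string is actually present at the offset before overwriting, which is exactly the situation immi803 hit at the PIN offset: if nothing string-like is there, the script refuses rather than writing into the wrong place. The image it works on is a constructed placeholder, not a real CFE.

```python
import re

# Offsets quoted in this thread, relative to the start of the 256 KB cfe.bin.
# Assumption: each slot holds a NUL-terminated ASCII string inside the CFE's
# embedded NVRAM defaults, which is why a hex editor can patch it in place.
CFE_SIZE = 0x40000
OFFSETS = {"mac": 0x3EF00, "serial": 0x3FE30, "pin": 0x3FCDC}

MAC_RE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$")


def build_sample_cfe():
    """Constructed placeholder image, not a real CFE: 0xFF fill with dummy
    strings at the MAC and serial offsets. The PIN slot is left unset (all
    0xFF) to mirror immi803's observation that no string is visible at
    0x3FCDC in the generic image."""
    img = bytearray(b"\xff" * CFE_SIZE)
    img[OFFSETS["mac"]:OFFSETS["mac"] + 18] = b"00:11:22:33:44:55\x00"
    img[OFFSETS["serial"]:OFFSETS["serial"] + 15] = b"SAMPLE00000001\x00"
    return img


def read_cstring(img, offset, limit=32):
    """Return the NUL-terminated printable-ASCII string at offset, or None
    when nothing string-like is there (wrong offset or wrong image)."""
    end = img.find(b"\x00", offset, offset + limit)
    if end == -1:
        return None
    raw = bytes(img[offset:end])
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode("ascii")


def patch_string(img, offset, value):
    """Overwrite the existing string at offset in place and return the old value.
    Refuses when no string is there, or when the new value would run past the
    existing slot and clobber whatever follows it."""
    old = read_cstring(img, offset)
    if old is None:
        raise ValueError(f"no ASCII string at 0x{offset:X}; wrong offset or wrong cfe.bin?")
    if len(value) > len(old):
        raise ValueError(f"{value!r} is longer than the existing slot {old!r} at 0x{offset:X}")
    # Pad with NULs so the old terminator position is covered and nothing past it changes.
    encoded = value.encode("ascii") + b"\x00" * (len(old) + 1 - len(value))
    img[offset:offset + len(encoded)] = encoded
    return old


def personalise(img, mac, serial, pin=None):
    """Patch MAC and serial (and PIN when given) into img; returns the replaced values."""
    mac = mac.upper()
    if not MAC_RE.match(mac):
        raise ValueError("MAC must look like AA:BB:CC:DD:EE:FF")
    replaced = {
        "mac": patch_string(img, OFFSETS["mac"], mac),
        "serial": patch_string(img, OFFSETS["serial"], serial),
    }
    if pin is not None:
        replaced["pin"] = patch_string(img, OFFSETS["pin"], pin)
    return replaced


if __name__ == "__main__":
    image = build_sample_cfe()
    # Sample values are constructed; the C0:C1:C0 prefix is one of the OUIs named in this thread.
    print(personalise(image, "c0:c1:c0:12:34:56", "TEST1234567890"))
    try:
        patch_string(image, OFFSETS["pin"], "12345670")
    except ValueError as err:
        print("refused:", err)
```

On a real file you would load it with `bytearray(open("cfe.bin", "rb").read())`, run `personalise`, and write the result back out; the first thing to do before patching is call `read_cstring` on each offset and confirm the old value looks like the sticker's MAC and serial, because an offset that reads back as garbage means the offsets belong to a different CFE build than the one you have.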
sfrooze
DD-WRT Novice


Joined: 14 Jan 2015
Posts: 10

PostPosted: Mon Mar 19, 2018 22:56    Post subject:
Hello immi803, welcome to this thread. I've been searching for help to unbrick my E4200 v1 for a while with no success. A bricked E4200, at a simple glance, softly blinks its white Cisco logo; if you see that, let's start.
Well, I recommend you try a TTL connection to begin, via serial-USB-PuTTY or a Raspberry Pi if you want. If you can see the loop message that people describe here, try to stop it with Ctrl+C or any key; if you can stop it and enter commands I think you can unbrick it. If you see the loop message but can't stop it, you have to build the famous unbuffered JTAG cable. Reply with your situation.
Regards.
immi803
DD-WRT Novice


Joined: 17 Mar 2018
Posts: 20

PostPosted: Tue Mar 20, 2018 7:25    Post subject:
sfrooze wrote:
Hello immi803, welcome to this thread. I've been searching for help to unbrick my E4200 v1 for a while with no success. A bricked E4200, at a simple glance, softly blinks its white Cisco logo; if you see that, let's start.
Well, I recommend you try a TTL connection to begin, via serial-USB-PuTTY or a Raspberry Pi if you want. If you can see the loop message that people describe here, try to stop it with Ctrl+C or any key; if you can stop it and enter commands I think you can unbrick it. If you see the loop message but can't stop it, you have to build the famous unbuffered JTAG cable. Reply with your situation.
Regards.


Thanks for such a prompt response

Here is the situation:
1. The Linksys logo white light blinks for a second and the router goes into the loop mentioned above

2. No LAN connectivity

3. Serial connectivity is fine, as I can see this loop in the PuTTY serial console

Now I'll try to stop that loop as best I can and I'll report back whether I'm able to stop it or not

I'm sure together we'll be able to get through this, either via serial or JTAG; we cannot let this baby sleep forever
immi803
DD-WRT Novice


Joined: 17 Mar 2018
Posts: 20

PostPosted: Tue Mar 20, 2018 14:28    Post subject:
sfrooze wrote:
Hello immi803, welcome to this thread. I've been searching for help to unbrick my E4200 v1 for a while with no success. A bricked E4200, at a simple glance, softly blinks its white Cisco logo; if you see that, let's start.
Well, I recommend you try a TTL connection to begin, via serial-USB-PuTTY or a Raspberry Pi if you want. If you can see the loop message that people describe here, try to stop it with Ctrl+C or any key; if you can stop it and enter commands I think you can unbrick it. If you see the loop message but can't stop it, you have to build the famous unbuffered JTAG cable. Reply with your situation.
Regards.


Can you please help me learn how to input my values into the generic cfe.bin?
A detailed elaboration is appreciated.
Thanks
immi803
DD-WRT Novice


Joined: 17 Mar 2018
Posts: 20

PostPosted: Wed Mar 21, 2018 21:12    Post subject:
Guys!!!!

I've finally unbricked it, following the guide mentioned below

https://www.dd-wrt.com/phpBB2/viewtopic.php?p=889394

Yes!! You can unbrick it. Below are some pics of my setup; though it looks clumsy, it was very solid. I used pins and NO soldering of anything

https://ibb.co/bHdoaH
https://ibb.co/jVg8aH
https://ibb.co/mrTX2x
https://ibb.co/e6TbUc
https://ibb.co/ekrKhx

Here is also a little video of the CFE flashing

https://youtu.be/9-GdcDOACPc

Happy debricking

Thanks to all the devs, gurus and everyone out there who helped me out
sfrooze
DD-WRT Novice


Joined: 14 Jan 2015
Posts: 10

PostPosted: Wed Oct 02, 2019 20:24    Post subject: Still want to debrick this cr..p
It has been a long time since we talked about unbricking this router, but I'm posting just in case.

First of all, I could not unbrick this router yet :( It has been a long time since I bricked it myself trying to install Tomato a couple of years ago. I tried the traditional methods to unbrick: reset, TFTP, serial; I only got the loop, yes, that loop... but I never tried JTAG because I did not have an old PC with the famous purple parallel port, though I did have a JTAG cable, the famous JTAG cable I made myself.

Well, the thing is I never realized that I have a parallel port on a Dell laptop dock... it was always there, the f**king port was there for the 5 f**king years since I bought it and I never noticed it for JTAG debugging the router until now. Well, with the parallel port and the JTAG cable I downloaded a WinXP virtual image onto a flash drive and voilà... I have JTAG access to the router. Then I hex-edited the MAC, S/N and PIN into cfe.bin and started the process.

I followed all steps by alins75 from 1 to 7 with no problem, even step 4, so many times, step by step, again and again, sadly with no success, only the annoying loop. But I discovered some things that may be worth mentioning, if somebody can help me.

First, my router has 256 blocks of 64KB (16MB total); the first four blocks correspond to the CFE routine, and the last one seems to be the NVRAM. According to the first post by alins75 the kernel begins from the 5th block; it seems to be right.

When the CFE starts, after erasing the NVRAM, it seems to work for 1 second, until it says "committing nvram...done" and the router enters the same demonic loop. f++ing loop.
But the CFE doesn't get corrupted, I'm sure of that; it is the kernel or the NVRAM that is the problem, because while the loop is happening I backed up the cfe.bin and it is still the same file, even the hash. Only when erasing the NVRAM does the message "committing nvram... done" appear, and then it starts the same loop again every time. It seems the CFE doesn't find the code to continue the routine and enters an error loop. And I can't stop it, with Ctrl+C or Escape, with nothing. It is unstoppable.

And I have a couple of theories.

First one: this router has 2 editions (not versions, editions). One edition has a MAC address starting with C0:C1:C0 (which is the type of the cfe.bin backup posted here)... the 2nd edition starts with 58:6D:8F (which is mine). I think the alins75 algorithm works only with the first edition. That's why the 4th step doesn't work for him and works for me, and the whole solution doesn't work for me. This appears on WikiDevi: 802dot11 OUI: 58:6D:8F (8 E, 8 W, 2011), C0:C1:C0 (12 E, 14 W, 2011)

Second theory: it is a HW problem, which means there is nothing to do. And I don't believe it, because I checked and I can write and erase the flash with no problem. Or I don't want to believe it.

With brjtag I performed a wholeflash erase with no problem, and then flashed cfe.bin with no problem too. I mean, the flash is erased totally and only the CFE is in the first 4 blocks; despite that my router enters the loop. So we have 2 more options:

1- The problem is that cfe.bin does not correspond to the router (I did not back up the original CFE of my router, thinking the solution would work with no problems), or

2- The problem is that the NVRAM and kernel are blank and cannot be blank; when they are blank the router enters the loop.

Questions, if someone can help me.

1 - What other CFE.BIN can I try in this router? Is there another similar router?

2 - What is the kernel? Is it the firmware? Is it the same?

3 - Can I flash the kernel or firmware via brjtag, no matter how long it takes?


This is not a problem of money, or of replacing it or buying another; it's a challenge, it has turned into something personal. To revive this Fu** router is a fight, that's why I continue. When I unbrick this, it will hang over my fireplace beside a deer head that I have (an electronic deer).

Greetings
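The post above reasons about the flash layout from the block count (256 x 64KB) and the partition offsets printed by the CFE at boot, and the later replies in this thread turn on whether a JTAG write lands in the right partition. The script below is an added example, not code from this thread, DD-WRT or brjtag, that parses the `sflash_cfe_probe` lines quoted earlier in the thread into a partition table, maps each partition onto 64KB erase blocks, and checks that a planned write stays inside the partition it is meant for. It assumes the 0x1C000000 base behind addresses like `1C040000` is the CPU's flash window, so that address is flash offset 0x40000; the log lines embedded in it are copied from the boot log quoted in this thread. One thing it makes visible that the post only guesses at: the 60KB nvram partition starts 4KB into the last 64KB block, so that block also holds the tail of the trx partition, and erasing it for one touches the other.

```python
import re

BLOCK_SIZE = 64 * 1024            # the CFE log reports 256 blocks of 64KB, 16MB total
FLASH_SIZE = 256 * BLOCK_SIZE
FLASH_BASE = 0x1C000000           # assumption: CPU address of the flash window, so that
                                  # 1C040000 in the post is flash offset 0x40000

# Constructed sample: the three-partition sflash_cfe_probe lines from the boot
# log quoted earlier in this thread.
SAMPLE_LOG = """\
sflash_cfe_probe: flash type ST, nparts 3
sflash_cfe_probe: idx 0, name boot, descr ST Serial flash offset 00000000 size 256KB
sflash_cfe_probe: idx 1, name trx, descr ST Serial flash offset 00040000 size 16068KB
sflash_cfe_probe: idx 2, name nvram, descr ST Serial flash offset 00FF1000 size 60KB
"""

PROBE_RE = re.compile(r"idx (\d+), name (\w+), .*offset ([0-9A-Fa-f]+) size (\d+)KB")


def parse_partitions(log_text):
    """Turn the probe lines into [{name, start, end}] with byte offsets (end exclusive)."""
    parts = []
    for line in log_text.splitlines():
        m = PROBE_RE.search(line)
        if m:
            start = int(m.group(3), 16)
            parts.append({"name": m.group(2), "start": start,
                          "end": start + int(m.group(4)) * 1024})
    return parts


def blocks_for(part):
    """First and last 64KB erase block touched by a partition (inclusive)."""
    return part["start"] // BLOCK_SIZE, (part["end"] - 1) // BLOCK_SIZE


def to_flash_offset(addr):
    """Map a CPU-window address such as 0x1C040000 to a flash offset; plain offsets pass through."""
    return addr - FLASH_BASE if addr >= FLASH_BASE else addr


def partition_for(parts, offset):
    """Name of the partition containing a flash offset, or None if outside all of them."""
    for p in parts:
        if p["start"] <= offset < p["end"]:
            return p["name"]
    return None


def shared_blocks(parts):
    """Erase blocks holding data from more than one partition. Erasing such a
    block for one partition wipes the other partition's bytes in it as well."""
    owners = {}
    for p in parts:
        first, last = blocks_for(p)
        for b in range(first, last + 1):
            owners.setdefault(b, []).append(p["name"])
    return {b: names for b, names in owners.items() if len(names) > 1}


def check_write(parts, addr, length, expect):
    """Confirm a write of `length` bytes at `addr` stays inside partition `expect`.
    Raises ValueError if it would start elsewhere or spill into a neighbour."""
    offset = to_flash_offset(addr)
    target = next((p for p in parts if p["name"] == expect), None)
    if target is None:
        raise ValueError(f"no partition named {expect!r}")
    if offset < target["start"] or offset + length > target["end"]:
        raise ValueError(
            f"write 0x{offset:X}..0x{offset + length:X} leaves {expect} "
            f"(0x{target['start']:X}..0x{target['end']:X}); "
            f"it starts in {partition_for(parts, offset)}")
    return True


if __name__ == "__main__":
    table = parse_partitions(SAMPLE_LOG)
    for p in table:
        print(p["name"], "blocks", blocks_for(p))
    print("shared erase blocks:", shared_blocks(table))
    print(check_write(table, 0x1C040000, 4 * 1024 * 1024, "trx"))
```

Paste your own router's probe lines into `SAMPLE_LOG` before trusting the block numbers; the nparts 4 listing in the same log (with a 1KB trx header and an os partition at 0x4001C) describes the same bytes with a different split, and the checker should be fed whichever table matches the image you intend to write.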
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Thu Oct 03, 2019 3:58    Post subject:
There are TWO Versions of the E4200 that I know of. I have several V1s, and the stickers all have different MAC addresses. Now, to clarify with some pertinent and irrelevant information: V1 is Broadcom, V2 is Marvell, and identical to the EA4500 V1 & V2. The EA4500 V3 is Qualcomm Atheros. Also, if you are seeing a CFE prompt, etc. via serial, it's a Broadcom V1. The V2 is u-boot. You shouldn't need to go farther than CFE serial recovery unless it's really borked.

*/Gratuitous Special Year Number Post*/
sfrooze
DD-WRT Novice


Joined: 14 Jan 2015
Posts: 10

PostPosted: Thu Oct 03, 2019 12:19    Post subject: fixing e4200
Thanks so much for responding; I thought this router was almost junk now.

Well, my router is the V1 version; I never had the V2 version, just because it does not have a Broadcom chip. Now, about my issue:

The algorithm of the first post does not work for me; even doing a wholeflash erase and flashing only cfe.bin, the router enters the unstoppable loop again.
According to WikiDevi this router has two possible MAC address types, A) C0:C1:C0:XX:XX:XX, B) 58:6D:8F:XX:XX:XX. The cfe.bin in the first post is taken from an A-type MAC address, and I have a B-type MAC address. Well, this is only theoretical, because maybe the CFEs are identical; I am only searching for an explanation of why the fix does not work for me.

Now I'm trying to flash the kernel; it takes a long time but maybe it works. What I'm doing now is flashing a bin firmware from position 1C040000, where the kernel is supposed to start. The problem is that sometimes this gets stuck and I don't know why, but not in the same place in memory. I'm looking at writing by selected blocks to distribute the work with brjtag -flash:custom

If you can send me a cfe.bin taken from a router with a 58:6D:8F:XX:XX:XX address I would really appreciate it, but if you can upload the wholeflash.bin of that router you would be the best person in the history of humanity and of charity.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Thu Oct 03, 2019 13:06    Post subject:
The cfe bin is common to both AFAIK. The mtd layout is also common to both. If you are overwriting the wrong partition, then you are breaking it. At most, you should have to flash over a corrupted CFE, boot it to the cfe prompt (CTRL-C via serial), nvram erase, flash stock firmware, and then you can re-convert to DD-WRT from there. I don't understand why you are making this more complicated than it should be.
sfrooze
DD-WRT Novice


Joined: 14 Jan 2015
Posts: 10

PostPosted: Thu Oct 03, 2019 13:19    Post subject:
kernel-panic69 wrote:
The cfe bin is common to both AFAIK. The mtd layout is also common to both. If you are overwriting the wrong partition, then you are breaking it. At most, you should have to flash over a corrupted CFE, boot it to the cfe prompt (CTRL-C via serial), nvram erase, flash stock firmware, and then you can re-convert to DD-WRT from there. I don't understand why you are making this more complicated than it should be.


Since I can't break the loop via serial (CTRL+C) I cannot run a TFTP server, that's it. I erased the wholeflash (including CFE, kernel and NVRAM), then flashed cfe.bin; it doesn't work. The CFE is flashed into the first 4 blocks; the rest of memory is blank. I'm not sure if it is the same cfe.bin, then.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Mon Oct 14, 2019 19:56    Post subject:
I don't understand why you erased anything at all. Again, you made something more complicated than it should've been. The most I have ever had to do was a serial recovery back to stock firmware. I've never had to JTAG any of my E4200s or erase any partitions on the flash chip.
sfrooze
DD-WRT Novice


Joined: 14 Jan 2015
Posts: 10

PostPosted: Tue Oct 15, 2019 18:11    Post subject:
kernel-panic69 wrote:
I don't understand why you erased anything at all. Again, you made something more complicated than it should've been. The most I have ever had to do was a serial recovery back to stock firmware. I've never had to JTAG any of my E4200s or erase any partitions on the flash chip.


Again, thanks for trying to help, but I think there is no solution now, because now I cannot write to the flash memory. I think I put in a corrupt cfe.bin and now it gets stuck when I try to write to the memory blocks. Anyway, I think it's a HW problem, and always was. Now I can't start the CFE routine, nor can it boot. I think now it is really bricked.
With respect to your solution, look at the first post of this thread; it would never work with serial recovery. This is a JTAG solution thread, that's what it's about. If you could recover via serial, it means your router never had the same symptoms that appear here.
Hopefully it could be a serial problem. I wish it had been a serial problem; the solution would be right here and now.
Thanks anyway.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Tue Oct 15, 2019 18:45    Post subject:
The first two posts pretty much outline how to JTAG this router, if needed. I guess I'm not understanding the problem on why you can't revive it. Don't over-complicate it, use the instructions. I've never used a Pi to add to the complications, but I also have NEVER had to JTAG any of my 5 E4200s, either.
sfrooze
DD-WRT Novice


Joined: 14 Jan 2015
Posts: 10

PostPosted: Tue Oct 15, 2019 19:17    Post subject: Re: HOWTO - unbrick Linksys E4200 v1 with JTAG
alins75 wrote:
As I said, serial recovery didn't work. I had to use the unbuffered JTAG cable.

Erasing the NVRAM did not help - the CFE was corrupt. The E4200 was still in the continuous CFE boot loop.
Erasing the wholeflash did not help either.
I had to erase the CFE, kernel and NVRAM. Next I could flash the CFE.

I used for this brjtag v2.0.5 / TJTAG and ZJTAG did not work. Maybe they do, I don't know, but they didn't work for me.


The JTAG connection is quite necessary for unbricking; I think you never had this type of problem on your routers. The serial connection doesn't work since it enters the loop; the console keeps refusing Ctrl+C, Esc, Space, or any attempt to break the loop.