bricked buffalo wzr-1750DHP (eu-jp?)

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Goto page 1, 2  Next
Author Message
pitfermi
DD-WRT Novice


Joined: 06 Jun 2021
Posts: 19

PostPosted: Mon Jun 07, 2021 0:47    Post subject: bricked buffalo wzr-1750DHP (eu-jp?) Reply with quote
Hi,

I have an old buffalo router which was flashed with dd-wrt 2 years ago. It worked fine with the right firmware version. Recently I decided to upgrade/change my home network configuration, so I figured I'd flash the stock firmware from the manufacturer, for whatever reason I thought it would be a good idea, which turned out not to be.

Basically, I flashed the latest openWrt firmware, then found a beta Tomato(shibby) firmware Version for this router and decided to give it a go, see how the later performs. Upgrade was done via the web gui.
After the flash, the router would not turn on anymore, the power led would flash 2 times red and won't post/boot.

I then went ahead and took it apart, gaining access to the uart interface. Attached picture shows the main uart0 interface on the board. I have various ebay usb-ttl adapters, so I used a 3.3V one, hooked it up according to attached picture taken from the dd wrt forum (https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=176310), and I got no readings on the Putty terminal. Thinking that the adapter might be broken, I grabbed another one(5 V logic data pins), same situation, no output on the TX pin of the router. I then found another post from someone who messed around with the serial interface (https://kdpeter.blogspot.com/2015/04/adding-serial-console-to-buffalo-air.html?m=1, where they mention that the serial data pin connection is the other way around..
Booting into CFE with 115200/8/1/n using the 3.3V dongle was no problem(did not try with the 5 V one again). I got lucky here apparently, the serial pins are 5V tolerant?

So inside CFE, I was able to verify that something was broken when it tried to boot, according to following message:
Code:
check_trx: start flash1.trx
Invalid boot block on disk
check_trx: exit flash1.trx
fw is broken
blinking led 2



Code:
show devices
command yields the following list, based on what I remember. i regret not making screenshots..
Code:
uart0
uart1
flash0.boot
flash0.trx
flash0.os
flash0.nvram
flash1.boot
flash1.trx
flash1.nvram
eth0


So then I had to flash a firmware manually using a windows tftp client in order to get it back to boot. First ran tftp Put command on Pumpkin client then,
Flash commands I used:
Code:
flash -noheader : flash1.trx
flash -noheader : nflash1.trx

At this point, i was unsure if "nflash1" or "flash1" was correct, so I tried both(i know, my bad),
While/after flashing, i got error code -4. something with I/O being incorrect(reason why i kept trying to flash different firmwares). sorry, forgot to take screenshot.

Following I issued the below commands to clear nvram. Read it helps.
Code:
flash -erase nflash1.nvram
flash -erase nflash1.brcmnand
nvram erase




After that, I issued a reboot and the serial output of the router was no longer there. The TX pin on the usb adapter blinks, when I try to interrupt the boot with Ctrl + C, indicating that it can send data, sadly the input from RX is nonexistent. Power led on the front is not blinking, no white, no red, meaning it wont even start the bootloader(?). This is the point where I knew something was really wrong. From what I was told, the only option I'd have now is to program the onboard flash via jtag, starting with the bootloader? The 4 serial header Pins were already soldered, the (presumably) Jtag Interface is where i soldered the 14 header pins.

Regarding its pinout, check attached macro picture. The red shorted pins on the left represent(are connected to) the 2 pads on the left, where resistors are missing. yellow marked pins are grounded, i checked.
purple/pink pins are Vcc(3.3 V). The other pins measure infinite resistance/high impedance to either Vcc or Gnd. some of them are pulled high, some low when the router is in operation(less than 3.3 V). Sadly, I have no experience with jtag so I did not try anything smart yet.

Things that I tried after this whole mess.
-spammed ctrl+c while booting, very rapidly, in case the bootloader does not output anything and hands over execution to the cpu, while the firmware is bad.. But i couldnt enter CFE.
-checked pins with an oscilloscope. only constant voltages on serial/jtag.
-trying the tftp "rescue" method described here: http://g300nh.blogspot.com/2010/06/firmware-flash-and-brick-recovery.html . No luck, File is not transferring, windows detects no device on port 1 of the router..

Firmware files that I recall flashing using CFE/TFTP(Tftpd64):
-wzr_1750dhp_ap_227 (oem firmware from buffalo.jp website)
-wzr1750dhpd-v24sp2-23709c.bin
-wzr1750dhpd-v24sp2-23709c_recover.enc

links that I used in the process:
https://kdpeter.blogspot.com/2015/04/adding-serial-console-to-buffalo-air.html?m=1
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=176310
https://openwrt.org/toh/buffalo/wzr-1750dhp
128M NAND Flash: Zentel A5U1GA341ATS-BC TSOP48

Right now i am out of ideas and would gladly avoid jtag programming, if possible.
Had no luck acquiring info for jtag/debricking from Buffalo, unfortunately, since I flashed dd wrt.(lol!)
How do I proceed? any suggestions/questions are welcome.

pictures:
https://imgur.com/a/K3ysVRp


Last edited by pitfermi on Wed Jun 16, 2021 19:45; edited 8 times in total
Sponsor
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 9521
Location: Texas, USA

PostPosted: Mon Jun 07, 2021 3:33    Post subject: Reply with quote
The pins in the red circle are for your serial recovery and should be verified with a multimeter if you cannot find a proper pinout reference. I couldn't find any information for JTAG on this device to speak of, either.

https://www.google.com/search?q=buffalo+wzr-1750DHP+serial+recovery

https://www.google.com/search?q=Buffalo+WZR-1750DHP+jtag

https://wikidevi.wi-cat.ru/Buffalo_WZR-1750DHP

Are you sure you connected serial properly and didn't fry the UART interface on the router board?

https://wiki.dd-wrt.com/wiki/index.php/Serial_Recovery

P.S. You don't 30-30-30 a Broadcom ARM device.

_________________
Official Forum Rules, Guidelines & Helpful InformationFirmware FAQInstallation WikiWhere Do I Download Firmware?
DON'T use Chromium-based browsersRTFM/STFW TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is?
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
pitfermi
DD-WRT Novice


Joined: 06 Jun 2021
Posts: 19

PostPosted: Mon Jun 07, 2021 10:31    Post subject: Reply with quote
no. i did not fry the uart. as i said, i was able to cfe into it and issue commands etc. then i tftp and after flashing a firmware/erasing nvram it stooped booting and the power leds dont light up either. its almost certainly the bootloader.
i was just hoping i could make it work without jtag?
kernel-panic69 wrote:
The pins in the red circle are for your serial recovery and should be verified with a multimeter if you cannot find a proper pinout reference. I couldn't find any information for JTAG on this device to speak of, either.

https://www.google.com/search?q=buffalo+wzr-1750DHP+serial+recovery

https://www.google.com/search?q=Buffalo+WZR-1750DHP+jtag

https://wikidevi.wi-cat.ru/Buffalo_WZR-1750DHP

Are you sure you connected serial properly and didn't fry the UART interface on the router board?

https://wiki.dd-wrt.com/wiki/index.php/Serial_Recovery

P.S. You don't 30-30-30 a Broadcom ARM device.
AfterShock
DD-WRT User


Joined: 17 May 2010
Posts: 131

PostPosted: Mon Jun 07, 2021 13:19    Post subject: Reply with quote
This might help
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=948311&highlight=#948311

you will need a usb to ttl cable but the link in the post has long been dead so you can try https://www.amazon.com/USB-to-TTL-Serial-Cable/dp/B00N2FPJ0Q
pitfermi
DD-WRT Novice


Joined: 06 Jun 2021
Posts: 19

PostPosted: Mon Jun 07, 2021 14:25    Post subject: Reply with quote
hi. isnt it in my post clear, that i lost access to the serial interface? i successfully booted to cfe and did stuff using a cp2102 3.3v usb uart/serial converter which works as it should. but it does not read stuff from the router after the latest flash anymore.

AfterShock wrote:
This might help
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=948311&highlight=#948311

you will need a usb to ttl cable but the link in the post has long been dead so you can try https://www.amazon.com/USB-to-TTL-Serial-Cable/dp/B00N2FPJ0Q
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 9521
Location: Texas, USA

PostPosted: Mon Jun 07, 2021 15:08    Post subject: Reply with quote
Either your USB-UART-TTL adapter drivers are bunked, you connected Vcc (+3.3v) and fried the adapter or the UART interface on the router, or you really screwed up. I have not found any information that says this device supports JTAG, however, it looks as if you have a JTAG header of some sort. Are you sure your settings in PuTTY or whatever terminal client you are using are correct?
_________________
Official Forum Rules, Guidelines & Helpful InformationFirmware FAQInstallation WikiWhere Do I Download Firmware?
DON'T use Chromium-based browsersRTFM/STFW TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is?
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
pitfermi
DD-WRT Novice


Joined: 06 Jun 2021
Posts: 19

PostPosted: Mon Jun 07, 2021 15:31    Post subject: Reply with quote
the jtag headers(14 pin) I soldered on my own, as that was the most obvious place that a jtag would be placed, if it is indeed a jtag interface and enabled.
i did not mess anything with the uart. i did not change pin connections when i tried cfe. flashed, rebooted, and there were no power leds blinking anymore(red was flashing 2 times before the flash,nvram erase). after that, the serial was not outputting anymore. the usb uart adapter i use utilizes the silicon labs cp2102 chip. drivers are correct, everything is fine with it, baudrate also correct, 3.3V pin is untouched.

mext next step is to try and identify the jtag pins according to this: http://www.jtagtest.com/pinouts/ejtag
it seems to be the closest to what my device is equipped with. verified the gnd and vref pins, next are the most data pins
kooper2013
DD-WRT User


Joined: 10 Jan 2013
Posts: 88
Location: DE

PostPosted: Mon Jun 07, 2021 17:18    Post subject: Reply with quote
I'm always shivering when I see a board on a plastic-carpet.
Electronic devices are sensitive to static discharges. (If you see something like that on eb*y: stay away.)

That said:
The UART may be OK, but you may have killed the CPU, the RAM, or $whatever by applying some 1000V, without noticing it.

_________________
3xBuffalo WLI-H4-D1300
1xBuffalo WZR-D1800H
1xBuffalo WHR-HP-G300N
1xBuffalo WHR-1166D (stock f/w)
1xAsus RT-AC87U
1xAsus RT-AC88U
1xTP710
pitfermi
DD-WRT Novice


Joined: 06 Jun 2021
Posts: 19

PostPosted: Mon Jun 07, 2021 17:21    Post subject: Reply with quote
kooper2013 wrote:
I'm always shivering when I see a board on a plastic-carpet.
Electronic devices are sensitive to static discharges. (If you see something like that on eb*y: stay away.)

That said:
The UART may be OK, but you may have killed the CPU, the RAM, or $whatever by applying some 1000V, without noticing it.


you are right, but the router was outside the case, AFTER the serial stopped working, so i can solder jtag headers. the troubleshooting/flashing was done inside the case. as i said, immediately when i flashed the router and erased nvram, i rebooted and the serial was not showing anything.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 9521
Location: Texas, USA

PostPosted: Mon Jun 07, 2021 17:43    Post subject: Reply with quote
@AfterShock was pointing you to the same serial flash procedure shown in the OpenWRT wiki:

https://openwrt.org/toh/buffalo/wzr-1750dhp

Which we would hope is the procedure you followed. If you did not, there is NO telling what you b0rked. Hopefully, you can find information for JTAG and find a cfe.bin file for this router, unless it is a dead adapter. Some adapters do not work well with devices. Also, the Vcc pin on this thing is 5V.

_________________
Official Forum Rules, Guidelines & Helpful InformationFirmware FAQInstallation WikiWhere Do I Download Firmware?
DON'T use Chromium-based browsersRTFM/STFW TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is?
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
tedm
DD-WRT User


Joined: 13 Mar 2009
Posts: 451

PostPosted: Mon Jun 07, 2021 17:49    Post subject: Re: bricked buffalo wzr-1750DHP (eu-jp?) Reply with quote
pitfermi wrote:
tried to tftp a dd wrt firmware and then a buffalo stock firmware. it was transfered ok, but i got error code -4 I/O, then tried erasing nvram,


OK hold on here.

How do you know the CFE is not working? This is not a PC - if the CFE detects what it thinks is a valid firmware image it transfers CPU control to that image in less than a second. You maybe have a half-second window where you have to bang madly on Cntl-C or whatever escape character to break the boot and get the CFE prompt.

If the CFE thinks the image is good but the image is scotched then the moment the device powers up and the CFE transfers control the CPU will hit the corrupted image and either end up in a tight loop or crash. It's only if the CFE thinks the image is scotched will it decide as a last ditch effort to issue a prompt at the serial port.

The I/O error you got COULD have been because your AC adapter was putting out too low voltage and so the CPU was crashing during normal code execution. If you get an I/O error from the CFE during a transfer then you have to stop what you are doing and fix that first. Either you have bad power or part of the flash chip itself has failed or your ethernet connection to the device is messed up.

Please post the sequence of events and things that you did to erase the nvram.
pitfermi
DD-WRT Novice


Joined: 06 Jun 2021
Posts: 19

PostPosted: Mon Jun 07, 2021 17:54    Post subject: Reply with quote
kernel-panic69 wrote:
@AfterShock was pointing you to the same serial flash procedure shown in the OpenWRT wiki:

https://openwrt.org/toh/buffalo/wzr-1750dhp

Which we would hope is the procedure you followed. If you did not, there is NO telling what you b0rked. Hopefully, you can find information for JTAG and find a cfe.bin file for this router, unless it is a dead adapter. Some adapters do not work well with devices. Also, the Vcc pin on this thing is 5V.

no. the vcc pin is 3.3V i checked. and also the polarity of rx and tx pins is the wrong way, as some guy here posted a picture of.
apparently the US PCB version is different. or mine is just a newer model.
kooper2013
DD-WRT User


Joined: 10 Jan 2013
Posts: 88
Location: DE

PostPosted: Mon Jun 07, 2021 18:31    Post subject: Reply with quote
OK, so it wasn't killed on the carpet.
You could have a look with a oscilloscope if you find some bits flipping near the CPU. If you see something IS happening, you could play around with the JTAG. Search for JTAG in the hw/diy subforum... but your mileage may vary. (I didn't play with JTAG yet, though I have one misflashed cheap wall-wart type router - but couldn't find the time to revive it).

_________________
3xBuffalo WLI-H4-D1300
1xBuffalo WZR-D1800H
1xBuffalo WHR-HP-G300N
1xBuffalo WHR-1166D (stock f/w)
1xAsus RT-AC87U
1xAsus RT-AC88U
1xTP710
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 9521
Location: Texas, USA

PostPosted: Mon Jun 07, 2021 18:37    Post subject: Reply with quote
OpenWRT Vcc info may always be bunk, but it's the same pin order in both places. If you used another reference that differs, post the link, please. The order of pins does not matter as the board is the same in both models, most likely. They didn't waste the money on tooling up two separate PCBs. And X2 on tedm's comment about posting the order of events without error on what exactly you did to get to the point you are at. Screenshots taken at each step, etc. would greatly help.
_________________
Official Forum Rules, Guidelines & Helpful InformationFirmware FAQInstallation WikiWhere Do I Download Firmware?
DON'T use Chromium-based browsersRTFM/STFW TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is?
Please DO NOT PM me with questions; Ask in the forum. ---------------------- Linux User #377467 counter.li.org / linuxcounter.net
pitfermi
DD-WRT Novice


Joined: 06 Jun 2021
Posts: 19

PostPosted: Mon Jun 07, 2021 18:58    Post subject: Reply with quote
kernel-panic69 wrote:
OpenWRT Vcc info may always be bunk, but it's the same pin order in both places. If you used another reference that differs, post the link, please. The order of pins does not matter as the board is the same in both models, most likely. They didn't waste the money on tooling up two separate PCBs. And X2 on tedm's comment about posting the order of events without error on what exactly you did to get to the point you are at. Screenshots taken at each step, etc. would greatly help.


sorry i didnt make screenshots in the procedure. i think i was clear enough as to what i did. but to answer your question about the TX RX pins, i checked with a multimeter and with an oscilloscope, also, see following post:
https://scarygliders.net/2010/02/23/hacking-around-the-japanese-buffalo-wzr-hp-g300n/#comment-334
it is indeed a different router, but that variant of the swapped tx/rx pins does exist, by buffalo. i searched before hooking anything up, since it made me wonder why here on the forum the pins are the other way around. so i confirmed. steps i followed, roughly, but the most important ones are here:

1. openwrt version 19. something coming from ddwrt. worked fine, tho slow wan port
2. flashed tomato(to test wan speed) by shibby, latest version from his website
3. power leds blink red twice, serial showed error about leds flashing 2 times--> firmware error
Code:

check_trx: start flash1.trx
Invalid boot block on disk
check_trx: exit flash1.trx
fw is broken
blinking led 2

4. did cfe procedure, with lan 1 attached, according to the instructions. eth0 working, used pumpkin to send buffalo oem firmware 2.27, it was transferred with octet format, smallest blocksize available by pumpkin(512kb).
5. show devices for nvram, gave me flash0 and 1 partitions with names such as:
-flash0.boot
.
.
-flash1.boot
-flash1.nvram
6. erased nvmra with cmd: nvmram erase flash1.trx AND nvram erase nflash1.trx
notice the "n" before the flash name. since i found numerous instructions here and on another forum as to which name is correct, i tried both, i figured the one that exists would get erased, the other would fail erasing. this is probably the part where the UART stopped working, after reboot.

again, serial was hooked up correctly at ALL times, vcc untouched.

by the way, any idea where the main cpus is located? the chips on the picture are the wifi ones i think
Goto page 1, 2  Next Display posts from previous:    Page 1 of 2
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum