Posted: Mon Jun 18, 2012 21:18 Post subject: Linksys E4200 Serial/JTAG Port Guide
E4200 - The Serial/JTAG Reference Thread
Before now there's been no real info around on adding console and JTAG to the E4200. Certainly no HOWTO like for other models.
Given the "experimental" nature of these models, particularly the NVRAM issue, RS-232 console and JTAG are almost a must-have.
JTAG allows unbricking in almost all cases.
This thread is an attempt to write a modder's guide for the E4200, focusing on JTAG/serial support.
OUTSTANDING QUESTIONS
Is there TJTAG support for this platform?
(Tornado is the man for this)
What is the pinout of the JTAG header?
Is a pullup resistor (100-300R) required between Vcc and tRST to enable JTAG?
I'd like to be able stick this up on the wiki but it seems adding to the wiki is off-limits to anyone now. Which defeats the idea of a wiki.. (sigh) anyways I'm not going to poke that tiger again.
I'll edit as information comes to hand, please pm or post if you have anything that might help.
==
{Watch the casing, it's a real pr*ck}
1)a) Four base screws
Simple enough, four small phillips head screws.
Don't lose 'em, yeah?
1)b) The Warranty Label
First, use a bit of light solvent (electrosolve, brake cleaner etc) on the warranty label top rear near Gig0/0 to gently roll one side off, so it will stick on again when you're done. Hey if you can keep the warranty, why not?
1)b) Loosening The Middle Strip
The middle strip running across the top has to come off. The strip has hooks poking towards the outside so lever a spudger to arch the strip up in it's middle. Run along progressively till you hit the end but DON'T remove it yet!
1)c) Detaching The Middle Strip
The middle strip has an end retaining clip that breaks real easy. Don't angle the strip away, use a tool to separate the end of the strip from its housing recess (where the hook is).
2)a) Notes on these casings
The lid has retaining 'rings' all round that hook over and onto plastic hooks moulded into the base.
So angle your spudger so it's pushing the top/lid into the centre, while peeling the base section out and away freom the lid. Pic's worth a thousand here.. You'll have to push the plastic in on the the base half where its hooks are as you go, to avoid snapping off the retaining clips on the top.
2b) Removing The Lid
START AT THE BACK, THEN FRONT, then sides.
Anyways assuming it's open..
The Following Steps Are Still Under Construction
3)Locate the serial header
The seriad header appears to be present but unpopulated. There's a set of through holes for a standard 2.54mm pitch 5-pin inline header, marked J82. The pinout needs to be confirmed.
UPDATE: For pinout see Ref1.
4) Install the serial header pins
5) Locate the JTAG Header
JTAG is available via another unpopulated block, double row 12 pins labelled JB3. It's a real bitch, call it a "micro JTAG" header. It's tiny, both in pin size and pitch. My calipers say 1mm spacing, 0.5-0.75mm pin diameter. The JST-SH line of connector may fit it, they're 1.25mm.
Update: Forum member jrscs says this is 1.27mm pitch, Mouser stocks it (Ref2)
6) Install JTAG header pins
In the absence of proper sized header pins and socket, cut 7 x 10mm pieces of appropriate gauge copper wire (should be a snug fit in the holes).
Put a 45* bend in each about halfway down.
To make sure the solder flows and sticks smooth and quick, polish the coppery PCB pads on the header with a pencil eraser thoroughly, top and bottom. Finish with a solvent like alcohol or acetone to remove any oils.
You'll need a good fine-tipped soldering iron (and fine solder) for this job.
Pre-tin the tips of all 7 pins (lightly!) and solder them into the board, with the angled heads laid out in a splayed "fan-out" arrangement.
Use your head here, they should be angled so they're easy to connect to without risking any shorts.
7) Connect your JTAG Adapter to the header
Squeeze the tips of the PCB pins with some pliers to flatten them out a bit. This should make them a snug fit into a normal Dupont/2.54mm female socket.
So here, normal female-to-male jumpers can be used to hook the signals into your JTAG adapter's IDC connector. A bit of Blu-Tack (or whatever adhesive putty is called where you are) or tape should be used to secure both the jumpers and the adaptor ribbon to the PCB just for safety.
RF Notes
The RF fronts ends are the usual SkyWay SiGe family. Unfortunately their max TX power is rather limited.. somethings a bit funny here cause the 5ghz section specs dual-band RF components - perhaps the 11G section shares with 11A???)
802.11b - 22dBm
802.11g - 18dBm
802.11a - 16dBm
The shielded area at front right contains the 802.11a/5Ghz RF finals (SiGe SE2594L's), the front left has the 2.4Ghz (SiGI 2528L 2xMIMO section (I think one chain is diversity-enabled)
Note the bastards fitted U.FL's to the 5Ghz section but soldered the 2.4 antenna pigtails direct.. grr. and you can see the pads for the u.FL further back along the trace.
If you want to add external antennas, add the 2.4 Ghz to the pads closest to the switch ports (eg "ANT2G0") - unsolder the existing, don't be tempted to use the u.FL pads cause there's no ESD protection that far back.
For 5Ghz, it's plug n play though I'd go for far front right "J12" just to try and grab the first chain.
Ref1: E4200 Serial Pinout
[img]https://skydrive.live.com/embed?cid=E55F3F5F75B5A7BB&resid=E55F3F5F75B5A7BB%211175&authkey=AFrpLcwuUQwP4RQ[/img]
Ref2: JTAG pin header for the e4200 at Mouser (www.mouser.com). It is 1.27 mm row spacing and manufacturing part number 20021111-00012T4LF.
Samtec also makes them, header is FTSH series.
Ref3: JB3 PCB JTAG Area Image
[img]https://skydrive.live.com/embed?cid=E55F3F5F75B5A7BB&resid=E55F3F5F75B5A7BB%211177&authkey=AB4MfBI_Da3oM9w[/img]
PROGRESS NOTES: JTAG Pinout
As the pinout is still unconfirmed I wire-wrapped 12 lengths of Kynar onto the cobbled-up pins and terminated them into some perfboard, setup as a fully reconfigurable 12-pin 2.54mm breakout board.
From here I can logic-analyse, measure volts and resistances to earth for each pin. Once I've some idea of what may be what I can jumper to the JRAG adapter all the likely combinations, and hopefully nail the proper pinout.
Serial Connection
While tyring to confirm the serial pinout I might have cooked the CPU's UART.. I can't get anything from the TX/RX pins, not even on the 'scope. I got a bit of a tingle from the router when I was working on it powered up so I checked its ground against mains earth.
Seems the plugpack I was using was very 'leaky', meaning the DC output was sitting 75v AC above earth.
I'm worried the AC has grounded out via the desktop PC through the data pins of the router serial port. That'd probably pop the UART driver.
And I can't find another v1.0 E4200
*UPDATED: Added serial pinout, JTAG connector info[/b]
Updated with serial pinout, more JTAG info and pics.
If anyone can provide ANY further info it would be most appreciated! _________________ ========================
<<CURRENTLY WORKING ON>>
-Netgear WNR3500Lv1 w/DD-WRT v24-sp2 (03/19/12) big - build 18777
-Buffalo WBR-G54 w/DD-WRT v24_pre_sp2 (08/07/10) std - build 14896
I have a soft bricked e4200 v1 and long story short it was my fault flashing dd-wrt.v24-23138_NEWD-2_K2.6_big-nv60k.bin after successfully flashing a mini build.
After reading a lot and trying a lot this is what I know:
I get 4 to 5 ttl=100 ping replies after powering up, so it is possible to send a file with tfpt (tried both on windows and linux - binary mode!) but it does not get accepted.
So - next step is a serial flash, so I hooked up my e4200 to my raspberry pi using an old serial cable I had lying around.
I used the jtag layout suggested by benryanau and directly soldered them on the e4200 pcb.
This is the other end. TX is connected to RX on the pi and vice versa.
and after everything is set up (I connected my router to a second nic with fixed ip 192.168.1.8 subnet 255.255.255.0) I powered that e4200 on.
I still get ttl=100 ping replies after powering up, but minicom does not show anything.
What is the missing part in here? Do we need to connect 3.3 Vcc? Second GND? I am far above my level here and hope you guys can help me out.
jtag and serial are two different things, you have connected your serial adapter to the jtag port and not to the serial port.
The serial port is the 5 hole area oon the right side of the pcb (near the back of the router). _________________ Kernel panic: Aiee, killing interrupt handler!
Thanks for your quick reply LOM!
I was able to connect with the right serial port (near the back/on of the five antennas) proceeding with the same setup!
Stock fw is up and I am currently working on putting a proper dd-wrt version on it, this time it will be dd-wrt.v24-23040_NEWD-2_K2.6_mega-e4200.bin
Joined: 03 Jan 2014 Posts: 2 Location: Germany - Bochum
Posted: Fri Jan 03, 2014 16:48 Post subject:
jakob wrote:
Thanks for your quick reply LOM!
I was able to connect with the right serial port (near the back/on of the five antennas) proceeding with the same setup!
Stock fw is up and I am currently working on putting a proper dd-wrt version on it, this time it will be dd-wrt.v24-23040_NEWD-2_K2.6_mega-e4200.bin
Thanks a lot!!
Hey jakob,
could you please explain in more detail how you unbricked your E4200?
I just bricked mine on January 1st so it was a not so nice start of 2014 to me...
I was happy to find this post and the positive outcome by using a Raspberry Pi! I also have one as well as some 3.3V USB/UART-converters...
After using DD-WRT for so many years and flashing so many devices this was the first time it ended up with a paperweight...
So i look forward to unbrick my E4200, too!
Well, just connect it up like I did and prepare your pi to use that connection (that one github link I posted..) - install minicom and start listening to that connection with the following command
Code:
sudo minicom -b 115200 -o -D /dev/ttyAMA0
Make sure you have your router connected to another pc or another nic that you manually configure to use 192.168.1.8 subnet 255.255.255.0 and prepare tftp with stock firmware!
Power it up, as soon as you see output in minicom hit ^C until it stops booting and drops you to a shell.
First execute
Code:
nvram erase
then prepare it to accept stock firmware with
Code:
flash -ctheader : flash1.trx
as soon as you executed that send stock firmware with tftp!
you will see it loading up, and when you get a prompt again just enter
Code:
go
wait a few minutes (you can watch output on your serial console) and you are back on stock firmware.
Joined: 03 Jan 2014 Posts: 2 Location: Germany - Bochum
Posted: Fri Jan 03, 2014 17:38 Post subject:
jakob wrote:
Well, just connect it up like I did and prepare your pi to use that connection (that one github link I posted..) - install minicom and start listening to that connection with the following command
Code:
sudo minicom -b 115200 -o -D /dev/ttyAMA0
Make sure you have your router connected to another pc or another nic that you manually configure to use 192.168.1.8 subnet 255.255.255.0 and prepare tftp with stock firmware!
Power it up, as soon as you see output in minicom hit ^C until it stops booting and drops you to a shell.
First execute
Code:
nvram erase
then prepare it to accept stock firmware with
Code:
flash -ctheader : flash1.trx
as soon as you executed that send stock firmware with tftp!
you will see it loading up, and when you get a prompt again just enter
Code:
go
wait a few minutes (you can watch output on your serial console) and you are back on stock firmware.
Unfortunately i can't connect my Raspi and try it because my soldering iron got broken! So i have to wait up until monday/tuesday to solder it at work.
2014 seems to be star-crossed...
Posted: Sat Jan 04, 2014 21:19 Post subject: succesful debrick using arduino as serial interface
I can confirm the above method works with an arduino uno R3 as well. I successfully unbricked my e4200 after bricking it with the latest n60k build.
i put the arduino into tri-state mode by connecting the arduino Reset and Ground pins, this essentially disables or bypasses the atmege 328 chip so you are using the arduinos on board usb to ttl convertor.
I then connected the arduino to the linksys e4200:
ground to ground
linksys tx to arduino tx pin via 1k ohm resistor
linksys rx to arduino rx pin via 1k ohm resistor
the 1k ohm resistors are probably important here.
i realize normally you would want to connect rx to tx and vice versa, but for some reason this is not the case here. i'm not sure why it would be opposite with the arduino in tri state mode.
anyhow, flashed the stock firmware using tftp (from ubuntu terminal) while using the minicom and arduino as a serial communicator.
I tried to use the serial port to unbrick my E4200V1 also with no luck.
Setup:
minicom on Ubuntu
minicom bit rate set to 115k
ttyUSB0 (PL2303 serial port)
used a DB9F and cable to connect to the E4200 pinouts shown in this thread
even tried reversing TXD and RXD connections
nothing shows up on the screen.
So, I looped back the cable after disconnecting from the E4200 and got a character echo so I know my setup is good. I doubt that I'm going to spend the money to try to recover the router with a jtag cable. But, you never know.
used a DB9F and cable to connect to the E4200 pinouts
Any usb-serial cable that has a DB9 connector is RS-232 +-12V and not 3.3/5V TTL level.
I must have written that more than 100 times over the years here.. _________________ Kernel panic: Aiee, killing interrupt handler!
I tried to use the serial port to unbrick my E4200V1 also with no luck.
Setup:
minicom on Ubuntu
minicom bit rate set to 115k
ttyUSB0 (PL2303 serial port)
used a DB9F and cable to connect to the E4200 pinouts shown in this thread
even tried reversing TXD and RXD connections
nothing shows up on the screen.
So, I looped back the cable after disconnecting from the E4200 and got a character echo so I know my setup is good. I doubt that I'm going to spend the money to try to recover the router with a jtag cable. But, you never know.
Posted: Tue Feb 04, 2014 21:08 Post subject: E4200 V1 Softbricked!
I have a USB serial working connected, I can see the output and even hit Ctrl C quick enough to get to a prompt but this is where things go wrong,
CFE> nvram erase
but when I hit enter nothing happens, it's as if the enter key does not work, the text remains as it is, no commands work at all and I don't get back to a prompt.