[SOLVED] HOWTO - unbrick Linksys E4200 v1 with JTAG

Post new topic   This topic is locked: you cannot edit posts or make replies.    DD-WRT Forum Index -> Broadcom SoC based Hardware
Goto page Previous  1, 2, 3, 4  Next
Author Message
xebbmw
DD-WRT Novice


Joined: 19 Jan 2008
Posts: 17

PostPosted: Tue Apr 15, 2014 2:54    Post subject: Reply with quote
@Malachi: from what I have read from other posts erasing nvram and kernel should be just enough for an E4200.

@alins75: could you please post for me a full bootlog and also nvram content?

As I explained in my other thread http://www.dd-wrt.com/phpBB2/viewtopic.php?p=890722 my router was bricked. I used a flash programmer to write CFE and the entire firmware. After posting in my thread and further research I realized my router hangs after executing the command insmod wl which handles the radio drivers. So my router might have a broken radio chip.

BR


Last edited by xebbmw on Wed May 07, 2014 20:54; edited 1 time in total
Sponsor
scotyard
DD-WRT Novice


Joined: 15 Apr 2014
Posts: 2

PostPosted: Tue Apr 15, 2014 12:26    Post subject: Reply with quote
My E4200 remains bricked after a case of flashing the wrong firmware. Can it be fixed via a serial cable or is a JTAG cable needed? Also, could you post pics of the cables/equipment you used and links to the compatible cables on dx.com?

Thanks for the tutorial.
Malachi
DD-WRT Guru


Joined: 17 Jul 2012
Posts: 7209
Location: Columbus, Ohio

PostPosted: Tue Apr 15, 2014 20:11    Post subject: Reply with quote
Mine just sits at erasing nvram, cfe or kernel.
_________________
I am far from a guru, I'm barely a novice.
alins75
DD-WRT Novice


Joined: 10 Mar 2014
Posts: 12

PostPosted: Thu Apr 17, 2014 7:51    Post subject: Reply with quote
scotyard wrote:
My E4200 remains bricked after a case of flashing the wrong firmware. Can it be fixed via a serial cable or is a JTAG cable needed? Also, could you post pics of the cables/equipment you used and links to the compatible cables on dx.com?

Thanks for the tutorial.


I have used an unbuffered JTAG cable - DLC5
I don't know where you would buy one, because this is own made.
This is the cable.
http://wiki.openwrt.org/doc/hardware/port.jtag.cable.unbuffered
You can used HairyDairyMaid's tutorial on how to make one.
http://www.zero13wireless.net/wireless/APs/JTAG_Tools/HairyDairyMaid_WRT54G_PDF.pdf
scotyard
DD-WRT Novice


Joined: 15 Apr 2014
Posts: 2

PostPosted: Fri Apr 18, 2014 0:42    Post subject: Reply with quote
alins75 wrote:
scotyard wrote:
My E4200 remains bricked after a case of flashing the wrong firmware. Can it be fixed via a serial cable or is a JTAG cable needed? Also, could you post pics of the cables/equipment you used and links to the compatible cables on dx.com?

Thanks for the tutorial.


I have used an unbuffered JTAG cable - DLC5
I don't know where you would buy one, because this is own made.
This is the cable.
http://wiki.openwrt.org/doc/hardware/port.jtag.cable.unbuffered
You can used HairyDairyMaid's tutorial on how to make one.
http://www.zero13wireless.net/wireless/APs/JTAG_Tools/HairyDairyMaid_WRT54G_PDF.pdf


Many thanks for the pic alins75. As complicated as it is for a non tech guy like me, I was willing to do it just to give a lease of life to my 4200 but the requirement of serial port is a bummer. Is a serial port absolutely essential?
alins75
DD-WRT Novice


Joined: 10 Mar 2014
Posts: 12

PostPosted: Fri Apr 18, 2014 6:26    Post subject: Reply with quote
Well, the serial recovery can be done using an USB adapter.
For this jTAG cable you will need a parallel port.
The serial recovery is one thing that I recommend you to try first. In most cases will do.
For me the JTAG recovery is kind of the last resort.
For serial connection(actually trough USB) I used a PL 2303HX USB to TTL adapter. It works just fine with putty or hyperterminal. You can find them on dx.com for 3 or 4 $.
xebbmw
DD-WRT Novice


Joined: 19 Jan 2008
Posts: 17

PostPosted: Fri May 02, 2014 16:32    Post subject: Re: HOWTO - unbrick Linksys E4200 v1 with JTAG Reply with quote
alins75 wrote:

8. reboot the e4200 and perform a serial recovery
- alternatively (worked for me) after reboot start the tftp recovery with tftp.exe using the latest stock firmware: FW_E4200_1.0.05.007_US_20120823_code.bin

Hi,

Alins75: when you are executing tftp.exe the router is stuck at processing when I tried to upload original firmware FW_E4200_1.0.05.007_US_20120823_code.bin. Did you experience the same? I will try to do it again when I have some time.

I tried uploading the firmware using a dd-wrt e4200 mini firmware, in this case the update processing worked fine (the router was not stuck in processing). However after the firmware is loaded and the router restarts some messages were raised as it could not find eth0, eth1, wl0, wl1. I guess it has something to do with nvram variables.

And about tftp.exe, up to now I tried always with the tftp client from WinXP but it looks I was wrong. Did you use tftp.exe or tftp2.exe?

BR
brice83
DD-WRT Novice


Joined: 08 May 2014
Posts: 1

PostPosted: Thu May 08, 2014 10:16    Post subject: cfe backup is not exactly as original Reply with quote
hi alins75,
i've follow your steps and when i backup the cfe(step6), and open it with an hex editor,the last line is missing in the backup.
i, tried the step 7 and get this outpout in the serial console.
any idea of what causing this problem?
thanks
trushna
DD-WRT Novice


Joined: 04 Jun 2013
Posts: 2

PostPosted: Thu Jun 18, 2015 9:25    Post subject: Reply with quote
Hi to all,
i have an e4200 bricked in the same way as yours.

I tried all the steps from 1 to 7 except for that i had to omit /nobreak and /noreset

after all i have the same problem

What i don't understand is why my router reports a cpu speed of 480mhz and yours 133.

I'm open to suggestions. I also tried to do a erase:wholeflash twice

CFE version 2010.09.20.0 based on BBP 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Fri Nov 12 11:01:26 CST 2010 (lzh@team2-complier)
Copyright (C) 2000-2008 Broadcom Corporation.

Init Arena
Init Devs.

No DPN
This is a Serial Flash
Boot partition size = 262144(0x40000)
Found an ST compatible serial flash with 256 64KB blocks; total size 16MB
sflash_cfe_probe: flash type ST, nparts 4
sflash_cfe_probe: idx 0, name boot, descr ST Serial flash offset 00000000 size 256KB
sflash_cfe_probe: idx 1, name trx, descr ST Serial flash offset 00040000 size 1KB
sflash_cfe_probe: idx 2, name os, descr ST Serial flash offset 0004001C size 16068KB
sflash_cfe_probe: idx 3, name nvram, descr ST Serial flash offset 00FF1000 size 60KB
sflash_cfe_probe: flash type ST, nparts 3
sflash_cfe_probe: idx 0, name boot, descr ST Serial flash offset 00000000 size 256KB
sflash_cfe_probe: idx 1, name trx, descr ST Serial flash offset 00040000 size 16068KB
sflash_cfe_probe: idx 2, name nvram, descr ST Serial flash offset 00FF1000 size 60KB
sflash_cfe_probe: flash type ST, nparts 0
CPU type 0x19740: 480MHz
Tot mem: 65536 KBytes

CFE mem: 0x80700000 - 0x8079EA40 (649792)
Data: 0x80734000 - 0x80737FE0 (16352)
BSS: 0x80737FE0 - 0x80738A40 (2656)
Heap: 0x80738A40 - 0x8079CA40 (409600)
Stack: 0x8079CA40 - 0x8079EA40 (8192)
Text: 0x80700000 - 0x80734000 (212992)

board_final_init: commit=0, restore_defaults=0Boot version: v5.2
The boot is CFE

mac_init(): Find mac [C0:C1:C0:F7:17:5F] in location 0
Nothing...
country_init(): Find country code in location 0
The country is same
**Exception 8: EPC=80718DDC, Cause=80008008 (TLBMissRd)
RA=80718DE4, VAddr=0000000C

0 ($00) = 00000000 AT ($01) = 80730000
v0 ($02) = 00000000 v1 ($03) = 00000000
a0 ($04) = 80739A80 a1 ($05) = 8072E345
a2 ($06) = 00000001 a3 ($07) = 00000003
t0 ($0Cool = 00000000 t1 ($09) = 00000000
t2 ($10) = 807337EC t3 ($11) = 00000000
t4 ($12) = 66000023 t5 ($13) = 48534C46
t6 ($14) = 9FC036BC t7 ($15) = 3D7D7F7E
s0 ($16) = 00000000 s1 ($17) = 8072E32C
s2 ($1Cool = 8072E2E4 s3 ($19) = 8072E2F0
s4 ($20) = 8079E800 s5 ($21) = 8079E800
s6 ($22) = 19A14716 s7 ($23) = 00000001
t8 ($24) = 04000000 t9 ($25) = 00000000
k0 ($26) = 82D1EBD1 k1 ($27) = 0A810A80
gp ($2Cool = 8073C000 sp ($29) = 8079E7D8
fp ($30) = 00000000 ra ($31) = 80718DE4
Nukfror
DD-WRT Novice


Joined: 25 Mar 2010
Posts: 12

PostPosted: Mon Aug 08, 2016 16:10    Post subject: Re: HOWTO - unbrick Linksys E4200 v1 with JTAG Reply with quote
Old thread I know but I got my E4200 un-bricked using Serial yesterday. It is possible !!!

I had the same issue with the looping CFE boots complaining about a bad image1 and bad boot block before that.

What I found is using the CFE CLI to perform the "flash" command on the E4200 just didn't work. It would pull the image over TFTP then reboots and immediately goes into the CFE boot loop (saying the image isn't right and hoping a TFTP server exists for it to attempt to a pull again auto-magically on it's own ...) I tried multiple attempts from various blog entries on handling Serial CFE flash-from-external-file attempts ... even a few from the OpenWRT forums. Nothing worked at the CFI CLI using the CFE "flash" command.

BUT, what did work was running this at the CFE command line (which is on dd-wrt forums):

flash -ctheader : flash1.trx

and then on my Macbook Pro - did up to the "put" command before running the "flash" command above:

tftp 192.168.1.1 <<<- IP address of the E4200 while attached via TTL 232 cable
binary
rexmt 1
timeout 60
tftp> put <correct .bin file> <<<<- had this typed into the my MBP CLI but hadn't hit ENTER yet.

Once executed the "flash" command in CFE, I had enter on the put command ... POOOF ... un-bricked.

So I think I learned this:

1) On the E4200, the CFE flash command for pulling external files from an external TFTP isn't reliable or flat out doesn't work.

2) Setting binary mode on the TFTP command is a requirement !! At least on my MBP it is. The OS X tftp OOTB command isn't a smart TFTP client that auto-magically attempts to detect binary vs ASCII files.

3) For those new to CFE like me, the "flash -ctheader : flash1.trx" command actually enables a rather short lived TFTP *SERVER* service on the E4200 waiting for stuff to be pushed into via an external TFTP client.

4) The TFTP binary client side option came from a OpenWRT blog post. If the DD-WRT forum mentions this I likely missed it as the threads for unbricking are long.

Seems the CFE TFTP Server Service knows how to update the firmware in a working fashion vs the CFE flash-from-external-file path which doesn't. I'm wondering if the flash-from-external-file path isn't doing BINARY mode transfers - or maybe it's expecting the TFTP Server to already be in BINARY transfer mode.

Anyway, in short, you can unbrick a E4200 over serial !!! Smile


P.S. and Yes getting the case opened on a E4200 is a royal PITA. My warranty is fully and completely toast Smile Whatever ... it's unbricked.
comatech
DD-WRT Novice


Joined: 21 Sep 2016
Posts: 2

PostPosted: Wed Sep 21, 2016 13:21    Post subject: Reply with quote
Hi Alins! I have same problem with my router, i made a jtag cable form your guide, connected it to the router, it's looks fine, but when i trying brjtag probe its stops on Clearing Watchdog... can i just Ctrl + C and go to next command?
Or maybe you can tell me what to do to fix this?
Thx.
Murrkf
DD-WRT Guru


Joined: 22 Sep 2008
Posts: 12675

PostPosted: Wed Sep 21, 2016 13:58    Post subject: Reply with quote
See the jtag wiki article. You might want /ncw command, or something like that.
_________________
SIG:
I'm trying to teach you to fish, not give you a fish. If you just want a fish, wait for a fisherman who hands them out. I'm more of a fishing instructor.
LOM: "If you show that you have not bothered to read the forum announcements or to follow the advices in them then the level of help available for you will drop substantially, also known as Murrkf's law.."
comatech
DD-WRT Novice


Joined: 21 Sep 2016
Posts: 2

PostPosted: Wed Sep 21, 2016 15:23    Post subject: Reply with quote
Well, it was /nocwd thanks.. anyway brjtag working very unstable on me, crushed on writing cfe and now it looks totally broken.
sfrooze
DD-WRT Novice


Joined: 14 Jan 2015
Posts: 10

PostPosted: Wed Nov 23, 2016 5:10    Post subject: Help with boot loop... Reply with quote
I just brick my e4200 v1 Sad, have the exactly same issue a infinite loop with the same msg of first post, I connected serial with usb ttl uart, I can see boot loop, but now my question is how can stop the boot for put codes?? I try every combinations and pressing hurry Ctrl+C several times again and again, break with putty, even with software for auto press ctrl+c in milliseconds but I can not stop the annoying starting boot loop Mad, i don't know what to do, give me any suggestion please, I keep stuck on that Sad

any help is welcome,

greetings.
alex0001
DD-WRT Novice


Joined: 18 Oct 2014
Posts: 30

PostPosted: Mon May 01, 2017 18:52    Post subject: jtag Reply with quote
hi.does anybody successfully managed to communicate with the e4200 and raspberry pi?i tried oxplot raspberry tjtag but it does not recognise it.it seems it does not have the W25Q128BVFG chipset support.are there any other solution?

thanks
Goto page Previous  1, 2, 3, 4  Next Display posts from previous:    Page 2 of 4
Post new topic   This topic is locked: you cannot edit posts or make replies.    DD-WRT Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum