Posted: Fri May 27, 2011 14:11 Post subject: Progress..
Hi Barryware. Thanks for the quick response.
Some progress. I've successfully changed NVRAM with the /byte_mode and /fc:43 for my FLASH device and although the console hasn't come back up yet, I now get a full set of LEDs flashing on reboot, not just the power and wireless that I had before.
Also managed to erase the bad kernel image - to try and force recovery mode.
If I can't get the console to come back up, I may try and push the stock Linksys firmware back in via JTAG. Slow, but perhaps it will get me there ..
Posted: Fri May 27, 2011 14:20 Post subject: Re: Progress..
phoenix127 wrote:
Hi Barryware. Thanks for the quick response.
Some progress. I've successfully changed NVRAM with the /byte_mode and /fc:43 for my FLASH device and although the console hasn't come back up yet, I now get a full set of LEDs flashing on reboot, not just the power and wireless that I had before.
Also managed to erase the bad kernel image - to try and force recovery mode.
If I can't get the console to come back up, I may try and push the stock Linksys firmware back in via JTAG. Slow, but perhaps it will get me there ..
/fc:43 is wrong (bottom vs top boot). /fc:44 would be the correct fc but the chip is not supported cuz it is a revision D. I have gone over this with tornado.
Jtag looks like it is working but is not.
Use /fc:107. You will see the diff. Jtag will take a bit longer.. It is actually erasing nvram.
EDIT: the fc's might be diff between jtag versions. I used the latest posted, 3.0.2 - rc2 I believe with a wiggler (tornado's diy adapter)
This erased both NVRAM and Kernel (using tjtag 3.0.2). byte_mode seems to be the key here.
Powered router off
Powered up - Now all the LEDs flash, instead of the two that had been before. The first part of progress.
I attempted recovery mode - power off, power on. Wait 2.5 seconds, hold in reset button for 5 seconds.
The router flashed some LEDs, so recovery mode was working and the device became pingable on 192.168.1.1, but no web interface on http://192.168.1.1.
So, I fired up Pumpkin TFTP (http://kin.klever.net/pumpkin).
Renamed the stock Cisco firmware as kernel.bin and sent it to 192.168.1.1
Pumpkin showed the progress on transfer and it completed.
Now you need to wait for about 3-5 minutes until all of the LEDs flash on the router.
The device will reboot and will be back on stock Cisco firmware on 192.168.1.1 and ready for a DD-WRT update again (this time using the correct firmware !).
I'd already used /FC:43 by the time your posting came in. Are you sure you are right on the /fc:43? According to the Macronix data sheet for the device, it's an "EB" version, which makes it bottom boot. Anyhow, either way it worked and it's not a brick any more and the passive JTAG cable worked OK.
BTW - your last posting has disappeared - the one that gives the serial recovery and JTAG options, would be good to get this back on the thread for completeness.
Thanks for your help on this. Now to re-image DD-WRT onto it and make the changes I planned a couple of days ago.
Posted: Fri May 27, 2011 16:08 Post subject: serial down
Nope, serial is still down, think it's bust.
I found a previous post on 610Nv2 that says shorting TXD to VDD on the serial port kills the driver (which makes sense), so it's possible during my time creating a suitable plug for the WAN port serial that I may have shorted it. Alternately, it may have never worked from the factory.
I started with Eko's 4 pin ribbon cable console hack and moved to an RJ45 socket that I removed the center from and cut down to get the springy contacts in a fairly robust header per a suggestion from another posting.
This worked well and reliably connects to the 610Nv1 I have. The only limitation is having to wedge it in with some sleeving off a CAT5 cable to stop the header from popping out while you're doing something else.
If only I'd have found the serial pads on the bottom of the PCB first ...
Suppose it doesn't really matter as I've always got the recovery process above to fall back on and can use SSH to do everything I need to from within the box.
Posted: Thu Jul 07, 2011 17:34 Post subject: Re: Some progress - E3000 / JTAG - part 1
phoenix127 wrote:
I've bridged the JTAG pads on the PCB (http://www.dd-wrt.com/phpBB2/viewtopic.php?t=75073) and agree with barryware that it's very difficult, even for an experienced person (it took hours). The easiest way I found was to take a piece of ribbon cable, strip a wire off, then using just a single strand from that wire, tin the strand, then tin the pads on the PCB and *briefly* heat the PCB. A good magnifying glass and a scalpel for moving the wires helps a lot. You also need a very fine tip on your iron.
If you lift a pad, then scrape the etch resist from the track and solder directly to that - using less heat and time !!
If you're not really good with an iron then don't attempt this.
The JTAG pinout is as per other Linksys devices, taking 1 from the square pad on JB3 is as follows
I bricked my E3000 - think the NVRAM is fscked. It keeps rebooting and never takes a CTRL-C (the serial console works so I can see it reboot every second).
It took seven or eight hours to bridge those five pads. It's like gluing a strand of hair to a grain of salt using a hot glue gun. Using a single strand of wire from an old IDE cable works well - I tinned the end of a strand, and used that to first tin the pads, which limits the solder used. Once the pads were tinned, I cut the strand, tinned another one, and left the strand on the cable to solder it to the PCB - it's easier to hold that way, and functions as a light duty heatsink as well. I managed to do it with a basic soldering iron - a finer point would have made a huge difference.
I only lifted one of the pads (the last one! grr!) and managed to solder directly to the track. Touch the iron to the PCB for maybe half a second. Anything more and you risk damaging it. There's not much solder to heat up anyway.
The key here is to take your time. If your hand is shaking too much, just wait. Once you have a soldered joint, don't move the wire - there's so little solder it's quite easy to break the weld. Leave it for five seconds or so. Once it's soldered to the board and the joint is cool, I just cut the strand with a scalpel - the wire is thin enough it takes very little effort to cut it with a sharp scalpel. Check your work with a multimeter - make sure both sides of the pads you bridged have continuity to the JTAG header.
And after all that, I realized I don't have a DB25 plug.
Detected IR chain length = 5
Number of device(s) = 1
IDCODE for device 1 is 0x0008C17F
Probing bus ... Done
Instruction Length set to 5
CPU Chip ID: 00000000000010001100000101111111 (0008C17F)
*** Found a Broadcom BCM4716 Rev 1 CPU in MIPS MODE chip ***
- EJTAG IMPCODE ....... : 01100000010000010100000000000000 (60414000)
- EJTAG Version ....... : 3.1
- EJTAG DMA Support ... : No
- EJTAG Implementation flags: R4k ASID_8 MIPS16 NoDMA MIPS32
Intial value of Control register is 000000CC
Intial value of status register is 0000007F
01111111 (0000007F)
Status bit 7 Busy Inverted pin 11 = 1
Status bit 6 *Ack pin 10 = 1
Status bit 5 Paper-out pin 12 = 1
Status bit 4 Select pin 13 = 1
Status bit 3 *Error pin 15 = 1
* means low = true, e.g., *Error
VCC connected
values of Control register after init 0x000000CC
value of status register after init 0x0000007F
system reset complete
Chip ID 4716
Chip Rev 1
Package Options a
Number of Cores 9
Core Revision 79
Core Type 710
Core Vendor ID 19a10000
Flash Type 700
Flash Type = PFLASH
Flash bus is 8 bits
Dest is bits 0
Flash is byteswapped 0
Endian Type is LE 0
PLL Type 00000000
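The register values in the tjtag log above can be cross-checked by hand. The following is an added example, not part of the original posts and not tjtag's own code: it splits the IDCODE into its IEEE 1149.1 fields, decodes the MIPS EJTAG IMPCODE bits that correspond to the flags the log prints, and shows why the log reports Busy (status bit 7) as 1 even though the status register reads 0x7F. Function names and the labels for flag values that do not appear in the log are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IEEE 1149.1 IDCODE: version[31:28] part[27:12] manufacturer[11:1] marker[0]. */
struct idcode { unsigned version, part, manufacturer, marker; };

struct idcode decode_idcode(uint32_t v) {
    struct idcode d = { v >> 28, (v >> 12) & 0xFFFF, (v >> 1) & 0x7FF, v & 1 };
    return d;
}

/* EJTAG version lives in IMPCODE[31:29]. */
const char *ejtag_version(uint32_t imp) {
    static const char *names[] = { "1 or 2.0", "2.5", "2.6", "3.1" };
    unsigned f = imp >> 29;
    return f < 4 ? names[f] : "unknown";
}

/* IMPCODE flags in the order the log prints them. Labels for values the
   log does not show (R3k, DMA, MIPS64, other ASID sizes) are constructed. */
const char *impcode_flags(uint32_t imp) {
    static const char *asid[] = { "ASID_none", "ASID_6", "ASID_8", "ASID_reserved" };
    static char buf[64];
    snprintf(buf, sizeof buf, "%s %s %s%s %s",
             (imp >> 28) & 1 ? "R3k" : "R4k",
             asid[(imp >> 21) & 3],
             (imp >> 16) & 1 ? "MIPS16 " : "",
             (imp >> 14) & 1 ? "NoDMA" : "DMA",
             imp & 1 ? "MIPS64" : "MIPS32");
    return buf;
}

/* Electrical level on a parallel-port status pin: the port hardware inverts
   Busy (bit 7), so a register bit of 0 there means the pin is high. */
int status_pin_level(uint8_t status, int bit) {
    return ((status >> bit) & 1) ^ (bit == 7);
}

int main(void) {
    struct idcode id = decode_idcode(0x0008C17F);   /* value from the log */
    printf("version=%u part=0x%04X manufacturer=0x%03X marker=%u\n",
           id.version, id.part, id.manufacturer, id.marker);
    printf("EJTAG %s: %s\n", ejtag_version(0x60414000), impcode_flags(0x60414000));
    for (int bit = 7; bit >= 3; bit--)
        printf("status bit %d -> pin level %d\n", bit, status_pin_level(0x7F, bit));
    return 0;
}
```

An IDCODE whose marker bit is 0, or a decoded flag string that disagrees with what the tool prints, usually points at a wiring or cable problem rather than at the chip.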
Posted: Thu Jan 31, 2019 10:42 Post subject: update
wrt610nv2 or e3000 corrupted flash update.
I have done +-15 routers so far, wrt610nv2 or e3000. Actually, there is no need for JTAG for unbricking whatsoever unless somebody erased CFE intentionally.
The reason why nvram gets corrupt is the heat. To place it straight, the 470uF 10V cap for 1.284V circuit (placed in the middle of the board gets a lot of heat and just dies) is the culprit of corrupted nvram.
No JTAG, not even serial, is needed to fix corrupted nvram (power button blinks forever) on these routers.
Just replace the mentioned cap and you are done. Sometimes, you might experience a cfe boot loop but pressing the reset button at power-up will erase nvram, just like serial or jtag will.