Posted: Wed Mar 21, 2012 16:07 Post subject: WRT600N - ANR0-MRNO? (swap-o-presto) -► STUCK, needs flash
Okay..
This is not my first Linksys WRT600N flash. But, it has me baffled. I've labeled this WRT600N the "swap-o-presto" router since it looks like it has either had a board change or a "magic trick"..
This WRT600N is labeled on the external case label as an "ANR0" v1.1 model, but internally it has the "Broadcom 4705 @ 300 MHz" chip-set. I believe the main-board may have been swapped by the previous owner. "OR" Linksys was really not building good stuff when this one was built. According to the "Wikipedia" site, ALL ANR0 models are listed as v1.0 ???
The label on the bottom of the router reads MAC ADDRESS "00-21-29-67-AC-E3".
I used the command "CFE> ifconfig eth0 -ipaddr=192.168.1.1 -mask=255.255.255.0" to set the LAN back to 192.168.1.1 so I could get it to ping.
I am not sure "WHAT" firmware was on this router before since it was not working when I received it and have not been able to get it to a GUI. It presently only reads the following when I go into PuTTy. I believe I need to get it working in OEM firmware before anything else. it presently goes through a few lines of code during boot-up and then "STOPS". The power light is "ON" (not flashing, the "LAN" port is lit when the Ethernet cable is plugged in (again, not flashing) and there are no blinking lights.
PuTTy reads...
Loader:raw Filesys:tftp Dev:eth0 File:: Options:(null)
Loading: Failed.
Could not load :: Timeout occured
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
Loading: .. 3856 bytes read
Entry at 0x80001000
Closing network.
eth0: cannot clear 1400/00000002
Starting program at 0x80001000
CPU ProcId is: 0x0002901a, options: 0x0000004d
Linux version 2.4.37 (root@dd-wrt) (gcc version 3.4.6 (OpenWrt-2.0)) #13298 Thu Aug 12 03:58:44 CEST 2010
Setting the PFC to its default value
Determined physical RAM map:
memory: 02000000 @ 00000000 (usable)
On node 0 totalpages: 8192
zone(0): 8192 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/mtdblock2 rootfstype=squashfs,jffs2 noinitrd console=ttyS0,115200
CPU: BCM4785 rev 2 at 300 MHz
Using 150.000 MHz high precision timer.
Calibrating delay loop... 299.82 BogoMIPS
Dentry cache hash table entries: 4096 (order: 3, 32768 bytes)
Inode cache hash table entries: 2048 (order: 2, 16384 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 8192 (order: 3, 32768 bytes)
Checking for 'wait' instruction... unavailable.
POSIX conformance testing by UNIFIX
PCI: Initializing host
PCI: Ignoring BAR0-1 of IDE controller 00:06.0
PCI: Fixing up bus 0
PCI: Fixing up bridge
PCI: Setting latency timer of device 01:00.0 to 64
And it stops and sits there...
Also, in the PuTTy output, the one line of output reads that it thinks the routers CPU is a "BCM4785 rev 2 at 300 MHz" but I have "visually" confirmed that it is not a "BCM4785r2", it is visually confirmed to be a "BCM4705".
Does anyone have a recommendation on which OEM firmware should be on this unit?
Can OEM firmware be put back on this unit and then upgraded to DD-WRT from there?
Thank You.
Last edited by lost-in-space on Sat Mar 24, 2012 3:18; edited 3 times in total
1. Determine the actual make and model that the Board is from. If it doesn't match the box, the box is irrelevant. There are sometimes submodels of routers created for specific vendors (eg. wrt54g-tm) that have specific components and firmware.
2. Find out what the stock router firmware was, and Flash stock firmware to that router if you can. You might have to redo the cfe as it seems, from what you have said, that the cfe doesn't match. However, sometimes chipset are the grouped into a similar type, and reported as one of those types. LOM or Barryware will know about this.
3. Whether you can put dd-wrt on the router depends on whether the board is from a supported router or not. _________________ SIG:
I'm trying to teach you to fish, not give you a fish. If you just want a fish, wait for a fisherman who hands them out. I'm more of a fishing instructor.
LOM: "If you show that you have not bothered to read the forum announcements or to follow the advices in them then the level of help available for you will drop substantially, also known as Murrkf's law.."
Thank you so very much for replying to my posting.
RE: 1) Determine the actual make and model that the Board is from. If it doesn't match the box, the box is irrelevant. There are sometimes submodels of routers created for specific vendors (eg. wrt54g-tm) that have specific components and firmware.
I agree. The board & box do not match, I believe the board was replaced.
Yes, the box tag information is irrelevant to the hardware (board) for repair, flashing and configuration at present.
RE: 2A) Find out what the stock router firmware was, and Flash stock firmware to that router if you can.
At present, I only have the chip-set numbers to use to identify it as a WRT600N v1.0 board. I've downloaded/saved/flashed all of the OEM WRT600N firmwares that I've been able to locate from the forum that I could find. None of the ones I have loaded seem to get it back to a functional state. The versions I've tried are:
RE: 2B) You might have to redo the cfe as it seems, from what you have said, that the cfe doesn't match. However, sometimes chipset are the grouped into a similar type, and reported as one of those types. LOM or Barryware will know about this.
yes.. "Reload the CFE"..
I'm unfamiliar with how to reload a "CFE" but, I'll try anything if someone can explain the process and where I can find the files I need to download something.
RE: 2C) 3. Whether you can put dd-wrt on the router depends on whether the board is from a supported router or not.
I agree. Presently, if I can determine a "functional" path to get it flashed to OEM", from there, even thought the board isn't in the original BOX, I can try to flash DD-WRT and if t fails, go back to OEM and have it at least functional.
At present, it just seems like the router is trying to load "something" for the wrong processor model. trying to load for a "BCM4785r2" when it should be loading for a "BCM4705". I don't know if that any bearing or not.
Joined: 26 Jan 2008 Posts: 13049 Location: Behind The Reset Button
Posted: Sat Mar 24, 2012 3:06 Post subject:
do not.. DO NOT!!! try to replace the cfe vie winscp & telnet. You will brick the router and to fix it, you will have to remove the flash chip, program it, and put it back in.
because it is such a pita to repair, I have not attempted to write the cfe again (after two failed attempts). It is a theory that there is something wrong with the firmware write routine on this router.
The 350 had a similar problem when the cfe was replaced to allow k26 to run. Eko fixed the write routine for the 350.
don't worry about the macs.. the cfe does not contain the macs. The macs are stored in a secret partition on the flash chip called "factory". Under the right circumstances (enabling jffs), dd-wrt wipes out this partition.
The radio macs actually come from the radio cards. this device had two mini pcmcia radio cards.
tmk.. there is no diff in hardware between v1 & v1.1. It is normal for serial output to report the processor that is actually not on the board.. they are in the same family and only the package is diff I believe.. LOM will know.
just erase nvram, flash it back to stock.. reboot it & power cycle it a few times, then install dd-wrt.
Somewhere around here, I have all the files from a 600 or two LOM & I were working on. It was quite a while ago though (1.5 years ago at least)
I can prolly dig out the factory partition.. you need to flash it to the chip @ offset 0x007E0000. I don't remember how I did it. I used the cfe's flash command but I forgot how I pointed it to the right offset _________________ [Moderator Deleted]
RE: do not.. DO NOT!!! try to replace the cfe vie winscp & telnet. You will brick the router and to fix it, you will have to remove the flash chip, program it, and put it back in.
Excellent!! I'll leave the CFE alone. I understand very well the work necessary to replace the flash chip and "no", I don't relish that thought. Personally, if I have to replace a flash chip, I'd rather it be for a storage upgrade and not as a uninstall/reflash/re-install "repair"... It's a lot of work.
RE: It is a theory that there is something wrong with the firmware write routine on this router.
It sounds logical. I've tried to flash the OEM firmware several times and the versions I've mentioned earlier have no effect on getting it working in the present state.
RE: don't worry about the macs... (et/al), ...The radio macs actually come from the radio cards.
yes, I understand...
RE: tmk.. there is no diff in hardware between v1 & v1.1. It is normal for serial output to report the processor that is actually not on the board.. they are in the same family and only the package is diff I believe.. LOM will know.
Okay.. I don't have any specification data sheets to use to evaluate the parameters but until someone knows otherwise, I'll look past it at this point. There must have been some change in the chipset though for Broadcom to issue it a new ID number; I just don't know what it is/was. (Again, I don't have datasheets).
RE: just erase nvram, flash it back to stock.. reboot it & power cycle it a few times, then install dd-wrt.
Okay.. I'll have to get the WRT600N to accept a OEM flash. Going to have to overcome the something wrong with the firmware write routine on this router obstacle first from what I understand. It seems to accept the OEM firmware when I use the "CFE> nvram erase", reboot, "tftp -i 192.168.1.1 put filename.bin" command, etc.. I can see the LAN1 port flickering indicating file transfer. I let the router sit, reboot, etc.. but still no-go.
RE: I can prolly dig out the factory partition.. you need to flash it to the chip @ offset 0x007E0000.
Okay.. well, at present. I've used the tools at my disposal. The "factory partition", is that like the boot sector on a hard drive but in this case, stored on the flash chip?
RE: I don't remember how I did it. I used the cfe's flash command but I forgot how I pointed it to the right offset.
Well, I am not in a hurry. This one will be my back-up router. My primary router is doing fine and I have time to get this one functioning.
Joined: 26 Jan 2008 Posts: 13049 Location: Behind The Reset Button
Posted: Sat Mar 24, 2012 13:21 Post subject:
attached is the "factory" partition. As you can see, the et0 mac as well as the pin is contained in this partition. it is 64k in size.
I went digging through my notes and I can not find, nor do I remember how I flashed it. I either used the cfe commands or possibly telnet (busybox). I am sure someone can chime in how to do it.
chip layout from stock boot that gives location:
Creating 5 MTD partitions on "Physically mapped flash":
I went back and started fresh, tried the flashing again with a clear mind to see if I overlooked anything..
RE: cfe> nvram erase [hit enter]and then cfe> flash -noheader : flash1.trx [hit enter]*(1 space before the colon, one space after the colon ":")
with PuTTY
RE: c:\(path)tftp -i 192.168.1.1 put WRT600N.bin with Terminal
yes, works fine. flash transfers...
VERSION: WRT600N_1.01.36_Build_4.bin
7:00PM
CFE> flash -noheader : flash1.trx
Reading :: Done. 6729760 bytes read
front: Total size is 6729760
BCM5395
Programming...done. 6729760 bytes written
*** command status = 0
CFE>
7:03PM.. let the router/computer "things" alone, go get coffee, (w/french vanilla creamer)..
7:16PM.. back at my desk, look out window to see if "hot/sexy" neighbor lady is dressed; (darn!!, no cam)..
7:16PM.. reboot router....
7:17PM.. Go eat dinner, feed dog while router reboots..
8:10PM.. back at desk, cut/copy/paste from PuTTy to forum post.
PuTTy Reads..
Loader:raw Filesys:tftp Dev:eth0 File:: Options:(null)
Loading: Failed.
Could not load :: Interrupted
CFE> nvram erase
*** command status = 0
CFE> flash -noheader : flash1.trx
Reading :: Done. 6729760 bytes read
front: Total size is 6729760
BCM5395
Programming...done. 6729760 bytes written
*** command status = 0
CFE>
eth0: Link speed: 1000BaseT FDX
Device eth0: hwaddr 00-90-4C-A6-00-01, ipaddr 192.168.1.1, mask 255.255.255.0
gateway not set, nameserver not set
Loader:raw Filesys:tftp Dev:eth0 File:: Options:(null)
Loading: Failed.
Could not load :: Timeout occured
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
Loading: ..... 2408448 bytes read
Entry at 0x80001000
Closing network.
eth0: cannot clear 1400/00000002
Starting program at 0x80001000
CPU revision is: 0002901a
Primary instruction cache 32kb, linesize 16 bytes (4 ways)
Primary data cache 32kb, linesize 16 bytes (2 ways)
Linux version 2.4.20 (joseph@localhost) (gcc version 3.2.3 with Broadcom modifications) #2781 ¤ 5¤ë 2 11:28:34 CST 2008
Setting the PFC to its default value
Determined physical RAM map:
memory: 02000000 @ 00000000 (usable)
On node 0 totalpages: 8192
zone(0): 8192 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/mtdblock2 noinitrd console=ttyS0,115200
CPU: BCM4785 rev 2 at 300 MHz
Calibrating delay loop... 299.82 BogoMIPS
Memory: 29812k/32768k available (2116k kernel code, 2956k reserved, 136k data, 76k init, 0k highmem)
Dentry cache hash table entries: 4096 (order: 3, 32768 bytes)
Inode cache hash table entries: 2048 (order: 2, 16384 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 8192 (order: 3, 32768 bytes)
Checking for 'wait' instruction... unavailable.
POSIX conformance testing by UNIFIX
PCI: Initializing host
PCI: Fixing up bus 0
PCI: Fixing up bridge
eth0: Link speed: 1000BaseT FDX
Device eth0: hwaddr 00-90-4C-A6-00-01, ipaddr 192.168.1.1, mask 255.255.255.0
gateway not set, nameserver not set
Loader:raw Filesys:tftp Dev:eth0 File:: Options:(null)
Loading: Failed.
Could not load :: Timeout occured
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
Loading: ..... 2408448 bytes read
Entry at 0x80001000
Closing network.
eth0: cannot clear 1400/00000002
Starting program at 0x80001000
CPU revision is: 0002901a
Primary instruction cache 32kb, linesize 16 bytes (4 ways)
Primary data cache 32kb, linesize 16 bytes (2 ways)
Linux version 2.4.20 (joseph@localhost) (gcc version 3.2.3 with Broadcom modifications) #2781 ¤ 5¤ë 2 11:28:34 CST 2008
Setting the PFC to its default value
Determined physical RAM map:
memory: 02000000 @ 00000000 (usable)
On node 0 totalpages: 8192
zone(0): 8192 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/mtdblock2 noinitrd console=ttyS0,115200
CPU: BCM4785 rev 2 at 300 MHz
Calibrating delay loop... 299.82 BogoMIPS
Memory: 29812k/32768k available (2116k kernel code, 2956k reserved, 136k data, 76k init, 0k highmem)
Dentry cache hash table entries: 4096 (order: 3, 32768 bytes)
Inode cache hash table entries: 2048 (order: 2, 16384 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 8192 (order: 3, 32768 bytes)
Checking for 'wait' instruction... unavailable.
POSIX conformance testing by UNIFIX
PCI: Initializing host
PCI: Fixing up bus 0
PCI: Fixing up bridge
eth0: Link speed: 1000BaseT FDX
Device eth0: hwaddr 00-90-4C-A6-00-01, ipaddr 192.168.1.1, mask 255.255.255.0
gateway not set, nameserver not set
Loader:raw Filesys:tftp Dev:eth0 File:: Options:(null)
Loading: Failed.
Could not load :: Timeout occured
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
Loading: ..... 2408448 bytes read
Entry at 0x80001000
Closing network.
eth0: cannot clear 1400/00000002
Starting program at 0x80001000
CPU revision is: 0002901a
Primary instruction cache 32kb, linesize 16 bytes (4 ways)
Primary data cache 32kb, linesize 16 bytes (2 ways)
Linux version 2.4.20 (joseph@localhost) (gcc version 3.2.3 with Broadcom modifications) #2781 ¤ 5¤ë 2 11:28:34 CST 2008
Setting the PFC to its default value
Determined physical RAM map:
memory: 02000000 @ 00000000 (usable)
On node 0 totalpages: 8192
zone(0): 8192 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/mtdblock2 noinitrd console=ttyS0,115200
CPU: BCM4785 rev 2 at 300 MHz
Calibrating delay loop... 299.82 BogoMIPS
Memory: 29812k/32768k available (2116k kernel code, 2956k reserved, 136k data, 76k init, 0k highmem)
Dentry cache hash table entries: 4096 (order: 3, 32768 bytes)
Inode cache hash table entries: 2048 (order: 2, 16384 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 8192 (order: 3, 32768 bytes)
Checking for 'wait' instruction... unavailable.
POSIX conformance testing by UNIFIX
PCI: Initializing host
PCI: Fixing up bus 0
PCI: Fixing up bridge
Decompressing...........done
AUTO-REBOOTS....
same as above (edited text for space)
POSIX conformance testing by UNIFIX
PCI: Initializing host
PCI: Fixing up bus 0
PCI: Fixing up bridge
Decompressing...........done
AUTO-REBOOTS AGAIN...
same as above (edited text for space)
POSIX conformance testing by UNIFIX
PCI: Initializing host
PCI: Fixing up bus 0
PCI: Fixing up bridge
Decompressing...........done
AUTO-REBOOTS AGAIN...
same as above (edited text for space)
Checking for 'wait' instruction... unavailable.
POSIX conformance testing by UNIFIX
PCI: Initializing host
PCI: Fixing up bus 0
PCI: Fixing up bridge <--<< (the screen freezes here this time..)
IT STOPS WORKING HERE.. SCREEN FREEZES...
Last edited by lost-in-space on Sun Mar 25, 2012 18:13; edited 2 times in total
Hey.. is this the flashing procedure you used to restore the WRT600N chip. Remove, install in a JTAG capable router, "flash", remove from other router, reinstall back into the WRT600N? I really don't think I care to be swapping/flashing/de-soldering/soldering chips at this point..
Also, I am wondering if I may have "error-ed" in my initial suspicion that the board is/was replaced. Is it possible that the present MAC Address difference that is present may be a default that the router "defaulted" back to and erased the original flashed MAC?
QUESTION.. How do "bootkillers" work? I don't know anything about them. Is there a software tool that would write code to the partition sufficiently to allow direct flashing of DD-WRT to a WRT600N that has a "boinked" factory partition that will not flash/boot/restore? (i/e: An alternative to chip removal or in the absence of a JTAG port on the WRT600N)
This is all above my area of experience and present knowledge-base.
