[SOLVED] HOWTO - unbrick Linksys E4200 v1 with JTAG

alins75
DD-WRT Novice


Joined: 10 Mar 2014
Posts: 12

Posted: Mon Mar 10, 2014 11:36    Post subject: [SOLVED] HOWTO - unbrick Linksys E4200 v1 with JTAG
Hi everybody,

This is a small HOWTO that you can use to unbrick the E4200 using JTAG. See details below.

I have managed to brick my E4200 after flashing dd-wrt.v24-23082_NEWD-2_K2.6_XXX-nv60k.bin.

After flash, instant brick.
The bad thing was that I could not unbrick it with a serial connection and TFTP. Of course I have tried and apparently it worked, but after reboot the only thing it did was to constantly show the following message on the serial console (some of you may have seen it - the reboot loop):

CFE version 2010.09.20.0 based on BBP 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Fri Nov 12 11:01:26 CST 2010 (lzh@team2-complier)
Copyright (C) 2000-2008 Broadcom Corporation.

Init Arena
Init Devs.

No DPN
This is a Serial Flash
Boot partition size = 262144(0x40000)
Found an ST compatible serial flash with 256 64KB blocks; total size 16MB
sflash_cfe_probe: flash type ST, nparts 4
sflash_cfe_probe: idx 0, name boot, descr ST Serial flash offset 00000000 size 256KB
sflash_cfe_probe: idx 1, name trx, descr ST Serial flash offset 00040000 size 1KB
sflash_cfe_probe: idx 2, name os, descr ST Serial flash offset 0004001C size 16068KB
sflash_cfe_probe: idx 3, name nvram, descr ST Serial flash offset 00FF1000 size 60KB
sflash_cfe_probe: flash type ST, nparts 3
sflash_cfe_probe: idx 0, name boot, descr ST Serial flash offset 00000000 size 256KB
sflash_cfe_probe: idx 1, name trx, descr ST Serial flash offset 00040000 size 16068KB
sflash_cfe_probe: idx 2, name nvram, descr ST Serial flash offset 00FF1000 size 60KB
sflash_cfe_probe: flash type ST, nparts 0
CPU type 0x19740: 133MHz
Tot mem: 65536 KBytes

CFE mem: 0x80700000 - 0x8079EA40 (649792)
Data: 0x80734000 - 0x80737FE0 (16352)
BSS: 0x80737FE0 - 0x80738A40 (2656)
Heap: 0x80738A40 - 0x8079CA40 (409600)
Stack: 0x8079CA40 - 0x8079EA40 (8192)
Text: 0x80700000 - 0x80734000 (212992)

board_final_init: commit=0, restore_defaults=0Boot version: v5.2
The boot is CFE

mac_init(): Find mac [C0:C1:C0:AF:75:B0] in location 0
Nothing...
country_init(): Find country code in location 0
The country is same
**Exception 8: EPC=80718DDC, Cause=80000008 (TLBMissRd)
RA=80718DE4, VAddr=0000000C

0 ($00) = 00000000 AT ($01) = 80730000
v0 ($02) = 00000000 v1 ($03) = 00000000
a0 ($04) = 80739A80 a1 ($05) = 8072E345
a2 ($06) = 00000001 a3 ($07) = 00000005
t0 ($08) = 00000000 t1 ($09) = 00000000
t2 ($10) = 807337EC t3 ($11) = 00000000
t4 ($12) = 00000000 t5 ($13) = 48534C46
t6 ($14) = 9FC036BC t7 ($15) = FECDFFBF
s0 ($16) = 00000000 s1 ($17) = 8072E32C
s2 ($18) = 8072E2E4 s3 ($19) = 8072E2F0
s4 ($20) = 8079E800 s5 ($21) = 8079E800
s6 ($22) = 19A14716 s7 ($23) = 00000001
t8 ($24) = 04000000 t9 ($25) = 00000000
k0 ($26) = CAC1CAD1 k1 ($27) = 8AF548C0
gp ($28) = 8073C000 sp ($29) = 8079E7D8
fp ($30) = 00000000 ra ($31) = 80718DE4



The good news here is that after a week I have SUCCESSFULLY managed to unbrick my E4200 with JTAG.
My E4200 v1 has a Broadcom BCM4716 CPU @ 480MHz and a Winbond W25Q128BVFG 128Mbit/16MB flash chip.

For the serial connection I used a PL2303HX USB to TTL adapter. It works just fine with PuTTY.
For JTAG I could only use an unbuffered JTAG cable.

SERIAL PINOUT - JB2 - 5 holes on the board
pin 1 is the square one
pin 2 TX - connect to RX on the PL2303
pin 3 RX - connect to TX on the PL2303
pin 5 GND - connect to GND on the PL2303

JTAG PINOUT - JB3 - 12 holes on the board
pin 1 - not used
pin 3 - JTAG TDI
pin 5 - JTAG TDO
pin 7 - JTAG TMS
pin 9 - JTAG TCK
pin 11 - not used
pin 2, 4, 6, 8, 10 - GND - use one of them
pin 12 - not used

I didn't use any soldering, I only used pins that could fit in.


Last edited by alins75 on Wed Mar 12, 2014 12:11; edited 2 times in total
alins75
DD-WRT Novice


Joined: 10 Mar 2014
Posts: 12

Posted: Mon Mar 10, 2014 13:59    Post subject: Re: HOWTO - unbrick Linksys E4200 v1 with JTAG
As I said, serial recovery didn't work. I had to use the unbuffered JTAG cable.

Erasing the NVRAM did not help - the CFE was corrupt. The E4200 was still in the continuous CFE boot loop.
Erasing the whole flash did not help either.
I had to erase the CFE, kernel and NVRAM. Next I could flash the CFE.

I used brjtag v2.0.5 for this; TJTAG and ZJTAG did not work. Maybe they do, I don't know, but they didn't work for me.


DO NOT RESTART THE E4200 between steps 1 to 7


1. probe
brjtag -probeonly /cable:dlc5 /fc:120 /noreset /nobreak /instrlen:5

2. erase CFE
brjtag -erase:cfe /cable:dlc5 /fc:120 /noreset /nobreak /instrlen:5 /wx8 /verbose

3. erase kernel
brjtag -erase:kernel /cable:dlc5 /fc:120 /noreset /nobreak /instrlen:5 /wx8 /verbose

4. erase NVRAM
- erase:nvram - it never worked - at least for me
- this is what I used

brjtag -erase:custom /cable:dlc5 /fc:120 /noreset /nobreak /instrlen:5 /wx8 /verbose /window:1c000000 /start:1cff0000 /length:10000

5. flash CFE
- if you have a backup of your CFE - good. If not, use a generic one and use a hex editor to edit the MAC address, S/N and PIN
- once you have the CFE - make sure the name is CFE.BIN and place it in the brjtag directory
- do not erase CFE before flashing - it will fail - you have to use /noerase

brjtag -flash:cfe /cable:dlc5 /fc:120 /noreset /nobreak /instrlen:5 /wx8 /verbose /noerase

6. backup the CFE
brjtag -backup:cfe /cable:dlc5 /fc:120 /noreset /nobreak /instrlen:5 /wx8 /verbose

- binary compare the backup with what you have written in the previous step. It should be identical.

7. backup NVRAM
brjtag -backup:custom /cable:dlc5 /fc:120 /noreset /nobreak /instrlen:5 /wx8 /verbose /window:1c000000 /start:1cff0000 /length:10000
- look at the backup - it should be empty
- when doing the backup you should see something like this:
===============================================
Broadcom EJTAG Debrick Utility v2.0.5-hugebird
===============================================


Probing bus ... Done

Detected IR Length is 5

CPU assumed running under LITTLE endian

CPU Chip ID: 00000000000010001100000101111111 (0008C17F)
*** Found a Broadcom manufactured HND Mips 74K(008C) REV 01 CPU ***

- EJTAG IMPCODE ....... : 01100000010000010100000000000000 (60414000)
- EJTAG Version ....... : 3.1
- EJTAG DMA Support ... : No
- EJTAG Implementation flags: R4k ASID_8 MIPS16 NoDMA MIPS32

Issuing Processor / Peripheral Reset ... Skipped
Enabling Memory Writes ... Skipped
Halting Processor ... Skipped
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped

Matching Flash Chip (VenID:DevID = 0020 : 0017)

*** Manually Selected a ST SPI compatible 128Mb (16MB) from ST/Numonyx

- Flash Chip Window Start .... : 1C000000
- Flash Chip Window Length ... : 01000000
- Selected Area Start ........ : 1CFF0000
- Selected Area Length ....... : 00020000

*** You Selected to Backup the CUSTOM.BIN ***

=========================
Backup Routine Started
=========================



8. reboot the E4200 and perform a serial recovery
- alternatively (worked for me) after reboot start the tftp recovery with tftp.exe using the latest stock firmware: FW_E4200_1.0.05.007_US_20120823_code.bin

9. You have a revived E4200 v1.

HOWTO edit the CFE with your MAC, S/N and PIN
Use the attached e4200v1_cfe.bin and modify it with your data using a hex editor.


E4200 CFE:
MAC @ 0x3EF00
S/N @ 0x3FE30
PIN @ 0x3FCDC



Attachment: cfe_e4200_V1.bin (256 KB) - E4200 V1 - generic CFE.BIN - to be used with JTAG recovery
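An added example, not a tool from the thread or from brjtag: a small Python script that applies the MAC, S/N and PIN edits at the offsets listed above and then does the binary compare from step 6, reporting where two 256 KB CFE images differ so you can confirm a backup differs from the generic CFE only at those three fields. It assumes the fields are stored as NUL-terminated ASCII strings at the quoted offsets and that an edit must keep the field length; the placeholder values are constructed.

```python
# Added example: patch the per-unit fields in a generic E4200 v1 CFE image and
# binary-compare two CFE images, as the thread does by hand with a hex editor.
# Field encoding (NUL-terminated ASCII at the quoted offsets) is an assumption.
CFE_SIZE = 0x40000  # 256 KB boot partition, per the CFE banner

# Offsets quoted in the thread for the E4200 v1 CFE
FIELDS = {"mac": 0x3EF00, "sn": 0x3FE30, "pin": 0x3FCDC}
MAX_FIELD = 0x40    # assumed upper bound on a field's length


def patch_field(image: bytearray, offset: int, new: bytes) -> None:
    """Overwrite a field in place; refuse edits that would change its length."""
    old_len = image.index(b"\x00", offset) - offset
    if len(new) != old_len:
        raise ValueError(f"field at {offset:#x} is {old_len} bytes, got {len(new)}")
    image[offset:offset + old_len] = new


def diff_regions(a: bytes, b: bytes) -> list:
    """Return [(start, end)] byte ranges where two same-sized images differ."""
    if len(a) != len(b):
        raise ValueError("images differ in size; not a valid CFE backup compare")
    regions, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, len(a)))
    return regions


def field_name(offset: int) -> str:
    """Map a differing offset to the field it falls in, or 'unexpected'."""
    for name, base in FIELDS.items():
        if base <= offset < base + MAX_FIELD:
            return name
    return "unexpected"


def build_generic_cfe() -> bytearray:
    """Constructed stand-in for cfe_e4200_V1.bin with placeholder field values."""
    img = bytearray(CFE_SIZE)
    for name, value in (("mac", b"00:11:22:33:44:55"), ("sn", b"000000000000"),
                        ("pin", b"00000000")):
        off = FIELDS[name]
        img[off:off + len(value)] = value
    return img
```

On a real backup taken with step 6, every region reported by `diff_regions` against the generic image should map to `mac`, `sn` or `pin`; an `unexpected` region means the write or the JTAG connection is suspect.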

Malachi
DD-WRT Guru


Joined: 17 Jul 2012
Posts: 7231
Location: Columbus, Ohio

Posted: Wed Apr 02, 2014 22:06
I can't erase the nvram using either one of the two steps. It hangs right at the beginning.
_________________
I am far from a guru, I'm barely a novice.
alins75
DD-WRT Novice


Joined: 10 Mar 2014
Posts: 12

Posted: Thu Apr 03, 2014 17:46
Before trying to erase, can you try to make a backup of the NVRAM, just to make sure the brjtag works?

Try step 1, then step 7.
You should get an NVRAM, corrupted probably, but looking close to what an NVRAM should look like.

I have successfully backed up the CFE and the NVRAM from a second E4200v1 that I have, therefore I'm pretty sure it should work for you too, if you have the same Winbond flash chip.

erase:nvram or backup:nvram did not work for me.

On second thought, you may try to backup the CFE and binary compare it with the CFE I have posted. If the connection works for you, they should be almost identical.
Malachi
DD-WRT Guru


Joined: 17 Jul 2012
Posts: 7231
Location: Columbus, Ohio

Posted: Thu Apr 03, 2014 17:51
I backed up my CFE, twice. They were the same. Same as yours except the MAC, serial and PIN.
I got it to erase, nvram, cfe but erasing kernel hangs.
Before going to bed last night I started erase:wholeflash.
8 hours later only 55 blocks out of 235 (i think) had been erased.
We will see when I get home.

_________________
I am far from a guru, I'm barely a novice.
alins75
DD-WRT Novice


Joined: 10 Mar 2014
Posts: 12

Posted: Thu Apr 03, 2014 18:01
But why do you need to erase kernel?
After erasing the nvram the serial recovery should work.
Alternatively, you can try erasing the kernel using erase:custom
Something like this:
brjtag -erase:custom /cable:dlc5 /fc:120 /noreset /nobreak /instrlen:5 /wx8 /verbose /window:1c000000 /start:1cf040000 /length:100000
This should erase the first 1MB of your kernel.
Malachi
DD-WRT Guru


Joined: 17 Jul 2012
Posts: 7231
Location: Columbus, Ohio

Posted: Thu Apr 03, 2014 18:04
After erasing nvram, I still got no serial output. No ping, computer was saying no Ethernet cable connected.

Btw when I tried your erase:custom command, brjtag kept giving an error saying " with custom you need 'window', Start and length.
I copied your command exactly. Even tried copy and paste in case I was leaving out a character.

_________________
I am far from a guru, I'm barely a novice.
alins75
DD-WRT Novice


Joined: 10 Mar 2014
Posts: 12

Posted: Thu Apr 03, 2014 18:38
Well, I don't know what to tell you, but I think eventually it will work.

Anyway, performing all the steps (1 to 7) didn't take more than 30 min.
Erasing the kernel was pretty quick too...
I did not try to erase the whole flash.
Regardless of all the above, at some point after playing with zjtag and tjtag I have managed to make my E4200 completely dead, no serial output, nothing but a steady LED under the Cisco logo. Steps 1 to 7 that I have posted revived it.
Hope it will work for you too.

The erase:custom is one long line, including window length and start parameters.
I am not sure it is good as I have typed it on my phone.
But it looks like I have mistyped anyway.

brjtag -erase:custom /cable:dlc5 /fc:120 /noreset /nobreak /instrlen:5 /wx8 /verbose /window:1c000000 /start:1c040000 /length:100000

You can play with the parameters yourself.
As the CFE is 256 KB, the kernel starts right after it at offset 00040000.
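An added example, not part of the thread and not brjtag's own code: a Python helper that derives the /window, /start and /length values for the erase:custom and backup:custom commands from the partition table the CFE prints at boot, rounds them out to whole 64 KB erase blocks, and refuses an area that falls outside the 16 MB flash window (which is what the nine-digit start address in the mistyped command above does). The flash base 0x1c000000 and block size are taken from the thread and the CFE banner; the dlc5 cable options are the ones used in the thread.

```python
# Added example: compute brjtag custom-area parameters from the E4200 v1 flash
# layout printed by the CFE and sanity-check them before running anything.
FLASH_WINDOW = 0x1C000000   # address where the SPI flash is mapped (/window)
FLASH_SIZE = 0x01000000     # 16 MB, per the CFE banner
BLOCK = 0x10000             # 64 KB erase block ("256 64KB blocks")

# Partition table as printed by sflash_cfe_probe in the boot log: (offset, size)
PARTS = {
    "boot": (0x00000000, 256 * 1024),
    "trx": (0x00040000, 16068 * 1024),
    "nvram": (0x00FF1000, 60 * 1024),
}


def custom_range(offset: int, size: int) -> tuple:
    """Return (start, length) covering [offset, offset+size) as absolute flash
    addresses, rounded outward to whole erase blocks."""
    start = FLASH_WINDOW + (offset & ~(BLOCK - 1))
    end = FLASH_WINDOW + ((offset + size + BLOCK - 1) & ~(BLOCK - 1))
    return start, end - start


def check_range(start: int, length: int) -> bool:
    """True only if the area is block-aligned and lies inside the flash window."""
    inside = FLASH_WINDOW <= start and start + length <= FLASH_WINDOW + FLASH_SIZE
    aligned = start % BLOCK == 0 and length % BLOCK == 0 and length > 0
    return inside and aligned


def brjtag_cmd(action: str, start: int, length: int) -> str:
    """Build the one-line erase:custom / backup:custom command from the thread."""
    if not check_range(start, length):
        raise ValueError(f"{start:#x}+{length:#x} is outside the flash window")
    return (f"brjtag -{action}:custom /cable:dlc5 /fc:120 /noreset /nobreak "
            f"/instrlen:5 /wx8 /verbose /window:{FLASH_WINDOW:x} "
            f"/start:{start:x} /length:{length:x}")


if __name__ == "__main__":
    for name, (off, size) in PARTS.items():
        s, n = custom_range(off, size)
        print(f"{name:6} -> /start:{s:x} /length:{n:x}")
    # first 1 MB of the kernel, right after the 256 KB CFE
    print(brjtag_cmd("erase", *custom_range(0x40000, 0x100000)))
    # the mistyped nine-digit start address from the thread fails the check
    print(check_range(0x1CF040000, 0x100000))
```

The nvram entry yields exactly the /start:1cff0000 /length:10000 pair used in step 4 and step 7, because the 60 KB NVRAM at 0xff1000 sits inside the last 64 KB block.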
Malachi
DD-WRT Guru


Joined: 17 Jul 2012
Posts: 7231
Location: Columbus, Ohio

Posted: Thu Apr 03, 2014 18:41
Just got home. Almost 24 hours later and wholeflash is only at block 76.
I can't mess with the parameters myself. I'm illiterate when it comes to this stuff.
All I know how to do is copy other people's steps.
I know what the word verbose means but I have no idea why it's in that command, nor wx8.

_________________
I am far from a guru, I'm barely a novice.
alins75
DD-WRT Novice


Joined: 10 Mar 2014
Posts: 12

Posted: Thu Apr 03, 2014 18:53
At this point you can probably stop brjtag and try the command in the previous post to erase the kernel.
Next try again steps 1 to 7. It shouldn't take more than 30 min.
You can lose the verbose, but then you will no longer see the progress.
The wx8 tells it to write using x8 (byte) mode for the SPI chip.
Malachi
DD-WRT Guru


Joined: 17 Jul 2012
Posts: 7231
Location: Columbus, Ohio

Posted: Thu Apr 03, 2014 19:08
I just tried to erase nvram using:
brjtag -erase:custom /cable:dlc5 /fc:120 /noreset /nobreak /instrlen:5 /wx8 /verbose /window:1c000000 /start:1c040000 /length:100000

I get: error message- custom also requires '/window' '/start' and '/lenght' options

_________________
I am far from a guru, I'm barely a novice.
alins75
DD-WRT Novice


Joined: 10 Mar 2014
Posts: 12

Posted: Thu Apr 03, 2014 19:12
brjtag -erase:custom /cable:dlc5 /fc:120 /noreset /nobreak /instrlen:5 /wx8 /verbose /window:1c000000 /start:1cff0000 /length:10000

This is what you need to use to erase nvram. This is what I used.

Make sure this is one long line.
Malachi
DD-WRT Guru


Joined: 17 Jul 2012
Posts: 7231
Location: Columbus, Ohio

Posted: Thu Apr 03, 2014 19:26
Using that command you just gave me, I don't get an error. It just hangs at erasing block :256 (add = 1cff0000)....
Now when I try to erase the cfe it just hangs at erasing block 1.

Just noticed my connection on tdo was barely hanging on. Going to resolder

Made no difference. Still hanging. I think it's toast.

_________________
I am far from a guru, I'm barely a novice.


Last edited by Malachi on Thu Apr 03, 2014 19:41; edited 1 time in total
alins75
DD-WRT Novice


Joined: 10 Mar 2014
Posts: 12

Posted: Thu Apr 03, 2014 19:41
First turn off the router for a few seconds.
Then immediately after turning it on type the command from step 1. Then go to step 2 to erase the CFE or to step 4 to erase the NVRAM.
Whenever it hangs, stop brjtag with Ctrl+C, then turn off the router.
Before running any command after power on, make sure you type the command from step 1, to make sure the router has been properly initialized.
What are you using to connect? Are you using an unbuffered JTAG cable? This is what I used.
Malachi
DD-WRT Guru


Joined: 17 Jul 2012
Posts: 7231
Location: Columbus, Ohio

Posted: Thu Apr 03, 2014 19:50
Started from the beginning. It hangs at erasing cfe.
Backing up nvram hangs at 0%.

_________________
I am far from a guru, I'm barely a novice.