Look also at the wiggler diagram included in the tjtag zip file...it's probably very close to one of these... and some boards require power on pin 1 _________________ Want JTAG support - Donate a router
or Donate with PayPal !
Can someone fill me in on the details of this, I didn't see it in the thread anywhere.
Jtag cable being used ?
Jtag software being used ?
What is the flash chip ?
I am using a JTAG adapter from usbjtag.com.
I am using the software for the adapter.
The flash chip on my particular router is EN29LV640B, and is located on the bottom of the PCB.
I don't have any micro headers either so I just took some 22AWG wire and stripped the ends, then poked them into the JTAG holes in order. They are just thick enough where they will hold just fine and provide you with a fairly reliable connection.
So far, I have found the settings I needed to correctly recognize the flash, but I screwed up and accidentally used the profile for the WRT54GS when doing the backup. The file that I have now as a result is indeed 8MB, but as far as I know it may contain just garbage.
I'm going to continue trying to debrick the router and reply back if I make any progress.
My apologies to everyone who reads my posts and thinks, "What a fscking n00b..."
This is my first foray into hacking a new and yet unsupported router and I really don't have a clear idea of what I'm doing in regards this router and I'm working with tools that are poorly documented at best.
At this point my difficulties stem from my inexperience with JTAG on Linksys devices, and also my inability to find the right settings to use with my USB JTAG.
I was able to finally find the right settings for the flash chip, but I do not know the addresses to use for the WRT610N profile, as it would be defined in the JTAG software. The configuration files used by USBJTAG are easy to edit, but there isn't much support documentation on what all of the values actually mean.
For reference, here is the profile for the WRT54GS:
This profile, while it allows me to talk to the device in some capacity, does not appear to help me out much in getting a good backup. Furthermore, I have been only successful in reading data, and as far as I can tell any attempts to write to the device have stalled the JTAG software. I suspect this is related to my using incorrect settings.
If anyone has any ideas I can try, I'd be more than happy give it a shot.
Joined: 07 Jun 2006 Posts: 2087 Location: Odessa, Ukraine
Posted: Sat Jul 26, 2008 5:27 Post subject:
@Omikron
Not to many forum members would even attempt to do this, so my hats off to you. I have looked at the backup, and at least the CFE seems to be in good order so we now have the embedded nvram defaults.
Broadcom typically uses two windows for flash on this type of processor, 1C000000 for greater than 4MB and 1FC00000 for 4MB and less, but your software could be changing that, you could try it anyway if your software allows it.
Does the software allow you to edit flash chip definitions ? do you have the setting you are using now ?
Can you provide the pinout you used ? it seems to be correct.. _________________ Want JTAG support - Donate a router
or Donate with PayPal !
@Omikron
Not to many forum members would even attempt to do this, so my hats off to you. I have looked at the backup, and at least the CFE seems to be in good order so we now have the embedded nvram defaults.
Broadcom typically uses two windows for flash on this type of processor, 1C000000 for greater than 4MB and 1FC00000 for 4MB and less, but your software could be changing that, you could try it anyway if your software allows it.
Does the software allow you to edit flash chip definitions ? do you have the setting you are using now ?
Can you provide the pinout you used ? it seems to be correct..
I don't know the pinout off the top of my head, but I'm just connecting the wires 1:1 to the 14 pin header on the adapter.
The software for the adapter I am using has two files that define its operation.
The first one is flash.def, which has the following information at the top:
Code:
// ============================================================================
// Flash definition file
// type of the definition
// Format Id1,Id2, Name of flash, size(Hex), Protocol (0,AMD, 1 INTEL),
// Number of secttors, sector size,(hex).... (optional buffer size in)
// ============================================================================
Per the datasheet for the Eon part, I extrapolated the following defintion:
Now I have been able to figure out a little bit about how SOME of these values work.
I don't know how the first "Memory" line works but I do know that everything after that simply defines the address ranges of different areas of flash. I believe it follows the following layout:
Code:
Memory=Name,Type,StartAddress,Size
I don't know what anything else means. Also, so far I have been unsuccessful in actually getting it to WRITE anything. I can only read.
Here's the latest "garbage" that I pulled from the bricked device.
For reference, here are the stupid steps I did, in order.
1. Try to find a way to interact with JTAG port.
2. Found way, but did not research the proper settings very well.
3. Tried to find a way to pull a complete backup of the flash.
4. Couldn't figure out proper settings. Guessed the settings and dumped a partial flash. (previous garbage file)
5. Got impatient and tried flashing v24_tng via web interface for WRT600N to see what would happen.
6. I found out that it bricks the router (no surprise)
7. Figured out proper settings to use in flash.def.
8. Tried to write back "garbage" dump in a vain attempt to ressurect the unit.
9. Failed.
10. Possibly figured out correct settings to use to dump entire 8MB flash.
11. Dumped the attachment below.
I think I might head to the store and pick up another WRT610N tomorrow and hopefully be more careful with this one. Namely, I'm not going to attempt any writes or upgrades until I am 100% sure I have the correct backup.
Joined: 07 Jun 2006 Posts: 2087 Location: Odessa, Ukraine
Posted: Sat Jul 26, 2008 7:03 Post subject:
@Omikron
The flash definitions are correct for a BotB flash. The second dump is garbage, I guess from trying to flash it previously :)
On your pinout, on the board, you pins are not labeled TDO,TCK, etc ? Thats what I was talking about...
I do not think anything is wrong with the 610n that you have. Just settings for your cable, if you had a standard or wiggler cable, I think it would be short work now...as you have figured out almost everything...and like I said, Im pretty sure we have a good CFE, and most likely a good wholeflash backup. _________________ Want JTAG support - Donate a router
or Donate with PayPal !
@Omikron
The flash definitions are correct for a BotB flash. The second dump is garbage, I guess from trying to flash it previously :)
On your pinout, on the board, you pins are not labeled TDO,TCK, etc ? Thats what I was talking about...
I do not think anything is wrong with the 610n that you have. Just settings for your cable, if you had a standard or wiggler cable, I think it would be short work now...as you have figured out almost everything...and like I said, Im pretty sure we have a good CFE, and most likely a good wholeflash backup.
That's the thing...there's no labels on either the router or the JTAG adapter I'm using. It's the one from http://usbjtag.com/
I'm sure the router I have is fine, but by now I've completely trashed the flash I think. :-D
If I can get this cable working I'll be very happy since it is ridiculously fast compared to a parallel wiggler device. I'm actually borrowing this one from a friend but I may end up purchasing one of these if this works out.
I don't think anything is wrong with the flash. Why don't you build a std cable, just to try it, you would learn something in the process.
I will look at the link you provided.
Unfortunately, I do not have access to any machines that have a parallel port. This is why I must be able to find a USB based solution. I can't imagine that I'm the only one in this situation.
Joined: 07 Jun 2006 Posts: 2087 Location: Odessa, Ukraine
Posted: Sat Jul 26, 2008 8:46 Post subject:
Ok, I understand now, to bad we don't have USB Jtag support in Tjtag yet. But with the work you have done so far, Im confident we have no problems with a standard or wiggler cable on this box.
You will have to write the author of your jtag cable and ask for the pinouts...and why you might be haveing problems writing to that flash chip. _________________ Want JTAG support - Donate a router
or Donate with PayPal !
Ok, I understand now, to bad we don't have USB Jtag support in Tjtag yet. But with the work you have done so far, Im confident we have no problems with a standard or wiggler cable on this box.
You will have to write the author of your jtag cable and ask for the pinouts...and why you might be haveing problems writing to that flash chip.
From what I can find, the USB JTAG device that I use uses the standard 14-pin EJTAG pinout. Does this help you at all?
Joined: 07 Jun 2006 Posts: 2087 Location: Odessa, Ukraine
Posted: Sat Jul 26, 2008 9:24 Post subject:
I kinda already knew that I still don't think it will be a problem for the other two cables..and now we have a CFE thanks to you. _________________ Want JTAG support - Donate a router
or Donate with PayPal !
so we now have the embedded nvram defaults.
