Hi all,
This is my story on debricking WNR3500L router.
I had dd-wrt (the mega version) on my router and in some point I wanted to test OpenWRT Kamikaze 8.09.2 (downloaded from this website and cross compiled).
I've performed "erase linux" and then reboot. So the green LED was blinking waiting for data from my Debian Linux host machine. I've used the tftp to download the code (first hint: use tftp-hpa package with -m binary switch - it will save you many sleepless nights).
By my mistake I've powered off the router a bit too soon :-) . So then my trouble starts :-)
I was trying the 30-30-30 reset and shorting pins of my FLASH memory. From time perspective I can say, that it was very unwise. I could short cut the router's memory. DO NOT DO IT.
What I can recommend is the serial console. Use the cable as presented at:
http://www.myopenrouter.com/gallery/13865/Gallery-How-To-Debrick-Your-NE...
One thing. Remember that this router needs TTL LV (0 to 3.3V) signals. So use the proper cable (thx to Sylwiusz :-) ). What is missing on the tutorial is that near the mark JP1 is the GND (black), then next pin to it is RXD (yellow) and the 5th (orange) is TXD. The last pin is 3V3 power :-).
Serial console is relatively cheap to build or buy, but gives you insights what is going on in the router. I was using the minicom program with 115200 bod, 8N1 settings.
When I had the access to the serial console, I saw the CFE bootloader for WNR3500L (not WNR3500Lv2 - this is another router - be carefull). The CFE version is 1.0.36 for WNR3500L. Remember this number.
So with serial console I've seen what is going on. Finally.
First of all backup the CFE. And one more time -> backup it. And most important -> BACKUP.
And then:
CFE>tftpd => start the tftpd to listen for new image.
On the host machine:
tftp –m binary 192.168.1.1 -c put wnr3500l-v1.0.2.26_30.0.98NA.chk
This is for my tftp flavor. You can use any other, but remember that data are sent in binary. In my case lack of -m binary was one of the reasons for checksum mismatch error.
You should be able to flash a new image (preferably the stock firmware).
I made a mistake and flashed the whole memory with a wrong image
DO NOT use: flash [image name] flash0
If by some mishap you do this, you need JTAG. I've used the wiggler cable clone (which I've built myself) from this schematic:
http://wiki.openwrt.org/oldwiki/OpenWrtDocs/Customizing/Hardware/JTAG_Cable
It is named as: Wiggler JTAG for MIPS CPU(ADM5120 Edimax BR6104K)
To connect the LPT cable I've used the AXAGO's card (lspci -v "Parallel controller: NetMos Technology PCIe 9901") . It works out of the box with Debian. Hot plug is not working (at least on my setup), so reboot your machine :-)
Please READ the following document: http://www.dd-wrt.com/wiki/index.php/JTAG
Connect JTAG cable aligned to PIN1 (12 pin header) and 3V3 from the serial connector. You will need tjtag program (tjtag 3.0.2-rc1):
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=22655
Probe to check if everything is working:
./tjtag302 -probeonly /cable:wiggler
If you see all 0xFFFFFFFF then check the cable/JTAG interface/drivers on your machine.
If in your router blue (wifi) and amber(power) LEDs are lit with a diminish light, then it means that your CFE got corrupted and you need to replace it.
The following is the last resort for your router.
Reread http://www.dd-wrt.com/wiki/index.php/JTAG
and if nothing from this howto is useful for solving the problem then:
THINK TWICE BEFORE FLASHING THE WHOLE SERIAL MEMORY
./tjtag -erase:wholeflash /cable:wiggler
Then download cfe.bin for WNR3500L (1.0.36) - file WNR3500L_NVRAM_CFE.zip :
http://www.dd-wrt.com/phpBB2/download.php?id=14486
Read README. It will show you how to prepare "board_data" section for your router. The router's memory layout can be found in the document "WNR3500L_opensource_guide.pdf" from this website.
One thing - pay attention to the NVRAM_CLEAN_WNR3500L.BIN. The first line contains the string: U12H136T99 - it is the identification string for the router. When this is missing/corrupted, then checksum is wrong.
To flash CFE use ./tjtag -flash:cfe /cable:wiggler . The corresponding file should be named CFE.BIN (yes, capital letters) and placed in the tjtag directory. It will take some time (approx 2h). If after reboot nothing has changed, then it means that your flash memory need byte swapped data (like mine did). So backup the CFE (./tjtag -backup:cfe /cable:wiggler), rename the file to CFE.BIN and flash router again. It should boot now (power,amber red is blinking). Some output on the serial console should be visible (CFE>). To break CFE execution press CTRL+C.
Now the tricky part. Restore router's board data. After editing the NVRAM_CLEAN_WNR3500L.BIN (according to README :-) - I used hexeditor ) it is ready to flash. Please use the command:
./tjtag -flash:custom /window:0x1c000000 /start:0x1c7e0000 /length:0x20000, where 0x1c000000 is the CPUs memory region used for flash communication.
Rename the NVRAM_CLEAN_WNR3500L.BIN file to CUSTOM.BIN. If everything goes well, you should see yours,correct macaddr on the serial console.
Now you are restored :-). Use tftpd from CFE to download WNR3500L stock firmware (it is also available on this website). Check if it is working via webGUI.
That's all :-)
Special thanks for mpf and LOM for guiding me in the MIPS routers world. Without their help and most of all patience :-) my WNR3500L router would be still bricked.
Regards,
Lukasz
p.s. Is it possible to make available to download (on the myopenrouter.com) the source code and toolchain for WNR3500L's CFE?
Recent comments