Any help to unbrick a WRT350N?


skorianez

skorianez

Network Guru
Member
Hi, I just bought a linksys wrt350n and put a dd-wrt on it, it work , but my wireless always drop. So I decided to put OpenWRT on it , like my wrt54g.
And now it is a brick :tongue:
The power led is blinking, and I can't even ping 192.168.1.1 so I can't recover from tftp

So that is my plan:
I will put a serial console to see if I have CFE boot loader and assembly a JTAG cable try to recover it.

Problem:
I can't find a .bin linksys firmware

Is this steps are right?
Any one have any hints to help me?
 
thanks, but I cant use tftp way

I cant even ping 192.168.1.1


Code: 
Welcome to minicom 2.2 
 
 OPTIONS: I18n 
 Compiled on Mar  7 2007, 15:10:03. 
 Port /dev/ttyS0 
 
                Press CTRL-A Z for help on special keys 
 
 
 
 CFE version 1.0.37 for BCM947XX (32bit,SP,LE) 
 Build Date: Mon Oct 30 23:22:44 CST 2006 (root@linux) 
 Copyright (C) 2000,2001,2002,2003 Broadcom Corporation. 
 
 Initializing Arena 
 Initializing PCI. [normal] 
 PCI: Initializing host 
 PCI: Enabling CardBus 
 SB PCI init done 
 
 0x3c = 0x00000100 
 PCI bus 0 slot 0/0: vendor 0x14e4 product 0x0800 (flash memory, rev 0x02) 
 PCI bus 0 slot 1/0: vendor 0x14e4 product 0x471f (ethernet network, rev 0x02) 
 PCI bus 0 slot 2/0: vendor 0x14e4 product 0x471a (USB serial bus, interface 0x10, rev 0x02) 
 PCI bus 0 slot 2/1: vendor 0x14e4 product 0x471a (USB serial bus, interface 0x20, rev 0x02) 
 PCI bus 0 slot 3/0: vendor 0x14e4 product 0x471b (USB serial bus, rev 0x02) 
 PCI bus 0 slot 4/0: vendor 0x14e4 product 0x0804 (PCI bridge, rev 0x02) 
 PCI bus 0 slot 5/0: vendor 0x14e4 product 0x0816 (MIPS processor, rev 0x02) 
 PCI bus 0 slot 6/0: vendor 0x14e4 product 0x471d (IDE mass storage, rev 0x02) 
 PCI bus 0 slot 7/0: vendor 0x14e4 product 0x4718 (network/computing crypto, rev 0x02) 
 PCI bus 0 slot 8/0: vendor 0x14e4 product 0x080f (RAM memory, rev 0x02) 
 PCI bus 0 slot 9/0: vendor 0x14e4 product 0x471e (class 0xfe, subclass 0x00, rev 0x02) 
 PCI bus 1 slot 0/0: vendor 0x14e4 product 0x4785 (host bridge, rev 0x02) 
 Initializing Devices. 
 
 No DPN 
 This is a Parallel Flash 
 Partition information: 
 boot    #00   00000000 -> 0003FFFF  (262144) 
 trx     #01   00040000 -> 0004001B  (28) 
 os      #02   0004001C -> 007F7FFF  (8093668) 
 nvram   #03   007F8000 -> 007FFFFF  (32768) 
 Partition information: 
 boot    #00   00000000 -> 0003FFFF  (262144) 
 trx     #01   00040000 -> 007F7FFF  (8093696) 
 nvram   #02   007F8000 -> 007FFFFF  (32768) 
 PCI bus 0 slot 1/0: _pci_map_mem: attempt to map 64-bit region tag =0x800 @ addr=18010004 
 PCI bus 0 slot 1/0: _pci_map_mem: addr=0x18010004   pa=0x18010000   pci_mem_space_pci_base=0x40000000   0 
   mcfg = 000810fe 
 ge0: BCM5750 Ethernet at 0x18010000 
 CPU type 0x2901A: 300MHz 
 Total memory: 32768 KBytes 
 
 Total memory used by CFE:  0x80300000 - 0x803A7AB0 (686768) 
 Initialized Data:          0x8033C900 - 0x8033FCB0 (13232) 
 BSS Area:                  0x8033FCB0 - 0x80341AB0 (7680) 
 Local Heap:                0x80341AB0 - 0x803A5AB0 (409600) 
 Stack Area:                0x803A5AB0 - 0x803A7AB0 (8192) 
 Text (code) segment:       0x80300000 - 0x8033C900 (248064) 
 Boot area (physical):      0x003A8000 - 0x003E8000 
 Relocation Factor:         I:00000000 - D:00000000 
 
 Boot version: v4.2 
 The boot is CFE 
 
 mac_init(): Find mac [00:1A:70:59:B9:B9] in location 1 
 Nothing... 
 
 eou_key_init(): Find key pair in location 4 
 The eou device id is same 
 The eou public key is same 
 The eou private key is same 
 CMD: [ifconfig eth0 -addr=192.168.1.1 -mask=255.255.255.0] 
 bcm5700: no firmware rendevous 
 eth0: Link speed: 1000BaseT FDX 
 Device eth0:  hwaddr 00-1A-70-59-B9-B9, ipaddr 192.168.1.1, mask 255.255.255.0 
         gateway not set, nameserver not set 
 CMD: [go;] 
 Check CRC of image1 
   Len:     0x1AE000     (1761280)       (0xBC040000) 
   Offset0: 0x1C         (28)            (0xBC04001C) 
   Offset1: 0x8F0        (2288)  (0xBC0408F0) 
   Offset2: 0xAFC00      (719872)        (0xBC0EFC00) 
   Header CRC:    0x81BB794 
   Calculate CRC: 0x81BB794 
 Image 1 is OK 
 Try to load image 1. 
 CMD: [boot -raw -z -addr=0x80001000 -max=0x3a0000 flash0.os:] 
 Loader:raw Filesys:raw Dev:flash0.os File: Options:(null) 
 Loading: .. 3740 bytes read 
 Entry at 0x80001000 
 Starting program at 0x80001000 
 
 ******************************************************************* 
 ****  lot of garbage ******************************************** 
 ******************************************************************* 
 
 
 CFE version 1.0.37 for BCM947XX (32bit,SP,LE) 
 Build Date: Mon Oct 30 23:22:44 CST 2006 (root@linux) 
 Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.

this messages is in loop.

any one have any ideia?
 
try setting the PC to a static IP 192.168.1.2, Mask 255.255.255.0. gateway 192.168.1.1 then reset the WRT by pressing the reset button for 30 seconds. now start the TFTP utility, load the binary file and password but do not upgrade just yet. now turn off the WRT, then as soon as you power on the WRT again, click the upgrade button on the TFTP utility. you must try doing this instantly the WRT powers on. you maybe lucky and get the WRT upgraded again.
 
I had to use the serial console to set nvram:
Code: 
CFE> nvram set boot_wait=on
CFE> nvram commit

Now I could flash via tftp this archive. but I got erros:
Code: 
Loader:raw Filesys:tftp Dev:eth0 File:: Options:(null)
Loading: ......... 2864128 bytes read
Entry at 0x803a7ab0
CMD: [boot -raw -z -addr=0x80001000 -max=0x3a0000 -fs=memory :0x803a7ab0]
Loader:raw Filesys:memory Dev:eth0 File::0x803a7ab0 Options:(null)
Loading: . 0 bytes read
Failed.
Could not load :0x803a7ab0: Error
CFE>

Has any one have list of nvram setting so I can see?
 
skorianez: I just bricked mine today, too. Can you tell me how you got to the serial console?
 
Do an "nvram show" from the serial console CFE prompt and see if your NVRAM looks right or not. I do not know about WRT350N but on most WRT units if you blank the nvram, the CFE will build a default one on next power-up.

The serial console is 99% of the time the way to recover from a bad flash, JTAG is also useful but much slower.

You should be able to put in TFTP receptive mode from CFE prompt, then you have some seconds to start the TFTP send from a PC on the LAN ports. Make sure you use the "-i" flag on tftp so it sends in BINARY, not 7-bit ascii. That is a mistake that has messed me up several time.
 
I'm in the same situation as skorianez is (or was). i can get to the CFE> prompt and force a flash (flash -noheader : flash1.trx), but nothing takes.

Has anyone solved this issue?
 
How did you access the serial ports?

Hi, how did you access the serial ports? I know where they are on the board, and which pins correspond to tx, rx, and gnd as per http://forums.linksys.com/linksys/board/message?board.id=Wireless_Routers&thread.id=71882... I just need to know if you needed any special hardware to get it to talk to your computer's serial ports and if so, which hardware? I've seen some posts that mention different hardware one can purchase for the WRT54g models, but nothing specifically for the wrt350n.
 
gaebriel said:
Hi, how did you access the serial ports? I know where they are on the board, and which pins correspond to tx, rx, and gnd as per http://forums.linksys.com/linksys/board/message?board.id=Wireless_Routers&thread.id=71882... I just need to know if you needed any special hardware to get it to talk to your computer's serial ports and if so, which hardware? I've seen some posts that mention different hardware one can purchase for the WRT54g models, but nothing specifically for the wrt350n.
Click to expand...

This http://www.ftdichip.com/Products/EvaluationKits/TTL-232R-3V3.htm worked for me with WRT350N.
 
You must log in or register to reply here.

Back
Top