
Bricked WRT54GL

Discussion in 'Tomato Firmware' started by Shimakaze, Dec 9, 2009.

  1. Shimakaze

    Shimakaze Addicted to LI Member

    Hi everyone. My one week-old WRT54GL flashed with Tomato Victek mod version 1.25 just died on me...It happened when I tried to reboot the router from the web interface, and the router never rebooted. Right now if I power it on, the front panel will show a blinking power light, unlit DMZ light, and constantly lit LAN and Internet lights.

    I've tried the tftp flashing method to revive the router with new firmware, but I got no ping responses from it. Is there any hope left to unbrick the router? If not, what should I do/avoid doing with a new router flashed with Tomato in the future? With the bricked router, I used pretty standard settings except increasing power output to 84mW and overclocking CPU from 200mhz to 215mhz.

    Thanks
     
  2. arthurtoo

    arthurtoo Addicted to LI Member

    hey there Shimakaze, ironically my 5 year old WRT54GL died on me last night as well when i rebooted the router from the web interface.

    my transmit power was at 50mW and my CPU was at 215mhz as well. had QoS, IP/MAC BW Limiter and ARP binding on.

    is there something wrong with the web interface reboot?
     
  3. Shimakaze

    Shimakaze Addicted to LI Member

    Sorry to hear that...The coincidence is interesting though. Was that the first time you tried to reboot the router through the web interface with the current version of the firmware? Were you running vanilla Tomato, or was it modded?
     
  4. arthurtoo

    arthurtoo Addicted to LI Member

    what's more interesting is that i'm running on Victek's 1.25 as well.

    i don't know if it was the first time rebooting as i was previously using dd-wrt and switched to Victek's tomato mod couple of days ago and i did a reset via the web interface right after the installation. if i remember correctly, i think it rebooted once after the reset.

    i did a couple of QoS configuration changes last night and decided to reboot the router. that's when it got bricked.
     
  5. ladysman

    ladysman LI Guru Member

    I've rebooted several times on my GSv2 via the web interface without issue. This is on Victek's non-ND 1.25. I know it's not an "L" but wanted to let you know about the rebooting. :)
     
  6. arthurtoo

    arthurtoo Addicted to LI Member

    i guess **** happens, arGGggg......will have to go out and get myself another one. i'm still gonna flash it to Victek's tomato 1.25 though :)
     
  7. TexasFlood

    TexasFlood Network Guru Member

    Have you tried a hard reset to see if it might revive, at least enough to respond to a ping at power-up and listen for TFTP? I assume you reset to defaults after first loading Victek's tomato? Wonder if it might be worth using the arp command to manually map the router MAC to the expected IP address? - I googled and found that process described here and here. Basically you plug into the router, either use arp to discover a MAC or get it off the router label, then use arp -s to create an arp entry. I've used this process to get into avocent console devices for initial configuration and have read of having to use it on routers although I've never had to myself.
     
  8. arthurtoo

    arthurtoo Addicted to LI Member

    i actually tried a hard reset. the infamous 30/30/30. no luck....
     
  9. Shimakaze

    Shimakaze Addicted to LI Member

    30/30/30 was one of the first things I tried, no luck either...I guess I'll look into the arp command method. Thanks.
     
  10. Planiwa

    Planiwa LI Guru Member

    Very nice links.

    The arp command is of great value. You can think of it as a lower-layer search for life tool. A host may not feel like responding to a ping, but it will almost certainly respond to arp or arping.

    Just as an IP-layer consciousness might say "can I ping it?", a MAC-layer consciousness might say "can I arp(ing) it?"

    In other words, one of the first things to do with a suspected brick is to plunk it on a network, run arp,and see if it shows up.
     
  11. mstombs

    mstombs Network Guru Member

    Setting an invalid clockrate is known to brick these routers. Surely you mean 216MHz?

    To recover you need to use JTAG to clear the nvram, so it resets to defaults on next boot. Few hours with soldering iron and software setup, then 2s to do the command!

    But check the 12V PSU first - they are definitely a weak point.
     
  12. arthurtoo

    arthurtoo Addicted to LI Member

    if setting an invalid clockrate is known to brick these routers. maybe as a safety precaution, they shud do something like dd-wrt where there is a scroll down list of the usable clockrates instead of the current text box.
     
  13. Shimakaze

    Shimakaze Addicted to LI Member

    Do you know what are the clock frequencies to avoid?

    On another note, the arp method recommended earlier unfortunately did not work. The MAC address of the router could not be found with the arp command. I don't think there's any communication at all between the router and the computer. I have a feeling that it's too far gone now...
     
  14. TexasFlood

    TexasFlood Network Guru Member

    It's probably a doorstop without jtag, but also note that as I said earlier, the MAC -should- be printed on a label on the bottom of the router, that's how I used to get it for my avocent console devices. I can't comment on clock frequencies since I have been historically scared of it and avoid it so have basically no experience to draw on.
     
  15. Shimakaze

    Shimakaze Addicted to LI Member

    Yup, I've tried manually adding an entry using the MAC address printed on the bottom of the router, and I still didn't get anything :frown:
     
  16. landa

    landa LI Guru Member

    Have you tried to connect to the router in failsafe mode?

    1. Unplug the router's power cord.
    2. Connect the router's LAN1 port directly to your PC.
    3. Configure your PC with a static IP address between 192.168.1.2 and 192.168.1.254, e.g. 192.168.1.2 (gateway and DNS are not required).
    4. Plug the power on and wait for the DMZ LED to light up.
    5. While the DMZ LED is on immediately press any button (Reset and Secure Easy Setup will work) a few times.
    6. If done right the DMZ LED will quickly flash 3 times every second.
    7. You should be able to telnet to the router at 192.168.1.1 now (no username and password).
     
  17. Shimakaze

    Shimakaze Addicted to LI Member

    Unfortunately the DMZ LED never lights up...
     
  18. mstombs

    mstombs Network Guru Member

    Some discussion here about the valid combinations

    http://www.bitsum.com/openwiking/owbase/ow.asp?WRT54G

    which actually suggests the bricking by mis-set values is only an issue with earlier models with earlier CFEs

    I know my wrt54gsv1.1 has been run at 216 with some firmwares. My WRT54G-TM has a heatsink and JTAG and serial console fitted, but I have never felt the need to break it beyond tftp recovery stage.
     
  19. Edhel

    Edhel LI Guru Member

    As a very last resort you could try and short the pins. It's not really advisable and can damage your router beyond repair. I've successfully done it in the past, but only when I have nothing else to lose.
     
  20. arthurtoo

    arthurtoo Addicted to LI Member

    i tried to shortpin as well...didnt work. anyways, got myself a new WRT54GL and i'm back on victek's tomato. this time i ain't messing around with the clockrate. tried rebooting a few times and the router is still running fine.

    really can't figure out what was the problem with my previous router that caused it to brick.
     
  21. noodles2k

    noodles2k Addicted to LI Member

    have you tried using a serial console? Otherwise jtag!
     
  22. arthurtoo

    arthurtoo Addicted to LI Member

    nopes...figured that it'll be easier to just get a new router instead.
     
  23. TVTV

    TVTV LI Guru Member

    That = money. It'd be fun for you to get your hands dirty and make a JTAG cable. Who knows, maybe it'll come in handy in the future, too. ;)
     
  24. noodles2k

    noodles2k Addicted to LI Member

    that's crazy :s
     
  25. Toastman

    Toastman Super Moderator Staff Member Member

    After conducting experiments on what clock frequencies can be accepted by the WRT54GL v1.1 - I had in addition to the standard valid frequencies also tried several odd frequencies and always the router chose the nearest lower valid value.

    *Added* 19/12/2009 - Working frequencies are 183/188/197/200/206/212/216/217/225/238/240/250 (from the bitsum article).

    Then in response to a post by TexasFlood referring to this thread, I tried 215 MHz. Instant brick, exactly as described above. It should have chosen 212 - but it didn't.

    I don't know if there was any particular reason for the above posters to choose 215, but it's clearly best avoided!

    Oh, it's definitely a JTAG job by the way. No ARP response. And no parallel port on my PC's these days.

    I will try to recover it so that the OP and others can see how to do it. But it'll maybe have to wait until I can get a backplate to plug into the motherboard.
     
  26. TVTV

    TVTV LI Guru Member

    Mine is now running at 240...

    Proof:
     
  27. karogyoker

    karogyoker Addicted to LI Member

    why the hell are you messing with cpu freq?? 200 is far enough
     
  28. RonWessels

    RonWessels Network Guru Member

    Not necessarily. It is certainly plenty if all you are doing is having one or two machines doing the occasional email and web browsing, and your ISP connection speed isn't particularly high. For higher speed connections or higher bandwidth communications (eg. torrents), there are noticeable (arguably "significant") performance improvements when the CPU frequency is increased.
     
  29. TVTV

    TVTV LI Guru Member

    Me? I want the most throughput i can get because i'm on a 50 mbps FO line.
     
  30. Toastman

    Toastman Super Moderator Staff Member Member

    TVTV - 240 does indeed work... as you say. I did know about that because about 2 years ago I used 240 for no particular reason. But what is worrying is the fact that certain frequencies brick the router. And since the web GUI offers no guidance on this, more people will undoubtedly fall foul of this in the future.

    karogyoker - the router is snappier, and gives more throughput when it is clocked at 250MHz. So why NOT do it?
     
  31. arthurtoo

    arthurtoo Addicted to LI Member

    215mhz is exactly what i set cause i mistakenly remembered 216mhz in dd-wrt for 215mhz. but 215mhz is what i've set, and when rebooting the router it bricked.

    maybe the next upgrade for tomato can have a drop down list with the safe values to choose from.
     
  32. Toastman

    Toastman Super Moderator Staff Member Member

    That would be a really good idea, but every router from different manufacturers may not be the same, it may then be a nightmare to get it right. Probably just a choice of reasonable steps - 200/216/238/240/250 or whatever is common to all machines and cfe versions, would be acceptable. Personally, I think a small bit of help text with the known good frequencies should suffice.
     
  33. Planiwa

    Planiwa LI Guru Member

    Speaking of small and help, I'm not sure this very small message is all that helpful:

    Perhaps the javascript might verify that whatever it calls to set the clock frequency accepts it, and not enshrine it in NVRAM, if not.

    Is there a command to show valid CLKFREQ values?

    BTW, what exactly does "Boot Wait Time" signify?

    Is it related to when exactly the INIT script is run? (Clearly there is some that could be better understood with that.)

    :)

    P.S.: I noticed that init.c erases NVRAM when it detects certain impossibilities. Perhaps an impossible CLKFREQ might also be such a good cause to erase NVRAM?
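
The check suggested in the posts above (refuse an unknown clock before it is stored in NVRAM), as an added example that is not Tomato's own code. The frequency table is the WRT54GL v1.1 list from Toastman's post; the `nvram` object with `set()` and `commit()` and all function names are hypothetical.

```javascript
// Known-good CPU clocks for the WRT54GL v1.1, as listed earlier in the thread
// (quoted there from the Bitsum article). Other models and CFE versions may
// differ, so this table is per-model data, not a universal list.
const KNOWN_GOOD_MHZ = [183, 188, 197, 200, 206, 212, 216, 217, 225, 238, 240, 250];
const DEFAULT_MHZ = 200;

// Parse the raw text-box value strictly: digits only, no units, no decimals.
function parseClockInput(raw) {
  const text = String(raw).trim();
  if (!/^[0-9]{1,4}$/.test(text)) return null;
  return Number(text);
}

// Largest known-good value that does not exceed the request, or null.
function nearestLowerValid(mhz, table) {
  const lower = table.filter((f) => f <= mhz);
  return lower.length ? Math.max(...lower) : null;
}

// Decide whether a requested clock may be stored. Nothing is rounded silently:
// an unknown value is rejected and a safe alternative is offered instead.
function validateClkfreq(raw, table = KNOWN_GOOD_MHZ) {
  const mhz = parseClockInput(raw);
  if (mhz === null) {
    return { ok: false, reason: "not a whole number of MHz", suggestion: DEFAULT_MHZ };
  }
  if (table.includes(mhz)) return { ok: true, value: mhz };
  const lower = nearestLowerValid(mhz, table);
  return {
    ok: false,
    reason: mhz + " MHz is not in the known-good list for this model",
    suggestion: lower === null ? DEFAULT_MHZ : lower,
  };
}

// Hypothetical save path: validate first, touch NVRAM only on success.
function saveClkfreq(raw, nvram) {
  const verdict = validateClkfreq(raw);
  if (!verdict.ok) return verdict; // nothing written, nothing committed
  nvram.set("clkfreq", String(verdict.value));
  nvram.commit();
  return verdict;
}

// In-memory stand-in for the router's NVRAM (constructed for this example).
function makeFakeNvram() {
  const store = {};
  let commits = 0;
  return {
    set: (key, value) => { store[key] = value; },
    commit: () => { commits += 1; },
    get: (key) => store[key],
    commitCount: () => commits,
  };
}
```
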
     
  34. mstombs

    mstombs Network Guru Member

    It's the 3 second window to tftp new firmware in, if set, way before the firmware loaded. It is supposed to be possible to also use CTRL-C from a serial console to interrupt the boot and change/erase the nvram from the CFE> prompt.
     
  35. TexasFlood

    TexasFlood Network Guru Member

  36. Toastman

    Toastman Super Moderator Staff Member Member

    I just got a PC for repair which has a parallel port :biggrin: So, I am trying to unbrick this busted router using the usual hairydairymaid utility. No joy.

    EJTAG 4.8 -probeonly reports read and write errors and does not give any useful information.

    EJTAG 3.0.1 Tornado mod -probeonly option also reports Unknown or No flash chip detected. I can't believe that just entering a wrong clock frequency would trash the flash chip, so anyone know what is wrong?


    ==============================================
    EJTAG Debrick Utility v3.0.1 Tornado-MOD
    ==============================================

    Probing bus ... Done

    Instruction Length set to 8

    CPU Chip ID: 00000101001101010010000101111111 (0535217F)
    *** Found a Broadcom BCM5352 Rev 1 CPU chip ***

    - EJTAG IMPCODE ....... : 00000100000000000000010000001001 (04000409)
    - EJTAG Version ....... : 1 or 2.0
    - EJTAG DMA Support ... : Yes
    - EJTAG Implementation flags: R4k MIPS64

    Issuing Processor / Peripheral Reset ... Done
    Enabling Memory Writes ... DMA Read Addr = ff300000 Data = (04000409)ERROR ON R
    EAD
    DMA Write Addr = ff300000 Data = ERROR ON WRITE
    Done
    Halting Processor ... <Processor Entered Debug Mode!> ... Done
    Clearing Watchdog ... DMA Write Addr = b8000080 Data = ERROR ON WRITE
    Done

    Probing Flash at (Flash Window: 0x1fc00000) ...
    DMA Write Addr = 1fc00000 Data = ERROR ON WRITE
    DMA Write Addr = 1fc00aaa Data = ERROR ON WRITE
    DMA Write Addr = 1fc00554 Data = ERROR ON WRITE
    DMA Write Addr = 1fc00aaa Data = ERROR ON WRITE
    DMA Read Addr = 1fc00000 Data = (04000409)ERROR ON READ
    DMA Read Addr = 1fc00002 Data = (04000409)ERROR ON READ
    DMA Write Addr = 1fc00000 Data = ERROR ON WRITE
    DMA Write Addr = 1fc0aaaa Data = ERROR ON WRITE
    DMA Write Addr = 1fc05554 Data = ERROR ON WRITE
    DMA Write Addr = 1fc0aaaa Data = ERROR ON WRITE
    DMA Read Addr = 1fc00000 Data = (04000409)ERROR ON READ
    DMA Read Addr = 1fc00002 Data = (04000409)ERROR ON READ
    DMA Write Addr = 1fc00000 Data = ERROR ON WRITE
    DMA Write Addr = 1fc00000 Data = ERROR ON WRITE
    DMA Write Addr = 1fc00000 Data = ERROR ON WRITE
    DMA Read Addr = 1fc00000 Data = (04000409)ERROR ON READ
    DMA Read Addr = 1fc00002 Data = (04000409)ERROR ON READ
    DMA Write Addr = 18000040 Data = ERROR ON WRITE
    DMA Read Addr = 18000040 Data = (04000409)ERROR ON READ
    DMA Write Addr = 18000044 Data = ERROR ON WRITE
    DMA Write Addr = 18000040 Data = ERROR ON WRITE
    DMA Read Addr = 18000040 Data = (04000409)ERROR ON READ
    DMA Read Addr = 18000048 Data = (04000409)ERROR ON READ
    Done

    *** Unknown or NO Flash Chip Detected ***

    *** REQUESTED OPERATION IS COMPLETE ***
     
  37. Toastman

    Toastman Super Moderator Staff Member Member

    specifying the correct flash chip (Samsung K8D3216UBC)

    D:\WRT54GL v1.1 Debricking>gl -probeonly /fc:

    =============================================
    EJTAG Debrick Utility v3.0.1 Tornado-MOD
    =============================================

    Probing bus ... Done

    Instruction Length set to 8

    CPU Chip ID: 00000101001101010010000101111111
    *** Found a Broadcom BCM5352 Rev 1 CPU chip *

    - EJTAG IMPCODE ....... : 000001000000000
    - EJTAG Version ....... : 1 or 2.0
    - EJTAG DMA Support ... : Yes
    - EJTAG Implementation flags: R4k MIPS64
    *** DMA Mode Forced On ***

    Issuing Processor / Peripheral Reset ... Done
    Enabling Memory Writes ... DMA Read Addr = ff
    EAD
    DMA Write Addr = ff300000 Data = ERROR ON WR
    Done
    Halting Processor ... <Processor Entered Debu
    Clearing Watchdog ... DMA Write Addr = b80000
    Done

    Manual Flash Selection ... DMA Write Addr = 1
    Done

    Flash Vendor ID: 0000000000000000000000001110
    Flash Device ID: 0000000000000000001000101010
    *** Manually Selected a K8D3216UBC 2Mx16 Bot

    - Flash Chip Window Start .... : 1fc00000
    - Flash Chip Window Length ... : 00400000
    - Selected Area Start ........ : 00000000
    - Selected Area Length ....... : 00000000



    *** REQUESTED OPERATION IS COMPLETE ***


    ******************************

    D:\WRT54GL v1.1 Debricking>gl -flash:cfe /noreset /nobreak /fc:19

    ==============================================
    EJTAG Debrick Utility v3.0.1 Tornado-MOD
    ==============================================

    Probing bus ... Done

    Instruction Length set to 8

    CPU Chip ID: 00000101001101010010000101111111 (0535217F)
    *** Found a Broadcom BCM5352 Rev 1 CPU chip ***

    - EJTAG IMPCODE ....... : 00000100000000000000010000001001 (04000409)
    - EJTAG Version ....... : 1 or 2.0
    - EJTAG DMA Support ... : Yes
    - EJTAG Implementation flags: R4k MIPS64

    Issuing Processor / Peripheral Reset ... Skipped
    Enabling Memory Writes ... DMA Read Addr = ff300000 Data = (04000409)ERROR ON R
    EAD
    DMA Write Addr = ff300000 Data = ERROR ON WRITE
    Done
    Halting Processor ... Skipped
    Clearing Watchdog ... DMA Write Addr = b8000080 Data = ERROR ON WRITE
    Done

    Manual Flash Selection ... DMA Write Addr = 1fc00000 Data = ERROR ON WRITE
    Done

    Flash Vendor ID: 00000000000000000000000011101100 (000000EC)
    Flash Device ID: 00000000000000000010001010100010 (000022A2)
    *** Manually Selected a K8D3216UBC 2Mx16 BotB (4MB) Flash Chip ***

    - Flash Chip Window Start .... : 1fc00000
    - Flash Chip Window Length ... : 00400000
    - Selected Area Start ........ : 1fc00000
    - Selected Area Length ....... : 00040000

    *** You Selected to Flash the CFE.BIN ***

    =========================
    Flashing Routine Started
    =========================
    Total Blocks to Erase: 11

    Erasing block: 1 (addr = 1fc00000)...DMA Write Addr = 1fc00aaa Data = ERROR ON
    WRITE
    DMA Write Addr = 1fc00554 Data = ERROR ON WRITE
    DMA Write Addr = 1fc00aaa Data = ERROR ON WRITE
    DMA Write Addr = 1fc00aaa Data = ERROR ON WRITE
    DMA Write Addr = 1fc00554 Data = ERROR ON WRITE
    DMA Write Addr = 1fc00000 Data = ERROR ON WRITE
    DMA Read Addr = 1fc00000 Data = (04000409)ERROR ON READ
    DMA Read Addr = 1fc00000 Data = (04000409)ERROR ON READ
    DMA Read Addr = 1fc00000 Data = (04000409)ERROR ON READ
    ^C
     
  38. WRobertE

    WRobertE Addicted to LI Member

    You're certainly more technically knowledgeable about all this stuff than I am, but I'd like to help if I can.

    The DD-WRT website mentions first erasing CFE before attempting to flash it.

    See Step 12 under section "Recovery by JTAG cable" in the "WRT54G/GL/GS" section.
    http://www.dd-wrt.com/wiki/index.php/Recover_from_a_Bad_Flash

    Maybe this will make a difference?
     
  39. WRobertE

    WRobertE Addicted to LI Member

    Here's an interesting post on the DD-WRT website by tornado, a DD-WRT developer:
    http://www.dd-wrt.com/phpBB2/viewtopic.php?p=347752#347752

    If the router is "bricked" due to an incorrect overclock speed, then this says the router will continue to try to use the incorrect speed stored in NVRAM even if the CFE is replaced. So, it seems that the 1st step to unbricking is to try to erase NVRAM first so that the CFE will attempt to use the default speed in its internal table during the next boot.

    The "freezer" process also sounds interesting ... I never would have thought of that.
     
  40. Toastman

    Toastman Super Moderator Staff Member Member

    Cannot erase anything because of the reported read and write errors. It could be the chicken and the egg situation - can't erase the cfe until the clock frequency has been reset by being erased :) But - why is 215 such a bummer?

    Freezing a processor is a very old trick known to all PC overclockers, but of course it only works if you had tried to overclock the frequency above the processor's maximum limit at normal operating temperatures, so it ended up dead or unstable. This one has run at 250 for years - it was downclocked to only 215, and the processor is running OK anyway.

    Nevertheless, I tried freezing it. No change.

    I'm still puzzled. This is not my field of expertise, but it appears to me as if the flash chip is not being recognized. Unless the flash type is entered manually, probes do not detect it. It would seem unlikely that it is damaged, so what on earth has happened to it? I have just trawled through a great many forum posts where it seems to me that the authors have had the same problem, with no reported outcome.
     
  41. TexasFlood

    TexasFlood Network Guru Member

    Think the results would be any different with a serial console or same issue? Just remember reading that you can hit control-c very quickly after powering the router on and get into a CFE shell, so if there is -any- window where it's stable, it might be the best shot. Of course, if it's locked from the start then there is no window and won't help.

    Actually, at least in the case of a GL, shouldn't a hard reset reset the clock frequency to default? Guess not, just did a hard reset on my TM, reset debug_clkfix to 1 but not clkfreq
     
  42. WRobertE

    WRobertE Addicted to LI Member

    Maybe some other things to try ...

    1. Try a different power supply? I've read that the flash write process stresses the power supply. Maybe the current one is marginal?

    2. Test the JTAG on another good router to see if it can read that one successfully? Maybe there's a spotty connection on one of the JTAG pins.

    3. How did you determine that /fc:19 was the correct value? I couldn't tell... was this reported by "probeonly"?

    EDIT: Never mind. I found this in the TJTAG documentation.

    4. Try hairydairymaid's utility instead of tornado's to see if it can do the read/erase?
     
  43. Toastman

    Toastman Super Moderator Staff Member Member

    Hmmm. I found this comment in DD-WRT forum:

    "I had same problem with you previously, after gone through many de-brick solutions for few months...

    I revived it by changing the flash chip, and viola, 1 flash and success.

    I found many people have the same problem with WRT54GL with samsung chip, once the cfe changed the router will brick completely.Maybe due to bad flash chip. "

    A clue...
     
  44. TexasFlood

    TexasFlood Network Guru Member

    Somehow I don't see myself replacing a flash chip, although upgrading to a 16MB flash would be cool. FYI, near as I can tell, the WRT54G-TM has an Intel JS28f640 flash chip.

    Clearly the guy who wrote the Bitsum article "Overclocking the WRT54G/GS v4, WRT54GL v1, WRT54GL v1.1" never experienced the evil 215MHz clock speed as it says at the top of the article:

    "WARNING: Although the the versions of the WRT54G discussed here (a reference to the WRT54G/GS v4, WRT54GL v1, WRT54GL v1.1 listed above) are safer to attempt to overclock than previous versions since their CFE does not allow the possibility of bricking via a bad clkfreq setting, I do not recommend overclocking unless you have built a JTAG cable to allow for recovery in case things somehow do go horribly wrong..

    While it has some appropriate warnings, it also gives an at least somewhat false sense of security about the CFE protecting you from bad clock speed settings.
     
  45. Toastman

    Toastman Super Moderator Staff Member Member

    Well, JTAG works OK in a large number of instances. But obviously it cannot, if there is a damaged component. Other routers interrogate just fine, reporting the flash immediately as the Samsung chip, so that was not the issue either. I can also read and save the cfe on those, so it seems to confirm the flash chip is busted.

    Without proper soldering tools I am not even going to think about changing the chip. Although if I can find one I can always ask one of the phone repair guys to swap it - there are a lot of those around!
     
  46. TexasFlood

    TexasFlood Network Guru Member

    So your working theory is that the clock speed 215 actually damages the flash chip somehow? Weird, suppose it's possible. Or perhaps it's something like the clock speed is set at 215 which is somehow incompatible with the flash chip. So long as it's set that way, you're screwed. If this was the case could even the evil pin shorting get you out of it? I mean it's like a catch 22. Not sure this makes sense, just thinking out loud.
     
  47. Toastman

    Toastman Super Moderator Staff Member Member

    I have no idea really. That's why I wondered if there are any hardware engineers reading the forum who might have an idea. It really seems to be fried, but I really can't imagine why setting 215 as clock for the processor would fry the flash chip. But then, this isn't my field.
     
  48. WRobertE

    WRobertE Addicted to LI Member

    Toastman ...

    Check out the following link...
    http://mail.dd-wrt.com/phpBB2/viewtopic.php?t=31298&postdays=0&postorder=asc&start=0

    This guy also had a bricked GL and it had the same Samsung chip. One thing is he used the /noemw switch.

    Ultimately, he grounded pin 16 (see post on Sun Sep 21, 2008 1:07 am) and it brought the router back. I'm aware that this should be a "last resort" approach, but if you think the flash chip is toasted anyway, what do you have to lose.

    Here's the datasheet for the Samsung chip:
    http://www.datasheetarchive.com/K8D3216UBC-PC07-datasheet.html

    Page 14 mentions a special "chip erase" mode and the thought in the above link is that grounding pin 16 triggers the flash chip to run this sequence.

    I agree with TexasFlood's idea that there's something with the 215 Mhz clock setting being somehow incompatible with some of the internal timings in the flash chip and that speed setting causes the flash chip to enter an inconsistent internal state.
     
  49. mstombs

    mstombs Network Guru Member

    This is what I get on serial console of my -TM if you interrupt the boot with CTRL-C (I have external connector to plug in for this)

    Code:
    CFE version 1.0.37 for BCM947XX (32bit,SP,LE) 
    Build Date: Thu Oct  6 16:01:20 CST 2005 (root@localhost.localdomain) 
    Copyright (C) 2000,2001,2002,2003 Broadcom Corporation. 
     
    Initializing Arena 
    Initializing Devices. 
     
    No DPN 
    et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.90.37.0 
    CPU type 0x29008: 200MHz 
    Total memory: 32768 KBytes 
     
    Total memory used by CFE:  0x80300000 - 0x803A39C0 (670144) 
    Initialized Data:          0x803398D0 - 0x8033BFE0 (10000) 
    BSS Area:                  0x8033BFE0 - 0x8033D9C0 (6624) 
    Local Heap:                0x8033D9C0 - 0x803A19C0 (409600) 
    Stack Area:                0x803A19C0 - 0x803A39C0 (8192) 
    Text (code) segment:       0x80300000 - 0x803398D0 (235728) 
    Boot area (physical):      0x003A4000 - 0x003E4000 
    Relocation Factor:         I:00000000 - D:00000000 
     
    Boot version: v3.7 
    The boot is CFE 
     
    mac_init(): Find mac [00:1A:70:xx:yy:zz] in location 1 
    Nothing... 
     
    eou_key_init(): Find key pair in location 0 
    The eou device id is same 
    The eou public key is same 
    The eou private key is same 
    Device eth0:  hwaddr 00-1A-70-xx:yy:zz, ipaddr 192.168.1.1, mask 255.255.255.0 
            gateway not set, nameserver not set 
    Reading :: Failed.: Interrupted 
    CFE> 

    So I think it has already loaded and run the CFE from flash and will not be able to fix a clkfreq from here. If there is an nvram variable that subsequently causes the firmware to crash then that could be fixed at this point.

    Toastman's flash chip does have hardware write lock which might need a special command sequence to unlock if accidentally set - but I don't see how this would prevent read. I have had devices that only respond to the HDM JTAG commands in the first second after power up, so timing can be critical.
     
  50. Toastman

    Toastman Super Moderator Staff Member Member

    mstombs - Yes, that is what I had surmised.

    However, I am now very confused. I refuse to give up because my gut feeling is that nothing can have been damaged. So I have just checked 4 more working WRT54GL's. Three of them probe the flash chip OK. But one does not, it gives *exactly* the same result as the faulty router. This one has MX flash chip. So we now have a perfectly good router in which I cannot read the flash.

    I fished my junk boxes out of the store and found the GL that was killed during the famous experiment with fyellin some time ago, in which uploading a backup from a different router bricked it. That has exactly the same problem too, Samsung chip again. So I have some reason to believe now that these 2 routers are probably recoverable. I'm not going to short any pins yet, that will be a last resort.

    I'm not sure what is wrong at the moment, but this is all very interesting and explains something I've always noticed in the forums - namely - that despite all the advice so many people do not come back to report a successful outcome to JTAG.

    Have you ever seen or read about any cause, why some routers give no trouble and others cannot probe the flash chip? It's almost certainly something simple and obvious, but I'm not seeing it :mad:
     
  51. mstombs

    mstombs Network Guru Member

  52. Toastman

    Toastman Super Moderator Staff Member Member

    Hehe - that one fools a lot of people. The resistors aren't necessary. The pins are tracked in an internal layer. Which all goes to show what I mean when I say there is so much misinformation on the forums!

    Anyway, I have progress! I now know what my problem is. I have just bodged a load of wires into the pin header connector on my gigabyte PC (EP45-UD3R) motherboard (still can't buy a backplate with D connector here) - and it probes the flash chip OK on all routers.

    The repaired machine I was using which seems to have a problem is a PC Chips M957G pile of junk. The laptop I used six months ago on the other router, which also seemed to have the same problem, was an ACER M290. So it seems to be a // port difference between manufacturers, when using the unbuffered bodge to do the job instead of a proper tool.

    Never mind. I'm off to do some flashing - more later but it seems to be doing something now.

    EDIT - seemed to be a difference in signal between the different manufacturers on pin 2 of the DB25 connector. They are in a different state on startup of the port, anyway.
     
  53. Toastman

    Toastman Super Moderator Staff Member Member

    Recovered - JTAG works normally. The actual tomato firmware was still there and OK.

    So I think anyone flashing 215 can rest assured that recovery is VERY easy and if it doesn't work it's due to your cable or PC parallel port.
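
A triage script for the debrick output posted earlier in the thread, as an added example that is not part of the original posts or of the debrick utility. In that output the chip ID reads cleanly while every DMA access fails and every DMA read returns 04000409, the same value as the EJTAG IMPCODE; the thread traced this to the PC's parallel port. The sample lines are excerpted from that output (with the console-wrapped line rejoined); function names, verdict labels, and the assumption that a DMA line without "ERROR ON" succeeded are this example's own.

```javascript
// Excerpt of the probe output quoted earlier in the thread.
const SAMPLE_LOG = [
  "CPU Chip ID: 00000101001101010010000101111111 (0535217F)",
  "- EJTAG IMPCODE ....... : 00000100000000000000010000001001 (04000409)",
  "Enabling Memory Writes ... DMA Read Addr = ff300000 Data = (04000409)ERROR ON READ",
  "DMA Write Addr = ff300000 Data = ERROR ON WRITE",
  "Clearing Watchdog ... DMA Write Addr = b8000080 Data = ERROR ON WRITE",
  "DMA Write Addr = 1fc00000 Data = ERROR ON WRITE",
  "DMA Read Addr = 1fc00000 Data = (04000409)ERROR ON READ",
  "DMA Read Addr = 1fc00002 Data = (04000409)ERROR ON READ",
  "*** Unknown or NO Flash Chip Detected ***",
].join("\n");

// Split a 32-bit JTAG IDCODE into its IEEE 1149.1 fields.
function decodeIdcode(hex) {
  const n = parseInt(hex, 16);
  return {
    version: n >>> 28,               // bits 31..28
    part: (n >>> 12) & 0xffff,       // bits 27..12
    manufacturer: (n >>> 1) & 0x7ff, // bits 11..1
  };
}

// Collect every DMA access reported in the log.
function parseDmaAccesses(text) {
  const re = /DMA (Read|Write) Addr = ([0-9a-fA-F]{8}) Data = (?:\(([0-9A-Fa-f]{8})\))?\s*(ERROR ON (?:READ|WRITE))?/g;
  const out = [];
  for (const m of text.matchAll(re)) {
    out.push({
      kind: m[1].toLowerCase(),
      addr: m[2].toLowerCase(),
      data: m[3] ? m[3].toLowerCase() : null,
      failed: Boolean(m[4]), // assumption: no "ERROR ON" means the access worked
    });
  }
  return out;
}

// Summarise a probe log and say where to look first.
function triageProbeLog(text) {
  const id = /CPU Chip ID:\s*[01]+\s*\(([0-9A-Fa-f]{8})\)/.exec(text);
  const imp = /EJTAG IMPCODE[ .]*:\s*[01]+\s*\(([0-9A-Fa-f]{8})\)/.exec(text);
  const impcode = imp ? imp[1].toLowerCase() : null;
  const dma = parseDmaAccesses(text);
  const reads = dma.filter((a) => a.kind === "read");
  const writes = dma.filter((a) => a.kind === "write");
  const allFailed = dma.length > 0 && dma.every((a) => a.failed);
  const readsEchoImpcode =
    impcode !== null && reads.length > 0 && reads.every((a) => a.data === impcode);
  const flashDetected = !/Unknown or NO Flash Chip Detected/i.test(text);

  let verdict = "ok";
  if (!id) {
    verdict = "no-jtag-response";      // nothing answered on the chain at all
  } else if (allFailed) {
    verdict = "dma-path-failing";      // check cable, port and timing before blaming flash
  } else if (!flashDetected) {
    verdict = "flash-unrecognised";    // DMA works but the flash ID is unknown
  }
  return {
    idcode: id ? decodeIdcode(id[1]) : null,
    impcode,
    reads: reads.length,
    writes: writes.length,
    failedReads: reads.filter((a) => a.failed).length,
    failedWrites: writes.filter((a) => a.failed).length,
    readsEchoImpcode,
    flashDetected,
    verdict,
  };
}
```
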
     
  54. arthurtoo

    arthurtoo Addicted to LI Member

    hey Toastman,

    did you purchase your JTAG cable off ebay or did you make it yourself?
     
  55. Toastman

    Toastman Super Moderator Staff Member Member

    I just also recovered the old GL that was killed several months ago by a backup config from a different router. So that's quite impressive, I have around 350 or so routers and now it turns out that I have not had a single hardware failure in 2 years. The two that died, I killed myself while conducting experiments, and now they are resurrected again.

    Arthurtoo - I made a JTAG cable myself - it's very easy, but you can buy from many places too. My current PC, like most these days, does not have a parallel port on the back. The motherboard has the capability but the required backplate, ribbon cable, and pin connector is not supplied, and needless to say nobody sells the damned things here. So in the end I bodged bits of wire onto the pins (put rubber insulation sleeve over the pins and jammed bits of wire down inside) and wired them to the GL with the required 100 ohm resistors where necessary. I would not suggest this is a good idea to follow, but I was just getting desperate to sort this problem out.

    What a painful experience!
     
  56. TexasFlood

    TexasFlood Network Guru Member

    Yes, but glad you got it sorted and turns out that it's recoverable.
     
  57. WRobertE

    WRobertE Addicted to LI Member

    Very impressive, Toastman. Both your skill and persistence. Congratulations.
     
