
Unbrick WRT54 using JTAG interface

Discussion in 'Cisco/Linksys Wireless Routers' started by Disman_ca, Dec 30, 2004.

  1. Disman_ca

    Disman_ca Super Moderator Staff Member Member

    I have seen many posts related to people bricking their routers (I did it once to my WRT54G unit). As probably posted many times already, it is next to impossible to "brick" a Linksys WRT54G or GS unit. There are many sources to help you recover a "bricked" unit. But what happens when the 30 second reset doesn't work or power on while holding the reset for 5 seconds? How about the "pin short method"? Enter the JTAG recovery method. It has been discovered that you can perform a hardware hack/mod to add on a JTAG interface on the circuit board. hairydairymaid of the Sveasoft dev team has put together a really good recipe and even coded the utility to do the flash recovery method. http://www.sveasoft.com/modules/phpBB2/viewtopic.php?t=6796&highlight=jtag. It was originally written for Linux but has recently been ported to Windows by ShermanOwen. Go to http://www.sveasoft.com/modules/phpBB2/dlman.php?func=select_folder&folder_id=19 for the public "tools" section where it resides. The only problem left is to get a virgin whole flash image with the embedded unique MAC stripped out so that it could be a generic image for anyone to use.
  2. kinemax

    kinemax Network Guru Member

    Unfortunately this doesn't help those of us who are not subscribers of sveasoft.
  3. Avenger20

    Avenger20 Network Guru Member

  4. Disman_ca

    Disman_ca Super Moderator Staff Member Member

    In that case, an alternative is below if you don't want to subscribe. You probably won't receive any support in this forum for it though, as the author is part of the dev team. Please note the user guide is in the first file only (PDF).

  5. Celphor

    Celphor Network Guru Member

    What a great method!

    I had a brick (WRT54G v2) with flashing power LED. No way to ping or tftp a new firmware. boot_wait was set!!! I tried all possibilities of resetting (short, long, very long, while powering on or later). All I got was the DMZ LED coming up after the 2 second reset. I tried 10Mbps/half duplex, several tftp programs on Windows and Linux, but it turned out that nothing could bring it back to life. Even 15/16 shorting only lit the DMZ LED and nothing more.
    I knew I played with fwbuilder 2.0.0 before which might have scared my nvram (script too big to fit in rc_firewall).
    Since my brick was "born" on 12/31 8pm I wouldn't have had the chance to buy a 232 chip and build the serial interface until 3/1. I didn't want to wait that long so I searched the web up and down until I came across this thread.

    I decided to set up the JTAG interface and had all required tools at home (even the 4 resistors, which I bought about 20 years ago in my youth).
    The rest came from an old P133 PC and a Soundblaster 16. Thank god I kept the old stuff for so long :)

    The cable was built in around 2 hours. I did the flash backup and erased the nvram. And? My old bun came back to life!!!! Now it is immortal :)

    Thank you so much everybody who discovered this great interface and wrote the software. You saved my weekend, my nerves and my money!
    Sometimes it's so easy :)
  6. Disman_ca

    Disman_ca Super Moderator Staff Member Member

    I'm glad my post has helped you, Celphor, although I haven't used the JTAG method yet. This is the reason I posted it here, as I have seen enough posts about bricks. We all have to share what knowledge we come across. I am also intrigued that you used an old Soundblaster card for donor parts. May I ask what parts exactly you used from the P133 and SB16?
  7. Celphor

    Celphor Network Guru Member

    From the SB 16 I used only the socket pins needed for JP2.
    From my P133 I took the parallel port cable (DB25), but this can be found in almost any desktop PC I guess. It has a female connector. Normally you need a male connector, but I have an old external SCSI-extension cable (both sides male) with all cables connected 1:1.
    I think I needed it for an external ZIP drive some decades ago :)

  8. JIMBELMAR

    JIMBELMAR Network Guru Member

    Celphor, could you tell me the syntax, or command you use to flash?
    I have built the interface cable but I am not having any luck with the commands.

  9. JIMBELMAR

    JIMBELMAR Network Guru Member

    Never mind, I figured out the commands. The one I needed is

    wrtjtag -flash:cfe

    One other problem I ran into was the ini file. I had to configure it as

    tck =1
    tms =2
    tdi =0
    tdo =4

    It is in the process of writing now, so I will find out if this works. It does look promising.
  10. videoato

    videoato Network Guru Member

    How to debrick WRT54G v4 with wrtjtag

    I made a JTAG cable, but I have a WRT54G v4. When I try to connect it to read the bcm5352 flash, it doesn't read, and it shows some causes: the cable is not adequate, the flash is not bcm47xx, and two more options. How can I make wrtjtag work with the bcm5352 to debrick it? Thanks for your help.

    Luis M. Lopez H.
    Atotonilco, Jal. Mex
  11. Disman_ca

    Disman_ca Super Moderator Staff Member Member

    Re: How to debrick WRT54G v4 with wrtjtag

    The utility has been updated by the author so I found another link for ya. I'm not sure if it supports your hardware version.
  12. videoato

    videoato Network Guru Member

    Thanks for your help, I try the new one debrick, after I commented your

    Luis M. Lopez Herrera
    Atotonilco, Jal. Mexico
  13. crawdaddy

    crawdaddy Network Guru Member

    I am having similar problems where it won't identify the chip. In addition, I guess I need the entire image or something, so that once I do get it connected, I can get this router back up and running. Any help is IMMENSELY appreciated, as it's near impossible to find a non v4 or v5 router in my area.
  14. Disman_ca

    Disman_ca Super Moderator Staff Member Member

    CFE generator

    For those of you who would like to have a CFE for your hardware, this link can be useful. http://lonewolf.hacker-nin.com/wrt/cfe/cfe.php Please note it is outdated and has not been updated. Site owner is/was a sveasoft dev team member (not currently active).
