WRT54G3G dead, question about its firmware.

Discussion in 'Cisco/Linksys Wireless Routers' started by LucaR, Jan 24, 2008.

  1. LucaR

    LucaR LI Guru Member

    I am writing from Italy, first of all, sorry for my English.

    I don't know linux; I am a regular+, not expert, msdos/windows computer user; the digital electronic I know is the one referred to TTL/CMOS ports; I like use the tin welder, but playing with vacuum tubes radio sets for hobby.

    So, this is an idea of who I am, what I am able to do/understand or NOT :)

    I don't want to waste your time, so I have spent some days reading troubleshooting FAQs and guides from wiki.openwrt.org and forum.openwrt.org.

    I am writing here and I need the help of expert guys because my WRT54G3G (EU) Linksys router has fallen into a non-working state.

    Hardware version, 1.0 (?);
    original firmware 1.98.40;
    the router has been upgraded to 2.10.17 a few days prior to the crash (it has worked fine in those days).

    This was not an erroneous flashing event.
    This is the Vodafone branded version of this router and I have tried to use it with another company. When I have started the network search: that popup window has crashed and all the web interface too.

    After power off/on, the power LED keeps flashing continuously, the reset button doesn't have any effect, and, worst of all, the router does not respond to pings!

    So, using a USB-UART interface, I have reached the router through HyperTerminal (115200, 8-N-1, flow control=none, rx ASCII 7bit).

    My router is continuously telling:

    CFE version 1.0.37 for BCM947XX (32bit,SP,LE)
    Build Date: d8 9f 5 18:53:12 CST 2005 (root@NC6K.cybertan.com)
    Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.

    Initializing Arena
    Initializing Devices.

    No DPN
    rndis0: Broadcom USB RNDIS Network Adapter (P-t-P)
    CPU type 0x29007: 200MHz
    Total memory: 16384 KBytes

    Total memory used by CFE: 0x80300000 - 0x803A3660 (669280)
    Initialized Data: 0x80339570 - 0x8033BC80 (10000)
    BSS Area: 0x8033BC80 - 0x8033D660 (6624)
    Local Heap: 0x8033D660 - 0x803A1660 (409600)
    Stack Area: 0x803A1660 - 0x803A3660 (8192)
    Text (code) segment: 0x80300000 - 0x80339570 (234864)
    Boot area (physical): 0x003A4000 - 0x003E4000
    Relocation Factor: I:00000000 - D:00000000

    Boot version: v3.6
    The boot is CFE

    mac_init(): Find mac [00:00:00:00:00:00] in location 1

    No eou key find
    **Exception 8: EPC=8032562C, Cause=00000008 (TLBMissRd)
    RA=80311920, VAddr=00000430

    0 ($00) = 00000000 AT ($01) = 80340000
    v0 ($02) = 00000001 v1 ($03) = 00000000
    a0 ($04) = 00000000 a1 ($05) = 803595F8
    a2 ($06) = 80358620 a3 ($07) = 80358624
    t0 ($08) = 80359618 t1 ($09) = 00001000
    t2 ($10) = 00049048 t3 ($11) = 00000001
    t4 ($12) = 00000000 t5 ($13) = 00000000
    t6 ($14) = 9FC02278 t7 ($15) = 9FC037F4
    s0 ($16) = 803595F8 s1 ($17) = 8033E8C8
    s2 ($18) = 803A3048 s3 ($19) = 00000003
    s4 ($20) = 8033EAA8 s5 ($21) = 803A3170
    s6 ($22) = 803A3178 s7 ($23) = 803A3180
    t8 ($24) = 01000000 t9 ($25) = 00000000
    k0 ($26) = 00000006 k1 ($27) = 00000000
    gp ($28) = 80341570 sp ($29) = 803A2FB8
    fp ($30) = 00000000 ra ($31) = 80311920

    And again, forever:

    CFE version 1.0.37 for BCM947XX (32bit,SP,LE)

    I am not able to stop it anyway!
    I have tried continuously pressing ctrl+c from hyperterminal during the router bootup, connecting the cable before powering on and when it was already on.

    I guess the CFE is corrupted, and I will build a JTAG cable.

    At this point I am very confused about all I have read.

    First of all, I don't need a 3rd party Linux fw: I only want to restore the original linksys one.

    Question: the WRT54G3G_x.xx.xx_ETSI_code.bin does contain the WHOLE flash of this router? Or I need a CFE.BIN copy and something else... in order to restore the system through JTAG?

    Many thanks for any reply,
  2. mstombs

    mstombs Network Guru Member


    I guess it's out of warranty - or at least it is now you've opened it!

    I'm pretty sure the download will not include the CFE, but also I suspect it is only the NVRAM that is corrupt

    Have you tried a hard reset - press and hold the reset button for at least 30 seconds?
  3. LucaR

    LucaR LI Guru Member

    Hello mstombs,
    yes, this router is out of warranty, and I have tried various resetting procedures (some found on the web about the wrt54 and two suggested by the linksys tech support).

    Do you think the wrt54's pin-shorting trick to clear the nvram may apply to wrt54g3g?

    By the way, do you know where I could find, in case it will be actually corrupted, a valid CFE copy?

    Finally, when booting, what the router is looking for at mac address 00:00:00:00:00:00?

    "mac_init(): Find mac [00:00:00:00:00:00] in location 1"

    Many thanks,
  4. mstombs

    mstombs Network Guru Member

    Never had to do pin shorting - it's risky, you could damage the flash permanently.

    Don't know about CFE, sometimes it's in the GPL distro - it's not in the source but maybe it will appear if built - there are some ".o" files that might get used!

    I don't know how to backup the CFE from a live router - but I recall Tomato has an option in its firmware and can be done from a command line for other devices.

    No idea what it is looking for, but have you tried with/without a 3g adaptor and with/without a mobile SIM?
  5. LucaR

    LucaR LI Guru Member

    Hello again.

    In order to settle the nvram, in this moment I know 3 ways only:
    #1 hard reset to defaults (doesn't work for my router);
    #2 pin-shorting (probably, as you tell, dangerous);
    #3 erasing through the EJTAG utility of HairyDairyMaid (I will try to build the cable in this weekend, but I have to see if the JTAG pins on the wrt54g3g pcb are the same as the wrt54).

    Do you know other solutions?

    About the CFE and GPL distro, unfortunately I am not able to build the fw!
    I have looked at linksys ftp for somethings like a wrt54g3g cfe.bin file, but I haven't had good luck :-(
    In this moment I guess the only way is to obtain the cfe from another router via jtag.

    In both cases (gpl distro built/recovering from a router) I will need the help of a good soul :)

    Are there some, or at least one, of them? ;-P

    All I have done, as the linksys support has told, was done without datacard and without ethernet cables.

    Bye and have a nice weekend,
  6. LucaR

    LucaR LI Guru Member


    I have built the jtag cable, but the HDM v4.8 windows utility doesn't seem to work correctly.

    In a first time, it doesn't recognize the cpu id in any way.

    Then I have seen that pin n°12 of the wrt54g3g connector isn't grounded on the pcb side... so I have thought that it must be on the db25 side, and I have connected it to pins n°20-25 with a 100 ohm resistor.

    Then the utility has started to work somewhat... when it has recognized the cpu id it has failed to stop the cpu itself for debug and has failed to identify the intel's flash chip.
    In other times it has failed to identify the cpu id.

    Now (I can't work at the wrt54g3g when I am on the net because it is in another location) I have sent the command wrt54g -backup:cfe /nocheck (I don't remember the name of the last switch that I have called "nocheck"... it is the one to avoid the cpu id check) and the utility has arrived to the flash check... then I have let it work and I am here.

    I don't know what to think about the jtag's pin n°12 (ground/un-ground) and about the unstable operation of the HDM's utility.

    In this moment I am guessing I have done a longer jtag cable of about 1,5mt.

    When at home I will cut it to a smaller size and I will retry.
  7. LucaR

    LucaR LI Guru Member

    It works!

    This is the happy end.

    Jtag cable shortened to less than 50cm (19"), pin n°12 unconnected.

    The HairyDairyMaid's utility v.4.8 has worked smoothly and the problem was into the nvram only.

    By the way, attached there is the cfe.bin for wrt54g3g-eu v.1.0

    PS#1: the file is cfe.bin then RAR compressed and finally ZIP compressed to reach the forum's upload limit and filename extensions exclusions.

    PS#2: in this moment I am having problems connecting with a legally unbranded Cingular Option GT MAX 3.6 and a network that is not Vodafone (and the linksys tech support has told me that the EU version could connect with Vodafone only...).
    Any tips?


    Attached Files:

    • CFE.zip
      File size:
      93.8 KB
  8. mstombs

    mstombs Network Guru Member

    Gosh - you had a busy weekend congratulations!

    I have used a short ribbon HDM cable before - the guide is a bit misleading - you can see a round extension cable in the photo!

    Tornado on the dd-wrt forums has extended the HDM utility - to tjtagv2 to support more CPU/flash combinations - but looks like you didn't need it!

    I haven't tried building the firmware - but it looks complete similar to WAG200G distros which do compile.

    I take it the CFE is from your router? I guess it will also include your MAC address?

    Sorry can't help with 3G - I know of one being used with Vodafone and I could find out the real supplier of the 3G PC-Card SIM adaptor (I know it is just badged Vodafone).
  9. LucaR

    LucaR LI Guru Member

    Nice to hear from you!

    Well, I don't have finished my studies in electronic engineering years ago... but I do must know that my 60" unshielded flat cable did not have to work!
    I can't blame HDM so much for this :)

    Yes: the CFE comes from my own router but I have set the MAC address to 00:00:00:00:00:00

  10. LucaR

    LucaR LI Guru Member

    I am forgetting...

    I am looking for a wrt54g3g-EM CFE copy in order to try learning something...

    Is there anyone among the readers of this thread who can provide it or knows where to look for it?

  11. mstombs

    mstombs Network Guru Member

    Can't help with the CFE, but just wanted to say the source code in WRT54G3G_v2_01_02_EURO.tgz
    builds fine, I didn't use the enclosed toolchain, just another Linksys WRT54GL one that I already had in the right place, I haven't checked the logs but it ran to completion producing:

    -rw------- 1 root root 3224576 2008-01-31 21:40 code.bin
    -rw-r--r-- 1 root root 3260416 2008-01-31 21:40 linux.bin
    -rw-r--r-- 1 root root 3223552 2008-01-31 21:40 linux.trx
  12. LucaR

    LucaR LI Guru Member

    What are you writing hasn't a meaning for me :-\

    My experience with software building were some visualbasic cgi scripts and some simple c++ codes that I never compiled!

    But... can I test the fw you have built?? :)
  13. mstombs

    mstombs Network Guru Member

    I've never attempted to run my own compiled firmware for WRT54G**, so wouldn't recommend it. BUT have you noticed there is now newer firmware posted on Linksys website 2.01.03 (UK at least)

  14. LucaR

    LucaR LI Guru Member

    Wonderful mstombs!

    This is good news for me.

    I have loaded that fw on my router and it works somehow...
    Now I know that is the cingular Option card that doesn't like to work with wrt54g3g, because if the Vodafone fw allow the 3G connection through the hardware connection button only, the EM fw allow the automatic connection in a very strange way. In other words, with this fw the router connects, but the router's 3G blue led stay off and on the router setup page there is the written "disconnected-connect"...
    Only the time counter on the router management pages seem to know that all is working...

    Now I will try to upgrade the datacard fw.

    PS: sorry for my reply delays.

  15. mstombs

    mstombs Network Guru Member

    I'm confused about Linksys firmware versions, 2.01.03 says it is based on 2.01.00 and it is more recent than 2.10.17 which says it is based on 2.01.02 (which is the latest with GPL sourcecode available). I don't know the difference between Euro, EM and ETSI versions.

    Version 2.02.2 for the US WRT54G3G-AT is also based on 2.01.00 and quite new

    Wireless-G Router for Mobile Broadband 
    Release Notes 
    Firmware Version 2.02.2 
    I. FILE DETAILS File Name WRT54G3G-AT_2.02.2_US_code.bin 
    Firmware Version 2.02.2 
    Previous Firmware Version 2.01.0 
    Firmware Release Date January 4, 2008

    There's also a US version for WRT54G3G-ST (Sprint?) which is at v 2.00.9

    If the 3G light doesn't come on maybe the router is connecting in one of the slower GSM/GPRS modes?
  16. LucaR

    LucaR LI Guru Member

    I know that EU suffix stays for Vodafone branded routers.
    The EU firmwares have pre-loaded Vodafone APNs and they may officially work with a reduced number of datacards compared with the datacard types allowed by the EM ones.

    "Officially" a EU router is not able to work with datacards that aren't Vodafone branded and is not able to connect to non Vodafone networks.

    Yes, this is the official statement, but I know that something works however without Vodafone.

    Like EU are ST and AT.

    The EM ones should be "free-use" routers.

    About the 3g light:

    I think no: I haven't use GSM/GPRS because the first thing I do everytime I reset/upgrade/downgrade the fw is to set the "UMTS/3G/HSDPA Only" mode, due to fees question with my network carrier.

    I have updated the Option datacard: with the 1.12.1Hd firmware the light goes on...
    Even if the router can't still reach acquiring the network name.

    In order to connect I must start a manual network search and when I select the network from the choices it has found, the router connects immediately...

    I think I must wait a new fw release.

  17. angel8865

    angel8865 Guest

    Hello @ all!
    I'm searching for the following WRT54G3G backup files: CFE.BIN, NVRAM.BIN, KERNEL.BIN and WHOLEFLASH.BIN. If you have something send it to me. I tried to open the CFE.BIN in the CFE.ZIP archive from LucaR, but it's corrupted.

    Thank You!
  18. LucaR

    LucaR LI Guru Member


    I have checked it again now: it works.

    First unzip the file, then unrar. Finally you will obtain the cfe.bin.

    You will need a tool (I don't remember its name) in order to set the proper MAC ADDRESS of your set (see the label on the bottom of your WRT).

    I think that nvram.bin isn't needed: when erased, it is rebuilt by the uP on power up.

  19. Hirschkäfer

    Hirschkäfer Networkin' Nut Member

    bricked WRT54G3G reanimated

    Hello to all who want to repair their bricked WRT54G3Gs

    1. in reply to angel8865:
    The CFE.ZIP from LucaR isn't corrupted, but in fact a gzip file and therefore 3 times compressed: rename to cfe.z, un-gzip, rename the output to cfe.zip, unzip, output=cfe.rar, unrar this and finally get cfe.bin.
    This bin is identical to the one I backed up out of my router, except
    the MAC address, and the textstring "CKI00F201631" at offset 3FE32h.

    2. my own experience:
    I had the same problem as LucaR: Rapidly flashing power LED, no effect of 30sec reset switch, no ping.
    Searched around a lot. Found the HairyDairyMaid debrick utility, don't remember where. The file name is "HairyDairyMaid_WRT54G_Debrick_Utility_v48.zip", google for this if you want it. In my case, all I needed for the work is included in this file.
    The utility is working fine also for the WRT54G3G without any modifications.
    So I say 1000 thanks to HairyDairyMaid for his (her?) great work !
    As described in the included guide, I soldered in the 12pin JTAG jumper block
    (at the WRT54G3G located right at the side of the serial I/O jumper block, see text graphics) and built a very short passive parallel JTAG cable.

       JTAG        Serial
    12 │●●│ 11      ┌─┐
    10 │●●│ 09      │●│ 5 (Gnd)
    08 │●●│ 07      │●│ 4
    06 │●●│ 05      │●│ 3 (RxD)
    04 │●●│ 03      │●│ 2 (TxD)
    02 │○●│ 01      │●│ 1
       └──┘         └─┘

    Following HairyDairyMaid's proposal, first I backed up bootloader (CFE), kernel and
    NVRAM, omitting wholeflash, because it only consists of the mentioned 3 parts in
    the mentioned order. Again following the proposal I decided to erase just the
    NVRAM. After the reboot everything went OK, all interfaces working normally.
    Finally I found out that the router is running the same software as LucaR's one
    (V2.10.17 Vodafone), so I suppose a bug in this release, writing unallowed values
    to the NVRAM at updating the search network page.

    happy WRTing, the Hirschkäfer
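
    Added example, not part of the original posts and not code from any tool named in the thread: a Python sketch of the two checks described in the post above, identifying each wrapper of a mislabelled upload by its magic bytes rather than its file name, and listing the byte ranges where two bootloader dumps differ so that device-unique fields can be reviewed before a dump is shared. The 256 KiB image size, the MAC offset 0x1E00, the sample MAC and the placeholder string are constructed for the demonstration; only the offset 3FE32h and the string "CKI00F201631" come from the thread.

```python
import gzip, io, zipfile

MAGIC = [(b"\x1f\x8b", "gzip"), (b"PK\x03\x04", "zip"), (b"Rar!\x1a\x07", "rar")]
LIMIT = 8 * 1024 * 1024  # assumed cap on unpacked size, guards against bombs

def sniff(data):
    """Name the container by its leading magic bytes, ignoring the file name."""
    return next((kind for magic, kind in MAGIC if data.startswith(magic)), "raw")

def peel(data, max_layers=8):
    """Unwrap gzip/zip layers; stop at rar (needs an external tool) or raw."""
    layers = []
    for _ in range(max_layers):
        layers.append(sniff(data))
        if layers[-1] == "gzip":
            data = gzip.GzipFile(fileobj=io.BytesIO(data)).read(LIMIT + 1)
        elif layers[-1] == "zip":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                (member,) = zf.infolist()  # exactly one file expected
                if member.file_size > LIMIT:
                    raise ValueError("zip member too large")
                data = zf.read(member)
        else:
            break
        if len(data) > LIMIT:
            raise ValueError("unpacked data too large")
    return layers, data

def diff_ranges(a, b, gap=4):
    """Return (offset, length) runs where two equal-sized dumps differ;
    runs separated by fewer than `gap` identical bytes are merged."""
    if len(a) != len(b):
        raise ValueError("dumps differ in size")
    runs = []
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and runs and i - sum(runs[-1]) < gap:
            runs[-1] = (runs[-1][0], i + 1 - runs[-1][0])
        elif x != y:
            runs.append((i, 1))
    return runs

def build_samples():  # constructed 256 KiB stand-ins, not real firmware
    mine, shared = bytearray(0x40000), bytearray(0x40000)
    mine[0x1E00:0x1E06] = bytes.fromhex("021122334455")  # MAC, offset assumed
    mine[0x3FE32:0x3FE3E] = b"XXXXXXXXXXXX"               # placeholder string
    shared[0x3FE32:0x3FE3E] = b"CKI00F201631"             # string from the post
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cfe.bin", bytes(shared))
    return bytes(mine), bytes(shared), gzip.compress(buf.getvalue())

if __name__ == "__main__":
    mine, shared, upload = build_samples()
    layers, image = peel(upload)
    print(layers, [(hex(off), n) for off, n in diff_ranges(mine, image)])
```

    Every range reported by `diff_ranges` is a candidate per-device field to zero or review before publishing a dump, as was done with the MAC address earlier in the thread.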
  20. mstombs

    mstombs Network Guru Member

    congrats - just a 'for info', HairyDairyMaids great old wrt54g utility (available from OpenWrt archive I recall) is still in active development in a number of JTAG tools - the most advanced is dd-wrt tornado's tjtag program which supports a number of new routers and flash types. There are also versions for SpeedTouch stjtag, wag200g and I'm sure the same code is inside Ciclamab for ar7 routers
  21. token_z

    token_z Reformed Router Member

  22. JoeYang

    JoeYang Reformed Router Member

    Hi, Sir:

    I don't have permission to download your cfe, please help .

  23. JoeYang

    JoeYang Reformed Router Member

  24. mstombs

    mstombs Network Guru Member

    New users are blocked from downloads by default policy to save bandwidth sucked by bots, so have patience - also check the dd-wrt cfe repository - I recall giving it to them as well.