WAG200G firmware upgrade failed - now Power LED only RED

Discussion in 'Other Linksys Equipment' started by ArrowSat, Sep 15, 2007.

  ArrowSat

    ArrowSat LI Guru Member


    During firmware upgrade process electricity went off, now status is like this:
    Power LED always RED, DSL LED red-green blinking, if any ethernet is connected, green led goes on and blinks after some time.

    I CANNOT PING, cannot access, cannot RESET on switch, everything went wrong !

    Is there anyone with a full flash file, or someone that could help with this problem?

    All solutions like TFTP etc. are not working; all IP addresses are set OK, but still NO PING, NO REPLY, NO WIRELESS activity.

    Help, help, help....

    It would be a pity to put this nice little box into the recycle bin.

  ItalianJob

    ItalianJob LI Guru Member

    Use the 3 years warranty, call Linksys.
  car67

    car67 LI Guru Member

    As someone who's spent the last 2 weeks on and off setting up a WAG200G (under the impression I didn't need a wireless adapter if I used the ethernet cable), I used the reset option on the back of the router quite a number of times. :)

    I realise this may not be the best option for you as it will probably result in you losing all or some setup details, but if the hardware is stuck partway through a firmware upgrade it might be worth considering as a last resort.
  Toxic

    Toxic Administrator

    contact linksys for an RMA
  ArrowSat

    ArrowSat LI Guru Member

    Thanks for advice on RMA, but...

    Previous owner tried to open it, didn't know for screw location and made physical damage to mask.
    Now, RMA is not acceptable by importer (reason to reject - is more than normal - small damage was made to plastic case). So - I got an unusable device and I feel sorry to slam it in the recycle bin.

    I opened device and tried to re-flash MX chip externally - but no luck because I have no valid flash dump. Only firmware is not enough.

    If interested I can send you flash readout from this WAG200G - but as I said, it is unusable. Maybe someone can analyze what happened.

    Thanks again to all.
    Keep this game.


    PS. back microswitch for reset - as I said - is NOT working (nothing happens) even if 30 sec pressed and power on/off etc.... I am familiar with Linksys devices more than 3 years now... know how it works... but here in this case - it does not work.
  ArrowSat

    ArrowSat LI Guru Member

  mstombs

    mstombs Network Guru Member

    The flash dump seems to show the bootloader is intact - minor differences such as date only from the loader.bin in WAG200G GPL source to the start of the dump you have given

    The Bootloader seems to be typical Ti ADAM2 with default IP address, and suggests the default flash is arranged as follows

    mtd2 will be the Bootloader, mtd1 the kernel, mtd0 the filesystem.

    usually mtd3 is the environment variable section, maybe mtd4 is a default environment? mtd5 may hold web screen language options?

    With an intact bootloader you should be able to get to the adam2 prompt via ftp and reload the firmware...

    Alternatively you should be able to hook up a serial console cable and see what is going on.

    PS How did you download the flash contents - JTAG?

    From another post in this forum:-

  ArrowSat

    ArrowSat LI Guru Member

    I get flash dump by removing flash chip with SMD rework station and reprogram it in external programmer - Labtool48, with adequate flash chip adapter.

    I will build serial console adapter and see what happens.
    Till then - I have no clue what the hack is going on with this nasty little device :)

  mstombs

    mstombs Network Guru Member

  Toxic

    Toxic Administrator

    You already answered this. The power cut and the fact you were upgrading the firmware are the time. It has trashed the WAG200, simple.

    BTW I have RMA'd many routers to Linksys even when the label has not been intact.

    Good luck with your JTAG reflashing, but it would be simpler to RMA the unit.
  ArrowSat

    ArrowSat LI Guru Member

    Need someone to dump FULL flash from working device WAG200g.

    Many thanks.

  ItalianJob

    ItalianJob LI Guru Member

    Quite same problem for me after a flash that never ends on my Linksys WAG200G (I was in Wifi mode, what a bad idea)...

    => Power LED is always red, other LEDs are off, if any ethernet client is connected, ethernet led goes on and blinks (green) sometimes.

    I opened a thread at routertech : http://www.routertech.org/viewtopic.php?p=24970

    I hope there's an undocumented fail safe mode ( :confused: ) or someone to give precise links for UART or JTAG how to ?

    From the WK site :
    "Picture showing location of the connectors on the WAG200 board:
    1 - JTAG, 2 - UART ( it's under the barcode sticker )."

    "Here are Marcin's picture of soldered in JTAG and UART connectors:"

  mstombs

    mstombs Network Guru Member

    Update, in case anyone's still waiting:-

    Woytekm has now published full flash images, suitable for JTAG


    The HairyDairyMaid passive parallel JTAG connector should work with the Ti AR7 processor, I have used this on similar processor in ADSL2MUE.

    Note JTAG is only a last resort, should only be needed if bootloader (CFE) corrupt, and not for just a failed/incomplete firmware upgrade (tftp should work there). But there are various reports that corrupt config data can brick a router - it's even in the HDM docs that just clearing the config area of flash (by JTAG) is often sufficient to revive such devices.
  bovirus

    bovirus LI Guru Member

    The main problem is that the bootloader (Adam2) is a custom version without the TFTP feature to recover a bricked router (and without the option to stop the bootloader).

    The only way is using JTAG (with the debrick sw utility).
  ArrowSat

    ArrowSat LI Guru Member

    Back to past :)

    These days I am again playing with this faulty linksys.
    Will post some results in few days.

  ArrowSat

    ArrowSat LI Guru Member

    And finally GOOD NEWS !

    WAG200G now works again !

    JTAG solution was OK, using full flash dump provided by woytekm!
    Thanx for really great work.

  bovirus

    bovirus LI Guru Member

    We are working on some mod of bootloader to enable quick reflash using Tiupgrade.
    I will publish any news about it ASAP.
  ArrowSat

    ArrowSat LI Guru Member

    :) LOL

    After almost 2 years I found time and nerves to finish this "hard way" and day after that you are telling me that there is easy way :)

    Just kidding :)

    Either way, I managed to make it work perfect. Hard way is my middle name :)
  bovirus

    bovirus LI Guru Member

    I didn't say that there is an easy way.
    We are working to find it and to have a document to show it.
    To avoid in the future the use of JTAG (not all can do it).
  mstombs

    mstombs Network Guru Member

    I remember your posts 2 years ago - well done - it means you were able to solder the flash back in OK?
  bovirus

    bovirus LI Guru Member

    The WAG200G JTAG is the same as that of the Dlink DSL-5xxT/G6xxT family.
    You can build a parallel-JTAG cable with 6 resistors (easy and cheapest).
  ArrowSat

    ArrowSat LI Guru Member

    Waiting for news :) Bovirus dont forget us :)
  bovirus

    bovirus LI Guru Member

    The WAG200G has some problems with firmware upgrades due to the firmware file structure.

    Every firmware upgrade ALWAYS includes an upgrade of the bootloader (even if it never changed).
    It means that any problem during the upgrade means a bricked router (due to a wrong bootloader update).
    It would be a better solution, if the bootloader doesn't change, to make a firmware upgrade that doesn't involve the bootloader.

    The bootloader is also the big problem. It's a custom Adam2 version with many features missing. It reads/saves on MTD4 (and not on MTD3 like the standard bootloader), doesn't have the tftp feature (usable with Tiupgrade to recover a dead router), and the bootup cannot be interrupted.

    Our job will be done in two phases.

    - Test a custom bootloader (based on the Adam2 standard bootloader with read/write on MTD4). In this way it should be possible to save/restore any partitions (except filesystem/kernel) and it should be possible to recover the firmware without touching the bootloader.

    If the bootloader test is OK, we will test a special recovery firmware (based on the original firmware with telnet but with the bootloader section stripped).

    If the bootloader test is OK, we will work on other firmware upgrade options.
    It should be possible (already tested) to load the Routertech 2.91.1 Pspboot 1350A firmware (many more options than the Linksys firmware).

    Many, many tests will be necessary.
  ArrowSat

    ArrowSat LI Guru Member

    Well, I am here :) Jtag is also still present.

    Thanks to all again, without you guys I will never manage to do it (even after 2 years).

    Few basic infos (may be useful for someone):

    - While desoldering flash chip, you have to be extra careful, it is very thin foil on motherboard, if you understand what I mean. It could be easily torn from board, leading to have faulty motherboard (some pin leading missing). I almost lost few of leads. And I am experienced with SMD rework station.

    - Much much better way is to leave flash alone, on motherboard, and make cheap but very useful JTAG.

    - If possible, solder 14 pins header. It is useful when doing multiple JTAG flashes (takes about 17 hrs to do full JTAG flash). Usually, I LIKE to readout written flash file to other file and compare it after reading. If it is same - great! If not, re-flash with JTAG, but before that re-check any connections JTAG-LPT, if there is difference again, you might have faulty flash on board (very rare, but possible). Then, desoldering is only way, with flash chip replacement.

    - Use woytekm full flash file for JTAG - it worked for me, and some others did not. (do you need that file, or it is well-known for us?)

    What I concern now, is that, should I change MAC address to original ? And how? Not JTAG again ?

    @ Bovirus
    Maybe good starting point is making known woytekm jtag file in "lite" version, just bootloader and basic stuff, for fast JTAG re-flash operation, then upgrade firmware via ethernet.
    With that file we will save time after an unsuccessful firmware upgrade (until new bootloader comes).

    My WAG200G is ROCK STABLE now ! Rulez ! :)
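
The read-back-and-compare check described in the post above, as an added example that is not part of the original thread: it reports which byte ranges and blocks of a readback differ from the image that was written, so a mismatch can be located before repeating a flash that takes hours. The 64 KiB block size and the sample data are assumptions; the same `diff_ranges` call can also compare a bootloader file against the start of a dump.

```python
import hashlib

BLOCK = 0x10000  # assumed 64 KiB reporting granularity; set to your chip's erase size


def diff_ranges(a: bytes, b: bytes, gap: int = 8):
    """Byte ranges [start, end) where a and b differ. Runs separated by fewer
    than `gap` matching bytes are merged; a length mismatch (truncated
    readback) is reported as one trailing range."""
    n = min(len(a), len(b))
    ranges, start, last = [], None, None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
            elif i - last > gap:
                ranges.append((start, last + 1))
                start = i
            last = i
    if start is not None:
        ranges.append((start, last + 1))
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


def verify_readback(written: bytes, readback: bytes, block: int = BLOCK):
    """Compare the image that was flashed with the dump read back afterwards."""
    ranges = diff_ranges(written, readback)
    bad = sorted({off // block
                  for s, e in ranges
                  for off in range(s - s % block, e, block)})
    return {
        "match": not ranges,
        "sha256_written": hashlib.sha256(written).hexdigest(),
        "sha256_readback": hashlib.sha256(readback).hexdigest(),
        "ranges": ranges,
        "bad_blocks": [(b * block, (b + 1) * block) for b in bad],
    }


# Constructed sample: a 4 KiB "image" and a readback with three flipped bytes.
IMAGE = bytes(range(256)) * 16
corrupt = bytearray(IMAGE)
for off in (0x405, 0x407, 0xC00):
    corrupt[off] ^= 0xFF
READBACK = bytes(corrupt)

if __name__ == "__main__":
    report = verify_readback(IMAGE, READBACK, block=0x400)
    for lo, hi in report["bad_blocks"]:
        print(f"re-flash block 0x{lo:06X}-0x{hi - 1:06X}")
```
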
  bovirus

    bovirus LI Guru Member

    As I said before I'm working on bootloader mod.

    It's possible to change the MAC address via telnet by changing the mac variable.

    Also, when someone reflashes the router via JTAG, before flashing it's important to change the MAC address (starting with 00:) in the JTAG flash file to the original MAC address.

    If the bootloader mod works fine, it should be possible to reflash the firmware without JTAG, using Tiupgrade.

    I created some different JTAG files (e.g. original Linksys 1.01.09 with telnet always enabled (my personal & MisteroX mod)). Where can I find the woytekm JTAG lite file?
  ArrowSat

    ArrowSat LI Guru Member

    I will send to you on email if you like, I found it on net, cannot remember now exact address.

    With permission from Woytekm hope it could be public.

  ArrowSat

    ArrowSat LI Guru Member

    Where is position of MAC in firmware (address) in hex ?
  bovirus

    bovirus LI Guru Member

    You can search for the string "00:" with a program like WinHex (shareware) or XVI32 (freeware).
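
The search described in the post above, as an added example that is not part of the original thread: instead of looking for the bare string "00:", it matches complete ASCII MAC addresses in a flash image, lists their offsets, and overwrites one in place without changing the image size. It assumes the MAC is stored as ASCII text, as the thread implies; the sample bytes and the names `mac_a`/`mac_b` are constructed placeholders.

```python
import re

# ASCII MAC (aa:bb:cc:dd:ee:ff) that is not part of a longer hex/colon run
MAC_RE = re.compile(
    rb"(?<![0-9A-Fa-f:])(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f:])")


def find_macs(image: bytes):
    """Return [(offset, text)] for every ASCII MAC string in the image."""
    return [(m.start(), m.group().decode("ascii")) for m in MAC_RE.finditer(image)]


def patch_mac(image: bytes, old: str, new: str):
    """Overwrite each ASCII occurrence of `old` with `new`, keeping every
    offset and the image size unchanged. Returns (patched_image, count)."""
    if not MAC_RE.fullmatch(new.encode("ascii")):
        raise ValueError(f"not a MAC address: {new!r}")
    out, count = bytearray(image), 0
    for off, text in find_macs(image):
        if text.lower() == old.lower():
            out[off:off + len(text)] = new.encode("ascii")
            count += 1
    if len(out) != len(image):
        raise RuntimeError("image size changed")
    return bytes(out), count


# Constructed sample region; the variable names mac_a/mac_b are placeholders,
# not the real names used by the WAG200G bootloader environment.
SAMPLE = (b"\xff" * 16 + b"mac_a\x00" + b"00:01:02:03:04:05\x00" +
          b"\xff" * 8 + b"mac_b\x00" + b"00:01:02:03:04:06\x00" +
          b"built 00:15:42\x00")

if __name__ == "__main__":
    for off, text in find_macs(SAMPLE):
        print(f"0x{off:06X}  {text}")
    patched, n = patch_mac(SAMPLE, "00:01:02:03:04:05", "00:AA:BB:CC:DD:EE")
    print(n, "replaced;", find_macs(patched))
```

In the sample, a plain search for "00:" hits three places, one of them a timestamp, while the full pattern returns only the two addresses.
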
  ArrowSat

    ArrowSat LI Guru Member

    Found, thanx.

    Waiting for news from you.
  cristiaw

    cristiaw Networkin' Nut Member

    Me too... waiting for news...

    I have the same problem as ArrowSat...

  ValiCheche

    ValiCheche Networkin' Nut Member

    Hello, I know this might be the unholy practice to revive an undead thread, but I have a wag200g which I want to debrick just for the sake of it (got it for free and used it as a switch 'till now :) ).

    I have 2 issues:
    1. woytekm website seems to be gone, at least the wag200g section of it.
    Can someone please email me the wholeflash.bin for wag200g, maybe the lite version ArrowSat was mentioning here....
    vali dot cheche at yahoo dot com
    For starter, I got the img from linksys, hexedited the generic MACs to match my wag200 mac, and renamed it to WHOLEFLASH.BIN. But I doubt this will do. Will it?

    2. I am using the HDM debrick tool modded for wag200, I took it from here:
    http://sourceforge.net/projects/openwag200/files/WAG200 Tools/HairyDairyMaid EJTAG Debrick Utility v4.5/
    The problem is it gets stuck at Clearing watchdog or, if I use the /nocwd switch, at Manual Flash Selection.
    What syntax should I use in order to get this done? Can anyone please advise? I am at the end of my wits, I hammered Google big time and still nothing.
    I succeeded with a jtag kernel recovery on a wrt54gl v1.1 some time ago. same homebrewed jtag cable. It worked. :-(

    I don't have a rs232-ttl level adapter, so no serial, atm.
    I will build one of those too but I need to buy a max232 IC, but I don't have time for shopping right now.

    Many thanks all.

    PS: what mode should the parallel port be into? like ecc, ecp etc. Does it make a difference?
  ValiCheche

    ValiCheche Networkin' Nut Member

    C:\a>wrt54g.exe -flash:wholeflash /nocwd /fc:29

    WRT54G/GS EJTAG Debrick Utility v4.5

    Probing bus ... Done

    Instruction Length set to 5

    CPU Chip ID: 00000000000000000001000000001111 (0000100F)
    *** Found a TI AR7WRD TNETD7300GDU Rev 1 CPU chip ***

    - EJTAG IMPCODE ....... : 11111111111111111111111111111110 (FFFFFFFE)
    - EJTAG Version ....... : Unknown (7 is a reserved value)
    - EJTAG DMA Support ... : No

    Issuing Processor / Peripheral Reset ... Done
    Enabling Memory Writes ... Skipped
    Halting Processor ... <Processor Entered Debug Mode!> ... Done
    Clearing Watchdog ... Skipped

    Manual Flash Selection ...
  mstombs

    mstombs Network Guru Member

    I have a working WAG200G, still with original Linksys firmware - been meaning to JTAG and serial it and hack sometime... but never got around to it.

    Flashing a wholeflash via parallel is slow, real slow (12 hours?), would be much quicker to just flash a 64kB pspboot bootloader, then use Ethernet tools to upload a firmware


    'thechief' uses ciclamab as a jtag tool, I use a mod of dd-wrt tjtag (a development of the HDM wrt54g.exe) which, presumably like the OpenWAG version, doesn't require custom flash mem locations

