Discussion in 'Modding Forum' started by jmranger, Apr 14, 2006.

  jmranger

    Just in case you were wondering what else you could try with your SL during the Easter Holiday :)

    JTAG is working on the SL. There is no header, but all required signals are available.

    (add the usual 20-pts warning message here - danger, no warranty, at your own risk, blablabla).

    Basically, no surprise compared with other WRT54.

    The following pins were identified:
    TDO on RH49
    TDI on RH47
    TCK on RH46
    TMS on RH43
    All are in the same JTAG-labeled area, in the back of the board. I'll add a picture to the SL page on OpenWrt's wiki soon.
    The other pin that pairs with those on each RHxx is Vcc, not ground. Ground is only present in one location in JTAG-labeled pins, on RG19. Other JTAG-labeled pins (RG19, RH42, RH49) remain to be identified (SRST, TRST) but aren't required.

    HairyDairyMaid's debrick utility is working through "override" modes: since the processor is unknown, the /skipdetect and /instrlen:8 options must be used. For the curious, the chip id is 0470417F. DMA transfers are possible. The flash is recognized as a 28F640J3 (same as what SysInfo1.htm says) and is in the known part list of the debricker.

    To this point, I've only dumped the bootloader, without error. The dump contains strings that match known environment variables, so I'm guessing that what I'm seeing are the default values of those, which means that the dump is OK. A more formal validation is pending, though.

    Thanks to HairyDairyMaid for his assistance, and have fun :)
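
Added example, not part of the original posts and not code from the debrick utility: one way to do the "more formal validation" of a JTAG dump mentioned above is to read the same flash range twice, compare the reads block by block, and check that the expected NAME=value strings are present. The 128 KiB compare granularity, the NUL-terminated string shape, the function names and the sample image are assumptions made for this sketch.

```python
import hashlib
import re

BLOCK = 0x20000  # assumed compare granularity (128 KiB); set to your part's erase-block size

# NUL-terminated NAME=value runs, the shape assumed here for bootloader defaults in flash.
ENV_RE = re.compile(rb"[A-Za-z_][A-Za-z0-9_]{1,31}=[\x20-\x7e]{1,64}(?=\x00)")

def env_strings(dump: bytes) -> dict:
    """Return {name: value} for every NAME=value string found in the dump."""
    pairs = (m.group().decode("ascii").split("=", 1) for m in ENV_RE.finditer(dump))
    return {name: value for name, value in pairs}

def differing_blocks(a: bytes, b: bytes, block: int = BLOCK) -> list:
    """Offsets of blocks that differ between two reads of the same flash range."""
    if len(a) != len(b):
        raise ValueError("dumps differ in length; one read was truncated")
    return [off for off in range(0, len(a), block) if a[off:off + block] != b[off:off + block]]

def validate(a: bytes, b: bytes, expected_keys) -> dict:
    """Summarise whether two independent dumps agree and look like a bootloader."""
    found = env_strings(a)
    return {
        "sha256": hashlib.sha256(a).hexdigest(),
        "stuck_bus": len(set(a)) <= 1,  # a single repeated byte means nothing was really read
        "bad_blocks": differing_blocks(a, b),
        "missing_keys": sorted(k for k in expected_keys if k not in found),
    }

def sample_dump() -> bytes:
    """Constructed 256 KiB image standing in for a real dump (not real data)."""
    img = bytearray(b"\xff" * (2 * BLOCK))
    env = b"boot_wait=off\x00lan_ipaddr=192.168.1.1\x00"
    img[0x400:0x400 + len(env)] = env
    return bytes(img)

if __name__ == "__main__":
    first = sample_dump()
    second = bytearray(first)
    second[BLOCK + 0x10] ^= 0x04  # simulate one bit flipped during the second read
    print(validate(first, bytes(second), ["boot_wait", "lan_ipaddr"]))
```

A non-empty `bad_blocks` list on a region that should be static points at a read error; record the SHA-256 of a dump that passes so later copies can be checked against it.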

  vincentfox

    Wow! Excellent work, I thought no one would crack this.

    I'll bounce this info to Kaloz; I think he still has a bricked SL unit.
  albertr

    Very nice, JMR!

    Just wondering if you ever tried to add the second SDRAM chip? Your research posted on the autopsy thread seems quite complete, did you verify that extra address line (A12?) is traced?
    Please keep us updated...

  jmranger

    RAM upgrade

    Probing confirmed most of the guesses that I made on the autopsy thread, prior to receiving my SL.

    So yes, the two RAM sockets are in parallel, i.e. both share the A0-A12 lines, and have separate DQ0-DQ15. So yes, the SL could be slightly faster with a second RAM chip in place, since it could address RAM 32-bit wide instead of 16. CAS/RAS, WE and CK lines are shared too, but DM and DQS are separate, which is consistent.

    Known to be required in addition to the RAM chip itself is the big bunch of resistors next to it (20 total/32 ohms, if I recall). Haven't the eye to identify the form-factor just by looking, but it's just a matter of using the appropriate tool to measure them.

    Software, I'm fairly confident that the assumptions I made in the autopsy thread are valid too. But by reading what I wrote there, you'll understand why I worked on JTAG first :) (BTW, the Linksys 2.00.5 firmware writes to NVRAM on each power up, visible if you have the serial console - quite hard to have a reproducible flash dump in that setup. Better upgrade to Thibor's).

    The big gotcha that remains is named CC10/11 and RB34/35 (located between the two RAM sockets). These are serial RC networks, connecting CK and /CK to ground, not populated on stock SL. These are either line terminators or delay circuitries. All in all, it means that we're talking about antenna design, not simple logic circuits. And I'm unable to say whether these were placed "just in case" in early design, and are never required, or whether they're needed if both sockets are to be populated. I'm afraid only Linksys have the answer to this one, unless someone wants to take a logic analyzer for a debugging ride. Even then, computing the right values to use will be quite a challenge - much more than identifying JTAG pins! Not populating them if they're required could mean anywhere from nothing works, random crash, or everything fine.

    I may still try, though... I've been able to cross-compile memtester (let's do some ads for a fellow Canadian :)) for the SL, which could be enough to get a rough first idea. Just saw albertr's post in autopsy thread which shows that there's a memtester in CFE too - great!

    Stay tuned, I guess...


    (I'll add a PM address in case someone wants to share the fun...)
  jmranger

    Just curious...

    Has anyone else attempted this mod?

  albertr

    I've tried the 64MB memory mod (posted details on the other thread), now JTAG mod is coming next ;)
  albertr

    Glad to report that I successfully JTAG'ed my SL and re-wrote the NVRAM area in the flash chip. I was using an unbuffered cable and HairyDairyMaid's debrick utility under Linux.
  pmarc

    More info Please!

    Hi albertr,

    I bricked my SL too, now everything is set to reflash, but I'm not sure as to the exact procedure.

    I can't connect to the router via LAN and boot_wait wasn't set.

    I just have to erase:nvram?

    Please provide more detailed instructions on the procedure, as I'm lost.

