Debrick Routers Using zJTAG and DIYGADGET.COM's Blackcat JTAG Cable for Cable Modems

From TIAO's Wiki
Revision as of 16:08, 3 April 2012 by Admin (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

10 PCS, 10cm x 10cm, 2 layers prototype for $38.80 shipped!

Buy various JTAG cables for your Satellite Receiver, Cable Modem, Wireless Router, Standard Wiggler from and

In this tutorial, I am going to show you how to debrick your router using DIYGADGET's blackcat JTAG cable for routers.

This tutorial only works with zJTAG, which is the only software supports debricking wireless routers using blackcat JTAG cable

Before you try to JTAG your router, we highly recommend you to try a few other steps before you JTAG your router.

Things need to try before you JTAG the router

Please read carefully on this article:

Recover from a Bad Flash

If you have tried everything before the section "Recovery by JTAG cable" and it still doesn't work, you can now proceed with the following tutorials on how to save your router by using DIYGADGET's FTA JTAG cable.

You need a PC with parallel port. USB to parallel adapter will NOT work.

No USB port? no problem, use our USB JTAG:


TIAO Multiple Protocol Adapter (JTAG/SPI/I2C/Serial)

Tutorial (debrick router using USB):

Debrick Wireless Router Using TUMPA and zJTAG

Router Basics

See Debrick_Routers_Using_JTAG_Cable#Router_Basics

Using JTAG Cable to Repair Bricked Router

If you have read this far, it means the only way to debrick your router is by using a JTAG cable. Sorry to hear that! However, don't worry, the steps are really straightforward!

DIYGADGET's Blackcat JTAG Cable

The blackcat jtag cable is different than the FTA or wireless router jtag cable. The pin assignments are complete different.

The following are the pin assignments for blackcat jtag cable:

Blackcat JTAG cable Pinout
DB25 Blackcat JTAG female header
6 1
7 7
8 3
9 9
11 5
18-25 2,4,6,8,10

This is the JTAG pinout of the Linksys WRT54G(GS/GL) series routers:

nTRST  1   2 GND
TDI    3   4 GND
TDO    5   6 GND
TMS    7   8 GND
TCK    9  10 GND
nSRST 11  12 GND

zJTAG uses the following DB25 pin assignments when cable is set to BlackCat:

DB25         Signal
8            TDI
9            TCK
7            TMS
11           TDO
18-25        GND

Disassemble WRT54G/GS/GL) Series Router

See Debrick_Routers_Using_JTAG_Cable#Disassemble_WRT54G.2FGS.2FGL.29_Series_Router

Locate the JTAG Pins/Pads on the Router

See Debrick_Routers_Using_JTAG_Cable#Locate_the_JTAG_Pins.2FPads_on_the_Router

The Softwares

We will need to use DIYGADGET's zJTAG (version 0.2 or above) for our debricking process.


Download [zJTAG] program and unzip it to a temp directory on your harddrive.

You will have the following files:


WinIO32 is used for accessing parallel port, no need to run loaddrv or giveio.

Making The JTAG Connection

If your router (like the Linksys WRT54G series) already has the standard 12 pin JTAG pads on the PCB, you mostly like do NOT need to solder wires on your PCB. Otherwise you many need to solder IDC headers on your board's JTAG pads or holes.

In this demonstration, I soldered 12 pin header on my router (WRT54GS).

Now we need to make the following connections:

Blackcat JTAG cable connected to Wireless router:


Now, make the connections using the flexible cables provided in the package.

It looks like this:


Whole setup:


Now get your PC ready, make sure the parallel port is 0x378 and mode is ECP or EPP. (Check BIOS setting of your PC if you are not sure).

Plug the db25 connector to your PC's parallel port:


Debrick it!

Let's debrick your router!

  1. Attach the router's power adapter to the wall outlet.
  2. From the command prompt cd to your unzipped zJTAG's windows directory and run zjtag.exe to get a list of options.
  3. To check your cable, run command zjtag.exe -probeonly /diygadgetblackcat. It will automatically detect the CPU type (see pic below for an example of LINKSYS WRT54GS). If not then check your cable.
    Probe Only Output
  4. Backup CFE (command zjtag.exe -backup:cfe /diygadgetblackcat):
    backup CFE
    . It took 60 seconds to backup my WRT54GS' CFE.
  5. Try above steps at least 2 times, generate backups again, then use a binary comparison software to compares the backups, make sure they are exactly the same before you erase anything.
  6. Finally to erase your NVRAM (the usual cause of the problem) with command zjtag.exe -erase:nvram /diygadgetblackcat
  7. If that doesn't work, erase the kernel (firmware): zjtag.exe -erase:kernel /diygadgetblackcat, then reflash the kernel via TFTP. This is a very good tutorial on how to flash your router with TFTP: [TFTP Flash]
  8. If it still doesn't work, try to find a CFE for your router (make sure model/version matches) first. Here are two repositories of some router's CFE: [CFE collection project] and [CFE collection 2]
  9. The CFE bin files in the repository all have MAC addresses that DO NOT MATCH your hardware. Use the CFE editing tool "IMGTOOL_NVRAM" available from The [Bitsum Wiki] to set the et0macaddr and il0macaddr before uploading the CFE. et0macaddr is the address printed on the outside; il0macaddr is that same address, plus one. Example: If the printed address is 00:90:4d:83:00:01, then et0macaddr is 00:90:4d:83:00:01 and il0macaddr is 00:90:4d:83:00:02. These are HEX numbers, so HEX 09 plus one is 0A, not 10.
  10. Erase the CFE of your router and flash the working CFE back. zjtag.exe -erase:cfe /diygadgetblackcat will erase your router's CFE and zjtag.exe -flash:cfe /diygadgetblackcat will flash the CFE back to your router. Remember to use the modified CFE bin.
    flash CFE

Non Linksys Routers

If your router doesn't have JTAG headers or pads, but if it has JTAG enabled, you can still debrick it using the above technique. However, it is very likely you will need to solder the wire on the board.

For a collection of the JTAG pinout of other routers, please take a look [Router JTAG pinouts].

You can connect DIYGADGET's JTAG cable's pin 3, 5, 7, 9 and 2 to your router's TDI, TDO, TMS, TCK, GND respectively, then run zjtag with "/diygadgetblackcat" option to erase/backup/flash the flash chip.

Buy various JTAG cables for your Satellite Receiver, Cable Modem, Wireless Router, Standard Wiggler from and

10 PCS, 10cm x 10cm, 2 layers prototype for $38.80 shipped!