Difference between revisions of "Debrick Routers Using zJTAG and DIYGADGET.COM's FTA JTAG Cable"

From TIAO's Wiki

(The Softwares)
 
(11 intermediate revisions by the same user not shown)
Line 25: Line 25:
  
 
If you have tried everything before the section "Recovery by JTAG cable" and it still doesn't work, you can now proceed with the following tutorials on how to save your router by using DIYGADGET's FTA JTAG cable.
 
If you have tried everything before the section "Recovery by JTAG cable" and it still doesn't work, you can now proceed with the following tutorials on how to save your router by using DIYGADGET's FTA JTAG cable.
 +
 +
 +
You need a PC with parallel port.  USB to parallel adapter will NOT work.
 +
 +
No USB port? no problem, use our USB JTAG:
 +
 +
[http://www.diygadget.com/tiao-usb-multi-protocol-adapter-jtag-spi-i2c-serial.html http://www.diygadget.com/media/catalog/product/t/u/tumpa-small.jpg]
 +
 +
[http://www.diygadget.com/tiao-usb-multi-protocol-adapter-jtag-spi-i2c-serial.html TIAO Multiple Protocol Adapter (JTAG/SPI/I2C/Serial)]
 +
 +
Tutorial (debrick router using USB):
 +
 +
[[Debrick Wireless Router Using TUMPA and zJTAG]]
  
 
==Router Basics==
 
==Router Basics==
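Review bot: The added line "No USB port? no problem, use our USB JTAG:" contradicts the requirement stated in the line added just before it, which says a parallel port is needed and that a USB to parallel adapter will not work. The question should read "No parallel port?". The first product link also uses an image URL as its link text, so it renders as a bare file name when images are not available; a short text label would be more robust.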
Line 92: Line 105:
 
[[Image:Zjtag02.png|none]]
 
[[Image:Zjtag02.png|none]]
  
Download [[http://www.tiaowiki.com/download//file.php?id=34 zJTAG]] program and unzip it to a temp directory on your harddrive.
+
Download [[http://www.tiaowiki.com/download//file.php?id=37 zJTAG]] program and unzip it to a temp directory on your harddrive.
  
 
You will have the following files:
 
You will have the following files:
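Review bot: The changed download line still wraps an external URL in double square brackets and keeps the double slash in "download//file.php", so only the file id (34 to 37) is updated. External links take single brackets in wiki markup, and the link text "zJTAG" gives no version, so a reader cannot tell which release id 37 points at. Suggest single brackets, a single slash, and the version number in the link text.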
Line 102: Line 115:
 
===Making The JTAG Connection===
 
===Making The JTAG Connection===
  
This is the exciting part of this tutorial.  If your router (like the Linksys WRT54G series) already has the standard 12 pin JTAG pads on the PCB, you mostly like do NOT need to solder wires on your PCB! DIYGADGET provides solderless solution for these routers.
+
This is the exciting part of this tutorial.  If your router (like the Linksys WRT54G series) already has the standard 12 pin JTAG pads on the PCB, you mostly like do NOT need to solder wires on your PCB. Otherwise you many need to solder IDC headers on your board.
  
This is what you will receive in your purchase. In this package, you will receive a Router JTAG cable, a 12 PIN header and 6 solderless pins. The solderless pins are provided for solderless operation:
+
In this demonstration, I soldered 12 pin header on my router (WRT54GS).
  
[[Image:Router_jtag_pkg.jpg|none|thumb|DIYGADGET's Router JTAG Package]]
+
Now we need to make the following connections:
  
The 12 PIN header is for peoples who have the skills soldering on PCB.  All you need to do is solder the 12 pin headers on the JTAG port of the router, and then connect the JTAG Cable's black header on the 12 pin header you just soldered on the pcb.  Make sure pin 1 of the cable is connected to pin 1 on the board.  The pin 1 of the cable can be identified by a little triangle on the black header.  Pin 1 on the pcb is marked.
+
10 PIN FTA header and WRT54GS:
  
In this tutorial, I will show you how to make the connection using the solderless pins.
+
[[image:Fta.jtag.10.conn.jpg|none]]
  
We only need 6 solderless pins for the connections because JTAG only uses 6 pins.  From the schematic above, we know only the following pins on the 12 pin headers are used: 3, 5, 7, 9 and GND.
+
or
  
Let's carefully insert the solderless pins into the 12 header's 3, 5, 7, 9 and 6 (WRT54G/GS/GL's 2,4,6,8,10 are all grounds and they are all interconnected on the PCB.  The wire 6 is the only GND wire of the header so make sure you insert a solderless pin in hole 6 not 2, 4, 8, 10 or 12):
+
20 PIN FTA header and WRT54GS:
  
[[Image:Insert_pins.jpg|none|thumb|Insert solderless pins]]
+
[[image:Fta.jtag.20.conn.jpg|none]]
  
(I also insert a pin into 1, it is optional)
 
  
Top view:
+
Now, make the connections using the flexible cables provided in the package.  You can use either 10 pin header or 20 pin header from the JTAG cable.
  
[[Image:Insert_pins1.jpg|none|thumb|Top view when solderless pins are inserted into the header]]
+
It looks like this:
  
Now, let's see how we make the connection. Put the spring loaded solderless pins on top of the JTAG pads, align the pins with the pads, make sure all 6 pins are connected to the corresponding pads. Give it a little pressure, you will feel the little resistance. The pins are spring loaded with crown headers, so if you give it a little pressure and it will 'clamp' to the pads and won't move at all. Try it!
+
10 PIN header:
 +
[[Image:Fta.jtag.10.close.jpg|none]]
  
[[Image:Test_on_board.jpg|none|thumb|Feel the spring loaded solderless pins]]
+
10 Pin setup:
 +
[[Image:Fta.jtag.10.jpg|none]]
  
Before we try to 'permanently' attach the pins to the pads, let's make sure other connections are finished. 
+
20 Pin header:
#Connect the power adapter to the router's power input, but DO NOT attach the transformer to the wall outlet yet.
+
[[Image:Fta.jtag.20.close.jpg|none]]
#Connect the network cable to one of the LAN port and another end of the network cable to your PC.
 
#Connect the DB25 side of the JTAG cable to your PC's parallel port:[[Image:Db25_pc.jpg|none|thumb|Plug the DB25 side of the cable to your PC]]
 
#Carefully put the pins on top of the JTAG pads, then put a book or something heavy on top of the header, so the spring loaded pins will stay connected with the pads and you do not have to hold the headers any more. In the example, I used a digikey catalog on top of the header: [[Image:Book_ontop.jpg|none|thumb|A book on top of the header, so the pins don't move]]
 
  
This is the whole setup:
+
20 Pin setup:
 +
[[Image:Fta.jtag.20.jpg|none]]
  
[[Image:Whole_setup.jpg|none|thumb|Whole setup]]
+
Now get your PC ready, make sure the parallel port is 0x378 and mode is ECP or EPP. (Check BIOS setting of your PC if you are not sure).
 +
 
 +
Plug the db25 connector to your PC's parallel port:
 +
 
 +
[[image:Fta.jtag.png|none]]
  
 
===Debrick it!===
 
===Debrick it!===
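Review bot: The rewritten connection section drops two safety instructions that the old text had: keeping the router unplugged from the wall outlet while the JTAG connections are made, and matching pin 1 of the cable to pin 1 on the board. The new text goes straight from wiring photos to "Attach the router's power adapter to the wall outlet" in the next section, so both should be restated before the photos. The first added sentence also has two typos, "mostly like" and "many need", which should be "most likely" and "may need".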
Line 143: Line 159:
  
 
#Attach the router's power adapter to the wall outlet.
 
#Attach the router's power adapter to the wall outlet.
#From the command prompt cd to your unzipped TJTAG's windows directory and run ''tjtagv2.exe'' to get a list of options.
+
#From the command prompt cd to your unzipped zJTAG's windows directory and run ''zjtag.exe'' to get a list of options.
#To check your cable, run command ''tjtagv2.exe -probeonly''.  It will automatically detect the CPU type (see pic below for an example of LINKSYS WRT54GS). If not then check your cable. [[Image:Probeoonly.JPG|none|thumb|Probe Only Output]]
+
#To check your cable, run command <font color=red>''zjtag.exe -probeonly /diygadgetfta''</font>.  It will automatically detect the CPU type (see pic below for an example of LINKSYS WRT54GS). If not then check your cable. [[Image:Zjtag.fta.probe.png|none|thumb|Probe Only Output]]
#Backup NVRAM (command ''tjtagv2.exe -backup:nvram''):[[Image:Backupcfedone.JPG|none|thumb|Backup NVRAM]].  It took 32 seconds to backup my WRT54GS' NVRAM.
+
#Backup CFE (command <font color=red>''zjtag.exe -backup:cfe /diygadgetfta''</font>):[[Image:Zjtag.fta.backup.png|none|thumb|backup CFE]].  It took 60 seconds to backup my WRT54GS' CFE.
#Backup CFE (command ''tjtagv2.exe -backup:cfe''):[[Image:Backupcfedone.JPG|none|thumb|backup CFE]].  It took 60 seconds to backup my WRT54GS' CFE.
 
#Backup the whole flash (command ''tjtagv2.exe -backup:wholeflash): [[Image:Backupwhole.JPG|none|thumb|Backup whole flash]].  It took 1931 seconds (or 33 minutes) to backup my WRT54GS' whole flash.
 
 
#Try above steps at least 2 times, generate backups again, then use a binary comparison software to compares the backups, make sure they are exactly the same before you erase anything.
 
#Try above steps at least 2 times, generate backups again, then use a binary comparison software to compares the backups, make sure they are exactly the same before you erase anything.
#Finally to erase your NVRAM (the usual cause of the problem) with command ''tjtagv2.exe -erase:nvram''
+
#Finally to erase your NVRAM (the usual cause of the problem) with command ''zjtag.exe -erase:nvram /diygadgetfta''
#If that doesn't work, erase the kernel (firmware): ''tjtagv2.exe -erase:kernel'', then reflash the kernel via TFTP.  This is a very good tutorial on how to flash your router with TFTP: [[http://www.dd-wrt.com/wiki/index.php/TFTP_flash TFTP Flash]]
+
#If that doesn't work, erase the kernel (firmware): <font color=red>''zjtag.exe -erase:kernel /diygadgetfta''</font>, then reflash the kernel via TFTP.  This is a very good tutorial on how to flash your router with TFTP: [[http://www.dd-wrt.com/wiki/index.php/TFTP_flash TFTP Flash]]
 
#If it still doesn't work, try to find a CFE for your router (make sure model/version matches) first.  Here are two repositories of some router's CFE: [[http://www.dd-wrt.com/phpBB2/viewtopic.php?t=25971&postdays=0&postorder=asc&start=0 CFE collection project]] and [[http://ftp.timisoara.roedu.net/mirrors/openwrt.org/people/inh/cfe/ CFE collection 2]]
 
#If it still doesn't work, try to find a CFE for your router (make sure model/version matches) first.  Here are two repositories of some router's CFE: [[http://www.dd-wrt.com/phpBB2/viewtopic.php?t=25971&postdays=0&postorder=asc&start=0 CFE collection project]] and [[http://ftp.timisoara.roedu.net/mirrors/openwrt.org/people/inh/cfe/ CFE collection 2]]
 
#The CFE bin files in the repository all have MAC addresses that DO NOT MATCH your hardware.  Use the CFE editing tool "IMGTOOL_NVRAM" available from The [[http://www.bitsum.com/openwiking/owbase/ Bitsum Wiki]] to set the et0macaddr and il0macaddr before uploading the CFE.  et0macaddr is the address printed on the outside; il0macaddr is that same address, plus one.  Example: If the printed address is 00:90:4d:83:00:01, then et0macaddr is 00:90:4d:83:00:01 and il0macaddr is 00:90:4d:83:00:02.  These are HEX numbers, so HEX 09 plus one is 0A, not 10.
 
#The CFE bin files in the repository all have MAC addresses that DO NOT MATCH your hardware.  Use the CFE editing tool "IMGTOOL_NVRAM" available from The [[http://www.bitsum.com/openwiking/owbase/ Bitsum Wiki]] to set the et0macaddr and il0macaddr before uploading the CFE.  et0macaddr is the address printed on the outside; il0macaddr is that same address, plus one.  Example: If the printed address is 00:90:4d:83:00:01, then et0macaddr is 00:90:4d:83:00:01 and il0macaddr is 00:90:4d:83:00:02.  These are HEX numbers, so HEX 09 plus one is 0A, not 10.
#Erase the CFE of your router and flash the working CFE back.  ''tjtagv2.exe -erase:cfe'' will erase your router's CFE and ''tjtagv2.exe -flash:cfe'' will flash the CFE back to your router.  Remember to use the modified CFE bin.
+
#Erase the CFE of your router and flash the working CFE back.  <font color=red>''zjtag.exe -erase:cfe /diygadgetfta''</font> will erase your router's CFE and <font color=red>''zjtag.exe -flash:cfe /diygadgetfta''</font> will flash the CFE back to your router.  Remember to use the modified CFE bin.
  
 
==Non Linksys Routers==
 
==Non Linksys Routers==
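Review bot: The NVRAM and whole-flash backup steps are removed here, but the step that erases NVRAM stays, so the procedure now erases a region it never backed up. The unchanged step "Try above steps at least 2 times ... compares the backups" then only covers the CFE dump. Either keep a "-backup:nvram" step with the "/diygadgetfta" option or state why it is no longer needed. The updated "-erase:nvram" command is also the only one in this hunk not wrapped in the red font markup used for the other zjtag.exe commands.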
Line 161: Line 175:
 
For a collection of the JTAG pinout of other routers, please take a look [[http://www.dd-wrt.com/wiki/index.php/JTAG_pinouts Router JTAG pinouts]].
 
For a collection of the JTAG pinout of other routers, please take a look [[http://www.dd-wrt.com/wiki/index.php/JTAG_pinouts Router JTAG pinouts]].
  
You can cut the DIYGADGET's JTAG cable, solder wire 1, 6, 3, 5, 7 and 9 of the 12 pin flat cable to your router's TDI, GND, TDO, TMS, TCK respectively.  You can check the schematic above for details.  (Make sure use wire 6 of the 12 pin flat cable for ground.  Wire 6 is the only GND line in the 12 pin flat cable, it connects to the DB25's 18-25).
+
You can use DIYGADGET's JTAG cable, connect wire 4, 3, 1, 6 and 9 of the 10 pin flat cable to your router's TDI, TCK, TMS, TDO, GND respectively, or, connect 9, 11, 13, 15 and 20 of the 20 pin flat cable to your router's TDI, TCK, TMS, TDO, GND respectively, then run zjtag with "/diygadgetfta" option to erase/backup/flash the flash chip.
 +
 
 +
 
  
 
<span class="plainlinks">
 
<span class="plainlinks">
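Review bot: The replacement sentence packs two five-wire mappings (10 pin and 20 pin) into one run-on line, which is easy to misread when wiring a board. A small table with one row per signal (TDI, TCK, TMS, TDO, GND) and one column per cable would be safer. The old text's note that the ground wire ties to DB25 pins 18-25 is also dropped without an equivalent for the new cable.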

Latest revision as of 16:07, 3 April 2012








Buy various JTAG cables for your Satellite Receiver, Cable Modem, Wireless Router, Standard Wiggler from http://www.easymg.com and http://www.diygadget.com


In this tutorial, I am going to show you how to debrick your router using DIYGADGET's FTA (All in one, 20 pin or 10 pin) JTAG cable for routers.


Before you JTAG your router, we highly recommend that you try a few other steps first.

Things to Try Before You JTAG the Router

Please read this article carefully:

Recover from a Bad Flash

If you have tried everything before the section "Recovery by JTAG cable" and it still doesn't work, you can now proceed with the following tutorials on how to save your router by using DIYGADGET's FTA JTAG cable.


You need a PC with a parallel port. A USB to parallel adapter will NOT work.

No parallel port? No problem, use our USB JTAG:

tumpa-small.jpg

TIAO Multiple Protocol Adapter (JTAG/SPI/I2C/Serial)

Tutorial (debrick router using USB):

Debrick Wireless Router Using TUMPA and zJTAG

Router Basics

See Debrick_Routers_Using_JTAG_Cable#Router_Basics

Using JTAG Cable to Repair Bricked Router

If you have read this far, it means the only way to debrick your router is by using a JTAG cable. Sorry to hear that! However, don't worry, the steps are really straightforward!

DIYGADGET's Router FTA JTAG Cable

This is the schematic of our FTA JTAG cable:

0.jpg

Ignore the signal names on the connections in the picture above. It is up to the software to choose which pin carries which signal. For example, in the picture above, FTA's JTAG software will use DB25's pin 4 as TDI. However, this is not the case in the wireless router JTAG software (e.g. tjtag or zJTAG).

This is the JTAG pinout of the Linksys WRT54G(GS/GL) series routers:

nTRST  1   2 GND
TDI    3   4 GND
TDO    5   6 GND
TMS    7   8 GND
TCK    9  10 GND
nSRST 11  12 GND

Linksys Series Routers JTAG Pinout

DB25     Router        Function
2        3             TDI
3        9             TCK
4        7             TMS
5        1             TRST (Not Connected)
13       5             TDO
18-25    2,4,6,8,10    GND


Looking at the table above, the wireless router JTAG software (tjtag or zJTAG) uses DB25's pins 2, 3, 4, 13 and GND. Comparing this with the FTA JTAG schematic, the FTA JTAG cable uses the same pins, so it is clear that we can use the FTA JTAG cable to debrick wireless routers.

Disassemble WRT54G/GS/GL Series Router

See Debrick_Routers_Using_JTAG_Cable#Disassemble_WRT54G.2FGS.2FGL.29_Series_Router

Locate the JTAG Pins/Pads on the Router

See Debrick_Routers_Using_JTAG_Cable#Locate_the_JTAG_Pins.2FPads_on_the_Router

The Software

We will need to use DIYGADGET's zJTAG (version 0.2 or above) for our debricking process.

Zjtag02.png

Download the [zJTAG] program and unzip it to a temp directory on your hard drive.

You will have the following files:

Zjtag.files.png

WinIO32 is used to access the parallel port, so there is no need to run loaddrv or giveio.

Making The JTAG Connection

This is the exciting part of this tutorial. If your router (like the Linksys WRT54G series) already has the standard 12 pin JTAG pads on the PCB, you most likely do NOT need to solder wires on your PCB. Otherwise you may need to solder IDC headers on your board.

In this demonstration, I soldered a 12 pin header on my router (WRT54GS).

Now we need to make the following connections:

10 PIN FTA header and WRT54GS:

Fta.jtag.10.conn.jpg

or

20 PIN FTA header and WRT54GS:

Fta.jtag.20.conn.jpg


Now, make the connections using the flexible cables provided in the package. You can use either 10 pin header or 20 pin header from the JTAG cable.

It looks like this:

10 PIN header:

Fta.jtag.10.close.jpg

10 Pin setup:

Fta.jtag.10.jpg

20 Pin header:

Fta.jtag.20.close.jpg

20 Pin setup:

Fta.jtag.20.jpg

Now get your PC ready: make sure the parallel port address is 0x378 and the mode is ECP or EPP. (Check the BIOS settings of your PC if you are not sure.)

Plug the DB25 connector into your PC's parallel port:

Fta.jtag.png

Debrick it!

Let's debrick your router!

  1. Attach the router's power adapter to the wall outlet.
  2. From the command prompt, cd to your unzipped zJTAG's windows directory and run zjtag.exe to get a list of options.
  3. To check your cable, run the command zjtag.exe -probeonly /diygadgetfta. It will automatically detect the CPU type (see pic below for an example of LINKSYS WRT54GS). If not, check your cable.
    Probe Only Output
  4. Backup CFE (command zjtag.exe -backup:cfe /diygadgetfta). It took 60 seconds to backup my WRT54GS' CFE.
    backup CFE
  5. Repeat the above steps at least 2 times to generate the backups again, then use binary comparison software to compare the backups and make sure they are exactly the same before you erase anything.
  6. Finally, erase your NVRAM (the usual cause of the problem) with the command zjtag.exe -erase:nvram /diygadgetfta
  7. If that doesn't work, erase the kernel (firmware): zjtag.exe -erase:kernel /diygadgetfta, then reflash the kernel via TFTP. This is a very good tutorial on how to flash your router with TFTP: [TFTP Flash]
  8. If it still doesn't work, try to find a CFE for your router (make sure model/version matches) first. Here are two repositories of CFEs for some routers: [CFE collection project] and [CFE collection 2]
  9. The CFE bin files in the repository all have MAC addresses that DO NOT MATCH your hardware. Use the CFE editing tool "IMGTOOL_NVRAM" available from the [Bitsum Wiki] to set the et0macaddr and il0macaddr before uploading the CFE. et0macaddr is the address printed on the outside; il0macaddr is that same address, plus one. Example: If the printed address is 00:90:4d:83:00:01, then et0macaddr is 00:90:4d:83:00:01 and il0macaddr is 00:90:4d:83:00:02. These are HEX numbers, so HEX 09 plus one is 0A, not 10.
  10. Erase the CFE of your router and flash the working CFE back. zjtag.exe -erase:cfe /diygadgetfta will erase your router's CFE and zjtag.exe -flash:cfe /diygadgetfta will flash the CFE back to your router. Remember to use the modified CFE bin.
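
An added example (not part of the original tutorial and not zJTAG code): a small Python helper for steps 5 and 9 above, checking that two backup dumps are byte-identical and deriving et0macaddr and il0macaddr from the printed MAC. The function names and file names are hypothetical, and the check for a dump made of one repeated byte goes beyond what the tutorial asks for.

```python
import hashlib
import re
from pathlib import Path

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")


def compare_backups(path_a, path_b):
    """Compare two dumps byte for byte.

    Returns (identical, detail): the shared SHA-256 when identical,
    otherwise a description of the first difference.
    """
    a, b = Path(path_a).read_bytes(), Path(path_b).read_bytes()
    if len(a) != len(b):
        return False, f"size differs: {len(a)} vs {len(b)} bytes"
    if a == b:
        return True, hashlib.sha256(a).hexdigest()
    offset = next(i for i, (x, y) in enumerate(zip(a, b)) if x != y)
    return False, (f"first difference at offset 0x{offset:06x}: "
                   f"{a[offset]:02x} vs {b[offset]:02x}")


def looks_like_failed_read(path):
    """True when a dump is empty or one repeated byte (e.g. all 0xFF).

    Two such dumps compare equal but contain no usable CFE.
    """
    return len(set(Path(path).read_bytes())) <= 1


def cfe_mac_values(printed_mac):
    """Derive et0macaddr and il0macaddr from the MAC printed on the case."""
    if not MAC_RE.fullmatch(printed_mac):
        raise ValueError(f"not a MAC address: {printed_mac!r}")
    value = int(printed_mac.replace(":", ""), 16)
    if value == 0xFFFFFFFFFFFF:
        raise ValueError("cannot add one to ff:ff:ff:ff:ff:ff")

    def fmt(v):
        raw = f"{v:012x}"
        return ":".join(raw[i:i + 2] for i in range(0, 12, 2))

    # Hex addition with carry between octets: ...:00:09 -> ...:00:0a,
    # ...:00:ff -> ...:01:00.
    return {"et0macaddr": fmt(value), "il0macaddr": fmt(value + 1)}


if __name__ == "__main__":
    import tempfile
    # Constructed sample data standing in for two zJTAG CFE backups.
    with tempfile.TemporaryDirectory() as tmp:
        first, second = Path(tmp, "cfe_1.bin"), Path(tmp, "cfe_2.bin")
        first.write_bytes(bytes(range(256)) * 4)
        second.write_bytes(bytes(range(256)) * 4)
        print(compare_backups(first, second))
        print(looks_like_failed_read(first))
    print(cfe_mac_values("00:90:4d:83:00:01"))
```

Run the comparison on every pair of dumps before any erase command; a mismatch or a single-byte dump points at the cable or the connection rather than at the flash contents.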

Non Linksys Routers

If your router doesn't have JTAG headers or pads but has JTAG enabled, you can still debrick it using the above technique. However, it is very likely that you will need to solder wires onto the board.

For a collection of the JTAG pinouts of other routers, please take a look at [Router JTAG pinouts].

You can use DIYGADGET's JTAG cable: connect wires 4, 3, 1, 6 and 9 of the 10 pin flat cable to your router's TDI, TCK, TMS, TDO and GND respectively, or connect wires 9, 11, 13, 15 and 20 of the 20 pin flat cable to your router's TDI, TCK, TMS, TDO and GND respectively. Then run zjtag with the "/diygadgetfta" option to erase/backup/flash the flash chip.





