Difference between revisions of "Debrick Wireless Router Using TUMPA Lite and zJTAG"
10 PCS, 10cm x 10cm, 2 layers prototype for $38.80 shipped!
(Created page with "<meta name="keywords" content="TIAOWIKI,JTAG,TJTAG,FTA,JTAG,WRT54G,DD-WRT,urjtag, openocd, flashrom,USB jtag, debrick,tomato,router,wireless router,motorola modem,sb5100,wiggler,...") |
|||
(6 intermediate revisions by the same user not shown) | |||
Line 17: | Line 17: | ||
The [http://www.diygadget.com/tiao-usb-multi-protocol-adapter-lite-jtag-spi-i2c-serial.html TIAO USB Multi Protocol Adapter Lite(TUMPA Lite)] is a multi-functional USB communication adapter for hobbyists or engineers. | The [http://www.diygadget.com/tiao-usb-multi-protocol-adapter-lite-jtag-spi-i2c-serial.html TIAO USB Multi Protocol Adapter Lite(TUMPA Lite)] is a multi-functional USB communication adapter for hobbyists or engineers. | ||
The adapter is based on FDTI's flagship communication chip FT232H, a USB 2.0 Hi-Speed (480Mb/s) to UART/FIFO IC. It has one multi-protocol synchronous serial engines (MPSSEs) which allow for communication using JTAG, I2C and SPI. | The adapter is based on FDTI's flagship communication chip FT232H, a USB 2.0 Hi-Speed (480Mb/s) to UART/FIFO IC. It has one multi-protocol synchronous serial engines (MPSSEs) which allow for communication using JTAG, I2C and SPI. | ||
+ | |||
+ | The following link will bring you to the manual of TUMPA Lite: | ||
+ | [[TIAO USB Multi Protocol Adapter Lite User's Manual]] | ||
In this tutorial, we are going to show you how to debrick a wireless router using TUMPA Lite and zJTAG. | In this tutorial, we are going to show you how to debrick a wireless router using TUMPA Lite and zJTAG. | ||
Line 26: | Line 29: | ||
* [http://www.diygadget.com/tiao-usb-multi-protocol-adapter-lite-jtag-spi-i2c-serial.html TIAO USB Multi Protocol Adapter Lite (TUMPA Lite)] | * [http://www.diygadget.com/tiao-usb-multi-protocol-adapter-lite-jtag-spi-i2c-serial.html TIAO USB Multi Protocol Adapter Lite (TUMPA Lite)] | ||
* Wireless router debricking software [[http://www.tiaowiki.com/download//file.php?id=37 zJTAG]] | * Wireless router debricking software [[http://www.tiaowiki.com/download//file.php?id=37 zJTAG]] | ||
+ | * Solder iron and solders to solder IDC header on the TUMPA Lite | ||
+ | |||
+ | == Solder the IDC headers onto the TUMPA Lite == | ||
+ | |||
+ | The first step you need to do is to solder the IDC headers onto the board. The headers are standard 2.54mm IDC headers thus it is very easy to solder. | ||
+ | |||
+ | This is what you will receive from us: | ||
+ | |||
+ | [[Image:Lite-p-1.png|none]] | ||
+ | |||
+ | * TUMPA Lite board | ||
+ | * 2 x 80 PIN IDC header | ||
+ | * Female to female solderless jumper wire (8 PCS) | ||
+ | |||
+ | You don't need to solder all headers. If your only purpose is to use TUMPA Lite to debrick your router or cable modem, you only need to solder JTAG headers. | ||
+ | |||
+ | Since I have my solder iron warmed up already, I soldered all headers: | ||
+ | |||
+ | [[Image:Lite-p-2.png|none]] | ||
== Disassemble your router == | == Disassemble your router == | ||
Line 56: | Line 78: | ||
− | and the pinout one the TUMPA is: | + | and the pinout one the TUMPA Lite is: |
+ | |||
+ | |||
+ | [[Image:Lite-jtag.png|none]] | ||
− | |||
{| | {| | ||
! align="left"|Pin # | ! align="left"|Pin # | ||
+ | ! FT232H Pin | ||
! Description | ! Description | ||
|- | |- | ||
| 1 | | 1 | ||
− | | | + | | Not Connected |
+ | | Not Connected | ||
|- | |- | ||
| 3 | | 3 | ||
+ | | AD5 | ||
| nTRST | | nTRST | ||
|- | |- | ||
| 5 | | 5 | ||
+ | | AD1 | ||
| TDI | | TDI | ||
|- | |- | ||
| 7 | | 7 | ||
+ | | AD3 | ||
| TMS | | TMS | ||
|- | |- | ||
| 9 | | 9 | ||
+ | | AD0 | ||
| TCK | | TCK | ||
|- | |- | ||
| 11 | | 11 | ||
+ | | AD7 | ||
| RTCK | | RTCK | ||
|- | |- | ||
| 13 | | 13 | ||
+ | | AD2 | ||
| TDO | | TDO | ||
|- | |- | ||
| 15 | | 15 | ||
+ | | AD4 | ||
| RST | | RST | ||
|- | |- | ||
| 17 | | 17 | ||
+ | | AD6 | ||
| DBGRQ | | DBGRQ | ||
|- | |- | ||
| 19 | | 19 | ||
+ | | AC0 | ||
| DBGACK | | DBGACK | ||
|- | |- | ||
| 2 | | 2 | ||
+ | | Not Connected | ||
| Not Connected | | Not Connected | ||
|- | |- | ||
| 4, 6, 8, 10, 12, 14, 16, 18, 20 | | 4, 6, 8, 10, 12, 14, 16, 18, 20 | ||
+ | | GND | ||
| GND | | GND | ||
|} | |} | ||
+ | Or if you use GPIO P2 pins: | ||
− | + | [[image:lite-p2.png|none]] | |
+ | These pins are either power pins or directly connected to GPIO pins of FT232H. | ||
+ | |||
+ | {| | ||
+ | ! align="left"|Pin # | ||
+ | ! | ||
+ | ! Description | ||
+ | |- | ||
+ | | 1, 2 | ||
+ | | | ||
+ | | GND | ||
+ | |- | ||
+ | | 3, 4 | ||
+ | | | ||
+ | | +3.3V of TUMPA Lite's onboard LDO output. | ||
+ | |- | ||
+ | | 5, 6 | ||
+ | | | ||
+ | | +3.3V of TUMPA Lite's onboard LDO output. | ||
+ | |- | ||
+ | | 7, 8 | ||
+ | | | ||
+ | | +5V output (from USB) | ||
+ | |- | ||
+ | | 9, 10 | ||
+ | | | ||
+ | | +5V output (from USB) | ||
+ | |- | ||
+ | | 11, 12 | ||
+ | | | ||
+ | | GND | ||
+ | |- | ||
+ | | 13, 14 | ||
+ | | | ||
+ | | '''''AD0''''' | ||
+ | |- | ||
+ | | 15, 16 | ||
+ | | | ||
+ | | '''''AD1''''' | ||
+ | |- | ||
+ | | 17, 18 | ||
+ | | | ||
+ | | '''''AD2''''' | ||
+ | |- | ||
+ | | 19, 20 | ||
+ | | | ||
+ | | '''''AD3''''' | ||
+ | |- | ||
+ | | 21, 22 | ||
+ | | | ||
+ | | '''''AD4''''' | ||
+ | |- | ||
+ | | 23, 24 | ||
+ | | | ||
+ | | '''''AD5''''' | ||
+ | |- | ||
+ | | 25, 26 | ||
+ | | | ||
+ | | '''''AD6''''' | ||
+ | |- | ||
+ | | 27, 28 | ||
+ | | | ||
+ | | '''''AD7''''' | ||
+ | |} | ||
+ | |||
+ | |||
+ | |||
+ | Thus, it is easy to make the connections. (Make sure both router and TUMPA Lite are not powered on) | ||
+ | |||
+ | If you use TUMPA Lite's JTAG pins: | ||
+ | <pre> | ||
+ | Use a flex female to female to connect TDI together (PIN 3 on Router to PIN 5 on TUMPA Lite's 20 PIN JTAG Header | ||
+ | Use a flex female to female to connect TCK together (PIN 9 on Router to PIN 9 on TUMPA Lite's 20 PIN JTAG Header | ||
+ | Use a flex female to female to connect TMS together (PIN 7 on Router to PIN 7 on TUMPA Lite's 20 PIN JTAG Header | ||
+ | Use a flex female to female to connect TDO together (PIN 5 on Router to PIN 13 on TUMPA Lite's 20 PIN JTAG Header | ||
+ | Use a flex female to female to connect GND together (PIN 4 on Router to PIN 4 on TUMPA Lite's 20 PIN JTAG Header | ||
+ | </pre> | ||
+ | |||
+ | |||
+ | Or if you use TUMPA Lite's GPIO Header 2 P2: (which is what I am using) | ||
<pre> | <pre> | ||
− | Use a flex female to female to connect TDI together (PIN 3 on Router to PIN 5 on TUMPA's | + | Use a flex female to female to connect TDI together (PIN 3 on Router to PIN 5 (AD1) on TUMPA Lite's P2 header |
− | Use a flex female to female to connect TCK together (PIN 9 on Router to PIN 9 on TUMPA's | + | Use a flex female to female to connect TCK together (PIN 9 on Router to PIN 9 (AD0) on TUMPA Lite's P2 header |
− | Use a flex female to female to connect TMS together (PIN 7 on Router to PIN 7 on TUMPA's | + | Use a flex female to female to connect TMS together (PIN 7 on Router to PIN 7 (AD3) on TUMPA Lite's P2 header |
− | Use a flex female to female to connect TDO together (PIN 5 on Router to PIN 13 on TUMPA's | + | Use a flex female to female to connect TDO together (PIN 5 on Router to PIN 13 (AD2) on TUMPA Lite's P2 header |
− | Use a flex female to female to connect GND together (PIN 4 on Router to PIN 4 on TUMPA's | + | Use a flex female to female to connect GND together (PIN 4 on Router to PIN 4 (GND) on TUMPA Lite's P2 header |
</pre> | </pre> | ||
− | |||
− | [[Image: | + | So, it would look like this: |
+ | |||
+ | [[Image:Lite-p-3.png|none]] | ||
+ | [[Image:Lite-p-4.png|none]] | ||
+ | [[Image:Lite-p-5.png|none]] | ||
+ | |||
− | OK, double check the connections, do not power on both router and TUMPA yet. | + | OK, double check the connections, do not power on both router and TUMPA Lite yet. |
== Get zJTAG Ready == | == Get zJTAG Ready == | ||
− | Download | + | Download [http://www.tiaowiki.com/download//file.php?id=37 zJTAG] and unzip it to an empty directory. In my example, I unzipped it to E:\diy\zjtag directory. |
− | Double check connections make sure they are correct and secure. Then, connect router to the power outlet and connect TUMPA to your computer's USB port via an USB cable (USB A to Mini B, most digital cameras and camcorders use this kind of cable). | + | Double check connections make sure they are correct and secure. Then, connect router to the power outlet and connect TUMPA Lite to your computer's USB port via an USB cable (USB A to Mini B, most digital cameras and camcorders use this kind of cable). |
== Run zJTAG to Debrick Your Router == | == Run zJTAG to Debrick Your Router == | ||
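Review bot: In the added P2 wiring block, the pin numbers (5, 9, 7, 13, 4) are carried over from the 20-pin JTAG header list and do not agree with the P2 table added earlier in this same hunk. That table puts AD0 to AD3 on pins 13/14 to 19/20 and lists pins 3 to 6 as +3.3V and pins 7 to 10 as +5V, so as written "PIN 4 (GND)", "PIN 5 (AD1)", "PIN 7 (AD3)" and "PIN 9 (AD0)" all point at power pins. Suggest giving the P2 numbers from the table (AD1 on 15/16, AD0 on 13/14, AD3 on 19/20, AD2 on 17/18, GND on 1/2 or 11/12), or correcting the table if the wiring lines are the accurate ones. Smaller points: the P2 table's middle column has an empty header and empty cells and could be dropped, and every wiring line in both pre blocks opens a parenthesis that is never closed.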
Line 136: | Line 257: | ||
-flash:<area name> -> example: -flash:Kernel | -flash:<area name> -> example: -flash:Kernel | ||
</pre> | </pre> | ||
− | Also, the most important flag is <font color=red><b>JTAG clock speed divider</b></font> <pre>/L1:<divider></pre>. TUMPA can clock TCK as high as 30Mhz, however most router's CPU cannot handle such high clock speed, thus you will have to slow down the clock to make it work. | + | Also, the most important flag is <font color=red><b>JTAG clock speed divider</b></font> <pre>/L1:<divider></pre>. TUMPA Lite can clock TCK as high as 30Mhz, however most router's CPU cannot handle such high clock speed, thus you will have to slow down the clock to make it work. |
This is the formula: | This is the formula: | ||
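Review bot: The changed sentence keeps the block-level pre element around /L1:&lt;divider&gt; in the middle of running text, so the sentence splits around it when rendered, and the unescaped &lt;divider&gt; inside it can be read as a tag. Suggest an inline code element with the angle brackets escaped. While touching the line, "30Mhz" should read "30 MHz", and the deprecated font tag could become plain bold.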
Line 148: | Line 269: | ||
The TCK clock speed is 7500KHz or 7.5MHz (30000/(3+1)). | The TCK clock speed is 7500KHz or 7.5MHz (30000/(3+1)). | ||
− | + | By default, zJTAG will detect TUMPA. However since we are using TUMPA Lite, we need to pass TUMPA Lite's cable id to zJTAG. The cable id is 3 for TUMPA Lite: | |
− | <pre> | + | <pre>/cable:3</pre> |
− | + | Let's detect the CPU and Flash now by running the following command: | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | <pre>zJTAG -probeonly /cable:3 /L1:3</pre> | |
− | |||
− | |||
+ | [[Image:Lite-1.png]] | ||
Most time, you only need to erase NVRAM, so let's do it: | Most time, you only need to erase NVRAM, so let's do it: | ||
<pre> | <pre> | ||
− | + | E:\diy\zjtag>zjtag.exe -erase:NVRAM /cable:3 /L1:3 | |
− | |||
============================================== | ============================================== | ||
− | + | zJTAG EJTAG Debrick Utility V0.9 | |
============================================== | ============================================== | ||
+ | cableid=3, cabletype=0 | ||
Set I/O speed to 7500 KHz | Set I/O speed to 7500 KHz | ||
Line 185: | Line 297: | ||
Probing bus ... Done | Probing bus ... Done | ||
− | Detected IR Length is 8 | + | Detected IR chain Length is 8 |
CPU assumed running under LITTLE endian | CPU assumed running under LITTLE endian | ||
Line 229: | Line 341: | ||
− | + | E:\diy\zjtag> | |
</pre> | </pre> | ||
Line 241: | Line 353: | ||
<pre> | <pre> | ||
− | + | ||
+ | E:\diy\zjtag>zjtag.exe -backup:NVRAM /cable:3 /L1:3 | ||
============================================== | ============================================== | ||
− | + | zJTAG EJTAG Debrick Utility V0.9 | |
============================================== | ============================================== | ||
+ | cableid=3, cabletype=0 | ||
Set I/O speed to 7500 KHz | Set I/O speed to 7500 KHz | ||
Line 255: | Line 369: | ||
Probing bus ... Done | Probing bus ... Done | ||
− | Detected IR Length is 8 | + | Detected IR chain Length is 8 |
CPU assumed running under LITTLE endian | CPU assumed running under LITTLE endian | ||
Line 288: | Line 402: | ||
========================= | ========================= | ||
− | Saving NVRAM.BIN. | + | Saving NVRAM.BIN.SAVED_20120922_154936 to Disk... |
− | Done (NVRAM.BIN. | + | Done (NVRAM.BIN.SAVED_20120922_154936 saved to Disk OK) |
bytes written: 131072 | bytes written: 131072 | ||
Line 301: | Line 415: | ||
− | + | E:\diy\zjtag> | |
</pre> | </pre> | ||
− | Open the file <pre>NVRAM.BIN. | + | Open the file <pre>NVRAM.BIN.SAVED_20120922_154936</pre> in any Hex editor you will see all bytes are changed to 0xFF. |
− | |||
− | |||
− | This should resolve your problem. If this doesn't work, erase the kernel (firmware): <pre>zJTAG -erase:kernel /L1:3</pre> then reflash the kernel via TFTP (see [http://www.dd-wrt.com/wiki/index.php/TFTP_flash TFTP Flashing]) | + | This should resolve your problem. If this doesn't work, erase the kernel (firmware): <pre>zJTAG -erase:kernel /cable:3 /L1:3</pre> then reflash the kernel via TFTP (see [http://www.dd-wrt.com/wiki/index.php/TFTP_flash TFTP Flashing]) |
Or still doesn't work, you may need to flash CFE: | Or still doesn't work, you may need to flash CFE: | ||
<pre> | <pre> | ||
− | zJTAG -flash:CFE /L1:3 | + | zJTAG -flash:CFE /cable:3 /L1:3 |
</pre> | </pre> | ||
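Review bot: The rewritten "Open the file" sentence now hard-codes NVRAM.BIN.SAVED_20120922_154936, but that name carries the timestamp of the author's own run (see the "Saving ... to Disk" line in the earlier hunk), so a reader's file will be named differently. Suggest wording it as the file zJTAG just reported saving, with the timestamped name given only as an example. The pre element is again used mid-sentence here and on the -erase:kernel command, which breaks both sentences apart when rendered.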
Latest revision as of 19:55, 6 October 2012
Buy various JTAG cables for your Satellite Receiver, Cable Modem, Wireless Router, Standard Wiggler from http://www.easymg.com and http://www.diygadget.com
Overview
The TIAO USB Multi Protocol Adapter Lite (TUMPA Lite) is a multi-functional USB communication adapter for hobbyists or engineers. The adapter is based on FTDI's flagship communication chip FT232H, a USB 2.0 Hi-Speed (480Mb/s) to UART/FIFO IC. It has one multi-protocol synchronous serial engine (MPSSE), which allows for communication using JTAG, I2C and SPI.
The following link will bring you to the manual of TUMPA Lite: TIAO USB Multi Protocol Adapter Lite User's Manual
In this tutorial, we are going to show you how to debrick a wireless router using TUMPA Lite and zJTAG. We use the WRT54GS as an example; however, that doesn't mean that you can only debrick the WRT54GS with TUMPA Lite and zJTAG. You can follow the same instructions to debrick other wireless routers.
Required Hardware and Software
- Obviously, a bricked wireless router (in this example, I am using a bricked Linksys WRT54GS)
- TIAO USB Multi Protocol Adapter Lite (TUMPA Lite)
- Wireless router debricking software [zJTAG]
- Soldering iron and solder, to solder the IDC headers onto the TUMPA Lite
Solder the IDC headers onto the TUMPA Lite
The first step is to solder the IDC headers onto the board. The headers are standard 2.54mm IDC headers, so they are very easy to solder.
This is what you will receive from us:
- TUMPA Lite board
- 2 x 80 PIN IDC header
- Female to female solderless jumper wire (8 PCS)
You don't need to solder all headers. If your only purpose is to use TUMPA Lite to debrick your router or cable modem, you only need to solder JTAG headers.
Since I had my soldering iron warmed up already, I soldered all headers:
Disassemble your router
The next step is to disassemble your router. In this example, the WRT54GS is very easy to disassemble. See reference here: Debrick Routers Using JTAG Cable. If you don't know how to disassemble your router, just search for it on Google :-)
Locate the JTAG Header/Pin on the router's PCB board
The JTAG header on the WRT54GS is JP2. See reference here: Debrick Routers Using JTAG Cable
Install TUMPA Drivers
We have tutorials for TUMPA driver installation. TUMPA Lite driver installation is very similar to TUMPA driver installation below:
How to install TIAO USB Multi Protocol Adapter Driver on Windows XP
How to install TIAO USB Multi Protocol Adapter Driver on Windows Vista or Windows 7
Once the driver is installed, unplug TUMPA Lite from your USB port.
Make The Connections
Once you have identified the JTAG pins on your router, you can connect the router to the TUMPA Lite board with the supplied female-to-female flex wires.
The pinout on the router is as follows:
nTRST  1   2  GND
TDI    3   4  GND
TDO    5   6  GND
TMS    7   8  GND
TCK    9  10  GND
nSRST 11  12  GND
and the pinout on the TUMPA Lite's 20-pin JTAG header is:
Pin # | FT232H Pin | Description |
---|---|---|
1 | Not Connected | Not Connected |
3 | AD5 | nTRST |
5 | AD1 | TDI |
7 | AD3 | TMS |
9 | AD0 | TCK |
11 | AD7 | RTCK |
13 | AD2 | TDO |
15 | AD4 | RST |
17 | AD6 | DBGRQ |
19 | AC0 | DBGACK |
2 | Not Connected | Not Connected |
4, 6, 8, 10, 12, 14, 16, 18, 20 | GND | GND |
Or if you use GPIO P2 pins:
These pins are either power pins or directly connected to GPIO pins of FT232H.
Pin # | Description |
---|---|
1, 2 | GND |
3, 4 | +3.3V of TUMPA Lite's onboard LDO output. |
5, 6 | +3.3V of TUMPA Lite's onboard LDO output. |
7, 8 | +5V output (from USB) |
9, 10 | +5V output (from USB) |
11, 12 | GND |
13, 14 | AD0 |
15, 16 | AD1 |
17, 18 | AD2 |
19, 20 | AD3 |
21, 22 | AD4 |
23, 24 | AD5 |
25, 26 | AD6 |
27, 28 | AD7 |
Thus, it is easy to make the connections. Make sure that neither the router nor the TUMPA Lite is powered on while you do this.
If you use TUMPA Lite's JTAG pins:
- Use a female-to-female flex wire to connect TDI together (PIN 3 on Router to PIN 5 on TUMPA Lite's 20 PIN JTAG Header)
- Use a female-to-female flex wire to connect TCK together (PIN 9 on Router to PIN 9 on TUMPA Lite's 20 PIN JTAG Header)
- Use a female-to-female flex wire to connect TMS together (PIN 7 on Router to PIN 7 on TUMPA Lite's 20 PIN JTAG Header)
- Use a female-to-female flex wire to connect TDO together (PIN 5 on Router to PIN 13 on TUMPA Lite's 20 PIN JTAG Header)
- Use a female-to-female flex wire to connect GND together (PIN 4 on Router to PIN 4 on TUMPA Lite's 20 PIN JTAG Header)
Or if you use TUMPA Lite's GPIO Header 2 P2: (which is what I am using)
- Use a female-to-female flex wire to connect TDI together (PIN 3 on Router to PIN 5 (AD1) on TUMPA Lite's P2 header)
- Use a female-to-female flex wire to connect TCK together (PIN 9 on Router to PIN 9 (AD0) on TUMPA Lite's P2 header)
- Use a female-to-female flex wire to connect TMS together (PIN 7 on Router to PIN 7 (AD3) on TUMPA Lite's P2 header)
- Use a female-to-female flex wire to connect TDO together (PIN 5 on Router to PIN 13 (AD2) on TUMPA Lite's P2 header)
- Use a female-to-female flex wire to connect GND together (PIN 4 on Router to PIN 4 (GND) on TUMPA Lite's P2 header)
So, it would look like this:
OK, double-check each connection against the signal names in the pinout tables above. Do not power on either the router or the TUMPA Lite yet.
Get zJTAG Ready
Download zJTAG and unzip it to an empty directory. In my example, I unzipped it to E:\diy\zjtag directory.
Double-check the connections to make sure they are correct and secure. Then connect the router to the power outlet and connect the TUMPA Lite to your computer's USB port via a USB cable (USB A to Mini B; most digital cameras and camcorders use this kind of cable).
Run zJTAG to Debrick Your Router
It's time to debrick your router now. First, open a DOS prompt window. Running zjtag without parameters will give you all the command line options.
The following are useful commands:
-probeonly            -> Detect router's CPU and Flash chip.
-erase:<area name>    -> example: -erase:NVRAM
-backup:<area name>   -> example: -backup:CFE
-flash:<area name>    -> example: -flash:Kernel

Also, the most important flag is the JTAG clock speed divider:

/L1:<divider>

TUMPA Lite can clock TCK as high as 30 MHz; however, most routers' CPUs cannot handle such a high clock speed, so you will have to slow down the clock to make it work.
This is the formula:
Speed in KHz = 30000 / (divider + 1)
For example, if you give the following option:
/L1:3
The TCK clock speed is 7500KHz or 7.5MHz (30000/(3+1)).
By default, zJTAG will detect TUMPA. However since we are using TUMPA Lite, we need to pass TUMPA Lite's cable id to zJTAG. The cable id is 3 for TUMPA Lite:
/cable:3
Let's detect the CPU and Flash now by running the following command:
zJTAG -probeonly /cable:3 /L1:3
Most of the time, you only need to erase NVRAM, so let's do it:
E:\diy\zjtag>zjtag.exe -erase:NVRAM /cable:3 /L1:3

==============================================
zJTAG EJTAG Debrick Utility V0.9
==============================================

cableid=3, cabletype=0
Set I/O speed to 7500 KHz
USB TAP device has been initialized. Please confirm VREF signal connected!
Press any key to continue... ONCE target board is powered on!

Probing bus ... Done

Detected IR chain Length is 8
CPU assumed running under LITTLE endian

CPU Chip ID: 00010100011100010010000101111111 (1471217F)
*** Found a Broadcom manufactured BCM4712 REV 01 CPU ***

- EJTAG IMPCODE ....... : 00000000100000000000100100000100 (00800904)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped

Probing Flash at Address: 0x1FC00000 ...
Detected Chip ID (VenID:DevID = 0089 : 0017)
*** Found a Intel 28F640J3 4Mx16 (8MB) Flash Chip from Intel

- Flash Chip Window Start .... : 1C000000
- Flash Chip Window Length ... : 00800000
- Selected Area Start ........ : 1C7E0000
- Selected Area Length ....... : 00020000

*** You Selected to Erase the NVRAM.BIN ***

=========================
Erasing Routine Started
=========================
Total Blocks to Erase: 1

Erasing block: 64 (addr = 1C7E0000)...Done

=========================
Erasing Routine Complete
=========================
elapsed time: 3 seconds

*** REQUESTED OPERATION IS COMPLETE ***

E:\diy\zjtag>
It's always a good idea to check the result of an erase or flash by running a backup command to compare the output.
In the case of an erase, each bit of the whole area should be 1 after the action (that is, each byte should be 0xFF). In the case of a flash, always use binary comparison software to compare the backup image taken after the flash with the original one.
So, let's do a backup and see if erase command was indeed good:
E:\diy\zjtag>zjtag.exe -backup:NVRAM /cable:3 /L1:3

==============================================
zJTAG EJTAG Debrick Utility V0.9
==============================================

cableid=3, cabletype=0
Set I/O speed to 7500 KHz
USB TAP device has been initialized. Please confirm VREF signal connected!
Press any key to continue... ONCE target board is powered on!

Probing bus ... Done

Detected IR chain Length is 8
CPU assumed running under LITTLE endian

CPU Chip ID: 00010100011100010010000101111111 (1471217F)
*** Found a Broadcom manufactured BCM4712 REV 01 CPU ***

- EJTAG IMPCODE ....... : 00000000100000000000100100000100 (00800904)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped

Probing Flash at Address: 0x1FC00000 ...
Detected Chip ID (VenID:DevID = 0089 : 0017)
*** Found a Intel 28F640J3 4Mx16 (8MB) Flash Chip from Intel

- Flash Chip Window Start .... : 1C000000
- Flash Chip Window Length ... : 00800000
- Selected Area Start ........ : 1C7E0000
- Selected Area Length ....... : 00020000

*** You Selected to Backup the NVRAM.BIN ***

=========================
Backup Routine Started
=========================

Saving NVRAM.BIN.SAVED_20120922_154936 to Disk...
Done (NVRAM.BIN.SAVED_20120922_154936 saved to Disk OK)

bytes written: 131072

=========================
Backup Routine Complete
=========================
elapsed time: 4 seconds

*** REQUESTED OPERATION IS COMPLETE ***

E:\diy\zjtag>

Open the file NVRAM.BIN.SAVED_20120922_154936 in any hex editor and you will see that all bytes are changed to 0xFF.

This should resolve your problem. If this doesn't work, erase the kernel (firmware):

zJTAG -erase:kernel /cable:3 /L1:3

then reflash the kernel via TFTP (see TFTP Flashing).
If it still doesn't work, you may need to flash CFE:
zJTAG -flash:CFE /cable:3 /L1:3
The CFE bin files in the repository all have MAC addresses that DO NOT MATCH your hardware, so you will need to edit the file before you flash it to your router. Please read Debrick Routers Using JTAG Cable first.
Again, to make sure the flash was really successful, run a backup command after the flash and compare the content with the original image.
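One way to script both checks described above (all bytes 0xFF after an erase, byte-for-byte match after a flash) instead of reading a hex editor by eye. This is an added example, not part of the original tutorial or of zJTAG; the function names and sample files are constructed, while the 0x20000 length and 0x1C7E0000 start address are taken from the NVRAM log above.

```python
import os
import tempfile

CHUNK = 64 * 1024
NVRAM_LEN = 0x00020000    # "Selected Area Length" in the log (131072 bytes written)
NVRAM_START = 0x1C7E0000  # "Selected Area Start" in the log


def _diff_ranges(a, b, base, ranges):
    """Append [start, end) file offsets where a and b differ, merging adjacent runs."""
    if a == b:
        return
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            off = base + i
            if ranges and ranges[-1][1] == off:
                ranges[-1][1] = off + 1
            else:
                ranges.append([off, off + 1])


def check_erased(path, expected_len=NVRAM_LEN):
    """Return (ok, size, ranges); ranges are the runs of bytes that are not 0xFF."""
    ranges, size = [], 0
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            _diff_ranges(chunk, b"\xff" * len(chunk), size, ranges)
            size += len(chunk)
    # A short or oversized backup is a failure even if every byte read is 0xFF.
    ok = size == expected_len and not ranges
    return ok, size, [tuple(r) for r in ranges]


def compare_images(original, readback):
    """Return (ok, ranges) of offsets where the read-back differs from the flashed image."""
    size_a, size_b = os.path.getsize(original), os.path.getsize(readback)
    ranges, pos = [], 0
    with open(original, "rb") as fa, open(readback, "rb") as fb:
        remaining = min(size_a, size_b)
        while remaining:
            n = min(CHUNK, remaining)
            _diff_ranges(fa.read(n), fb.read(n), pos, ranges)
            pos += n
            remaining -= n
    if size_a != size_b:  # report the unmatched tail as one differing range
        ranges.append([pos, max(size_a, size_b)])
    return not ranges, [tuple(r) for r in ranges]


def demo():
    """Run both checks on constructed sample images (not real router dumps)."""
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "NVRAM.BIN.SAVED_clean")
        dirty = os.path.join(d, "NVRAM.BIN.SAVED_dirty")
        with open(clean, "wb") as f:
            f.write(b"\xff" * NVRAM_LEN)
        with open(dirty, "wb") as f:  # four leftover bytes at offset 0x400
            f.write(b"\xff" * 0x400 + b"FLSH" + b"\xff" * (NVRAM_LEN - 0x404))
        return check_erased(clean), check_erased(dirty), compare_images(clean, dirty)


if __name__ == "__main__":
    clean, dirty, cmp_result = demo()
    print("clean erase ok:", clean[0])
    for start, end in dirty[2]:
        print("not erased: flash address %08X-%08X" % (NVRAM_START + start, NVRAM_START + end - 1))
    print("images identical:", cmp_result[0])
```

For a real run, pass the backup file zJTAG saved to `check_erased`, or the image you flashed and the backup taken afterwards to `compare_images`.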
If the flash or the erase doesn't work, try lowering the speed by giving a larger divider. For example, in my case, using

/L1:4

will decrease TCK to 6 MHz.
One more suggestion: always back up each area and the whole flash before you do anything to it. You never know!