Debrick Wireless Router Using TUMPA and zJTAG

From TIAO's Wiki
Revision as of 02:09, 30 August 2011 by Admin (talk | contribs) (Make The Connections)

Overview

The TIAO USB Multi Protocol Adapter (TUMPA) is a multi-functional USB communication adapter for hobbyists or engineers. The adapter is based on FTDI's flagship communication chip FT2232H, a USB 2.0 Hi-Speed (480Mb/s) to UART/FIFO IC. It has two multi-protocol synchronous serial engines (MPSSEs) which allow for communication using JTAG, I2C and SPI on two channels simultaneously.

In this tutorial, we are going to show you how to debrick a wireless router. We use the WRT54GS as an example; however, that doesn't mean that you can only debrick a WRT54GS with TUMPA. You can follow the same instructions to debrick other wireless routers.

Required Hardware and Software

Disassemble your router

The first step is to disassemble your router. In this example, the WRT54GS is very easy to disassemble. See reference here: Debrick Routers Using JTAG Cable. If you don't know how to disassemble your router, just search for it on Google :-)

Locate the JTAG Header/Pin on the router's PCB board

The JTAG header on the WRT54GS is JP2. See reference here: Debrick Routers Using JTAG Cable

Install TUMPA Drivers

Depending on your system, you can follow the following tutorials to install the drivers on your Windows machine:

How to install TIAO USB Multi Protocol Adapter Driver on Windows XP

How to install TIAO USB Multi Protocol Adapter Driver on Windows Vista or Windows 7

Once the driver is installed, unplug TUMPA from your USB port.

Make The Connections

Once you have identified the JTAG pins on your router, you can connect the router to the TUMPA board with the supplied female-to-female flex cable. We recommend using the short cable.

The pinout on the router is as follows:

nTRST  1   2 GND
TDI    3   4 GND
TDO    5   6 GND
TMS    7   8 GND
TCK    9  10 GND
nSRST 11  12 GND


and the pinout on the TUMPA is:


Tumpa.jtag.connector.1.png
Pin # Description
1 VTAR
3 nTRST
5 TDI
7 TMS
9 TCK
11 RTCK
13 TDO
15 RST
17 DBGRQ
19 DBGACK
2 Not Connected
4, 6, 8, 10, 12, 14, 16, 18, 20 GND


So, it is easy to make the connections (make sure neither the router nor TUMPA is powered on):

Use a female-to-female flex cable to connect TDI together (PIN 5 on Router to PIN 3 on TUMPA's 20 PIN JTAG Header)
Use a female-to-female flex cable to connect TCK together (PIN 9 on Router to PIN 9 on TUMPA's 20 PIN JTAG Header)
Use a female-to-female flex cable to connect TMS together (PIN 7 on Router to PIN 7 on TUMPA's 20 PIN JTAG Header)
Use a female-to-female flex cable to connect TDO together (PIN 13 on Router to PIN 5 on TUMPA's 20 PIN JTAG Header)
Use a female-to-female flex cable to connect GND together (PIN 4 on Router to PIN 4 on TUMPA's 20 PIN JTAG Header)

So, it will look like this:

Tumpa.wrt54tgs.jpg

OK, double check the connections. Do not power on either the router or TUMPA yet.

Get zJTAG Ready

Download zJTAG from here and unzip it to an empty directory. In my example, I unzipped it to d:\dev\debrick\zJTAG directory.

Double check the connections to make sure they are correct and secure. Then, connect the router to the power outlet and connect TUMPA to your computer's USB port via a USB cable (USB A to Mini B; most digital cameras and camcorders use this kind of cable).

Run zJTAG to Debrick Your Router

It's time to debrick your router now. First, open a DOS prompt window. Running
zjtag
without parameters lists all the command line options.

The following are useful commands:

-probeonly -> Detect router's CPU and Flash chip.
-erase:<area name> -> example: -erase:NVRAM
-backup:<area name> -> example: -backup:CFE
-flash:<area name> -> example: -flash:Kernel

Also, the most important flag is the JTAG clock speed divider, /L1:<divider>. TUMPA can clock TCK as high as 30MHz; however, most routers' CPUs cannot handle such a high clock speed, so you will have to slow down the clock to make it work.

This is the formula:

Speed in KHz = 30000 / (divider + 1)

For example, if you give the following option:

/L1:3

The TCK clock speed is 7500KHz or 7.5MHz (30000/(3+1)).

Let's detect the CPU and Flash now by running the following command:

zJTAG -probeonly

Wrt54gs.zjtag.30Mhz.jpg

As you can see from the above photo, with TCK set to 30MHz, zJTAG is not able to detect the CPU and Flash.

Now if we run it with /L1:3 option:

zJTAG -probeonly /L1:3

Wrt54gs.zjtag.7500Khz.jpg

Once we set the TCK to 7.5MHz, zJTAG is able to detect the CPU and Flash for my WRT54GS.
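
Added example (not part of the original tutorial and not zJTAG's own code): a small Python helper that inverts the divider formula above to pick a /L1 value for a TCK ceiling, and generalizes the 30MHz-then-7.5MHz probing shown here into a ladder of -probeonly runs that halves the clock each step. The 16-bit divider limit, the 1000KHz floor and the function names are assumptions.

```python
import math

BASE_KHZ = 30000      # TUMPA's maximum TCK in KHz, from the formula above
MAX_DIVIDER = 0xFFFF  # assumption: 16-bit divider range, not stated on the page


def tck_khz(divider):
    """Speed in KHz = 30000 / (divider + 1)."""
    if not 0 <= divider <= MAX_DIVIDER:
        raise ValueError(f"divider {divider} outside 0..{MAX_DIVIDER}")
    return BASE_KHZ / (divider + 1)


def divider_for(max_khz):
    """Smallest divider whose TCK does not exceed max_khz."""
    if max_khz <= 0:
        raise ValueError("max_khz must be positive")
    divider = math.ceil(BASE_KHZ / max_khz) - 1
    if divider > MAX_DIVIDER:
        raise ValueError(f"{max_khz} KHz is below the slowest available TCK")
    return divider


def probe_plan(start_khz=BASE_KHZ, floor_khz=1000):
    """Halve TCK each step from start_khz down to floor_khz.

    Returns (divider, KHz, command line) tuples. Only -probeonly
    command lines are generated, never -erase or -flash.
    """
    plan = []
    divider = divider_for(start_khz)
    while divider <= MAX_DIVIDER and tck_khz(divider) >= floor_khz:
        plan.append((divider, tck_khz(divider), f"zJTAG -probeonly /L1:{divider}"))
        divider = 2 * (divider + 1) - 1  # doubling (divider + 1) halves TCK
    return plan


if __name__ == "__main__":
    for divider, khz, command in probe_plan():
        print(f"{khz:>8.1f} KHz  {command}")
```

Run the printed commands from the top and stop at the first speed where the CPU and Flash are detected; that /L1 value is the one to reuse for the backup, erase and flash commands.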









