" class="title" title="home again woohoo">Home ?> pages bg right
 Currently Browsing: Chit-Chat


WRT54g2 – From DD-WRT to Original Firmware

So…A friend asked me to restore the original firmware on his Linksys WRT54g2 after having installed DD-WRT. Well, it isnt as straightforward as it is the other way around. In fact, it isnt doable just by software.

First, you need to open the router. Damn thing uses the only screwdriver i don’t have.

Safe Torx

It was easy to force a normal flat headed screwdriver. So , got it opened.
Next, Surprise. No serial or jtag port visible right away. *sigh*
Taking a good look, you’ll see adjacent black boxes where it was supposed to be some pins, only they are all green.
WRT Board

Looking around, you’ll find the 5 pins in the middle of the top face of the mainboard are a serial port. And the 6 boxes in the right (6 on top face, 6 on bottom face) are pins for jtag. You’ll have to scratch the green stuff out (carefully) using a screwdriver, nail, or something sharp. After leaving enough copper surface visible, you can proceed to solder cables or some kind of surface connector. (or, adapt a standard connector)

So far, so good.
You’ll need a jtag cable. You can get some online, from cheap ones, to really expensive ones. Plus, you need to know if it will support the chip the router uses.
Cheap solution : Use a home-made cable consisting in 4 resistors + 1 DB25 male connector (using the printer port. Note that it needs to be a REAL printer port. Not an USB “printer” port).
WRT Board
* Taken from OpenWRT Wiki

This easy to make cable (Unbuffered cable) has to be short. No more than 6 inches, or noise will be your enemy. I made one about 3 inches long.

WRT Board WRT Board

Get tjtag to tinkle with the board. Runs on windows and linux. As none of my laptops have a printer port, i used a colleague’s computer (WinXP). Now this becomes nasty xD

Running test commands, the software recognized the board and memory chip. All good!
Cable was good, board was alive (duh! it was working), and software was compatible.

tjtag3.exe -probeonly
Probe

Then, (just in case) i made a wholeflash backup. This will save all the flash content bit by bit, allowing a future restore to DD-WRT (in this case).

tjtag3.exe -backup:wholeflash

Flash Backup
(2MB backup, took 623 seconds to complete.)

Now, according to dd-wrt forums, once installed dd-wrt on this router, there is no way back. Well, this is partly true.
As i commented before, there is no “easy” way back. Better yet, if you do not make a wholeflash backup yourself, the “not easy” way back, becomes more “not easy”.
Well.. I received this router with dd-wrt preinstalled, and was asked to return it to firmware factory. All system hardware was “pristine”, so nobody mangled it, and… nobody made a flash backup. Fortunately , a guy in the forums was nice enough to post a wholeflash backup of his router. (different flash chip).

When decided to try it out, i renamed the file to wholeflash.bin and run

tjtag -flash:wholeflash

Started running…..
Continued running…..
A couple of numbers showed up on screen….
Flash Write
….. (i let it run, and i went back to work)
If you consider the time between the numbers on screen, it would have taken about 120 hours to flash the whole flash. I know jtag is slow, but this is ridiculous.

So, Control-C, and try again using some parameters.
Now the board started to act weird. Some times it didnt detected the flash chip, some times it complained about not being able to set debug mode on processor, hanged while enabling memory writes, etc.

After some time trying and reading, i decided to use the /dma, /noreset and /noemw parameters. (force enable dma (speed), disable reset and memory writes). Some times i had to force the flash id (/fc:09). Now it was running fast. (read, about 2 minute per each percent).
Off to work again.

Checked about 60 minutes later, and the damned thing hanged at 27%.

After that, came a series of erase of the flash, followed by differents tries to flash. Each attempt failed in different places. (6%, 12%, the most i got, was 37%).
Checked the cable, any interference around, etc. Same result.
I went home, and let the stupid board flashing. Didnt care anymore :D

Next day i tried a couple of things.
One of them lead me to success (hours later!)

The important steps were this :

- Connected the pin 1 of the unbuffered cable , to a Vcc source (used serial’s port) with a 100ohm resistor. (In the pictures the pin is connected…. i took the pictures after all this)
- Left each cable a couple of millimeters away from each other.
- Put the router in its own case, to isolate it from external noise. (however, i used the original casing.. Some suggest using some tinfoil around).

Jtag
This led me to flash to 15% almost every time. (it was still hanging).
Then, i got fed up. Decided to split the bin file into smaller pieces (256KB seemed about right) and started flashing it by parts (8 parts). For this, you need to calculate the beginning area of the flash memory, and the length to program. With all the information you get with tflash, this is fairly easy.

Some more failures. Still dont know why, but after flashing part2 (256 to 512KB) i got some hangs in specific address. Tired, decided to go backwards (literally). Erased the flash, and started flashing from part 8 to 1.

It went smooth! No errors, about 560 seconds each part (something about 75 minutes total).
To confirm the procedure, made a wholeflash backup and compared it to the file… Damn. Differences. First difference occurred about 750KB from beggining.

If you check the addresses where the BSP or CFE is stored, you will realize that 750KB from the beggining is just past that. Im not going too write much about this, but it is important to know, CFE is the boot system used to boot linux (dd-wrt in this case), and BSP is the system used by linksys firmware based on VxWorks.

Taking that into account, i just rebooted the router. Lights went all on, then off…. Success !
Power light was blinking. That means firmware loading problem. Not that bad. Configured the computer to use 192.168.1.20 , and connected via WEB to 192.168.1.1. A simple page titled “Management Mode – Firmware Upgrade” asking me to select a file, appeared.
I went to Linksys.com, browsed for the latest firmware for this router (1.04.00) and selected it. Run!
A couple of minutes passed by, and the page asked me to reboot the router.

Power Off.
Power On.

Normal boot !

We are back to the original firmware.

Utilities and files :

- tjtag v0.3 [ from : here ]
- Whole flash backup [ from : here ]
- Original Linksys Firmware 1.0.04US [ from : here ]
- Splitted Flash : Each of the files to flash manually and by segments of 256KB.
* (including bat files with the command line)

PS:
All the files here, were taken from the sites specified.
If you think i am violating some copyright, please write me.



How to kill your laptop….

* pictures taken from notebookreview forums. this post

Well…
It is known, that when using laptops, updating the BIOS has to be one of the most careful things to do.

When you say careful, you mainly mean : DONT DO IT UNDER WINDOWS.

Most of these warning are from old days. I figured… lot of time has passed, and they wont apply. (I use linux 64bit all the time… but that day, i was running windows (playing Red Alert 3), and just saw the right moment to try Asus WinFlash)

Big mistake.

Flashed correctly… Verified Ok, then said just reboot. Rebooted, and black screen. No signs of life other than the fan running steadly.
Damn, i said.

* This was my rescue kit setup :-)

I figured, as my laptop is an Asus G1 with Ami Bios, i could try and access the bootblock to restore the bios image.
Wrong. Tried USB Floppy drive, cdrom containing only the file (amiboot.rom), turned on the laptop pressing esc, alt f2, control esc, control pgup, etc, etc.
Nothing.
It looked like something was interfering the bootblock code. (Im not certain on this, but it seems the media playback feature of the laptop, avoided the bootblock code from ever executing).

So… Go to the Asus website (and forums) to ask for some pointers.
Tech support didn’t have a clue. They said i’ll have to take my laptop to service. (good one). or try different combo keys (all of them tried before).
Service said (without even looking at it) bad mainboard, replace and give us lots of money. (yeah, right).
I tried again support, and ask them to pointers on how to open the system to access the bios chipset. They said “we can’t give you that info, because is private”.

Turns out the laptop is pretty easy to crack open.

* A little overview in the process. Unfortunately, i forgot to take pictures of the non-socketed chip :-(

I did it. Cracked it open, found the flash chip (SST 49LF004B rev CA), desoldered using a hot air station, soldered a nice PLCC32 socket, reprogrammed the flash chip with latest bios (yes, bin file provided by asus is a straight image of the chip), put it all together. IT’S ALIVE!!!

* Thats how the socketed bios looks now. And, the process of programming.

So.. now that i have a pretty socket and the ability to get the flash chip when i want, i’ll be trying some bios mods. (i.e. I want to be able to access more than the 3GBs the bios recognize. This is because the memory chipset only beign able to address 4GB, and bios not providing some remap functions.. but that’s another story).

Sounds easy right ? Well… it isn’t so difficult. Just be patient and careful. I already broke a pin in the LCD connector… I’m lucky it isn’t used.

Page 1 of 212»