There is no easy rescue method yet. I am focusing on adding activation method to 0.20 and then I will add features on the wish list to 0.20.
Debrick method is one that I wish to see in 0.20.
Wrt54g v6 not Wrt54gs
-
usbbdm
- Junior Member
- Posts: 8974
- Joined: Mon Jul 18, 2005 9:33 pm
I am using sprogram to program the WRT54GS while I erase it. 0.19 does not seems to be stable. After lower the speed the program succeed now. I will test a little more tomorrow. Virtually the speed optimization for "sprogram" is a "BUG" for in some cases. The Intel28F160 sprogram was not reliable. 0.20 will solve this issue. I need to brick this router more in different way and debrick it in my newer software.
-
usbbdm
- Junior Member
- Posts: 8974
- Joined: Mon Jul 18, 2005 9:33 pm
If you are using current version of software, the bug of "sprogram" on some 28F160 chip can be masked by issue command of "erase" and "sprogram" with same boot.
If you do the "erase' first and then power off and on the target, the "sprogram" might not work in some case. That is a bug in 0.19 and earlier version. Not sure if AMD is affected since I only gave Intel chip to test.
If you do the "erase' first and then power off and on the target, the "sprogram" might not work in some case. That is a bug in 0.19 and earlier version. Not sure if AMD is affected since I only gave Intel chip to test.
-
jgyat
- Junior Member
- Posts: 4
- Joined: Tue Nov 18, 2008 6:30 pm
I'm experiencing problems similar to those explained in this thread namely:
1) the detect command fails to detect the flash type. I get the following output:
-detect
IDCODE 0535217F
Broadcom BCM5352
IMPCODE 800904
DMA supoorted
Unknown flash type!
Report these two value to http://www.usbjtag.com/vbforum 0000,0000
I can detect the flash using the tjtag program (an updated version of the wrt54g program) with a parallel port cable. The flash type I detected using this method is already listed in the flash.def file. The command I used was:
tjtag -probeonly /noemw
I got the following output:
==========================================
EJTAG Debrick Utility v2.1.4-Tornado-MOD
==========================================
Probing bus ... Done
Instruction Length set to 8
CPU Chip ID: 00000101001101010010000101111111 (0535217F)
*** Found a Broadcom BCM5352 Rev 1 CPU chip ***
- EJTAG IMPCODE ....... : 00000000100000000000100100000100 (00800904)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS32
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Probing Flash at (Flash Window: 0x1fc00000) ... Done
Flash Vendor ID: 00000000000000000000000000000001 (00000001)
Flash Device ID: 00000000000000000010001011000100 (000022C4)
*** Found a AMD 29lv160DT 1Mx16 TopB (2MB) Flash Chip ***
- Flash Chip Window Start .... : 1fc00000
- Flash Chip Window Length ... : 00200000
- Selected Area Start ........ : 00000000
- Selected Area Length ....... : 00000000
*** REQUESTED OPERATION IS COMPLETE ***
I'm not sure if this is part of the problem, but this command will fail if I omit the /noemw flag.
This first issue is troubling but not a show stopper; I can always set the flash type manually. Which leads to my second problem:
2) If I manually set the flash type (via the flshset command) and then attempt to erase and sprogram I get the following:
-flshset CFE 89 88C3
Intel 28F160C3B
-erase CFE
Erase starts...
Erase time 00:00:00 (.203)
-ldram CFE
-sprogram CFE
Program Starts...
The program has been in this state for over 30 minutes. It appears to be stuck. Any ideas? Also, I was a bit surprise how fast the erase operation finished. The documentation seems to indicate that is takes a while.
The status on the bottom right says DEBUG ON (after several minutes) so I assume the the watchdog was clear (this may be a bad assumption in my part).
FYI: I'm using version 0.30 of USB JTAG with the USBJTAG hardware (not the NT version).
Any help would be greatly appreciated.
Also, I have several WRT54G routers at my disposal. If you need someone to test changes you make with different flash types, hardware revisions, etc. -- sign me up.
cheers,
jgyat
1) the detect command fails to detect the flash type. I get the following output:
-detect
IDCODE 0535217F
Broadcom BCM5352
IMPCODE 800904
DMA supoorted
Unknown flash type!
Report these two value to http://www.usbjtag.com/vbforum 0000,0000
I can detect the flash using the tjtag program (an updated version of the wrt54g program) with a parallel port cable. The flash type I detected using this method is already listed in the flash.def file. The command I used was:
tjtag -probeonly /noemw
I got the following output:
==========================================
EJTAG Debrick Utility v2.1.4-Tornado-MOD
==========================================
Probing bus ... Done
Instruction Length set to 8
CPU Chip ID: 00000101001101010010000101111111 (0535217F)
*** Found a Broadcom BCM5352 Rev 1 CPU chip ***
- EJTAG IMPCODE ....... : 00000000100000000000100100000100 (00800904)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS32
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Probing Flash at (Flash Window: 0x1fc00000) ... Done
Flash Vendor ID: 00000000000000000000000000000001 (00000001)
Flash Device ID: 00000000000000000010001011000100 (000022C4)
*** Found a AMD 29lv160DT 1Mx16 TopB (2MB) Flash Chip ***
- Flash Chip Window Start .... : 1fc00000
- Flash Chip Window Length ... : 00200000
- Selected Area Start ........ : 00000000
- Selected Area Length ....... : 00000000
*** REQUESTED OPERATION IS COMPLETE ***
I'm not sure if this is part of the problem, but this command will fail if I omit the /noemw flag.
This first issue is troubling but not a show stopper; I can always set the flash type manually. Which leads to my second problem:
2) If I manually set the flash type (via the flshset command) and then attempt to erase and sprogram I get the following:
-flshset CFE 89 88C3
Intel 28F160C3B
-erase CFE
Erase starts...
Erase time 00:00:00 (.203)
-ldram CFE
-sprogram CFE
Program Starts...
The program has been in this state for over 30 minutes. It appears to be stuck. Any ideas? Also, I was a bit surprise how fast the erase operation finished. The documentation seems to indicate that is takes a while.
The status on the bottom right says DEBUG ON (after several minutes) so I assume the the watchdog was clear (this may be a bad assumption in my part).
FYI: I'm using version 0.30 of USB JTAG with the USBJTAG hardware (not the NT version).
Any help would be greatly appreciated.
Also, I have several WRT54G routers at my disposal. If you need someone to test changes you make with different flash types, hardware revisions, etc. -- sign me up.
cheers,
jgyat
-
usbbdm
- Junior Member
- Posts: 8974
- Joined: Mon Jul 18, 2005 9:33 pm
I am sure NT is a great tool to debrick the routers. I am 100% sure if the router is soft bricked you can use USBJTAG NT to debrick them. I have tested V2 V6 (G and GS) and V8.
The problem you have can easily be use tap command to fix them.
WRT54G is great router and the combination with USBJTAG NT (dd-wrt) is everything you can image of.
The NT can fix the router that pjtag cannot fix.
The problem you have can easily be use tap command to fix them.
WRT54G is great router and the combination with USBJTAG NT (dd-wrt) is everything you can image of.
The NT can fix the router that pjtag cannot fix.
-
jgyat
- Junior Member
- Posts: 4
- Joined: Tue Nov 18, 2008 6:30 pm
Upgraded to NT, Issue still present
As suggested, I upgraded to USBJTAGNT. I am experiencing the same problem as before. The "detect" command fails to identify the flash; here is the output:
-detect
IDCODE 0535217F
Broadcom BCM5352
IMPCODE 00800904
DMA supoorted
Unknown flash type!
Report these two value to http://www.usbjtag.com/vbforum 0000,0000
I then set the flash type manually:
-flshset cfe 89 88c3
Intel 28F160C3B
and attempt to flash:
-erase cfe
Erase starts...
Erase time 00:00:00 (.546)
-sprogram cfe
Program Starts...
At this point, the program gets stuck (no progress after 30 minutes).
Any idea?
-detect
IDCODE 0535217F
Broadcom BCM5352
IMPCODE 00800904
DMA supoorted
Unknown flash type!
Report these two value to http://www.usbjtag.com/vbforum 0000,0000
I then set the flash type manually:
-flshset cfe 89 88c3
Intel 28F160C3B
and attempt to flash:
-erase cfe
Erase starts...
Erase time 00:00:00 (.546)
-sprogram cfe
Program Starts...
At this point, the program gets stuck (no progress after 30 minutes).
Any idea?
-
usbbdm
- Junior Member
- Posts: 8974
- Joined: Mon Jul 18, 2005 9:33 pm
-
jgyat
- Junior Member
- Posts: 4
- Joined: Tue Nov 18, 2008 6:30 pm
It now works!
Thanks for your help. It now works.
Could you point me to the documentation for the tap command? I tried to do a search of the forum and failed to get any results (the word tap is too small). Thanks again.
Could you point me to the documentation for the tap command? I tried to do a search of the forum and failed to get any results (the word tap is too small). Thanks again.
-
usbbdm
- Junior Member
- Posts: 8974
- Joined: Mon Jul 18, 2005 9:33 pm
Tap is added to debrick. it uses EJTAG tap command. Not very well documented. I found this combo works 100% on all WRT54G modems. No need to do CE trick (risk to really brick it).
Basically what it tells is to pause the CPU and force to debug mode.
The NT software allow to detect flash when in debug mode and do erase and sprogram.
Compare to pjtag it is about 1 million faster. With a few commands your router is back to life.
Just before typing this post I had programmed my WRT54G V6 back to WRT54GS V6 (16M flash) and the router works with dd-wrt happily.
Basically what it tells is to pause the CPU and force to debug mode.
The NT software allow to detect flash when in debug mode and do erase and sprogram.
Compare to pjtag it is about 1 million faster. With a few commands your router is back to life.
Just before typing this post I had programmed my WRT54G V6 back to WRT54GS V6 (16M flash) and the router works with dd-wrt happily.
Who is online
Users browsing this forum: No registered users and 6 guests