Please post anything that you need to debrick in here.

This is JTAG to debrick any JTAG device: modems, cable boxes, dish boxes, routers.
joedirtz
Junior Member
Posts: 4
Joined: Sat Feb 07, 2009 11:37 am

Post by joedirtz » Wed Nov 02, 2011 12:09 pm

usbbdm wrote:First you need to find the JTAG port and be able to detect the CPU. Then you need to find if existing XML will work with your device. The script is the last thing and optional.
Tell us back if you can detect the CPU first.
Thanks for your reply. I would like to restore a uboot file that starts at 0x000000 and ends at 0x100000.

Copyright (C) 2010,2011,2012
USB JTAG NT 0.54
Target: WRTDebrick
-detect
IDCODE 20A023D3
Marvell Part NotFound 0A02
IMPCODE 00000000
EJTAG V1, V2.0
DMA supoorted
Unknown flash type!
Report these values http://www.usbjtag.com/vbforum 0000,0000

usbbdm
Junior Member
Posts: 8662
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm » Wed Nov 02, 2011 12:27 pm

I do not know if it is MIPS or not. If it is then your IRLength is not right.

joedirtz
Junior Member
Posts: 4
Joined: Sat Feb 07, 2009 11:37 am

Post by joedirtz » Wed Nov 02, 2011 12:56 pm

usbbdm wrote:I do not know if it is MIPS or not. If it is then your IRLength is not right.
copy/paste fr:
http://wiki.openwrt.org/toh/seagate/dockstar
Architecture: armv5te (big endian, runs also with little endian)
Vendor: Marvell
Bootloader: U-Boot
System-On-Chip: Marvell MV88F6281 A0 (DDR2) with ARM926EJ-S CPU (Marvell Feroceon)
CPU Speed: 1200 Mhz
Flash-Chip: Manufacturer ID: 0x2c, Chip ID: 0xda (Micron NAND 256MiB 3,3V 8-bit)
Flash size: 256 MiB (PartNo 100576825C, 100576827B) or 512 MiB (PartNo 100576825B)
RAM: 128 MiB / 1x Nanya NT5TU64M16DG-AC
Wireless: n/a
Ethernet: 1x GigE port / Marvell "Alaska" 88E1116R
USB: 3x USB 2.0 ports, 1x mini USB 2.0 port for harddisk
Serial: Yes
JTAG: Yes

usbbdm
Junior Member
Posts: 8662
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm » Wed Nov 02, 2011 5:26 pm

joedirtz wrote:copy/paste fr:
http://wiki.openwrt.org/toh/seagate/dockstar
Architecture: armv5te (big endian, runs also with little endian)
Vendor: Marvell
Bootloader: U-Boot
System-On-Chip: Marvell MV88F6281 A0 (DDR2) with ARM926EJ-S CPU (Marvell Feroceon)
CPU Speed: 1200 Mhz
Flash-Chip: Manufacturer ID: 0x2c, Chip ID: 0xda (Micron NAND 256MiB 3,3V 8-bit)
Flash size: 256 MiB (PartNo 100576825C, 100576827B) or 512 MiB (PartNo 100576825B)
RAM: 128 MiB / 1x Nanya NT5TU64M16DG-AC
Wireless: n/a
Ethernet: 1x GigE port / Marvell "Alaska" 88E1116R
USB: 3x USB 2.0 ports, 1x mini USB 2.0 port for harddisk
Serial: Yes
JTAG: Yes
This is ARM926, so you need ARM JTAG, not the MIPS target. Since it is NAND only, the current software does not support NAND only yet. I could add support later.
Since NAND can have bad sectors, JTAG might only program the u-boot at the beginning of the chip.

joedirtz
Junior Member
Posts: 4
Joined: Sat Feb 07, 2009 11:37 am

Post by joedirtz » Wed Nov 02, 2011 5:32 pm

Thanks for the info. Would you please tell me how I could program the u-boot? I do have a u-boot file (164 KB) but I am not sure how to write it.

Spray
Junior Member
Posts: 6
Joined: Mon Jan 02, 2012 11:51 am

WRT54GS v.2

Post by Spray » Mon Jan 02, 2012 4:17 pm

Hello,

This is what I get from detect on my USB JTAG.

-detect
IDCODE 1471217F
Broadcom BCM4712
IMPCODE 00800904
EJTAG V1, V2.0
DMA supoorted
Found Address= 9fc00000 CFI Intel 28F640J3

What do I need to do from here?

Thanks all!

Edit:
I've gotten the router into a state where it can be pinged now. I think the next step to debricking would be to TFTP a compatible firmware and restart the router. What is the best TFTP software for this?

usbbdm
Junior Member
Posts: 8662
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm » Mon Jan 02, 2012 8:52 pm

You can use TFTP or USB JTAG NT to program the router.

Spray
Junior Member
Posts: 6
Joined: Mon Jan 02, 2012 11:51 am

Post by Spray » Tue Jan 03, 2012 12:18 am

I brought the router back home to play since TFTP wasn't enabled on the machine that was able to detect the flash. I have TFTP enabled on my home computer, but the USB JTAG NT at home won't detect the flash. So freaking weird. Now the router is back to the unpingable state. Only the power LED is flashing indefinitely. I'll have to wait until tomorrow morning to see if the computer at work can still detect.

edit: So I decided to try USB JTAG on all my other computers at home and found out they were able to detect the flash and run all the commands from this tutorial found here: viewtopic.php?t=2724&highlight=Steps+de ... outer+JTAG

Eventually, after running those commands a billion times, I was able to get the router into a pingable state. I proceeded with TFTP and the WRT54GS.bin for tomato 1.28 transferred in 5 seconds (wow fast!). Then it went back to being its former self - a brick. Jesus.

usbbdm
Junior Member
Posts: 8662
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm » Tue Jan 03, 2012 8:41 am

Spray wrote:I brought the router back home to play since TFTP wasn't enabled on the machine that was able to detect the flash. I have TFTP enabled on my home computer, but the USB JTAG NT at home won't detect the flash. So freaking weird. Now the router is back to the unpingable state. Only the power LED is flashing indefinitely. I'll have to wait until tomorrow morning to see if the computer at work can still detect.

edit: So I decided to try USB JTAG on all my other computers at home and found out they were able to detect the flash and run all the commands from this tutorial found here: viewtopic.php?t=2724&highlight=Steps+de ... outer+JTAG

Eventually, after running those commands a billion times, I was able to get the router into a pingable state. I proceeded with TFTP and the WRT54GS.bin for tomato 1.28 transferred in 5 seconds (wow fast!). Then it went back to being its former self - a brick. Jesus.
When the router is bricked you should try to use a slower JTAG clock speed.

Spray
Junior Member
Posts: 6
Joined: Mon Jan 02, 2012 11:51 am

Post by Spray » Tue Jan 03, 2012 10:23 am

When I do the following:

-tap c
-tap a ffffffff
-detect
-ldram cfe (lets me pick my CFE.bin)
-erase cfe (pretty quick)
-sprogram cfe (writes at like 8-9kbps - isn't this slow?)

I didn't know USB JTAG had adjustable speeds. How do I adjust USB JTAG clock speed? What am I doing wrong?

edit: These are the guides and resources I've been going off of:
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=51486
http://www.dd-wrt.com/phpBB2/viewtopic. ... hlight=cfe
http://www.dd-wrt.com/phpBB2/viewtopic. ... e&start=75
http://www.dd-wrt.com/phpBB2/viewtopic. ... 4ebf24c972
http://blog.rim3y.net/?p=1492
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=45024
http://www.dd-wrt.com/phpBB2/viewtopic. ... c&start=15
http://www.dd-wrt.com/wiki/index.php/Li ... T54GS_v2.0
http://www.dd-wrt.com/wiki/index.php/Re ... _Bad_Flash

files used from guides and resources:
WRT54GS v2 w/boot_wait on + sdram_init=0x010b
http://www.dd-wrt.com/phpBB2/download.p ... f4bbba298e
WRT54GS_4.71.4.001_fw,2.bin (GS v1-3)
http://www.dd-wrt.com/phpBB2/download.p ... a04ef5a225

These are the guides I have read over and over, and the two files that I've slow programmed enough to memorize all the commands from this guide:
viewtopic.php?t=2724&highlight=Steps+de ... outer+JTAG

usbbdm
Junior Member
Posts: 8662
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm » Tue Jan 03, 2012 12:04 pm

Spray wrote:When I do the following:

-tap c
-tap a ffffffff
-detect
-ldram cfe (lets me pick my CFE.bin)
-erase cfe (pretty quick)
-sprogram cfe (writes at like 8-9kbps - isn't this slow?)

I didn't know USB JTAG had adjustable speeds. How do I adjust USB JTAG clock speed? What am I doing wrong?

edit: These are the guides and resources I've been going off of:
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=51486
http://www.dd-wrt.com/phpBB2/viewtopic. ... hlight=cfe
http://www.dd-wrt.com/phpBB2/viewtopic. ... e&start=75
http://www.dd-wrt.com/phpBB2/viewtopic. ... 4ebf24c972
http://blog.rim3y.net/?p=1492
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=45024
http://www.dd-wrt.com/phpBB2/viewtopic. ... c&start=15
http://www.dd-wrt.com/wiki/index.php/Li ... T54GS_v2.0
http://www.dd-wrt.com/wiki/index.php/Re ... _Bad_Flash

files used from guides and resources:
WRT54GS v2 w/boot_wait on + sdram_init=0x010b
http://www.dd-wrt.com/phpBB2/download.p ... f4bbba298e
WRT54GS_4.71.4.001_fw,2.bin (GS v1-3)
http://www.dd-wrt.com/phpBB2/download.p ... a04ef5a225

These are the guides I have read over and over, and the two files that I've slow programmed enough to memorize all the commands from this guide:
viewtopic.php?t=2724&highlight=Steps+de ... outer+JTAG
"speed 2" can adjust to 3MHz.
"speed 1" 6MHz.
default (speed 0) 12MHz.
That is not slow when the router is bricked.
Use "scmpram cfe" after the sprogram.
Once OK, you can power off/on and use a faster speed. If your wire is long, you should also consider using a slow JTAG clock.

Spray
Junior Member
Posts: 6
Joined: Mon Jan 02, 2012 11:51 am

Post by Spray » Tue Jan 03, 2012 1:29 pm

-tap c
Eco :00000000
-tap a ffffffff
Eco :04C92000
-detect
IDCODE 1471217F
Broadcom BCM4712
IMPCODE 00800904
EJTAG V1, V2.0
DMA supoorted
Found Address= 9fc00000 CFI Intel 28F640J3
-speed 2
-ldram cfe
-erase cfe
Erase starts...
Erase time 00:00:01 (.985)
-sprogram cfe
Program Starts...
Program speed 2.11 KB/s
Program time 00:02:04 (.151)
Program pass, if no further programming needed, power off/on the target
-scmpram cfe
Time 00:01:03 (.906)
Compare data OK

To my surprise, the router debricked without me having to re-program the kernel! YOU ARE THE BEST! My soul belongs to you.
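
Added example (not part of the thread and not USB JTAG NT code): the -detect output above prints a raw IDCODE, and this decoder splits it into the IEEE 1149.1 fields so you can confirm vendor and part before choosing a target or erasing anything. The vendor table is constructed here and holds only the two vendors the tool output in this thread names; the function and class names are hypothetical.

```python
from dataclasses import dataclass

# Constructed lookup: (JEP106 continuation count, 7-bit ID) -> vendor, limited
# to the two vendors the detect output in this thread names.
KNOWN_VENDORS = {(1, 0x3F): "Broadcom", (3, 0x69): "Marvell"}


@dataclass(frozen=True)
class IdCode:
    version: int        # bits 31..28
    part: int           # bits 27..12
    manufacturer: int   # bits 11..1 (JEP106 continuation count + 7-bit ID)
    bank: int           # JEP106 bank = continuation count + 1
    jep106_id: int      # 7-bit ID without the parity bit
    vendor: str


def decode_idcode(value):
    """Split a 32-bit IDCODE (int or hex string) into its IEEE 1149.1 fields."""
    if isinstance(value, str):
        value = int(value, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("IDCODE must fit in 32 bits")
    if value in (0x00000000, 0xFFFFFFFF):
        raise ValueError("TDO stuck low/high: check wiring, power and clock")
    if value & 1 == 0:
        raise ValueError("bit 0 is 0: this is a BYPASS bit, not an IDCODE")
    manufacturer = (value >> 1) & 0x7FF
    if manufacturer == 0x07F:
        raise ValueError("manufacturer 0x07F is reserved and never valid")
    continuation, jep106_id = manufacturer >> 7, manufacturer & 0x7F
    return IdCode(
        version=value >> 28,
        part=(value >> 12) & 0xFFFF,
        manufacturer=manufacturer,
        bank=continuation + 1,
        jep106_id=jep106_id,
        vendor=KNOWN_VENDORS.get((continuation, jep106_id), "unknown"),
    )


def describe(value):
    d = decode_idcode(value)
    return (f"{d.vendor} part=0x{d.part:04X} rev={d.version} "
            f"JEP106 bank {d.bank} id 0x{d.jep106_id:02X}")


if __name__ == "__main__":
    for raw in ("20A023D3", "1471217F"):   # IDCODE values quoted in the thread
        print(raw, "->", describe(raw))
```

A decode that raises on all-zeros, all-ones or an even value points at wiring, power or clock speed rather than at the flash.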

usbbdm
Junior Member
Posts: 8662
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm » Tue Jan 03, 2012 2:46 pm

Spray wrote:-tap c
Eco :00000000
-tap a ffffffff
Eco :04C92000
-detect
IDCODE 1471217F
Broadcom BCM4712
IMPCODE 00800904
EJTAG V1, V2.0
DMA supoorted
Found Address= 9fc00000 CFI Intel 28F640J3
-speed 2
-ldram cfe
-erase cfe
Erase starts...
Erase time 00:00:01 (.985)
-sprogram cfe
Program Starts...
Program speed 2.11 KB/s
Program time 00:02:04 (.151)
Program pass, if no further programming needed, power off/on the target
-scmpram cfe
Time 00:01:03 (.906)
Compare data OK

To my surprise, the router debricked without me having to re-program the kernel! YOU ARE THE BEST! My soul belongs to you.
Glad to see it is fixed. With DEBUG ON and on a slow clock, you should be able to fix anything.
Someone claims LPT JTAG is better since LPT JTAG is slow. If NT goes to slow mode it can also get the job done. But LPT will never have the faster mode, which is NT's default.

Spray
Junior Member
Posts: 6
Joined: Mon Jan 02, 2012 11:51 am

Post by Spray » Tue Jan 03, 2012 10:01 pm

Hi again,

I re-wired my computers at home to rely on this revived router, but when I powered it on it became a brick again. I didn't do anything to it besides logging into the router to see that it's working again before re-assembling it. Slow programming at reduced usb jtag of the cfe doesn't revive it. What could be the problem this time? Any suggestions? Thank you in advance.

usbbdm
Junior Member
Posts: 8662
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm » Tue Jan 03, 2012 10:35 pm

Spray wrote:Hi again,

I re-wired my computers at home to rely on this revived router, but when I powered it on it became a brick again. I didn't do anything to it besides logging into the router to see that it's working again before re-assembling it. Slow programming at reduced usb jtag of the cfe doesn't revive it. What could be the problem this time? Any suggestions? Thank you in advance.
If you want, I can take a look remotely with TeamViewer.