Debrick Linksys WRT150N

25. February 2008
Comments (0)

Linksys WRT150N does not response to anything, no LAN response at all.

  • Step 1
    • Setup your PC with a static IP address 192.168.1.77 submask 255.255.255.1 and default gateway 192.168.1.1
    • Connect a LAN wire to one of the LAN port and start a ping -t 192.168.1.1 and look for the response. Try all the reset options: http://www.dd-wrt.com/wiki/index.php/Reset_And_Reboot
  • Step 2
    • Now we know that de device does not work. You do not receive any IP packaged's on your wire.
    • Disassemble the box. There is 4 tox screws on the button under the redeemable plastic cover.
    • IMG_7317 IMG_7326
      IMG_7327 IMG_7325
      IMG_7329 IMG_7318
      IMG_7319 IMG_7323
  • Step 3
    • Try short wiring two of the pins on the flash chip. Ping 16 & 17. http://voidmain.is-a-geek.net/redhat/wrt54g_revival.html
    • Short circuit ping 16 & 17 - Chip VER: 1.00.5 CS:F898 - the one with the two red dots on. Power the device up when short circuiting and se if the ping gets a response.
      IMG_7322
  • Step 4 Recovery by JTAG cable http://www.dd-wrt.com/wiki/index.php/Recover_from_a_Bad_Flash
    • Step 3 did not work. We the has to create a JTAG. To program the circuit directly from the computer. :-(
    • Construction a JTAG: There is a simple and easy way to construct such a device. You need:
      • A parallels connector
      • 4 x 100 Ohm resistors
      • Some wire not to long (15 cm)
      • A Connector socket for the circuit board & connector for the wire ass well.
    • Assemble the parts as shown below
      JTAG 
      IMG_7330 IMG_7331
      IMG_7332
    • Now the wire is ready now the circuit board has to be prepped as well. There is two connectors for the JTAG on the board. JP1 & JP3. Here it is the JP1 you have to use.
       IMG_7324
    • Download the tjtagv2.zip (769,27 kb). Connect the cable to the pc then the WRT150N JP1 and power up the WRT150N.
    • Set up the tjagv2 as described in the zip. Then start a command prompt and fire the commands:
      • tjagv2 /probeonly /noemw
        • Now you should get something like:

    =================================================
    WRT54G/GS EJTAG Debrick Utility v4.8-Tornado-MOD
    =================================================
    Probing bus ... Done
    Instruction Length set to 8
    CPU Chip ID: 00010101001101010100000101111111 (1535417F)
    *** Found a Broadcom BCM5354 KFBG Rev 1 CPU chip ***

    - EJTAG IMPCODE ....... : 00000000100000010000100100000100 (00810904)
    - EJTAG Version ....... : 1 or 2.0
    - EJTAG DMA Support ... : Yes

    Issuing Processor / Peripheral Reset ... Done
    Enabling Memory Writes ... Skipped
    Halting Processor ... <Processor Entered Debug Mode!> ... Done
    Clearing Watchdog ... Done

    Probing Flash at (Flash Window: 0x1fc00000) ... Done

    Flash Vendor ID: 00000000000000000000000010001001 (00000089)
    Flash Device ID: 00000000000000001000100011000011 (000088C3)
    *** Found a Intel 28F160C3 1Mx16 BotB (2MB) Flash Chip ***

    - Flash Chip Window Start .... : 1fc00000
    - Flash Chip Window Length ... : 00200000
    - Selected Area Start ........ : 00000000
    - Selected Area Length ....... : 00000000

    *** REQUESTED OPERATION IS COMPLETE ***

    •  
      • tjagv2 -rease:nvram
        • it will show all the addresses it erases. Now the device should start responding to the pings, which was the case for me. :-) If you have accidentally delete the whole flash you need to put back a bootloader cfe.bin. I made a backup of mine here: CFE.BIN (256,00 kb) for WRT150N.

References:

Wireless router firmware