Reflashing a WRT54G with JTAG (my debricking experience)

Some days ago, in my office, we had to reorganize our spaces and change our desks. It was also the chance to scrape out some stuff from our lockers. So, I noticed that one of my colleague was trashing a brand new Linksys WRT-54g! Of course I was asking why she was getting rid of it and the answer was "it's broken, it could not be repaired, they tried also resetting the hardware but there's no way". I kindly asked if I could have it and try to repair it.

This way I won the chance to have a great wireless router for free, or to have some hundred grams of rubbish if I was not able to fix it. Good challenge, I was happy anyway :o).

Before taking it I tried to switch it on and I saw that some LEDs were on (so there was at least something working) and, on top of all, that WAN and LAN LED behaviour was changing after some seconds. This was meaning that there were some working circuits and, most probably, the processor was unsuccessfully attempting to load something. Reading though forum posts and debricking guides I understood that my blinking power LED was confirming my suspects.

I understood that there was an unsuccessful attempt to upgrade or change the firmware. So, luckily, it was not hardware failed but just "bricked"!

As you may know, last year I worked a lot with OpenWRT on the Fonera, so I already heard about low level re-flashing this kind of devices through a so called JTAG cable.

So I went straight on searching more informations about this method and how I could accomplish it. I found the great guide from HairyDairyMaid (aka LightBulb). This guide is very famous and it gives all the needed informations to complete the job, that's why I'm not trying to write down a tutorial about this.

On the other hand I found few resources showing how to proceed practically, so my intention is to give my 2 cents illustrating with some photos and (hopefully) useful hints about how I managed to fix my WRT router.

I used the unbuffered version of the JTAG cable. It is a damn simple circuit, so simple that you need just 4 resistors and a DB25 male parallel port connector and, of course, a PC.

I bought the four resistors thinking to find a DB25 connector at home. Unfortunately I had no spare connectors so I had to take out it from another flashing cable.
It was an old LanC cable that I made to hack a Sony camcorder in order to enable the DV-in feature. Luckily I didn't trash this cable so I was able to reuse the connector.

So, preparing the cable is really the easy part and all the needed informations may be found in the great guide from LightBulb that i mentioned above. It's just about soldering 4 wires on 4 resistors!

The part that is more difficult to do is to prepare the WRT54g mainboard to accept this JTAG connection.

You can follow two paths: you can just solder the JTAG cable on the mainboard itself or you can solder a connector on the mainboard
and then use a connector as well on the JTAG cable so it will be more easy to unplug it and.....to plug it back in case you need it again in the future!

Of course I followed the second option. So, the first step was to unsolder the pin hole on the mainboard to make room for the pin connector.

There is just one tool that is absolutely essential for this task: it is the unsoldering pump.

I used it quite a lot to suck out all the tin that is normally filling the holes where I should solder the JTAG connector. I have to be honest saying that it took quite a lot because I needed to warm as much as possible the tin in the hole, from both sides of the mainboard, in order to suck it out completely. On the other hand I could not stay too much time on the mainboard with the soldering iron otherwise I risked to burn out some component. So I had to wait a little bit beetween each pin hole "evacuation" in order to let the the board cool down.

After three-four shots per hole of unsoldering pump I voided all holes and I was able to solder in two 5 pins strips of contacts. Then I soldered a female connector on the other end of the JTAG cable and voilà, the cable was done.

Few minutes after I was dealing with software to understand what was wrong with my router and how I could fix it.

As all the guides are suggesting I quickly erased the NVRAM thinking that there was something wrong with it that was preventing the router from booting. I later discovered that I was right but the router didn't went on soon.

This was because there was not only bad data in the NVRAM, there was also a corrupted kernel image in the flash!

So, basically, after clearing the NVRAM, I had to solder another pair of pin strips in the holes on the right of the JTAG interface in order to connect to the serial port of the WRT. Of course I used the RS232-to-TTL serial interface converter that I made for hacking my MRT StorLink NAS. What a luck, I was really happy of finding already on my desk the right circuit that I needed! :o)

I used the serial interface to connect to the CFE bootloader in order to instruct it to load a new kernel and system image from the TFTP server on my laptop and save those image in the flash.

So, at the end of the game, I was able to fix the WRT54g in less than 3 hours, including the time needed to build the cables and interfaces, definitvely a good price for a brand new router!

Thank you for reading and........thanks to Lidia for the router! :o)