OpenWrt Forum Archive

Topic: Bricked WR850G - CFE WHOLEFLASH and so on....

The content of this topic has been archived on 28 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi all!
As You have probably figured out, I have some problems with my Motorola.
I got it bricked by some stupid errors while playing with nvram. At that point now I know everything was very easy to recover. But I have (probably) used a wrong image to recover the firmware and the router died.
So I built a JTAG cable, got the hairydairymaid debrick tool, and I have stopped at the reflashing procedure.
I have two choices: reflash the CFE or the whole flash.
As I have read on the forum, CFE is the bootloader. I have only a limited idea of what the whole flash contains (CFE + NVRAM + some things I don't recall).
I have two questions:
Do any of the binary images (openwrt-motorola-jffs2-4MB.bin openwrt-motorola-jffs2-8MB.bin openwrt-motorola-squashfs.bin) have anything in common with either of those two above? Can they help me with the debrick utility? I know that if I had a WRT54 I would need to find a CFE (which I have already found on the forum).

If the binaries are no good, where can I find those CFE files? Correct me if I am wrong - but if a CFE is a bootloader and I put a wrong version on my router, I can say goodbye even through the JTAG cable...?

I will really appreciate any help.
Michal

Michal,

First, before anything else, try erasing the NVRAM settings through the HairyDairyMaid JTAG utility.  On my v3, the bootloader recreated everything from defaults on the subsequent boot.

At this point, hook up a serial terminal to the router ( pinout in this thread: http://www.dslreports.com/forum/remark,14434922 ) and see if the CFE utility is booting.  If you didn't enable boot_wait previously, you will have to keep pressing enter very quickly and try to get a CFE> prompt.  Turn boot_wait on, commit to NVRAM, and reboot.

Then try to TFTP the default Motorola image to the router.  You'll know, based on the serial console output, when to start the TFTP and when it is successful.

It is impossible to disable the JTAG interface--that is hardware that's built in to the processor.  If the CFE is NOT booting, that's beyond my expertise.

Hope this helps,

Tim

(Last edited by whitepines on 4 Dec 2005, 03:49)

Thanks - that's gonna be the first thing I will do in the morning. I will have to work on the serial cable next. I will let You know of the results.
Once again - great thanks.
Michal

Hi again !
It is gonna be a longer one - I will share some things I have discovered.
I did reset the NVRAM settings - I thought it worked.
I am having problems with the serial cable - I asked my neighbour, who knows more about electronics, and he made the cable using some kit - but it does not work - I don't know if it's the construction's fault or the broken CFE.
Question 1: If the CFE is broken, should I still see some output from the terminal?
Coming back to resetting parts of flash:
I did a simple test - I wanted to know how the CFE resets NVRAM settings - in my case it does nothing. I have erased the NVRAM, reset, erased WHOLEFLASH, reset, flashed CFE, reset. Then I tried backing up the NVRAM - guess what - it was the same as the NVRAM before erasing - that surprised me.
I got confused - I wasn't sure if the JTAG really flashes the chip. That was the beginning of a couple of bad steps that I took.
I was looking through a couple of guides and I found that my backed up CFE has a common thing with all the images - the "HDR0". So I figured out to do a test (that I REALLY DON'T RECOMMEND) - I wanted to get the CFE out of regular firmware images. I did "dd if=openwrt-motorola-squashfs.bin of=CFE.BIN count=512". Then I flashed the chip with that. It was yesterday evening - the router stopped reacting to the Debrick utility - I had to use the extra options like the chip model argument and so on... But still - only limited usage - flashing and erasing were freezing at the first sector. I thought I bricked it for good.
But today in the morning I figured I would give it another chance - I managed to restore the original WHOLEFLASH. But the trick is that after that backups were giving me nulls of FF's. After a couple of hours of leaving it unplugged I managed to get a backup of CFE from the router (even a couple of times) - but it always had only the right beginning (like 1%) and the rest was garbage (like FF or some strange pattern of a couple of signs). Now I'm waiting till the morning to flash the CFE again.
A couple of things that I would like to share with others who may have similar problems:
The first thing after reading the HairyDairyMaid_WRT54G_v2_DeBrick_Guide is to MAKE A BACKUP OF CFE, NVRAM and WHOLEFLASH - it can really help.
Don't play with the CFE - if You manage to put some garbage in its place You will have a lot of problems.
I don't know why, but the router responds to JTAG commands after plugging in, when all the LEDs are on - that's when I manage to flash it (it does not halt on the first section)
If Your router does not respond to JTAG - leave it for a couple of hours TOTALLY unplugged (including JTAG, SERIAL and POWER) - it should help a bit.
I would also suggest adding a sentence in bold somewhere at the beginning of the Install Docs for Motorola about turning boot_wait on as a must - it won't hurt anybody and may only help.

What I am still asking for is the CFE.BIN and the NVRAM.BIN. I found a couple of sites where You can download those for Linksys models, but I guess not many people use the WR850G.
Can somebody who has them contact me, please? What I can offer is nothing special, but once I confirm it working I will place it on a couple of ftp servers where somebody else with that problem may get them...

Finally - because of today's date - I would like to wish everybody merry Christmas , all the best to openwrt developers and users...

Michal

Did you ever get the Wr850G back up and running??

I have a bricked wr850gV3 and I bought another... just to put a jtag on it... and get the wholeflash... etc. off of it... and try to revive my now bricked one....

Have any tips on how to get her back up and running??

I sure did. 
First I read that post - http://forum.openwrt.org/viewtopic.php?id=5050
I modified the debrick utility - patched it (http://wiki.openwrt.org/OpenWrtDocs/Cus … JTAG_Cable).
Then I flashed the router with the CFE (I can get You one). I have modified the CFE so that boot_wait is on by default.
Then the router asked for the firmware and I fed it via TFTP.
I remember that I had some problem with the openwrt firmware. There are instructions for the original motorola firmware in the wiki (http://wiki.openwrt.org/OpenWrtDocs/Har … 7d8a9bdaf1).
If You need more help - post it here - I will try to be more specific.

Sorry for the delay - my mail got stuck for a week - and a moment ago I got bombarded by tons of new messages.

Cheers
Michal

Hi Michal,

May I ask for a copy of your CFE?

I have a used WR850GP that I can only access through the wireless port, but with no access to the internet. The unit originally had moto 6.1.4 firmware; I have since flashed ddwrt and openwrt onto it but it made no difference. The WAN port was unable to obtain a dhcp address from my ipcop router; even if I assigned a static address to the WAN port it still could not communicate with ipcop. All 5 ports could function as a switch.

I followed instructions from the knowledgeable people here in this forum to build a jtag cable to erase the nvram and restore the mac addresses and vlan settings, but I suspect the cfe might have been corrupted.

As you can see, my vlans are not receiving any packets.

vlan0     Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:1B 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1599 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:437638 (427.3 KiB)

vlan1     Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:1C 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:319 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:189486 (185.0 KiB)

thanks,
Hans

Hi Hans!
I am afraid that my CFE will not really help You - I have a wr850g (v3) and I am not really sure if that can work on GP models. If You really want to give it a try - let me know.
I guess it is better to try talking with people who have the same hardware (LSU_guy, RockyGryphon, rreiner, robertmena). Then just ask for the following dump "dd if=/dev/mtdblock/0 of=/tmp/cfe.bin" (not everybody is so "lucky" to have the jtag cable :P).

Did You try manually setting the addresses?
As far as I know the CFE is like the bootloader - if it is corrupted, then You don't have to worry about incorrect settings - there are not going to be any settings. My best shot would be going back to the motorola firmware - that would probably fix Your problems but DO NOT do it over a wireless connection....

Cheers
Michal

PS. Seth7 - did You fix Your box?

YES... putting in the wholeflash from another wr850gV3 did the trick... but I also have 2 routers with the same MACs

I also have a wr850gv.1 that I've bricked.. even used the Wiki to try to avoid the pitfalls.. ... well I fell in anyways.. I can get to the web gui .. and telnet in too.. but can't get the original firmware back in .. to try again ..

Hi! I have a totally bricked WR850Gv3. Could you send this CFE to me too, please? Thanks!!

(Last edited by vinicius.vbf on 25 Oct 2006, 20:52)

Sure I can.
Before that, can You tell us a little bit more about what has happened? Maybe there is a simpler way to bring it back to life ...

Michal

Of course! Sorry, I'm not that selfish :) I'm a bit desperate, only.

So, as I said, I have a Motorola WR850G v3, with intel chipset inside. I had installed the last version of dd-wrt (dd-wrt v23 SP2) and then set the overclock option to 300 MHz by accident. Since then, my router has a fixed (not blinking) red power light. It responds to pings for the first 10 seconds after turned-on, but I reflashed it a thousand times, even by the wan port, waiting more than 15 minutes for automatic rebooting, and nothing changed. I don't know what to do.

Things that I already have tried:

- Flashed with original Motorola Firmware (Motorola_WR850_6.1.4 and Motorola_WR850G_4.03) -> Nothing;
- Flashed with dd-wrt micro version (dd-wrt.v23_micro_moto.bin) -> It will always respond to pings. But I'm unable to access the admin pages or the telnet console either.
- Flashed with dd-wrt mini and generic versions -> Nothing.
- Flashed with openwrt-wr850g-jffs2.bin -> The wireless light will turn on and nothing else. No ping.
- Flashed with openwrt-wr850g-squashfs.bin -> Same as jffs2.
- Put the router in the freezer more than 12 hours, trying to ping and enter admin pages -> Then the red power light turns to green again (!!!), but I'm unable to even ping :( After 30 secs the light turns to red.
- Remove the header section (8 first bytes before the "HDR0") of all firmwares above using a hexadecimal editor. Then waited more than 15 minutes -> Nothing.
- Pressed reset quickly / slowly / after / during / between the above tests -> Nothing.
- Kick the router -> Just kidding... hehehe.

I have built my own JTAG cable and backed up CFE and NVRAM. I was advised by dd-wrt documentation to not clear the nvram using the mtd command. So, I'm afraid to make my router totally unrecoverable by (another) mistake of mine. :(

I'm really lost. Think I need the WHOLEFLASH.BIN but I'm hopeless.... maybe I have fried it.

I tried to find it (the wholeflash) googling, but nothing. I found your posts :)

Thanks Yans and Seth7... your posts are really helpful for anyone who has Motorola's WR850G.

[]'s

Vinicius

PS: I don't usually write in English. I just read it "technically" :) So, sorry for errors in this post.

(Last edited by vinicius.vbf on 27 Oct 2006, 04:09)

OK, update: I flashed a new CFE.BIN and NVRAM.BIN last night. Now the red power light turns to green again. But I can't ping the router (by 192.168.10.1 or 192.168.1.1).

Think I need to modify the debrick utility too...

Now I think I need a CFE with boot_wait set to on. As I said, I'm really lost... hehehe...
I don't need to modify the debrick utility because my cable is not buffered, is that right?
Thanks!

(Last edited by vinicius.vbf on 27 Oct 2006, 14:22)

Sorry for the delay.
The debrick tool modification - it is only needed when You see that when You erase or program the flash with an image, then read the image back, these two don't match. If You don't see that kind of effect, forget about the modification - You don't need it.

Once You flash the router with the correct (working) CFE and NVRAM settings You need to feed it with a firmware - I would say original motorola (4.0.3 ?) with the stripped header.

This should help.

As I remember I had some extra effects, like I had to send the firmware after the first reset occurring after flashing. I am not sure of that, but keep it in mind...

I was also very desperate and figured that I broke my router - so be optimistic - You will bring it back to life.
Michal

PS. If I am not posting back in more than one day, send me an email via the openwrt forum - I had some problems with the notifications from the forum.
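
Added example, not part of the original posts: a Python sketch of the "strip everything before HDR0" step discussed in this thread, which also checks the header's length and CRC fields before the image is sent over TFTP. The header layout (little-endian length and CRC32 after the magic, CRC computed from byte 12 onward without the final inversion) is an assumption about the TRX container, and the sample image is constructed.

```python
import struct
import zlib

MAGIC = b"HDR0"
HEADER_LEN = 28  # assumed TRX header: magic, length, crc32, flags/version, 3 offsets


def trx_crc(data: bytes) -> int:
    """CRC32 as assumed for TRX: standard polynomial, no final inversion."""
    return ~zlib.crc32(data) & 0xFFFFFFFF


def strip_to_hdr0(image: bytes):
    """Return (image starting at HDR0, number of leading bytes dropped)."""
    offset = image.find(MAGIC)
    if offset < 0:
        raise ValueError("no HDR0 marker found; refusing to guess")
    return image[offset:], offset


def check_trx(trx: bytes):
    """Return a list of problems; an empty list means the header is consistent."""
    if len(trx) < HEADER_LEN or not trx.startswith(MAGIC):
        return ["does not start with a complete HDR0 header"]
    length, crc = struct.unpack_from("<II", trx, 4)
    if length < HEADER_LEN:
        return [f"implausible length field: {length}"]
    if length > len(trx):
        return [f"truncated: header says {length} bytes, file has {len(trx)}"]
    if trx_crc(trx[12:length]) != crc:
        return ["CRC mismatch: image is corrupted"]
    return []


def make_sample() -> bytes:
    """Constructed test image: 8 made-up vendor bytes followed by a TRX container."""
    payload = b"constructed kernel+rootfs bytes " * 64
    body = struct.pack("<4I", 1 << 16, HEADER_LEN, 0, 0) + payload
    trx = struct.pack("<4sII", MAGIC, 12 + len(body), trx_crc(body)) + body
    return b"VENDOR01" + trx


if __name__ == "__main__":
    stripped, dropped = strip_to_hdr0(make_sample())
    problems = check_trx(stripped)
    print(f"dropped {dropped} leading bytes; problems: {problems or 'none'}")
```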

I don't mean to hijack the thread here, but I have a question for Yans.

You helped me unbrick my v3 WR850G a while back.  The router has stopped responding since then (when I looked at the serial output, it said "invalid boot block"). Now I try to flash with the same software I used to unbrick it the first time, but the tftp will not take.

It either says "Invalid boot block on device" and keeps reading for another tftp, or will say "Cannot load Flash.0" and dump me at a CFE prompt.

Any ideas on why it will not flash now?? I have a Linux box now, so any updates to the flashing software I can run now.

Thanks for any help.

Thanks a lot Michal!!!

I'll try again tonight with the tool modification. The two images do not match after CFE flash. I was lost again but, up to you, I'm optimistic now :)

Your cable is the buffered or the unbuffered version?

I'll keep you guys in touch.

Thanks again :)

(Last edited by vinicius.vbf on 31 Oct 2006, 14:53)

Hi !
toca13579 :
I took a look at our earlier chat http://forum.openwrt.org/viewtopic.php?id=5776 . You wrote that "router is working again". So what has happened that it is not working now? Are You using stripped images for tftp? I understand that You just want to get the router back? Are You following http://wiki.openwrt.org/OpenWrtDocs/Har … 7d8a9bdaf1 ? Don't use the openwrt firmware via tftp - in my case that was impossible - any other images (dd wrt minimal or original motorola) worked but not openwrt.
About these errors You are getting - can You copy them exactly? We will try to compare them with other people's problems.....
And my simple answer for Your question - You are probably unable to flash it because You forgot about some small detail... That is at least the most common thing in my case.

vinicius.vbf:
I was using unbuffered cable. What happens if You erase a block - let's say nvram. You power off the router and then dump the image of nvram - does it have any interesting pattern - like whole image consisting of FF or 00 ?

Good luck to both of You guys !
Michal

:Yans

That is the puzzling part, I get the same error messages as before even though I am using the software that worked after you helped me.

CFE version 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Thu Jul 29 16:20:32 CST 2004 (xavier@cvs.gemtek.com.tw)
Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.

Initializing Arena.
Initializing Devices.
et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.50.21.0
CPU type 0x29007: 200MHz
Total memory: 0x2000000 bytes (32MB)

Total memory used by CFE:  0x8032C060 - 0x80431560 (1070336)
Initialized Data:          0x8032C060 - 0x8032E1B0 (8528)
BSS Area:                  0x8032E1B0 - 0x8032F560 (5040)
Local Heap:                0x8032F560 - 0x8042F560 (1048576)
Stack Area:                0x8042F560 - 0x80431560 (8192)
Text (code) segment:       0x80300000 - 0x80309860 (39008)
Boot area (physical):      0x00432000 - 0x00472000
Relocation Factor:         I:00000000 - D:00000000

Checking MAC address...
Device eth0:  hwaddr 00-11-22-33-44-55, ipaddr 192.168.10.1, mask 255.255.255.0
        gateway not set, nameserver not set

    *CFE for Motorola WR850G v4.00[FEM1], Release date: Jul. 29, 2004

Invalid boot block on disk
Reading :: Failed.: Timeout occured
Reading :: .......Done. 1662984 bytes read
Programming...done. 1662984 bytes written
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
Loading: .. 0 bytes read
Failed.
Could not load flash0.os:: Error
CFE>

I tried using dd-wrt, open-wrt, and motorola firmwares.  I stripped everything before HDR0, and tried unstripped also.

I also tried wrt54g.exe, wrtjtag.exe, and wrtjtag-modified.exe under Windows XP/2000. And tried under Linux also.

The router was working fine, then one day I came home from work and the lights were yellow/red. I connected to the serial port to see what was happening and it was reading for tftp.

It works!!! Yahooooooo! :)

What I did:

- Tried to use the hdm unbrick tool v48 (I was using v45) -> Nothing. The nvram backup differs from nvram.bin (provided by Michal aka yans)

- Compiled a patched version of the unbrick tool. This version was used with an unbuffered cable (not wiggler), so the only changes were the delay function and the uses of it.

- Tried to flash CFE.BIN and NVRAM.BIN -> Success! The versions are the same. The constant red power light returns. Only one bad news: I can't ping it yet.

- Tried to erase NVRAM -> Error. I don't know why, but the program ALWAYS marks 0 (zero) blocks for erasing. So, the only way to erase nvram (in my case) was to erase the wholeflash.

- Tried to erase the WHOLEFLASH -> The program halts (I don't know why). It simply breaks and stays as is.

- Tried to erase the WHOLEFLASH with the unmodified unbrick tool v48  -> Success! The wholeflash was correctly erased, including the nvram. From this moment on I always used the v48 unmodified version of the unbrick tool and it works perfectly. I think the modified v45 version has unlocked or unbricked something in my intel flash chip. The red power light became green again.

- Tried to flash CFE.BIN and NVRAM.BIN using the unmodified v48 tool -> Success! The versions are the same, red power light is there. I can't ping.

- Repeat the last operations some times...

- Now it's more than 01:00 am, and I'm still awake trying to ping the router. So I got to my bed and looked at the router board one last time... and.... what a f*ck.... WHAT IS THAT?? There is a particle of weld between the pins of the network chipset (not the intel or bcm ones, the other one, close to the LAN ports). It could have stopped there when I was desoldering some pins (I had to change the JTAG contact pins because the first pins broke). I removed it and FINALLY I COULD PING MY ROUTER!!!!!! OOHHHHH YEAH!!!!!!!

- Just flashed it with the original motorola firmware 4.07 without the first 8 bytes (before HDR0) like Michal said.. wait 3 seconds.... automatic reboot... and... voilà!!! Now I have a dynamic IP address provided by the router and can browse the admin pages!!!

Thanks a lot Michal aka yans!!!!! I could never have fixed it without your help. I'll never forget it :)

(Last edited by vinicius.vbf on 1 Nov 2006, 15:34)

vinicius.vbf:  I am very glad to hear that.

toca13579:
I have never managed to get a serial (usb) cable working with my laptop, so I have a couple of questions:
Do You really have such a beautiful MAC address?
Your wr850g is v3 - right?
Does this output occur with tftp flashing or is it a standard that You are getting? The part after "Invalid boot block on disk" is the most interesting...
Sorry - so far I have no ideas - I am asking more questions than the number of tips I am giving....
The good thing is that You have the CFE command line.... maybe it is worth getting some more info about that...? I.e. see http://forum.openwrt.org/viewtopic.php?pid=22991 and similar.
About the jtags... Are You able to erase/program parts of the flash - i.e. the NVRAM? Are You able to verify that the image that You are sending is the same as the one that You are reading...?
And You are saying that programming the wholeflash is not giving any results either....?

Michal (aka yans :P)

>>Do You really have such a beautiful MAC address ?
That's what it is set to. I think it is either in the CFE you sent me, or maybe because my NVRAM is erased.

>>Your wr850g is v3 - right ?
Yes. v3 with the black casing.

>>Does this output occur with tftp flashing or is it a standard that You are getting ? The part after "Invalid boot block on disk" is the most interesting...
This was after one tftp flash, then I got the Invalid boot block and tried another tftp. Then I get the Flash.0 error.

>>The good thing is that You have the CFE command line.... maybe it is worth to get some more info about that ... ?  I.e. see http://forum.openwrt.org/viewtopic.php?pid=22991 and similar.
I was trying to flash from CFE, but unsure of the command.

>>About the jtags... Are You able to erase/program parts of the flash - ie the NVRAM ?  Are You able to verify that the image that You are sending is the same with the one that You are reading ... ?
I can erase wholeflash, and when reading it back it is all 00. If I erase NVRAM alone, it comes back all FF.

>>And You are saying that programming the wholeflash is not giving any results also .... ?
I am not sure on the process to make a wholeflash.bin file, and my router was screwed up before I could make a backup of it.

I am at a loss on the fact that the process worked the first time but not now.

toca13579: Have you tried to flash it using the original 4.03 motorola firmware without the first-8-bytes-header? Are you using a buffered (wiggler) cable? Are you using the patched version of the unbrick tool? If you erase the wholeflash and look at this "serial terminal", what is displayed? The same error?

toca13579 I had to leave the town - I will be back on Sunday.
I will try to get the wholeflash for You then. Or maybe vinicius.vbf could get one for You...?
Then we will try helping You with more detailed instructions - right now I don't remember all the possibilities and there are too many ways to try (playing with cfe command line, tftp, flashing nvram, cfe, patching the debrick tool etc....).
Until then You can:
a) try playing with the cfe command line - maybe there are some manuals for that? Maybe it is worth asking people like nbd, mbm, Kaloz etc. about it?
b) verify that the debrick tool is working correctly (I am worried that You are getting different reads after erasing different parts of flash [00,FF]). Take a hex editor - edit something harmless in the NVRAM.bin like the name of the router or something like that. Flash the router with it and read it back - then find the variable that You have changed - has it been correctly flashed?

Michal

PS.
Maybe we should respond to
http://forum.openwrt.org/viewtopic.php?id=7839
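
Added example, not part of the original posts: the read-back check suggested in (b) above, in Python. It compares the image sent over JTAG with the dump read back, reports where they first diverge and which sectors differ, and flags dumps that are a single repeated byte such as FF or 00. The 64 KiB sector size, the function names and the sample data are assumptions made for the illustration.

```python
SECTOR_SIZE = 0x10000  # assumption: 64 KiB erase sectors; use the flash chip's real value


def fill_byte(data: bytes):
    """Return the byte value if data is one byte repeated (e.g. 0xFF), else None."""
    if data and data.count(data[0]) == len(data):
        return data[0]
    return None


def compare_readback(written: bytes, dump: bytes, sector_size: int = SECTOR_SIZE) -> dict:
    """Compare the image sent to the flash with the image read back from it."""
    if not written:
        raise ValueError("written image is empty")
    common = min(len(written), len(dump))
    first = next((i for i in range(common) if written[i] != dump[i]), None)
    if first is None and len(written) != len(dump):
        first = common  # identical up to the shorter length, then one side ends
    bad_sectors = [
        start // sector_size
        for start in range(0, max(len(written), len(dump)), sector_size)
        if written[start:start + sector_size] != dump[start:start + sector_size]
    ]
    return {
        "match": first is None,
        "first_mismatch": first,
        "good_prefix_pct": 100.0 if first is None else round(100.0 * first / len(written), 1),
        "bad_sectors": bad_sectors,
        "dump_fill": fill_byte(dump),  # whole dump is one byte: nothing was programmed
        "tail_fill": None if first is None else fill_byte(dump[first:]),
    }


def marker_at_same_offset(written: bytes, dump: bytes, marker: bytes) -> bool:
    """True if the hand-edited value sits at the same place in both images."""
    pos = written.find(marker)
    return pos >= 0 and dump[pos:pos + len(marker)] == marker


def constructed_sample():
    """Constructed data: a 256 KiB image whose dump is right for 2621 bytes, then FF."""
    written = bytes(range(256)) * 1024
    dump = written[:2621] + b"\xff" * (len(written) - 2621)
    return written, dump


if __name__ == "__main__":
    sent, read_back = constructed_sample()
    for key, value in compare_readback(sent, read_back).items():
        print(f"{key}: {value}")
```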

vinicius.vbf wrote:

toca13579: Have you tried to flash it using the original 4.03 motorola firmware without the first-8-bytes-header? Are you using a buffered (wiggler) cable? Are you using the patched version of the unbrick tool? If you erase the wholeflash and look at this "serial terminal", what is displayed? The same error?

Yes, I tried the stripped 4.03, get the same messages.

I have an unbuffered cable, and when I erase the wholeflash all I get is the lights turn yellow and no output on serial because the CFE is gone.

I have tried the patched and unpatched versions of wrt54g v48.

The discussion might have continued from here.