E2500 v3 - problems with TFTP recovery

I tried to install OpenWRT on my Linksys E2500 v3 model. I previously used Advanced Tomato, but because of its old Linux kernel I tried to install OpenWRT, which uses a newer Linux kernel.

I followed the instructions on the OpenWRT site for vendor installation. I first reflashed the router to the vendor firmware, and from the vendor firmware I flashed OpenWRT. But after that the router bricked.

I connected the router to a serial interface and noticed that the router is stuck at Starting program at 0x8000100. I tried to read the W25Q128 EEPROM, but while reading the EEPROM the whole router booted up. As a result I somehow corrupted the data in the EEPROM, so the router is no longer stuck at Starting program at 0x8000100.

Now router starts HTTP server. I can see the Management Mode Firmware Upgrade website but when trying to upload older version of OpenWRT (or even the same version - which bricked the router) I am getting Programming...Failed.: Not an ELF-format executable

When trying to upload the original (stock) firmware (which is around 12 MB), the router will disconnect or turn off the eth0 interface while the file is uploading. I am using the ping utility to see if I still have a connection with the router, but a second or two after submitting the file for upload the router will just lose connection with my PC. But when I quit the HTTP utility on the router and manually started the eth0 interface

CFE> et down eth0
CFE> et up eth0

connection with my PC is established again.

I also tried commands like flash -ctheader : flash.trx or boot -tftp but it seems like the router is not responding to TFTP sending something. I am using the tftp utility on Linux.

$ tftp 192.168.1.1
tftp> status
Connected to 192.168.1.1.
Mode: octet Verbose: on Tracing: on
Rexmt-interval: 5 seconds, Max-timeout: 25 seconds

tftp> put ~/orifw.bin
putting orifw.bin to 192.168.1.1:~/orifw.bin [octet]
sent WRQ <file=~/orifw.bin, mode=octet>
sent WRQ <file=~/orifw.bin, mode=octet>
sent WRQ <file=~/orifw.bin, mode=octet>
sent WRQ <file=~/orifw.bin, mode=octet>
sent WRQ <file=~/orifw.bin, mode=octet>
Transfer timed out.

What am I doing wrong? Why does the router not respond to the TFTP running on my PC?

Typically, the easiest way to flash these devices is to start with the OEM firmware and then perform the flash upgrade directly from the firmware upgrade feature within that original firmware. Have you tried that (i.e. flashing back from Tomato to the Linksys software, then upgrading to OpenWrt)?

Also, it is worth mentioning that this device is only worth flashing to OpenWrt if you are planning to use this as a wired-only device. The wifi chipset uses closed-source proprietary drivers that are not available in OpenWrt -- this means that the wifi will work very poorly or not at all.

Yes, that is exactly what I have done. I reflashed from Advanced Tomato to Vendor (Stock) Firmware and from there (of course after resetting the router to default settings) I flashed OpenWRT.

Yes I only plan to use the device wired only for a little python/go automation project but I need newer Linux kernel than it is on Advanced Tomato.

Did you use the standard web interface with the stock firmware to flash OpenWrt onto the router? Did it succeed? I'm confused where the TFTP part comes into play unless you're trying TFTP due to a failure of the process with the web UI.

I used standard web interface with stock firmware to flash OpenWRT and flashing succeeded. After flashing the router rebooted and then the problem occurred. Router was not responding to anything. I hooked up serial to router and I saw that router is stuck at loading program. Even after several hours it was still trying to load a program from EEPROM. Then I accidentally corrupted data on EEPROM by reading the EEPROM by EEPROM programmer (specifically CH341A). After corruption the serial was reporting that checksum of program on EEPROM is wrong so the router is waiting for TFTP firmware upgrade.

But as mentioned, using Management Mode Firmware Upgrade I cannot upgrade the router. When trying to flash OpenWRT the programming will fail due to Not an ELF-format executable. When trying to upload the original (stock) firmware it will stop the upload process after a couple of seconds (because the stock firmware is 12MB) and the router will put the eth0 interface down, as I will lose connection with the router.

Then the TFTP problem came. Router is not responding to my TFTP put command neither using flash -ctheader : flash.trx or boot -tftp. It will just always timeout even though my computer is trying to send (put) data to router.

You may need to find a method to get a full dump of the original EEPROM contents and reprogram it.

Unfortunately, I don't think I'll be able to help you with the recovery of this device, though, as I'm not well versed in these types of TFTP errors or recovery from the corruption you have described.

Depending on your situation, this device may be in a state that makes it more suited to e-waste than further work trying to recover it... it is an old device with limited capabilities, and you may end up spending a lot of time (and possibly money if you need to buy an EEPROM programmer, etc.) to the point where a newer device would be more cost effective. YMMV where that crossover point happens, of course.

You are right. But really I just need it for a little project which is just for home use. But I do not understand why router will shut down ethernet port if the file is 12MB but a 5MB OpenWRT firmware will be uploaded fine. Also I do not understand that router is not responding to TFTP. Maybe I am using it wrong.

I thought about lifting one EEPROM leg and reprogramming it that way as I own an EEPROM programmer, but that would be too much work. I just want to upgrade it via TFTP but somehow it is not working. That is what I am concerned about.

Ok. Somehow I managed to upload a file via TFTP. TFTP uploading is working now but when I upload stock firmware or OpenWRT it will always shout:

CFE> flash -ctheader : flash1.trx
Reading :: CODE Pattern is CORRECT!
upgrade_ver[v3.0.5] upgrade_ver[30005] 4712_ver[0]
Done. 12906603 bytes read
fname=flash1.trx 
CODE Pattern is correct! (25V3)
Programming...Failed.: Not an ELF-format executable

Why can't the router flash even stock firmware? I tried uploading via

HTTP
flash -ctheader : flash1.trx
flash -noheader : flash1.trx
upgrade code.bin

but it will always say that programming failed because it is Not an ELF-format executable.

I tried various other choices as I was reading the old DD-WRT forums and their wiki. But nothing worked.

I also tried flashing it with defined offset to tell the flash program to flash from my selected offset but no change.

CFE version 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: 08/01/13 19:16:00 CST (lzh@team2compiler2)
Copyright (C) 2000-2008 Broadcom Corporation.
...
Boot partition size = 262144(0x40000)
...
CFE> flash -offset=262144 -noheader 192.168.1.101:code1.bin flash0
Reading 192.168.1.101:code1.bin: Done. 3564544 bytes read
fname=(null) 
Programming...Failed.: Not an ELF-format executable
**Exception 8: EPC=8070FA88, Cause=00008008 (TLBMissRd)
                RA=80717C4C, VAddr=00000000

        0  ($00) = 00000000     AT ($01) = 80740008
        v0 ($02) = 00000000     v1 ($03) = 66000000
        a0 ($04) = 00000000     a1 ($05) = 8073241C
        a2 ($06) = 00000000     a3 ($07) = 00000000
        t0 ($08) = 8073C500     t1 ($09) = A0000000
        t2 ($10) = 00000001     t3 ($11) = 0000000B
        t4 ($12) = 00000000     t5 ($13) = 00752248
        t6 ($14) = 807A1D50     t7 ($15) = FB45E5FD
        s0 ($16) = 00000002     s1 ($17) = 8074AE48
        s2 ($18) = 807A22D8     s3 ($19) = 8074AE78
        s4 ($20) = 00000000     s5 ($21) = 00040000
        s6 ($22) = 00000000     s7 ($23) = 00000000
        t8 ($24) = 04000000     t9 ($25) = 00000000
        k0 ($26) = 00000000     k1 ($27) = 807A21B0
        gp ($28) = 8073D190     sp ($29) = 807A2220
        fp ($30) = 00000003     ra ($31) = 80717C4C

The router is showing the error Not an ELF-format executable. If I run binwalk on the firmware (I mean every firmware, even stock, OpenWRT and DD-WRT) I can only see a squashfs file-system, TRX header and so on. ELF is an executable, and even after reading every possible site referring to recovering a bricked router I cannot find anything about this error. Now I am thinking that even manually flashing the EEPROM would not change anything (I assume), as it is not an executable but a RAW .bin file with data, kernel, file-system and so on.

Where can I find an executable that can be flashed? Or how to create/compile one? (I found the stock firmware's source code, that is why I am asking if it is even possible.)

Links:
DD-WRT Forum: Linksys E2500 v3 is now TomatoUSB cant get it back to DD-WRT
DD-WRT: Serial Recovery
DD-WRT: TFTP Flash

CFE shipped with Linksys E2500 v3 seems to have broken support for Linksys formatted images (images with Linksys specific header).

It includes -ctheader option support but it doesn't flash such images. There is no Programming... stage.

Bad:

CFE> flash -ctheader 192.168.1.2:openwrt.bin flash1.trx
Reading 192.168.1.2:openwrt.bin: Done. 3739680 bytes read
fname=(null)
**Exception 8: EPC=8070FA88, Cause=40008008 (TLBMissRd)

Good:

CFE> flash -noheader 192.168.1.2:openwrt.trx flash1.trx
Reading 192.168.1.2:openwrt.trx: Done. 3739648 bytes read
fname=(null)
Programming...done. 3739648 bytes written
**Exception 8: EPC=8070FA88, Cause=40008008 (TLBMissRd)

You basically need to strip Linksys header from image you want to flash:

dd if=openwrt.bin bs=32 skip=1 of=openwrt.trx

I still don't know why Ethernet doesn't work with OpenWrt though.

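An added example, not part of the thread and not OpenWrt's code: a pre-flash check that locates the TRX container, validates its length and CRC fields, and only then drops the 32-byte Linksys header, giving the same bytes as the `dd` command above. The function names are hypothetical, the sample image is constructed, and the TRX layout used (magic `HDR0`, little-endian length, CRC stored as the complement of the standard CRC-32 over bytes 12 to the length) is stated from the TRX format in general, not from this page.

```python
import struct
import zlib

TRX_MAGIC = b"HDR0"
LINKSYS_HDR_LEN = 32          # what `dd bs=32 skip=1` drops
TRX_HDR_LEN = 28              # magic, len, crc32, flags/version, 3 offsets


def find_trx(image: bytes) -> int:
    """Return 0 for a bare TRX, 32 for a Linksys-wrapped one."""
    for off in (0, LINKSYS_HDR_LEN):
        if image[off:off + 4] == TRX_MAGIC:
            return off
    raise ValueError("no TRX magic at offset 0 or 32")


def check_trx(trx: bytes) -> int:
    """Validate the length and CRC fields; return the TRX length."""
    if len(trx) < TRX_HDR_LEN:
        raise ValueError("too short for a TRX header")
    magic, length, crc = struct.unpack_from("<4sII", trx)
    if magic != TRX_MAGIC:
        raise ValueError("bad TRX magic")
    if not TRX_HDR_LEN <= length <= len(trx):
        raise ValueError("TRX length field does not fit the file (truncated?)")
    # Stored CRC is the complement of the standard CRC-32 over bytes 12..len.
    if (zlib.crc32(trx[12:length]) ^ 0xFFFFFFFF) != crc:
        raise ValueError("TRX CRC mismatch")
    return length


def strip_linksys_header(image: bytes) -> bytes:
    """Same result as the dd command, but only after the TRX checks pass."""
    trx = image[find_trx(image):]
    check_trx(trx)
    return trx


def build_sample_trx(payload: bytes) -> bytes:
    """Constructed test image, not real firmware."""
    body = struct.pack("<4I", 1 << 16, TRX_HDR_LEN, 0, 0) + payload
    crc = zlib.crc32(body) ^ 0xFFFFFFFF
    return struct.pack("<4sII", TRX_MAGIC, 12 + len(body), crc) + body


if __name__ == "__main__":
    trx = build_sample_trx(b"constructed kernel+rootfs bytes")
    wrapped = b"25V3".ljust(LINKSYS_HDR_LEN, b"\0") + trx   # stand-in header
    print(find_trx(wrapped), len(wrapped) - len(strip_linksys_header(wrapped)))
```

Running the check on a download before it goes anywhere near `flash -noheader` also catches a truncated or corrupted transfer, which the bootloader output in this thread does not distinguish from a format problem.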