1 (edited by jake1981 2007-07-21 01:17:10)

Topic: JTAG wholeflash.bin from another router(clone router)

This guide is designed for wrt54gs v1/v4 routers, but it can also help or inspire with other brands/models. Do not replicate these instructions on other brands/models without caution and serious thinking before committing to any action. Even if you have a wrt54gs v1/v4, do not just do it; think carefully before committing to these actions.

Remember that you can't clone wrt54gs v1 flash contents to a wrt54gs v4; for cloning to succeed, the routers need to be exactly the same hardware.

Okay. I have this one wrt54gs that has never accepted an image via tftp transfer. The initial openwrt was installed through the web interface. So one day I decided to tweak this system a little and I got it to not boot. Also, failsafe mode wasn't very helpful for me, as it was already tweaked because it was a custom built image, and when I telnet'd in it asked for a userid. This was a failure, as the root password isn't initially set.

So I had no way to tftp new firmware and I was not able to log in, as failsafe's login was broken and non-failsafe mode no longer had network. I could have easily salvaged this with a serial cable, but I wasn't aware that it's easy if you use cellular cables. Most cellular cables are no longer available in Finland except Nokia's DKU-5 (at the moment of writing), but it doesn't matter. I built a jtag cable.

Finally, after I had tried multiple times to fix my router with all kinds of variations over the jtag interface, I came up with the idea to clone another (booting) router's flash contents over this one. I had 3 wrt54gs v4's and this broken one was one of those 3. 2 of them were working just fine. The problem was that I didn't have a jtag connector soldered to those 2 other routers.

Well, there is a way to get wholeflash.bin from a working router without jtag. Here's what you need to do in a working router:

# dd if=/dev/mtd/0 of=/tmp/cfe.bin
# dd if=/dev/mtd/1 of=/tmp/linux.bin
# dd if=/dev/mtd/3 of=/tmp/nvram.bin

After this, copy these files to linux pc/mac/etc with bigger storage capacity, as wrt does not have enough capacity for next:

# cat cfe.bin linux.bin > whole.bin
# cat whole.bin nvram.bin > wholeflash.bin

There you go. Wholeflash.bin is now generated.

For flashing and backing up parts of flash of your router, you need HairyDairyMaid_WRT54G_Debrick_Utility, download latest version from: http://downloads.openwrt.org/utils

Take a backup of your CFE:

# ./wrt54g -backup:cfe

You should also back up the current contents of wholeflash.bin just in case (at least then you can restore the image if the hardware of these 2 routers wasn't the same after all). A backup of wholeflash is done like this:

# ./wrt54g -backup:wholeflash

Warning! Backing up wholeflash.bin with a jtag cable is going to take hours. Be wiser: if you have the jtag interface done for your router, use instructions below to create wholeflash.bin before you need to do this.

Then just flash it to your router:

# ./wrt54g -flash:wholeflash

You might need other options like /noemw or /noreset for it to work, depending on your router.
Okay, after the flash succeeds, go to the router you used as the source for wholeflash.bin and disconnect it from your network. Why? Because now you have 2 routers with identical MAC addresses and IP addresses, and that's not going to work properly. Then you can reboot the router you just flashed and check that it works.

After this you can flash your original cfe back so you get your original MAC address back.
If you forgot to take a backup of the CFE, or the CFE is broken, or for some other reason you need an alternate CFE, go to http://www.wlan-skynet.de/download/index.shtml and download the latest skynet repairkit (windows only). Use web update, then choose the version of your router from the dropdown list, check the MAC address on the bottom of the router and fill it into the MAC address field; then you can generate your new CFE.BIN

Rename your backup of CFE to CFE.BIN or save new CFE.BIN with skynet repairkit to location of wrt54g/wrt54g.exe (depends whether you use linux or windows;)) and flash it like this:

# ./wrt54g -flash:cfe

WARNING! Erasing nvram is not safe for all routers; it's safe at least for wrt54gs v1 and v4.

Once again, you might need more parameters; I had to use /noemw for mine.
After flashing is done, reboot your router and use the mtd utility to erase nvram like so:

# mtd -r erase nvram

Then your router reboots once again. After it comes up, set a different IP address for it, and you can plug the router that you used as the source back into your network.

Use the nvram utility to turn boot_wait on now (it's off because we erased nvram):

# nvram set boot_wait=on
# nvram commit

After this you are ready for action again; you can e.g. install a new firmware image with mtd or whatever you wanted to do before you locked yourself out of the router.

The flashing process took about 3 hours 10 minutes for wrt54gsV4. wrt54gsV1 has double the amount of memory, so it will take twice that time.

Thanks to erska_ from the #openwrt IRC channel for helping me out with de-bricking my router.
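
An added example, not part of the original post: since a JTAG flash takes hours, it is worth checking the assembled image before writing it. This sketch concatenates the three dumps in the order used above, refuses to build if their sizes do not add up to the chip size, and re-reads each region to confirm it matches its dump. The function names and the expected-size argument are hypothetical; the flash size of your router in bytes is something you supply.

```shell
#!/bin/sh
# Assemble wholeflash.bin from cfe/linux/nvram dumps and sanity-check it.
# Usage: build_wholeflash CFE LINUX NVRAM OUT EXPECTED_BYTES
# EXPECTED_BYTES is the flash chip size of the target router (caller-supplied).

# Size of a file in bytes, without the padding some wc versions print.
fsize() { wc -c < "$1" | tr -d ' '; }

build_wholeflash() {
    cfe=$1 linux=$2 nvram=$3 out=$4 expected=$5

    # A dump that is missing or zero length means dd failed on the router.
    for f in "$cfe" "$linux" "$nvram"; do
        [ -s "$f" ] || { echo "missing or empty dump: $f" >&2; return 1; }
    done

    c=$(fsize "$cfe"); l=$(fsize "$linux"); n=$(fsize "$nvram")
    total=$((c + l + n))

    # The three partitions must cover the whole chip exactly; a short or
    # long image would shift nvram away from the end of flash.
    if [ "$total" -ne "$expected" ]; then
        echo "size mismatch: parts add up to $total, flash is $expected" >&2
        return 2
    fi

    cat "$cfe" "$linux" "$nvram" > "$out" || return 3

    # Re-read every region from the image and compare it with its dump,
    # which catches a truncated copy or a full disk on the build machine.
    off=0
    for f in "$cfe" "$linux" "$nvram"; do
        s=$(fsize "$f")
        tail -c +$((off + 1)) "$out" | head -c "$s" | cmp -s - "$f" || {
            echo "region at offset $off does not match $f" >&2
            return 4
        }
        off=$((off + s))
    done

    echo "$out: $total bytes (cfe=$c linux=$l nvram=$n)"
}
```

After a JTAG read-back of the flashed router, `cmp` of that backup against the image built here shows whether the write completed correctly.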