I have my WNR2000v1 upgraded to 8MB Flash and running BB14.07 now.
The procedure is not simple but not that complicated if you are able to work with hardware. Moderate to expert soldering and de-soldering skill is essential.
You will need a serial console and a SPI chip programmer (I used a Bus Pirate 3 with flashrom, which works but is very slow), and an 8 MB SPI flash chip (I used a M25P64).
Boot up stock firmware with the serial console and extract your ART (described by others in this thread). You should have a 65536 byte binary file. Most of it is empty but you can tell it is a real ART by finding your factory MAC address in it.
Using a hex editor, dd, etc. assemble an image of the complete new chip:
Offset Binary file
0x000000 -- Fuhry's modified u-Boot
( about 90kB empty space)
0x050000 -- http://downloads.openwrt.org/barrier_br … pgrade.bin
0x7f0000 -- your ART
Write this file to the new 8 MB chip with your SPI programmer.
Replace the original flash chip with this chip.
Note: You can save a lot of soldering and make for an easy reversion to stock by just lifting pin 7 (CS) of the old chip off of the board, and jumper it to pin 1(3.3V) so the old 4 MB chip is permanently inactive. Piggyback the new chip on top of the old one and hook up pins 1,2,8,9,10,15,and 16. The chip manufacturer says not to connect anything to the center 4 pins on each side and you should respect that. Run a lead from pin 7 of the new chip past pin 7 of the old chip to the pin 7 pad on the board.
[ A variation on this would involve a switch on the CS line so you can boot the original chip, then (since the bootloader copies itself and runs from RAM) throw the switch and write the new chip. This would potentially eliminate the need for an external programmer. If I ever have to do this again, I will try it. ]
With new chip installed, connect serial console, boot up and interrupt the boot at the bootloader stage.
Note 1: The Fuhy bootloader is hard-coded for a 4 MB chip. It will say you have 4 MB flash, ignore that. It can still erase and write the first 4 MB of your 8 MB chip though.
Note 2: If you want to use Ethernet under the bootloader you will need to erase block 3F and reboot so it puts a default MAC address to the Ethernet port instead of 0:0:0:0:0:0. You should not need to do this here though. Erasing block 3F will trash the firmware you programmed in.
In the bootloader:
setenv bootcmd bootm 0xbf550000
saveenv
I think this is all you need. The OpenWrt kernel mostly ignores the boot command line. You may need root=31,2 if it can't mount root.
Reboot. You now have OpenWrt BB with about 2.8 MB of free space.
Ethernet works (WAN and LAN), wifi works, LED's do not work (other than the 4 LAN LEDs that are driven directly from the switch chip)
You can replace the firmware as usual with 'mtd write <file> firmware'
To debrick this modified router, boot up to serial console, erase block 3F so you have Ethernet as described above, and tftp an initramfs Openwrt and boot from RAM.
(Your tftp server: 192.168.1.27. Router IP 192.168.1.10. These are in printenv / setenv / saveenv)
tftpboot 0x8100000 <file>
bootm 0x8100000
A RAM-based OpenWrt will come up. scp a good firmware and mtd it. The reason you need to do this is because the bootloader can't write beyond 4 MB, but the OpenWRT mtd can.
Thanks again to the OpenWRT team and fuhry for making this possible.
(Last edited by mk24 on 3 Dec 2014, 04:38)