Hi,
I'm an owner of the Netgear WGR614v7 router (Atheros AR2317, 2MB Flash MX25L1605 and 8MB RAM). One day I decided to upgrade its firmware to DD-WRT (DLINK DIR-300). I got into the VxWorks bootloader through the serial console and configured it to boot the "ap61.ram" image via ftp. Everything was fine until I entered the "fis create -l 0x30000 -e 0xbfc00000 RedBoot" command; after that my router is dead.
ar531xPlus rev 0x00000090 firmware startup...
Netgear WGR614v7 version 4.1.4.17
Creation date: Apr 7 2006, 09:24:090
auto-booting...Attached TCP/IP interface to et0.
Attaching network interface lo0... done.
Loading... 257792
Starting at 0x800410bc...+Invalid PHY ID1 for enet0 port0. Expected 0x0243, read 0x0000
Ethernet eth0: MAC address 00:1b:2f:05:de:e9
IP: 192.168.1.1/255.255.255.0, Gateway: 0.0.0.0
Default server: 0.0.0.0
RedBoot(tm) bootstrap and debug environment [RAM]
production release, version "2.1.3" - built 18:43:37, Sep 20 2007
Platform: ap61 (Atheros WiSOC)
Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.
Copyright (C) 2007, NewMedia-NET GmbH.
Board: DLINK DIR-300
RAM: 0x80000000-0x81000000, [0x8007ff00-0x80fe1000] available
FLASH: 0xbfc00000 - 0xbfdf0000, 32 blocks of 0x00010000 bytes each.
DD-WRT>
DD-WRT> fconfig -i
Relocating Board Data to new location
Board Data is already relocated(1)!
Initialize non-volatile configuration - continue (y/n)? y
Run script at boot: false
Use BOOTP for network configuration: true
Default server IP address:
Console baud rate: 9600
GDB connection port: 9000
Force console for special debug messages: false
Network debug at boot time: false
Update RedBoot non-volatile configuration - continue (y/n)? y
... Erase from 0xbfde0000-0xbfdf0000: .
... Program from 0x80ff0000-0x81000000 at 0xbfde0000: .
DD-WRT> fis init
About to initialize [format] FLASH image system - continue (y/n)? y
*** Initialize FLASH Image System
Relocating Board Data to new location.
Board Data is already relocated(1)!
... Erase from 0xbfde0000-0xbfdf0000: .
... Program from 0x80ff0000-0x81000000 at 0xbfde0000: .
DD-WRT> ip_address -h 192.168.1.100
IP: 192.168.1.1/255.255.255.0, Gateway: 0.0.0.0
Default server: 192.168.1.100
DD-WRT> load -r -b %{FREEMEMLO} ap61.rom
Using default protocol (TFTP)
Raw file loaded 0x80080000-0x800a8717, assumed entry at 0x80080000
DD-WRT> fis create -l 0x30000 -e 0xbfc00000 RedBoot
An image named 'RedBoot' exists - continue (y/n)? y
... Erase from 0xbfc00000-0xbfc30000: ...
... Program from 0x80080000-0x800a8718 at 0xbfc00000: ...
... Erase from 0xbfde0000-0xbfdf0000: .
... Program from 0x80ff0000-0x81000000 at 0xbfde0000: .
DD-WRT> fis list
Name              FLASH addr  Mem addr    Length      Entry point
RedBoot           0xBFC00000  0x80080000  0x00030000  0xBFC00000
FIS directory     0xBFDE0000  0xBFDE0000  0x0000F000  0x00000000
RedBoot config    0xBFDEF000  0xBFDEF000  0x00001000  0x00000000
DD-WRT> reset
... Resetting.
So I built a buffered Wiggler cable and connected it to the EJTAG connector in my router. Unfortunately urjtag and jtag-0.6 do not recognize the flash, therefore I decided to use tjtagv (v3.0 RC1 Tornado-MOD). The program recognizes my hardware and allows me to read/write the flash. I copied "ap61.rom" to CFE.BIN and wrote it to flash with the "tjtag -flash:cfe /wiggler" command. But when I read the flash (-backup:cfe) and compared it with the original file I noticed that each byte is swapped:
Original file: 3C 04 B1 00 34 84 00 64
Read from flash: 00 B1 04 3C 64 00 84 34
As you can see, the 1st byte is swapped with the 4th byte, the 2nd with the 3rd, the 3rd with the 2nd and the 4th with the 1st. Is this normal? Do I have to prepare a file with swapped bytes and write it to flash?
I'm not sure if the "ap61.rom" bootloader file is suitable for my router; unfortunately the router doesn't boot after uploading it to flash.
I suspect that some nvram file is needed but I don't have any.
Can anybody help me? What should I do to bring the router back to life?
Best regards.
Tom Cea.
c:\2\tjtag>tjtag -probeonly /wiggler
==============================================
EJTAG Debrick Utility v3.0 RC1 Tornado-MOD
==============================================
Probing bus ... Done
Instruction Length set to 5
CPU Chip ID: 00000000000000000000000000000001 (00000001)
*** Found a Atheros AR531X/231X CPU chip ***
- EJTAG IMPCODE ....... : 01000000010000000100000000000000 (40404000)
- EJTAG Version ....... : 2.6
- EJTAG DMA Support ... : No
- EJTAG Implementation flags: R4k ASID_8 NoDMA MIPS32
Issuing Processor / Peripheral Reset ... ECR: 0x80000000 Done
Enabling Memory Writes ... Skipped
Halting Processor ...
00000000000100010000000000000000 (00110000)
00000000000000000000000000000000 (00000000)
<Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Enabling Atheros Flash Read/Write ... Done.
RE-Probing Atheros processor....
..Found a Atheros AR2317
Probing Flash at (Flash Window: 0x1fc00000) ...
Done
Flash Vendor ID: 00000000000000000000000011000010 (000000C2)
Flash Device ID: 00000000000000000010000000010101 (00002015)
*** Found a Macronix MX25L1605D (2MB) Serial Flash Chip ***
- Flash Chip Window Start .... : 1fc00000
- Flash Chip Window Length ... : 00200000
- Selected Area Start ........ : 00000000
- Selected Area Length ....... : 00000000
*** REQUESTED OPERATION IS COMPLETE ***
Resuming Processor ...
DEBUGMODULE: Return from DEBUG!
ECR: 0x0000c000
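
Added example, not part of the original post: a Python check of whether a flash readback differs from the written image only by byte order inside each 32-bit word, run on the eight bytes quoted above. The function names and the 0xFF erased-flash tail are assumptions of this example.

```python
"""Compare a flash readback with the image that was written (added example)."""

def swap32(data: bytes) -> bytes:
    """Reverse the byte order inside every 32-bit word."""
    if len(data) % 4:
        raise ValueError("length must be a multiple of 4")
    out = bytearray(len(data))
    for i in range(4):
        out[i::4] = data[3 - i::4]
    return bytes(out)

def first_diff(a: bytes, b: bytes):
    """Offset of the first differing byte, or None if the common prefix matches."""
    return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), None)

def classify_readback(original: bytes, readback: bytes, erased: int = 0xFF) -> dict:
    """Classify a readback as identical, word-swapped, mismatch or short-read.

    Assumption: the readback covers a whole flash region, so it may be longer
    than the image; the remainder is expected to hold the erased value.
    """
    image = original + bytes([erased]) * (-len(original) % 4)  # pad to a word
    if len(readback) < len(image):
        return {"result": "short-read", "tail_erased": None,
                "diff_straight": None, "diff_swapped": None}
    head, tail = readback[:len(image)], readback[len(image):]
    swapped = swap32(image)
    if head == image:
        result = "identical"
    elif head == swapped:
        result = "word-swapped"
    else:
        result = "mismatch"
    return {"result": result,
            "tail_erased": all(b == erased for b in tail),
            "diff_straight": first_diff(head, image),
            "diff_swapped": first_diff(head, swapped)}

# Bytes quoted in the post; the 0xFF tail is constructed for this example.
ORIGINAL = bytes.fromhex("3C 04 B1 00 34 84 00 64")
READBACK = bytes.fromhex("00 B1 04 3C 64 00 84 34") + b"\xff" * 8

if __name__ == "__main__":
    print(classify_readback(ORIGINAL, READBACK))
```

For real files, pass the contents of the written image and of the backup read with open(path, "rb").read(); a "mismatch" result reports the first differing offset against both byte orders.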