OpenWrt Forum Archive

Topic: Buffalo WZR-HP-AG300H bootloader bricked, have openOCD debug access...

The content of this topic has been archived on 6 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have a Buffalo WZR-HP-AG300H that I have erased the bootloader from and am attempting to recover it.
I do have an identical device and have copied (via dd) the contents of the flash from the previous device.
I also currently have full debug access through openOCD JTAG as I have connected into the JTAG port.

However, the thing that I am missing is a way to boot the device.
I have been attempting to build das U-Boot for the device, but it seems to not load.
I can connect to the openOCD interface with telnet localhost 4444 then issue the load_image and resume commands, however, I don't seem to have any code that is suitable.

What I am really after is just a way to boot the device so I can rewrite the bootloader "redboot" or any other suitable, and recover the device.

Initially what happened is I overwrote mtd0 by mistake instead of the proper flash area when attempting to modify the current firmware image.

If you have any recommendations or can provide any assistance, it would be greatly appreciated.

Other useful information,
from http://wiki.openwrt.org/toh/buffalo/wzr-hp-ag300h
Architecture:    MIPS
Vendor:    Qualcomm Atheros
Bootloader:     crippled U-Boot
System-On-Chip:     AR7161 rev 2 (MIPS 24Kc V7.4)
CPU/Speed     24Kc V7.4 680 MHz
Flash-Chip:     ?
Flash size:     32 MiB
RAM:     128 MiB
Wireless:     Atheros AR9223 (2.4GHz) and AR9220 (5.0GHz) 802.11abgn
Ethernet:     AR8316

I have this router working with OpenWRT. If you have JTAG working, I could send you an image of my CFE (it reports itself as U-Boot, not redboot, but it is the stock CFE). You could then load the CFE back to mtd0 using JTAG if you know how.

Did you also delete mtd8? That would be unfortunate...

I am fascinated by your statement that you have connected the JTAG, since I had mine open and didn't find a JTAG header.  I didn't remove the RF shielding, was it under there? I also haven't found any documentation even hinting that it could be done...

Anyway, back to your problem. I know it's been months since you posted, but if you still need it, I can get you my CFE. You'll need to edit it in a binary editor to change some things, like the MAC addresses, pin, default WPA password, etc. I will of course anonymize these things before sending...

The discussion might have continued from here.