
Unbricking a WRT320N with Bus Pirate?

Hello Everyone.

I recently bricked my Linksys WRT320N and I am trying to recover it. It does not respond to pings, so I can't use the normal method of sending the firmware over TFTP to fix it.

I also read that on this particular router you cannot use JTAG to flash it.

So the last option I have is connecting to the serial interface. The serial interface is a 3.3v RS232 connection. The pinout is supposedly the same pinout as the WRT610N (http://www.twam.info/hardware/adding-rs ... ys-wrt610n)

Since I have no USB-to-serial adapters, I figured this would be a good time to try out my Bus Pirate.

Has anybody ever done this? I am new to the Bus Pirate and I have read a few tutorials to try and get my bearings.

From what it seems, this should be set to UART 8N1 mode with normal voltages. It also looked like I may want to use Macro (1), but every time I try to use this it says "NO SUCH MACRO IN THIS MODE, TRY ? OR (0) FOR HELP"


Does anyone have any suggestions or tips? Is this even possible?

Re: Unbricking a WRT320N with Bus Pirate?

Reply #1
Can you please show the log from your terminal?

What firmware version are you using ('i' menu)?
Got a question? Please ask in the forum for the fastest answers.

Re: Unbricking a WRT320N with Bus Pirate?

Reply #2
i returns
Quote
Hack a Day Bus Pirate v2go
http://www.buspirate.com
Firmware v2.0
*----------*
POWER SUPPLIES ON
VOLTAGE MONITOR: 5V: 5.0 | 3.3V: 3.3 | VPULLUP: 0.0 |
AUX: DEFAULT SETTING (AUX PIN)
Normal outputs (H=Vcc, L=GND)
PULLUP RESISTORS OFF
BITORDER CONFIGURATION NOT ALLOWED IN THIS MODE
*----------*


log
Quote
M
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. JTAG
7. RAW2WIRE
8. RAW3WIRE
9. PC KEYBOARD
10. MIDI
11. LCD
(1) >3
MODE SET
Set serial port speed: (bps)
 1. 300
 2. 1200
 3. 2400
 4. 4800
 5. 9600
 6. 19200
 7. 38400
 8. 57600
 9. 115200
(1) >9
Data bits and parity:
 1. 8, NONE *default
 2. 8, EVEN
 3. 8, ODD
 4. 9, NONE
(1) >1
Stop bits:
 1. 1 *default
 2. 2
(1) >1
Receive polarity:
 1. Idle 1 *default
 2. Idle 0
(1) >1
Output type:
 1. High-Z outputs (H=input, L=GND)
 2. Normal outputs (H=Vcc, L=GND)
(1) >2
NOTE: UART TX IS ON MOSI PIN
UART READY
UART>W
POWER SUPPLIES ON
UART>(1)
NO SUCH MACRO IN THIS MODE, TRY ? OR (0) FOR HELP
UART>


Re: Unbricking a WRT320N with Bus Pirate?

Reply #3
You know... I tried to upgrade the firmware on this before I posted the original post, but I think I re-flashed v2.0 instead of the nightly v2.9 under trunk on the SVN. I'm going to try flashing this again.

Re: Unbricking a WRT320N with Bus Pirate?

Reply #4
Ok, now it is updated to v2.9
Quote
i
Bus Pirate v2go
Firmware v2.9-nightly
DEVID:0x0447 REVID:0x3042 (B4)
http://dangerousprototypes.com
HiZ>

and I can use macro (1) now...

now I just need to figure out what I am doing...lol

Re: Unbricking a WRT320N with Bus Pirate?

Reply #5
The newest firmware is actually 3.0, available on the google code page. I'd recommend that because it's the best release yet, and I remember fixing a few bugs and making some more corrections to the UART library in 3.0.

Re: Unbricking a WRT320N with Bus Pirate?

Reply #6
Oh,

didn't realize the v3 firmware worked with the v2go. Updated to that now.

Does it make sense to use macro (1) to put it into (Transparent UART bridge) mode? When I reboot the router, all it shows is

Quote
UART>(1)
UART bridge. Space continues, anything else exits.
Reset to exit.
ÿ


Could this mean I am using the wrong baud rate?

Re: Unbricking a WRT320N with Bus Pirate?

Reply #7
You're expecting output similar to the link? Could be wrong baud rate, might be a problem with a Bus Pirate. If your router is bricked, is there firmware present to drive the serial port?

A side note, are you using the power supplies for anything? I noticed that you turned them on (W) in the example.

You mentioned that it should have the same pinout, maybe it's slightly different? I'd probe around with a multimeter a bit and look at the pins during reboot. Another option is to use the Bus Pirate in logic analyzer mode to see what each pin does during a reboot - check the manual for a link to the LA instructions.


Is your ground connection good? Maybe the pinout is slightly different and you're not connected to ground. Be sure to connect the ground pin to a known good ground point.

Re: Unbricking a WRT320N with Bus Pirate?

Reply #8
I can't speak for the WRT320N as I have unbricked WRT-54G models, NSLU2s and some non-Linksys products only.

Just for a better understanding, do you intend to follow the procedure for unbricking the WRT320N as described by Eko on the DD-WRT forum?

The factory/default settings for the serial port of WRT54Gs and NSLU2s are: 115200 baud, 8 bits, no parity, 1 stop bit (8N1).

The UART mode settings you used before updating your BP firmware to Ver. 3.0 look ok - I tested them with a WRT54G and a NSLU2:

- 'M' (select mode)
- '3' (UART)
- '9' (115200 Baud)
- '1' (8 bit, NO parity)
- '1' (1 Stop bit)
- '1' (Idle 1)
- '2' (H=3.3V, L=GND)
- '(1)' (transparent UART bridge mode)
- '  '   (SPACE to enter transparent UART mode)



(red circle --> I got two "wild" characters when I connected the power supply - before switching on the NSLU2)

The router's serial port (r_uart) should be connected to the BP I/O header as follows:

r_uart       BP I/O
---------------------
GND    ----    GND
RX     <---    MOSI
TX     --->    MISO

If the router's serial port were set to a different baud rate you would most likely see a stream of "wild" characters during boot-up.

I tested the above configuration (picture shows BusPirate 3.0 connected to the UART of a NSLU2):



NSLU2 has completed the init/boot phase and accepts commands in the Tera Term window with BusPirate in transparent UART bridge mode:



First you should check the BusPirate on a serial port (3.3-5V!!) that is known to work ... the simplest test is looping back pin MOSI to pin MISO on the BusPirate I/O header. For the test use exactly the same settings as for the router. Once you are in transparent UART mode press some keys on your keyboard. If the characters show in the terminal window (echo) the BusPirate is good! ;)



// EDIT - Attention: Please read my next post before attempting the next step ("hard-erasing" the NVRAM)!!!! //

If you still can't use the console of the WRT320N, the hardware is either broken or the firmware  (in Flash) and/or the variables (in NVRAM memory) are corrupted. If it's "just corrupted kernel image variables" in NVRAM you may still have a chance by first executing Eko's NOVRAM "hard-erase" procedure:

Quote
Quoted from "Linksys WRT320N now supported" by Eko on dd-wrt.com

Right...here is "erase nvram" procedure. You need to open the router. Next to cpu you will see some gpio dots labeled like this:
Code:
   GPIO11 o  <-copper dot here
     GPIO12
GPIO15GPIO9
      GPIO6
          o    <- copper dots
       oo
         o    <--- this is gpio6 - short to ground

And you see 4 copper dots at corner of cpu.
Cfe listens on gpio6 (like most other linksyses).

Disconnect power from router.
Now get thin wire or needle and you need to ground GPIO6 (e.g to radio shield).
Keep grounded, plug power (let somebody help you if needed), keep grounded for 6-8 s, release.
This should erase nvram.

If the firmware image in Flash memory is not corrupted, the router may load it and boot the original firmware after the NVRAM "hard-erase" (some router models won't boot after NVRAM has been wiped) ... However, this should be the last measure to be taken because if the firmware can't be loaded from Flash after the NVRAM has been wiped, the router must be considered KIA (unless some way to use a JTAG interface can be found).

Good luck

P.S. all information given without any guarantee ;)

P.S.S. sorry for the edits and post-edits, took a bit for my unbricking/modding memories to resurface ...
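
The remark in the reply above, that a baud-rate mismatch shows up as a stream of "wild" characters, modeled at bit level as an added example (not part of the original post, and not Bus Pirate or CFE code). The prompt string "CFE> " is a constructed sample, all function names are hypothetical, and the receiver is assumed to be a simple 16x-oversampling UART; the rate-guessing heuristic goes slightly beyond what the post describes.

```python
"""Bit-level model of an 8N1 UART link (added example, constructed data)."""

# Rates offered by the Bus Pirate UART menu shown earlier in the thread.
BP_MENU_BAUDS = [300, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200]

def encode_8n1(data: bytes) -> list:
    """Line level per transmitter bit time: idle high, start=0,
    8 data bits LSB first, stop=1."""
    bits = [1, 1]
    for byte in data:
        bits += [0] + [(byte >> i) & 1 for i in range(8)] + [1]
    return bits + [1] * 12          # idle tail so the last frame can finish

def decode_8n1(bits, tx_baud, rx_baud):
    """Sample the line like a 16x-oversampling receiver clocked at rx_baud.

    Time is counted in integer ticks of 1/(16*tx_baud*rx_baud) s, so one
    transmitter bit lasts 16*rx_baud ticks and one receiver bit 16*tx_baud.
    Returns (decoded bytes, framing error count)."""
    tx_bit, rx_bit = 16 * rx_baud, 16 * tx_baud
    end = len(bits) * tx_bit

    def level(t):
        return bits[t // tx_bit] if t < end else 1   # line idles high

    out, errors, t = bytearray(), 0, 0
    while t < end:
        # Wait for a low level, then confirm the start bit at mid-bit.
        if level(t) == 1 or level(t + rx_bit // 2) == 1:
            t += rx_bit // 16
            continue
        byte = 0
        for i in range(8):           # sample each data bit at its centre
            byte |= level(t + rx_bit * (2 * i + 3) // 2) << i
        stop_at = t + rx_bit * 19 // 2
        if level(stop_at) == 0:
            errors += 1              # stop bit missing: framing error
        out.append(byte)
        t = stop_at
    return bytes(out), errors

def score(data, errors):
    """Heuristic: printable ASCII counts for a rate, junk and framing errors against."""
    printable = sum(32 <= b < 127 or b in (10, 13) for b in data)
    return printable - (len(data) - printable) - errors

def guess_baud(bits, tx_baud, candidates=BP_MENU_BAUDS):
    """Return the candidate receiver rate whose decoded output scores best."""
    return max(candidates, key=lambda r: score(*decode_8n1(bits, tx_baud, r)))

if __name__ == "__main__":
    line = encode_8n1(b"CFE> ")     # constructed sample, not captured output
    for rate in (115200, 57600, 9600):
        print(rate, decode_8n1(line, 115200, rate))
    print("best match:", guess_baud(line, 115200))
```

Only the matching receiver rate reproduces the transmitted text; every slower rate merges several transmitted bits into each sample and returns fewer, different bytes.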

Re: Unbricking a WRT320N with Bus Pirate?

Reply #9
Thanks for the information IPenguin

Yes, I did try grounding GPIO6 like suggested in that long 30+ page thread (I had read that whole thread trying to find a solution before trying this serial method)

I bricked the router in the flashing process (it had said the update was complete so I rebooted it, but I think that was a mistake because now the power LED just sits there blinking). I'm sure it's possible I corrupted the boot loader.

From your information it seems like I was doing this right (with the exception of turning on the power supplies). What you are seeing (the boot process) is what I expected to see.


The serial connection information came from the 3rd post down here (http://www.dd-wrt.com/phpBB2/viewtopic. ... 43c47052d9). I need to get some new batteries for my meter, so right now I can't test this.

I will test out the Bus Pirate later on today.

Re: Unbricking a WRT320N with Bus Pirate?

Reply #10
Bus Pirate seems to be fine. Set it to use all the same settings and the keys I pressed are showing in the console.

Seems it may have been KIA.... I'm gunna try a few more things.... like confirming the JTAG port doesn't work.

Re: Unbricking a WRT320N with Bus Pirate?

Reply #11
First: Many Linksys/Cisco routers have a ("hidden") serial port that is brought out inside the WAN/Internet port (RJ45 connector used to connect to the internet). This port is the same as the internal port (on the PCB you can see the traces leading to the same pins). Signal level is 3.3V!

You can connect to this port with a BusPirate (or a 3.3V serial to USB cable) as described above. From a terminal emulation (Hyperterminal, Tera Term etc.) you gain access to the console by holding down/typing the SPACE or ENTER key (not sure which, maybe any key) until the console responds and a prompt is displayed.

//EDIT: The "hidden" debug adapter inside the WAN/Internet port of the WRT320G is connected to the UART pads of the internal connector - given you have an adapter (very unlikely) there is no need to open the router for accessing the serial port/console. //

and a close-up:

I strongly suggest to attempt clearing the NVRAM via the serial port if possible before using the "hard-erasing" procedure (connecting GPIO6 to GND for about 10 seconds after powering on the router)!

@ACalcutt: I think there will be a way to unbrick your unit without using the JTAG gun.

I saw a number of people in the +30 page "Linksys WRT320N now supported" thread who reported the same or a very similar sounding problem - bricking their WRT320N when rebooting the router after they had received the message that the update had completed ... some never booted, others booted but failed later - in all cases the bricked WRT320Ns misbehaved in similar ways as described in this post and what you reported.

However, most (if not all) managed to recover their bricked WRT320G ... by "hard-erasing" the NVRAM following this procedure:

1. disconnect the router from power

2. open the case and connect contact GPIO6 to GND (i.e. the metal shield cover over the BCM4328 Draft n transceiver chip).



3. make sure that GPIO6 and GND are connected when applying power and stay connected for up to 10 sec. after you have applied power (you may have to repeat this a couple of times and it may take more than 2 hands ;)



4. Once the blue power LED changes from blinking to steady on you have succeeded - the router is unbricked.

After this there should be no need to use the console/BusPirate - firmware updates/swaps (with original Linksys firmware or the latest DD-WRT release) can be installed via the web interface  ... just make sure to set the router back to factory settings immediately before starting the firmware update.

Good luck ...

Re: Unbricking a WRT320N with Bus Pirate?

Reply #12
Thank you for your help, my router is now working again.

First I retried grounding GPIO6, but I still had no luck with that.

Then, randomly, I tried switching the RX and TX wires and rebooting the router, and I actually saw the boot process and was able to issue the commands.

"erase nvram" did not work (like stated in that thread), but it said nvram was an option so I tried "nvram erase" and that worked. After the reboot command it booted right up :-)


PS. If I had read your thread better I would have realized my mistake. You had given the proper connections to the board (TX to MISO, RX to MOSI), but I was using the I/O header descriptions from the Bus Pirate manual which said (TX to MOSI, RX to MISO). I imagine this just means this needs to be connected in crossover? (TX to RX and RX to TX)


Again, thanks for all the help IPenguin and Ian

Re: Unbricking a WRT320N with Bus Pirate?

Reply #13
ACalcutt, I am happy to hear that you finally succeeded in unbricking your WRT320N with the help of your Bus Pirate. :)

I am sorry to hear that the I/O header description for the Bus Pirate confused you. I checked the I/O header description and it is correct.



This table is intended to describe the function of the I/O header pins for the side of the Bus Pirate depending on the selected mode but does not show the signals on the side of the connected device!

For UART mode this means that pin MOSI is TX (Transmit Data) and pin MISO is RX (Receive Data) for the Bus Pirate.



Thank you for pointing out that the description confused you (I am sure Ian will look into clarifying it or adding an example that will actually show how to connect the Bus Pirate to a UART or even better give examples how to connect devices to the Bus Pirate in all modes). Please let us know if this was not the part in the Bus Pirate manual that confused you.

You are absolutely right, the command "erase nvram" can't work as nvram is the command and erase the option. The correct command/procedure for erasing all entries/variables from NVRAM and rebooting the router from the command console was given in a post on the second page of the "Linksys WRT320N now supported" thread on the DD-WRT forum:

Quote
nvram erase
reboot

I should have noticed it but I didn't pay any real attention to the details of the procedure for "unbricking" the WRT320N described on the DD-WRT forum except for the hardware part (hard reset via GPIO6). For those who are interested in CFE and the Linux utility nvram, here are a few details:

CFE (Common Firmware Environment) is a firmware developed by Broadcom for 64-bit SB1 (Swarm) and 32-bit BCM47xx SOCs (the latter being the MCUs found in many Linksys, Buffalo and other brand routers). The CFE source including a functional specification is available from Broadcom. CFE is the environment you connect to via the serial port (UART) of the router, nvram is one of the utilities provided by CFE. The source of the Broadcom implementation of the nvram utility is included in CFE - file: /cfe-1.4.2/cfe/cf/ui_nvramcmds.c

Quote
nvram get - Get the value of an nvram variable
nvram set - Set the value of an nvram variable
nvram unset - Delete an nvram variable and its value from memory
nvram show - Display the names and values of all defined nvram variables
nvram commit - Commit the current nvram variables and values to non-volatile memory
nvram erase - This command deletes all nvram variables from both memory and non-volatile memory
nvram import - This command converts standard environment variables into the corresponding nvram variables

nvram is a Unix/Linux (command line) utility for managing system variables stored in NVRAM (non-volatile RAM) which control the boot-time behaviour of the system. However the implementation of nvram (options) can vary in details depending on the platform/release:

Quote
NAME
       nvram - manipulate firmware NVRAM variables

SYNOPSIS
       nvram [ -p ] [ -f filename ] [ -d name ] [ name [= value ]] ...

DESCRIPTION
       The  nvram  command  allows manipulation of firmware NVRAM variables.  It can be used to get or set a
       variable.  It can also be used to print all of the variables or set a list of variables from a  file.
       Changes to NVRAM variables are only saved by clean restart or shutdown.

       In  principle,  name  can  be  any string.  In practice, not all strings will be accepted.  New World
       machines can create new variables as desired.  Some variables require administrator privilege to  get
       or set.

       The  given  value  must  match the data type required for name.  Binary data can be set using the %xx
       notation, where xx is the hex value of the byte.  The type for new variables is always binary data.

Thank you for your feedback! For those who try to be helpful good feedback - regardless if the reported result is negative or positive, even critique on how the help was provided - is the best help for the helper and a confirmation that their attempts to be helpful are appreciated. It will encourage them to continue to give help and improve on how they do it.

On the side: Oh memories, good old memories ... the days we hacked every device we could get our fingers on ... seem to return ... I just ordered a WRT610N and a WRT320N ... :)

Re: Unbricking a WRT320N with Bus Pirate?

Reply #14
Thanks for the great description guys. May I have your permission to condense it to a guide?

I'll add a note to the pinout table now. If Uwe is willing to release the UART connection table under an open license, I'll add it to the UART page too.