Recover from a Bad Flash
From DD-WRT Wiki
So, you're afraid you've bricked
your router. Don't worry, there are a number of things you can try to
get your router working again before giving up and living with the fact
that your router is now a paperweight.
It is also unfortunately possible to configure your router in ways which make it dead to the world. These techniques may be useful in these cases also.
Before you continue below, make sure you tried these steps first:
- Disconnect the router from UTP cables (not the power cable).
- Push reset button for 30 secs
- Without releasing reset button disconnect power cord.
- Hold the reset button for another 30 secs.
- Replug the power button.
- Still hold the reset button for another 30 secs.
- Release the reset button and give the router about 10 secs to resettle
- Disconnect power cord for another 10 secs and the reconnect.
- All should be in default settings now.
Contents |
[edit] WRT54G/GL/GS
The LED display at the front of the router is the best way to determine what type of brick you have and its recovery method. You should at least check this to prevent unnecessarily opening the router.
When the web interface is no longer available, switch the router off first (remove the power jack) and remove all network cables from the equipment. After some seconds you restart the WRT54G. Now take note of the flashing LEDs.
- The power LED flashes very fast. If it keeps on flashing longer than 2 minutes, without having lit up the other LED's, then a defective bootloader is present. If you can ping 192.168.1.1 you can try the TFTP recovery, otherwise you may need to open the router and use the JTAG recovery method below.
- The power LED flashes very fast and after some seconds the DMZ LED lights up for approximately 5 seconds. In this case the Bootloader is intact and only the kernel (firmware) is defective. In this case you could possibly still recover with an ethernet cable if you reflash the firmware via TFTP (see TFTP below).
- The power LED flashes very fast and after about 20 seconds it lights permanently, but the DMZ LED did not light up. In this case Bootloader and Kernel (firmware) are intact, only a wrong configuration from locked up the router. This can happen if a wrong or corrupt value exists in the NVRAM. Here simply clearing the NVRAM should solve the problem.
The Linksys site mentions 'Management Mode' which makes it trivial to recover from bad flashing (answer id 3176). Here's how to do it:
- Unplug the power cord from the back of the router.
- Hold down the Reset button.
- While holding down the Reset button, plug back in the power cord to the router.
- Continue to hold the Reset button for five (5) seconds. After five (5) seconds, release the button.
- Wait for about one (1) minute. Then, on a computer connected to the router, launch a web browser (for example, Internet Explorer or Mozilla Firefox).
- Type in the router's IP address of http://192.168.1.1 into the Address field and press the [Enter] key.
- The Management Mode - Firmware Upgrade interface should appear.
Note This technique only officially applies to hardware version 5 of the router ( what version do I have?). However, some version of the DD-WRT seem to have this ability on other versions of the hardware, so you might find it works anyway.
[edit] Linksys Firmware
If you cannot find a Firmware Auto-Upgrade utility at the Linksys Download Page, use a Setup Wizard as an alternative from other Linksys router (make sure to use your router's firmware).
Another tftp program is called tftp2 and is available here (this will start the download): tftp2.exe
[edit] Recovering with TFTP
During startup, the router will pause to accept a temporary firmware upload via tftp. This is only used for booting and does not go into the router NVRAM.
If pinging 192.168.1.1 does not work, check the IP Address of your computer and make sure it is assigned an IP address in the subnet of the router IP. For simplicity sake you can assume "192.168.1.x" is good. If you do not have a good IP, the DHCP Server might not be working. So set your IP manually to something like 192.168.1.77 with 192.168.1.1 as your gateway and then try pinging the router again.
Power the router on with a continuous ping running in a command window:
ping -t 192.168.1.1
You should see at least some seconds, at least 2-3 pings, where it responds to ping of 192.168.1.1 address. Do this several times to be sure. If it does you have good chance of simple recovery. If you still receive no response, the IP address may be something other than 192.168.1.1. You should attempt to obtain the IP address of the router. Especially if previous firmware set the boot_wait variable to on, the router pauses even longer than normal during bootup to accept a recovery flash. All you need to do is provide a firmware to it via TFTP during this window of time.
Prepare your PC, firmware file and TFTP software and play with the timing of powering it on and starting the TFTP session just after applying power. If you try it a number of times (at least 10) you will probably rescue the router with no fuss!
Microsoft Windows contains a TFTP client. Windows Vista will require that you enable it in Programs and Features. With TFTP, all of the information about the transfer is specified during the initial setup; there is little client/server interaction as compared with standard FTP. To flash a router using Microsoft Windows, open a command prompt, change to the directory containing the original Linksys firmware to use for this boot (this example assumes the firmware file name is code.bin), and then enter the following command (assuming your router IP 192.168.1.1):
tftp -i 192.168.1.1 PUT code.bin code.bin
After the PUT is complete the router will stop pinging for up to 30s while the firmware boots. Don't panic, this is normal. Once it pings again, give the router about 10-15 seconds to get the webserver started and at that point you should be able to re-upload the firmware to NVRAM via the web interface.
Notes: a) The -i specifies binary transfer mode; the two file names after the PUT command specify the SOURCE and DESTINATION file names.
b) Start the command and then power up the router. There is no indication of any transfer until it is complete.
c) The uploading via this command is pretty slow ~5.7kB/s so it will take about 10 minutes to upload ~3MB image. I would add another 2-4 minutes for it to write the image.
d) As mentioned elsewhere, you should use the Linksys image. You cannot use the dd-wrt images as the router will reject it. You will get "Error on server : code pattern incorrect" message.
e) If TFTP does not work, try changing your network adapter to 10 Mbps half duplex before attempting to flash the router
[edit] Recovery by JTAG cable
If the router isn't pingable anymore, there is little else you can do, but using a JTAG cable. For a pin-out see OpenWRT wiki. Then download the HairyDairyMaid Debrick Utility.
- solder the JTAG cable following the above linked pin-out.
- solder a 12 pin header on the PCB of the router.
- to install the giveio.sys copy this file and loaddrv.exe into {windows}\system32\drivers
- double click loaddrv.exe in the system32 dir. This is important.
- append the filename giveio.sys onto the path in the utility
- press the load button and the start button, they should both confirm success. If this does not happen go no further, go back and fix this.
- from the command prompt cd to your Hairy Dairy directory and run wrt54g.exe to get a list of options
- to check your cable, plugin and power up the router and do wrt54g -probeonly
- it will then detect the CPU type. If not then check your cable.
- finally to erase your NVRAM (the usual cause of the problem) wrt54g -erase:nvram
- if that didn't work, erase the kernel (firmware): wrt54g -erase:kernel Now reflash the kernel via TFTP.
- if you still have no luck, you need to erase your CFE, but make sure you have a working cfe.bin for your router model! wrt54g -erase:cfe After that you have to reflash your CFE: wrt54g -flash:cfe
Flashing the KERNEL or WHOLEFLASH will take a very long time using JTAG via this utility. You are better off flashing the CFE & NVRAM files & then using the normal TFTP method to flash the KERNEL via ethernet.
[edit] If That Doesn't Work
If the above methods do not work for you, the [WRT54G Revival Guide] includes a second technique that involves snapping open the plastic case of the router and using a small metal tool (or paper-clip) to "short" two particular "pins" on the circuit board. It is quite clear that this carries risk of permanently damaging your flash via static discharge, and should be a measure of EXTREME last resort, not the first thing to try. You can very likely recover from a bad flash WITHOUT opening the router if you have some patience with the TFTP technique.
If you do have to use the EXTREME measure #4 from the revival guide as I did here is a additional tip uncovered from this forum. Voidman forum
I used the "earthing" technique to get the WRT54g v3.1 to respond to pings. Whenever I tried to tftp the dd-wrt firmware, it would cause the router to stop responding to pings ans just give a "timeout" error.
The solution was to first tftp an official LINKSYS firmware (WRT54G_4.30.5_US_code.bin which I renamed to "code.bin"). The router accepted it and rebooted properly. I was then able to upgrade to the latest dd-wrt v.23 SP2 through the WebGUI. This was discovered on GS v.4 which responded to unofficial firmware with "incorrect code pattern." Apparently this happens when tftp'ing to an empty flash chip.
There's also a collection of pointers and tips on how to recover from a bad flash at the external link location, but most of the information in that forum seems to have been collected into the WRT54G Revival Guide. So far this is just a starter wiki. If someone could move the important parts into this wiki, that'd be great. Probably organize it by recovery methods and list variations of each method below the method, or something.
[edit] Buffalo WHR-G54S
If you have already tried pinging the Buffalo continuously through hard and soft resets, unplugging, plugging and any combination thereof, then you will need to open up the device in order to revive it, similar in practice to the WRT54G Revival Guide Method #3.
- Unplug the router, and slide off the side trim panels. One will be covering a torx screw (T-9).
- Undo the screw and open up the router.
- With the router unplugged, plug a patch cable into one of the 4 LAN ports on your router and plug the other end into a computer.
- Configure your network card on your computer with a static IP address: IP: 192.168.11.2, NETMASK: 255.255.255.0, no gateway.
- Run a the ping command in a terminal or command prompt. In Linux: "ping 192.168.11.1". In Windows "ping -t 192.168.11.1" so that it doesn't stop trying to ping after 4 pings.
- Locate pin 12 on the flash memory chip. It is the 12th pin counterclockwise from the dimple in the surface of the chip. See the specs for this chip here.
- Short this pin to ground (bare solder around antennas, screw points).
- While holding the screwdriver there, plug in the power and watch your ping screen. You should see the pings starting to succeed.
- Remove the screwdriver and the pings should continue.
- Now use the tftp method to rewrite the firmware.
[edit] Buffalo WHR-G125
I did the same as above with my whr-g125. It seemed bricked (not pingable), but connecting wires to pin 12 of the Samsung flash ram chip (the big one) restarted the router, which where pingable in 5-10 seconds afterwards. So i used the .bat script found elsewhere in the wiki to tftp the .bin after using this restarting method. And it worked!
[edit] Buffalo WHR-HP-G54 JTAG
Lets say the instant you switch on your buffalo it displays all GREEN LEDs, the switch is all green, the green power light is on but no other colours and nothing is blinking. Nothing changes and nothing you do has any effect, you can't ping 192.168.1.1 nore 192.168.11.1 and you have tried shorting pin 12 as above. This is the time for JTAG and the Hairy Dairy Maid utility! If you have heard of this then I expect you have been dieing to use it. JTAG is a 12 pin header on the board for which you will need to connect control 4 wires to your computers printer port (parallel) and 2 gound wires. JTAG allows the 'manual' operation of the boards circuits even if the CPU is well and trully crashed. A bit like brain surgery with the top of someones head removed. I did this on Windows 2000, it (and XP) does not like you messing with the parallel port so you need a special driver to allow this; giveio.sys. Without this nothing happens. You can get the program and instructions from here: Hairy Dairy Maid Now read those instructions and then read what I specifically had to do to get it working on our one.
- solder the 25 way D on your JTAG cable follow the standard pinout.
- solder the PCB end onto the JTAG header directly to the solder pads, evens are ground; 2+4+6+8=20+25, odds are signals; 3=2,5=13,7=4,9=3.
- this is standard JTAG, nothing special, forget the resistors the PCB already has them.
- to install the giveio.sys copy this file and loaddrv.exe into {windows}\system32\drivers
- double click loaddrv.exe in the system32 dir. This is important.
- append the filename giveio.sys onto the path in the utility
- press the load button and the start button, they should both confirm success. If this does not happen go no further, go back and fix this.
- from the command prompt cd to your Hairy Dairy directory and run wrt54g.exe to get a list of option
- to check your cable, plugin and power up the buffalo and do wrt54g -backup:nvram /noemw /fc:29
- it will detect the CPU type and you should see your data as FFFFFF and CFD1AFC nonsense whizz past. If not then check your cable.
- finnaly to erase your NVRAM (the usual cause of the problem) wrt54g -erase:nvram /noemw /fc:29
[edit] External Links
- Linksys WRT54G Revival
- Confirmed to work on a WRT54G v8 (the flash chip is the one with the pins on the short sides nearest the LEDs)
- How-To: Recover from a bad firmware flash
- Debricking the Linksys AG241
- Skynet RepairKit