So… a friend asked me to restore the original firmware on his Linksys WRT54g2 after having installed DD-WRT. Well, it isn’t as straightforward as it is the other way around. In fact, it isn’t doable just by software (that is, when you don’t have access to tftp).
First, you need to open the router. Damn thing uses the only screwdriver I don’t have.
It was easy to force a normal flat-head screwdriver, so I got it opened.
Next, surprise: no serial or JTAG port visible right away. *sigh*
Taking a good look, you’ll see adjacent black boxes where some pins were supposed to be, only they are all green.
Looking around, you’ll find that the 5 pads in the middle of the top face of the mainboard are for a serial port, and the 6 boxes on the right (6 on the top face, 6 on the bottom face) are the JTAG pins. You’ll have to scratch the green stuff off (carefully) with a screwdriver, a nail, or something sharp. After exposing enough copper, you can solder wires or some kind of surface connector (or adapt a standard connector).
So far, so good.
You’ll need a JTAG cable. You can get one online, from cheap ones to really expensive ones. Plus, you need to know if it will support the chip the router uses.
Cheap solution: use a home-made cable consisting of 4 resistors + 1 DB25 male connector (using the printer port; note that it needs to be a REAL printer port, not a USB “printer” port).
This easy-to-make cable (an unbuffered cable) has to be short: no more than 6 inches, or noise will be your enemy. I made one about 3 inches long.
Get tjtag to tinker with the board. It runs on Windows and Linux. As none of my laptops have a printer port, I used a colleague’s computer (WinXP). Now, this will become nasty xD
Running the test commands, the software recognized the board and memory chip. All good!
The cable was good, the board was alive (duh! it was working), and the software was compatible.
Then (just in case) I made a wholeflash backup. This saves all the flash content bit by bit, allowing a future restore to DD-WRT (in this case).
(2MB backup, took 623 seconds to complete.)
Now, according to the dd-wrt forums, once dd-wrt is installed on this router there is no way back. Well, this is partly true.
As I commented before, there is no “easy” way back. Worse yet, if you do not make a wholeflash backup yourself, the “not easy” way back becomes even more “not easy”.
I received this router with dd-wrt preinstalled, and was asked to return it to the factory firmware. All the hardware was “pristine”, so nobody had mangled it, and… nobody had made a flash backup. Fortunately, a guy in the forums was nice enough to post a wholeflash backup of his router (different flash chip).
When I decided to try it out, I renamed the file to wholeflash.bin and ran
A couple of numbers showed up on screen….
….. (i let it run, and went back to work)
If you consider the time between the numbers on screen, it would have taken about 120 hours to flash the whole flash. I know JTAG is slow, but this is ridiculous.
So, Control-C, and try again with some additional parameters.
Now the board started to act weird. Sometimes it didn’t detect the flash chip, sometimes it complained about not being able to set debug mode on the processor, it hung while enabling memory writes, etc.
After some time trying and reading, I decided to use the /dma, /noreset and /noemw parameters (force-enable DMA for speed, disable reset and memory writes). Sometimes I had to force the flash id (/fc:09). Now it was running fast (read: about 2 minutes per percent).
Off to work again.
Checked about 60 minutes later, and the damned thing had hung at 27%.
After that came a series of flash erases, followed by different attempts to flash. Each attempt failed in a different place (6%, 12%; the furthest I got was 37%).
Checked the cable, any interference around, etc. Same result.
I went home and let the stupid board keep flashing. Didn’t care anymore.
Next day I tried a couple of things.
One of them led me to success (hours later!)
The important steps were these:
– Connected pin 1 of the unbuffered cable to a Vcc source (I used the serial port’s) through a 100 ohm resistor. (In the pictures the pin is connected… I took the pictures after all this.)
– Left each wire a couple of millimeters away from the others.
– Put the router in its own case, to isolate it from external noise. (I used the original casing; some suggest wrapping some tinfoil around it.)
This got me to 15% almost every time (it was still hanging).
Then I got fed up. Decided to split the bin file into smaller pieces (256KB seemed about right) and started flashing it by parts (8 parts). For this, you need to calculate the start address of each piece in flash memory and the length to program. With all the information you get from tjtag, this is fairly easy.
Some more failures. Still don’t know why, but after flashing part 2 (256 to 512KB) I got hangs at a specific address. Tired, I decided to go backwards (literally). Erased the flash, and started flashing from part 8 down to part 1.
It went smoothly! No errors, about 560 seconds per part (roughly 75 minutes total).
To confirm the procedure, I made a wholeflash backup and compared it to the file… Damn. Differences. The first difference occurred about 750KB from the beginning.
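To make the split-and-verify steps concrete, here is an added Python example (not part of the original post, nor of tjtag) that computes the start offset and length of each 256KB segment, writes the part files in the reverse order the post ended up flashing them, and reports the first offset at which a re-read wholeflash backup differs from the source image. The 2MB image it uses is constructed, not a real dump, and the part-file naming is my own choice.

```python
"""Helpers for the split-and-verify steps: segment offsets, part files,
and locating the first mismatch between two flash dumps."""
import os
from typing import List, Tuple

CHUNK = 256 * 1024  # 256 KB segments, the size the post settled on


def plan_segments(image_size: int, chunk: int = CHUNK) -> List[Tuple[int, int]]:
    """(start_offset, length) for each segment: the two numbers you need
    per part. The last segment is shorter if the image is not a multiple."""
    return [(off, min(chunk, image_size - off)) for off in range(0, image_size, chunk)]


def split_image(image: bytes, out_dir: str, chunk: int = CHUNK) -> List[str]:
    """Write one file per segment, named by part number and flash offset
    (naming is an assumption), and return the paths last-part-first,
    the order that finally worked in the post."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for idx, (off, length) in enumerate(plan_segments(len(image), chunk), start=1):
        path = os.path.join(out_dir, f"part{idx}_0x{off:06X}.bin")
        with open(path, "wb") as f:
            f.write(image[off:off + length])
        paths.append(path)
    return paths[::-1]


def first_difference(a: bytes, b: bytes, step: int = 4096) -> int:
    """Offset of the first differing byte between two dumps; -1 if identical.
    If one dump is a prefix of the other, the shorter length is returned."""
    n = min(len(a), len(b))
    for i in range(0, n, step):  # compare in windows, then narrow down
        end = min(i + step, n)
        if a[i:end] != b[i:end]:
            return next(j for j in range(i, end) if a[j] != b[j])
    return -1 if len(a) == len(b) else n


if __name__ == "__main__":
    # Constructed 2 MB image (bytes cycling 0..255), not a real flash dump.
    image = bytes(range(256)) * (2 * 1024 * 1024 // 256)
    for i, (off, length) in enumerate(plan_segments(len(image)), start=1):
        print(f"part {i}: start 0x{off:06X} length 0x{length:X}")
    reread = bytearray(image)
    reread[750 * 1024] ^= 0xFF  # simulate a mismatch near where the post found one
    print("first difference at offset", first_difference(image, bytes(reread)))
```

Run the reported offset against the layout tjtag prints for your chip to see whether the mismatch sits inside the bootloader region or, as in the post, just past it.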
If you check the addresses where the BSP or CFE is stored, you will realize that 750KB from the beginning is just past that. I’m not going to write much about this, but it is important to know: CFE is the bootloader used to boot Linux (dd-wrt in this case), and BSP is the one used by the VxWorks-based Linksys firmware.
Taking that into account, I just rebooted the router. The lights all went on, then off… Success!
The power light was blinking. That means a firmware loading problem. Not that bad. Configured the computer to use 192.168.1.20, and connected via web browser to 192.168.1.1. A simple page titled “Management Mode – Firmware Upgrade” asking me to select a file appeared.
I went to Linksys.com, browsed for the latest firmware for this router (1.04.00) and selected it. Run!
A couple of minutes passed by, and the page asked me to reboot the router.
Normal boot!
We are back to the original firmware.
Utilities and files :
- tjtag v0.3 [ from : here ]
- Whole flash backup [ from : here ]
- Original Linksys Firmware 1.0.04US [ from : here ]
- Split flash: each of the files to flash manually, in segments of 256KB (including bat files with the command line).
All the files here were taken from the sites specified.
If you think I am violating some copyright, please write me.