doc:howto:generic.debrick

Differences

This shows you the differences between two versions of the page.

doc:howto:generic.debrick [2013/02/09 01:18]
pierotofy
doc:howto:generic.debrick [2015/07/04 18:22] (current)
Maqi Links to Bootloader/CFE
Line 1: Line 1:
 ====== OpenWrt Debricking Guide ====== ====== OpenWrt Debricking Guide ======
-When people say a router is //​bricked//,​ this very generally means, that it does not function properly any longer and the reasons can be various. First of all, you should calm down, relax and read [[doc:​techref:​flash layout]], [[doc:​techref:​filesystems#​implementation.in.openwrt|file systems in OpenWrt]] and [[doc:​techref:​bootloader#​Additional Functions|bootloader CLI]]. Now depending on what exactly is broken, you have several possibilities:​+When people say a router is //​bricked//,​ this very generally means, that it does not function properly any longer and the reasons can be various. First of all, you should calm down, relax and read [[doc:​techref:​flash.layout]], [[doc:​techref:​filesystems#​implementation.in.openwrt|file systems in OpenWrt]] and [[doc:​techref:​bootloader#​Additional Functions|bootloader CLI]]. Now depending on what exactly is broken, you have several possibilities:​
  
   - if only something on the **[[doc:​techref:​filesystems#​JFFS2]]** partition is broken, you are still able to -> **[[doc:​howto:​generic.failsafe|boot into OpenWrt failsafe mode]]**   - if only something on the **[[doc:​techref:​filesystems#​JFFS2]]** partition is broken, you are still able to -> **[[doc:​howto:​generic.failsafe|boot into OpenWrt failsafe mode]]**
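Review bot: In the changed sentence the bootloader link still uses the anchor "#Additional Functions", with a space and capitals, while the filesystems link beside it uses the dotted lower-case form "#implementation.in.openwrt". Since this edit already normalises "flash layout" to "flash.layout", bring that anchor into the same form and confirm it resolves. The comma in "this very generally means, that" could also be dropped while the line is being touched.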
Line 23: Line 23:
 It's one of those amazingly useful things that allows you to recover from pretty much anything that doesn'​t involve a hardware failure. While the JTAG can technically be used to watch every instruction and register as the system boots, the recovery software only uses it for DMA access to the flash chip, making it somewhat a blind recovery mechanism. It's one of those amazingly useful things that allows you to recover from pretty much anything that doesn'​t involve a hardware failure. While the JTAG can technically be used to watch every instruction and register as the system boots, the recovery software only uses it for DMA access to the flash chip, making it somewhat a blind recovery mechanism.
  
-The biggest mistake people seem to make with JTAG is the "wipe everything and reload CFE" approach; they either can't find the correct CFE version after wiping the device, or they reflash with a CFE which is incompatible with their device. You should always try to use the CFE version that came with the device rather than attempting to replace it with some random CFE you found on the internet.+The biggest mistake people seem to make with JTAG is the "wipe everything and reflash [[doc:​techref:​bootloader|bootloader]]" ​([[doc:​techref:​bootloader:​cfe|CFE]] for broadcom devices) ​approach; they either can't find the correct CFE version after wiping the device, or they reflash with a CFE which is incompatible with their device. You should always try to use the CFE version that came with the device rather than attempting to replace it with some random CFE you found on the internet.
  
 Second mistake - embedded within CFE is a set of NVRAM defaults to be used if the NVRAM partition is missing. This means that in most cases you can just wipe everything but CFE and it'll happily boot, recreate NVRAM and start waiting for a firmware via TFTP. In some cases however, the defaults embedded defaults (in the CFE shipped with the device) don't match the actual hardware and CFE will fail to boot. This is why we have the warnings not to wipe NVRAM. To recover from this situation you need either the original NVRAM contents, or a version of CFE with the correct defaults. Second mistake - embedded within CFE is a set of NVRAM defaults to be used if the NVRAM partition is missing. This means that in most cases you can just wipe everything but CFE and it'll happily boot, recreate NVRAM and start waiting for a firmware via TFTP. In some cases however, the defaults embedded defaults (in the CFE shipped with the device) don't match the actual hardware and CFE will fail to boot. This is why we have the warnings not to wipe NVRAM. To recover from this situation you need either the original NVRAM contents, or a version of CFE with the correct defaults.
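Review bot: The added parenthetical sits between the closing quote and "approach", and the rest of the sentence still talks only about CFE ("can't find the correct CFE version", "reflash with a CFE"), so the generalisation to other bootloaders stops halfway. Either keep the sentence CFE-specific and link CFE once, or reword the remainder to "bootloader" as well; "broadcom" should be capitalised. The following context paragraph has a duplicated word ("the defaults embedded defaults") that is worth fixing in the same pass.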
Line 31: Line 31:
  
 Serial console allows you to interact with the CFE command line, watch the kernel boot and console access to linux. This is probably the only way you'll every get any meaningful feedback about the device boot up. Serial console allows you to interact with the CFE command line, watch the kernel boot and console access to linux. This is probably the only way you'll every get any meaningful feedback about the device boot up.
 +
 +== Serial modes ==
 +
 +Some [[doc/​hardware/​port.serial#​serial.modes | serial modes]] allow you to upload a binary directly to ram or to the flash memory from the serial connection, allowing you to repair a broken bootloader
  
 === Arduino === === Arduino ===
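Review bot: The new heading "== Serial modes ==" uses two equals signs while the sibling "=== Arduino ===" directly below uses three, and in DokuWiki fewer equals signs mean a deeper level, so the new section will nest differently from its neighbours; match the level of the surrounding sections. The link target is written as "doc/hardware/port.serial" with slashes where the rest of the page uses colon-separated IDs, and the sentence is missing its final period. Because this path writes a binary straight to RAM or flash, the text should also tell the reader to check the image against a known-good checksum before uploading it.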
Line 178: Line 182:
  
   * [[http://​richard-burke.dyndns.org/​wordpress/​2009/​02/​programming-an-asus-p5b-bios|Programming an ASUS P5B BIOS | Adventures in Home Computing]]   * [[http://​richard-burke.dyndns.org/​wordpress/​2009/​02/​programming-an-asus-p5b-bios|Programming an ASUS P5B BIOS | Adventures in Home Computing]]
 +
 +
 +===== Write flash chip by USB =====
 +
 +This is the probably easiest way to "​burn"​ a flash chip: It is a cheap (cable ~20 EUR), universal (USB) and multiplatform (many OS) solution. Buy a FTDI cable C232HM-DDHSL-0 (in case of 3.3 Volts), connect the wires to the flash chip as shown below and write the data with [[http://​flashrom.org/​|flashrom]].
 +
 +<​code>​
 +C232HM-DDHSL-0 ​      ​SPI-Flash SOP8
 +     1 red    ------ 8 Vcc
 +     2 orange ------ 6 SCLK
 +     3 yellow ------ 5 SI
 +     4 green  ------ 2 SO
 +     5 brown  ------ 1 /CS
 +     6 grey   ​------ 3 /WP (with 4k7 Pullup)
 +     7 purple ------ 7 /HOLD (with 4k7 Pullup)
 +    10 black  ------ 4 Gnd
 +</​code>​
 +
 +Write command:
 +
 +<​code>​
 +# time ./flashrom -p ft2232_spi:​type=232H -c MX25L6406E/​MX25L6436E -w ../​../​dump.mtd 2>&1 |tee log
 +flashrom v0.9.7-r1711 on Darwin 8.11.0 (Power Macintosh)
 +flashrom is free software, get the source code at http://​www.flashrom.org
 +
 +Calibrating delay loop... OK.
 +Found Macronix flash chip "​MX25L6406E/​MX25L6436E"​ (8192 kB, SPI) on ft2232_spi.
 +Reading old flash chip contents... done.
 +Erasing and writing flash chip... Erase/write done.
 +Verifying flash... VERIFIED.
 +
 +real    7m1.731s
 +user    0m12.288s
 +sys     ​0m22.984s
 +</​code>​
 +
 +The example shows burning of a MX25L6406 for the [[toh/​alfa.network/​ap121|Alfa AP121]]. (No, I didn't brick it. ;-) I just wanted to replace a 4MB Flash with 8 MB flash.)
 +
 +Warning: If you use a FTDI cable for [[doc/​hardware/​port.serial#​prebuilt.cables|serial console]] then you probably must disable the FTDI serial port driver or exclude the product ID 0x6014 for the FT232H chip in the serial driver. Patch for MacOS:
 +
 +<​code>​
 +--- tmp/​FTDIUSBSerialDriver.kext/​Contents/​Info.plist ​   2012-08-08 14:​01:​40.000000000 +0200
 ++++ /​System/​Library/​Extensions/​FTDIUSBSerialDriver.kext/​Contents/​Info.plist ​    ​2013-11-17 10:​48:​54.000000000 +0100
 +@@ -2014,25 +2014,6 @@
 +                        <​key>​idVendor</​key>​
 +                        <​integer>​1027</​integer>​
 +                </​dict>​
 +-               <​key>​FT232H</​key>​
 +-               <​dict>​
 +-                       <​key>​CFBundleIdentifier</​key>​
 +-                       <​string>​com.FTDI.driver.FTDIUSBSerialDriver</​string>​
 +-                       <​key>​IOClass</​key>​
 +-                       <​string>​FTDIUSBSerialDriver</​string>​
 +-                       <​key>​IOProviderClass</​key>​
 +-                       <​string>​IOUSBInterface</​string>​
 +-                       <​key>​bConfigurationValue</​key>​
 +-                       <​integer>​1</​integer>​
 +-                       <​key>​bInterfaceNumber</​key>​
 +-                       <​integer>​0</​integer>​
 +-                       <​key>​bcdDevice</​key>​
 +-                       <​integer>​2304</​integer>​
 +-                       <​key>​idProduct</​key>​
 +-                       <​integer>​24596</​integer>​
 +-                       <​key>​idVendor</​key>​
 +-                       <​integer>​1027</​integer>​
 +-               </​dict>​
 +                <​key>​FT4232H_A</​key>​
 +                <​dict>​
 +                        <​key>​CFBundleIdentifier</​key>​
 +</​code>​
 +
 +//(Note: To get flashrom work on an old MacOS 10.4 PPC system as shown above you'll have to make some mods to flashrom.)//​
 +
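Review bot: The write command goes straight to "-w ../../dump.mtd" and the section never tells the reader to save the chip's current contents first, which matters on a page that earlier warns about losing the original CFE and NVRAM. Add a read step with flashrom's -r option before the write, and say to keep that dump. The warning gives the product ID as 0x6014 while the plist patch shows 24596; noting that these are the same value in hex and decimal would help, as would a line on how to restore the FT232H entry when the cable is needed as a serial console again. The closing note about "some mods to flashrom" on MacOS 10.4 PPC should say what they are or link to them.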
doc/howto/generic.debrick.1360369108.txt.bz2 · Last modified: 2013/02/09 01:18 by pierotofy