wrtP54g unbrick restore help
Links: home · search · speed test · login · more ·
Links: Reply New Topic
Forums » Voice Over IP - VOIP » VOIP Tech Chat » wrtP54g unbrick restore help
page: 1 · 2
boredwild @ 24th Aug 04:52PM:
wrtP54g unbrick restore help
Bought a Vonage wrtP54g off Ebay. To my dismay it was firmware 5.1.04. Tried to unlock using CYT46 to no avail. JTAGed the unit, and backed up and erased flash according to the wrtP54g-ER procedure, resulting in a brick with a fast-flashing power light. WRT54g literature indicates that this means the bootloader is corrupted. I understand that the wrtP54g uses a different bootloader (PSPBoot) than the WRT54g (CTE). Have tried to write a new complete flash to the unit using JTAG; erased all the memory blocks but was unable to write, even after leaving it to run all night. Tried the pin-short method while running a continuous ping to the unit, but unsure of what pins to use as it has the 8MB Spansion flash chip. First tried 15-16, but then I tried pins 5-6, as I read that this works on the wrt54g with the 8MB Intel flash; only received a 'hardware failure' message.
I would greatly appreciate any helpful suggestions, thanks.
reply
voiplover @ 24th Aug 05:10PM:
Re: wrtP54g unbrick restore help
Wow.
I've never dealt with the vonage wrtp54g, just the wrtp54-er.
The er model had an A and B page so it was possible to reflash the B page to the A page.
Don't recall the exact locations but I think they were listed in RCIlinks thread.
Does it still have a MAC address?
Edit: Sorry, it should have 3 mac address'.
One for the router
One for the wireless card
One for the Voip ATA
reply
mazilo @ 24th Aug 07:25PM:
Re: wrtP54g unbrick restore help
said by boredwild :
JTAGed the unit, and backed up and erased flash according to the wrtP54g-ER procedure, resulting in a brick with a fast-flashing power light... Have tried to write a new complete flash to the unit using JTAG; erased all the memory blocks but was unable to write, even after leaving it to run all night...
I just suspect that writing to the flash chip must be under a 4KByte boundary. In other words, you can't just write to the flash with a 20 Bytes of data. Can someone please confirm this?
reply
boredwild @ 25th Aug 06:49AM:
Re: wrtP54g unbrick restore help
Or any idea if the Vonage version has come type of "fail-safe" recovery mode? Alternatively, does anybody have an idea on how to go about extracting the bootloader form the backup image and writing it back to the unit using the Debrick Utility? My understanding is that, if I can get the thing to boot successfully and respond to pings, then I can flash it with a new firmware image via the Linksys tftp program.
reply
mazilo @ 25th Aug 07:55AM:
Re: wrtP54g unbrick restore help
said by boredwild :
JTAGed the unit, and backed up ...
What was your main purpose to perform this backup?
reply
meister_sd @ 25th Aug 02:16PM:
Re: wrtP54g unbrick restore help
said by boredwild :
erased all the memory blocks but was unable to write, even after leaving it to run all night.
I have the vonage version and unlocked mine. I also made a backup of the whole router. What area(s) do you need? I may be able to give you something.
said by mazilo :
I just suspect that writing to the flash chip must be under a 4KByte boundary. In other words, you can't just write to the flash with a 20 Bytes of data. Can someone please confirm this?
Yes, there is a minimum limit to write. I don't know what it is but I tried to erase a small area and it didn't write. When I made the erase area larger - it wrote. All this in the same session, so it wasn't wiring.
reply
boredwild @ 25th Aug 06:50PM:
Re: wrtP54g unbrick restore help
Mazilo: the purpose of the backup was to allow me to restore the unit if req'd. When the erase of the small part of the NVRAM that allegedly locks the unit to a particular provider resulted in a non-booting unit, I made the decision to attempt a complete flash rather than replace the bytes of the NVRAM that were erased, as a unit that is locked to Vonage is of no use to me.
reply
boredwild @ 25th Aug 07:03PM:
Re: wrtP54g unbrick restore help
Hi meister_sd, thanks for the offer. Because I am a complete noob at this router-hacking business, I don't exactly know wat I need to restore this router. Does anyone know if it is possible to write just a new bootloader to this unit via JTAG and HairyDairyMaid's Debrick Utility (4.6 with spansion supporty)? I'm quite confident that interface is working properly as the utility seems to be able to communicate with the wrtP45g and, of course, erase aspects of the NVRAM. To confirm, it is only the flash chip that is programmable during firmware flashing, correct? I won't be dealing with any other chip than the 8MB Spansion, or are parts of the AR7 also modified? Thanks all for your advice thus far...
reply
mazilo @ 25th Aug 10:36PM:
Re: wrtP54g unbrick restore help
said by boredwild :
Mazilo: the purpose of the backup was to allow me to restore the unit if req'd.
That's exactly what I thought so. Can you reflash your unit with the backup data? I hope you have a backup for the part you erased; otherwise, a complete flash may take pretty long with this unbuffered JTAG, IIRC.
reply
boredwild @ 27th Aug 06:59AM:
Re: wrtP54g unbrick restore help
Really can't say what's wrong as I replaced the bytes that were changed with the "flash:custom" command and I reflashed the NVRAM with my backup copy, but still "no dice". Since then I have used the "flash:wholeflash" command with my backup of the flash but, as I said earlier, it appears to erase successfully, and never progresses past 0% when it comes to the write operation. Perhaps HairyDairy's Unbrick Utility 4.6 (with Spansion support) is not quite compatible in this application, but probably I don't have an appropriate understanding of the possible differences in the memory mapping of the Spansion vs. the Intel flash. Is it likely that a complete reflash of the Spansion will require a custom command rather than "wrt54g -flash:wholeflash"? I am operatin g under the assumption that these various chips are similar enough that they will accept a complete wrtp54g bin from these forms. Perhaps that is the problem though. Should I be using a Vonage bin? Doesn't make sense though because it won't accept its own backup bin...
reply
boredwild @ 27th Aug 06:37PM:
Re: wrtP54g unbrick restore help
Perhaps the Spansion flash always requires the use of the "custom" command when using WRT54g Unbrick 4.6 (with Spansion support), as yesterday I began to flash a new firmware image (3.XX.17ETSI) using the "-flash:custom" command starting at the base address (b0000000) and setting the size to 400000. It is progressing through the flash although after 7 hours it was up to 42%. We'll see what happens later today...
reply
voiplover @ 27th Aug 07:15PM:
Re: wrtP54g unbrick restore help
It does take a long time. That's why it's so important to keep the unshielded part down to less than 6 inches.
reply
mazilo @ 27th Aug 07:20PM:
Re: wrtP54g unbrick restore help
said by voiplover :
It does take a long time. That's why it's so important to keep the unshielded part down to less than 6 inches.
That's why you only see a JTAG cable pretty short. I did an experiment making this unbeffered JTAG cable with a 1.8M (about 6ft) cat5e cable and it works without any problem even though I don't see any shielding on this cat5e cable, except four twisted paired wires.
reply
boredwild @ 27th Aug 07:23PM:
Re: wrtP54g unbrick restore help
Just using a bit of CAT5 LAN cable, and the entire cable is about 8 inches long in total.
Question: Is there any reason to believe that a firmware .bin would have to be altered in any way in order to load it via JTAG as opposed to via TFTP or the web update page?
reply
voiplover @ 27th Aug 07:35PM:
Re: wrtP54g unbrick restore help
If I'm right, with a Jtag you are connecting right to the chip. The firmware has not loaded when you are halting the process.
reply
boredwild @ 27th Aug 07:52PM:
Re: wrtP54g unbrick restore help
Not sure if I'm communicating this clearly, so I'll say a different way: Since I haven't seen any literature documenting a complete reflash of the Spansion in a wrtP54g via JTAG, I was wondering if there needs to be any changes made to the .bin to be loaded in this manner as, to my [limited] knowledge, complete firmware updates are not intended, by the manufacturer, to be loaded in this way (the one I am presently loading is one that was intended to be applied via TFTP).
So there's no reason to believe that a JTAG .bin should be any different (in length or content) than one intended to be loaded via the web interface?
reply
boredwild @ 29th Aug 10:01PM:
Re: wrtP54g unbrick restore help
Can't remember if I applied 3.1.14 or 3.1.17, but Debrick says it completed successfully in about 14 hours. Power light now stays on after power is applied (not flashing), but still can't connect with web interface, and pings just timeout. Have difficulty resetting this device: pushing the 'reset' button does not flash the power light or any other light (is it supposed to?). Up to now I have been cycling this device by holding the button for 30 s, removing power, restoring power, and continuing to hold the reset button, uninterrupted, for another 30 s or so. Thought I remember the unit cycling through all the lights on startup (when it was locked and working). How I long for those days...
reply
mazilo @ 29th Aug 10:43PM:
Re: wrtP54g unbrick restore help
said by boredwild :
Power light now stays on after power is applied (not flashing), but still can't connect with web interface, and pings just timeout.
Your best chance here is to return (for exchange) the product to Fry's Electronics while time is still permitted. Otherwise, purchase another one and use this receipt to return the bricked one to get your money back.
reply
mazilo @ 29th Aug 10:45PM:
Re: wrtP54g unbrick restore help
said by boredwild :
So there's no reason to believe that a JTAG .bin should be any different (in length or content) than one intended to be loaded via the web interface?
IIRC, a complete Flash dump is about 8MB in size whereas a WRTP54G firmware is about 3.5MB in size. So, they must be different.
reply
boredwild @ 30th Aug 12:31AM:
Re: wrtP54g unbrick restore help
Fry's is too far away (I'm in New Zealand), but if the info at openwrt.org is correct the bootloader may be fine and it may simply need a firmware image that has been correctly prepared for application via JTAG: »wiki.openwrt.org/OpenWrtDocs/Har···/WRTP54G
Apparently the web interface changes one of the bytes so that it can be accepted by the flash, and the entire firmware image should be eight bytes shorter if applied directly rather than through the web interface. Looks like it's time to try my hand at hex editing...
reply
boredwild @ 12th Sep 08:03AM:
Re: wrtP54g unbrick restore help
Pretty sure now that I overwrote the bootloader as I started the flash at b00000000 rather than starting at b0020000 (after the bootloader). My backup is no good as it is all FFs because I made it using the generic Debrick commands rather than the Spansion-specific commands. I would be very appreciative if someone would give me a dump of the bootloader of a WRTP54g (20000 bytes from b00000000 -> b0001ffff). Mine is a Vonage, but any provider's bootloader would probably work. I'll just have to match the brand of firmware to the bootloader. Thanks
reply
boredwild @ 11th Oct 09:09PM:
Re: wrtP54g unbrick restore help
Thanks to a generous member, was able to flash my vonage unit with a complete rom dump from an earthlink unit (33 hours via unbuffered JTAG), effectively making it an -ER unit, I guess. Unit will now respond to pings but I can't access the web interface at 192.168.15.1. Is this vonage default web interface IP address different for an earthlink unit? Noticed when editing the -ER image to include the MAC & Serial of my vonage unit, and blanking the crypt key (all FFs), that the -ER image contains 2 serial numbers: one ending in an "A" and one ending in a "B". Presumably these 2 numbers correspond to 2 different firmware images (one a backup) contained on the flash ROM. I entered my serial number the same for both images because its length was the same as the Earthink serials which included the "A" and "B". Could this be the cause of the problem or should I be looking elsewhere?
reply
boredwild @ 30th Oct 08:19AM:
Re: wrtP54g unbrick restore help
Is there any reason why a complete dump of an -ER unit would not work when flashed to a Vonage unit via JTAG? Set the serial number in 2 places where "serialnumber" was followed by 12 digits. Entered my MAC address in the one place where "mac_ap" was followed by "00 01 02 03 04 07", although this seems as though it might be a variable rather than where the MAC address is stored - anyone know how to enter the MAC? I blanked the CRYPT_KEY with "20" (spacebar) as suggested by a fellow member. Does anyone know if this is correct, or if something else like "FF" should be used? Set the ADMIN_PWD to
"AB/PLgjMdnCMg" which is supposed to be a blank password. Unit will respond to pings which is better than it was, but does anyone have any additional suggestions? Thanks.
reply
boredwild @ 2nd Nov 07:25AM:
Re: wrtP54g unbrick restore help
Does anyone have a complete rom dump from a Vonage wrtp54g that they wouldn't mind sharing in an attempt to restore this device of mine? Not willing to give up, but at a bit of a standstill since flashing the Earthlink rom dump to my Vonage unit. Made it a bit less of a brick though as it did restore its response to pings.
Thanks
reply
DaveTap @ 4th Nov 09:13AM:
Re: wrtP54g unbrick restore help
wow sounds like you've got quite a challenge. I've got several ex-vonage WRTP54Gs and an ex-earthlink how do I do the rom dump?
reply
mazilo @ 4th Nov 01:03PM:
Re: wrtP54g unbrick restore help
said by DaveTap :
wow sounds like you've got quite a challenge. I've got several ex-vonage WRTP54Gs and an ex-earthlink how do I do the rom dump?
I have never done this; however, I wouldn't be surprise if you will need a programmer to read the contents of the ROM in order to dump the ROM. IIRC, DogFace05 may be able to do this through his software and remotely, but for a PAP2v1 and/or most first generation of SIPURA ATA devices, i.e. SPA1001, SPA2K, SPA3K, etc. I hope DogFace05 can clarify this.
reply
boredwild @ 28th Nov 09:29PM:
Re: wrtP54g unbrick restore help
Success (for the most part)!
A complete JTAG dump (bootloader&firmware) from an -ER unit can be written to the flash of a wrtp54g Vonage unit. Thanks to Maz, who provided the Earthlink dump, and showed me how to patch in my serial and MAC and blank the admin password for the voice section, I now have a functioning VOIP router. It took about 32 hours to write the image via JTAG. The voice section had a blank password after the restore, but it became locked after I entered my provider's provisioning script. Nevertheless, perhaps this means that a bootloader or complete image from an -NA unit could be written to ANY wrtp54g?
Is there a way to prevent locking of the unit by the provider if they require provisiong via a script?
On another note, a problem has come to light in the voice functionality - lots of background hiss with occasional popping and crackling that makes it nearly unusable; the noise appears much worse on my end than for the other party. Have tried both corded and cordless handsets, and the provider has changed the active phone port to #2, but nothing has helped. Considered that it might be a heat problem, so the unit is out of it's enclosure and resting vertically. Still this has not helped. Results of testing on www.testyourvoip.com indicates that the call quality should be reasonable. Interestingly, a PAP2 adapter provides excellent call quality when run on my internet connection (Motorola cable modem). Is it at all likely that these symptoms are due to the restore, or is it more likely that some internal component is failing (I bought the unit used on ebay)?
I could try a restore using a Vonage JTAG dump if someone on the forums would be so kind as to provide one...
reply
mazilo @ 28th Nov 09:40PM:
Re: wrtP54g unbrick restore help
said by boredwild :
I could try a restore using a Vonage JTAG dump if someone on the forums would be so kind as to provide one...
Before you do this, can you try to unlock this using a modded config.bin approach? Once unlocked, you may want to try to flash it with the same or newer firmware to see if this will eliminate the problem.
reply
ogdensburg @ 1st Dec 10:37AM:
Re: wrtP54g unbrick restore help
I believe this WRTP54G is defective . I have a Vonage RTP300 which has same problem(very loud background noise). You bought a defective unit.
said by boredwild :
lots of background hiss with occasional popping and crackling that makes it nearly unusable
reply
voiplover @ 1st Dec 11:08AM:
Re: wrtP54g unbrick restore help
Low bandwidth between you and the other caller can cause this.
reply
boredwild @ 1st Dec 06:08PM:
Re: wrtP54g unbrick restore help
The noise is present from when the receiver is lifted and is not dependent on being connected to another party. No noise through the voice ports if the voice section is not activated. Thought there was a possibility that the noise was being induced through the power supply, but ogdensburg's comment indicates that there is likely a component failure. Any electronics engineers out there have an idea of where I might go looking for a fault?
reply
voiplover @ 1st Dec 06:52PM:
Re: wrtP54g unbrick restore help
Does the same thing happen on both phone ports?
Check the RJ11 cables and connectors.
Try a different phone.
reply
boredwild @ 1st Dec 09:02PM:
Re: wrtP54g unbrick restore help
Noise is on both ports and occurs when using either a cordless or corded phone plugged directly into the router.
reply
Thank you for using lo-fi dslreports.com - report bugs
© 99-2009 silver matrix LLC