Debricking a WRT54GS v1.0 using JTAG after nvram problems prevent booting

So, you've bricked your WRT54GS, most likely let a few profanities fly, and then thought "hey, maybe i can fix this without too much pain?"

You're partially right. Yes you can fix it. There will be pain involved. :)

I bricked my router by trying a clkfreq nvram tweak on my WRT54GS v1.0. I tried 216. It cost me a good 9 hours to fix it. I mention this because just maybe it will save you some pain :)

So, you can't do a boot_wait fix, because the problem is in the nvram. You MUST make a JTAG cable. I followed the directions from hairydairymaid_debrickv22.zip: JTAG debricking guide
- Full credit to hairydairymaid (a.k.a. lightbulb) for this guide. My guide would not be possible without that starting point.

The instructions for the JTAG connector are pretty good although the pin numbering could have been a bit more concisely stated :)
e.g.
LPT Pin   LPT Purpose   JTAG Pin         Purpose
13        /Select       5                TDO
2         D0            3                TDI
4         D2            7                TMS
3         D1            9                TCK
20,25     GND           2,4,6,8,10,12    GND
N/A       N/A           1,11             No Connection
All unspecified LPT pins are Not Connected.

I also modified mine a bit - I use slightly higher value resistors, but I was quite sure that this would not be an issue, and it wasn't.
Also, something I forgot about initially was that the JTAG software is designed for a WRT54G, not GS. The GS has different offsets, so the JTAG software must be tweaked before compilation. Luckily I didn't take out anything critical in the flash before realising this. I changed this block of defines in wrt54g.h after looking at some IRC logs:
#define FLASH_MEMORY      0x1C000000  /* base address of the flash in the CPU's memory map */
#define NVRAM_START       0x1C7F8000  /* nvram block at the top of the 8 MB part (follows the kernel) */
#define NVRAM_LENGTH      0x10000
#define CFE_START         0x1C000000  /* CFE bootloader occupies the first 256 KB */
#define CFE_LENGTH        0x40000
#define KERNEL_START      0x1C040000  /* firmware image starts right after the CFE */
#define KERNEL_LENGTH     0x7B8000    /* runs up to NVRAM_START */
#define WHOLEFLASH_START  0x1C000000  /* whole 8 MB flash, for full dumps */
#define WHOLEFLASH_LENGTH 0x800000
#define BLOCK_SIZE        0x1000      /* erase/program granularity used by the tool */

Once this is done, the flash tool can be compiled and works beautifully, if you ignore the speed. The best compromise is to try and get the router back to a state where you can tftp in new firmware (if required), or reconfigure it. It is worth the time to do a full flash dump, and a CFE dump. If you lose the CFE, well, let's not entertain that thought any longer. To do this you need to:
1. Use wrt54g to dump the CFE firmware. Copy (copy, NOT rename - you want a backup!) the dump to CFE.BIN
2. Erase the nvram with wrt54g.
3. Get a hex editor (on windows, hiew is nice) and edit the CFE.BIN:
Before:
00001250: 63 34 30 30-30 30 00 6C-61 6E 5F 69-70 61 64 64 c40000 lan_ipadd
00001260: 72 3D 31 39-32 2E 31 36-38 2E 31 2E-31 00 6C 61 r=192.168.1.1 la
00001270: 6E 5F 6E 65-74 6D 61 73-6B 3D 32 35-35 2E 32 35 n_netmask=255.25
00001280: 35 2E 32 35-35 2E 30 00-73 63 72 61-74 63 68 3D 5.255.0 scratch=
00001290: 61 30 31 38-30 30 30 30-00 62 6F 6F-74 5F 77 61 a0180000 boot_wa
000012A0: 69 74 3D 6F-66 66 00 77-61 74 63 68-64 6F 67 3D it=off watchdog=
000012B0: 35 30 30 30-00 00 00 00-00 00 00 00-00 00 00 00 5000
000012C0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
After:
00001250: 63 34 30 30-30 30 00 6C-61 6E 5F 69-70 61 64 64 c40000 lan_ipadd
00001260: 72 3D 31 39-32 2E 31 36-38 2E 31 2E-31 00 6C 61 r=192.168.1.1 la
00001270: 6E 5F 6E 65-74 6D 61 73-6B 3D 32 35-35 2E 32 35 n_netmask=255.25
00001280: 35 2E 32 35-35 2E 30 00-73 63 72 61-74 63 68 3D 5.255.0 scratch=
00001290: 61 30 31 38-30 30 30 30-00 62 6F 6F-74 5F 77 61 a0180000 boot_wa
000012A0: 69 74 3D 6F-6E 00 77 61-74 63 68 64-6F 67 3D 35 it=on watchdog=5
000012B0: 30 30 30 00-72 65 73 65-74 5F 67 70-69 6F 3D 36 000 reset_gpio=6
000012C0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
This enables boot_wait at the CFE level, so it survives even a reset to defaults, and reset_gpio=6 makes pushing the reset button force a reset to defaults. Hopefully recovering from future bricking will be much easier with it like this :)
4. Re-flash the edited CFE.BIN in with wrt54g.
5. Restart and attempt a normal tftp-on-boot style firmware update.
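The hex edit in step 3 is easy to get wrong by hand (an off-by-one shifts every later NUL terminator, and there is only a fixed amount of zero padding after the block to grow into). The script below is an added example in Python, not part of the original page or of the wrt54g JTAG tool: it parses the Before dump above from its hiew-style text, rewrites the NUL-separated key=value default block so that boot_wait=on and reset_gpio=6 are present, refuses to write past the zero padding, and checks that the result is byte-for-byte the After dump. Run it with two file names to apply the same edit to a real CFE.BIN copy (the file layout is assumed to match the dump format shown on the page).

```python
"""Patch the NVRAM defaults embedded in a WRT54GS CFE dump (added example)."""

# The Before/After listings from the page, as hiew-style dump text.
BEFORE_DUMP = """\
00001250: 63 34 30 30-30 30 00 6C-61 6E 5F 69-70 61 64 64 c40000 lan_ipadd
00001260: 72 3D 31 39-32 2E 31 36-38 2E 31 2E-31 00 6C 61 r=192.168.1.1 la
00001270: 6E 5F 6E 65-74 6D 61 73-6B 3D 32 35-35 2E 32 35 n_netmask=255.25
00001280: 35 2E 32 35-35 2E 30 00-73 63 72 61-74 63 68 3D 5.255.0 scratch=
00001290: 61 30 31 38-30 30 30 30-00 62 6F 6F-74 5F 77 61 a0180000 boot_wa
000012A0: 69 74 3D 6F-66 66 00 77-61 74 63 68-64 6F 67 3D it=off watchdog=
000012B0: 35 30 30 30-00 00 00 00-00 00 00 00-00 00 00 00 5000
000012C0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
"""

AFTER_DUMP = """\
00001250: 63 34 30 30-30 30 00 6C-61 6E 5F 69-70 61 64 64 c40000 lan_ipadd
00001260: 72 3D 31 39-32 2E 31 36-38 2E 31 2E-31 00 6C 61 r=192.168.1.1 la
00001270: 6E 5F 6E 65-74 6D 61 73-6B 3D 32 35-35 2E 32 35 n_netmask=255.25
00001280: 35 2E 32 35-35 2E 30 00-73 63 72 61-74 63 68 3D 5.255.0 scratch=
00001290: 61 30 31 38-30 30 30 30-00 62 6F 6F-74 5F 77 61 a0180000 boot_wa
000012A0: 69 74 3D 6F-6E 00 77 61-74 63 68 64-6F 67 3D 35 it=on watchdog=5
000012B0: 30 30 30 00-72 65 73 65-74 5F 67 70-69 6F 3D 36 000 reset_gpio=6
000012C0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
"""


def parse_hiew_dump(text):
    """Turn hiew-style dump lines into (base_offset, bytes).

    Only the first 16 tokens after the colon are taken as hex, so the ASCII
    column (which can itself look like hex, e.g. '5000') is never misread.
    """
    base, data = None, bytearray()
    for line in text.strip().splitlines():
        off_text, body = line.split(":", 1)
        off = int(off_text, 16)
        if base is None:
            base = off
        if off != base + len(data):
            raise ValueError("dump is not contiguous at %#x" % off)
        data += bytes(int(tok, 16) for tok in body.replace("-", " ").split()[:16])
    return base, bytes(data)


def read_defaults(image, start):
    """Return the NUL-separated key=value entries from start up to the double NUL."""
    end = image.index(b"\x00\x00", start)
    return image[start:end].split(b"\x00")


def patch_cfe_defaults(image, set_vars, add_vars):
    """Return a copy of image with the defaults block rewritten.

    set_vars: {b"boot_wait": b"on"} replaces the value of existing keys.
    add_vars: [b"reset_gpio=6"] entries are appended to the block.
    Entries before the first changed key are left untouched; the rest of the
    block is re-laid out, which is what the manual hex edit does implicitly.
    Raises ValueError if the new block would overrun the zero padding.
    """
    img = bytearray(image)
    starts = [img.find(b"\x00" + key + b"=") for key in set_vars]
    if any(s < 0 for s in starts):
        raise ValueError("a key to set is not present in the defaults block")
    start = min(starts) + 1
    entries = read_defaults(bytes(img), start)
    new_entries = []
    for entry in entries:
        key = entry.partition(b"=")[0]
        new_entries.append(key + b"=" + set_vars[key] if key in set_vars else entry)
    new_entries += list(add_vars)
    block = b"\x00".join(new_entries) + b"\x00"
    # Usable space is the old block plus the zeros after it, keeping one NUL
    # beyond the block so the double-NUL terminator is preserved.
    end = img.index(b"\x00\x00", start)
    free_end = end
    while free_end < len(img) and img[free_end] == 0:
        free_end += 1
    if len(block) + 1 > free_end - start:
        raise ValueError("patched defaults block does not fit in the padding")
    img[start:free_end] = block.ljust(free_end - start, b"\x00")
    return bytes(img)


BASE, BEFORE = parse_hiew_dump(BEFORE_DUMP)
_, AFTER = parse_hiew_dump(AFTER_DUMP)
EDIT = ({b"boot_wait": b"on"}, [b"reset_gpio=6"])


def patched_matches_page():
    """True when patching the Before dump reproduces the After dump exactly."""
    return patch_cfe_defaults(BEFORE, *EDIT) == AFTER


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python patch_cfe.py CFE.BIN CFE_patched.BIN
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(patch_cfe_defaults(data, *EDIT))
    else:
        print("page dump reproduced:", patched_matches_page())
```

Always run it on a copy of the dump and diff the output against the original before flashing; the only bytes that should change are those from boot_wait onwards, and the script will raise rather than silently spill into whatever follows the padding.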

At this point, you should be able to CFE-in or tftp-in new firmware. Rejoice. :)
If you can't, hook up a serial console (use the even numbered set of pins in the serial connector - see Serial Port mod) and try to get some more hints as to what is wrong. If you find something new out, add it here, please. :)

I haven't included any pictures as they wouldn't add anything to that already shown by the stuff I have referenced.

Good luck and happy debricking! :)

Note: This worked for me, it might not work for you. Don't blame me if it has unforeseen far-reaching consequences (i.e. planes falling out of the sky, your marriage failing, etc). You will void your warranty if you do any of this. Don't RMA the unit, buy a new one if you broke it and can't fix it - it's not fair on other consumers who pay for your mistakes through overall higher prices for future units.

References:
1. JTAG debricking guide
2. Serial Port mod