
WRT Bricking Issue

Normally I post stuff that is working, so I have instructions to repeat it. This is more of a saga of TRYING to get something working: a large fail has cost a lot of effort just to return to where I started, which is becoming a project in itself, so I'm posting my progress as I go. These instructions are my attempt to revive my dead router and get it back to a usable state.

Goal: Get a WRT set up for pentesting and defensive purposes (Snort, Nmap, TCPdump, Nessus, etc.). I wanted a wifi IDS, and an IDS for the wired side too, without having to dedicate a PC to it (more power, noise, expense, etc.)
Hardware: WRT54GL V1.1
Problem:  Bricked router

I recently bought two routers, a WRT54GS V7.2 (~$30), and a WRT54GL V1.1 (~$70)

I tried putting a captive portal on the GS, but with only 2MB of RAM it was crippled (see previous post). So I made it into a guest network without a portal, and moved on to my GL.

The firmware for the GL which appealed to me the most (and which was suggested by the Linksys WRT54G Hacking book) was the Fairuzawrt firmware. This is mostly undocumented firmware, and I knew I was getting into murky waters installing it. I looked around their site to try to find documentation on which versions were supported, and they don't mention it at all. That worried me. But since I had previously succeeded in bringing my GS back from the dead (due to a corrupt NVRAM), I thought I'd still try. I had corrupted the NVRAM on the GS a handful of times trying to find captive portal firmware, and had always managed to bring it back. Besides, I really wanted a WIDS and a pentesting suite on a WRT.

As a trial run, I enabled the boot_wait option in case I ran into problems, and I installed eWRT. That was to check out the NoCatSplash portal, which I couldn't get working on the GS. It seemed like I COULD set up a portal on the GL using NoCatSplash, but I had already set up a guest network with the GS, and I wanted to use this hardware for something with more oomph. Besides, I didn't want to spend $70 on a router just for a guest portal.

I installed Openwrt-wrt54g3g-squash.bin, and that seemed to be a pretty nice platform. It seemed very stable and usable as a router. I looked through their packages and didn't see Snort anywhere, so that firmware seemed out. I could have gone down the dd-wrt route, and that may be a project in the future, but since Fairuzawrt seemed to have the applications I wanted, I thought I'd try that. I used the seemingly stable web interface of OpenWRT to upload the Fairuzawrt-02.bin firmware, and here is where my problems started. The firmware upload hung in the middle of the upload.

Rebooted the router. Power light blinks steadily (indicating bad firmware). Tried to tftp up the aforementioned OpenWRT firmware several times, no success. Tried to ping the router: fail. The arp table shows an "incomplete hardware address", which is not good. The Ethernet port that I'm plugged into on the router is solid, and it blinks when I ping it, which is a good sign. It is also a good sign that NOT all of the Ethernet ports are solid, since all of them lit solid would indicate a bricked router. But it still won't ping or accept firmware.

I tried holding down the reset button for 30 seconds, unplugging power, holding for 30 more seconds, plugging power back in, and holding the reset for 30 more seconds, to reset the NVRAM in case the configuration was corrupt. No help.

I voided the warranty on the two-day-old router, and pulled out the motherboard. Shorted out pins 15-16, 16-ground, and 16-17. No help.

So now I have a steadily blinking power light, and can't communicate with it. The one steady Ethernet port, which blinks when I ping it, is promising, but the lack of an address in the arp table is disheartening. I thought I'd at least get the switch port to show something in the arp table (I installed a switch between my router and my laptop to make it more stable). It looks like a JTAG cable is my only choice.

I'm currently doing research to build a JTAG cable. This seems like a lot of work, but something geeky, so I tried it anyway. Plus, I hated to have a two-day-old, $70 brick.

Using the WRT book, the HairyDairyMaid guide, and also this URL to build a JTAG cable, I came up with the necessary parts below. I was surprised when I looked at my geek inventory that I had no parallel printer cables anywhere! So I thought of going to Radio Shack with the parts list below.

Radio Shack:
PN 276-1547    25-pin male solder D-sub connector
PN 276-1549    25-pin D-sub hood
PN 271-1131    100 Ohm resistors (pack of 5)

and then ordering the rest from Digikey:
PN WM8124-ND   2 by 6 pin header ($1.28)
PN MSC-12K     Socket connector (can't find)
PN MSSR-12-ND  Socket connector strain relief (can't find)

But that seemed like too much of a pain, and the Radio Shacks around here kind of blow, and in the end I'd probably spend more on gas driving to Radio Shacks, so I decided to just order the JTAG cable for $10.90 (including shipping) from eBay.

I got the JTAG cable, and was all set to solder the header pin to the board.  Here is what the equipment looked like:

Here is a closeup of the board without any connector:

OK, from here I broke out the soldering iron, and soldered on the pin header. Here are a couple of pics:

OK, so my soldering needed a little work. Actually, this was the first attempt. I then installed the JTAG reading software on a Windows box with a parallel port (installed the driver). That looked like this:

After I plugged in the cable and probed the card, I couldn't read the CPU. So I broke out the soldering iron again and fixed a few connections. After that, I plugged the board in and probed it with success!!! I tried to erase the NVRAM, but couldn't. See the screenshot:

The NVRAM erase just sat there forever. Since I couldn't erase the NVRAM, I tried to erase the flash. Still no success, as shown below.

Like the NVRAM, erasing the flash hung forever also. Since I couldn't get to the NVRAM or to the flash, the next logical place was the bootloader. On Linksys it's called the CFE. Luckily, I had the CFE for my current router, and I just replaced the one on the WRT with my file by using the command:

>tjtagv2.ext -backup:cfe /noemw /noreset

Success! The tjtag program happily stomped all over the bootloader, and I replaced it completely. This scrolled off the screen, so I have no screen capture but the end. Then, when I tried to erase the NVRAM, it worked! See below:

I tried to erase the flash, but it still hung. It was really screwed if the JTAG couldn't replace it. So, I thought I'd just reboot the router and tftp up the original Linksys firmware image (FW_WRT54GL_4.30.12.3_US_EN_code.bin). Luckily, that tftp'd up with no issues! So, I rebooted the router, and it came up like a champ! SUCCESS at last!
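The whole saga started with an image that was cut off mid-upload, so the one check worth doing before handing any .bin to tftp or the web uploader is to validate it first. The OpenWrt WRT54G images are TRX containers (magic "HDR0", a length, and a CRC-32 over everything after the CRC field), and the stock Linksys image is the same TRX behind a 32-byte vendor header; this added example (my code, not from the post or from OpenWrt) builds a small constructed TRX fixture and checks an image for bad magic, truncation and CRC mismatch before it goes anywhere near a router.

```python
import struct
import zlib

TRX_MAGIC = b"HDR0"      # "HDR0" as seen in the file; 0x30524448 little-endian
TRX_HEADER_LEN = 28      # v1 header: magic, len, crc32, flag_version, 3 offsets
LINKSYS_HEADER_LEN = 32  # vendor header Linksys prepends to stock images

def trx_crc32(data: bytes) -> int:
    """TRX stores CRC-32 without the final inversion; undo zlib's closing xor."""
    return zlib.crc32(data) ^ 0xFFFFFFFF

def build_trx(payload: bytes, version: int = 1) -> bytes:
    """Constructed TRX fixture around an arbitrary payload (not a real firmware)."""
    length = TRX_HEADER_LEN + len(payload)
    # CRC covers flag_version, the three offsets and the payload: bytes 12..len.
    tail = struct.pack("<I3I", version << 16, TRX_HEADER_LEN, 0, 0) + payload
    return TRX_MAGIC + struct.pack("<II", length, trx_crc32(tail)) + tail

def check_trx(image: bytes) -> dict:
    """Validate a firmware image before flashing; never returns ok on a partial file."""
    # Stock Linksys images wrap the TRX in a 32-byte vendor header; skip it if present.
    if image[:4] != TRX_MAGIC and image[LINKSYS_HEADER_LEN:LINKSYS_HEADER_LEN + 4] == TRX_MAGIC:
        image = image[LINKSYS_HEADER_LEN:]
    result = {"ok": False, "reason": None}
    if len(image) < TRX_HEADER_LEN:
        result["reason"] = "shorter than a TRX header"
        return result
    magic, length, crc, flag_version = struct.unpack_from("<4sIII", image, 0)
    if magic != TRX_MAGIC:
        result["reason"] = f"bad magic {magic!r} (expected {TRX_MAGIC!r})"
        return result
    if length > len(image):
        # Exactly the hung-upload case: header promises more bytes than arrived.
        result["reason"] = f"truncated: header says {length} bytes, file has {len(image)}"
        return result
    computed = trx_crc32(image[12:length])
    if computed != crc:
        result["reason"] = f"crc mismatch: header {crc:#010x}, computed {computed:#010x}"
        return result
    result.update(ok=True, length=length, version=flag_version >> 16)
    return result

if __name__ == "__main__":
    good = build_trx(b"kernel+squashfs" * 64)
    print(check_trx(good))
    print(check_trx(good[:-100]))  # simulate an upload that stopped early
```

Run `check_trx(open("firmware.bin", "rb").read())` on the real image and refuse to flash unless `ok` is True.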

The JTAG cable worked GREAT! I recommend it for bricked routers!
