
Why do you need a universal JTAG adapter?

There are many different JTAG cables on the market, and they are often not compatible with each
other. The problem is caused by the software. The JTAG standard only defines a few hardware pinouts.
However, there is no standard definition on the PC side, e.g. which DB25 pin is for TDI? This really
depends on the software: some JTAG software may assume TDI is connected to pin 2 of the DB25, but
other software may assume it is on pin 3. Even on the JTAG connector side there are many different
pinouts: 20 pin, 14 pin, 12 pin, 10 pin, etc. In a nutshell, you need a JTAG cable/adapter that is flexible
enough to let you configure it for different software/programmers, so you only need to invest in one
JTAG adapter.

What is our universal JTAG adapter?


Our parallel universal JTAG adapter can easily be configured as a buffered or unbuffered
JTAG. With the provided flexible jumper wires you can easily change the pin configuration to suit
different programmers.
PW is the power output. Remember that this board uses USB power, which by default only provides
100mA at 5V. If you connect the power header to a component that requires more current, it will damage
your USB port.
PW provides two GND, two 5.0V and two 3.3V outputs.
PWR is the power-on LED. When the USB cable is connected, the LED will light. If you want to use the
adapter in unbuffered mode, you do not need to connect the USB cable.
PDB is the header that is directly connected to the DB25's pins 1 to 17, each via a 100 Ohm resistor. E.g.
header D1 is connected to pin 1 of the parallel port via a 100 Ohm resistor, header D9 is connected to pin 9
of the parallel port via a 100 Ohm resistor, etc.
Bin is the buffer input header. We use a 74HCT244 as the buffer chip. Bout is the buffer output header.
Y1 is the buffered output of A1, Y2 is the buffered output of A2, and so on.

Buffered or unbuffered
The product comes with 6 x 50cm color-coded flexible cables and 6 x 10cm color-coded flexible cables.
If you want to use the adapter in unbuffered mode, you only use the 6 x 50cm flexible cables. Do not
connect the USB cable to your PC in this case.
If you want to use the adapter in buffered mode, you need all the cables, and you also need to connect the
adapter to your PC's USB port via a USB A to Mini USB B cable. Once the USB cable is connected,
the PWR LED will light.

Configure it to use with TJTAG for wireless routers


In the following example, I am using a Linksys WRT54G wireless router.

Linksys Series Routers JTAG Pinout
DB25     Router         Function
2        3              TDI
3        9              TCK
4        7              TMS
5        1              TRST (Not Connected)
13       5              TDO
18-25    2,4,6,8,10     GND

Since TRST is not used, you only need 5 flexible cables.

Unbuffered mode
You just need 5 x 50cm flexible cables, connected as follows:
• Insert one end of the red flexible cable into D2, and the other end into your router's
TDI, in this case PIN 3.
• Insert one end of the yellow flexible cable into D3, and the other end into your
router's TCK, in this case PIN 9.
• Insert one end of the green flexible cable into D4, and the other end into your
router's TMS, in this case PIN 7.
• Insert one end of the blue flexible cable into D13, and the other end into your
router's TDO, in this case PIN 5.
• Insert one end of the black flexible cable into GND, and the other end into your
router's GND, in this case PIN 2, 4, 6, 8 or 10.

Once connected, connect the adapter to your PC's parallel port, then you are all set.

Buffered mode
In buffered mode, you will need 5-7 pieces of 10cm flexible cable and 5-8 pieces of 50cm flexible cable
(again, they come with the package).

On board configuration:
• Insert one end of the 10cm orange flexible cable into D2, and the other end into A1 ->
this is optional. If pin "n_SRST" is not active, do not connect it.
• Insert one end of the 10cm green flexible cable into D3, and the other end into A2
• Insert one end of the 10cm yellow flexible cable into D4, and the other end into A3
• Insert one end of the 10cm red flexible cable into D5, and the other end into A4
• Insert one end of the 10cm white flexible cable into D6, and the other end into A5
• Insert one end of the 10cm purple flexible cable into D7, and the other end into A6 ->
this is optional. If pin "DINT" is not active, do not connect it.
• Insert one end of the 10cm blue flexible cable into D11, and the other end into Y8

Connect to your router:


• Insert one end of the 50cm orange flexible cable into Y1, and the other end into the
router's n_SRST pin, in this case PIN 11 -> this is optional. If pin "n_SRST" is not
active, do not connect it.
• Insert one end of the 50cm green flexible cable into Y2, and the other end into your
router's TMS pin, in this case PIN 7.
• Insert one end of the 50cm yellow flexible cable into Y3, and the other end into your
router's TCK pin, in this case PIN 9.
• Insert one end of the 50cm red flexible cable into Y4, and the other end into your
router's TDI pin, in this case PIN 3.
• Insert one end of the 50cm blue flexible cable into A8, and the other end into your
router's TDO pin, in this case PIN 5.
• Insert one end of the 50cm black flexible cable into GND, and the other end into your
router's GND pin, in this case PIN 2, 4, 6, 8 or 10.
• Insert one end of the 50cm white flexible cable into Y5, and the other end into your
router's n_TRST pin, in this case PIN 1.
• Insert one end of the 50cm purple flexible cable into Y6, and the other end into the
router's DINT pin, in this case PIN 13 -> this is optional. If pin "DINT" is not
active, do not connect it.

Connect the JTAG board to your PC:


• Connect the board to the parallel port of your PC
• Connect the board to your PC's USB port via a USB cable

You are all set.


You can follow these instructions to debrick your router:
• TJTAG manual
• Debrick Routers Using JTAG Cable
• Wireless router JTAG Pinouts

Configure it to use with Blackcat software for your cable modem (Motorola, Webstar etc.)
You can connect your cable modem and your PC via a JTAG cable to do some interesting tests, such as
changing the MAC address, serial number, bootloader and firmware.

Unbuffered mode
In this mode, the JTAG adapter is configured to act as an unbuffered JTAG, so you do NOT need
to power it using the USB cable.
This is a schematic of the unbuffered Surfboard and Webstar JTAG cable:
From the above schematic, you can see that there are six (6) connections (RST, TDI, TDO, TMS,
TCK and GND).
You will also notice that Motorola's JTAG header is different from the Webstar's. Motorola has a 10 pin
header and Webstar has an 8 pin header. However, with our Universal JTAG this doesn't matter, because
you can use the flex cables.
Here is how to configure our Universal JTAG Adapter to work with cable modems:
• Insert one end of the red flexible cable into D6, and the other end into your modem's
RST (Motorola: PIN 1, Webstar: PIN 6)
• Insert one end of the yellow flexible cable into D7, and the other end into your
modem's TMS (Motorola: PIN 7, Webstar: PIN 3)
• Insert one end of the green flexible cable into D8, and the other end into your
modem's TDI (Motorola: PIN 3, Webstar: PIN 4)
• Insert one end of the blue flexible cable into D9, and the other end into your modem's
TCK (Motorola: PIN 9, Webstar: PIN 5)
• Insert one end of the white flexible cable into D11, and the other end into your
modem's TDO (Motorola: PIN 5, Webstar: PIN 1)
• Insert one end of the black flexible cable into GND, and the other end into your
modem's GND (Motorola: PIN 2, 4, 6, 8, 10, Webstar: PIN 2 or 7)

Bingo! You are all set.

Now connect your universal JTAG adapter to your PC's parallel port, turn on the modem, launch the
Blackcat software and have fun modding it!

Buffered mode
In this mode, the JTAG adapter is configured to act as a buffered JTAG, so you need to power
it using a USB cable (USB A to Mini USB B, which comes with most digital cameras).
Using the unbuffered schematic above as the reference, we need 6 connections plus a USB cable.

On board configuration:
• Insert one end of the 10cm red flexible cable into D6, and the other end into A1
• Insert one end of the 10cm yellow flexible cable into D7, and the other end into A2
• Insert one end of the 10cm green flexible cable into D8, and the other end into A3
• Insert one end of the 10cm blue flexible cable into D9, and the other end into A4
• Insert one end of the 10cm white flexible cable into D11, and the other end into Y8

Connect to your modem:

• Insert one end of the 50cm red flexible cable into Y1, and the other end into your
modem's RST (Motorola: PIN 1, Webstar: PIN 6)
• Insert one end of the 50cm yellow flexible cable into Y2, and the other end into your
modem's TMS (Motorola: PIN 7, Webstar: PIN 3)
• Insert one end of the 50cm green flexible cable into Y3, and the other end into your
modem's TDI (Motorola: PIN 3, Webstar: PIN 4)
• Insert one end of the 50cm blue flexible cable into Y4, and the other end into your
modem's TCK (Motorola: PIN 9, Webstar: PIN 5)
• Insert one end of the 50cm white flexible cable into A1, and the other end into your
modem's TDO (Motorola: PIN 5, Webstar: PIN 1)
• Insert one end of the 50cm black flexible cable into GND, and the other end into your
modem's GND (Motorola: PIN 2, 4, 6, 8, 10, Webstar: PIN 2 or 7)

Connect the JTAG board to your PC:


• Connect the board to the parallel port of your PC
• Connect the board to your PC's USB port via a USB A to Mini USB B cable (comes with
most digital cameras)

You are done. Power your modem and run the application to finish your testing work!

What is TJTAG
This program reads/writes flash memory on the WRT54G/GS and compatible routers via EJTAG using
either DMA Access routines or PrAcc routines (slower/more compatible).
You can get the latest copy of TJTAG from [here]

What are the supported chips?


Supported Chips
Broadcom BCM4702 Rev 1 CPU
Broadcom BCM4704 KPBG Rev 9 CPU
Broadcom BCM4704 Rev 8 CPU
Broadcom BCM4712 Rev 1 CPU
Broadcom BCM4712 Rev 2 CPU
Broadcom BCM4716 Rev 1 CPU
Broadcom BCM4785 Rev 1 CPU
Broadcom BCM5350 Rev 1 CPU
Broadcom BCM5352 Rev 1 CPU
Broadcom BCM5354 KFBG Rev 1 CPU
Broadcom BCM5354 KFBG Rev 2 CPU
Broadcom BCM5354 KFBG Rev 3 CPU
Broadcom BCM3345 KPB Rev 1 CPU
Broadcom BCM5365 Rev 1 CPU
Broadcom BCM5365 Rev 1 CPU
Broadcom BCM6345 Rev 1 CPU
Broadcom BCM6348 Rev 1 CPU
Broadcom BCM6338 Rev 1 CPU
Broadcom BCM6358 Rev 1 CPU
Broadcom BCM6368 Rev 1 CPU
Broadcom BCM4321 RADIO STOP
Broadcom BCM4321L RADIO STOP
TI AR7WRD TNETD7300GDU Rev 1 CPU
BRECIS MSP2007-CA-A1 CPU
TI TNETV1060GDW CPU
Linkstation 2 with RISC K4C chip
Atheros AR531X/231X CPU
XScale IXP42X 266mhz
XScale IXP42X 400mhz
XScale IXP42X 533mhz
ARM 940T
Marvell Feroceon 88F5181
LX4380

Usage
USAGE: tjtag [parameter] </noreset> </noemw> </nocwd> </nobreak> </noerase>
</notimestamp> </dma> </nodma>
<start:XXXXXXXX> </length:XXXXXXXX>
</silent> </skipdetect> </instrlen:XX> </fc:XX> /bypass /st5

Required Parameter
------------------
-backup:cfe
-backup:nvram
-backup:kernel
-backup:wholeflash
-backup:custom
-backup:bsp
-erase:cfe
-erase:nvram
-erase:kernel
-erase:wholeflash
-erase:custom
-erase:bsp
-flash:cfe
-flash:nvram
-flash:kernel
-flash:wholeflash
-flash:custom
-flash:bsp
-probeonly
-probeonly:custom
Optional with -backup:, -erase:, -flash: wgrv8bdata, wgrv9bdata,
cfe128

Optional Switches
-----------------
/noreset ........... prevent Issuing EJTAG CPU reset
/noemw ............. prevent Enabling Memory Writes
/nocwd ............. prevent Clearing CPU Watchdog Timer
/nobreak ........... prevent Issuing Debug Mode JTAGBRK
/noerase ........... prevent Forced Erase before Flashing
/notimestamp ....... prevent Timestamping of Backups
/dma ............... force use of DMA routines
/nodma ............. force use of PRACC routines (No DMA)
/window:XXXXXXXX ... custom flash window base (in HEX)
/start:XXXXXXXX .... custom start location (in HEX)
/length:XXXXXXXX ... custom length (in HEX)
/silent ............ prevent scrolling display of data
/skipdetect ........ skip auto detection of CPU Chip ID
/instrlen:XX ....... set instruction length manually
/wiggler ........... use wiggler cable
/bypass ............ Unlock Bypass command & disable polling
/st5 ............... Use Speedtouch ST5xx flash routines instead of WRT
routines
/reboot............. sets the process and reboots
/swap_endian........ swap endianess during backup - most Atheros
based routers
/flash_debug........ flash chip debug messages, show flash MFG and
Device ID

/fc:XX = Optional (Manual) Flash Chip Selection
-----------------------------------------------
/fc:01 ............. MX29LV800BTC 512kx16 TopB (1MB)
/fc:02 ............. MX29LV800BTC 512kx16 BotB (1MB)
/fc:03 ............. AMD 29lv160DB 1Mx16 BotB (2MB)
/fc:04 ............. AMD 29lv160DT 1Mx16 TopB (2MB)
/fc:05 ............. EON EN29LV160A 1Mx16 BotB (2MB)
/fc:06 ............. EON EN29LV160A 1Mx16 TopB (2MB)
/fc:07 ............. MBM29LV160B 1Mx16 BotB (2MB)
/fc:08 ............. MBM29LV160T 1Mx16 TopB (2MB)
/fc:09 ............. MX29LV160CB 1Mx16 BotB (2MB)
/fc:10 ............. MX29LV160CT 1Mx16 TopB (2MB)
/fc:11 ............. K8D1716UTC 1Mx16 TopB (2MB)
/fc:12 ............. K8D1716UBC 1Mx16 BotB (2MB)
/fc:13 ............. ST M29W160EB 1Mx16 BotB (2MB)
/fc:14 ............. ST M29W160ET 1Mx16 TopB (2MB)
/fc:15 ............. Macronix MX25L160A (2MB) Serial
/fc:16 ............. Atmel AT45DB161B (2MB) Serial
/fc:17 ............. Atmel AT45DB161B (2MB) Serial
/fc:18 ............. K8D3216UTC 2Mx16 TopB (4MB)
/fc:19 ............. K8D3216UBC 2Mx16 BotB (4MB)
/fc:20 ............. Macronix MX25L1605D (2MB) Serial
/fc:21 ............. Macronix MX25L3205D (4MB) Serial
/fc:22 ............. Macronix MX25L6405D (8MB) Serial
/fc:23 ............. STMicro M25P16 (2MB) Serial
/fc:24 ............. STMicro M25P32 (4MB) Serial
/fc:25 ............. STMicro M25P64 (8MB) Serial
/fc:26 ............. STMicro M25P128 (16MB) Serial
/fc:27 ............. AMD 29lv320MB 2Mx16 BotB (4MB)
/fc:28 ............. AMD 29lv320MT 2Mx16 TopB (4MB)
/fc:29 ............. AMD 29lv320MT 2Mx16 TopB (4MB)
/fc:30 ............. TC58FVB321 2Mx16 BotB (4MB)
/fc:31 ............. TC58FVT321 2Mx16 TopB (4MB)
/fc:32 ............. AT49BV/LV16X 2Mx16 BotB (4MB)
/fc:33 ............. AT49BV/LV16XT 2Mx16 TopB (4MB)
/fc:34 ............. MBM29DL323BE 2Mx16 BotB (4MB)
/fc:35 ............. MBM29DL323TE 2Mx16 TopB (4MB)
/fc:36 ............. AMD 29lv320DB 2Mx16 BotB (4MB)
/fc:37 ............. AMD 29lv320DT 2Mx16 TopB (4MB)
/fc:38 ............. MBM29LV320BE 2Mx16 BotB (4MB)
/fc:39 ............. MBM29LV320TE 2Mx16 TopB (4MB)
/fc:40 ............. MX29LV320B 2Mx16 BotB (4MB)
/fc:41 ............. MX29LV320B 2Mx16 BotB (4MB)
/fc:42 ............. MX29LV320T 2Mx16 TopB (4MB)
/fc:43 ............. MX29LV320T 2Mx16 TopB (4MB)
/fc:44 ............. ST 29w320DB 2Mx16 BotB (4MB)
/fc:45 ............. ST 29w320DT 2Mx16 TopB (4MB)
/fc:46 ............. MX29LV640B 4Mx16 TopB (16MB)
/fc:47 ............. MX29LV640B 4Mx16 BotB (16MB)
/fc:48 ............. W19B(L)320ST 2Mx16 TopB (4MB)
/fc:49 ............. W19B(L)320SB 2Mx16 BotB (4MB)
/fc:50 ............. W19B(L)320SB 2Mx16 BotB (4MB)
/fc:51 ............. M29DW324DT 2Mx16 TopB (4MB)
/fc:52 ............. M29DW324DB 2Mx16 BotB (4MB)
/fc:53 ............. TC58FVM6T2A 4Mx16 TopB (8MB)
/fc:54 ............. TC58FVM6B2A 4Mx16 BopB (8MB)
/fc:55 ............. K8D6316UTM 4Mx16 TopB (8MB)
/fc:56 ............. K8D6316UBM 4Mx16 BotB (8MB)
/fc:57 ............. Intel 28F160B3 1Mx16 BotB (2MB)
/fc:58 ............. Intel 28F160B3 1Mx16 TopB (2MB)
/fc:59 ............. Intel 28F160C3 1Mx16 BotB (2MB)
/fc:60 ............. Intel 28F160C3 1Mx16 TopB (2MB)
/fc:61 ............. Intel 28F320B3 2Mx16 BotB (4MB)
/fc:62 ............. Intel 28F320B3 2Mx16 TopB (4MB)
/fc:63 ............. Intel 28F320C3 2Mx16 BotB (4MB)
/fc:64 ............. Intel 28F320C3 2Mx16 TopB (4MB)
/fc:65 ............. Sharp 28F320BJE 2Mx16 BotB (4MB)
/fc:66 ............. Intel 28F640B3 4Mx16 BotB (8MB)
/fc:67 ............. Intel 28F640B3 4Mx16 TopB (8MB)
/fc:68 ............. Intel 28F640C3 4Mx16 BotB (8MB)
/fc:69 ............. Intel 28F640C3 4Mx16 TopB (8MB)
/fc:70 ............. Intel 28F160S3/5 1Mx16 (2MB)
/fc:71 ............. Intel 28F320J3 2Mx16 (4MB)
/fc:72 ............. Intel 28F320J5 2Mx16 (4MB)
/fc:73 ............. Intel 28F320S3/5 2Mx16 (4MB)
/fc:74 ............. Intel 28F640J3 4Mx16 (8MB)
/fc:75 ............. Intel 28F640J5 4Mx16 (8MB)
/fc:76 ............. Intel 28F128J3 8Mx16 (16MB)
/fc:77 ............. SST39VF1601 1Mx16 BotB (2MB)
/fc:78 ............. SST39VF1602 1Mx16 TopB (2MB)
/fc:79 ............. SST39VF3201 2Mx16 BotB (4MB)
/fc:80 ............. SST39VF3202 2Mx16 TopB (4MB)
/fc:81 ............. SST39VF6401 4Mx16 BotB (8MB)
/fc:82 ............. SST39VF6402 4Mx16 TopB (8MB)
/fc:83 ............. SST39VF6401B 4Mx16 BotB (8MB)
/fc:84 ............. SST39VF6402B 4Mx16 TopB (8MB)
/fc:85 ............. Spansion S29GL032M BotB (4MB)
/fc:86 ............. Spansion S29GL032M TopB (4MB)
/fc:87 ............. Spansion S29GL064M BotB (8MB)
/fc:88 ............. Spansion S29GL064M TopB (8MB)
/fc:89 ............. Spansion S29GL128P U (16MB)
/fc:90 ............. Spansion S29GL128M U (16MB)
/fc:91 ............. Spansion S29GL256P U (32MB)
/fc:92 ............. Spansion S29GL512P U (64MB)
/fc:93 ............. Spansion S29GL01GP U (128MB)
/fc:94 ............. Spansion S25FL016A (2MB) Serial
/fc:95 ............. Spansion S25FL032A (4MB) Serial
/fc:96 ............. Spansion S25FL064A (8MB) Serial
/fc:97 ............. Winbond W19B320AB BotB (4MB)
/fc:98 ............. Winbond W19B320AT TopB (4MB)
/fc:99 ............. Winbond W25X32 (4MB) Serial
/fc:100 ............. Winbond W25X64 (8MB) Serial
/fc:101 ............. EON EN29LV320 2Mx16 BotB (4MB)
/fc:102 ............. EON EN29LV320 2Mx16 TopB (4MB)
/fc:103 ............. EON EN29LV640 4Mx16 TopB (8MB)
/fc:104 ............. EON EN29LV640 4Mx16 BotB (8MB)
/fc:105 ............. AT49BV322A 2Mx16 BotB (4MB)
/fc:106 ............. AT49BV322A(T) 2Mx16 TopB (4MB)

NOTES: 1) If 'flashing' - the source filename must exist as follows:
          CFE.BIN, NVRAM.BIN, KERNEL.BIN, WHOLEFLASH.BIN or CUSTOM.BIN
          BSP.BIN

       2) If you have difficulty auto-detecting a particular flash part
          you can manually specify your exact part using the /fc:XX option.

       3) If you have difficulty with the older bcm47xx chips or when no CFE
          is currently active/operational you may want to try both the
          /noreset and /nobreak command line options together. Some bcm47xx
          chips *may* always require both these options to function properly.

       4) When using this utility, usually it is best to type the command line
          out, then plug in the router, and then hit <ENTER> quickly to avoid
          the CPUs watchdog interfering with the EJTAG operations.

       5) /bypass - enables Unlock bypass command for some AMD/Spansion type
          flashes, it also disables polling

***************************************************************************
* Flashing the KERNEL or WHOLEFLASH will take a very long time using JTAG *
* via this utility. You are better off flashing the CFE & NVRAM files *
* & then using the normal TFTP method to flash the KERNEL via ethernet. *
***************************************************************************

Things to try before you JTAG the router

Please read this article carefully:
Recover from a Bad Flash
If you have tried everything before the section "Recovery by JTAG cable" and it still doesn't work, you
can now proceed with the following tutorials on how to save your router by using DIYGADGET's
JTAG cable.

Router Basics
I think it is very important to introduce some router basics before we get started, because we are going
to work with these things later on to save your router.
You have probably already heard terms like NVRAM, CFE, FLASH, etc. So what are they?

NVRAM
NVRAM stands for nonvolatile RAM. It can hold its contents when the main power source is lost. You
may even know this type of memory as static RAM (SRAM). Broadcom-based routers use NVRAM to
store the startup configuration file. Most bricked routers are caused by a wrong configuration file.

Kernel
The kernel is the central component of the router. Its responsibilities include managing the router's
resources (the communication between hardware and software components).
A corrupted kernel can also brick a router. The kernel is stored in the onboard FLASH chip.

Common Firmware Environment (CFE)


CFE stands for Common Firmware Environment. The Broadcom Common Firmware Environment
(CFE) is a collection of software modules for initialization and bootstrap of designs incorporating
Broadcom MIPS64™ processors. CFE is used to bootstrap the OS.
On startup, CFE performs the following low-level initialization:
1. Reset and ROM trap handler vectors
2. CPU and FPU initialization
3. L1 and L2 Cache initialization
4. Multiprocessor initialization
5. Memory controller initialization
6. PCI and LDT bus configuration
7. Environment variables
8. Console device initialization
9. Bootstrap device initialization
A corrupted CFE is an uncommon reason for a bricked router, but it can happen.

Using JTAG Cable to Repair Bricked Router


If you have read this far, it means the only way to debrick your router is by using a JTAG cable. Sorry
to hear that! However, don't worry, the steps are really straightforward!

DIYGADGET's Router JTAG Cable


This is the schematic of the JTAG cable:

Router JTAG Schematic


This is the JTAG pinout of the Linksys WRT54G(GS/GL) series routers:
nTRST    1    2    GND
TDI      3    4    GND
TDO      5    6    GND
TMS      7    8    GND
TCK      9   10    GND
nSRST   11   12    GND

Linksys Series Routers JTAG Pinout

DB25     Router         Function
2        3              TDI
3        9              TCK
4        7              TMS
5        1              TRST (Not Connected)
13       5              TDO
18-25    2,4,6,8,10     GND

The PCB Layout of DIYGADGET's Router JTAG Cable:


PCB Layout of DIYGADGET's Router JTAG Cable

The internal construction of DIYGADGET's Router JTAG cable:


Internal Construction of DIYGADGET's router JTAG Cable

Locate the JTAG Pins/Pads on the Router


The WRT54G(GS/GL) series routers have the standard JTAG pads on the PCB. They are at JP2 on the PCB,
as shown in the following pictures.

The initial version of the utility is the very famous HairyDairyMaid Debrick utility. You can get it from
here:
[HairyDairyMaid Debrick Utility]
However, we recommend using the [TJTAG] program, which includes the newer router models.
1. Download the [TJTAG] program and unzip it to a temp directory on your hard drive.
2. Copy the giveio.sys and loaddrv.exe to C:\windows\system32\drivers for XP or
C:\winnt\system32\drivers for 2000.
3. Double click loaddrv.exe in the system32 dir.
4. Append the giveio.sys onto the path in the utility:

Load Drv
5. Click the load button and then the start button, they should both confirm success. If this does
not happen go no further, go back and fix this. You need to make sure this works first.
Leave the loaddrv.exe running.

Making The JTAG Connection


This is the exciting part of this tutorial. If your router (like the Linksys WRT54G series) already has the
standard 12 pin JTAG pads on the PCB, you most likely do NOT need to solder wires to your PCB!
DIYGADGET provides a solderless solution for these routers.
This is what you will receive with your purchase: a router JTAG cable, a 12 pin header and
6 solderless pins. The solderless pins are provided for solderless operation:

DIYGADGET's Router JTAG Package

The 12 pin header is for people who have the skills to solder on a PCB. All you need to do is solder the
12 pin header onto the JTAG port of the router, and then connect the JTAG cable's black header to the
12 pin header you just soldered onto the PCB. Make sure pin 1 of the cable is connected to pin 1 on the
board. Pin 1 of the cable can be identified by a little triangle on the black header. Pin 1 on the PCB
is marked.
In this tutorial, I will show you how to make the connection using the solderless pins.
We only need 6 solderless pins for the connections because JTAG only uses 6 pins. From the schematic
above, we know only the following pins on the 12 pin header are used: 3, 5, 7, 9 and GND.
Let's carefully insert the solderless pins into holes 3, 5, 7, 9 and 6 of the 12 pin header (the WRT54G/GS/GL's
pins 2, 4, 6, 8 and 10 are all grounds and they are all interconnected on the PCB. Wire 6 is the only GND wire
of the header, so make sure you insert a solderless pin in hole 6, not 2, 4, 8, 10 or 12):

Insert solderless pins


(I also insert a pin into 1, it is optional)

Top view when solderless pins are inserted into the header
Now, let's see how we make the connection. Put the spring-loaded solderless pins on top of the JTAG
pads, align the pins with the pads, and make sure all 6 pins are connected to the corresponding pads. Give
them a little pressure and you will feel a little resistance. The pins are spring loaded with crown heads, so if
you give them a little pressure they will 'clamp' to the pads and won't move at all. Try it!

Feel the spring loaded solderless pins


Before we try to 'permanently' attach the pins to the pads, let's make sure the other connections are
finished.
1. Connect the power adapter to the router's power input, but DO NOT plug the transformer into
the wall outlet yet.
2. Connect the network cable to one of the LAN ports and the other end of the network cable to your
PC.
3. Connect the DB25 side of the JTAG cable to your PC's parallel port:
4. Carefully put the pins on top of the JTAG pads, then put a book or something heavy on top of
the header, so the spring-loaded pins will stay connected to the pads and you do not have to
hold the header any more. In the example, I used a Digikey catalog on top of the header:

Debrick it!
Let's debrick your router!
1. Plug the router's power adapter into the wall outlet.
2. From the command prompt, cd to the windows directory of your unzipped TJTAG and run
tjtagv2.exe to get a list of options.
3. To check your cable, run the command tjtagv2.exe -probeonly. It will automatically detect the CPU
type (see pic below for an example of LINKSYS WRT54GS). If not, then check your cable.
4. Back up the NVRAM (command tjtagv2.exe -backup:nvram):
It took 32 seconds to back up my WRT54GS' NVRAM.
5. Back up the CFE (command tjtagv2.exe -backup:cfe):
It took 60 seconds to back up my WRT54GS' CFE.
6. Back up the whole flash (command tjtagv2.exe -backup:wholeflash):
It took 1931 seconds (or 33 minutes) to back up my WRT54GS' whole flash.
7. Repeat the above steps at least 2 times to generate the backups again, then use binary comparison
software to compare the backups. Make sure they are exactly the same before you erase anything.
8. Finally, erase your NVRAM (the usual cause of the problem) with the command tjtagv2.exe
-erase:nvram
9. If that doesn't work, erase the kernel (firmware): tjtagv2.exe -erase:kernel, then reflash the
kernel via TFTP. This is a very good tutorial on how to flash your router with TFTP: [TFTP
Flash]
10. If it still doesn't work, first try to find a CFE for your router (make sure the model/version
matches). Here are two repositories of some routers' CFEs: [CFE collection project] and [CFE
collection 2]
11. The CFE bin files in the repository all have MAC addresses that DO NOT MATCH your
hardware. Use the CFE editing tool "IMGTOOL_NVRAM", available from the [Bitsum Wiki],
to set et0macaddr and il0macaddr before uploading the CFE. et0macaddr is the address
printed on the outside; il0macaddr is that same address, plus one. Example: If the printed
address is 00:90:4d:83:00:01, then et0macaddr is 00:90:4d:83:00:01 and il0macaddr is
00:90:4d:83:00:02. These are HEX numbers, so HEX 09 plus one is 0A, not 10.
12. Erase the CFE of your router and flash the working CFE back. tjtagv2.exe -erase:cfe will erase
your router's CFE and tjtagv2.exe -flash:cfe will flash the CFE back to your router. Remember
to use the modified CFE bin.
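
The checks in steps 7 and 11 above can be scripted. The following is an added example, not part of TJTAG or of the original tutorial: it compares repeated dumps of the same region byte for byte and derives il0macaddr from et0macaddr with hexadecimal carry. The file names and sample dumps are constructed, and treating a dump made of one repeated byte as suspect is an assumption of this example.

```python
# Added example (not part of TJTAG): pre-erase checks for steps 7 and 11.
import hashlib
import os
import re
import tempfile

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")


def first_difference(a, b):
    """Offset of the first differing byte, or None if the dumps are identical."""
    if a == b:
        return None
    for offset, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return offset
    return min(len(a), len(b))  # equal prefix, different lengths


def check_backups(paths):
    """Step 7: compare repeated dumps of one flash region; return (ok, detail)."""
    if len(paths) < 2:
        return False, "need at least two dumps of the same region"
    dumps = []
    for path in paths:
        with open(path, "rb") as fh:
            dumps.append(fh.read())
    names = [os.path.basename(p) for p in paths]
    ref = dumps[0]
    if not ref:
        return False, "%s is empty" % names[0]
    for name, dump in zip(names[1:], dumps[1:]):
        offset = first_difference(ref, dump)
        if offset is not None:
            return False, "%s differs from %s at offset 0x%X" % (name, names[0], offset)
    # Assumption of this example: a dump made of one repeated byte is treated
    # as suspect (stuck data line), although an erased region looks the same.
    if len(set(ref)) == 1:
        return False, "every byte is 0x%02X, check the cable first" % ref[0]
    return True, "sha256=" + hashlib.sha256(ref).hexdigest()


def il0macaddr_from(et0macaddr):
    """Step 11: il0macaddr is et0macaddr plus one, in hex, with carry."""
    if not MAC_RE.fullmatch(et0macaddr):
        raise ValueError("expected six colon-separated hex octets")
    value = int(et0macaddr.replace(":", ""), 16) + 1
    if value >= 1 << 48:
        raise ValueError("no address after ff:ff:ff:ff:ff:ff")
    digits = "%012x" % value
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def demo():
    """Run both checks on constructed sample data (not real router dumps)."""
    good = bytes(range(256)) * 4
    misread = bytearray(good)
    misread[0x123] ^= 0x01  # a single bit read differently on the second pass
    samples = {
        "nvram_1.bin": good,
        "nvram_2.bin": good,
        "nvram_3.bin": bytes(misread),
        "blank_1.bin": b"\xff" * 1024,
        "blank_2.bin": b"\xff" * 1024,
    }
    with tempfile.TemporaryDirectory() as tmp:
        def path(name):
            return os.path.join(tmp, name)
        for name, data in samples.items():
            with open(path(name), "wb") as fh:
                fh.write(data)
        return {
            "identical": check_backups([path("nvram_1.bin"), path("nvram_2.bin")]),
            "misread": check_backups([path("nvram_1.bin"), path("nvram_3.bin")]),
            "blank": check_backups([path("blank_1.bin"), path("blank_2.bin")]),
            "il0macaddr": il0macaddr_from("00:90:4d:83:00:01"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Keep the SHA-256 value of the verified dumps with the backup files so that a later copy can be checked against it.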
