There are many different JTAG cables available on the market, and often they are not compatible with each
other. The problem is caused by the software. The JTAG standard only defines a few hardware pinouts.
However, there is no standard definition on the PC side, e.g. which DB25 pin is for TDI? This really
depends on the software: some JTAG software may assume TDI is connected to pin 2 of the DB25, while
other software may assume it is on pin 3. Even on the JTAG connector side there are many different pinouts:
20 pin, 14 pin, 12 pin, 10 pin, etc. In a nutshell, you need a JTAG cable/adapter that is flexible
enough to let you configure it for different software/programmers, so you only need to invest in one
JTAG adapter.
Buffered or unbuffered
The product comes with 6 x 50cm color-coded flexible cables and 6 x 10cm color-coded flexible cables.
If you want to use the adapter in unbuffered mode, you only use the 6 x 50cm flexible cables. Do not
connect the USB cable to your PC in this case.
If you want to use the adapter in buffered mode, you need all the cables plus you need to connect the
adapter to your PC's USB port via a USB A to Mini USB B cable. Once the USB cable is connected,
the PWR LED will light.
Unbuffered mode
You just need 5 x 50cm flexible cables, connected as follows:
Insert one end of the red flexible cable to D2, and the other end to your router's
TDI, in this case is PIN 3.
Insert one end of the yellow flexible cable to D3, and the other end to your
router's TCK, in this case is PIN 9.
Insert one end of the green flexible cable to D4, and the other end to your
router's TMS, in this case is PIN 7.
Insert one end of the blue flexible cable to D13, and the other end to your
router's TDO, in this case is PIN 5.
Insert one end of the black flexible cable to GND, and the other end to your
router's GND, in this case is 2, 4, 6, 8 or 10.
Once connected, connect the adapter to your PC's parallel port, then you are all set.
Buffered mode
In buffered mode, you will need 5-7 pieces of 10 cm flexible cable and 5-8 pieces of 50 cm flexible cable
(again, they come with the package).
On board configuration:
Insert one end of the 10cm orange flexible cable to D2, and the other end to A1 ->
this is optional, if pin "n_SRST" is not active, do not connect it.
Insert one end of the 10cm green flexible cable to D3, and the other end to A2
Insert one end of the 10cm yellow flexible cable to D4, and the other end to A3
Insert one end of the 10cm red flexible cable to D5, and the other end to A4
Insert one end of the 10cm white flexible cable to D6, and the other end to A5
Insert one end of the 10cm purple flexible cable to D7, and the other end to A6 ->
this is optional. If pin "DINT" is not active, do not connect it.
Insert one end of the 10cm blue flexible cable to D11, and the other end to Y8
Configure it to use with Blackcat software for your cable modem (Motorola,
Webstar etc.)
You can connect your cable modem and your PC via a JTAG cable to do some interesting tests, such as
changing the MAC address, serial number, bootloader and firmware.
Unbuffered mode
In this mode, the JTAG adapter is configured to act as an unbuffered JTAG, so you do NOT need
to power it using a USB cable.
This is a schematic of the unbuffered Surfboard and Webstar JTAG cable:
From the above schematic, you can see that there are six (6) connections (RST, TDI, TDO, TMS,
TCK and GND).
You will also notice that Motorola's JTAG header is different from the Webstar's. Motorola has a 10 pin
header and Webstar has an 8 pin header. However, with our Universal JTAG, this doesn't matter because
you can use the flex cable.
Here is how to configure our Universal JTAG Adapter to work with cable modems:
Insert one end of the red flexible cable to D6, and the other end to your modem's
RST, (Motorola: PIN 1, Webstar: PIN 6)
Insert one end of the yellow flexible cable to D7, and the other end to your
router's TMS, (Motorola: PIN 7, Webstar: PIN 3)
Insert one end of the green flexible cable to D8, and the other end to your
router's TDI, (Motorola: PIN 3, Webstar: PIN 4)
Insert one end of the blue flexible cable to D9, and the other end to your router's
TCK, (Motorola: PIN 9, Webstar: PIN 5)
Insert one end of the white flexible cable to D11, and the other end to your
router's TDO, (Motorola: PIN 5, Webstar: PIN 1)
Insert one end of the black flexible cable to GND, and the other end to your
router's GND, (Motorola: PIN 2, 4, 6, 8, 10, Webstar: PIN 2 or 7)
Buffered mode
In this mode, the JTAG adapter is configured to act as a buffered JTAG, so you need to power
it using a USB cable (USB A to Mini USB B, comes with most digital cameras).
Using the unbuffered schematic above as the reference, we need 6 connections plus a USB cable.
On board configuration:
Insert one end of the 10cm red flexible cable to D6, and the other end to A1
Insert one end of the 10cm yellow flexible cable to D7, and the other end to A2
Insert one end of the 10cm green flexible cable to D8, and the other end to A3
Insert one end of the 10cm blue flexible cable to D9, and the other end to A4
Insert one end of the 10cm white flexible cable to D11, and the other end to Y8
You are done. Power your modem and run the application to finish your testing work!
What is TJTAG
This program reads/writes flash memory on the WRT54G/GS and compatible routers via EJTAG using
either DMA Access routines or PrAcc routines (slower/more compatible).
You can get the latest copy of TJTAG from [here]
Usage
USAGE: tjtag [parameter] </noreset> </noemw> </nocwd> </nobreak> </noerase>
</notimestamp> </dma> </nodma>
<start:XXXXXXXX> </length:XXXXXXXX>
</silent> </skipdetect> </instrlen:XX> </fc:XX> /bypass /st5
Required Parameter
------------------
-backup:cfe
-backup:nvram
-backup:kernel
-backup:wholeflash
-backup:custom
-backup:bsp
-erase:cfe
-erase:nvram
-erase:kernel
-erase:wholeflash
-erase:custom
-erase:bsp
-flash:cfe
-flash:nvram
-flash:kernel
-flash:wholeflash
-flash:custom
-flash:bsp
-probeonly
-probeonly:custom
Optional with -backup:, -erase:, -flash: wgrv8bdata, wgrv9bdata,
cfe128
Optional Switches
-----------------
/noreset ........... prevent Issuing EJTAG CPU reset
/noemw ............. prevent Enabling Memory Writes
/nocwd ............. prevent Clearing CPU Watchdog Timer
/nobreak ........... prevent Issuing Debug Mode JTAGBRK
/noerase ........... prevent Forced Erase before Flashing
/notimestamp ....... prevent Timestamping of Backups
/dma ............... force use of DMA routines
/nodma ............. force use of PRACC routines (No DMA)
/window:XXXXXXXX ... custom flash window base (in HEX)
/start:XXXXXXXX .... custom start location (in HEX)
/length:XXXXXXXX ... custom length (in HEX)
/silent ............ prevent scrolling display of data
/skipdetect ........ skip auto detection of CPU Chip ID
/instrlen:XX ....... set instruction length manually
/wiggler ........... use wiggler cable
/bypass ............ Unlock Bypass command & disable polling
/st5 ............... Use Speedtouch ST5xx flash routines instead of WRT
routines
/reboot............. sets the process and reboots
/swap_endian........ swap endianess during backup - most Atheros
based routers
/flash_debug........ flash chip debug messages, show flash MFG and
Device ID
3) If you have difficulty with the older bcm47xx chips or when no CFE
is currently active/operational you may want to try both the
/noreset and /nobreak command line options together. Some bcm47xx
chips *may* always require both these options to function properly.
4) When using this utility, usually it is best to type the command line
out, then plug in the router, and then hit <ENTER> quickly to avoid
the CPUs watchdog interfering with the EJTAG operations.
***************************************************************************
* Flashing the KERNEL or WHOLEFLASH will take a very long time using JTAG *
* via this utility. You are better off flashing the CFE & NVRAM files *
* & then using the normal TFTP method to flash the KERNEL via ethernet. *
***************************************************************************
Router Basics
I think it is very important to introduce some router basics before we get started, because we are going
to work on this stuff later on to save your router.
You have probably already heard of terms like NVRAM, CFE, FLASH, etc. So what are they?
NVRAM
NVRAM stands for nonvolatile RAM. It can hold its contents when the main power source is lost. You
may even know this type of memory as static RAM (SRAM). Broadcom-based routers use NVRAM to
store the startup configuration file. Most bricked routers are caused by a wrong configuration file.
Kernel
The kernel is the central component of the router. Its responsibilities include managing the router's
resources (the communication between hardware and software components).
A corrupted kernel can also brick a router. The kernel is stored in the onboard FLASH chip.
Load Drv
5. Click the load button and then the start button, they should both confirm success. If this does
not happen go no further, go back and fix this. You need to make sure this works first.
Leave the loaddrv.exe running.
Top view when solderless pins are inserted into the header
Now, let's see how we make the connection. Put the spring-loaded solderless pins on top of the JTAG
pads, align the pins with the pads, and make sure all 6 pins are connected to the corresponding pads. Give it
a little pressure and you will feel a little resistance. The pins are spring loaded with crown headers, so if
you give it a little pressure it will 'clamp' to the pads and won't move at all. Try it!
Debrick it!
Let's debrick your router!
1. Attach the router's power adapter to the wall outlet.
2. From the command prompt cd to your unzipped TJTAG's windows directory and run
tjtagv2.exe to get a list of options.
3. To check your cable, run command tjtagv2.exe -probeonly. It will automatically detect the CPU
type (see pic below for an example of LINKSYS WRT54GS). If not then check your cable.
4. Backup NVRAM (command tjtagv2.exe -backup:nvram):
It took 32 seconds to backup my WRT54GS' NVRAM.
5. Backup CFE (command tjtagv2.exe -backup:cfe):
It took 60 seconds to backup my WRT54GS' CFE.
6. Backup the whole flash (command tjtagv2.exe -backup:wholeflash):
It took 1931 seconds (or 33 minutes) to backup my WRT54GS' whole flash.
7. Repeat the above steps at least 2 times to generate the backups again, then use binary comparison
software to compare the backups and make sure they are exactly the same before you erase anything.
8. Finally, erase your NVRAM (the usual cause of the problem) with command tjtagv2.exe
-erase:nvram
9. If that doesn't work, erase the kernel (firmware): tjtagv2.exe -erase:kernel, then reflash the
kernel via TFTP. This is a very good tutorial on how to flash your router with TFTP: [TFTP
Flash]
10. If it still doesn't work, try to find a CFE for your router (make sure the model/version matches)
first. Here are two repositories of some routers' CFEs: [CFE collection project] and [CFE
collection 2]
11. The CFE bin files in the repository all have MAC addresses that DO NOT MATCH your
hardware. Use the CFE editing tool "IMGTOOL_NVRAM" available from The [Bitsum Wiki]
to set the et0macaddr and il0macaddr before uploading the CFE. et0macaddr is the address
printed on the outside; il0macaddr is that same address, plus one. Example: If the printed
address is 00:90:4d:83:00:01, then et0macaddr is 00:90:4d:83:00:01 and il0macaddr is
00:90:4d:83:00:02. These are HEX numbers, so HEX 09 plus one is 0A, not 10.
12. Erase the CFE of your router and flash the working CFE back. tjtagv2.exe -erase:cfe will erase
your router's CFE and tjtagv2.exe -flash:cfe will flash the CFE back to your router. Remember
to use the modified CFE bin.
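
The check in step 7, as an added example (not part of the original tutorial or of TJTAG): it compares repeated dumps of the same region byte for byte, reports SHA-256 digests and the first differing offset, and rejects a dump that is empty or a single repeated byte. The file names and the constant-fill heuristic are assumptions, and the sample data is constructed.

```python
import hashlib
import os
import tempfile


def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte, or None if a and b are identical."""
    for offset, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return offset
    # Same bytes so far: they differ only if one dump is shorter.
    return None if len(a) == len(b) else min(len(a), len(b))


def verify_backups(paths):
    """Return (ok, report); ok only if >= 2 dumps are byte-identical and sane."""
    if len(paths) < 2:
        return False, ["need at least two backups to compare"]
    dumps = []
    for p in paths:
        with open(p, "rb") as f:
            dumps.append(f.read())
    report = [f"{p}: {len(d)} bytes sha256={hashlib.sha256(d).hexdigest()}"
              for p, d in zip(paths, dumps)]
    ok = True
    for p, d in zip(paths[1:], dumps[1:]):
        off = first_difference(dumps[0], d)
        if off is not None:
            ok = False
            report.append(f"{p} differs from {paths[0]} at offset 0x{off:08X}")
    # Assumption (heuristic, not from the tutorial): an empty dump or one made
    # of a single repeated byte such as 0xFF is treated as a failed read.
    if len(set(dumps[0])) <= 1:
        ok = False
        report.append(f"{paths[0]} is empty or constant-filled")
    return ok, report


if __name__ == "__main__":
    # Constructed sample data standing in for three reads of the same region.
    good = b"FLSH" + bytes(range(256)) * 4
    bad = bytearray(good)
    bad[0x40] ^= 0x01  # simulate a single flipped bit in the third read
    with tempfile.TemporaryDirectory() as tmp:
        paths = [os.path.join(tmp, f"nvram_run{i}.bin") for i in (1, 2, 3)]
        for path, data in zip(paths, (good, good, bytes(bad))):
            with open(path, "wb") as f:
                f.write(data)
        ok, report = verify_backups(paths)
        print("identical" if ok else "MISMATCH: do not erase", *report, sep="\n  ")
```

Keep the verified dumps and their digests somewhere off the workstation used for flashing, so the original CFE and NVRAM can still be restored if a later step fails.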