As with most geeks, I’m a HUGE fan of custom firmware on embedded routers.
Recently I heard about Linksys releasing their new WRT610n. This sucker had 2 radios (the first operating at 2.4GHz, the second running at 5GHz). In the past I have done a lot of work with WDS mesh nets, etc… so I HAD to get my hands on a few of these. I went to the local tech retailer and picked up two of the V2.0s.
Since these are new devices, most of the 3rd party firmware development is fairly fresh. I don’t know too much about the specifics but from what I understand these units use the 2.6 kernel, whereas most of the past custom development has been done on the 2.4 kernels.
Anyways, I had quite a bit of fun messing around with these, testing some firmware, until finally at one point I accidentally flashed the incorrect firmware and bricked the device.
Typically with these new routers, they actually have a built in “Recovery Mode” if you’d want to call it that. Typically if you have a good firmware installed and just accidentally messed something up, you can:
1) Unplug power to device, disconnect all network cables.
2) Plug in Power to device
3) Wait a few seconds (2 seconds), and then press the reset button with a paperclip, I’d hold it for about 3 seconds and release.
4) Plug in computer to device, computer will receive an IP from a DHCP Server. Point browser to http://192.168.1.1
5) Use the “Management Firmware update” site that pops up to install the normal linksys firmware.
The above method helped me out a few times, however as stated earlier in this blog entry eventually I overwrote everything and flashed an incorrect image on to the device. (I was freaking out since the method above would NOT work)
Typically in the past you could TFTP a firmware image on boot and it would accept it, however this is no longer the case with the WRT610n. It will accept the firmware file, however it will NOT flash it to the flash on the device.
Here is how I recovered it:
Please note: If you do not know what you are doing, or do something wrong you could fry your device. The serial voltages on the device DO NOT match the voltages on your computer.
You’ll notice there are serial port pins inside of the internet port on the router. This port can provide serial terminal communications to the device and its CFE boot loader. Unfortunately I didn’t have the electronics to chip up a voltage regulator to hook it up to my PC, so instead I came up with a different solution. I used a WRT54GS to establish a serial console on the WRT610n.
As some of you know, most of the linksys device serial ports run on 3.3v. I have a bunch of WRT54GS’s lying around so I pulled one out, installed DD-WRT. After installing DD-WRT, I went ahead and used ipkg to install picocom, which is a serial terminal communications application. I essentially could SSH in to the router, then use picocom to initiate serial communications (using 3.3v of course).
Unfortunately there is no special connector for the serial port inside of the internet port on the WRT610n. This is where I had to get creative…
You’ll notice above that I simply just used a stripped telephone cable, and simply “touched” the RX and TX pins to the contacts on the board. Maybe you can figure out a better solution, I couldn’t!
Here is the other end:
The serial connection requires RX, TX, and ground. To establish the ground, I simply plugged a USB cable into the USB port on the WRT610n, and had the WRT54G ethernet housing touch it on the other end (ghetto, I know!).
After troubleshooting the contact points (kept having trouble with the wires staying on the board contacts), I finally got it to work. I SSH’ed into the WRT54G, opened up a picocom session on the serial port, and plugged in the power to the WRT610N. Instantly I saw the CFE boot loader initializing and trying to run the firmware. I FINALLY had access to the bootloader on the WRT610n.
Now was the annoying part, it has been a while since I have done this so it may be flawed:
After confirming your serial connection is working, restart the device and tap “ctrl+c” numerous times to gain access to the CFE prompt. Issue the “flash -ctheader : flash1.trx” (without quotations) command, and then initiate a TFTP upload to the router using your desktop computer. The device should accept it, and boot the image. In my experience, I noticed that after doing this and restarting the router, it would go back to being bricked after the first reboot. After performing the above flash, go to the web interface and use the “Firmware Upgrade” to re-flash the image. After completing this, all should be good!
Again, please note that I’m not sure if I used that command in the CFE. Other users have reported that it works. If not, google is your friend and you should be able to figure it out. The hard portion is getting serial access! Please feel free to post the commands you used in the comments so I can update this article.
I just ran through these steps with my WRT610n v2 router! After attempting to TFTP the firmware dozens of times, and attempting to access the firmware management Web interface to no avail, I resorted to using the serial method. Since I happen to have a small serial TTL to USB converter (FTDI), I opened up the router and soldered a small 3-wire pigtail header and brought it out to the under side of the unit. There are easily accessible solder pads on the board inside the unit on the under side of the PCB on one of the sides. I didn’t want to attempt to use the pads located in the Ethernet connector for my serial connection. Once I had the lines brought out and accessible, I connected it to my converter and interfaced it directly to my Linux box’s USB port. Then a simple, “screen /dev/ttyUSB0 115200” and I had a serial console into my borked WRT610n! From there, the same steps you mentioned recovered my router and I’m up and running with it again! Anyway, if I get some time, maybe I’ll post a few pics on my Website, of what I did to bring out the serial lines. The serial TTL to USB converter is a small inexpensive ($15 USD, I’ve been told) device. The board has, “sparkfun.com” on the back of it. I picked up mine from a friend who plays with this sort of stuff a lot. Anyway, I can attest to the fact that this method of recovery for the WRT610n v2 definitely works! In fact, of all the things I tried while scouring the DD-WRT forums, it’s the only thing that worked!
I’m glad to hear it worked!
Keep in mind these routers use a different voltage on the serial connections. The reason why I used a WRT54GL is because its serial connection uses the same voltage as the WRT-610n.
I’m surprised it worked, usually when people ignore the voltage difference, the unit/serial port on the Linksys device gets fried after one key is pressed.
Glad to hear though! When you get pics up, send me the URL and I’ll link it up at the end of my article!
Stephen
Yes, the levels are different from typical RS-232 signaling and I definitely would NOT connect the router directly up to a PC com port! The serial TTL to USB converter I’m using actually does interface nicely (and safely) to the router because there is no negative voltage swing as with RS-232 signals. Since we are keeping it in the TTL realm, there’s no need to convert levels. The little converter simply takes a serial TTL interface and converts it to USB! If you wanted to stick with a standard com port (RS-232 signaling), you could use something like a max232 IC to convert the levels for you, or you could use 4 transistors, a couple of diodes and a handful of resistors but that’s a different topic altogether! 🙂
Well thanks for the info. A lot of traffic comes in to this blog post. Your comments will definitely help some people!
Thanks again!
Stephen
I’ve been trying your method.
I have a WNR834B running DD-WRT v24-sp2 (08/07/10) mini.
I also have a bricked WRT610Nv2.
I wired the 160’s WAN port to the console on the 834B.
I fired up “picocom /dev/tts/0” but it just sits at “Terminal Ready”
I think it doesn’t work or wired it wrong.
Hi crzyruski,
So just to confirm, you have both devices grounded to each other, and you have the RX on the first device, going to TX on the other (likewise for TX to RX on the other)?
I’m not too familiar with the WNR834B, however I do see from a Google Search it’s doing the right voltage. I would first make sure that you have picocom accessing the right serial port (it may not be ttyS0, it could be ttyS1, etc…). I’d also double check the wiring as well. When I wired mine, I spent 2 hours trying to make the wiring come in contact with the contacts on the WRT-610Nv2.
Another thing too, I’m not sure if I’m wrong on this, but if your WNR834B is already listening on ttyS0, then you may not be able to use it to connect out (I’m not sure on this, but it makes sense).
One last thing, just in case if everything IS working. If you haven’t already, while you have picocom open, unplug power to the WRT610N and then plug it back in. This will show the boot loader on picocom if it is working.
Stephen
And PS. Serial connection speed can also play a factor!
ls /dev does not give me a listing for ttyS0, I gather you mean tts/0, right?
I had two telnet sessions both running picocom -b 115200 /dev/tts/0 and 1
also tried /dev/console
nothing each time I cycle the router by power switch.
I’m pretty sure I lined up with the contacts on the WAN port and the console on the 834B.
WAN ==> CONSOLE
—————————–
GND –> GND, RX –> TX, TX –> RX, NO POWER
I also tried your ghetto grounding…
I can’t wait for some hardware to arrive, I’m ghetto rigging everything and somewhere is too faulty.
I love that, my “ghetto” grounding 🙂
I know that some distributions use a different system for the /dev devices. I’m used to the /dev/ttyS0, /dev/ttyS1, etc… On yours it should be /dev/tts/0, /dev/tts/1, etc…
I’m wondering if your router is already configured to receive a serial console on the serial port. This is what could be causing the problems, but it’s odd that picocom reports “Terminal Ready”. Do a process list using ps and find out if there’s something already listening on the serial port on your 834b. If there is, try to kill that process and then start again.
Greetings,
I tried the same thing. Bricked WRT610N and a WRT54GL with dd-wrt, ipkg and picocom….
I receive a signal when I plug in the WRT610N but it shows only funny chars like:
D[ÅÂÂÃ
*áÒCD(ã¾e©Ôe
Ævâö³
ÒÎj0ÅZ×QÌðL
´ÂeŲ4ÉUâÙZÃ
§êm ¾%F_E
It’s moving so I can see there must be a stream but I can’t read anything. My start options are:
root@DD-WRT:~# picocom -d 8 /dev/tts/1
picocom v1.4
port is : /dev/tts/1
flowcontrol : none
baudrate is : 9600
parity is : none
databits are : 8
escape is : C-a
noinit is : no
noreset is : no
nolock is : no
send_cmd is : ascii_xfr -s -v -l10
receive_cmd is : rz -vv
Removing stale lock: /var/lock/LCK..tts_1
Terminal ready
best regards
Stefan
Hi Stefan,
I’m not sure exactly what the baud rate was that I used, but I think it worked by default. I would try doing some googling to find out exactly what it is. I saw someone do a dump on the first start text and I noticed that the kernel logged it was listening on ttyS0, using a baud rate of 115200.
Try using 115200, but keep in mind, that during my whole efforts, that I had funky text scroll like you when my connections weren’t solid. I spent over 1 hour trying to get the contacts to stay on properly.
Hope this helps.
Stephen
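The symptom in the exchange above (picocom left at its default 9600 baud while the console reportedly runs at 115200) can be reproduced offline. The following is an added example, not code from the post or its commenters: it simulates an 8N1 serial line bit by bit, decodes it at several receiver rates, and scores how readable each result is. The sample banner text and all function names are constructed for illustration, and the sender rate of 115200 is taken from Stephen's reply.

```python
# Added example: bit-level 8N1 UART simulation. BOOT_TEXT is a constructed sample, not real CFE output.
BOOT_TEXT = b"CFE (constructed sample banner)\r\nInitializing...\r\n"
CANDIDATES = (115200, 57600, 38400, 19200, 9600)

def uart_encode(data):
    """Return the line as one level per transmitter bit time (8N1, LSB first)."""
    line = [1] * 10                                   # idle-high before the first byte
    for byte in data:
        line.append(0)                                # start bit
        line.extend((byte >> i) & 1 for i in range(8))
        line.append(1)                                # stop bit
    return line + [1] * 10

def uart_decode(line, tx_baud, rx_baud):
    """Receive `line` (sent at tx_baud) with a UART clocked at rx_baud.
    Time is counted in integer ticks of 1/(4*tx_baud*rx_baud) s, so there is
    no float drift. Framing errors are ignored, as a raw terminal view would."""
    tx_bit, rx_bit = 4 * rx_baud, 4 * tx_baud         # bit durations in ticks
    def level(t):
        idx = t // tx_bit
        return line[idx] if idx < len(line) else 1
    out, t, end = bytearray(), 0, len(line) * tx_bit
    while t < end:
        if level(t):                                  # idle/stop level: hunt for a start edge
            t += tx_bit // 4
            continue
        byte = 0
        for i in range(8):                            # sample 1.5, 2.5, ... rx bit times after the edge
            byte |= level(t + rx_bit * (2 * i + 3) // 2) << i
        out.append(byte)
        t += rx_bit * 19 // 2                         # jump to where the receiver expects the stop bit
    return bytes(out)

def readable_ratio(data):
    """Fraction of bytes that are printable ASCII, TAB, CR or LF (0.0 if empty)."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)

def best_baud(line, tx_baud, candidates=CANDIDATES):
    """Pick the receiver rate whose decoded output looks most like text."""
    return max(candidates, key=lambda rx: readable_ratio(uart_decode(line, tx_baud, rx)))

if __name__ == "__main__":
    line = uart_encode(BOOT_TEXT)
    for rx in CANDIDATES:
        rx_bytes = uart_decode(line, 115200, rx)
        print(rx, f"{readable_ratio(rx_bytes):.2f}", rx_bytes[:16])
```

Only the matching rate returns the text intact. The simulation covers rate mismatch only, so garbage that persists at the right rate points back to the contact and signal-level problems discussed in the comments.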
Hello,
My device got bricked after flashing an OpenWRT firmware on this device with the recovery mode webpage. Using a cheap USB to RS232 TTL converter I also got garbage on my terminal, but I found a solution: use an Arduino board.
Arduino boards have a built-in USB to RS232 TTL level converter. Just plug the GND, TX and RX wires in the board and it works. I used “screen /dev/tty.usbserial-XXXX 115200” on both OSX and Linux without problems. On eBay you can buy an Arduino UNO for almost the same price as just a converter and those things are very useful for other purposes as well (and a lot of fun).
Hope this helps anyone.
Hi there… This is the best instructions.. so thanks. However.. it’s not quite working.. I can’t seem to get to the CFE prompt.
My connections are working, and I can see the bootloader text flying by, but I can’t interrupt it. I’m pressing Ctrl+C repeatedly, ESC, del.. everything.
Thoughts?
Thanks!
ALEC
Thinking like that is really amazing
Just want to say THANK YOU !
Life saver 🙂
Broke wrt610nV2 and no one from reset options helped to restore it.
Used almost fully your method to get it back to work.
Instead of using another box to connect I opened broken one and soldered 4 cables (there is another serial connector inside the box on the board, not inside the WAN port) , then connected them to cp2105 based USB to UART bridge board (~$2 on ebay) and flashed the router.
Thank you !!! and excuse me for my English 🙂
Hello
Thanks a lot!
In the beginning I used a standard usb to serial cable which gave me weird symbols in the console. I then ordered a special usb to serial cable for 3.3V. Now I was able to load the proper firmware (tftp did not let me transfer the stock firmware which is bigger than 7MB, so I used an older dd-wrt mini build). I also had to call “load” after the tftp transmission ended.
By the way, I used the serial connectors on the mainboard of my WRT610N v1.
Kind regards!
Aurel