Sunday, July 8, 2012

Bringing a Bricked WRT54GL back from the Dead

router Recently, I found myself attempting to upgrade my network infrastructure in order to support IPv6 technology. I was using a WRT54GL running the Tomato Firmware as my primary router and I was delighted to discover that a modified build of the Tomato Firmware would support IPv6 without issue and the quest began to find some functional firmware. When selecting the correct firmware I learned the hard way that it is all too easy to load the incorrect firmware onto the router rendering it useless. In this guide I will outline the rather radical steps I followed to breathe new life into my bricked WRT54GL router.

After loading the new firmware onto my router it quickly became apparent that the router was inaccessible over the LAN and a quick trip to the server closet confirmed that the router was a brick. The easiest way to determine the state of your bricked router is to examine the power LED on the front panel. In my case the LED was constantly blinking quickly which indicated a corrupt bootloader, meaning it would not be possible to recover the router using traditional network methods. Faced with the prospect of a permanently bricked router, I began to search the Internet for a more "outside-the-box" solution and I found one over at the WRT54GL recovery guide.

First of all a little disclaimer: although this recovery method worked for me it may not work in your case. Use this method of restoration only as an absolute last resort, as the potential for permanently damaging your router is very high. It is also needless to say that following this procedure will void your router’s warranty.

In the next few steps I will explain how to remove the WRT54GL’s cover and expose the main circuit board. Next, I will explain how to short two pins on the flash memory chip in order to force the router to enter its “firmware recovery mode.” Finally, I will explain how to use a TFTP program to load the recovery firmware to the router using Telnet.

Start by popping the front cover off the router. The router simply “snaps” together so there are no screws to worry about removing. The easiest way to remove the front cover is to place the thumbs of your left and right hands below the rubber “feet” and push. You will need to press fairly hard to accomplish this. After you have removed the front panel, the plastic top should easily fall away, exposing the main motherboard. Locate the flash chip, on my router the chip is located near the LEDs, however, different revisions of the router may have the chip located in a different spot. The flash chip should be a 48-pin surface-mount component. In my router the chip was marked as MX 29LV320CTB. This guide only works for the 29LV320CTB. If your router has a different flash chip you should stop right now and investigate farther, likely this recovery method will not work and following this procedure will damage your router farther.

Using a magnifying glass, locate pins 16 and 17 and place a small piece of wire or other conductive material to them. This will short the two pins together causing the router to enter “firmware recovery mode” at boot. Be careful to ensure that ONLY pins 16 and 17 are connected as shorting additional pins together will likely cause serious damage to the flash chip. With pins 16 and 17 shorted, turn on the router by plugging it into the wall and wait 15 seconds. After the 15 second wait, remove the piece of wire and connect your computer to one of the LAN ports on the router. Set your computer to have a static IP of ‘192.168.1.2’ and a subnet mask of ‘255.255.255.0’ and try to ping ‘192.168.1.1,’ the IP address of the router. If the ping has been successful then you know you have entered “firmware recovery mode” and can proceed to the next step.

Next, download the firmware for your WRT54GL, note that the firmware you choose MUST be 3MB or smaller in file size. I would recommend you download the DD-WRT Mini version. After you load the initial firmware onto the recovered router, you may upgrade to a larger image from the web-interface. Next, you will have to install the TFTP client in windows by navigating to control panel, add remove programs, turn windows features on or off. After the TFTP client has been installed, open up a command prompt window and cd to the directory where your firmware is located. Enter the following command to load the firmware onto the router:

tftp -i 192.168.1.1 PUT "name of firmware".bin

The command should take 15-30 seconds to execute, afterwards a success message will display. Once the firmware has been successfully TFTPed to the device wait 3 minutes WITHOUT rebooting the router or removing power. After about 3 minutes you should be able to bring up the DD-WRT web-interface by typing ‘192.168.1.1’ into a web browser. If you see the DD-WRT web-interface then you have successfully recovered your router and can re-assemble the chassis. Hopefully, after following this guide, you have managed to save your WRT54GL from a future as a paperweight. If this guide hasn’t worked for you or you would like some additional tips, have a look at the WRT54GL recovery guide.

4 comments:

  1. Your blog is awesome! I mean, Ive never been so excited by useful and interesting material! Your explanation style is perfect for this. Keep up
    pst recovery

    ReplyDelete
  2. Shorting the pins worked. You saved the day. Thanks!

    ReplyDelete
  3. shorting pins 16 and 17 worked on v1.1

    ReplyDelete