Flash Panteltje

Debrick utility for Linksys WAP54G-V31 (soft 3.05) via JTAG, based on HairyDairyMilkMaid's EJTAG wrt54g.
Works with SST FLASH chip SST39VF160
Contains a correct FLASH image that you can put into the FLASH.

board_with_jtag_connector.jpg
cable_jtag_connector.jpg
cable_d_connector.jpg

Download

Full source in C:
Note: This is Linux software. To download this file, right-click and use 'save as', otherwise you get a messed up screen.
The file size is 5711310 bytes; check it after download.
flash_panteltje.tgz



Intro:



How to reprogram the FLASH on a Linksys WAP54g V31 with BCM5352 processor and SST39VF160 FLASH chip using JTAG.

To really repair a messed up FLASH, you first need a correct image.
I have more than one WAP54G, so I grabbed the FLASH from a good one, and provided it here as MASTER_NO_MAC_10.0.0.153,
and here you can read how to put a good (original) flash into your WAP54G-V31.

The software is based on the WRT54g EJTAG debrick utility by HairyDairyMilkMaid, but has the following advantages:
1) It works on the WAP54G-V3
2) I have supplied a correct image.

Copyright:
All source Linksys provides is GPL, so is the image (compiled with 3.05), Broadcom has CFE as open source, so
for all I know this is all open source.
I have removed the MAC in the image, and supplied a program to enter the MAC as indicated on your box.

I fixed my WAP54G with it, and that is all, it is working again, no other method worked.
Perhaps some out there have defective WAPs-V31 and here is the way out.



Howto


1)
Check if your PC has a parport device:
ls /dev/parport0

If not:
Make sure no parport services are running, such as a printer:
lpq (shows printer jobs, gives a number for each).
If there are any jobs, kill them with lprm (see man lprm).
Show the modules that use parport with
lsmod | grep par
Now remove any modules using parport:
rmmod lp
rmmod parport_pc
rmmod parport

Make the device
mknod /dev/parport0 c 99 0
chmod a+rw /dev/parport0
modprobe ppdev


So now we should have a /dev/parport0


2)
compile the software:
make
gcc -o replace_mac replace_mac.c



3)
Open the WAP54G, and solder in a JTAG connector and make a JTAG cable,
as described by hairydairymilkmaid or as I did here, see pictures above.
I have used a high quality IC socket, cut it with cutters, used
75 Ohm resistors.... and the cut-off wire ends as pins....
You can solder these too of course.
IMPORTANT:
Connect the separate wire FIRST, this is ground, and prevents you
killing the chips with electric charge.
Use a special fine tip soldering iron, temp controlled, not one for fixing sinks.
The connections are:
D_connector Jtag
2 - R - 3
3 - R - 9
4 - R - 7
13 - R - 5
23,24,25 ----- 12

The ^ mark is NOT pin one on the Linksys board!!! Pin 1 is on the opposite side!!!!

3)
Plug the Linksys AC adapter into the mains, THEN connect the JTAG cable, and connect the DC plug to the WAP54G.

4)
Now try reading the flash:
./wrt54g -backup:wholeflash
Some zeros should show, followed after a while (minute or so) by lots of numbers.
If this works you are ready to flash.
If not check your cables and if /dev/parport0 is present.
If none of this ever works .... then I have no solution.


5)
Before you flash you MUST _M_U_S_T_ M U S T set the correct MAC address.
The correct MAC address is printed on the bottom of the WAP54g box, something like this:
MAC 0018A1B2C3D4

Change your MAC by adding a ':' every two characters, so you get something like this:
00:18:A1:B2:C3:D4

Check your MAC at least 3 times against the one written on the box; a wrong MAC will not work, and two identical
MACs in a network may cause BAD THINGS to happen.

Now use it with the replace_mac program you just compiled, use exactly this command line, with YOUR MAC as you just made:
cat MASTER_NO_MAC_10.0.0.153 | ./replace_mac RE:PL:AC:E_:TH:IS 00:18:A1:B2:C3:D4 > WHOLEFLASH.BIN

Panteltje (c) replace_mac version-0.1
REPLACED ONE at 0x1f80c2
REPLACED ONE at 0x1f80f1
REPLACED ONE at 0x1f893c
REPLACED ONE at 0x1f92ff


Now reboot (power off / on) and type the magic words:
./wrt54g -flash:wholeflash

This will program WHOLEFLASH.BIN into the FLASH.

I suggest you start it late at night; it took all night long on my PC and was ready in the morning.

After you wake up and the flash has ended OK (if not I have no solution to this but check all of the above) remove the DC power
plug and insert it again.
The WAP54G should now start up normally.
It will first listen on 10.0.0.153 (because I am on a 10.0.0.xxx LAN).
I expect RESET to reboot it and listen on the usual 192.168.1.245, so this also supports people on a 192.168.1.xxx LAN.


Point your web browser at it and correct the settings for your network's needs (this one is configured as client; the first thing you likely want is to
set access point, broadcast on, encryption off, SSID to linksys, so you can test).
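
Step 5 relies on WHOLEFLASH.BIN being the master image with nothing changed except the MAC fields. The check below is an added example, not part of flash_panteltje.tgz, meant to be run before ./wrt54g -flash:wholeflash. It assumes the MAC is stored in the image as 17 ASCII characters, as the replace_mac command line suggests; the names checkmac, mac_valid, check_patched, load and FLASH_MAX are made up for this example.

```c
/* Added example, not from flash_panteltje.tgz: pre-flash check of WHOLEFLASH.BIN. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAC_LEN 17                   /* "XX:XX:XX:XX:XX:XX", assumed ASCII in the image */
#define FLASH_MAX (2u * 1024 * 1024) /* the page gives the SST39VF160 as 2MB */

/* Returns 1 if s is six colon-separated pairs of hex digits, else 0. */
int mac_valid(const char *s) {
    if (strlen(s) != MAC_LEN) return 0;
    for (int i = 0; i < MAC_LEN; i++)
        if (i % 3 == 2 ? s[i] != ':' : !isxdigit((unsigned char)s[i])) return 0;
    return 1;
}

/* Walks two equal-length images. Returns how many placeholders in master were
 * replaced by mac in patched, or -1 if one was missed or any other byte differs. */
long check_patched(const unsigned char *master, const unsigned char *patched,
                   size_t len, const char *placeholder, const char *mac) {
    long hits = 0;
    if (strlen(placeholder) != MAC_LEN || !mac_valid(mac)) return -1;
    for (size_t i = 0; i < len; i++) {
        if (len - i >= MAC_LEN && !memcmp(master + i, placeholder, MAC_LEN)) {
            if (memcmp(patched + i, mac, MAC_LEN)) return -1; /* placeholder left in */
            hits++; i += MAC_LEN - 1;                         /* skip this MAC field */
        } else if (master[i] != patched[i]) return -1;        /* change outside a MAC field */
    }
    return hits;
}

/* Reads up to cap bytes of path into buf; returns bytes read (0 on error). */
static size_t load(const char *path, unsigned char *buf, size_t cap) {
    FILE *f = fopen(path, "rb");
    size_t n = f ? fread(buf, 1, cap, f) : 0;
    if (f) fclose(f);
    return n;
}

int main(int argc, char **argv) {
    static unsigned char m[FLASH_MAX + 1], p[FLASH_MAX + 1]; /* +1 detects oversize files */
    if (argc != 5) { fputs("usage: checkmac MASTER PATCHED PLACEHOLDER MAC\n", stderr); return 2; }
    size_t ml = load(argv[1], m, sizeof m), pl = load(argv[2], p, sizeof p);
    long n = (ml && ml == pl && ml <= FLASH_MAX) ? check_patched(m, p, ml, argv[3], argv[4]) : -1;
    if (n > 0) printf("OK: %ld MAC fields set, nothing else changed\n", n);
    else printf("FAIL: do not flash this image\n");
    return n > 0 ? 0 : 1;
}
```

Run it as ./checkmac MASTER_NO_MAC_10.0.0.153 WHOLEFLASH.BIN RE:PL:AC:E_:TH:IS followed by your MAC; the count it reports should match the number of REPLACED ONE lines printed by replace_mac.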


Background:
I got a WAP54G because it runs Linux.
Was adding some telnet and thought I had some free space, added another shell (ash), and some more code, flashed it, middle
LED out, no way (tried all files on the net I could find) could it be brought back to life.
Did read about hairydairymilkmaid flash, downloaded it, but it did not want to even read flash of the WAP54Gv31.
I decided to pursue this as I have 2 WAP54G, and one was still virgin, never flashed (I think ;-)).

So I first hacked the hairy.. source, so it would read flash on the different processor.
I found SST39VF160x.txt on the SST website with the programming specs of the SST flash chip, and changed the hairy... code for that.
This flash is only 2MB, so I changed the flash size too.
I was very lucky I guess that the BCM4712 routines also worked for the BCM5352 chip used in the WAP54G.

YOU SHOULD ONLY USE ./wrt54g -backup:wholeflash and ./wrt54g -flash:wholeflash IN THIS VERSION!!!!!!!
==========================================================================================================

The other options will point to the wrong address.

My serial port interface without MAXIM parts (faster cheaper better), for Linux with minicom:
max_pantel diagram
wapcom-0.1.tgz You will need this too, if you use minicom.
Some pictures:
serial connector left side is input, right side is output.
max_panteltje the adapter.

batbox-wap54gv31-serial-0.2.tgz Batbox adapted for WAP54Gv31 serial on Linux.
Batbox runs in RAM, adds a second webserver, so you can play, test, and inspect things without changing the FLASH.

SDcard on WAP54G V31 EU with your web site



What is it?

A modified Linksys WAP54G V31 EU wireless access point as personal webserver, with your website on a SDcard.
Your website can then be accessed from the internet and/or wireless locally.
Hollywood's nightmare... share your music locally.... this will get even hotter with mp3 capable phones that have wireless, like VOIP.
Total power consumption: about 5W, so can be on 24/7.

Hardware howto:


Diagram, and some notes for testing:
SDcard on WAP54G V31 How to run a webserver from data on SDcard without kernel recompile, but with serial link.

Pictures of SDcard connector and connections:
wapserver pictures

Software howto:


I have now compiled a firmware for WAP 54g V31 EU that mounts the SDcard automatically, and loads a bigger busybox with more commands
from the SDcard, but most of all: it runs a second webserver on port 82 from the SDcard.
All that with space left, as files come from the SDcard, not from the linux.trx flash :-)
This version supports both cramfs formatted SDcards and ext2 formatted!!
Maximum SDcard size supported by the sdcard driver module in this firmware is 1GB.
There are 2 versions of the firmware, one mounts the card read-only (after all my website is to *read*), but maybe if you need it,
use the other version that by default mounts the card read-write.

Here are the firmwares:
linux_wapserver_sdcard_ro.trx
linux_wapserver_sdcard_rw.trx
linux_wapserver_sdcard_ro_telnetd.trx
linux_wapserver_sdcard_rw_telnetd.trx (not tested)
Please note that SDcard FLASH has only a limited number of write cycles, typically 1000000,
having a card mounted rw in ext2 can quickly use that up.
It is possible to remount the SDcard ro or rw via the serial link or via telnet.
You can remount the SDcard read write, and reduce writes to FLASH, like this:
mount -o rw,noatime,remount /dev/mmc/disc0/disc /mnt
The 'noatime' option prevents the inode access times from being updated on this filesystem (see man mount), this saves writes.
Now you change things on the SDcard, and after that mount it read only again:
mount -o ro,remount /dev/mmc/disc0/disc /mnt

Program sources here you find ;-) sources


To prepare the SDcard for ext2 do the following:
Insert card in PC and look with dmesg until the card is recognized, then mount the card (in this example /dev/sda, MAY DIFFER IN YOUR CASE):
mke2fs /dev/sda
Do not use /dev/sda1 or something!!
mkdir /mnt/test
mount /dev/sda /mnt/test
cd /mnt/test

Your http source (so your first index.html) should go in /mnt/test
To add the required scripts and new busybox download this file:
wapserver-0.6.tgz
and put it in /mnt/test and type:
tar -zxvf wapserver-0.6.tgz
This will create a directory 'linksys' with a script 'setwap', a httpd config file 'bb-httpd.conf', and a 'busybox' directory with
the bigger busybox.
The 'setwap' script will be automatically executed on boot, and create links to the new busybox in /tmp/var/bon (not bin)...
The extra webserver asks for a login, and at the same time displays what to type, you can change password, or comment it out
so no password is asked for, in 'bb-httpd.conf' where it says: /:guest:none
and in 'setwap' the line /tmp/var/bon/httpd -h /mnt -p 82 -c /mnt/linksys/bb-httpd.conf -r "Use user 'guest' and password 'none'"
Now you can add your website here in /mnt/test
When finished type:
sync
cd
umount /dev/sda
and you can now use the card in the modified WAP54G V31 EU.
But see also tricks.txt for more on programming the SDcard.

You can connect to 10.0.0.152 with a webserver for the old linksys setup screen.
If you connect to 10.0.0.152:82 you get the website you just created.
So 2 webservers are running all the time.
You can use serial link too of course.

Note:
Do NOT use the reset or ses buttons, (not even to go to defaults), as the buttons are used for the SDcard signals.
The firmware will listen on 10.0.0.152, so if you are on say a 192.168.1.xxx network you MUST change IP to say
10.0.0.150 with ifconfig, then use the normal Linksys setup, and change the WAP IP, and use ifconfig to set your
own IP address back to what it was.
The 'setwap' script you can edit on the SDcard in the PC, and gives you full control without need to reflash the WAP.
Without SDcard inserted the WAP will boot in the normal way, reboot by power cycle after inserting SDcard.

This is as far as I am now.

News:

Analog and digital I/O added to the WAP54G wapserver!
You can use this to measure and control things remotely!

