Microsoft MN700 hack project


3chansen
01-02-2005, 02:36
I have been looking for a custom firmware for this router...but haven't found anything on the net! Microsoft's firmware for this thing SUCKS! But I think it could be an awesome router with the right firmware. (great signal and range). I knew it was a broadcom, so I took a few snaps of the innards to see if it was another router branded with the "microsoft" name.
http://scatcat.fhsu.edu/~cmhansen/router.jpg

sure enough, the Microsoft name is on the PCB...but all the chips look very standard...like they could run Linux!

Here is the radio (wireless card):
http://scatcat.fhsu.edu/~cmhansen/radio.jpg

PLEASE let me know if you find ANY compatible firmware for this thing...even if it is a stock netgear/buffalo/etc. Stock Linksys wouldn't be bad. Most of all, I want to enable wireless bridge/AP Client mode. Please email me if you find out anything
email me (chuckman@gmx.net)
Thanks
Chuck

Antiloop
01-02-2005, 09:10
to me it looks very familiar to the WL500g, if you are willing to risk you can try to flash a custom WL500g or WLHDD firmware into it

but you should not do this when you are not familiar recovering the unit from dead

Oleg
01-02-2005, 10:44
Linksys firmware will not run, cause it uses different design for ethernet ports. Asus, Belkin, Buffalo firmwares are potentially able to run. Openwrt also.
Are you familiar with hardware? Your device has JTAG port, so you could save current flash content (to analyze bootloader - one option is really make sense) and then flash whatever you want. This is risk free.

3chansen
11-02-2005, 00:31
I don't know what kind of pinout the jtag has...could you point me to a site that gives the pinout? I assume I just have to solder a DB-9 cable to the jtag header with the right pinout. If you could help me with that and saving the firmware, I could email it to you for analysis (since I don't know what I'm looking for in the firmware) Soldering is no biggie for me. (don't tell M$ since it's Windows CE :)
Chuck

3chansen
11-02-2005, 04:11
http://openwince.sourceforge.net/jtag/iPAQ-3600/

Scrolling down through the article, the hack got this simple cable to work on his ipaq. Of course, my JTAG is 12pin, not 10pin. I assume the pinout is the same??? And can someone point the flash chip out on this thing? (maybe under the wireless card)....the software on the site says it supports intel or amd flash chips...maybe it would work.

It has 16MB RAM, and im guessing 4MB flash (M$ can't fit CE on less than that im guessing)

Chips seem to be the same, minus the layout.

So I wonder if there is any operational difference between this and an Asus WL500g...

Also, the BCM4702 natively supports USB...so I can add a usb port to this router? Maybe someone can figure out the connections to do such a thing

Oleg
11-02-2005, 09:34
http://openwince.sourceforge.net/jtag/iPAQ-3600/

Scrolling down through the article, the hack got this simple cable to work on his ipaq. Of course, my JTAG is 12pin, not 10pin. I assume the pinout is the same??? And can someone point the flash chip out on this thing? (maybe under the wireless card)....the software on the site says it supports intel or amd flash chips...maybe it would work.

Check this:
http://www.openwrt.org/forum/viewtopic.php?t=647


It has 16MB RAM, and im guessing 4MB flash (M$ can't fit CE on less than that im guessing)

Chips seem to be the same, minus the layout.

So I wonder if there is any operational difference between this and an Asus WL500g...

The differences are in GPIO mappings (this includes LEDs, reset buttons, etc...).

3chansen
12-02-2005, 11:03
I have the cable made, but have been looking for easy to use, compatible software. What JTAG programs are best for the BCM4702? For Windows?

Oleg
12-02-2005, 19:08
well, you need linux box and the package from the above link, which supports access based on the ejtag specs. to my knowledge broadcom does not publicly release any detailed specs for the bcm47xx.

3chansen
13-02-2005, 05:19
Thanks for the link to the pdf!

I am trying to run the wrt54g flash tool on windows under Cygwin, but I can't figure out how to compile it. I don't know much about Linux either, that is why I was trying to find a jtag flashing program for windows. Is there a link to a pre-compiled version? I assume I can't just compile it under any C compiler since it was written to be compiled under Linux.

Im a newb when it comes to using Unix and Linux. :confused:

Oleg
13-02-2005, 10:36
this program uses direct access to printer port, so you should use real linux for this to work. You could try distros like Knoppix, which are booting right from CD. As for compiling - just decompress the zip and type "make".

3chansen
16-02-2005, 01:09
Thanks for steering me clear of Cygwin for this project! The "make" command was absent from cygwin (or I wasn't using it right???). I compiled the source without a hitch in Knoppix, and ran it (gave me the options), but after running -backup:wholeflash (with options) it said something of the sort "access to port0 not allowed". So I thought AH root user! So I read I'm supposed to use su and that logs me on as root. So I do, browse to the Desktop folder, type DIR and enter, and I see the wrt54g exe I compiled. So I simply type "wrt54g" and hit enter like I had before and it said "File not found".

Maybe I need to be logged into desktop as "root" instead of "knoppix"
How do I do that?

How do I gain access to read/write to hard drive/flash drive in Knoppix?

As soon as I get this figured out, I will try to flash. I noticed in the c code, his program does a check for a BCM47xx processor and displays an error if one isn't found. So hopefully this bit of code works on the MN700 BCM4702.

I know I gotta be doing something stupid...

Thanks,
Chuck

Oleg
18-02-2005, 12:19
hi! so any news so far? I've yet another guy, which is trying to get wl500g running, so far he was able to download entire flash, but bootloader looks corrupted.
I suspect problems with his cable.
So, I'm looking for your whole flash.

Your problem is probably due to the loaded lp module - try doing
lsmod
and if it's there - rmmod lp, then run it again.

3chansen
18-02-2005, 22:49
Good point on device access / lp module. I will try to disable the module if running.

Is that what is causing "file not found" when I try to run the exe under root?
It runs ok otherwise. (but no access to parallel port...which could be fixed by what you are saying, so I wouldn't have to worry about running it as root)

I am confident my cable is good as I have checked/double checked it, and I have made cables before too. I made it overly short--with cat5 to boot--, which probably wasn't needed, but should ensure a good connection (and it looks nice :)

I should be able to dink around with it tomorrow. I will keep you posted and thanks for the good help.
Chuck

Oleg
18-02-2005, 23:06
well, looks like your problem is that it should be launched like this: ./wrt54g, not just wrt54g, i.e. you should prepend path to the name.
Please try to extract current flash (I have one, but bootloader seems to be corrupted, other parts could be identified - non-volatile params, registry, runtime image). Also, upgrade to latest microsoft firmware, so it would be possible to identify firmware parts in the flash.

3chansen
18-02-2005, 23:18
I wonder why knoppix ran just "wrt54g" fine under the knoppix user, as I didn't have to type ./ in front. Well, I knew it had to be something stupid. I will try that and let you know where I get tomorrow.

My MN700 is updated, (as I was hoping to see AP client mode in it) and I will see about saving a copy of the fw. I wonder if there is another possible source of the corruption besides his cable...different flash chip maybe? But if the program only depends on the BCM47xx, and if the BCM47xx has standard flash interface, I don't see a problem there, but this is purely a guess on my part.
Chuck

3chansen
20-02-2005, 06:46
Got past the weird port error, but now...
Cable problemo...

According to this...
http://scatcat.fhsu.edu/~cmhansen/diag.jpg
and this...
http://scatcat.fhsu.edu/~cmhansen/connector.jpg
I made my connector completely right but completely wrong by pic # 2. I counted the pins on the top (12) and 13 on the bottom (db25) in his pic. According to the pinout, there are only supposed to be resistors @ pin 2,3,4 and 13, and pins 20 and 25 connected (ground) with a common wire. OK. Now on my db25, the 12 pins, when on top, are pins 14-25, from left to right. Judging by his connector, since his 3 resistors are on the bottom left, the pins on his go from 1-13 on the bottom, right to left, and 14-25 on top, right to left. On mine, it is 1-13, LEFT TO RIGHT, and 14-25, LEFT TO RIGHT on top. Are db25 connectors for older serial cables labeled differently than for parallel ports? At first seeing the chip detection error, I thought "I'll check my cable". And I looked at his connector and HOLY CRAP mine is reversed. I'm just ticked right now so I'm gonna maybe change my pinout to match his db25 tonight, or some other night. I'm working on HW tomorrow so I might not mess with it then. I didn't connect pins 1 and 11, as he said they are un-needed.
Any clue why we would have differently labeled pinouts on our db25's, besides maybe mine being for serial, his for parallel? I thought all db25's were standard.
Thanks,
Chuck

3chansen
20-02-2005, 07:34
update...
cable updated. It looks like his now. It will take too long to try it tonight, I'll wait till tomorrow. (can I cancel it if it begins to read the flash?)

Oleg
20-02-2005, 09:42
yes, you could cancel reading. btw, most of the time during the reading is spent in the code, which shows you fancy progress messages... You could change the code, so it will output progress every 256 bytes, not 16 as it is doing now.

3chansen
21-02-2005, 04:41
What tests can I run in Knoppix to verify my parallel port is running?
No lp module is loaded. After updating cable to match Sveasoft's, I get the same error (and the pwr WAS on the router). Otherwise, it should have worked. My mobo is an Nforce2, and I don't know if knoppix would have fits with it or not.

Intelman
22-02-2005, 02:58
Me and a few others have been pushing for a hack on this router. The microsoft firmware doesn't seem to cut it. We asked sveasoft, right here http://www.dslreports.com/forum/remark,12466800~mode=flat

Also if someone can program in .NET, maybe they can provide modules?

"The Wireless Base Station MN-700 is powered by Windows® CE .NET 4.2, enabling Microsoft, its partners and other developers to create additional applications and benefits for customers"


Hopefully someone figures out a Hack!

inteller
22-02-2005, 05:17
this was a great router, and microsoft had a really slick interface for it. It is a crying shame they refused to fix the bugs.

Oleg
22-02-2005, 10:21
Well, we've already 1.9.2.7-3c firmware running on this box. Minor cleanups are needed for both firmware and bootloader.

Intelman
22-02-2005, 12:34
So this is doable, and already running for some? Will it be doable for the end user, or do we hack our way through to get it to work.

Oleg
22-02-2005, 13:05
At the moment JTAG cable is required, but it's very simple. See above.
Probably it's also possible to reflash it directly from WinCE, but we've not tried this.

Intelman
22-02-2005, 20:58
I am very interested in this, don't have a jtag cable though. Hm, if flashing from WinCE were possible... This default Microsoft firmware just seems too buggy right now, it keeps freezing using bittorrent or emule or something that creates lots of load for a long time. This work is truly wonderful :P

Oleg
22-02-2005, 21:17
You need to build cable yourself, it's extremely cheap...
I do not have any plans to play with WinCE and original loader, this requires too much time and I do not have this unit at all. The only problem is that MS loader uses 192k of flash, while we're using 256k, so I'm not sure if MS firmware will accept larger loader image (this is the only part which needs to be written, once done it will flash firmware itself).
Finally, the device now works with WL-500g firmware. I've also prepared new bootloader image, which should be flashed via JTAG using Linux. I will post instructions later, including some info required to make application above to work with Macronix flash chip used in the MN-700.
To make this work I've remotely controlled a guy owning this unit, who has built a jtag cable and gathered the required info. So, now it just works. He has about 7 units, which would be flashed this way.
BTW, mn-700 is the most inexpensive unit in the USA ($35), which is based on the broadcom reference design and it could work with linux based firmwares now.

Intelman
22-02-2005, 21:55
I bought this router because it was cheap, and used that broadcom chipset! Now does that bootloader stuff interfere with the working of the router while being updated with the JTAG? Well, I'm a novice at using JTAG cables and such, from what i've seen only it looks like serial port things (lack of better terms). Do you need special hardware, or just a PC a cable and the router. Also, if this firmware works, and it works well, will it be periodically updated, or just a one time flash and thats what you got. Sorry for all the questions, but I like information that I dont know, and it may come to benefit me :P

Oleg
22-02-2005, 22:05
Now does that bootloader stuff interfere with the working of the router while being updated with the JTAG? Well, I'm a novice at using JTAG cables and such, from what i've seen only it looks like serial port things (lack of better terms). Do you need special hardware, or just a PC a cable and the router.

no special hardware required, just read pdf from the zip in the openwrt link above. Yes, you need PC with parallel port, cable and the router.

Also, if this firmware works, and it works well, will it be periodically updated, or just a one time flash and thats what you got. Sorry for all the questions, but I like information that I dont know, and it may come to benefit me :P
Yes, once you upgrade bootloader, you will then be able to use ANY ASUS WL-500g firmware including custom firmwares from this forum.
You need to use JTAG only once to flash bootloader. The bootloader itself is able to flash ANY firmware. Once done - you will have everything.

Intelman
22-02-2005, 22:26
Alright thats about all I need to know, well I also wonder if the extra features like print server and webcam server will mess anything up, since the MN700 does not support that. I guess I'll just wait for instructions on how to do this! If not too much trouble too, if someone could post where to connect the jtag and how to make it, that'd help me, I'd like to say it'd help others too, but I maybe just misinformed! I do see some jtag stuff at the beginning of the thread, but naturally, I dont really understand some of it, only the basic concept, of cable to router, you run linux like knoppix. Soldering required?

3chansen
22-02-2005, 23:17
Why not? All you need is a usb port(chips are the same), and maybe some minor mods. I remember reading the BCM4702 natively supports USB. It might be as simple as soldering four wires to the board :) The mass storage aspect is quite appealing.
Anyway, I haven't tried to read the flash under Knoppix again. I don't see anything wrong with my cable, so I might try a true linux distro (or different computer??). If anyone knows a trick or two, let me know. My router is fine, it works still (but it STILL has windows on it) : ]

Oleg...thanks for the info! On your cable, is your VCC and TRST connected with a resistor? (pins 1 and 11 on JTAG, right?) I made mine without. Problem? I might have to wait for the detailed step by step :(
At least I feel like I have contributed a bit to the cause.

Excellent work!

Alright thats about all I need to know, well I also wonder if the extra features like print server and webcam server will mess anything up, since the MN700 does not support that, my guess is if you dont use it, it wont mess anything up! I guess I'll just wait for instructions on how to do this! If not too much trouble too, if someone could post where to connect the jtag and how to make it, that'd help me, I'd like to say it'd help others too, but I maybe just misinformed!

I did post the pinout for the jtag and serial. You should be able to make it just by looking at the picture and matching it up with the pinout. (what I had to do, as my db25 was labeled differently than the pinout for the db25 indicated)

3chansen
22-02-2005, 23:52
this was a great router, and microsoft had a really slick interface for it. It is a crying shame they refused to fix the bugs.
Chupa will take off where M$ left it [to die]
my sentiments exactly! They could have at least added functioning AP client mode to the list of to-do's.
As for custom firmwares, I think the Asus was the answer right off the bat.

Oleg
23-02-2005, 11:24
Oleg...thanks for the info! On your cable, is your VCC and TRST connected with a resistor? (pins 1 and 11 on JTAG, right?) I made mine without. Problem? I might have to wait for the detailed step by step :(

No, these pins stay disconnected, so your cable is right.
Were you able to detect CPU?

3chansen
23-02-2005, 19:08
It didn't detect the CPU. It listed possible causes, and one was a different chip version on the WRT54g. My cable was wrong at first (flipped from left to right), then I made it right. It's connected to the proper jtag pins (though I don't have a header on the jtag) My router still works ok. No lp module running
i'm stumped...but I am glad someone has been able to save the flash for you to look over. Sorry it's taking me so long just to get THIS far!

Oleg
23-02-2005, 20:28
Well, no flash contents is needed at this time. This was needed just in case if you want to move back.
The CPU should be detected with no problems (but you need to play with pressing Enter and turning your device on). Check your cable once again...
The only minor modification is to change flash detection for Macronix and flash write function.
But you need to detect your CPU first. At first there was some detection problems, but this was cable related - it should be really short (finally that guy ended up with 25 inch long cable made of CAT5 twisted pair, although he had problems with reading - it's still noisy). Also you may want to remove resistor which is coming to LPT pin 13 - mn-700 already has 470 ohm here.
Which id does your cable return for the cpu?

3chansen
23-02-2005, 23:20
My cable is almost exactly 25 inches also.
the cpu id I was getting was the exact same as if it wasn't plugged in at all.
I will try again, playing with the timing and trying to remove the resistor.

Oleg
23-02-2005, 23:22
if you get 0xffff as an id - then your cable is not correctly wired.

3chansen
23-02-2005, 23:55
my ID I get is FFFFFFFF (ie all ones, 32 of em)
but...that is ONLY when loading 2.4 kernel and running under su (root)
When running under su in 2.6, I get
Failed to lock /dev/parport0: No such device or address
Like I say, I am new to Linux and might just need to config my parallel port.

without su :
Failed to open /dev/parport0: Permission Denied
on both 2.4 and 2.6 kernel.

That isn't a prob though, as su seems to be working for root access.
I have the wires connected properly on the jtag, according to the pinout (unless my jtag on my MN700 is "reversed" from left to right : )

Intelman
24-02-2005, 01:47
Hm, this upgrade looks complicated, *sigh*. My router just crashed again too, bittorrent killed it or something, but at least I got Tom Clancy's Splinter Cell 3 - Chaos Theory Single Player demo!! All these cable problems, and for a person like me who hasn't done it before, things are sort of looking hopeless, hopefully things get sorted!

Intelman
24-02-2005, 02:36
Maybe this would be useful. Anyways, could someone try to update the firmware with software, obviously someone who can restore it in case of a major fault. Although I have no idea of how to do this, but you could replace the MSBNDownloader.exe's MN700_02.01.02.0590_EBOOT_REL16.BIN and MN700_02.01.02.0590_NK_REL16_COMP.BIN with the linux ones? Sure it isn't that easy, but probably not impossible. http://hri.sourceforge.net/hw/mn100/logbook.html

Oleg
24-02-2005, 13:08
my ID I get is FFFFFFFF (ie all ones, 32 of em)
but...that is ONLY when loading 2.4 kernel and running under su (root)

ok, try connecting pin 13 to ground. Your readings should be 00000000, if it does not - you've not correctly numbered pins...

3chansen
25-02-2005, 08:10
ok, try connecting pin 13 to ground. Your readings should be 00000000, if it does not - you've not correctly numbered pins...
That is what I did. My pins WERE numbered incorrectly on my db25, so I made my cable to look exactly like the one in the photo from the debrick guide. I will double check connections at jtag. BTW, with 2.4 kernel, with nothing plugged into the parallel port, I get the same cpu ID, FFFFFFFF.
In 2.6 kernel, the program plain doesn't work with the parallel port. I get the "Failed to lock" error.

disq
22-03-2005, 00:29
so, any ETA on the modified bootloader? I have one MN700 and i want to try it.

pietia7
22-03-2005, 11:27
Hi! I have mn-700, JTAG cable ready and working (it detects processor), and jtag tools and wrt54g programs compiled and working on my linux box. So obviously I want to flash new firmware on my router. Can someone answer this for me:

1. which of two (jtag or wrt54g) programs is better/more convenient to backup my original flash "just in case..." :)

2. someone wrote that bootloader and/or custom firmware for wl500g needs little modification, is this still true with firmware 1.9.2.7-4 (changelog states that it has basic support for mn-700) and if it needs mod. can someone give more info about what needs to be changed to the sources

3. and the most lame question (sorry). how to flash it?? I mean is the file wl500g-1.9.2.7-4.trx whole flash, kernel part or what, sorry but i just don't know. What would be the best procedure to flash this firmware to the router using either one of the programs i mentioned i have.

PLEASE HELP - THANKS IN ADVANCE

Oleg
22-03-2005, 18:51
so, any ETA on the modified bootloader? I have one MN700 and i want to try it.
As you can mention it's already available. :)

Oleg
22-03-2005, 19:00
1. which of two (jtag or wrt54g) programs is better/more convenient to backup my original flash "just in case..." :)

I never heard of program called "jtag". :) Could you please provide a link to it? We've used wrt54g program for flashing unit (but we've modified it a bit to support MX flash chips).


2. someone wrote that bootloader and/or custom firmware for wl500g needs little modification, is this still true with firmware 1.9.2.7-4 (changelog states that it has basic support for mn-700) and if it needs mod. can someone give more info about what needs to be changed to the sources

You need to flash firmware independent bootloader. It's already available, just PM me with MAC address of your unit - I will need to encode it.


3. and the most lame question (sorry). how to flash it?? I mean is the file wl500g-1.9.2.7-4.trx whole flash, kernel part or what, sorry but i just don't know. What would be the best procedure to flash this firmware to the router using either one of the programs i mentioned i have.

PLEASE HELP - THANKS IN ADVANCE
You need to flash bootloader using wrt54g program by issuing command like this

./wrt54g -flash:cfe

once done your unit will work just like wl500g unit does and you will be able to flash 1.9.2.7-4 (and future versions) wl500g firmware using Firmware Restoration Tool. You will no longer need to use JTAG then.

disq
22-03-2005, 19:58
currently i'm getting this:

wrtjtag -flash:cfe /noreset

Probing bus...
CHIP ID: 00000100011100010000000101111111 (0471017F)
*** Found a Broadcom BCM4702 Rev 1 chip ***

Enabling Memory Writes...Done

Configuring Memory...Done


*** You Selected to Flash the CFE.BIN ***
=========================
Flashing Routine Started
=========================
Probing for AMD Flash...ID:(000000C2)... *** Unable to Locate AMD Flash Chip ***

i can backup the cfe/nvram/kernel fine. but it won't erase or flash.

using WRT54G EJTAG DeBrick Utility v2.2, win32 version. also if i don't use /noreset, it hangs after "Resetting processor...\nDone"
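
An added example, not from the thread or from the wrt54g/wrtjtag source: C code that checks the 32-bit value these tools print as the CPU/chip ID against the IEEE 1149.1 IDCODE layout, separating the FFFFFFFF and 00000000 readings discussed above from a real ID such as the 0471017F reported here. The function names and the repeated-read stability check are assumptions made for illustration; the sample reads in main() are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* How a 32-bit value shifted out of the JTAG IDCODE register is judged. */
enum id_status {
    ID_VALID,       /* bit 0 set, not all ones: plausible IDCODE            */
    ID_STUCK_HIGH,  /* FFFFFFFF: TDO input never driven (open/miswired)     */
    ID_STUCK_LOW,   /* 00000000: TDO input held at ground                   */
    ID_BAD_MARKER   /* bit 0 clear: not an IDCODE (bit slip or noise)       */
};

/* IEEE 1149.1 IDCODE fields. */
struct idcode {
    unsigned version;       /* bits 31..28 */
    unsigned part;          /* bits 27..12 */
    unsigned manufacturer;  /* bits 11..1  */
};

enum id_status classify_idcode(uint32_t raw, struct idcode *out)
{
    if (raw == 0xFFFFFFFFu) return ID_STUCK_HIGH;
    if (raw == 0x00000000u) return ID_STUCK_LOW;
    if ((raw & 1u) == 0)    return ID_BAD_MARKER;  /* IDCODE bit 0 is always 1 */
    if (out) {
        out->version      = (raw >> 28) & 0xFu;
        out->part         = (raw >> 12) & 0xFFFFu;
        out->manufacturer = (raw >> 1)  & 0x7FFu;
    }
    return ID_VALID;
}

/* Parse the 32-character binary string the tool prints. Returns 0 on success. */
int parse_bits(const char *s, uint32_t *out)
{
    uint32_t v = 0;
    size_t n = 0;
    for (; s[n] != '\0'; n++) {
        if (n >= 32 || (s[n] != '0' && s[n] != '1')) return -1;
        v = (v << 1) | (uint32_t)(s[n] - '0');
    }
    if (n != 32) return -1;
    *out = v;
    return 0;
}

/* Assumed heuristic: accept an ID only if every read is valid and identical,
   since a marginal cable can return values that change from run to run.
   Returns 1 and stores the ID when the reads are stable, 0 otherwise. */
int stable_idcode(const uint32_t *reads, size_t n, uint32_t *id)
{
    if (n == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        if (classify_idcode(reads[i], NULL) != ID_VALID) return 0;
        if (reads[i] != reads[0]) return 0;
    }
    *id = reads[0];
    return 1;
}

static const char *status_text(enum id_status s)
{
    switch (s) {
    case ID_VALID:      return "valid IDCODE";
    case ID_STUCK_HIGH: return "all ones: cable disconnected or miswired";
    case ID_STUCK_LOW:  return "all zeros: TDO input grounded";
    default:            return "bit 0 clear: not an IDCODE";
    }
}

int main(void)
{
    /* 0x0471017F is the ID quoted in the thread; the rest are constructed. */
    const uint32_t samples[] = { 0x0471017Fu, 0xFFFFFFFFu, 0x00000000u, 0x0471017Eu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct idcode f = { 0, 0, 0 };
        enum id_status s = classify_idcode(samples[i], &f);
        printf("%08X: %s", (unsigned)samples[i], status_text(s));
        if (s == ID_VALID)
            printf(" (version %u, part %04X, manufacturer %03X)",
                   f.version, f.part, f.manufacturer);
        printf("\n");
    }
    return 0;
}
```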

Oleg
22-03-2005, 20:06
You need to adjust utility to support MX flash chips. There should be a check for 0x1 as an ID - you should add 0xc2 as one of the possibilities. Do you have the source code?

disq
22-03-2005, 20:10
ah, ok. i'll boot from linux and fix it source. thanks.

Oleg
22-03-2005, 21:34
Once bootloader is correctly flashed, the power LED should start blinking with yellow indicating recovery mode. Use ASUS utility to upload 1.9.2.7-4 firmware. Once done, the unit should reboot, and the led should become yellow (bootloader), then it will be turned off by firmware and finally become green indicating that unit is completely booted with firmware.

disq
22-03-2005, 23:42
ok, booted from a slackware installation cd and used the modified wrt54g binary (which i compiled on another box) to flash pmon.

after booting back from windows, the asus utility didn't see the device at first. rebooted the device. ping replies started coming back, but asus util still couldn't update.

so i just tftp'd the firmware and it's now working. hellooo, WL500!

disq
23-03-2005, 02:22
fixing wrtjtag.exe

back up the file, and then open it with a hex editor. (ultraedit is good)

look for: 01 5E 74 14 68 B8 AA
replace with: 01 5E EB 14 68 B8 AA (replace the 74 with EB)

that removes the amd-flash check from wrtjtag.exe. so you can use it with the mn700.

by the way, that wrtjtag.exe i'm talking about is located at: http://www.ranvik.net/prosjekter-privat/jtag_for_wrt54g_og_wrt54gs/
just get it and replace the byte before using with mn700. (if you don't edit it, you won't be able to erase/write to flash. backup always works)

and everybody thank Oleg for the info and pmon images :)


edit: by the way, the win32 wrtjtag.exe is twice as slow compared to the linux "wrt54g" binary. (23 secs to go up 1% in win32, 11 secs in linux. also in windows if you set it to low priority or use some cpu power -like watching a movie while flashing-, it tends to hang sometimes.)
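
An added example, not part of the original post or of wrtjtag: the hex edit described above done programmatically in C, refusing to change anything unless the seven-byte sequence occurs exactly once, and writing to a separate output file. 0x74 and 0xEB are the x86 opcodes for JZ rel8 and JMP rel8, so the edit makes that branch unconditional; the function names are hypothetical and the demo buffer is constructed, not taken from the real executable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Byte sequence quoted in the post; the 0x74 at offset 2 becomes 0xEB. */
static const uint8_t PATTERN[] = { 0x01, 0x5E, 0x74, 0x14, 0x68, 0xB8, 0xAA };
#define PATCH_OFFSET 2
#define NEW_BYTE 0xEB   /* x86 JMP rel8 (the original 0x74 is JZ rel8) */

/* Count occurrences of pat in buf; store the offset of the first in *first. */
size_t count_matches(const uint8_t *buf, size_t len,
                     const uint8_t *pat, size_t patlen, size_t *first)
{
    size_t hits = 0;
    if (patlen == 0 || len < patlen) return 0;
    for (size_t i = 0; i + patlen <= len; i++) {
        if (memcmp(buf + i, pat, patlen) == 0) {
            if (hits == 0 && first) *first = i;
            hits++;
        }
    }
    return hits;
}

/* Patch buf in place. Returns the offset of the changed byte, or
   -1 pattern absent, -2 pattern ambiguous, -3 already patched. */
long apply_patch(uint8_t *buf, size_t len)
{
    uint8_t patched[sizeof PATTERN];
    size_t first = 0;
    size_t hits = count_matches(buf, len, PATTERN, sizeof PATTERN, &first);

    if (hits > 1) return -2;
    if (hits == 0) {
        memcpy(patched, PATTERN, sizeof PATTERN);
        patched[PATCH_OFFSET] = NEW_BYTE;
        return count_matches(buf, len, patched, sizeof patched, NULL) ? -3 : -1;
    }
    buf[first + PATCH_OFFSET] = NEW_BYTE;
    return (long)(first + PATCH_OFFSET);
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        /* Constructed demo buffer: two filler bytes, the pattern, one filler. */
        uint8_t demo[] = { 0x90, 0x90, 0x01, 0x5E, 0x74, 0x14, 0x68, 0xB8, 0xAA, 0x90 };
        long off = apply_patch(demo, sizeof demo);
        printf("demo: changed offset %ld, byte is now %02X\n", off, demo[4]);
        printf("usage: patcher <input.exe> <output.exe>\n");
        return 0;
    }

    FILE *in = fopen(argv[1], "rb");
    if (!in) { perror(argv[1]); return 1; }
    fseek(in, 0, SEEK_END);
    long size = ftell(in);
    rewind(in);
    uint8_t *buf = size > 0 ? malloc((size_t)size) : NULL;
    if (!buf || fread(buf, 1, (size_t)size, in) != (size_t)size) {
        fprintf(stderr, "could not read %s\n", argv[1]);
        fclose(in);
        free(buf);
        return 1;
    }
    fclose(in);

    long off = apply_patch(buf, (size_t)size);
    if (off < 0) {
        fprintf(stderr, "not patching (code %ld): pattern %s\n", off,
                off == -2 ? "occurs more than once" :
                off == -3 ? "is already patched" : "was not found");
        free(buf);
        return 1;
    }

    /* The input file is never modified; the result goes to a new file. */
    FILE *out = fopen(argv[2], "wb");
    if (!out || fwrite(buf, 1, (size_t)size, out) != (size_t)size) {
        perror(argv[2]);
        if (out) fclose(out);
        free(buf);
        return 1;
    }
    fclose(out);
    free(buf);
    printf("changed byte at offset 0x%lX, wrote %s\n", off, argv[2]);
    return 0;
}
```

With the branch unconditional the tool skips the flash vendor check for any chip, not only the Macronix part (ID C2) in the MN-700.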

disq
23-03-2005, 05:07
if asus flash util fails (in recovery mode), the appropriate way to flash is:

- open up a "ping -t 192.168.1.1" window
- get in recovery mode: power off, hold reset, power on, wait one second, release reset. the power led should start blinking slowly in orange.
- ping replies should start coming shortly. you can now close the ping window.
- run the asus flash util, select the firmware, hit upload (it will fail, just wait till it fails)
- close the flash util
- use a tftp client to upload the firmware. like this, in winxp: tftp.exe -i 192.168.1.1 put firmwareimage.trx
- wait a few (around 10, for example) seconds just to be safe

- if you are flashing an ASUS firmware, it won't self-boot. just plug the power off, and replug it. it should boot and the green leds should light up. (login from web with admin/admin)

- if you are flashing openwrt, it will take some time until the self-init is complete. do not turn the device off. and wait until you see the green leds come up. if everything goes OK, you should be able to telnet to the box. after logging in, reboot the box (via the "reboot" command, or by cycling power) so the filesystem is completely initialized. (firmware i used was: OpenWRT Experimental Generic JFFS2 4MB ( http://openwrt.org/downloads/experimental/bin/openwrt-generic-jffs2-4MB.trx))

Antiloop
23-03-2005, 09:14
fixing wrtjtag.exe

back up the file, and then open it with a hex editor. (ultraedit is good)

look for: 01 5E 74 14 68 B8 AA
replace with: 01 5E EB 14 68 B8 AA (replace the 74 with EB)

that removes the amd-flash check from wrtjtag.exe. so you can use it with the mn700.

by the way, that wrtjtag.exe i'm talking about is located at: http://www.ranvik.net/prosjekter-privat/jtag_for_wrt54g_og_wrt54gs/
just get it and replace the byte before using with mn700. (if you don't edit it, you won't be able to erase/write to flash. backup always works)

and everybody thank Oleg for the info and pmon images :)


edit: by the way, the win32 wrtjtag.exe is twice as slow compared to the linux "wrt54g" binary. (23 secs to go up 1% in win32, 11 secs in linux. also in windows if you set it to low priority or use some cpu power -like watching a movie while flashing-, it tends to hang sometimes.)
if possible please include the (altered) util in your post so other people can use it as well

disq
23-03-2005, 10:26
the modified wrtjtag-modified.exe along with the required files to run it is attached. you would still want to read HairyDairyMaid_WRT54G_v2_DeBrick_Guide.pdf first, which is available in several places, including the above url.

Oleg
23-03-2005, 12:08
ok, booted from a slackware installation cd and used the modified wrt54g binary (which i compiled on another box) to flash pmon.

after booting back from windows, the asus utility didn't see the device at first. rebooted the device. ping replies started coming back, but asus util still couldn't update.

so i just tftp'd the firmware and it's now working. hellooo, WL500!
The reason for that is that your PC has multiple network interfaces. ASUS utility is buggy so it could not handle this.

disq
23-03-2005, 14:59
The reason for that is that your PC has multiple network interfaces. ASUS utility is buggy so it could not handle this.

i even tried disabling all the extra interfaces with no luck. anyway, openwrt kernel doesn't recognize the radio, (tho it's kinda working anyhow, captured its beacon signal via another AP running kismet) do you exactly know what steps to take (in the openwrt source tree, prolly just kernel configuration) to get it running?

also, what does the "Basic MN-700 support" you added to the latest firmware consist of? i'm too lazy and tired to fetch both versions and do a diff, maybe you can sum it up for us?

Oleg
23-03-2005, 15:14
i even tried disabling all the extra interfaces with no luck. anyway, openwrt kernel doesn't recognize the radio, (tho it's kinda working anyhow, captured its beacon signal via another AP running kismet) do you exactly know what steps to take (in the openwrt source tree, prolly just kernel configuration) to get it running?

I've no idea.


also, what does the "Basic MN-700 support" you added to the latest firmware consist of? i'm too lazy and tired to fetch both versions and do a diff, maybe you can sum it up for us?
LED and RESTORE button support (this is hw dependent).

pietia7
25-03-2005, 11:55
Just wanted to let you know that after few tries I was able to flash new firmware to my mn700

Right now I'm using 1.9.2.7-4 customized firmware and it's working great.

NOTE to anyone trying to make it work:
YOUR CABLE CAN'T BE LONGER THAN 20-25 cm!!!!!!!!!!!!!!!

At first mine was a little longer and I was able to flash new bootloader.... but it just didn't work. And I tried it many times - believe me it's very annoying. But once I cut my cable almost in half - one flashing was enough. The rest is very easy just as it is explained in forum. IMHO it's worth it :))))

THANKS TO OLEG FOR BOOTLOADER AND FIRMWARE!

Intelman
26-03-2005, 01:56
Woo, the stuff works :P I think......someone should send me a cable lol.

tomilius
26-03-2005, 22:24
EDIT: OK, that's better.

Cool! Nice work you guys. But... don't you think this thread should be somewhere else? I can't imagine anyone looking for it would think of it being here.

Intelman
28-03-2005, 21:20
tomilius, this forum is directly linked from google :P so people know where to find it!

fiurico
06-04-2005, 01:16
NEWBIE so please don't chew me alive!

There is a hack for mn700 now? Can you please describe the process in short as I don't quite get it (yes I read all 61 posts before mine twice over).

Second, what does the new firmware people are putting on it do as it is not mentioned and I would like to know the benefits of such firmware.

Thanks a mil,

Rico

disq
17-04-2005, 13:19
the mn700 seems to reboot whenever i try to transfer something via the wireless interface. after 4 or 5 megabytes transferred, it reboots. probably kernel panic. (and can't attach a serial to see what's going on because they didn't include the uart)

tried with the latest Oleg firmware and the latest (Mar28) OpenWrt experimental, same result.

also the unit sometimes reboots itself (sometimes 1-3 times per hour) whether I use it or not. disabled the radio and it didn't reboot then.

any recommendations? other mn700 owners having the same problems?

Oleg
17-04-2005, 13:45
The same thing happens with wl500g as well, there seems to be wireless module issue. So, just wait for the next GPL ball from ASUS - it should contain an updated driver (1.9.3.5 binary has it).

3chansen
20-04-2005, 21:18
I will try using the altered windows debrick utility Disq posted, and shorten my cable to 6" (currently 24"), that could have been one reason why I wasn't getting pwr to the par port--(FFFFFFFF) cpu id.

Also, would it be much trouble to write a script to code a specific MAC in the bootloader? Or hex editor replace instructions??? Also, the current firmware for the wl500g has the HW led and reset support for the mn700, right? Good work on the firmware!
Chuck

Oleg
20-04-2005, 21:45
I will try using the altered windows debrick utility Disq posted, and shorten my cable to 6" (currently 24"), that could have been one reason why I wasn't getting pwr to the par port--(FFFFFFFF) cpu id.

Also, would it be much trouble to write a script to code a specific MAC in the bootloader? Or hex editor replace instructions??? Also, the current firmware for the wl500g has the HW led and reset support for the mn700, right? Good work on the firmware!
Chuck
FFFFFFFF means, that your cable is either disconnected or not correctly wired. As for bootloader - PM me your MAC address and I will prepare bootloader for you.
Yes, mn700 led and button are supported now.

bradmyers
24-04-2005, 20:17
I've read thru all of the posts on here regarding the MN-700, but it's kinda kludgy. Can someone post a decent step by step guide to flashing the firmware with either the wrt54g or wl500g stuff. Perhaps some specifics on the JTAG cable and what needs to be modified in the software.

Thanks!

sbyers77
03-05-2005, 12:53
Well, I found this page through google, which I've read through several times. It seems that I will have a little project on my hands playing with an old MN-700 my roommates and I replaced with a WRT54G.

As I hate to see hardware not be utilized, I figured perhaps we could do some sort of wireless bridge to the xbox across the house, only to find the MN-700 firmware doesn't support it. Hopefully I can figure this out, as this will be my first time working with jtag, but I have worked with soldering and reflashing small chips in some of my classes.

After I build my cable and start playing I am sure I will have some questions, but right now I'd just like to thank you guys for the work you've put into this!

derheimi
06-05-2005, 18:14
First, thank you all for this great work.

After having built a jtag cable I tried to backup the whole flash. It seems that this worked, so I thought my cable should be ok. But when trying to flash the new cfe, I get a few (10-15) "ERROR ON READ". And when I backup the newly flashed cfe it differs from the file on disk and after powering on the device I can't tftp the new firmware. So I think something (flashing) isn't working yet. Is this a cable problem? My cable is around 8 cm and I used the v2.2 of the debrick util.
Anybody an idea?

Thanks!

disq
07-05-2005, 00:12
flash the new cfe, I get a few (10-15) "ERROR ON READ". And when I backup the newly flashed cfe it differs from the file on disk and

that sometimes happened to me too, especially when i loaded the system (watching a movie etc) whilst flashing, and everytime i got that i had to restart (restart flashing). you might try using linux (you'll need to a) edit the source, remove the chiptype check and b) "insmod lp" before flashing)

stig_dk
08-05-2005, 21:52
Hi
I was wondering, would the pin trick (http://openwrt.org/OpenWrtDocs/Troubleshooting) work on the mn-700 with stock firmware/bootloader? If not, guess I'll have to build a jtag cable soon ;-)

cheers
/Stig

stig_dk
12-05-2005, 01:57
Hi All
Just wanted to say that now (thanks to Oleg!) my MN-700 runs the 1.9.2.7-5 firmware. Did the flashing from my Novell Linux Desktop installation on my old laptop. Had to make an alias for parport0 in modprobe.conf before it worked. Also, doing a telinit 1 made a lot of difference, as all flash attempts from runlevel 3/5 failed...

About the cable... THE PICTURES IN THE DEBRICK PDF ARE MIRRORED!!! Just pay attention to the pin diagrams, and you'll be fine :-p

Now, how do i solder on a USB port? ;-)

cheers
/Stig

Oleg
12-05-2005, 10:57
Now, how do i solder on a USB port? ;-)

Do you really need this? If so, post your system log (reboot first) and make a hi-res picture of the BCM4702 and surroundings on the top side of PCB and from the reverse side of PCB.

stig_dk
12-05-2005, 15:38
Well, the router is *so* much better than with the MS WinCE on it, so I'm quite happy as it is. Still, I wouldn't mind being able to hook my printer or a USB flashdisk up to it. It all depends on the risk involved in the process ;-) The top-side of the PCB is just like the picture in this thread, I'll see what I can do about the bottom PCB picture and the syslog when I get home.

cheers!
/Stig

Oleg
12-05-2005, 15:47
Well, if you do not have experience in playing with hw, then it's risky.
I need a really hi-res picture to be able to read labels on the resistors. Picture from the first post is not so clear.

stig_dk
12-05-2005, 20:01
Well, I'm mostly a software guy, but I have done a bit of tinkering with hardware in the past. I'm afraid I can't produce pictures of proper quality of the PCB, perhaps someone else can help out here?

cheers!
/Stig

stig_dk
13-05-2005, 00:05
Here is the log...

Jan 1 01:00:04 syslogd started: BusyBox v1.00 (2005.05.11-18:29+0000)
Jan 1 01:00:04 dnsmasq[54]: started, version 2.17 cachesize 150
Jan 1 01:00:04 dnsmasq[54]: DHCP, IP range 192.168.1.2 -- 192.168.1.254, lease time 24h
Jan 1 01:00:04 dnsmasq[54]: DHCP, /tmp/dnsmasq.log will be written every 28800s
Jan 1 01:00:04 dnsmasq[54]: read /etc/hosts - 5 addresses
Jan 1 01:00:04 dnsmasq[54]: reading /tmp/resolv.conf
Jan 1 01:00:04 kernel: MPPE/MPPC encryption/compression module registered
Jan 1 01:00:04 kernel: Amd/Fujitsu Extended Query Table v1.1 at 0x0040
Jan 1 01:00:04 kernel: Physically mapped flash: Swapping erase regions for broken CFI table.
Jan 1 01:00:04 kernel: number of CFI chips: 1
Jan 1 01:00:04 kernel: Flash device: 0x400000 at 0x1fc00000
Jan 1 01:00:04 kernel: Physically mapped flash: squashfs filesystem found at block 941
Jan 1 01:00:04 kernel: Creating 5 MTD partitions on "Physically mapped flash":
Jan 1 01:00:04 kernel: 0x00000000-0x00040000 : "pmon"
Jan 1 01:00:04 kernel: 0x00040000-0x003e0000 : "linux"
Jan 1 01:00:04 kernel: 0x000eb5b4-0x003e0000 : "rootfs"
Jan 1 01:00:04 kernel: 0x003f0000-0x00400000 : "nvram"
Jan 1 01:00:04 kernel: 0x003e0000-0x003f0000 : "config"
Jan 1 01:00:04 kernel: sflash: chipcommon not found
Jan 1 01:00:04 kernel: NET4: Linux TCP/IP 1.0 for NET4.0
Jan 1 01:00:04 kernel: IP Protocols: ICMP, UDP, TCP
Jan 1 01:00:04 kernel: IP: routing cache hash table of 512 buckets, 4Kbytes
Jan 1 01:00:04 kernel: TCP: Hash tables configured (established 1024 bind 2048)
Jan 1 01:00:04 kernel: ip_conntrack version 2.1 (128 buckets, 1024 max) - 344 bytes per conntrack
Jan 1 01:00:04 kernel: ip_conntrack_pptp version 1.9 loaded
Jan 1 01:00:04 kernel: ip_nat_pptp version 1.5 loaded
Jan 1 01:00:04 kernel: ip_tables: (C) 2000-2002 Netfilter core team
Jan 1 01:00:04 kernel: ipt_time loading
Jan 1 01:00:04 kernel: NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
Jan 1 01:00:04 kernel: IPv6 v0.8 for NET4.0
Jan 1 01:00:04 kernel: IPv6 over IPv4 tunneling driver
Jan 1 01:00:04 kernel: NET4: Ethernet Bridge 008 for NET4.0
Jan 1 01:00:04 kernel: 802.1Q VLAN Support v1.7 Ben Greear <greearb@candelatech.com>
Jan 1 01:00:04 kernel: All bugs added by David S. Miller <davem@redhat.com>
Jan 1 01:00:04 kernel: FAT: bogus logical sector size 2560
Jan 1 01:00:04 kernel: FAT: bogus logical sector size 2560
Jan 1 01:00:04 kernel: NTFS: Unable to set blocksize 512.
Jan 1 01:00:04 kernel: VFS: Mounted root (squashfs filesystem) readonly.
Jan 1 01:00:04 kernel: Mounted devfs on /dev
Jan 1 01:00:04 kernel: Freeing unused kernel memory: 72k freed
Jan 1 01:00:04 kernel: Warning: unable to open an initial console.
Jan 1 01:00:04 kernel: Algorithmics/MIPS FPU Emulator v1.5
Jan 1 01:00:04 kernel: eth0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.90.7.0
Jan 1 01:00:04 kernel: eth1: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.90.7.0
Jan 1 01:00:04 kernel: PCI: Enabling device 01:01.0 (0004 -> 0006)
Jan 1 01:00:04 kernel: eth2: Broadcom BCM4325 802.11 Wireless Controller 3.90.23.0
Jan 1 01:00:04 kernel: device eth0 entered promiscuous mode
Jan 1 01:00:04 kernel: device eth2 entered promiscuous mode
Jan 1 01:00:04 kernel: br0: port 2(eth2) entering listening state
Jan 1 01:00:04 kernel: br0: port 1(eth0) entering listening state
Jan 1 01:00:04 kernel: br0: port 2(eth2) entering learning state
Jan 1 01:00:04 kernel: br0: port 1(eth0) entering learning state
Jan 1 01:00:04 kernel: br0: port 2(eth2) entering forwarding state
Jan 1 01:00:04 kernel: br0: topology change detected, propagating
Jan 1 01:00:04 kernel: br0: port 1(eth0) entering forwarding state
Jan 1 01:00:04 kernel: br0: topology change detected, propagating
Jan 1 01:00:05 kernel: usb.c: registered new driver usbdevfs
Jan 1 01:00:05 kernel: usb.c: registered new driver hub
Jan 1 01:00:05 kernel: usb-ohci.c: USB OHCI at membase 0xb8004000, IRQ 2
Jan 1 01:00:05 kernel: usb-ohci.c: usb-00:04.0, PCI device 14e4:4715
Jan 1 01:00:05 kernel: usb.c: new USB bus registered, assigned bus number 1
Jan 1 01:00:05 kernel: hub.c: USB hub found
Jan 1 01:00:05 kernel: hub.c: 2 ports detected
Jan 1 01:00:06 kernel: lp0: using parport0 (polling).
Jan 1 01:00:07 kernel: usb.c: registered new driver usblp
Jan 1 01:00:07 kernel: printer.c: v0.13: USB Printer Device Class driver
Jan 1 01:00:07 kernel: hub.c: new USB device 00:04.0-2, assigned address 2
Jan 1 01:00:07 kernel: usb.c: USB device not accepting new address=2 (error=-145)
Jan 1 01:00:07 kernel: hub.c: new USB device 00:04.0-2, assigned address 3
Jan 1 01:00:07 kernel: usb.c: USB device not accepting new address=3 (error=-145)
Jan 1 01:00:07 kernel: hub.c: new USB device 00:04.0-1, assigned address 4
Jan 1 01:00:07 kernel: usb.c: USB device not accepting new address=4 (error=-145)
Jan 1 01:00:08 kernel: hub.c: new USB device 00:04.0-1, assigned address 5
Jan 1 01:00:08 kernel: usb.c: USB device not accepting new address=5 (error=-145)
Jan 1 01:00:09 kernel: usb.c: registered new driver audio
Jan 1 01:00:09 kernel: audio.c: v1.0.0:USB Audio Class driver
Jan 1 01:00:09 kernel: Linux video capture interface: v1.00
Jan 1 01:00:10 udhcpc[80]: udhcpc (v0.9.9-pre) started
Jan 1 01:00:10 kernel: lp driver: get device ID
Jan 1 01:00:10 kernel: neg fail
Jan 1 01:00:11 dnsmasq[54]: read /etc/hosts - 5 addresses
Jan 1 01:00:11 dnsmasq[54]: reading /tmp/resolv.conf
Jan 1 01:00:11 dhcp client: deconfig: lease is lost
Jan 1 01:00:12 kernel: lp driver: get device ID
Jan 1 01:00:12 dropbear[94]: Running in background
Jan 1 01:00:12 kernel: neg fail
Jan 1 00:00:12 kernel: neg fail
Jan 1 00:00:12 kernel: lp driver: get device ID
Jan 1 00:00:12 kernel: neg fail
Jan 1 00:00:12 kernel: neg fail
Jan 1 00:00:13 udhcpc[80]: Lease of 10.0.0.3 obtained, lease time 259200
Jan 1 00:00:13 dnsmasq[54]: read /etc/hosts - 5 addresses
Jan 1 00:00:13 dnsmasq[54]: reading /tmp/resolv.conf
Jan 1 00:00:13 dnsmasq[54]: using nameserver 212.242.40.51#53
Jan 1 00:00:13 dnsmasq[54]: using nameserver 212.242.40.3#53
Jan 1 00:00:14 dhcp client: bound IP : 10.0.0.3 from 10.0.0.1
Jan 1 00:00:18 kernel: lp driver: get device ID
Jan 1 00:00:18 kernel: neg fail
Jan 1 00:00:18 kernel: neg fail
May 12 23:51:38 kernel: lp driver: get device ID
May 12 23:51:38 kernel: neg fail
May 12 23:51:38 kernel: neg fail
May 12 23:51:44 ntp client: Synchronizing time with time.nist.gov ...
May 12 23:51:44 kernel: lp driver: get device ID
May 12 23:51:44 kernel: neg fail
May 12 23:51:44 kernel: neg fail
May 12 23:51:50 kernel: lp driver: get device ID
May 12 23:51:50 kernel: neg fail
May 12 23:51:50 kernel: neg fail
May 12 23:51:56 kernel: lp driver: get device ID
May 12 23:51:56 kernel: neg fail
May 12 23:51:56 kernel: neg fail
May 12 23:52:02 kernel: lp driver: get device ID
May 12 23:52:02 kernel: neg fail
May 12 23:52:02 kernel: neg fail
May 12 23:52:08 kernel: lp driver: get device ID
May 12 23:52:08 kernel: neg fail
May 12 23:52:08 kernel: neg fail
May 12 23:52:14 kernel: lp driver: get device ID
May 12 23:52:14 kernel: neg fail
May 12 23:52:14 kernel: neg fail
May 12 23:52:20 kernel: lp driver: get device ID
May 12 23:52:20 kernel: neg fail
May 12 23:52:20 kernel: neg fail

Oleg
13-05-2005, 12:33
Ok, you're out of luck then. It seems USB port is not wired out of the chip.
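
Added example (not part of any post in this thread): a small Python parser for the boot log above that pulls out the flash partition map and the per-port USB enumeration results. The sample lines are an excerpt of the posted log; the function names are made up for this example, and reading "pmon" as the bootloader region is an assumption based on how Broadcom-based kernels usually name it.

```python
import re

# Excerpt of the log lines posted above, embedded so the example runs offline.
SAMPLE_LOG = '''\
Jan 1 01:00:04 kernel: Flash device: 0x400000 at 0x1fc00000
Jan 1 01:00:04 kernel: 0x00000000-0x00040000 : "pmon"
Jan 1 01:00:04 kernel: 0x00040000-0x003e0000 : "linux"
Jan 1 01:00:04 kernel: 0x000eb5b4-0x003e0000 : "rootfs"
Jan 1 01:00:04 kernel: 0x003f0000-0x00400000 : "nvram"
Jan 1 01:00:04 kernel: 0x003e0000-0x003f0000 : "config"
Jan 1 01:00:05 kernel: hub.c: 2 ports detected
Jan 1 01:00:07 kernel: hub.c: new USB device 00:04.0-2, assigned address 2
Jan 1 01:00:07 kernel: usb.c: USB device not accepting new address=2 (error=-145)
Jan 1 01:00:07 kernel: hub.c: new USB device 00:04.0-2, assigned address 3
Jan 1 01:00:07 kernel: usb.c: USB device not accepting new address=3 (error=-145)
Jan 1 01:00:07 kernel: hub.c: new USB device 00:04.0-1, assigned address 4
Jan 1 01:00:07 kernel: usb.c: USB device not accepting new address=4 (error=-145)
Jan 1 01:00:08 kernel: hub.c: new USB device 00:04.0-1, assigned address 5
Jan 1 01:00:08 kernel: usb.c: USB device not accepting new address=5 (error=-145)
'''

FLASH_RE = re.compile(r'Flash device: (0x[0-9a-f]+) at (0x[0-9a-f]+)')
MTD_RE = re.compile(r'(0x[0-9a-f]{8})-(0x[0-9a-f]{8}) : "([^"]+)"')
USB_NEW_RE = re.compile(r'new USB device (\S+), assigned address (\d+)')
USB_FAIL_RE = re.compile(r'USB device not accepting new address=(\d+)')


def mtd_partitions(log):
    """Return {name: (start, end)} from the kernel's MTD partition lines."""
    return {m.group(3): (int(m.group(1), 16), int(m.group(2), 16))
            for m in MTD_RE.finditer(log)}


def layout_report(log):
    """Sizes, nesting and uncovered gaps of the flash layout in the log."""
    parts = mtd_partitions(log)
    flash = FLASH_RE.search(log)
    flash_size = int(flash.group(1), 16) if flash else None

    # A partition fully inside another one (here rootfs inside linux).
    nested = sorted((inner, outer)
                    for inner, (s1, e1) in parts.items()
                    for outer, (s2, e2) in parts.items()
                    if inner != outer and s2 <= s1 and e1 <= e2)
    inner_names = {inner for inner, _ in nested}

    # Walk the top-level partitions in address order and note any holes.
    gaps, pos = [], 0
    for start, end, _name in sorted((s, e, n) for n, (s, e) in parts.items()
                                    if n not in inner_names):
        if start > pos:
            gaps.append((pos, start))
        pos = max(pos, end)
    if flash_size is not None and pos < flash_size:
        gaps.append((pos, flash_size))

    return {"flash_size": flash_size,
            "sizes": {n: e - s for n, (s, e) in parts.items()},
            "nested": nested,
            "gaps": gaps}


def usb_enumeration(log):
    """Per hub port: (address assignments attempted, assignments that failed)."""
    stats, pending = {}, {}          # pending: address -> port awaiting a result
    for line in log.splitlines():
        m = USB_NEW_RE.search(line)
        if m:
            port, addr = m.group(1), int(m.group(2))
            pending[addr] = port
            tried, failed = stats.get(port, (0, 0))
            stats[port] = (tried + 1, failed)
            continue
        m = USB_FAIL_RE.search(line)
        if m and int(m.group(1)) in pending:
            port = pending.pop(int(m.group(1)))
            tried, failed = stats[port]
            stats[port] = (tried, failed + 1)
    return stats


def never_enumerated(log):
    """Ports where every single address assignment failed."""
    return sorted(p for p, (tried, failed) in usb_enumeration(log).items()
                  if tried and tried == failed)


if __name__ == "__main__":
    report = layout_report(SAMPLE_LOG)
    for name, size in report["sizes"].items():
        print(f"{name:8s} {size // 1024:5d} KB")
    print("nested:", report["nested"], "gaps:", report["gaps"])
    print("ports that never enumerated:", never_enumerated(SAMPLE_LOG))
```

On this log both ports of the hub report a "new device" and fail every address assignment, with nothing plugged in.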

3chansen
14-05-2005, 18:20
No usb hardwired out of chip??? Maybe it's still mod-able??? Here are the pics just in case. Let me know which resistors you need to know the resistance of, cause it's still kinda hard to read.

http://scatcat.fhsu.edu/~cmhansen/front.JPG

http://scatcat.fhsu.edu/~cmhansen/back.JPG

I don't know if that helps...if not, I can delete this post since it takes up a bit of space : ].

derheimi
05-06-2005, 19:49
Success!

For my first trials to flash I used the parallel port of my notebook. Both Linux and Windows tools didn't work: the written cfe always differed from the binary I used to flash.
Today I tried it with an old Pentium using the Linux tool: it worked perfectly after 2 trials.

Maybe the notebook port isn't shielded enough and captures too much "interference".

Now, I use the latest firmware from Oleg's page and all seems to be fine :-)

Again, thank you for this great work!

CMoZ
08-06-2005, 00:05
Can someone just post the bootloader and how to modify it correctly. This is extremely inefficient if everyone has to PM Oleg to get a bootloader.

Specific questions I have

1. Where can I obtain the bootloader? (link please)

2. When modifying it does the MAC have to match the actual MAC of the MN-700 or the MAC I intend to use?

3. Once the MN-700 is updated with the new bootloader what utility do we use to update the firmware? (link if possible please)


Thanks for your help

Oleg
08-06-2005, 08:10
Can someone just post the bootloader and how to modify it correctly. This is extremely inefficient if everyone has to PM Oleg to get a bootloader.

That's fine, and it's automated. So, just PM me MAC addresses. :)


Specific questions I have

1. Where can I obtain the bootloader? (link please)

2. When modifying it does the MAC have to match the actual MAC of the MN-700 or the MAC I intend to use?

You could use any MAC address of your choice.


3. Once the MN-700 is updated with the new bootloader what utility do we use to update the firmware? (link if possible please)
ASUS Firmware Restoration Tool, browse ASUS wl500g downloads section on their website for utilities.

Sandcast
09-06-2005, 14:17
Just wanted to post a reply on this thread thanking Oleg and all the other people that have posted info on this project, thanks oleg for the bootloader, excellent work on it BTW. I finally have my mn-700 running custom firmware, and it performs much better so far, haven't had much time to play with it yet though. It took me about 20 tries to get the bootloader installed, the wrtjtag-modified.exe kept hanging up during updates, but it eventually worked. I'm almost positive it had something to do with the configuration of my workstation. But, Nevertheless, it works now. Thanks for this thread. :)

sbyers77
11-06-2005, 13:41
Well, I am posting this message via wireless internet through my MN-700 that is now running the 1.9.2.7-5 firmware. Thanks to everyone with the info for this project, especially Oleg with the bootloader, it went rather smoothly.

It took me about 6 hours from cable assembly to connecting to the internet. I got my cable made right on the first try! It cost me about $5 in parts from the local electronics shop. It found the chip with no problems, although I thought something was wrong as it was freezing after "rebooting processor". I added the /noreset switch and it worked fine after that. I had to flash in Windows because I wasn't sure what to change in the source code for Linux.

There should be a check for 0x1 as an ID - you should add 0xc2 as one of the possibilities.
I am not sure what that means. I am new to Linux so even though I already flashed in windows, could someone explain this a little more in depth so I can learn?

Thanks again for this!

sbyers77
13-06-2005, 01:00
Since I am so grateful for the work put into this project and I like to give back the community, I will type a quick step-by-step guide for those that were asking for one.

This mod requires you to open your hardware and to solder on the board. If you are uncomfortable with desoldering/soldering or unwilling to risk frying your router in the process, this mod may not be for you. If you are like me and had one lying around because you upgraded the piece of crap with something better, then have at it.

There are really only three steps, but they are a little involved.

1) Build a JTAG cable
This is outlined in the earlier posts, but all you need to do is follow these diagrams:

http://oregonstate.edu/~byerss/Images/diag.jpg

http://oregonstate.edu/~byerss/Images/ref.jpg

You will need:
1 - Male DB-25 Connector (with solder cups)
4 - 100ohm resistors
1 - 5 to 12 wire ribbon cable (only 5 wires will be connected)
1 - 12 pin connector
1 - 12 pin header

The pictures of the actual cable in the pdf (http://oregonstate.edu/~byerss/programs/hairydairymaid_debrickv22.zip) posted earlier are reversed so just follow the diagram above. My DB-25 connector was labeled with pin numbers next to the solder cups. From the back (looking at the solder cups) it looked like:

http://oregonstate.edu/~byerss/Images/db25fem.gif

Once you open up the case of the MN-700, you will find the pin numbers for the JTAG port are printed on the board so it should be pretty easy to follow. The finished cable should be no longer than 25cm or about 10 inches, otherwise you will have too much noise in the line. You can use a parallel port extension cord to reach the back of your computer, but I just pulled out my computer and piled up some reams of paper to support the router while flashing.

The last thing, and most time consuming for myself, was to clean out the JTAG port holes on the board and solder in the 12-pin header. You need a soldering iron and either a solder sucker or solder braid to clean out the holes.

Once you have all of this done you are ready to move on to the next step.


2) Use cable to backup/flash bootloader

First you need to get a copy of the modified bootloader from Oleg. Send him a private message with your MAC address of the router and he will hook you up (and make sure you thank him).

Now you can use software either under Windows or Linux. Using a Linux distribution will flash about twice as fast compared to windows, but either work. Since I had to use Windows, as I am sure a lot of people will, I will outline that. First get a copy of your software, which I have mirrored.

Windows (http://oregonstate.edu/~byerss/programs/wrtjtag-modified.zip)
Linux (http://oregonstate.edu/~byerss/programs/wrt54g.zip)

In windows extract the zip to a known location. Then go to start > run and type "cmd" and hit enter. This brings up the command prompt. Browse to the directory you unzipped to and type "wrtjtag-modified" and hit enter. It will display all of the options and switches to use. For example you will want to backup your bootloader from the router in case you run into trouble. To do this type

wrtjtag-modified -backup:cfe /noreset
Connect the JTAG cable and plug in the power to the router, then hit enter. It will start to backup the bootloader. If you get an error you've built your cable wrong.

Next you need to flash the bootloader you obtained from Oleg. Place it in the directory you are running the program from and rename it to "cfe.BIN". Type

wrtjtag-modified -flash:cfe /noreset
Once you hit enter it will start flashing the new bootloader onto the router. If it completes successfully, continue on to the next step. The hard part is over.

3) Flash new firmware with ASUS firmware utility

Head on over to ASUS website and download the utilities package (http://www.asus.com.tw/pub/ASUS/wireless/WL-500g-03/Eng_1380.zip) for the WL-500. Included is a firmware restoration tool we will use to flash the new firmware. You will also need the firmware you are planning on using. I used the 1.9.2.7-5 firmware found on this website. You will also need to turn off all network devices except for the one needed to connect to the router (disable them in the device manager).

Install the ASUS utilities and open the firmware restoration tool. Click "Browse" to tell it where you downloaded your firmware to and hit "Open". To start the firmware update click on "Upload". Once completed you will have a brand new "WL-500g". Hope this helps! Good Luck!

pcbroch
23-06-2005, 14:04
Thanks to the great info I found here, I have managed to reflash my bootloader and firmware to a REAL OS. Who needs WinCE!? Linux rocks!

Now the sky is the limit, and I'd like to add a serial (can I add 2) port to my mn700, so I can adapt it to my home automation system. I haven't found any specific info on the mn700 (I might just not be looking in the right place) serial ports.

Is the pinout the same as the wl500g? On the openwrt site they indicate you need to convert 3.3V to 12V with a MAX233A, but nothing more.

Can anyone provide any help?

Thanks!

Oleg
23-06-2005, 14:29
Now the sky is the limit, and I'd like to add a serial (can I add 2) port to my mn700, so I can adapt it to my home automation system. I haven't found any specific info on the mn700 (I might just not be looking in the right place) serial ports.

Is the pinout the same as the wl500g? On the openwrt site they indicate you need to convert 3.3V to 12V with a MAX233A, but nothing more.

It's not so simple. mn700 requires uart to be soldered on the back side of the PCB...

pcbroch
23-06-2005, 14:44
I'd be happy to do it, if only I knew which parts to use. Has it been done? Is the info available?

I'm willing to lend my MN700 to science

Oleg
23-06-2005, 14:58
I'd be happy to do it, if only I knew which parts to use. Has it been done? Is the info available?

Unfortunately no. Should be similar to wrt54g 1.x, which requires uart (read seattle wireless).

narwhal
09-07-2005, 01:26
OK gang, I've been beating my head up on this for about 10 days now. I successfully got the CFE upgraded, but then couldn't get it to flash from the net (it would take the tftp image, but never seemed to flash it). many tries later, I've succeeded in fully bricking it (I think erasing the WHOLEFLASH.BIN was probably not a good idea). I get all four LAN lights green for ~2 sec on boot, then only a cable connected LAN light. No power lights at all.

I plan on rebuilding my cable thinking that it's flaked out somehow (it concerns me that backing up the CFE.BIN doesn't give me the same data as the CFE.BIN that I flashed). But in the mean time, anyone want to let me download a WHOLEFLASH.BIN backup? That would give me the option of rebuilding the whole thing with a known state (albeit that it would surely take ~12 hours to do so)....

Any other suggestions?

thanks again gang, while I'm stuck I am enjoying the challenge anyway.

-tv
narwhalDC @t gmail d.ot com

Oleg
09-07-2005, 10:39
You do not need full flash. Just reflash cfe.bin (and check that flashed image is identical to file) and erase nvram.

hsddlawley
16-07-2005, 22:52
Just a quick thanks for the work on this project, which I did on one of my mn-700 this morning. hats off oleg,thanks.

will have another one to do, but for now let see how this performs this week.

hsddlawley
19-07-2005, 15:36
Just a quick thanks for the work on this project, which I did on one of my mn-700 this morning. hats off oleg,thanks.

will have another one to do, but for now let see how this performs this week.


Just another quick note, and THANKS. This has raised my 700 from the dead and possible trash heap. Did my second unit and now have WDS working in my home. Talk about a great way to recycle!

Off to locate couple of more if I can find them..

Thanks Oleg!

pcbroch
19-07-2005, 20:22
Unfortunately no. Should be similar to wrt54g 1.x, which requires uart (read seattle wireless).

Woooohooooo!!!!!

[root@MN700-Shared root]$ cat /proc/tty/driver/serial
serinfo:1.0 driver:5.05c revision:2001-07-08
0: uart:ST16650 port:BF800000 irq:2 baud:120535 tx:606 rx:0 RTS|CTS|DTR|DSR|CD|RI
1: uart:ST16650 port:BF800008 irq:0 tx:0 rx:0 CTS|DSR|CD|RI


http://www.kegit.com/albums/MN700/100_0314.sized.jpg

I haven't installed a MAX232 yet (and I'm missing 2 caps for the crystal), but the fact that the kernel sees it is encouraging.

narwhal
20-07-2005, 04:26
Oleg, thanks for the info and great work!

I figured out that it appeared to be a problem of too much EMI at the office. Works fine to flash the CFE I built at home, but not at work. Strange.

Anyway, I now can tftp to 192.168.1.1 and get the magic file name to set it to accept an image (and the power light goes from green/amber blink to green-solid). I then put my .trx file as ASUSSPACELINK. Lots of net activity for a couple of seconds, green/amber blink on power LED for a couple of secs, then amber solid power LED, and it sits there--forever (like I've given it hours and no change). In this case, no ping response either. I power cycle it, erase the nvram, power cycle it and back to the top of this paragraph. Argh!

Is it possible I built a bogus CFE? Anyone want to share one w/ me that is known good?

Any other ideas? I'm so close I can taste it, but still not there. Thanks again to all the players here, it's been a great project so far even if it's still not working. At least it doesn't have WinCE on it anymore ;-)

Oleg
20-07-2005, 09:06
Ok. Steps to be done.

1) Flash the bootloader, which I've prepared for you
2) Read it back to check, that it has byte to byte match.
3) run wrt54g utility again and erase nvram
4) off/on your device, so it would start blinking
5) Use ASUS Windows restoration tool from windows, do not use tftp and flash wl500g 1.9.2.7-6b firmware
6) Once flashed it should reboot and turn on AIR led, as well power led should switch to other color in the end of boot
7) Let me know of your progress :)

x) if it does not boot - use wrt54g utility to read kernel from the flash and send this image to me (or compare it with trx image - should be the same)
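
Added example (not part of any post in this thread): one way to do the byte-to-byte check from step 2, and to see where a readback like the ones reported earlier in the thread differs from the file that was flashed. It assumes the readback may be longer than the image because the tool saves the whole bootloader region, and a 64 KB erase block that is used only to group the report; file names and function names are hypothetical.

```python
import sys

ERASED = 0xFF       # an erased NOR flash byte reads back as 0xFF
SECTOR = 0x10000    # assumed 64 KB erase block; only used to group the report


def compare_images(image, readback, sector=SECTOR):
    """Compare the file that was flashed with the copy read back over JTAG."""
    common = min(len(image), len(readback))
    runs = []           # [start, end) ranges of differing bytes
    still_erased = 0    # differing bytes that read 0xFF, i.e. never programmed
    for off in range(common):
        if image[off] == readback[off]:
            continue
        if readback[off] == ERASED:
            still_erased += 1
        if runs and runs[-1][1] == off:
            runs[-1][1] = off + 1          # extend the current run
        else:
            runs.append([off, off + 1])    # start a new run

    mismatched = sum(end - start for start, end in runs)
    sectors = set()
    for start, end in runs:
        sectors.update(range(start // sector, (end - 1) // sector + 1))

    # Bytes of the region beyond the end of the image. Reported separately and
    # not counted as a failure: whether the tool erases them is not assumed.
    tail = readback[len(image):]

    return {
        "ok": mismatched == 0 and len(readback) >= len(image),
        "truncated": len(readback) < len(image),
        "mismatched_bytes": mismatched,
        "still_erased": still_erased,
        "runs": [(start, end) for start, end in runs],
        "sectors": sorted(sectors),
        "tail_not_erased": sum(1 for b in tail if b != ERASED),
    }


def demo():
    """Constructed data: a 128 KB 'image' and two 256 KB 'readbacks'."""
    image = bytes((i * 7 + 3) & 0xFF for i in range(0x20000))
    good = image + bytes([ERASED]) * 0x20000
    bad = bytearray(good)
    bad[0x1000:0x1004] = b"\xff\xff\xff\xff"   # four bytes that did not program
    bad[0x10010] ^= 0x04                        # one flipped bit, second block
    return compare_images(image, good), compare_images(image, bytes(bad))


def print_report(report):
    for key, value in report.items():
        if key == "runs":
            value = [f"0x{s:06x}-0x{e:06x}" for s, e in value]
        print(f"{key}: {value}")


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python verify_cfe.py <flashed image> <readback file>
        with open(sys.argv[1], "rb") as f_img, open(sys.argv[2], "rb") as f_rb:
            result = compare_images(f_img.read(), f_rb.read())
        print_report(result)
        sys.exit(0 if result["ok"] else 1)
    for result in demo():
        print_report(result)
        print()
```

Reading the region back twice and comparing the two readbacks with the same function separates read noise on the cable from bytes that were really written wrong.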

hsddlawley
20-07-2005, 15:28
Ok, you're out of luck then. It seems USB port is not wired out of the chip.


Sorry to drag this post out again, but have an interest in using usb on this device as well if it can be hacked in.

I take your statement to mean that MS did not lay traces on the board for usb support? But could one carefully tie into the chip directly from the bottom of the board? If the chipset provides native support are any other support components needed outside of a usb port? Is there pinout of the chipset posted anywhere on the net?

Thanks..

Oleg
20-07-2005, 15:55
I take your statement to mean that MS did not lay traces on the board for usb support?

They do not trace usb pins from the bottom of the chip

But could one carefully tie into the chip directly from the bottom of the board?

Unlikely.

If the chipset provides native support are any other support components needed outside of a usb port? Is there pinout of the chipset posted anywhere on the net?

Well, yes several resistors are needed. The pinout is as follows

USB1+ P20
USB1- P21
USB1ctrl P22
USB2+ N21
USB2- N22
USB2ctrl N20

For the first you should try grounding + or - via 15K resistors, so dmesg should stop saying can't assign address. Can't remember which line exactly should be grounded - for now it acts as presence indicator, due to a missing grounding.

hsddlawley
20-07-2005, 16:58
They do not trace usb pins from the bottom of the chip




Cool thanks for fast reply, some careful googling did turn up post elsewhere within your site of needed info of whats needed.. just needed to be more skillful with my searches..

http://wl500g.info/showthread.php?t=846

narwhal
21-07-2005, 17:04
Thanks to Oleg and a corrected CFE.BIN file, my MN-700 is up and running. Ran out of time to play with it before work this morning, so no comments on how it works yet. More updates as they occur.

-tv
PS. The tftp process of loading a .trx image works fine...

robjective
23-07-2005, 15:27
First, thanks to Oleg for the cfe, and thanks to sbyers77 for the detailed guide.

I'm not very good with a soldering iron...the longest part of the whole process was trying to clean out the plugs for the pin header. After 4 hours of trying 15W and 25W irons, desoldering braid, desoldering bulb, and even trying to dig the melted solder out with a dental pick, I gave up and just soldered the jtag wires directly to the board. It wasn't pretty but it was effective.

I was able to use wrtjtag-modified.exe to backup cfe and write the new one, but it wouldn't let me do anything else (i.e. erase NVRAM). It just seemed to get stuck. In searching for some help, I came across another guide that is a good supplement for the one here.

http://www.liamm.com/blogtest4/archives/000169hacking_the_microsoft_mn-700.html

Reading the comments section, I saw that other people were having the same problem. There's a posting from July 4 that links to a Windows GUI version of wrtjtag. Not only was that version faster for flashing cfe, it also erased NVRAM without a problem.

Once I used the GUI tool, it was a breeze. Thanks again to everyone who developed this project.

Oleg
23-07-2005, 18:35
http://www.liamm.com/blogtest4/archives/000169hacking_the_microsoft_mn-700.html

Well, nice guide, except it does not mention the origin of the info (both my site and this forum) and the original author as well... :confused:
Preparing bootloader was not so simple and required A LOT of work. This guide has no credits at all... Also some info provided is just wild guesses...

hsddlawley
23-07-2005, 18:50
Well, nice guide, except it does not mention the origin of the info (both my site and this forum) and the original author as well... :confused:
Preparing bootloader was not so simple and required A LOT of work. This guide has no credits at all... Also some info provided is just wild guesses...


I do think there was a link there to your site(not here but your own), but agree, should be more credit given where it is due.

Again, thanks for restoring value to this orphaned router....

hsddlawley
25-07-2005, 14:16
Adding mmc/sd memory an option?

Just came across this on the openwrt site and was wondering if something like this could be applied to our mn-700s?

Not sure if this would be easier to do than trying to add usb or not. Just was looking for a way for extra memory...

adding mmc/sd memory card (http://wiki.openwrt.org/OpenWrtDocs/Customizing#head-00b294c0c885db1d544fbfcd48e9367d20b38b5a)

Oleg
26-07-2005, 15:16
Yes, this is possible in the way similar to wrt54g. Probably you will need to change gpio numbers in the kernel module.
BCM5325M pins:

5 MISO GPIO5
6 MOSI GPIO4
7 SCK GPIO3
8 SS# GPIO2

hsddlawley
27-07-2005, 15:13
Yes, this is possible in the way similar to wrt54g. Probably you will need to change gpio numbers in the kernel module.

no fear of hardware mods, but not having a good programming background this might be just beyond my reach. Maybe a wishlist item in the future if enough folks show interest? I need to find the reader slot gizmo to load the sd card first anyway.

hsddlawley
11-08-2005, 23:28
not sure this is the right place to post this, but since i have the mn-700 I started here. But what would keep from turning one of these into a DNS server?

Oleg
12-08-2005, 09:06
The only problem is the available space. You've to recompile firmware or switch to openwrt.

hsddlawley
27-08-2005, 15:51
Well I have my 3rd mn-700 that I'm working with. Same laptop and cable that I used for the first 2. But won't flash. Getting all 1's and F's. Tried a 2nd computer same error. Cable is only about 4 inches long so cable length should not be a factor. Using winxp. Nothing really different other than I'm using a different AV, AVG on the machine. But the second machine I tried did not have any AV on it.

Only thing I can see is this one might be an older unit than the first 2 that I worked with. The flash chip has a different sticker on it than the others. But the wrtjtag util will not see the chip.

Just won't detect the chip. Ohm'ed out cable, resistors etc... But I suppose I could make another one.

Still boots microsoft software and did update the microsoft bin so its still working.

Any clues??

edit:

Looking at the board I'm concerned that I have good conx back to the chip, I see that not only do I go thru the 100 ohm resistor but the board also has its own resistors (4.7k?) but after that hard to trace back (using a loupe), and checking for cold solder joints or bridges. Where do the jtag conx go back to? The broadcom chip? If so what pins so I can trace it back. Since microsoft never put the connector on I'm sure it was never tested and may have never worked, any ideas? Wonder if they left anything off this one, I will open one of my working units to compare.

More info: error
CHIP ID: 11111111111111111111111111111111 (FFFFFFFF)

if I remove the power from the rtr I get

CHIP ID: 00000000000000000000000000000000 (00000000)


I saw the message about removing resistor from pin 13 but still same error.


Why the other 2 went so smooth and this one giving me fits.. dunno


logic probe shows pulse from pc up to the resistors on the mn-700, but nothing on the backside of the mn-700 onboard resistors. (guess I should note that I mounted my 100 ohm resistors on the board itself, just as I had done before) so I have signal up to onboard resistors from the jtag conx. Probe shows logic low at all points behind the resistors on mn-700.

ok see now that the resistors are to tie the logic low when not in use. So need to probe back to the broadcom chip somehow and find out why its not getting/reading the chip.

Any timing issues between chips?

pcbroch
28-08-2005, 17:33
Hi all:

Would anyone know what the GPIO is for the power led? I've installed openwrt on the MN700, but the power led remains off at all times. There's an S99done in init.d that should set the led on, but I assume the address is wrong.

Thanks in advance.

Oleg
29-08-2005, 11:20
Hi all:

Would anyone know what the GPIO is for the power led? I've installed openwrt on the MN700, but the power led remains off at all times. There's an S99done in init.d that should set the led on, but I assume the address is wrong.

Thanks in advance.
Restore button is GPIO7, power LED is GPIO6.

Oleg
29-08-2005, 11:28
Well ok see now that the resistors are to tie the logic low when not in use. So need to probe back to the broadcom chip somehow and find out why its not getting/reading the chip.

Any timing issues between chips?
Most likely some resistors are not mounted or something like this. If you make a hi-res picture of jtag surroundings, then probably we would find an answer. :)
BCM4702 JTAG pins:

TRST A3
TDO B3
TDI C3
TCK B4
TMS A4
TEST_ENABLE E4

pcbroch
30-08-2005, 05:30
Restore button is GPIO7, power LED is GPIO6.

Stupid question, but how can I flick the led on? What memory location is GPIO6, and what values does it support (various colors are possible for the LED I think).

Oleg
30-08-2005, 09:48
The number stands for the bit number. The gpio port itself is accessible via /dev/gpio/*. You've to read outen, OR it with 0x40 (GPIO6) and write back - this should turn power led on. Then you will need to play with bit 6 in the /dev/gpio/out to change LED color.
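
The read-modify-write described in the post above, as an added shell sketch that is not part of the original thread. It assumes each /dev/gpio/* node transfers one 32-bit little-endian word per read or write and that od and printf exist on the router; the function names and the GPIO_DIR override are made up here.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: every node under
# /dev/gpio (out, outen) transfers one 32-bit little-endian word per
# read or write, and od/printf exist on the router. Function names are
# hypothetical. Point GPIO_DIR at scratch files for a dry run.
GPIO_DIR="${GPIO_DIR:-/dev/gpio}"

POWER_LED_MASK=0x40   # GPIO6 is bit 6, as stated in the thread

# gpio_read NODE: print the register value as a decimal number.
gpio_read() {
    # od prints the four bytes as unsigned decimals, lowest byte first.
    set -- $(od -An -tu1 -N4 "$GPIO_DIR/$1")
    [ $# -eq 4 ] || return 1
    echo $(( $1 | ($2 << 8) | ($3 << 16) | ($4 << 24) ))
}

# gpio_write NODE VALUE: write VALUE back as four little-endian bytes.
gpio_write() {
    gw_v=$2
    # Build "\ooo\ooo\ooo\ooo" first, then let printf emit the raw bytes
    # (octal escapes are portable across POSIX printf implementations).
    gw_fmt=$(printf '\\%03o\\%03o\\%03o\\%03o' \
        $(( gw_v & 255 )) $(( (gw_v >> 8) & 255 )) \
        $(( (gw_v >> 16) & 255 )) $(( (gw_v >> 24) & 255 )))
    printf "$gw_fmt" > "$GPIO_DIR/$1"
}

# Read, change only the requested bits, write back. Every other GPIO
# (for example the restore button on GPIO7) keeps its current setting.
gpio_set_bits() {
    gs_cur=$(gpio_read "$1") || return 1
    gpio_write "$1" $(( gs_cur | $2 ))
}

gpio_clear_bits() {
    gc_cur=$(gpio_read "$1") || return 1
    gpio_write "$1" $(( gc_cur & ~$2 ))
}

# Step 1 from the post: OR 0x40 into outen so GPIO6 drives the LED.
power_led_enable() {
    gpio_set_bits outen "$POWER_LED_MASK"
}

# Step 2 from the post: bit 6 of "out" selects the LED state/colour.
power_led_level() {
    case "$1" in
        1) gpio_set_bits out "$POWER_LED_MASK" ;;
        0) gpio_clear_bits out "$POWER_LED_MASK" ;;
        *) echo "usage: power_led_level 0|1" >&2; return 2 ;;
    esac
}
```
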

pcbroch
31-08-2005, 03:11
That did the trick, thanks!

Oleg
02-09-2005, 13:47
so, it works now? :)

hsddlawley
02-09-2005, 23:36
so, it works now? :)


Yes Sir!!! ty

hsddlawley
04-09-2005, 02:07
I deleted that image, all we need is someone looking at it as being correct. :o

Just finished my 4th unit. Got your bin/overlay and nvserial. Fired up knoppix and made the bin myself. ( feeling better now!)

I'm thinking 4 units covers my home pretty well. 2 upstairs and 2 downstairs.

Maybe I need one to hang out the back to cover my deck area. :D

hsddlawley
04-09-2005, 06:00
Now that I have these working I was wondering what, if anything, anyone is doing for cooling; noticed that asus has heatsinks on cpu and switch..

Is it worthwhile doing, or just add a small fan. Hate to add moving parts. Maybe just a few more cooling vents?

wpinegar
06-09-2005, 19:09
Oleg, are you still handing out Boot ROM files for MN-700 routers? I have one that I bought about a year ago that I would like to get Linux running on.

Do you need anything from me besides the MAC address of my MN-700?

By the way, have you seen this post about flashing the MN-740? It seems that the same process should be used to flash a new boot ROM for the MN-700 as well. Maybe it could save some time and eliminate the need for the JTAG?

http://www.dslreports.com/forum/remark,13360873

Oleg
06-09-2005, 20:46
Oleg, are you still handing out Boot ROM files for MN-700 routers? I have one that I bought about a year ago that I would like to get Linux running on.

Do you need anything from me besides the MAC address of my MN-700?

By the way, have you seen this post about flashing the MN-740? It seems that the same process should be used to flash a new boot ROM for the MN-700 as well. Maybe it could save some time and eliminate the need for the JTAG?

http://www.dslreports.com/forum/remark,13360873
MN-740 is a completely different product, which does not use windows ce. It's just an MS branded OEM stuff.
Yes, you need MAC only.

hsddlawley
02-10-2005, 19:23
Sorry have a 2 part question, is there a wl command that will allow me to extract signal levels at the rtr? Want to somehow monitor levels at each rtr within my wds.

Is there a command reference for the wl command posted anywhere?

Thanks.

Saturn49
10-10-2005, 06:04
First off, the link that everyone seems to be posting on the subject (besides this thread) has moved. The blog entry is now here:

http://www.liamm.com/?p=77

Second, I'm wondering if the wl-500g firmware supports a couple features the MN-700 is missing:

- DHCP reservations (by name and/or MAC address)
- Some sort of QoS or TCP/IP prioritizing (by destination port and/or source IP, etc)

Also, is there a decent comparison of the OpenWRT vs the stock/modified wl500g? Stability and/or features?

My MN-700 has been quite stable with the latest Microsoft firmware, but I managed to crash it with bittorrent last night, even though it hasn't been a problem before. Has anyone successfully gone back to the Microsoft firmware, or even tried to?

Saturn49
12-10-2005, 06:43
Second, I'm wondering if the wl-500g firmware supports a couple features the MN-700 is missing:

- DHCP reservations (by name and/or MAC address)
- Some sort of QoS or TCP/IP prioritizing (by destination port and/or source IP, etc)


After successfully reflashing my MN-700 with the modified WL-500g firmware (1.9.2.7-6b), I'll answer my own questions for the next person.

Yes, the WL500 firmware has DHCP reservations and some sort of QoS (min and max for ip/port combinations for upload and download). It also has a ton of other features I'll probably never use.

On a side note, I noticed my PPTP VPN to work connects a heck of a lot faster than it used to. The WL-500 firmware must be a heck of a lot faster at setting up the GRE protocol mapping.

No complaints so far (except maybe the terrible color scheme in the web interface. :D )

esgrove
12-10-2005, 09:12
just wondering if anyone has made an adapter for an external antenna. could one just take it off j1 where the main antenna port is and add a mini jack for say an external powered antenna for extra range??

Saturn49
12-10-2005, 17:22
just wondering if anyone has made an adapter for an external antenna. could one just take it off j1 where the main antenna port is and add a mini jack for say an external powered antenna for extra range??

This guy looks like he just soldered some coax where the old antenna was:

http://gallery.liamm.com/gallery/v/Tech-Stuff/MN700/S4010162.jpg.html

esgrove
13-10-2005, 00:07
on the subject of external antenna mods i have seen only one but it is not described in any detail. i need to know what the awg of the coax coming off the antenna lead on the broadcom board is.

esgrove
16-10-2005, 00:32
as per directions i went out and bought a set of resistors 1/2w 100ohm is this correct? no guides show the minimum wattage needed if there is one i just wanna know it would help. and as far as the gpio mappings being different from the asus wl500 does that mean most the mods discussed about the asus can be done with tweaking (ie the digital display). and has anyone successfully made a rs232 port for it the openwrt site says it can be done however i can find no info (i guess i'm blind). and what about the uart port on the inside has anyone done anything with this?

kremb
05-11-2005, 22:16
esgrove, those are the same resistors I got and seem to have achieved communication with the MN700.

I now have a problem when I'm trying to write the cfe.bin to the device it keeps crapping out on me at about 4%. I've shortened up my cables pretty good.

do they have to be REALLY short? Use a special kind of cable? I'm using UNtwisted cat5 at the moment.

The device seems to erase and backup fine, although I've found with my shortened cable the "80 Iteration Hammering" phase of the process seems to be taking longer.

I'm using 0.99 beta gui on XP laptop, I made my cfe.bin in Slax then moved it to my windows box.

qaffle
06-11-2005, 23:52
So I've gone through this entire procedure up to the ASUS upload part. There I'm having problems. First however, a summary of what I did. I'm going to be overly verbose so that anyone else doing this in a 'rig' way can not feel so bad about it, and learn from my problems. Also, in between steps I unplugged/plugged in my router.

I built the JTAG connector fine, however, I couldn't get the solder out of the grounds on the mn-700. No matter how long I left my little radio shack soldering iron (set to 30w) on the hole, the solder would not melt. This happened on all the holes, so I'm assuming the heat was just transferring down the ground path. Anyway, no big deal, I just made a dent in it, globbed some solder on, and soldered all the wires to their corresponding holes (rigged it).

So I was having a couple problems in the jtag upload. Whenever I'd try and upload it would just sit there at the "Resetting Processor...\nDone" screen. So going off one of the other posts, I changed my command to ./wrt54g -flash:cfe /noreset. This did the trick, the firmware uploaded. I checked that the upload worked properly by checking the backup (./wrt54g -flash:cfe /noreset) with diff (diff CFE.BIN CFE.BIN.SAVED.#HERE) and they matched. So my rigged connector seems to be ok.

Next I erased the nvram (./wrt54g -erase:nvram /noreset). This went fine. The router now is in a state where the power light flashes green/amber (indicating recovery mode). However, I can't get the stupid ASUS util to work nor can I get the router to give me an ip. HOWEVER, if I set my ip as 192.168.1.NOT_ONE and make my gateway 192.168.1.1 I can ping 192.168.1.1 so I assume that means the router's doing something (note: i of course have all my other connections [wireless] disabled when I do this and this computer is NOT sharing its internet, so this must be the router responding). Even when I do this the ASUS util says "No wireless device in recovery mode is found."

So now instead I tried to tftp up to it. So I did tftp -i 192.168.1.1 put wg01090207_WL500g_EN.trx. This completes successfully. But still, I can't connect to the router (through the web or telnet, after multiple plug in / unplug in). If I switch back to DHCP I'm still not getting an address, ... So I'm not sure what to do now.

I've tried plugging the ethernet cable into the router's lan ports, its modem port, tried having my computer with and without connection sharing, and so on. All to no luck. I still have a router with a flashing amber/green led.

I'm thinking this might have to do with the same thing causing my ./wrt54g commands to require /noreset? Any pointers for what to try next? Do I have to connect to the lan jack and have something connected to the modem (shouldn't have to)? Should I try erasing all the memory and reuploading the cfe?

EDIT: Note, I've tried on a different computer to see if I can get the router to respond to a ping and I can't, so I may have had connection sharing on when I did the ping -t ... test, but I'm pretty sure I didn't.

qaffle
07-11-2005, 02:36
Also, is there a way to run a set of diagnostics on the router? For instance, to make sure I didn't fry something when soldering?

qaffle
07-11-2005, 07:24
Hopefully I've found the cause of my problem. I was using a CFE I generated (using Oleg's stuff (?, I think) from this site: http://wl500g.dyndns.org/mn700/). However, in my mn700.txt file I wasn't putting the : in the mac address. I assumed it wanted the mac address in the form it's written on the router, not in the true mac address form. I'll update when I know what happens (reflashing now).

qaffle
07-11-2005, 09:21
:) One mn-700 up and running here. The problem was the MAC address thing. Funny (?) part of it is, I thought of checking that multiple times, but every time thought "No, don't check that, it's too obvious. I double checked that when I put it in."

Guess it shows to double check everything when debugging.

kremb
07-11-2005, 22:26
Quaffle,

What kind of cable did you use to make your jtag. I used untwisted cat5 (tried to keep it real short) but I think I'm getting EMI.

I'm going to try using IDE ribbon this time.

qaffle
10-11-2005, 04:55
Quaffle,

What kind of cable did you use to make your jtag. I used untwisted cat5 (tried to keep it real short) but I think I'm getting EMI.

I'm going to try using IDE ribbon this time.

I'm not entirely sure what type of cable I'm using. It's just a little ribbon cable that I got from the store. It's basically just a bunch of really thin wires (30 gauge'ish) glued together.

My cable is only about 8 inches (20 cm'ish) long.

qaffle
10-11-2005, 08:36
So I was messing with some settings on my router and decided I wanted to get everything back to normal. So ..., I decided to start over and reflash everything and go from there.

Well I believe I started to flash, then I realized the version I was flashing was the wrong version, so I stopped it (thinking I'm just going to write over it anyway, so who cares). But now it won't reflash.

Under windows or linux my flash stops at just over 5% and hangs. If I kill the process and retry it I get an error that it cannot locate the AMD Flash chip. So I unplug it and try again and ...

It always stops at the same place, so what could this be? Did I kill the router when I decided to stop the flash?

qaffle
10-11-2005, 21:50
Under windows or linux my flash stops at just over 5% and hangs. If I kill the process and retry it I get an error that it cannot locate the AMD Flash chip. So I unplug it and try again and ...

It always stops at the same place, so what could this be? Did I kill the router when I decided to stop the flash?

Not sure what the problem was. But I just kept trying to flash it. Erased it a bunch of times, repeat. Eventually I just gave up, started it one last time and went to bed, then it worked...

Might have been the cable shorting or something, I double and triple checked and it didn't seem to be touching, but it was late and I couldn't really tell.

I should make a FAQ of all my problems...

Soler
11-12-2005, 15:54
Not sure if anyone is still reading this thread but thought I'd try anyway.

I successfully flashed my MN-700 following the directions in this thread and was using Oleg's latest custom firmware 1.9.2.7-6b. I've been very happy with the additional features and specifically the fact that I didn't have to reboot the router after heavy downloading periods as before with the MS firmware. However, I did notice the following problem where the wireless signal decreases over time and my laptop can't get an ip address. Here's the scenario:

1. after rebooting the router, all is fine. My laptop can pick up the ssid and the signal is good.
2. after a period of approx 12 hrs, sitting in the same spot as previously, the laptop can't pick up the ssid. It seems the wireless signal decreases over time.
3. only a reboot of the router will re-enable the wireless signal and allow my laptop to pick up the ssid.
4. i'm using wep, haven't tried with it wide open.
5. tried increasing the radio signal from 19 to 30 but still had the problem.
6. tried the official asus firmware but had problems with wired lan connections accessing the internet while using BT. Even the router config page was timing out.
7. currently have restored the MS firmware to see if it's a hardware problem with the router.

While using the MS firmware, I never had any of these issues. Just wondering if anyone is running into similar problems.

Thanks.

jochen
16-12-2005, 13:18
Hi,

i just installed OpenWRT on my MN-700 and now this beast is a really advanced DSL router including DynDNS, IPv6 and VPN support :)

Some hints to others:

Flashing the CFE seems to be the most tricky part. I had to retry several times until the read back CFE and the original one didn't differ. Maybe it's a side effect of using /noreset, as it looks like the CPU starts running after most of the CFE is flashed and this might cause the watchdog to interfere. No clue why the debrick tool hangs after resetting the CPU.

Directly installing OpenWRT after flashing CFE didn't work for me (OpenWRT simply hung). Probably, OpenWRT is confused by the empty NVRAM. So I installed Oleg's firmware first, booted it once and then replaced it by OpenWRT.

The Broadcom ethernet driver et.ko runs unstable and causes reboots in WhiteRussian RC3 and RC4. Installing kmod-b44 and replacing et by b44 in /etc/modules fixes this problem. RC5 has fixed this problem.

Thanks to all to make this happen! :)

Jochen

edfcmc
23-01-2006, 05:39
Ok, I've:
(1)Built my passive JTAG.
(2) Ran Wrtmodified and backed up the firmware.


But I cannot run nvserial from kubuntu. It says command not recognized or something to that effect.

What am I doing wrong? Can somebody just email me a cfe.bin with the following mac:
00:0D:3A:23:FB:6A

edfcmc@(no spam)yahoo.(no spam).com

ericj
23-01-2006, 18:06
Ok, I've:
(1)Built my passive JTAG.
(2) Ran Wrtmodified and backed up the firmware.


But I cannot run nvserial from kubuntu. It says command not recognized or something to that effect.



Two things.

1: You have to be in the same directory as it and preface it with a period and a forward slash: ./nvserial

2: It has to be executable. It might not be. Try 'chmod +x nvserial' to make it executable.

ericj
23-01-2006, 19:03
I installed linux yesterday on an MN-700 that i bought used at a thrift store for $5.

It was essentially dead when i got it - the 1500uf cap right next to the jtag port was bulging and leaking, so i replaced it. 1500uf 6.3v isn't a size i keep around, so i replaced it with an old cap pulled from an old motherboard paralleled with a very new, low-esr 220uf and an 0.1uf ceramic disc.

An EE friend of mine suggested the old cap may have failed in part due to high frequency ripple that a small ceramic or film cap would take care of. I'll buy a nice Nichicon UPW 1500uf 6.3v the next time i order from Mouser, but for now this mess of caps seems to be working just fine.

While people are in there, they should check to make sure this capacitor is flat across the top, and is not leaking. It's the reservoir capacitor at the end of the switchmode dc-dc converter that turns the unregulated 12vdc power input into regulated 3.3vdc, and the whole board relies on it. If it looks like it's bulging on the top, you should replace it. Mouser part number 647-UPW0J152MPH is superior to the original capacitor. Please remember to observe polarity when replacing electrolytic caps.

A tip for people having trouble installing the header: It's nearly impossible to suck the solder out of the ground holes, since they're connected to ground plane on both sides of the board. I have a very good Weller WTCPn soldering iron and I'm reasonably well experienced with my solder sucker and i couldn't get it done.

It's much easier just to drill out the solder. You will need a fairly tiny bit - Harbor Freight Tools sells a selection of eensy carbide bits for use in rotary tools for a few bucks. They're essentially pcb drill bits - and they have a color-coded plastic ring on the shank. All you have to do is hold it between thumb and forefinger and twist - solder comes out like it's cheese.

As for the passive jtag interface: Using one of these things is just begging for trouble. Since you only have to get the CFE loaded once, I guess it's reasonable to go cheap & easy with the jtag interface.

If you have to do more than one, it might be worth your while to build a buffered jtag. All you need is a 74hc244 (or 74ls244 in a pinch), a 3v power supply (batteries work fine - even a single 3v lithium coin), and a few standard resistor networks. I can post a schematic & instructions if someone wants it.

In any case, it's unfortunate that the instructions floating around the 'net don't stress that the user should certainly read back the CFE after flashing it and diff it against the one they tried to load. There is a relatively high probability of corruption with a passive jtag like this. It may take a few tries.

It would help if people actually grounded the ground lines on the ribbon cable, too.

Also, iirc it wasn't clear in the instructions that /noreset may actually be required on this hardware. Which means that we're jtagging dangerously.

Here's the skinny: the JTAG debugger interface is a method of giving the cpu commands without having to modify memory. When you program a flash chip through jtag, you're very slowly giving the cpu commands that modify memory. If there's already a program running, it may shoot you in the foot.

Usually, in these situations, there's a jumper or pads somewhere on the board that you can short at power-on time to trap the bootloader, so that the board powers up but no programs are loaded - it doesn't actually boot up. If we have that on the mn-700 board, I don't know where it is.

That being the case, I'd recommend that people first erase the CFE (./wrt54g -erase:cfe /noreset) and then power cycle the board before attempting to program the new CFE. I'm certain you can get away without doing that, but I prefer to improve my odds of success rather than live dangerously.

While you're in there, you should probably -erase:nvram as well.

As for the rest of the process:

I started out trying to follow the recommended instructions, and have come to the conclusion that this was a waste of time. Maybe it's just because I'm a big geek, but as i started trying some different images, i found it to be much more convenient to stay in linux and use tftp per the openwrt instructions for the wl500g than to reboot into windows and use the asus utility.

Note that in linux, if your network is not already 192.168.1.x, you'll need to become root and "ifconfig eth0:0 192.168.1.2 netmask 255.255.255.0 up" to access the box until you change the address.

Note that unless the nvram has been erased, the bootloader will boot up with the last ip address the box was configured to use. If that wasn't 192.168.1.1, tftp won't find it there. if you erase the nvram, it'll default back to 192.168.1.1.

I also didn't find a way to erase the nvram from within windows - maybe I just didn't have all the right asus goo? doesn't matter at this point.

The modified version of 1.9.2.7-7b for the WL500g was horribly unstable on my mn-700. It seemed like it didn't always boot up, and then I'd go try to configure it to use the correct network, and it'd work as an access point but i could never get back into the administration interface until i reloaded the flash again.

The 1.7.5.9-5 version didn't have that problem, but it sure wasn't happy with the nvram left over from 1.9.

I have no stability problems with OpenWRT WhiteRussian RC4. As noted above, the et driver should be replaced with the b44 driver. In future OpenWRT releases, this is rumored to be the default.

The switch ports don't seem to work in OpenWRT - I think the bridge stuff just isn't set up properly, and I'll look at that later. There's a kmod-switch package for OpenWRT that's supposed to do a better job of this, but it isn't available for RC4. I may track it down anyway.

I recommend the jffs2 version of OpenWRT. you need the regular 'brcm' trx file.

I have had no stability issues whatsoever with OpenWRT. I never ran into the problems people have had with the et driver, but i wonder if this is what was really causing the problems with the latest wl500g firmware. Maybe it's using the same driver, and when it starts up it's got a ton of daemons running and it's very chatty on the ethernet - maybe that's enough traffic to cause the instability. When OpenWRT boots up, it's not doing anything fancy, and the web administration interface isn't enough to give it fits.

Note that it's normal for the jffs2 version of openwrt to boot up with a read-only filesystem the first time around. But you can just reboot it. Or telnet in and 'mount -o remount,rw /', probably.

I haven't grokked what incantation i need to use to turn on the power LED when it's finished booting, but I'll figure it out. I'm aware of the gpio stuff that needs to be done, but my shell scripting mojo is very rusty.
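
The read-back check recommended in the post above (flash the CFE, read it back, compare it with the image you meant to write), as an added shell sketch that is not part of the original thread. It only compares two files already on disk; the function names are made up here and the file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: compare the CFE image you intended
# to flash with the copy read back over JTAG, and summarise any damage.
# Function names are hypothetical; only cmp, wc and awk are used.

# readback_diff_count WANT GOT: number of differing bytes in the part
# both files have in common.
readback_diff_count() {
    # cmp -l prints one line per differing byte: "<offset> <octal> <octal>"
    rd_n=$(cmp -l "$1" "$2" 2>/dev/null | wc -l)
    echo $(( $rd_n + 0 ))
}

# readback_diff_span WANT GOT: print "<first> <last>" differing offsets
# (1-based, as cmp reports them); prints nothing when no byte differs.
readback_diff_span() {
    cmp -l "$1" "$2" 2>/dev/null |
        awk 'NR == 1 { first = $1 } { last = $1 } END { if (NR) print first, last }'
}

# verify_readback WANT GOT
# returns 0 when byte-identical, 1 on any mismatch, 2 on a missing file.
verify_readback() {
    vr_want=$1
    vr_got=$2
    if [ ! -r "$vr_want" ] || [ ! -r "$vr_got" ]; then
        echo "verify_readback: need two readable files" >&2
        return 2
    fi
    vr_wsize=$(( $(wc -c < "$vr_want") + 0 ))
    vr_gsize=$(( $(wc -c < "$vr_got") + 0 ))

    if cmp -s "$vr_want" "$vr_got"; then
        echo "MATCH: $vr_gsize bytes read back identical"
        return 0
    fi

    # A truncated or padded read-back is a failure even if the common
    # prefix happens to be identical.
    if [ "$vr_wsize" -ne "$vr_gsize" ]; then
        echo "MISMATCH: sizes differ (wanted $vr_wsize, read back $vr_gsize)"
    fi

    vr_n=$(readback_diff_count "$vr_want" "$vr_got")
    if [ "$vr_n" -gt 0 ]; then
        set -- $(readback_diff_span "$vr_want" "$vr_got")
        printf 'MISMATCH: %d byte(s) differ, first at 0x%X, last at 0x%X (0-based)\n' \
            "$vr_n" $(( $1 - 1 )) $(( $2 - 1 ))
    fi
    echo "Read-back differs from the intended image: flash again and re-verify."
    return 1
}

# Usage (placeholder file names):
#   verify_readback cfe-intended.bin cfe-readback.bin
```
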

edfcmc
23-01-2006, 23:57
Thanks Eric for the comments. Oleg was kind enough to send me a modified cfe.bin with the appropriate MAC, but I still want to figure out how to get nvserial to work. (I will try later on tonight when I have some time to devote to this project.).

Electrolytic Cap
Yeah, I noticed that my electrolytic cap was bulging just a tad. I guess even Microsoft was inflicted by the bad cap disaster that started in Taiwan. (See www.badcaps.net for pictures, story etc.) I plan on replacing it once I get a large enough order for Mouser.

Solder
Luckily my hardware skills are better than my software skills, but I picked up this tip either from Nuts & Volts forums or from badcaps.net forums, but a great way to clear holes from printed circuit boards is to use a stainless steel dental pick (or needle) while heating the hole and pushing through the hole since the solder cannot stick to stainless steel. Another option is to use a long piece of solid gauge copper wire like from a cat 5 cable or coax such as rg6 and use it like above (push through the hole while heating it with the soldering iron). Obviously the solder is going to stick to the copper wire so once it is used it is useless afterwards. I've been able to clean holes using the dental pick technique with a 5 dollar soldering iron. Although I've been itching to get a Metcal pretty soon. Solder wick might work in general if we are not talking about a multilayered through hole board also but it is more of an art to get used to desoldering stuff with it without pad lifting etc. The drill technique works great too as i've had to use that trick also; the only downside to the drill technique is the loss of burning smell of flux and solder and the finger burns from mistakenly touching the wrong end of the soldering iron when trying to clean the holes.

Jtag Cable
Can you please post your schematic for the buffered jtag? I've seen a couple on the 'net and I would just like to compare for reference. The ones I have seen make a big stink about the use of a 74HCT for TTL levels from the parallel port. I plan on building a universal buffered jtag pretty soon since my passive one is pretty MN700/WRT54G specific due to the header and pinout of the device. I've come across some post somewhere ( I will edit this post once I find the reference) where the guy added some schmitt trigger buffers for noise before the 74HC buffer because he claimed there was tons of noise spikes messing with the input of the buffers and he claimed everything was hunky dory once he added the schmitt triggers. I did "purchase" a buffered jtag from ebay, but the thing was so shoddily put together that I am afraid of burning up my parallel port although the builder did take the effort of removing the flux from the solder connections; that design incorporated two SIP style resistors devices and a quad buffer chip but everything was sloppily put together....


EDITED FOR LINK TO JTAG CABLE DISCUSSION
http://neil.franklin.ch/Usenet/comp.arch.fpga/20010723_Homemade_Xilinx_parallel_cable_problem


Here is the link where people discussed cable length., schmitt triggers etc.

ericj
24-01-2006, 01:36
Electrolytic Cap
Yeah, I noticed that my electrolytic cap was bulging just a tad. I guess even Microsoft was inflicted by the bad cap disaster that started in Taiwan. (See www.badcaps.net for pictures, story etc.) I plan on replacing it once I get a large enough order for Mouser.


Yeah, I'm not sure how much of this is really the bad electrolyte issue.

Electrolytic caps have come a very long way in the last 15 years, and the new electrolyte chemistries may have specific implementation considerations that are not well understood by the people who use them. Some capacitor manufacturers have insisted that failed caps in the field are the result of inappropriate implementation.

Higher voltage caps can sometimes be more durable. It might be reasonable to get something like a 25v version of that Nichicon UPW and lay it on its side on the board (it'll be too tall to stand up in the case). Theoretically, the 6.3v cap should be fine since it's only 'seeing' 3.3 volts. Be certain you get the high temperature (105c) version, whatever cap you get.

Also, switching power supplies have gotten much, much faster. It's not uncommon to see switchers running at mhz speeds, and that's certainly going to put a different kind of strain on the cap.



Jtag Cable
Can you please post your schematic for the buffered jtag? I've seen a couple on the 'net and I would just like to compare for reference. The ones I have seen make a big stink about the use of a 74HCT for TTL levels from the parallel port. I plan on building a universal buffered jtag pretty soon since my passive one is pretty MN700/WRT54G specific due to the header and pinout of the device. I've come across some post somewhere ( I will edit this post once I find the reference) where the guy added some schmitt trigger buffers for noise before the 74HC buffer because he claimed there was tons of noise spikes messing with the input of the buffers and he claimed everything was hunky dory once he added the schmitt triggers. I did "purchase" a buffered jtag from ebay, but the thing was so shoddily put together that I am afraid of burning up my parallel port although the builder did take the effort of removing the flux from the solder connections; that design incorporated two SIP style resistors devices and a quad buffer chip but everything was sloppily put together....

From your description, the schematic i have is identical to what you bought on ebay.

He probably followed the instructions to the letter, which results in a chip with two resistor networks soldered directly to the legs on one side, another on the other side, and two loose 100ohm resistors as well.

These cables are designed for use on STMicro (*cough*) systems.

It may look like hell, but it probably works just fine as long as he doesn't have wires shorting out or something.

It may be preferable to use HCT chips, or, heck, use the AHCT just to spend a few more cents. I built one with a Motorola 74ls244 that worked just as well as a later one i built with a Ti 74hct244. I never had a corrupt bit written with either one of them - keep in mind that i was always careful to trap the bootloader before programming. I've also used them on StrongARM based systems.

An increasing number of parallel ports signal at 3.3 volts. This doesn't seem to cause problems with printers, but makes some passive parallel port interfaces more problematic than they were on older parallel ports. In this case, the HCT version of the chip doesn't necessarily get you anything. The jtag port for sure is 3.3 volt, but parallel ports vary, so anybody screaming that i NEED the ttl version just isn't paying attention.

fwiw, the low-power schottky (LS) version of the chip actually switches faster than the HC and HCT versions, but the HC(T) are a tiny bit faster to notice that they're being signalled. The AHC(T) versions are an attempt to make the cmos chips as fast as the schottky chips. The HC versions were a failed attempt at making cmos chips as fast as schottky chips.

In spite of having two of those things, I haven't used them in a while and couldn't find them, so i went with 4 resistors this time around, and i had to write twice before it read back properly.

However, the jtag side of the cable itself has two considerations that people always seem to ignore.

1: keep it short. Like 8 inches. If you want it to be further from your computer than that, feel free to buy a 6 foot IEEE1284 (high speed parallel) rated db25 cable. That's what i used. The distance between buffer and jtag interface should be short.

2: You really should use ribbon cable, and every other line really should be grounded, at both ends. Those ground pins are there for a reason.

However, different jtag programs twiddle different bits on the parallel port. The document i have may need to be interpreted vs. what the de-brick utility expects.

Gimme a few days and I'll look it over. I don't think it needs to be any more complex than it already is, with regard to the Schmitt triggers.

edfcmc
24-01-2006, 04:58
Thanks Oleg:
Here are a couple of pointers:

1. There is a "step by step" in this thread on page 6.
2. If you can't get nvserial to work, you need to PM OLEG for the CFE.BIN as stated on page 6 of this thread.
3. Keep your passive jtag cable short.
4. If you gotta use windows (like i did), you can use the wrtjtag-modified program that is linked in this thread. (You use this program with your jtag cable to backup cfe.bin and flash the modified cfe.bin). This program also allows you to erase the nvram.
5. When disassembling the router, you need to remove the clear plastic cover from the front LEDs to crack it open after you have unscrewed the four holding screws.

MN700 linux hack is on two other sites (Liamm and techimo--so google it) but this thread has all the info that you need.

jochen
24-01-2006, 13:09
I haven't grokked what incantation i need to use to turn on the power LED when it's finished booting, but I'll figure it out. I'm aware of the gpio stuff that needs to be done, but my shell scripting mojo is very rusty.

This isn't hard either. There is a gpio tool at http://downloads.openwrt.org/utils/ or a precompiled package at http://www.ethernal.org/openwrt/ which can be installed using ipkg. Then you can control the power LED which is connected to GPIO 6:

gpio disable 6
gpio enable 6

ericj
24-01-2006, 16:55
Ah, thanks for the link. I figured it would make sense for such an app to exist, but was not aware that it did.

Soler
26-01-2006, 16:51
Noticed some new attempts at this mod... For the new guys, have you experienced any wireless signal issues? See my post a bit further up on this page.

What firmware are you guys running? OpenWRT? I may give it another shot since RC5 is out. I had White Russian RC4 running on it and it was unstable. Ran fine for a while but then would stop running during the night. Sometimes had to reboot a few times before it was back.

I've since reverted back to the MS firmware but may give it another shot.

ericj
27-01-2006, 01:01
RC5 isn't out. I'm using RC4. You can get pre-RC5 i