Apr 13, 2013

Understanding JTAG

JTAG is a program for fixing your router if it is in an otherwise unrecoverable state. JTAG is done with a cable hooked from a computer's 25-pin printer port (USB might also be available) to an electrical connection on your router called a JTAG port. There are sometimes two similar ports on a router: one is the JTAG port and the other is a serial port. These ports do not usually have pins to connect to; they are just holes in your router's motherboard. You often need to solder a pin connector to your motherboard. This pin connector is called a header.

In order to understand JTAG, you need to understand the three parts of the program that runs inside your router (known as the router's firmware). The firmware is composed of the bootloader (which starts up the router's operating system), the NVRAM (where information particular to your router is stored, like its IP address and your SSID name) and the kernel, which is the program that your router runs.

These three parts together are known as the WHOLEFLASH.

The bootloader on a DD-WRT router is a Linux bootloader, known as a CFE. Linksys also used a VxWorks bootloader on some routers that has to be replaced with a CFE Linux bootloader using a VXKiller program. So when people talk about the CFE of the router, they are talking about the bootloader. Every router has its own particular CFE. It has your router's MAC addresses embedded in it, so each one is a little different. That is why it is so important never to delete this without backing it up. If you delete it, you at least have to find another one that is for your make and model of router. This can be tricky in some cases, so don't delete the bootloader!

The NVRAM is the place where variable information is stored. This is often where things get mucked up, and it is often the reason why people need to JTAG their router. You can erase the NVRAM by doing a hard reset of the router, but sometimes the router will not respond. Then it is JTAG time. If you delete the NVRAM and have a proper CFE and kernel on the router, the NVRAM will rebuild itself. You don't need to JTAG the NVRAM.

The kernel is the firmware. This is what you flash when you flash DD-WRT. DD-WRT IS the kernel. Again, if you have a working CFE on the router, you don't need to flash the kernel with JTAG. If the CFE is working, you can flash using TFTP.exe or an equivalent program. Although you CAN flash the kernel using JTAG, it takes a LONG time, and flashing over a JTAG cable is not completely reliable, so you can end up with problems. You should not need to do this.

So if you have followed the bouncing ball, you should now understand that you should use JTAG primarily for two things:

1. Replacing a CFE

2. Erasing the NVRAM or kernel.

With that understanding, we can now turn to the brjtag program.

Setting up the JTAG Program

To JTAG a router you can download a copy of hugebird's program from the SF.net files:


You will note that there is a version 1.9 and a folder for v2.0. The 2.0 version supports more router chipsets, but you have to rename it from .bin to .exe.

On a Windows system you have to load giveio.sys. First put it in the c:\windows\system32\drivers\ folder, then load it using the loaddrv.exe program. Make sure you put the full path of the driver in loaddrv.exe as well as the file name (c:\windows\system32\drivers\giveio.sys). Also note that the giveio.sys driver needs to be installed only once. If you need the driver again during additional JTAG sessions, or if your computer needs a reboot, it only needs to be "started" by clicking the "start" button of the loaddrv.exe driver loader utility.

Here are the steps:

1. Start your computer and unarchive the contents of 2.0.5 to your C: drive.

2. Put giveio.sys in the proper directory: c:\windows\system32\drivers\

3. Start the loaddrv program and hit install. Make sure you add "giveio.sys" to the end of what appears in the window so it looks like this:

c:\windows\system32\drivers\giveio.sys

4. Then hit start.

5. Then hit OK.

6. Remove the power supply from your router.

7. Hook up your JTAG cable. Make sure you have pin one on pin one and the cable is not upside down on your router, and that the cable is hooked to your 25-pin parallel port.

8. Plug your power supply into your router.

9. You might have to set the parallel port communications settings, but I have always found the default settings work. If they don't, please note that your rig needs to have a real printer port, not a USB-to-printer-port adapter. The printer port should be set for ECP mode and a standard I/O address of 0x378.

Using JTAG

You should check to make sure your cable is working with a probeonly command:

brjtag -probeonly

If you don't get a response that recognizes your chipset, check your soldering carefully with a multimeter.

If you get a response that recognizes your chipset, the next command should always be to back up your CFE first, even if you think it is FUBAR. Better safe than sorry.

This is done with the command:

brjtag -backup:cfe

Do this twice and make sure the files match.
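A quick way to compare the two backups is to check them programmatically rather than by eye. This is an added example, not part of brjtag or the original post; it assumes the two dumps are plain binary files on disk, and the sample data in the test is constructed. Besides telling you whether the files match, it reports the first differing offset and flags a dump that is all 0x00 or all 0xFF, which usually means the cable read nothing.

```python
"""Sanity-check two brjtag CFE backups before trusting either one."""
import hashlib
from typing import Optional


def first_mismatch(a: bytes, b: bytes) -> Optional[int]:
    """Return the offset of the first differing byte, or None if identical."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    # Same prefix: they differ only if one dump is longer than the other.
    return None if len(a) == len(b) else n


def looks_flat(data: bytes) -> bool:
    """An all-0x00 or all-0xFF dump is a sign of a bad JTAG connection."""
    return len(data) > 0 and data in (b"\x00" * len(data), b"\xff" * len(data))


def check_backups(a: bytes, b: bytes) -> dict:
    """Summarise whether the pair of dumps is consistent and usable."""
    return {
        "sha256_a": hashlib.sha256(a).hexdigest(),
        "sha256_b": hashlib.sha256(b).hexdigest(),
        "identical": a == b,
        "first_mismatch": first_mismatch(a, b),
        "flat": looks_flat(a) or looks_flat(b),
    }


if __name__ == "__main__":
    # Usage: python check_cfe.py cfe_backup1.bin cfe_backup2.bin
    import sys
    with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
        print(check_backups(f1.read(), f2.read()))
```

If the two dumps differ or either is flat, re-check the soldering and dump again before going any further.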

With most bricked routers, ALL you have to do is erase the nvram and the kernel. You do that with these commands:

brjtag -erase:nvram

brjtag -erase:kernel

DO NOT erase:nvram on a Belkin F5D7230-4 router. Doing so will erase important values and require you to JTAG the kernel back on.

Doing that should put you back in a position where you can TFTP the firmware back on. Stop and try that. You must disconnect your JTAG cable to flash the firmware. Follow the guidelines for flashing by TFTP found at note 11 of the peacock thread announcement, at the top of the Broadcom forum.

DO NOT REPLACE THE CFE unless it is corrupt. A bad flash should NOT normally corrupt the CFE. However, if you have to replace the CFE, you must rename the CFE file CFE.bin and then use this command:

brjtag -flash:cfe

It is important to know that if you do need to replace the CFE, an erase of the whole flash should be done prior to flashing the CFE:

brjtag -erase:wholeflash

The reason for this is that if the kernel and NVRAM are left intact and only the CFE (bootloader) is replaced, the bootloader will load the kernel when it boots the device. If a corrupt kernel or a bad NVRAM variable caused the bootloader damage in the first place, the offending pieces of the program are still present and may damage the bootloader again as soon as the router is power cycled after the CFE flash.

If you need a CFE for a Broadcom router, you can find most through this link: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=25971

However, these CFEs contain generic MAC addresses, so you will likely have to hex-edit your MAC address into the generic CFE prior to flashing.
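Hex-editing the MAC by hand is easy to get wrong, so here is an added example (not brjtag's or the post author's code) that does the same edit in a controlled way. It assumes the CFE stores its MAC defaults as ASCII text of the form 00:11:22:33:44:55 (for instance in NVRAM-style entries like et0macaddr=...), and the sample image is constructed. Only same-length replacements are made, so the image size and every other byte stay exactly as they were.

```python
"""Find and replace the MAC address strings in a generic CFE image."""
import re

# ASCII MAC address, e.g. 00:90:4C:5F:00:01 (case-insensitive)
MAC_RE = re.compile(rb"\b[0-9a-f]{2}(?::[0-9a-f]{2}){5}\b", re.IGNORECASE)

# Constructed sample: a tiny fake CFE with NVRAM-style defaults embedded as text.
SAMPLE_CFE = (
    b"CFE1\x00\x00boardtype=0x0708\x00"
    b"et0macaddr=00:90:4C:5F:00:01\x00"
    b"il0macaddr=00:90:4C:5F:00:02\x00" + b"\xff" * 32
)


def find_macs(image: bytes) -> list:
    """Return (offset, mac_text) for every MAC-looking ASCII string in the image."""
    return [(m.start(), m.group().decode()) for m in MAC_RE.finditer(image)]


def patch_macs(image: bytes, mapping: dict) -> bytes:
    """Replace each generic MAC in `mapping` with the router's real one.

    Keys and values must both be MAC strings, so every replacement is exactly
    17 bytes for 17 bytes and the image length cannot change.
    """
    out = image
    for old, new in mapping.items():
        for s in (old, new):
            if not MAC_RE.fullmatch(s.encode()):
                raise ValueError(f"not a MAC address: {s}")
        out = re.sub(re.escape(old.encode()), new.encode(), out, flags=re.IGNORECASE)
    if len(out) != len(image):
        raise RuntimeError("patch changed the image size; refusing to continue")
    return out


if __name__ == "__main__":
    # Usage: python patch_cfe_mac.py generic_cfe.bin CFE.bin OLDMAC=NEWMAC [...]
    import sys
    with open(sys.argv[1], "rb") as f:
        image = f.read()
    print("MACs found:", find_macs(image))
    mapping = dict(arg.split("=", 1) for arg in sys.argv[3:])
    with open(sys.argv[2], "wb") as f:
        f.write(patch_macs(image, mapping))
```

Run find_macs on the generic CFE first, and use the MAC printed on the sticker of your own router for the replacement values.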

JTAG on a Laptop Computer

Laptops don't normally have parallel ports anymore, and if your laptop doesn't, you would be hooped. USB JTAG is expensive and doesn't appear to work consistently well. The best option is to get an ExpressCard parallel port adapter. Further information is in this thread:


