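kevinstar888 posted on 2014-11-8 23:51:23

Sharing my experience un-bricking a Netgear WNDR4500 router

This post was last edited by kevinstar888 on 2014-11-10 23:34

A few days ago I picked up a faulty Netgear WNDR4500. When it arrived I assumed it would not power on, but after plugging it in I found the power LED lit, and plugging in a network cable lit the corresponding port LED.
The fault did not seem serious, but things did not go as hoped: the admin web page would not open, and 192.168.1.1 could not be pinged either.
At this point I was basically stumped, because I had never worked on a router before. So I went to Enshan, ANYWLAN, and asked Baidu, but unfortunately there is very little material on the WNDR4500; you could say there is none. That is also why I am writing this post: to leave some reference for others.
OK, let's begin:
First, from searching I learned that a brick can be rescued through TFTP mode, but my unit could not enter TFTP mode at all, so there was nothing for it but to open it up.
I opened it and had a look; the build quality is very good. There are teardown photos online, so I will not post any (actually I did not take any). Based on my experience and observation I found the TTL port (a reserved 6-pin header, but with only 2 signal lines), soldered on serial wires, and connected it to a PC to read the output.
The output is as follows: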
CFE for WNDR4500 version: v1.0.3
Build Date: Thu Jul 21 19:28:03 CST 2011
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
Found an ST compatible serial flash with 32 64KB blocks; total size 2MB
Found a Samsung NAND flash with 2048B pages or 128KB blocks; total size 128MB
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.100.138
CPU type 0x19749: 600MHz
Tot mem: 131072 KBytes

Device eth0:hwaddr 00-FF-FF-FF-FF-FF, ipaddr 192.168.1.1, mask 255.255.255.0
      gateway not set, nameserver not set
load default!
Decompressing...done


CFE for WNDR4500 version: v1.0.3
Build Date: Thu Jul 21 19:28:03 CST 2011
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
Found an ST compatible serial flash with 32 64KB blocks; total size 2MB
Found a Samsung NAND flash with 2048B pages or 128KB blocks; total size 128MB
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.100.138
CPU type 0x19749: 600MHz
Tot mem: 131072 KBytes

Committing NVRAM...done
Waiting for reset button release...
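I found it gets stuck here, at "Waiting for reset button release..".
So I searched Baidu and Google on this message, but found nothing useful; I only found one foreigner whose fault was the same as mine (his serial output also hung at this point).
With no other option, I had to work it out myself and read the serial output myself.
Taken literally, it means waiting for the reset button to be released, so I checked the reset circuit and found that the voltage on the reset pin was only 1.2V, which clearly is not right. I kept probing with a multimeter and found a leaky capacitor; after removing it, it measured 130 ohms...
Having found the problem, I fixed it right away: I found a 104 capacitor and fitted it, and on power-up the voltage measured 3.3V, so it should have been fine.
Then I looked at the serial output again: same fault, no change...
At this point I was basically out of ideas. I spent about a day reading online and got a rough understanding of CFE.
Then I desoldered the SPI flash from the board, extracted the CFE from it with a programmer, and opened it in WinHex. I found that some of the configuration in it is in plaintext, such as the MAC address, gateway and so on, as shown:

I changed the reset pin definition to a different pin, wrote it back to the flash, soldered it onto the board, and looked at the serial output: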
CFE for WNDR4500 version: v1.0.3
Build Date: Thu Jul 21 19:28:03 CST 2011
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
Found an ST compatible serial flash with 32 64KB blocks; total size 2MB
Found a Samsung NAND flash with 2048B pages or 128KB blocks; total size 128MB
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.100.138
CPU type 0x19749: 600MHz
Tot mem: 131072 KBytes

Device eth0:hwaddr 10-0D-7F-83-EB-FD, ipaddr 192.168.1.1, mask 255.255.255.0
      gateway not set, nameserver not set
load default!
Decompressing...done


CFE for WNDR4500 version: v1.0.3
Build Date: Thu Jul 21 19:28:03 CST 2011
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
Found an ST compatible serial flash with 32 64KB blocks; total size 2MB
Found a Samsung NAND flash with 2048B pages or 128KB blocks; total size 128MB
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.100.138
CPU type 0x19749: 600MHz
Tot mem: 131072 KBytes

Committing NVRAM...done
Waiting for reset button release...donDecompressing...done


CFE for WNDR4500 version: v1.0.3
Build Date: Thu Jul 21 19:28:03 CST 2011
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
Found an ST compatible serial flash with 32 64KB blocks; total size 2MB
Found a Samsung NAND flash with 2048B pages or 128KB blocks; total size 128MB
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.100.138
CPU type 0x19749: 600MHz
Tot mem: 131072 KBytes

Device eth0:hwaddr 10-0D-7F-83-EB-FD, ipaddr 192.168.1.1, mask 255.255.255.0
      gateway not set, nameserver not set
load default!
Decompressing...done


CFE for WNDR4500 version: v1.0.3
Build Date: Thu Jul 21 19:28:03 CST 2011
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
Found an ST compatible serial flash with 32 64KB blocks; total size 2MB
Found a Samsung NAND flash with 2048B pages or 128KB blocks; total size 128MB
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.100.138
CPU type 0x19749: 600MHz
Tot mem: 131072 KBytes

Committing NVRAM...done
Waiting for reset button release...donDecompressing...done

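I found it no longer hangs; it just reboots over and over...
At this point I felt the main SoC, i.e. the BCM4706, was probably dead, though I was not very sure. I looked on Taobao; prices for this IC vary, and one shop had it at 33.88, but I did not buy there. I went straight to a dedicated IC seller at Huaqiangbei, who quoted 45... a bit pricey.
I bought it with some trepidation. Below are photos of removing the chip.


Later the chip arrived, I soldered it on, and on power-up the serial output was as follows: (basically fixed; you could say a blind cat ran into a dead mouse, a lucky guess)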
CFE for WNDR4500 version: v1.0.3
Build Date: Thu Jul 21 19:28:03 CST 2011
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
Found an ST compatible serial flash with 32 64KB blocks; total size 2MB
Found a Samsung NAND flash with 2048B pages or 128KB blocks; total size 128MB
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.100.138
CPU type 0x19749: 600MHz
Tot mem: 131072 KBytes

Device eth0:hwaddr 10-0D-7F-83-EB-FD, ipaddr 192.168.1.1, mask 255.255.255.0
      gateway not set, nameserver not set
Checking crc...Loader:raw Filesys:raw Dev:nflash0.os File: Options:(null)
Loading: ....... 3874949 bytes read
Entry at 0x80001000
Closing network.
Starting program at 0x80001000
Linux version 2.6.22 (dennis@localhost.localdomain) (gcc version 4.2.3) #192 Fri Aug 17 17:17:45 CST 2012
CPU revision is: 00019749
Found an ST compatible serial flash with 32 64KB blocks; total size 2MB
Determined physical RAM map:
memory: 07fff000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
Normal          0 ->    32767
HighMem   32767 ->    32767
early_node_map active PFN ranges
    0:      0 ->    32767
Built 1 zonelists.Total pages: 32767
Kernel command line: root=/dev/mtdblock16 console=ttyS0,115200 init=/sbin/preinit
Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
PID hash table entries: 512 (order: 9, 2048 bytes)
CPU: BCM5300 rev 1 at 600 MHz
Using 300.000 MHz high precision timer.
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Memory: 125524k/131068k available (2939k kernel code, 5408k reserved, 617k data, 228k init, 0k highmem)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
SCSI subsystem initialized
PCI: Initializing host
PCI: Reset RC
PCI: Initializing host
PCI: Reset RC
PCI: Fixing up bus 0
PCI/PCIe coreunit 0 is set to bus 1.
PCI: Fixing up bridge
PCI: Fixing up bridge
PCI: Enabling device 0000:01:00.1 (0004 -> 0006)
PCI: Fixing up bus 1
PCI/PCIe coreunit 1 is set to bus 2.
PCI: Fixing up bridge
PCI: Fixing up bridge
PCI: Enabling device 0000:02:00.1 (0004 -> 0006)
PCI: Fixing up bus 2
Time: MIPS clocksource has been installed.
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
fuse init (API version 7.8)
io scheduler noop registered (default)
Serial: 8250/16550 driver $Revision: 1.1.1.1 $ 4 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x0 (irq = 8) is a 16550A
serial8250: ttyS1 at MMIO 0x0 (irq = 8) is a 16550A
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
loop: module loaded
PPP generic driver version 2.4.2
NET: Registered protocol family 24
PPPoL2TP kernel driver, V0.17
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
pflash: found no supported devices
sflash: Couldn't find valid ROM disk image
Creating 15 MTD partitions on "sflash":
0x00000000-0x00200000 : "boot"
0x00000000-0x00140000 : "linux"
0x00000000-0x00200000 : "rootfs"
0x00140000-0x00150000 : "ML1"
0x00150000-0x00160000 : "ML2"
0x00160000-0x00170000 : "ML3"
0x00170000-0x00180000 : "ML4"
0x00180000-0x00190000 : "ML5"
0x00190000-0x001a0000 : "ML6"
0x001a0000-0x001b0000 : "ML7"
0x001b0000-0x001c0000 : "T_Meter1"
0x001c0000-0x001d0000 : "T_Meter2"
0x001d0000-0x001e0000 : "POT"
0x001e0000-0x001f0000 : "board_data"
0x001f0000-0x00200000 : "nvram"
Found a Samsung NAND flash with 2048B pages or 128KB blocks; total size 128MB
lookup_nflash_rootfs_offset: offset = 0x0
nflash: squash filesystem with lzma found at block 10
Creating 2 MTD partitions on "nflash":
0x00000000-0x02000000 : "kernel"
0x0014a56c-0x02000000 : "rootfs"
NAND device: Manufacturer ID: 0xec, Chip ID: 0xf1 (Samsung NAND 128MiB 3,3V 8-bit)
Creating 1 MTD partitions on "brcmnand":
0x02000000-0x07f00000 : "brcmnand"
u32 classifier
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 10
6WIND/LSIIT IPv6 multicast forwarding 0.1 plus PIM-SM/SSM with *BSD API
lo: Disabled Privacy Extensions
IPv6 over IPv4 tunneling driver
sit0: Disabled Privacy Extensions
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 228k freed
Warning: unable to open an initial console.
Failed to execute /init
: No more events to be processed, quitting.
: Waiting for children.
: All children terminated.
Restoring defaults...Reading board data...
WSC UUID: 0x5321e6fa63bc8ca1324d1a99922245b7
NTP synchronized date/time: Fri Feb8 01:02:36 2013
MAC address of 1st STA connected: 4C-8D-79-60-1A-B3
invalid RF magic!
No RF parameters! Use default.
Doing nvram commit by pid 1 !
done
Reading board data...
WSC UUID: 0x5321e6fa63bc8ca1324d1a99922245b7
NTP synchronized date/time: Fri Feb8 01:02:36 2013
MAC address of 1st STA connected: 4C-8D-79-60-1A-B3
invalid RF magic!
No RF parameters! Use default.
Initialise conn table 2048 entries
insmod: wl_high.ko: no module by that name found
eth3: No such device
wl1 not up in 3 sec
Hit enter to continue...wlconfig(eth1): configuring bsscfg #0 (eth1) with SSID "NETGEAR81"
wlconf: PHYTYPE: 7
wlconfig(eth2): configuring bsscfg #0 (eth2) with SSID "NETGEAR81-5G"
wlconf: PHYTYPE: 7
wlconfig(eth1): configuring bsscfg #0 (eth1) with SSID "NETGEAR81"
wlconf: PHYTYPE: 7
wlconfig(eth2): configuring bsscfg #0 (eth2) with SSID "NETGEAR81-5G"
wlconf: PHYTYPE: 7
killall: upnp: no process killed
upnp: No such file or directory
WARNING: console log level set to 1
killall: wps_monitor: no process killed
killall: wps_ap: no process killed
killall: wps_enr: no process killed

### wps_wfi_init(): <wl0_wfi_enable=(null)><wl1_wfi_enable=(null)>WFI is not enabled ###
Reading board data...
WSC UUID: 0x5321e6fa63bc8ca1324d1a99922245b7
info, udhcp server (v0.9.8) started
error, unable to parse 'option wins '
error, unable to parse 'option domain '
Can't find handler for ASP command: devices_cgi_get_acl_device_table("DEV_control");
Can't find handler for ASP command: devices_cgi_get_acl_white_table();
Can't find handler for ASP command: devices_cgi_get_acl_black_table();
Can't find handler for ASP command: devices_cgi_get_show_access_ctrl_settings();
Can't find handler for ASP command: devices_cgi_get_acl_device_table("DEV_device", "wired");
Can't find handler for ASP command: devices_cgi_get_acl_device_table("DEV_device", "wireless");
mevent start...
opened loopback socket 4
Can't find handler for ASP command: eco_get_redirect_link();
Can't find handler for ASP command: rst_get_param("link_rate");
Can't find handler for ASP command: rst_get_param("connection");
Can't find handler for ASP command: rst_get_param("dhcpc");
POT integrity check OK.
POT time is up.
Doing nvram commit by pid 2257 !
Doing nvram commit by pid 2262 !
Doing nvram commit by pid 2269 !
Doing nvram commit by pid 2274 !
Doing nvram commit by pid 2279 !
Doing nvram commit by pid 2286 !
Doing nvram commit by pid 2297 !
Info: No FWPT default policies.
agnat QOS disable!
rmmod: l7_filter
Doing nvram commit by pid 2307 !
: 0 partitions found.
: disk mountd:0hfsplus mounted:0
: no disk mounted.
Doing nvram commit by pid 2333 !
Doing nvram commit by pid 2336 !
/tmp/samba/private/smb.conf: no files!
insmod: cannot insert '/lib/modules/2.6.22/kernel/drivers/usb/core/usbcore.ko': Success (17)
insmod: cannot insert '/lib/modules/2.6.22/kernel/drivers/usb/host/ehci-hcd.ko': Success (17)
killall: bftpd: no process killed
httpd: socket bound in 0.0.0.0:80.
httpd: socket bound in 0.0.0.0:443.
add n_lan_addr here 1
mount: mounting none on /proc/bus/usb failed: Device or resource busy
IOCTL_AG_REGION_SET: English
minidlan :scan files




minidlan:scan finished


Start DHCP client daemon
info, udhcp client (v0.9.8) started
eth0: No such process
route: ioctl 0x890c failed: No such process
killall: dhcp6c: no process killed
killall: IPv6-relay: no process killed
killall: pppdv6: no process killed
killall: rtsol: no process killed
killall: dhcp6s: no process killed
killall: radvd: no process killed
ifconfig: invalid number ''
ifconfig: invalid number ''
route: ioctl 0x890c failed: No such process
killall: dhcp6s: no process killed
killall: radvd: no process killed
Hit enter to continue...Hit enter to continue...
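At this point it is basically working, but it cannot connect over the network cable.
My phone could find the Wi-Fi signal, but it wanted a password. I downloaded a brick-rescue CFE from Enshan and flashed it, and then I could connect without a password.
But the Ethernet ports still did not work...
I suspected my soldering was bad, so I reflowed it; on power-up it still did not work...
By now I had given up hope and just tried a hard reset on the off chance: with the unit powered on, hold reset for 30 seconds; without letting go, power off and wait 30 seconds; without letting go, power on (holding the reset button the whole time) and wait 30 seconds; then cut power, release the reset button, and power on again...
I had intended to use this to get it into TFTP mode. After the router powered up I did not see the green power LED blink, but I pinged it anyway, and unexpectedly, just when all seemed lost, the ping went through. Haha, the admin page was reachable too. Screenshot:

With that, you could say I have brought the router back to life. I have now swapped out my old router for it.
It is usable now, but there are still some minor problems, for example: the MAC is not recognized (it shows as 00ffffff), and the firmware cannot be updated.

More tinkering to come.
I plan to go back to the office next week, flash the modified CFE, and then flash DD-WRT...
Life is about tinkering. The end; I hope this helps people with bricked routers.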

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
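Update, November 10

The boot_wait change I described earlier was later confirmed to be wrong (already deleted).
The minor problems I found earlier were all caused by the flashed CFE being incomplete (I had flashed a brick-rescue CFE from the internet).
After flashing back the original CFE the problems were solved, and then I flashed DD-WRT, which feels great.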
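
An added example, not part of the original post or thread: a small Python triage of a saved serial capture that tells apart the three states seen in the logs above (stall at the reset-button wait, reboot loop, kernel handoff) and flags the placeholder MAC 00-FF-FF-FF-FF-FF. The state names, the banner-count threshold and the abridged sample captures are assumptions constructed for illustration.

```python
import re

BANNER = re.compile(r"^CFE for (\S+) version: (\S+)")
HWADDR = re.compile(r"hwaddr ((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})")
PLACEHOLDER_MAC = "00-FF-FF-FF-FF-FF"   # value printed in the post's first capture
STALL = "Waiting for reset button release..."

def triage(capture):
    """Classify a CFE serial capture and flag a placeholder MAC address."""
    lines = [ln.strip() for ln in capture.splitlines() if ln.strip()]
    banners = sum(1 for ln in lines if BANNER.match(ln))
    macs = {m.group(1).upper() for ln in lines if (m := HWADDR.search(ln))}
    if any(ln.startswith("Starting program at") for ln in lines):
        state = "kernel-started"
    elif lines and lines[-1] == STALL:
        state = "stalled-at-reset-wait"   # prompt printed, nothing ever follows it
    elif banners > 2:
        state = "reboot-loop"             # heuristic (assumed): banner keeps reappearing
    else:
        state = "unknown"
    return {"state": state, "banners": banners,
            "placeholder_mac": PLACEHOLDER_MAC in macs, "macs": sorted(macs)}

# Constructed captures, abridged from the logs quoted in the post.
_CYCLE = """CFE for WNDR4500 version: v1.0.3
Device eth0:hwaddr {mac}, ipaddr 192.168.1.1, mask 255.255.255.0
load default!
Decompressing...done
CFE for WNDR4500 version: v1.0.3
Committing NVRAM...done
Waiting for reset button release...{tail}
"""
HANG = _CYCLE.format(mac="00-FF-FF-FF-FF-FF", tail="")
LOOP = _CYCLE.format(mac="10-0D-7F-83-EB-FD", tail="donDecompressing...done") * 2
GOOD = """CFE for WNDR4500 version: v1.0.3
Device eth0:hwaddr 10-0D-7F-83-EB-FD, ipaddr 192.168.1.1, mask 255.255.255.0
Checking crc...Loader:raw Filesys:raw Dev:nflash0.os File: Options:(null)
Starting program at 0x80001000
"""

if __name__ == "__main__":
    for name, cap in (("hang", HANG), ("loop", LOOP), ("good", GOOD)):
        print(name, triage(cap))
```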

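wiisir posted on 2014-11-9 08:00:08

OP has great hands-on skills, impressive!

srygg posted on 2014-11-9 08:06:12

OP, how did you replace this chip? With a hot air gun or a dedicated BGA rework machine?

kevinstar888 posted on 2014-11-9 08:40:51

srygg posted on 2014-11-9 08:06
OP, how did you replace this chip? With a hot air gun or a dedicated BGA rework machine?

Replaced it with a hot air gun

srygg posted on 2014-11-9 08:42:08

kevinstar888 posted on 2014-11-9 08:40
Replaced it with a hot air gun

Nice workmanship!

lw-seed posted on 2014-11-9 09:59:24

Thumbs up~ Life is about tinkering~

lxdz443 posted on 2014-11-9 10:24:12

OP's BGA replacement skills are very high

Gallen.Zhang posted on 2014-11-9 11:31:19

OP has very strong hands-on skills!

clm525450 posted on 2014-11-9 12:32:26

Life is about tinkering

cctv02 posted on 2014-11-9 14:07:16

OP had good luck

johnlj posted on 2014-11-9 16:12:30

OP's soldering skills are really remarkable; I am only at the level of blowing a BGA off the board

kevinstar888 posted on 2014-11-9 16:40:26

johnlj posted on 2014-11-9 16:12
OP's soldering skills are really remarkable; I am only at the level of blowing a BGA off the board

If you can blow it off, you can blow it back on. Drag the pads flat, apply a little flux paste, place the BGA aligned with the silkscreen outline (a slight offset does not matter), then blast it with the hot air gun until the solder melts. (The test is to nudge the BGA gently with tweezers or something similar; if it can move and settles back into place, it is soldered properly.)

leezee posted on 2014-11-9 17:10:55

This BGA is probably lead-free, high-melting-point solder, right? Is it easy to blow?

johnlj posted on 2014-11-9 17:23:08

kevinstar888 posted on 2014-11-9 16:40
If you can blow it off, you can blow it back on. Drag the pads flat, apply a little flux paste, place the BGA aligned with the silkscreen outline, a slight offset does not matter, take the hot air gun and ...

Thanks, learned something; I will find a chip to practice on some day

kevinstar888 posted on 2014-11-9 17:37:06

leezee posted on 2014-11-9 17:10
This BGA is probably lead-free, high-melting-point solder, right? Is it easy to blow?

Not easy; this PCB dissipates heat well. I used a large nozzle and blew for a long time

yan_hua posted on 2015-5-22 15:39:10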

CFE for WNDR4000 version: v1.0.6
Build Date: Wed May 18 17:25:10 CST 2011
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
Found an ST compatible serial flash with 128 64KB blocks; total size 8MB
CPU type 0x19740: 480MHz
Tot mem: 65536 KBytes

Decompressing..........done
Decompressing..........done


CFE for WNDR4000 version: v1.0.6
Build Date: Wed May 18 17:25:10 CST 2011
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
Found an ST compatible serial flash with 128 64KB blocks; total size 8MB
CPU type 0x19740: 480MHz
Tot mem: 65536 KBytes

Startup canceled
CFE> ^C
CFE> ^C



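I am also repairing a Netgear router, and CFE only gets as far as:
Decompressing..........done
Decompressing..........done
and then there is no further response.
Pressing Alt+C during boot also gets into CFE mode, but when configuring the eth0 port it reports:
CFE> ifconfig eth0 -addr=192.168.77.140
Could not activate network interface 'eth0': Error
*** command status = -1
Could this also be a hardware problem?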

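yan_hua posted on 2015-5-22 16:00:43

That is all; I look forward to the experts' guidance. Best regards!

kevinstar888 posted on 2015-5-22 22:15:12

yan_hua posted on 2015-5-22 15:39
CFE for WNDR4000 version: v1.0.6
Build Date: Wed May 18 17:25:10 CST 2011
Init Arena


Probably. First check whether any voltages are abnormal, and focus on the network chip

chensi007 posted on 2015-5-22 22:34:12

OP's BGA skills are excellent. Nice avatar too.

jz701209李 posted on 2015-5-23 19:54:10

OP's hands-on skills are very strong, I admire that

yan_hua posted on 2015-5-25 10:07:58

kevinstar888 posted on 2015-5-22 22:15
Probably. First check whether any voltages are abnormal, and focus on the network chip

Thanks, the problem is confirmed: the gigabit network switch chip had a cold solder joint.
While faulty, CFE could not find eth0; with the chip pressed down, the boot output showed it correctly.

wzyllgx posted on 2015-5-25 11:27:20

How much did you pay for the faulty unit?

kevinstar888 posted on 2015-5-25 21:01:25

wzyllgx posted on 2015-5-25 11:27
How much did you pay for the faulty unit?

80

gaoxinjun2001 posted on 2015-5-26 06:54:54

OP is awesome! Have to give a thumbs up!!!

astankvai posted on 2015-5-26 08:02:24

I bow down; hand-soldered BGA, awesome.

valve posted on 2015-5-26 09:38:42

Nice workmanship, OP
If it can be flashed with OpenWrt, go for it; ss+china__dns for transparently getting through the wall is great. Once a phone is connected to that Wi-Fi, the Twitter and YouTube apps open directly.

mnhi124 posted on 2020-2-7 11:25:59

I have a 3700v4 that reboots occasionally; looks like I will have to open it up and read the logs too.

cyjkai posted on 2020-2-7 12:12:19

Learned something...

hamwang1 posted on 2020-2-7 13:36:11

I also have a Netgear; the 5G network often disappears by itself and comes back after a reboot. No idea why; I am making do with it.
When I get the chance I will open it up and tinker with it too.

shwind posted on 2020-2-7 15:53:50

Impressive, you fixed the router yourself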