De-bricking Linksys AG241v2

Taken from http://ag241.ickz.com/node/2:

Preparation

You will need:

  • A TFTP client for your operating system
  • A known working firmware image to upload to the device (e.g. from Linksys’s website)
  • Small screwdriver(s)
  • A steady hand!

Cracking the device open

First, the anti-tamper label was carefully removed from the base of the device with a piece of paper. It should be possible to preserve it so it can be re-attached later if necessary – the rings didn’t appear until after I’d accidentally stuck it to my desk.

Unlike the WRT54G, the blue front cannot just be snapped off – there are two retaining screws, one in each blue foot. To access these, remove the rubber on each of the feet by inserting a small screwdriver through the opening in the rubber and applying pressure upwards, while loosening the rubber on the opposite edge with your other hand.

After removing the screws the blue front can be removed. As recommended by Void Main, turning the device upside down and applying pressure to the blue feet with your thumbs should allow you to detach it easily. Afterwards the board can be slid right out and placed on an appropriate surface.

Locating the flash chip

On my board the flash chip can be identified by an orange sticker that says “Ver: 00.003; CS: 7DE0”. Looking underneath this sticker reveals that it is a Macronix MX29LV320C flash chip. Unlike the WRT54G’s board there are no printed pin numbers, but pin 1 can be identified by the white printed triangle and by the embossed circle on the corner of the chip. To put the system into failsafe mode you will need to short pins 17-18 (indicated in the picture) while the device is booting. Locate pin 17 by counting downwards from pin 1. You might want to repeat this a couple of times – it’s easy to lose count as the joints are so small. On my board there were tracks running alongside a couple of the pins that I could use to locate them again quickly afterwards.

Re-flashing the device

Next, be ready to provide the device with a working firmware image. With the power switch in the off position, connect the power cable and connect an ethernet cable between your PC and the device. Give your network interface a static IP in the 192.168.1.x range (e.g. 192.168.1.2, netmask 255.255.255.0). The router will put itself on 192.168.1.1 when in failsafe mode, whether it was configured at that address previously or not. Get your TFTP client and working firmware image ready and prepare the following command in a command prompt (don’t hit enter yet):

    tftp -i 192.168.1.1 put name_of_working_firmware.bin upgrade_code.bin

It is important that the destination filename is “upgrade_code.bin”, or the device will just reject it.

When you have located pin 17, insert a jeweller’s screwdriver (not one that has an insulating coating), the flat edge of a razor blade, or some other fine metal object into the space between pin 17 and pin 18 below it to make a connection between the two. Now, flick the power switch to turn the device on. At first you should see the power light blinking green as before, but after a few seconds you should be surprised to see it turn solid red. Carefully remove the screwdriver and the red light should remain on. Hit enter in the command window and if you’re lucky the image should transfer in around 6-7 seconds. Don’t turn the device off – it takes a little while for it to install the new firmware, but when it’s done it should restart itself and the blinking green light should turn solid green! You can now turn it off and put it back into its casing.
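The same upload as a small script, added here as an example and not part of the original write-up: it speaks plain TFTP (RFC 1350) in binary mode, which is what the Windows client's -i flag selects, and keeps re-sending the write request because the device does not answer pings in failsafe mode. The function names and retry counts are assumptions; the address, destination filename and placeholder image name are the ones from the command above.

```python
import socket
import struct

OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 2, 3, 4, 5
BLOCK = 512  # RFC 1350 fixed block size

def wrq(remote_name):  # write request in octet (binary) mode
    return struct.pack("!H", OP_WRQ) + remote_name.encode() + b"\0octet\0"

def data_packets(image):
    """Numbered DATA packets; a short (possibly empty) last block ends the transfer."""
    return [struct.pack("!HH", OP_DATA, n + 1) + image[n * BLOCK:(n + 1) * BLOCK]
            for n in range(len(image) // BLOCK + 1)]

def parse_reply(pkt):
    """Return ('ack', block_number) or ('error', message)."""
    opcode, arg = struct.unpack("!HH", pkt[:4])
    if opcode == OP_ACK:
        return "ack", arg
    if opcode == OP_ERROR:
        return "error", pkt[4:].rstrip(b"\0").decode(errors="replace")
    raise ValueError(f"unexpected opcode {opcode}")

def exchange(sock, pkt, addr, want_block, tries):
    """Send pkt until the matching ACK arrives; return the sender's address."""
    for _ in range(tries):
        sock.sendto(pkt, addr)
        try:
            reply, peer = sock.recvfrom(516)
        except socket.timeout:
            continue
        kind, value = parse_reply(reply)
        if kind == "error":
            raise RuntimeError(f"device rejected transfer: {value}")
        if value == want_block:
            return peer
    raise TimeoutError(f"no ACK for block {want_block}")

def tftp_put(image, host="192.168.1.1", remote_name="upgrade_code.bin"):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(1.0)
        # No ping reply in failsafe mode, so retry the request for ~30 s.
        peer = exchange(sock, wrq(remote_name), (host, 69), 0, tries=30)
        for n, pkt in enumerate(data_packets(image), start=1):
            exchange(sock, pkt, peer, n, tries=5)

if __name__ == "__main__":  # image name is the placeholder from the command above
    with open("name_of_working_firmware.bin", "rb") as f:
        tftp_put(f.read())
```

A RuntimeError here carries the error text the device sent back; a TimeoutError on block 0 means the device never acknowledged the write request at all.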

Notes

  • The device would not respond to my pings when in failsafe mode, like WRT54Gs do. Nevertheless, it accepted the TFTP transfer straight away, so don’t let that put you off!
  • I couldn’t get it to go into failsafe mode every time. If the power LED doesn’t turn red after several seconds, turn it off and try again – it may be that you haven’t made a good enough connection between the pins.
  • On one occasion I was unable to get this process to work – for whatever reason I could not get the device to respond to shorting pins, or accept an image over TFTP. If this happens to you, you could try connecting the Serial Console and putting PSPBoot into command mode before sending the image.

Good luck! Let us know how you get on in the comments.
