|
|
本帖最后由 kevinstar888 于 2014-11-10 23:34 编辑
前几天入手了一个网件WNDR4500的故障机,到手的时候以为是不开机,不过通电发现电源灯亮,插网线相应的LED灯亮。
感觉故障不严重,可是事与愿违。打不开后台网页,也PING不通192.168.1.1
到这里,基本上我就傻眼了,因为我以前也没碰过路由器,于是上恩山,ANYWLAN,问度娘,可惜WNDR4500这款路由器的资料很少,可以说就是没有。这也是我写这篇文章的原因,留给别人一些参考。
好了下面开始:
首先通过搜索了解到可以通过tftp模式救砖,可惜我这台根本就进不了tftp模式,没办法,只有拆机了。
拆开看了下,做工很不错,网上也有拆机图,我就不发了(其实是没拍)。根据我的经验和观察,找到了TTL口(一个预留6PIN接口,但是只有2根信号线),焊上串口线,连电脑看信息。
信息如下:
- CFE for WNDR4500 version: v1.0.3
- Build Date: Thu Jul 21 19:28:03 CST 2011
- Init Arena
- Init Devs.
- Boot partition size = 262144(0x40000)
- Found an ST compatible serial flash with 32 64KB blocks; total size 2MB
- Found a Samsung NAND flash with 2048B pages or 128KB blocks; total size 128MB
- et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.100.138
- CPU type 0x19749: 600MHz
- Tot mem: 131072 KBytes
- Device eth0: hwaddr 00-FF-FF-FF-FF-FF, ipaddr 192.168.1.1, mask 255.255.255.0
- gateway not set, nameserver not set
- load default!
- Decompressing...done
- CFE for WNDR4500 version: v1.0.3
- Build Date: Thu Jul 21 19:28:03 CST 2011
- Init Arena
- Init Devs.
- Boot partition size = 262144(0x40000)
- Found an ST compatible serial flash with 32 64KB blocks; total size 2MB
- Found a Samsung NAND flash with 2048B pages or 128KB blocks; total size 128MB
- et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.100.138
- CPU type 0x19749: 600MHz
- Tot mem: 131072 KBytes
- Committing NVRAM...done
- Waiting for reset button release...
,发现卡在Waiting for reset button release..这里,
于是根据这个上百度,上谷歌搜索,可惜也没搜到有用的信息,只搜到一个老外的故障和我的一样(他的串口信息也是卡在这里)
没办法,只有自己想办法了,自己看串口信息
根据字面意思是等待复位按钮释放,我就查了复位电路,发现复位脚的电压只有1.2V,明显不合常理,接着用万用表查,发现是电容漏电,当时拆下电容量阻值130欧。。。。。
发现了问题,当然是立马解决,找了个104换上去,上电量电压3.3V,应该没问题了
接着看串口信息,故障依旧,还是一样。。。。
在这里,基本上是没办法了,大概在网上泡了一天,大概了解了CFE。
然后我把板上的SPI FLASH焊下来,用编程器把里面的CFE提取出来,然后用WINHEX打开,发现里面的一些配置是明文的,比如MAC地址,网关等等,如图:
我把复位脚的定义修改成别的脚,然后再烧进FLASH,焊到板子上,看串口信息:
- CFE for WNDR4500 version: v1.0.3
- Build Date: Thu Jul 21 19:28:03 CST 2011
- Init Arena
- Init Devs.
- Boot partition size = 262144(0x40000)
- Found an ST compatible serial flash with 32 64KB blocks; total size 2MB
- Found a Samsung NAND flash with 2048B pages or 128KB blocks; total size 128MB
- et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.100.138
- CPU type 0x19749: 600MHz
- Tot mem: 131072 KBytes
- Device eth0: hwaddr 10-0D-7F-83-EB-FD, ipaddr 192.168.1.1, mask 255.255.255.0
- gateway not set, nameserver not set
- load default!
- Decompressing...done
- CFE for WNDR4500 version: v1.0.3
- Build Date: Thu Jul 21 19:28:03 CST 2011
- Init Arena
- Init Devs.
- Boot partition size = 262144(0x40000)
- Found an ST compatible serial flash with 32 64KB blocks; total size 2MB
- Found a Samsung NAND flash with 2048B pages or 128KB blocks; total size 128MB
- et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.100.138
- CPU type 0x19749: 600MHz
- Tot mem: 131072 KBytes
- Committing NVRAM...done
- Waiting for reset button release...donDecompressing...done
- CFE for WNDR4500 version: v1.0.3
- Build Date: Thu Jul 21 19:28:03 CST 2011
- Init Arena
- Init Devs.
- Boot partition size = 262144(0x40000)
- Found an ST compatible serial flash with 32 64KB blocks; total size 2MB
- Found a Samsung NAND flash with 2048B pages or 128KB blocks; total size 128MB
- et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.100.138
- CPU type 0x19749: 600MHz
- Tot mem: 131072 KBytes
- Device eth0: hwaddr 10-0D-7F-83-EB-FD, ipaddr 192.168.1.1, mask 255.255.255.0
- gateway not set, nameserver not set
- load default!
- Decompressing...done
- CFE for WNDR4500 version: v1.0.3
- Build Date: Thu Jul 21 19:28:03 CST 2011
- Init Arena
- Init Devs.
- Boot partition size = 262144(0x40000)
- Found an ST compatible serial flash with 32 64KB blocks; total size 2MB
- Found a Samsung NAND flash with 2048B pages or 128KB blocks; total size 128MB
- et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.100.138
- CPU type 0x19749: 600MHz
- Tot mem: 131072 KBytes
- Committing NVRAM...done
- Waiting for reset button release...donDecompressing...done
发现不会卡了,只会反复重启。。。
到这里,我感觉应该是主控也就是BCM4706坏了,不过把握不大,淘宝了一下,这个IC价格不一,有一家是33.88,不过我没买,我直接找华强北专门卖IC的,当时给的价格是45。。。。。有点小贵。
当时怀着忐忑的心情买了下来。下面是拆芯片图
后来芯片到手,焊了上去,通电串口信息如下:(基本上好了,可以说瞎猫碰上死耗子,蒙对了)
- CFE for WNDR4500 version: v1.0.3
- Build Date: Thu Jul 21 19:28:03 CST 2011
- Init Arena
- Init Devs.
- Boot partition size = 262144(0x40000)
- Found an ST compatible serial flash with 32 64KB blocks; total size 2MB
- Found a Samsung NAND flash with 2048B pages or 128KB blocks; total size 128MB
- et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.100.138
- CPU type 0x19749: 600MHz
- Tot mem: 131072 KBytes
- Device eth0: hwaddr 10-0D-7F-83-EB-FD, ipaddr 192.168.1.1, mask 255.255.255.0
- gateway not set, nameserver not set
- Checking crc...Loader:raw Filesys:raw Dev:nflash0.os File: Options:(null)
- Loading: ....... 3874949 bytes read
- Entry at 0x80001000
- Closing network.
- Starting program at 0x80001000
- Linux version 2.6.22 (dennis@localhost.localdomain) (gcc version 4.2.3) #192 Fri Aug 17 17:17:45 CST 2012
- CPU revision is: 00019749
- Found an ST compatible serial flash with 32 64KB blocks; total size 2MB
- Determined physical RAM map:
- memory: 07fff000 @ 00000000 (usable)
- Initrd not found or empty - disabling initrd
- Zone PFN ranges:
- Normal 0 -> 32767
- HighMem 32767 -> 32767
- early_node_map[1] active PFN ranges
- 0: 0 -> 32767
- Built 1 zonelists. Total pages: 32767
- Kernel command line: root=/dev/mtdblock16 console=ttyS0,115200 init=/sbin/preinit
- Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
- Primary data cache 32kB, 4-way, linesize 32 bytes.
- Synthesized TLB refill handler (20 instructions).
- Synthesized TLB load handler fastpath (32 instructions).
- Synthesized TLB store handler fastpath (32 instructions).
- Synthesized TLB modify handler fastpath (31 instructions).
- PID hash table entries: 512 (order: 9, 2048 bytes)
- CPU: BCM5300 rev 1 at 600 MHz
- Using 300.000 MHz high precision timer.
- Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
- Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
- Memory: 125524k/131068k available (2939k kernel code, 5408k reserved, 617k data, 228k init, 0k highmem)
- Mount-cache hash table entries: 512
- NET: Registered protocol family 16
- SCSI subsystem initialized
- PCI: Initializing host
- PCI: Reset RC
- PCI: Initializing host
- PCI: Reset RC
- PCI: Fixing up bus 0
- PCI/PCIe coreunit 0 is set to bus 1.
- PCI: Fixing up bridge
- PCI: Fixing up bridge
- PCI: Enabling device 0000:01:00.1 (0004 -> 0006)
- PCI: Fixing up bus 1
- PCI/PCIe coreunit 1 is set to bus 2.
- PCI: Fixing up bridge
- PCI: Fixing up bridge
- PCI: Enabling device 0000:02:00.1 (0004 -> 0006)
- PCI: Fixing up bus 2
- Time: MIPS clocksource has been installed.
- NET: Registered protocol family 2
- IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
- TCP established hash table entries: 4096 (order: 3, 32768 bytes)
- TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
- TCP: Hash tables configured (established 4096 bind 4096)
- TCP reno registered
- squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
- fuse init (API version 7.8)
- io scheduler noop registered (default)
- Serial: 8250/16550 driver $Revision: 1.1.1.1 $ 4 ports, IRQ sharing disabled
- serial8250: ttyS0 at MMIO 0x0 (irq = 8) is a 16550A
- serial8250: ttyS1 at MMIO 0x0 (irq = 8) is a 16550A
- RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
- loop: module loaded
- PPP generic driver version 2.4.2
- NET: Registered protocol family 24
- PPPoL2TP kernel driver, V0.17
- tun: Universal TUN/TAP device driver, 1.6
- tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
- pflash: found no supported devices
- sflash: Couldn't find valid ROM disk image
- Creating 15 MTD partitions on "sflash":
- 0x00000000-0x00200000 : "boot"
- 0x00000000-0x00140000 : "linux"
- 0x00000000-0x00200000 : "rootfs"
- 0x00140000-0x00150000 : "ML1"
- 0x00150000-0x00160000 : "ML2"
- 0x00160000-0x00170000 : "ML3"
- 0x00170000-0x00180000 : "ML4"
- 0x00180000-0x00190000 : "ML5"
- 0x00190000-0x001a0000 : "ML6"
- 0x001a0000-0x001b0000 : "ML7"
- 0x001b0000-0x001c0000 : "T_Meter1"
- 0x001c0000-0x001d0000 : "T_Meter2"
- 0x001d0000-0x001e0000 : "POT"
- 0x001e0000-0x001f0000 : "board_data"
- 0x001f0000-0x00200000 : "nvram"
- Found a Samsung NAND flash with 2048B pages or 128KB blocks; total size 128MB
- lookup_nflash_rootfs_offset: offset = 0x0
- nflash: squash filesystem with lzma found at block 10
- Creating 2 MTD partitions on "nflash":
- 0x00000000-0x02000000 : "kernel"
- 0x0014a56c-0x02000000 : "rootfs"
- NAND device: Manufacturer ID: 0xec, Chip ID: 0xf1 (Samsung NAND 128MiB 3,3V 8-bit)
- Creating 1 MTD partitions on "brcmnand":
- 0x02000000-0x07f00000 : "brcmnand"
- u32 classifier
- TCP cubic registered
- NET: Registered protocol family 1
- NET: Registered protocol family 10
- 6WIND/LSIIT IPv6 multicast forwarding 0.1 plus PIM-SM/SSM with *BSD API
- lo: Disabled Privacy Extensions
- IPv6 over IPv4 tunneling driver
- sit0: Disabled Privacy Extensions
- NET: Registered protocol family 17
- 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
- All bugs added by David S. Miller <davem@redhat.com>
- VFS: Mounted root (squashfs filesystem) readonly.
- Freeing unused kernel memory: 228k freed
- Warning: unable to open an initial console.
- Failed to execute /init
- [sighandler]: No more events to be processed, quitting.
- [cleanup]: Waiting for children.
- [cleanup]: All children terminated.
- Restoring defaults...Reading board data...
- WSC UUID: 0x5321e6fa63bc8ca1324d1a99922245b7
- NTP synchronized date/time: Fri Feb 8 01:02:36 2013
- MAC address of 1st STA connected: 4C-8D-79-60-1A-B3
- invalid RF magic!
- No RF parameters! Use default.
- Doing nvram commit by pid 1 !
- done
- Reading board data...
- WSC UUID: 0x5321e6fa63bc8ca1324d1a99922245b7
- NTP synchronized date/time: Fri Feb 8 01:02:36 2013
- MAC address of 1st STA connected: 4C-8D-79-60-1A-B3
- invalid RF magic!
- No RF parameters! Use default.
- Initialise conn table 2048 entries
- insmod: wl_high.ko: no module by that name found
- eth3: No such device
- wl1 not up in 3 sec
- Hit enter to continue...wlconfig(eth1): configuring bsscfg #0 (eth1) with SSID "NETGEAR81"
- wlconf: PHYTYPE: 7
- wlconfig(eth2): configuring bsscfg #0 (eth2) with SSID "NETGEAR81-5G"
- wlconf: PHYTYPE: 7
- wlconfig(eth1): configuring bsscfg #0 (eth1) with SSID "NETGEAR81"
- wlconf: PHYTYPE: 7
- wlconfig(eth2): configuring bsscfg #0 (eth2) with SSID "NETGEAR81-5G"
- wlconf: PHYTYPE: 7
- killall: upnp: no process killed
- upnp: No such file or directory
- WARNING: console log level set to 1
- killall: wps_monitor: no process killed
- killall: wps_ap: no process killed
- killall: wps_enr: no process killed
- ### wps_wfi_init(): <wl0_wfi_enable=(null)><wl1_wfi_enable=(null)>WFI is not enabled ###
- Reading board data...
- WSC UUID: 0x5321e6fa63bc8ca1324d1a99922245b7
- info, udhcp server (v0.9.8) started
- error, unable to parse 'option wins '
- error, unable to parse 'option domain '
- Can't find handler for ASP command: devices_cgi_get_acl_device_table("DEV_control");
- Can't find handler for ASP command: devices_cgi_get_acl_white_table();
- Can't find handler for ASP command: devices_cgi_get_acl_black_table();
- Can't find handler for ASP command: devices_cgi_get_show_access_ctrl_settings();
- Can't find handler for ASP command: devices_cgi_get_acl_device_table("DEV_device", "wired");
- Can't find handler for ASP command: devices_cgi_get_acl_device_table("DEV_device", "wireless");
- mevent start...
- opened loopback socket 4
- Can't find handler for ASP command: eco_get_redirect_link();
- Can't find handler for ASP command: rst_get_param("link_rate");
- Can't find handler for ASP command: rst_get_param("connection");
- Can't find handler for ASP command: rst_get_param("dhcpc");
- POT integrity check OK.
- POT time is up.
- Doing nvram commit by pid 2257 !
- Doing nvram commit by pid 2262 !
- Doing nvram commit by pid 2269 !
- Doing nvram commit by pid 2274 !
- Doing nvram commit by pid 2279 !
- Doing nvram commit by pid 2286 !
- Doing nvram commit by pid 2297 !
- Info: No FWPT default policies.
- agnat QOS disable!
- rmmod: l7_filter
- Doing nvram commit by pid 2307 !
- [AFP]: 0 partitions found.
- [AFP]: disk mountd:0 hfsplus mounted:0
- [AFP]: no disk mounted.
- Doing nvram commit by pid 2333 !
- Doing nvram commit by pid 2336 !
- /tmp/samba/private/smb.conf: no files!
- insmod: cannot insert '/lib/modules/2.6.22/kernel/drivers/usb/core/usbcore.ko': Success (17)
- insmod: cannot insert '/lib/modules/2.6.22/kernel/drivers/usb/host/ehci-hcd.ko': Success (17)
- killall: bftpd: no process killed
- httpd: socket bound in 0.0.0.0:80.
- httpd: socket bound in 0.0.0.0:443.
- add n_lan_addr here 1
- mount: mounting none on /proc/bus/usb failed: Device or resource busy
- IOCTL_AG_REGION_SET: English
- minidlan :scan files
- minidlan:scan finished
- Start DHCP client daemon
- info, udhcp client (v0.9.8) started
- eth0: No such process
- route: ioctl 0x890c failed: No such process
- killall: dhcp6c: no process killed
- killall: IPv6-relay: no process killed
- killall: pppdv6: no process killed
- killall: rtsol: no process killed
- killall: dhcp6s: no process killed
- killall: radvd: no process killed
- ifconfig: invalid number ''
- ifconfig: invalid number ''
- route: ioctl 0x890c failed: No such process
- killall: dhcp6s: no process killed
- killall: radvd: no process killed
- Hit enter to continue...Hit enter to continue...
到这里是基本好了,不过网线连接不上
手机能搜到WIFI信号,不过要密码,又从恩山上下了个救砖的CFE,刷上,不用密码连上了。
不过网口还是没作用。。。。
我怀疑我是没焊接好,于是重新焊接了下,通电还是不行。。。。。。。
到这里我已经不抱希望了,我只是抱着试试的态度,硬初始化了一下:通电开机状态下按复位脚30秒,不松手关机等待30秒,不松手开机(一直按住复位键),等待30秒,然后断电松开复位键,再开机。。。。。
本来我是想靠这个让它进入tftp模式,没想到等路由器开机后,我没等到电源绿灯闪,我还是PING了一下,没想到柳暗花明又一村,PING通了,哈哈,后台也能连接上去了,上图:
至此,可以说路由器已经被我救活了。现在我已经把我的老路由器换了下来
虽然已经能用了,不过还是有一些小问题,比如:MAC识别不了(识别成00ffffff),还有无法更新固件这些小问题。
后面还得折腾。
打算下周回公司了,把修改后的CFE刷进去,再刷DD-WRT。。。。。
生命在于折腾 ,完结,希望对路由器变砖的有帮助。
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
11月10日更新
前面说的改boot_wait情况,后面证实是错的(已经删除)。
原先发现的小问题都是刷的CFE不完整造成的(刷的网上的救砖CFE)。
刷回原版的CFE问题就解决了,然后刷上DD-WRT爽死了
|
本帖子中包含更多资源
您需要 登录 才可以下载或查看,没有帐号?注册
x
阿莫论坛20周年了!感谢大家的支持与爱护!!
你熬了10碗粥,别人一桶水倒进去,淘走90碗,剩下10碗给你,你看似没亏,其实你那10碗已经没有之前的裹腹了,人家的一桶水换90碗,继续卖。说白了,通货膨胀就是,你的钱是挣来的,他的钱是印来的,掺和在一起,你的钱就贬值了。
|
发表于 2014-11-8 23:51:23
楼主
