Unbrick hard bricked (no ping) Linksys E3000 via serial connection.

| October 1, 2011

I accidentally flashed the wrong dd-wrt firmware on my Linksys E3000.
This prevented me from recovering with any firmware. I was unable to reset the router, ping the default address, or communicate with it in any way.

To recover I had to initiate a serial connection.

This router, along with others has serial contacts inside, on the bottom of the WAN port.
I tried to make a cable out of a 40 PIN IDE cable that would touch these contacts, but got tired of fiddling with it. Instead I opted to solder directly to the board.

The first step in this process was to open the router. This requires a TORX T-10 Security screwdriver bit. I was able to purchase this for about $8 at my local lowes. It’s the TORX bit with a hole in the center.

Next, I had to pull the plastic chassis off, which was quite difficult. I found it easiest to seperate the pieces from the front.

After the casing was removed, I had to unclip the three antenna wires, and flip the board around. The serial contacts are located on the underside.

After locating the contacts for the serial port, I had to identify which of them needed to be used.
My Serial->USB adapter was a CA-42 Nokia cable that I bought off ebay. There were 3 wires in the cable. Blue (GND), Green (RXD), and White (TXD).

These three wires had to be attached to contacts 5 (GND), 3 (TXD), and 2 (RXD).
Note it’s important that the RXD wire must be attached to the TXD contact, and TXD on the wire to the RXD contact.

Once these wires have been soldered to the appropriate contacts, the serial connection should work.
Connect to it from a terminal using 115200 baud, 8N1 with No Flow Control (hardware or software) and ANSI emulation. I use linux, so I used minicom as a terminal, but you could also use hyperterminal in windows.

Now, plug in the USB end of the cable to your computer, and plug in, and power on the router.
You should see activity in the terminal as the router powers up.

Once you’ve verified that there’s activity, turn off the router and turn it back on. Quickly begin hitting CTRL-C in the terminal until you reach the CFE> prompt.

Once you’ve reached the CFE> prompt the router should be up with networking. At this point you should be plug an ethernet cable into the router and ping 192.168.1.1

First, clear the nvram by typing:

CFE> nvram erase

Once that has completed, you can begin to send the ORIGINAL linksys firmware to the device.

Using another terminal (or command prompt) prepare the TFTP command to put the firmware on the device.
In linux, I connected to tftp 192.168.1.1, then set the mode to binary, set the timeout to 90 seconds, and entered:

CFE> put

.
Don’t execute the put yet, just get it ready.

Back at the CFE> prompt, type:

CFE> flash -ctheader : flash1.trx

As soon as you execute the flash command, execute the tftp command. This will upload the firmware.

After the firmware is copied to the router, in the CFE prompt, type:

CFE> go

The router will reboot and load it’s new firmware.

Once it’s done, you’ve got a restored router. Desolder the connections on the board, put it all back together and… good as new.

Tags:

Category: Uncategorized

About the Author ()