Linksys WRT310N v1

Overview
"3763-17140302R REV:XB" is silkscreened on the board shown below.

The default SSID is linksys.

Wikis

 * On the DD-WRT Wiki

DD-WRT Forum threads

 * ddwrt WRT310N Support (high res pictures on page 3)
 * jtag wrt310n (additional pictures)
 * WRT310N v1 Client / Repeater toubles (OUI 00:22:6B)

OpenWrt Forum threads

 * Linksys WRT310N?

Flashing dd-wrt
Supported by dd-wrt as of = v24 build 9524

The WRT310N accepts only the mini, standard, and VPN builds; no other versions are supported on this device. Do not even attempt to flash it with the micro (does not support gigabit ethernet so switch will not work for LAN ports) or mega-build (requires 8MB of flash, WRT310N only has 4MB), you will end up with a non-responding router or worse, a very expensive brick! Flashing a virgin WRT310N with the default Linksys firmware will require a special "trailed" mini-build to be flashed first. You should use a build from the BS Broadcom folder 12874 for the initial flash. The name of this file specifically is "dd-wrt.v24_mini_wrt310n.bin". You may proceed to flash it with a generic STD or VPN build next. Remember to do the 30/30/30 Hard Reset after every successful flash. It is absolutely essential.

The proper process for flashing is:


 * 1) Read Note 1 of the peacock announcement http://www.dd-wrt.com/phpBB2/viewtopic.php?t=51486
 * 2) Read Note 3 of the peacock announcement
 * 3) Download svn 12874 dd-wrt.v24_mini_wrt310n.bin ftp://dd-wrt.com/others/eko/BrainSlayer-V24-preSP2/09-08-09-r12874/broadcom/dd-wrt.v24_mini_wrt310n.bin
 * 4) Do a HARD reset on your router. You will not get a password renewal page as you have stock linksys firmware on the router still.
 * 5) Plug a cable into the lan port of the router and your computer, and disable any wireless to the computer. Disable all firewalls and virus protection. (Setting your computer to a static IP should not be required)
 * 6) Set your browser to 192.168.1.1. This will open up the linksys webgui
 * 7) Enter the username admin and password admin
 * 8) Go to the administration tab. Click on firmware upgrade.
 * 9) BROWSE to the dd-wrt.v24_mini_wrt310n.bin file you downloaded.
 * 10) Click on the upgrade button and WAIT for the upgrade successful message.
 * 11) Power cycle your router. (very important) WAIT until you can relogin at 192.168.1.1
 * 12) Do a PROPER HARD 30-30-30 reset on your router (very important) WAIT until you can login at 192.168.1.1
 * 13) Click on any tab. Reset your username/password by TYPING in a new username/password
 * 14) Configure your router

You can now upgrade to any generic dd-wrt build except Mega and Micro. Be sure to always do a hard reset prior to flashing another build, do a power cycle followed by another hard reset after flashing, and NEVER re-use a configuration file from a previous build or another router. Reconfigure from scratch. Recovery information available in this thread.

Flashing Tomato
Please insert instructions here

JTAG Pinouts
nTRST  1o o2	GND TDI  3o o4	GND TDO  5o o6	GND TMS  7o o8	GND TCK  9o o10	GND nSRST 11o o12  N/C

JTAG Recovery
To perform JTAG recovery, you'll need to solder a JTAG header onto the appropriate pads on the router's board. Debricking a router via JTAG is a common procedure with generally the same steps: To complete the procedure, you'll need:
 * 1) Solder on JTAG header to the correct place on the board
 * 2) Connect the JTAG cable's signal wires to the correct pins
 * 3) Run software to clear the router's nvram and kernel storage areas in flash memory
 * 4) Re-flash the router with a new kernel (firmware)
 * 1) Screwdriver with Torx bits & flathead bit (for prying)
 * 2) Soldering iron
 * 3) Lead free electronics solder
 * 4) JTAG Cable (I used a Xilinx Parallel Cable III DLC5, but any supported by tjtag will do)
 * 5) JTAG Software
 * 6) A kernel to re-flash the device with

I recommend tjtag. Source Code can be found here: https://github.com/oxplot/tjtag-pi. You may also want to try zjtag or one of the forks listed here

For the wrt310n, you need a mini build of dd-wrt with a special "310N" header for the first flash. I had success using the custom build that redhawk0 posted in this forum thread, but you may have good results with any mini brainslayer build after March 2009. The official wrt310n dd-wrt wiki page recommends this build: BrainSlayer-V24-preSP2-2010-08-12-10-r14929-dd-wrt.v24_mini_wrt310n.bin

Soldering on a JTAG header
To solder on a JTAG header to the wrt310n, you first need to open up the plastic chassis using a torx tamper-resistant security bit (#T-9H). Next, gently pry open the plastic chassis near the left and right sides of the router. There should be 2 plastic clips on either side of the top clamshell piece that you'll need to release. There are also 2 plastic clips near the front of the bottom clamshell piece that need to be released. After the plastic clamshell chassis is opened, you should see 2 potential pin header locations on the lower right of the board. The one to the left with the through-holes is NOT the correct place to solder the JTAG header.

The one to the right with copper pads is the CORRECT one (See image near bottom right where pin header is soldered)

Connecting the JTAG Cable
In order to connect the JTAG cable you will have to identify the number of each pin. The correct pinout is listed above. To identify the pin numbering, look at the numbers printed on the PCB next to the pins. You should see some numbers like '1', '11', on top and '2', '12' on the bottom. Pin numbering starts from 1 on the top and continues left to right, top to bottom. This pattern works out such that the odd numbers are all on the top, and even pin numbers are all on the bottom of the PCB. Here is a photo of the top of some JTAG flying wires connected to the wrt310n's JTAG header which has been soldered to the top and bottom of the PCB. As you can see, pins 3, 5, 7, and 9 are the necessary JTAG data pins to connect like this: (TDI = 3, TDO = 5, TMS = 7, TCK = 9). On the bottom of the board, the pinout shows many ground pins. I have used pin 6 for GND.

Installing tjtag
After connecting the JTAG cable, you will need to make sure you have the tjtag software installed. If you don't have a compiled binary executable for tjtag (binaries can be found here), you'll need to download and compile the source code for tjtag like this:

git clone https://github.com/oxplot/tjtag-pi.git cd tjtag-pi make    # for standard linux make pi # for Raspberry Pi CFLAGS='-D WINDOWS_VERSION' make  # for Windows CFLAGS='-D __FreeBSD__' make     # for FreeBSD

You should end up with a binary executable called 'tjtag' ('tjtag.exe' for Windows). You'll use this tool to clear the flash memory. If you are using a parallel port cable on linux, make sure to load the kernel module if it was not autoloaded. Sometimes the lp printer driver will grab the parallel port and prevent tjtag from accessing it. You may have to unload the lp driver first, and reload the parallel port drivers:

sudo rmmod lp ## This should prevent tjtag error: "Failed to lock /dev/parport0: No such device or address" for driver in ppdev parport_pc parport; do sudo modprobe -r $driver; done for driver in ppdev parport_pc parport; do sudo modprobe -i $driver; done
 * 1) Remove drivers
 * 1) Re-insert drivers

Detecting Hardware via JTAG
To run a quick test to see if your router and flash chip are detected, run: ./tjtag -probeonly /noreset. The router's microprocessor chip will sometimes halt and prevent the detection from working. (You will see the probeonly command hang at "Issuing Processor / Peripheral Reset ... Skipped"). Just retry a couple times, or try doing a 30/30/30 reset on the router and it should work. If you see error message "Failed to open /dev/parport0: Permission denied", you need to run the command as root with sudo. You'll see output like this:

$ sudo ./tjtag -probeonly /noreset ============================================== EJTAG Debrick Utility v3.0.1 Tornado-MOD ============================================== Probing bus ... Done Instruction Length set to 8 CPU Chip ID: 00000100011110000101000101111111 (0478517F) *** Found a Broadcom BCM4785 Rev 1 CPU chip *** - EJTAG IMPCODE ....... : 00000000100000010000100100000100 (00810904)   - EJTAG Version ....... : 1 or 2.0 - EJTAG DMA Support ... : Yes - EJTAG Implementation flags: R4k MIPS16 MIPS32 Issuing Processor / Peripheral Reset ... Skipped Enabling Memory Writes ... Done Halting Processor ...  ... Done Clearing Watchdog ... Done Probing Flash at (Flash Window: 0x1fc00000) ... Done Flash Vendor ID: 00000000000000000000000001111111 (0000007F) Flash Device ID: 00000000000000000010001011111001 (000022F9) *** Found a EON EN29LV320 2Mx16 BotB  (4MB) Flash Chip *** - Flash Chip Window Start .... : 1fc00000 - Flash Chip Window Length ... : 00400000   - Selected Area Start ........ : 00000000   - Selected Area Length ....... : 00000000 *** REQUESTED OPERATION IS COMPLETE ***

Clearing Flash Memory via JTAG
You will need to reset both the kernel and nvram from flash memory.

To reset: If tjtag does not detect the flash chip, you might need to pass the correct flag depending on the flash chip you have. Different revisions of the wrt310n have been built using different flash chips. To identify your chip, look on the bottom of the board. It should be marked by a couple dots (See this forum thread for help identifying the location). The chip manufacturer and ID should be printed on it. Some common chips found in wrt310n are:
 * kernel - run: ./tjtag -erase:kernel /noreset
 * nvram - run: ./tjtag -erase:nvram /noreset

/fc:19 ............. K8D3216UBC  2Mx16 BotB     (4MB)

/fc:102 ............. EON EN29LV320 2Mx16 BotB   (4MB)

The output from erasing kernel & nvram should look like this:

$ sudo ./tjtag -erase:kernel /fc:102 /noreset ============================================== EJTAG Debrick Utility v3.0.1 Tornado-MOD ============================================== Probing bus ... Done Instruction Length set to 8 CPU Chip ID: 00000100011110000101000101111111 (0478517F) *** Found a Broadcom BCM4785 Rev 1 CPU chip *** - EJTAG IMPCODE ....... : 00000000100000010000100100000100 (00810904)   - EJTAG Version ....... : 1 or 2.0 - EJTAG DMA Support ... : Yes - EJTAG Implementation flags: R4k MIPS16 MIPS32 Issuing Processor / Peripheral Reset ... Skipped Enabling Memory Writes ... Done Halting Processor ...  ... Done Clearing Watchdog ... Done Manual Flash Selection ... Done Flash Vendor ID: 00000000000000000000000001111111 (0000007F) Flash Device ID: 00000000000000000010001011111001 (000022F9) *** Manually Selected a EON EN29LV320 2Mx16 BotB  (4MB) Flash Chip *** - Flash Chip Window Start .... : 1fc00000 - Flash Chip Window Length ... : 00400000    - Selected Area Start ........ : 1fc40000 - Selected Area Length ....... : 003b0000 *** You Selected to Erase the KERNEL.BIN *** ========================= Erasing Routine Started ========================= Total Blocks to Erase: 59 Erasing block: 12 (addr = 1fc40000)...Done Erasing block: 13 (addr = 1fc50000)...Done Erasing block: 14 (addr = 1fc60000)...Done Erasing block: 15 (addr = 1fc70000)...Done Erasing block: 16 (addr = 1fc80000)...Done Erasing block: 17 (addr = 1fc90000)...Done Erasing block: 18 (addr = 1fca0000)...Done Erasing block: 19 (addr = 1fcb0000)...Done Erasing block: 20 (addr = 1fcc0000)...Done Erasing block: 21 (addr = 1fcd0000)...Done Erasing block: 22 (addr = 1fce0000)...Done Erasing block: 23 (addr = 1fcf0000)...Done Erasing block: 24 (addr = 1fd00000)...Done Erasing block: 25 (addr = 1fd10000)...Done Erasing block: 26 (addr = 1fd20000)...Done Erasing block: 27 (addr = 1fd30000)...Done Erasing block: 28 (addr = 1fd40000)...Done Erasing block: 29 (addr = 1fd50000)...Done Erasing block: 30 (addr = 1fd60000)...Done Erasing block: 31 (addr = 1fd70000)...Done Erasing block: 32 (addr = 1fd80000)...Done Erasing block: 33 (addr = 1fd90000)...Done Erasing block: 34 (addr = 1fda0000)...Done Erasing block: 35 (addr = 1fdb0000)...Done Erasing block: 36 (addr = 1fdc0000)...Done Erasing block: 37 (addr = 1fdd0000)...Done Erasing block: 38 (addr = 1fde0000)...Done Erasing block: 39 (addr = 1fdf0000)...Done Erasing block: 40 (addr = 1fe00000)...Done Erasing block: 41 (addr = 1fe10000)...Done Erasing block: 42 (addr = 1fe20000)...Done Erasing block: 43 (addr = 1fe30000)...Done Erasing block: 44 (addr = 1fe40000)...Done Erasing block: 45 (addr = 1fe50000)...Done Erasing block: 46 (addr = 1fe60000)...Done Erasing block: 47 (addr = 1fe70000)...Done Erasing block: 48 (addr = 1fe80000)...Done Erasing block: 49 (addr = 1fe90000)...Done Erasing block: 50 (addr = 1fea0000)...Done Erasing block: 51 (addr = 1feb0000)...Done Erasing block: 52 (addr = 1fec0000)...Done Erasing block: 53 (addr = 1fed0000)...Done Erasing block: 54 (addr = 1fee0000)...Done Erasing block: 55 (addr = 1fef0000)...Done Erasing block: 56 (addr = 1ff00000)...Done Erasing block: 57 (addr = 1ff10000)...Done Erasing block: 58 (addr = 1ff20000)...Done Erasing block: 59 (addr = 1ff30000)...Done Erasing block: 60 (addr = 1ff40000)...Done Erasing block: 61 (addr = 1ff50000)...Done Erasing block: 62 (addr = 1ff60000)...Done Erasing block: 63 (addr = 1ff70000)...Done Erasing block: 64 (addr = 1ff80000)...Done Erasing block: 65 (addr = 1ff90000)...Done Erasing block: 66 (addr = 1ffa0000)...Done Erasing block: 67 (addr = 1ffb0000)...Done Erasing block: 68 (addr = 1ffc0000)...Done Erasing block: 69 (addr = 1ffd0000)...Done Erasing block: 70 (addr = 1ffe0000)...Done ========================= Erasing Routine Complete ========================= elapsed time: 15 seconds *** REQUESTED OPERATION IS COMPLETE ***

$ sudo ./tjtag -erase:nvram /fc:102 /noreset ============================================== EJTAG Debrick Utility v3.0.1 Tornado-MOD ============================================== Probing bus ... Done Instruction Length set to 8 CPU Chip ID: 00000100011110000101000101111111 (0478517F) *** Found a Broadcom BCM4785 Rev 1 CPU chip *** - EJTAG IMPCODE ....... : 00000000100000010000100100000100 (00810904)   - EJTAG Version ....... : 1 or 2.0 - EJTAG DMA Support ... : Yes - EJTAG Implementation flags: R4k MIPS16 MIPS32 Issuing Processor / Peripheral Reset ... Skipped Enabling Memory Writes ... Done Halting Processor ...  ... Done Clearing Watchdog ... Done Manual Flash Selection ... Done Flash Vendor ID: 00000000000000000000000001111111 (0000007F) Flash Device ID: 00000000000000000010001011111001 (000022F9) *** Manually Selected a EON EN29LV320 2Mx16 BotB  (4MB) Flash Chip *** - Flash Chip Window Start .... : 1fc00000 - Flash Chip Window Length ... : 00400000    - Selected Area Start ........ : 1fff0000 - Selected Area Length ....... : 00010000 *** You Selected to Erase the NVRAM.BIN *** ========================= Erasing Routine Started ========================= Total Blocks to Erase: 1 Erasing block: 71 (addr = 1fff0000)...Done ========================= Erasing Routine Complete ========================= elapsed time: 1 seconds *** REQUESTED OPERATION IS COMPLETE ***

Installing New Firmware/Kernel
To install new firmware & kernel, you will need to tftp the mini build of dd-wrt to the router. Upon booting after a 30/30/30 reset, the router will accept a tftp upload of the firmware. The important part here is to get the timing right, have a kernel with appropriate wrt310n header, and WAIT at least 2-3 minutes AFTER a successful flash for nvram settings to be rebuilt. Failing to wait for nvram to be rebuilt will usually re-brick the router and you will have to start over from clearing the nvram & kernel via JTAG. To install the new firmware, the procedure is as follows: Use these settings:
 * Plug a cable into the LAN port of the router and your computer, and disable any wireless to the computer. Disable all firewalls and virus protection.
 * Set your computer to a static IP (see image)

192.168.1.10 ip 255.255.255.0 subnet 192.168.1.1  gateway 192.168.1.1  dns


 * Perform 30/30/30 reset
 * Unplug router
 * Start pinging router continuously
 * Plug in router while holding the reset button
 * Immediately tftp the firmware after the first successful ping
 * Timing is important! If you keep getting failed pings indefinitely or see an error from tftp like "Transfer timed out.", you are missing the upload window.
 * If you are having problems getting timing right running commands manually, I suggest using this script (change firmware name according to the filename you saved it as, run from same directory):

router_ip=192.168.1.1 firmware=dd-wrt.v24_mini_wrt310N-redhawk0.bin if $OSTYPE = *darwin* ; then ping_args='-W 5' elif $OSTYPE = *linux-gnu ; then ping_args='-w 130' else ping_args='' fi  result=1 while [ $result -ne 0 ]; do   ping -c 1 $ping_args $router_ip result=$? done && tftp $router_ip <<-EOF connect $router_ip binary put $firmware EOF
 * 1) !/bin/bash
 * 2) dd-wrt router tftp flashing script for *nix platforms
 * 3) To use:
 * 4)  - Make sure you are connected via LAN cable to router
 * 5)  - Press reset button on router & hold for 30 seconds
 * 6)  - Unplug router while holding reset button for 30 seconds
 * 7)  - Start this script and watch pings fail
 * 8)  - Plug in router while still holding reset button for 30 seconds
 * 9)  - Release reset
 * 10)  - With any luck a ping succeeds and tftp uploads the firmware

SET router_ip=192.168.1.1 SET firmware=dd-wrt.v24_mini_wrt310N-redhawk0.bin :loop ping -n 1 -w 5 %router_ip% IF NOT %ERRORLEVEL%==0 (     goto loop  ) tftp -i %router_ip% put %firmware%
 * 1) Windows batch script to upload firmware
 * 2) Make sure you have tftp installed via Control Panel first
 * 3) http://avtech.com/Support/index.php?action=kb&article=108
 * 4) To use:
 * 5)  - Make sure you are connected via LAN cable to router
 * 6)  - Press reset button on router & hold for 30 seconds
 * 7)  - Unplug router while holding reset button for 30 seconds
 * 8)  - Start this script and watch pings fail
 * 9)  - Plug in router while still holding reset button for 30 seconds
 * 10)  - Release reset
 * 11)  - With any luck a ping succeeds and tftp uploads the firmware

"Sent 2936864 bytes in 5.4 seconds"
 * If this step worked, you should see a success message from tftp like:


 * WAIT AT LEAST 2-3 minutes while the new kernel is booted and nvram settings are built! Do NOT power off the router until this time has elapsed. This step is important for the firmware to stick!
 * Go to the router's web interface at http://192.168.1.1

If it worked, you should see the Router Management page and password reset dialog for dd-wrt.

If it didn't work, try unplugging router, starting tftp script, and trying again!
 * After you have flashed the router with the special mini build, you can now use the dd-wrt web interface (Administration -> Firmware Upgrade) to upload the dd-wrt.v24_std_generic build.

Serial Pinouts
VCC 1 o  TX  2 o  RX  3 o N/C  4 o GND  5 o

Serial Recovery
Modified Redhawk0 instructions


 * 1) Connect Serial cable


 * 1) start a rapid fire Cntl-C as you plug the router to power
 * 2) nvram erase
 * 3) flash -noheader : flash1.trx
 * 4) but have tftp.exe ready
 * 5) flash -noheader : flash1.trx starts the tftp daemon
 * 6) Use Readhawk0's dd-wrt.v24_mini_wrt310N.bin
 * 7) give it 5 minutes after it finishes
 * 8) then power cycle....hard reset...then config
 * 9) when it stops spitting out txt....hit the enter key...you should get a login prompt...at that point, power cycle it, hard reset...then config
 * 10) you'll see it boot up

Pictures
User Images