You’ve all heard of hacking the Linksys WRT54G routers.

But what about some other routers? I thought I’d try my luck with a router some consider to be one of the worst on the market: the Microsoft MN-700. This router runs a version of Windows CE by default, but we’ll see if we can change that.
Here’s what we’re going to need:
- Microsoft MN-700 (you can pick one up on eBay for around $30)
- JTAG Connector (Diagram for making a JTAG Connector)
- WRT54G JTAG software
  - Linux: wrt54g.zip
  - Windows (untested by me): wrtjtag-modified.zip
- Firmware-independent bootloader and config template (here or here)
- nvserial (you can get this from the OpenWRT webpage here)
- New Firmware (I recommend either Oleg’s Custom Firmware or OpenWRT)
This will void your warranty and could possibly destroy your router. Do not attempt these instructions unless you’re comfortable with hardware modification.
Thanks to James Couzens for all the help and research that went into this mod. Visit his site at http://6o4.ca
UPDATE: I’ve added some pictures of our JTAG cable HERE
The first thing that needs to be done is open up the router and attach a set of JTAG headers to the board. You have to solder pins to the board in the area indicated by the red circle.

Click on the following picture for a full-size wiring diagram for your JTAG cable.
Once you have the headers you can attach your JTAG cable (make sure the router is off).
Then power on your router.

My JTAG connection
The next step is to upgrade the bootloader on the router. (The current bootloader prevents us from running any non-Microsoft firmware.)
Download the reference firmware and configuration template from this website. Then download the nvserial program from the OpenWRT website.
Once you have these files, modify the config template (mn700.txt) by replacing the two occurrences of “@@MAC@@” with your MN-700’s MAC address (it usually starts with 00:0D:3A and should be printed on a sticker somewhere on the router’s mainboard).
Once you’ve made these changes, run the nvserial program on the mn700.bin file by executing the following command:
nvserial -i mn700.bin -o cfe.bin mn700.txt

My MN-700 having the bootloader flashed
The resulting cfe.bin file is what we will use to replace the bootloader of our MN-700.
The next step is to use the WRT54G program to flash the MN-700 with the new bootloader. This is accomplished with the following command (note that you must have the cfe.bin and cfe.txt in the same folder as WRT54G):
./wrt54g -flash:cfe
Now sit back and wait for the program to finish running.
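The preparation steps above can be scripted so that a mistyped MAC address or a missed placeholder is caught before anything is written to flash. This is an added example, not code from the original post or from the nvserial or wrt54g projects: the function names and the two-line sample template are constructed for illustration, the upper-case CFE.BIN name comes from a reader report in the comments below, and the script does not run nvserial or the flasher itself.

```shell
#!/bin/sh
# Added example. Function names are made up for this sketch; the file names
# mn700.txt, cfe.bin and CFE.BIN are the ones used on this page.

# Succeeds only for six colon-separated hex octets, e.g. 00:0D:3A:12:34:56.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# count_token FILE STRING: prints how often the fixed STRING occurs in FILE.
count_token() {
    grep -oF -- "$2" "$1" | wc -l | tr -d ' '
}

# fill_template TEMPLATE MAC OUT
# Replaces both @@MAC@@ placeholders. On any failure OUT is left untouched,
# so a half-edited config never reaches nvserial. OUT may equal TEMPLATE.
fill_template() {
    tmpl=$1; mac=$2; out=$3
    valid_mac "$mac" || { echo "MAC must look like 00:0D:3A:xx:xx:xx" >&2; return 1; }
    [ "$(count_token "$tmpl" '@@MAC@@')" -eq 2 ] ||
        { echo "template should contain exactly two @@MAC@@" >&2; return 2; }
    sed "s/@@MAC@@/$mac/g" "$tmpl" > "$out.tmp" || return 3
    if [ "$(count_token "$out.tmp" '@@MAC@@')" -ne 0 ] ||
       [ "$(count_token "$out.tmp" "$mac")" -ne 2 ]; then
        rm -f "$out.tmp"; return 3
    fi
    mv "$out.tmp" "$out"
}

# stage_image SRC DIR: copy SRC to DIR/CFE.BIN (the upper-case name a reader
# found the Linux flasher opens) and confirm the copy is byte-identical.
stage_image() {
    [ -s "$1" ] || { echo "$1 is missing or empty" >&2; return 1; }
    cp -- "$1" "$2/CFE.BIN" && cmp -s -- "$1" "$2/CFE.BIN"
}

# same_image A B: true when two images match byte for byte, for example the
# file that was flashed and a backup read back from the router.
same_image() {
    cmp -s -- "$1" "$2"
}

# Constructed demo: a two-line stand-in for mn700.txt. The real template is
# longer and its variable names may differ.
demo() {
    d=$(mktemp -d) || return 1
    printf 'et0macaddr=@@MAC@@\nil0macaddr=@@MAC@@\n' > "$d/mn700.txt"
    fill_template "$d/mn700.txt" 00:0D:3A:12:34:56 "$d/mn700.txt" &&
        cat "$d/mn700.txt"
    rm -rf "$d"
}
demo
```

After flashing, same_image can compare a backup read from the router against the cfe.bin you built; a reader in the comments found that backups taken in an electrically noisy environment differed on every read.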
Once the bootloader has successfully been updated you can close the router up, as you will no longer need to do any updates via the JTAG connector.
To update your firmware to OpenWRT, Oleg’s Custom Firmware or any other firmware compatible with the Asus WL500G, simply use the ASUS Firmware Restoration Tool for the WL-500g router, which you can download from the ASUS website here.
This utility must be run from a Windows machine connected to the router.
Congratulations! If you’ve now successfully flashed your new firmware, your Microsoft device is now running Linux and has gone from one of the worst routers available (IMHO) to something comparable to a Linksys WRT54G.
Here’s a screen of my MN-700’s new web interface

For all the pics of my mod in progress go to http://gallery.liamm.com/v/Tech-Stuff/MN700/
sweet
I’m not sure how to build the JTAG. Is there a guide on how to do this other than just a diagram?
Since I can’t edit the above post: will a JTAG from the WRT54G work on this one? I noticed that this hack uses a lot of the same stuff. gorac369@gmail.com
For a little more info and some different diagrams showing how to build a JTAG adapter you can visit the OpenWRT wiki at the following address:
http://openwrt.org/OpenWrtDocs/Troubleshooting#head-d1e14acb3488c8f4b91727d72dce9f59583f9d65
Also you may be able to buy a JTAG adapter at your local electronics store.
I am currently working on a better How-To on building the JTAG adapter.
And yes this is the same JTAG connection as on a WRT54G.
Will this work on a mn-500? I’m eyeballing mine right now… mwahahaha.
I am curious if it will work on the mn-500 as well. Guess it all depends on what hardware is inside…
We unfortunately don’t have an MN-500 to hack apart here. Hopefully we’ll be able to procure one in the near future and see if it’s sporting the same hackability.
I have a mn-500….maybe I should hack it apart and see if it works. the internet keeps cutting in and out on it anyways, so maybe an “upgrade” would fix the problem.
Does this actually improve anything on the router? I.e. can you boost the signal strength or does it add any new features?
That all depends on the firmware you flash it with. Oleg’s custom firmware and OpenWRT both allow you to up the signal power, and a big thing for me was the addition of WDS mode to bridge APs.
Ok, anybody want to do mine for me? I’m no good w/ linux (no experience) and I really don’t want to do the soldering… I’d love to boost my power.
Also, would there be any way to incorporate a blocklist of IP’s that could be updated automatically on the router? (kinda like having protowall on the router?) Cause that would be cool.
Got the jtag connector built but the nvserial command for nvserial -i mn700.bin mn700.txt -o cfe.bin cfe.txt, keeps giving me a cfe.txt no such file or directory?
Any clue?
Whoops. Looks like you caught a step I skipped. I had this command listed:
“nvserial -i mn700.bin -o cfe.bin cfe.txt”; it should actually be
“nvserial -i mn700.bin -o cfe.bin mn700.txt”
So this router works now? I remember trying to set it up over a year ago and it shutting off randomly (not power but networking abilities) Can I take this out of the basement and use it now as a proper router?
Did everything, compiled the wrt54g program and started it. It goes through: found broadcom bcm4702 Rev 1 Chip. Enabling Memory Writes…Done, Configuring Memory..Done, Resetting Processor…Done, then just hangs…my cable is less than 8cm long and everything seems to be in order. Any special parallel port settings? EPP? SPP? ECP?
Mine’s on EPP. How long does it actually take? Because it hangs for hours…
Any help?
Mudskipper, I’m at that same point now. Note, I couldn’t get the wrt54g program to give me anything other than an all-ones error when I had it all cabled up before power on. However, I pulled my JTAG cable off the header and then put it on after power up and got to where you are. I’m at about 15 mins so far, so I’m willing to wait a while longer. Note, NO lights are on at this point. They went off just after the resetting processor message.
output so far:
====================================
WRT54G EJTAG DeBrick Utility v2.2
====================================
Probing bus…
CHIP ID: 00000100011100010000000101111111 (0471017F)
*** Found a Broadcom BCM4702 Rev 1 chip ***
Enabling Memory Writes…Done
Configuring Memory…Done
Resetting Processor…
Done
OK, new update. I assumed the code looked for cfe.bin. Turns out that it looks for CFE.BIN (remember Linux is case sensitive.) I got an error after 45 minutes of:
*** You Selected to Flash the CFE.BIN ***
Could not open CFE.BIN for reading
so, I’ve copied cfe.bin to CFE.BIN (probably could have symlinked it, but thought copy was safer–% cp cfe.bin CFE.BIN).
Trying again now. This time, after the resetting processor message, I have a solid yellow power light.
Sure would be nice if the wrt54g program gave some sort of progress info…. oh well. more update soon.
I think I have the cable built correctly, and it seems to be getting the right binary for the MN700, but it still won’t do anything…
Here’s what I get:
CHIP ID: 00000100011100010000000101111111 (0471017F)
*** Unrecognized Chip ***
*** This is not a Broadcom BCM47XX chip ***
Any ideas?
edwinx2 it sounds like you’re using a wrt54g debrick util that’s modified for a specific chip; we actually ran into this when developing this hack. Make sure you’re compiling the wrt54g debrick util from this link. http://www.ranvik.net/prosjekter-privat/jtag_for_wrt54g_og_wrt54gs/linux%20(not%20tested)/
Well, I am attempting to do this with my router, and I have a question. Does the Microsoft router also have the VCC pin of the JTAG port already connected to VCC? And if not, what VCC should I use? The same as the router (12 Volts)?? With this answer I would move forward. I just finished building my JTAG cable; it took me a lot of patience and burns.
Finally! got it to work..Here is what i did.
1. Make the JTAG cable as in the diagram.
2. Boot up linux and do the nvserial command.
3. Copy the resulting cfe.bin to a windows xp machine.
4. Use the latest windows xp jtag software from here
http://www.ranvik.net/prosjekter-privat/jtag_for_wrt54g_og_wrt54gs/new-winxp_ejtag_debrick_v%5b1%5d.99beta/
it’s called WRTJTAG.exe to your xp machine
5. Hook up the Jtag and router to your xp machine, and use the software to program the flash (i did an erase first). After the flash the power light will be flashing orange and green.
6. Then run the ASUS update software, with it hooked up via ethernet to your network, wait a few minutes and voila! I used Oleg’s custom firmware.
I have a Macronix flash chip so i don’t think the linux debrick utility supports it yet. The XP one works fine.
hmm last post didn’t go through. I got it to work using the new windows xp beta jtag programming software from the site that liamm mentioned above. Use the nvserial on linux to make the cfe.bin then copy it to windows xp and use the windows xp jtag software to flash it. The linux wrt54g programmer doesn’t seem to support the Macronix flash, while the xp one does.
I’ve got the same problem as edwinx2. I created the cable and I’ve tried all varieties of Linux and Windows WRT/JTAG programs. I’ve also tried two different machines thinking that the parallel port might be the problem.
I took the Linux code and noticed that it reports a chip ID “ShowData(id);” which looks to match the first check perfectly, so I sprinkled a few “ShowData(id);” calls before each id check. What I found, is that after the first call, the id returned is 11111111111111111111111111111110 or 0xFFFFFFFE.
Subsequent calls find 0x0471017F and would have identified the chip as a BCM4702. I tried to modify the code some more and get the program to correctly identify the chip now, but it seems to hang forever at “Enabling Memory Writes…”. I’m going to forward a copy of this to HairyDairyMaid for comment, but I thought I’d contribute my findings as well.
Well, the saga continues…
I can’t get the new XP wrtjtag to go beyond 4% even after dozens of tries. It probes correctly, erases parts or whole flash correctly, but won’t flash beyond a small amount.
So, back to my Linux machine for progress. I had to mod the code to avoid the Flash chip probe that was causing it to take something like 8 hours to probe and then fail to ID the flash chip (I just commented out the exit() on line 768 to force it to think it was an AMD chip). Then, I can get it to accept a new .trx file via tftp at 192.168.1.1 (fetching the weird filename “ASUSSPACELINK\x01\x01\xa8\xc0” and then putting my new .trx file as ASUSSPACELINK). Alas, it doesn’t seem to flash the image in after that.
LiamM and/or HairyDairyMaid, any chance we can get the new flash probe routines into the current Linux version or the source for the XP version that knows about the proper Macronix 2Mx16 chip that is in the MN-700?
Thanks guys! While I’m still not live, I’m at least enjoying the challenge so far.
Updates as I make progress…
BTW, I finally timed it… The Linux code took me 40 minutes to flash the CFE.
Bad news is that in all my efforts, I now have a MN-700 that gives me no power lights at all. I get all four LAN lights lit green during power on (about 2 secs) and then only the cable I have connected is lit green. All others are dark. I’ve tried erasing the kernel and the nvram, but still nothing.
Any ideas? Anyone want to share a full up WHOLEFLASH.BIN file from a working MN-700 that’s already upgraded? (Yeah, I know, I’m a very patient person–by my calculations that would take about 11 hours to flash). Anyone want to help a poor soul out? catch me at narwhal@yahoo.com if you can help.
-tv
narwhal: It does take some time to flash (11 hours for the whole thing sounds about right). I thought I’d add the following links for some of you that are having trouble.
This link is a modified windows wrtjtag debrick util for flashing the MN700 (note that I don’t run windows so I haven’t tested this)
http://oregonstate.edu/~byerss/programs/wrtjtag-modified.zip
and Here’s an alternate Linux version for those experiencing problems.
http://oregonstate.edu/~byerss/programs/wrt54g.zip
(I’ve added both these links to the How-To as well)
Just a note: flashing will take a REALLY long time. I recommend only using jtag to flash the CFE.BIN and then using either the asus update util from the asus website or the firmware updater on the router’s GUI to update the firmware.
Argh… still dead
I think I need to flash the WHOLEFLASH.BIN (using the Linux util since I still hang w/ the Win version at 0% or 4%). Anyone wanna take the time to suck one off and let me download it? I can get either the WIN or Linux versions to erase (probably how I got to the really dead state I’m in now), but the Win version won’t flash and the Linux one doesn’t understand the Macronix flash chip that’s in it. argh….
any ideas? anyone want to offer me a WHOLEFLASH.BIN file that’s already upgraded so I can try to blast it back on?
Thanks all! loving the challenge even if at the moment M$’s h/w is winning. (I hate it when M$ wins)
-tv
Hey, it looks like the openwrt site is down and has been for a while. Can anyone provide a link (or a copy of) nvserial? I have an MN700 and I am anxious to hack it. Let me know at: the1fido@hotmail.com
Ok, I could really use some help with this one. I have it all set up, and wrt54g runs. However, when it gets to:
====================================
WRT54G EJTAG DeBrick Utility v2.2
====================================
Probing bus…
CHIP ID: 00000100011100010000000101111111 (0471017F)
*** Found a Broadcom BCM4702 Rev 1 chip ***
Enabling Memory Writes…Done
Configuring Memory…Done
Resetting Processor…
Done
It just hangs…Looking at the source code, it hangs when it gets to calling setup_Watchdog(). I have no idea what to do… BTW: I also have no idea how to make that show up formatted correctly.
Well, VERY interesting results that may help others. I found that at home (where I presumably have less EMI) I can flash my MN-700 fine, but at work, it appears to flash, but is corrupted every time. In fact, if I do a backup of the CFE, it’s different every time at work, but not at home.
Anyway, got to the point where I can tftp the .trx file in, but still can’t get it to flash it. I’ll tackle trying the ASUS firmware tool again tonight. Anyone know precisely how to do it w/ an MN-700? Do I have to hit the reset button? before power or after? When I tried using the ASUS tool before, it just complained that it couldn’t find a router in recovery state…
pointers?
-tv
That is a VERY interesting result indeed. I performed this mod in a fairly low EMI environment so that’s not something I encountered. One thing I would suggest trying is the ASUS update util for windows if you haven’t already. I’ll consult with my associate http://www.6o4.ca who has much more experience reviving routers from the dead than I, and see if I can get anything that can get you moving in a more beneficial direction. Cheers, and thanks for documenting your “speedbumps” in this process here; I’m sure it has been and/or will be of use to others.
In case anyone is interested or having the same problem as me, I emailed and have been discussing my problem with HairyDairyMaid. Even with modifying the code, my setup gets hung while enabling memory writes. The app tries to perform a read write, but the address returned on where to write to goes back to the 0xFFFFFFFE that it was initially returning.
I’ve practically exhausted all possibilities now as I’ve tried three different computers running Windows and Linux (using Knoppix in runlevel 2 (console only)). I resoldered the header pins to the board as that was suspect and I’ve rebuilt the cable a number of times now using slightly different plans that I’ve found online. The only cable that gives me any result, although it ultimately fails, is the modern drawing found on the OpenWrt Wiki ( http://openwrt.org/OpenWrtDocs/Troubleshooting ). All other plans, including the one found on this page give me all 1’s, and there are significant differences between them as to which JTAG pin connects to which data pin on the Parallel Port.
LiamM, if you could take some closeup pictures of your mess of wires, I might be able to work from that. As it stands now, in the photos you’ve posted so far, it is difficult to distinguish where individual wires go since they mix and match and weave together. HairyDairyMaid is working on yet another version which will communicate with the board differently, so I’m hoping that this will finally let me flash the bootstrap. Increasingly I suspect that this board might have some sort of hardware lock to prevent this kind of manipulation — something that Microsoft may have started doing with late generation boards.
Yet another update… At home (presumably a lower EMI environ), I have successfully loaded the CFE that I created (and when I back it up I get an identical file). But alas, again, I can get it to take a tftp upload (after the tftp download of the magic filename), but it just doesn’t seem to flash. Ugh! So close and yet so far… I still can’t get the ASUS util to see it either. Any chance I created a bogus CFE that has some small error? Anyone want to share a sample MN700 CFE?
Again, thanks to all, while still not up, the challenge is worth the effort…
It’s ALIVE!
Once I got a CFE.BIN that was correct (mine was bogus and kept failing to flash the kernel after I would transfer the .trx file over) I was up and running with no issues.
Looking forward to running it for a while and seeing how stable it becomes w/ this image instead of the WinCE gunk that was on it before.
-tv
so does this make the router stable and prevent that spontaneous shutoff of network services bug in it?
Hey liamm, I know you’re probably a busy guy and all, I would like to ask you a question on your hack. In your pictures I noticed you soldered a new (black wire?) antenna to your mn-700. Someone told me not to fool around with mn-700 antennas, cause there are two antennas, the wire one and the pcb one, and it screws up the signal balancing. Anyways my question is did the thick black wire work? Did you get good gain, if so what type of cable did you use? Length etc..
thorndruid: The wire I’m using is about 3 feet long. I’ll have to get the exact type of wire used from my partner in crime here. I haven’t taken before and after readings on the gain but I am noticing significant improvement in range; however, the signal fluctuates more than it did pre mod (this may be due to the “pcb” antenna).
If only you didn’t need to use a JTAG cable. I can’t solder, nor do I own a soldering iron. Oh well.
I was able to successfully (or so I think from the results of HairyDairyMaid’s windows utility) flash the bootloader, but now the Asus utility doesn’t find the router. On initial power up of the router the power led flashes alternating green/yellow about once per second. Once I try the Asus utility the power led goes to solid green, but the utility bails after 30 seconds, error message “no wireless device in recovery mode found”.
Any ideas?
Just a quick note and thanks to Oleg that is the guy that did most of the leg work to get this project to work. I feel he needs just a bit more credit than is given here to get the bootloader to work on the mn-700. Drop him a note and say thanks!
http://wl500g.dyndns.org/
the only thing that isn’t shown in any of the guides is the wattage of the resistors used. info would be a +
on the subject of external antenna mods I have seen only one but it is not described in any detail. I’m not sure if antenna length matters. I know on other kinds of hardware it does, as if the swr is too positive or negative one can blow out the unit. I would like to incorporate 1 or 2 powered uni or bi directional ones as I don’t need an omni and would like to get a boost in only 1 or 2 specific directions, and an omni cuts down on signal strength by throwing it in all directions rather than focusing it. also has anyone done anything with the uart port inside this thing? is it the same as the asus wl500xxxx? by that I mean can the mods that work for that model router be converted to work with the msn700 with changes to the gpio mappings?
Oh the humanity, I found a JTAG cable at my college and I was gonna ask to borrow it on wed but when I opened my mn700 I found they didn’t even solder in the jtag or uart connector pins *sigh*
Ok one quick question. When looking at the router’s motherboard which jtag pin(as in #) corresponds to JTAG_TRST_L on the diagram? Is it pin 12 or pin 1?
Stupid question, but an important one…
What is the form of the MAC address that gets entered? Do we put 00:3D:…(like a normal mac address) or 003D… (like it’s printed on the router)?
I ask because depending on how you enter them, you get a different CFE file generated.
Chance:
All the even number pins on the PCB (jtag connector) are grounds. The signal ones are the odd ones.
Answering my own question. From the bootloader site, it should be: 00:0D:3A:xx:xx:xx
hi,
i tried to follow your instruction. olegs firmware works fine. but when i try to flash open wrt
(white russian rc4 jffs 4mb.trx) the router doesn’t come up again.
what can i do?
ok, i solved the problem.
i created a firmware with the freifunk.net “kit” firmware
./gen-openwrt trx 192.168.1.1 255.0.0.0 > firmware.bin
so i can access the router via wifi with this ip, the ssid was “linksys” or make a scan…
Just a note DO NOT erase WHOLEFLASH it will for some reason keep the utility from flashing the CFE back on. Just use wrt54g -flash:cfe /nobreak while the M$ firmware is on the router
I need wholeflash.bin for wrt54G v2.2… Is there anybody who can send it 4 me. insighter@dir.bg
Could someone please send me the wholeflash.bin file for the MN-700. Greatly Appreciated! Please email to staticstream@gmail.com
I’m trying to open the case of my MN-700, but the clear plastic shield in front of the LEDs keeps me from completely opening it. I have tried to remove it but was unsuccessful – is there a way of removing it other than applying a Dremel?
Mine was just attached via clips (part of the clear plastic). I don’t really remember it being an issue. I just squeezed the sides a little and it came off fairly easily. What were everyone else’s experiences with removing the clear plastic cover? Easy/hard/impossible (circle one answer only)
Ah. squeezing! I hadn’t tried that… With a bit of squeezing it did come off easily. Thanks for the hint.
OKAPI is, I believe the photo gallery’s ugliest animal’s name you’re looking for
(mammal cousin of the giraffe).
Has anyone tried putting dd-wrt on their MN700? I am able to flash mine, but I can’t seem to save anything to nvram. Rebooting resets all default settings….
help?
I just completed installing dd-wrt on MN-700.. I followed the instructions here and the ones I found at http://www.macsat.com/macsat/content/view/13/30/ . The reset power -on setup puts the router in recovery mode which the ASUS tool looks for to complete upgrade. This helped me when the flash didn’t automatically change the router status.
I also used this build: DD-WRT v23 SP2 (09/21/06) std – build 3953.
Everything seems to be working as expected.. very pleased with the results and consider it well worth the long night and effort.
would anyone be willing to mod my MN-700 to DD-WRT for $?
Thanks for all of the info…. This is going to make a great War Voiping Box…. To think, the office called this thing JuNk.!
Can someone pls post a link to the bootloader template? The link in the tut is not working anymore.
Here’s the new link http://oleg.wl500g.info/mn700/mn700.zip I’ve downloaded it and will be updating the main post shortly with the new info
Thanks for putting this page up! I recently came across a pre-bricked MN-700 and hopefully I will be able to get dd-wrt running on it now. BTW, I just finished creating the CFE.BIN in Linux, and a couple problems I ran into as a Linux newb (in case anyone else is new to Linux)
#1. the linux command to use with nvserial is actually ./nvserial -i mn700.bin -o cfe.bin mn700.txt … remember the “./”
#2. for a while I was getting “permission denied” errors when running nvserial. Go into the properties of the file and make sure the permissions to execute the file are checked.
for DD-WRT, go to this wiki page: http://dd-wrt.com/wiki/index.php/MN-700
I am trying this mod now, cleaned the solder holes on PCB board, mounted a 12pin header, solder it back in, poorly(i cant tell?). I still don’t fully understand the relation between jtag 12-pin header and the wires i’m supposed to solder to the DB25. I cut a floppy drive cable and sawed off the extra slack of the plastic plug, after this I count wire 1, far left, is this the top pin 1? wire 2 to the right, is it pin 2 (bottom row first pin?) wire 3 is top row pin 2?
Am I making this counting too complicated for myself?
Could you update the pictures? I’m trying to figure out where to connect the JTAG on my MN-700.
Thanks
@ag903 Sorry. I didn’t notice Mod_rewrite had stopped working on my gallery. All images should be back up and working now.
Trying to open the case. Do not want to break it, so I will ask: Where did you guys (or gals) start? I have successfully removed the clear plastic over the lights, but no amount of squeezing/prying has yielded any result.
thanks for your help!
Ben
Nevermind my last post. I looked at the pictures more closely…lightbulb went off…saw the screw “towers” on the inside of the case…
Hey, this tutorial was really helpful to me in flashing my own MN-700. I am planning on writing my own tutorial and I was wondering if I could mirror some of the images and files from your tutorial (with credit, of course). My tutorial will cover the process of hacking and flashing the MN-700 to DD-WRT a bit more step by step for beginners who may have a bit of trouble with more technical tutorials like this one.
I did this to my MN-700 and its now running perfectly with DD-WRT as a Wireless Bridge.
Thanks so much for the documentation. It took 9 tries to flash but it eventually worked!