Unbricking Linksys WRE54G and WAP54G - When you think you can start digging their graves...

This entry follows an older one I posted almost eight years ago here (link). Although I tried to make it really clear, I realize that it is not the case, even to me.

tempReprogWAP54G_1.png tempReprogWAP54G_2.png tempReprogWAP54G_3.png tempReprogWAP54G_4.png

I've been contacted recently by someone who visited that other website and who was facing the same frustrating issue with his WAP54G. The device was totally bricked, as well as his two WARE54G.
Sometimes you can strap pins, sometimes you can access the shell and enter the magic commands, and sometimes (should I say most of the time) you can just hate yourself for having done something wrong. Hopefully, such mistakes can be easily fixed as long as you have the appropriate tools.

To do so, you'll need:

  • a soldering iron, preferably a good one like a Weller WSD50 & TCP-S (a smaller one for SMDs would even be better) with a reasonably thin conical tip. I wouldn't recommend using a plumber soldering iron, or anything approaching;
  • tin, lead-free or not, that's up to you;
  • desoldering braid (or the shielding of a coaxial cable if you feel like MacGyver or Bear Grylls);
  • anti-flux or flux cleaner (or alcohol but not the one you drink unless you live in Macedonia), if you want to wow your family, friends, colleagues and neighbors with shiny solderings;
  • a cutter with a breakaway blade (it can be a dull one, we won't cut anything with it anyway);
  • an universal programmer with a TSOP48 adapter (you can find really cheap adapters on ebay or aliexpress).

The universal programmer is certainly the missing device on your workshop but you might have access to one at the university, at work or at your local electronics shop. You can e-mail me in last resort but you should check the shipping costs to/from France first because it might be more costly than a new device.

05/01/2015:

The whole detailed procedure for desoldering & soldering the chip is now available here.
The second procedure for building a working Flash image and programming it is available here.
Please note that the first release of each document (Rev. 05/01/15) shall be considered as a draft. As stated in these documents, any comment or remark is more than welcome.

Ouaps "Jojo" is not only a toy for your kid!

Jojo pot de colle

Christmas is not too far away from now and Santa Claus already brought me a gift: a nice faulty electronic toy :) When people usually take back the faulty device to the mall, I prefer to repair it myself as long as it's possible (and also because I bought it from Amazon and I didn't want to send it back since I could not find it elsewhere). This toy called "Jojo pot de colle" (I only know its French name) was supposed to follow the kid, guided by a carrot shaped infrared remote control that the kid attaches to his wrist. Actually, it wasn't able to do anything else than running round and round. So, my first guess was a battery issue: wrong! A motor issue: wrong too! So after opening it and re-soldering a broken wire with no luck, I've played with the oscilloscope around the IR receivers that the toy uses to move towards the kid. One of these receivers seemed to be faulty (no IR reception), but it was actually a PCB issue. These components pins are bent so much that one of them pushed the pad away from the single side PCB and broke the connection to the ground. One more soldering later, the toy was working like it should have since the beginning.

http://dl.shibby.fr/blog.shibby.fr/Toy_repair/JojoPotDeColleRemoteControlProtocol.pdf

IR receiver pinout IR receiver re soldered pin Bent IR receivers pins

The war is not over!

Kenwood RC-20 I just couldn't stay with so many questions and so few answers, so come check back the protocol descritpion in the next few weeks ;)
I've made a scan of the RC-20 Instruction manual, since it's not available anywhere else, maybe it will be useful to someone.

Trying to find RC-20 commands

RC-20 (picture shot by AD6MI) Well, I think the protocol description I've made is pretty much complete, now it's time to try every other command than the ones sent by the RC-10 and see what happens (by "see what happens" I mean "pray that the transceiver won't blow up"). I'll write a simple program on a Renesas microcontroller that will convert UART frames sent from my computer with Docklight into a synchronous "SPI like" data frame to the TM-241.
I'll try to update this entry ASAP with some test results.






10/07/2012: Well, after trying to use the R8C/25's integrated USART peripheral for days and a strong headache, I've finally capitulated and written a software protocol based on the Timer RA in "Pulse Width Measurement" mode. It uses the clock signal generated by the transceiver to send and receive data. That's the good news.
The bad news is that the transceiver doesn't seem to accept any command above 0x3F, so after all this hard work I still don't know how the RC-20 sends its commands, which is a little bit frustrating.
I did not waste my time anyway since I've found the purpose of some other bits from the LCD indicators bit field, but I would have liked to find more about the RC-20... I've updated the protocol specifications with my latest finds. I'm interested by any information about the operation of the RC-20 (yes, this is an SOS).

First steps...

TM-241E with RC-10 and LA1034 The LA1034 is now connected to the MIC plug. The communication protocol seems to be SPI, at least that how I'm decoding it with the "Synchronous Serial" interpreter.
The frequency can be easily identified but there are still lots of things to discover:
LA1034__F_freq_146.837.5_BUSY_LOW.png







09/19/2012: One more evening spent playing with the RC-10. I've found how to set the TM-241E to correctly send the frequency to the RC-10, but it disables all other informations in the data frame. At least I know my RC-10 is not faulty, the TM-241E seemed to use the RC-20 protocol to send the data out, which caused the erroneous frequency on the RC-10's LCD.
Now that I have almost all data frames I think I can start to write the protocol specifications. I've also found hidden functions on the RC-10. I'll post all that stuff in a PDF ASAP.

09/21/2012: I've finally had some time to write some description of the protocol. This is still a draft though. Protocol Specifications

Just received my RC-10!

RC-10 Well, I have nothing much to say, excepted that it seems to work, which is a pretty good thing for what I intend to do with it. However, its LCD displays disjointed stuff, like 40.00 all the time, or 40.40, or 40.80 ... don't know why. I can only see the frequencies stored in the transceiver's memories and call channel, but not the VFO. The VFO data sent by the transceiver seems to be followed by some other data that are mistakenly interpreted as the frequency, so every frequency I set is displayed on the RC-10 then automatically erased with the 40."something". This "something" seems to be a bit field that indicates the power level (LOW, MID & HIGH). Anyways, it shouldn't stop me from hacking it!
Now I have to open the MIC plug and connect the logic analyzer.
To be continued...

First entry....

TM-241E I've been looking for informations about Kenwood's RC-20 remote control for a long time and I've finally stumbled upon this blog recently: http://n9xlc.blogspot.fr/search/label/TM-241a
I've never been able to lay hands on one of these remote controls on eBay, mainly because they were too expensive or because the sellers didn't want to ship it to France. So thanks to this blog I've discovered that there was another device that could control my transceivers: the RC-10. I don't know if they both have the same functions, but I've found an RC-10 that I should receive next week and I'll torture it with my protocol analyzer to hack its protocol too, because I just can't wait for N9XLC to provide the whole commands list :) Besides the technical challenge, my goal is to be able to build a stand-alone board that would allow me to control my transceivers from anywhere, via an embedded web server for instance. This could lead me to build some kind of repeater controller board... who knows... what do you think about that?