Jozerworx

Installing DD-WRT on the Microsoft MN-700 Router

Introduction

The Microsoft MN-700 was a great router, but crippled by the buggy firmware that Microsoft abandoned support for relatively quickly.  With the stock firmware, the router crashes frequently and has issues with features like port forwarding.  Microsoft was too lazy to design their own circuit board for the MN-700, and so they designed a new case for the Asus WL500G router, and put their own Windows CE operating system on it. One update was released, fixing the port forwarding issue, but the router still frequently crashed, and its feature set was definitely lacking.  

Fortunately for those with lots of time, but little money, it is possible to replace the firmware on these routers with a different one.  Many of these alternative firmwares are not only more stable, but enable more advanced features like QoS and VPN support.  These firmware updates can bring these routers back from the dead: my router crashed every few hours before the firmware update, making it useless.

My personal favorite firmware is DD-WRT.  However, many other alternative firmwares exist, including Open-WRT, tomato, and even the stock Asus firmware, which is superior to the Microsoft one, yet still simple and easy to use.  Any firmware that supports the WL500G router should work with the MN-700, however, DD-WRT offers a special version especially for the MN-700 that fixes a few minor annoyances (like the switching of the status and power lights) that plague some firmwares intended only for the Asus WL500G. 

This project is not for the complete hacking newbie.  It involves some soldering on the router’s circuit board.  This is not surface mount soldering, but it does require a bit of experience with a soldering iron.  Potential hackers should also be familiar enough with Windows that they can navigate the control panel and command prompt (DOS box) with some confidence.  Linux will be used very briefly, but I am mostly a Linux newb, and I survived. 

Note: Tutorial follower ED tells me that he could not get the tutorial to work using a Windows 7 PC. Please use a Windows XP PC for the flashing step of this tutorial.

I did not pioneer any of these techniques, nor did I write any of this software. I simply collected everything together into one easy to use tutorial (something that many hacking geniuses are not so good at). The following people deserve the credit for most of the information here:

  • Liam M – Liam M wrote a comprehensive tutorial on flashing, which has great pictures, but leaves out some steps which might not be obvious to a computer newb. Many of the software links are dead.
  • DD-WRT Wiki – This wiki contains a lot of good general information on the MN-700, and how to use alternative firmware.
  • Will iam – Provided invaluable feedback, and several of the photos in the tutorial.

This tutorial is broken into six parts, for the sake of clarity. The parts are as follows:

  • Part 1 – Disassembling the router
  • Part 2 – The JTAG Cable
  • Part 3 – Create a new CFE
  • Part 4 – Flashing the CFE onto your router
  • Part 5 – Writing a new operating system to your router
  • Part 6 – Reassemble the router

Part 1: Disassembling the Router

What you will Need

  1. MN-700 Router
  2. Small phillips head screwdriver
  3. Small, thin, flat head screwdriver
  4. Flat and moderately sharp object for prying (I used a dull pocket knife)
  5. Pencil and paper

Step by Step Instructions

  1. Remove the power cable and all ethernet cables from the back of the router.
  2. On one side of the router, there is a sticker with the model number and MAC address.  Write down the MAC address; you will need it later.
  3. On the bottom of the router, there are four rubber feet.  Pry these off with your pointy object.  Save them to put back on when you are done.

[Image: Prying off the rubber feet]

  4. Under the rubber feet, there are four screws. Remove them.

[Image: Removing the screws]

  5. Place the router so that the “front” is facing towards you (the side with the lights). The clear plastic cover for the lights needs to come off so that the case can open. There are two latches that hold the clear plastic part on, at the top and bottom. With a small flat-head screwdriver and some gentle prying and pulling, you should be able to get the plastic bit off without breaking anything. Pull outwards on the top latch until it pops out. Then pry at the bottom latch until the plastic detaches completely.

[Images: First the top latch; Then the bottom]

  6. The router can now be opened. The internal antenna is mounted to one side of the case, and the “motherboard” to the other side, connected to the antenna by a thin wire, so be careful not to snap it when you open the case.

[Image: Fold open the case]

Part 2: The JTAG Cable

What you will Need

  • 4x 100 Ohm resistors
  • Ribbon cable (like an old floppy drive or IDE cable)
  • DB25 Male connector
  • Solid Core wire
  • Solder
  • Soldering Iron

[Images: Male DB25 Connector; Ribbon cable]

Step by Step Instructions

The diagram below shows the proper wiring of the new cable (credit liamm.com)

https://i2.wp.com/web.archive.org/web/20130423061752if_/http://jozerworx.com/tutorials/mn700/images/MN700_JTAG_Cable_Diagram.gif?w=600&ssl=1

You will be soldering resistors to the JTAG port on your router’s circuit board. The JTAG port is located directly below the wireless card on the circuit board, and I have highlighted it on the image below with a red square.

The JTAG port is composed of solder pads where you can attach your wires. Pin 1 is highlighted by the square drawn around the solder pad. On the DB25 connector, Pin 1 is also marked with a square, or by some sort of colored marking.

  1. Solder one end of the resistors to each of the pads indicated.  For the ground pad, solder a piece of wire of the same length as a resistor.
  2. Solder the ribbon cable to the resistors.
  3. Solder the other end of the ribbon cable to the DB25 port as shown in the diagram. 
  4. Double and triple check your wiring to make sure everything is right.

Some Tips for Soldering

Try to solder the wires closest to the capacitor first, this way, you get the hard to reach stuff done first. If you do it last, then you will have to solder in a very tight spot. Using a multimeter to test the connection is always a good idea as well. Test your whole cable for continuity (make sure you test before the resistors, because they will count as enough resistance to not be an open circuit for some multimeters). If you don’t have a multimeter, just verify by eye that the connections look firm and that there is a layer of solder connecting every join.

Most people have found that soldering to one of the pins on the circuit board of the router, Pin 12 (see diagram), is very difficult. Keep trying, and you will eventually succeed, it just takes a lot more heat than the other pins. Some report more success by heating that solder pad from the back of the motherboard, not the top.

Note that the wire attached to pin 12 on the motherboard attaches to two pins on the parallel port connector, pin 20 and 25. You can solder this up any way you like, with a Y connection, or with a wire between pins 25 and 20, and one of those pins also connected to pin 12 on the motherboard. Some other tutorials mention that they used cables with every pin between 20 and 25 connected to pin 12. This probably also works, but is not necessary.

When you are done, you should have a cable connected to the router that looks like this:

[Images: Finished cable, DB25 end; Finished cable, router end]

Part 3: Create a New CFE

What you will Need

  1. A PC with a CD-ROM drive.  If the PC runs Windows, use a bootable Linux distro like Knoppix.  If you already run Linux, you are all set.  Knoppix will allow you to run Linux, without erasing your hard drive.  When you are done with Linux, simply take the CD out and reboot, and you are back in Windows.
  2. A bootable Linux CD like Knoppix (link). I had some trouble with Ubuntu, but I have heard Knoppix works. Bootable CD is not necessary if you already have a PC running Linux or some other *nix.
  3. The nvserial linux/unix program. It is easy to find with a google search, or possibly here [DD-WRT Forum].
  4. mn700.zip (download here or a mirror here)
  5. Your MN-700 router with attached JTAG cable.

Step by Step Instructions

  1. Boot into Linux. 
  2. Unzip the mn700.zip file.  There should be two files, one labeled mn700.bin, the other labeled mn700.txt.  Place these files in the same directory as the nvserial program.
  3. Open mn700.txt with a text editor (double clicking it should do this automatically). 
  4. In the text file, there are two lines that have “@@[email protected]@” written on them.  Replace the “@@[email protected]@” with your actual MAC address, in the following format: “AA:BB:CC:DD:EE:FF:GG…”. Make sure you have the colons every two characters.  You can find your MAC address by looking on the bottom of the router, there should be a sticker.  The sticker may not have the colons every two characters, but make sure you use the colons in the text file.  Make sure you write the MAC address in the file at both locations, and that you use exactly the same MAC address both times.  Save the file when you are done.
  5. Open a terminal window (usually located in the program menu somewhere).  Navigate to the same directory as you unzipped your files in.  (Basic linux commands are not covered here, but “ls” lists the contents of the current directory you are in, and “cd dir_name” opens a new directory, where dir_name is replaced by the name of the directory you want). 
  6. Once you are at the correct directory, run the following command in the terminal:
nvserial -i mn700.bin -o cfe.bin mn700.txt 

Note: You may need to add a “./” before this command to make it run. If you try this, and still get an error, try running:

chmod +x nvserial

Then run the command again. This should work. If not, you may need to try another Linux computer, or another Linux distribution. I have heard nvserial works fine on Knoppix. I ended up running the program on a Solaris box that I have telnet access to, after Ubuntu didn’t work, and it worked fine.

This command tells the nvserial program to make a new CFE file for your router, and call it cfe.bin. In the folder with the nvserial program, there should be a new file called cfe.bin. Copy this file to a flash drive; you will need it when you boot into Windows XP.

7. Shut down the computer and boot Windows

Part 4: Flashing the New CFE Onto Your Router

What you will Need

  1. JTAG cable we made in Part 2.
  2. MN-700 router
  3. PC running Windows XP with a parallel port (the port must be built into the motherboard, USB to Parallel adapters, or Parallel port PCI cards probably won’t work).
  4. The cfe.bin file you created in Part 3.
  5. Wrtjtag-modified.zip available here or mirrored here.

Step by Step Instructions

Note: Helpful user ED reports that he was unable to get this part of the tutorial to work on Windows 7. Please use Windows XP to ensure that everything works.

  1. Boot your computer into Windows XP. 
  2. Unzip the wrtjtag-modified.zip file to the C:\ directory.  Also place the cfe.bin file there.
  3. Connect the JTAG cable to your PC’s parallel port.  Connect the other end to your router.  If you made a header and connector, make sure you have it on the right way. 
  4. Open a command window (Start->Run->”cmd”, and press OK)
  5. Navigate the command window to C:\, by typing “cd ..” until the prompt reads “C:\>”. 
  6. Plug in the router’s power supply, so that it turns on. 
  7. In the command window, type:
wrtjtag-modified.exe -flash:cfe /noreset

This command tells the program to put your new CFE file onto the router. This process will take a long time (30 min to 2 hours). You will know it is working correctly if you see lots of numbers scrolling down the command window. If no numbers scroll down after 10 minutes, you may have a problem (see the troubleshooting section). Here is what it should look like if it is working correctly:

8. After 2 hours or so, your new CFE should be on the router.  JTAG communications are very unreliable, so sometimes your CFE can get corrupted as it is transferred to your router.  You can check this easily as follows:

8a. Unplug the router, wait 10 seconds, and plug it back in.

8b. In the command window, type the following command:

wrtjtag-modified.exe -backup:cfe /noreset

Just like when you were writing the new CFE, lots of numbers should begin scrolling down the screen. This time, the process should be faster, only 15-30 minutes.

8c. After the backup has finished, you should have a new file in your C:\ directory, called something like CFE.BIN_SAVED_4389543598.  We can check and see if the CFE was corrupted by comparing your backup to the CFE file we made earlier.

8d. In the command line window, type:

comp cfe.bin CFE.BIN_SAVED_438954359.bin

Substitute in the name of your new backup file as the last argument, if different from mine.

8e. The compare program will run. At the end, it will either say it found no differences, or it will give you a list of differences it found. If it found no differences, that means your CFE is good. If it found one or more differences, you need to reflash the CFE. Go back to Step 7 (on this page), and flash the CFE again. It took me 4 tries before my CFE didn’t have any errors. If you keep getting errors, your JTAG cable may be too long. Cut a few inches off and re-solder it together, then try the tutorial again. Your room may also have too much electrical interference. Move any TVs, CRT monitors, or fluorescent lights as far away as possible, or try moving everything to a room with less electrical equipment in it. JTAG cables can be very sensitive to the leaked electricity put out by these sorts of devices.

9. Once the router has an error free CFE on it, we need to clear the nvram, or the part of the memory where the router stores information temporarily.  The new CFE will be confused by the information left there by the old CFE, and this may not allow it to work right. 

10. Unplug the router, wait 10 seconds, and plug it back in. 

11. In the command window, run

wrtjtag-modified.exe -erase:nvram /noreset

This should only take a minute or two to finish.

12. Unplug the router, wait 10 seconds, and plug it back in.  After a few seconds, the power light should start to slowly flash from green to orange, green to orange, etc…  This indicates that the router is in emergency firmware reflash mode, which in our case is a good thing.

13. If your router is not flashing green and orange, see the troubleshooting section below. 
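
The read-back check in steps 8a to 8e can also be scripted so that it reports where and how the two files differ, not only whether they do. The Python below is an added example, not part of the original tutorial or of the wrtjtag tool; the function names and sample bytes are constructed for illustration, and the "still 0xFF" count assumes that erased flash reads back as 0xFF.

```python
import hashlib
import sys


def compare_cfe(expected: bytes, readback: bytes, max_report: int = 16) -> dict:
    """Byte-compare the CFE built by nvserial with the copy read back over JTAG."""
    mismatches = []          # first few (offset, expected, readback) tuples
    total = bit_flips = unprogrammed = 0
    for offset, (want, got) in enumerate(zip(expected, readback)):
        if want == got:
            continue
        total += 1
        bit_flips += bin(want ^ got).count("1")   # how many bits are wrong
        if got == 0xFF:      # assumption: erased flash reads 0xFF, write was lost
            unprogrammed += 1
        if len(mismatches) < max_report:
            mismatches.append((offset, want, got))
    return {
        "length_delta": len(readback) - len(expected),
        "mismatch_count": total,
        "bit_flips": bit_flips,
        "unprogrammed": unprogrammed,
        "first_mismatches": mismatches,
        "expected_sha256": hashlib.sha256(expected).hexdigest(),
        "readback_sha256": hashlib.sha256(readback).hexdigest(),
    }


def is_good_flash(report: dict) -> bool:
    """Only an exact match counts; one wrong byte in a boot loader is too many."""
    return report["length_delta"] == 0 and report["mismatch_count"] == 0


def describe(report: dict) -> str:
    """Human-readable verdict, listing the first differing offsets."""
    if is_good_flash(report):
        return "OK: read-back matches cfe.bin (sha256 %s)" % report["expected_sha256"]
    lines = ["MISMATCH: %d byte(s) differ, %d bit(s) flipped, %d byte(s) still 0xFF"
             % (report["mismatch_count"], report["bit_flips"], report["unprogrammed"])]
    if report["length_delta"]:
        lines.append("length differs by %+d bytes" % report["length_delta"])
    for offset, want, got in report["first_mismatches"]:
        lines.append("  0x%06X: expected %02X, read %02X" % (offset, want, got))
    return "\n".join(lines)


# Constructed sample data (not a real CFE): a 1 KiB image and a read-back copy
# with one single-bit error and one byte that was never programmed.
SAMPLE_IMAGE = bytes((i * 7 + 3) % 251 for i in range(1024))
_bad = bytearray(SAMPLE_IMAGE)
_bad[0x010] ^= 0x04
_bad[0x200] = 0xFF
SAMPLE_READBACK = bytes(_bad)

if __name__ == "__main__":
    if len(sys.argv) == 3:   # arguments: cfe.bin, then the backup file
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            report = compare_cfe(f1.read(), f2.read())
    else:                    # no arguments: run on the constructed sample
        report = compare_cfe(SAMPLE_IMAGE, SAMPLE_READBACK)
    print(describe(report))
    sys.exit(0 if is_good_flash(report) else 1)
```

A few scattered single-bit errors point at cable length or interference, while bytes that are still 0xFF suggest writes that never reached the flash; either way the CFE has to be flashed again.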

Part 5: Writing a new operating system to your router

Introduction

Now your router has a new, error free CFE on it, and it is ready to accept a new operating system.  The MN-700 router is very similar to the Asus WL500G router, so most firmware for the Asus will run on the MN-700.  My personal favorite is DD-WRT, but other choices include OpenWRT, tomato, and the original Asus firmware.  In order to put a new operating system on the router, we have to put the router into “Emergency Firmware Restore Mode”, and flash the firmware with a program from Asus.

What you will Need

  1. PC running Windows XP, with an Ethernet port. 
  2. MN-700 router
  3. JTAG cable
  4. Ethernet cable
  5. Asus WL-500g router utilities (download here, search for WL-500g, download the “Wireless Router Utility Program”, or mirror here)
  6. Your preferred firmware (a file with a .trx or .bin extension, and a few megabytes in size; I used DD-WRT v24sp1 Broadcom VINT standard build, available here, although this link is not updated, so newer versions are probably available at the DD-WRT website).

Step by Step Instructions

  1. This part of the tutorial involves disconnecting your computer from the internet.  Make sure you either have another computer to view the web page on, or you have a saved copy that is viewable when you are not connected to the internet. 
  2. Install the Asus router utilities. One of the utilities should be called “Firmware Restoration”. Start this program.
  3. In the firmware restore window, it should have a button to browse for your firmware file. Click this, and locate your firmware file. Leave the firmware restore utility running, but do not tell it to start flashing your firmware.

[Image: Asus Firmware Utility]

4. Connect one end of the Ethernet cable to one of the ports on the MN-700. Make sure it is connected to one of the LAN ports, not the WAN port.

5. Connect the other end of the cable to your PC’s Ethernet jack. 

6. Go to “Start->Control Panel->Network Connections” You should see a list of all of your network adapters.  Disable all of the adapters except for the Ethernet card your MN-700 is attached to.  You can disable network connections by right clicking on the icon, and clicking the “disable” item in the menu.  If you see only one network connection, do not disable it. 

7. Double click on the icon for your one remaining network connection.  You should get a properties window.  In the list of protocols in this window, click “TCP/IP”.  Click the properties button right below it.

8. In this new dialog box, you should be able to choose between “Obtain IP address automatically by DHCP” or “Enter IP address manually”.  Choose “manually”.  In the new text fields, enter the following information:

IP Address:  192.168.1.2
Mask: 255.255.255.0
Default Gateway: 192.168.1.1
Click “OK”.

[Image: Network Properties Dialog]

9. Go back to the Asus Firmware Restore Window. 

10. Unplug your MN-700, wait 10 seconds, and plug it back in.  When it is plugged in, the power light should start flashing green, orange, green, orange, etc…  This lets you know that it is in emergency firmware restore mode.  If it does not flash this way, something is wrong, and you need to reflash the CFE.  Go back to Part 3. 

11. With the router plugged in to your PC, and the power light flashing green and orange, press the “Upload” button in the Asus Firmware Restore application.  The firmware restore app should take about 2 minutes to flash your router with your new firmware.  It should show a progress bar.  If it is not able to find your router, try unplugging your router, and trying again.  If this fails after several attempts, your CFE may be corrupted. Go back to Part 3. 

12. If the Firmware Restore application successfully flashes your firmware, let the router sit for a few minutes, then unplug it, wait 10 seconds, and plug it back in. 

13. Go back to the (or open a new) command window, and run the command

wrtjtag-modified.exe -erase:nvram /noreset

14. Wait until this command completes (1-2 minutes), then unplug your router, wait 10 seconds, and plug it back in. 

15. Your router is now flashed with your favorite firmware, congratulations! 

Part 6: Reassemble the router

Step by Step Instructions

  1. Power off the router and remove any Ethernet cables. 
  2. Remove the JTAG cable from your PC’s parallel port. 
  3. Cut the resistor leads as close to the motherboard as possible. Make sure none of the stubby wires that are left are touching anything.
  4. Make sure the motherboard is seated properly in the case, and that the ports line up with their holes. 
  5. Fold the top half of the case back onto the bottom half. 
  6. Screw in the case screws, and replace the rubber feet. 
  7. Snap in the clear plastic plate over the LEDs. 
  8. Your router is now finished! 
  9. You can delete all the files you used for this modification, and uninstall the Asus router utilities (unless you want to use them for some other purpose). 

Part 7: Troubleshooting

Introduction

Unless something went wrong, you shouldn’t have to read this section. If your router is working, then close the window now.

Completing this tutorial is pretty difficult, and quite often your CFE will get corrupted either by human error, or in the process of being flashed to the router. Luckily, having a JTAG port is the best possible option for fixing problems like this. Most problems can be fixed simply by repeating the tutorial over and over until it works right. If this doesn’t work, check out these common issues below.

Frequently Asked Questions

Problem: Linux gives me an “unknown command” error (or something like that) when I try to run nvserial.

Solution: First, try running the program with a dot slash (“./”) in front of it. If that doesn’t work, try running the command “chmod +x nvserial”.

Problem: Linux gives me an error saying something like “do not have access to nvserial”.

Solution: Type chmod +x nvserial into the terminal window and press enter. This will allow you to run the program.

Problem: I tried both of the above, and nvserial still gives me an error!

Solution: Try using a different distribution of Linux. I had trouble with Ubuntu, but Knoppix worked for me. I ran the program on an ancient Solaris machine without any problems, so other *nixes are supported.

Problem: wrtjtag-modified.exe shows my processor ID as CHIP ID: FFFFFFFF or CHIP ID: 00000000 and then freezes.

Solution: This indicates that your JTAG cable is bad. Recheck your cable; you might have a loose connection, a wire in the wrong spot, or it could be too long.

Problem: wrtjtag-modified.exe starts, and then freezes while saying “unlocking memory for writing” or “resetting processor”.

Solution: You forgot the /noreset flag when running the utility. Unplug and reboot the router, then try again with the /noreset flag.

Problem: I flashed the CFE, but the router’s power light isn’t blinking orange and green.

Solution: There are two possible problems. One possibility is that you forgot to clear your NVRAM. To do this, connect the router to the JTAG cable, and run wrtjtag-modified.exe -erase:nvram /noreset. This should take only a minute or two. Run it several times to be safe. Then power off the router and retry the firmware flash. The other possibility is that your CFE is corrupt. Try reflashing the CFE and then resetting the NVRAM again.

Problem: I flashed the CFE, and now I am trying to use the Asus Firmware Restore tool to reflash the router. The restore tool says it is searching for Wireless devices, then times out.

Solution: If everything is set up correctly, the firmware tool should find your router almost instantly. The problem could be one of the following:

  1. You need to erase the NVRAM. See the FAQ above for instructions.
  2. Your CFE is corrupt. Go back to Part 4 and follow the instructions to re-flash the CFE. It took me four tries before I got a good CFE flash.
  3. You forgot to plug in an Ethernet cable between the PC and the router. You cannot restore the firmware over a wireless network. Go back to Part 5 and follow each step carefully.

Problem: I have flashed my CFE many times, and I always get a corrupt CFE.

Solution: There are three possible issues. One or more of these may be causing your difficulties:

  1. Your cable is too long. Six inches is the maximum cable length, and the shorter the better. The cable length is measured from the DB25 connector to the router motherboard. Try shortening and re-soldering the cable.
  2. There is too much electrical interference. Running your JTAG setup near other electrical equipment (lamps, computers, TV’s, etc) can cause electrical interference which can mess up your flash. Move your setup as far from other operating electrical devices as possible. Turn off any nearby electrical equipment.
  3. The CFE you create is bad. Check to make sure that the two MAC addresses in your mn700.txt file are identical. If they are different, the router may not work. Make sure that the MAC addresses have a colon between each set of two characters.
Right: AA:BB:CC:DD:EE...
Wrong: AABBCCDDEE…

If your mn700.txt file was wrong, you will need to start over from the beginning of Part 3.
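
Both the MAC address rules in Part 3, step 4 and the check in item 3 above can be run against mn700.txt before nvserial is invoked, which is cheaper than finding the mistake after a two-hour flash. The Python below is an added example, not part of the original tutorial or of nvserial; it assumes a standard six-octet MAC address and that any leftover placeholder still contains "@@", and the key names and addresses in the sample text are constructed, not the real contents of mn700.txt.

```python
import re
import sys

# Six colon-separated octets (a standard 48-bit Ethernet MAC address).
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f:])(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f:])")
# Twelve hex digits in a row: a MAC copied from the sticker without colons.
BARE_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{12}(?![0-9A-Fa-f])")


def sticker_to_colon(label):
    """Convert a sticker MAC (0011223344AA, 0011-2233-44aa, ...) to AA:BB:... form."""
    digits = re.sub(r"[\s:.\-]", "", label)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a 12-hex-digit MAC address: %r" % label)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def check_mac_placements(text, sticker=None):
    """Return a list of problems found in the edited text; empty means it passes."""
    problems = []
    if "@@" in text:  # assumption: the placeholder contains "@@"
        problems.append("an unreplaced @@ placeholder is still in the file")
    if BARE_RE.search(text):
        problems.append("a MAC address is written without colons")
    macs = MAC_RE.findall(text)
    if len(macs) != 2:
        problems.append("expected 2 colon-separated MAC addresses, found %d" % len(macs))
    elif macs[0] != macs[1]:
        problems.append("the two MAC addresses differ: %s vs %s" % tuple(macs))
    if sticker is not None:
        want = sticker_to_colon(sticker)
        if any(m.upper() != want for m in macs):
            problems.append("a MAC address does not match the sticker (%s)" % want)
    return problems


# Constructed samples; the key names are hypothetical stand-ins.
SAMPLE_TEMPLATE = "first_mac_key=@@PLACEHOLDER@@\nother_key=1\nsecond_mac_key=@@PLACEHOLDER@@\n"
SAMPLE_GOOD = "first_mac_key=00:11:22:33:44:AA\nother_key=1\nsecond_mac_key=00:11:22:33:44:AA\n"
SAMPLE_BAD = "first_mac_key=00:11:22:33:44:AA\nother_key=1\nsecond_mac_key=0011223344AB\n"

if __name__ == "__main__":
    # arguments: path to mn700.txt, optionally the MAC as printed on the sticker
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_BAD
    found = check_mac_placements(text, sys.argv[2] if len(sys.argv) > 2 else None)
    print("\n".join(found) if found else "mn700.txt MAC entries look consistent")
    sys.exit(1 if found else 0)
```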


© 2020 Jozerworx