I bought two of the D-Link DI-604 Ver.E3 REFURBISHED router about 5-6 years ago (for ~ $15USD each), 1 of which I'm still using, and the other kept as a spare (both still fully functional)

I noticed there's no mention at all of the DI-604 Rev. E* on http://wiki.openwrt.org/oldwiki/unsupported
and thought of doing a little research (and later opening its guts to see what was refurbished)

Closest and most helpful matches were:

1. in the "noMMU-based hardware" table, brief details on "DLINK DI-604 rev E" at:
http://hri.sourceforge.net/hw/index.html
Mentions:

(ThreadX-based firmware?)
and link to (#2) "Jerome's details"

2. Jerome's details, page titled "Dlink DI-604 rev E internals": http://www.ljmsite.com/tech/DLink_DI-604/
Same info as #1, except it adds a little more specific info, like the "Altera EPM3032A" PLD chip?
Jerome's page also contains a clear picture of the PCB: http://www.ljmsite.com/tech/DLink_DI-604/DI-604.jpg

3. DI-604 Rev E1, E3 (non-refurbished) comparison:
http://www.dslreports.com/forum/remark,15693750
Looks like main difference is 88E6208 is up to 133Mhz and 88E6218 is up to 150Mhz.

---

I opened my REFURBISHED DI-604 Ver.E3 to compare, and found almost same PCB layout, except for a few (notable) differences:

Board Version: WL WRT CG4 B10 - Ver:V1.0 - with "B11" hand-written over it with black marker, since it was "refurbished" (instead of GLWRT-CG0-B10)

Marvel 88E6218-LGO Chip (instead of the Marvell 88E6208)
http://www.datasheetarchive.com/pdf-dat … 328306.pdf
Brief description from the datasheet:
ARM9E CPU at up to 150 MHz (ARM9E CPU with DSP processor instruction extensions)

RAM: ISSI IS42S32200B-6T
http://pdf1.alldatasheet.com/datasheet- … 0B-6T.html
Brief description from the datasheet:
512K Bits x 32 Bits x 4 Banks (64MB)
Clock frequency: 166, 143 MHz

Unfortunately, however, same "MX 29LV800BTC-90" 1MB Flash (AMD/Macronix?)
http://www.macronix.com/web/P_flash.nsf … AB-2.2.pdf
http://www.amd.com/us-en/assets/content … /21490.pdf

Original Router firmware version: 3.38
Latest Router firmware version: 3.53
Size: 917,504 bytes

----

Found what looks like a replica of this board/router in in page 17 of the following pdf:

(Exploiting embedded systems)
http://www.blackhat.com/presentations/b … 6-Jack.pdf

Only differences I think is the RAM chip (the one pictured has the original IC-Mart 8MB SDRAM) and the soldered JTAG interface/connector - connected to an ARM Multi-ICE / In-Circuit emulator (of course I don't own one myself).

Page 5 shows the older version of this board (GLWRT-CG0-B10, w/ Marvell 88E6208), but very similar to the one I have - which is on page 17 - and pinpoints the Serial/UART port location

Page 10 - The Marvell 88E6218:

Page 22 - Firmware Reversing:

Personal Note: I believe the UPnP stack overflow vulnerability (mentioned on page 26) was fixed in latest firmware (3.53) from D-Link, I always have UPnP disabled anyway since reading a few years back about the widespread flaws in its implementations which could allow it to be used as a step-stone to bypass firewall filters

----

A somewhat related article on "DLINK DI-604 rev A", though DIFFERENT rev/ver & HW (ARM7TDMI based ADM5106 SoC):
http://hri.sourceforge.net/di_604/
Has a small section at the bottom about reverse engineering the firmware:

Flash details (bootloader, initialisation and so on)
http://hri.sourceforge.net/di_604/flash_mem.html
A bit old (Mar 2004), Flash image with firmaware version 2.10 flash.bin , but gives a general idea

from "Procedure to restore original firmware" page: http://hri.sourceforge.net/di_604/reflash.html

This is the same behavior as my DI-604 Rev.E3, as I've done this before a few times (D-Link calls it "Crashing Router" for de-bricking it), and quite comforting to know I could always fall back to that. TFTP is also possible and I've done before (after "crashing" the router) iirc..

----

Conclusion:

1. Even with 64MB SDRAM , the 1MB Flash makes it impossible to add (even minimal) support for this ARM9E based router? Do I get a cookie at least?

If not /impossible/ to build and load a "micro" or stripped-down openwrt for it:

2a. Would it be sensible?
2b. Can I tap into the UART port on this board with a "modified" mobile phone serial cable? or would I still need to built a MAX232 adapter?

----

N.B.:
Though by all means I'm no expert, I've worked a little bit with embedded systems before (and participated in development of what was previously known as LRP - Linux Router Project), have an intermediate background knowledge in linux kernel dev / programming, and fairly long experience in network arch & net administration.

I've been reading a lot about OpenWRT and some of the forum's dev threads (and played around with derivatives such as ddwrt few years back) and have been quite impressed by it, and so I thought maybe this would be a good start for me to experiment, at least until I get other hardware to play with..

After helpless retries to take a semi-decent picutre, I failed (crappy 3MP generic cam), so I just photoshop'ed it, just for reference

R U definitely sure this is a 64MB and not a 64Mb?

you're right, it is a 64Mbit... so, that makes is a 8MB chip (64Mbit / 8bits = 8MB) ?

Yes, 64Mb = 8MB.

Bad news..

I was reading up unicorn's instructions about disassembling and reassembling the DI-624 firmware (which is very similar to the DI-604, from my observations) https://forum.openwrt.org/viewtopic.php … 218#p60218

And while doing a little search , I found some info that stated that VDI-604 (Verizon's firmware for the DI-604 + QoS support) could be cross-flashed on the DI-604... here:
http://www.antifart.com/2006/09/02/d-li … rev-e.html

I figured what the heck, its a old spare, if I could get some QoS control on the thing, I'd be more than happy..

I followed the link on the said page to verizon's VDI-604 firmware download page, did a little snooping around inside the ARJ-packed NML.MEM , and in fact, found a few static pages with many references to QoS options etc. and so I was thrilled to try it. Checksum seemed very similar to the D-Link's original firmware, and since many have cross-flashed the VDI-604-loaded versions with D-Link's, I figured it is A-OK ..

Verizon's supplied "VDI-604_110ddm_Tue_2_Aug_2005.bin", however, would not be accepted through D-Link's firmware upgrade screen, resulting with a clueless error like "the setting file is not compatible" 8) Crash recovery firmware upgrade & TFTP in crash recovery mode didn't seem to flash the firmware either.

So I downgraded from D-Link's official latest "3.53" version to 3.52, then 3.51, then 3.39, followed by retries to flash the VDI firmware, both in the normal admin interface, in crash recovery mode's firmware upgrade http page and via ftp, no luck..

eventually found this page: http://fioswatch.com/downloads/dlink-VDI-604/ with a few older VDI firmware images, and 1 slightly newer (110ddm sept 2005). The newer one didn't work, nor the 107, nor the 105 (which doesn't follow the checksum as all the others)..

I eventually gave up, and thought well, just put back original firmware to get out of crash recovery mode. But... I can no longer do that

Normally, in crash recovery mode, once I upload /correct/ firmware, the upload (either via the http server or tftp) would take 2-3 seconds, the routers lights all flash once, then router reboots and comes back up in normal mode.
However, now upload stops soon as it begins - does not complete, web page times out, or if done via tftp, tftp times out soon after the put request, evident from a bit of wireshark analysis, client gets RST packet soon after a few packets are sent to upload firmware, and I can no longer ping the router, then I have to manually unplug power to restart the router, gets me back in recovery mode (HTTP and tftp open and accessible), but same issue persists.

I tried numerous times with different "original" firmware versions, various resetting cycles, but router connectivity dies at the moment I try to upload /ANY/ firmware (original or VDI one)..

Its a bit frustrating due to not having UART or JTAG connectivity. I sort of gave up for now. JTAG seems a bit too expensive of an investments for such a piece of junk, but serial is doable, if I can figure out the pinout of the serial port on the board, without having to buy an oscilloscope..

any ideas? perhaps a faulty flash chip or "stuck bits"?

thx

After closer inspection, I don't think there's a UART port on this board as some sources said..

JP1 (8pin) matches the pinout schematic for PLD-JTAG header here:
http://www.jtagtest.com/pinouts/pld-jtag

and the JP4 (2x5) right beneath JP1 matches the pinout schematic for AVR JTAG header here:
http://www.jtagtest.com/pinouts/altera_byteblaster

and both of the above make sense due to mention of "Altera" and the presence of the Altera PLD Chip..

And JP2 (2x10) indeed looks like a standard ARM-20 JTAG Header:
http://www.jtagtest.com/pinouts/arm20

Another schematic of the ARM-20 here:
http://www.olimex.com/dev/images/arm-jtag-layout.gif

Datasheet on ARM-JTAG:
http://www.olimex.com/dev/pdf/arm-jtag.pdf

Unfortunately, there's no mention of the ARM-20 "poor-man's" parallel cable (or schematic for it) on openwrt's wiki, neither the jtag page nor the AR7 page
http://nuwiki.openwrt.org/oldwiki/openw … jtag_cable
http://nuwiki.openwrt.org/oldwiki/AR7Port

Though seems readily available and cheap (I'm not in the US, far from it):
http://www.sparkfun.com/commerce/produc … cts_id=275
http://microcontrollershop.com/product_ … cts_id=589

Would love to see a schematic of that (ARM-20) cable, similar to the one from jtag_cable openwrt wiki page (which seems to be originally from http://ar7.wikispaces.com/JTAG )

Any clues / pointers  on that would be very much appreciated..

From one of the previously referenced threads, particularly one of unicorn's posts, this seems quite interesting to try:

Of course, the case here is different. I'm not sure what a "ThreadX" based router like this one would use for a boot loader.. custom one? Also, without a Serial console it would be quite difficult to try to implement I think.. Too bad, ugh.. This is probably the end of this endeavor