SmallNetBuilder Forums

#1  01-13-2013, 08:06 PM  socal87
RT-N66U (Broadcom 4706) Jtag

Following ryzhov_al's thread on the 64K CFE mod, I went through the process and somehow wrote a corrupted CFE to my router. WAN, LAN1, and LAN2 would glow, while serial would show "Decompressing...error 01" on boot. So, I'm opening this thread for anyone who has experience with jtag software to offer their suggestions, and to share what has been discovered so far.

I am using a Tiao USB MultiProtocol Adapter with zJTAG and have soldered a pin header to J2 on the N66's board. Pinout is as follows:
Quote:
Note: Pin 1 has a white square on top of the board and a square solder pad
nTRST  1   2  GND
TDI    3   4  GND
TDO    5   6  GND
TMS    7   8  GND
TCK    9  10  GND

Connections between TUMPA and J2:
Quote:
RT-N66 J2 TUMPA JTAG
1-----------------3
3-----------------5
4-----------------4 (Ground, to prevent leak current)
5-----------------13
7-----------------7
9-----------------9

So far I have not been able to successfully erase CFE or NVRAM. zJTAG does not support the 4706 as of yet, but using /fc: and /instrlen: there have been some breakthroughs, although with no results. The router seems to like a 15MHz test clock best.

I was able to write CFE using
Quote:
zjtag -flash:cfe /l1:1 /noerase /fc:115

where /L1:1 tells the TUMPA to use 15MHz TCK, and /fc:115 assumes flash chip is a 16MB S29GL128N (I am aware the router has 32MB flash but zJTAG does not seem to have any working code for 32MB chips). Here's the output:
Quote:
==============================================
zJTAG EJTAG Debrick Utility V0.6
==============================================


Set I/O speed to 15000 KHz

USB TAP device has been initialized. Please confirm VREF signal connected!
Press any key to continue... ONCE target board is powered on!

Probing bus ... Done

Detected IR Length is 0

Warning: detected/set IR Length isn't same as knew!
(Defined IR length: 5, detected/set: 0)

CPU assumed running under LITTLE endian

CPU Chip ID: 00000000000000000000000000000000 (00000000)
*** Found a AMD manufactured Atheros AR531X/231X REV 01 CPU ***

- EJTAG IMPCODE ....... : 00000000000000000000000000000000 (00000000)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor did NOT enter Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
*** Manually Selected a S29GL128N/M29W128G Uni (16MB) from AMD/Spansion

- Flash Chip Window Start .... : 1C000000
- Flash Chip Window Length ... : 01000000
- Selected Area Start ........ : 1C000000
- Selected Area Length ....... : 00040000

*** You Selected to Flash the CFE.BIN ***

=========================
Flashing Routine Started
=========================

Loading CFE.BIN to Flash Memory...
Done (CFE.BIN loaded into Flash Memory OK)

=========================
Flashing Routine Complete
=========================
elapsed time: 83 seconds


*** REQUESTED OPERATION IS COMPLETE ***

Looks as though it worked, but still no response from the router. Serial doesn't get ANYTHING now.

Here is the thread at the Tiao forums requesting 4706 support in zJTAG:
http://www.tiaowiki.com/forums/index...ic,4102.0.html

#2  03-14-2013, 10:24 PM  socal87

I haven't updated this in a while, but there have definitely been some useful discoveries. zjtag v1.0 identifies the CPU as Broadcom when properly initialized; it seems using a divider of /L1:3 and instruction length of /instrlen:27 results in proper CPU identification. A good way to narrow it down is to pay attention to the Detected IR Chain Length - it should be 5.

There are some bugs in the zjtag software, and other jtag software that supports the TIAO USB Multi Protocol Adapter doesn't recognize the BCM4706 present in this router. We're still working on it, but there have been some successes in recovery.

Here are other threads with very useful information:
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=167147
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=164504

Also, the thread I linked in my previous post has reflected ongoing discoveries as well.

I would like to point out that the new Asus RT-AC66U uses the same Broadcom 4706 chipset, and its 2MB Macronix SPI flash chip should already be supported, so once we have JTAG software capable of properly handling the 4706, we'll have viable hardware level recovery for both the N66 and AC66.

If you've managed to brick your 4706 based router, don't give up on it yet...mine has all but stopped responding after several false flashes, but we still think we can get it back up and running. Read the threads...they're good info, especially if you're someone who tinkers with bootloaders a lot; understanding JTAG can help out with a wide range of embedded electronics.

#3  08-21-2013, 06:08 PM  mstombs

Small update on this. I have an RT-N66U with JTAG pins, and using a simple parallel port cable and UrJTAG on Ubuntu I get this:

Code:
UrJTAG is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
There is absolutely no warranty for UrJTAG.

warning: UrJTAG may damage your hardware!
Type "quit" to exit, "help" for help.

jtag> cable DLC5 ppdev /dev/parport0
Initializing ppdev port /dev/parport0
jtag> detect
IR length: 32
Chain length: 1
Device Id: 00000000000011000011000101111111 (0x000C317F)

Can also get the same ID from TJTAG3.01 or zjtag 1.8 (bleeding edge RC) by forcing an instructlen of 7 (not 27 as above with usb tool).

The problem seems to be that Broadcom have implemented multi TAPs (Test Access Port Controller) in their embedded CPU. There's an LV mode which uses an IR of 32, but we need to discover how to bypass that and get to the mips 74K core TAP which uses an IR of 5.

These modes (and another of 8 bit width) are defined in a commonly available header file hndjtagdefs.h, for example:-

https://github.com/RMerl/asuswrt-mer.../hndjtagdefs.h

But I haven't seen any GPL sourcecode file that uses this, nor do I understand how to use!

Tornado "GPL ignoring" version of OpenWRT wrt54g JTAG tool TJTAG 3.02 does know something about LV mode, so does commercial usbjtag usbbdm, but presumably anybody who has access to Broadcom material is under NDA - so can anybody guess what initialisation sequence is needed?
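The two device IDs reported in this thread can be checked against the standard IEEE 1149.1 IDCODE layout. The following is an added example, not part of any poster's message and not code from zJTAG, TJTAG or UrJTAG; the type and function names are made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>

enum id_status { ID_OK = 0, ID_STUCK_LOW, ID_STUCK_HIGH, ID_NOT_IDCODE };

struct jtag_idcode {
    unsigned version;    /* bits 31:28 */
    unsigned part;       /* bits 27:12 */
    unsigned mfr;        /* bits 11:1, 11-bit JEDEC manufacturer field */
    unsigned jedec_bank; /* continuation-code count (mfr bits 10:7) + 1 */
    unsigned jedec_id;   /* 7-bit JEDEC code without its parity bit */
};

/* Split a raw 32-bit IDCODE scan result into its IEEE 1149.1 fields. */
enum id_status decode_idcode(uint32_t raw, struct jtag_idcode *out)
{
    if (raw == 0x00000000u) return ID_STUCK_LOW;   /* TDO never toggled */
    if (raw == 0xFFFFFFFFu) return ID_STUCK_HIGH;  /* TDO floating or pulled up */
    if ((raw & 1u) == 0)    return ID_NOT_IDCODE;  /* bit 0 of an IDCODE is always 1 */

    out->version    = (raw >> 28) & 0xFu;
    out->part       = (raw >> 12) & 0xFFFFu;
    out->mfr        = (raw >> 1) & 0x7FFu;
    out->jedec_bank = ((out->mfr >> 7) & 0xFu) + 1;
    out->jedec_id   = out->mfr & 0x7Fu;
    return ID_OK;
}

static void report(const char *label, uint32_t raw)
{
    static const char *why[] = { "", "all zeros, TDO stuck low",
                                 "all ones, TDO stuck high or unconnected",
                                 "bit 0 is 0, BYPASS data rather than an IDCODE" };
    struct jtag_idcode id;
    enum id_status st = decode_idcode(raw, &id);
    if (st != ID_OK) {
        printf("%s 0x%08X invalid (%s)\n", label, (unsigned)raw, why[st]);
        return;
    }
    printf("%s 0x%08X version %u, part 0x%04X, mfr 0x%03X (JEDEC bank %u, id 0x%02X)\n",
           label, (unsigned)raw, id.version, id.part, id.mfr, id.jedec_bank, id.jedec_id);
}

int main(void)
{
    report("zJTAG 0.6 Chip ID (post #1):", 0x00000000u);
    report("UrJTAG Device Id (post #3):", 0x000C317Fu);
    return 0;
}
```

The UrJTAG value carries manufacturer field 0x0BF (JEDEC bank 2, code 0x3F), which is the JEP106 code registered to Broadcom, while an all-zero chip ID cannot come from a working IDCODE scan.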


All times are GMT -4.