[SOLVED] Need help debricking my RT-N66U

W1SS
DD-WRT Novice


Joined: 11 Nov 2012
Posts: 13

PostPosted: Sun Nov 11, 2012 21:14    Post subject: [SOLVED] Need help debricking my RT-N66U
Hi

So it seems my N66 has been bricked after a CFE flash! At first I was v. pissed, then I remembered that I had bought a parallel kit (Tornado's) a couple of years back as a backup but had actually never utilized it.

After a couple of hours of going through old computer hardware boxes in the garage, I finally found my N66's savior - pic attached. However, there was one problem: I had no parallel interface available to use, and so after several more hours of dirt, grime, dust and a couple of Red Bulls I managed to put together a working PC with a parallel interface and with Debian 6.0.6 running on it... Oh, the old ways and days :)

Anyway, so now that I am ready to begin the surgical (technical) procedure of debricking my N66, I was wondering if a good samaritan can point me in the right direction of what I need to know/use in terms of:

1. Software
2. Diagrams / Pin Layout
3. Procedure / Recovery
4. Dos / Donts

Thanks
Wiss



Attachment: IMG_20121112_004942.jpg



Last edited by W1SS on Sat Mar 09, 2013 5:29; edited 2 times in total
Murrkf
DD-WRT Guru


Joined: 22 Sep 2008
Posts: 12675

PostPosted: Sun Nov 11, 2012 22:40    Post subject:
Links are in peacock announcement, note 6. You might have to search for pinout for that router if it has a jtag port....
_________________
SIG:
I'm trying to teach you to fish, not give you a fish. If you just want a fish, wait for a fisherman who hands them out. I'm more of a fishing instructor.
LOM: "If you show that you have not bothered to read the forum announcements or to follow the advices in them then the level of help available for you will drop substantially, also known as Murrkf's law.."
W1SS
DD-WRT Novice


Joined: 11 Nov 2012
Posts: 13

PostPosted: Mon Nov 12, 2012 12:37    Post subject:
Murrkf wrote:
Links are in peacock announcement, note 6. You might have to search for pinout for that router if it has a jtag port....


Thanks Murrkf - I read the post, tried the recommendations (none of which resulted in anything positive), and soldered the pins to the board's JTAG (J2) with the following wiring layout:

Y2 (TMS) --> PIN 7 on N66U-J2
Y3 (TCK) --> PIN 9 on N66U-J2
Y4 (TDI) --> PIN 3 on N66U-J2
A8 (TDO) --> PIN 5 on N66U-J2
GND --> PIN 2 on N66U-J2


D2 --> A1
D3 --> A2
D4 --> A3
D5 --> A4
D6 --> A5
D7 --> A6
D11 --> Y8

Ran ./tjtag3 -probeonly with output:

Code:
Probing bus ... Done

Instruction Length set to 5

CPU Chip ID: 00000000000000000000000000000000 (00000000)
*** Unknown or NO CPU Chip ID Detected **

*** Possible Causes:
    1) Device is not Connected.
    2) Device is not Powered On.
    3) Improper JTAG Cable.
    4) Unrecognized CPU Chip ID.


Ran ./tjtag3 -probeonly /skipdetect with output:

Code:
Probing bus ... instruction_length 0
Done

Instruction Length set to 0

CPU Chip ID: 00000000000000000000000000000000 (00000000)
*** CHIP DETECTION OVERRIDDEN ***

    - EJTAG IMPCODE ....... : 00000000000000000000000000000000 (00000000)
    - EJTAG Version ....... : 1 or 2.0
    - EJTAG DMA Support ... : Yes
    - EJTAG Implementation flags: R4k MIPS32

Intial value of Control register is 0000000C
Intial value of status register is  000000FE
11111110 (000000FE)

Status bit 7 Busy Inverted pin 11 = 0
Status bit 6 *Ack          pin 10 = 1
Status bit 5 Paper-out     pin 12 = 1
Status bit 4 Select        pin 13 = 1
Status bit 3 *Error        pin 15 = 1
* means low = true, e.g., *Error

VCC connected
values of Control register after init 0x0000000C
value of status register after init   0x000000FE
system reset complete

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor did NOT enter Debug Mode!> ... Done
Init PrAcc ... Skipped
Clearing Watchdog ... Done
Enter Flash Probe

Probing Flash at (Flash Window: 0x1fc00000) ...
Enter SPI Flash Probe
Enter SPI Flash Probe
Enter SPI Flash Probe
Enter SPI Flash Probe
Done

*** Unknown or NO Flash Chip Detected ***

 *** REQUESTED OPERATION IS COMPLETE ***


I was able to back up the kernel, CFE and NVRAM, but was unable to erase or flash the original CFE, NVRAM or kernel:

Code:
Probing bus ... instruction_length 0
Done

Instruction Length set to 0

CPU Chip ID: 00000000000000000000000000000000 (00000000)
*** CHIP DETECTION OVERRIDDEN ***

    - EJTAG IMPCODE ....... : 00000000000000000000000000000000 (00000000)
    - EJTAG Version ....... : 1 or 2.0
    - EJTAG DMA Support ... : Yes
    - EJTAG Implementation flags: R4k MIPS32

Intial value of Control register is 0000000C
Intial value of status register is  000000FE
11111110 (000000FE)

Status bit 7 Busy Inverted pin 11 = 0
Status bit 6 *Ack          pin 10 = 1
Status bit 5 Paper-out     pin 12 = 1
Status bit 4 Select        pin 13 = 1
Status bit 3 *Error        pin 15 = 1
* means low = true, e.g., *Error

VCC connected
values of Control register after init 0x0000000C
value of status register after init   0x000000FE
system reset complete

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor did NOT enter Debug Mode!> ... Done
Init PrAcc ... Skipped
Clearing Watchdog ... Done

Manual Flash Selection ... Done

Flash Vendor ID: 00000000000000000000000000000001 (00000001)
Flash Device ID: 00000000011111100010001000000001 (007E2201)
*** Manually Selected a Spansion S29GL256P U      (32MB) Flash Chip ***

    - Flash Chip Window Start .... : 1C000000
    - Flash Chip Window Length ... : 02000000
    - Selected Area Start ........ : 1C000000
    - Selected Area Length ....... : 00040000

*** You Selected to Erase the CFE.BIN ***

=========================
Erasing Routine Started
=========================
Total Blocks to Erase: 2

Erasing block: 1 (addr = 1C000000)...

Nothing seems to happen after this step.

Ideas?
Murrkf
DD-WRT Guru


Joined: 22 Sep 2008
Posts: 12675

PostPosted: Mon Nov 12, 2012 16:02    Post subject:
Have you confirmed whether that router is supported by jtag?
W1SS
DD-WRT Novice


Joined: 11 Nov 2012
Posts: 13

PostPosted: Tue Nov 13, 2012 7:34    Post subject:
I was able to erase / flash the original CFE using fc:149 (Macronix 32MB) vs fc:92/93 (Spansion 32MB) - however, the router failed to boot properly... I find it strange that only three LEDs are dimly lit and the power/LAN3/LAN4 LEDs haven't lit since the CFE flash.

Can you confirm whether the kernel can be restored through CFE so that I may focus my efforts on the CFE recovery?

I also ordered the latest TUMPA board to use with zjtag to see if I could recover the unit... tjtag (Windows 32-bit, 3.0.2.1) appears to be more stable than the Linux version, which is why I decided to use Windows 7 x86 for restoration/debricking...

I am now considering a new wifi router - any recommendations on the current best available unit in the market?
W1SS
DD-WRT Novice


Joined: 11 Nov 2012
Posts: 13

PostPosted: Tue Nov 13, 2012 7:50    Post subject:
Ran tjtag -probeonly /skipdetect /fc:93 /dma and I am now seeing:

Code:

================================================
 EJTAG Debrick Utility v3.0.2.1 Tornado-MOD
================================================

Selected  port  = 0x378

Detected IR chain length = 0
Number of device(s) = 0

Probing bus ... instruction_length 0
Done

Instruction Length set to 0

CPU Chip ID: 11111111111111111111111111111111 (FFFFFFFF)
*** CHIP DETECTION OVERRIDDEN ***

    - EJTAG IMPCODE ....... : 11111111111111111111111111111111 (FFFFFFFF)
    - EJTAG Version ....... : Unknown (7 is a reserved value)
    - EJTAG DMA Support ... : No
    - EJTAG Implementation flags: R3k DINTsup ASID_8 ASID_6 MIPS16 NoDMA MIPS64
    *** DMA Mode Forced On ***

Intial value of Control register is 000000CC
Intial value of status register is  0000007E
01111110 (0000007E)

Status bit 7 Busy Inverted pin 11 = 1
Status bit 6 *Ack          pin 10 = 1
Status bit 5 Paper-out     pin 12 = 1
Status bit 4 Select        pin 13 = 1
Status bit 3 *Error        pin 15 = 1
* means low = true, e.g., *Error

VCC connected
values of Control register after init 0x000000CC
value of status register after init   0x0000007E
system reset complete

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Init PrAcc ... Skipped
Clearing Watchdog ... DMA Write Addr = B8000080  Data = ERROR ON WRITE
Done

Manual Flash Selection ... DMA Write Addr = 1C000000  Data = ERROR ON WRITE
Done

Flash Vendor ID: 00000000000000000000000000000001 (00000001)
Flash Device ID: 00000000011111100010001000000001 (007E2201)
*** Manually Selected a Spansion S29GL256P U      (32MB) Flash Chip ***

    - Flash Chip Window Start .... : 1C000000
    - Flash Chip Window Length ... : 02000000
    - Selected Area Start ........ : 00000000
    - Selected Area Length ....... : 00000000



 *** REQUESTED OPERATION IS COMPLETE ***



Any idea what "DMA Write Addr = B8000080" and "Manual Flash Selection ... DMA Write Addr = 1C000000 Data = ERROR ON WRITE Done" translate into?

UPDATE: using the /nodma switch I was able to stop the "ERROR on WRITE / READ" from occurring; however, it's now stuck on Init PrAcc...


Code:
C:\Users\Wiss\Desktop\tjtag3>tjtag3 -probeonly /flash_debug /skipdetect /nodma /start:1C000000 /length:02000000 /nocwd

================================================
 EJTAG Debrick Utility v3.0.2.1 Tornado-MOD
================================================

Selected  port  = 0x378

Detected IR chain length = 32
Number of device(s) = 1

IDCODE for device 1 is 0x000C317F

Idcode 0x000c317f IR Length 32
Probing bus ... instruction_length 32
Done

Instruction Length set to 32

CPU Chip ID: 00000000000000000000000000000000 (00000000)
*** CHIP DETECTION OVERRIDDEN ***

    - EJTAG IMPCODE ....... : 00000000000000000000000000000000 (00000000)
    - EJTAG Version ....... : 1 or 2.0
    - EJTAG DMA Support ... : Yes
    - EJTAG Implementation flags: R4k MIPS32
    *** DMA Mode Forced Off ***

Intial value of Control register is 000000CC
Intial value of status register is  0000007F
01111111 (0000007F)

Status bit 7 Busy Inverted pin 11 = 1
Status bit 6 *Ack          pin 10 = 1
Status bit 5 Paper-out     pin 12 = 1
Status bit 4 Select        pin 13 = 1
Status bit 3 *Error        pin 15 = 1
* means low = true, e.g., *Error

VCC connected
values of Control register after init 0x000000CC
value of status register after init   0x0000007F
system reset complete

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor did NOT enter Debug Mode!> ... Done
Init PrAcc ...
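The three probe runs above disagree with each other (CPU Chip ID 00000000 in one run, FFFFFFFF in the next, and an IDCODE of 0x000C317F on a supposedly 32-bit IR chain in the third). Before trusting any of those values, or any backup produced from them, it is worth checking whether the bits shifted out of TDO are even plausible. The following is an added example, written for this page and not code from the thread or from tjtag: it decodes an IEEE 1149.1 IDCODE and a MIPS EJTAG IMPCODE into their fields, flags all-zero / all-one readings as stuck-at lines, and counts the erase blocks for a flash region. The IDCODE field layout is from the 1149.1 standard; the IMPCODE bit positions are my reading of the EJTAG specification; the 128 KB uniform sector size is my reading of the S29GL256P datasheet; the sample text is excerpted from the tjtag outputs posted in this thread.

```python
"""Sanity-check and decode the identification values tjtag prints during a probe."""
import re

def classify_reading(value: int) -> str:
    """Classify a 32-bit value shifted out of TDO before trusting it."""
    if value == 0x00000000:
        return "stuck-low"    # TDO never went high: no power, no target, or TDO grounded/miswired
    if value == 0xFFFFFFFF:
        return "stuck-high"   # TDO floating/pulled up with nothing driving it: open or bypassed chain
    if value & 1 == 0:
        return "invalid-lsb"  # IEEE 1149.1 requires IDCODE bit 0 == 1
    return "plausible"

# IEEE 1149.1 IDCODE layout: [31:28] version, [27:12] part number,
# [11:1] JEDEC JEP106 manufacturer (bits 11:8 = continuation count, bits 7:1 = 7-bit code), [0] = 1.
def decode_idcode(idcode: int) -> dict:
    return {
        "version": (idcode >> 28) & 0xF,
        "part": (idcode >> 12) & 0xFFFF,
        "continuations": (idcode >> 8) & 0xF,
        "manufacturer": (idcode >> 1) & 0x7F,
        "valid": classify_reading(idcode) == "plausible",
    }

# EJTAG IMPCODE bit positions (assumption: my reading of the MIPS EJTAG spec):
# [31:29] EJTAG version, [28] R3k privileged environment, [24] DINTsup,
# [22:21] ASID size (0 none, 1 six-bit, 2 eight-bit), [16] MIPS16, [14] NoDMA, [0] MIPS64.
EJTAG_VERSIONS = {0: "1 or 2.0", 1: "2.5", 2: "2.6", 3: "3.1", 4: "4.x", 5: "5.x"}  # 6, 7 reserved

def decode_impcode(imp: int) -> dict:
    ver = (imp >> 29) & 0x7
    return {
        "version": EJTAG_VERSIONS.get(ver, f"reserved ({ver})"),
        "r3k": bool((imp >> 28) & 1),
        "dint_sup": bool((imp >> 24) & 1),
        "asid_size": (imp >> 21) & 0x3,
        "mips16": bool((imp >> 16) & 1),
        "dma": not ((imp >> 14) & 1),   # NoDMA = 1 means DMA-mode access is unsupported
        "mips64": bool(imp & 1),
    }

# Assumption: S29GL256P has uniform 128 KB sectors; a 0x40000-byte CFE region therefore spans 2 blocks.
def erase_block_count(start: int, length: int, sector: int = 0x20000) -> int:
    first = start // sector
    last = (start + length - 1) // sector
    return last - first + 1

_CHIP_RE = re.compile(r"CPU Chip ID: [01]{32} \(([0-9A-Fa-f]{8})\)")
_DEV_RE = re.compile(r"IDCODE for device \d+ is 0x([0-9A-Fa-f]{1,8})")
_IMP_RE = re.compile(r"EJTAG IMPCODE[ .]+: [01]{32} \(([0-9A-Fa-f]{8})\)")

def diagnose(text: str) -> dict:
    """Pull every ID value out of a tjtag transcript and say whether the chain can be trusted."""
    chip = [int(h, 16) for h in _CHIP_RE.findall(text)]
    devs = [int(h, 16) for h in _DEV_RE.findall(text)]
    imps = [int(h, 16) for h in _IMP_RE.findall(text)]
    readings = {f"chip:{v:08X}": classify_reading(v) for v in chip}
    readings.update({f"idcode:{v:08X}": classify_reading(v) for v in devs})
    return {
        "readings": readings,
        "idcodes": [decode_idcode(v) for v in devs if classify_reading(v) == "plausible"],
        "impcodes": [decode_impcode(v) for v in imps],
        # Any stuck-at or invalid reading means the data path is not working; writes will not work either.
        "trustworthy": all(r == "plausible" for r in readings.values()),
    }

# Excerpt of the tjtag output posted in this thread (the /nodma run).
SAMPLE = """\
Detected IR chain length = 32
Number of device(s) = 1

IDCODE for device 1 is 0x000C317F

CPU Chip ID: 00000000000000000000000000000000 (00000000)
*** CHIP DETECTION OVERRIDDEN ***

    - EJTAG IMPCODE ....... : 00000000000000000000000000000000 (00000000)
"""

if __name__ == "__main__":
    result = diagnose(SAMPLE)
    for key, verdict in result["readings"].items():
        print(f"{key}: {verdict}")
    for d in result["idcodes"]:
        print(f"IDCODE -> version {d['version']}, part 0x{d['part']:04X}, "
              f"manufacturer bank {d['continuations'] + 1} code 0x{d['manufacturer']:02X}")
    print("trustworthy:", result["trustworthy"])
```

Run against the excerpt, the IDCODE decodes to part 0x00C3 with a JEP106 bank-2 (one continuation byte) manufacturer code 0x3F, which my copy of the JEP106 table lists as Broadcom; that attribution is my lookup, not something the thread states. The same run, however, returns an all-zero CPU Chip ID and IMPCODE, so the data path still fails the stuck-at check, and a probe that reports a 32-bit instruction register for a single MIPS core (the first run above set the IR length to 5) is itself a reading to treat with suspicion. That is the practical reason the backups taken through a chain in this state come back blank.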
zyxeu
DD-WRT Novice


Joined: 29 Oct 2012
Posts: 13

PostPosted: Wed Nov 14, 2012 12:05    Post subject:
As far as I know the BCM4706 is not yet supported, but maybe looking at the source code of the debrick tools could help you:


There was a discussion between Dark_Shadow and Volkan K. over zjtag and BCM4706 support here:
http://www.tiaowiki.com/forums/index.php/topic,4102.0.html
W1SS
DD-WRT Novice


Joined: 11 Nov 2012
Posts: 13

PostPosted: Wed Nov 14, 2012 14:33    Post subject:
Thanks Zyxeu :)

I had already gone over the source code and have been in contact with Tornado (who couldn't assist as he didn't have the RT-N66U) - tried using tjtag, brjtag and zjtag with mixed results. From all the testing I have been doing, I can confirm that zjtag supports the Spansion flash chip - http://components.arrow.com/part/detail/43432630S9438540N3310 (placed an order for a couple of those chips - jic) and I was able to delete and flash the flash chip with the brjtag tool... the key is in the type and length of the connection (unbuffered vs buffered, sub-10cm).

I was able to get the router out of whatever sleep mode it was in and had the power and usb lights turn on with activity on the wan leds, confirmed by wireshark, but I was still unable to ping the 192 gateway.

A power reboot didn't help either as it resulted in the router going back into deep sleep.

I am waiting on the Tumpa board I ordered yesterday and will report back with more findings.
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7647

PostPosted: Wed Nov 14, 2012 14:35    Post subject:
It is only Tornado who can add support for the 4706 in tjtag, so you have to contact him at his tjtag web site.

Trying to skip cpu detection will take you nowhere and whatever you backed up does not contain any valid data.

_________________
Kernel panic: Aiee, killing interrupt handler!
W1SS
DD-WRT Novice


Joined: 11 Nov 2012
Posts: 13

PostPosted: Wed Nov 14, 2012 14:55    Post subject:
The man himself - Thanks for your input, Lom.

I figured that out after opening up some of the backup files I was able to generate (blanks) - glad I have the original bootloader on hand.

Can you confirm if CPU support is required for erases / flashes (uploads)? I am a bit surprised that the currently available tools lack support for the 4706 chip when they readily support >4706<.

If I am unable to resurrect the unit then I'll just donate it to Tornado and the community.
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7647

PostPosted: Wed Nov 14, 2012 15:59    Post subject:
W1SS wrote:
Can you confirm if CPU support is required for erases / flashes (uploads)? I am a bit surprised that the currently available tools lack support for the 4706 chip when they readily support >4706<.

CPU support is needed for any operation; you cannot even erase flash without it.
The 4706 is a new CPU even though there are others in the same family with slightly higher numbers.

W1SS
DD-WRT Novice


Joined: 11 Nov 2012
Posts: 13

PostPosted: Thu Nov 15, 2012 8:49    Post subject:
Thanks- I ordered a new AC66U and am awaiting delivery of the Tumpa board for further testing on the bricked RT-N66U.

How long does it usually take to flash a 256KB vs 132KB CFE file via the wiggler setup in normal / byte_mode? seconds, minutes or hours?
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 13049
Location: Behind The Reset Button

PostPosted: Thu Nov 15, 2012 13:44    Post subject:
/byte_mode = 8-bit bus.

Using tjtag and a wiggler (parallel port), it takes almost 3 hours to flash a cfe.

I would like to suggest that you consider sending your rt-n66u to Tornado (Tornado is now in the US).

Tornado, myself, and Dark_Shadow were planning on working on adding jtag support for this router.

Tornado & I never were online at the same time. Dark_Shadow & Tornado did work on it but tmk, it was never finished.

It is difficult at best for Tornado to add support for a router he does not have in front of him for obvious reasons.

W1SS
DD-WRT Novice


Joined: 11 Nov 2012
Posts: 13

PostPosted: Wed Dec 19, 2012 11:55    Post subject: Success @ last!!
Hey guys :D

Just thought I'd share with you all that I have successfully resurrected my bricked RT-N66U (Bad CFE Flash) using a combination of jtag software, some pretty nifty reverse engineering, JTAG/Serial terminals (J2/J1), and loads of patience!!

Edit: I'll update this post with a link to a "How-to unbrick the RT-N66U" guide soon.

In the meantime, do not attempt to short the #RESET (p14) or #OE (p34) pins on the Spansion flash chip. There is hope!

Cheers
W1SS



Attachment: resurrected-rt-n66u.png

Facepalm
DD-WRT Novice


Joined: 21 Dec 2012
Posts: 1

PostPosted: Mon Dec 24, 2012 16:54    Post subject: I could lend you my RT-N66U.
> Tornado, myself, and Dark_Shadow were planning on working on adding jtag support for this router.

I bricked mine the other day. (I checked note 6 - no ping response - it's bricked good.)

I have a fallback, so I'd be willing to lend you my router, pay the shipping each way (in the US), and make a donation.

Let me know how to proceed.

Thank you.