Unbricking Asus RTN10+ B1

shimbo
DD-WRT Novice


Joined: 14 Dec 2014
Posts: 6

Posted: Sun Dec 14, 2014 19:19    Post subject: Unbricking Asus RTN10+ B1
I have an Asus router (RT-N10+ B1 hardware) that suddenly stopped working (only the power LED turns on).
Hoping that I could fix it, I've been working on this side project for the last few weeks, but I am stuck and I would appreciate any help.

I will list below the actions that I've already done:
- Power supply:
I replaced its power supply to see if there was any difference.
Original power supply output: 12 V, 0.3 A
Power supply I am using now: 12 V, 2.5 A
- Hard reset:
Following the router's manual, I tried to do a hard reset by holding the reset button during power-up for 10 s. The WPS LED should start blinking, but it didn't work.
- 30-30-30 (hold the reset button for 30 sec while it is turned on, turn off with the button pressed, hold for 30 sec, turn on while maintaining the button pressed)
I tried the 30-30-30 method several times, using the reset button, WPS button, both, etc., but no luck.
- Pinging address 192.168.1.1
No answer on this address (router's default address).
- Asus recovery utility
I tried to use the Asus recovery utility to download a firmware through TFTP, but since I was unable to put the router in recovery mode, the software did not find the router.
- Serial recovery:
I connected a serial sniffer on its com port (I had a Freescale development board around which has a USB to COM port converter that I plugged in, http://www.freescale.com/webapp/sps/site/prod_summary.jsp?code=FRDM-KL25Z ).
This sniffer already has a built-in 3v3 level shifter so there was no risk of burning my board nor the router.
Using the information that I found here: http://techinfodepot.shoutwiki.com/wiki/Asus_RT-N10%2B_rev_B1

I connected the serial sniffer on J2:
J2
[4 3 2 1]
RX TX GND VCC
Serial config: 57600 baud rate, 8 data bits, 1 stop bit, no flow control, etc., but I was unable to read any data.
The serial converter is working correctly, since if I put a jumper on its TX/RX (loopback test) I can read the data I send through HyperTerminal.
Since I was unable to access the router through the serial connection, only JTAG remains as an option.

- jtag
I found no documentation for jtag connection using this router's model, so I needed to figure out on my own how to do it.
Identifying the board connectors:

The JTAG jumper was unpopulated, so I soldered the headers. I managed to identify the JTAG pinout; it's the same as the D-Link DIR-615: http://wiki.openwrt.org/toh/d-link/dir-615

Pinout:

OBS: I need to solder a jumper on R28 to connect the TDO signal to the Ralink 3050. Without this jumper, jtag won't work.

I installed openOCD (version 0.8.0) and I am using a segger j-link EDU as jtag programmer.
The debricking utilities that I found around are based on a parallel port JTAG programmer, and even they don't support this router's model (debricking utilities that I investigated: Hairydairymaid, UrJTAG).
The only one that I managed to work with is OpenOCD:

http://openocd.sourceforge.net/

I found an OpenOCD configuration file for the Ralink RT3050 here:
http://www.8devices.com/community/viewtopic.php?f=1&t=347&start=10

I then modified it, specifying the flash areas (info found here: http://wiki.openwrt.org/toh/asus/rt-n10plus):

Code:

rt3050.cfg

set _CHIPNAME rt3050
set _ENDIAN little
set _CPUTAPID 0x1335024F

log_output c:/temp/openOCDSession.log

#daemon configuration
telnet_port 4444
gdb_port 3333

#interface
interface jlink
#jtag_speed 0
adapter_khz 100

adapter_nsrst_delay 200
jtag_ntrst_delay 200

# jtag scan chain
# format L IRC IRCM IDCODE (Length, IR Capture, IR Capture Mask, IDCODE)
jtag newtap $_CHIPNAME cpu -irlen 5  -ircapture 0x1 -irmask 0x3 -expected-id $_CPUTAPID

set _TARGETNAME [format "%s.cpu" $_CHIPNAME]
target create $_TARGETNAME mips_m4k -endian $_ENDIAN -chain-position $_TARGETNAME

$_TARGETNAME configure -event reset-init {
  #reset 
  halt
  echo "init SDRAM controller.."
  mww 0x10000300 0xd1825272
  mww 0x10000304 0xe0120300
  echo "init Flash controller.."
  mww 0x10000308 0x0511FFA3
  echo "Find flash..."
  flash probe 0
}

flash bank Bootloader cfi 0x1f000000 0x30000 2 2 $_TARGETNAME
flash bank Config cfi 0x1f030000 0x10000 2 2 $_TARGETNAME
flash bank Factory cfi 0x1f040000 0x10000 2 2 $_TARGETNAME
flash bank Kernel cfi 0x1f050000 0x3b0000 2 2 $_TARGETNAME


Since the router does not boot anymore, I believe that either the Config area or the bootloader (or both) is corrupted. I am trying to erase the Config area (which I believe is the NVRAM config area in some routers).

OBS: registers 0x10000300 and 0x10000304 configure SDRAM;
register 0x10000308 configures the flash controller. The only field that I modified in this register from its initial value is b01:
Address setup time prior to Chip Select in number of system clock cycles: from 01 to 03
Other parameters seem to be OK (16-bit memory, timings are maxed).

When I connect to OpenOCD through telnet, I halt and reset the processor, but flash probe 0 fails (command to query external flash info).
The output log file is this:

openOCDSession.log
Code:

Info : only one transport option; autoselect 'jtag'
adapter speed: 100 kHz
adapter_nsrst_delay: 200
jtag_ntrst_delay: 200
Info : J-Link initialization started / target CPU reset initiated
Info : J-Link V9 compiled Nov 28 2014 09:34:59
Info : J-Link caps 0xb9ff7bbf
Info : J-Link hw version 90000
Info : J-Link hw type J-Link
Info : J-Link max mem block 70952
Info : J-Link configuration
Info : USB-Address: 0x0
Info : Kickstart power on JTAG-pin 19: 0xffffffff
Info : Vref = 3.330 TCK = 1 TDI = 0 TDO = 0 TMS = 0 SRST = 0 TRST = 0
Info : J-Link JTAG Interface ready
Info : clock speed 100 kHz
Info : JTAG tap: rt3050.cpu tap/device found: 0x1335024f (mfg: 0x127, part: 0x3350, ver: 0x1)
Info : accepting 'telnet' connection from 4444
target state: halted
target halted in MIPS32 mode due to debug-request, pc: 0x0bf53974
Info : JTAG tap: rt3050.cpu tap/device found: 0x1335024f (mfg: 0x127, part: 0x3350, ver: 0x1)
target state: halted
target halted in MIPS32 mode due to debug-request, pc: 0x0bf53974
init SDRAM controller..
init Flash controller..
Find flash...
Info : Flash Manufacturer/Device: 0x00ff 0x1000
Error: Could not probe bank: no QRY
Try workaround w/0x555 instead of 0x55 to get QRY.
Error: Could not probe bank: no QRY
Error: auto_probe failed
in procedure 'flash'


Therefore I managed to execute jtag commands, but I am unable to access the external flash memory where
the bootloader, the current configuration and the main firmware are located.

From the info found in its datasheet, this memory is CFI compliant, so I am using the right OpenOCD driver.

The memory used in this router is a 32 Megabit NOR flash, model S29GL032N90TFI04 manufactured by Spansion:
http://s24.postimg.org/qy4g9z7ap/Flash_Asus_RTN10.jpg

The unpopulated resistors R76, R78 are pull-ups; R77, R799 are pull-downs.
Pin 11 is the WE (write enable); I didn't find any unpopulated resistor separating this pin from the main chip.
My assumption is that this pin should remain connected after production, because it would be impossible
to update the firmware otherwise.

In the attached log file we have the openOCD debug output with the same script and the same actions (halt, then reset init).

What I found odd are the commands:
Debug: 411 8229 mips_m4k.c:1005 mips_m4k_write_memory(): address: 0x1f000aaa, size: 0x00000002, count: 0x00000001
Debug: 412 8292 mips_m4k.c:1005 mips_m4k_write_memory(): address: 0x1f000554, size: 0x00000002, count: 0x00000001
Debug: 413 8338 mips_m4k.c:1005 mips_m4k_write_memory(): address: 0x1f000aaa, size: 0x00000002, count: 0x00000001
Debug: 414 8417 mips_m4k.c:946 mips_m4k_read_memory(): address: 0x1f000000, size: 0x00000002, count: 0x00000001
Debug: 415 8448 mips_m4k.c:946 mips_m4k_read_memory(): address: 0x1f000002, size: 0x00000002, count: 0x00000001
Info : 416 8479 cfi.c:2613 cfi_probe(): Flash Manufacturer/Device: 0x00ff 0x1000

Address 0x1F000000 is the starting address to access external flash (found in the RT3050 datasheet):
http://www.tracermcc.ru/foto/bender/RT3050_5x_V2.0_081408_0902.pdf

OpenOCD executes 3 writes prior to executing the read to query Manufacturer/Device info, which I believe are used to put the memory in CFI mode.

The memory's datasheet http://www.spansion.com/Support/Datasheets/S29GL-N_01.pdf indicates that to enter CFI mode we need to write 0x98 to address 0x55, which OpenOCD is not doing; and to read the manufacturer/device ID, the addresses are 13h and 15h respectively (not 0x00 and 0x02).
My conclusion is that OpenOCD is not doing the right writes to put the device in CFI mode, nor is it reading the correct bytes to get CFI data.

Sadly, even if I try to write 0x98 at address 0x1f000055 to enter CFI mode manually, it does not work.
I've read the addresses 0x1f000010, 0x1f000011, 0x1f000012 after doing it, but instead of getting 0x51, 0x52 and 0x59 (characters 'Q', 'R' and 'Y' in ASCII) I got 0x1F, 0x02 and 00.
I am following Spansion's quick guide to CFI as reference:
http://www.spansion.com/Support/Application%20Notes/Quick_Guide_to_CFI_AN.pdf

That's it folks, if someone can give me a hand to access this router's external flash memory I think I can revive it.
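
Added example (not part of the original post, and not OpenOCD's code): on a x16 NOR part behind a 16-bit bus, datasheet command addresses are word addresses, so they appear on the CPU's byte-address bus shifted left by one bit. The Python below decodes the five debug-log accesses quoted in the post under that assumption (chip width 2, bus width 2, as in the post's `flash bank` lines); all function names are hypothetical.

```python
import re

FLASH_BASE = 0x1F000000   # flash window base used in the post's rt3050.cfg
BUS_BYTES = 2             # assumption: x16 chip on a 16-bit bus ("cfi ... 2 2")

# AMD/Spansion-style command addresses, expressed as x16 *word* addresses.
UNLOCK1, UNLOCK2 = 0x555, 0x2AA
CFI_ENTRY_ADDR, CFI_ENTRY_CMD = 0x55, 0x98
QRY_WORDS = (0x10, 0x11, 0x12)   # locations expected to hold 'Q', 'R', 'Y'

# The five memory accesses from the debug log quoted in the post.
LOG = """\
Debug: 411 8229 mips_m4k.c:1005 mips_m4k_write_memory(): address: 0x1f000aaa, size: 0x00000002, count: 0x00000001
Debug: 412 8292 mips_m4k.c:1005 mips_m4k_write_memory(): address: 0x1f000554, size: 0x00000002, count: 0x00000001
Debug: 413 8338 mips_m4k.c:1005 mips_m4k_write_memory(): address: 0x1f000aaa, size: 0x00000002, count: 0x00000001
Debug: 414 8417 mips_m4k.c:946 mips_m4k_read_memory(): address: 0x1f000000, size: 0x00000002, count: 0x00000001
Debug: 415 8448 mips_m4k.c:946 mips_m4k_read_memory(): address: 0x1f000002, size: 0x00000002, count: 0x00000001
"""

ACCESS_RE = re.compile(
    r"mips_m4k_(write|read)_memory\(\): "
    r"address: (0x[0-9a-fA-F]+), size: (0x[0-9a-fA-F]+)"
)


def cpu_to_word(cpu_addr):
    """Convert a CPU byte address inside the flash window to a flash word address."""
    offset = cpu_addr - FLASH_BASE
    if offset < 0 or offset % BUS_BYTES:
        raise ValueError(f"{cpu_addr:#x} is not a bus-aligned flash address")
    return offset // BUS_BYTES


def word_to_cpu(word_addr):
    """Convert a datasheet word address to the CPU byte address that selects it."""
    return FLASH_BASE + word_addr * BUS_BYTES


def parse_accesses(log_text):
    """Return [(op, cpu_addr, word_addr)] for every bus-width access in the log."""
    accesses = []
    for match in ACCESS_RE.finditer(log_text):
        op = match.group(1)
        addr = int(match.group(2), 16)
        size = int(match.group(3), 16)
        if size == BUS_BYTES:
            accesses.append((op, addr, cpu_to_word(addr)))
    return accesses


def classify(accesses):
    """Name the command pattern from addresses alone (the log shows no data values)."""
    writes = [w for op, _, w in accesses if op == "write"]
    reads = [w for op, _, w in accesses if op == "read"]
    if writes == [UNLOCK1, UNLOCK2, UNLOCK1] and reads == [0x00, 0x01]:
        return "unlock sequence + ID read"
    if writes == [CFI_ENTRY_ADDR] and reads[:3] == list(QRY_WORDS):
        return "cfi query"
    return "unknown"


def cfi_query_plan():
    """CPU addresses for the CFI query on this bus layout: one write, three reads."""
    return {
        "write": (word_to_cpu(CFI_ENTRY_ADDR), CFI_ENTRY_CMD),
        "reads": [word_to_cpu(w) for w in QRY_WORDS],
    }


if __name__ == "__main__":
    for op, cpu, word in parse_accesses(LOG):
        print(f"{op:5s} cpu={cpu:#010x} -> flash word {word:#05x}")
    print("pattern:", classify(parse_accesses(LOG)))
    plan = cfi_query_plan()
    print("CFI entry: write", hex(plan["write"][1]), "to", hex(plan["write"][0]))
    print("QRY reads:", [hex(a) for a in plan["reads"]])
```

Under the x16 assumption, the three logged writes land on word addresses 0x555, 0x2AA and 0x555, and the CFI query write maps to CPU address 0x1F0000AA with the QRY bytes at 0x1F000020, 0x1F000022 and 0x1F000024.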
pilber
DD-WRT Novice


Joined: 27 Aug 2012
Posts: 18

Posted: Wed Dec 17, 2014 3:48    Post subject: Unbricking, JTAG, OpenOCD, CFI QRY
Hi shimbo, nice detailed post

Try zjtag, according to http://zjtag.sourceforge.net/cables.shtml , it supports yours

The command line should be:

Code:
zjtag -backup:wholeflash /cable:6 /skipdetect /fc:080

(or backup/erase: kernel / cfe / nvram)
Skipdetect is necessary because Chip is not recognized, instrlen (5) and endianness (little) are.
( fc may also be 81 or 84) – see output of: zjtag /showflashlist
You could use the custom and window parameters if you want to use a base address other than 1fc00000. I tested several (bf000000, 1bf00000, 1f000000) and apparently they map to the same physical address.

An interesting thing is that you could run the openocd server and telnet session simultaneously with zjtag (no opened parallel port issues) and monitor on the openocd console the events occurring as zjtag runs.


In the past I managed to debrick one rt3050 based router, see
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=718166&highlight=#718166
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=718248&highlight=#718248
that were bricked by accidentally overwriting uboot. I used BrJtag and self-made wiggler and Xilinx DLC5 cables.

In the meantime I received other damaged Encore N3 units (unknown cause) which I could debrick with JTAG tools, and yesterday I received yet another one. I was trying other JTAG tools today with no luck.

(I have set up EPP+ECP port in BIOS and Normal with the same results)

BrJtag 1.9, 2.05, ZJtag 1.7 1.8 -> Can backup but no erase or flash. CFI not detecting flash->manual select with /fc
HairyDairyMaid_WRT54G_Debrick_Utility_v48~cshore ->I couldn’t get it to work with router, chip detected as FFFFFFFF, hung up clearing watchdog and trying to detect flash
Increasing learning curve:
UrJtag-> have installed exe version, copied libraries requested (libusb and ft2xx although I used wiggler cable) and tested. Command sequence: cable wiggler parallel 0x378 / detect / initbus ejtag (this step didn’t work)
OpenOCD->after configuring things and testing commands with telnet, get stuck on cfi query.

Searching the Internet I reached your post and identified with every step you took. It is very interesting how the human mind works, how challenges drive one to find a solution. At least for me the important thing here is the experience and knowledge acquired, because the hardware itself isn’t worth the effort, which increases when the device doesn’t respond as expected and with the enormous combinations of options, to mention only some I imagine you (as I) were testing: SDRAM and flash timings, byte/word addressing, hardware line asserting to enable write protection (with a hardware mod or the chance of finding some GPIO or special register which could achieve that effect).
Another possibility is that the device is damaged and the problem is in who knows which faulty component, and not in the flash content which we are intending to rewrite.

Please let me know if you have news with this.


For reference:

F:\Util\jtag\HairyDairyMaid_WRT54G_Debrick_Utility_v48~cshore\windows>wrt54g.exe -probeonly /wiggler /skipdetect /nocwd /instrlen:5

Code:
====================================
WRT54G/GS EJTAG Debrick Utility v4.8
====================================

Probing bus ... Done

Instruction Length set to 5

CPU Chip ID: 11111111111111111111111111111111 (FFFFFFFF)
*** CHIP DETECTION OVERRIDDEN ***

    - EJTAG IMPCODE ....... : 11111111111111111111111111111111 (FFFFFFFF)
    - EJTAG Version ....... : Unknown (7 is a reserved value)
    - EJTAG DMA Support ... : No

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Skipped

Probing Flash at (Flash Window: 0x1fc00000) ... ^C


F:\Util\jtag\zjtag.source_1.7>zjtag -probeonly /wiggler /skipdetect /fc:033

Code:
        ==============================================
               zJTAG EJTAG Debrick Utility v1.7 R4
        ==============================================

cable=wiggler, cabletype=3

Selected port = 0x378

Detected IR chain length = 5

Probing bus ... Done

Detected IR chain Length is 5 bits

CPU assumed running under LITTLE endian

CPU Chip ID: 00010011001101010000001001001111 (1335024F)
    CPU Manufacturer :Unknown(ID=0X24E)
    CPU Device ID :3350
    CPU Revision  :1

*** CHIP DETECTION OVERRIDDEN ***

    - EJTAG IMPCODE ....... : 01100000010000010100000000000000 (60414000)
    - EJTAG Version ....... : 3.1
    - EJTAG DMA Support ... : No
    - EJTAG Implementation flags: R4k ASID_8 MIPS16 NoDMA MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
*** Manually Selected a MX29LV320AT/BT 2Mx16 TopB  (4MB) from Macronix



 *** REQUESTED OPERATION IS COMPLETE ***


F:\Util\jtag\zjtag.source_1.8>zjtag -erase:cfe /wiggler /skipdetect /fc:033 /instrlen:5 /srst

Code:
        ==============================================
               zJTAG EJTAG Debrick Utility v1.8 RC3
        ==============================================

cable=wiggler, cabletype=3

Selected port = 0x378

Detected IR chain length = 32

There are 1 device(s) in the JTAG chain
 IDCODE for device 1 is 0x1335024F (IR length:1)

Probing bus ... Done

Instruction Length manually set to 5

CPU assumed running under LITTLE endian

CPU Chip ID: 00010011001101010000001001001111 (0x1335024F)
    CPU Manufacturer :Unknown(ID=0x24E)
    CPU Device ID :3350
    CPU Revision  :1

*** CHIP DETECTION OVERRIDDEN ***

    - EJTAG IMPCODE ....... : 01100000010000010100000000000000 (0x60414000)
    - EJTAG Version ....... : 3.1
    - EJTAG DMA Support ... : No
    - EJTAG Implementation flags: R4k ASID_8 MIPS16 NoDMA MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
*** Manually Selected a MX29LV320AT/BT 2Mx16 TopB  (4MB) from Macronix

    - Flash Chip Window Start .... : 1FC00000
    - Flash Chip Window Length ... : 00400000
    - Selected Area Start ........ : 1FC00000
    - Selected Area Length ....... : 00040000

*** You Selected to Erase the CFE.BIN ***

=========================
Erasing Routine Started
=========================
Total Blocks to Erase: 4

Erasing block: 1 (addr = 1FC00000)...Done
Erasing block: 2 (addr = 1FC10000)...


F:\Util\jtag\win32>brjtag -erase:cfe /wiggler /skipdetect /fc:033 /instrlen:5 /srst

Code:
        ===============================================
         Broadcom EJTAG Debrick Utility v1.9o-hugebird
        ===============================================


Probing bus ... Done

Detected IR Length is 5

CPU assumed running under LITTLE endian

CPU Chip ID: 00010011001101010000001001001111 (1335024F)
*** CHIP DETECTION OVERRIDDEN ***

    - EJTAG IMPCODE ....... : 01100000010000010100000000000000 (60414000)
    - EJTAG Version ....... : 3.1
    - EJTAG DMA Support ... : No
    - EJTAG Implementation flags: R4k ASID_8 MIPS16 NoDMA MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
*** Manually Selected a MX29LV320AT/BT 2Mx16 TopB  (4MB) from Macronix

    - Flash Chip Window Start .... : 1FC00000
    - Flash Chip Window Length ... : 00400000
    - Selected Area Start ........ : 1FC00000
    - Selected Area Length ....... : 00040000

*** You Selected to Erase the CFE.BIN ***

=========================
Erasing Routine Started
=========================
Total Blocks to Erase: 4

Erasing block: 1 (addr = 1FC00000)...Done
Erasing block: 2 (addr = 1FC10000)...


F:\Util\jtag\brjtag2.05_exe\win32>brjtag -erase:cfe /wiggler /skipdetect /fc:033 /instrlen:5 /srst

Code:
        ===============================================
         Broadcom EJTAG Debrick Utility v2.0.5-hugebird
        ===============================================


Probing bus ... Done

Detected IR Length is 5

CPU assumed running under LITTLE endian

CPU Chip ID: 00010011001101010000001001001111 (1335024F)
*** CHIP DETECTION OVERRIDDEN ***

    - EJTAG IMPCODE ....... : 01100000010000010100000000000000 (60414000)
    - EJTAG Version ....... : 3.1
    - EJTAG DMA Support ... : No
    - EJTAG Implementation flags: R4k ASID_8 MIPS16 NoDMA MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
*** Manually Selected a MX29LV320AT/BT 2Mx16 TopB  (4MB) from Macronix

    - Flash Chip Window Start .... : 1FC00000
    - Flash Chip Window Length ... : 00400000
    - Selected Area Start ........ : 1FC00000
    - Selected Area Length ....... : 00040000

*** You Selected to Erase the CFE.BIN ***

=========================
Erasing Routine Started
=========================
Total Blocks to Erase: 4

Erasing block: 1 (addr = 1FC00000)...Done
Erasing block: 2 (addr = 1FC10000)...


UrJTAG Shell

Code:
UrJTAG 0.10 #1502
Copyright (C) 2002, 2003 ETC s.r.o.
Copyright (C) 2007, 2008, 2009 Kolja Waschk and the respective authors

UrJTAG is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
There is absolutely no warranty for UrJTAG.

WARNING: UrJTAG may damage your hardware!
Type "quit" to exit, "help" for help.

jtag> cable wiggler parallel 0x378
Initializing parallel port at 0x378
jtag> detect
IR length: 5
Chain length: 1
Device Id: 00010011001101010000001001001111 (0x000000001335024F)
  Unknown manufacturer!
chain.c(149) Part 0 without active instruction
chain.c(200) Part 0 without active instruction
chain.c(149) Part 0 without active instruction
jtag> initbus ejtag
ejtag.c(292) EJCONTROL or EJIMPCODE register not found
bus initialization failed!
jtag>

pilber
DD-WRT Novice


Joined: 27 Aug 2012
Posts: 18

Posted: Thu Dec 18, 2014 3:40    Post subject: Unbricking, JTAG, OpenOCD, CFI QRY, Ram problems
shimbo, did you try to load uboot and boot from RAM?

On my router I did several tests with openocd; the following failed:

-cfi qry mentioned before
-memory test with memtest script (openocd 0.8.0), also writing with mww and comparing with mdw some memory positions returns 0000 and not the written value, on another try it returns correct values
-load_image (required to boot from ram) command fails:
Debug: 16279 11659829 mips32_pracc.c:122 wait_for_pracc_rw(): DEBUGMODULE: No memory access in progress!
-mass memory writes fails
> mww 0x80000000 0xaa 0x100
Fastdata access Failed
Falling back to non-bulk write
in procedure 'mww'
Code:
Debug: 16286 11783532 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_mww 0x80000000 0xaa 0x100
Debug: 16287 11783532 command.c:145 script_debug(): command - mww ocd_mww 0x80000000 0xaa 0x100
Debug: 16289 11783532 mips_m4k.c:1005 mips_m4k_write_memory(): address: 0x80000000, size: 0x00000004, count: 0x00000100
Debug: 16290 11783532 mips_m4k.c:1137 mips_m4k_bulk_write_memory(): address: 0x80000000, count: 0x00000100
Debug: 16291 11783532 mips32_pracc.c:1032 mips32_pracc_fastdata_xfer(): mips32_pracc_fastdata_xfer using 0x00000000 for write handler
Debug: 16294 11784563 mips32_pracc.c:122 wait_for_pracc_rw(): DEBUGMODULE: No memory access in progress!
Error: 16295 11784563 mips_m4k.c:1178 mips_m4k_bulk_write_memory(): Fastdata access Failed
Warn : 16296 11784579 mips_m4k.c:1016 mips_m4k_write_memory(): Falling back to non-bulk write
Debug: 16299 11785594 mips32_pracc.c:122 wait_for_pracc_rw(): DEBUGMODULE: No memory access in progress!
Debug: 16300 11785594 command.c:628 run_command(): Command failed with error code -107
User : 16301 11785594 command.c:666 command_run_line(): in procedure 'mww'


I tested several initialization scripts, different timings on registers 0x10000300 SDRAM_CFG0 0x10000304 SDRAM_CFG1 and 0x10000308 FLASH_CFG0 with no success.

I think there is little chance of the problem being a configuration thing and more chance of it being physically damaged components, probably from electrical or temperature problems.


Serial console always outputs :

Code:
U-boot Ver:1.0.1.2 2009/09/24


Board: Ralink APSoC DRAM:  16 MB  1*16 MB
shimbo
DD-WRT Novice


Joined: 14 Dec 2014
Posts: 6

Posted: Thu Dec 18, 2014 4:51
Thanks a lot for the tips Pilber, I'll give it a try next weekend.
It took me like 2 hours to write the first post; I apologize for the grammar errors (I was in a hurry to finish it lol).
Indeed, the amount of time/effort to fix this is not worth the price of the equipment; I am doing it because I want to learn and because the challenge seems interesting.
I am an electronics engineer and currently I am developing embedded software for an ARM based processor (STM32) so fooling around the router has been useful to understand other systems.

Regards
shimbo
DD-WRT Novice


Joined: 14 Dec 2014
Posts: 6

Posted: Thu Dec 18, 2014 5:04
pilber: Which jtag probe are you using? j-link as me, parallel port? Maybe you could try to decrease the probe's clock to see if you can increase read/write stability.

Since you have some intermittent failures (sometimes the write/read is ok, others it fails) it could be some bad electrical contact between the jtag header/cable/probe.

Another thing you can try to do is verify if there are non populated resistors close to the jtag header, they might be pull-up or pull-down resistors. If it's the case you can try to solder 10k ohms resistors (my router has some pull ups of 4.7k ohms, anything greater than 1k should be ok I think) These resistors are used to increase signal integrity, although if you decrease the clock it should help too.

If none of these work, it's probably a bad chip, in which case you are screwed.

Regards
pilber
DD-WRT Novice


Joined: 27 Aug 2012
Posts: 18

Posted: Thu Dec 18, 2014 13:02
Thanks Shimbo

It is the same for me about writing time and grammar; even in Spanish (I'm from Argentina) simple emails would take some time to write.
I am Systems Engineer mainly involved in software development, desktop, web and mobile, but also network infrastructure and web/mail server maintenance, and Electronics enthusiast. I took this as a research too. I did interesting appliances with these routers, print server (android clients), openvpn clients, usb over ip (for this I finally used ready packed firmware).

I use the parallel port with self made cables, in wiggler and dlc5 variants, both with same results. It is difficult to get tools here.

I’m not very familiar with populating resistors, only if I follow a clear guide and get the components (not so easy). The board is like this http://www.dd-wrt.com/phpBB2/files/dscf0002_168.jpg and the pinout is this http://www.jtagtest.com/pinouts/ejtag. I soldered “L” pin headers on the surface. All pins were tested individually (strength of solder, ohms resistance unpowered, voltage when powered on). The picture shows some resistors and one capacitor, and just one free place near the JTAG header if I am not wrong. I did not test anything on that place.

Because of the lack of some pin headers I did not connect all ground pins (2, 4, 6, 8), just 10. I understand there is a risk of interference (http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.faqs/ka13407.html find “strictly”).

Several flash backups made with zjtag and brJtag present no differences (binary compare with “fc /b”), which brings me to think the interface was OK, but who knows, it might not be. It also brings me to think it was an openocd configuration (i.e. jtag_rclk or adapter_khz) or timings issue (router config). I tested many possibilities already (jtag_rclk 500, 250; adapter_khz 0, 1, 100, 500, 1000, 3000, 53000; register 0x10000300 0xd1825272 & 0xd1825282; register 0x10000304 0xe0120300 0xe0120600 0xe1110600 as seen in some rt3050.cfg files on the Internet, and also lower and higher values).

The script tool “memTestAddressBus 0x80000000 0x10000” tests OK at 0x80000000, 0x80000200, 0x80000400, 0x80000800 and always fails on 0x80001000. If you write and read that particular address you get the right value; if you write (mww) some addresses like 0x80001000 0x80002000 0x80004000 0x80008000 and then read (mdw), you could get fine ones and wrong others. What do you think it could be?

Regards
pilber
DD-WRT Novice


Joined: 27 Aug 2012
Posts: 18

Posted: Thu Dec 18, 2014 13:14
The smile in the previous post was a reference to pin 8 that was changed automatically by the message renderer, but it can also be interpreted as how I feel for not connecting those pins 8)
shimbo
DD-WRT Novice


Joined: 14 Dec 2014
Posts: 6

Posted: Thu Dec 18, 2014 18:21
If I understood correctly, your router is based on the Ralink RT3050, as is mine.
From the chip datasheet: http://www.tracermcc.ru/foto/bender/RT3050_5x_V2.0_081408_0902.pdf

Check the memory map for the device: its greatest valid address is 0x1FFFFFFF, so you might be writing in wrong memory areas (maybe configuration registers that can have bits that are read-only).
If my hypothesis is right, that would explain why the write/read cycle fails, since some bits will not change with the write.
If you are using OpenOCD, the 1st thing to do is verify if you have a NOR or NAND memory, since in OpenOCD there are different flash commands depending on the memory type.
pilber
DD-WRT Novice


Joined: 27 Aug 2012
Posts: 18

Posted: Fri Dec 19, 2014 11:49
Hi
It should be the same SoC, although registers 0x10000000 and 0x10000004 contain the string ‘RT3352’ instead of ‘RT3052’ as stated in the datasheet. The datasheet is superb, as are the features of the SoC. I used it very frequently before. I wonder if there exists an RT3350/52 version.

As I mentioned in my first post, some blocks of addresses seem to be mapped to the same physical address: 0x1fc00000, 0xbf000000, 0x1bf00000, 0x1f000000 all refer to the start of the flash address. The same goes for several SDRAM addresses. You can write on 0x80000000 and read that value on 0x20000000 or on 0.
shimbo
DD-WRT Novice


Joined: 14 Dec 2014
Posts: 6

Posted: Fri Dec 19, 2014 18:03
The assumption that a write on address 0x20000000 is the same as a write on address 0x00000000 can be false. I saw some chips where if you try to access an address greater than a threshold, it will always redirect the access to external flash. Since I didn't find any info indicating the expected behaviour in this scenario, I think it would be best not to try to access addresses not specified by the device's memory map.
One test that can be made is to try to write/read the external flash in a sequence where you modify only 1 address bit per iteration (i.e. 0x00000000, 0x00000001, 0x00000002, 0x00000004, etc.); this way you can identify a possible pin soldering problem or a faulty memory region.
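
Added example (not from the thread): the one-address-bit-per-iteration test described above, run against a simulated memory so it works without hardware. `FaultyBus` and `walking_address_test` are hypothetical names, and the stuck address line at bit 12 is a constructed fault.

```python
BASE_TAG = 0xAAAAAAAA    # pattern written to the base address
PROBE_TAG = 0x55555555   # pattern written to the address with one bit flipped


class FaultyBus:
    """Constructed model of a memory whose address line `stuck_bit` is stuck.

    With a stuck line, two different CPU addresses select the same cell,
    which is how a cold solder joint or a shorted pin shows up in practice.
    """

    def __init__(self, stuck_bit=None, stuck_level=0):
        self.cells = {}
        self.stuck_bit = stuck_bit
        self.stuck_level = stuck_level

    def _phys(self, addr):
        # Address that actually reaches the memory chip.
        if self.stuck_bit is None:
            return addr
        mask = 1 << self.stuck_bit
        return addr | mask if self.stuck_level else addr & ~mask

    def write(self, addr, value):
        self.cells[self._phys(addr)] = value & 0xFFFFFFFF

    def read(self, addr):
        return self.cells.get(self._phys(addr), 0)


def probe_addresses(base, bits):
    """Addresses that differ from `base` in exactly one address bit."""
    return [base ^ (1 << bit) for bit in bits]


def walking_address_test(bus, base, bits):
    """Return the address bits whose toggling aliases onto the base cell.

    For each bit: write one pattern to `base`, a different pattern to the
    address with only that bit flipped, then read both back. If either
    location lost its pattern, that address line is suspect.
    """
    suspects = []
    for bit, probe in zip(bits, probe_addresses(base, bits)):
        bus.write(base, BASE_TAG)
        bus.write(probe, PROBE_TAG)
        if bus.read(base) != BASE_TAG or bus.read(probe) != PROBE_TAG:
            suspects.append(bit)
    return suspects


if __name__ == "__main__":
    base = 0x80000000            # example base; bits under test must be 0 here
    bits = list(range(1, 16))    # skip bit 0: a 16-bit bus has no A0 line
    for name, bus in [
        ("healthy", FaultyBus()),
        ("bit 12 stuck low", FaultyBus(stuck_bit=12, stuck_level=0)),
        ("bit 12 stuck high", FaultyBus(stuck_bit=12, stuck_level=1)),
    ]:
        print(f"{name}: suspect address bits {walking_address_test(bus, base, bits)}")
```

On real hardware the `write` and `read` calls correspond to single-word accesses issued through the debugger, one address at a time.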
pilber
DD-WRT Novice


Joined: 27 Aug 2012
Posts: 18

Posted: Tue Dec 23, 2014 0:19
Hi,
When I try to write to address 0x00000000 and then read it again, it shows 0, not the value written. The same for several values I tested. Only in the range from 0x80000000 to 0x8FFFFFFF can written values be read next, but writing fast to several positions in that range and reading them next, you get wrong values (0x0) on some positions. Writing that specific position and reading it alone, you get the correct value. Other regions seem to cycle on flash positions.

If you query registers with reg you can see the PC interrupting on 0x8xxxxxxx when you halt the target. Halting several times gets different addresses but starting on 0x8.. . Reading the contents of those addresses gives 0x0. If you do “resume 0x1fc00000” (flash start) you get output on the serial console (the two lines I mentioned in the previous post “u-boot 1.0.1.2”...)

The flash is MX29LV320DTTI-70G. This is the product page http://www.macronix.com/en-us/Product/Pages/ProductDetail.aspx?PartNo=MX29LV320D%20T/B with links to the datasheet and other documents like migrating to newer versions and migrating from Spansion. It also links to a Low Level Driver which is a small code where you could see how it implements the CFI query algorithm.

Did you test zjtag with your router?
shimbo
DD-WRT Novice


Joined: 14 Dec 2014
Posts: 6

Posted: Tue Dec 23, 2014 17:02
That is a very odd behavior.
Addresses from 0x00000000 up to 0x03FFFFFF are mapped to SDRAM. If you cannot write/read these addresses maybe your RAM chip is damaged.
Are you able to write/read on config registers like 0x10000010 (SYSCFG, offset 0x10 from 0x10000000)?

I tried to use zjtag but I was unable to make it work with my jtag probe (segger j-link EDU). In the zjtag website it is written that they support it but when I ran your command line to use this probe, it shows an error message: "cannot load libusb library". I checked your command and it seems to be ok.

I looked for instructions on how to use my probe with zjtag but I didn't find them anywhere.

I analysed the zjtag source code and it tries to load the dll "libusb0.dll" which is not present in the program's directory; I suspect that it uses the same USB driver as OpenOCD (libusb-1.0), so I copied the file libusb0.dll from OpenOCD to the zjtag directory but it didn't work (no error message this time, it simply exits without doing anything).
I recompiled the source code with Visual Studio 2012 C++, both for x86 and x64 architectures, taking care to use the appropriate dll for each architecture (I am running Windows 8 x64). Since OpenOCD works, it is clearly a bug in zjtag.

I will try to post this problem at the zjtag forums to check if there is a workaround and/or if I am using the right dll; nonetheless, if you have any suggestions I would appreciate them.

BTW, I loaded a U-Boot kernel in RAM and ran it (using OpenOCD) but I didn't manage to put the router in recovery mode by pressing the reset button. I will try to connect a serial probe to see if there is any reaction when I do this.
dulluj
DD-WRT Novice


Joined: 24 Dec 2014
Posts: 7

PostPosted: Wed Dec 24, 2014 21:05    Post subject: Reply with quote
Hello All,

I am new here, but in the same boat!
I bricked my router a few days back.
The router is an Aztech - hw550-3g.
Ralink RT3052 based with Spansion Flash.
I tried to debrick it with many tools but find it difficult to get the rt3052 config and the Spansion Flash config at the same time or in the same utility. I will post details soon.
Good night.
pilber
DD-WRT Novice


Joined: 27 Aug 2012
Posts: 18

PostPosted: Mon Dec 29, 2014 15:12    Post subject: Reply with quote
Welcome Dulluj. Thank you for joining us. I am glad you want to share your experience. Tell us if we can help.

Regards.
pilber
DD-WRT Novice


Joined: 27 Aug 2012
Posts: 18

PostPosted: Mon Dec 29, 2014 15:21    Post subject: Reply with quote
Shimbo,
Did you get support from the forums? Did the serial console help?

I don’t have any USB JTAG probes, only parallel. But I could say that URJTAG didn’t run after downloading and installing it. It complained about libusb0.dll. Then I copied libusb0.dll and libusb-1.0.dll from the OpenOCD-0.6.1\bin folder to the URJTAG folder, and the next complaint was about ftd2xx.dll. Then I copied libftdi.dll and had to rename it to ftd2xx.dll, and finally the URJTAG Shell opened and I could send commands and get responses from the parallel JTAG. UrJtag comes with inpout32.dll already in its program folder. I don’t know if it is necessary, but did you try to register the dll with regsvr32? You could also try to run it on a 32bit virtual machine or on another win32 pc.

About my router, it could be something related to the ram chip as you said. The first range seems read only. But 0x80000000 is r/w (but fails on repeated accesses). Where could that range be stored if not in RAM? U-Boot appears to use it in the 0x8* range. Serial output from a same-hardware working router is:
Quote:
U-Boot 1.1.3 (Nov 10 2008 - 10:10:57)
Board: Ralink APSoC DRAM: 16 MB
relocate_code Pointer at: 80fa8000
The MANUFACT ID =000000C2
The Flash ID =000022A7
Set info->start[0]=BFC00000
flash_protect ON: from 0xBFC00000 to 0xBFC24DA7
protect on 0
protect on 1
protect on 2
flash_protect ON: from 0xBFC30000 to 0xBFC3FFFF
protect on 3
============================================
Ralink UBoot Version: 3.1
--------------------------------------------
ASIC 3050_MP1 (MAC to GigaMAC Mode)
Product Name: ESR-9753
DRAM COMPONENT: 128Mbits
DRAM BUS: 16BIT
Total memory: 16 MBytes
Flash: 4 MBytes
Date:Nov 10 2008 Time:10:10:57
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:128, ways:4, linesz:32 ,total:16384
##### The CPU freq = 320 MHZ ####
SDRAM bus set to 16 bit
SDRAM size =16 Mbytes
SDRAM CAS = 3(d1835272)


The OpenOCD RT3050.CFG file appears to use that range too. The one you linked in your first post at 8devices has work_area_phys set to the 0x8* range.

Another thing that doesn’t work is the CFI mode. Flash addresses can be read but not written. CFI commands issued manually don’t work. On another working router they do, even with ddwrt running.

SoC registers that are r/w can be written and the new value read back without any problem. Especially the internal 4KB boot SRAM located in USB OTG (0x101E_0000 – 0x101E_3FFF). I ran the OpenOCD memTest script on it and it passed correctly.

The register you mentioned, 0x10000010 SYSCFG, is mostly r/o and w/o, but it is interesting what it does. I tested writing several values to it. Especially the TEST_CODE[7:0] bootstrap signal. Some values turn on some lights (the router starts with only two steady lights). Another (0x10) resets the router (the serial console shows the uboot first two lines again) and all registers reset to their default values.
Quote:
> mdw 0x10000010
0x10000010: 01400000
> mww 0x10000010 0x01401000
in procedure 'mww'
> halt
Halt timed out, wake up GDB.
timed out while waiting for target halted
in procedure 'halt'
> halt
target state: halted
target halted in MIPS32 mode due to debug-request, pc: 0x80000180
> mdw 0x10000010
0x10000010: 01400000


What I would like to know, if you could help me, is how I could set the bootstrap to boot from ROM just to test it. ROM mode uses the internal SRAM from USB OTG, which works. If it could be done by setting the TEST_CODE vector it would be simpler, but if it has to be done by hardware modification I would like to know how to do it. It has to have the MA9/MA8 address lines set to 1. I did some research but only found this unanswered question from another person: https://forum.openwrt.org/viewtopic.php?id=38546 and other hardware mods to enlarge RAM from 16 to 32 MB and from 32 to 64, adding one chip on the unpopulated memory bank or replacing the existing one (and recompiling/replacing u-boot and kernel).

I wonder if instead of having to use resistors they couldn’t design the SoC with some non-volatile EEPROM registers for bootstrap purposes.
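An added example, not part of any post in this thread: a short Python script that parses the U-Boot lines quoted above and decodes their addresses with the standard MIPS32 fixed segments, which is why 0x8* (kseg0) and 0xBFC* (kseg1) addresses resolve to low physical addresses. It assumes a TLB-based MIPS32 core; the function names are hypothetical and the sample log is copied from the quoted output.

```python
import re

# Constructed sample: lines copied from the U-Boot output quoted in the post above.
BOOT_LOG = """\
relocate_code Pointer at: 80fa8000
The MANUFACT ID =000000C2
The Flash ID =000022A7
Set info->start[0]=BFC00000
flash_protect ON: from 0xBFC00000 to 0xBFC24DA7
flash_protect ON: from 0xBFC30000 to 0xBFC3FFFF
"""

def mips32_segment(vaddr):
    """Map a 32-bit virtual address to (segment, physical address or None)."""
    if vaddr < 0x80000000:
        return ("kuseg", None)                # translated by the TLB, no fixed mapping
    if vaddr < 0xA0000000:
        return ("kseg0", vaddr - 0x80000000)  # unmapped, cached
    if vaddr < 0xC0000000:
        return ("kseg1", vaddr - 0xA0000000)  # unmapped, uncached
    return ("kseg2/3", None)                  # translated by the TLB

def _hex_field(pattern, text):
    """Return the first hex capture of pattern as an int, or None if absent."""
    m = re.search(pattern, text)
    return int(m.group(1), 16) if m else None

def parse_boot_log(text):
    """Extract flash IDs, flash base and protected ranges from U-Boot output."""
    info = {
        "manufacturer_id": _hex_field(r"MANUFACT ID\s*=\s*([0-9A-Fa-f]+)", text),
        "device_id": _hex_field(r"Flash ID\s*=\s*([0-9A-Fa-f]+)", text),
        "flash_base": _hex_field(r"info->start\[0\]\s*=\s*([0-9A-Fa-f]+)", text),
        "relocate": _hex_field(r"relocate_code Pointer at:\s*([0-9A-Fa-f]+)", text),
        "protected": [],
    }
    base = info["flash_base"]
    for m in re.finditer(r"flash_protect ON: from 0x([0-9A-Fa-f]+) to 0x([0-9A-Fa-f]+)", text):
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        if base is None or start < base or end < start:
            continue                          # skip ranges that cannot be placed in flash
        info["protected"].append((start - base, end - start + 1))  # (offset, size)
    return info

if __name__ == "__main__":
    info = parse_boot_log(BOOT_LOG)
    print("flash IDs: %02X / %04X" % (info["manufacturer_id"], info["device_id"]))
    for name in ("relocate", "flash_base"):
        print(name, "0x%08X" % info[name], mips32_segment(info[name]))
    for offset, size in info["protected"]:
        print("protected: offset 0x%06X, %d bytes" % (offset, size))
```

Manufacturer ID 0xC2 is the JEDEC code for Macronix, which matches the MX29LV320D part named earlier in the thread; the protected ranges come out as flash offsets, so they can be compared directly against a flash dump.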