The theory that the jtag pins have been swapped is, in my opinion, a bit far-fetched.
The mfgr uses professional jtag equipment which usually comes with a ribbon cable and a pogo pin header and they don't want to re-wire it for one certain router model.
Swapping the pins does not add any higher level of security (it is not difficult to figure it out) and it would only create a "non-standard" problem for themselves.
Input signals (TDI, TMS, and TCLK) have pullups to Vcc, usually 5-10 Kohm (weak pullup); nTRST is pulled down to ground by 500ohm-1Kohm (strong pulldown).
TDO is, as mentioned in Dark_Shadow's link, neither pulled down nor pulled up; it is undefined (floating).
TDO and nTRST should be easy to find with a multimeter and if they are in the correct place then you can be sure the other 3 pins are also where they should be.
Posted: Sat Aug 04, 2012 14:34 Post subject:
I and a couple of other sources agree with you; however, the author of zJTAG is insisting otherwise. Just want to cover all the bases. Especially since the PCB traces aren't visible.
@BW, can you post your -probeonly with the pinouts of the first post?
Posted: Sat Aug 04, 2012 16:52 Post subject:
Dark_Shadow wrote:
I and a couple of other sources agree with you; however, the author of zJTAG is insisting otherwise. Just want to cover all the bases. Especially since the PCB traces aren't visible.
@BW, can you post your -probeonly with the pinouts of the first post?
I did.. all ffff's but as said, it did change the behavior of the leds so it is doing something. I believe the pinouts in the 1st post are correct. The software just needs a little work.
I agree with LOM. It would make no sense for the oem to change the jtag pinout from standard, or at least diff from their other routers.. case in point, the n16 uses the same pinout.
I was just taking a break from a project at home (ejector pump.. ick ) to see if there were any new developments in this thread.
Posted: Sat Aug 04, 2012 18:47 Post subject:
Dark_Shadow wrote:
barryware wrote:
Dark_Shadow wrote:
@BW, can you post your -probeonly with the pinouts of the first post?
I did..
I went back through the thread and didn't see the post, did I miss something?
the very 1st post. I didn't post a screen shot or capture.. no need, I explained it.. all ff's in regard to the processor id.
removing the sd card didn't change anything. I am certain that the pinout is correct as posted in the 1st post of this thread.
1). I don't think asus would change the pinout of this router vs the other routers they build.
2). this is the only connection config that changed the status of the led's when doing a probeonly with jtag (tjtag).
I'm just trying to get jtag working in case flashing the rt-ac66 to this router doesn't turn out right. As we know, you do not need jtag to flash a cfe to a working router. but if doing so leaves the router inoperable, then jtag will be needed to flash the original cfe back.
besides.. this is fun..
Posted: Sun Aug 05, 2012 11:33 Post subject:
Sample RT-N66U JTAG Runs Using Tiao Universal JTAG Parallel Port Adapter And
TJTAG302RC2-1 Software On Windows XP PC
Wiring:
1.) Standard MIPS EJTAG
2.) Vref and nTRST not needed
Instructions:
1.) Type in command at the prompt but don't press enter.
2.) Power off router.
3.) Power on router and the instant that all leds flash press enter. Timing is somewhat critical.
4.) To execute another command follow steps 1 to 3 above.
Intial value of Control register is 000000EC
Intial value of status register is 0000007F
01111111 (0000007F)
Status bit 7 Busy Inverted pin 11 = 1
Status bit 6 *Ack pin 10 = 1
Status bit 5 Paper-out pin 12 = 1
Status bit 4 Select pin 13 = 1
Status bit 3 *Error pin 15 = 1
* means low = true, e.g., *Error
VCC connected
values of Control register after init 0x000000EC
value of status register after init 0x0000007F
system reset complete
Detected IR chain length = 32
Number of device(s) = 1
idcode 0x000c317f 32
Probing bus ... Done
Instruction Length set to 5
CPU Chip ID: 00000000000011000011000101111111 (000C317F)
*** Unknown or NO CPU Chip ID Detected ***
*** Possible Causes:
1) Device is not Connected.
2) Device is not Powered On.
3) Improper JTAG Cable.
4) Unrecognized CPU Chip ID.
Intial value of Control register is 000000EC
Intial value of status register is 0000007F
01111111 (0000007F)
Status bit 7 Busy Inverted pin 11 = 1
Status bit 6 *Ack pin 10 = 1
Status bit 5 Paper-out pin 12 = 1
Status bit 4 Select pin 13 = 1
Status bit 3 *Error pin 15 = 1
* means low = true, e.g., *Error
VCC connected
values of Control register after init 0x000000EC
value of status register after init 0x0000007F
system reset complete
Detected IR chain length = 32
Number of device(s) = 1
idcode 0x000c317f 32 <=== Processor ID
Probing bus ... Done
Instruction Length set to 0
CPU Chip ID: 00000000000000000000000000000000 (00000000)
*** CHIP DETECTION OVERRIDDEN ***
- EJTAG IMPCODE ....... : 00000000000000000000000000000000 (00000000)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS32
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... DMA Read Addr = FF300000 Data = (FFFFFFFF)ERROR ON READ
DMA Write Addr = FF300000 Data = ERROR ON WRITE
Done
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Init PrAcc ... Skipped
Clearing Watchdog ... DMA Write Addr = B8000080 Data = ERROR ON WRITE
Done
DMA Write Addr = 1FC00000 Data = ERROR ON WRITE
DMA Write Addr = 1FC00AAA Data = ERROR ON WRITE
DMA Write Addr = 1FC00555 Data = ERROR ON WRITE
DMA Write Addr = 1FC00AAA Data = ERROR ON WRITE
DMA Read Addr = 1FC00000 Data = (FFFFFFFF)ERROR ON READ
DMA Read Addr = 1FC00002 Data = (FFFFFFFF)ERROR ON READ
DMA Read Addr = 1FC0001C Data = (FFFFFFFF)ERROR ON READ
DMA Read Addr = 1FC0001E Data = (FFFFFFFF)ERROR ON READ
DMA Write Addr = 1FC00000 Data = ERROR ON WRITE
DMA Write Addr = 1FC00AAA Data = ERROR ON WRITE
DMA Write Addr = 1FC00555 Data = ERROR ON WRITE
DMA Write Addr = 1FC00AAA Data = ERROR ON WRITE
DMA Read Addr = 1FC00000 Data = (FFFFFFFF)ERROR ON READ
00000000111111111111111100000000 (00FFFF00)
DMA Read Addr = 1FC00200 Data = (FFFFFFFF)ERROR ON READ
00000000111111111111111111111111 (00FFFFFF)
DMA Read Addr = 1FC00002 Data = (FFFFFFFF)ERROR ON READ
00000000000000001111111111111111 (0000FFFF)
DMA Write Addr = 1FC00000 Data = ERROR ON WRITE
DMA Write Addr = 1FC00AAA Data = ERROR ON WRITE
DMA Write Addr = 1FC00554 Data = ERROR ON WRITE
DMA Write Addr = 1FC00AAA Data = ERROR ON WRITE
DMA Read Addr = 1FC00000 Data = (FFFFFFFF)ERROR ON READ
DMA Read Addr = 1FC00002 Data = (FFFFFFFF)ERROR ON READ
DMA Write Addr = 1FC00000 Data = ERROR ON WRITE
DMA Write Addr = 1FC0AAAA Data = ERROR ON WRITE
DMA Write Addr = 1FC05554 Data = ERROR ON WRITE
DMA Write Addr = 1FC0AAAA Data = ERROR ON WRITE
DMA Read Addr = 1FC00000 Data = (FFFFFFFF)ERROR ON READ
DMA Read Addr = 1FC00002 Data = (FFFFFFFF)ERROR ON READ
DMA Write Addr = 1FC00000 Data = ERROR ON WRITE
DMA Write Addr = 1FC00000 Data = ERROR ON WRITE
DMA Write Addr = 1FC00000 Data = ERROR ON WRITE
DMA Read Addr = 1FC00000 Data = (FFFFFFFF)ERROR ON READ
DMA Read Addr = 1FC00002 Data = (FFFFFFFF)ERROR ON READ
DMA Read Addr = 11300000 Data = (FFFFFFFF)ERROR ON READ
DMA Read Addr = 11300000 Data = (FFFFFFFF)ERROR ON READ
^C <=== Got tired of watching
C:\WINDOWS\system32>
Update:
I think Mr.T has some software work to do!
- Magnetron1.1
Last edited by Magnetron1.1 on Sun Aug 05, 2012 12:13; edited 1 time in total
17F should be BRCM mfgr ID. But strange processor id 000C3? I was expecting something like 04706
Quote:
Yes, timing does matter, from the zjtag options:
Code:
*) When using this utility, usually it is best to type the command line
out, then power up the router, about 0.5 second delay, hit <ENTER>
quickly to avoid bad CFE code lead to <CPU NOT enter Debug mode>
or the CPUs watchdog interfering with the EJTAG operations.
Please note: When using TJTAG with the /skipdetect parameter, unlike zJTAG, you must also use the /instrlen parameter. For example:
Code:
/skipdetect /instrlen:5
Last edited by CT9LFT on Sun Aug 05, 2012 12:36; edited 1 time in total
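Added example, not part of the thread and not code from tjtag or zJTAG: a decoder that splits the IDCODE values reported above into their IEEE 1149.1 fields and flags reads that cannot be a real IDCODE, such as the all-ones result. OBSERVED and ALL_ONES are the readings reported in the posts; EXPECTED is a constructed value built from the "04706" and "17F" figures mentioned above, and all function names are hypothetical.

```python
# Added example: split a 32-bit JTAG IDCODE into IEEE 1149.1 fields.
# Layout: [31:28] version, [27:12] part number, [11:1] manufacturer, [0] = 1.

def decode_idcode(idcode):
    """Return the IDCODE fields plus a status that flags unusable reads."""
    if not 0 <= idcode <= 0xFFFFFFFF:
        raise ValueError("IDCODE must fit in 32 bits")
    if idcode == 0xFFFFFFFF:
        status = "stuck-high"      # TDO never went low: wiring, power or timing
    elif idcode == 0:
        status = "stuck-low"       # TDO held low, or the adapter is not reading it
    elif (idcode & 1) == 0:
        status = "no-idcode"       # bit 0 of a real IDCODE is always 1
    else:
        status = "ok"
    mfr = (idcode >> 1) & 0x7FF    # 11-bit manufacturer field
    return {
        "status": status,
        "version": (idcode >> 28) & 0xF,
        "part": (idcode >> 12) & 0xFFFF,
        "manufacturer": mfr,
        "jep106_continuation": mfr >> 7,  # number of JEP106 continuation codes
        "jep106_code": mfr & 0x7F,        # 7-bit JEP106 code, parity bit dropped
        "low12": idcode & 0xFFF,          # the form quoted in the thread, e.g. 17F
    }

def report(idcode):
    """One-line summary suitable for pasting next to a probe log."""
    d = decode_idcode(idcode)
    if d["status"] != "ok":
        return "0x%08X: %s, not a usable IDCODE" % (idcode, d["status"])
    return ("0x%08X: version %X, part 0x%04X, vendor bits 0x%03X "
            "(continuation %d, code 0x%02X)"
            % (idcode, d["version"], d["part"], d["low12"],
               d["jep106_continuation"], d["jep106_code"]))

OBSERVED = 0x000C317F   # idcode line from the log posted above
ALL_ONES = 0xFFFFFFFF   # the "all ff's" reading reported earlier in the thread
EXPECTED = 0x0470617F   # constructed: part 04706 with vendor bits 17F

if __name__ == "__main__":
    for value in (OBSERVED, ALL_ONES, EXPECTED):
        print(report(value))
```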