Posted: Sun Nov 11, 2012 21:14 Post subject: [SOLVED] Need help debricking my RT-N66U
Hi
So it seems my N66 has been bricked after a CFE flash! At first I was v. pissed then I remembered that I had bought a parallel kit (Tornado's) a couple of years back as backup but had actually never utilized it.
After a couple of hours of going through old computer hardware boxes in the garage, I finally found my N66's savior - pic attached. However, there was one problem - I had no parallel interface available to use and so after several more hours of dirt, grime, dust and a couple of red bulls I managed to put together a working pc with a parallel interface and with debian 6.0.6 running on it... Oh, the old ways and days
Anyway, so now that I am ready to begin the surgical (technical) procedure of debricking my N66, I was wondering if a good samaritan can point me in the right direction of what I need to know/use in terms of:
Links are in peacock announcement, note 6. You might have to search for pinout for that router if it has a jtag port.... _________________ SIG:
I'm trying to teach you to fish, not give you a fish. If you just want a fish, wait for a fisherman who hands them out. I'm more of a fishing instructor.
LOM: "If you show that you have not bothered to read the forum announcements or to follow the advices in them then the level of help available for you will drop substantially, also known as Murrkf's law.."
Links are in peacock announcement, note 6. You might have to search for pinout for that router if it has a jtag port....
Thanks Murrkf - I read the post, tried the recommendations (of which none resulted in anything positive), soldered the pins to the board's JTAG (J2) with the following wiring layout:
Y2 (TMS) --> PIN 7 on N66U-J2
Y3 (TCK) --> PIN 9 on N66U-J2
Y4 (TDI) --> PIN 3 on N66U-J2
A8 (TDO) --> PIN 5 on N66U-J2
GND --> PIN 2 on N66U-J2
CPU Chip ID: 00000000000000000000000000000000 (00000000)
*** Unknown or NO CPU Chip ID Detected **
*** Possible Causes:
1) Device is not Connected.
2) Device is not Powered On.
3) Improper JTAG Cable.
4) Unrecognized CPU Chip ID.
Ran ./tjtag3 -probeonly /skipdetect with output
Code:
Probing bus ... instruction_length 0
Done
Instruction Length set to 0
CPU Chip ID: 00000000000000000000000000000000 (00000000)
*** CHIP DETECTION OVERRIDDEN ***
- EJTAG IMPCODE ....... : 00000000000000000000000000000000 (00000000)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS32
Intial value of Control register is 0000000C
Intial value of status register is 000000FE
11111110 (000000FE)
Status bit 7 Busy Inverted pin 11 = 0
Status bit 6 *Ack pin 10 = 1
Status bit 5 Paper-out pin 12 = 1
Status bit 4 Select pin 13 = 1
Status bit 3 *Error pin 15 = 1
* means low = true, e.g., *Error
VCC connected
values of Control register after init 0x0000000C
value of status register after init 0x000000FE
system reset complete
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor did NOT enter Debug Mode!> ... Done
Init PrAcc ... Skipped
Clearing Watchdog ... Done
Enter Flash Probe
Probing Flash at (Flash Window: 0x1fc00000) ...
Enter SPI Flash Probe
Enter SPI Flash Probe
Enter SPI Flash Probe
Enter SPI Flash Probe
Done
*** Unknown or NO Flash Chip Detected ***
*** REQUESTED OPERATION IS COMPLETE ***
I was able to back up the kernel, cfe, nvram but was unable to erase or flash the original CFE, NVRAM or KERNEL.
Code:
Probing bus ... instruction_length 0
Done
Instruction Length set to 0
CPU Chip ID: 00000000000000000000000000000000 (00000000)
*** CHIP DETECTION OVERRIDDEN ***
- EJTAG IMPCODE ....... : 00000000000000000000000000000000 (00000000)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS32
Intial value of Control register is 0000000C
Intial value of status register is 000000FE
11111110 (000000FE)
Status bit 7 Busy Inverted pin 11 = 0
Status bit 6 *Ack pin 10 = 1
Status bit 5 Paper-out pin 12 = 1
Status bit 4 Select pin 13 = 1
Status bit 3 *Error pin 15 = 1
* means low = true, e.g., *Error
VCC connected
values of Control register after init 0x0000000C
value of status register after init 0x000000FE
system reset complete
Have you confirmed whether that router is supported by jtag?
I was able to erase / flash the original cfe using fc:149 (Macronix 32MB) vs fc:92/93 (Spansion 32MB) - however, the router failed to boot properly... I find it strange that only three leds are dimly lit and the power/lan3,4 haven't lit since the CFE flash.
Can you confirm whether the kernel can be restored through CFE so that I may focus my efforts on the CFE recovery?
I also ordered the latest TUMPA board to use with zjtag to see if I could recover the unit... tjtag (windows32 3.0.2.1) appears to be more stable than the linux version, which is why I decided to use windows 7 x86 arch for restoration/debricking...
I am now considering a new wifi router - any recommendations on the current best available unit in the market?
Detected IR chain length = 0
Number of device(s) = 0
Probing bus ... instruction_length 0
Done
Instruction Length set to 0
CPU Chip ID: 11111111111111111111111111111111 (FFFFFFFF)
*** CHIP DETECTION OVERRIDDEN ***
- EJTAG IMPCODE ....... : 11111111111111111111111111111111 (FFFFFFFF)
- EJTAG Version ....... : Unknown (7 is a reserved value)
- EJTAG DMA Support ... : No
- EJTAG Implementation flags: R3k DINTsup ASID_8 ASID_6 MIPS16 NoDMA MIPS64
*** DMA Mode Forced On ***
Intial value of Control register is 000000CC
Intial value of status register is 0000007E
01111110 (0000007E)
Status bit 7 Busy Inverted pin 11 = 1
Status bit 6 *Ack pin 10 = 1
Status bit 5 Paper-out pin 12 = 1
Status bit 4 Select pin 13 = 1
Status bit 3 *Error pin 15 = 1
* means low = true, e.g., *Error
VCC connected
values of Control register after init 0x000000CC
value of status register after init 0x0000007E
system reset complete
Detected IR chain length = 32
Number of device(s) = 1
IDCODE for device 1 is 0x000C317F
Idcode 0x000c317f IR Length 32
Probing bus ... instruction_length 32
Done
Instruction Length set to 32
CPU Chip ID: 00000000000000000000000000000000 (00000000)
*** CHIP DETECTION OVERRIDDEN ***
- EJTAG IMPCODE ....... : 00000000000000000000000000000000 (00000000)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS32
*** DMA Mode Forced Off ***
Intial value of Control register is 000000CC
Intial value of status register is 0000007F
01111111 (0000007F)
Status bit 7 Busy Inverted pin 11 = 1
Status bit 6 *Ack pin 10 = 1
Status bit 5 Paper-out pin 12 = 1
Status bit 4 Select pin 13 = 1
Status bit 3 *Error pin 15 = 1
* means low = true, e.g., *Error
VCC connected
values of Control register after init 0x000000CC
value of status register after init 0x0000007F
system reset complete
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor did NOT enter Debug Mode!> ... Done
Init PrAcc ...
I had already gone over the source code and have been in contact with Tornado (who couldn't assist as he didn't have the RT-N66U) - tried using tjtag, brjtag and zjtag with mixed results. From all the testing I have been doing, I can confirm that zjtag supports the spansion flash chip - http://components.arrow.com/part/detail/43432630S9438540N3310 (placed an order for a couple of those chips - jic) and I was able to delete and flash the flash chip with the brjtag tool... the key is in the type and length of connection (unbuffered vs buffered - sub 10cm).
I was able to get the router out of whatever sleep mode it was in and had the power and usb lights turn on with activity on the wan leds, confirmed by wireshark, but I was still unable to ping the 192 gateway.
A power reboot didn't help either as it resulted in the router going back into deep sleep.
I am waiting on the Tumpa board I ordered yesterday and will report back with more findings.
It is only Tornado who can add support for 4706 in tjtag so you have to contact him at his tjtag web.
Trying to skip cpu detection will take you nowhere and whatever you backed up does not contain any valid data. _________________ Kernel panic: Aiee, killing interrupt handler!
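The probe logs in this thread show chip IDs of 00000000 and FFFFFFFF, and one IDCODE of 0x000C317F. As an added example (not part of the thread, and not code from tjtag, brjtag or zjtag), this C program applies the standard IEEE 1149.1 sanity check to a captured IDCODE before any dump or flash is trusted; the type and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields of an IEEE 1149.1 IDCODE word. */
typedef struct {
    unsigned version;      /* bits 31..28 */
    unsigned part;         /* bits 27..12 */
    unsigned manufacturer; /* bits 11..1 (JEP106 code) */
} idcode_fields;

typedef enum { ID_VALID, ID_STUCK_LOW, ID_STUCK_HIGH, ID_MALFORMED } id_status;

/* Classify a captured IDCODE; fill *out only when the word is plausible. */
id_status classify_idcode(uint32_t raw, idcode_fields *out)
{
    if (raw == 0x00000000u) return ID_STUCK_LOW;  /* TDO never went high */
    if (raw == 0xFFFFFFFFu) return ID_STUCK_HIGH; /* TDO floating or pulled up */
    if ((raw & 1u) == 0u)   return ID_MALFORMED;  /* IDCODE bit 0 is always 1 */
    out->version      = (raw >> 28) & 0xFu;
    out->part         = (raw >> 12) & 0xFFFFu;
    out->manufacturer = (raw >> 1)  & 0x7FFu;
    if (out->manufacturer == 0x07Fu) return ID_MALFORMED; /* reserved value */
    return ID_VALID;
}

const char *status_text(id_status s)
{
    switch (s) {
    case ID_VALID:      return "plausible IDCODE";
    case ID_STUCK_LOW:  return "all zeros: no device answering on TDO";
    case ID_STUCK_HIGH: return "all ones: TDO floating or pulled high";
    default:            return "malformed: not a legal IDCODE";
    }
}

int main(void)
{
    /* The three values that appear in the thread's probe output. */
    const uint32_t samples[] = { 0x00000000u, 0xFFFFFFFFu, 0x000C317Fu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        idcode_fields f = { 0, 0, 0 };
        id_status s = classify_idcode(samples[i], &f);
        printf("0x%08lX -> %s\n", (unsigned long)samples[i], status_text(s));
        if (s == ID_VALID)
            printf("  version=0x%X part=0x%04X manufacturer=0x%03X\n",
                   f.version, f.part, f.manufacturer);
    }
    return 0;
}
```

A reading that fails this check means the scan chain is not talking to the chip, so any memory read taken in that state reflects the cable, not the flash.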
I figured that out after opening up some of the backup files I was able to generate (blanks) - glad I have the original bootloader on hand.
Can you confirm if cpu support is required for erases / flashes (uploads)? I am a bit surprised that current available tools lack support for the 4706 chip when they readily support >4706<.
If I am unable to resurrect the unit then I'll just donate it to Tornado and the community.
Can you confirm if cpu support is required for erases / flashes (uploads)? I am a bit surprised that current available tools lack support for the 4706 chip when they readily support >4706<.
Cpu support is needed for any operation, you can not even erase flash without it.
4706 is a new cpu even though there are others in the same family with slightly higher numbers.
Posted: Thu Nov 15, 2012 13:44 Post subject:
/byte_mode = 8 bit bus.
Using tjtag and a wiggler (parallel port), it takes almost 3 hours to flash a cfe.
I would like to suggest that you consider sending your rt-n66u to Tornado (Tornado is now in the US).
Tornado, myself, and Dark_Shadow were planning on working on adding jtag support for this router.
Tornado & I never were online at the same time. Dark_Shadow & Tornado did work on it but tmk, it was never finished.
It is difficult at best for Tornado to add support for a router he does not have in front of him for obvious reasons.
Posted: Wed Dec 19, 2012 11:55 Post subject: Success @ last!!
Hey guys
Just thought I'd share with you all that I have successfully resurrected my bricked RT-N66U (Bad CFE Flash) using a combination of jtag software, some pretty nifty reverse engineering, JTAG/Serial terminals (J2/J1), and loads of patience!!
Edit: I'll update this post with a link to a "How-to unbrick the RT-N66U" guide soon.
In the meantime, do not attempt to short the #RESET(p14) or #OE(p34) pins on the spansion flash chip. There is hope!