Asus RT-AC3200 Flash Procedure and Regulatory Code Patch

ClixTrix
DD-WRT Novice


Joined: 15 Jan 2023
Posts: 4

Posted: Mon Jan 23, 2023 15:10    Post subject: Asus RT-AC3200 Flash Procedure and Regulatory Code Patch
Flash Procedure Background and Analysis:

DD-WRT flash upgrade to Asus RT-AC3200 was originally designed to work from the AsusWRT Firmware Upgrade menu. This method apparently drew upon essential NVRAM customization settings during the upgrade flash. Asus has subsequently changed their firmware to prevent non-certificate, 3rd-Party, firmware loading from the Firmware Upgrade menu. This necessitates a procedure that mimics that method to correctly upgrade from AsusWRT to DD-WRT.

Other methods that incorporate clearing of NVRAM by Hard Factory Reset post-flash were bench tested and found to create unstable results, e.g. LAN/WAN port skewing with port 1 becoming the WAN port, port 2 becoming port 1, etc. Because alternatives produced unstable results, it was concluded that settings drawn from prior use of AsusWRT NVRAM customization were necessary and essential to a successful flash update process and continued use with DD-WRT. The following procedure is a best attempt to duplicate the prior working method.

Flash Procedure Steps:

1. Begin with AsusWRT installed and basic customization, e.g. reset router and simply do the minimum settings for Wireless Router to complete setup ending with the AsusWRT main menu screen. Select REBOOT from top of main menu to complete. This leaves the router with customized AsusWRT settings stored in NVRAM, which are essential for DD-WRT use during upgrade.

2. Upon completion of reboot, power-off the router.

3. Download a select beta version from the DD-WRT build repository to your workstation. DO NOT USE THE EXPERIMENTAL DRIVER BUILDS.

4. Set up a workstation for the flash process using a fixed IP address with 4th octet between 2 and 254 and subnet mask /24 (or 255.255.255.0), e.g. with 250 for 4th octet set address to 192.168.1.250/24. Connect an Ethernet cable between port 1 (or 2, 3, 4, but not WAN port) and workstation. (Note: Recommend not having other devices/cables connected including WAN cable during this process.)

5. Enter the recovery CFE miniWeb Server using the power-on button while holding reset button depressed method. Watch for the transition from solid to alternating Off/On flash by the power light and then release reset. The recovery CFE miniWeb Server screen is accessed from a web browser on workstation at address 192.168.1.1. (Note: Recommend using the Firefox browser, as Chrome/Chromium based browsers are sometimes unstable with the CFE Recovery method.)

6. From CFE recovery screen, use the Browse button to locate and select the DD-WRT file previously downloaded. Once selected, use the Upload Button to initiate flash. Let the flash fully complete and router to reboot - don't interrupt the process. (Note: DO NOT USE the "Restore Default NVRAM Values" on the CFE Recovery screen, or essential NVRAM settings will not be properly converted to use by DD-WRT.)

7. When the Flash is completed, go directly into DD-WRT setup from browser. Further steps for current/past builds with incorrect regulatory codes are outlined below.

DO NOT USE HARD FACTORY RESET (Power-on with WPS button held-down) after flash or for ANY FUTURE USE WITH DD-WRT installed, or necessary NVRAM Customization settings will be dropped. To properly Reset Router to DD-WRT defaults, use the Reset button with powered-up router method or the soft Reset method in DD-WRT Administration settings ONLY. Using the "Reset to Factory Defaults" in DD-WRT Administration Firmware Upgrade is also permitted.

Regulatory Codes Background and Problem Analysis:

Asus utilizes a combination of Regulatory Domain (Region/Country) and Regulatory Code that is passed to the Broadcom wireless driver to achieve correct channel specs and operation for the target Regulatory Domain usage of the router. Over the years, the Regulatory requirements and enforcement have motivated the manufacturer to increased lock-down through changes to the boot loader and wireless drivers. This necessitated the introduction of a more complex combination of codes that operate to lock-in wireless features and functions by Domain, and lock-out manipulation. Legacy code combinations that may have initially provided workable results have been obsoleted and replaced by newer code combinations reflecting stricter regulatory enforcement.

The Asus RT-AC3200 was introduced to the US Market in 2015. A USA router operates with regulatory domain "Q2" and regulatory code "96" as stored codes. Similarly, the European market router operates with domain "E0" and code "989". "Q2" replaced the older country code of "US", and "E0" operating in the European Union replaced older individual country codes, e.g. "DE", "FR", "UK". AsusWRT specifically used the stored codes for wireless operation. The wireless drivers and binary code at introduction and use by DD-WRT were permissive of use of the older country code and regulatory code "0". However, update of drivers and binary over the years has necessitated replacement of older country/regulatory codes with lock-down codes, i.e. combinations US and 0, Q2 and 0, were also observed in bench testing with older DD-WRT beta builds.

Henceforth, the code combinations are expressed in this report as cc/reg, e.g. Q2/96.

Routers manufactured for other markets have unique code combinations that can be obtained by dumping the codes from CFE stored memory. The following commands from a Telnet or SSH session or the Administrative Commands menu from a login session to DD-WRT can obtain the codes:

cat /dev/mtd0ro | grep ccode
cat /dev/mtd0ro | grep regrev

Results of the commands from a USA Market RT-AC3200 produce the following. Note that the three results for each reflect the three wireless radios for this model.

0:ccode=Q2
1:ccode=Q2
2:ccode=Q2

0:regrev=96
1:regrev=96
2:regrev=96

While these codes are stored in the CFE boot loader mtd0ro storage partition, they can be overridden and stored in NVRAM by firmware. The current, in-use codes by firmware can be obtained via commands:

nvram show | grep ccode
nvram show | grep regrev
nvram show | grep country

Results from AsusWRT:

0:ccode=Q2
0:regrev=96
wl0_country_code=Q2
wl0_country_rev=96 ....and so-on for each radio.

An examination of recent build DD-WRT stored NVRAM codes for each of the selectable Wireless Domain settings obtained the following list:

United States ( Q2/992 )
Canada ( Q2/992 )
Europe* ( E0/962 )
Australia ( AU/8 )
China ( CN/65 )
Japan ( JP/72 )
Singapore ( SG/994 )
Taiwan ( TW/990 )
Brazil ( BR/23 )
Korea ROK ( KR/982 )
Russian Fed. ( RU/993 )
Lao PDR ( LA/6 )
*Also includes selectable Euro Countries Germany/France/UK/Spain/Italy/Netherlands

It was noted in testing that specific Domains, e.g. South Africa, which have regulatory requirements and import/sales of the RT-AC3200 were missing from the list.

One test of a code combination's effect on the wireless driver is obtained by use of the following command to obtain channel specs.

wl -i ethx chanspecs (where x=1,2,3 for the lower 5GHz band, 2.4GHz band, upper 5GHz band, respectively)

In checking chanspecs against a Domain change, a reboot of the router is necessary to reload the wireless driver. Normally, the chanspecs produced would include all channels and width capabilities supported by that specific radio band for the Domain, inclusive of 20, 40 and 80MHz widths for this router's 5GHz bands. Only Australia, Singapore, and Lao produced results with selectable 80width channels from the Wireless menu. United States and Europe had no 80width channels, which was reflected in the Wireless menu as Auto with no drop-down list for channel selection. This left the combinations Q2/992 and E0/962 suspect against the known working AsusWRT usage of Q2/96 and E0/989.

Regression testing of older builds discovered that a change(s) post build r411274 (09/26/2019) resulted in incorrect chanspecs with that last operable build using US/0. The next build r41212 (09/30/2019) and forward failed in testing inclusive of builds with US/0, Q2/0, and the current Q2/992 combinations. (Note: The code combination Q2/992 was recognized as a valid code combination for the Asus RT-AC3100 during bench testing and may be a clue to where there is a problem in DD-WRT code/tables. There is the possibility that all current codes are technically incorrect for the RT-AC3200.)

One result during prior DD-WRT firmware install testing suggested that the Q2/96 combination may be correct for DD-WRT's licensed Broadcom driver. When a Hard Factory Reset was done post DD-WRT firmware install, a temporary condition of working 80width channels from Wireless menu was observed. The probability that the Q2/96 combination was obtained from CFE stored codes was implied from this result. However, after first reboot, the temporary working was replaced with the previously noted non-working regulatory code and 80width channels were lost. A check of chanspecs before and after reboot was further evidence of the loss.

NVRAM Patch:

From extensive testing, the following NVRAM code patch was created and requires loading at Startup to override the incorrect regulatory code. This is done by adding the patch from the Administration Commands menu in DD-WRT. Copy and paste the following code into the Administration Command menu window and use the Save Startup button to commit the change to NVRAM.

Code:
nvram set 0:ccode=Q2
nvram set 1:ccode=Q2
nvram set 2:ccode=Q2
nvram set 0:regrev=96
nvram set 1:regrev=96
nvram set 2:regrev=96
nvram set wl0_country_code=Q2
nvram set wl1_country_code=Q2
nvram set wl2_country_code=Q2
nvram set wl_country_code=Q2
nvram set wl0_country_rev=96
nvram set wl1_country_rev=96
nvram set wl2_country_rev=96
nvram set wl_country_rev=96
nvram commit


Once this code patch is loaded, Reboot the router TWICE (two times is absolutely needed) from the Administration Management menu. If you wish to test this patch for non-USA use, please substitute your Domain and Regulatory codes for Q2 and 96 in the code patch. Also, check the Wireless Domain menu setting to see that it is set consistent with your intended Domain for use. This patch may not work correctly outside those Domains listed and is not intended to change the router from its default Regulatory Domain. After the second reboot, proceed to the Wireless Settings menu for setup. This patch was tested as an immediate step after first login to DD-WRT using the correct flash procedure (see above), i.e. after setting Login User Name and Password - go immediately to the Administration Commands menu to install the patch.

For test reporting, please provide the following information:
- The cc/reg codes stored in mtd0ro partition for your router
- The Domain used in the DD-WRT Wireless menu
- The chanspecs list of channels achieved from the wl chanspecs command for each radio band
- The list of channels available from the Wireless menu, using different bandwidth, u/l combinations (most importantly the availability of 80width channels)
- Any noted improvements/problems in radio band performance, e.g. range, signal strength, client connection rates, etc.

Please note that opening a bug report against these findings will occur when there is sufficient feedback by Forum members to testing the patch. This will aid in both substantiating the bug and verifying the regulatory code(s) substitution as working beyond a single tester/reporter/domain. Should DD-WRT developers concur with these findings and wish to correct the Regulatory Codes for RT-AC3200 in a future build (with/without bug submission), please post back with the beta build number for testing.

Bug Report: Ticket #7648 opened on 2023-01-30.


Last edited by ClixTrix on Mon Jan 30, 2023 14:27; edited 4 times in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Mon Jan 23, 2023 17:06
Thanks excellent job!
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Hapi12021
DD-WRT User


Joined: 22 Jul 2021
Posts: 84

Posted: Tue Jan 24, 2023 22:02
Do we assume the same patch is accurate for AC-5300 / AC-3100 / AC-88U?

Thanks!
ClixTrix
DD-WRT Novice


Joined: 15 Jan 2023
Posts: 4

Posted: Tue Jan 24, 2023 23:01
Hapi12021 wrote:
Do we assume the same patch is accurate for AC-5300 / AC-3100 / AC-88U?

Thanks!


The simple answer is no for working models. The findings and need for the patch were specific to the Asus RT-AC3200 cc/reg problem. However, should another router have the same cc/reg problem, the patch is worth testing with the caveat that the RT-AC3200 is a tri-band model. The patch code is specific for override to each of the three radios for the tri-band. You'd need to remove the unneeded code for the 3rd band for dual-band models.

I have just today done "limited" bench testing of the Asus RT-AC3100 with the latest DD-WRT beta build and found that my speculation on the US and Euro domains regulatory codes matching the problem codes on the RT-AC3200 is correct. This model using the flash method I posted is (so far) working well with wireless operating correct to US specs.

The code combinations are generally unique in Asus models, e.g. the Q2/96 is specific to the RT-AC3200 and Q2/992 is specific to the RT-AC3100 for the US Domain. The patch is ONLY needed if the Domain and Regulatory code combination are INCORRECT for the model. I have not tested the other two Asus models you mentioned. You could try the patch if the other models are showing similar symptoms to those mentioned in the report. No 80width channels in chanspecs is certainly a clue. I would dump the cc/reg codes stored in CFE and check them against the NVRAM stored codes as a start.
Hapi12021
DD-WRT User


Joined: 22 Jul 2021
Posts: 84

Posted: Wed Jan 25, 2023 3:39
I brought this up in another thread, but the AC-5300 is missing all of the DFS channels, but 80MHz channels are there:

Code:
# wl chanspecs
36 (0xd024)
40 (0xd028)
44 (0xd02c)
48 (0xd030)
149 (0xd095)
153 (0xd099)
157 (0xd09d)
161 (0xd0a1)
165 (0xd0a5)
40u (0xd926)
48u (0xd92e)
153u (0xd997)
161u (0xd99f)
36l (0xd826)
44l (0xd82e)
149l (0xd897)
157l (0xd89f)
36/80 (0xe02a)
149/80 (0xe09b)
40/80 (0xe12a)
153/80 (0xe19b)
44/80 (0xe22a)
157/80 (0xe29b)
48/80 (0xe32a)
161/80 (0xe39b)


It doesn’t matter which region the system is set to, all of the mid-band channels don’t appear.

I haven’t tried the method of flash directly from Asus-WRT with the two reboots, and maybe that would help.

Code:
cat /dev/mtd0ro | grep ccode
cat /dev/mtd0ro | grep regrev


Both of these commands produce no output on the AC-5300, FYI.
ClixTrix
DD-WRT Novice


Joined: 15 Jan 2023
Posts: 4

Posted: Thu Jan 26, 2023 14:29
The lack of stored ccode/regrev in the CFE is a possible indication of Domain lock, i.e. the router is factory locked to operate in a specific market ONLY. I don't have that router (yet), so can't poke around for confirmation and other settings. Looking at the wl chanspecs listed, they look like those I'd expected for a US Market router with no DFS range channels. I believe Merlin has stated something around that issue in the past for this router.

Another observation on the wl command list - those chanspecs are defaulting to the first adapter with that command (no adapter selected with "i eth1/2/3"). I'm noting that the list includes upper band channels for 5GHz (149-165). I saw that exact problem with the RT-AC3200 when an incorrect flash procedure that cleared essential NVRAM parameters was used. With correct procedure, I got segregated upper and lower bands from chanspecs for each 5GHz band AND the drop-down list in Wireless settings was also correct for each band. It was one other reason that using the posted flash method was necessary to achieve stable (and optimal) results for the RT-AC3200 and may be necessary on other Asus routers released around the same time.

From what you've posted, I don't believe the patch would help you, but the flash procedure method from AsusWRT is something I'd try to see if it operates correct for your router's Domain. In fact, it might be essential to get correct NVRAM settings.
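
Added example, not part of any post in this thread: a small filter that reads `wl chanspecs` output and flags the symptoms discussed above (no 80 MHz chanspecs, no DFS-range channels, lower and upper 5 GHz channels on the same radio, or an empty list). The function names are hypothetical, and the DFS range of control channels 52-144 is an assumption based on the US 5 GHz plan.

```shell
#!/bin/sh
# Added example: flag the chanspecs symptoms discussed in this thread.
# Assumption: US 5 GHz plan, DFS = control channels 52-144.

# chanspec_check: reads "wl chanspecs" output on stdin,
# prints one summary line followed by one line per finding.
chanspec_check() {
    awk '
        # Labels printed by wl: "36", "40u", "36l", "36/80"; each is followed
        # by the raw chanspec in parentheses. Prompts and blanks are skipped.
        $1 ~ /^[0-9]+([ul]|\/[0-9]+)?$/ && $2 ~ /^\(0x[0-9a-f]+\)$/ {
            ch = $1 + 0                       # numeric prefix = control channel
            if ($1 ~ /\//)         { split($1, p, "/"); w = p[2] + 0 }
            else if ($1 ~ /[ul]$/)   w = 40
            else                     w = 20
            total++
            if (ch <= 14) next                # 2.4 GHz entry
            five++
            if (w == 80) w80++
            if (ch >= 52 && ch <= 144) dfs++
            else if (ch < 52)          low++
            else                       high++
        }
        END {
            printf "total=%d 5ghz=%d w80=%d dfs=%d low=%d high=%d\n", total, five, w80, dfs, low, high
            if (total == 0)          print "FINDING empty: no chanspecs returned"
            if (five > 0 && !w80)    print "FINDING no-80mhz: no 80 MHz chanspecs"
            if (five > 0 && !dfs)    print "FINDING no-dfs: no channels in 52-144"
            if (low > 0 && high > 0) print "FINDING mixed-bands: lower and upper 5 GHz channels on one radio"
        }'
}

# Sample input: the chanspecs list posted above for the AC-5300.
sample_ac5300() {
    printf '%s\n' '# wl chanspecs' \
        '36 (0xd024)' '40 (0xd028)' '44 (0xd02c)' '48 (0xd030)' \
        '149 (0xd095)' '153 (0xd099)' '157 (0xd09d)' '161 (0xd0a1)' '165 (0xd0a5)' \
        '40u (0xd926)' '48u (0xd92e)' '153u (0xd997)' '161u (0xd99f)' \
        '36l (0xd826)' '44l (0xd82e)' '149l (0xd897)' '157l (0xd89f)' \
        '36/80 (0xe02a)' '149/80 (0xe09b)' '40/80 (0xe12a)' '153/80 (0xe19b)' \
        '44/80 (0xe22a)' '157/80 (0xe29b)' '48/80 (0xe32a)' '161/80 (0xe39b)'
}

sample_ac5300 | chanspec_check
```

On a router the input would come from the command given in the first post, e.g. `wl -i eth1 chanspecs | chanspec_check`, run once per radio after the reboot that reloads the wireless driver.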
tickerguy
DD-WRT Novice


Joined: 15 Dec 2016
Posts: 13

Posted: Thu Feb 09, 2023 22:41
I have one of these routers, went through the configuration and this is what I have:

Asus RT-AC3200
Firmware Version DD-WRT v3.0-r51617 std (02/09/23)
Domain: United States

Startup:

nvram set 0:ccode=Q2
nvram set 1:ccode=Q2
nvram set 2:ccode=Q2
nvram set 0:regrev=96
nvram set 1:regrev=96
nvram set 2:regrev=96
nvram set wl0_country_code=Q2
nvram set wl1_country_code=Q2
nvram set wl2_country_code=Q2
nvram set wl_country_code=Q2
nvram set wl0_country_rev=96
nvram set wl1_country_rev=96
nvram set wl2_country_rev=96
nvram set wl_country_rev=96
nvram commit

I do NOT have the correct channel specs for the 5g radios; "auto" is there but only ONE channel (36 on wl0 and 161 on wl2)

I did use the exact flash procedure specified; from the ASUS base code, after doing basic setup only (IP address, set a password, etc) I then went into the recovery console and flashed DD-WRT as above.

root@AirGw:~# cat /dev/mtd0ro|grep ccode
1:ccode=Q2
0:ccode=Q2
2:ccode=Q2

root@AirGw:~# cat /dev/mtd0ro|grep regrev
1:regrev=96
0:regrev=96
2:regrev=96

root@AirGw:~# nvram show |sort|grep ccode
size: 34020 bytes (97052 left)
0:ccode=Q2
1:ccode=Q2
2:ccode=Q2
nvram set 1:ccode=Q2
nvram set 2:ccode=Q2
rc_startup=nvram set 0:ccode=Q2

root@AirGw:~# nvram show |sort|grep regrev
size: 34020 bytes (97052 left)
0:regrev=992
1:regrev=992
2:regrev=992
nvram set 0:regrev=96
nvram set 1:regrev=96
nvram set 2:regrev=96

root@AirGw:~# nvram show |sort|grep country
size: 34020 bytes (97052 left)
nvram set wl0_country_code=Q2
nvram set wl0_country_rev=96
nvram set wl1_country_code=Q2
nvram set wl1_country_rev=96
nvram set wl2_country_code=Q2
nvram set wl2_country_rev=96
nvram set wl_country_code=Q2
nvram set wl_country_rev=96
radius_country=DE
wl0_country_code=Q2
wl0_country_rev=992
wl1_country_code=Q2
wl1_country_rev=992
wl2_country_code=Q2
wl2_country_rev=992
wl_country_code=Q2
wl_country_rev=992

(Radius_country=DE?)

It appears that the "992" should not be there, rather it should be "96", and this may be why the channel list is incorrect. It appears to be working, but I can't select channels and a scanner says I have 40Mhz channels, where I have selected VHT80.

root@AirGw:~# wl chanspecs -b 2 -w 20
1 (0x1001)
2 (0x1002)
3 (0x1003)
4 (0x1004)
5 (0x1005)
6 (0x1006)
7 (0x1007)
8 (0x1008)
9 (0x1009)
10 (0x100a)
11 (0x100b)

root@AirGw:~# wl chanspecs -b 5 -w 40

(nothing, nor anything for 20 or 80)

After a couple more reboots ALL the channels (other than "Auto") disappear, other than for the 2.4g radio. All three radios, however, are working and show up on a scanner -- as 40Mhz channels, and they've picked their own apparently.

For grins and giggles I reset the unit to the factory (ASUS) image with the "rescue" reflash tool from the manufacturer and did it again, just to make sure I hadn't screwed something up. Same results.
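
Added example, not part of any post in this thread: one way to do the check suggested earlier, comparing the cc/reg codes stored in the CFE against the codes in NVRAM for each radio. It ignores the `nvram set ...` and `rc_startup=...` lines that `grep` also matches once the patch has been saved as a startup script. The function names and file names are hypothetical, the sample input is constructed and modelled on the output posted above, and the dump is assumed to contain clean `key=value` lines as in that output.

```shell
#!/bin/sh
# Added example: compare factory (CFE) regulatory codes with live NVRAM values.

# compare_reg CFE_FILE NVRAM_FILE
#   prints "<key> cfe=<v> nvram=<v> OK|MISMATCH|MISSING", sorted by key
#   returns 0 = all match, 1 = something differs, 2 = no codes in the CFE dump
compare_reg() {
    _out=$(awk -F= '
        # Only lines that START with "<n>:ccode=" or "<n>:regrev=" are live
        # variables. "nvram set 0:regrev=96" and "rc_startup=nvram set ..."
        # are lines of the saved startup script that grep matches as well.
        /^[0-9]+:(ccode|regrev)=/ {
            if (FILENAME == ARGV[1]) cfe[$1] = $2; else nv[$1] = $2
        }
        END {
            rc = 0; n = 0
            for (k in cfe) {
                n++
                if (!(k in nv))                     { state = "MISSING";  rc = 1 }
                else if ((nv[k] "") != (cfe[k] "")) { state = "MISMATCH"; rc = 1 }
                else                                  state = "OK"
                printf "%s cfe=%s nvram=%s %s\n", k, cfe[k], ((k in nv) ? nv[k] : "-"), state
            }
            if (n == 0) { print "no ccode/regrev found in CFE dump"; rc = 2 }
            exit rc
        }' "$1" "$2") && _rc=0 || _rc=$?
    printf '%s\n' "$_out" | sort
    return "$_rc"
}

# Constructed sample input, modelled on the output posted above.
make_samples() {
    printf '%s\n' 1:ccode=Q2 0:ccode=Q2 2:ccode=Q2 \
        1:regrev=96 0:regrev=96 2:regrev=96 > "$1/cfe.txt"
    printf '%s\n' 'size: 34020 bytes (97052 left)' \
        0:ccode=Q2 1:ccode=Q2 2:ccode=Q2 \
        0:regrev=992 1:regrev=992 2:regrev=992 \
        'rc_startup=nvram set 0:ccode=Q2' 'nvram set 1:ccode=Q2' \
        'nvram set 0:regrev=96' 'nvram set 1:regrev=96' > "$1/nvram.txt"
}

d=$(mktemp -d)
make_samples "$d"
compare_reg "$d/cfe.txt" "$d/nvram.txt" || echo "compare_reg returned $?"
rm -rf "$d"
```

On a router the two input files would be produced with the commands already shown in the thread: the `cat /dev/mtd0ro | grep ...` pair redirected into one file and `nvram show` into the other.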
ClixTrix
DD-WRT Novice


Joined: 15 Jan 2023
Posts: 4

Posted: Sun Feb 12, 2023 22:23
My best guess in looking at the NVRAM shows you posted - there was only a single reboot done after copying the patch into Command window and (Save Startup) to install. It requires two reboots (see instructions immediately following the code for copy): one to install the patch to NVRAM, the second to apply the patch during startup.

I've updated a bench system to the later release you're using to run some checks. Last test I did was the release back on 1/19.

Firmware Version DD-WRT v3.0-r51617 std (02/09/23)

My check of the patch does stick after 2nd reboot on this release. I'll have to do some additional tests to see if it holds after Wireless changes.

Edit: I recommend you test build r51440.