1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice

Welcome To SNBForums

SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.

If you'd like to post a question, simply register and have at it!

While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!

ASUS ROUTERS CFE DUMPS COLLECTION

Discussion in 'ASUS Wireless' started by hggomes, Jun 13, 2014.

  1. hggomes

    hggomes Very Senior Member

    Joined:
    Jan 2, 2012
    Messages:
    1,618
    ASUS ROUTERS CFE DUMPS COLLECTION
    ============================

    Check your CFE version at:

    http://192.168.1.1/Tools_Sysinfo.asp

    Or via Telnet/SSH:

    nvram get bl_version


    RT-N18U (ARM) - (HW Revisions: 2.20)
    ==========


    Flash Chip (NAND): SPANSION(AMD)

    2.0.0.7 (EU)
    2.0.0.7 (US)


    RT-N66U B1 (MIPS) - (HW Revisions: 2.40, 3.00, 3.20)
    =============


    Flash Chip (NOR/CFI): SPANSION(AMD)

    1.0.1.1 (US)
    1.0.1.2 (EU)
    1.0.1.2 (US)
    1.0.1.3 (EU)
    1.0.1.4 (EU) *
    1.0.1.9 (EU) *
    1.0.1.9 (US) *

    * OC capability

    RT-N66R (MIPS)
    ===========


    1.0.1.3 (US)


    RT-N66W (MIPS)
    ===========


    1.0.1.4 (US)


    RT-AC66U (MIPS) - (HW Revisions: 1.30, 1.50, 1.60)
    ============


    Flash Chip (SPI+NAND): MACRONIX + SAMSUNG/ZENTEL/OTHERS

    AMD/SPANSION/SAMSUNG
    *HW REV. 1.30 ONLY*
    1.0.0.7 (US)
    1.0.0.8 (US)
    1.0.1.0 (US) *
    1.0.1.4 (EU)
    1.0.1.4 (US)

    * Dump from HW Rev. 1.30

    ZENTEL
    *ATTENTION!! THESE CFE VERSIONS (ZENTEL) ARE *NOT COMPATIBLE* WITH HW REV. 1.30 , IT WORKS ON HW REV. 1.50 OR SUPERIOR ONLY, "nflash_swecc=1" VALUE IT'S PRESENT ON IT*

    1.0.1.6 (EU)
    1.0.1.7 (US)
    1.0.1.7 (US_TW)
    1.0.1.8 (US)


    RT-AC66R (MIPS)
    ============


    1.0.1.4 (US)


    RT-AC56U (ARM) - (HW Revisions: 1.60, 2.00, 2.20, 2.30)
    ===========


    Flash Chip (NAND): SPANSION(AMD)

    1.0.1.9 (US) *
    1.0.2.3 (EU)
    1.0.2.6 (EU)
    1.0.2.7 (EU) *
    1.0.2.8 (US) *
    1.0.2.9 (EU) *
    1.0.2.9 (US) *

    * DDR3 unlocked to 800MHZ

    RT-AC56R (ARM)
    ===========


    1.0.2.3 (US) *
    1.0.2.7 (US) *

    * DDR3 *locked* to 666MHZ

    RT-AC56S (ARM)
    ===========


    1.0.2.7 (SG)


    RT-AC68U (ARM) - (HW Revisions: 1.21, 1.60, 1.61, 1.68, 1.70, 1.80)
    ===========


    Flash Chip (NAND): SPANSION(AMD) / ESMT

    1.0.1.1 (US)
    1.0.1.6 (US) **
    1.0.1.6 (EU) *
    1.0.1.7 (EU) **
    1.0.1.8 (EU) **
    1.0.2.0 (EU) **
    1.0.2.0 (US) **
    1.0.2.0 (US) ASUS => Compiled from ASUS *increase rootfs/mtd3 to 64MB*
    1.0.2.0 (US) ESMT => Compiled from ASUS for AC68U with ESMT NAND *increase rootfs/mtd3 to 64MB*
    *DO NOT USE THIS CFE ON SPANSION(AMD) NAND*
    1.0.2.1 (US) => DDR3 *unlocked* to 800MHZ

    * DDR3 locked to 666MHZ
    ** DDR3 unlocked to 800MHZ


    RT-AC68P/V2 (ARM) - (HW Revisions: 2.20)
    =============


    1.0.2.5 (US)


    RT-AC1900P (ARM)
    ============

    2.0.0.6 (US)


    RT-AC87U (ARM) - (HW Revisions: 1.30, 1.50, 1.51)
    ===========


    Flash Chip (NAND): SPANSION(AMD)

    1.0.3.2 (EU)
    1.0.3.2 (US)
    1.0.3.2 (JP)
    1.0.3.3 (US)


    RT-AC3200 (ARM) - (HW Revisions: 2.34)
    ============


    Flash Chip (NAND): SPANSION(AMD)

    1.0.1.5 (US) *
    2.0.0.3 (EU)

    * Allow overclocking.


    SP-AC2015 (MIPS)
    ============

    2.0.0.2 (US)


    TM-1900AC (ARM) - (HW Revisions: 1.70)
    ============


    2.1.2.1 (Q2)
    2.1.2.2 (US)
    2.1.2.4 (US)

    Note: TM-1900AC use RT-AC68U CFE's (same hardware) to unlock and "convert" it to a regular RT-AC68U router.


    TOOLS:
    ======

    CFE Editor
    NVSimple v0.3d


    MTD-WRITE (ARM):

    ==============

    MTD-Write v1 => *Original version (v1) from ASUS* (602KB)
    MTD-Write v2 => *New version (v2), fix update on some specific situations that couldn't complete the process* (716KB)
    MTD-Write v3 => *New version (v3) from ASUS* (511KB)


    AIO FILE:
    =======

    ALL IN ONE

    * This file contains some more CFEs not showed in this post.


    CFE UPDATE COMMAND:
    ================

    MIPS:


    mtd-write -i new_cfe.bin -d pmon

    mtd-write (MIPS) file it's part of the FW already.

    ARM:

    mtd-write new_cfe.bin boot (v1)
    mtd-write -i new_cfe.bin -d boot (v2)
    mtd-write new_cfe.bin boot (v3)

    mtd-write (ARM) needs to be copied to the USB drive or downloaded (wget on /tmp or USB) so you can use it.


    CHECK YOUR ROUTER FLASH CHIP:
    ========================

    After a reboot:

    dmesg | grep -e "flash" -e "nand" -e "amd" /tmp/syslog.log

    Possible brands are: Spansion aka AMD, Numonyx, Micron, Toshiba, Hynix, Samsung, Esmt, Mxic, Zentel, Winbond.


    You can follow CFE dumping procedures on this thread:

    Link

    WARNING: DO IT AT YOUR OWN RISK!

    BE AWARE, IF SOMETHING GOES WRONG WITH CFE UPDATE YOU WILL BRICK YOUR ROUTER AND THE ONLY WAY TO RECOVER IT IS VIA JTAG IF DEVICE IS ALREADY SUPPORTED OR UNSOLDERING AND PROGRAMMING THE CHIP.

    CFE/BOOTLOADER IS A CRITICAL PART OF THE SYSTEM THAT SHOULD NOT BE TOUCHED, ONLY FOR THOSE WHO REALLY KNOW WHAT THEY ARE DOING AND AWARE OF THE CONSEQUENCES THAT CAN RESULT FROM IT.



    Thank you.
    ________________

    JOIN US: RMerlin ASUS FW on IRC via Web Client: http://www.dal.net:9090
    IRC Channel: #asuswrt
     
    Last edited: Sep 27, 2016
    Lowcarb, Nullity, cvx01 and 3 others like this.
  2. Please support SNBForums! Just click on this link before you buy something from Amazon and we'll get a small commission on anything you buy. Thanks!
  3. Shonk

    Shonk Senior Member

    Joined:
    May 7, 2014
    Messages:
    399
    I just dumped it on my AC66U

    with

    cat /dev/mtd0 > /tmp/mnt/C/C/original_cfe.bin
    or..
    dd if=/dev/mtd0 of=/tmp/mnt/C/C/original_cfe1.bin


    Bootloader (CFE) 1.0.1.4
    EU

    but it contains unique info mac address's and such

    Like So

    boardtype=0xF5B2 boardnum=00 boardrev=0x1100 boardflags=0x00000110 boardflags2=0x00000000 sromrev=8 clkfreq=600,300,150 xtalfreq=25000 et0phyaddr=30 et0mdcport=0 et0macaddr=edit vlan1ports=1 2 3 4 8* vlan1hwname=et0 vlan2ports=0 8u vlan2hwname=et0 landevs=vlan1 wl0 wl1 wandevs=et0 lan_ipaddr=192.168.1.1 lan_netmask=255.255.255.0 gpio4=wps_button boot_wait=on gpio7=robo_reset watchdog=3000 pci/1/1/venid=0x14E4 pci/1/1/boardvendor=0x14E4 pci/1/1/sromrev=9 pci/1/1/boardflags=0x00003200 pci/1/1/boardflags2=0x00100000 pci/1/1/devid=0x4332 pci/1/1/macaddr=edit pci/1/1/aa2g=7 pci/1/1/ag0=0 pci/1/1/ag1=0 pci/1/1/ag2=0 pci/1/1/txchain=7 pci/1/1/rxchain=7 pci/1/1/antswitch=0 pci/1/1/tssipos2g=1 pci/1/1/extpagain2g=3 pci/1/1/pdetrange2g=0 pci/1/1/triso2g=3 pci/1/1/antswctl2g=0 pci/1/1/elna2g=0 pci/1/1/maxp2ga0=0x64 pci/1/1/pa2gw0a0=0xFE74 pci/1/1/pa2gw1a0=0x1A2D pci/1/1/pa2gw2a0=0xF999 pci/1/1/maxp2ga1=0x64 pci/1/1/pa2gw0a1=0xFE85 pci/1/1/pa2gw1a1=0x1C2D pci/1/1/pa2gw2a1=0xF924 pci/1/1/maxp2ga2=0x64 pci/1/1/pa2gw0a2=0xFE75 pci/1/1/pa2gw1a2=0x1971 pci/1/1/pa2gw2a2=0xF9C8 pci/1/1/cckbw202gpo=0x1111 pci/1/1/cckbw20ul2gpo=0x1111 pci/1/1/legofdmbw202gpo=0x74111111 pci/1/1/legofdmbw20ul2gpo=0x74111111 pci/1/1/mcsbw202gpo=0xDA741111 pci/1/1/mcsbw20ul2gpo=0xDA741111 pci/1/1/mcsbw402gpo=0xFC963333 pci/1/1/mcs32po=0x9999 pci/1/1/legofdm40duppo=0x4444 pci/1/1/parefldovoltage=35 pci/1/1/ccode=US pci/1/1/ledbh0=2 pci/1/1/ledbh1=5 pci/1/1/ledbh2=4 pci/1/1/ledbh3=11 pci/1/1/ledbh12=7 pci/1/1/leddc=0xFFFF pci/1/1/temps_period=5 pci/1/1/tempthresh=120 pci/1/1/temps_hysteresis=5 pci/1/1/phycal_tempdelta=0 pci/1/1/tempoffset=0 pci/1/1/ATE_Brand=ASUSTek pci/2/1/boardrev=0x1305 pci/2/1/boardflags=0x10000000 pci/2/1/boardflags2=0x00300002 pci/2/1/boardflags3=0x0 pci/2/1/boardnum=21059 pci/2/1/boardtype=0x621 pci/2/1/boardvendor=0x14e4 pci/2/1/devid=0x43a2 pci/2/1/venid=0x14e4 pci/2/1/macaddr=edit pci/2/1/ccode=US pci/2/1/rxgains5gtrelnabypa0=1 pci/2/1/rxgains5gtrelnabypa1=1 pci/2/1/rxgains5gtrelnabypa2=1 pci/2/1/rxgains5gtrisoa0=7 pci/2/1/rxgains5gtrisoa1=6 pci/2/1/rxgains5gtrisoa2=5 pci/2/1/rxgains5gelnagaina0=1 pci/2/1/rxgains5gelnagaina2=1 pci/2/1/rxgains5gelnagaina1=1 pci/2/1/pa5ga0=0xff39,0x1a55,0xfcc7,0xff38,0x1a7f,0xfcc3,0xff33,0x1a66,0xfcc4,0xff36,0x1a7b,0xfcc2 pci/2/1/pa5ga1=0xff3a,0x1b0b,0xfcba,0xff38,0x1b37,0xfcb4,0xff37,0x1aa1,0xfcc0,0xff37,0x1aef,0xfcb7 pci/2/1/pa5ga2=0xff3a,0x1b28,0xfcb4,0xff38,0x1aaa,0xfcc2,0xff35,0x1a93,0xfcc1,0xff38,0x1aab,0xfcbe pci/2/1/maxp5ga0=100,100,100,100 pci/2/1/maxp5ga1=100,100,100,100 pci/2/1/maxp5ga2=100,100,100,100 pci/2/1/mcsbw205glpo=0x99753333 pci/2/1/mcsbw405glpo=0x99975333 pci/2/1/mcsbw805glpo=0x99975333 pci/2/1/mcsbw1605glpo=0 pci/2/1/mcsbw205gmpo=0x99753333 pci/2/1/mcsbw405gmpo=0x99975333 pci/2/1/mcsbw805gmpo=0x99975333 pci/2/1/mcsbw1605gmpo=0 pci/2/1/mcsbw205ghpo=0x99753333 pci/2/1/mcsbw405ghpo=0x99975333 pci/2/1/mcsbw805ghpo=0x99975333 pci/2/1/mcsbw1605ghpo=0 pci/2/1/mcslr5glpo=0 pci/2/1/mcslr5gmpo=0 pci/2/1/mcslr5ghpo=0 pci/2/1/sb20in40hrrpo=0 pci/2/1/sb20in80and160lr5glpo=0 pci/2/1/sb40and80hr5glpo=0 pci/2/1/sb20in80and160hr5gmpo=0 pci/2/1/sb40and80hr5gmpo=0 pci/2/1/sb20in80and160hr5ghpo=0 pci/2/1/sb40and80hr5ghpo=0 pci/2/1/sb20in40lrpo=0 pci/2/1/sb20in80and160hr5glpo=0 pci/2/1/sb40and80lr5glpo=0 pci/2/1/sb20in80and160lr5gmpo=0 pci/2/1/sb40and80lr5gmpo=0 pci/2/1/sb20in80and160lr5ghpo=0 pci/2/1/sb40and80lr5ghpo=0 pci/2/1/dot11agduphrpo=0 pci/2/1/dot11agduplrpo=0 regulation_domain=EU regulation_domain_5G=EU secret_code=unsure if unique hw_version=1.5 bl_version=1.0.1.4 bootflags=1 ntype=0 serial_no=unsure if unique odmpid=ASUS model=RT-AC66U wait_time=3 pci/1/1/regrev=13 pci/2/1/regrev=13
     
    Last edited: Jun 13, 2014
  4. hggomes

    hggomes Very Senior Member

    Joined:
    Jan 2, 2012
    Messages:
    1,618
    Hi Shonk, thank you for your reply.

    The "secret_code" is the same on all routers (RT-N66U) i've seen so far so it's not a problem.

    secret_code=74867707

    This is the one on all RT-N66U i've seen so far, i bet the same happens with RT-AC66U, but the number is different if it's from another region from what i could see.

    Regarding "serial_no" it does not exist on RT-N66U you should see if it matches with the serial number of your router, you can compare it with the router box/router label.

    You can delete those two entries and upload the file with the same number of "X" characters instead your real info.

    Thank you.

    ________________
    JOIN US: RMerlin ASUS FW on IRC via Web Client: http://www.dal.net:9090
    IRC Channel: #asuswrt
     
    Last edited: Aug 1, 2014
  5. Shonk

    Shonk Senior Member

    Joined:
    May 7, 2014
    Messages:
    399
    secret_code=79xxx8xx

    not sure if its wise editing out stuff there will most prob be crc checks in the image

    i have done this sort of thing before with uboot images

    take a look here though the imageshack images seem to have died
    so its harder to follow..

    http://forum.buffalo.nas-central.org/viewtopic.php?f=68&t=23439

    the crc has to be manually worked out and edited
     
    Last edited: Jun 13, 2014
  6. hggomes

    hggomes Very Senior Member

    Joined:
    Jan 2, 2012
    Messages:
    1,618
    Thanks for the info.

    Can you upload the file so i can test it next week?!? I will have one RT-AC66U for testing and i can compare and try to understand differences between them.

    What about serial_no info?!! Does it match your device serial number?!

    ________________
    JOIN US: RMerlin ASUS FW on IRC via Web Client: http://www.dal.net:9090
    IRC Channel: #asuswrt
     
    Last edited: Aug 1, 2014
  7. hggomes

    hggomes Very Senior Member

    Joined:
    Jan 2, 2012
    Messages:
    1,618
    The "secret_code" number is the WPS AP Pin Code, confirmed. :)

    The interesting part is that anyone can change it and update CFE with the new one.
     
    Last edited: Jun 16, 2014
  8. hggomes

    hggomes Very Senior Member

    Joined:
    Jan 2, 2012
    Messages:
    1,618
    New CFE's uploaded, AC56S, N18U and AC3200 are the next W.A.N.T.E.D to the list.

    Please upload your CFE if it's a different version or region from the ones listed on the 1st post.

    Thank you.
     
    Last edited: Jul 25, 2014
  9. Nullity

    Nullity Very Senior Member

    Joined:
    Jul 17, 2014
    Messages:
    1,640
    Location:
    Appalachia
    Overclocking is an obsession. I surely suffer from premature optimization. Good luck. :)

    I just checked my N66U (B1) and it has a bl_version of 1.0.1.9. I'll upload it in a bit, if it's of any use.

    I'm not sure if I'm an idiot for this, but when I'm screwing around with routers' files on my LAN, I usually "nc -l 2345 > file.out" on my comp and run "cat /dev/mtd0 | nc my.host 2345" on the router. Seems like every toaster and hair-dryer has BusyBox on it nowadays.
     
  10. hggomes

    hggomes Very Senior Member

    Joined:
    Jan 2, 2012
    Messages:
    1,618
    Thanks for your info,

    I must say i'm a little bit surprised with 1.0.1.9 on N66U, are you sure?

    I can take a look at the file once you upload it.

    Connect a USB Drive:

    cat /dev/mtd0 > /tmp/mnt/sda1/original_cfe.bin
    or..
    dd if=/dev/mtd0 of=/tmp/mnt/sda1/original_cfe.bin

    Note: You could need to change the "sda1" to your mount point of your USB drive.

    You can also do:

    cat /dev/mtd0 > /tmp/original_cfe.bin

    Server:

    nc -l 2389 > original_cfe.bin

    Client:

    cat /tmp/original_cfe.bin | nc localhost 2389
     
    Last edited: Jul 17, 2014
  11. dextor

    dextor Occasional Visitor

    Joined:
    Jul 23, 2014
    Messages:
    13
    Awesome!

    Two quick questions for the experts here:

    1. What HW revisions can take 1.0.1.4 and 1.0.1.9?

    2. Where are the CRC bits and is there anything else I should know about the checksum?
     
  12. ryzhov_al

    ryzhov_al Very Senior Member

    Joined:
    Jul 23, 2012
    Messages:
    646
    Location:
    Russia
    At least, 1.0.1.4 is working on my B1. I still waiting a confirmation 1.0.1.9 exists on B1 in wild:).

    Thanks god CFE is not checking CRC for now. DD-WRT guys ignores CRC but it's not right. Our CFE update utility calculates and writes right checksum into CFE.

    Here is all details.
     
  13. hggomes

    hggomes Very Senior Member

    Joined:
    Jan 2, 2012
    Messages:
    1,618
    It exists and its working on B1, i already had another brand new RT-N66U with 1.0.1.9 CFE installed.

    DD-WRT guys ignore CRC check just because they know it's not checked, so it doesn't make any difference on this case.

    I agree, sure it's better having CFE with the right CRC info on it, just in case of CFE change the way they work.

     
    Last edited: Jul 23, 2014
  14. dextor

    dextor Occasional Visitor

    Joined:
    Jul 23, 2014
    Messages:
    13
    Are the HW revisions significant? Will we get a brick on HW 3.00?




    How is CRC done manually?

    CRC8, checkbit on 0x404 ?

    Or CRC16 checkbits on 0x404-405 ?
     
  15. hggomes

    hggomes Very Senior Member

    Joined:
    Jan 2, 2012
    Messages:
    1,618
    B1 = REV 3.00
    B2 = REV 3.20

    No brick, JTAG on N66U is working with fully software support, so don't be afraid in case something go wrong, you can always ressurect it :)

    Btw: Tks for letting me know about 1.0.1.3, i will fix it right away
     
    Last edited: Jul 23, 2014
  16. ryzhov_al

    ryzhov_al Very Senior Member

    Joined:
    Jul 23, 2012
    Messages:
    646
    Location:
    Russia
    Take a look at nvsimple.c.
     
  17. Pierino

    Pierino Very Senior Member

    Joined:
    Jul 13, 2012
    Messages:
    845
    Location:
    Columbus Ohio
    Which version of jtag is working on the rt-n66?
    I've got a bricked wndr4500 that can't be recovered by serial.
    It has the same CPU as the rt-n66. Maybe I can try it.
     
  18. dextor

    dextor Occasional Visitor

    Joined:
    Jul 23, 2014
    Messages:
    13
    Thank you. I looked at it. It went totally over my head!

    With a hex editor and a CRC8 calculator, how would I go about changing manually? I read somewhere that 0x404 has something to do with it.
     
  19. hggomes

    hggomes Very Senior Member

    Joined:
    Jan 2, 2012
    Messages:
    1,618
  20. Pierino

    Pierino Very Senior Member

    Joined:
    Jul 13, 2012
    Messages:
    845
    Location:
    Columbus Ohio
    Not that I don't like IRC. I don't know what I'm doing. Lol
     
  21. hggomes

    hggomes Very Senior Member

    Joined:
    Jan 2, 2012
    Messages:
    1,618
    Sorry i though you were "dextor" :)
     
Please support SNBForums! Just click on this link before you buy something from Amazon and we'll get a small commission on anything you buy. Thanks!