Asus RT-AC66U recovering from paperweight with TUMPA Lite and zJTAG / tJTAG

[marv15]

Hello,

I'm trying to recover from a bad cfe flash on my Asus rt-ac66u rev 1.30 (https://wikidevi.com/wiki/ASUS_RT-AC66U). I found guides for recovering similar model - n66u, however flash chips are different in ac66u. Would welcome any guidance on what to do since I'm a bit lost after a few hours of fruitless googling and checking solder (seems fine). Cheers.

Here is the output I'm getting from zJTAG:

.\zjtag.exe -probeonly /cable:3 /L1:3 /skipdetect

        ==============================================
               zJTAG EJTAG Debrick Utility v1.8 RC3
        ==============================================

cableid=3, cabletype=0

Dev 0:
 Flags=0x2
 Type=0x8
 ID=0x4038a99
 LocId=0x14
 SerialNumber=TITL0510
 Description=USB Multi-Protocol Adapter Lite
 ftHandle=0x0
 Set I/O speed to 7500 KHz

USB TAP device has been initialized. Please confirm VREF signal connected!
Press any key to continue... ONCE target board is powered on!

Detected IR chain length = 32

There are 0 device(s) in the JTAG chain

Probing bus ... Done

Detected IR Length is 2 bits

CPU assumed running under LITTLE endian

CPU Chip ID: 11111111111111111111111111111111 (0xFFFFFFFF)
    CPU Manufacturer :Unknown(ID=0xFFE)
    CPU Device ID :FFFF
    CPU Revision  :15

*** CHIP DETECTION OVERRIDDEN ***

    - EJTAG IMPCODE ....... : 11111111111111111111111111111111 (0xFFFFFFFF)
    - EJTAG Version ....... : Unknown (7 is a reserved value)
    - EJTAG DMA Support ... : No
    - EJTAG Implementation flags: R3k DINTsup ASID_8 ASID_6 MIPS16 NoDMA MIPS64

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped

Probing Flash at Address: 0x1FC00000 ...
Detected Chip ID (VenID:DevID = 0000 : 0000)
*** Unknown or NO Flash Chip Detected ***


 *** REQUESTED OPERATION IS COMPLETE ***

And output I'm getting from tJTAG (I think i don't have a proper /cable:xxxxx value to use with tJTAG and wasnt able to find it):

.\tjtag302RC2-1.exe -probeonly

==============================================
 EJTAG Debrick Utility v3.0.2 RC2-1 Tornado-MOD
==============================================

Selected  port  = 0x378

Couldn't access giveio device

 

[Pierino]

There are rt-ac66u listed for sale near me for $25. Seems like it would not be worth it unless for fun.

 

[marv15]

Unfortunately they're £80-120 here.

 

[Pierino]

Why were you flashing the cfe? There should have been no reason to mess with it.
Unless you were trying to flash one from a region that is not yours...

 

[FatherLandDescendant]

There are rt-ac66u listed for sale near me for $25. Seems like it would not be worth it unless for fun.

Surely that's for a used unit. Those routers still go for $125ish even on Amazon. And their worth it, mine was given to me by my Dad when I moved to a BB ISP, been a pretty good router for what I'm using it for

 

[Pierino]

Of course it's used. Still work though.

 

[FatherLandDescendant]

Of course it's used. Still work though.

Yea I'm fickle about my components, if I buy something out of my pocket I usually go new, saves me a lot of headaches that way. Now if someone gives it to me, that's a different story.

 

[marv15]

Why were you flashing the cfe? There should have been no reason to mess with it.
Unless you were trying to flash one from a region that is not yours...

Was having some problems with random resets every 30h or so, read somewhere that new CFE might help. And the cheapest used one I found was £78. :/

 

[mstombs]

I believe the way forward is with OpenOCD, but the N66U needs an extra resistor soldered onto the board

https://www.snbforums.com/threads/how-to-asus-routers-jtag-recovery.19077/

But this really is a last resort, did you see if you can et anything out of serial console first?

 

[marv15]

I believe the way forward is with OpenOCD, but the N66U needs an extra resistor soldered onto the board

https://www.snbforums.com/threads/how-to-asus-routers-jtag-recovery.19077/

But this really is a last resort, did you see if you can et anything out of serial console first?

I couldn't get any other interface to work, all I get is 3 constant led lights. Are you sure about the resistor? Thought it was only for Spansion chips on N66U. Was thinking that maybe way forward is to find the address for the AC66U's Macronix MX25L1606EM2I-12G 2MB chip to use with /start:xxxxxxx /window:xxxxxx switches on zJTAG

Or am I looking at the wrong chip? It has two, I just assumed that it is the smaller one that holds CFE.

 

[marv15]

Tried to give OpenOCD a try, cannot get it working with TUMPA lite board so far, only getting ' LIBUSB_ERROR_NOT_FOUND' despite the board showing to have VID and PID defined corretly in the interface config file.

EDIT: Ok, got past that, now I'm getting this from openocd:

.\openocd.exe -f ..\scripts\interface\ftdi\tumpa-lite.cfg -f ..\scrip
ts\target\bcm4706.cfg
Open On-Chip Debugger 0.10.0
Licensed under GNU GPL v2
For bug reports, read
        http://openocd.org/doc/doxygen/bugs.html
adapter speed: 6000 kHz
Info : auto-selecting first available session transport "jtag". To override use 'transport select <transport>'.
bcm4706.cpu
Info : clock speed 6000 kHz
Error: JTAG scan chain interrogation failed: all ones
Error: Check JTAG interface, timings, target power, etc.
Error: Trying to use configured scan chain anyway...
Error: bcm4706.cpu: IR capture error; saw 0x1f not 0x01
Warn : Bypassing JTAG setup events due to errors

Checked jtag soldering with multimeter on continuity setting, seems fine.

 

[mstombs]

Well done for getting openocd to run - but it seems you may be the first to try with the AC66. I recall the main developer was very helpful with the N16 and N66U, there some magic Broadcom commands to switch mode etc. But this was a few years ago - suggest you try to make contact.