Desolder and Flash Chip question

Discussion in 'ASUS Wireless' started by dribgnikcom, Jan 1, 2018.

  1. dribgnikcom

    dribgnikcom Occasional Visitor

    Joined:
    Dec 31, 2016
    Messages:
    10
    I'm convinced that some revisions of the Asus RT-AC3200 have a fatal flaw in that there is an issue where it can become irreversibly bricked and the recovery mode won't help.

    As such, I'm considering desoldering the flash chip from it and have it sent to someone for external flashing.

    Now my question is the following:

    Asus firmwares are offered as a 40MB or so .trx file.

    The latest one for example is:
    "RT-AC3200_3.0.0.4_382_19466-g27029b5.trx"

    The flash chip is the 128MB Spansion/Cypress S34ML01G100TFI00.

    Now the question is, does the process just involve flashing said chip with the .trx file (and perhaps padding it to 128MB if required), or will this only work if the CFE is first flashed onto the chip and then the .trx manually uploaded?

    And if the latter is the case, can someone please provide me with a raw dump of their RT-AC3200 so that I can do it as I intend?

    Thanks

    P.S. Does anyone know someone with a flashing device capable of flashing the Spansion chip who would be willing to do so?
     
  3. s3n0

    s3n0 Occasional Visitor

    Joined:
    Dec 5, 2017
    Messages:
    39
    Location:
    Slovakia
    @dribgnikcom:

    It depends on exactly how you bricked your router.

    If the CFE is undamaged, just use the TFTP recovery method. You can restore your firmware manually using a TFTP client running on your computer (for example, installing it as part of Windows or downloading a replacement TFTP client from the internet). Or, you can also use the "Firmware Restoration Tool" (TFTP principle) from the manufacturer, ASUS.

    First, you need to boot the router in "recovery mode" (if the CFE bootloader code in the flash memory is not corrupted). The procedure can also be found on this discussion forum, for example: https://www.snbforums.com/threads/rt-ac3200-recovery-mode-tricky.39803/ . Then you set a basic static IP on the client computer - 192.168.1.2. A router booted in "recovery mode" has its static IP set to 192.168.1.1. An ASUS router in recovery mode waits for TFTP commands. Through the binary protocol (after switching with the binary command if you use the TFTP client), you will then send the .trx firmware to the ASUS router and wait at least 10-15 minutes (depending on the type of router or flash memory type, speed, etc.). After successful flashing, do not forget to perform a Factory Reset again. The procedures for ASUS TFTP flash can be found on the Internet.

    If it is not possible to boot the router into "recovery mode", the next option is to use JTAG - the serial interface inside the router (you must open the router box). So, use the JTAG interface in your router to flash a specific CFE bootloader. On the Internet, you'll also find ways to flash routers via JTAG.

    Not every router has this JTAG serial interface - in that case, unfortunately you have to remove the flash chip. The CFE bootloader can then be programmed via an external flash memory programmer. The flash process runs faster because we need to flash the CFE code only (it's a small code). Then you put the flash memory back onto the PCB board and boot the router into recovery mode (thanks to the CFE bootloader). Then use the standard firmware recovery method (TFTP upload firmware via TFTP client or via "Asus Firmware Restoration Tool").
     
    Last edited: Jan 4, 2018
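
The TFTP upload described in the post above (binary mode, router in recovery mode at 192.168.1.1), as an added example that is not part of the original thread: a minimal RFC 1350 write client in Python. The remote filename `firmware.trx`, the timeout and the retry count are assumptions, and it assumes the receiver accepts 16-bit block-number wraparound, which an image of 40MB or so needs at 512-byte blocks.

```python
import socket
import struct

OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 2, 3, 4, 5
BLOCK = 512  # RFC 1350 fixed data block size

def wrq_packet(filename):
    # "octet" is TFTP's binary mode; "netascii" would rewrite line
    # endings and corrupt a firmware image.
    return struct.pack("!H", OP_WRQ) + filename.encode() + b"\0octet\0"

def data_blocks(image):
    # Yield (block_number, payload). The transfer ends with a block shorter
    # than 512 bytes, empty if the image is an exact multiple of 512.
    # Block numbers are 16-bit, so they wrap past 65535 (images > ~32 MiB).
    for n in range(len(image) // BLOCK + 1):
        yield (n + 1) & 0xFFFF, image[n * BLOCK:(n + 1) * BLOCK]

def tftp_put(image, host="192.168.1.1", port=69, name="firmware.trx",
             timeout=2.0, retries=5):
    # host must be an IP literal: replies from any other address are ignored.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    peer = (host, port)

    def exchange(packet, want_block):
        nonlocal peer
        for _ in range(retries):
            sock.sendto(packet, peer)
            try:
                reply, addr = sock.recvfrom(516)
            except socket.timeout:
                continue  # lost packet: resend
            if addr[0] != host or len(reply) < 4:
                continue
            op, block = struct.unpack("!HH", reply[:4])
            if op == OP_ERROR:
                raise OSError(f"TFTP error {block}: {reply[4:]!r}")
            if op == OP_ACK and block == want_block:
                peer = addr  # server answers from its own transfer port
                return
        raise TimeoutError(f"no ACK for block {want_block}")

    with sock:
        exchange(wrq_packet(name), 0)  # write request, expect ACK 0
        for block, payload in data_blocks(image):
            exchange(struct.pack("!HH", OP_DATA, block) + payload, block)
    return len(image)
```

Call `tftp_put()` with the bytes of the .trx file from a computer set to the static IP 192.168.1.2, as the post describes.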
  4. TonyH

    TonyH Very Senior Member

    Joined:
    Feb 19, 2012
    Messages:
    1,600
    Location:
    Calgary AB Canada
    I'd think safely removing the chip may not be an easy task unless OP has the proper tools. As already mentioned there are a few more things to try.
     
  5. dribgnikcom

    dribgnikcom Occasional Visitor

    Joined:
    Dec 31, 2016
    Messages:
    10
    Gentlemen,

    Please let's not get into recovery methods... The router is bricked, KAPUT. Recovery is broken on this model, or something else is wrong with this router. I cannot use JTAG because JTAG locations are unknown/unpublished on this router.

    The question is simple. If you do not know, then please do not reply.

    Here is the TLDR version:

    If I desolder the 128MB NAND off the router, is flashing it externally as simple as taking the 40MB .trx file and padding it to 128MB and then flashing it?
     
  6. TonyH

    TonyH Very Senior Member

    Joined:
    Feb 19, 2012
    Messages:
    1,600
    Location:
    Calgary AB Canada
    Do you know whether the CFE is intact, and the memory map?
     
  7. dribgnikcom

    dribgnikcom Occasional Visitor

    Joined:
    Dec 31, 2016
    Messages:
    10
    I think the CFE is corrupt, I don't know what the memory map is.

    I could once get it to show the recovery page, but after using it to flash the stock firmware, it no longer shows up (or maybe it will after leaving it unplugged for a few months, waiting for a full moon, and then standing on one foot while holding my finger high up in the air - I don't mean to sound facetious -- this is really how touchy it is). I've tried discharging the primary input cap to make sure that anything retained is only in the NVRAM and then booting again to try and get it to show, I've tried using the serial console (it has always only just shown gibberish)... The fact of the matter is that I BOUGHT it this way because it was sold at a discount because of its condition.

    Is something physically wrong with it? Who knows... If the main CPU was defective, then how did the (albeit dysfunctional) recovery page show up initially.

    I want to rule that out by desoldering the flash chip and flashing it externally. If it works, fine. If not, then at least I know there's something wrong hardware-wise.

    Is there a way to flash it with what's publicly available (The CFE is available on this forum and the flash from Merlin or Asus), or do I need a dump of a working model?

    Thanks
     
  8. s3n0

    s3n0 Occasional Visitor

    Joined:
    Dec 5, 2017
    Messages:
    39
    Location:
    Slovakia
    The chance to recognize the goods claim is great. Of course, it depends on the particular seller! Some sellers send the goods for review to a specialized service center. In other cases, the vendor will only turn the router on to the electricity, and this will result in complete verification of the router damage. So, it depends only on how your salesperson proceeds in handling complaints. If the dealer detects an attack on the CFE, then it's over.

    I would recommend first trying to complain about this router to the dealer.

    If a product complaint fails, then try to diagnose your CFE through the serial interface inside the router. The AC3200 router does not contain the JTAG interface, but you can find the serial interface there (as I mentioned above). You can maybe try to check the CFE over the TTL serial interface inside the router.

    But I do not know what the procedures are, and whether they apply to all routers as well. Theoretically yes ... for example, read this:
    https://www.snbforums.com/threads/r...nal-firmware-374-291.13628/page-3#post-127088
     
    Last edited: Jan 13, 2018
  9. dribgnikcom

    dribgnikcom Occasional Visitor

    Joined:
    Dec 31, 2016
    Messages:
    10
    I bought the router like this, knowing it would need to be repaired. I paid a good price too :)

    No, serial recovery will not work because the CFE is not working.

    I have already spoken to someone and have arranged to have the NAND re-flashed for me.

    For anyone that's curious on how to do it, all I know is that I need to have the CFE flashed to the NAND first. After that, I will be able to use the serial console. I'm not sure where to go from there, but having a working serial console is the first step. From there it should be pretty easy to look up the procedure of uploading the firmware.
     
  10. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    12,752
    Location:
    San Diego, CA
    One could preflash the CFE onto a NAND, and drop it in - seems like a lot of rework when this is really a SW issue with a corrupt NAND.

    In the real world - your NAND chip is likely just fine - you just need to erase it, use JTAG to find the boot vector of the ARM, and load the CFE in-situ from there. You'll need to have the boot vector at a minimum, as the memory mapping and interfaces for a compatible CFE configuration are already there.

    I'm not going to tell you step by step, as I generally get good money to do bootstraps like this - but if you search around you'll find it - check the openwrt wiki... you probably won't get a full answer, but you'll find enough info to sort things.

    One more tip - if you're going to go forward with desoldering the NAND - put on a socket, makes things much easier afterwards if one is doing board/chip level work.
     
  11. dribgnikcom

    dribgnikcom Occasional Visitor

    Joined:
    Dec 31, 2016
    Messages:
    10
    I can't JTAG -- there is no info available on that for this model. I'd already considered it, and I have had my eye on a JTAG device I've wanted to purchase for a while now.

    Regarding the socket -- SMT TSOP48 sockets are expensive... Not to mention that I don't have a proper reflow setup, so that's out of the question (whereas with re-flowing the bare TSOP48, I can make manual corrections later if there are bridged pins and whatnot).

    I have purchased a new S34ML01G100TFI00, and I am paying Bad_Ad84 over at AmiBay to have it flashed for me. We'll use the CFE posted in this thread.

    (I should note that my H/W revision is 2.35 and the CFE offered is for 2.34, but that is almost certainly not an issue). After it's soldered back in, I will look up the procedure for restoring the firmware from a serial console (having a CFE re-flashed externally should now give me access to it).

    I will post an update, G-D willing, when it's done.
     
  12. dribgnikcom

    dribgnikcom Occasional Visitor

    Joined:
    Dec 31, 2016
    Messages:
    10
    Unfortunately, flashing the CFE on to a new chip and soldering that one on did not fix the problem.

    I think that the router has other issues and the problem isn't the flash.

    With the new chip in, it behaves as though no chip is present at all. I resoldered the old chip back on, and the old behavior is still there.

    There is no output on the serial console with either chip.

    Oh well.
     
  13. nicnec

    nicnec New Around Here

    Joined:
    May 18, 2018
    Messages:
    3
    There was something else with the router: I also have an RT-AC68U that at startup illuminates LAN 1, 2, 3, 4 and WAN and otherwise nothing else. I tried a reset but no result. I think there is a need for CFE rewriting.
     