Tutorial ASUS ROUTERS JTAG RECOVERY

[hggomes]

This will be the new thread for JTAG discution started on ASUS ROUTERS CFE DUMPS COLLECTION:

http://forums.smallnetbuilder.com/showthread.php?t=17793&page=11
http://forums.smallnetbuilder.com/showthread.php?t=17793&page=15

 

[bbsc]

Run this:

openocd --debug 3 -f C:\openocd-0.8.0\scripts\interface\ftdi\tumpa.cfg -f C:\openocd-0.8.0\scripts\target\asus-rt-n66u.cfg -c "adapter_khz 3000"

Where was asus-rt-n66u.cfg taken from?
There's no such file in the source.

 

[Vaesel]

Where was asus-rt-n66u.cfg taken from?
There's no such file in the source.

http://openocd.zylin.com/#/c/2153/

Ill try the "--debug 3" later today.

 

[Vaesel]

Asus AC66U

http://postimg.org/image/p4ztqvfgf/ Thanks to the user bbsc
http://postimg.org/image/g7f3tin0f/ Thanks to the user bbsc
http://postimg.org/image/qirgm6epr/ Thanks to the user bbsc

openocd -f C:\openocd-0.8.0\scripts\interface\ftdi\tumpa.cfg -f C:\openocd-0.8.0\scripts\target\asus-rt-n66u.cfg -c "adapter_khz 3000"

Open On-Chip Debugger 0.8.0 (2014-04-28-08:42)
Licensed under GNU GPL v2
For bug reports, read
        http://openocd.sourceforge.net/doc/doxygen/bugs.html
Info : only one transport option; autoselect 'jtag' none separate

adapter speed: 3000 kHz
Info : clock speed 3000 kHz
Info : JTAG tap: bcm4706.cpu tap/device found: 0x000c317f (mfg: 0x0bf, part:0c3, ver: 0x0)
Warn : JTAG tap: bcm4706.cpu       UNEXPECTED: 0x000c317f (mfg: 0x0bf, part:0c3, ver: 0x0)
Error: JTAG tap: bcm4706.cpu  expected 1 of 1: 0x1008c17f (mfg: 0x0bf, part:08c, ver: 0x1)
Error: Trying to use configured scan chain anyway...
Error: IR capture error at bit 5, saw 0x01 not 0x...3
Warn : Bypassing JTAG setup events due to errors
Error: Error writing unexpected address 0xffffffff
Error: Error writing unexpected address 0xffffffff
Error: Error writing unexpected address 0xffffffff
Error: Error writing unexpected address 0xffffffff
Error: Error writing unexpected address 0xffffffff
Error: Error writing unexpected address 0xffffffff
Error: Error writing unexpected address 0xffffffff
Error: Error writing unexpected address 0xffffffff
target state: halted
target halted in MIPS32 mode due to undefined, pc: 0x00000000
And so on.

openocd --debug 3 -f C:\openocd-0.8.0\scripts\interface\ftdi\tumpa.cfg -f C:\openocd-0.8.0\scripts\target\asus-rt-n66u.cfg -c "adapter_khz 3000"

I cant get the first 99 lines to copy and paste (windows dos/terminal wont let me) And the forum dosent allow a long post so ill upload the .txt file of the output:

[URL="http://rghost.net/57641509"]http://rghost.net/57641509[/URL]

 

[hggomes]

See if you can trace the marked red A16 pin.

 

[bbsc]

Here's what I have now.

 

[hggomes]

That's AC66U or N66U? It seems inicialized, try to telnet to device now.

 

[bbsc]

That's AC66U. The same as Vaesel has with the same problem after the same actions.

Teltet it? Via what connection?

 

[hggomes]

Your output is different from Vaesel output.

telnet localhost 4444

 

[bbsc]

Here we go:

root@D630:/home/s# telnet localhost 4444
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
>

 

[hggomes]

Now you only need to upload the CFE and you will have your router back.

It's really curious that with the same hardware you were able to inicialize it and Vaesel don't, are you sure the revision / hardware is EXACTLY the same?

 

[bbsc]

Good news.
Can you tell me the necessary commands?

My router is exactly the same - it was my photos taken by myself above.
But I use dlc5 cable and LPT port. Maybe it's the reason.

 

[hggomes]

Try this commands:

init
flash info 0
erase_part CFE
flash_part CFE /pathofcfe.bin

 

[bbsc]

> init
> flash info 0
Target not halted
auto_probe failed
in procedure 'flash'
> bcm4706.cpu arp_halt
target state: halted
target halted in MIPS32 mode due to debug-request, pc: 0xbfc0038c
> flash info 0
Flash Manufacturer/Device: 0xb800 0x3c12
Could not probe bank: no QRY
Try workaround w/0x555 instead of 0x55 to get QRY.
Could not probe bank: no QRY
auto_probe failed
in procedure 'flash'
>

What's that workaround?

 

[hggomes]

That's great news, it's the cable then.

It's Xilinx Cable II/III Parallel Cable right?

That message is showing because the flash is not the same as on N66U, you will need to change the .cfg file to match your nand flash on ac66u (Zentel).

 

[bbsc]

It's really curious that with the same hardware you were able to inicialize it and Vaesel don't, are you sure the revision / hardware is EXACTLY the same?

One more tip.
I've soldered that pullup 10k resistor.
The place is obvious: unpopulated footprint.

I'm not shure Vaesel did the same, need to ask him.

As for my cable, it's the simplest dlc5: only 5 wires and 4 resistors.
But I have a Dell Latitude D630 with docking station here. It's equipped with a real LPT

 

[hggomes]

Dah, so that's why

Like i said before it was weird the different outputs

He didn't, that's the reason to be stucked on MIPS32 MODE.

That unpopulated footprint is the one connected to the A16 pin, thank you for your confirmation and feedback.

When i suggest to add the resistor to that pin was based on N66U hardware configuration (A16), even it's a different place on the PCB of AC66U.

 

[bbsc]

That message is showing because the flash is not the same as on N66U, you will need to change the .cfg file to match your nand flash on ac66u (Zentel).

Looks like cfe and nvram are in the SPI....
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=703187#703187
Damn...

On the one side, I can always solder it off and reprogram.
On the other hand, things become more interesting

 

[GoNz0]

so what jtag kit are you using as I have to do this on my N66u

 

[bbsc]

No kits
I have a computer with LPT port (it's such a big connector with 25 pins in it)
That's why I can use a simple dlc5 cable: just 5 wires and 4 100-Ohm resistors.