Tutorial ASUS ROUTERS JTAG RECOVERY

WPS 5 sec hold on power on - No indication the router noticed (I would assume the LEDs should blink off to indicate power cycling?). Let it sit for a good 5 minutes while I checked the mail. Power cycled and wandered off for a few more minutes, still no response to ping or attempts to bring up the GUI. Luckily I kept my old RT-N16 (running Merlin actually) so that's keeping me up and running.

Doing a reset through the WPS button does not provide any visual cue from what I remember. Did you try again going into recovery mode with the reset button after that?

Beyond that, the next steps would be either hook it with a serial cable, or have it replaced. It's highly unlikely to require JTAG, as that would mean that the CFE got corrupted, which is doubtful.
 
Still no luck with getting it into recovery mode. Since I have to pull it apart to get to the serial pins I'll have to check out the reset button, never had to use it on this router, maybe I got "lucky" and it's just a bad button.
 
Another "bricked" RT-AC68U, formerly an AC-1900. I had successfully upgraded the CFE and had Tomato installed. I wasn't impressed by the wireless range and wanted to try out the Asus firmware. I tried flashing the Asus firmware from within Tomato, DD-WRT and the recovery site. Every time I flashed the firmware it said it was successful but upon rebooting it was still on the firmware I started with.

During the flashing trials I noticed that my PC would get a connection during the boot up and then drop it then come back about a minute later. During one of the flashes I tried to go to the web GUI during the first connection and realized it was going to the recovery site. On the last flash attempt I decided to clear the NVRAM when the recovery site was available. The site indicated that the NVRAM clear was successful and it appeared to reboot after that.

Now I can no longer get into the router. I cannot ping the router. I have a static IP of 192.168.1.5 set. I have tried an NVRAM clear by powering on with the WPS button being held in. I have also tried to get into recovery by holding reset button but it doesn't seem to work. The power light stays solid until I have held it for 20 seconds then it starts to flash but very very slow. The light goes off for 15 seconds then it comes on for 15 seconds. The only lights that come on now are the power light and the Ethernet port light that I am connected to.

Is this recoverable with serial, JTAG or some other way? If it requires JTAG or serial is there anything showing how to open this router? I haven't been able to find any screws.

Thanks for any possible help!
 
agentsmith23,

Since you stated that the power light flashes very slowly, have you tried to get into the router at address 192.168.29.1 instead of 192.168.1.1?

Set your IP to 192.168.29.2 and try getting into 192.168.29.1 (or just ping it) just to make sure that the CFE wasn't somehow updated to the TMobile CFE 2.1.2.2 since you were using the Asus firmware updater. Not likely, but worth a shot.
 
Sorry I didn't mention it but I did try that already. Prior to not being able to get into recovery mode the power light would flash once every 2-3 seconds and it would start within a few seconds of plugging in the power cable.
 
Hi,

I need your help to debrick my second RT-AC68U.

I made a mistake when flashing the CFE: I forgot to change the MAC address :(

With the serial console I have this:

BOOT:

Code:
CFE version 6.37.14.86 (r456083) based on BBP 1.0.37 for BCM947XX (32bit,SP,)
Build Date: Mon Jun  9 16:50:11 CST 2014 (defjovi@localhost.localdomain)
Copyright (C) 2000-2008 Broadcom Corporation.

Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
DDR Clock: 666 MHz
Info: DDR frequency set from clkfreq=800,*666*
CPU type 0x0: 800MHz
Tot mem: 262144 KBytes

CFE mem:    0x00F00000 - 0x01795660 (9000544)
Data:       0x00F4DCBC - 0x00F4E188 (1228)
BSS:        0x00F4E198 - 0x00F93660 (283848)
Heap:       0x00F93660 - 0x01793660 (8388608)
Stack:      0x01793660 - 0x01795660 (8192)
Text:       0x00F00000 - 0x00F44374 (279412)

Null Rescue Flag.
boot the image...
go load
Loader:raw Filesys:tftp Dev:(null) File:: Options:(null)
Loading: TFTP Server.
Failed.
Could not load :: Error
Loader:raw Filesys:raw Dev:nflash0.os File: Options:(null)
Loading: .... 4001504 bytes read
Entry at 0x00008000
Starting program at 0x00008000
console [ttyS0] enabled, bootconsole disabled
serial8250.0: ttyS1 at MMIO 0x18000400 (irq = 117) is a 16550
brd: module loaded
loop: module loaded
pflash: found no supported devices
bcmsflash: found no supported devices
Boot partition size = 524288(0x80000)
lookup_nflash_rootfs_offset: offset = 0x200000
nflash: squash filesystem with lzma found at block 28
Creating 4 MTD partitions on "nflash":
0x000000000000-0x000000080000 : "boot"
0x000000080000-0x000000200000 : "nvram"
0x000000200000-0x000002000000 : "linux"
0x0000003988d0-0x000002000000 : "rootfs"
PPP generic driver version 2.4.2
PPP MPPE Compression module registered
NET: Registered protocol family 24
PPTP driver version 0.8.5
=== PPTP init ===
u32 classifier
    Actions configured
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (3992 buckets, 15968 max)
xt_time: kernel timezone is -0000
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP cubic registered
NET: Registered protocol family 10
ip6_tables: (C) 2000-2006 Netfilter Core Team
NET: Registered protocol family 17
L2TP core driver, V2.0
PPPoL2TP kernel driver, V2.0
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
Registering the dns_resolver key type
Northstar brcmnand NAND Flash Controller driver, Version 0.1 (c) Broadcom Inc. 2012
NAND device: Manufacturer ID: 0x01, Chip ID: 0xf1 (AMD NAND 128MiB 3,3V 8-bit)
Spare area=64 eccbytes 56, ecc bytes located at:
 2 3 4 5 6 7 8 9 10 11 12 13 14 15 18 19 20 21 22 23 24 25 26 27 28 29 30 31 34 35 36 37 38 39 40 41 42 43 44 45 46 47 50 51 52 53 54 55 56 57 58 59 60 61 62 63
Available 7 bytes at (off,len):
(1,1) (16,2) (32,2) (48,2) (0,0) (0,0) (0,0) (0,0) 
Scanning device for bad blocks
Bad eraseblock 92 at 0x000000b80000
Bad eraseblock 527 at 0x0000041e0000
Options: NO_AUTOINCR,NO_READRDY,BBT_SCAN2NDPAGE,
Creating 2 MTD partitions on "brcmnand":
0x000002000000-0x000007ec0000 : "brcmnand"
0x000007ec0000-0x000008000000 : "asus"
VFS: Mounted root (squashfs filesystem) readonly on device 31:3.
devtmpfs: mounted
Freeing init memory: 212K
## mknod /dev/null: File exists
## mknod /dev/console: File exists
set_action 0


Hit ENTER for console...

firmware version: 3.0.0.4.376.47_0
[1 preinit:init_nvram +7] init_nvram for 29
num_of_mssid_support(0x0092): [mssid] support [3] mssid

FA off.
ctf: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
et_module_init: passivemode set to 0x0
et_module_init: txworkq set to 0x1
et_module_init: et_txq_thresh set to 0x400
------------[ cut here ]------------
WARNING: at net/core/dev.c:4836 rollback_registered_many+0xf8/0x29c()
module:  et	 bf00b000	 78446
module:  ctf	 bf000000	 17519
Modules linked in: et(P+) ctf(P)
[<c0044000>] (unwind_backtrace+0x0/0xf8) from [<c00616e0>] (warn_slowpath_common+0x4c/0x64)
[<c00616e0>] (warn_slowpath_common+0x4c/0x64) from [<c0061714>] (warn_slowpath_null+0x1c/0x24)
[<c0061714>] (warn_slowpath_null+0x1c/0x24) from [<c01f7208>] (rollback_registered_many+0xf8/0x29c)
[<c01f7208>] (rollback_registered_many+0xf8/0x29c) from [<c01f748c>] (unregister_netdevice_queue+0x70/0xb8)
[<c01f748c>] (unregister_netdevice_queue+0x70/0xb8) from [<c01f74ec>] (unregister_netdev+0x18/0x20)
[<c01f74ec>] (unregister_netdev+0x18/0x20) from [<bf00b19c>] (et_free+0x48/0x154 [et])
[<bf00b19c>] (et_free+0x48/0x154 [et]) from [<bf01718c>] (et_probe+0x510/0x58c [et])
[<bf01718c>] (et_probe+0x510/0x58c [et]) from [<c017391c>] (pci_device_probe+0x5c/0x80)
[<c017391c>] (pci_device_probe+0x5c/0x80) from [<c0190b84>] (driver_probe_device+0x78/0x174)
[<c0190b84>] (driver_probe_device+0x78/0x174) from [<c0190d0c>] (__driver_attach+0x8c/0x90)
[<c0190d0c>] (__driver_attach+0x8c/0x90) from [<c018fde0>] (bus_for_each_dev+0x54/0x80)
[<c018fde0>] (bus_for_each_dev+0x54/0x80) from [<c01904d8>] (bus_add_driver+0x98/0x230)
[<c01904d8>] (bus_add_driver+0x98/0x230) from [<c0190f10>] (driver_register+0x78/0x13c)
[<c0190f10>] (driver_register+0x78/0x13c) from [<c0173b84>] (__pci_register_driver+0x44/0xb4)
[<c0173b84>] (__pci_register_driver+0x44/0xb4) from [<c003d5bc>] (do_one_initcall+0x30/0x19c)
[<c003d5bc>] (do_one_initcall+0x30/0x19c) from [<c008edc4>] (sys_init_module+0x11c/0x1bac)
[<c008edc4>] (sys_init_module+0x11c/0x1bac) from [<c003dac0>] (ret_fast_syscall+0x0/0x30)
---[ end trace 964ee11f14f45a73 ]---
network todo 'eth%d' but state 0
[<c0044000>] (unwind_backtrace+0x0/0xf8) from [<c01f8eac>] (netdev_run_todo+0x1d0/0x21c)
[<c01f8eac>] (netdev_run_todo+0x1d0/0x21c) from [<bf00b19c>] (et_free+0x48/0x154 [et])
[<bf00b19c>] (et_free+0x48/0x154 [et]) from [<bf01718c>] (et_probe+0x510/0x58c [et])
[<bf01718c>] (et_probe+0x510/0x58c [et]) from [<c017391c>] (pci_device_probe+0x5c/0x80)
[<c017391c>] (pci_device_probe+0x5c/0x80) from [<c0190b84>] (driver_probe_device+0x78/0x174)
[<c0190b84>] (driver_probe_device+0x78/0x174) from [<c0190d0c>] (__driver_attach+0x8c/0x90)
[<c0190d0c>] (__driver_attach+0x8c/0x90) from [<c018fde0>] (bus_for_each_dev+0x54/0x80)
[<c018fde0>] (bus_for_each_dev+0x54/0x80) from [<c01904d8>] (bus_add_driver+0x98/0x230)
[<c01904d8>] (bus_add_driver+0x98/0x230) from [<c0190f10>] (driver_register+0x78/0x13c)
[<c0190f10>] (driver_register+0x78/0x13c) from [<c0173b84>] (__pci_register_driver+0x44/0xb4)
[<c0173b84>] (__pci_register_driver+0x44/0xb4) from [<c003d5bc>] (do_one_initcall+0x30/0x19c)
[<c003d5bc>] (do_one_initcall+0x30/0x19c) from [<c008edc4>] (sys_init_module+0x11c/0x1bac)
[<c008edc4>] (sys_init_module+0x11c/0x1bac) from [<c003dac0>] (ret_fast_syscall+0x0/0x30)
wl_module_init: passivemode set to 0x0
wl_module_init: txworkq set to 0x1
wl driver 6.37.14.86 (r456083) failed with code 22
wl driver 6.37.14.86 (r456083) failed with code 22
/ # [1 preinit:init_main +12] main loop signal/state=12
start_logger:
start_usb
no tune_bdflush
ready to modprobe usb3/xhci
xhci_hcd 0000:00:0c.0: Failed to enable MSI-X
xhci_hcd 0000:00:0c.0: failed to allocate MSI entry
usb usb1: No SuperSpeed endpoint companion for config 1  interface 0 altsetting 0 ep 129: using minimum values
start_lan 1267
update_lan_state(lan_, 0, 0)
generate_wl_para(0x0e00): unit 0 subunit -1
eth1: WLC_GET_VAR(cap): No such device
num_of_mssid_support(0x0092): [mssid] support [3] mssid
generate_wl_para(0x109b): bw: 0
generate_wl_para(0x109d): chanspec: 0
generate_wl_para(0x109e): bw_cap: 3
generate_wl_para(0x10a4): obss_coex: 1
wlconf_pre(0x02f6): set vhtmode 1
generate_wl_para(0x0e00): unit 1 subunit -1
eth2: WLC_GET_VAR(cap): No such device
num_of_mssid_support(0x0092): [mssid] support [3] mssid
chanspec_fix(0x0796): unit: 1, bw_cap: 7, chanspec: 0
generate_wl_para(0x109b): bw: 0
generate_wl_para(0x109d): chanspec: 0
generate_wl_para(0x109e): bw_cap: 7
generate_wl_para(0x10a4): obss_coex: 1
wlconf_pre(0x02f6): set vhtmode 1
start_lan: setting up the bridge br0
Unable to handle kernel NULL pointer dereference at virtual address 00000004
pgd = ce74c000
[00000004] *pgd=9e72a031, *pte=00000000, *ppte=00000000
Internal error: Oops: 17 [#1] PREEMPT SMP
last sysfs file: /sys/module/nf_conntrack/parameters/hashsize
Digital core power voltage set to 0.9375V
Decompressing...done
Digital core power voltage set to 0.9375V

SHMOO VER 1.13

2 bad eraseblocks:
Code:
Bad eraseblock 92 at 0x000000b80000
Bad eraseblock 527 at 0x0000041e0000

Nvram = MAC address: XX:XX:XX:XX....... :mad:

I think the switch is not even recognized.

Is it possible to put the CFE on a USB key and flash it with the router?
I am trying to mount sda1 but without success.....

I did not find the wiring diagram of the JTAG port on the internet .....

Please help me
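
To see which flash regions the two bad eraseblocks in the log above fall into, here is an added example (not part of the original post) that parses the MTD partition tables and bad-block lines and maps one onto the other. The sample lines are constructed from the posted log; treating the "nflash" and "brcmnand" tables as one address space on the same NAND chip is an assumption.

```python
import re

# Constructed sample: partition and bad-block lines as they appear in the posted log.
SAMPLE_LOG = """\
Creating 4 MTD partitions on "nflash":
0x000000000000-0x000000080000 : "boot"
0x000000080000-0x000000200000 : "nvram"
0x000000200000-0x000002000000 : "linux"
0x0000003988d0-0x000002000000 : "rootfs"
Bad eraseblock 92 at 0x000000b80000
Bad eraseblock 527 at 0x0000041e0000
Creating 2 MTD partitions on "brcmnand":
0x000002000000-0x000007ec0000 : "brcmnand"
0x000007ec0000-0x000008000000 : "asus"
"""

PART_HDR = re.compile(r'Creating \d+ MTD partitions on "([^"]+)"')
PART_ROW = re.compile(r'^(0x[0-9a-fA-F]+)-(0x[0-9a-fA-F]+) : "([^"]+)"')
BAD_BLK = re.compile(r'Bad eraseblock (\d+) at (0x[0-9a-fA-F]+)')


def parse_log(text):
    """Return (partitions, bad_blocks) parsed from a kernel boot log."""
    parts, bad, device = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if m := PART_HDR.search(line):
            device = m.group(1)
        elif m := PART_ROW.match(line):
            parts.append((device, m.group(3), int(m.group(1), 16), int(m.group(2), 16)))
        elif m := BAD_BLK.search(line):
            bad.append((int(m.group(1)), int(m.group(2), 16)))
    return parts, bad


def locate_bad_blocks(text):
    """Map each bad eraseblock number to the partitions whose range covers it."""
    parts, bad = parse_log(text)
    return {
        blk: [f"{dev}:{name}" for dev, name, lo, hi in parts if lo <= off < hi]
        for blk, off in bad
    }


def bootloader_affected(text):
    """True if any bad block lies in the "boot" (CFE) or "nvram" partition."""
    hits = locate_bad_blocks(text).values()
    return any(p.endswith((":boot", ":nvram")) for names in hits for p in names)
```

For this log, neither bad block overlaps the "boot" or "nvram" ranges, which fits the later replies treating the MAC address values as the thing to fix.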
 
You can fix it by changing your macaddress again via serial CFE prompt.

Upload the new CFE already fixed via TFTP or change it via nvram command.
 
I am a noob with terminal commands.

Can you help me?

If I try to run TFTP, there is no TFTP server running .....

By nvram command, why not, but how do I do it?
 
Check if you have nvram command available on CFE, if so use:

nvram set et0macaddr=XX:XX:XX:XX:XX:XX
nvram set 0:macaddr=XX:XX:XX:XX:XX:XX
nvram set 1:macaddr=XX:XX:XX:XX:XX:XX

nvram commit
reboot

PS: Replace the XX:XX:XX:XX:XX:XX with your original CFE values.

I'm not sure if that will work, because I cannot remember at this time if it's done that way or via setenv; I need to connect to one of my routers to confirm how it's done. TFTP, I also think, works only for FW upload, not for CFE.

Give it a try; if it doesn't work I can check it for you.
 
I love you :D

Code:
Decompressing...done
Detect CPU turbo button...

CFE version 6.37.14.86 (r456083) based on BBP 1.0.37 for BCM947XX (32bit,SP,)
Build Date: Mon Jun  9 16:50:11 CST 2014 (defjovi@localhost.localdomain)
Copyright (C) 2000-2008 Broadcom Corporation.

Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
DDR Clock: 666 MHz
Info: DDR frequency set from clkfreq=800,*666*
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 6.37.14.86 (r456083)
CPU type 0x0: 800MHz
Tot mem: 262144 KBytes

CFE mem:    0x00F00000 - 0x01795660 (9000544)
Data:       0x00F4DCBC - 0x00F4E188 (1228)
BSS:        0x00F4E198 - 0x00F93660 (283848)
Heap:       0x00F93660 - 0x01793660 (8388608)
Stack:      0x01793660 - 0x01795660 (8192)
Text:       0x00F00000 - 0x00F44374 (279412)

Device eth0:  hwaddr 40-16-7E-58-6C-90, ipaddr 192.168.1.1, mask 255.255.255.0
        gateway not set, nameserver not set
Null Rescue Flag.
boot the image...
go load
Loader:raw Filesys:tftp Dev:eth0 File:: Options:(null)
Loading: TFTP Server.
..tftp retry wait 0
Failed.
Could not load :: Timeout occured
Loader:raw Filesys:raw Dev:nflash0.os File: Options:(null)
Loading: .... 4001504 bytes read
Entry at 0x00008000
Closing network.
Starting program at 0x00008000
console [ttyS0] enabled, bootconsole disabled
serial8250.0: ttyS1 at MMIO 0x18000400 (irq = 117) is a 16550
brd: module loaded
loop: module loaded
pflash: found no supported devices
bcmsflash: found no supported devices
Boot partition size = 524288(0x80000)
lookup_nflash_rootfs_offset: offset = 0x200000
nflash: squash filesystem with lzma found at block 28
Creating 4 MTD partitions on "nflash":
0x000000000000-0x000000080000 : "boot"
0x000000080000-0x000000200000 : "nvram"
0x000000200000-0x000002000000 : "linux"
0x0000003988d0-0x000002000000 : "rootfs"
PPP generic driver version 2.4.2
PPP MPPE Compression module registered
NET: Registered protocol family 24
PPTP driver version 0.8.5

Do I have to flash the CFE now, with the correct MAC address?
 
Ok it worked, then you can now type "go" and see if it boots the FW fine.

I don't think you need anything else if the values are already saved on the CFE.
 
I'm glad you have fixed it :D

What I can tell you is that you were quite lucky to still have an intact bootloader after you failed editing it; most of the time that doesn't happen and a brick will happen.

Keep in mind that CFE is something very sensitive. If you are not 100% sure of what you are doing you can kill the router, and you would be forced to find a programmer and program your chip again. Believe me, that's not something you would like to do :D
 
I just made a backup of the CFE and there is always the 0macadress=XX:XX:XX:XX

I'll edit the CFE with winhex.

What is the best procedure to flash the CFE?
 
You are welcome :D
 
CFE flashed, everything is OK ;)

Thank you :cool:
 
Hi stefauresi,
I would appreciate it if you could provide me details about how you connected serial/JTAG to the RT-AC86U. What kind of JTAG/serial interface did you use?

I have a broken RT-AC66U, which is probably due to a CFE issue. I do have the original CFE.bin. I think I can safely flash back to the AC66U, but I will need some tools to do it.

thanks in advance for your help.
 
Press RESET without releasing it before turning ON the router, then keep holding it and see if you have the power LED blinking.

What lights are on when you power up the router?
 
Unfortunately 3 solid blue lights on port 2, 1 and internet led :(
 