RT-N66U (Broadcom 4706) Jtag

[socal87]

Following ryzhov_al's thread on the 64K CFE mod, I went through the process and somehow wrote a corrupted CFE to my router. WAN, LAN1, and LAN2 would glow, while serial would show "Decompressing...error 01" on boot. So, I'm opening this thread for anyone who has experience with jtag software to offer their suggestions, and to share what has been discovered so far.

I am using a Tiao USB MultiProtocol Adapter with zJTAG and have soldered a pin header to J2 on the N66's board. Pinout is as follows:

Note: Pin 1 has a white square on top of the board and a square solder pad
nTRST 1 2 GND
TDI 3 4 GND
TDO 5 6 GND
TMS 7 8 GND
TCK 9 10 GND

Connections between TUMPA and J2:

RT-N66 J2 TUMPA JTAG
1-----------------3
3-----------------5
4-----------------4 (Ground, to prevent leak current)
5-----------------13
7-----------------7
9-----------------9

So far I have not been able to successfully erase CFE or NVRAM. zJTAG does not support the 4706 as of yet, but using /fc: and /instrlen: there has been some breakthroughs although with no results. The router seems to like 15Mhz test clock best.

I was able to write CFE using

zjtag -flash:cfe /l1:1 /noerase /fc:115

where /L1:1 tells the TUMPA to use 15MHz TCK, and /fc:115 assumes flash chip is a 16MB S29GL128N (I am aware the router has 32MB flash but zJTAG does not seem to have any working code for 32MB chips). Here's the output:

==============================================
zJTAG EJTAG Debrick Utility V0.6
==============================================


Set I/O speed to 15000 KHz

USB TAP device has been initialized. Please confirm VREF signal connected!
Press any key to continue... ONCE target board is powered on!

Probing bus ... Done

Detected IR Length is 0

Warning: detected/set IR Length isn't same as knew!
(Defined IR length: 5, detected/set: 0)

CPU assumed running under LITTLE endian

CPU Chip ID: 00000000000000000000000000000000 (00000000)
*** Found a AMD manufactured Atheros AR531X/231X REV 01 CPU ***

- EJTAG IMPCODE ....... : 00000000000000000000000000000000 (00000000)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor did NOT enter Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
*** Manually Selected a S29GL128N/M29W128G Uni (16MB) from AMD/Spansion

- Flash Chip Window Start .... : 1C000000
- Flash Chip Window Length ... : 01000000
- Selected Area Start ........ : 1C000000
- Selected Area Length ....... : 00040000

*** You Selected to Flash the CFE.BIN ***

=========================
Flashing Routine Started
=========================

Loading CFE.BIN to Flash Memory...
Done (CFE.BIN loaded into Flash Memory OK)

=========================
Flashing Routine Complete
=========================
elapsed time: 83 seconds


*** REQUESTED OPERATION IS COMPLETE ***

Looks as though it worked, but still no response from the router. Serial doesn't get ANYTHING now.

Here is the thread at the Tiao forums requesting 4706 support in zJTAG:
http://www.tiaowiki.com/forums/index.php/topic,4102.0.html

 

[socal87]

I haven't updated this in a while, but there have definitely been some useful discoveries. zjtag v1.0 identifies the CPU as Broadcom when properly initialized; it seems using a divider of /L1:3 and instruction length of /instrlen:27 results in proper CPU identification. A good way to narrow it down is pay attention to the Detected IR Chain Length - it should be 5.

There are some bugs in the zjtag software, and other jtag software that supports the TIAO USB Multi Protocol Adapter don't recognize the BCM4706 present in this router. We're still working on it, but there have been some successes in recovery.

Here are other threads with very useful information:
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=167147
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=164504

Also, the thread I linked in my previous post has reflected ongoing discoveries as well.

I would like to point out that the new Asus RT-AC66U uses the same Broadcom 4706 chipset, and its 2MB Macronix SPI flash chip should already be supported, so once we have JTAG software capable of properly handling the 4706, we'll have viable hardware level recovery for both the N66 and AC66.

If you've managed to brick your 4706 based router, don't give up on it yet...mine has all but stopped responding after several false flashes, but we still think we can get it back up and running. Read the threads...they're good info, especially if you're someone who tinkers with bootloaders a lot; understanding JTAG can help out with a wide range of embedded electronics.

 

[mstombs]

Small update on this. I have a RTN-66U with JTAG pins, and using simple parallel port cable and URJTAG on Ubuntu get this

UrJTAG is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
There is absolutely no warranty for UrJTAG.

warning: UrJTAG may damage your hardware!
Type "quit" to exit, "help" for help.

jtag> cable DLC5 ppdev /dev/parport0
Initializing ppdev port /dev/parport0
jtag> detect
IR length: 32
Chain length: 1
Device Id: 00000000000011000011000101111111 (0x000C317F)

Can also get the same ID from TJTAG3.01 or zjtag 1.8 (bleeding edge RC) by forcing an instructlen of 7 (not 27 as above with usb tool).

The problem seems to be that Broadcom have implemented multi TAPs (Test Access Port Controller) in their embedded CPU. There's an LV mode which uses an IR of 32, but we need to discover how to bypass that and get to the mips 74K core TAP which uses an IR of 5.

These modes (and another of 8 bit width) are defined in a commonly available header file hndjtagdefs.h, for example:-

https://github.com/RMerl/asuswrt-me...release/src-rt-6.x.4708/include/hndjtagdefs.h

But I haven't seen any GPL sourcecode file that uses this, nor do I understand how to use!

Tornado "GPL ignoring" version of OpenWRT wrt54g JTAG tool TJTAG 3.02 does know something about LV mode, so does commercial usbjtag usbbdm, but presumably anybody who has access to Broadcom material is under NDA - so can anybody guess what initialisation sequence is needed?