Dismiss Notice

Welcome To SNBForums

SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.

If you'd like to post a question, simply register and have at it!

While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!

RT-N66U (Broadcom 4706) Jtag

Discussion in 'ASUS N Routers & Adapters' started by socal87, Jan 13, 2013.

  1. socal87

    socal87 New Around Here

    Jan 13, 2013
    The interwebs
    Following ryzhov_al's thread on the 64K CFE mod, I went through the process and somehow wrote a corrupted CFE to my router. WAN, LAN1, and LAN2 would glow, while serial would show "Decompressing...error 01" on boot. So, I'm opening this thread for anyone who has experience with jtag software to offer their suggestions, and to share what has been discovered so far.

    I am using a Tiao USB MultiProtocol Adapter with zJTAG and have soldered a pin header to J2 on the N66's board. Pinout is as follows:
    Connections between TUMPA and J2:
    So far I have not been able to successfully erase CFE or NVRAM. zJTAG does not support the 4706 as of yet, but using /fc: and /instrlen: there has been some breakthroughs although with no results. The router seems to like 15Mhz test clock best.

    I was able to write CFE using
    where /L1:1 tells the TUMPA to use 15MHz TCK, and /fc:115 assumes flash chip is a 16MB S29GL128N (I am aware the router has 32MB flash but zJTAG does not seem to have any working code for 32MB chips). Here's the output:
    Looks as though it worked, but still no response from the router. Serial doesn't get ANYTHING now.

    Here is the thread at the Tiao forums requesting 4706 support in zJTAG:
  2. socal87

    socal87 New Around Here

    Jan 13, 2013
    The interwebs
    I haven't updated this in a while, but there have definitely been some useful discoveries. zjtag v1.0 identifies the CPU as Broadcom when properly initialized; it seems using a divider of /L1:3 and instruction length of /instrlen:27 results in proper CPU identification. A good way to narrow it down is pay attention to the Detected IR Chain Length - it should be 5.

    There are some bugs in the zjtag software, and other jtag software that supports the TIAO USB Multi Protocol Adapter don't recognize the BCM4706 present in this router. We're still working on it, but there have been some successes in recovery.

    Here are other threads with very useful information:

    Also, the thread I linked in my previous post has reflected ongoing discoveries as well.

    I would like to point out that the new Asus RT-AC66U uses the same Broadcom 4706 chipset, and its 2MB Macronix SPI flash chip should already be supported, so once we have JTAG software capable of properly handling the 4706, we'll have viable hardware level recovery for both the N66 and AC66.

    If you've managed to brick your 4706 based router, don't give up on it yet...mine has all but stopped responding after several false flashes, but we still think we can get it back up and running. Read the threads...they're good info, especially if you're someone who tinkers with bootloaders a lot; understanding JTAG can help out with a wide range of embedded electronics.
  3. mstombs

    mstombs Very Senior Member

    Jul 18, 2012
    Small update on this. I have a RTN-66U with JTAG pins, and using simple parallel port cable and URJTAG on Ubuntu get this

    UrJTAG is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    There is absolutely no warranty for UrJTAG.
    warning: UrJTAG may damage your hardware!
    Type "quit" to exit, "help" for help.
    jtag> cable DLC5 ppdev /dev/parport0
    Initializing ppdev port /dev/parport0
    jtag> detect
    IR length: 32
    Chain length: 1
    Device Id: 00000000000011000011000101111111 (0x000C317F)
    Can also get the same ID from TJTAG3.01 or zjtag 1.8 (bleeding edge RC) by forcing an instructlen of 7 (not 27 as above with usb tool).

    The problem seems to be that Broadcom have implemented multi TAPs (Test Access Port Controller) in their embedded CPU. There's an LV mode which uses an IR of 32, but we need to discover how to bypass that and get to the mips 74K core TAP which uses an IR of 5.

    These modes (and another of 8 bit width) are defined in a commonly available header file hndjtagdefs.h, for example:-


    But I haven't seen any GPL sourcecode file that uses this, nor do I understand how to use!

    Tornado "GPL ignoring" version of OpenWRT wrt54g JTAG tool TJTAG 3.02 does know something about LV mode, so does commercial usbjtag usbbdm, but presumably anybody who has access to Broadcom material is under NDA - so can anybody guess what initialisation sequence is needed?

Share This Page