[TM-AC1900 (RT-AC68U)] - Bricked while flashing from Tomato to Merlin

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.
Status
Not open for further replies.

that1geek

Occasional Visitor
Greetings SNB community!

Setup: T-Mobile TM-AC1900 successfully flashed (CFE) to RT-AC68U long ago

Background: Was on latest Asus stock firmware for a while. Decided to try out Tomato. Wasn't happy with WiFi performance, so decided to try flashing to Merlin last night.

Flashing steps:
  1. Tried flashing latest stable Merlin firmware "RT-AC68U_378.56_2.trx" via Tomato interface, got "Bad TRX header" error
  2. Put router into recovery mode and tried flashing via Asus Restore utility, uploaded to 100% but then said "Unable to restore router" or something to that effect
  3. Connected to MiniCFE flashing page while in recovery and flashed "RT-AC68U_378.56_2.trx". Sat on page for a while, then took me to http://192.168.1.1/f2.html, but was a broken page
Symptoms:
  • Can't ping 192.168.1.1 while PC set to static IP 192.168.1.10/Mask 255.255.255.0/Gateway 192.168.1.1 and PC connected to LAN1-4 port(s)
  • Power light comes on, as does any LAN/WAN port which is connected. WiFi lights are off. LAN ports flicker periodically as though it sees activity
  • Recovery mode process makes power light flash extremely slowly - comes on for about 30 seconds, then goes off for about 30 seconds, then comes back on, and so on.
  • Windows displays "Unidentified network" while setup with static IP. "Packets sent" increments, but "Packets received" does not
  • Loaded Wireshark in Promiscuous mode; could not see any traffic except from my own machine on the network
Have tried:
  1. Can't ping or access router via web or telnet
  2. Recovery mode (with unusually slow flashing power LED) does not work. Can't ping router. TFTP times out, Asus recovery utility doesn't work (don't recall error), and can't get to MiniCFE web page
  3. Clearing NVRAM by holding WPS button during power up. I've read Power light is supposed to flash rapidly during that process but it stays solid
My thoughts:
  • I've read having a solid power light and LAN lights is a promising sign that I haven't totally fried it (I hope)
  • Prior to the flashing mess last night, I'd notice seeing the stock "Your ASUS Router IP has changed" page while Tomato was rebooting sometimes, makes me wonder if something didn't get cleared that should have been
  • I've also ready maybe I didn't wait long enough after the MiniCFE flash for the router to boot/reboot [Turned on router before leaving for work this morning; should have been on for around 12 hours by the time i get home tonight]
  • Sounds like I might need to pick up a USB to Serial TTL cable too see what's going on or (hopefully) fix it, but I don't know and can't seem to find instructions for how to open this router up
Any suggestions or instructions would be greatly appreciated! I have no objections to trying something again even if it would seem as though I've already tried it. Thank you.
 

that1geek

Occasional Visitor
Leaving the router on for 12 hours didn't help. And, just confirmed Wireshark's findings - the switch isn't switching traffic on this router.
I gave one PC an IP of 192.168.1.10/Mask 255.255.255.0 and another with 192.168.1.11/Mask 255.255.255.0. Confirming the Windows firewalls were off, I could not ping one PC from the other from either PC by IP through the switch in my router.


I ordered a USB TTL cable, which should arrive on Monday. But I haven't stumbled upon any clear guides to opening up the router to access the serial pins. Some good pictures around, like here: http://linustechtips.com/main/topic/159308-project-siren-custom-mod-asus-rt-ac68u-sponsored-by-asus/, once the case is opened, but I need some photos or guides for where to start (step 1) for getting the router open.

Actually... do you have to peel off the label in the middle of the back of the router?
 

that1geek

Occasional Visitor
Doing some more research, it looks like the steps I need to proceed with:
  1. Remove long ASUS sticker from back of router (enough to expose screws)
  2. Remove 2 screws
  3. Pry open case
  4. Connect GND to GND, VCC to VCC, TX to RX and RX to TX
  5. Open Putty set to: Baud: 115200 Data bits: 8 Stop Bits: 1 Parity: none No Flow control
  6. [Hopefully] Get to a cfe> prompt during boot (CTRL+C right at boot)
  7. Run "nvram erase" followed by "reboot"
  8. See if issue resolved, if so, flash stock firmware via normal tftp/recovery process
  9. If not, run "flash -noheader : flash1.trx" and immediately upload stock firmware via tftp followed by "go" command
Once again, any re-assurance or confirmation whether this is the correct process to follow from the well-experienced people on this forum would be greatly appreciated before I get the tools necessary to perform this process tomorrow and tackle it right after work.
 

that1geek

Occasional Visitor
Success!

I ordered this cable: JBtek® WINDOWS 8 Supported Debug Cable for Raspberry Pi USB Programming USB to TTL Serial Cable
And this toolkit: Professional Opening Pry Tool Repair Kit with Non-Abrasive Nylon Spudgers and Anti-Static Tweezers, 8 Piece Set

Got serial access and ran these commands
Code:
nvram erase
reboot
After the router came back up, I was back up and running on Tomato. Strange, because the WPS button, as I mentioned, did NOT work.

From there, I had to flash an old firmware version (less than 30MB) to get it to work. This was stock 3.0.0.4.376.3626. Then I flashed the latest stock firmware, 3.0.0.4.380.1031. Lastly, I flashed the latest Merlin build and cleared nvram one more time.

I've got some photos of the process I'm uploading so I can post. Just need to put it back together.
 

that1geek

Occasional Visitor
TM-AC1900/RT-AC68U Disassembly
Step 1:
Peel off ASUS sticker on back of router


Step 2:
Unscrew two screws on back (note the warranty seal sticker on the bottom screw)

 
Last edited:

that1geek

Occasional Visitor
Step 3:
Patiently pry open case (I used a combination of an old credit card [anybody get a mail in rebate lately?] and the plastic prying tools included in my toolkit)



Step 4:
Take inventory of broken tabs (I'm going to call it 2 and 2 fourths)

 
Last edited:

that1geek

Occasional Visitor
Step 7:
Unscrew 4 larger screws holding PCB to back side of case and gently lift PCB up, toward you, and out of the case (watch the antenna connectors at the top poking through the case)

Photo of serial header/connectors:

Step 9:
Connect wires of USB TTL Serial cable
Cable:
Red: Power
Black: Ground
White: RX (to USB)
Green: TX (from USB)
PCB:
Black to GND
White to TX
Green to RX
[The cable's TX goes to the router's RX, cable's RX goes to the router's TX]
Red - unconnected (thanks @buddyp)

 
Last edited:

that1geek

Occasional Visitor
Output from nvram erase and show devices commands:
Code:
CFE> nvram erase
*** command status = 0
CFE> show devices
Device Name          Description
-------------------  ---------------------------------------------------------
uart0                NS16550 UART at 0x18000300
uart1                NS16550 UART at 0x18000400
nflash0              AMD NAND flash size 131072KB
nflash0.boot         AMD NAND flash offset 0 size 512KB
nflash0.nvram        AMD NAND flash offset 80000 size 1536KB
nflash0.trx          AMD NAND flash offset 200000 size 1KB
nflash0.os           AMD NAND flash offset 20001C size 129024KB
nflash1.boot         AMD NAND flash offset 0 size 512KB
nflash1.nvram        AMD NAND flash offset 80000 size 1536KB
nflash1.trx          AMD NAND flash offset 200000 size 30720KB
nflash1.brcmnand     AMD NAND flash offset 2000000 size 98304KB
eth0                 Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller
*** command status = 0
This suggested that the command to flash via tftp from the cfe console would have been:
Code:
flash -noheader : nflash1.trx
Also, that since the size of the nflash1.trx partition is only 30.72MB, that would explain why I had to go back to flashing a firmware of less than 30MB in order to flash successfully. It would seem this other larger partition - nflash1.brcmnand - is separate. From the later OS boot log:
Code:
/ # Unlocking 0x0 - 0x1ffff
Unlocking 0x20000 - 0x3ffff
Unlocking 0x40000 - 0x5ffff
Unlocking 0x60000 - 0x7ffff
Unlocking 0x80000 - 0x9ffff
[TRUNCATED FOR LENGTH]
Unlocking 0x3e40000 - 0x3e5ffff
Unlocking 0x3e60000 - 0x3e7ffff
Unlocking 0x3e80000 - 0x3e9ffff
Unlocking 0x3ea0000 - 0x3ebffff
1: set_action 0
"brcmnand" successfully unlocked.

Lastly, the full output of just typing "flash" in the CFE console displayed the help output:
Code:
CFE> flash

  flash [options] filename [flashdevice]

  Copies data from a source file name or device to a flash memory device.
  The source device can be a disk file (FAT filesystem), a remote file
  (TFTP) or a flash device.  The destination device may be a flash or eeprom.
  If the destination device is your boot flash (usually flash0), the flash
  command will restart the firmware after the flash update is complete

  -noerase  Don't erase flash before writing
  -norescue  Don't check anything
  -offset=*  Begin programming at this offset in the flash device
  -size=*  Size of source device when programming from flash to flash
  -noheader  Override header verification, flash binary without checking
  -ndump  dump nand flash
  -block=*  which block to dump
  -forceflash  Dangerous Command, Don't use if you don't know what you do
  -erase  Erase the partition, can set the  offset and length
  -cfe  write to flash and stay at cfe command mode
  -mem  Use memory as source instead of a device

*** command status = -2
Anyway, I hope this information is interesting or helpful. I'd have liked to have seen a thread containing this information (particularly the pictures) prior to delving into this myself, but it was fun nonetheless. Enjoying my first glimpse of Merlin's firmware now.
 

mckeven

New Around Here
This is absolutly brilliant!!! My router was in the same exact boat as yours, so I had to create an SNB account just to thank you for your amazing write-up, pictures, and ultimately reviving my router!

For those on Windows 10 64-bit, I was unable to get PuTTY to cooperate (the open button never opened a terminal window), but Tera Term did the trick.

Once I ran the erase nvram command, I was able to ping the router. I got into the recovery mode for the router and used the Asus Firmware Restoration program to successfully flash Merlin (my CFE was on 1.0.2.0 previously). For some reason, I couldn't issue the normal TFTP command to flash any firmware at the cfe> prompt; kept getting I/O errors.

Thanks again!!!
 

that1geek

Occasional Visitor
I appreciate your feedback @mckeven. I used Windows 7 Pro SP1 32-bit, so good tip regarding TeraTerm in Win10 x64. Also, I just noticed I had step 4 (broken tabs) listed twice. I've edited out the duplicate.
 

Wam7

Occasional Visitor
Many thanks for the detailed write up.

So which is the "correct" way to go from Shibby Tomato to Merlin? I'm just about to do it myself as also not happy with Tomato wifi performance. I tried the upgrade within Tomato and got the "Bad TRX Header..." message although the router is still working fine, I'd like to avoid having to go through the steps above.

I'm presuming.

1. Flash latest stock firmware.

2. Flash latest Merlin.
 
Last edited:

KevTech

Very Senior Member
For those on Windows 10 64-bit, I was unable to get PuTTY to cooperate (the open button never opened a terminal window), but Tera Term did the trick.

Have no issues with Putty on win 10 64 but I run on built in admin account.
 

Pierino

Very Senior Member
You should be able to use the asus firmware restoration tool.
Unplug the router, hold the reset button in while applying power.
Keep holding the reset till the power led flashes. Then use the restoration tool to upload rmerlin or stock fw.
 
Last edited:

Wam7

Occasional Visitor
That worked thanks. (though I see you correctly changed it to reset button instead of wps. ;))
 

qwertytheasdf

New Around Here
Going to revive this thread and ask for advice. I don't think my router is at that stage of disassembly yet, but I could be wrong. A few questions: Were you able to access the Tomato GUI? The symptoms Im having are that I can't access the internet at all. The router does broadcast the 2.4 ghz and 5 ghz signals. I am hoping its just a simple setting that went wrong. I'm on version 3.3-138 AIO. I did flash from an old Merlin version by using the upgrade firmware page. However, I can't flash back or get internet to work at all. I also can't get it into recovery mode. Tried holding down the reset button and powering it on, didnt work. The power light did turn off after a while though. The LED never lights up. Also tried holding down all 3 buttons: WPS, Reset and Wifi On/Off. I do get a rapid blinking power light but still am not able to boot into recovery mode.
 

Sablaky

New Around Here
I did install AdvancedTomato on Merlin last week. I was able to flash the AdvancedTomato on Merlin. I had to try several times to get the router in the rescue mode, it was almost impossible. After the flash the Tomato Admin Page did load. The router did not update DHCP so wifi was not enabled.

I created new admin password, renamed 2.5ghz and 5.0ghz wifi I rebooted the router. After the reboot the router is not functional anymore. I could not access the admin page or put the router in recovery mode after several attempts (I followed instructions from several sites). I think the NVRAM on router got corrupt. On the router the LED light turns on. The power light flashes very slowly ever 25/30 sec. on recovery mode, but cannot install any firmware using the ASUS firmware restoration tool or CFC. Since I rebooted the router the telnet is disabled (I did not enabled it either). I think I need to try the serial recovery. I need to buy the cable and find sometime. I ran out of any possible options.
 
Last edited:

that1geek

Occasional Visitor
@qwertytheasdf I was not able to access to GUI or ping the router on any of the possible IPs. If you can still ping the router and don't have the "painfully slow blinking power LED", you might be able to recover without cracking it open.

@Sablaky If you can't ping the router, the symptoms you describe match my situation. Clearing the NVRAM is what's needed, but the only way I was able to do it is via the serial method.
 
Status
Not open for further replies.

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top