Help. ASUS RT-AC68U bricked

Installing and Using OpenWrt
1

Good.
If any charitable soul could help me, I would greatly appreciate it.

After working perfectly with Merlin I came up with the idea of ​​installing LEDE and it did not start anymore. After a lot of searching I can not find anything to recover the router.

It stays with the power LED on and the WAN flashes if an ethernet port is connected but it does not work in any direction that I have tried (192.168.1.1 192.168.0.1).

I can not access the cfe miniweb server or leaving the reset reset nor the WPS.
Any ideas?
regards

2

Use the windows asus recovery tool. It always works for me.

3

I can not enter recovery mode. Power LED always on.

4

Open it up and hook up serial

5

For that I would need a USB - TTL interface and I have seen that there are several with different integrated. Are they all worth it or would I have to buy a certain one?

6

Would there be any manual on the procedure?

7

Hi. I have managed to connect through the serial port and get the CFE, but the ctri-c does not work to put the commands. Any ideas?

done
Found a Winbond NAND flash:
Total size:  128MB
Block size:  128KB
Page Size:   2048B
OOB Size:    64B
Sector size: 512B
Spare size:  16B
ECC level:   8 (8-bit)
Device ID: 0xef 0xf1 0x00 0x95 0x00 0x00


CFE version 6.37.14.93 (r469350) based on BBP 1.0.37 for BCM947XX (32bit,SP,)
Build Date: Sun Sep 18 09:25:08 CST 2016 (root@localhost.BSPLJF)
Copyright (C) 2000-2008 Broadcom Corporation.

Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
DDR Clock: 400 MHz
Warning: invalid DDR setting of 0 MHz ignored. DDR frequency will be set to 400                                                                              MHz.
CPU type 0x0: 800MHz
Tot mem: 262144 KBytes

CFE mem:    0x00F00000 - 0x017D888C (9275532)
Data:       0x00F5FC18 - 0x00F612C4 (5804)
BSS:        0x00F612D0 - 0x00FD688C (480700)
Heap:       0x00FD688C - 0x017D688C (8388608)
Stack:      0x017D688C - 0x017D888C (8192)
Text:       0x00F00000 - 0x00F53D54 (343380)
Boot:       0x017D9000 - 0x01819000
Reloc:      I:00000000 - D:00000000

upgrade wait time is 3s
**upgrade_wait over!
Loader:raw Filesys:tftp Dev:(null) File:: Options:(null)
Loading: Failed.
Could not load :: Error
Loader:raw Filesys:raw Dev:nflash0.os File: Options:(null)
Loading: .. 1433424 bytes read
Entry at 0x00008000
Starting program at 0x00008000
Uncompressing Linux... done, booting the kernel.
[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] Linux version 4.4.92 (buildbot@builds-02.infra.lede-project.org)                                                                              (gcc version 5.4.0 (LEDE GCC 5.4.0 r3103-1b51a49) ) #0 SMP Tue Oct 17 17:46:20 2                                                                             017
[    0.000000] CPU: ARMv7 Processor [413fc090] revision 0 (ARMv7), cr=10c5387d
[    0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instructio                                                                             n cache
[    0.000000] Machine model: Asus RT-AC68U (BCM4708)
[    0.000000] Memory policy: Data cache writealloc
[    0.000000] PERCPU: Embedded 11 pages/cpu @c6dcd000 s12928 r8192 d23936 u4505                                                                             6
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pag                                                                             es: 65280
[    0.000000] Kernel command line: console=ttyS0,115200
[    0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Memory: 255312K/262144K available (3334K kernel code, 113K rwdata                                                                             , 484K rodata, 228K init, 285K bss, 6832K reserved, 0K cma-reserved, 131072K hig                                                                             hmem)
[    0.000000] Virtual kernel memory layout:
[    0.000000]     vector  : 0xffff0000 - 0xffff1000   (   4 kB)
[    0.000000]     fixmap  : 0xffc00000 - 0xfff00000   (3072 kB)
[    0.000000]     vmalloc : 0xc8800000 - 0xff800000   ( 880 MB)
[    0.000000]     lowmem  : 0xc0000000 - 0xc8000000   ( 128 MB)
[    0.000000]     pkmap   : 0xbfe00000 - 0xc0000000   (   2 MB)
[    0.000000]     modules : 0xbf000000 - 0xbfe00000   (  14 MB)
[    0.000000]       .text : 0xc0008000 - 0xc03c2e44   (3820 kB)
[    0.000000]       .init : 0xc03c3000 - 0xc03fc000   ( 228 kB)
[    0.000000]       .data : 0xc03fc000 - 0xc04185c8   ( 114 kB)
[    0.000000]        .bss : 0xc04185c8 - 0xc045fdb8   ( 286 kB)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
[    0.000000] Hierarchical RCU implementation.
[    0.000000] NR_IRQS:16 nr_irqs:16 16
[    0.000000] L2C: DT/platform modifies aux control register: 0x0a130000 -> 0x0                                                                             a530000
[    0.000000] L2C-310 enabling early BRESP for Cortex-A9
[    0.000000] L2C-310 full line of zeros enabled for Cortex-A9
[    0.000000] L2C-310 ID prefetch enabled, offset 1 lines
[    0.000000] L2C-310 dynamic clock gating enabled, standby mode enabled
[    0.000000] L2C-310 cache controller enabled, 16 ways, 256 kB
[    0.000000] L2C-310: CACHE_ID 0x410000c8, AUX_CTRL 0x7e530001
[    0.000016] sched_clock: 64 bits at 400MHz, resolution 2ns, wraps every 43980                                                                             46511103ns
[    0.000042] clocksource: arm_global_timer: mask: 0xffffffffffffffff max_cycle                                                                             s: 0x5c4093a7d1, max_idle_ns: 440795210635 ns
[    0.000300] Calibrating delay loop... 1594.16 BogoMIPS (lpj=7970816)
[    0.090151] pid_max: default: 32768 minimum: 301
[    0.090251] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.090264] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.090871] CPU: Testing write buffer coherency: ok
[    0.091220] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
[    0.091301] Setting up static identity map for 0x82a0 - 0x82d4
[    0.130149] CPU1: thread -1, cpu 1, socket 0, mpidr 80000001
[    0.130247] Brought up 2 CPUs
[    0.130271] SMP: Total of 2 processors activated (3188.32 BogoMIPS).
[    0.130281] CPU: WARNING: CPU(s) started in wrong/inconsistent modes (primary                                                                              CPU mode 0x13)
[    0.130288] CPU: This may indicate a broken bootloader or firmware.
[    0.132935] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, ma                                                                             x_idle_ns: 19112604462750000 ns
[    0.132965] futex hash table entries: 512 (order: 3, 32768 bytes)
[    0.133157] pinctrl core: initialized pinctrl subsystem
[    0.133961] NET: Registered protocol family 16
[    0.134759] DMA: preallocated 256 KiB pool for atomic coherent allocations
[    0.162647] clocksource: Switched to clocksource arm_global_timer
[    0.163938] NET: Registered protocol family 2
[    0.164672] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    0.164701] TCP bind hash table entries: 1024 (order: 1, 8192 bytes)
[    0.164727] TCP: Hash tables configured (established 1024 bind 1024)
[    0.164810] UDP hash table entries: 256 (order: 1, 8192 bytes)
[    0.164851] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[    0.165055] NET: Registered protocol family 1
[    0.166874] Crashlog allocated RAM at address 0x3f00000
[    0.173968] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.173999] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORIT                                                                             Y) (c) 2001-2006 Red Hat, Inc.
[    0.176148] bounce: pool size: 64 pages
[    0.176167] io scheduler noop registered
[    0.176176] io scheduler deadline registered (default)
[    0.176710] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled
[    0.179277] console [ttyS0] disabled
[    0.179366] 18000300.serial: ttyS0 at MMIO 0x18000300 (irq = 18, base_baud =                                                                              6250000) is a 16550
[    0.614101] console [ttyS0] enabled
[    0.619308] nand: Could not find valid ONFI parameter page; aborting
[    0.625730] nand: device found, Manufacturer ID: 0xef, Chip ID: 0xf1
[    0.632073] nand: Unknown NAND 128MiB 3,3V 8-bit
[    0.636671] nand: 128 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB siz                                                                             e: 64
[    0.644244] iproc_nand 18028000.nand: detected 128MiB total, 128KiB blocks, 2                                                                             KiB pages, 16B OOB, 8-bit, BCH-8
[    0.654159] Scanning device for bad blocks
[    1.068597] mtd_read error while parsing (offset: 0x20000): -74
[    1.074968] mtd_read error while parsing (offset: 0x40000): -74
[    1.081329] mtd_read error while parsing (offset: 0x60000): -74
.......
[    6.089281] 5 bcm47xxpart partitions found on MTD device brcmnand.0
[    6.095536] Creating 5 MTD partitions on "brcmnand.0":
[    6.100665] 0x000000000000-0x000000080000 : "boot"
[    6.106588] 0x000000080000-0x000000200000 : "nvram"
[    6.112454] 0x000000200000-0x000008000000 : "firmware"
[    6.119189] 0x00000020001c-0x000000600000 : "linux"
[    6.125115] 0x000000600000-0x000008000000 : "ubi"
[    6.132517] libphy: Fixed MDIO Bus: probed
[    6.136695] bgmac_bcma: Broadcom 47xx GBit MAC driver loaded
[    6.142905] bcma: bus0: Found chip with id 53010, rev 0x00 and package 0x02
[    6.149931] bcma: bus0: Core 0 found: ChipCommon (manuf 0x4BF, id 0x800, rev 0x2A, class 0x0)
[    6.158625] bcma: bus0: Core 1 found: Chipcommon B (manuf 0x4BF, id 0x50B, rev 0x01, class 0x0)
[    6.167476] bcma: bus0: Core 2 found: DMA (manuf 0x4BF, id 0x502, rev 0x01, class 0x0)
[    6.175540] bcma: bus0: Core 3 found: GBit MAC (manuf 0x4BF, id 0x82D, rev 0x05, class 0x0)
[    6.184027] bcma: bus0: Core 4 found: GBit MAC (manuf 0x4BF, id 0x82D, rev 0x05, class 0x0)
[    6.192502] bcma: bus0: Core 5 found: GBit MAC (manuf 0x4BF, id 0x82D, rev 0x05, class 0x0)
[    6.201004] bcma: bus0: Core 6 found: GBit MAC (manuf 0x4BF, id 0x82D, rev 0x05, class 0x0)
[    6.209392] bcma: bus0: Core 7 found: PCIe Gen 2 (manuf 0x4BF, id 0x501, rev 0x01, class 0x0)
[    6.218001] bcma: bus0: Core 8 found: PCIe Gen 2 (manuf 0x4BF, id 0x501, rev 0x01, class 0x0)
[    6.226630] bcma: bus0: Core 9 found: PCIe Gen 2 (manuf 0x4BF, id 0x501, rev 0x01, class 0x0)
[    6.235290] bcma: bus0: Core 10 found: ARM Cortex A9 core (ihost) (manuf 0x4BF, id 0x510, rev 0x01, class 0x0)
[    6.245372] bcma: bus0: Core 11 found: USB 2.0 (manuf 0x4BF, id 0x504, rev 0x01, class 0x0)
[    6.253822] bcma: bus0: Core 12 found: USB 3.0 (manuf 0x4BF, id 0x505, rev 0x01, class 0x0)
[    6.262308] bcma: bus0: Core 13 found: SDIO3 (manuf 0x4BF, id 0x503, rev 0x01, class 0x0)
[    6.270613] bcma: bus0: Core 14 found: ARM Cortex A9 JTAG (manuf 0x4BF, id 0x506, rev 0x01, class 0x0)
[    6.280037] bcma: bus0: Core 15 found: Denali DDR2/DDR3 memory controller (manuf 0x4BF, id 0x507, rev 0x01, class 0x0)
[    6.290850] bcma: bus0: Core 16 found: ROM (manuf 0x4BF, id 0x508, rev 0x01, class 0x0)
[    6.298967] bcma: bus0: Core 17 found: NAND flash controller (manuf 0x4BF, id 0x509, rev 0x01, class 0x0)
[    6.308657] bcma: bus0: Core 18 found: SPI flash controller (manuf 0x4BF, id 0x50A, rev 0x01, class 0x0)
[    6.318125] bcma: bus0: Flash type not supported
[    6.326467] bgmac_bcma bcma0:3: Found PHY addr: 0
[    6.331253] bgmac_bcma bcma0:3: Invalid MAC addr: 00:00:00:00:00:00
[    6.337524] bgmac_bcma bcma0:3: Using random MAC: be:c3:71:bd:6c:40
8

Why not use TFTP?

9

it seems to boot right (see little wrong with the start at least). isn't it just reachable over ssh on port 22 at 192.168.1.1?

10

No se como hacerlo. El router ni me da IP ni me pide ninguna, con lo cual no se a que dirección mandarle el fichero del firmware. He probado con 192.168.1.1 y con 192.168.0.1 pero no consigo nada. No contesta al servidor TFTP.
Por JTAG tan solo me da 3 segundos al arrancar para un firmware upgrade pero por mas que le doy al control-C ni se inmuta.
Por SSH tampoco responde ni en 192.168.1.1 ni en 192.168.0.1.

11

Please use English.

I do not know how to do it. The router neither gives me IP nor asks me for any, so I do not know which address to send the firmware file to. I have tried 192.168.1.1 and 192.168.0.1 but I get nothing. It does not answer the TFTP server.
By JTAG only gives me 3 seconds to boot for a firmware upgrade but for more that I give control-C or is unchanged.
For SSH, neither responds in 192.168.1.1 nor in 192.168.0.1.

12 
[    1.068597] mtd_read error while parsing (offset: 0x20000): -74
[    1.074968] mtd_read error while parsing (offset: 0x40000): -74
[    1.081329] mtd_read error while parsing (offset: 0x60000): -74

STEP #1: Flash Stock Firmware

Unplug any USB drive First!

  1. Perform a Factory reset on the router with the WPS method:
    Turn off the router, press the WPS button without releasing it, then turn on the router, Wait about 20 seconds, then release the WPS button.
  2. Download and Install Firmware Restoration and Device Discovery:
    Firmware Restoration v2.1.0.2 (2018/07/23)
    Device Discovery v1.4.8.2 (2018/07/23)
  3. Download and Unzip on the desktop the Official Firmware:
    v3.0.0.4.384.21140 or Newer for RT-AC68U
    04. Add a Static IP in the Computer:
    IP address: 192.168.1.5
    Subnet mask: 255.255.255.0
  4. Turn off the router.
  5. Connect the Router to the Computer via Ethernet Cable.
  6. [OPTIONAL] Open command prompt (CMD) and write "ping -t 192.168.1.1" and press Enter.
  7. Use Rescue mode in the Router:
    Press the Reset button without releasing it and Turn on the router about 10 seconds, then release the Reset button. (If the power is flashing-slow, the router is on rescue mode)
  8. Open the program Firmware Restoration, click on Browse and found the Official Firmware.
  9. After click on Upload.
  10. Wait 5 minutes to assure flash integrity.
  11. After in the Browser write "192.168.1.1".
  12. If you can not log in to Web GUI, then reset NVRAM with WPS method:
    Turn off the router, press the WPS button without releasing it, then turn on the router, Wait about 20 seconds, then release the WPS button.
  13. Remove the Static IP in the Computer.
  14. Perform Factory default Initialize:
    Administration -> Restore/Save/Upload Setting -> Click in Initialize
  15. After the factory reset, log in to the Web GUI, press Ctrl+F5 to reload the cache.

( courtesy Mr HowIFix snbforum )

Looks like these things are fussy / have some serious timing quirks with self erase / integrity checking..... i'm guessing that's why you got here in the first place. So MAKE SURE you try to wait when your supposed to, check for signs when your supposed to! :wink:

13

Hi,
I'm not sure if I should revive this thread or start a new one.
I've got a bricked ASUS ac68u /tm-ac1900 that was previously running Merlin.
I was doing an upgrade to try and enable aimesh and somehow managed to brick the router.
I get a solid USB 2.0 lite and very dim power led.
I need some assistance from a kind soul with using JTAG to access the board clear the nvram and reflash the CFE.

Things that I've tried.(and failed)

  • Rescue mode - reset held for while applying power and hold until slow power light flashes
    I've done this before to get Merlin installed and clear the TM code.. this time.. no power light at all
    -WPS method to clear NVRAM - same.. no response. I've tried various methods in combination with
    Rescue mode, and no results. I've done this with wireshark running attached to LAN1 and I'm not
    anything from the router.
  • Serial port - using arduino and level shifter to 3.3 volts. No activity or response on serial port

So. I've configured a Raspberry Pi as a JTAG interface and connected to the JTAG connector pins at J4. and have installed openocd on the Raspberry 4B and added the libraries I've found for Jim-tcl and firmware recovery.
I'm able to access the router on the JTAG port, but need help from here because it there doesn't seem to be any support past the asus n16 which doesn't use the BCM4708 cpu.

about as far as I've got..

Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> scan_chain
   TapName             Enabled  IdCode     Expected   IrLen IrCap IrMask
-- ------------------- -------- ---------- ---------- ----- ----- ------
 0 auto0.tap              Y     0x502bf17f 0x00000000    60 0x01  0x03

any help or ideas appreciated!

14

Is this OpenWrt related?

15

Yes, because I need to get the router unbricked to load software on it. The CFE best I can tell is hosed. I'd rather load something open sourced rather than the closed code that is underneath Merlin and the SNB forum that supports them have basically deleted any useful information for jtag recovery.

16

:confused:

Huh?

If I understand, you don't have OpenWrt installed...and you think you bricked it upgrading another firmware...it's related...how???

OK, common advice in the forums is this:

  • Start with OEM firmware

From your device page, there seems to be TFTP (if that wasn't wiped somehow too).

In any case, I would think the other firmware's support would better know how the device may have been bricked.

17

Can't get the TFTP to go.. believe me, I've researched and tried that one, configuring a 3.3v serial interface before going the JTAG route. Would be so much easier, and if the CFE is there, it is easy to invoke TFTP. All indications are the CFE is what got corrupted.

The purpose in being here is that the Merlin/ASUS code is all proprietary based and the support boards (mainly homed at SNBforums) have completely shut down low level stuff on this model because of people reflashing the T-mobile branded version of the product.
It would seem quite useful to the community to have JTAG recovery on this one documented, as it doesn't seem to exist anywhere at the moment.

Anyway, I hope there may be more JTAG low-level help here because of the focus on alternative code.
I'll look through the link you've provided. Perhaps someone will spot the JTAG reference with the model and have some ideas.
Thaks,
M

1 Like