Problems using JTAG to install OpenWrt on Meraki Z1

Hello,
I have recently come across a Meraki Z1 AP and I wanted to install OpenWRT onto it. Because it is running what I assume is the latest firmware, the UART exploits are patched out, so I have resorted to using JTAG (and OpenOCD) to try to install the new OS on it. I have been using the MR18 tutorial on the wiki as a base for my attempts and modifying it slightly to fit my needs. Sadly, however, I am still having problems with it. I will explain what I have done below; if you see anything I am doing wrong, I would love to hear about it:

To start, I began by following the steps on the Wiki for the MR18. I dug out my Raspberry Pi 0W and attached the correct pins to some wire I soldered onto the JTAG and UART ports of the Z1. I then copied raspberrypi-native.cfg to my home directory. The only change I made to this file was uncommenting the bcm2835gpio_trst_num 7 line in it, as the wiki says that "the raspberrypi-native.cfg is written for the Raspberry Pi models 1 and zero." Next, I made a new file called z1.cfg that is a copy of the mr18.cfg on the wiki. With all of that done, I opened the UART port to monitor the boot procedure and began trying to halt the chip with the sudo openocd -f raspberrypi-native.cfg -f z1.cfg -c "init; halt" command.

The behavior of the machine was interesting when I tried this. Whenever I execute the command, the entire thing locks up. The link lights on the back blink once and the rainbow LED stops on whatever color it was on when I executed the command. The UART text stream also stops and occasionally outputs a string of random characters. At first I thought that this was good, but OpenOCD always gives me this output:

pi@raspberrypi:~ $ sudo openocd -f raspberrypi-native.cfg -f z1.cfg -c "init; halt"
Open On-Chip Debugger 0.10.0+dev-00114-g41bcbc67d-dirty (2021-01-18-16:43)
Licensed under GNU GPL v2
For bug reports, read
        http://openocd.org/doc/doxygen/bugs.html
DEPRECATED! use 'adapter driver' not 'interface'
BCM2835 GPIO config: trst = 7

Info : auto-selecting first available session transport "jtag". To override use 'transport select <transport>'.
Warn : Transport "jtag" was already selected
adapter speed: 1000 kHz

Info : BCM2835 GPIO JTAG/SWD bitbang driver
Info : clock speed 1006 kHz
Info : TAP ar9344.cpu does not have valid IDCODE (idcode=0xfffffffe)
Info : starting gdb server for ar9344.cpu on 3333
Info : Listening on port 3333 for gdb connections
Error: Failed to enter Debug Mode!
Info : Halt timed out, wake up GDB.
Error: timed out while waiting for target halted

pi@raspberrypi:~ $

With this UART output:

find_hif: bootstrap = 0xaf055b
WASP BootROM Ver. 1.1
Nand Flash init
Table[5]: Control setting = 0xb44
hdr: [0xbd001000 : 0xbd001000 : 0x6104 : 0xb8a746df]
nand_load_fw: read 12 pages
nand_load_fw: 0x10000 0x800 0xbd0017f0
nand_load_fw: 0x20000 0x800 0xbd001ff0
nand_load_fw: 0x30000 0x800 0xbd0027f0
nand_load_fw: 0x40000 0x800 0xbd002ff0
nand_load_fw: 0x50000 0x800 0xbd0037f0
nand_load_fw: 0x60000 0x800 0xbd003ff0
nand_load_fw: 0x70000 0x800 0xbd0047f0
nand_load_fw: 0x80000 0x800 0xbd004ff0
nand_load_fw: 0x90000 0x800 0xbd0057f0
nand_load_fw: 0xa0000 0x800 0xbd005ff0
nand_load_fw: 0xb0000 0x800 0xbd0067f0
nand_load_fw: 0xc0000 0x800 0xbd006ff0
f/w 0 read complete, jumping to 0xbd001000

Meraki Atheros LinuxLoader built Jul 23 2012 15:31:10
init_ddr ok
test_memory ok
D-cache size: 64K
I-cache size: 32K
init_dram_uncached ok
init_icache ok
init_dcache ok
enable_caches ok
test_memory ok
init_usb_phy ok
init_pcie_plls ok
nand_flash_init ok
loading fw at 64
hdr: [0x4d495053 : 0x80060000 : 0x5de8c0 : 0x8034e6c0, : 0x3fbedfba]
................▒.B.

I have tried this probably 50 odd times and every time the same thing happens.

I have also tried troubleshooting in a few different ways:

  1. Since the 0W's default clock is 1 GHz instead of 700 MHz, I manually downclocked it.
  2. I tried to execute the OpenOCD command as early as possible in the boot cycle. Even though in the example above it got to the Meraki Atheros LinuxLoader stage, I have been able to catch it before that begins.
  3. I made sure that all of my solder joints and wire connections were good by using a continuity tester.

Here are some things I think I could be doing wrong:

  1. I am using SSH to get into the Pi, so maybe the lag time of the network is too high and I end up coming in too late (I don't think that this is likely because of where the boot log stops.)
  2. I am somehow connecting to the wrong ports on the JTAG, and that is causing the whole thing to fail (I also don't think that this is likely.)
  3. My configurations are all screwed up because I just copied the ones for the MR18 and the two machines function completely differently (this seems the most likely.)
  4. My solder job is still the issue despite my tests with the continuity meter (probably not likely.)

Below are some photos of my setup, a copy of my specific raspberrypi-native.cfg, and my z1.cfg.



Pardon my drunken soldering on the JTAG header; I ran out of headers and just resorted to using pins that I had lying around. Like I said, I checked them with a continuity tester.

raspberrypi-native.cfg:

#
# Config for using Raspberry Pi's expansion header
#
# This is best used with a fast enough buffer but also
# is suitable for direct connection if the target voltage
# matches RPi's 3.3V and the cable is short enough.
#
# Do not forget the GND connection, pin 6 of the expansion header.
#

# interface bcm2835gpio

adapter driver bcm2835gpio

bcm2835gpio_peripheral_base 0x20000000

# Transition delay calculation: SPEED_COEFF/khz - SPEED_OFFSET
# These depend on system clock, calibrated for stock 700MHz
# bcm2835gpio_speed SPEED_COEFF SPEED_OFFSET
bcm2835gpio_speed_coeffs 113714 28

# Each of the JTAG lines need a gpio number set: tck tms tdi tdo
# Header pin numbers: 23 22 19 21
bcm2835gpio_jtag_nums 11 25 10 9

# Each of the SWD lines need a gpio number set: swclk swdio
# Header pin numbers: 23 22
bcm2835gpio_swd_nums 11 25

# If you define trst or srst, use appropriate reset_config
# Header pin numbers: TRST - 26, SRST - 18

bcm2835gpio_trst_num 7
# reset_config trst_only

# bcm2835gpio_srst_num 24
# reset_config srst_only srst_push_pull

# or if you have both connected,
# reset_config trst_and_srst srst_push_pull

z1.cfg:

# Select the transport and adapter clock before the TAP is declared, so
# OpenOCD does not auto-select jtag first and then warn that it was
# already selected.
transport select jtag
adapter speed 1000

if { [info exists CHIPNAME] } {
        set _CHIPNAME $CHIPNAME
} else {
        set _CHIPNAME ar9344
}

if { [info exists CPUTAPID] } {
        set _CPUTAPID $CPUTAPID
} else {
        set _CPUTAPID 0x00000001
}

# AR9344 EJTAG TAP, 5-bit instruction register
jtag newtap $_CHIPNAME cpu -irlen 5 -expected-id $_CPUTAPID

set _TARGETNAME $_CHIPNAME.cpu
target create $_TARGETNAME mips_m4k -endian big -chain-position $_TARGETNAME

# Scratch area in DDR for OpenOCD's memory/flash helpers
$_TARGETNAME configure -work-area-phys 0x81000000 -work-area-size 0x4000

Edit: I know that there is another thread about this but that one is old and stagnating and nobody would ever see it unless they were searching for it.

2 Likes

I have the same problem: the board just freezes. I'm still looking for solutions; maybe the problem is in the script!? I used a Raspberry Pi 4 for flashing, and two Meraki MR18s were flashed through it perfectly.

2 Likes

Regards. Could you help or guide me in flashing some MR18s?

Thank you

Assuming that you are running a new firmware, you need to use JTAG; this guide worked for me perfectly with a Pi 3.

Hope this helps,

sckzor

edit:
Be absolutely sure to get the timing right; I needed to enlist the help of another person to do it.
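The timing point above, and the first post's own suspicion that issuing the halt by hand over SSH comes in too late, can be taken out of human hands: the Pi driving the JTAG pins is also reading the UART, so it can fire the halt the instant the BootROM banner appears. The script below is an added example for this thread, not code from the original posts or the OpenWrt wiki. It assumes, none of which is stated in the thread, that the Z1 console is on /dev/serial0 at 115200 8N1, that raspberrypi-native.cfg and z1.cfg are in the working directory, and that the banner strings from the posted boot log are usable trigger points; it uses only the Python standard library (termios rather than pyserial).

```python
#!/usr/bin/env python3
"""UART-gated OpenOCD halt for the Meraki Z1 (AR9344) on a Raspberry Pi.

Added example for this thread, not code from the original posts or the
OpenWrt wiki. Assumptions (not stated in the thread): console on /dev/serial0
at 115200 8N1, openocd configs in the current directory, trigger strings
taken from the boot log posted above.
"""
import os
import subprocess
import sys
import termios
from typing import Iterable, Iterator, Tuple

# Strings from the posted UART log, in the order they appear. Anything the
# BootROM prints is "early" (the LinuxLoader has not started yet); the
# LinuxLoader banner means the window for this attempt has already closed.
EARLY_MARKERS = ("find_hif:", "WASP BootROM", "Nand Flash init")
LATE_MARKERS = ("Meraki Atheros LinuxLoader",)

# The same command the first post runs by hand (configs assumed to be in $PWD).
OPENOCD_CMD = ["sudo", "openocd", "-f", "raspberrypi-native.cfg",
               "-f", "z1.cfg", "-c", "init; halt"]


def classify_line(line: str) -> str:
    """'early' = safe trigger point, 'late' = loader already running, 'other'."""
    if any(m in line for m in LATE_MARKERS):
        return "late"
    if any(m in line for m in EARLY_MARKERS):
        return "early"
    return "other"


def wait_for_trigger(lines: Iterable[str]) -> Tuple[str, str]:
    """Consume UART lines until the first early or late marker.

    Returns (status, line) with status in {"early", "late", "eof"}; on
    "early" the caller should launch openocd immediately.
    """
    for line in lines:
        status = classify_line(line)
        if status != "other":
            return status, line.rstrip("\r\n")
    return "eof", ""


def open_uart(path: str, baud: int = termios.B115200):
    """Open a tty read-only in raw 8N1 mode using only the standard library."""
    fd = os.open(path, os.O_RDONLY | os.O_NOCTTY)
    attrs = termios.tcgetattr(fd)
    attrs[0] = 0                                             # iflag: no input mangling
    attrs[1] = 0                                             # oflag: no output processing
    attrs[2] = termios.CS8 | termios.CREAD | termios.CLOCAL  # cflag: 8N1, ignore modem lines
    attrs[3] = 0                                             # lflag: raw, no echo/canonical
    attrs[4] = baud                                          # ispeed
    attrs[5] = baud                                          # ospeed
    attrs[6][termios.VMIN] = 1                               # block until one byte arrives
    attrs[6][termios.VTIME] = 0
    termios.tcsetattr(fd, termios.TCSANOW, attrs)
    return os.fdopen(fd, "rb", buffering=0)


def uart_lines(stream) -> Iterator[str]:
    """Yield decoded lines. The posted log shows garbage bytes on the console
    after the halt attempt, so decode leniently instead of raising on them."""
    while True:
        raw = stream.readline()
        if not raw:
            return
        yield raw.decode("ascii", errors="replace")


def main(argv) -> int:
    uart = argv[1] if len(argv) > 1 else "/dev/serial0"   # assumed default
    print(f"watching {uart}; power-cycle the Z1 now", file=sys.stderr)
    with open_uart(uart) as stream:
        status, line = wait_for_trigger(uart_lines(stream))
    if status != "early":
        print(f"missed the window ({status}: {line!r}); power-cycle and rerun",
              file=sys.stderr)
        return 1
    print(f"trigger on {line!r}; launching openocd", file=sys.stderr)
    return subprocess.call(OPENOCD_CMD)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Start the script with the Z1 powered off, then apply power; it exits non-zero if the LinuxLoader banner goes by first, so a missed attempt is just a power-cycle and rerun rather than another round of guessing. While it waits it must be the only reader of the UART (close screen/minicom first), otherwise the two readers split the bytes and the marker may never match. This only removes reaction time from the equation; whether the AR9344 then enters debug mode is still the open question in the thread.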