Unbricking Asus RTN10+B1 using openOCD

Community Projects
1

I have an Asus router (RT-N10+ B1 hardware) that suddenly stopped working (only power led turns on).

Hopping that I could fix it, I’ve been working in this side project for the last few weeks, but I am stuck and I would appreciate any help.

I will list bellow the actions that I’ve already done:

  • Power supply:

I replaced its power supply to see if there was any difference.

Original power supply ouput: 12 V, 0.3A

Power supply I am using now: 12V, 2.5 A

  • Hard reset:

Following the router’s manual, I tried to do a hard reset holding reset button duting power-up for 10 s. WPS led should start blincking, but it didn’t work.

  • 30-30-30 (hold reset button 30 sec while it is turned on, turn off with button pressed, hold for 30 sec, turn on while mantaining the button pressed)

I tried the 30-30-30 method several times, using the reset button, WPS button, both, etc, but no luck

  • Pinging adress 192.168.1.1

No answer on this address (router’s default address).

  • Asus recovery utility

I tried to use the asus recovery utility to try to download a firmware through tftp, but since I was unable to put the router on

recovery mode, the software did not find the router.

  • Serial recovery:

I connected a serial sniffer on its com port (I had a Freescale development board around which has a USB to COM port converter that I plugged in, http://www.freescale.com/webapp/sps/sit … FRDM-KL25Z ).

This sniffer already has a built-in 3v3 level shifter so there was no risk of burning my board nor the router.

Using the information that I found here: http://techinfodepot.shoutwiki.com/wiki … %2B_rev_B1

I connected the serial sniffer on J2:

J2

[4 3 2 1]

RX TX GND VCC

Serial Config: 57600 Baud rate, 8 data bits, 1 stop bit, no flow control, etc…, but I was unable to read any data.

The serial converter is working correctly, since if I put a jumper on its TX/RX (loopback test) I can read what I send data through hyper terminal.

Since I was unable to access the router’s through serial connection only jtag remains as an option.

  • jtag

I found no documentation for jtag connection using this router’s model, so I needed to figure out on my own how to do it.

Identifying the board conectors:

[

The JTAG jumper was unpopulated, so I soldered the headers. I and managed to identify the jtag pinout; it’s the same as

the d-link dir-615 http://wiki.openwrt.org/toh/d-link/dir-615

Pinout:

http://s17.postimg.org/yetejche3/ASUS_RTN10_B1_JTAG.jpg

OBS: I need to solder a jumper on R28 to connect the TDO signal to the Ralink 3050. Without this jumper, jtag won’t work.

I installed openOCD (version 0.8.0) and I am using a segger j-link EDU as jtag programmer.

The debricking utilities that I found around are based on a parallel port jtag programmer, and even them don’t support

this router’s model (debricking utilities that I investigated: Hairydairymaid, UrJTAG)

The only one that I managed to work with is openOCD:

http://openocd.sourceforge.net/

I found a openOCD configuration file for the ralink rt3050 here:

http://www.8devices.com/community/viewt … 7&start=10

I then modified it specifying the flash areas (info found here:

http://wiki.openwrt.org/toh/asus/rt-n10plus

rt3050.cfg

set _CHIPNAME rt3050
set _ENDIAN little
set _CPUTAPID 0x1335024F

log_output c:/temp/openOCDSession.log

#daemon configuration
telnet_port 4444
gdb_port 3333

#interface
interface jlink
#jtag_speed 0
adapter_khz 100

adapter_nsrst_delay 200
jtag_ntrst_delay 200

# jtag scan chain
# format L IRC IRCM IDCODE (Length, IR Capture, IR Capture Mask, IDCODE)
jtag newtap $_CHIPNAME cpu -irlen 5  -ircapture 0x1 -irmask 0x3 -expected-id $_CPUTAPID

set _TARGETNAME [format "%s.cpu" $_CHIPNAME]
target create $_TARGETNAME mips_m4k -endian $_ENDIAN -chain-position $_TARGETNAME

$_TARGETNAME configure -event reset-init {
  #reset  
  halt
  echo "init SDRAM controller.."
  mww 0x10000300 0xd1825272
  mww 0x10000304 0xe0120300
  echo "init Flash controller.."
  mww 0x10000308 0x0511FFA3
  echo "Find flash..."
  flash probe 0
}

flash bank Bootloader cfi 0x1f000000 0x30000 2 2 $_TARGETNAME
flash bank Config cfi 0x1f030000 0x10000 2 2 $_TARGETNAME
flash bank Factory cfi 0x1f040000 0x10000 2 2 $_TARGETNAME
flash bank Kernel cfi 0x1f050000 0x3b0000 2 2 $_TARGETNAME

Since the router does not boot anymore, I believe that or the Config area or the bootloader are

(or both) is/are corrupted. I am trying to erase the Config area (which I believe is the

NVRAM config area in some routers).

obs: registers 0x10000300 and 0x10000304 config SDRAM

register 0x10000308 config flash controller, only field that I modified in this reg from its initial value is b01:

Address setup time prior to Chip Select in number of system clock cycles: from 01 to 03

Other parameters seem to be ok (16 bit memory, timmings are maxed)

When I connect to openOCD through telnet, I halt and reset the processor, but flash probe 0 fails (command to query external flash info).

The ouput log file is this:

openOCDSession.log

Info : only one transport option; autoselect 'jtag'
adapter speed: 100 kHz
adapter_nsrst_delay: 200
jtag_ntrst_delay: 200
Info : J-Link initialization started / target CPU reset initiated
Info : J-Link V9 compiled Nov 28 2014 09:34:59
Info : J-Link caps 0xb9ff7bbf
Info : J-Link hw version 90000
Info : J-Link hw type J-Link
Info : J-Link max mem block 70952
Info : J-Link configuration
Info : USB-Address: 0x0
Info : Kickstart power on JTAG-pin 19: 0xffffffff
Info : Vref = 3.330 TCK = 1 TDI = 0 TDO = 0 TMS = 0 SRST = 0 TRST = 0
Info : J-Link JTAG Interface ready
Info : clock speed 100 kHz
Info : JTAG tap: rt3050.cpu tap/device found: 0x1335024f (mfg: 0x127, part: 0x3350, ver: 0x1)
Info : accepting 'telnet' connection from 4444
target state: halted
target halted in MIPS32 mode due to debug-request, pc: 0x0bf53974
Info : JTAG tap: rt3050.cpu tap/device found: 0x1335024f (mfg: 0x127, part: 0x3350, ver: 0x1)
target state: halted
target halted in MIPS32 mode due to debug-request, pc: 0x0bf53974
init SDRAM controller..
init Flash controller..
Find flash...
Info : Flash Manufacturer/Device: 0x00ff 0x1000
Error: Could not probe bank: no QRY
Try workaround w/0x555 instead of 0x55 to get QRY.
Error: Could not probe bank: no QRY
Error: auto_probe failed
in procedure 'flash'

Therefore I managed to execute jtag commands, but I am unable to access the external flash memory where

the bootloader, the current configuration and the main firmware are located.

From the info found in its datasheet, this memory is CFI complient, so I am using the right openOCD driver.

The memory used in this router is a 32 Megabit NOR flash, model S29GL032N90TFI04 manufactured by Spansion:

[[

The unpopulated resistors R76,R78 are pull ups R77,R799 are pull downs.

Pin 11 is the WE (write enable), I didn`t find any unpopulated resistor separating this pin to the main chip.

My assumption is that this pin should remain connected after production, because it would be impossible

to update the firmware otherwise.

Bellow is the log file with debug level =3, same script and the same actions (halt, then reset init).

Debug: 17 23 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_telnet_port 4444
Debug: 18 23 command.c:145 script_debug(): command - telnet_port ocd_telnet_port 4444
Debug: 20 23 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_gdb_port 3333
Debug: 21 23 command.c:145 script_debug(): command - gdb_port ocd_gdb_port 3333
Debug: 23 23 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_interface jlink
Debug: 24 23 command.c:145 script_debug(): command - interface ocd_interface jlink
Debug: 26 23 command.c:325 command_new(): BUG: command 'jlink' does not have the '.usage' field filled out
Debug: 27 23 command.c:325 command_new(): BUG: command 'jlink caps' does not have the '.usage' field filled out
Debug: 28 23 command.c:366 register_command_handler(): registering 'ocd_jlink'...
Debug: 29 23 command.c:325 command_new(): BUG: command 'jlink info' does not have the '.usage' field filled out
Debug: 30 23 command.c:366 register_command_handler(): registering 'ocd_jlink'...
Debug: 31 23 command.c:366 register_command_handler(): registering 'ocd_jlink'...
Debug: 32 23 command.c:325 command_new(): BUG: command 'jlink config' does not have the '.usage' field filled out
Debug: 33 23 command.c:366 register_command_handler(): registering 'ocd_jlink'...
Debug: 34 23 command.c:366 register_command_handler(): registering 'ocd_jlink'...
Debug: 35 23 command.c:366 register_command_handler(): registering 'ocd_jlink'...
Debug: 36 23 command.c:366 register_command_handler(): registering 'ocd_jlink'...
Debug: 37 23 command.c:325 command_new(): BUG: command 'config reset' does not have the '.usage' field filled out
Debug: 38 23 command.c:366 register_command_handler(): registering 'ocd_jlink'...
Debug: 39 23 command.c:325 command_new(): BUG: command 'config save' does not have the '.usage' field filled out
Debug: 40 23 command.c:366 register_command_handler(): registering 'ocd_jlink'...
Debug: 41 23 command.c:366 register_command_handler(): registering 'ocd_jlink'...
Debug: 42 23 command.c:325 command_new(): BUG: command 'jlink pid' does not have the '.usage' field filled out
Debug: 43 23 command.c:366 register_command_handler(): registering 'ocd_jlink'...
Info : 44 23 transport.c:118 allow_transports(): only one transport option; autoselect 'jtag'
Debug: 45 23 command.c:366 register_command_handler(): registering 'ocd_jtag_flush_queue_sleep'...
Debug: 46 23 command.c:366 register_command_handler(): registering 'ocd_jtag_rclk'...
Debug: 47 23 command.c:366 register_command_handler(): registering 'ocd_jtag_ntrst_delay'...
Debug: 48 23 command.c:366 register_command_handler(): registering 'ocd_jtag_ntrst_assert_width'...
Debug: 49 23 command.c:366 register_command_handler(): registering 'ocd_scan_chain'...
Debug: 50 23 command.c:366 register_command_handler(): registering 'ocd_jtag_reset'...
Debug: 51 23 command.c:366 register_command_handler(): registering 'ocd_runtest'...
Debug: 52 23 command.c:366 register_command_handler(): registering 'ocd_irscan'...
Debug: 53 23 command.c:366 register_command_handler(): registering 'ocd_verify_ircapture'...
Debug: 54 23 command.c:366 register_command_handler(): registering 'ocd_verify_jtag'...
Debug: 55 23 command.c:366 register_command_handler(): registering 'ocd_tms_sequence'...
Debug: 56 23 command.c:366 register_command_handler(): registering 'ocd_wait_srst_deassert'...
Debug: 57 23 command.c:366 register_command_handler(): registering 'ocd_jtag'...
Debug: 58 23 command.c:366 register_command_handler(): registering 'ocd_jtag'...
Debug: 59 23 command.c:366 register_command_handler(): registering 'ocd_jtag'...
Debug: 60 23 command.c:366 register_command_handler(): registering 'ocd_jtag'...
Debug: 61 23 command.c:366 register_command_handler(): registering 'ocd_jtag'...
Debug: 62 23 command.c:366 register_command_handler(): registering 'ocd_jtag'...
Debug: 63 39 command.c:366 register_command_handler(): registering 'ocd_jtag'...
Debug: 64 39 command.c:366 register_command_handler(): registering 'ocd_jtag'...
Debug: 65 39 command.c:366 register_command_handler(): registering 'ocd_jtag'...
Debug: 66 39 command.c:366 register_command_handler(): registering 'ocd_jtag'...
Debug: 67 39 command.c:366 register_command_handler(): registering 'ocd_jtag'...
Debug: 68 39 command.c:366 register_command_handler(): registering 'ocd_jtag'...
Debug: 69 39 command.c:366 register_command_handler(): registering 'ocd_jtag'...
Debug: 70 39 command.c:366 register_command_handler(): registering 'ocd_svf'...
Debug: 71 39 command.c:366 register_command_handler(): registering 'ocd_xsvf'...
Debug: 72 39 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_adapter_khz 100
Debug: 73 39 command.c:145 script_debug(): command - adapter_khz ocd_adapter_khz 100
Debug: 75 39 core.c:1644 jtag_config_khz(): handle jtag khz
Debug: 76 39 core.c:1611 adapter_khz_to_speed(): convert khz to interface specific speed value
Debug: 77 39 core.c:1611 adapter_khz_to_speed(): convert khz to interface specific speed value
User : 78 39 command.c:546 command_print(): adapter speed: 100 kHz
Debug: 79 39 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_adapter_nsrst_delay 200
Debug: 80 39 command.c:145 script_debug(): command - adapter_nsrst_delay ocd_adapter_nsrst_delay 200
User : 82 39 command.c:546 command_print(): adapter_nsrst_delay: 200
Debug: 83 39 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_jtag_ntrst_delay 200
Debug: 84 39 command.c:145 script_debug(): command - jtag_ntrst_delay ocd_jtag_ntrst_delay 200
User : 86 39 command.c:546 command_print(): jtag_ntrst_delay: 200
Debug: 87 39 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_jtag newtap rt3050 cpu -irlen 5 -ircapture 0x1 -irmask 0x3 -expected-id 0x1335024F
Debug: 88 39 command.c:145 script_debug(): command - ocd_jtag ocd_jtag newtap rt3050 cpu -irlen 5 -ircapture 0x1 -irmask 0x3 -expected-id 0x1335024F
Debug: 89 39 tcl.c:554 jim_newtap_cmd(): Creating New Tap, Chip: rt3050, Tap: cpu, Dotted: rt3050.cpu, 8 params
Debug: 90 39 tcl.c:571 jim_newtap_cmd(): Processing option: -irlen
Debug: 91 39 tcl.c:571 jim_newtap_cmd(): Processing option: -ircapture
Debug: 92 39 tcl.c:571 jim_newtap_cmd(): Processing option: -irmask
Debug: 93 39 tcl.c:571 jim_newtap_cmd(): Processing option: -expected-id
Debug: 94 39 core.c:1319 jtag_tap_init(): Created Tap: rt3050.cpu @ abs position 0, irlen 5, capture: 0x1 mask: 0x3
Debug: 95 39 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_target create rt3050.cpu mips_m4k -endian little -chain-position rt3050.cpu
Debug: 96 39 command.c:145 script_debug(): command - ocd_target ocd_target create rt3050.cpu mips_m4k -endian little -chain-position rt3050.cpu
Debug: 97 39 target.c:1722 target_free_all_working_areas_restore(): freeing all working areas
Debug: 98 39 command.c:366 register_command_handler(): registering 'ocd_mips32'...
Debug: 99 39 command.c:366 register_command_handler(): registering 'ocd_mips32'...
Debug: 100 39 command.c:366 register_command_handler(): registering 'ocd_mips_m4k'...
Debug: 101 39 command.c:366 register_command_handler(): registering 'ocd_mips_m4k'...
Debug: 102 39 command.c:366 register_command_handler(): registering 'ocd_mips_m4k'...
Debug: 103 39 command.c:366 register_command_handler(): registering 'ocd_mips_m4k'...
Debug: 104 39 command.c:366 register_command_handler(): registering 'ocd_mips_m4k'...
Debug: 105 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 106 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 107 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 108 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 109 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 110 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 111 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 112 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 113 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 114 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 115 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 116 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 117 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 118 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 119 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 120 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 121 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 122 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 123 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 124 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 125 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 126 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 127 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 128 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 129 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 130 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 131 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 132 39 command.c:366 register_command_handler(): registering 'ocd_rt3050.cpu'...
Debug: 133 39 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_rt3050.cpu configure -event reset-init 
  #reset  
  halt
  echo "init SDRAM controller.."
  mww 0x10000300 0xd1825272
  mww 0x10000304 0xe0120300
  echo "init Flash controller.."
  mww 0x10000308 0x0511FFA3
  echo "Find flash..."
  flash probe 0

Debug: 134 39 command.c:145 script_debug(): command - ocd_rt3050.cpu ocd_rt3050.cpu configure -event reset-init 
  #reset  
  halt
  echo "init SDRAM controller.."
  mww 0x10000300 0xd1825272
  mww 0x10000304 0xe0120300
  echo "init Flash controller.."
  mww 0x10000308 0x0511FFA3
  echo "Find flash..."
  flash probe 0

Debug: 135 39 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_flash bank Bootloader cfi 0x1f000000 0x30000 2 2 rt3050.cpu
Debug: 136 39 command.c:145 script_debug(): command - ocd_flash ocd_flash bank Bootloader cfi 0x1f000000 0x30000 2 2 rt3050.cpu
Debug: 138 39 tcl.c:804 handle_flash_bank_command(): 'cfi' driver usage field missing
Debug: 139 39 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_flash bank Config cfi 0x1f030000 0x10000 2 2 rt3050.cpu
Debug: 140 39 command.c:145 script_debug(): command - ocd_flash ocd_flash bank Config cfi 0x1f030000 0x10000 2 2 rt3050.cpu
Debug: 142 39 tcl.c:804 handle_flash_bank_command(): 'cfi' driver usage field missing
Debug: 143 39 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_flash bank Factory cfi 0x1f040000 0x10000 2 2 rt3050.cpu
Debug: 144 39 command.c:145 script_debug(): command - ocd_flash ocd_flash bank Factory cfi 0x1f040000 0x10000 2 2 rt3050.cpu
Debug: 146 39 tcl.c:804 handle_flash_bank_command(): 'cfi' driver usage field missing
Debug: 147 39 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_flash bank Kernel cfi 0x1f050000 0x3b0000 2 2 rt3050.cpu
Debug: 148 39 command.c:145 script_debug(): command - ocd_flash ocd_flash bank Kernel cfi 0x1f050000 0x3b0000 2 2 rt3050.cpu
Debug: 150 39 tcl.c:804 handle_flash_bank_command(): 'cfi' driver usage field missing
Debug: 151 39 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_init
Debug: 152 39 command.c:145 script_debug(): command - init ocd_init
Debug: 154 39 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_target init
Debug: 155 39 command.c:145 script_debug(): command - ocd_target ocd_target init
Debug: 157 39 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_target names
Debug: 158 39 command.c:145 script_debug(): command - ocd_target ocd_target names
Debug: 159 39 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_rt3050.cpu cget -event gdb-flash-erase-start
Debug: 160 39 command.c:145 script_debug(): command - ocd_rt3050.cpu ocd_rt3050.cpu cget -event gdb-flash-erase-start
Debug: 161 39 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_rt3050.cpu configure -event gdb-flash-erase-start reset init
Debug: 162 39 command.c:145 script_debug(): command - ocd_rt3050.cpu ocd_rt3050.cpu configure -event gdb-flash-erase-start reset init
Debug: 163 39 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_rt3050.cpu cget -event gdb-flash-write-end
Debug: 164 39 command.c:145 script_debug(): command - ocd_rt3050.cpu ocd_rt3050.cpu cget -event gdb-flash-write-end
Debug: 165 39 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_rt3050.cpu configure -event gdb-flash-write-end reset halt
Debug: 166 39 command.c:145 script_debug(): command - ocd_rt3050.cpu ocd_rt3050.cpu configure -event gdb-flash-write-end reset halt
Debug: 167 39 target.c:1285 handle_target_init_command(): Initializing targets...
Debug: 168 39 command.c:366 register_command_handler(): registering 'ocd_target_request'...
Debug: 169 39 command.c:366 register_command_handler(): registering 'ocd_trace'...
Debug: 170 39 command.c:366 register_command_handler(): registering 'ocd_trace'...
Debug: 171 39 command.c:366 register_command_handler(): registering 'ocd_fast_load_image'...
Debug: 172 39 command.c:366 register_command_handler(): registering 'ocd_fast_load'...
Debug: 173 39 command.c:366 register_command_handler(): registering 'ocd_profile'...
Debug: 174 39 command.c:366 register_command_handler(): registering 'ocd_virt2phys'...
Debug: 175 39 command.c:366 register_command_handler(): registering 'ocd_reg'...
Debug: 176 39 command.c:366 register_command_handler(): registering 'ocd_poll'...
Debug: 177 39 command.c:366 register_command_handler(): registering 'ocd_wait_halt'...
Debug: 178 39 command.c:366 register_command_handler(): registering 'ocd_halt'...
Debug: 179 39 command.c:366 register_command_handler(): registering 'ocd_resume'...
Debug: 180 39 command.c:366 register_command_handler(): registering 'ocd_reset'...
Debug: 181 39 command.c:366 register_command_handler(): registering 'ocd_soft_reset_halt'...
Debug: 182 39 command.c:366 register_command_handler(): registering 'ocd_step'...
Debug: 183 39 command.c:366 register_command_handler(): registering 'ocd_mdw'...
Debug: 184 39 command.c:366 register_command_handler(): registering 'ocd_mdh'...
Debug: 185 39 command.c:366 register_command_handler(): registering 'ocd_mdb'...
Debug: 186 39 command.c:366 register_command_handler(): registering 'ocd_mww'...
Debug: 187 39 command.c:366 register_command_handler(): registering 'ocd_mwh'...
Debug: 188 39 command.c:366 register_command_handler(): registering 'ocd_mwb'...
Debug: 189 39 command.c:366 register_command_handler(): registering 'ocd_bp'...
Debug: 190 39 command.c:366 register_command_handler(): registering 'ocd_rbp'...
Debug: 191 39 command.c:366 register_command_handler(): registering 'ocd_wp'...
Debug: 192 39 command.c:366 register_command_handler(): registering 'ocd_rwp'...
Debug: 193 39 command.c:366 register_command_handler(): registering 'ocd_load_image'...
Debug: 194 39 command.c:366 register_command_handler(): registering 'ocd_dump_image'...
Debug: 195 39 command.c:366 register_command_handler(): registering 'ocd_verify_image'...
Debug: 196 39 command.c:366 register_command_handler(): registering 'ocd_test_image'...
Debug: 197 39 command.c:366 register_command_handler(): registering 'ocd_reset_nag'...
Debug: 198 39 command.c:366 register_command_handler(): registering 'ocd_ps'...
Debug: 199 39 command.c:366 register_command_handler(): registering 'ocd_test_mem_access'...
Debug: 200 109 libusb1_common.c:156 jtag_libusb_get_endpoints(): usb ep in 81
Debug: 201 109 libusb1_common.c:156 jtag_libusb_get_endpoints(): usb ep out 01
Info : 202 109 jlink.c:515 jlink_init(): J-Link initialization started / target CPU reset initiated
Info : 203 125 jlink.c:891 jlink_get_version_info(): J-Link V9 compiled Nov 28 2014 09:34:59
Info : 204 125 jlink.c:904 jlink_get_version_info(): J-Link caps 0xb9ff7bbf
Info : 205 125 jlink.c:922 jlink_get_version_info(): J-Link hw version 90000
Info : 206 125 jlink.c:927 jlink_get_version_info(): J-Link hw type J-Link
Info : 207 125 jlink.c:941 jlink_get_version_info(): J-Link max mem block 70952
Info : 208 125 jlink.c:784 jlink_config_dump(): J-Link configuration
Info : 209 125 jlink.c:743 jlink_config_usb_address_dump(): USB-Address: 0x0
Info : 210 125 jlink.c:752 jlink_config_kickstart_dump(): Kickstart power on JTAG-pin 19: 0xffffffff
Info : 211 125 jlink.c:711 jlink_get_status(): Vref = 3.322 TCK = 1 TDI = 0 TDO = 0 TMS = 0 SRST = 0 TRST = 0
Info : 212 125 jlink.c:538 jlink_init(): J-Link JTAG Interface ready
Debug: 213 125 jlink.c:666 jlink_reset(): trst: 0, srst: 0
Debug: 214 140 core.c:1611 adapter_khz_to_speed(): convert khz to interface specific speed value
Debug: 215 140 core.c:1614 adapter_khz_to_speed(): have interface set up
Debug: 216 140 core.c:1611 adapter_khz_to_speed(): convert khz to interface specific speed value
Debug: 217 140 core.c:1614 adapter_khz_to_speed(): have interface set up
Info : 218 140 core.c:1400 adapter_init(): clock speed 100 kHz
Debug: 219 140 openocd.c:132 handle_init_command(): Debug Adapter init complete
Debug: 220 140 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_transport init
Debug: 221 140 command.c:145 script_debug(): command - ocd_transport ocd_transport init
Debug: 223 140 transport.c:240 handle_transport_init(): handle_transport_init
Debug: 224 140 jlink.c:666 jlink_reset(): trst: 0, srst: 0
Debug: 225 140 core.c:717 jtag_add_reset(): SRST line released
Debug: 226 140 core.c:741 jtag_add_reset(): TRST line released
Debug: 227 140 core.c:321 jtag_call_event_callbacks(): jtag event: TAP reset
Debug: 229 704 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_jtag arp_init
Debug: 230 704 command.c:145 script_debug(): command - ocd_jtag ocd_jtag arp_init
Debug: 231 704 core.c:1413 jtag_init_inner(): Init JTAG chain
Debug: 232 704 core.c:321 jtag_call_event_callbacks(): jtag event: TAP reset
Debug: 233 704 core.c:1046 jtag_examine_chain(): DR scan interrogation for IDCODE/BYPASS
Debug: 234 705 core.c:321 jtag_call_event_callbacks(): jtag event: TAP reset
Info : 235 707 core.c:949 jtag_examine_chain_display(): JTAG tap: rt3050.cpu tap/device found: 0x1335024f (mfg: 0x127, part: 0x3350, ver: 0x1)
Debug: 236 707 core.c:1206 jtag_validate_ircapture(): IR capture validation scan
Debug: 237 707 core.c:1263 jtag_validate_ircapture(): rt3050.cpu: IR capture 0x01
Debug: 238 707 openocd.c:145 handle_init_command(): Examining targets...
Debug: 239 707 target.c:1401 target_call_event_callbacks(): target event 21 (examine-start)
Debug: 240 707 mips_ejtag.c:352 mips_ejtag_init(): impcode: 0x60414000
Debug: 241 707 mips_ejtag.c:368 mips_ejtag_init(): EJTAG: Version 3.1 Detected
Debug: 242 707 mips_ejtag.c:387 mips_ejtag_init(): EJTAG: features: R4k ASID_8 MIPS16 noDMA MIPS32
Debug: 243 707 target.c:1401 target_call_event_callbacks(): target event 22 (examine-end)
Debug: 244 707 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_flash init
Debug: 245 707 command.c:145 script_debug(): command - ocd_flash ocd_flash init
Debug: 246 707 mips_m4k.c:207 mips_m4k_poll(): Reset Detected
Debug: 248 707 tcl.c:870 handle_flash_init_command(): Initializing flash devices...
Debug: 249 707 command.c:366 register_command_handler(): registering 'ocd_flash'...
Debug: 250 707 command.c:366 register_command_handler(): registering 'ocd_flash'...
Debug: 251 707 command.c:366 register_command_handler(): registering 'ocd_flash'...
Debug: 252 707 command.c:366 register_command_handler(): registering 'ocd_flash'...
Debug: 253 707 command.c:366 register_command_handler(): registering 'ocd_flash'...
Debug: 254 707 command.c:366 register_command_handler(): registering 'ocd_flash'...
Debug: 255 707 command.c:366 register_command_handler(): registering 'ocd_flash'...
Debug: 256 707 command.c:366 register_command_handler(): registering 'ocd_flash'...
Debug: 257 707 command.c:366 register_command_handler(): registering 'ocd_flash'...
Debug: 258 707 command.c:366 register_command_handler(): registering 'ocd_flash'...
Debug: 259 707 command.c:366 register_command_handler(): registering 'ocd_flash'...
Debug: 260 707 command.c:366 register_command_handler(): registering 'ocd_flash'...
Debug: 261 707 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_mflash init
Debug: 262 707 command.c:145 script_debug(): command - ocd_mflash ocd_mflash init
Debug: 264 707 mflash.c:1379 handle_mflash_init_command(): Initializing mflash devices...
Debug: 265 707 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_nand init
Debug: 266 707 command.c:145 script_debug(): command - ocd_nand ocd_nand init
Debug: 268 707 tcl.c:497 handle_nand_init_command(): Initializing NAND devices...
Debug: 269 707 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_pld init
Debug: 270 707 command.c:145 script_debug(): command - ocd_pld ocd_pld init
Debug: 272 707 pld.c:207 handle_pld_init_command(): Initializing PLDs...
Info : 273 4041 server.c:83 add_connection(): accepting 'telnet' connection from 4444
Debug: 274 7656 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_halt
Debug: 275 7656 command.c:145 script_debug(): command - halt ocd_halt
Debug: 277 7656 target.c:2636 handle_halt_command(): -
Debug: 278 7656 mips_m4k.c:264 mips_m4k_halt(): target->state: running
Debug: 279 7656 mips_ejtag.c:283 mips_ejtag_enter_debug(): ejtag_ctrl: 0x4004c008
Debug: 280 7956 mips_m4k.c:946 mips_m4k_read_memory(): address: 0xff300000, size: 0x00000004, count: 0x00000001
Debug: 281 7994 target.c:2064 target_read_u32(): address: 0xff300000, value: 0x000303db
Debug: 282 7994 mips_m4k.c:946 mips_m4k_read_memory(): address: 0xff301000, size: 0x00000004, count: 0x00000001
Debug: 283 8024 target.c:2064 target_read_u32(): address: 0xff301000, value: 0x44000000
Debug: 284 8024 target.c:2152 target_write_u32(): address: 0xff301000, value: 0x00000000
Debug: 285 8024 mips_m4k.c:1005 mips_m4k_write_memory(): address: 0xff301000, size: 0x00000004, count: 0x00000001
Debug: 286 8040 mips_m4k.c:946 mips_m4k_read_memory(): address: 0xff302000, size: 0x00000004, count: 0x00000001
Debug: 287 8085 target.c:2064 target_read_u32(): address: 0xff302000, value: 0x42000000
Debug: 288 8085 target.c:2152 target_write_u32(): address: 0xff302000, value: 0x00000000
Debug: 289 8085 mips_m4k.c:1005 mips_m4k_write_memory(): address: 0xff302000, size: 0x00000004, count: 0x00000001
Debug: 290 8107 mips32.c:562 mips32_configure_break_unit(): DCR 0x303db numinst 4 numdata 2
Debug: 291 8107 mips_m4k.c:117 mips_m4k_debug_entry(): entered debug state at PC 0x80000180, target->state: halted
Debug: 292 8107 target.c:1401 target_call_event_callbacks(): target event 0 (gdb-halt)
Debug: 293 8107 target.c:1401 target_call_event_callbacks(): target event 1 (halted)
User : 294 8107 target.c:1774 target_arch_state(): target state: halted
User : 295 8107 mips32.c:237 mips32_arch_state(): target halted in MIPS32 mode due to debug-request, pc: 0x80000180
Debug: 296 26006 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_mwb 0x1f000055 0x98
Debug: 297 26006 command.c:145 script_debug(): command - mwb ocd_mwb 0x1f000055 0x98
Debug: 299 26007 mips_m4k.c:1005 mips_m4k_write_memory(): address: 0x1f000055, size: 0x00000001, count: 0x00000001
Debug: 300 55321 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_mdb 0x1f000010
Debug: 301 55321 command.c:145 script_debug(): command - mdb ocd_mdb 0x1f000010
Debug: 303 55321 mips_m4k.c:946 mips_m4k_read_memory(): address: 0x1f000010, size: 0x00000001, count: 0x00000001
User : 304 55352 command.c:546 command_print(): 0x1f000010: 1f 
Debug: 305 58077 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_mdb 0x1f000011
Debug: 306 58077 command.c:145 script_debug(): command - mdb ocd_mdb 0x1f000011
Debug: 308 58078 mips_m4k.c:946 mips_m4k_read_memory(): address: 0x1f000011, size: 0x00000001, count: 0x00000001
User : 309 58106 command.c:546 command_print(): 0x1f000011: 02 
Debug: 310 61397 command.c:145 script_debug(): command - ocd_command ocd_command type ocd_mdb 0x1f000012
Debug: 311 61397 command.c:145 script_debug(): command - mdb ocd_mdb 0x1f000012
Debug: 313 61398 mips_m4k.c:946 mips_m4k_read_memory(): address: 0x1f000012, size: 0x00000001, count: 0x00000001
User : 314 61422 command.c:546 command_print(): 0x1f000012: 00

What I found odd are the commands:

Debug: 411 8229 mips_m4k.c:1005 mips_m4k_write_memory(): address: 0x1f000aaa, size: 0x00000002, count: 0x00000001

Debug: 412 8292 mips_m4k.c:1005 mips_m4k_write_memory(): address: 0x1f000554, size: 0x00000002, count: 0x00000001

Debug: 413 8338 mips_m4k.c:1005 mips_m4k_write_memory(): address: 0x1f000aaa, size: 0x00000002, count: 0x00000001

Debug: 414 8417 mips_m4k.c:946 mips_m4k_read_memory(): address: 0x1f000000, size: 0x00000002, count: 0x00000001

Debug: 415 8448 mips_m4k.c:946 mips_m4k_read_memory(): address: 0x1f000002, size: 0x00000002, count: 0x00000001

Info : 416 8479 cfi.c:2613 cfi_probe(): Flash Manufacturer/Device: 0x00ff 0x1000

Adress 0x1F000000 is the starting address to access external flash (found from rt3050 datasheet)

http://www.tracermcc.ru/foto/bender/RT3 … 8_0902.pdf

openOCD executes 3 writes prior to execute the read to query Manufacturer/Device info, which I believe

are used to put the memory in the CFI mode.

The memory`s datasheet http://www.spansion.com/Support/Datashe … L-N_01.pdf

indicates that to enter CFI mode we need to write 0x98 to address 0x55, which openOCD is not doing; and to read

the manufacturer/device ID, the addresses are 13h and 15h respectively (not 0x00 and 0x02).

My conclusion is that openOCD is not doing the right writes to put the device on CFI mode nor is reading the correct bytes

to get CFI data.

Sadly, even if I try to write 0x98 @ address 0x1f000055 to enter CFI mode mannualy, it does not work.

I`ve read the addresses 0x1f000010, 0x1f000011, 0x1f000012 after doing it, but instead

of getting 0x51, 0x52 and 0x59 (Characters Q, R and Y in ASCII) I got 0x1F 0x02 and 00.

I am following the spansion`s quick guide to CFI as reference:

http://www.spansion.com/Support/Applica … CFI_AN.pdf

Thats it folks, if someone can give me a hand to access this routers external flash memory I think I can revive it.](http://s24.postimg.org/qy4g9z7ap/Flash_Asus_RTN10.jpg "](http://postimg.org/image/qy4g9z7ap/)

The unpopulated resistors R76,R78 are pull ups R77,R799 are pull downs.

Pin 11 is the WE (write enable), I didn`t find any unpopulated resistor separating this pin to the main chip.

My assumption is that this pin should remain connected after production, because it would be impossible

to update the firmware otherwise.

Bellow is the log file with debug level =3, same script and the same actions (halt, then reset init).

§_DISCOURSE_HOISTED_CODE_2_§

What I found odd are the commands:

Debug: 411 8229 mips_m4k.c:1005 mips_m4k_write_memory(): address: 0x1f000aaa, size: 0x00000002, count: 0x00000001

Debug: 412 8292 mips_m4k.c:1005 mips_m4k_write_memory(): address: 0x1f000554, size: 0x00000002, count: 0x00000001

Debug: 413 8338 mips_m4k.c:1005 mips_m4k_write_memory(): address: 0x1f000aaa, size: 0x00000002, count: 0x00000001

Debug: 414 8417 mips_m4k.c:946 mips_m4k_read_memory(): address: 0x1f000000, size: 0x00000002, count: 0x00000001

Debug: 415 8448 mips_m4k.c:946 mips_m4k_read_memory(): address: 0x1f000002, size: 0x00000002, count: 0x00000001

Info : 416 8479 cfi.c:2613 cfi_probe(): Flash Manufacturer/Device: 0x00ff 0x1000

Adress 0x1F000000 is the starting address to access external flash (found from rt3050 datasheet)

http://www.tracermcc.ru/foto/bender/RT3 … 8_0902.pdf

openOCD executes 3 writes prior to execute the read to query Manufacturer/Device info, which I believe

are used to put the memory in the CFI mode.

The memory`s datasheet http://www.spansion.com/Support/Datashe … L-N_01.pdf

indicates that to enter CFI mode we need to write 0x98 to address 0x55, which openOCD is not doing; and to read

the manufacturer/device ID, the addresses are 13h and 15h respectively (not 0x00 and 0x02).

My conclusion is that openOCD is not doing the right writes to put the device on CFI mode nor is reading the correct bytes

to get CFI data.

Sadly, even if I try to write 0x98 @ address 0x1f000055 to enter CFI mode mannualy, it does not work.

I`ve read the addresses 0x1f000010, 0x1f000011, 0x1f000012 after doing it, but instead

of getting 0x51, 0x52 and 0x59 (Characters Q, R and Y in ASCII) I got 0x1F 0x02 and 00.

I am following the spansion`s quick guide to CFI as reference:

http://www.spansion.com/Support/Applica … CFI_AN.pdf

Thats it folks, if someone can give me a hand to access this routers external flash memory I think I can revive it.")](http://postimg.org/image/qy4g9z7ap/)](http://postimg.org/image/lafyq6l7v/)