What's new

ASUS ZenWiFi AX (XT8) hard-bricked?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

gzb90

New Around Here
Hi guys,

I found yours forum looking for solution for my bricked router. After power-on nothing happen - no leds, no wifi etc. It draws 0.09A, and are stuck. The bootlog from uart doesn't look optimistic:

Code:
BTRM
V1.3
MEM?
MEMP
CACH
CODE
ZBSS
MAIN
OTP?
OTPP
USBT
NAND
IMG?
IMGL
UHD?
UHDP
RLO?
RLOP
UBI?
UBIF
IMG?
IMGL
UHD?
UHDP
RLO?
RLOP
UBI?
UBIF
IMG?
IMGL
UHD?
UHDP
RLO?
RLOP
UBI?
UBIF
IMG?
FAIL

I tried holding down the reset and/or wps button while connecting power, nothing change.

It's any hope for this device? I don't know past of this device, i got it like this.
 
Unfortunately device does not go in recovery mode, LAN ports are dead - Windows tell me "Ethernet cable is unplugged"

Chipoff or jtag are my only chance? From bootlog i understand is something wrong with "UBI?", what's that?
UBI is a flash filesystem. That's why I suspected it was just a corrupted boot image, but it's possible the bootloader itself is also corrupted. Maybe someone force flashing the wrong model on it. In that case, you'd need JTAG to recover it, however I do not know if there is public JTAG support for that platform.

It could also be a NAND failure, in which case there's nothing that can be done. I don't know if this model puts the initial bootloader in the same NAND as the firmware, or inside the CPU's own flash.
 
UBI is a flash filesystem. That's why I suspected it was just a corrupted boot image, but it's possible the bootloader itself is also corrupted. Maybe someone force flashing the wrong model on it. In that case, you'd need JTAG to recover it, however I do not know if there is public JTAG support for that platform.

It could also be a NAND failure, in which case there's nothing that can be done. I don't know if this model puts the initial bootloader in the same NAND as the firmware, or inside the CPU's own flash.

So i did some tests, first I desoldered nand from motherboard and bootlog look like this:
Code:
----
BTRM
V1.3
MEM?
MEMP
CACH
CODE
ZBSS
MAIN
OTP?
OTPP
USBT
NAND
IMG?
FAIL
----
----
BTRM
V1.3
MEM?
MEMP
CACH
CODE
ZBSS
MAIN
OTP?
OTPP
USBT
NAND
IMG?
FAIL
----

And bootlooping with the same instructions. So i assume the initial bootloader is in CPU itself.

I think there are no public jtag solutions atm, so I made some measurment on socket places: voltage dropout in diode mode and voltages. Atm I think i found a vref voltage on J4. Anyone has idea what pins can be jtag?

For information: I have a wide range electronics repair equipment like osciloscope(all voltages I found are solid), logic analyzer, hot air, bga station but unfortunately I don't have a nand programmer.

As a last resort if somebody know pinout from BCM6755 I can desolder it from board and found corresponding JTAG pins.
 

Attachments

  • IMG_20220617_165101.jpg
    IMG_20220617_165101.jpg
    208.4 KB · Views: 283
  • IMG_20220617_165109.jpg
    IMG_20220617_165109.jpg
    251.4 KB · Views: 215
My memory may be wrong, but I think there has been reports of people reflashing an empty/corrupted NAND. I don't remember the details however (whether they used special equipment, or swapped nands), the discussion was probably here on SNBForums.

I would assume the JTAG would be the unsoldered connector on the left side of your picture.
 
My memory may be wrong, but I think there has been reports of people reflashing an empty/corrupted NAND. I don't remember the details however (whether they used special equipment, or swapped nands), the discussion was probably here on SNBForums.

I would assume the JTAG would be the unsoldered connector on the left side of your picture.
I just realized nothing is visible on this processed photos, originals are here: https://drive.google.com/drive/folders/11QFQ6zuWti0Axo2eS7vRNQY7pi7UhbJz?usp=sharing

I will check tommorow, resolder this nand and use logic analyzer to find out some communication on this pins.
 
The four-pin header is probably the TTL serial port (I can`t see the pin IDs, but every Asus routers I've disassembled only had one single four pin header, always the TTL port). The pin with a white square is VCC, the rest is TX, RX and GND (don't remember the order for TX and RX).

I suspect the JTAG is the pinless 5x2 unsoldered connector just above it.
 
I found jtag on the J4 header. I'll post details later. What I need to do next? I seen using OpenOCD is useful in some cases but my board is unsupported.

Any thoughts?
 
No idea, I never used JTAG, sorry.
 
I cannot find way to flash nand memory using jtag. On OpenOCD there are examples but for routers with NOR memory, nothing about nand.

If anyone needs jtag access:

J4:
TDI 1
TDO 3
TMS 5
TCK 7
nTRST 9
GND 6,8,10

So i think I need reprogram nand using external programmer. I will have it in two weeks, any advices?
 
I also have a bricked XT8. I get normal LED responses, but it does not create a WiFi network and when I plug in an ethernet cable I get "Unidentified network" in Windows. A factory reset does not fix it, and the router enters rescue mode successfully but the recovery tool cannot access it to push new firmware.

So I'm looking at other options. gzb90, zw.W did you guys figure out something? Can it be fixed via JTAG?
 
Last edited:
Hi guys a year later!

Meanwhile I managed to get a full nand dump from another router and reprogram my memory using external programmer. I didn't change the mac address on cfe because of ECC checksums in spare area. Now i got an error:
"MDIO Error: MDIO got failure status on phy 7"

Using firmware restoration tool didn't change anything.

Do you think it can be caused by wrong mac ?

Here is the whole uart log(I changed my address for privacy reasons):

Edit:
I just found diffrence in ETHERNET chip beetwen two boards, on source board is BCM50991E but on mine is BCM54991E. On sources I found corresponding function:
And what I found is, that function should detect chip ID automaticly from table "phy_desc". But unfortunatly it does not. My only idea is my binary file contain a old version without definition of my chip.

@RMerlin Could you help me to understand this mechanism ?
 
Last edited:
Hi guys a year later!

Meanwhile I managed to get a full nand dump from another router and reprogram my memory using external programmer. I didn't change the mac address on cfe because of ECC checksums in spare area. Now i got an error:
"MDIO Error: MDIO got failure status on phy 7"

Using firmware restoration tool didn't change anything.

Do you think it can be caused by wrong mac ?

Here is the whole uart log(I changed my address for privacy reasons):

Edit:
I just found diffrence in ETHERNET chip beetwen two boards, on source board is BCM50991E but on mine is BCM54991E. On sources I found corresponding function:
And what I found is, that function should detect chip ID automaticly from table "phy_desc". But unfortunatly it does not. My only idea is my binary file contain a old version without definition of my chip.

@RMerlin Could you help me to understand this mechanism ?

I've got this exact issue, did you manage to resolve it ?

See my thread....

Help - ASUS XT8 - Wrong FW flashed - Rescue not available - CFE OK

 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top