This may be of help for people with broken firmware.
I had problems with my router after doing a factory reset. Turns out some of the CFE default NVRAM parameters were corrupt and the firmware would no longer boot. CFE version is 1.0.1.2. The corrupted CFE parameters prevented recovery mode.
To recover I used the internal serial port using a 3.3V USB-to-TTL adapter, connecting RX to TX and TX to RX and GND to GND. Hitting Ctrl-C very quickly on power up can catch the CFE> prompt. From there the 'nvram show' command revealed some corrupt values and different values from the stock CFE. They were fixed in NVRAM with the following:
Code:
CFE>nvram show
...
lan_b!tmask=255.255.255.0 <---- prevents CFE recovery mode connection
pci/2/1/pa5gw0a1=0XFEAC
pci/2/1/pa5gw1a1=0X1776 <----- not sure if this was changed from an aborted firmware upgrade
pci/2/1/pa5gw2a1=0XFA58
CFE>nvram unset lan_b!tmask
CFE>nvram set lan_netmask=255.255.255.0
CFE>nvram set pci/2/1/pa5gw0a1=0xFEA
CFE>nvram set pci/2/1/pa5gw1a1=0x1676
CFE>nvram set pci/2/1/pa5gw2a1=0xFA82
CFE>nvram commit
It is important NOT to factory reset the NVRAM parameters after this. The CFE boot prompt will still be using the corrupted values but booting other firmware will use the NVRAM adjusted parameters.
The procedure outlined in this CFE bootloader update topic will not help recover CFE with corrupted values. My procedure was to follow some of the steps in the update script, but first I needed some version of firmware that would boot. I tried OpenWrt, which uploaded and booted. It is possible that an older version of asuswrt-merlin may also work, such as RT-N66U_3.0.0.3_162.trx, but this version does not have SSH.
To be able to upload firmware with tftp I restored the ifconfig at the CFE> prompt, set laptop IP to 192.168.1.2. Check the connection. Set up TFTPD32 to work on 192.168.1.2 after network is up. Put firmware in the tftp directory.
Code:
CFE>ifconfig -addr=192.168.1.1 -mask=255.255.255.0 -gw=192.168.1.2 eth0
CFE>ping 192.168.1.2
CFE>flash -noheader 192.168.1.2:openwrt-15.05.1-brcm47xx-mips74k-asus-rt-n66u-squashfs.trx flash1.trx
Rebooting and with OpenWrt running, I set up an SSH connection from the laptop using PuTTY to test SSH. I then used WinSCP to also connect to the router. I obtained the 1.0.1.2 version of the CFE firmware from the CFE Dumps Collection. I also downloaded ryzhov_al's update script and tools.
Unpacking into the tftp directory I copied the new 1.0.1.2 CFE firmware and the nvsimple-mipsel utility with WinSCP. Then:
Code:
root@OpenWrt:~# cp rt-n66u_b1_1.0.1.2_us.bin cfe.new
root@OpenWrt:~# ./nvsimple-mipsel -e cfe.new -o 1024 | sort > nvram_updated.txt
root@OpenWrt:~# cat /dev/mtd0 > cfe.old
root@OpenWrt:~# ./nvsimple-mipsel -e /dev/mtd0ro -v -o 1024 | sort > nvram_orig.txt
root@OpenWrt:~# cat nvram_orig.txt | grep -v ^odmpid > nvram.txt
Using WinSCP I copied the nvram_updated.txt and nvram.txt files to the laptop. Using WinMerge I merged the MAC addresses but not the corrupted parameters. I copied nvram_updated.txt to cfe_new.txt and back to the RT-N66U. I generated new CFE firmware from the patched text.
Code:
root@OpenWrt:~# ./nvsimple-mipsel -i cfe_new.txt cfe.new -v -o 1024 -l 4092
I then attempted to use OpenWrt mtd unlock and mtd write commands, but write permission was not enabled in the partition and I received:
Could not open mtd device: mtd0
I copied the patched cfe.new firmware back to laptop and installed an old version of asuswrt-merlin. Back at the CFE prompt:
Code:
CFE>ifconfig -addr=192.168.1.1 -mask=255.255.255.0 -gw=192.168.1.2 eth0
CFE>ping 192.168.1.2
CFE>flash -noheader 192.168.1.2:RT-N66U_3.0.0.3_162.trx flash1.trx
This version of asuswrt-merlin does not have SSH so I used a USB stick to copy the new firmware to the router. Using the serial port command line I wrote the new CFE.
Code:
mtd-write -i cfe.new -d pmon
Rebooted and tested that it works. I then uploaded a more recent version of asuswrt-merlin, but one before 3.0.0.4.380_300, which prevents reverting to previous versions.
Code:
CFE>ping 192.168.1.2
CFE>flash -noheader 192.168.1.2:RT-N66U_380.58_0.trx flash1.trx
Router is now working. I am probably done mucking with this router.
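The manual WinMerge step above (carry the MAC addresses over from the router's own dump, take everything else from the stock CFE defaults, and leave out the corrupted entries) can also be scripted. The following is an added example, not part of the original post or of ryzhov_al's tools. It assumes the dumps are plain key=value lines, that valid key names use only the characters in KEY_RE, and that device-specific values can be recognised by their MAC address format. The sample dumps are constructed: the pa5gw and lan_netmask values are the ones set at the CFE> prompt in the post, while et0macaddr and both MAC addresses are made up.

```python
import re

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
# Assumption: legitimate NVRAM key names use only these characters.
KEY_RE = re.compile(r"^[A-Za-z0-9_/.:-]+$")

# Constructed samples. The non-MAC stock values are the ones set at the CFE>
# prompt in the post; the et0macaddr entries and MAC addresses are made up.
STOCK_SAMPLE = """\
et0macaddr=00:11:22:33:44:55
lan_netmask=255.255.255.0
pci/2/1/pa5gw0a1=0xFEA
pci/2/1/pa5gw1a1=0x1676
pci/2/1/pa5gw2a1=0xFA82
"""
DEVICE_SAMPLE = """\
et0macaddr=AA:BB:CC:00:00:01
lan_b!tmask=255.255.255.0
pci/2/1/pa5gw0a1=0XFEAC
pci/2/1/pa5gw1a1=0X1776
pci/2/1/pa5gw2a1=0XFA58
"""

def parse_dump(text):
    """Return (vars, suspect): key=value pairs and lines with a malformed key."""
    found, suspect = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        key, sep, value = line.partition("=")
        if sep and KEY_RE.match(key):
            found[key] = value
        else:
            suspect.append(line)
    return found, suspect

def merge(stock, device):
    """Stock defaults win, except MAC-valued keys, which come from the device."""
    merged, differing = dict(stock), {}
    for key, value in device.items():
        if MAC_RE.match(value):
            merged[key] = value
        elif key in stock and stock[key].lower() != value.lower():
            differing[key] = (value, stock[key])  # (device, stock), for review
    return merged, differing

if __name__ == "__main__":
    stock, _ = parse_dump(STOCK_SAMPLE)
    device, suspect = parse_dump(DEVICE_SAMPLE)
    merged, differing = merge(stock, device)
    print("malformed keys:", suspect)
    print("kept from stock despite device value:", differing)
    print("".join(f"{k}={v}\n" for k, v in sorted(merged.items())), end="")
```

Review the reported differences by hand before building a new CFE image from the merged text, since a device value that differs from stock is not necessarily corrupt.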