What's new

[rt-ac86u] very easy to brick

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Fitz Mutch

Senior Member
Been flashing my own custom firmware to the RT-AC86U without issue for quite some time now. Then one day it just got bricked, after completing another flash. Maybe it is the flash memory has failed? I noticed there is two different firmwares that get built, so there's a choice of which one to use: "_cferom_ubi.w" and "_ubi.w". Does the "_cferom_ubi.w" firmware mean that it re-writes the bootloader every time?

The serial console reports the following message, at power on:
Code:
----
BTRM
V1.6
CPU0
L1CD
MMUI
MMU7
DATA
ZBBS
MAIN
OTP?
OTPP
USBT
NAND
IMG?
FAIL
 
I don't know if the cferom image also overwrites the whole bootloader or only provides with default settings. Asus didn't give me any additional details about the difference, so I always used cferom to match what their own firmware release do. If it does overwrite the whole bootloader as well, then it's a rather risky procedure indeed.
 
It could also be bad flash memory too.

MXIC S170709
MX30LF2G18AC-TI
8C526600B1

huoy8w.jpg


The serial console isn't specific, or maybe it is? The source code is all assembly language. I found where it prints the word "NAND", but there is no more source code beyond that point. I couldn't find where it prints "IMG?" and "FAIL".
https://github.com/RMerl/asuswrt-me...bcm63xx_rom/src/bcm63xx_impl3_ddr_init.S#L383
 
It could also be bad flash memory too.

I guess that's possible. I'm not familiar enough with the RT-AC86U's boot process, it's quite different from previous models.
 
If the flash memory is dud does that mean you would have to replace it, as in De solder and the old one re solder a new chip.
 
If the flash memory is dud does that mean you would have to replace it, as in De solder and the old one re solder a new chip.
I think you'd have to replace the bad flash NAND chip with a clone of a good one from another RT-AC86U. I don't know any other way to put a CFE bootloader on a new flash NAND chip.

I'm definitely going to de-solder the bad flash NAND chip because it probably still has bits of my data, like private keys, etc. I was able to disassemble the router without voiding the warranty.
 
After de-soldering the flash NAND chip from the RT-AC86U circuit board, the error codes did not change. So it's either a bad flash chip or the failure is occurring before it accesses the flash chip.

Serial console output, at power on:
Code:
----
BTRM
V1.6
CPU0
L1CD
MMUI
MMU7
DATA
ZBBS
MAIN
OTP?
OTPP
USBT
NAND
IMG?
FAIL
 
I think the 1st level bootloader is in ROM chip and is referred to as BTRM, and the 2nd level bootloader is what we've known as the "CFE bootloader" and it is stored within the flash NAND chip. Apparently, it is the 2nd level bootloader that recently went missing on my RT-AC86U router. The cause is still unknown.

Here's what the console boot looks like on a good router. The BTRM begins the 1st level bootloader within the ROM chip. And the HELO begins the 2nd level bootloader within the flash NAND chip.
Code:
----
BTRM
V1.6
CPU0
L1CD
MMUI
MMU7
DATA
ZBBS
MAIN
OTP?
OTPP
USBT
NAND
IMG?
IMGL
UHD?
UHDP
RLO?
RLOP
UBI?
UBIP
PASS
----
HELO
5.0202HNDrc7-1.0.38-161.122
CPU0
L1CD
MMUI
MMU>
CODE
ZBBS
MAIN
NVRAM memcfg 0x1427
MCB chksum 0xa89ec7d9, config 0x1427

MemsysInit lpf0_generic_aarch64 1.3.0.1 20150910
DDR3
900017E8 80018000 8001A000 00000000 00000000 0050371A
MCB rev=0x00040301 Ref ID=0x0371A Sub Bld=0x005
Dram Timing 11-11-11

DDR3-1600 CL11 total 512MB 1 16bits part[s] %1 SSC

Add/Ctl Alignment
no adjustment

ZQ Cal LP PHY
 R in Ohm
 P: Finger=0x2D0 Term=0x78 Drv=0x2D
 N: Finger=0x2D0 Term=0x78 Drv=0x2D

PLL Ref(Hz)=0x02FAF080 UI STEPS=0x038
 DDR CLK(MHz)=0x31B WL CLK dly(ps)=0x0C8 bitT(ps)=0x274 VDLsize(fs)=0x2BCE CLK_V                                                                  DL=0x01A

SHMOO 28nm
8001A000 80018800 00000000 00020000 00000000

Shmoo WL

One UI Steps : 0x43

auto-clk result = 00B (filter=0C steps)
initial CLK shift = 01A
final CLK shift   = 00B

   0000000000111111111122222222223333333333444444444455555555556666666
   0123456789012345678901234567890123456789012345678901234567890123456
00 S-------------X+++++++++++++++++++++++++++++++++++++++++++++++++++-
01 S---------------X++++++++++++++++++++++++++++++++++++++++++++++++++

Shmoo RD En
FORCED WR ODT = 0x18001800
 DQSN DRIVE PAD CONTROL (from) (to)
 B0 00031A10 00079A10
 B1 00031A10 00079A10
B0 RISE UI=1 VDL=16 PICK UI=2 VDL=16
B1 RISE UI=1 VDL=0C PICK UI=2 VDL=0C
   0000000000111111111122222222223333333333444444444455555555556666666
   0123456789012345678901234567890123456789012345678901234567890123456
00 --S-------------------X++++++++++++++++++++++++++++++++++++++++++++
01 --S---------X++++++++++++++++++++++++++++++++++++++++++++++++++++++

Shmoo RD DQ NP
DQS :
B0 VDL=3A ok
B1 VDL=38 ok
   0000000000111111111122222222223333333333444444444455555555556666666
   0123456789012345678901234567890123456789012345678901234567890123456
00 ---+++++++++++++++++++++++++X+++++++++++++++++++++++++-------------
01 --------++++++++++++++++++++++++X+++++++++++++++++++++++++---------
02 ---++++++++++++++++++++++++X+++++++++++++++++++++++++--------------
03 ---------+++++++++++++++++++++++++X+++++++++++++++++++++++++-------
04 ---+++++++++++++++++++++++++X++++++++++++++++++++++++++------------
05 -------++++++++++++++++++++++++X++++++++++++++++++++++++-----------
06 -+++++++++++++++++++++++++X+++++++++++++++++++++++++---------------
07 --------++++++++++++++++++++++++X+++++++++++++++++++++++++---------
08 -----++++++++++++++++++++++++X++++++++++++++++++++++++-------------
09 --+++++++++++++++++++++++++X+++++++++++++++++++++++++--------------
10 ----++++++++++++++++++++++++X++++++++++++++++++++++++--------------
11 -++++++++++++++++++++++++X+++++++++++++++++++++++++----------------
12 -----+++++++++++++++++++++++++X+++++++++++++++++++++++++-----------
13 ---+++++++++++++++++++++++X++++++++++++++++++++++++----------------
14 ---+++++++++++++++++++++++++X+++++++++++++++++++++++++-------------
15 ----+++++++++++++++++++++++++X++++++++++++++++++++++++++-----------

Shmoo RD DQ P
   0000000000111111111122222222223333333333444444444455555555556666666
   0123456789012345678901234567890123456789012345678901234567890123456
00 ---+++++++++++++++++++++++++X+++++++++++++++++++++++++-------------
01 -------+++++++++++++++++++++++++X+++++++++++++++++++++++++---------
02 --+++++++++++++++++++++++++X+++++++++++++++++++++++++--------------
03 ---------+++++++++++++++++++++++++X+++++++++++++++++++++++++-------
04 ---+++++++++++++++++++++++++X+++++++++++++++++++++++++-------------
05 --------+++++++++++++++++++++++X++++++++++++++++++++++++-----------
06 -+++++++++++++++++++++++++X+++++++++++++++++++++++++---------------
07 --------++++++++++++++++++++++++X+++++++++++++++++++++++++---------
08 ---+++++++++++++++++++++++++X+++++++++++++++++++++++++-------------
09 -+++++++++++++++++++++++++X++++++++++++++++++++++++++--------------
10 ----++++++++++++++++++++++++X++++++++++++++++++++++++--------------
11 +++++++++++++++++++++++++X+++++++++++++++++++++++++----------------
12 ----+++++++++++++++++++++++++X+++++++++++++++++++++++++------------
13 --++++++++++++++++++++++++X++++++++++++++++++++++++----------------
14 --+++++++++++++++++++++++++X++++++++++++++++++++++++++-------------
15 ----+++++++++++++++++++++++++X++++++++++++++++++++++++++-----------

Shmoo RD DQ N
   0000000000111111111122222222223333333333444444444455555555556666666
   0123456789012345678901234567890123456789012345678901234567890123456
00 ---++++++++++++++++++++++++++X++++++++++++++++++++++++++-----------
01 --------+++++++++++++++++++++++++X+++++++++++++++++++++++++--------
02 --++++++++++++++++++++++++++X++++++++++++++++++++++++++------------
03 --------++++++++++++++++++++++++++X+++++++++++++++++++++++++++-----
04 ---++++++++++++++++++++++++++X+++++++++++++++++++++++++++----------
05 -------+++++++++++++++++++++++++X+++++++++++++++++++++++++---------
06 -++++++++++++++++++++++++++X++++++++++++++++++++++++++-------------
07 --------++++++++++++++++++++++++++X++++++++++++++++++++++++++------
08 ----++++++++++++++++++++++++++X++++++++++++++++++++++++++----------
09 --++++++++++++++++++++++++++X++++++++++++++++++++++++++------------
10 ----+++++++++++++++++++++++++X+++++++++++++++++++++++++------------
11 -++++++++++++++++++++++++++X++++++++++++++++++++++++++-------------
12 -----+++++++++++++++++++++++++X++++++++++++++++++++++++++----------
13 --+++++++++++++++++++++++++X++++++++++++++++++++++++++-------------
14 ---++++++++++++++++++++++++++X++++++++++++++++++++++++++-----------
15 ----+++++++++++++++++++++++++++X+++++++++++++++++++++++++++--------

RD DQS adjustments :
BL0: Start: 0x38 Final: 0x3A
BL1: Start: 0x38 Final: 0x38

Shmoo WR DQ
   0000000000111111111122222222223333333333444444444455555555556666666
   0123456789012345678901234567890123456789012345678901234567890123456
00 --++++++++++++++++++++++++X+++++++++++++++++++++++++---------------
01 -----++++++++++++++++++++++++X+++++++++++++++++++++++++------------
02 -++++++++++++++++++++++++X+++++++++++++++++++++++++----------------
03 ------+++++++++++++++++++++++++X++++++++++++++++++++++++++---------
04 --++++++++++++++++++++++++++X++++++++++++++++++++++++++------------
05 ------+++++++++++++++++++++++++X++++++++++++++++++++++++++---------
06 -++++++++++++++++++++++++++X++++++++++++++++++++++++++-------------
07 ------++++++++++++++++++++++++++X++++++++++++++++++++++++++--------
08 ------+++++++++++++++++++++++X++++++++++++++++++++++++-------------
09 -----++++++++++++++++++++++++X+++++++++++++++++++++++++------------
10 ------++++++++++++++++++++++++X++++++++++++++++++++++++------------
11 --+++++++++++++++++++++++++X+++++++++++++++++++++++++--------------
12 ------+++++++++++++++++++++++++X+++++++++++++++++++++++++----------
13 ---+++++++++++++++++++++++++X+++++++++++++++++++++++++-------------
14 ----+++++++++++++++++++++++++X++++++++++++++++++++++++++-----------
15 ------+++++++++++++++++++++++++X++++++++++++++++++++++++++---------

Shmoo WR DM
WR DM
   0000000000111111111122222222223333333333444444444455555555556666666
   0123456789012345678901234567890123456789012345678901234567890123456
00 ------++++++++++++++++++++++++++X++++++++++++++++++++++++++--------
01 -++++++++++++++++++++++++++X++++++++++++++++++++++++++-------------
DDR test done successfully
FPS0
----
PAR0
nand_flash_read_buf(): Attempt to read bad nand block 171
nand_flash_read_buf(): Attempt to read bad nand block 171
UBI#
FFFF
NAN9
----
PAR1
J003
JFFS
BT03
0768
----
TRY1
NAN3
JFS2
RFS2
JFFS
JFS2
NAN5


Base: 5.2_02HNDrc7
CFE version 1.0.38-161.122 for BCM94908 (64bit,SP,LE)
Build Date: Thu Mar 30 10:35:41 CST 2017 (defjovi@ubuntu-eva01)
Copyright (C) 2000-2015 Broadcom Corporation.

Boot Strap Register:  0x6fc42
Chip ID: BCM4906_A0, Broadcom B53 Quad Core: 1800MHz
Total Memory: 536870912 bytes (512MB)
Status wait timeout: nandsts=0x50000000 mask=0x40000000, count=0
NAND ECC BCH-4, page size 0x800 bytes, spare size used 64 bytes
NAND flash device: , id 0xc2da block 128KB size 262144KB
pmc_init:PMC using DQM mode

pmc_init slow 95, fast 70
pmc_init:7 0 ffb5043a 34d034a
Skip Rescue Mode

Board IP address                  : 192.168.1.1:ffffff00
Host IP address                   : 192.168.1.100
Gateway IP address                :
Run from flash/host/tftp (f/h/c)  : f
Default host run file name        : vmlinux
Default host flash file name      : bcm963xx_fs_kernel
Boot delay (0-9 seconds)          : 1
Boot image (0=latest, 1=previous) : 0
Default host ramdisk file name    :
Default ramdisk store address     :
Default DTB file name             :
Board Id                          : 94906REF
Number of MAC Addresses (1-64)    : 10
Base MAC Address                  : 2C:FD:A1:xx:xx:xx
PSI Size (1-128) KBytes           : 128
Enable Backup PSI [0|1]           : 0
System Log Size (0-256) KBytes    : 0
Auxillary File System Size Percent: 0
flow memory allocation (MB)       : 14
buffer memory allocation (MB)     : 32
DHD 0 memory allocation (MB)      : 0
DHD 1 memory allocation (MB)      : 14
DHD 2 memory allocation (MB)      : 0
WLan Feature                      : 0x00
Partition 1 Size (MB)             : 8M
Partition 2 Size (MB)             : 48M
Partition 3 Size (MB)             : 0M
Partition 4 Size (MB) (Data)      : 8M

..
..
..
 
cferom located in the firmware bootfs mtd6
is a data loader that reads some settings from a protected area
Code:
 cat /proc/mtd
dev:    size   erasesize  name
mtd0: 05aa0000 00020000 "rootfs"
mtd1: 05ac0000 00020000 "rootfs_update"
mtd2: 00800000 00020000 "data"
mtd3: 00100000 00020000 "nvram"
mtd4: 05f00000 00020000 "image"
mtd5: 05f00000 00020000 "image_update"
mtd6: 00460000 00020000 "bootfs"
mtd7: 00440000 00020000 "bootfs_update"
mtd8: 03000000 00020000 "misc2"
mtd9: 00800000 00020000 "misc1"
mtd10: 0557e000 0001f000 "rootfs_ubifs"
Code:
 mtdinfo s -a
Count of MTD devices:           11
Present MTD devices:            mtd0, mtd1, mtd2, mtd3, mtd4, mtd5, mtd6, mtd7, mtd8, mtd9, mtd10
Sysfs interface supported:      yes

mtd0
Name:                           rootfs
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          725 (95027200 bytes, 90.6 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:0
Bad blocks are allowed:         true
Device is writable:             true

mtd1
Name:                           rootfs_update
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          726 (95158272 bytes, 90.8 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:2
Bad blocks are allowed:         true
Device is writable:             true

mtd2
Name:                           data
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          64 (8388608 bytes, 8.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:4
Bad blocks are allowed:         true
Device is writable:             true

mtd3
Name:                           nvram
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          8 (1048576 bytes, 1024.0 KiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:6
Bad blocks are allowed:         true
Device is writable:             true

mtd4
Name:                           image
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          760 (99614720 bytes, 95.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:8
Bad blocks are allowed:         true
Device is writable:             true

mtd5
Name:                           image_update
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          760 (99614720 bytes, 95.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:10
Bad blocks are allowed:         true
Device is writable:             true

mtd6
Name:                           bootfs
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          35 (4587520 bytes, 4.4 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:12
Bad blocks are allowed:         true
Device is writable:             true

mtd7
Name:                           bootfs_update
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          34 (4456448 bytes, 4.2 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:14
Bad blocks are allowed:         true
Device is writable:             true

mtd8
Name:                           misc2
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          384 (50331648 bytes, 48.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:16
Bad blocks are allowed:         true
Device is writable:             true

mtd9
Name:                           misc1
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          64 (8388608 bytes, 8.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:18
Bad blocks are allowed:         true
Device is writable:             true

mtd10
Name:                           rootfs_ubifs
Type:                           ubi
Eraseblock size:                126976 bytes, 124.0 KiB
Amount of eraseblocks:          706 (89645056 bytes, 85.5 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
Character device major/minor:   90:20
Bad blocks are allowed:         false
Device is writable:             true
 
Last edited:
I think the 1st level bootloader is in ROM chip and is referred to as BTRM, and the 2nd level bootloader is what we've known as the "CFE bootloader" and it is stored within the flash NAND chip. Apparently, it is the 2nd level bootloader that recently went missing on my RT-AC86U router. The cause is still unknown.

Here's what the console boot looks like on a good router. The BTRM begins the 1st level bootloader within the ROM chip. And the HELO begins the 2nd level bootloader within the flash NAND chip.

Check EXTCSD on NAND (MMC)
erase rootfs_update / data / nvram / image_update / bootfs_update
write work dump bootfs / misc1 / misc2 / rootfs_ubifs
after
if the router is in recovery mode, the CFE console will open
there you will need to check what errors are associated with loading CFE CFG



I wonder why Merlin did not say that in this device 2 firmware are in the router
- the first old worker
- the second new (update) on which the router can work
If the new one does not load, the router will automatically start the old one.

the cafe is also duplicated 2 times bootfs and bootfs_update
loader kat to be in each of the specified places and is called
cferom.000 / cferom.003 / cferom.004 / .... cferom.xxx


cferom does not contain settings, it only starts the protected protocol and copies them, so the router starts up at lightning speed
 
Last edited:
Hi

I Re Initialized the NAND on my rt-ac86u "by Mistake" from the Serial Console, because im an idiot. Now NAND is completely empty....:

Code:
BTRM
V1.6
CPU0
L1CD
MMUI
MMU7
DATA
ZBBS
MAIN
OTP?
OTPP
USBT
NAND
IMG?
FAIL

Is there any possibility to unbrick?

Flash NAND with Programmer?

Thanks
 
cferom located in the firmware bootfs mtd6
is a data loader that reads some settings from a protected area
Code:
 cat /proc/mtd
dev:    size   erasesize  name
mtd0: 05aa0000 00020000 "rootfs"
mtd1: 05ac0000 00020000 "rootfs_update"
mtd2: 00800000 00020000 "data"
mtd3: 00100000 00020000 "nvram"
mtd4: 05f00000 00020000 "image"
mtd5: 05f00000 00020000 "image_update"
mtd6: 00460000 00020000 "bootfs"
mtd7: 00440000 00020000 "bootfs_update"
mtd8: 03000000 00020000 "misc2"
mtd9: 00800000 00020000 "misc1"
mtd10: 0557e000 0001f000 "rootfs_ubifs"
Code:
 mtdinfo s -a
Count of MTD devices:           11
Present MTD devices:            mtd0, mtd1, mtd2, mtd3, mtd4, mtd5, mtd6, mtd7, mtd8, mtd9, mtd10
Sysfs interface supported:      yes

mtd0
Name:                           rootfs
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          725 (95027200 bytes, 90.6 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:0
Bad blocks are allowed:         true
Device is writable:             true

mtd1
Name:                           rootfs_update
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          726 (95158272 bytes, 90.8 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:2
Bad blocks are allowed:         true
Device is writable:             true

mtd2
Name:                           data
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          64 (8388608 bytes, 8.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:4
Bad blocks are allowed:         true
Device is writable:             true

mtd3
Name:                           nvram
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          8 (1048576 bytes, 1024.0 KiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:6
Bad blocks are allowed:         true
Device is writable:             true

mtd4
Name:                           image
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          760 (99614720 bytes, 95.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:8
Bad blocks are allowed:         true
Device is writable:             true

mtd5
Name:                           image_update
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          760 (99614720 bytes, 95.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:10
Bad blocks are allowed:         true
Device is writable:             true

mtd6
Name:                           bootfs
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          35 (4587520 bytes, 4.4 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:12
Bad blocks are allowed:         true
Device is writable:             true

mtd7
Name:                           bootfs_update
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          34 (4456448 bytes, 4.2 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:14
Bad blocks are allowed:         true
Device is writable:             true

mtd8
Name:                           misc2
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          384 (50331648 bytes, 48.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:16
Bad blocks are allowed:         true
Device is writable:             true

mtd9
Name:                           misc1
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          64 (8388608 bytes, 8.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
OOB size:                       64 bytes
Character device major/minor:   90:18
Bad blocks are allowed:         true
Device is writable:             true

mtd10
Name:                           rootfs_ubifs
Type:                           ubi
Eraseblock size:                126976 bytes, 124.0 KiB
Amount of eraseblocks:          706 (89645056 bytes, 85.5 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  2048 bytes
Character device major/minor:   90:20
Bad blocks are allowed:         false
Device is writable:             true

Just read your post, could you please tell me how did you unlock the AC86U region? Is it related to the hidden config loaded by cferom in mtd6?
Thanks!
 
Just read your post, could you please tell me how did you unlock the AC86U region? Is it related to the hidden config loaded by cferom in mtd6?
Thanks!
unlocking is performed using the official capabilities of the router
decoding change and saving changes

immediately after the change of region, you lose the warranty on the device
even if you change the region, you can see it, all operations with system memory are recorded (yes, it can be recreated, but it is a difficult and time-consuming process)
 
immediately after the change of region, you lose the warranty on the device
good to know but not a great deal for those who bought a used unit without or very short warrenty or like me bought outside and Asus refused RMA.
 
Ok...I unbricked my RT-AC86U now. But 5GHz Wifi is still completely dead, has no MAC-Address.

Any Ideas?
 
Ok...I unbricked my RT-AC86U now. But 5GHz Wifi is still completely dead, has no MAC-Address.

Any Ideas?

Check the output on the serial port during boot, look for any error related to initializing the wifi radio.
 
I only see eth5 coming up, no eth6. If the radio isn't disabled then it's most likely defective.

If you haven't tried it yet, try an electrical reset.

1) Turn off the router
2) unplug the power
3) Turn it on for 5 secs, then turn it back off
4) Plug the power back
5) Turn it on
 
I Reflowed the 5ghz chip (BCM4366) with hot-air station. Now it gets detected, but crashes shortly afterwards.....

What a piece of crap router.....


Code:
DUMP CONSOLE: 026738.691 wl1: Broadcom BCM43664 802.11 Wireless Controller 10.10.122.20 (r683106)
DUMP CONSOLE: 026738.691 SPLITRX_MODE_2 enabled : tcmsegsize 160
DUMP CONSOLE: 026738.691 TCAM: 512 used: 256 exceed:0
DUMP CONSOLE: 026738.691 reclaim section 1: Returned 180604 bytes to the heap
DUMP CONSOLE: 026738.692 ThreadX v5.6 initialized
DUMP CONSOLE:
DUMP CONSOLE: 026738.807 wl1: wlc_enable_probe_req: state down, deferring setting of host flags
DUMP CONSOLE: 026738.807 wl1: wlc_enable_probe_req: state down, deferring setting of host flags
DUMP CONSOLE: 026740.732 wl1: wl_open
DUMP CONSOLE: 026740.736 reclaim section ucodes: Returned 108592 bytes to the heap
DUMP CONSOLE: 026740.736 wlc_ucode_download: wl1: Loading non-MU ucode
DUMP CONSOLE: 026740.751 wl1: CORE INIT : nfifo 32 mu_tx_enab 0
DUMP CONSOLE: 026740.751
DUMP CONSOLE: FWID 01-47e84b5b
DUMP CONSOLE: flags 330005
DUMP CONSOLE: 026740.751
DUMP CONSOLE: TRAP 4(2ab390): pc 7ae2, lr 20ea1f, sp 2ab3e8, cpsr 20000193, spsr 20000033
DUMP CONSOLE: 026740.751   dfsr 5, dfar bf02f220
DUMP CONSOLE: 026740.751   r0 43b0cc, r1 0, r2 47, r3 bf02f204, r4 43b0cc, r5 0, r6 2ab428
DUMP CONSOLE: 026740.751   r7 0, r8 1, r9 7f, r10 10, r11 10, r12 2ab3b8
DUMP CONSOLE: 026740.751
DUMP CONSOLE:    sp+0 0041453c 00000008 002ab428 00000001
DUMP CONSOLE: 026740.751   sp+10 002ab41c 0020f6b5 0000000f 002ab41c
DUMP CONSOLE:
DUMP CONSOLE: 026740.751 sp+14 0020f6b5
DUMP CONSOLE: 026740.751 sp+64 00246c5b
DUMP CONSOLE: 026740.752 sp+74 0006efb5
DUMP CONSOLE: 026740.752 sp+78 00009f6d
DUMP CONSOLE: 026740.752 sp+a4 00246da1
DUMP CONSOLE: 026740.752 sp+c4 0023484b
DUMP CONSOLE: 026740.752 sp+ec 00232e0b
DUMP CONSOLE: 026740.752 sp+11c 00235593
DUMP CONSOLE: 026740.752 sp+134 0022ea8d
DUMP CONSOLE: 026740.752 sp+144 00021f7d
DUMP CONSOLE: 026740.752 sp+14c 0002a689
DUMP CONSOLE: 026740.752 sp+164 0001e88d
DUMP CONSOLE: 026740.752 sp+184 000a318d
DUMP CONSOLE: 026740.752 sp+1a4 00004a8b
DUMP CONSOLE: 026740.752 sp+1ac 00098a89
DUMP CONSOLE: 026740.752 sp+1c4 0020c7d5
dhdpcie_checkdied: msgtrace address : 0x00000000
console address  : 0x0043FCF0
Assrt not built in dongle

TRAP type 0x4 @ epc 0x7ae2, cpsr 0x20000193, spsr 0x20000033, sp 0x2ab3e8, lp 0x20ea1f, rpc 0x7ae2
Trap offset 0x2ab390, r0 0x43b0cc, r1 0x0, r2 0x47, r3 0xbf02f204, r4 0x43b0cc, r5 0x0, r6 0x2ab428, r7 0x0


CPU1: stopping
CPU: 1 PID: 0 Comm: swapper/1 Tainted: P                4.1.27 #2
Hardware name: Broadcom-v8A (DT)
Call trace:
[<ffffffc0000876d8>] dump_backtrace+0x0/0x150
[<ffffffc00008783c>] show_stack+0x14/0x20
[<ffffffc0004f9fa4>] dump_stack+0x90/0xb0
[<ffffffc00008e730>] handle_IPI+0x190/0x1a0
[<ffffffc000080c70>] gic_handle_irq+0x88/0x90
Exception stack(0xffffffc01e8c3dd0 to 0xffffffc01e8c3ef0)
3dc0:                                     620b3428 00000004 1ffe82f0 ffffffc0
3de0: 1e8c3f10 ffffffc0 0036837c ffffffc0 620b3428 00000004 4c000000 001a0193
3e00: 0004d097 00000000 14000000 00000000 00000c3e 00000000 00000018 00000000
3e20: 80000000 0019a147 6a9c309c 00000004 1e8b4620 ffffffc0 ffff922c 00000000
3e40: 00000000 00000000 00000040 00000000 00000000 00000000 ff91d664 00000000
3e60: f7512184 00000000 00000000 00000000 000f5b08 ffffffc0 00000000 00000000
3e80: 00000000 00000000 620b3428 00000004 1ffe82f0 ffffffc0 00000001 00000000
3ea0: 00000001 00000000 61c2909c 00000004 006c62e8 ffffffc0 007030a0 ffffffc0
3ec0: 00509000 ffffffc0 1e8c0000 ffffffc0 006c7000 ffffffc0 1e8c3f10 ffffffc0
3ee0: 00368374 ffffffc0 1e8c3f10 ffffffc0
[<ffffffc000083da8>] el1_irq+0x68/0xd8
[<ffffffc000368480>] cpuidle_enter+0x18/0x20
[<ffffffc0000c67a8>] cpu_startup_entry+0x1e8/0x250
[<ffffffc00008e1b4>] secondary_start_kernel+0x154/0ü----
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top