[rt-ac86u] very easy to brick

Defective hardware happens, regardless of how much one pays for their hardware. My advice is to RMA it; it should have a 2- or 3-year warranty (I think the length varies between models/regions).
 
Do you know how many Netgear r8500, 7000p I have had with the same wl: wl driver adapter not found message? Almost a dozen and a few ASUS routers too.
All resulting in a boot loop.
Bad chip design I think.
 
Hi, I'm new here. Very interesting topic. I somehow bricked my ac86u by issuing "nvram erase" through SSH and then power cycling it.
Now the device bootloops. I'm using UART to access it. It floods the console with "bcm63xx_nand ff801800.nand: uncorrectable error at 0xXXXX"
CFE still works and I've tried multiple restores with Asus Rescue but the result is the same. It keeps sending uncorrectable errors and then reboots.
Seems like "nvram erase" erased things it shouldn't erase. Has anyone an idea what to do? I do have a second ac86u which I dumped all mtd partitions of with "dd if=/dev/mtdX of=/tmp/mnt/X/mtdX.bin"
CFE does support writing an entire nand "Write the whole image start from beginning of the flash" from a tftp image.
Maybe I could reconstruct a nand image from the partition dumps but I'm not sure where each partition starts and ends and that is a last resort because if that fails then CFE is also gone and then soldering starts.
 
For me, it worked like this:

- Go to CFE> Console.
- Connect LAN Cable to your PC. Configure PC IP to 192.168.1.100
- Connect to 192.168.1.1 Rescue Page in your Browser.
- Get newest Firmware file from Asus homepage. Upload file through Rescue Page.
- Router will start Flashing "image_update" mtd5 Partition.
- When Router Reboots, go to CFE> Console again. Upload Firmware file again.
- Router will start Flashing "image" mtd4.
- When Router Reboots, go to CFE> Console again.
- Select "1" on Rescue page. Select mtd9 file from your working router.
- Router will start Flashing "misc1" mtd9 Partition.
- When Router Reboots, go to CFE> Console again.
- Select "2" on Rescue page. Select mtd8 file from your working router.
- Router will start Flashing "misc2" mtd8 Partition.

This did it for me.

Maybe doing an "i Erase persistent storage data" in CFE> Console, and "nvram erase" in linux shell after this, will help clean everything up.


RT-AC86U Flash-Layout:

0x000000000000-0x000000100000 : "nvram" mtd3
0x000000100000-0x000006000000 : "image_update" mtd5
0x000006000000-0x00000bf00000 : "image" mtd4
0x00000bf00000-0x00000c700000 : "misc1" mtd9
0x00000c700000-0x00000f700000 : "misc2" mtd8
0x00000f700000-0x00000ff00000 : "data" mtd2
 
Well that was a good idea but unfortunately that also didn't do anything.

Code:
nand: Could not find valid ONFI parameter page; aborting
nand: device found, Manufacturer ID: 0xc2, Chip ID: 0xda
nand: Macronix NAND 256MiB 3,3V 8-bit
nand: 256 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
bcm63xx_nand ff801800.nand: Adjust timing_1 to 0x65324458 timing_2 to 0x80040e54
bcm63xx_nand ff801800.nand: detected 256MiB total, 128KiB blocks, 2KiB pages, 27B OOB, 8-bit, BCH-8
Bad block table not found for chip 0
Bad block table not found for chip 0
Scanning device for bad blocks
bcm63xx_nand ff801800.nand: uncorrectable error at 0x400
bcm63xx_nand ff801800.nand: uncorrectable error at 0xc00
bcm63xx_nand ff801800.nand: uncorrectable error at 0x20400
bcm63xx_nand ff801800.nand: uncorrectable error at 0x20c00
bcm63xx_nand ff801800.nand: uncorrectable error at 0x40400
bcm63xx_nand ff801800.nand: uncorrectable error at 0x40c00
bcm63xx_nand ff801800.nand: uncorrectable error at 0x60400
bcm63xx_nand ff801800.nand: uncorrectable error at 0x60c00
bcm63xx_nand ff801800.nand: uncorrectable error at 0x80400
bcm63xx_nand ff801800.nand: uncorrectable error at 0x80c00
bcm63xx_nand ff801800.nand: uncorrectable error at 0xa0400
bcm63xx_nand ff801800.nand: uncorrectable error at 0xa0c00
bcm63xx_nand ff801800.nand: uncorrectable error at 0xc0400
bcm63xx_nand ff801800.nand: uncorrectable error at 0xc0c00
bcm63xx_nand ff801800.nand: uncorrectable error at 0xe0400
bcm63xx_nand ff801800.nand: uncorrectable error at 0xe0c00
bcm63xx_nand ff801800.nand: uncorrectable error at 0x100400
bcm63xx_nand ff801800.nand: uncorrectable error at 0x100c00
bcm63xx_nand ff801800.nand: uncorrectable error at 0x220400
bcm63xx_nand ff801800.nand: uncorrectable error at 0x220c00
bcm63xx_nand ff801800.nand: uncorrectable error at 0x240400
......
Also about the flash layout. I'm missing bootfs (CFE?) and rootfs with also bootfs_update and rootfs_update.
 
Ah well, apart from all the errors I got something:

Creating 10 MTD partitions on "brcmnand.0":
0x000006440000-0x00000bf00000 : "rootfs"
0x000000540000-0x000006000000 : "rootfs_update"
0x00000f700000-0x00000ff00000 : "data"
0x000000000000-0x000000100000 : "nvram"
0x000000100000-0x000006000000 : "image_update"
0x000006000000-0x00000bf00000 : "image"
0x000006000000-0x000006440000 : "bootfs"
0x000000100000-0x000000540000 : "bootfs_update"
0x00000c700000-0x00000f700000 : "misc2"
0x00000bf00000-0x00000c700000 : "misc1"

Then I get like:
Code:
ubi0: attaching mtd0
bcm63xx_nand ff801800.nand: uncorrectable error at 0x6440400
ubi0 warning: ubi_io_read: error -74 (ECC error) while reading 64 bytes from PEB 0:0, read only 64 bytes, retry
bcm63xx_nand ff801800.nand: uncorrectable error at 0x6440400
ubi0 warning: ubi_io_read: error -74 (ECC error) while reading 64 bytes from PEB 0:0, read only 64 bytes, retry
bcm63xx_nand ff801800.nand: uncorrectable error at 0x6440400
ubi0 warning: ubi_io_read: error -74 (ECC error) while reading 64 bytes from PEB 0:0, read only 64 bytes, retry
bcm63xx_nand ff801800.nand: uncorrectable error at 0x6440400
ubi0 error: ubi_io_read: error -74 (ECC error) while reading 64 bytes from PEB 0:0, read 64 bytes
CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.1.27 #2
Hardware name: Broadcom-v8A (DT)
Call trace:
[<ffffffc0000876d8>] dump_backtrace+0x0/0x150
[<ffffffc00008783c>] show_stack+0x14/0x20
[<ffffffc0004f9fa4>] dump_stack+0x90/0xb0
[<ffffffc00034481c>] ubi_io_read+0x16c/0x388
[<ffffffc000344c9c>] ubi_io_read_ec_hdr+0x54/0x250
[<ffffffc000349b44>] ubi_attach+0x164/0x13c0
[<ffffffc00033e848>] ubi_attach_mtd_dev+0x578/0xc78
[<ffffffc0006a72b4>] ubi_init+0x220/0x2e0
[<ffffffc000081034>] do_one_initcall+0x8c/0x1a8
[<ffffffc000690acc>] kernel_init_freeable+0x148/0x1e8
[<ffffffc0004f4f58>] kernel_init+0x10/0xe0

For a partial dump see attachment
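
The partition table and error addresses in the logs above can be cross-referenced mechanically. The following Python script is an added example, not part of the original posts: it maps each "uncorrectable error" offset to the partitions that contain it, the 128 KiB erase block, and the block index inside the innermost partition. The sample lines are a selection copied from the logs above; the function names are illustrative.

```python
import re
from collections import Counter

ERASE_BLOCK = 128 * 1024  # "erase size: 128 KiB" in the NAND probe line

# Selection of lines copied from the boot logs quoted in this thread.
SAMPLE_LOG = """\
0x000006440000-0x00000bf00000 : "rootfs"
0x000000540000-0x000006000000 : "rootfs_update"
0x00000f700000-0x00000ff00000 : "data"
0x000000000000-0x000000100000 : "nvram"
0x000000100000-0x000006000000 : "image_update"
0x000006000000-0x00000bf00000 : "image"
0x000006000000-0x000006440000 : "bootfs"
0x000000100000-0x000000540000 : "bootfs_update"
0x00000c700000-0x00000f700000 : "misc2"
0x00000bf00000-0x00000c700000 : "misc1"
bcm63xx_nand ff801800.nand: uncorrectable error at 0x400
bcm63xx_nand ff801800.nand: uncorrectable error at 0xc00
bcm63xx_nand ff801800.nand: uncorrectable error at 0x100400
bcm63xx_nand ff801800.nand: uncorrectable error at 0x220c00
bcm63xx_nand ff801800.nand: uncorrectable error at 0x6440400
"""

PART_RE = re.compile(r'^(0x[0-9a-f]+)-(0x[0-9a-f]+) : "([^"]+)"', re.M)
ERR_RE = re.compile(r"uncorrectable error at (0x[0-9a-f]+)")

def parse_partitions(log):
    """Return [(name, start, end)] with end exclusive, outer partitions first."""
    parts = [(n, int(s, 16), int(e, 16)) for s, e, n in PART_RE.findall(log)]
    return sorted(parts, key=lambda p: (p[1], -p[2]))

def locate(addr, parts):
    """Describe one flash offset: owning partitions, erase block, offsets."""
    owners = [p for p in parts if p[1] <= addr < p[2]]
    # The smallest containing partition is the most specific one
    # ("image" spans the same range as "bootfs" + "rootfs").
    inner = min(owners, key=lambda p: p[2] - p[1]) if owners else None
    return {
        "addr": addr,
        "partitions": [p[0] for p in owners],
        "block": addr // ERASE_BLOCK,
        "offset_in_block": addr % ERASE_BLOCK,
        "peb": (addr - inner[1]) // ERASE_BLOCK if inner else None,
    }

def summarize(log):
    """Return (per-error locations, error count per partition name)."""
    parts = parse_partitions(log)
    hits = [locate(int(a, 16), parts) for a in ERR_RE.findall(log)]
    per_part = Counter(n for h in hits for n in h["partitions"])
    return hits, per_part

if __name__ == "__main__":
    hits, per_part = summarize(SAMPLE_LOG)
    for h in hits:
        print(f'{h["addr"]:#010x} block {h["block"]:4d} +{h["offset_in_block"]:#x} '
              f'{"/".join(h["partitions"]) or "unmapped"} PEB {h["peb"]}')
    print(dict(per_part))
```

For the sample, offset 0x6440400 resolves to block 0 of "rootfs", which is the same location the UBI warning reports as PEB 0:0.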
 

0x000006440000-0x00000bf00000 : "rootfs"
0x000000560000-0x000006000000 : "rootfs_update"
0x000006000000-0x000006440000 : "bootfs"
0x000000100000-0x000000560000 : "bootfs_update"

I think the CFE is "integrated" in "nvram" mtd3. Because after flashing mtd3 to my empty nand with external programmer I had cfe.

Maybe your NAND is broken, because even the "Bad block table" is missing...

You could try formatting the NAND completely with, "e Erase NAND flash", and Flash the firmware file IMMEDIATELY after this.
 
You can even use your router as NAND Flasher. I soldered in a socket. Or just press the Chip on the Solder pads, Ghetto style. :)

https://www.aliexpress.com/item/1957262861.html?spm=a2g0s.9042311.0.0.54f64c4dltMMQb

New NAND: https://www.ebay.de/itm/Macronix-MX...-Flash-Speicher-25ns-48-Pin-Tsop/401625925574

Just Boot into CFE. Remove NAND, put in new NAND. Go to 192.168.1.1, and Flash.
 
Very smart idea. I executed "e n" to erase nvram (it's a hidden command) and then reinitialized it with some variables.
The problem is I was testing what board id it would accept. It accepts every ID. I entered 1 so I wrote a wrong board id with the result that CFE now crashes when initializing memory.
Code:
Base: 5.2_02HNDrc7
CFE version 1.0.38-161.122 for BCM94908 (64bit,SP,LE)
Build Date: Thu Mar 30 10:35:41 CST 2017 (defjovi@ubuntu-eva01)
Copyright (C) 2000-2015 Broadcom Corporation.

Boot Strap Register:  0x6fc43
Chip ID: BCM4906_A0, Broadcom B53 Quad Core: 1800MHz
Total Memory: 134217728 bytes (128MB)
NAND ECC BCH-8, page size 0x800 bytes, spare size used 108 bytes
NAND flash device: , id 0xc2da block 128KB size 262144KB
ERROR: Can't initialize NVRAM

*** Board is not initialized properly ***

*** default values ***
Press:  <enter> to use current value
        '-' to go previous parameter
        '.' to clear the current value
        'x' to exit this command
94908AC5300R               ------ 03
94906REF                   ------ 07
Board Id                          :

Invalid board ID;  Try again!
Board Id                          :

Invalid board ID;  Try again!
Board Id                          :

Invalid board ID;  Try again!
Board Id                          :

Invalid board ID;  Try again!
Board Id                          :  1
Number of MAC Addresses (1-64)    :  10
Base MAC Address                  :  00:10:18:00:00:00
PSI Size (1-128) KBytes           :  128
Enable Backup PSI [0|1]           :  0
System Log Size (0-256) KBytes    :  0
Auxillary File System Size Percent:  0
Memory Configuration Changed -- REBOOT NEEDED
flow memory allocation (MB)       :  14
buffer memory allocation (MB)     :  16
DHD 0 memory allocation (MB)      :  0
DHD 1 memory allocation (MB)      :  0
DHD 2 memory allocation (MB)      :  0

Press:  <enter> to use current value
        '-' to go previous parameter
        '.' to clear the current value
        'x' to exit this command
WLan Feature                      :  0x00
Press:  <enter> to use current value
        '-' to go previous parameter
        '.' to clear the current value
        'x' to exit this command
Partition 1 Size (MB)             :  ^C
^C
8M
Partition 2 Size (MB)             :  48M
Partition 3 Size (MB)             :  0M
Partition 4 Size (MB) (Data)      :  8M
Updating the NAND Flash Partition Table
Old Table
boot    offset=0xfffffc00, size=0xfffffc00
rootfs1 offset=0xfffffc00, size=0xfffffc00
rootfs2 offset=0xfffffc00, size=0xfffffc00
data    offset=0xfffffc00, size=0xfffffc00
bbt     offset=0xfffffc00, size=0xfffffc00

New Table
boot    offset=0x00000000, size=0x00100000
rootfs1 offset=0x00100000, size=0x05f00000
rootfs2 offset=0x06000000, size=0x05f00000
data    offset=0x0f700000, size=0x00800000
bbt     offset=0x0ff00000, size=0x00100000


Erasing data partition from block 1976 to 2040
................................................................
pmc_init:PMC using DQM mode

pmc_init slow 95, fast 70
pmc_init:7 0 e40427 33f033f
Use default boot line parameters: e=192.168.1.1:ffffff00 h=192.168.1.100 g= r=f f=vmlinux i=bcm963xx_fs_kernel d=1 p=0 c= a=
Could not activate network interface 'eth0': CFE error -1
Skip Rescue Mode

Board IP address                  : 192.168.1.1:ffffff00
Host IP address                   : 192.168.1.100
Gateway IP address                :
Run from flash/host/tftp (f/h/c)  : f
Default host run file name        : vmlinux
Default host flash file name      : bcm963xx_fs_kernel
Boot delay (0-9 seconds)          : 1
Default host ramdisk file name    :
Default ramdisk store address     :
Default DTB file name             :
Board Id                          : 94908DVT
Number of MAC Addresses (1-64)    : 10
Base MAC Address                  : 00:10:18:00:00:00
PSI Size (1-128) KBytes           : 128
Enable Backup PSI [0|1]           : 0
System Log Size (0-256) KBytes    : 0
Auxillary File System Size Percent: 0
flow memory allocation (MB)       : 14
buffer memory allocation (MB)     : 16
DHD 0 memory allocation (MB)      : 0
DHD 1 memory allocation (MB)      : 0
DHD 2 memory allocation (MB)      : 0
WLan Feature                      : 0x00
Partition 1 Size (MB)             : 8M
Partition 2 Size (MB)             : 48M
Partition 3 Size (MB)             : 0M
Partition 4 Size (MB) (Data)      : 8M
When erasing nvram with "e n" it will first ask if you would like to continue. Then it will erase nvram and start asking the above questions. Seems like the new NAND table was good and the old one was completely wrong.

Then it rebooted and died. Anyway the 2.4GHz WiFi was also very broken so I have a new router now from warranty.
 
Desoldering and flashing.

There are JTAG connectors, but no one knows the pinout.

Thanks
I have the same issue with tplink C2300 - the same story with erased nand and serial access with boot ending on
IMG?
FAIL
There are 4 mysterious TPs apart from UART that I presume can be JTAGs, so I will try it first as desoldering and flashing scares me a lot :)
 
Hi, sorry for posting in an old thread. I know you erased too much and used a programmer with chip desoldering, but is there any non-invasive way of clearing mtd8/mtd9, which is jffs2 (misc2) partition, without programmer flashing copy of those partitions from new device?
 
these sections cannot be cleared
they are used by the system
 
I have the dumps of successful and failing boots. I am trying to figure out the reason of the failure. Any ideas?
 

maybe HW error ?
I found the difference between my good rt-ac86u and bad rt-ac86u (boot loop, already replaced with a new NAND chip)

The Good one
Code:
nand: Could not find valid ONFI parameter page; aborting
nand: device found, Manufacturer ID: 0xc2, Chip ID: 0xda
nand: Macronix NAND 256MiB 3,3V 8-bit
nand: 256 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
bcm63xx_nand ff801800.nand: Adjust timing_1 to 0x65324458 timing_2 to 0x80040e54
bcm63xx_nand ff801800.nand: detected 256MiB total, 128KiB blocks, 2KiB pages, 16B OOB, 8-bit, BCH-4

The Bad one
Code:
NAND ECC BCH-8, page size 0x800 bytes, spare size used 108 bytes
NAND flash device: , id 0xc2da block 128KB size 262144KB
...
nand: device found, Manufacturer ID: 0xc2, Chip ID: 0xda
nand: Macronix NAND 256MiB 3,3V 8-bit
nand: 256 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
bcm63xx_nand ff801800.nand: Adjust timing_1 to 0x65324458 timing_2 to 0x80040e54
bcm63xx_nand ff801800.nand: detected 256MiB total, 128KiB blocks, 2KiB pages, 27B OOB, 8-bit, BCH-8
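
The difference between the two logs above is confined to the controller's ECC settings. The following Python script is an added example, not part of the original post: it extracts the NAND profile from each log, lists the fields that differ, and compares the controller's spare usage per page with the OOB size the chip probe reports. It assumes the controller's "NB OOB" figure is per 512-byte ECC step, which is consistent with CFE's "spare size used 108 bytes" (4 x 27); the function names are illustrative.

```python
import re

SECTOR = 512  # assumption: the controller's "NB OOB" value is per 512-byte ECC step

# Probe lines copied from the two boot logs quoted in the post above.
GOOD = """\
nand: 256 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
bcm63xx_nand ff801800.nand: detected 256MiB total, 128KiB blocks, 2KiB pages, 16B OOB, 8-bit, BCH-4
"""
BAD = """\
NAND ECC BCH-8, page size 0x800 bytes, spare size used 108 bytes
nand: 256 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
bcm63xx_nand ff801800.nand: detected 256MiB total, 128KiB blocks, 2KiB pages, 27B OOB, 8-bit, BCH-8
"""

CHIP_RE = re.compile(r"page size: (\d+), OOB size: (\d+)")
CTRL_RE = re.compile(r"pages, (\d+)B OOB, \d+-bit, (\S+)")
CFE_RE = re.compile(r"NAND ECC \S+, page size 0x[0-9a-f]+ bytes, "
                    r"spare size used (\d+) bytes")

def nand_profile(log):
    """Collect the chip geometry and controller ECC settings from one boot log."""
    chip, ctrl = CHIP_RE.search(log), CTRL_RE.search(log)
    if not chip or not ctrl:
        raise ValueError("log lacks the NAND probe lines")
    page, chip_oob = int(chip.group(1)), int(chip.group(2))
    per_step = int(ctrl.group(1))
    per_page = per_step * (page // SECTOR)
    cfe = CFE_RE.search(log)  # only present when the CFE banner was captured
    return {
        "ecc": ctrl.group(2),
        "oob_per_step": per_step,
        "ctrl_spare_per_page": per_page,
        "chip_oob": chip_oob,
        "cfe_spare": int(cfe.group(1)) if cfe else None,
        # True when the controller expects more spare bytes per page
        # than the chip probe line reports.
        "exceeds_chip_oob": per_page > chip_oob,
    }

def diff_profiles(a, b):
    """Return {field: (value_a, value_b)} for every field that differs."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

if __name__ == "__main__":
    good, bad = nand_profile(GOOD), nand_profile(BAD)
    for field, (g, b) in diff_profiles(good, bad).items():
        print(f"{field:20s} good={g!s:8s} bad={b}")
```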
 
Sorry for bringing this up after 5 years, but I have some devices around with bad NAND blocks... I changed the NAND chip on them: I wrote the original NAND content back to the new and good NAND, but the flasher also copies the bad block flags onto the new NAND. I also tried the "n e" command, in order to force a new NAND bad block check. It asked me the same questions, but it only gives two characters to enter the Board Id, while my original Board ID is like this: 94906AX92U.
Was anyone able to run the "n e" (nvram erase) with success? How?
Or any other "hidden" command that forces the bad block re-check?
 
The board ID should be two characters, shouldn't it? The two characters represent your selection against the list of boards available... this is what I saw when I did the AX6600....
 
