How to de-brick a hard-bricked router in 2019 (on the example of Asus RT-N16)
If your network router is bricked, and you cannot recover it using any technique, provided by a manufacturer, chances are that it is hard-bricked. In my case, the power light was not going on, just network port lights. No serial console output at all. No recovery method of 30/30/30 would work.
In this case, you have a chance to de-brick the device using JTAG. To access this feature, you will need:
- Raspberry Pi (our example showcases Raspberry PI 3 B);
- Jumpers or an IDE bus from your old computer’s IDE drives;
- A solder or spring-loaded connector with the wire to contact the printed board;
- A screwdriver to disassemble and reassemble the device;
- 6 100-Ohm resistors of about 1/8 Watt power;
First, let us open the router and locate a JTAG connector. You can find online where JTAG is for your specific router. Sometimes you should solder to different places on the motherboard to collect its signals.
In the case of the famous RT-N16 router, the connector is in one location, placed conveniently, and is marked as J1.
Now choose the means to make a connection. In my case, I did not have a spring loaded connector handy, so decided to go for a soldering solution. The board is based on an aluminium sheet, so tends to get hot whenever you solder, be careful.
Remember, JTAG does not tolerate long cables, so try to limit yourself to 20 cm. In case you already use a 20-30 cm. IDE bus, the solution will still work even if you attach another 10 cm. cable /jumper wires, leading to the board. Maybe the reason is IDE bus has all wires inline so they do not interfere much.
The signals of the connector are on the left, whereas ground sits on the right. First I was wondering if I should solder the ground to one pin and connect all ground pins additionally, but in fact, you need to only solder to a single ground pin. All the rest are already connected by the aluminium board, using a common ground.
Another important thing would be to turn the router on and check voltage levels on soldered/connected wires. It should show 3.3V on most pins, occasionally one pin can show 2.7V and the nSRST is usually around 0V.
If you see lower or jumping values, be sure to check your soldering or quality of the JTAG connection. I have managed to get a proper connection only from the third try, despite all looking like they were properly attached.
If you have managed to reach that far, then you are very close to the result.
Connect Raspberry PI 3 B:
- Via IDE cable
Make sure your IDE cable looks inwards on the 40-pin connector of PI, rather than outwards. If it looks outwards, all your header pins will be mirrored left to right and you will have to account for that. You can place resistors into the pin holes on the other end of IDE. Pliers can help to bend the leads of resistors and compress them into a sicker wire for proper contact.
2. Via jumper wires;
A 100 Ohm resistor must be connected sequentially to every signal, except for the ground. You can test the pin numbers via a LED light script of Raspberry.
Next, compile openocd utility on raspberry. Installing by apt will not help, because the utility will lack the functionality we require here:
sudo apt-get update
sudo apt-get install -y git autoconf libtool libftdi-dev libusb-1.0-0-dev
mkdir -p ~/src; cd ~/src
git clone --recursive git://git.code.sf.net/p/openocd/code openocd-git
cd openocd-git
./bootstrap && \
./configure --enable-sysfsgpio \
--enable-maintainer-mode \
--disable-werror \
--enable-ftdi \
--enable-ep93xx \
--enable-at91rm9200 \
--enable-usbprog \
--enable-presto_libftdi \
--enable-jlink \
--enable-vsllink \
--enable-rlink \
--enable-arm-jtag-ew \
--enable-dummy \
--enable-buspirate \
--enable-ulink \
--enable-usb_blaster_libftdi \
--prefix=/usr \
&&
make
&&
make installPin numbers you have to connect will be mentioned in openocd config file:
/usr/share/openocd/scripts/interface/sysfsgpio-raspberrypi.cfgFor convenience, I show them here.
RPI HEADER JTAG CONNECTOR
6 GROUND GROUND (one of right pins)
19 TDI
21 TDO
22 TMS
23 TCK
26 nTRST
At this point you can list the partitions on the router, dump or delete them. I recommend to dump and store your CFE just in case (do it twice to ensure there is no error in final files).
To dump CFE (a “BIOS” of router):
cd /usr/share/openocd/scripts; sudo openocd -f interface/sysfsgpio-raspberrypi.cfg -f tools/firmware-recovery.tcl -c "board asus-rt-n16; dump_part CFE /root/cfe.0.bin; shutdown"To list partitions:
sudo openocd -f interface/sysfsgpio-raspberrypi.cfg -f tools/firmware-recovery.tcl -c "board asus-rt-n16; list_partitions; shutdown"To de-brick:
sudo openocd -f interface/sysfsgpio-raspberrypi.cfg -f tools/firmware-recovery.tcl -c "board asus-rt-n16; erase_part nvram; shutdown"Usually, to de-brick a hard-bricked router, only NVRAM partition has to be erased. Then, after a power-cycle, your router will be ready for a firmware flash.
I have done it using a tftp Linux utility. For the moment, the best supported 3rd party firmware for RT-N16 I found, was AdvancedTomato. But if you go for a stock firmware, it is also not that bad nowadays.
In case anything goes wrong, just double- and triple-check your contacts and voltage levels on JTAG.
If these steps have saved you from the need of purchasing new hardware, please endorse this article.
Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.
Comments (3)
Commented:
The process being described here would hardly take days (or even an entire day)
Commented:
Author
Commented:Andrew, indeed once the process is written out like here, it will not take long. But piecing this all together and researching, as well as trying all possible recovery methods is what takes time. However I am not a professional in soldering, neither had I an oscilloscope to know what signal levels I have to receive in the end.