I managed to brick a Belkin F7D4301 v1 router... somehow.
I have a TUMPA Lite, zJTAG 1.8 RC1, and proper cabling (ot at least zjtag detects the CPU, therefore the cabling and soldering SHOULD be fine).
First issue:
zjtag -probeonly /cable:3 /l1:3
==============================================
zJTAG EJTAG Debrick Utility v1.8 RC1
==============================================
cableid=3, cabletype=0
Dev 0:
Flags=0x2
Type=0x8
ID=0x4038a99
LocId=0x83
SerialNumber=TITL0682
Description=USB Multi-Protocol Adapter Lite
ftHandle=0x0
Set I/O speed to 7500 KHz
USB TAP device has been initialized. Please confirm VREF signal connected!
Press any key to continue... ONCE target board is powered on!
Detected IR chain length = 0
Probing bus ... Done
Defined IR chain Length is 5 bits
CPU assumed running under LITTLE endian
CPU Chip ID: 00010100011100010110000101111111 (1471617F)
*** Found a Broadcom manufactured BCM4716 REV 01 CPU ***
- EJTAG IMPCODE ....... : 00000000000000000000000000011010 (0000001A)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS32
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... <Processor did NOT enter Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
Probing Flash at Address: 0x1FC00000 ...
Detected Chip ID (VenID:DevID = 001A : 0000)
*** Unknown or NO Flash Chip Detected ***
*** REQUESTED OPERATION IS COMPLETE ***
The interesting part is that when I run the same command again, everything seems to be the same, but EJTAG info changes, e.g.:
- EJTAG IMPCODE ....... : 00000000000000000000000000010011 (00000013)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS64
The major issue I think is the unknown flash chip (as the CPU is actually a BCM4718A, but accourding to the source of tjtag, they are basically the same).
Unfortunately when I removed the sticker from the flash chip, the model number disappeared, all that remained was the first two letter of product code: "MX", at least we know the manufacturer, Macronix. The fun part is that according to quite a few web pages, this router has a cFeon EN29LV640B flash chip... whatever.
The fun part is that I tried to backup:nvram with /fc:107, /fc:108 and /fc:097, and the .bin file was the same. In hex editor it seems quite strange:
C0 03 00 22 12 00 00 00 | 00 00 10 00 00 00 20 00
00 00 30 00 00 00 40 00 | 00 00 50 00 00 00 60 00
After a small "header" keeps counting from 0x10 upwards... I have no idea what my flash contains, but I'm pretty sure that it is something else...
I have tried everything to make it work, but I ran out of ideas.
One more thing I noticed: when I set /instrlen to something between 27 and 31, the LEDs are blinking on the router during JTAG operations (with other instrlens they do nothing). With /instrlen:28 the backup contains "E2 AA AA A2 A2 AA AA A2 A2 AA AA" etc, with /instrlen:30 it is all zeros, otherwise I get the same results (the counting file).
So. This is what I noticed, and I have no idea what to do now... Any ideas?
Thanks,
guyee
