[hunggnuh85]

Hi, I have a TM-AC1900 converted to Asus RT-AC68U. I'm currently debricking it using DD-WRT and Serial USB TTL method.

In normal Asus-based firmware, the partition layout is like this:
dev: size erasesize name
mtd0: 00080000 00020000 "boot"
mtd1: 00180000 00020000 "nvram"
mtd2: 03e00000 00020000 "linux"
mtd3: 03c64d80 00020000 "rootfs"
mtd4: 03ec0000 00020000 "brcmnand"
mtd5: 00140000 00020000 "asus"


and the related messages in boot log:
Creating 4 MTD partitions on "nflash":
0x000000000000-0x000000080000 : "boot"
0x000000080000-0x000000200000 : "nvram"
0x000000200000-0x000004000000 : "linux"
0x00000039b280-0x000004000000 : "rootfs"
Creating 2 MTD partitions on "brcmnand":
0x000004000000-0x000007ec0000 : "brcmnand"
0x000007ec0000-0x000008000000 : "asus"

Currently, a TM-AC1900 conversion guide will tell you to wipe out the "asus" partition as the new stock Asus firmwares would detect a file inside that partition and flash a locked CFE bootloader and revert the router back to TM-AC1900. (Specifically, a "mtd-erase" command would be run to mark the partition as all FFFFF... (?!) to make it look like the genuine AC68U partition)

However, I did the conversion long ago when people did not know about that and used the famous Asus-forked Merlin firmware. I recently upgraded it to the newest version which might included some changes from Asus that caused "strange issues" to my router. So, I tried downgrading using the webgui but that didn't work and it stayed at the old one. The fork author advised the use of a flash-specific tool such as the official Asus Firmware Restoration (basically a tftp tool, just officially from Asus).

However, after using the Asus tool, the router did not boot up. Since then, I have not been able to flash any Asus-based and Tomato firmwares. I could use all methods (Asus tool, tftp, CFE Miniweb) and they all output successful messages (Upload completed, Transfer successfully, etc...), but the router would not work (just a solid power light, couldn't ping).

After many tries, it turned out that OpenWRT and DD-WRT could be flashed and ran normally on the router. But both did not list the "asus" partition, and as using their native tool "mtd" to write the other firmwares gave the same results just like the above methods, I've switched to try the serial USB TTL method.

Alright. Now with the "show devices" in the CFE prompt output:
CFE> show devices
Device Name Description
------------------- ---------------------------------------------------------
uart0 NS16550 UART at 0x18000300
uart1 NS16550 UART at 0x18000400
nflash0 AMD NAND flash size 131072KB
nflash0.boot AMD NAND flash offset 0 size 512KB
nflash0.nvram AMD NAND flash offset 80000 size 1536KB
nflash0.trx AMD NAND flash offset 200000 size 1KB
nflash0.os AMD NAND flash offset 20001C size 129024KB
nflash1.boot AMD NAND flash offset 0 size 512KB
nflash1.nvram AMD NAND flash offset 80000 size 1536KB
nflash1.trx AMD NAND flash offset 200000 size 63488KB
nflash1.brcmnand AMD NAND flash offset 4000000 size 65536KB
eth0 Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller
*** command status = 0

I tried the "flash -noheader nflash1.trx" but after the "bytes written" message, it has been stuck there for 12 hours and hasn't shown the CFE prompt. As it's also basically a tftp method, I wonder if it would work. There is one difference compared to previous tries: the LAN light has also been blinking for 12 hours. While I'll let it run for a full 24 hour, I'm writing this post to ask you.

I think here are the new steps I can proceed:
- Run the flash -erase to erase the nflash1.brcmnand, nflash1.trx and nflash1.boot (also nflash0.boot?)
- flash -noheader 192.168.1.2:better_cfe.bin nflash1.boot => I'd like to update the cfe to a better one (also nflash0.boot?)
- flash -noheader 192.168.1.2:good_stock_asus_fw.trx nflash1.trx => flash a good stock Asus firmware which does not lock the router

I did googling and barely any guide mentioned about the possibility of erasing the nflash1.brcmnand. Only a topic on DD-WRT forum regarding modding the Buffalo routers mentioned about that. However, as I don't know if there are differences between Buffalo & Asus, I would like to ask:
- Would my suggested plan work?
- Could I flash the CFE that way? If yes, for both ".boot" devices or which one to choose? (It looks like nflash1 is the one, but then I don't know what the nflash0 is about)
- On DD-WRT and/or Serial CFE Prompt, is there any tool to check, fix and repartition the NAND? (Can we actually do that with NAND storage? Wondering if there was any hardware failure related to the NAND)

Thank you very much, at least for taking time reading my long post.

[deslatha]

Device Name Description
------------------- ---------------------------------------------------------
uart0 NS16550 UART at 0x18000300 // serial port 0 debug build-in
uart1 NS16550 UART at 0x18000400 // serial port 1 debug as telnet port
nflash0 AMD NAND flash size 131072KB // total 128MB storage + 4M for ecc error
nflash0.boot AMD NAND flash offset 0 size 512KB //0.5
MB + 1kB ecc
nflash0.nvram AMD NAND flash offset 80000 size 1536KB
nflash0.trx AMD NAND flash offset 200000 size 1KB
nflash0.os AMD NAND flash offset 20001C size 129024KB
nflash1.boot AMD NAND flash offset 0 size 512KB
nflash1.nvram AMD NAND flash offset 80000 size 1536KB
nflash1.trx AMD NAND flash offset 200000 size 63488KB
nflash1.brcmnand AMD NAND flash offset 4000000 size 65536KB
eth0 Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller
*** command status = 0 //everthing is ok.
As you see, nflash0.boot is cfe in BroadComm router. Then cfe's data only around 2 blocks (64kb x2=128kb).Why it is reserver for 8 blocks which is (64kbx8=512kb).

If nand has bad blocks then it is flash in :
level 0: 256b extra spare and write in there.
level 1: write to next blocks. if error on block 2 then write on block3 and so on.(that may be cfe has extra few blocks).
level 3: write on nflash1.brcmnand which cfe reserver.
All is guess, may not right. Then why there is no nflash0.brcmnand. may be flash without check or with verify.
It look like your router have bad memory chipset, and now for 12 hours it could creating alot bad blocks on nand due to many write cycle loop.
Too many miss handle fw install on router and wrong cfe on router leading damage hardware. a cfe may deal with a specific manufactory nand. Need to check dts in github or a text in cfe if you open in hex edit.
Also why BroadComm cpu set at 800 mhz; not 600...not 580 mhz, dont you see wl chip set communication on 2.4ghz.
So 2.4ghz:0.8 ghz=3(gold ratio).that why you will see alot hang or error on Mediatek chipset or QualComm.

[hunggnuh85]

@deslatha: Thank you. But as I'm just a novice, I did not understand much of your post. Sorry

However, after the waiting time, I turned off the router and turned it back on. And well... it booted successfully Things have been normal since.

So, what still confuses me is: the "flash -noheader" method was basically a tftp method, but why did it work while the other tftp methods I tried failed?

My questions in the first post are still relevant and this topic would be a good reference, so I hope someone would come up with the answers.

Thanks