JTAG a Buffalo WZR-HP-G300NH2?

[LightworkerNaven]

Hey, I was working on using USB JTAG NT to JTAG the WZR-HP-G300NH2 and I couldn't get it to state "Debug On," so I'm curious as to what I should do about that. I did my research and learned the following things about this unit.

1.) It has a 14 pin JTAG header (I soldered the header in place)
2.) The router is designed to use, and shipped with, DD-WRT. I was able to solder in and use the 4 pin UART serial port next to the JTAG port.
3.) The board uses the following chips:

Code: Select all

Wireless proc:
Atheros
AR9283 - AL1A
N4B274 . 00B
1108

Proc:
Atheros
AR7242-AH1A
G12196 . 1C
1025

Proc Stats:
Uses EJTAG - https://forum.openwrt.org/viewtopic.php?id=34993
Uses SPIFLASH or NAND  (Most likely the former as I saw a datasheet for Nanyan and 25L128 stating those are SPI)

Ethernet switch chip:
Atheros
AR8316-AK1E
D1H1788
1108

Flash:
MXIC
X110346
MX25L12845EMI-10G
3F204800

MXIC
X110246
MX25L12845EMI-10G
3F225700

Flash:
Nanyan
1043
NT5TU32M16C6-25C
023033Z0GL 7 TW (TW = Taiwan?)

The AR7242 uses EJTAG apparently, but with it having SPI chips, I don't know what category to place the new XML in. Under routers only EJTAG is listed, so I selected EJTAG as it's category. I kept reading how Big Endian is more popular and the Buffalo routers I saw stuff on use Big Endian. It's a MIPS core which I heard defaults to Big Endian, so that's why I chose Big Endian. in this config.

I also saw 2 Buffalo routers using IRLength of 8, but I forget what IRLength is. IIRC it's how long the string is when it identifies the chip. (Ex. The values USB JTAG NT always tells you to report or the IDCODE and whatnot.) Anyway, I selected 8 for that reason. It's also the same reason I set DMA to Yes and ProbTrap to 1.

As I want to get the unit to talk to USB JTAG NT before I go any further, I just left the addresses as they were set for the config I copied to modify for the unit. However, with Debug Off, it really doesn't help much to have a config file yet at all if I'm understanding how USB JTAG NT works. Also, I rechecked my soldering joints and tried again, but it still says "Debug Off." Also, Pins 2,4,6,8, and 10 all go to ground.

I must have bricked the unit when I played with the serial port. I unplugged the router before I unplugged my serial adapter from the USB port, thus not allowing the unit to fully power down properly. Now when I use the serial port, it only shows the following stuff. It doesn't even make it to the TFTP server to repair it any way other than JTAG.

Code: Select all

BUFFALO U-BOOT Ver 1.03
  == CPU:400MHz, DDR:400MHz, AHB:200MHz ==
PB93 (ar7241 - Virian) U-boot
DRAM:  64 MB
WAN port disabling: done
Top of RAM usable for U-Boot at: 84000000
Reserving 265k for U-Boot at: 83fbc000
Reserving 192k for malloc() at: 83f8c000
Reserving 44 Bytes for Board Info at: 83f8bfd4
Reserving 36 Bytes for Global Data at: 83f8bfb0
Reserving 128k for boot params() at: 83f6bfb0
Stack Pointer at: 83f6bf98

Below is what I put in my config file for the unit.

Code: Select all

<Test>
   <Name>WZR-HP-G300NH2</Name>
   <Cat>Router</Cat>
   <Protocol>EJTAG</Protocol>
   <Endian>Big</Endian>
   <DLL>router.dll</DLL>
  <IRLength>8</IRLength>
   <DMA>Yes</DMA>
   <ProbTrap>1</ProbTrap>
   <Programram>0x80200000</Programram>
   <Memorys>
     <Memory>
       <Name>u-boot</Name>
       <Type>1</Type>
       <Address>0x9f000000</Address>
       <Size>0x30000</Size>
     </Memory>
     <Memory>
       <Name>bootenv</Name>
       <Type>1</Type>
       <Address>0x9f030000</Address>
       <Size>0x10000</Size>
     </Memory>
     <Memory>
       <Name>KERNEL</Name>
       <Type>1</Type>
       <Address>0x9f040000</Address>
       <Size>0x770000</Size>
     </Memory>
     <Memory>
       <Name>NVRAM</Name>
       <Type>1</Type>
       <Address>0x9F7B0000</Address>
       <Size>0x40000</Size>
     </Memory>
     <Memory>
       <Name>Config</Name>
       <Type>1</Type>
       <Address>0x9F7F0000</Address>
       <Size>0x10000</Size>
     </Memory>
   </Memorys>
   <Inits>
  </Inits>
</Test>

[usbbdm]

Hey, I was working on using USB JTAG NT to JTAG the WZR-HP-G300NH2 and I couldn't get it to state "Debug On," so I'm curious as to what I should do about that. I did my research and learned the following things about this unit.

1.) It has a 14 pin JTAG header (I soldered the header in place)
2.) The router is designed to use, and shipped with, DD-WRT. I was able to solder in and use the 4 pin UART serial port next to the JTAG port.
3.) The board uses the following chips:

Code: Select all

Wireless proc:
Atheros
AR9283 - AL1A
N4B274 . 00B
1108

Proc:
Atheros
AR7242-AH1A
G12196 . 1C
1025

Proc Stats:
Uses EJTAG - https://forum.openwrt.org/viewtopic.php?id=34993
Uses SPIFLASH or NAND  (Most likely the former as I saw a datasheet for Nanyan and 25L128 stating those are SPI)

Ethernet switch chip:
Atheros
AR8316-AK1E
D1H1788
1108

Flash:
MXIC
X110346
MX25L12845EMI-10G
3F204800

MXIC
X110246
MX25L12845EMI-10G
3F225700

Flash:
Nanyan
1043
NT5TU32M16C6-25C
023033Z0GL 7 TW (TW = Taiwan?)

The AR7242 uses EJTAG apparently, but with it having SPI chips, I don't know what category to place the new XML in. Under routers only EJTAG is listed, so I selected EJTAG as it's category. I kept reading how Big Endian is more popular and the Buffalo routers I saw stuff on use Big Endian. It's a MIPS core which I heard defaults to Big Endian, so that's why I chose Big Endian. in this config.

I also saw 2 Buffalo routers using IRLength of 8, but I forget what IRLength is. IIRC it's how long the string is when it identifies the chip. (Ex. The values USB JTAG NT always tells you to report or the IDCODE and whatnot.) Anyway, I selected 8 for that reason. It's also the same reason I set DMA to Yes and ProbTrap to 1.

As I want to get the unit to talk to USB JTAG NT before I go any further, I just left the addresses as they were set for the config I copied to modify for the unit. However, with Debug Off, it really doesn't help much to have a config file yet at all if I'm understanding how USB JTAG NT works. Also, I rechecked my soldering joints and tried again, but it still says "Debug Off." Also, Pins 2,4,6,8, and 10 all go to ground.

I must have bricked the unit when I played with the serial port. I unplugged the router before I unplugged my serial adapter from the USB port, thus not allowing the unit to fully power down properly. Now when I use the serial port, it only shows the following stuff. It doesn't even make it to the TFTP server to repair it any way other than JTAG.

Code: Select all

BUFFALO U-BOOT Ver 1.03
  == CPU:400MHz, DDR:400MHz, AHB:200MHz ==
PB93 (ar7241 - Virian) U-boot
DRAM:  64 MB
WAN port disabling: done
Top of RAM usable for U-Boot at: 84000000
Reserving 265k for U-Boot at: 83fbc000
Reserving 192k for malloc() at: 83f8c000
Reserving 44 Bytes for Board Info at: 83f8bfd4
Reserving 36 Bytes for Global Data at: 83f8bfb0
Reserving 128k for boot params() at: 83f6bfb0
Stack Pointer at: 83f6bf98

Below is what I put in my config file for the unit.

Code: Select all

<Test>
   <Name>WZR-HP-G300NH2</Name>
   <Cat>Router</Cat>
   <Protocol>EJTAG</Protocol>
   <Endian>Big</Endian>
   <DLL>router.dll</DLL>
  <IRLength>8</IRLength>
   <DMA>Yes</DMA>
   <ProbTrap>1</ProbTrap>
   <Programram>0x80200000</Programram>
   <Memorys>
     <Memory>
       <Name>u-boot</Name>
       <Type>1</Type>
       <Address>0x9f000000</Address>
       <Size>0x30000</Size>
     </Memory>
     <Memory>
       <Name>bootenv</Name>
       <Type>1</Type>
       <Address>0x9f030000</Address>
       <Size>0x10000</Size>
     </Memory>
     <Memory>
       <Name>KERNEL</Name>
       <Type>1</Type>
       <Address>0x9f040000</Address>
       <Size>0x770000</Size>
     </Memory>
     <Memory>
       <Name>NVRAM</Name>
       <Type>1</Type>
       <Address>0x9F7B0000</Address>
       <Size>0x40000</Size>
     </Memory>
     <Memory>
       <Name>Config</Name>
       <Type>1</Type>
       <Address>0x9F7F0000</Address>
       <Size>0x10000</Size>
     </Memory>
   </Memorys>
   <Inits>
  </Inits>
</Test>

Try to select WRT160NL and see if you get anything.

[LightworkerNaven]

I already tried that one, but it still says "Debug Off."

[usbbdm]

I already tried that one, but it still says "Debug Off."

Connect teamviewer and let me take a look.

[LightworkerNaven]

I'll PM you my Team Viewer details right now.

[LightworkerNaven]

@USBBDM:

I remembered I wrote a post on the USB JTAG NT pinout:

viewtopic.php?t=8246

Using that pinout, pin 1 is TRST and pin 2 is a ground connection. In theory, I should be able to measure the voltage across pin 1 and 2 and get the voltage supplied for TRST. I measured that and the voltage is 0VDC. My meter doesn't even twitch when it measures that and that leads me to believe that you were right about a missing resistor.

To eliminate the possibility of a weak solder joint, I used an ohmmeter to test pin 2's connection to ground and pin 1's connection to TP4. (A test point that attaches directly to that pin, presumably to test just what we're doing.) Both tests were successful in that the header pins are connected to the board properly.

Upon closer inspection of the board, pin 1 doesn't appear to connect to anything other than TP4 which is just a copper contact to test things with. Odd... The article you sent me states that on the AR7242 (my chip) the pin 80 can be used for GPIO and CS# (cable select?) as well as nTRST.

https://forum.openwrt.org/viewtopic.php?id=34993

Also, I read on that page how I can get around the issue of not having the TRST pin available to me. It states you can put a manual switch from VCC (pin 93) to the pin 80 TRST pin and use a 10-50Ohm resistor on there. I looked at how pin 93 is wired up and it runs through a cap (c332) to an MPU reset circuit. (The RA29G) I measured the voltage off of the RA29G attached to the cap and it's putting out a consistent 3.38VDC. As this is .08 volts more than the needed 3.3V, I think that's why that post states you need to wire in a 10-50 Ohm resistor. My question is, I know some circuits are finicky and have a low tolerance, but if I don't wire in a resistor, will it still work and not damage my unit?

Moreover, how the fish am I supposed to solder a wire to that small and clustered of a chip?

Does anyone know?

UPDATE: I connected pin 1 of the JTAG adapter to a 15K resistor and then I connected the resistor to pin 80 of the chip. The way I got around soldering directly to the chip is that that pin connects to a blank space for a resistor on the back of the board. (R309) It was measuring as a direct connection on one of the resistor pads to the chip's pin 80. I tested to see if pin 1 really does connect somehow to the other side of that R309 and it doesn't. I did somehow get a reading off of it when I connected that resistor going to pin 1 and it showed the 15K Ohm value of that resistor. I'm not sure why it did that when I was clearly only touching the correct pad and the other probe to pin one and there wasn't a solder bridge either.

When I hooked it up with that 15K Ohm resistor I still can't get it to say "Debug On." I thought the resistance might be to high, but when I put that resistor in pin one's socket on the USB Jtag NT and connected a voltmeter to the other end and to pin 2 (ground) I got 3.4V as I did without the resistor. (Weird... You'd think it would drop, so something's up there.) I'll try again with a 35.7 Ohm resister I plan on buying on eBay and testing it again to see if it was cutting the voltage too much as I originally thought it would.

Oh, and in case you're curious, if you look at the back of the board with the ports at the top, find R309 and the top pad is the one that goes to pin 80. I used very thin stranded ribbon cable to connect to that tiny pad. Be sure to tin the end of the wire so you don't have it fraying all over the place. Place kapton tape or some other kind of tape on top of that wire to help hold it in place so it doesn't break off of the board.

[LightworkerNaven]

How does USB JTAG NT use the nTRST? Does it put out the 3.3V and wait for some kind of reply from the proc and then shuts off the power on that pin to continue?

I followed the OpenWRT tutorial for the AR724x chips in a couple ways. First, I tried to map the nTRST pin on the header to the Pin 80 of the AR7242 chip through a 35.7 Ohm resistor. That didn't work, so I tried it the way the tutorial suggested and I mapped pin 80 to the serial port's VCC line (3.3v) through a 35.7 Ohm resistor and a PBNO switch. I plugged USB JTAG NT into the header (nTRST is NC in this config) and I plugged USB JTAG NT into my computer. Then I held the hardware switch I added for 2 seconds and plugged in my router. "Debug Off" still showed. I tried it one more time just to be sure and I got the same result.

So, how does USB JTAG NT use nTRST? Does it need to be hooked up to something for it to work?


UPDATE: I removed the resistor to perform some tests as pin 80 wasn't getting the 3.3V. As all of my switches were messing up, I built my own using a header with a jumper. After 2 seconds I pulled the jumper off to disconnect the circuit. I also tested the voltage from pin 80 to ground with the header on and it measured just over 3.3V, so we're getting the correct voltage there.

In that OpenWRT post, it mentions that the RST pin will disable JTag. I think that's in reference to if that pin is off, then the unit is off. So, should I ground out RST or leave it hot? My guess is I should leave it hot, but it's strange that he mentions JTAG being turned off as well.

He also doesn't distinguish when you release the button. He states to hold it, power on the unit, then after 2 minutes depress the button. I take it as he crappily worded it and meant to say "release the button" as "depress the button" means the same thing as pressing it.

[Skillet50]

How does USB JTAG NT use the nTRST?

Hold it low , Hold it high , and Pulses when ?

and best of luck LightworkerNaven

[usbbdm]

How does USB JTAG NT use the nTRST?

Hold it low , Hold it high , and Pulses when ?

and best of luck LightworkerNaven

Current nTRST on NT is constant high.

[LightworkerNaven]

OK, so basically it's just holding down the trigger to get the chip to start in JTAG mode. Correct? Also, are you interested in buying one of these to test? I'm not selling this one, (Unless you want to buy it) but I know you said you'd look into if enough people were interested in it before you invest in this model to test. I'm hoping you've decided to so we can see what you come up with as I'm pretty much tapped out on what to do. Any ideas? I can take pictures of my board if it helps.

[usbbdm]

OK, so basically it's just holding down the trigger to get the chip to start in JTAG mode. Correct? Also, are you interested in buying one of these to test? I'm not selling this one, (Unless you want to buy it) but I know you said you'd look into if enough people were interested in it before you invest in this model to test. I'm hoping you've decided to so we can see what you come up with as I'm pretty much tapped out on what to do. Any ideas? I can take pictures of my board if it helps.

All I see here is the same as WRT160NL. However I have found some more information that can go to fast mode even the boot is erased. I do not believe that the JTAG is disabled on this router since it is built on dd-wrt and JTAG should simply be enabled. I do not understand why you have this issue.
Anyway if there are more people interested in here I can try to find one locally.

[LightworkerNaven]

What do you mean by "fast mode?" Also, I doubt that JTAG is disabled as well, but what I think they did is make that into a GPIO port for one of their added hardware features and removed the connection to JTAG's nTRST pin in favor of it. Not everyone who uses DD-WRT uses JTAG, but they want to get their customers to use the added features, so they made the trade off.

However, if pin 80 still functions as the nTRST pin as well, what are we missing in that they would feel the need to disconnect it from that header pin? Are we supposed to flip a switch or push a button or have the right button/switch configuration to make it so that pin 80 isn't trying to be used as a GPIO at the same time it's being used as nTRST? If that's the case, they're trying to protect the device from getting damaged, but you'd think a diode would fix that. (Unless it receives a signal on one pin and puts the signal out on pin 80, thus a collision would be possible and burn out the circuit.)

Also, I posted a reply on that old thread you showed me in case you want to look it over. https://forum.openwrt.org/viewtopic.php ... 27#p207027

[usbbdm]

I read your post, DEBUG OFF is not important. You have to be able to read the CPU ID first.
I found the proper initialize sequence so no need to use sprogram when in brick mode.

[LightworkerNaven]

What's the proper initialize sequence? What do I do to get it to recognize it? I did a "Detect" and it still comes back all 0s every time.

[usbbdm]

What's the proper initialize sequence? What do I do to get it to recognize it? I did a "Detect" and it still comes back all 0s every time.

That means there is connection problem. Until you get proper CPU ID then we can continue on.
The init sequence can be found in
https://forum.openwrt.org/viewtopic.php?id=34993

Again you have to get the proper CPU ID first or it will never work.