Can you comment on if this device has an sd slot like the n66?
Pics are not available on the fcc site. Do you know of any pics that may have been posted in other forums?
Once we (we does not mean me) finish up jtag on the n66, I was thinking about getting the ac66. My hesitation is that when ever I get the latest & greatest, I get burned when a new revision comes out a few weeks later.
No idea. I haven't opened mine yet, and I haven't seen any internal pics of this yet either.
If you are interested by this router, waiting until there is at least a few 802.11ac NICs available might be a good reason too, if you already have an RT-N66U.
Joined: 21 Nov 2010 Posts: 278 Location: North America
Posted: Thu Aug 16, 2012 14:41 Post subject:
barryware wrote:
Can you comment on if this device has an sd slot like the n66?
Pics are not available on the fcc site. Do you know of any pics that may have been posted in other forums?
Once we (we does not mean me) finish up jtag on the n66, I was thinking about getting the ac66. My hesitation is that when ever I get the latest & greatest, I get burned when a new revision comes out a few weeks later.
Joined: 21 Nov 2010 Posts: 278 Location: North America
Posted: Fri Aug 17, 2012 22:57 Post subject: Sample JTAG Session With The RT-AC66U
Sample JTAG Session With RT-AC66U Using Tiao Universal JTAG Adaptor Version 2 (Parallel Port) And
TJTAG302RC2-1 Software Running On 32-Bit WinXP Pro PC
Selected port = 0x378 <<========== WinXP also uses IRQ 7
Intial value of Control register is 000000EC
Intial value of status register is 0000007F
01111111 (0000007F)
Status bit 7 Busy Inverted pin 11 = 1
Status bit 6 *Ack pin 10 = 1
Status bit 5 Paper-out pin 12 = 1
Status bit 4 Select pin 13 = 1
Status bit 3 *Error pin 15 = 1
* means low = true, e.g., *Error
VCC connected
values of Control register after init 0x000000EC
value of status register after init 0x0000007F
system reset complete
Detected IR chain length = 32
Number of device(s) = 1
idcode 0x000c317f 32 <<========== CPU ID
Probing bus ... Done
Instruction Length set to 0
CPU Chip ID: 00000000000000000000000000000000 (00000000)
*** CHIP DETECTION OVERRIDDEN ***
- EJTAG IMPCODE ....... : 00000000000000000000000000000000 (00000000)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
- EJTAG Implementation flags: R4k MIPS32
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... DMA Read Addr = FF300000 Data = (FFFFFFFF)ERROR ON READ
DMA Write Addr = FF300000 Data = ERROR ON WRITE
Done
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Init PrAcc ... Skipped
Clearing Watchdog ... DMA Write Addr = B8000080 Data = ERROR ON WRITE
Done
DMA Write Addr = 1FC00000 Data = ERROR ON WRITE
DMA Write Addr = 1FC00AAA Data = ERROR ON WRITE
DMA Write Addr = 1FC00555 Data = ERROR ON WRITE
DMA Write Addr = 1FC00AAA Data = ERROR ON WRITE
DMA Read Addr = 1FC00000 Data = (FFFFFFFF)ERROR ON READ
DMA Read Addr = 1FC00002 Data = (FFFFFFFF)ERROR ON READ
DMA Read Addr = 1FC0001C Data = (FFFFFFFF)ERROR ON READ
DMA Read Addr = 1FC0001E Data = (FFFFFFFF)ERROR ON READ
DMA Write Addr = 1FC00000 Data = ERROR ON WRITE
DMA Write Addr = 1FC00AAA Data = ERROR ON WRITE
DMA Write Addr = 1FC00555 Data = ERROR ON WRITE
DMA Write Addr = 1FC00AAA Data = ERROR ON WRITE
DMA Read Addr = 1FC00000 Data = (FFFFFFFF)ERROR ON READ
00000000111111111111111100000000 (00FFFF00)
DMA Read Addr = 1FC00200 Data = (FFFFFFFF)ERROR ON READ
00000000111111111111111111111111 (00FFFFFF)
^C <<========================= Terminated Session
2.) Standard MIPS EJTAG signals were used (TDI, TDO, TMS, TCK, and GND) except nTRST, nSRST, and DINT. The Tiao Universal JTAG Adaptor was wired the "Wiggler Way" (buffered mode operation).
3.) Using different values with the /instrlen switch had no effect on the outcome.
4.) Execution timing is somewhat critical. Enter command at CLI but don't press "Enter". Power cycle the router and when all LEDS flash then press "Enter". (You may have to experiment with this to get the timing right.)
5.) Hopefully, Tornado can fix the TJTAG software.
Joined: 21 Nov 2010 Posts: 278 Location: North America
Posted: Wed Aug 22, 2012 7:17 Post subject: Buffalo DD-WRT F/W Flashed And Runs But Has Major Problems
I've been experimenting with one of my AC66U routers and have successfully flashed the DD-WRT Buffalo WZR-D1800H giga-build 19364 to it using the CFE because the stock firmware's Upgrade function in the Admin menu won't allow it. While the firmware does run, it reveals some major problems such as the LEDs don't work properly, and the LAN and WAN ports don't work; but amazingly the Wi-Fi does work. The DD-WRT Web GUI works and after some initial configuration changes I was able to get a wireless SSH session. The serial console port also works. See the Web GUI picture below.
Comments:
1.) The DD-WRT firmware thinks it's running on a Linksys WRT-54G/GL/GS class router.
2.) The MAC Address is totally bogus. (I may be able to fix this.)
3.) Initially the CPU Clock showed "unknown MHz", but I was able to fix it by entering nvram set clkfreq=600,300,150;nvram commit;reboot at the CLI.
4.) The firmware discovers only 128MB of the 256MB of main memory in the router. This was also verified by entering cat /proc/meminfo at the CLI.
5.) The firmware correctly finds 64KB of NVRAM.
6.) The VLANs aren't properly configured. (Not Shown)
7.) IMHO, I believe BrainSlayer should be able to fix these problems.
8.) If you're a N00Bplease don't try loading this firmware.
- Magnetron1.1
DD-WRT_Web_GUI.png
Description:
DD-WRT Web GUI
Filesize:
78.08 KB
Viewed:
57543 Time(s)
Last edited by Magnetron1.1 on Wed Aug 22, 2012 12:35; edited 1 time in total
admin@RT-AC66U:/tmp/home/root# dmesg|grep -E '\-0x|MTD|Bad|nvram|Boot|flash'
Found an ST compatible serial flash with 32 64KB blocks; total size 2MB
pflash: found no supported devices
Boot partition size = 262144(0x40000)
Creating 2 MTD partitions on "sflash":
0x00000000-0x00040000 : "pmon"
0x001f0000-0x00200000 : "nvram"
Found a Samsung NAND flash with 2048B pages or 128KB blocks; total size 128MB
lookup_nflash_rootfs_offset: offset = 0x0
nflash: squash filesystem with lzma found at block 9
Creating 2 MTD partitions on "nflash":
0x00000000-0x02000000 : "linux"
0x001313e8-0x02000000 : "rootfs"
Bad block table found at page 65472, version 0x01
Bad block table found at page 65408, version 0x01
nand_read_bbt: Bad block at 0x03400000
Creating 2 MTD partitions on "brcmnand":
0x00000000-0x02000000 : "trx"
0x02000000-0x07f00000 : "brcmnand"
dev_nvram_init: _nvram_init
_nvram_init: allocat header: 2280980480, size= 65536
root@AsusRT-AC66URT2:~# dmesg|grep -E 'nvram|MTD|flash|\-0x|trx|NAND|Bad'
Found an ST compatible serial flash with 32 64KB blocks; total size 2MB
scan for nvram at 20000
scan for nvram at 40000
scan for nvram at 80000
scan for nvram at 100000
scan for nvram at 200000
found nvram at 1F0000
pflash: found no supported devices
no filesys. assume nflash devices
nvram size: 65536
Creating 3 MTD partitions on "sflash":
0x00000000-0x00200000 : "cfe"
0x001d0000-0x001e0000 : "nvram"
0x001f0000-0x00200000 : "nvram_cfe"
Found a Samsung NAND flash with 2048B pages or 128KB blocks; total size 128MB
lookup_nflash_rootfs_offset: offset = 0x0
found trx at 0, len =15736832
nflash: squash filesystem with lzma found at offset 0
Creating 2 MTD partitions on "nflash":
0x00000000-0x02000000 : "nandimage"
0x001b2000-0x02000000 : "rootfs"
NAND device: Manufacturer ID: 0xec, Chip ID: 0xf1 (Samsung NAND 128MiB 3,3V 8-bit)
NAND device: mtd->writesize=2048 mtd->oobsize=64 mtd->erasesize=131072 busw=0
NAND device: page_shift=11 pagemask=65535 bbt_erase_shift=17 chip_shift=27 badblockpos=0 options=1011d
Bad block table found at page 65472, version 0x01
Bad block table found at page 65408, version 0x01
nand_read_bbt: Bad block at 0x03400000
Creating 2 MTD partitions on "brcmnand":
0x00000000-0x02000000 : "linux"
0x02000000-0x07f00000 : "ddwrt"
found nvram
found cfe nvram
The reason this works is that it uses the same chipset and wifi radio as the buffalo, as soon as brainslayer commites the d1800h to the public repo, I probably could get support for this in a few days... Its a matter of doing a gpio pull and finding out leds and reset and wds. I have a ticket in to commit to public repo..... Fingers crossed.
P.s. the reason this comes up as a GL/GS is that is default if not found in broadcom-sysinit, if this is defined it would come up correctly...
Joined: 21 Nov 2010 Posts: 278 Location: North America
Posted: Thu Aug 23, 2012 5:51 Post subject:
Fractal wrote:
The reason this works is that it uses the same chipset and wifi radio as the buffalo, as soon as brainslayer commites the d1800h to the public repo, I probably could get support for this in a few days... Its a matter of doing a gpio pull and finding out leds and reset and wds. I have a ticket in to commit to public repo..... Fingers crossed.
P.s. the reason this comes up as a GL/GS is that is default if not found in broadcom-sysinit, if this is defined it would come up correctly...
-Fractal
Yes ... I'm well aware of all these facts. This is why I chose to flash this Buffalo firmware set. I was expecting an "identity" crisis and a whole lot worse.
"Most NAND devices are shipped from the factory with some bad blocks. These are typically marked according to a specified bad block marking strategy. By allowing some bad blocks, the manufacturers achieve far higher yields than would be possible if all blocks had to be verified good. This significantly reduces NAND flash costs and only slightly decreases the storage capacity of the parts."
Currently the Samsung 128MB NAND flash memory k9f1g08u0d-scb0 (the one used in this router) can be bought for about $2.90/ea in lots of 10.
RMerlin wrote:
Otherwise, the map looks a bit odd, but should be mostly OK I think. Looks like all the needed mtd management code is there.
What's really strange about the DD-WRT flash memory mapping are the 2 NVRAMs: "nvram" and "nvram_cfe". You're probably wondering what this is all about. Here's a quote from one of BrainSlayer's earlier posts in the WZR-D1800H forum.
BrainSlayer wrote:
"nvram_cfe gets only copied to nvram if nvram is empty. so only if you erase nvram or on first boot. so the nvram_cfe is untouched at all. except by the bootloader. but there is also some benefit in it. nvram_cfe can be used to create own factory default settings."
This was something he noticed that Buffalo was doing in their firmware builds and he decided to follow suit.
RMerlin wrote:
I see no jffs partition tho - is that normally only created by DD-WRT if you actually enable it?
Actually mtd6 "ddwrt" becomes the jffs partition when JFFS2 Support is enabled on the Administration menu and the router is rebooted.
root@AsusRT-AC66URT2:~# cat /proc/filesystems
nodev sysfs
nodev rootfs
nodev bdev
nodev proc
nodev sockfs
nodev pipefs
nodev tmpfs
nodev devpts
nodev ramfs
nodev devfs
squashfs
nodev usbfs
nodev jffs2<<=== This entry appears after JFFS2 is enabled and the router is rebooted
nodev cifs
root@AsusRT-AC66URT2:~# mount<<=== Check mount points
rootfs on / type rootfs (rw)
/dev/root on / type squashfs (ro)
none on /dev type devfs (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
ramfs on /tmp type ramfs (rw)
devpts on /dev/pts type devpts (rw)
devpts on /proc/bus/usb type usbfs (rw)
/dev/mtdblock/6 on /jffs type jffs2 (rw)<<=== Auto-mounted by firmware
root@AsusRT-AC66URT2:~# df -h /jffs<<=== Show space allocation on the partition
Filesystem Size Used Available Use% Mounted on
/dev/mtdblock/6 95.0M 2.5M 92.5M 3% /jffs<<=== Firmware is doing std block i/o
root@AsusRT-AC66URT2:~# ls -l /jffs<<=== No sub-directories or files here
root@AsusRT-AC66URT2:~# <<=== Nothing is listed
##### Copy some files to /jffs #####
root@AsusRT-AC66URT2:~# cp /bin/busybox /jffs
root@AsusRT-AC66URT2:~# dd if=/dev/zero of=/jffs/allzeros bs=512 count=20000
20000+0 records in
20000+0 records out
root@AsusRT-AC66URT2:~# ls -l /jffs<<=== List files (file size is in bytes)
-rw-r--r-- 1 root root 10240000 Jan 2 00:49 allzeros
-rwxr-xr-x 1 root root 402687 Jan 2 00:42 busybox
root@AsusRT-AC66URT2:~# df -h /jffs<<=== Show space allocation on the partition
Filesystem Size Used Available Use% Mounted on
/dev/mtdblock/6 95.0M 2.8M 92.2M 3% /jffs
##### Unmount /jffs #####
root@AsusRT-AC66URT2:~# umount /jffs
root@AsusRT-AC66URT2:~# mount<<=== Check mount points -- /jffs gone
rootfs on / type rootfs (rw)
/dev/root on / type squashfs (ro)
none on /dev type devfs (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
ramfs on /tmp type ramfs (rw)
devpts on /dev/pts type devpts (rw)
devpts on /proc/bus/usb type usbfs (rw)
##### Re-mount /jffs #####
root@AsusRT-AC66URT2:~# mount -t jffs2 -w /dev/mtdblock/6 /jffs
root@AsusRT-AC66URT2:~# mount<<=== Check mount points
rootfs on / type rootfs (rw)
/dev/root on / type squashfs (ro)
none on /dev type devfs (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
ramfs on /tmp type ramfs (rw)
devpts on /dev/pts type devpts (rw)
devpts on /proc/bus/usb type usbfs (rw)
/dev/mtdblock/6 on /jffs type jffs2 (rw)<<=== Successful re-mount
root@AsusRT-AC66URT2:~# ls -l /jffs<<=== The files still exist and will continue to exist
-rw-r--r-- 1 root root 10240000 Jan 2 00:49 allzeros <<=== even when the router is power cycled
-rwxr-xr-x 1 root root 402687 Jan 2 00:42 busybox <<==="