Asus RT-N56U - How to debrick?

Installing and Using OpenWrt
1

Hello,

i recently tried to flash an Asus RT-N56U with Lede 17.01.2 (TFTP Method). Unfortunately there seems to be a bug (#735), that using a lede version > 17.01.0 results in a boot loop

Well, so it seems that i did the initial flash with a damaged version of lede and the router seems to be bricked. I tried all the different types of recovery options, but i still get no ping (i'm not a newbie, i did some recoveries before, so i really think it could be bricked):

1.) Pressing reset or WPS button before plugging the router => slow flashing led (recovery mode), but no ping
2.) pressing reset or wps buttons once after plugging the router in did not work => fast flashing led (failsafe mode), but no ping
3.) Recovery Utility and different types of other "recovery modes" described in the forums did not work

So, the Asus RT-N56U has a serial port. I opened the device and used a serial cable, but for now, there is no exact documentation for the device in the wiki, but some information is present:

https://wiki.openwrt.org/toh/asus/rt-n56u

Now, serial debricking seems to be not as easy, i never did it. The documentation (https://wiki.openwrt.org/doc/howto/generic.debrick) contains information about JTAG and there is some information about serial here: https://wiki.openwrt.org/doc/howto/generic.flashing.serial

What would be the next steps to perform the debrick?
Do i need some hardware adresses (0x...) for the debrick?

Thank you.

2

Yes, you need some hardware:

  1. USB TO TTL (i.e : https://www.amazon.com/Armorview-PL2303HX-RS232-Module-Converter/dp/B008AGDTA4)
  2. Solder
3

@ahmadrasyidsalims
Thank you for your answer.

Sure, i've got the hardware, solder and usb to ttl cable. I connected it, and i have serial access. The question is, how can i now debrick the thing via serial? I got a serial connection and the image on my laptop.

What commands do i need to do for the debrick on this specific device?
How do i find out whats wrong (is there documentation about it), perhaps i could help the lede project making the image to work again on rt-n56u or provide some important logs?
Do i just need to overwrite / erase something or can i assign an ip in recovery mode to do the tftp flash? What would be the easiest and most secure way (to prevent damaging something )?

4

Type 2

The firmware should be already available in your root tftp server

5

Ok, to be sure, everything is clear:

  • I flashed a "damaged" lede image via tftp, which led to a boot loop.
  • Then i established a serial connection, because of the fact that i did not get an ip / ping to upload another image (recovery mode or failsafe not possible)
  • Now you suggest, to Load system code then write to flash via tftp

Sorry, for potentially asking dumb questions: Am i completely wrong or wouldn't this lead to a reflash with the damaged image??

I think i would need to upload a new image to the device without having an ip, so the next step would be transfer a valid image to the device, then flash it or reverting the device to factory defauls (Asus orginal image)?

6

Would you please attach the serial console bootlog of the crashing LEDE to https://bugs.lede-project.org/index.php?do=details&task_id=735. Without knowing why the kernel crashes, it is near to impossible to fix the reason for the crash.

The bug report you already mentioned has a guide to debrick the RT-N56U:

Recovery is done by flashing any other FW, padawan, openwrt or lede 17.01.0 using Asus FW restoration utility. It is only way to connect to router when bootlooping, no SSH or telnet connection.

7

The ASUS restoration utility makes these routers almost unbrickable, get your router in recovery mode. --> power off, hold reset button and power on until the power led blinks slowly. Then launch the restoration utility. Would be best to put a static IP on your connected PC. You may have to try it a few times.

1 Like
8

This^. You need a static IP address in the 192.168.1.x range and make sure that you ONLY have the wired interface to the router connected to the computer that you are running when you open the ASUS utility. It will try all connected interfaces (wired and wireless) and it can latch onto the wrong interface.
If you are getting an error from the ASUS utility, please post the error message. I have one of these that I have bricked and unbricked several times and the utility works like a charm.

@mkresin I will try to reproduce this on my test RT-N56U, I wonder if its related to FS#652

Aaron Z

9

I had a similar issue with the ASUS rt-56ac, sometimes took a couple tries, but was able to successfully unbrick the device when a lede flash went badly. The asus utility seems to work pretty well, although I did encounter an issue where I had to select the image I wanted to flash very quickly as there seemed to be a countdown before the router became unreachable again.

10

@aczlan
@mkresin

Many thanks for the support (i can't thank all of you because of the new user limit :-). I will check the Recovery Utility again, but as I said: In my opinion i tried almost everything to get the recovery working but I failed.

Unfortunately, I am on vacation until july, so I can not test anything atm.
As soon as I am back, I will check the whole thing again and append the bootlog.

11

@mkresin
I flashed both 17.01.1 and 17.01.2 to my RT-N56U and got the same bootloop, my logs are attached to FS#735.

Aaron Z

12

When you hit "Upload" in the ASUS Utility, the connection to the router that is in rescue mode must be the only enabled/connected network interface. Otherwise, it will error out and complain that it cannot connect or that it is not in rescue mode.

Aaron Z

1 Like
13

i have also a rt-n56u in boot loop.
i cannot exactly remember what was the root cause. in think i have flashed some trunk version and with "sysupgrade" i also did a factory reset.
somewhere there was the information that this will brick the device?

i tried everything, but the IP cable from Router to my PC is always detected as "unconnected".
That means the IP ports of the router are not working and because of that also the TFTP recovery cannot work.
I also tried to play with the serial console and uboot, but i cannot stop this autoreboot
(my ttl adapter is from pollin)

Is there any chance to bring the device back in a normal state?
Can i flash the uboot via serial connection?
the uboot i have found here:

The output of the serial interface looks like:

Starting kernel ...

[ 0.000000] Linux version 4.4.47 (buildbot@builds-02.infra.lede-project.org) (gcc version 5.4.0 (LEDE GCC 5.4.0 r3103-1b51a49) ) #0 Mon Feb 6 21:34:28 2017
[ 0.000000] SoC Type: Ralink RT3883 ver:1 eco:5:
[ 2.340439] 4 ofpart partitions found on MTD device 1c000000.nor-flash
[ 2.353502] Creating 4 MTD partitions on "1c000000.nor-flash":
[ 2.365139] 0x000000000000-0x000000030000 : "u-boot"
[ 2.376910] 0x000000030000-0x000000040000 : "u-boot-env"
[ 2.389699] 0x000000040000-0x000000050000 : "factory"
[ 2.401865] 0x000000050000-0x000000800000 : "firmware"
[ 2.417068] rtl8367 rtl8367: using GPIO pins 1 (SDA) and 2 (SCK)
[ 2.429223] rtl8367 rtl8367: ACK timeout
[ 2.437047] rtl8367 rtl8367: unable to read chip number
[ 2.447469] rtl8367 rtl8367: chip detection failed, err=-145
[ 2.458777] rtl8367: probe of rtl8367 failed with error -145
[ 2.472008] mtk_soc_eth 10100000.ethernet: using fixed link parameters
[ 2.485078] mtk_soc_eth 10100000.ethernet eth0 (uninitialized): link up (1000Mbps/Full duplex)
[ 2.503055] mtk_soc_eth 10100000.ethernet eth0: mediatek frame engine at 0xb0100000, irq 5
[ 2.520190] rt2880_wdt 10000120.watchdog: Initialized
[ 2.531777] NET: Registered protocol family 10
[ 2.544824] NET: Registered protocol family 17
[ 2.553841] bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this.
[ 2.578993] 8021q: 802.1Q VLAN Support v1.8
[ 2.590562] VFS: Cannot open root device "(null)" or unknown-block(0,0): error -6
[ 2.605550] Please append a correct "root=" boot option; here are the available partitions:
[ 2.622212] 1f00 192 mtdblock0 (driver?)
[ 2.632288] 1f01 64 mtdblock1 (driver?)
[ 2.642360] 1f02 64 mtdblock2 (driver?)
[ 2.652432] 1f03 7872 mtdblock3 (driver?)
[ 2.662502] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
[ 2.680044] Rebooting in 1 seconds..

U-Boot 1.1.3 (Jan 12 2011 - 11:35:36)

Board: Ralink APSoC DRAM: 64 MB
relocate_code Pointer at: 837c4000

Software System Reset Occurred

flash_protect ON: from 0xBC000000 to 0xBC02AFAF
flash_protect ON: from 0xBC030000 to 0xBC030FFF
*** Warning - bad CRC, using default environment

Ralink UBoot Version: 3.5.2.0

ASIC 3883_MP (MAC to VITESSE Mode)
DRAM component: 1024 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 128 MBytes
Flash component: NOR Flash
Date:Jan 12 2011 Time:11:35:36

icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768

The CPU freq = 500 MHZ

estimate memory size =64 Mbytes

Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
7: Load Boot Loader code then write to Flash via Serial.
9: Load Boot Loader code then write to Flash via TFTP.

You choosed 3

early Realtek giga Mac support...
GPIOMODE current: 181c
GPIOMODE writing: 181d
GPIOMODE current: 181d
get reg 0x1300: 837ee158
.....

When i reset into the failsafe mode i see the following messages, but as the IP ports are dead nothing can be done:

U-Boot 1.1.3 (Jan 12 2011 - 11:35:36)

Board: Ralink APSoC DRAM: 64 MB
relocate_code Pointer at: 837c4000
flash_protect ON: from 0xBC000000 to 0xBC02AFAF
flash_protect ON: from 0xBC030000 to 0xBC030FFF
*** Warning - bad CRC, using default environment

Ralink UBoot Version: 3.5.2.0

ASIC 3883_MP (MAC to VITESSE Mode)
DRAM component: 1024 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 128 MBytes
Flash component: NOR Flash
Date:Jan 12 2011 Time:11:35:36

icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768

The CPU freq = 500 MHZ

estimate memory size =64 Mbytes

Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
7: Load Boot Loader code then write to Flash via Serial.
9: Load Boot Loader code then write to Flash via TFTP.

You choosed 3

0

early Realtek giga Mac support...
GPIOMODE current: 181c
GPIOMODE writing: 181d
GPIOMODE current: 181d
get reg 0x1300: 837ee158
....
get reg 0x1300: 837ee158
rtk_switch_init(): return 14
rtl8367m_switch_init_pre() return 14

Bootloader version: 1.0.0.6
MAC Address: 20:CF:30:B7:A2:49

GPIOMODE before: 181d
GPIOMODE writing: 181d
GPIOMODE restoring: 181d
BTN_RESET pressed

Enter Rescue Mode

3: System Boot system code via TFTP.

NetTxPacket = 0x838072C0

KSEG1ADDR(NetTxPacket) = 0xA38072C0

NetLoop,call eth_halt !

NetLoop,call eth_init !
Trying Eth0 (10/100-M)

Waitting for RX_DMA_BUSY status Start... done

set MDIO_CFG as MAC_FORCE, SPD 1000M, FULL_DUPLEX

Realtek giga Mac support..
software reset RTL8367M...
get reg 0x1300: 837d0654
....
get reg 0x1300: 837d0654
rtk_switch_init(): return 14
rtl8367m_switch_init() return 14

Header Payload scatter function is Disable !!

ETH_STATE_ACTIVE!!
Using Eth0 (10/100-M) device

Our IP address is:(192.168.1.1)
Wait for TFTP request...
T T T T T T T T T T T T T T
14

Have you tried the Asus firmware restoration utility? Get the sysupgrade version of Lede 17.01.4 and the utility from https://www.asus.com/us/Networking/RTN56U/HelpDesk_Download/ (click See all downloads under Utilities). The documentation is here: https://www.asus.com/support/FAQ/1000814/

Push the reset button for about 5 seconds while you plug in the power cable. It doesn't work perfectly every time, some times it helps to try a different ethernet port.

15

http://rt-n56u.soulblader.com/files/current/

I found this link. Apparently it seems someone is maintaining current n56u padavan builds. I know you can build them yourself but I want to know if this is legit. Like if there is any cryptojacking involved or if any data is being sent to some servers. If not I am curious if it is working as fresh build. I will probably be getting my hands on an n56u soon and will flash it with this. Then I will use it as a wired router and connect some UAPs or TPLink EAPs to it to get some good backhaul router and good AC APs. I tried the ERX- 5-port but I'd rather use something like this.

16

I also run into boot loop with my rt-n56u after flashing lede-17.01.4 by tftp method.

In my opinion the tftp transfer of the image ran far to quick ~1.5s ?. Don't know whether this was the root cause....

Tried also ASUS utility (192.168.1.x/24 or other variants I found) and also I am not able to connect to my router in recovery mode (power led blinks). Ping neigther works. Also tried it under windows or linux. No success. Seems that the lan interfaces do not work anymore.

@sandreas @waldoo: did you solve this problem (for example via serial connection)?

Triaholgi

17

Unfortunately not. The lan ports are completely down and i have tried everything possible i know and understand.
Also it gets very hot while it is in this reboot loop.
The strange thing is that i have the same one running stable with 17.01.4, but there i did a normal sysuprade -c starting i think from some openwrt version.

As far as i remember my router got bricketed while installing some trunk version and did a factory reset.

Last week i have installed on my TP-link a firmware via TFTP and also there the transfer was very quick. I think it is becuase the image is not so big and the ip ports have a high speed at this time

18

I have seen some posts where it can take up to an hour or more for the router to reboot after using the ASUS Firmware Utility.

19

It sounded like there were two separate issues causing bootloop problems.

https://bugs.lede-project.org/index.php?do=details&task_id=462

Did you use sysupgrade or factory image?

20

at least from my side i cannot exactly remember as it was too long ago.

@jwoods:
for me this is not working as the outer hangs in an reboot loop, you see this in serial console.
Also the device is getting very, very hot after some Minutes. Also the output in the serial interafe shows then special unknown caracters and is very slow. It think this is because the processor is too hot to work