AR300M brick and..recovery attempt

Hi there,
the following the tell you a brick story of a AR300M (v.1.3.1). I have tried to update the u-boot on serial using the following
https://raw.githubusercontent.com/gl-inet/gl-uboot-source-for--ar300m/master/bin/uboot-gl-ar300m.bin. However for some reasons,
the downloaded file was corrupted and I have not done an md5 check before using it via tftp ( first error!! ).
On serial console, I have done and got the following:

U-Boot 1.1.4-g87b46363-dirty (Jul 6 2016 - 08:09:50)

cus531 - Honey Bee 2.0DRAM:
sri
Honey Bee 2.0
ath_ddr_initial_config(195): (16bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x8, 0x25)
Tap values = (0x16, 0x16, 0x16, 0x16)
128 MB
Top of RAM usable for U-Boot at: 88000000
Reserving 242k for U-Boot at: 87fc0000
Reserving 192k for malloc() at: 87f90000
Reserving 44 Bytes for Board Info at: 87f8ffd4
Reserving 36 Bytes for Global Data at: 87f8ffb0
Reserving 128k for boot params() at: 87f6ffb0
Stack Pointer at: 87f6ff98
Now running in RAM - U-Boot at: 87fc0000
Flash Manuf Id 0xef, DeviceId0 0x40, DeviceId1 0x18
flash size 16MB, sector count = 256
Flash: 16 MB
*** Warning *** : PCIe WLAN Module not found !!!
In: serial
Out: serial
Err: serial
Net: ath_gmac_enet_initialize…
No valid address in Flash. Using fixed address
No valid address in Flash. Using fixed address
ath_gmac_enet_initialize: reset mask:c02200
Scorpion ---->S27 PHY*
S27 reg init
: cfg1 0x800c0000 cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
athrs27_phy_setup ATHR_PHY_CONTROL 4 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 4 :10
eth0 up
Honey Bee ----> MAC 1 S27 PHY *
S27 reg init
ATHRS27: resetting s27
ATHRS27: s27 reset done
: cfg1 0x800c0000 cfg2 0x7214
eth1: 00:03:7f:09:0b:ad
athrs27_phy_setup ATHR_PHY_CONTROL 0 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 0 :10
athrs27_phy_setup ATHR_PHY_CONTROL 1 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 1 :10
athrs27_phy_setup ATHR_PHY_CONTROL 2 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 2 :10
athrs27_phy_setup ATHR_PHY_CONTROL 3 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 3 :10
eth1 up
eth0, eth1
Qualcomm Atheros SPI NAND Driver, Version 0.1 (c) 2014 Qualcomm Atheros Inc.
====== NAND Parameters ======
sc = 0x87ff5160 page = 0x800 block = 0x20000Setting 0x181162c0 to 0x7efda100
Protect off 9F040000 … 9F04FFFF
Un-Protecting sectors 4…4 in bank 1
Un-Protected 1 sectors
Erasing Flash…Erasing flash…
First 0x4 last 0x4 sector size 0x10000 4
Erased 1 sectors
Writing to Flash… write addr: 9f040000
done
Protecting sectors 4…4 in bank 1
Protected 1 sectors
Warning: Bootlimit (3) exceeded. Using altbootcmd.
Hit any key to stop autoboot: 0
ath> printenv
Unknown command ‘printenv’ - try ‘help’
ath> printenv
bootargs=board=CUS531-NAND console=ttyS0,115200 ubi.mtd=5,2048 root=/dev/mtdblock8 mtdparts=spi0.0:256k(u-boot)ro,64k(u-boot-env),128k(reserved),64k(art);spi0.1:2m(kernel),20m(rootfs),106m(data),22m@0x0(firmware) rootfstype=squashfs,jffs2 noinitrd
bootcmd=if nand bad; then nboot 0x81000000 0; else bootm 0x9f050000; fi
bootdelay=1
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
ipaddr=192.168.1.1
serverip=192.168.1.2
loadaddr=0x80800000
dir=
bootlimit=3
altbootcmd=if nand bad; then bootm 0x9f050000; else tftp 0x80060000 ${dir}openwrt-gl-ar300m.bin && erase 0x9f050000 +e30000 && cp.b $fileaddr 0x9f050000 $filesize && bootm 0x9f050000; fi
nlf=tftp 0x81000000 openwrt-ar71xx-nand-gl-ar300m-ubi.img && nand erase && nand write $fileaddr 0 $filesize
lu=tftp 0x80060000 ${dir}uboot_for_gl-ar300m.bin && erase 0x9f000000 +50000 && cp.b $fileaddr 0x9f000000 $filesize; reset
lf=tftp 0x80060000 ${dir}openwrt-gl-ar300m.bin && erase 0x9f050000 +e30000 && cp.b $fileaddr 0x9f050000 $filesize; if nand bad; then run nlf; fi
lc=if ping 192.168.1.2; then tftp 0x81000000 config.bin && cp.b 0x9fff1000 0x80060000 0xf000 && cp.b 0x81000000 0x80060002 0x06 && erase 0x9fff0000 +0x10000 && cp.b 0x81000000 0x9fff0000 $filesize && cp.b 0x80060000 0x9fff1000 0xefff; else setenv bootcount 1 && saveenv && bootm 0x9fe80000; fi
ethact=eth0
stdin=serial
stdout=serial
stderr=serial
bootcount=6

Environment size: 1385/65532 bytes
ath> run lu
Trying eth0
dup 1 speed 100
Using eth0 device
TFTP from server 192.168.1.2; our IP address is 192.168.1.1
Filename ‘uboot_for_gl-ar300m.bin’.
Load address: 0x80060000
Loading: #########
done
Bytes transferred = 40973 (a00d hex) ## Damn!!
Erasing flash…
First 0x0 last 0x4 sector size 0x10000 4
Erased 5 sectors
Copy to Flash… write addr: 9f000000

Lost connection at this point …

In order to recover this condition,
I’ve tried to re-flash it by using CH341A ( black edition ) programmer with a SOIC8 in-circuit clip and the correct .bin
( I think … see further considerations below ), but several errors occurred.
So, after several unsuccessful attempt, I’ve connected a Buspirate 3.6 board and used flashrom ( always using the SOIC8 clip ),
but with no success. Next, I’ve tried to investigate if the W25Q128FVSIG chip is correctly working …

HiZ>m

1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. KEYB
9. LCD
10. PIC
11. DIO
    x. exit(without change)

(1)>5
Set speed:

1. 30KHz
2. 125KHz
3. 250KHz
4. 1MHz
5. 50KHz
6. 1.3MHz
7. 2MHz
8. 2.6MHz
9. 3.2MHz
10. 4MHz
11. 5.3MHz
12. 8MHz

(1)>4
Clock polarity:

1. Idle low *default
2. Idle high

(1)>2
Output clock edge:

1. Idle to active
2. Active to idle *default

(2)>1
Input sample phase:

1. Middle *default
2. End

(1)>1
CS:

1. CS
2. /CS *default

(2)>2
Select output type:

1. Open drain (H=Hi-Z, L=GND)
2. Normal (H=3.3V, L=GND)

(1)>2
Clutch disengaged!!!
To finish setup, start up the power supplies with command ‘W’
Ready

Now, with router powered on ( Buspirate power supply not in use! ) and the following connections:

/CS → pin 1 , DO (MISO)-> pin 2, GND → pin 4, DI (MOSI) → pin 5 and CLK → pin 6.

SPI>[ 0b11 0x00 0x00 r:2 r:2 ]
/CS ENABLED
WRITE: 0x03 ## Interface hangs

At this point I suspect the chip is definitively gone ( damn … ): I’ve discovered also, the CH341A programmer ( black edition ) always power 5V
and the chip, by datasheet, pretend at maximum 3.6V and probably here another great mistake!!

I don’t know at this point if I can do something other, but if the hypothesis are correct ( chip fried and so on ) and suppose I’m able to replace
the chip by desolder-solder ( I’ve the right equipment … a kind of beast is here in soldering … work in progress ):

1. Probably I can replace the chip with the following W25Q128JVSIQ-ND @Digikey, correct?
2. If 1 is true, could someone in case the downloaded .bin is not right for this environment, provide the right .bin ( or better a full dump of nand )?
3. Other suggestions?

I will grateful to anyone for each suggestion that can permit to learn a lot by this experience.
Thank you

1. not sure about the flash. But if it is the same brand and size, it should be OK.
2. the uboot should be correct. Just need to check the md5 : 2d34d88fd33fa9128afc1d51269ee9c7
3. I think the flash programmer should be fine. But I may be wrong. The only thing need to take care is that don’t mount the flash in the wrong way. Otherwise you will burn it in seconds. The flash will become very very hot and then smoke.

I have a problem with my flash also. The device was working fine but decided I wanted to attempt to get have it duel booting firmware with the switch. I was looking at a thread on this [AR-300M] Change firmware with button (NAND and NOR) - #13 by nopro404 I also posted my problem there but thought here was more appropriate place I should ask for assistance. The bottom line is I used an incorrect version of uboot and was not bootable. I did copy my working uboot before updating but was unable to recover it. I also copied my flash with the corrupted uboot. I did attempt to overwrite the working uboot to the flash with a flash programmer but all I get is uboot not access via serial console or netconsole. I can get to the uboot web interface and it appears to write to the flash but there is no boot to NAND or NOR. As I have a copy of my flash can I get some assistance in fixing my flash?
I can read, copy and write it no problem but programming I am not getting it to work. I have made numerous attempts but still no success.
Thank You.

Hello, another incautious user here.
I was upgrading the uboot with an image found on the github repo of GL.inet (by using http://192.168.1.1/uboot.html), but after some minutes the router had all three LEDs steady on, and it does not show any connection to my NIC.
Tomorrow a USB to SERIAL adapter is shipping home, but meanwhile I thought to register here too…
I don’t think the connection to putty will deliver any info. The box seems totally fried.
Will report back, but I’d like to know if there is a way to flash the eeprom…
Thanks for your time,
Gabriel

brick1291×1510 505 KB

If there is no output from the serial port at all, then you need to take off the Nor flash and flash using a programmer.

Sadly I confirm it.
I just fried all the eeprom. I can manage flashing the chip with a programmer, but where do I find the image?
Are the MAC addresses written in the original firmware that I lost?

I know I did a bad job frying it, but I’d be very very grateful to be able to recover it.
Any help is really welcome.
Yesterday night I was so pissed I burnt it I couldn’t get asleep.

Oh well, not actually frying it, but at least scramble…

Sorry…maybe I, made a stupid question.

is it correct to flash openwrt-ar71xx-nand-gl-ar300m-ubi.img made with the domino-team guide on github on the chip?
I’m going to use a programmer similar to the one linked above, the CH341A, with 3.3V jumper.

Has this procedure a chance to recover the router?

Hey there,

TLDR - writing directly the image in the flash didn’t do the trick for me personally but if you get some guidance or find out how to do it, please post it here and tag me as it would nice to learn something new

You can recover it but I suggest to contact the support team via email to confirm the image you need to write in the flash. I suggest you write in the NOR flash first as that one imho is easier to work with while the NAND is a bit more difficult when you want to just write from empty.
All the mac address, serial number and rf tuning are stored in the art partition which you can get again from support over email and then identify where it is stored and replace it in the flash.
In my case I had another ar300m so I was able to grab the image from there and then replace the art partition. You can read my journey here : GL-AR300M Unable to flash NAND - #33 by misujr and see how I have managed to get it back basically.

BR,
Misujr

Hey Misujr! Thank you very much for the answer!
I’ll have the programmer shipped at my home in just a few hours, and I can’t wait to try and recover the router.
I will contact the customer service and hope they can provide me a backup of the ART partition… but in any case they cannot help, could you pass me your dump?
I hope following step by step your journey will help me recover this little and capable box.

Thank you a lot, really!
Best wishes,
Gabriel

First thing is to flash the uboot at the beginning of the router.

Then you should be able to do everything in the uboot console.

Hi Gabriel,

The dump from my flash memory is taken using the method I have described in my post so it is of no use with a CH341A programmer ( I have tried myself to use it like that). I can take a dump with a CH341A but that will be only later next week as now I am out of office.
Mean time please try what alzhao just suggested in post 11 as that should be a much better solution than getting my dump reflashed and then trying to fix it .
If that doesn’t work, just update the thread and I will take a dump with a CH341a and send that to you ( though I will scramble the MAC and the SN to avoid issues with the ddns service from glinet) .

Best Regards,
Misujr

If @bright_plastik still have the bottom sticker he can write to us and get the back up of radio data, mac addresses etc.

UPDATE! I documented myself, and understood how to plug the programmer. I made a dump of the chip, just in case… It is a little more than 16MB, but dunno what to do with it, as it is corrupted. Maybe I can recover the mac addresses and calibration out of it?

(OLD) Hey fellow recoverer!
Today I got my CH431A. It has a clamp and all the jazz. I had to resume an old laptop with win7 to avoid problems with drivers, and now I’m looking at the pins and connections with cold sweat.
I see in the other thread you pointed the pin 1, on the chip. Thanks. Now, on the rear of the programmer I see two slots: one is marked 25 SPI and the other 24 I2C. I rekon I should connect to the 25 SPI, but I’d love to receive your imput and confirmations. I attach a picture (open it for full image):

[Album] imgur.com

I even read somewhere that modifications on the CH431 have to be made to provide 3.6V…but I think they are not needed. I see the traces marks on pcb, and they indicate 3.3V on the two slots, on the lower right pin (pin8). Nonetheless, an indication of position and direction to plug the clamp to pcb would be welcome.
Before I manage burning my chip and wait for a substitute, I wait for your suggestions!

I got in contact with the customer support, meanwhile. It was the omnipresent @alzhao, again! I’ll wait next week for a dump of my ART partition, so I have everything needed.

You can check this thread:

I posted a link to a guide I made how to use the clamp and the program for it.

@alzhao, just a fast question.
In the email you mention to desolder the chip from the pcb. Is it needed because some other components on pcb can interfere with read and write?

You seem to have gotten the type of device that I got so it is fairly straight forward:

1. Use the SPI bay (25 SPI)
2. According to the silk screen and also my own adapter, Pin 1 is the pin near the “I” of SPI but please MEASURE FIRST ! Use a multimeter and determine where you have 3.3v and where you have GND. VCC, RESET and WP should have 3.3 or close to this value. The silk screen is not the always going to match the real product sadly.
3. To use the CLIP, plug the clip in the adapter pcb, the adapter pcb will generally have a small dot to indicate where it should be pin1. Then measure pn the clip to be sure you got it right just like at step 2.(if you are lucky, the clip wire ribbon will have one wire of another colour and then you can orient that to be near the dot that marks pin 1 and this way you know where pin1 is always.
4. Here it is a bit of a split
   A. @Johnex made a great guide and he managed to flash similar memories while the memory ic was soldered to the pcb. Try this way first but make sure you have the router unplugged from power.
   B. @alzhao recommends the same way I used and that means you your clip will only power the IC and it will not actually power the rest of the router plus in my case it was the only way I managed to get it to work.
   Both ways are good it’s down to you which way you pick but I would try them in order starting with the easier one.

I hope these steps make sense and will help you .

BR,
Misujr

The correct way if the chip is already on the board is to use a clip. There are countless videos on youtube of people flashing the bios on motherboards and doing memory modification like I did in the guide.

If the chip is not on the board anymore, then you use a SOP8 socket like this:

As an example:

I managed to connect it! Thanks a lot to everyone!

Now, I made a backup of the image present on the chip.

It’s a bunch of characters, but maybe the ART section is still usable.

Can you tell me how I can restore only the uboot section?
(it is the section that got corrupted while I was trying to upgrade it)
Is there a way to flash only a sector of the chip, like you do in the partitions of the drives? I’d like to keep the calibration data and mac addresses, and flash the new uboot with the programmer…
Anyone knows?

Again, my great gratitude for all your support.

Awesome that you got a backup !
Here I will let others that know better how to flash only the Uboot as I don’t know that. As far as I know you can flash only bits of the IC(using flashrom under linux I know this but surely the software for CH341 should have such option) , just have to flash them at correct addresses but again I don’t have that as hands on experience.