Example of repairing the router via JTAG (ar724x)

Note: The list of routers on which the main configuration file for OpenOCD should work can in fact be much larger (almost all AR724x processors). However, each platform 1) needs an appropriate loader, modified so that it can be loaded into SDRAM without loss of functionality.

The pinout of the EJTAG v3.1 interface on the AR724x looks like this:

JTAG common name          AR724x pin    EJTAG connector for DIR-615 Ex
EJTAG_SEL (do not use)    79            ASCII
TDI                       81
TDO                       82
TMS                       84
TCK                       85
RST (do not use)          93

If the board has no markings showing the processor pin numbering, you can use this orientation:
Pinout common to all AR724x processors

Note: Debugging and testing (for writing this guide) were performed with a working bootloader, so it was necessary to temporarily disable the flash memory of the device (CS0 ⇒ 3.3V) so that device initialization and the boot process were interrupted (the bootloader may contain an instruction that disables the JTAG port to release the GPIO line).

EJTAG_SEL pin - AR7240/AR7241/AR7242. Given that the EJTAG connector is not brought out on many devices, the logic state of this pin plays no particular role in JTAG operation. It is enough to interrupt the device's boot from flash memory in the way described above. And given that you are reading this manual, your device most likely does not boot properly anyway.

RST pin - AR7240/AR7241/AR7242. This pin completely resets the processor, including the CPU initialization registers that have been written; this state is equivalent to disconnecting power from the device, so we will not use this pin either.

The connection is usually made through a special JTAG adapter. This can be a simple, cheap USB-JTAG adapter or an old parallel-port (LPT) adapter for a computer; such adapters are usually self-made.

In the example presented in this section, the connection was made through an old and slow JTAG adapter for the LPT port: a Wiggler (without the buffer). The design of this adapter is extremely simple.

The software part lists the programs needed for debugging and recovery through the JTAG interface. It also contains the list of OpenOCD commands used and a configuration file for AR724x processors.

  • PuTTY - telnet console. This console is also used to connect to the router through the serial port.
  • init-ar7240.cfg - configuration file for OpenOCD and your device (copy it to the OpenOCD program folder as target/init-ar7240.cfg).
  • 8Muboot_RAM_version.bin - a boot loader that can be run from SDRAM via JTAG (thanks to the OpenWRT forum member with the nickname tthrx).
  • backup.bin - a placeholder name for the bootloader or another piece of flash data that needs to be restored.

Note: The bootloader stores the device's MAC address (TP-Link: U-boot MAC offset 0x01fc00 (value in HEX format)) and PIN code (TP-Link: U-boot PIN offset 0x01fe00 (value in Dec format)). Also be aware that the art section, which holds the EEPROM information for the wireless chip, must match the wireless chip of the device being restored.
For example: the art section of the MR3420 router (WiFi chip: AR9287) does not fit the MR3220 router (WiFi chip: AR9285), and vice versa.
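An added example, not part of the original page: before loading a u-boot backup taken from another unit, check what it carries at the two TP-Link offsets above, since flashing a foreign bootloader copies its MAC address and PIN onto your device. The 6-byte raw MAC and 8-digit ASCII PIN layouts, the function names and the sample image are assumptions.

```python
# Added example (not from the original page): sanity-check a TP-Link u-boot
# backup before loading it over JTAG.
U_BOOT_SIZE = 0x20000   # size of the u-boot area erased/copied on this page
MAC_OFFSET = 0x01FC00   # from the page: MAC, "value in HEX format"
PIN_OFFSET = 0x01FE00   # from the page: PIN, "value in Dec format"
MAC_LEN = 6             # assumption: MAC stored as 6 raw bytes
PIN_LEN = 8             # assumption: PIN stored as 8 ASCII decimal digits


def inspect_uboot(image: bytes) -> dict:
    """Return the MAC/PIN found in a u-boot image plus a list of problems."""
    problems = []
    if len(image) != U_BOOT_SIZE:
        problems.append(f"size is {len(image):#x}, expected {U_BOOT_SIZE:#x}")
    mac = image[MAC_OFFSET:MAC_OFFSET + MAC_LEN]
    pin = image[PIN_OFFSET:PIN_OFFSET + PIN_LEN]
    pin_ok = len(pin) == PIN_LEN and pin.isdigit()  # ASCII digits only
    if len(mac) < MAC_LEN or mac in (b"\xff" * 6, b"\x00" * 6):
        problems.append("MAC area is erased or missing")
    elif mac[0] & 0x01:
        problems.append("MAC has the multicast bit set")
    if not pin_ok:
        problems.append("PIN area does not hold ASCII decimal digits")
    return {
        "mac": mac.hex(":") if len(mac) == MAC_LEN else None,
        "pin": pin.decode("ascii") if pin_ok else None,
        "problems": problems,
    }


def make_sample(mac: bytes, pin: bytes) -> bytes:
    """Constructed test image: erased flash (0xFF) with MAC and PIN patched in."""
    img = bytearray(b"\xff" * U_BOOT_SIZE)
    img[MAC_OFFSET:MAC_OFFSET + len(mac)] = mac
    img[PIN_OFFSET:PIN_OFFSET + len(pin)] = pin
    return bytes(img)


if __name__ == "__main__":
    good = make_sample(bytes.fromhex("020000aabbcc"), b"12345670")
    print(inspect_uboot(good))
    print(inspect_uboot(b"\xff" * U_BOOT_SIZE))   # fully erased dump
```

To check a real dump, pass the bytes of the file saved with dump_image to inspect_uboot() and compare the values with the label on the device.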


In the example presented in this section, the reset command is used only to identify the device ID and state, nothing more. Usually, executing this command asserts nSRST, but in our case the RST pin is not used.


The halt command puts the processor into debugging mode (accepting commands).

reset init

After this command is executed, the script for this event (enclosed in braces) in the config file is run (sending commands to the processor).

dump_image <file name> <start address in memory or flash> <size>

This command saves a dump of the device's memory or flash to a file. The command can be executed before the processor and the device memory are initialized. To read flash memory, use the address 0x9f000000.

load_image <file name> <address in memory area only> <file format>

This command loads the file into the device memory. The command must be executed after initializing the processor and device memory.

resume <address in memory or flash>

This command starts the loader; it is the analogue of go in U-Boot.


# Atheros AR724x MIPS 24Kc SoC.
# tested on AP99 reference board
# configure file for AR7200 boards (32/64 MB ram)
# this settings format for OpenOCD was changed / taken from source of settings for OCD Commander
# source: http://www.cpx.cz/dls/wpe72_WPE72NX_MMJ5N26E/wp72_loader_jtag.zip

adapter_nsrst_delay 100
jtag_ntrst_delay 100

reset_config trst_only separate; # or use only "reset_config none"

set CHIPNAME ar724x

jtag newtap $CHIPNAME cpu -irlen 5 -ircapture 0x1 -irmask 0x1f -expected-id 1

# the target is named after the TAP (ar724x.cpu)
set TARGETNAME $CHIPNAME.cpu
target create $TARGETNAME mips_m4k -endian big -chain-position $TARGETNAME

$TARGETNAME configure -event reset-init {
# WAR for the bug #55574: Set the CKE (bit 7 in DDR_CONFIG2 register)
# to low initially
mww 0xB8000004 0x99D10628

# set PLL
mww 0xb8050000 0x00040828

# update PLL
mww 0xb8050008 0x1
sleep 10
mww 0xb8050008 0x0
# disable flash remap
mww 0xbf000004 0x43

mww 0xb8000000 0xC7BC8CD0
mww 0xB8000004 0x9DD0E6A8
mww 0xB8000010 0x00000008
mww 0xB8000008 0x00000133
sleep 10
mww 0xB8000010 0x00000001
mww 0xB800000C 0x00000000
mww 0xB8000010 0x00000002
mww 0xB8000010 0x00000008
mww 0xB8000008 0x00000033
mww 0xB8000010 0x00000001
mww 0xB8000014 0x00004F10
mww 0xB8000018 0x000000FF
mww 0xB800001C 0x00000007
mww 0xB8000020 0x00000007

# UART Test
mww 0xB8040028 0x000480FA
mww 0xB802000C 0x00000083
mww 0xB8020000 0x0000006D
mww 0xB8020004 0x00000000
mww 0xB802000C 0x00000003
mww 0xB8020008 0x00000001
mww 0xB8020000 0x00000030
mww 0xB8020000 0x00000031
mww 0xB8020000 0x00000032
mww 0xB8020000 0x00000033
mww 0xB8020000 0x00000034
mww 0xB8020000 0x00000035
mww 0xB8020000 0x00000036
mww 0xB8020000 0x00000037
mww 0xB8020000 0x00000038
mww 0xB8020000 0x00000039
mww 0xB8020000 0x0000000D
mww 0xB8020000 0x0000000A
}

# setup working area somewhere in RAM
$TARGETNAME configure -work-area-phys 0xa0600000 -work-area-size 0x20000

# serial SPI capable flash
# flash bank <driver> <base> <size> <chip_width> <bus_width>

This example restores the u-boot boot loader and the art section on the MR3220 (4M) router, using the Windows operating system. If desired, you can additionally flash a firmware image or the entire flash memory (fullflash) in the same way.

  • Unpack the prebuilt “openocd-0.5.0.zip” into a convenient folder.
  • Move or copy all the contents of the bin folder (located in the root directory of OpenOCD) to the root directory of OpenOCD.
  • Create the file ar724x.bat (you can use any other name) in the same root directory of OpenOCD with the following contents:
    openocd-0.5.0.exe -f interface/parport.cfg -f target/init-ar7240.cfg

    If you use another JTAG adapter, change parport.cfg to the name of the configuration file for your JTAG adapter.

  • Connect JTAG to the computer and to the powered-off router.
  • Connect the UART to the computer and to the powered-off router, and open PuTTY (the program must be configured for the serial port of your computer with the appropriate settings for your router).
  • Run ar724x.bat; almost immediately afterwards you can turn on the router. The goal is to find the identifier 0x00000001 (the standard identifier of Atheros processors):
    D:\Free\OpenOCD\0.5.0>openocd-0.5.0.exe -f interface/parport.cfg -f target/init-ar7240.cfg
    Open On-Chip Debugger 0.5.0 (2012-04-06-14:30)
    Licensed under GNU GPL v2
    For bug reports, read
    Warn: Adapter driver 'parport' did not declare which transports it allows; assuming legacy JTAG-only
    Info: only one transport option; autoselect 'jtag'
    parport port = 0x378
    6000 kHz
    adapter_nsrst_delay: 100
    jtag_ntrst_delay: 100
    none separate
    Info: clock speed 500 kHz
    Info: JTAG tap: ar724x.cpu tap/device found: 0x00000001 (mfg: 0x000, part: 0x0000, ver: 0x0)
    Info: accepting 'telnet' connection from 4444

    If the identifier was not detected right away, go on to the next step and type “reset” in the console. If the program still does not detect the processor identifier, check the JTAG cable connections for errors; the length of the cable used can also be the cause of the problem.

  • If everything went well, start a telnet console or another PuTTY window using the address; after connecting to the console, the prompt should appear:
    Open On-Chip Debugger

    • Then enter the commands:

      > reset
      JTAG tap: ar724x.cpu tap/device found: 0x00000001 (mfg: 0x000, part: 0x0000, ver: 0x0)

      This command should not affect the state of the processor, since we do not use RST. However, the command once again determines the identifier and the state of the processor.

      > halt
      target state: halted
      target halted in MIPS32 mode due to debug-request, pc: 0xbfc03860

      This command switches the processor from the “running” state to the “halted” state; in this state, the processor accepts commands from the operator.

      > reset init
      JTAG tap: ar724x.cpu tap/device found: 0x00000001 (mfg: 0x000, part: 0x0000, ver: 0x0)
      target state: halted
      target halted in MIPS32 mode due to debug-request, pc: 0xbffd0ac0

      This runs the main script in the configuration file init-ar7240.cfg. In this case, the script sent the group of commands enclosed in curly braces for the reset-init event. After that, we can work fully with the processor and device memory.

      > load_image backup_uboot.bin 0x81000000 bin
      131072 bytes written at address 0x81000000
      downloaded 131072 bytes in 12.250000s (10.449 KiB/s)
      > load_image backup_art.bin 0x81020000 bin
      65536 bytes written at address 0x81020000
      downloaded 65536 bytes in 5.440000s (11.765 KiB/s)
      > load_image 8Muboot_RAM_version.bin 0x80000000 bin
      262144 bytes written at address 0x80000000
      downloaded 262144 bytes in 21.639999s (11.830 KiB/s)

      First we load the u-boot loader and the art section somewhere into memory; later, this data will need to be copied to the flash memory.
      Most importantly, we load the loader 8Muboot_RAM_version.bin at memory address 0x80000000, because the loader was compiled to run from this address.

      Note: You can make do with only the loader 8Muboot_RAM_version.bin (in memory at 0x80000000): using this bootloader, you can write the flash via tftp.
      You should know the specifics of tftp in this bootloader:

      • To access the bootloader, you need to enter tt
      • The IP address of the computer, in this case, should be - (or use the setenv command to change the value of serverip).
    • The following command starts the loader from SDRAM; at the same time, another PuTTY console, configured for the serial port, should be running:
      resume 0x80000000

      The loader will try to load firmware from the flash memory. To prevent a failure (and, as a result, a reboot of the router), when the message “Autoboot in ..” appears in the window, quickly type tt in the console.

The final stage of recovery is done from the U-boot bootloader. You need to erase the relevant areas of the flash memory and then copy the data previously loaded into SDRAM to the flash memory of the device.
You can do this as follows:

AR7241 # erase 0x9f000000 +0x20000
Erase Flash from 0x9f000000 to 0x9f01ffff in Bank #1
First 0x0 last 0x1 sector size 0x10000
Erased 2 sectors
AR7241 #

Erase the area in the flash memory for the u-boot boot loader.

AR7241 # cp 0x81000000 0x9f000000 0x20000
Copy to Flash ... write addr: 9f000000
AR7241 #

Copy the u-boot bootloader, previously loaded into SDRAM, into the flash memory.

AR7241 # erase 0x9f3F0000 +0x10000
Erase Flash from 0x9f3f0000 to 0x9f3fffff in Bank #1
First 0x3f last 0x3f sector size 0x10000
Erased 1 sectors
AR7241 #

Erase the area in the flash memory for the art section (4M flash memory).

AR7241 # cp 0x81020000 0x9f3F0000 0x10000
Copy to Flash ... write addr: 9f3f0000
AR7241 #

Copy the art section, previously loaded into SDRAM, into the flash memory.
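An added example, not part of the original page: a pre-flight check of the staging plan used above, which verifies that the images loaded into SDRAM do not overlap each other or the OpenOCD work area and that every flash destination is sector-aligned and inside the 4M flash, then rebuilds the command lines. The function names are hypothetical; the KSEG0/KSEG1 aliasing rule is standard MIPS32 behaviour.

```python
# Added example, not from the original page. All addresses and sizes below are
# the ones shown in this page's config file and console logs.
SECTOR = 0x10000                               # "sector size 0x10000"
FLASH_BASE, FLASH_SIZE = 0x9F000000, 0x400000  # 4M flash of the MR3220
WORK_AREA = ("work area", 0xA0600000, 0x20000, None)

# (file, RAM staging address, size in bytes, flash destination or None)
PLAN = [
    ("backup_uboot.bin",        0x81000000, 0x20000, 0x9F000000),
    ("backup_art.bin",          0x81020000, 0x10000, 0x9F3F0000),
    ("8Muboot_RAM_version.bin", 0x80000000, 0x40000, None),  # runs from RAM
]

def phys(addr):
    """KSEG0 (0x8...) and KSEG1 (0xA...) map the same physical memory."""
    return addr & 0x1FFFFFFF

def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    errors = []
    regions = [WORK_AREA] + list(plan)
    for i, (n1, a1, l1, _) in enumerate(regions):
        for n2, a2, l2, _ in regions[i + 1:]:
            if phys(a1) < phys(a2) + l2 and phys(a2) < phys(a1) + l1:
                errors.append(f"RAM overlap: {n1} / {n2}")
    for name, _, size, dst in plan:
        if dst is None:
            continue
        off = dst - FLASH_BASE
        if off % SECTOR or size % SECTOR:
            errors.append(f"{name}: not aligned to flash sectors")
        if off < 0 or off + size > FLASH_SIZE:
            errors.append(f"{name}: outside the flash")
    return errors

def commands(plan):
    """Build the OpenOCD and U-Boot command lines in the form used on this page."""
    loader = next(ram for _, ram, _, dst in plan if dst is None)
    ocd = [f"load_image {n} {ram:#010x} bin" for n, ram, _, _ in plan]
    ocd.append(f"resume {loader:#010x}")
    uboot = []
    for _, ram, size, dst in plan:
        if dst is not None:
            uboot.append(f"erase {dst:#010x} +{size:#x}")
            uboot.append(f"cp {ram:#010x} {dst:#010x} {size:#x}")
    return ocd, uboot

if __name__ == "__main__":
    print(check_plan(PLAN) or "plan OK", *sum(commands(PLAN), []), sep="\n")
```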

The loader for SDRAM and its source code can be found in this section of the forum.

Extended logs of working with the program and the material used can be found on the forum.

Myloram is a universal loader for Compex devices based on AR71xx and AR724x processors. The loader can work on third-party devices with these processors. Device recovery is described in the corresponding instructions at the link.

1) A device with a specific architecture: the NOR / NAND / DDR memory used, the number of indicators and buttons, their assignment to GPIO numbers, etc. For example, the platform considered here is AP99.
If necessary, you can replace it with OCD Commander, but remember that it uses a different format for sending register values to the processor, so the config file needs to be converted to that format.
  • Last modified: 2019/09/02 20:25
  • by tmomas