It seems it was the TIAO name missing, thanks for the tip.
But now there's a new problem: I cannot initiate the CPU properly, it does not recognise the BCM4706 CPU:
C:\zjtag>zjtag -probeonly /cable:0 /instrlen:27 /L1:3 /noreset
==============================================
zJTAG EJTAG Debrick Utility v1.8 RC3
==============================================
cableid=0, cabletype=0
Dev 0:
Flags=0x2
Type=0x6
ID=0x4038a98
LocId=0x431
SerialNumber=TIXGJU6UA
Description=TIAO USB Multi-Protocol Adapter A
ftHandle=0x0
Set I/O speed to 7500 KHz
USB TAP device has been initialized. Please confirm VREF signal connected!
Press any key to continue... ONCE target board is powered on!
Detected IR chain length = 32
There are 0 device(s) in the JTAG chain
Probing bus ... Done
CPU Chip ID: 11111111111111111111111111111111 (0xFFFFFFFF)
*** Unknown or NO CPU Chip ID Detected ***
*** Possible Causes:
1) Router/Modem is not Connected.
2) Router/Modem is not Powered On.
3) Improper JTAG Cable.
4) Unrecognized CPU Chip ID.
But I can partially access the flash memory (with the wrong fc:115), it's the 16MB flash; I was able to back up the CFE (corrupted). If I use fc:116, no go:
C:\zjtag>zjtag -flash:cfe /skipdetect /cable:0 /instrlen:5 /L1:3 /fc:116 /noreset /verbose
==============================================
zJTAG EJTAG Debrick Utility v1.8 RC3
==============================================
cableid=0, cabletype=0
Dev 0:
Flags=0x2
Type=0x6
ID=0x4038a98
LocId=0x431
SerialNumber=TIXGJU6UA
Description=TIAO USB Multi-Protocol Adapter A
ftHandle=0x0
Set I/O speed to 7500 KHz
USB TAP device has been initialized. Please confirm VREF signal connected!
Press any key to continue... ONCE target board is powered on!
Detected IR chain length = 32
There are 0 device(s) in the JTAG chain
Probing bus ... Done
Instruction Length manually set to 5
CPU assumed running under LITTLE endian
CPU Chip ID: 11111111111111111111111111111111 (0xFFFFFFFF)
CPU Manufacturer :Unknown(ID=0xFFE)
CPU Device ID :FFFF
CPU Revision :15
*** CHIP DETECTION OVERRIDDEN ***
- EJTAG IMPCODE ....... : 11111111111111111111111111111111 (0xFFFFFFFF)
- EJTAG Version ....... : Unknown (7 is a reserved value)
- EJTAG DMA Support ... : No
- EJTAG Implementation flags: R3k DINTsup ASID_8 ASID_6 MIPS16 NoDMA MIPS64
Issuing Processor / Peripheral Reset ... Skipped
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
Matching Flash Chip (VenID:DevID = 017E : 2201)
*** Manually Selected a Spansion S29GL256P U (32MB) from AMD/Spansion
- Flash Chip Window Start .... : 1C000000
- Flash Chip Window Length ... : 02000000
- Selected Area Start ........ : 00000000
- Selected Area Length ....... : 00000000
*** REQUESTED OPERATION IS COMPLETE ***
Now I only need to be able to erase the CFE and upload the original backup CFE to unbrick the router.
Any thoughts on how to get it done? I mean getting full access to it; I suppose that is the LV Mode => MIPS mode.
PS: I don't have NVRAM.bin saved, only CFE.bin. After the CFE upload, it is possible to upload the FW via TFTP, right? The NVRAM.bin backup is not needed, right (I presume it's built into the FW)?
Thanks once again