I ran into the exact same issues you did. There is a way to do it through Chrome and the Network Tools screen. I had to use a FAT32 USB drive with the 1703 firmware, but mtd-write2 would not read it from USB. I had to do a cp /tmp/mnt/USB/firmware1703.trx /tmp
Click here if you would like to get that firmware and FW_RT_AC68U_30043763626.trx. You could also skip much of this and just go right to FW_RT_AC68U_30043763626.trx, enable SSH and replace the CFE and delete mtdblock5 but I am putting all the steps here I followed. You will also need ASUS Firmware 384.20308, click here for it (it is the last safest ASUS Firmware before it started hunting for Cellspots). Let me know what shortcuts worked and maybe we can reduce this to fewer steps (as has been previously mentioned).
I was then able to do mtd-write2 /tmp/firmware1703.trx linux then rebooted and reset nvram. I was then able to enable ssh and then do the rest.
See step 4 here for details on how to do this with Chrome and the inspect / console and using the diagnostics command for each step.
When I ran the last command to do the write from the file on USB to flash it just circled for a second with no error. Upon reboot, I still had the 1399 firmware. Did it many times, so this is what I did to get around it.
This did not succeed in the process that I posted above but will also repost right here.
validForm = function(){document.form.SystemCmd.value = "ping\n. u.txt " + encodeURIComponent("/sbin/mtd-write2 /tmp/mnt/USB/firmware1703.trx linux").replace(/%/g,"..");return true;}
This is what ultimately succeeded with the 1399 FW version and doing this from end-to-end. In Chrome, go to the network tools screen, right click and choose inspect, then go to the console. Paste in each command, hit enter, then click the diagnostics button. Make sure you inserted a FAT32 USB into the USB 2.0 slot with the 1706 firmware trx file on it, call it firmware1706.trx and label the USB just USB so that you just have to copy the commands below as-is and not edit - they should just run.
validForm = function(){document.form.SystemCmd.value = "ping\nmount -t tmpfs tmpfs userRpm";return true;}
validForm = function(){document.form.SystemCmd.value = "ping\ncp -a . userRpm";return true;}
If you see the message cp: recursion detected, omitting directory "./userRpm" you are on the right track.
validForm = function(){document.form.SystemCmd.value = "ping\nmount --move userRpm .";return true;}
validForm = function(){document.form.SystemCmd.value = "ping\nmount";return true;}
validForm = function(){document.form.SystemCmd.value = "ping\nservice restart_httpd";return true;}
You will see some connection errors and that is ok because it is restarting.
validForm = function(){document.form.SystemCmd.value = "ping\nwget -A txt -r -nH -nd docbill.freeshell.org";return true;}
validForm = function(){document.form.SystemCmd.value = "ping\nfind u.txt";return true;}
If the file is there, then proceed.
validForm = function(){document.form.SystemCmd.value = "ping\n. u.txt " + encodeURIComponent("find /tmp/mnt -name firmware1703.trx" ).replace(/%/g,"..");return true;}
Change firmware1703.trx to whatever the filename is on your FAT32 formatted USB drive labeled "USB" and recheck.
Now this is where it differs. You want to write this to /tmp and do the mtd-write2 from there.
validForm = function(){document.form.SystemCmd.value = "ping\n. u.txt " + encodeURIComponent("cp /tmp/mnt/USB/firmware1703.trx /tmp").replace(/%/g,"..");return true;}
validForm = function(){document.form.SystemCmd.value = "ping\n. u.txt " + encodeURIComponent("ls -l /tmp/firmware1703.trx" ).replace(/%/g,"..");return true;}
If the file is there, proceed to flash.
validForm = function(){document.form.SystemCmd.value = "ping\n. u.txt " + encodeURIComponent("/sbin/mtd-write2 /tmp/firmware1703.trx linux").replace(/%/g,"..");return true;}
If it took more than a second or two, then it most likely flashed.
Reboot and hold down WPS for 20 seconds to ensure nvram reset. After a few minutes, you should be able to connect to 192.168.29.1 and verify it's a 1703 firmware. You can enable ssh and proceed to get the CFE onto the USB or pull with scp so you can update it to the 1.0.2.0 AIMesh through the pipeline tool. You can then follow all the other instructions as you normally would and you should be ready to rock n' roll.
Adding the steps here from a previous post so it is all in one place.
SSH in or from the console over serial
cp /dev/mtd0 /tmp/mnt/USB/original_cfe.bin
# I've also seen - cat /dev/mtd0 > /tmp/mnt/USB/original_cfe.bin
# or if you are ssh'ing in, you can do cat or cp to /tmp/original_cfe.bin and then scp it from the router.
Then take that and upload original_cfe.bin to https://cfeditor.pipeline.sh/
Select 1.0.2.0 US 1.0.2.5 US for AC68P or 1.0.2.0 US AiMesh for AC68U with AiMesh as Source CFE > Download the new .bin > rename it to new_cfe.bin
Download This_File and extract with p7zip or 7zip
Copy new_cfe.bin & mtd-write & FW_RT_AC68U_30043763626.trx to the FAT32 usb drive we used previously (or you can scp it over the network)
Plug the usb drive back into the router and boot it completely.
In SSH terminal like putty or terminal through serial:
cd /mnt/USB
chmod u+x mtd-write
./mtd-write new_cfe.bin boot
./mtd-write FW_RT_AC68U_30043763626.trx linux
nvram_erase
reboot
Once the unit is booted back up, run the below commands before removing the serial cable and putting the router back together.
Code for fixing MTD5 partition:
You can enter this in Tera Term before you remove the serial cable and re-assemble the router
cat /dev/mtd5 > /jffs/mtd5_backup.bin
mkdir /tmp/asus_jffs
mount -t jffs2 /dev/mtdblock5 /tmp/asus_jffs
rm -rf /tmp/asus_jffs/*
sync && umount /tmp/asus_jffs
rm -rf /jffs/.sys/RT-AC68U
nvram unset fw_check && nvram commit && reboot
We still have 2 more commands to execute but we need to update firmware to 384.xxxxx or higher. We will use 3.0.0.4.384.20308 (preferred because it is just before the change in firmware to hunt Cellspots) or the command will not be effective.
Now wait for the reboot. Go to 192.168.1.1 and manually update firmware to 3.0.0.4.384.20308 that we downloaded.
Reset NVRAM again. Very important!
Power off the router
Wait 10 seconds
Press and hold WPS button on the side
Power up router and keep holding WPS button for 15-20 seconds until you see the power light starts to flash
Now turn on SSH in router system, and log in PuTTY, and do 2 more commands.
Make sure you are in /tmp/home/root directory.
Writing all FFs to the MTD5 (This will resize CFE to normal)
Here are the commands:
ln -s /sbin/rc mtd-erase
./mtd-erase -d asus
It will look like this (the “Erasing…” is given when you never did the 2 commands before… if you have you probably won’t see them again? Don’t be alarmed):
admin@RT-AC68U:/tmp/home/root# ln -s /sbin/rc mtd-erase
admin@RT-AC68U:/tmp/home/root# ./mtd-erase -d asus
Erasing 0x0 - 0x1ffff
Erasing 0x20000 - 0x3ffff
Erasing 0x40000 - 0x5ffff
Erasing 0x60000 - 0x7ffff
Erasing 0x80000 - 0x9ffff
Erasing 0xa0000 - 0xbffff
Erasing 0xc0000 - 0xdffff
Erasing 0xeffff - 0xfffff
Erasing 0x100000 - 0x11ffff
Erasing 0x120000 - 0x13ffff
"asus" successfully erased.
/tmp/home/root#
You can now flash Asus, Merlin, Advanced Tomato, Tomato, and DD-WRT firmwares.
I used a Raspberry Pi running stock Raspbian to get to the terminal on this just to see what was happening. With the stock 1399 firmware and CFE 2.1.2.6, it was not allowing me to get to the CFE prompt and do anything including running nvram reset but I could see by holding down the WPS button, it was causing the nvram to reset. I kept getting a "command status = -1" error not a 0 when running anything on the CFE> menu. 1399 and later seems super locked down and restricted - which is probably because the CFE version is 2.1.2.6. Once I forced the 1703 firmware on it, everything opened up so I could ssh in and extract the CFE, modify with the pipeline, and overwrite the CFE on the device with the correct modified version. If they had closed the loop on the diagnostics screen, I would have had to resort to connecting my Raspberry Pi to the flash chip and using flashrom commands to get the CFE off so I can reflash the right version after running it through the pipeline process. (something I was really happy to avoid).
To connect your Raspberry Pi to it, do the following: connect pin 6 on the Rpi to GND on the router, connect pin 8 on the Rpi to the RX pin on the router, and finally connect pin 10 to the TX pin on the router.
You may have to go into raspi-config and enable the serial interface under interfaces and restart your pi. Once it reboots, you can ssh into it and do the following:
sudo apt install minicom
Once that installs, you can get access to the terminal by running the following.
minicom -b 115200 -o -D /dev/serial0
You can then see the whole boot process and you can hit enter to get access to the console to run any linux command you want.
On your Rpi, you do need to be a member of the tty group or else you can try with sudo. For reference, the default pi user is automatically a member of tty group - type "id" at a shell prompt to verify group membership.
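For the CFE backup step above (cp or cat of /dev/mtd0 to original_cfe.bin), a check worth running before anything is written to the boot partition. This is an added example, not part of the original post: the function name backup_verified and the sample files are made up here, and it assumes cmp, tr and wc are present in the router's busybox.

```shell
#!/bin/sh
# Added example (not from the original post). Works in any POSIX shell.
# backup_verified SRC DEST
#   Reads SRC twice and treats DEST as trustworthy only when both reads are
#   byte-identical, non-empty, and not blank (all 0xFF, i.e. erased flash).
#   Return codes: 0 ok, 1 read error, 2 reads differ, 3 empty, 4 blank.
backup_verified() {
    src=$1
    dest=$2
    tmp="${dest}.verify"

    cat "$src" > "$dest" || return 1
    cat "$src" > "$tmp" || { rm -f "$tmp"; return 1; }

    if ! cmp -s "$dest" "$tmp"; then
        rm -f "$tmp"
        echo "two reads of $src differ; do not flash anything yet" >&2
        return 2
    fi
    rm -f "$tmp"

    [ -s "$dest" ] || { echo "$dest is empty" >&2; return 3; }

    # Delete every 0xFF byte and count what is left; zero means a blank image.
    left=$(LC_ALL=C tr -d '\377' < "$dest" | wc -c | tr -d ' ')
    [ "$left" -gt 0 ] || { echo "$dest is all 0xFF" >&2; return 4; }

    # Record a checksum to compare after copying the file off the router
    # (assumes md5sum exists in the firmware's busybox; skipped if absent).
    if command -v md5sum >/dev/null 2>&1; then md5sum "$dest"; fi
    return 0
}

# Constructed stand-ins for /dev/mtd0 so the example runs without a router.
demo=$(mktemp -d)
printf 'CFE-sample\377\377\377' > "$demo/good.bin"
printf '\377\377\377\377' > "$demo/blank.bin"
backup_verified "$demo/good.bin" "$demo/good_copy.bin"
backup_verified "$demo/blank.bin" "$demo/blank_copy.bin" || echo "rejected, rc=$?"
rm -rf "$demo"
```

On the router the call would be backup_verified /dev/mtd0 /tmp/mnt/USB/original_cfe.bin; keep the printed checksum and compare it against the file once it is on your PC, before uploading it to the CFE editor.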