An Attempt: Hacking into a Realtek-Based Router through JTAG
I got an old “Oi” (a Brazilian internet and phone provider company) router from a relative. After disassembly, I managed to find out it’s based on a Realtek RTL8672 SoC.
One thing that instantly drew my attention was a 12-pin header on the board that was really close to the SoC.
After some research, I found out that the pinout of this header is compatible with the one used by the Linksys WRT54G router.
I immediately soldered wires to that header, as seen in the picture. But when I tried to connect using my Bluepill DirtyJTAG adapter, UrJTAG reported that TDO was stuck at 0.
After doing a diode test on the header, I discovered that the TDO pin wasn’t even connected — it showed Open Line (O.L.) on the multimeter.
I followed the traces to some resistor pads located right next to the header.
After soldering a jumper wire to R86, I got a reverse diode value on the test — meaning the pad was finally connected.
Now when I try to connect, UrJTAG says TDO is stuck at 1.
I also tried adding a pull-up to TMS as shown in the picture below, but I still got the same error on UrJTAG.
Even with all the missing passives restored, I suspect that JTAG has been permanently fused or disabled in the chip’s OTP settings.
I don’t have a glitcher lying around, a second STM32 as a clock generator and crowbar would be way too slow, and an FPGA would be way too expensive; it’s not worth buying gear for such a silly project.