
Bicephale
join:2005-09-24
canada

1 edit

Bicephale

Member

Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access

Any new anecdotes about one of these?:

ST516v6 Components Side
ST516v6 Solder Side

ST546v6 Components Side
ST546v6 Solder Side

ST585iv6 Components Side

diskace
Retired
Premium Member
join:2002-02-21

diskace

Premium Member

What is the subject?

Bicephale
join:2005-09-24
canada

Bicephale

Member

Hi DiskAce,

My subject is in the title, i thought it was clear
enough for the average reader:  Thomson SpeedTouch
5x6 & 585 EJTAG "De-Brick" Access.  Here's another
hint:  HairyDairyMaid is likely to work with this:



Feel free to contribute with some feedback if any!


diskace
Retired
Premium Member
join:2002-02-21

1 edit

diskace

Premium Member

Hi Bicephale, does the JTAG interface only interact with the BCM chipset? I thought JTAG was for the entire circuit board.

What are you trying to do?

Bicephale
join:2005-09-24
canada

Bicephale

Member

Hi DiskAce,

I didn't have much time to browse around but if we
can assume that the PinOut information & suggested
interface are correct it means the JTAG feature of
the BCM6348 ChipSet is now available.  The archive
which this site links to must be renamed as a .RAR
file.  The file inside got no extension but that's
one more .RAR file, apparently, and it extracts as
'HairyDairyMaid_WRT54G_Debrick_Utility_v48'...  It
seems what we have here is a 'WRT54G EJTAG DeBrick
Utility' under the form of Linux source code and a
set of Windows binaries.  I'd suggest you refer to
'ReadMe.Txt' for details about the supported FLASH
chips, etc...  As i wrote in my opening message, i
wanted to read anecdotes from others, not to write
my own!  Look at 'jtag-hairydairymaid.png', that's
some 12 pins JTAG Connector in the LinkSys WRT54G;
a .PDF guide is also provided that shows where the
'TRST' pin should go when someone tries to build a
generic JTAG cable.  There are passages about some
BCM94710 chip, it also shows two possible layouts:
a VisionIce 14 pins JTAG header or a 12 pins EJTAG
one.  My SpeedTouch's BCM chip may use a different
PinOut and yet remain electrically compatible with
the interface described by this document, i guess.



If we're able to backup and restore the FLASH chip
that means we can effectively "De-Brick" our ST5x6
device instead of throwing it away in case of some
incident.  During the late storm, for example, the
power outages caused my ST546 to switch to "BootP"
mode.  What else could have happened, i wonder but
in another six months i may be able to fix that if
there's a FLASH image file handy.  So, i'm curious
to see who was tempted to be the 1st guinea pig so
far since i'd bet others found out before i did...


diskace
Retired
Premium Member
join:2002-02-21

1 edit

diskace

Premium Member

According to the readme, BCM6348 JTAG support is implemented in V4.4. I am not sure whether or not the ST780WLi uses the BCM6348 chipset, but I will try later this week to make a JTAG connector.

On your side, I would suggest working on the 546. Pretty sure you will find more information on their forum »www.f-x.fr/forum/index.php (French) for compatibility with the 546.

BTW the .zip extension is working here.

Bicephale
join:2005-09-24
canada

Bicephale

Member

Hi DiskAce,

Well, i've found discrepancies already.  One ST516
picture to which i linked shows the 4 pins 3 Volts
Console pads and the 14 pins "De-Brick" access but
the European site appears to exchange them!  There
is a way to make sure which is which, it happens a
scope trace is included that strongly suggests the
TTL serial port is reached via some of the 14 pins
instead of the four ones but the colours from the
French text don't match with those on the picture;
unless their orange and my yellow are the same and
both would correspond to pin #8, that is...  If it
is so, pin #1 is Tx, pin #4 is Rx, pin #8 is power
(+3.3 Volts) and pin #7 is ground (0 Volts). Also,
they have a 12 pins header where i expected to find
a 14 pins one so i conclude caution is required...

On the ST546 picture, closing up on J3 and J6 will
not allow me to follow signal paths and this means
i'd need to open mine to take even closer shots or
i won't be able to tell where the EJTAG plug goes.

Moreover, the chipset on the ST546 photograph will
be a BroadCom BCM6338, its PinOut may differ quite
radically!  I conclude more caution is required!!!

Bicephale

Bicephale to diskace

Member

to diskace

BroadCom BCM6338 - EEtChina, 2005-Nov (0511A_DC_S11F1)
Hi,

This is an update to share what i've found so far.

Bicephale

Bicephale

Member

OpenWRT page (ST585)
Bicephale

Bicephale

Member

Feed me!
chaveiro
join:2007-12-06

3 edits

chaveiro to Bicephale

Member

to Bicephale
Hello,

I've been able to back up my SpeedTouch 585 v6 with the JTAG tool.

Looking for CFE, kernel and nvram from an unlocked 585 v6.

This router has custom firmware (AL) from my ISP (Sapo from PT) that has no support nor updated firmware, and the bootloader does not accept current versions.

If you have a regular 585v6 (software version AA), send me a CFE backup!!!

wrt54g.exe -probeonly

====================================
WRT54G/GS EJTAG Debrick Utility v4.8
====================================

Probing bus ... Done

Instruction Length set to 5

CPU Chip ID: 00000110001101001000000101111111 (0634817F)
*** Found a Broadcom BCM6348 Rev 1 CPU chip ***

- EJTAG IMPCODE ....... : 00000000100000000000100100000100 (00800904)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... ... Done
Clearing Watchdog ... Done

Probing Flash at (Flash Window: 0x1fc00000) ... Done

Flash Vendor ID: 00000000000000000000000000000001 (00000001)
Flash Device ID: 00000000000000000010001000000000 (00002200)
*** Found a AMD 29lv320MB 2Mx16 BotB (4MB) Flash Chip ***

- Flash Chip Window Start .... : 1fc00000
- Flash Chip Window Length ... : 00400000
- Selected Area Start ........ : 00000000
- Selected Area Length ....... : 00000000

*** REQUESTED OPERATION IS COMPLETE ***

Angelo
The Network Guy
Premium Member
join:2002-06-18

Angelo

Premium Member

if you guys need help just ask and i'll do whatever
chaveiro
join:2007-12-06

chaveiro

Member

Hello Angelo, you can help if you have access to an unlocked SpeedTouch 585 v6 and can make a JTAG backup.

I can help you with connecting the JTAG cable.

Angelo
The Network Guy
Premium Member
join:2002-06-18

Angelo

Premium Member

i have 516's but they are of the same family and i've been under suspicion that the flash is identical... from a good source
Triups2
join:2007-11-23
canada

Triups2 to Bicephale

Member

to Bicephale
This may or may not help you guys.
The US Robotics 9108 uses the same chip, Broadcom 6348, and gives the source code on their site. It may help you to better understand what is going on inside.
chaveiro
join:2007-12-06

3 edits

chaveiro to Angelo

Member

to Angelo
I don't think they are compatible. Is your modem locked?

If not, post a backup of the CFE file for that modem and you will make many guys happy here in Portugal.

1 - Build the cable above. The SpeedTouch pinout is correct and is as follows:
 nTRST  1   2 GND
 TDI    3   4 GND
 TDO    5   6 GND
 TMS    7   8 GND
 TCK    9  10 GND
 nSRST 11  12 n/a
   n/a 13  14 Vcc
 

2 - Get »downloads.openwrt.org/ut ··· _v48.zip

3 - Issue command: wrt54g -backup:cfe
Triups2
join:2007-11-23
canada

Triups2 to Bicephale

Member

to Bicephale
internals
I haven't actually received this modem yet (the company I bought it from has been messing up badly and finally shipped it today from a purchase date of nov 21)

but here is the support page:
»www.usr.com/support/prod ··· rod=9108

and the source code:
»www.usr.com/support/s-gp ··· loc=unst

not sure if it has what you want, but these are the internals:
Lan Ports: BCM5325EKQM
Adsl: BCM6348KPBG
cpu: bcm96348

Bicephale
join:2005-09-24
canada

Bicephale

Member

Hi,

I guess it may be too late but have you considered
to discuss with the owner/author of this picture?:

US Robotics 9108 Disassembly, Rene Bartosh (aka KirJava), 2006-Dec-20

chaveiro
join:2007-12-06

chaveiro

Member

I've tried the US Robotics firmware, no success. The bootloader of the SpeedTouch, aka CFE, does not load it and the USR CFE does not run on the SpeedTouch; at least I could not get it to run.

Anyway... Who can send me a backup of a normal 585 v6 CFE file? (see above for how to)

Cidi Rome
join:2007-12-12

Cidi Rome to Bicephale

Member

to Bicephale
Hi there..

Need some help...

I've tried the JTAG connection on the ST516 and ST585 with 3 different computers and the software always makes these reads for the CPU:

All ones (FFF..) when the router is turned on.

All zeros (000..) when the router is turned off.

If someone can help, now is the time..

My MSN is: cidirome@hotmail.com

Best Regards.
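
Added example, not part of any post in this thread and not the debrick utility's own code: a small C decoder that splits the 32-bit chip ID from the probe output above into the standard IEEE 1149.1 IDCODE fields and classifies the all-ones and all-zeros readings reported here as a TDO line that no TAP is driving. The type and function names are hypothetical, and the last sample value is constructed.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { ID_VALID, ID_STUCK_HIGH, ID_STUCK_LOW, ID_MALFORMED } id_status;

typedef struct {
    id_status status;
    unsigned  version;       /* bits 31..28 */
    unsigned  part;          /* bits 27..12 */
    unsigned  manufacturer;  /* bits 11..1  */
} idcode_info;

/* Split a 32-bit IEEE 1149.1 IDCODE into fields, rejecting readings that
   cannot have come from a responding TAP. */
idcode_info decode_idcode(uint32_t raw)
{
    idcode_info r = { ID_VALID, 0, 0, 0 };
    if (raw == 0xFFFFFFFFu) { r.status = ID_STUCK_HIGH; return r; }
    if (raw == 0x00000000u) { r.status = ID_STUCK_LOW;  return r; }
    if ((raw & 1u) == 0u)   { r.status = ID_MALFORMED;  return r; } /* IDCODE bit 0 is always 1 */
    r.version      = (raw >> 28) & 0xFu;
    r.part         = (raw >> 12) & 0xFFFFu;
    r.manufacturer = (raw >> 1)  & 0x7FFu;
    return r;
}

const char *describe(id_status s)
{
    switch (s) {
    case ID_VALID:      return "plausible IDCODE";
    case ID_STUCK_HIGH: return "TDO constant 1: nothing is driving the line (same as cable unplugged)";
    case ID_STUCK_LOW:  return "TDO constant 0: line held low, e.g. target unpowered";
    default:            return "bit 0 is 0: bit slip, noise, or a device in BYPASS";
    }
}

int main(void)
{
    /* First value: chip ID from the probe output posted in this thread.
       Next two: the failure readings reported. Last: constructed (bit 0 cleared). */
    const uint32_t samples[] = { 0x0634817Fu, 0xFFFFFFFFu, 0x00000000u, 0x0634817Eu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        idcode_info r = decode_idcode(samples[i]);
        printf("%08X  %s", (unsigned)samples[i], describe(r.status));
        if (r.status == ID_VALID)
            printf("  version=%u part=0x%04X manufacturer=0x%03X", r.version, r.part, r.manufacturer);
        putchar('\n');
    }
    return 0;
}
```

For 0634817F the part field comes out as 0x6348, which matches the chip name the utility printed; a reading that never changes with the target powered points at wiring, port mode or pinout rather than at the chip table.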

Bicephale
join:2005-09-24
canada

Bicephale

Member

Hi Cidi Rome,

Most unfortunately, i never even opened my Thomson
ST546v6 to take a look inside so i'm not the right
guy to testify that 'HairyDairyMaid' is compatible
with that model and hence much less others.  There
is one person here who used the tool successfully,
from what i can tell...  I'd strongly suggest that
you make contact with Chaveiro as he's provided us
with some practical proof of concept:  he captured
the Flash contents and put a BackUp on disk.  It's
still unclear if a Restore procedure would work as
well but he's your best bet around here, no doubt!

In the meantime, i suggest you verify that you got
a compatible Flash chip.  Otherwise, it will fail.

Cidi Rome
join:2007-12-12

2 edits

Cidi Rome to Bicephale

Member

to Bicephale
I'm trying to talk with him but He does not answer....

I've spent much time trying to understand how the SpeedTouch flash works, and I think I will be able to unlock the Portuguese routers from Sapo/Telepac if I can get my JTAG cable working.

But at this time I'm stuck. After my last (first) post I have rebuilt my cable with a shorter cable (now it is only about 20 cm, much less than the Hairy one) and I'm still having the same results for the CPU ID: all zeros with the router off and all ones with the router on or disconnected.

That's all for now,
Best Regards.

Bicephale
join:2005-09-24
canada

Bicephale

Member

Hi Cidi Rome,

I'm not at ease when people bring the "lock" thing
on topic around here, the original purpose of this
thread is to provide ST owners a means to guarantee
that they can "De-Brick" their unit should a Flash
incident occur.  It would be most legitimate to do
BackUps and/or Restores considering the money that
such products might have cost but, please, keep it
private if you must discuss about hacking again as
a locked thread wouldn't be of any help to anyone.

It takes time to gather documentation from diverse
uncoordinated sources so i'd suggest that you post
details about your experiments in the meantime.  I
advise you to maximize exposure hoping that search
engines like Google might work for you.  Patience!

Cidi Rome
join:2007-12-12

Cidi Rome to Bicephale

Member

to Bicephale
Hi there.

Today I tested my cable with the multimeter and checked these measurements:

DB25(LPT) - Socket (Router)

Pin2 - Pin3 = approx. 100 Ohm
Pin3 - Pin9 = approx. 100 Ohm
Pin4 - Pin7 = approx. 100 Ohm
Pin13 - Pin5 = approx. 100 Ohm
Pin18-25 - Pin2,4,6,8 = Close to 0 Ohm

Tested again with 2 computers and got the same reads for the CPU:
- all zeros with the router off
- all ones with the router on or the cable disconnected.

Chaveiro, where are you, please help.

Best Regards.

Bicephale
join:2005-09-24
canada

1 edit

Bicephale

Member

Hummm...

It's not always a good idea to probe circuits with an Ohm-Meter!

Beware, you were lucky to have 100 Ω limiting resistors but it's
not 100 % safe to inject currents even at such a reduced level...
Bicephale

Bicephale to Cidi Rome

Member

to Cidi Rome
Oups!  I sort of just woke up from a short afternoon nap...

Disregard my remark, i need to read your post more closely!


Cidi Rome
join:2007-12-12

Cidi Rome to Bicephale

Member

to Bicephale
One thing came to my mind....

Do you know if the problem may or may not be the printer port set to ECP, EPP or SPP?

Now I'm not at the place where I make the tests but, probably, all the computers I've made tests with have the port set to ECP....

Best Regards.

Bicephale
join:2005-09-24
canada

Bicephale

Member

Hi Cidi Rome,

Well, i must confess that i haven't re-read any of
the related documentation for a very long time but
i guess i know where you should look for Chaveiro:

Como convertir un Comtrend 536+ en UsRobotics

He made a reference to a picture published on this
foreign forum, perhaps he's been hanging around...

It might be the right time for me to start looking
around again, i'll try to browse the InterNet with
your question in mind.  Did you try asking Angelo?

Bicephale

Bicephale to Cidi Rome

Member

to Cidi Rome
Hi again,

Some time was required for me to "immerse".  Sorry
but it was made clear from the start that we don't
have a clue which proves positively that the ST585
and ST516 both use the very same E-JTAG layout.  I
regret this but you and Nedjel may need to hold on
until someone has verified that this unit actually
has a compatible E-JTAG connector where to connect
your adaptor.  The Thomson SpeedTouch 516 v6 model
has a BroadCom BCM 6338 Chip inside while i expect
you to find a BCM 6348 inside the ST585...  By the
way, you could be very useful to the thread since
it turns out that you have both devices handy!  If
i were to compare the interfaces i'd try to find a
helpful characteristic when identifying the nTRST,
TDIn, TDOut, TMS, TClk and nSRST signal lines, via
measurement of their voltages if no better tool is
available, or perhaps using waveforms otherwise...

In the meantime, i can imagine why the ST516 won't
let you use the E-JTAG cable as described above but
it's a mystery to me what's really happening about
your ST585.  It isn't rare to find legacy HardWare
in Industrial environments so i'd probably try the
standard parallel mode 1st if i were in a hurry or
i'd just wait until i've read a suitable document.

Cidi Rome
join:2007-12-12

Cidi Rome to Bicephale

Member

to Bicephale
Hi Bicephale.

About the ST516v6, I noticed that the JTAG connector is behind 2 capacitors, but I managed to solder the pins on the other side of the board and I took care to correct the order because when using the 12 pin connector it will be inverted (that's obvious).

Tomorrow I will try to change the parallel port settings and if it still does not work I will cut the cable and make it about 10-15 cm.

There is one thing that is worrying me: the ST516v6 chip (BCM6338) is not listed when we run wrt54g.exe, but I think when I'm able to detect the CPU correctly (by this I mean not to get all ones in the CPU ID) it will be compatible with the BCM6348 and I will be able to read/write from it as if it was one.

Wish me luck.
Best Regards.