Bicephale
join:2005-09-24
 ·TekSavvy Solutions..
| reply to Cidi Rome
Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access
Hi Cidi Rome,
Most unfortunately, i never even opened my Thomson
ST546v6 to take a look inside so i'm not the right
guy to testify that 'HairyDairyMaid' is compatible
with that model and hence much less others. There
is one person here who used the tool successfully,
from what i can tell... I'd strongly suggest that
you make contact with Chaveiro as he's provided us
with some practical proof of concept: he captured
the Flash contents and put a BackUp on disk. It's
still unclear if a Restore procedure would work as
well but he's your best bet around here, no doubt!
In the meantime, i suggest you verify that you got
a compatible Flash chip. Otherwise, it will fail. |
|
Cidi Rome
join:2007-12-12
2 edits | reply to Bicephale
I'm trying to talk with him but He does not answer....
I've spend much time trying to understand how the flash Speedtouch works, and I think I will be able to unlock the Portuguese Routers from Sapo/Telepac if I can put my JTAG cable working.
But at this time I'm stuck. After my last (first) post I have reconstructed my cable with a less lenght cable (now it is only about 20 cm, much less than the Hairy one) and I'm still having the same results for the CPU Id, all zeros with the router off and all ones with the router on or disconnected.
That's all for now,
Best Regards. |
|
Bicephale
join:2005-09-24
·TekSavvy Solutions..
| Hi Cidi Rome,
I'm not at ease when people bring the "lock" thing
on topic around here, the original purpose of this
thread is to provide ST owners a means to garantee
that they can "De-Brick" their unit should a Flash
incident occur. It would be most legitimate to do
BackUps and/or Restores considering the money that
such products might have cost but, please, keep it
private if you must discuss about hacking again as
a locked thread wouldn't be of any help to anyone.
It takes time to gather documentation from diverse
uncoordinated sources so i'd suggest that you post
details about your experiments in the meantime. I
advise you to maximize exposure hoping that search
engines like Google might work for you. Patience! |
|
Cidi Rome
join:2007-12-12
| reply to Bicephale
Hi there.
Today I tested my cable with the multimeter and checked this measures:
DB25(LPT) - Socket (Router)
Pin2 - Pin3 = aprox 100 Ohm
Pin3 - Pin9 = aprox 100 Ohm
Pin4 - Pin7 = aprox 100 Ohm
pin13 - Pin5 = aprox 100 Ohm
Pin18-25 - Pin2,4,6,8 = Close to 0 Ohm
Tested again with 2 computers and the sames reads for the CPU:
- all zeros with the router off
- all ones with the router on or the cable disconnected.
Chaveiro, where are you, please help.
Best Regards. |
|
Bicephale
join:2005-09-24
1 edit | Hummm...
It's not always a good idea to probe circuits with an Ohm-Meter!
Beware, you were lucky to have 100 Ω limiting resistors but it's
not 100 % safe to inject currents even at such a reduced level... |
|
Bicephale
join:2005-09-24 | reply to Cidi Rome
Oups! I sort of just woke up from a short afternoon nap...
Disregard my remark, i need to read your post more closely!
 |
|
Cidi Rome
join:2007-12-12
| reply to Bicephale
One thing came to my mind....
Do you know if the problem my or my not be the printer port set to ECP, EPP or SPP?
Now I'm not at the place where I make the tests but, probably, all the computers I've made tests with have he port set to ECP....
Best Regards. |
|
Bicephale
join:2005-09-24
·TekSavvy Solutions..
| Hi Cidi Rome,
Well, i must confess that i haven't re-read any of
the related documentation for a very long time but
i guess i know where you should look for Chaveiro:
Como convertir un Comtrend 536+ en UsRobotics
He made a reference to a picture published on this
foreign forum, perhaps he's been hanging around...
It might be the right time for me to start looking
around again, i'll try to browse the InterNet with
your question in mind. Did you try asking Angelo?
 |
|
Bicephale
join:2005-09-24
·TekSavvy Solutions..
| reply to Cidi Rome
Hi again,
Some time was required for me to "immerse". Sorry
but it was made clear from the start that we don't
have a clue which proves positively that the ST585
and ST516 both use the very same E-JTAG layout. I
regret this but you and Nedjel may need to hold on
until someone has verified that this unit actually
has a compatible E-JTAG connector where to connect
your adaptor. The Thomson SpeedTouch 516 v6 model
has a BroadCom BCM 6338 Chip inside while i expect
you to find a BCM 6348 inside the ST585... By the
way, you could be very usefull to the thread since
it turns out that you have both devices handy! If
i were to compare the interfaces i'd try to find a
helpful characteristic when identifying the nTRST,
TDIn, TDOut, TMS, TClk and nSRST signal lines, via
measurement of their voltages if no better tool is
available, or perhaps using waveforms otherwise...
In the meantime, i can imagine why the ST516 won't
let you use the E-JTAG cable as describe above but
it's a mystery to me what's really happening about
your ST585. It isn't rare to find legacy HardWare
in Industrial environments so i'd probably try the
standard parallel mode 1st if i were in a hurry or
i'd just wait until i've read a suitable document. |
|
Cidi Rome
join:2007-12-12
| reply to Bicephale
Hi Bicephale.
About the ST516v6, I notice that the JTAG connector is behind 2 capacitors, but I managed to solder the pins on the other side of the board and I took care to correct the order because when using the 12 pin connector it will be inverted (thats obvious).
Tomorrow I will try to change the parallel port settings and if it stills not work I will cut the cable and make it about 10-15cm.
There is one thing that is whoring me, the ST516v6 chip (BCM6338) is not listed when we run wrt45g.exe, but I think when I'm able to detect correctly the CPU (by this I mean not to get all ones in the CPU ID) it will be compatible with the BCM6348 and I will be able to read/write from it as if it was one.
Wish me luck.
Best Regards. |
|
Bicephale
join:2005-09-24
·TekSavvy Solutions..
| I've found this while revisiting the whole thread:
OpenFreebox InterfaceSERIE
If you own a scope, now you know what to look for,
i suppose. In any case, the fact that the tool is
not clearly supporting BroadCom's BCM6338 chip may
explain why it fails to work. Have you checked in
the Windows Control Panel? Euh... I know, that's
going to sound totally desperate so, good luck!...
 |
|
Bicephale
join:2005-09-24
·TekSavvy Solutions..
1 edit | reply to Cidi Rome
Ouch! That's right, there's not even a mention of the BCM6335 in 'ReadMe.Txt'...
Euh...
Have you seen VOiPLover's Thread?...
|
|
Cidi Rome
join:2007-12-12 | reply to Bicephale
Good morning..
I'm mainly testing with ST585, the 516 will be a later project, I only tried it so soon because I was not getting the 585 to work with the JTAG..
Have a nice day. |
|
Cidi Rome
join:2007-12-12
1 edit | reply to Bicephale
Hi.
BAD news.
Tried to set the printer port as ECP, SPP and Normal, and I'm getting the same results.
Shortened the cable to about 15cm including plugs, and same results.
I can only think about two things: the ST585 JTAG don't have the pinout that Chaveiro said or the software is not working right (less probable).
Bicephale, you said about probing the pins with a scope, but I don't own one, is there any other way?
Best Regards. |
|
Bicephale
join:2005-09-24
·TekSavvy Solutions..
| Hi Cidi Rome,
Here's how i tried to identify signal lines in the
GNet BB0060B. It was simply a matter of "reading"
the circuit board using a multitude of photographs
of which only a few captured the details i needed:
GNet BB0060B ADSL Modem/Router issue, Bicephale, 2007-Jul-8
In this example, we see that U8 (Fig. 1, 12, 2 and
3) links to U10 (Fig. 8) via R58/R60, i identified
and documented the Flash chip in hope to acquire a
reasonably strong "feeling" about what the signals
were on JP1 but i never reached total certainty as
it required the removal of any component which was
hiding strategic parts of this puzzle... Luckily,
its JTAG maintenance connector only involved a few
pins so it should be possible to get away with it:
provided that the D.C. and A.C. readings from some
compatible product (which is known to work) can be
gathered, i'd try to make comparisons but it would
probably require a sparkle of judgment & intuition
as well. In short, considering the limitations of
an average user relatively to measuring equipment,
Chaveiro would have proved to be useful should one
of his posts have included the E-JTAG's electrical
signature so that others can make educated guesses
about the relative safety of this project and yet,
even if i could garantee that the adaptor's layout
does work, euh... well, i still find necessary to
warn against the risks, not to mention there are a
few more pins to deal with in the present case!...
So, my advice is to document this device suitably,
hoping that some evidence will emerge, eventually.
For a lucky guy it may be forgiving to mistake one
pin for another but i'm afraid the prospect gets a
bit worst as the number of pins is increased. I'm
worried, i wouldn't require of you that you assume
the same risks as when Chaveiro tried this just to
satisfy my curiosity so lets proceed with caution!
|
|
Cidi Rome
join:2007-12-12
| reply to Bicephale
Good evening...
More bad news...
Tried it with linux with exactly the sames results 
About following the circuit lines on the board I feel that it is almost impossible because the chip is surface mounted with the pins underneath it and the board have certainly more that two layers, and I'm talking about ST585, I think ST516 is even worse.
Once more, any help will be most appreciated.
Best Regards. |
|
Bicephale
join:2005-09-24
·TekSavvy Solutions..
| Hi,
Then it seems your ST585 is not seen but then lets
not forget that Chaveiro posted his binary capture
to raise our interest. Well, we can't do anything
with it but it shows that the UnBricker does work.
There's also the possibility that he mocked us but
i have no reason to think so. It would be best to
use a Windows 98 system for this test, can you get
one? Can you help us identy your Flash chip? I'm
short of options and i won't be able to follow the
discussions on those foreign sites which i refered
to - even less to ask for electrical signatures...
Perhaps all that remains to do is to use patience. |
|
Cidi Rome
join:2007-12-12
| reply to Bicephale
Hi,
I'm positive that that the files that Chaveiro posted are real, I analyzed them and I was able to see one of the things that I think is locking it, and one thing that made me able to modify a regular firmware file to make the router think it was a compatible version. With that change I was able to load a generic firmware into it with the ST upgrade tool, but know, I think the boot loader detects the difference (that it is not a valid version) and refuses to boot it.
Do you think it is possible to have success with Windows 98 where Windows XP or Linux failed to work? Of course I can get to a Windows 98, I'm a computer tech, if I suspect that is way out I'll install one to test it.
Another thing.
Today I tried to use the parameter "/skipdetect" with " -backup:cfe" but it took to long to execute that I left it there working (or not) and tomorrow I will see the results.
Goog Night. |
|
Bicephale
join:2005-09-24
·TekSavvy Solutions..
1 edit | Hi Cidi Rome,
Well, the purpose and installation of 'GiveIO.Sys'
are discussed in the "Installing GiveIO on Windows
XP" section of 'ReadMe.Txt'. I'd need to check it
under a "pure" DOS session but it looks like you'd
be able to run 'WRT54G.Exe' without Windows at all
if you prefer. As for Linux, i'm no expert but it
turns out i tried to use my parallel port via QEmu
and the suite of Virtual Machines... there wasn't
one until i started typing the Linux magic spells!
If you got MS-DOS on a secondary Hard-Drive then i
strongly suggest that you should simply use it!...
Thanks for confirming that the binary we have does
plead in favour of the HairyDairyMaid UnBricker!!!
|
|
Bicephale
join:2005-09-24 | reply to Cidi Rome
Finally i verified about 'WRT54G.Exe': it's a Win32 console program. |
|
