  Cidi Rome
join:2007-12-12
2 edits | reply to Bicephale Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access
Hi.
Remember I left that thing ON yesterday, today it was in the same state I left it.
./wrt54g -backup:cfe /skipdetect
==================================== WRT54G/GS EJTAG Debrick Utility v4.8 ====================================
Probing bus ... Done
Instruction Length set to 0
CPU Chip ID: 11111111111111111111111111111111 (FFFFFFFF) *** CHIP DETECTION OVERRIDDEN ***
- EJTAG IMPCODE ....... : 11111111111111111111111111111111 (FFFFFFFF)
- EJTAG Version ....... : Unknown (7 is a reserved value)
- EJTAG DMA Support ... : No
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... ... Done
After more than 12 Hours I had to stop it with CTRL+C
Best Regards.
About the CPU and Flash:
CPU is: BCM6348KPBG
FLASH seems to be: Spansion S29GL032M9QTFIR4 (very hard to read) http://www.alldatasheet.com/view.jsp?Searchword=S29GL032M9 |
|
  Bicephale
join:2005-09-24
·TekSavvy Solutions..
| Hi Cidi Rome,
Thank you for the nice reading. I've searched for information about maintenance connectors but there is no provision for such a feature in the Spansion chip. Communications between the BCM6338 chip and this one is through parallel buses and I don't see a trace of something that looks like some SPI bus, which takes us to square one: we need to identify the BCM63x8 pins which connect to the E-JTAG zone:
BCM6348                          BCM6338
-----------------------------    -----------------------------
23-M, TRst (Test ReSeT, Opt.)    ?
24-M, TCk (Test Clock)           ?
24-N, TDI (Test Data Input)      ?
25-N, TDO (Test Data Output)     ?
26-N, TMS (Test Mode Select)     ?
 |
|
  Cidi Rome
join:2007-12-12
| reply to Bicephale Hi.
The info you wrote about BCM6348 is on the 3rd post of this thread. And at this time I'm not worried with BCM6338, anyway I believe it will work with the same (working) cable that works with ST585, taking care to invert it because it has to be connected on the other side of the board.
Cya. |
|
  Bicephale
join:2005-09-24 | My thought exactly, identify the layout on one and the other should work too!
 |
|
  Cidi Rome
join:2007-12-12
1 edit | Hi there...
Many news today....  By topics (lol)
- Managed to use the JTAG with my ST 585, the trick was to provide the signal to nTRST pin, I tried before with a resistor to pin 14 but didn't work, today I tried the same resistor to pin 1 of the serial connector (+3.3V), et voilà.
- Saved the CFE to file quite fast
- Made the changes to it that I thought would be enough to be able to load a generic firmware.
- Tried to flash the changed file to the router but the software hung, so I tried around and discovered that with the parameter /nodma it would flash.
- But by my calculations it would take more than 1h and 30m to flash 256K, and it only took about 90 seconds to read, so I stopped it.
- The bad news, now I can't do anything, the soft detects the Router CPU, but hangs right after in one of the next operations, normally the enable memory write if the router is turned on for more than 3 seconds or one of the next if the router has been turned on and immediately started the JTAG program. I hope someone can help me recovering this router....
- More news. About the ST 516v6... It has the same JTAG header, and the same need of nTRST to be "powered".
- The JTAG tool is able to read the CPU ID but it is not able to recognize it, I will try to change the application to recognize the ST516 CPU but I don't know if I will be successful..
Now the beg... Please HELP about my ST585...
Best Regards. |
|
  Bicephale
join:2005-09-24
·TekSavvy Solutions..
| Hi Cidi Rome,
Thank you very much for the feed-back, this thread needed such input for quite a while. I understand you've "bricked" the ST585 but let's not panic, it makes no doubt in my mind that it is only a matter of time before you get it fixed: other SpeedTouch 585 owners will join once they've realized that it is possible to recover from a Flash incident! The BackUp/Restore concept still requires to be tested and proven viable, I'm sorry for the inconvenience but that's an opportunity for you (who have little to lose) and for others (they can reduce the risk they'd need to assume otherwise)... My suggestion would be to illustrate your setup one photographic snapshot at a time by posting once every few days; there's no hurry, try to maximize your exposure!!!

It's certainly frustrating but time will pass then it will be history with some luck! Anyway, you've verified that both E-JTAG connectors are the same, perhaps you can start by explaining what your error was in order to make the BackUp procedure safer...
 |
|
  Angelo_ The Network Guy Premium join:2002-06-18 | you can still recover.... he prob ran into the c&p job they did... the modems all have the same base bc they are all the same in theory...
has he tried to force it to flash? |
|
  Cidi Rome
join:2007-12-12
| reply to Bicephale Merry Xmas.
Fresh news...
Managed to change the program to detect the ST 516 CPU under linux, now It would be good if someone can tell what tools should I use to compile it under Windows.
It didn't recognize the flash chip (exactly the same one as ST585, don't know why), I forced with /fc:03 and backed up the CFE, comparing with the 585 one, seems to be good.
Any ideas how to recover my 585 yet?
Best Regards. |
|
  Bicephale
join:2005-09-24 | Hi,
The ST 516 v5 had a chip suitable for this E-JTAG tool, maybe you'll have suggestions from the owners of these.
Good luck! Merry Christmas!
 |
|
  Cidi Rome
join:2007-12-12
| reply to Bicephale Happy new year.
Got more news.
Managed to backup and flash successfully a ST516v6. Backup is very easy, but I advise not to flash it back...
But now I would really appreciate to put my hands on another version of this router's boot loader (cfe) in other words, one that wasn't bought from an ISP that had messed it up like the Portuguese ones.
Of course I'm searching too for the ST585v6.
Best Regards.
If someone needs help on backing-up the flash (boot loader) add my MSN (cidirome@hotmail.com), I will help. I have already made changes to the software to support the BCM6338 CPU and the Spansion flash.
Another thing, I'm searching for a decompiler for this kind of CPU machine code, if someone knows of one....
Best Regards. |
|
  Bicephale
join:2005-09-24
·TekSavvy Solutions..
| Hi Cidi Rome,
Please let me check if I understood you correctly: it seems the E-JTAG restore procedure failed on an ST516v6 branded by a Portuguese ISP and yet you're confident that your backup copy has been collected successfully! Well, there's a question in my mind which I must ask: did you try to check positively that the data hasn't been corrupted by comparing a 2nd backup to the 1st one? No user should discuss openly about patching code here and now it appears that some custom FirmWares might very well prevent the legitimate use of this backup/restore tool; I hope that the readers will appreciate this renewed warning: don't mess with this if you can't afford the loss!!! Once again your precious contribution is noted as this leaves you with a pair of bricked modems and your unfortunate situation is likely to last for weeks if not months - hence, my advice to the ST owners who wonder what's the status of this old thread: the initial purpose was to provide an "insurance" which we'd rather not use unless it is absolutely necessary. Don't try an E-JTAG restore until further notice or get prepared to assume the consequences because right now this concept hasn't been proven to work just yet. The SpeedTouch line of products is widely distributed, I have no doubt that progress will be made but we must be patient.
In the meantime, Cidi Rome, I truly wish that this is not definitive! I invite you to come back here regularly to keep us posted, maybe 2008 will turn these failures into some stories you can laugh at.
Happy new year, anyway!
 |
|
  Cidi Rome
join:2007-12-12
| reply to Bicephale Hi there... I'm already on 2008....- 
About the bricked Routers...
Only ST585 is Bricked and I have learned much with it, so I think it is not for long.
About ST516, I have the backups, and in the meanwhile I've learned how to flash them to the router successfully and correctly. I said "I advise not to flash it back" because I noticed that write was wrong (some bytes exchanged with others), but I know how to prepare the source file to get a good flash.
About the "custom firmwares" I have to say I believe that this situation is the same for the regular ones (firmwares) and I don't think the real problem is the firmware but the boot-loader (cfe).
About the safety of the operation I say that if you connect the JTAG (and all the necessary connections) correctly, only use the parameter /backup:cfe|nvram|kernel|wholeflash and don't mess with /flash: or /erase: there is little chance to brick your router.
Best Regards to everyone and
HAPPY NEW YEAR! |
|
  Cidi Rome
join:2007-12-12
| reply to Bicephale Hi there....
Good News.
Here is the utility you need to backup/flash successfully Speedtouch Routers (for windows), tested on ST516v6, and I will test soon on ST585 (I will try to de-brick the one I've bricked).
Best Regards. |
|
 chaveiro
join:2007-12-06
4 edits | Hi Cidi,
Please post the saved files for your locked st516 as I posted for st585v6, it might be useful for someone.
The JTAG programmer I used is this generic one, it has drivers so it is safer to use »shop.gtronica.com/product_info.p···ts_id=53 and modified the flat cable pinout to the modem pins.
To write a saved file you must do some byte flip to the read file.
I use a program named Hex Workshop 5.0 for windows. And do:
1. open read file (must do to all: cfe, kernel and nvram)
2. choose tools -> byteflip -> 32bits -> OK
3. choose tools -> byteflip -> 16bits -> OK
4. save new modified file and write this new file to modem
The write of the complete flash via this method takes about 8hrs, I've done it!
You can safely backup and restore the 585v6 and possibly all other supported models via this method.
PS: For someone with an unlocked ST858v6 please post the CFE file. Thank you. (See previous post how to.) |
|
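The byte-flip steps from the post above, as an added example that is not part of the original thread or of the wrt54g tool. It assumes that Hex Workshop's "byteflip" reverses the byte order inside each unit of the chosen width; the function names are hypothetical. Because the two flips together only swap the 16-bit halves of each 32-bit word, running the conversion twice must return the original dump, which the script uses as a self-check before writing the output file.

```python
import sys


def byteflip(data: bytes, width: int) -> bytes:
    """Reverse the byte order inside every `width`-byte unit (assumed flip behaviour)."""
    if width not in (2, 4):
        raise ValueError("width must be 2 (16 bits) or 4 (32 bits)")
    if len(data) % width:
        raise ValueError(f"length {len(data)} is not a multiple of {width}")
    out = bytearray(len(data))
    for off in range(0, len(data), width):
        out[off:off + width] = data[off:off + width][::-1]
    return bytes(out)


def prepare_for_write(dump: bytes) -> bytes:
    """Steps 2 and 3 of the post: 32-bit flip, then 16-bit flip."""
    return byteflip(byteflip(dump, 4), 2)


def first_mismatch(a: bytes, b: bytes) -> int:
    """Offset of the first differing byte, or -1 when both images are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


if __name__ == "__main__":
    # usage: python byteflip.py <dump read from modem> <file to write back>
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        dump = f.read()
    image = prepare_for_write(dump)
    # Converting twice must reproduce the dump byte for byte.
    if first_mismatch(prepare_for_write(image), dump) != -1:
        sys.exit("self-check failed, not writing output")
    with open(dst, "wb") as f:
        f.write(image)
    print(f"wrote {len(image)} bytes to {dst}")
```

`first_mismatch` can also be run on two successive backups of the same region to confirm a read was stable before anything is written.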
  Cidi Rome
join:2007-12-12
| reply to Bicephale Hi there.
With the utility I posted and the passive JTAG I made, I'm able to flash the "wholeflash.bin" in about 90 minutes and read it in less than 10 minutes using an actual computer (Core 2 Duo).
About the files, I will post them soon.. I have to change the MAC and Serial Number from the files (CFE & Wholeflash) to prevent any unexpected thing....
Chaveiro, Add my MSN (cidirome@hotmail.com), I suspect we can talk in Portuguese with each other, in this case I'll send you the files directly.
Best Regards. |
|
  Bicephale
join:2005-09-24
·TekSavvy Solutions..
| Hi Cidi Rome,
Wow, those are great news!!! So, I guess that the restored content was corrupted indeed! Right!?...
Well, I'm glad to be proven wrong about "patching" FirmWare: it would have been perfectly legitimate to discuss over your need to compensate for such a major defect in the E-JTAG tool itself! What made you become aware of the situation? Comparisons of the "before" and "after" Flash images, I'd bet?...

I had concerns that the FirmWare was making use of Spansion's Electronic Serial Number (ESN) feature, it seemed to me that maybe it could have prevented a regular restore process to succeed, somehow, but now I read that your ST516v6 is back to the way it was: it was effectively bricked and now it isn't.
Sorry, I'm afraid I was wrong about many things in the end but that's a relief in such circumstances!

I can see that Chaveiro paid us a visit, on top of that... It's a promising prospect and I'm really pleased for you. Thanks for the feed-back, I must confess the thread needed that since I started it!
Good luck! Happy new Year everyone!!!
 |
|
  Cidi Rome
join:2007-12-12
| reply to Bicephale Hi there.
It was with the ST516v6 that I discovered that the writings to the flash were wrong...
I discovered too that it was related to the "pracc" writes (non DMA) of the wrt program, since I wasn't able to write in DMA mode I wrote with nodma parameter...
Later I discovered why the DMA functions didn't work and changed them... The changed program I up-loaded includes the correction for pracc and dma writes.
About the FLASH Serial Number you said, I have to recall that I had 2 ST516v6 in the game, one of them that I have never written anything to, only read to prevent bricking it... In one instance the bricked one worked with the CFE of the other, Serial Number and MAC appeared in the Thomson Firmware upgrade tool and at the Firmware upgrade tool itself.
Anyway I still think there is an error in the Pracc writing procedures of the original program, but I may be wrong and that situation may only be true when using Speedtouch routers. The DMA procedures would write correctly, I changed only the way of working...
Best Regards. |
|
 chaveiro
join:2007-12-06
1 edit | Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access
 JTAG PATEL |
This is my active jtag tool schematic. I bought it assembled at »shop.gtronica.com/product_info.p···ts_id=53 |
|
  Cidi Rome
join:2007-12-12
| reply to Bicephale Good Night.
Chaveiro, thanks for the information (not for me, but I think it is very useful).
I'm now posting the dumps files of ST516v6. Changed S/N to: (CP)1234ABCDE and MAC to: F1F2F3F4F5F6
Hope the files are useful.
Best Regards. |
|