dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
30
share rss forum feed

mlord

join:2006-11-05
Nepean, ON
kudos:13
Reviews:
·Start Communicat..
·TekSavvy Cable
reply to Anon

Re: Upgrading Firmware on Thompson DCM475

Yup. Okay, so you're just clipping the JTAG thingie onto the flash chip, and extracting the contents over SPI, right? I'll see if I have something here to do that.

But yes, best would be for someone in Toronto to let you at their DCM-475 w/01.16 for ten minutes or so. Anyone? Teksavvy themselves? (ha ha).

Cheers



Teddy Boom
k kudos Received
Premium
join:2007-01-29
Toronto, ON
kudos:20

said by mlord:

Yup. Okay, so you're just clipping the JTAG thingie onto the flash chip, and extracting the contents over SPI, right? I'll see if I have something here to do that.

Yes, exactly. Anything that can read an SPI flash is good enough. Then there is a little work figuring out which part of the flash dump is the actual firmware, which should be very simple.

Technically, I don't know for sure that the DCM475 is SPI, but every other D3 modem I've seen is--sometimes 8 pin, but mostly 16 pin.
--
electronicsguru.ca/for_sale/Cablemodems

mlord

join:2006-11-05
Nepean, ON
kudos:13
Reviews:
·Start Communicat..
·TekSavvy Cable


Flash chip from dcm475 02.08

chip markings
Here's the flash chip, 16-pins:

mlord

join:2006-11-05
Nepean, ON
kudos:13
Reviews:
·Start Communicat..
·TekSavvy Cable

3 edits

Best link I've found thus far for something resembling a datasheet for it:

»www.spansion.com/Support/Datashe···A_00.pdf

Edit, yeah that's the part all right.
3.0V 32mbit SPI NOR flash memory chip.


mlord

join:2006-11-05
Nepean, ON
kudos:13
Reviews:
·Start Communicat..
·TekSavvy Cable

I don't have any SPI masters at hand that I'm familiar with, but I do have a spare Arduino board here which undoubtedly groks SPI.

Otherwise I've got some USB->GPIO dongles that I can program to do the transfer. That might be quicker for me, because I've not bothered to learn the ins/outs of Arduino yet.



Teddy Boom
k kudos Received
Premium
join:2007-01-29
Toronto, ON
kudos:20

1 edit

said by mlord:

I don't have any SPI masters at hand that I'm familiar with, but I do have a spare Arduino board here which undoubtedly groks SPI.

Otherwise I've got some USB->GPIO dongles that I can program to do the transfer. That might be quicker for me, because I've not bothered to learn the ins/outs of Arduino yet.

Might be a fun project, but I'm not sure it is worth the effort

What we really need is somebody in Ottawa, and another in Kitchener/Waterloo, willing to do the flashing for other TPIA cable customers. Those people could be set up with a full set of equipment at reasonable cost. That would reduce this entire issue to annoyance level.
--
electronicsguru.ca/for_sale/Cablemodems

mlord

join:2006-11-05
Nepean, ON
kudos:13
Reviews:
·Start Communicat..
·TekSavvy Cable

1 edit

That's more or less what I've got in mind. Once I get it working here, I have several friends with 02.08 modems that will likely need upgrades soon. And I'd be willing to take on any others that are needy and aware enough to find me.

Curiously, the modem has a 4-pin header and a 4-pin socket near the flash chip, but it appears to be a 3V serial port for the processor rather than SPI for the flash. I should hook it up and see what it does at some point.

Doing a bit of simple math, my USB->GPIO adapter will be much too slow for the 32mbit flash contents, so I think I'll have to program the Arduino board to do it for me. They have a handy SPI library and tools, just gotta learn to use them. Might take a few days before I'm ready.

Cheers


AtomicVGZ

join:2011-10-03
Orleans, ON

Sign me up!



Teddy Boom
k kudos Received
Premium
join:2007-01-29
Toronto, ON
kudos:20
reply to mlord

said by mlord:

Curiously, the modem has a 4-pin header and a 4-pin socket near the flash chip, but it appears to be a 3V serial port for the processor rather than SPI for the flash.

Two different 4 pin ports?! Certainly one is a serial port. The firmware you are running will have locked console, but you'll be able to see some output from it. If there is a second.. I've no idea what that would be. Maybe an unused USB location...
--
electronicsguru.ca/for_sale/Cablemodems

mlord

join:2006-11-05
Nepean, ON
kudos:13
Reviews:
·Start Communicat..
·TekSavvy Cable

1 edit


Internal (serial?) connectors
Not two ports, just two connectors for the same port. Strange.

Meanwhile, I've got my Arduino board running, with a very basic SPI routine clocking at 8MHz, hooked up to the logic analyzer. Looks good there -- the built-in SPI interpreter has no trouble understanding the address/data bytes.

From that I'll need to write some code to parameterize the address and data values, and to relay stuff over the serial/USB interface to a PC. Once that's working, it's pretty simple for me to whip up code on the PC to issue commands to the flash chip.

Not that I wanted an "easy" project or anything, but my Arduino is a 5V part, so I'll also have to add some level shifting to the circuit before I can finally hook it up to the 3V flash part in the modem.


Teddy Boom
k kudos Received
Premium
join:2007-01-29
Toronto, ON
kudos:20

That two places for the same port thing must just be a manufacturing feature of some sort. The white header is on all RCA modems, but it is hard to connect and reconnect to in bulk. The black one near the edge would be much more convenient to use on the assembly line. I sure wish they had the black one on DCM425s, it would make my life easier! But ya, still strange..

I'm sure you already know about using Nokia DKU-5 cables to connect to 3.3V serial ports:
»www.ebay.com/sch/i.html?_nkw=dku···m=&_ipg=

USBJTAG NT has data rates of 3/6/12MHz, so I'm guessing your 8MHz Arduino should be in the ball park for sure. Not a project I'd choose to take on myself, but I guess I'm just stuck in my analog past
--
electronicsguru.ca/for_sale/Cablemodems


mlord

join:2006-11-05
Nepean, ON
kudos:13
Reviews:
·Start Communicat..
·TekSavvy Cable

said by Teddy Boom:

USBJTAG NT has data rates of 3/6/12MHz, so I'm guessing your 8MHz Arduino should be in the ball park for sure. Not a project I'd choose to take on myself, but I guess I'm just stuck in my analog past

Heh, I'd probably have ordered a USBJTAG-NT by now if their website would stop crashing long enough to read more about it -- perhaps you've triggered a mini "slashdot effect" on them.

But it's a good excuse to finally play with Arduino, and things are simpler than I expected there. I might buy a newer Arduino board though, to get 3V logic levels along with built in 12mbit USB. My current board can clock SPI at 8MHz, but is constricted on data transfers to/from the outside world: serial, 115200bps. But for now, I'll try and get it all working with what I have on hand -- it should still take less than 10 minutes to move 4MBytes over that serial link.


Teddy Boom
k kudos Received
Premium
join:2007-01-29
Toronto, ON
kudos:20

said by mlord:

it should still take less than 10 minutes to move 4MBytes over that serial link.

Some cable modems have 16MByte flash!
--
electronicsguru.ca/for_sale/Cablemodems

mlord

join:2006-11-05
Nepean, ON
kudos:13
Reviews:
·Start Communicat..
·TekSavvy Cable

I've now broken down and ordered an Arduino Pro Micro 3.3V board for this project. It should be here on Wednesday, and ought to simplify things: faster comms, and no need for level shifting.

Still looking for a cheaper source for the clip-on connector ($12 shipping for a $12 part??).

Cheers


mlord

join:2006-11-05
Nepean, ON
kudos:13
Reviews:
·Start Communicat..
·TekSavvy Cable

Update: things are moving along.

Got the 3.3V Arduino board today -- have to get it running soon.
Also have all of the code written and tested (with logic analyzer) for dumping / programming flash on the Arduino.

Haven't found a more affordable source for the (excellent) recommended test clips, but just noticed that the EZ-Hook clips from the analyzer work very well on the in-circuit flash chip. So I'll just use those, since I've got lots of them on hand.

So I'm pretty close to hook-up time. Once I get the new 'duino going, the first task is to rip the 02.08 firmware a few times via different sequences, and do binary compares to judge the reliability of the communications. Then try erasing and reprogramming just the 02.08 firmware, and do readback/verify again.

If that all works, I'll get hold of the 02.16 modem and snatch a copy of the latest firmware from it.

Cheers



Teddy Boom
k kudos Received
Premium
join:2007-01-29
Toronto, ON
kudos:20

said by mlord:

So I'm pretty close to hook-up time. Once I get the new 'duino going, the first task is to rip the 02.08 firmware a few times via different sequences, and do binary compares to judge the reliability of the communications. Then try erasing and reprogramming just the 02.08 firmware, and do readback/verify again.

If that all works, I'll get hold of the 02.16 modem and snatch a copy of the latest firmware from it.

Install the USBJTAG software and take a look at how cable modem flash is organized on other modems, it will help a lot. If you need a flash dump from a modem, I can pass that along..

In particular, what you'll find is that some of the firmware will be human readable. Try searching for "DCM" and "docsis" in a hex editor. If you've read the firmware properly you should find strings like that. When my friend read a DCM425 chip for me, the bytes always came out flipped:
If I load 425-1.bin into USBJTAG and then inspect image0 I see the
string as follows:
CD4M525-.2803.-1118032S-.Sib.n

Flip the bits and I get:
DCM425-52.08.31-110823-SS.bin.

So maybe it is all just pairwise swapped?!?!
So I googled around a bit and found HEX Workshop, which conveniently has a byte swap feature. Not long after that I had a working ST52.08.31 image.
»www.hexworkshop.com/

Unfortunately no Sayal in Ottawa:
»www.sayal.com/zinc/zinc_contactus.asp
But there must be an electronics supply place.. Not sure about test clips, but they aren't that obscure, so the odds can't be too bad.
--
electronicsguru.ca/for_sale/Cablemodems


TSI Gabe
Premium,VIP
join:2007-01-03
Chatham, ON
kudos:7

That's called Endianness

»en.wikipedia.org/wiki/Endianness

x86 are little endian

While in this case is likely MIPS based which is usually big endian.
--
TSI Gabe - TekSavvy Solutions Inc.
Authorized TSI employee ( »TekSavvy FAQ »Official support in the forum )



Teddy Boom
k kudos Received
Premium
join:2007-01-29
Toronto, ON
kudos:20

said by TSI Gabe:

That's called Endianness

Thanks! I've heard of little endian and big endian before, and I probably even dealt with the ideas a little 15 years ago, but I sure didn't make the connection.

I mentioned that I'm an analog guy right?
--
electronicsguru.ca/for_sale/Cablemodems

mlord

join:2006-11-05
Nepean, ON
kudos:13
Reviews:
·Start Communicat..
·TekSavvy Cable

1 edit
reply to mlord


The test setup.. forgot to disconnect the Logic Analyzer
Unfortunately the new 3.3V Arduino w/USB died after just a minute or so of use. So for now, I'm back to the serial port version at 5V. Turns out level shifting is a non=issue. I was all set to do it, but just hooked things up without it for a trial, and it all works!

Dumping 32mbits of flash now.
...
00009f50 00 6a 00 69 00 0a 50 70 61 6e 00 01 00 01 00 08 |.j.i..Ppan......|
00009f60 6d 46 57 4c 00 01 00 08 52 53 54 4c 00 01 00 19 |mFWL....RSTL....|
00009f70 54 48 4f 4d 00 01 00 00 07 44 43 4d 34 37 35 00 |THOM.....DCM475.|
00009f80 00 04 31 2e 30 00 00 00 4c 52 43 41 20 00 03 00 |..1.0...LRCA ...|
00009f90 00 00 00 44 43 4d 34 37 35 00 00 00 00 00 00 00 |...DCM475.......|
00009fa0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
...

More later, whenever it finishes (hours, likely).


Teddy Boom
k kudos Received
Premium
join:2007-01-29
Toronto, ON
kudos:20

said by mlord:

Unfortunately the new 3.3V Arduino w/USB died after just a minute or so of use.

So for now, I'm back to the serial port version at 5V. Turns out level shifting is a non=issue.

Interesting... I think maybe the 3.3V got over loaded because of other loads on the modem board. Maybe the 5V Arduino is more robust--outputs more current. It takes around 0.5A from my bench supply when I apply power direct to the chip in circuit, some modems close to 1A.

5V is on the edge really.. If it is really 4.8V, then I'm sure it is pretty safe (though I'd like to keep it 4V and lower normally). If it is really 5.5V I think you are risking the modem..
said by mlord:

...
00009f50 00 6a 00 69 00 0a 50 70 61 6e 00 01 00 01 00 08 |.j.i..Ppan......|
00009f60 6d 46 57 4c 00 01 00 08 52 53 54 4c 00 01 00 19 |mFWL....RSTL....|
00009f70 54 48 4f 4d 00 01 00 00 07 44 43 4d 34 37 35 00 |THOM.....DCM475.|
00009f80 00 04 31 2e 30 00 00 00 4c 52 43 41 20 00 03 00 |..1.0...LRCA ...|
00009f90 00 00 00 44 43 4d 34 37 35 00 00 00 00 00 00 00 |...DCM475.......|
00009fa0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
...

More later, whenever it finishes (hours, likely).

Looking good
--
electronicsguru.ca/for_sale/Cablemodems

mlord

join:2006-11-05
Nepean, ON
kudos:13
Reviews:
·Start Communicat..
·TekSavvy Cable
reply to mlord

Click for full size
SPI activity
Well, that wasn't so bad. I've now got an exactly 4 MByte file with a binary dump of the entire flash chip inside. Oddly enough, none of the flash is write-protected either, according to the chip status register.

I'm going to dump it a few more times and check for bit errors between the various dumps. Meanwhile, here's a look at the logic analyzer display during the dumping..

mlord

join:2006-11-05
Nepean, ON
kudos:13
Reviews:
·Start Communicat..
·TekSavvy Cable

3 edits
reply to Teddy Boom

said by Teddy Boom:

said by mlord:

Unfortunately the new 3.3V Arduino w/USB died after just a minute or so of use.
So for now, I'm back to the serial port version at 5V. Turns out level shifting is a non=issue.

Interesting... I think maybe the 3.3V got over loaded because of other loads on the modem board.

No, it died before ever being connected to anything other than my PC's USB port. A not uncommon issue, apparently. I'm checking to see if I can get it replaced under warranty.

quote:
5V is on the edge really.. If it is really 4.8V, then I'm sure it is pretty safe (though I'd like to keep it 4V and lower normally). If it is really 5.5V I think you are risking the modem..
I'm powering the flash chip with 3V, but feeding it TTL signal levels for the SPI lines. A paper I read earlier suggests this is kosher, and thus far it seems to be. The only real concern was whether the MISO data line from the flash chip would have a high enough logic "1" voltage to work with the Arduino. Correction: I did keep the level conversion for MSIO after all. So just that one line (data-out from the flash chip) gets up-shifted to 5V logic.

Cheers

mlord

join:2006-11-05
Nepean, ON
kudos:13
Reviews:
·Start Communicat..
·TekSavvy Cable

Mmm.. interesting. You know how these modems always chop off the log messages displayed in the web interface? Well.. the full log messages (not chopped) are stored near the end of flash.



TSI Gabe
Premium,VIP
join:2007-01-03
Chatham, ON
kudos:7

I've been meaning to get one of these for a while.

»www.adafruit.com/products/757

Conversion from 3.3 to 5v or the other way around is way too common.
--
TSI Gabe - TekSavvy Solutions Inc.
Authorized TSI employee ( »TekSavvy FAQ »Official support in the forum )


mlord

join:2006-11-05
Nepean, ON
kudos:13
Reviews:
·Start Communicat..
·TekSavvy Cable

1 edit

Yeah, that's the same type of gizmo I'm using here, except mine is from SparkFun: »www.sparkfun.com/products/8745
Edit: But I like the one you posted the link for even better. Gotta get some!

Handy little sucker. I'm actually using the "LV" (Low Voltage) side to POWER the flash chip in-circuit inside the modem. Works rather well!

After disconnecting the logic analyzer, the loading on the pins is now low enough that I'm getting very consistent error-free dumps every time. Takes just under 19 minutes to dump all of flash in ASCII-hex (with spaces) over the serial link. I can speed that up by eliminating the spaces between byte values, which ought reduce the time by 1/3 or so.

At this point, I'm just about ready to borrow a modem with 02.16 firmware to read the image out of.

Cheers


mlord

join:2006-11-05
Nepean, ON
kudos:13
Reviews:
·Start Communicat..
·TekSavvy Cable
reply to mlord

said by mlord:

Unfortunately the new 3.3V Arduino w/USB died after just a minute or so of use.

After some research, it turns out it wasn't dead after all -- just getting stuck somewhere. I've revived it now, and the setup is much simpler using it, with built-in USB and 3V logic. Just six(6) wires from it to clips on the flash chip, and nothing else required.

After I re-rip the flash a few times, I'll start playing with the scarier business of erasing/programming the flash and see how that turns out.

Very, very, close now!

mlord

join:2006-11-05
Nepean, ON
kudos:13
Reviews:
·Start Communicat..
·TekSavvy Cable

Six minutes and thirty-seven seconds to rip and transfer the 4MBytes of flash, using a 1Mhz SPI clock. That's good, I suppose. Programming will be slower.

Speaking of which, I can't just shove the entire image from another modem into this one, or can I? Surely there's an area in flash that records the MAC addresses for the modem? I do see the MAC address in several places, in both binary and formatted ASCII.

Teddy Boom?


mlord

join:2006-11-05
Nepean, ON
kudos:13
Reviews:
·Start Communicat..
·TekSavvy Cable

1 edit

Okay, there are several distinct regions within the 4MBytes of flash.

The first 64KB appears to be a fixed "bootloader" area, including MAC address and various crypto certificates.

The area from 0x010000 to 0x1fffff (2MB less 64KB in size) is likely the "factory image" area. This consists of a firmware code image, plus padding. The odd thing is, there's a bunch of "junk" in the first few 64KB blocks following the "used portion" of the image here, possibly leftovers from an earlier/larger "manufacturing/test image" at the factory. The "regular" image padding appears to be 16KB blocks of 0xffffffff, except with the first 32-bits of each 16KB block zeroed out 0x00000000.

The area from 0x200000 to 0x3effff (same size as above) looks like the "secondary image" area, used for new firmware downloads in the field. The suspicion is that if a valid image is found here, then the booloader uses it rather than the "factory" image. Currently on my modem, it's a duplicate of the factory image, minus the "junk", with "regular" padding as described above.

It's not clear if field upgrades alternate between the two images, or always go only to the second image. I can probably find out with some experimentation once I have the 02.16 image to play with alongside the 02.08 image.

The final 64KB of flash is mainly used as a set (two sets?) of log buffers.

Since none of the flash has been write-protected, it's easy to do all kinds of experimentation without having to lift the WE (Write Enable) pin.

Time to start erasing/programming things now.


vientito1

join:2009-01-09

Is Rogers the only company refusing to upgrade firmware? How about Videotron? Are they holding the same deplorable attitude and practice?


mlord

join:2006-11-05
Nepean, ON
kudos:13

Dunno. But for most modems, we can now do it ourselves, or take/send it to Toronto to have it done. I'll be offering updates to DCM-475 modems here in Ottawa shortly.

Cheers