dslreports logo
 
    All Forums Hot Topics Gallery
spc
uniqs
393
mlord
join:2006-11-05
Kanata, ON

1 edit

1 recommendation

mlord

Member

Re: Upgrading Firmware on Thompson DCM475


The test setup.. forgot to disconnect the Logic Analyzer
Unfortunately the new 3.3V Arduino w/USB died after just a minute or so of use. So for now, I'm back to the serial port version at 5V. Turns out level shifting is a non=issue. I was all set to do it, but just hooked things up without it for a trial, and it all works!

Dumping 32mbits of flash now.
...
00009f50 00 6a 00 69 00 0a 50 70 61 6e 00 01 00 01 00 08 |.j.i..Ppan......|
00009f60 6d 46 57 4c 00 01 00 08 52 53 54 4c 00 01 00 19 |mFWL....RSTL....|
00009f70 54 48 4f 4d 00 01 00 00 07 44 43 4d 34 37 35 00 |THOM.....DCM475.|
00009f80 00 04 31 2e 30 00 00 00 4c 52 43 41 20 00 03 00 |..1.0...LRCA ...|
00009f90 00 00 00 44 43 4d 34 37 35 00 00 00 00 00 00 00 |...DCM475.......|
00009fa0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
...

More later, whenever it finishes (hours, likely).

Teddy Boom
k kudos Received
Premium Member
join:2007-01-29
Toronto, ON

Teddy Boom

Premium Member

said by mlord:

Unfortunately the new 3.3V Arduino w/USB died after just a minute or so of use.

So for now, I'm back to the serial port version at 5V. Turns out level shifting is a non=issue.

Interesting... I think maybe the 3.3V got over loaded because of other loads on the modem board. Maybe the 5V Arduino is more robust--outputs more current. It takes around 0.5A from my bench supply when I apply power direct to the chip in circuit, some modems close to 1A.

5V is on the edge really.. If it is really 4.8V, then I'm sure it is pretty safe (though I'd like to keep it 4V and lower normally). If it is really 5.5V I think you are risking the modem..
said by mlord:

...
00009f50 00 6a 00 69 00 0a 50 70 61 6e 00 01 00 01 00 08 |.j.i..Ppan......|
00009f60 6d 46 57 4c 00 01 00 08 52 53 54 4c 00 01 00 19 |mFWL....RSTL....|
00009f70 54 48 4f 4d 00 01 00 00 07 44 43 4d 34 37 35 00 |THOM.....DCM475.|
00009f80 00 04 31 2e 30 00 00 00 4c 52 43 41 20 00 03 00 |..1.0...LRCA ...|
00009f90 00 00 00 44 43 4d 34 37 35 00 00 00 00 00 00 00 |...DCM475.......|
00009fa0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
...

More later, whenever it finishes (hours, likely).

Looking good
mlord
join:2006-11-05
Kanata, ON

mlord

Member

Click for full size
SPI activity
Well, that wasn't so bad. I've now got an exactly 4 MByte file with a binary dump of the entire flash chip inside. Oddly enough, none of the flash is write-protected either, according to the chip status register.

I'm going to dump it a few more times and check for bit errors between the various dumps. Meanwhile, here's a look at the logic analyzer display during the dumping..
mlord

3 edits

mlord to Teddy Boom

Member

to Teddy Boom
said by Teddy Boom:

said by mlord:

Unfortunately the new 3.3V Arduino w/USB died after just a minute or so of use.
So for now, I'm back to the serial port version at 5V. Turns out level shifting is a non=issue.

Interesting... I think maybe the 3.3V got over loaded because of other loads on the modem board.

No, it died before ever being connected to anything other than my PC's USB port. A not uncommon issue, apparently. I'm checking to see if I can get it replaced under warranty.
quote:
5V is on the edge really.. If it is really 4.8V, then I'm sure it is pretty safe (though I'd like to keep it 4V and lower normally). If it is really 5.5V I think you are risking the modem..
I'm powering the flash chip with 3V, but feeding it TTL signal levels for the SPI lines. A paper I read earlier suggests this is kosher, and thus far it seems to be. The only real concern was whether the MISO data line from the flash chip would have a high enough logic "1" voltage to work with the Arduino. Correction: I did keep the level conversion for MSIO after all. So just that one line (data-out from the flash chip) gets up-shifted to 5V logic.

Cheers
mlord

mlord

Member

Mmm.. interesting. You know how these modems always chop off the log messages displayed in the web interface? Well.. the full log messages (not chopped) are stored near the end of flash.

TSI Gabe
Router of Packets
Premium Member
join:2007-01-03
Gatineau, QC

TSI Gabe

Premium Member

I've been meaning to get one of these for a while.

»www.adafruit.com/products/757

Conversion from 3.3 to 5v or the other way around is way too common.
mlord
join:2006-11-05
Kanata, ON

1 edit

mlord

Member

Yeah, that's the same type of gizmo I'm using here, except mine is from SparkFun: »www.sparkfun.com/products/8745
Edit: But I like the one you posted the link for even better. Gotta get some!

Handy little sucker. I'm actually using the "LV" (Low Voltage) side to POWER the flash chip in-circuit inside the modem. Works rather well!

After disconnecting the logic analyzer, the loading on the pins is now low enough that I'm getting very consistent error-free dumps every time. Takes just under 19 minutes to dump all of flash in ASCII-hex (with spaces) over the serial link. I can speed that up by eliminating the spaces between byte values, which ought reduce the time by 1/3 or so.

At this point, I'm just about ready to borrow a modem with 02.16 firmware to read the image out of.

Cheers
mlord

mlord

Member

said by mlord:

Unfortunately the new 3.3V Arduino w/USB died after just a minute or so of use.

After some research, it turns out it wasn't dead after all -- just getting stuck somewhere. I've revived it now, and the setup is much simpler using it, with built-in USB and 3V logic. Just six(6) wires from it to clips on the flash chip, and nothing else required.

After I re-rip the flash a few times, I'll start playing with the scarier business of erasing/programming the flash and see how that turns out.

Very, very, close now!
mlord

mlord

Member

Six minutes and thirty-seven seconds to rip and transfer the 4MBytes of flash, using a 1Mhz SPI clock. That's good, I suppose. Programming will be slower.

Speaking of which, I can't just shove the entire image from another modem into this one, or can I? Surely there's an area in flash that records the MAC addresses for the modem? I do see the MAC address in several places, in both binary and formatted ASCII.

Teddy Boom?
mlord

1 edit

mlord

Member

Okay, there are several distinct regions within the 4MBytes of flash.

The first 64KB appears to be a fixed "bootloader" area, including MAC address and various crypto certificates.

The area from 0x010000 to 0x1fffff (2MB less 64KB in size) is likely the "factory image" area. This consists of a firmware code image, plus padding. The odd thing is, there's a bunch of "junk" in the first few 64KB blocks following the "used portion" of the image here, possibly leftovers from an earlier/larger "manufacturing/test image" at the factory. The "regular" image padding appears to be 16KB blocks of 0xffffffff, except with the first 32-bits of each 16KB block zeroed out 0x00000000.

The area from 0x200000 to 0x3effff (same size as above) looks like the "secondary image" area, used for new firmware downloads in the field. The suspicion is that if a valid image is found here, then the booloader uses it rather than the "factory" image. Currently on my modem, it's a duplicate of the factory image, minus the "junk", with "regular" padding as described above.

It's not clear if field upgrades alternate between the two images, or always go only to the second image. I can probably find out with some experimentation once I have the 02.16 image to play with alongside the 02.08 image.

The final 64KB of flash is mainly used as a set (two sets?) of log buffers.

Since none of the flash has been write-protected, it's easy to do all kinds of experimentation without having to lift the WE (Write Enable) pin.

Time to start erasing/programming things now.
vientito1
join:2009-01-09

vientito1

Member

Is Rogers the only company refusing to upgrade firmware? How about Videotron? Are they holding the same deplorable attitude and practice?
mlord
join:2006-11-05
Kanata, ON

mlord

Member

Dunno. But for most modems, we can now do it ourselves, or take/send it to Toronto to have it done. I'll be offering updates to DCM-475 modems here in Ottawa shortly.

Cheers

Gone
Premium Member
join:2011-01-24
Fort Erie, ON

Gone to vientito1

Premium Member

to vientito1
said by vientito1:

Is Rogers the only company refusing to upgrade firmware? How about Videotron? Are they holding the same deplorable attitude and practice?

For what it's worth, Cogeco will update the firmware of any supported modem connected to its network, regardless of who owns it.
vientito1
join:2009-01-09

vientito1

Member

Please give out sites where we could find info about DIY flashing of most brands we find on market. I have googled but failed to get any useful info so far.

omasse
join:2004-12-21
Montreal, QC

omasse to vientito1

Member

to vientito1
said by vientito1:

Is Rogers the only company refusing to upgrade firmware? How about Videotron? Are they holding the same deplorable attitude and practice?

Couldn't tell for sure, but mine updated itself from STAC.55.01 to STAC.55.04 the first time it joined their network last Februrary. They deactivated the web interface a month later and I haven't been commited enough to find out if they pushed new versions since then.

That's a fascinating thread thanks to mlord and Teddy Boom. Lots of good info in here.

Teddy Boom
k kudos Received
Premium Member
join:2007-01-29
Toronto, ON

Teddy Boom to vientito1

Premium Member

to vientito1
said by vientito1:

Please give out sites where we could find info about DIY flashing of most brands we find on market. I have googled but failed to get any useful info so far.

Lots of references in this thread to starting points. I hate to be like this, but if you aren't finding anything you aren't looking hard enough. I don't want to go any further in the direction of "how to hack cable internet" so I'm not going to hold your hand on this.
mlord
join:2006-11-05
Kanata, ON

mlord

Member

said by mlord:

Time to start erasing/programming things now.

Hit a snag here. The USB/Serial code in Arduino is buggy on the receive side, so I've yet to get it to reliably receive programming data from the host. After banging against the wall for a very long time, I found this discussion of the exact same issue:

»code.google.com/p/arduin ··· l?id=998

So.. I'll have to implement a workaround, I guess. Or figure out how to rebuild/reprogram the Arduino system software.

Cheers

Teddy Boom
k kudos Received
Premium Member
join:2007-01-29
Toronto, ON

Teddy Boom

Premium Member

said by mlord:

Hit a snag here.

D'oh! You were making very impressive progress! Everything was going a little too well for you, I guess, time to pay
mlord
join:2006-11-05
Kanata, ON

2 edits

mlord

Member

Workaround now implemented, doing some dry-runs with it now: transfering data, and pretending to erase/program without actually doing it.

Edit: 15 minutes and 6 seconds to transfer the data, without programming the flash for real./edit

Slow. Might take 20 minutes to program the 2MB- file. That's not horrendous, though I was hoping to do it in under 10 minutes. Bedtime now. I'll continue this after work on Friday.

Cheers

Edit: For the curious, the receive buffer seems to overflow after 63-64 bytes on this Arduino board. So, I'm sending the page (256 bytes) data as a series of buffer-fill commands, with each command line never longer than 62 bytes. The Arduino sends back an ack to the host after receipt of each buffer-fill, and the host waits for the ack before sending the next one. After all 256 bytes have been buffered, the host then sends a "program page" command to the Arduino. I could get rid of that last step with some optimization, but it's in there for now.

The 63-64 byte limit likely comes from the USB packet size of 64 bytes for a "full speed" connection like this one. Unnecessary, but due to an Arduino bug that's the limit.
mlord

mlord

Member

said by mlord:

:) Workaround now implemented, doing some dry-runs with it now: transfering data, and pretending to erase/program without actually doing it.

Edit: 15 minutes and 6 seconds to transfer the data, without programming the flash for real./edit

I've now figured out how to hack the Arduino core software, and got the transfer time down to under 9 minutes now. Much better!

Teddy Boom
k kudos Received
Premium Member
join:2007-01-29
Toronto, ON

Teddy Boom

Premium Member

A fellow Teksavvy reseller brought over a couple of DCM475s this morning. I've now got a copy of 2.16, and I was able to upgrade a modem. Not very thoroughly tested yet, because the upgraded modem is not subscribed on an account, but it certainly did the basics.

Funny how we are both making progress at the same time after most of a year of the issue, but better late than never

HiVolt
Premium Member
join:2000-12-28
Toronto, ON

HiVolt

Premium Member

said by Teddy Boom:

Funny how we are both making progress at the same time after most of a year of the issue, but better late than never

That's nice, but what isn't funny is that TekSavvy isn't getting anywhere in getting these issues resolved the way they should be, by a simple firmware push.

TSI Gabe
Router of Packets
Premium Member
join:2007-01-03
Gatineau, QC

TSI Gabe

Premium Member

Trust me...we are working on this. On many different levels. Including looking at hacks like in this thread.

HiVolt
Premium Member
join:2000-12-28
Toronto, ON

HiVolt

Premium Member

said by TSI Gabe:

Trust me...we are working on this. On many different levels. Including looking at hacks like in this thread.

Good to hear.
mlord
join:2006-11-05
Kanata, ON

mlord to Teddy Boom

Member

to Teddy Boom
said by Teddy Boom:

A fellow Teksavvy reseller brought over a couple of DCM475s this morning. I've now got a copy of 2.16

Peachy. Which of the two flash images did you replace, the first one, or the second?

I ripped 02.16 from another modem this afternoon, and found it in the first partition. The second partition had 02.08. So perhaps the "factory" image is the one at 00200000 rather than the one at 00010000.

Or more likely, it doesn't matter.. bootloader just picks the newest valid image (?).

Teddy Boom
k kudos Received
Premium Member
join:2007-01-29
Toronto, ON

Teddy Boom

Premium Member

said by mlord:

Which of the two flash images did you replace, the first one, or the second?

I ripped 02.16 from another modem this afternoon, and found it in the first partition. The second partition had 02.08. So perhaps the "factory" image is the one at 00200000 rather than the one at 00010000.

Cheers

I found the same thing. On the 2.16 modem it was 2.16 in image0 and 2.08 in image1. On the 2.08 modem it had 2.08 in both locations. I replaced both on the 2.08 modem. I had to erase and flash the entire firmware at the time, because I didn't have a proper USBJTAG xml file for the DCM475. I've now created that xml, so I could experiment, but I don't have any modems to play with any more

I don't know if my theory about the two images works. It seems to mostly work, and on the DCM425 it seems to always work that way, but... I guess there must be an environment variable that chooses which fw to boot from. Annoying.
mlord
join:2006-11-05
Kanata, ON

1 edit

mlord to Teddy Boom

Member

to Teddy Boom
said by Teddy Boom:

Not very thoroughly tested yet, because the upgraded modem is not subscribed on an account, but it certainly did the basics.

Once I've reprogrammed my own modem a few times (also not subscribed), I will likely borrow a subscribed stac 02.08 modem from a different buddy, and try it on that one. That should be the acid test, I think.

Teddy Boom
k kudos Received
Premium Member
join:2007-01-29
Toronto, ON

Teddy Boom

Premium Member

said by mlord:

Once I've reprogrammed my own modem a few times (also not subscribed), I will likely borrow a subscribed stac 02.08 modem from a different buddy, and try it on that one. That should be the acid test, I think.

To be honest, if it boots it is good. I'm just a little paranoid
mlord
join:2006-11-05
Kanata, ON

mlord

Member

Click for full size
Up-to-date, at last!
Same deal. I replaced image0 at first, but the modem came up as 02.08 still. Then I flashed the exact same firmware into image1, and.. presto!

Also verified that the MAC address is still the original, and it is.

mlord

1 recommendation

mlord

Member


Sparkfun Arduino Pro Micro 3.3V
The final version of the flash rig. Pretty darned simple.