|
 
diskace
Ebox Senior
Premium,VIP
join:2002-02-21 | Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access what is the subject ?
--
Electronic Box Inc. | |
|
 | |
| |
diskace
Ebox Senior
Premium,VIP
join:2002-02-21
1 edit | Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access Hi bicephale, does the JTAG interface only interact with the BCM chipset ? I thought JTAG was for the entire circuit board.
What are you trying to do ?
--
Electronic Box Inc. | |
|
| | | 
Bicephale
join:2005-09-24
 ·TekSavvy Solutions..
| Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access Hi DiskAce,
I didn't have much time to browse around but if we
can assume that the PinOut information & suggested
interface are correct it means the JTAG feature of
the BCM6348 ChipSet is now available. The archive
which this site links to must be renamed as a .RAR
file. The file inside got no extension but that's
one more .RAR file, apparently, and it extracts as
'HairyDairyMaid_WRT54G_Debrick_Utility_v48'... It
seems what we have here is a 'WRT54G EJTAG DeBrick
Utility' under the form of Linux source code and a
set of Windows binaries. I'd suggest you refer to
'ReadMe.Txt' for details about the supported FLASH
chips, etc... As i wrote in my opening message, i
wanted to read anecdotes from others, not to write
my own! Look at 'jtag-hairydairymaid.png', that's
some 12 pins JTAG Connector in the LinkSys WRT54G;
a .PDF guide is also provided that shows where the
'TRST' pin should go when someone tries to build a
generic JTAG cable. There are passages about some
BCM94710 chip, it also shows two possible layouts:
a VisionIce 14 pins JTAG header or a 12 pins EJTAG
one. My SpeedTouch's BCM chip may use a different
PinOut and yet remain electrically compatible with
the interface described by this document, i guess.
If we're able to backup and restore the FLASH chip
that means we can effectively "De-Brick" our ST5x6
device instead of throwing it away in case of some
incident. During the late storm, for example, the
power outages caused my ST546 to switch to "BootP"
mode. What else could have happened, i wonder but
in another six months i may be able to fix that if
there's a FLASH image file handy. So, i'm curious
to see who was tempted to be the 1st guinea pig so
far since i'd bet others found out before i did...
 | |
|
| | | |
diskace
Ebox Senior
Premium,VIP
join:2002-02-21
1 edit | Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access According to the readme the BCM6348 JTAG support is implemented in the V4.4. I am not sure whether or not the ST780WLi use the BCM6348 chipset but i will try later on this week to make a JTAG connector.
On your side, i would suggest to work on the 546. Pretty sure you will find more informations on their forum »www.f-x.fr/forum/index.php (French) for compatibility with the 546.
BTW the .zip extension is working here.
--
Electronic Box Inc. | |
|
| | | | |
Bicephale
join:2005-09-24
·TekSavvy Solutions..
| Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access Hi DiskAce,
Well, i've found discrepancies already. One ST516
picture to which i linked shows the 4 pins 3 Volts
Console pads and the 14 pins "De-Brick" access but
the European site appears to exchange them! There
is a way to make sure which is which, it happens a
scope trace is included that strongly suggests the
TTL serial port is reached via some of the 14 pins
instead of the four ones but the coulours from the
French text don't match with those on the picture;
unless their orange and my yellow are the same and
both would correspond to pin #8, that is... If it
is so, pin #1 is Tx, pin #4 is Rx, pin #8 is power
(+3.3 Volts) and pin #7 is gound (0 Volts). Also,
they have a 12 pins header were i expected to find
a 14 pins one so i conclude caution is required...
On the ST546 picture, closing up on J3 and J6 will
not allow me to follow signal paths and this means
i'd need to open mine to take even closer shots or
i won't be able to tell where the EJTAG plug goes.
Moreover, the chipset on the ST546 photograph will
be a BroadCom BCM6338, its PinOut may differ quite
radically! I conclude more caution is required!!!
 | |
|
| | | | | |
| | |
|
chaveiro
join:2007-12-06
3 edits | Hello,
I've been able to backup my speedtouch 585 v6 with jtag tool.
Looking for CFE, kernel and nvram from unlocked 585 v6.
This router has custom firmware (AL) from my isp (Sapo from PT) that as no suport nor updated firmware and bootloader does not accept current versions.
If you have a regular 585v6 (software version AA)send me CFE backup !!!
wrt54g.exe -probeonly
====================================
WRT54G/GS EJTAG Debrick Utility v4.8
====================================
Probing bus ... Done
Instruction Length set to 5
CPU Chip ID: 00000110001101001000000101111111 (0634817F)
*** Found a Broadcom BCM6348 Rev 1 CPU chip ***
- EJTAG IMPCODE ....... : 00000000100000000000100100000100 (00800904)
- EJTAG Version ....... : 1 or 2.0
- EJTAG DMA Support ... : Yes
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Done
Halting Processor ... ... Done
Clearing Watchdog ... Done
Probing Flash at (Flash Window: 0x1fc00000) ... Done
Flash Vendor ID: 00000000000000000000000000000001 (00000001)
Flash Device ID: 00000000000000000010001000000000 (00002200)
*** Found a AMD 29lv320MB 2Mx16 BotB (4MB) Flash Chip ***
- Flash Chip Window Start .... : 1fc00000
- Flash Chip Window Length ... : 00400000
- Selected Area Start ........ : 00000000
- Selected Area Length ....... : 00000000
*** REQUESTED OPERATION IS COMPLETE *** | |
|
| 
Angelo_
The Network Guy
Premium
join:2002-06-18 | Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access if you guys need help just ask and i'll do whatever | |
|
| | chaveiro
join:2007-12-06 | Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access Hello Angelo_ you can help if have access to a unlocked speedtouch 585 v6 and can make a jtag backup.
I can help you with conecting jtag cable. | |
|
| | |
Angelo_
The Network Guy
Premium
join:2002-06-18 | Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access i have 516's but they are of the same family and i've been under suspection that the flash is identical... from a good source  | |
|
| | | | chaveiro
join:2007-12-06
3 edits | Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" AccessI dont think they are compatible. Is your modem locked?
If not, post a backup of the CFE file for that modem and you will make many guys happy here in portugal.
1 - Build the cable above, Speedtouch pinout is correct and as follow:
2 - Get »downloads.openwrt.org/utils/Hair···_v48.zip
3 - Issue command: wrt54g -backup:cfe | |
|
ggpr
join:2007-11-23
canada | This may or may not help you guys.
The us robotics 9108 uses the same chip, broadcom 6348 and gives the source code on their site. --may help you to better understand what is going on inside. | |
|
|
| |
| | chaveiro
join:2007-12-06
| Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access Ive tried us robotics firmware, no success. The bootloader of speedtouch aka CFE does not loads it and the usr CFE does not run on speedtouch, at last i could not put it to run.
Anyway.. How can send me backup of a normal 585 v6 CFE file ? (se above how to) | |
|
| |
| | ggpr
join:2007-11-23
canada | Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access I can, it will have to wait until I get home on Thursday. | |
|
Cidi Rome
join:2007-12-12
| Hi there..
Need some help...
I've tried the JTAG connection on the ST516 and ST585 with 3 diferente computers and the software always make this reads for the CPU:
All ones (FFF..) when the Router is turned on.
All Zeros (000..)when the Router is turned off.
If someone can help, now is the time..
My MSN is: cidirome@hotmail.com
Best Regards. | |
|
|
Bicephale
join:2005-09-24
·TekSavvy Solutions..
| Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access Hi Cidi Rome,
Most unfortunately, i never even opened my Thomson
ST546v6 to take a look inside so i'm not the right
guy to testify that 'HairyDairyMaid' is compatible
with that model and hence much less others. There
is one person here who used the tool successfully,
from what i can tell... I'd strongly suggest that
you make contact with Chaveiro as he's provided us
with some practical proof of concept: he captured
the Flash contents and put a BackUp on disk. It's
still unclear if a Restore procedure would work as
well but he's your best bet around here, no doubt!
In the meantime, i suggest you verify that you got
a compatible Flash chip. Otherwise, it will fail. | |
|
Cidi Rome
join:2007-12-12
2 edits | I'm trying to talk with him but He does not answer....
I've spend much time trying to understand how the flash Speedtouch works, and I think I will be able to unlock the Portuguese Routers from Sapo/Telepac if I can put my JTAG cable working.
But at this time I'm stuck. After my last (first) post I have reconstructed my cable with a less lenght cable (now it is only about 20 cm, much less than the Hairy one) and I'm still having the same results for the CPU Id, all zeros with the router off and all ones with the router on or disconnected.
That's all for now,
Best Regards. | |
|
|
Bicephale
join:2005-09-24
·TekSavvy Solutions..
| Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access Hi Cidi Rome,
I'm not at ease when people bring the "lock" thing
on topic around here, the original purpose of this
thread is to provide ST owners a means to garantee
that they can "De-Brick" their unit should a Flash
incident occur. It would be most legitimate to do
BackUps and/or Restores considering the money that
such products might have cost but, please, keep it
private if you must discuss about hacking again as
a locked thread wouldn't be of any help to anyone.
It takes time to gather documentation from diverse
uncoordinated sources so i'd suggest that you post
details about your experiments in the meantime. I
advise you to maximize exposure hoping that search
engines like Google might work for you. Patience! | |
|
Cidi Rome
join:2007-12-12
| Hi there.
Today I tested my cable with the multimeter and checked this measures:
DB25(LPT) - Socket (Router)
Pin2 - Pin3 = aprox 100 Ohm
Pin3 - Pin9 = aprox 100 Ohm
Pin4 - Pin7 = aprox 100 Ohm
pin13 - Pin5 = aprox 100 Ohm
Pin18-25 - Pin2,4,6,8 = Close to 0 Ohm
Tested again with 2 computers and the sames reads for the CPU:
- all zeros with the router off
- all ones with the router on or the cable disconnected.
Chaveiro, where are you, please help.
Best Regards. | |
|
|
Bicephale
join:2005-09-24
1 edit | Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access Hummm...
It's not always a good idea to probe circuits with an Ohm-Meter!
Beware, you were lucky to have 100 Ω limiting resistors but it's
not 100 % safe to inject currents even at such a reduced level... | |
|
|
Bicephale
join:2005-09-24 | Oups! I sort of just woke up from a short afternoon nap...
Disregard my remark, i need to read your post more closely!
 | |
|
Cidi Rome
join:2007-12-12
| One thing came to my mind....
Do you know if the problem my or my not be the printer port set to ECP, EPP or SPP?
Now I'm not at the place where I make the tests but, probably, all the computers I've made tests with have he port set to ECP....
Best Regards. | |
|
|
Bicephale
join:2005-09-24
·TekSavvy Solutions..
| Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access Hi Cidi Rome,
Well, i must confess that i haven't re-read any of
the related documentation for a very long time but
i guess i know where you should look for Chaveiro:
Como convertir un Comtrend 536+ en UsRobotics
He made a reference to a picture published on this
foreign forum, perhaps he's been hanging around...
It might be the right time for me to start looking
around again, i'll try to browse the InterNet with
your question in mind. Did you try asking Angelo?
| |
|
|
Bicephale
join:2005-09-24
·TekSavvy Solutions..
| Hi again,
Some time was required for me to "immerse". Sorry
but it was made clear from the start that we don't
have a clue which proves positively that the ST585
and ST516 both use the very same E-JTAG layout. I
regret this but you and Nedjel may need to hold on
until someone has verified that this unit actually
has a compatible E-JTAG connector where to connect
your adaptor. The Thomson SpeedTouch 516 v6 model
has a BroadCom BCM 6338 Chip inside while i expect
you to find a BCM 6348 inside the ST585... By the
way, you could be very usefull to the thread since
it turns out that you have both devices handy! If
i were to compare the interfaces i'd try to find a
helpful characteristic when identifying the nTRST,
TDIn, TDOut, TMS, TClk and nSRST signal lines, via
measurement of their voltages if no better tool is
available, or perhaps using waveforms otherwise...
In the meantime, i can imagine why the ST516 won't
let you use the E-JTAG cable as describe above but
it's a mystery to me what's really happening about
your ST585. It isn't rare to find legacy HardWare
in Industrial environments so i'd probably try the
standard parallel mode 1st if i were in a hurry or
i'd just wait until i've read a suitable document. | |
|
Cidi Rome
join:2007-12-12
| Hi Bicephale.
About the ST516v6, I notice that the JTAG connector is behind 2 capacitors, but I managed to solder the pins on the other side of the board and I took care to correct the order because when using the 12 pin connector it will be inverted (thats obvious).
Tomorrow I will try to change the parallel port settings and if it stills not work I will cut the cable and make it about 10-15cm.
There is one thing that is whoring me, the ST516v6 chip (BCM6338) is not listed when we run wrt45g.exe, but I think when I'm able to detect correctly the CPU (by this I mean not to get all ones in the CPU ID) it will be compatible with the BCM6348 and I will be able to read/write from it as if it was one.
Wish me luck.
Best Regards. | |
|
|
Bicephale
join:2005-09-24
·TekSavvy Solutions..
| Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access I've found this while revisiting the whole thread:
OpenFreebox InterfaceSERIE
If you own a scope, now you know what to look for,
i suppose. In any case, the fact that the tool is
not clearly supporting BroadCom's BCM6338 chip may
explain why it fails to work. Have you checked in
the Windows Control Panel? Euh... I know, that's
going to sound totally desperate so, good luck!...
 | |
|
| |
Cidi Rome
join:2007-12-12 | Good morning..
I'm mainly testing with ST585, the 516 will be a later project, I only tried it so soon because I was not getting the 585 to work with the JTAG..
Have a nice day. | |
|
Cidi Rome
join:2007-12-12
1 edit | Hi.
 BAD news.
Tried to set the printer port as ECP, SPP and Normal, and I'm getting the same results.
Shortened the cable to about 15cm including plugs, and same results.
I can only think about two things: the ST585 JTAG don't have the pinout that Chaveiro said or the software is not working right (less probable).
Bicephale, you said about probing the pins with a scope, but I don't own one, is there any other way?
Best Regards. | |
|
|
Bicephale
join:2005-09-24
·TekSavvy Solutions..
| Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access Hi Cidi Rome,
Here's how i tried to identify signal lines in the
GNet BB0060B. It was simply a matter of "reading"
the circuit board using a multitude of photographs
of which only a few captured the details i needed:
GNet BB0060B ADSL Modem/Router issue, Bicephale, 2007-Jul-8
In this example, we see that U8 (Fig. 1, 12, 2 and
3) links to U10 (Fig. 8) via R58/R60, i identified
and documented the Flash chip in hope to acquire a
reasonably strong "feeling" about what the signals
were on JP1 but i never reached total certainty as
it required the removal of any component which was
hiding strategic parts of this puzzle... Luckily,
its JTAG maintenance connector only involved a few
pins so it should be possible to get away with it:
provided that the D.C. and A.C. readings from some
compatible product (which is known to work) can be
gathered, i'd try to make comparisons but it would
probably require a sparkle of judgment & intuition
as well. In short, considering the limitations of
an average user relatively to measuring equipment,
Chaveiro would have proved to be useful should one
of his posts have included the E-JTAG's electrical
signature so that others can make educated guesses
about the relative safety of this project and yet,
even if i could garantee that the adaptor's layout
does work, euh... well, i still find necessary to
warn against the risks, not to mention there are a
few more pins to deal with in the present case!...
So, my advice is to document this device suitably,
hoping that some evidence will emerge, eventually.
For a lucky guy it may be forgiving to mistake one
pin for another but i'm afraid the prospect gets a
bit worst as the number of pins is increased. I'm
worried, i wouldn't require of you that you assume
the same risks as when Chaveiro tried this just to
satisfy my curiosity so lets proceed with caution!
| |
|
Cidi Rome
join:2007-12-12
| Good evening...
More bad news...
Tried it with linux with exactly the sames results 
About following the circuit lines on the board I feel that it is almost impossible because the chip is surface mounted with the pins underneath it and the board have certainly more that two layers, and I'm talking about ST585, I think ST516 is even worse.
Once more, any help will be most appreciated.
Best Regards. | |
|
| |
Cidi Rome
join:2007-12-12
| Hi,
I'm positive that that the files that Chaveiro posted are real, I analyzed them and I was able to see one of the things that I think is locking it, and one thing that made me able to modify a regular firmware file to make the router think it was a compatible version. With that change I was able to load a generic firmware into it with the ST upgrade tool, but know, I think the boot loader detects the difference (that it is not a valid version) and refuses to boot it.
Do you think it is possible to have success with Windows 98 where Windows XP or Linux failed to work? Of course I can get to a Windows 98, I'm a computer tech, if I suspect that is way out I'll install one to test it.
Another thing.
Today I tried to use the parameter "/skipdetect" with " -backup:cfe" but it took to long to execute that I left it there working (or not) and tomorrow I will see the results.
Goog Night. | |
|
| |
|
Bicephale
join:2005-09-24 | Finally i verified about 'WRT54G.Exe': it's a Win32 console program. | |
|
Cidi Rome
join:2007-12-12
2 edits | Hi.
Remember I left that thing ON yesterday, today it was the same state I left it.
./wrt54g -backup:cfe /skipdetect
====================================
WRT54G/GS EJTAG Debrick Utility v4.8
====================================
Probing bus ... Done
Instruction Length set to 0
CPU Chip ID: 11111111111111111111111111111111 (FFFFFFFF)
*** CHIP DETECTION OVERRIDDEN ***
- EJTAG IMPCODE ....... : 11111111111111111111111111111111 (FFFFFFFF)
- EJTAG Version ....... : Unknown (7 is a reserved value)
- EJTAG DMA Support ... : No
Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... ... Done
After more than 12 Hours I had to stop it with CTRL+C
Best Regards.
About the CPU and Flash:
CPU is: BCM6348KPBG
FLASH ssems to be: Spansion S29GL032M9QTFIR4
(very hard to read) http://www.alldatasheet.com/view.jsp?Searchword=S29GL032M9 | |
|
|
Bicephale
join:2005-09-24
·TekSavvy Solutions..
| Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access Hi Cidi Rome,
Thank you for the nice reading. I've searched for
information about maintenance connectors but there
is no provision for such a feature in the Spansion
chip. Communications between the BCM6338 chip and
this one is through parallel buses and i don't see
a trace of something that looks like some SPI bus,
which takes us to square one: we need to identify
the BCM63x8 pins which connect to the E-JTAG zone:
BCM6348 BCM6338
----------------------------- -----------------------------
23-M, TRst (Test ReSeT, Opt.) ?
24-M, TCk (Test Clock) ?
24-N, TDI (Test Data Input) ?
25-N, TDO (Test Data Output) ?
26-N, TMS (Test Mode Select) ?
| |
|
Cidi Rome
join:2007-12-12
| Hi.
The info you wrote about BCM6348 is on the 3rd post of this thread. And at this time I'm not worried with BCM6338, anyway I believe it will work with the same (working) cable that works with ST585 taking the care to invert it because have to be connected the other side of the board.
Cya. | |
|
|
Bicephale
join:2005-09-24 | Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access My thought exactly, identify the layout on one and the other should work too!
| |
|
| |
Cidi Rome
join:2007-12-12
1 edit | Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access Hi there...
Many news today....
By topics (lol)
- Managed to use the JTAG with my ST 585, the trick was to provide the signal to nTRST pin, I tried before with a resistor to pin 14 but didn't work, today I tried the same resistor to pin 1 of the serial connector (+3.3V), et voilá.
- Saved the CFE to file quite fast
- Made the changes to it that I thought would be enough to be able to load a generic firmware.
- Tried to flash the changed file to the router but he software hung, so I tried around and discovered that with the parameter /nodma it would flash.
- But by my calculations it would take more than 1h and 30m to flash 256K, and it did only took about 90 seconds to read, so I stopped it.
- The bad news, now I can't do anything, the soft detects the Router CPU, but hangs right after in one of the next operations, normally the enable memory write if the router is turned on for more than 3 seconds or one of the next if the router has been turned on and immediately started the JTAG program. I hope someone can help-me recovering this router....
- More news. About the ST 516v6... It has the same JTAG header, and the same need of nTRST to be "powered".
- The JTAG tool is able to read the CPU ID but it is not able to recognize it, I will try to change the application to recognize the ST516 CPU but I down know if I will be successful..
Now the beg... Please HELP about my ST585...
Best Regards. | |
|
| | | |
| | | |
Angelo_
The Network Guy
Premium
join:2002-06-18 | Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access you can still recover.... he prob ran into the c&p job they did... the modems all have the same base bc they are all the same in theory...
has he tried to force it to flash? | |
|
Cidi Rome
join:2007-12-12
| Merry Xmas.
Fresh news...
Managed to change the program to detect the ST 516 CPU under linux, now It would be good if someone can tell what tools should I use to compile it under Windows.
It didn't recognize the flash chip (exactly the same one as ST585, don't know why), I forced with /fc:03 and backed up the CFE, comparing with the 585 one, seems to be good.
Any ideas how to recover my 585 yet?
Best Regards. | |
|
|
Bicephale
join:2005-09-24 | Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access Hi,
The ST 516 v5 had a chip suitable for this E-JTAG tool,
maybe you'll have suggestions from the owners of these.
Good luck! Merry Christmass!
| |
|
Cidi Rome
join:2007-12-12
| Happy new year.
Got more news.
Managed to backup and flash successfully a ST516v6.
Backup is very easy, but I advise not to flash it back...
But now I would really apreciate to put my hands on another version of this router's boot loader (cfe) in other words, one that wasn't bought from an ISP that had messed it up like the Portuguese ones.
Of course I'm searching too for the ST585v6.
Best Regards.
If someone needs help on backing-up the flash(boot loader) add my MSN (cidirome@hotmail.com), I will help. I have already made changes to the software to support the BCM6338 CPU and the spantion flash.
Another thing, I'm searching for a decompiler for this kind of CPU machine code, if someone knows of one....
Best Regards. | |
|
|
Bicephale
join:2005-09-24
·TekSavvy Solutions..
| Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access Hi Cidi Rome,
Please let me check if i understood you correctly:
it seems the E-JTAG restore procedure failed on an
ST516v6 branded by a Portuguese ISP and yet you're
confident that your backup copy has been collected
successfully! Well, there's a question in my mind
which i must ask: did you try to check positively
that the data hasn't been corrupted by comparing a
2nd backup to the 1st one? No user should discuss
openly about patching code here and now it appears
that some custom FirmWares might very well prevent
the legitimate use of this backup/restore tool; i
hope that the readers will appreciate this renewed
warning: don't mess with this if you can't afford
the loss!!! Once again your precious contribution
is noted as this leaves you with a pair of bricked
modems and your unfortunate situation is likely to
last for weeks if not months - hence, my advice to
the ST owners who wonder what's the status of this
old thread: the initial purpose was to provide an
"insurance" which we'd rather not use unless it is
absolutely necessary. Don't try an E-JTAG restore
until further notice or get prepared to assume the
consequences because right now this concept hasn't
been proven to work just yet. The SpeedTouch line
of products is widely distributed, i have no doubt
that progress will be made but we must be patient.
In the meantime, Cidi Rome, i truly wish that this
is not definitive! I invite you to come back here
regularily to keep us posted, maybe 2008 will turn
these failures into some stories you can laugh at.
Happy new year, anyway!
| |
|
Cidi Rome
join:2007-12-12
| Hi there... I'm already on 2008....-
About the bricked Routers...
Only ST585 is Bricked and I have learned much with it, so I think it is not for long.
About ST516, I have the backups, and in the meanwhile I've learned how to flash them to the router successfully and correctly.
I said "I advise not to flash it back" because I noticed that write was wrong (some bytes exchanged with others), but I know how to prepare the source file to get a good flash.
About the "custom firmwares" I have to say I believe that this situation is the same for the regular ones (firmwares) and I don't think the real problem is the firmware but the boot-loader (cfe).
About the safety of the operation I say that if you connect the JTAG (and all the necessary connections) correctly, only use the parameter /backup:cfe|nvram|kernel|wholeflash and don't mess with /flash: or /erase: there is little chance to brick your router.
Best Regards to everyone and
HAPPY NEW YEAR! | |
|
Cidi Rome
join:2007-12-12
| Hi there....
Good News.
Here is the utility you need to backup/flash successfully Speedtouch Routers (for windows), tested on ST516v6, and I will test soon on ST585 (I will try to de-brick the one I've bricked).
Best Regards. | |
|
| chaveiro
join:2007-12-06
4 edits | Re: Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access Hi Cidi,
Please post the saved files for your locked st516 as i posted for st585v6 might be usefull for someone.
The JTAG programmer i used is this generic one it has drivers so is more safe to use »shop.gtronica.com/product_info.p···ts_id=53
and modified the flat cable pinout to the modem pins.
To write a saved file you must do some byte flip to the readed file.
I use a program named Hex Workshop 5.0 for windows.
And do:
1. open readed file (must do to all: cfe, kernel and nvram)
2. choose tools -> byteflip -> 32bits -> OK
3. choose tools -> byteflip -> 16bits -> OK
4. save new modified file and write this new file to modem
The write of the complete flash via this method takes about 8hrs, i've done it!
You can safelly backup and restore the 585v6 and possibly all other supported models via this methode.
PS: For someone with a unlocked ST858v6 please post the CFE file. Thank you. (Se previous post how to.) | |
|
|
| (topic locked) |
|
Thomson SpeedTouch 5x6 & 585 EJTAG "De-Brick" Access
