2wire 2701HG-G JTAG

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Atheros WiSOC based Hardware
Author Message
ganiba
DD-WRT Novice


Joined: 13 May 2008
Posts: 4

PostPosted: Mon May 26, 2008 4:30    Post subject: 2wire 2701HG-G JTAG Reply with quote
Hi,
Is there any way or tutorial about if/how can JTAG be used in the modem/router 2wire 2701HG-G?
Or a way/cable to detect pinout for JTAG.
I found some posts saying that it includes Atheros chipset and 32MB or more in memory.
If there is a way to change the firmware it will be a great box.

Thanks for your help.
Sponsor
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17638
Location: Hesse/Germany

PostPosted: Mon May 26, 2008 17:23    Post subject: Reply with quote
fcc id?
_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Throw some buzzwords into the WIKI search Exclamation
_________________
I'm NOT rude, just offer pure facts!
_________________
Atheros (TP-Link & Clones, etc ) debrick service in EU
_________________
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
ganiba
DD-WRT Novice


Joined: 13 May 2008
Posts: 4

PostPosted: Mon May 26, 2008 18:08    Post subject: Reply with quote
Sash wrote:
fcc id?


FCC ID: PGR2w2701

UPDATE: Is It a JTAG connection on J26?
https://fjallfoss.fcc.gov/prod/oet/forms/blobs/retrieve.cgi?attachment_id=787265&native_or_pdf=pdf
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17638
Location: Hesse/Germany

PostPosted: Mon May 26, 2008 19:39    Post subject: Reply with quote
i dont know 2wire cpu´s

what platform is this? arm, mipsel, x86?

_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Throw some buzzwords into the WIKI search Exclamation
_________________
I'm NOT rude, just offer pure facts!
_________________
Atheros (TP-Link & Clones, etc ) debrick service in EU
_________________
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
ganiba
DD-WRT Novice


Joined: 13 May 2008
Posts: 4

PostPosted: Mon May 26, 2008 21:05    Post subject: Reply with quote
I really don't know. However, i found here in another topic, more information about, and i hope it could help:

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=30524&sid=092f1dfe570c6f02060e953ef2ffc072

and this one too:
http://forums.whirlpool.net.au/forum-replies-archive.cfm/808533.html

----------------
Hi!

i have opened it

(will upload somme pic)


the "CPU"

2WIRE

TRI Media

3000-000485-008-u
5tvd101411 P
0724
singapore


NANYA chip

NTT5DS32M16BS
714147W1BV


NAND2 CHIP

880BD 8G
SGP 88 70S


got a M Chip i too (ethernet controller (i think))

88E6061-LAJ 1
B62393.2
0706 A1P
TW


OTHER INFO:

2Wire 2701HG-G
618-005-013

i see 3 small antena

1 connector to connect a antena

13 Pins like a jtag

got some component under 2 shilded metal.

1 metal cap was big:

under it i got:

Atheros
AR2413A-00
B65189B
0709
taiwan

------------------
technik733
DD-WRT Novice


Joined: 09 Apr 2009
Posts: 19

PostPosted: Mon Mar 08, 2010 3:08    Post subject: Reply with quote
I have come upon a 2701HG-B, and it seems to be very similar.

The CPU looks like it's model name is Ares, made by TriMedia. Aside from a couple lines of cryptic numerals that's all there is on mine.

It also uses an AR2413A, has 32MiB of memory (unless there's another chip on the other side), and 16MiB of flash. There is also a Marvell Ethernet controller, and a second small wireless radio that I can't identify; the chip's too small.

I think it's an ARM processor... I have another low-end 2wire board around here that has an ARM7 processor (Medusa, as opposed to Ares), so no MMU, but it's proving hard to find anything about this one.

EDIT: Actually no, on further investigation I think it might have an MMU. I've found a copy of the firmware for the 2701HG-G from this thread http://www.keyboardninjas.com/smf/index.php?topic=80.0 and it looks like the thing already runs linux because inside the firmware file it has this, as well as some random bash/ash looking stuffs:

Code:
#
# This is the reinstall start script
#
# ASH is supported in 4.23 and up.
#

# Setup leds for the upgrade op.
blink -noerr -upgrade

# dump some status info
df -k /disk
sysctl kern.mem.freeheap
ls -l /tmp/pkgspool

# remove the lock file if its there
rm -f /tmp/nospace_lock

# DONE: we are now ready to unpack the stuff
#!/bin/ash

#
# This is the event script for when we are out of space.
# It doesn't necessarily always run.
#
echo "Reinstall nospace.ash script called"
df -k /disk
du -k /disk

#
# remove any packages and exit
#
p=""
for p in `ls /disk/pkg`; do
done
if [ ! -z $p ]; then
    rm -rf /disk/pkg;
    mkdir /disk/pkg;
    echo `date` ": nospace script deleted /disk/pkg";
    sleep 10;
    # Dump some status info
    df -k /disk;
    du -k /disk;
    exit 0;
fi


#
# NOTE: the /tmp/nospace_lock file is not needed for
# units running 4.21.1 and later
#

#
# if the old kernel hasn't already been removed,
# remove it now and create a link to new one in case
# we reboot before new kernel gets moved to /disk/kernel3
#
if [ ! -h /disk/kernel3 ]; then
    rm -f /disk/kernel3;
    ln /disk/tmp/kernel /disk/kernel3;

    #
    # Clear the cfg since the kernel has changed
    #
    rm -rf /disk/cm;
    mkdir /disk/cm;

    echo `date` ": nospace script deleted /disk/kernel3 and /disk/cm";

    # give the flash fs time to purge
    sleep 10;
    df -k /disk;
    du -k /disk;

    exit 0;
fi

echo `date` ": nospace script has nothing to delete!";
#!/bin/tw

#
# This is the reinstall start script
#

# run the ASH script if possible. (non ASH builds will ignore this line)
if [ -x /tmp/reinstall/start.ash ]; then /tmp/reinstall/start.ash; exit 0; fi

# Setup leds to all orange blink and lock for the upgrade op.
# Don't know current firmware so can't use ash here.
#
blink -noerr -set 0 -color orange -form square -period 1000 -phase 0 -enables 1,0 -pcent 100
blink -noerr -set 1 -color orange -form square -period 1000 -phase 500 -enables 1,0 -pcent 100
blink -noerr -set 2 -color orange -form square -period 1000 -phase 0 -enables 0,1 -pcent 100
blink -noerr -lock

# For new ID, we rely on this command to do the right thing.
blink -noerr -upgrade

# free up flash space now, to make the kernel swap safer
# since the pkg limits the spool buffer size.
rm -rf /disk/pkg
rm -rf /disk/cm

mkdir /disk/pkg
mkdir /disk/cm

# flash needs time to finish deletes
sleep 10

# dump some interesting info
df /disk
sysctl kern.mem.freeheap
ls -l /tmp/pkgspool

# remove the lock file if its there
rm -f /tmp/nospace_lock

# DONE: we are now ready to unpack the stuff
#!/bin/tw

#
# As long as 4.21.x is supported this script needs to work
# in both ASH and pre-ASH systems
#

#
# This is the error script
#

# Unlock the led's and set them back to something sane.
blink -noerr -unlock
blink -noerr -set 0 -color green -form solid -pcent 100 -enables 1 -phase 0
blink -noerr -set 1 -color green -form solid -pcent 100 -enables 1 -phase 0
blink -noerr -set 2 -color green -form solid -pcent 100 -enables 1 -phase 0

# If the LM supports it, have him fix the LED's.
lmc syncled

# Clear out any temp files we may have made.
rm -rf /disk/tmp
#!/bin/tw

#
# This is the event script for when we are out of space. It doesn't necessarily
# always run.
#

# run the ASH script if possible. (non ASH builds will ignore this line)
if [ -x /tmp/reinstall/nospace.ash ]; then /tmp/reinstall/nospace.ash; exit 0; fi

echo "Re-install script nospace.tws called"

df /disk
du /disk

# lock file indicates kernel has been replaced
# by new kernel. Can't delete it at that point
# so exit script.
if [ -f /tmp/nospace_lock ]; then exit; else
fileexit /tmp/nospace_lock
fi

# remove pkgs (ui and config)
rm -rf /disk/pkg
mkdir /disk/pkg

# remove old kernel and create a link to new one
# in case we reboot before new kernel gets moved
# to /disk/kernel3
rm -f /disk/kernel3
ln /disk/tmp/kernel /disk/kernel3

#
# Clear the cfg directory when the kernel changes, just in case.
#
rm -rf /disk/cm
mkdir /disk/cm

# give the flash fs time to purge
sleep 10
df /disk
du /disk


It mentions "Medusa" in the beginning of the file, so it makes me wonder why an Ares board would have a Medusa firmware; possibly they aren't terribly different, or there's a big difference between my B series and the G series. I do have a Medusa powered 1071 series though.

I'm stumped as to how I might continue though. Maybe it would be possible to modify the script in the middle to turn on an ssh or telnet server when you update the firmware?

_________________
Ich muss Finnisch lernen...
technik733
DD-WRT Novice


Joined: 09 Apr 2009
Posts: 19

PostPosted: Mon Mar 08, 2010 5:38    Post subject: Reply with quote
ganiba wrote:
Sash wrote:
fcc id?


FCC ID: PGR2w2701

UPDATE: Is It a JTAG connection on J26?
https://fjallfoss.fcc.gov/prod/oet/forms/blobs/retrieve.cgi?attachment_id=787265&native_or_pdf=pdf


If that's the picture of your router, I'd say that J26 might be EJTAG, and J42 the kind that you would use with the cheapo JTAG cables and Hairydairymaid's jtag tool. Unfortunately I don't have a J42 on either of my 2wires.

Also, what's the switch next to the power plug? I seem to be lacking that as well, along with the USB plug. And the switch on the front... Hmm... Extra switches...

It seems that it might be FreeBSD based from that other thread...

Also I found this on the whirlpool forum:

Quote:

I just killed mine trying to read the jtag. So be careful. It now is completely dead. Power on but the reset is not functioning. All I did was try to read so they have a self-destruct if you don't know what you are doing. Anyhow glad it worked for you jonboy. They do have some issues and unfortunately tweaking as you casually mentioned will come at a price.

...

I didn't short it out. It can actually still read the processor id. But the mips programs didn't do anything so I tried an ARM jtag program and that did something bad. I guess it has put the processor in a state it cannot start from.


Maybe it's MIPS.

Quote:
TriMedia processor is not an Arm nor a MIPS, The TriMedia is a VLIW:

Very long instruction word (VLIW)
http://en.wikipedia.org/wiki/Very_long_instruction_word

JTAG for such processor is sold at MDS (MOMENTUM DATA SYSTEMS INC.) for thousands dollars:
http://www.mds.com/products/product.asp?prod=MDS-JTAG

So, is there someone here who has an idea about how to JTAG this Box considering this architecture?


Or not?

_________________
Ich muss Finnisch lernen...
technik733
DD-WRT Novice


Joined: 09 Apr 2009
Posts: 19

PostPosted: Mon Mar 08, 2010 15:59    Post subject: Reply with quote
Well, it looks like short of buying the dev kit from TriMedia, we'd have to somehow reverse-engineer the firmware and decipher the architecture ourselves, which may not be a very fun thing to do. Or maybe it would be. =P

From what I've found on http://www.tcshelp.com/public_files.html it looks like it is a PNX13000 or 15000 chip, and one of the big features is that you don't need to use assembly language to program them at all... that's not very helpful for us though because I can't seem to find a VLIW C/C++ decompiler... It's like information on this thing is encased in a steel casket hidden away in the darkest corner of an insane asylum for monkeys or something.

My 1071 has a spot for what looks like a normal ethernet WAN port so I'm going to see if I can get telnet or SSH from that side after I add the port and the controller chip from one of my broken WRT54Gs. Looks like it'll just drop right in. As for the 2071, I may try something with the USB.

If I'm going to get into serious hackery, I'd love to break something that's not been done before. May as well start here since I've got a couple nice samples (and some parts routers) to start with.

I shall return!

EDIT: Hmm... I wonder if I could convince them to let me in here... http://www.tcshelp.com/request_account.html

_________________
Ich muss Finnisch lernen...
technik733
DD-WRT Novice


Joined: 09 Apr 2009
Posts: 19

PostPosted: Tue Mar 09, 2010 4:50    Post subject: Reply with quote
Well I'm back with at least some news.

After a very lucky google search and a bit of effort I'm been able to get my hands on 1.4GiB of firmwares for the Medusa series modem/routers.

They definitely run a type of BSD, and each firmware definitely has some kind of shell script, which gives some details of what tools are included in each one. It seems that the scripts get "run" sometime after it's uploaded to the box, because I've seen one detailing how the firmware was being updated; how the flash was partitioned and such. I am also almost positive that they are VLIW processors, made by NXP, formerly of Phillips.

I am attempting to modify the 1071/Medusa board to add a WAN port as soon ans I post this.

Aaaand as I'd feared it's not using the new adapter. It looks like I've got everything connected correctly, nd I've not broken it yet, but it's disconnecting ever few seconds and even with static IP for WAN I can't ping it when it IS connected. So back to plan B of deciphering the firmwares...

_________________
Ich muss Finnisch lernen...
frangelica
DD-WRT Novice


Joined: 26 May 2010
Posts: 1

PostPosted: Wed May 26, 2010 6:40    Post subject: Reply with quote
technik733 wrote:


Aaaand as I'd feared it's not using the new adapter. It looks like I've got everything connected correctly, nd I've not broken it yet, but it's disconnecting ever few seconds and even with static IP for WAN I can't ping it when it IS connected. So back to plan B of deciphering the firmwares...


Hi technik733...

Are you still working on this thing?? I am considering
getting involved...

Cheers
TorontoFish
DD-WRT Novice


Joined: 04 Oct 2006
Posts: 31

PostPosted: Fri Oct 08, 2010 19:15    Post subject: Any progress? Reply with quote
frangelica wrote:
technik733 wrote:


Aaaand as I'd feared it's not using the new adapter. It looks like I've got everything connected correctly, nd I've not broken it yet, but it's disconnecting ever few seconds and even with static IP for WAN I can't ping it when it IS connected. So back to plan B of deciphering the firmwares...


Hi technik733...

Are you still working on this thing?? I am considering
getting involved...

Cheers


Hi Guys, any news on the progress? Got a few 2wires 2701 from my provider laying around doing nothing.
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17638
Location: Hesse/Germany

PostPosted: Sat Oct 09, 2010 8:14    Post subject: Reply with quote
no modem router support!
_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Throw some buzzwords into the WIKI search Exclamation
_________________
I'm NOT rude, just offer pure facts!
_________________
Atheros (TP-Link & Clones, etc ) debrick service in EU
_________________
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
asbokid
DD-WRT Novice


Joined: 08 Sep 2011
Posts: 1

PostPosted: Thu Sep 08, 2011 13:23    Post subject: Re: Any progress on port to 2Wire Trimedia platform? Reply with quote
TorontoFish wrote:
Hi Guys, any news on the progress? Got a few 2wires 2701 from my provider laying around doing nothing.


Hi TorontoFish..

Are you still around? I'm looking at the 2701. It's provided as the ADSL2+ CPE for British Telecom's Business Broadband customers. So it is ostensibly higher end equipment.

I would guess that the likelihood of porting dd-wrt to 2Wire 270x devices is close to zero, at least at the moment.

The devices run on a 2Wire media processor which has a Trimedia VLIW (Very Long Instruction Word) core. There is no freely available compiler for that architecture.

The only compiler available is commercial. It is based on GNU cc, so should be GPL'ed ,but no open source version has ever been released. There's one for gpl-violations.org to sink their teeth into, perhaps!

That commercial Trimedia c compiler is called tmcc. It is supplied in a software development kit for the platform and costs a staggering $5000.

To add to that outrageous overhead is the cost of a JTAG programmer. And you can't use any old parallel port wiggler.

While the JTAG ports are electrically compatible with the JTAG standard, the programming software is not. And a JTAG USB programmer kit costs a cool $1500.

All things included, it's no wonder the Trimedia platform is dying on its feet. NXP pulled the plug on further development and sold out to Trident, and the much vaunted 64 bit version of the core may never materialise. 2Wire was recently bought out by Pace which favours ARM cores in its CPE instead.

Shame, because all that R&D of the VLIW has effectively gone to waste.

To add to what was noted above..

The 2Wire devices do appear to have very good specifications with unusually large amounts of RAM and flash for consumer grade equipment.

However, that is in part due to the overheads of the VLIW core.

The Trimedia has five 32-bit slots to each of its instructions. Those slots can execute five separate operations in parallel. This feature is known as Instruction level Parallelism (ILM) and it is the raison d'etre for VLIW. It is a great idea if you can fill all five slots with useful code.

But when you can only fill one of those five slots then the other four slots have to be filled with NOPs. This significantly bloats the size of executable code.

Hence the need for much more RAM and flash..

And at a glance, that extra RAM and flash is misinterpreted. The device looks like it is offering higher specification when in fact it's just got a processor that is very wasteful of resources.

cheers,
asbokid
indianajones
DD-WRT Novice


Joined: 26 Dec 2011
Posts: 2

PostPosted: Mon Dec 26, 2011 22:18    Post subject: Reply with quote
technik733 wrote:

....So back to plan B of deciphering the firmwares...


I was looking at the 2wire website for the latest router firmware and noted that they have provided the GPL source codes along with the toolchain and other programs.
Here is the link:
http://support.2wire.com/index.php?page=view&article=790

Perhaphs somebody smarter than me can make use of this to port ddwrt over?
nicomaniaque
DD-WRT User


Joined: 24 Dec 2006
Posts: 80

PostPosted: Tue Feb 28, 2012 6:49    Post subject: Reply with quote
Finally, after all.. Something possible with this piece off hardware?
_________________
Nicko

Athlon 1.8Ghz running PFSENSE

3 Dsl Line for my WAN (3x 2701 hg-g + 1 standby)

16 port gigabyte switch

1x Wap610N for wireless
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Atheros WiSOC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum