Hi, I have one of these cablemodems laying around here, and I wanted to have a second attempt at hacking it + making it run my own Linux.
In short, my device doesn't have secureboot enabled (i.e. boot mode = unsecure), which lets me load a custom kernel from the internal eMMC/ymodem/tftp.
There are some kernel sources for 2.6 kernels, and some "patches" for 3.x kernels and one or two repos for a 4.14 kernel (related to an asus storage device).
I started patching a 5.8 kernel I had lying around (shouldn't be too dificult to port to the last 5.x kernel, not sure about 6.x) to make it boot. The Intel Puma 6 SoC that this thing has is a really weird dual core atom + an armv6 core. The Atom part is what boots the entire SoC, and it uses a proprietary "bios"/loader (Intel CEFDK); whose sources are leaked though. It lets us disable the ARM core completely and reclaim back the ram allocated to it (so in the end, the x86 side has the full 512MB of available ram), boot bzImages from TFTP/ymodem and modify the "startup script" so it's technically possible to load a kernel that can't be made to fit on the same kernel partition that the modem uses (which is only 4MB, and my current kernel doesn't fit there).
I would like to know which kernel version should I target to make my patches so I can use the latest OpenWRT on it, and if someone has some experience with these devices, because I'm facing some issues still.
My current kernel lets me boot to a debian rootfs from a USB drive, ethernet works but only as a member of the embedded marvell switch (i.e. can't use VLANs to each switch's ports, it's all bridged together), the 5.8GHz ath10k wlan card refuses to load the calibration data from the original modem rootfs (in which the ath10k driver had the whole calibration + OTP + firmware embedded as binary blobs, not even using the firmware kernel mechanism or trying to read these from a file), and I can't make the front leds to behave as I want (i.e. the WLAN ones are handled by the qualcomm cards themselves, but the other ones seems to have been manipulated by the ARM core, which is dead now).
Other than that, the system behaves properly, the dual core Atom is really "good", and the ethernet works fine at its maximum speed of 1gbps (tested with iperf3).
The switch chip seems to be mapped to the Atom but it's hidden behind the "l2sw" (level 2 switch, which I assume it's the thing that interconnects the physical switch and the Atom and the ARM cores), and the Intel CEFDK sources have some pointers as to how to interact with the switch via MDIO. Would be cool to actually control the link between the Atom and the marvell switch so we could do VLANs properly.
My changes are here: https://github.com/cocus/puma6-kernel. Just use the "ce2600_bloat.config" config for the kernal, make it, and load the bzImage to your modem using ymodem or tftp. More info on my discoveries are here: https://github.com/cocus/dpc3848ve-stuff.
If anyone has some more insight and would like to help out, feel free to reply here. And if it's not clear, I'm not interested on the cablemodm part of the modem, just the networking side of the Atom (ethernet, wifi, usb, etc).