OpenWrt Forum Archive

Topic: Thomson TG585v7

The content of this topic has been archived between 6 Feb 2018 and 20 Apr 2018. Unfortunately there are posts – most likely complete pages – missing.

Hey,

I recently received from my ISP a brand new Thomson TG585v7 Modem/WLAN-Router. It features ADSL2+, 4x Switch, b/g WLAN.

I immediately checked for openwrt-support, unfortunately, the device is nowhere listed. So I disassembled the device and found inside:

CPU: BCM6338KFBG
Switch: BCM5325EKQMG
Wireless: BCM4318KFBG
Flash: S29GL032N90TFI04 (Spansion 32 Megabit)
RAM: DS1216AGTA-75-E (Elpida 128 Megabit)

For now, I still need to build a serial and JTAG-cable.
I read in this and other forums that the device is firmware-locked to my ISP. In another forum, they flashed the CFE of an generic TG585 in order to run the generic Thomson firmware.
According to https://forum.openwrt.org/viewtopic.php?id=8336 there is still a signature check even in the generic firmware.

Could the following approach work out: Take a CFE from a similar device from another manufacturer, adapt the MAC address and flash the Thomson with the new CFE? Which model should I choose?  Any advice on this?

Thanks

No one?
I know this CFE transfer has been done with the MN700 (AFAIK, it uses a modified Asus WL500g CFE and thus can be flashed with the Asus firmware).

Telling from the ports, the TP-Link TD-8840 might use the same chips. Can anyone verify this or send me some internal photos?

Im working on it already build the jtag cable but tjtag dont recognise the ram, so now i will try to make it work, backup and try to run openwrt.

Hope your still interested

Good news! Yes, I am still interested. Some time ago I tried to attach serial console, but with limited success: To me it seems as if there were some parts on the PCB missing, there are quite a few empty pads near the header which I assumed was the console.

If you need someone to test, just tell me. Right now I don't have access to the device, but in two weeks I can play around with it again.

Please keep us updated!

Ok so far, I was able to backup cfe,navram,kernel using jtag cable, its a Standard MIPS EJTAG (2x7 pin) connector

http://www.jtagtest.com/pinouts/ejtag

http://cidirome.977mb.com/JTAG.png

i used tjtag 3.0.1 using /fc:84 since I've been told that it has the same architecture as Spansion S29GL032M BotB

I tried to upload kernel using jtag cable, took all night but mi computer had a problem an it could complete.

I also tried using tftp but as it has already posted the router looks for a signed binary and resets if it is no signed, so the next thing I can think of is trying usign some cfe from

http://downloads.openwrt.org/snapshots/trunk/brcm63xx/

i was thinking of openwrt-6338GW-jffs2-128k-bc310-cfe.bin could some one provide some light here?

i will continue testing

Why didn't you use /fc:86? According to the Wiki, /fc:84 is a 8MB chip while my device only features 4MB. Whatever, did it work for you?

Can't wait to try things out on my Router, in two weeks I'll have access to the device again (and already ordered the JTAG-Parts).

Hello,

You should use /fc:85 for the 585v7:

/fc:85 ............. Spansion S29GL032M BotB    (4MB)

If you use /fc:86 the erase regions will be wrong: reading will work but writing will get "stuck" when it tries to write to a block that hasn't been erased. This happens at 0x1fc02000, and only if you attempt to write something that is different to what is currently stored in those bytes.

I also find it is best to wait for the Username: prompt on serial and then run tjtag with /noreset /nobreak

Did you successfully hook up a serial cable to the TG585v7? Mine didn't respond, our I did something wrong. What pinout did you use?

The serial port and jtag port have missing resistors to stop them from working. You must bridge R91 and R98 for serial (or put a resistor in there.)
For JTAG bridge R17 and R18 and you don't need to put that resistor between serial port and jtag pins. Again you can solder in a resistor if you want. I just bridged them with a blob of solder. R91 and R98 are on the bottom of the board near the serial, R17 and R18 are on the top, next to the JTAG.

The serial pin out: 1: 3.3v 2: GND 3: TX 4:RX. Pin 1 is furthest from JTAG header.

EDIT: You also need to bridge R84 for serial port power. And you can only skip the pullup resistor between serial and jtag if you have the right type of jtag cable.

(Last edited by ali1234 on 27 Mar 2010, 23:22)

Thank you very much, I'll try that as soon as I get access to the device again (which will be in about two weeks)!

Here is an image to help locate the pads. This is after I installed the JTAG header but before putting in the serial. Click for bigger:

http://al.robotfuzz.com/~al/thomson/tg585s.jpg

Hi guys, I also have one of these lying around, so in a bit i think im gonna make the bridges for serial and jtag. Then see what happens when i connect via serial

I'm making some progress. The Thomson bootloader is rather annoying. Judging from the strings it contains it can boot Linux, but I cannot figure out how.

I have managed to find a binary for Broadcom CFE on 6338. I found it in a Belkin GPL release:

http://www.belkin.com/support/gpl.asp

"Belkin_7633_v1.00.017_GPL.tar.gz      ADSL2+ Modem with High-Speed Mode Wireless-G Router (F5D7633)"

Which links to this:

http://www.belkin.com/support/gpl/bcm96 … ase.tar.gz

Inside this archive is the file "bcm963xx_3.02L.01_consumer.tar.gz"

Inside that file is "targets/cfe/cfe6338.bin"

I byte swapped this file to convert to big endian and flashed into my Thomson, and it booted, with serial output at 115200.

Impressive work.

/sorry for offtop...

I have now booted OpenWrt by flashing the image with jtag. Take an image for 63xx, byte swap to big endian, and flash at 0x10000, just after the end of CFE. The ethernet and wireless do not work. Here is the bootlog output:

CFE version 1.0.37-6.5.17 for BCM96338 (32bit,SP,BE)
Copyright (C) 2000-2005 Broadcom Corporation.

Boot Address 0xbfc00000

Initializing Arena.
Initializing Devices.
Parallel flash device: name AM29LV320MB, id 0x2200, size 4096KB
error on Ethernet Switch setup
Failed initializing enet hardware
CPU type 0x29010: 240MHz
Total memory: 16777216 bytes (16MB)

Total memory used by CFE:  0x80401000 - 0x805283F0 (1209328)
Initialized Data:          0x8041D7F0 - 0x8041FA50 (8800)
BSS Area:                  0x8041FA50 - 0x804263F0 (27040)
Local Heap:                0x804263F0 - 0x805263F0 (1048576)
Stack Area:                0x805263F0 - 0x805283F0 (8192)
Text (code) segment:       0x80401000 - 0x8041D7E8 (116712)
Boot area (physical):      0x00529000 - 0x00569000
Relocation Factor:         I:00000000 - D:00000000

Board IP address                  : 192.168.1.1  
Host IP address                   : 192.168.1.100  
Gateway IP address                :   
Run from flash/host (f/h)         : f  
Default host run file name        : vmlinux  
Default host flash file name      : bcm963xx_fs_kernel  
Boot delay (0-9 seconds)          : 3  
Board Id Name                     : 96338W  
Psi size in KB                    : 24
Number of MAC Addresses (1-32)    : 2  
Base MAC Address                  : 00:11:22:33:44:55  
Ethernet PHY Type                 : External Switch Using Reverse MII
Memory size in MB                 : 16
CMT Thread Number                 : 0
Dying Gasp Enable (0:Disable 1:Enable)  : 0

Could not activate network interface 'eth0': CFE error -1
*** Press Enter to stop auto run (3 seconds) ***
Auto run second count down: 0
Code Address: 0x80010000, Entry Address: 0x80010000
Decompression OK!
Entry at 0x80010000
Starting program at 0x80010000
Linux version 2.6.32.9 (nico@desktop-de-nico) (gcc version 4.3.3 (GCC) ) #2 Tue Mar 23 07:32:51 CET 2010
Detected Broadcom 0x6338 CPU revision a2
CPU frequency is 240 MHz
16MB of RAM installed
registering 8 GPIOs
board_bcm963xx: CFE version: 1.0.37-6.5
bootconsole [early0] enabled
CPU revision is: 00029010 (Broadcom BCM6338)
board_bcm963xx: board name: 96338W
Determined physical RAM map:
 memory: 01000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00000000 -> 0x00001000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00001000
Built 1 zonelists in Zone order, mobility grouping off.  Total pages: 4064
Kernel command line: root=/dev/mtdblock2 rootfstype=squashfs,jffs2 noinitrd console=ttyS0,115200
PID hash table entries: 64 (order: -4, 256 bytes)
Dentry cache hash table entries: 2048 (order: 1, 8192 bytes)
Inode-cache hash table entries: 1024 (order: 0, 4096 bytes)
Primary instruction cache 16kB, VIPT, 2-way, linesize 16 bytes.
Primary data cache 8kB, 2-way, VIPT, no aliases, linesize 16 bytes
Memory: 13304k/16384k available (2134k kernel code, 3080k reserved, 459k data, 136k init, 0k highmem)
Hierarchical RCU implementation.
NR_IRQS:128
Calibrating delay loop... 238.59 BogoMIPS (lpj=477184)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
bio: create slab <bio-0> at 0
Switching to clocksource MIPS
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 512 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 512 bind 512)
TCP reno registered
NET: Registered protocol family 1
audit: initializing netlink socket (disabled)
type=2000 audit(0.236:1): initialized
squashfs: version 4.0 (2009/01/31) Phillip Lougher
Registering mini_fo version $Id$
JFFS2 version 2.2. (NAND) (SUMMARY)  © 2001-2006 Red Hat, Inc.
msgmni has been set to 25
io scheduler noop registered
io scheduler deadline registered (default)
gpiodev: gpio device registered with major 254
gpiodev: gpio platform device registered with access mask FFFFFFFF
bcm63xx_uart.0: ttyS0 at MMIO 0xfffe0300 (irq = 10) is a bcm63xx_uart
console [ttyS0] enabled, bootconsole disabled
console [ttyS0] enabled, bootconsole disabled
bcm963xx_flash: 0x00400000 at 0x1fc00000
bcm963xx: Found 1 x16 devices at 0x0 in 16-bit bank
 Amd/Fujitsu Extended Query Table at 0x0040
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
bcm963xx_flash: Read Signature value of CFE1CFE1
bcm963xx_flash: CFE bootloader detected
bcm963xx_flash: CFE boot tag found with version 6, board type 6338W, and tagid bccfe.
bcm963xx_flash: Partition 0 is CFE offset 80c78a20 and length 0
bcm963xx_flash: Partition 1 is kernel offset c7e and length 0
bcm963xx_flash: Partition 2 is rootfs offset cbf and length 0
bcm963xx_flash: Partition 3 is nvram offset d00 and length 0
bcm963xx_flash: Partition 4 is linux offset d40 and length 0
bcm963xx_flash: Spare partition is 2b0000 offset and length 140000
Creating 5 MTD partitions on "bcm963xx":
0x000000000000-0x000000010000 : "CFE"
0x000000010100-0x0000000f0000 : "kernel"
mtd: partition "kernel" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
0x0000000f0000-0x0000003f0000 : "rootfs"
mtd: partition "rootfs" set to be root filesystem
mtd: partition "rootfs_data" created automatically, ofs=2B0000, len=140000 
0x0000002b0000-0x0000003f0000 : "rootfs_data"
0x0000003f0000-0x000000400000 : "nvram"
0x000000010000-0x0000003f0000 : "linux"
bcm63xx_wdt started, timer margin: 30 sec
Registered led device: adsl
Registered led device: ses
Registered led device: ppp-fail
Registered led device: power
Registered led device: stop
TCP westwood registered
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
Freeing unused kernel memory: 136k freed
Please be patient, while OpenWrt loads ...
- preinit -
Press f<ENTER> to enter failsafe mode
- regular preinit -
switching to jffs2
mini_fo: using base directory: /
mini_fo: using storage directory: /jffs
- init -

Please press Enter to activate this console. eth0: link forced UP - 100/full - flow control off/off
Generic kernel compatibility enabled based on linux-next next-20100113
cfg80211: Calling CRDA to update world regulatory domain
roboswitch: Probing device eth0: Failed to enable switch
roboswitch: Probing device eth1: No such device
roboswitch: Probing device eth2: No such device
roboswitch: Probing device eth3: No such device
cfg80211: World regulatory domain updated:
    (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
    (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
    (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
    (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
    (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
    (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
Broadcom 43xx driver loaded [ Features: PNL, Firmware-ID: FW13 ]
PPP generic driver version 2.4.2
ip_tables: (C) 2000-2006 Netfilter Core Team
NET: Registered protocol family 24
nf_conntrack version 0.5.0 (210 buckets, 840 max)
CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
sysctl net.netfilter.nf_conntrack_acct=1 to enable it.



BusyBox v1.15.3 (2010-03-19 06:01:56 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 BackFire (10.3-rc1, r20254) -----------------------
  * 1/3 shot Kahlua    In a shot glass, layer Kahlua 
  * 1/3 shot Bailey's  on the bottom, then Bailey's, 
  * 1/3 shot Vodka     then Vodka.
 ---------------------------------------------------
root@OpenWrt:/#

Wow, this is good news!

Here in Norway there has been put up loads of this ADSL router, and also the 780WL. This looks very promising!

The Thomson stuff is all over the place, in Canada, in the US, in Europe all over... With OpenWRT on it life will be sweeeter smile

Keep up the good work!! I'm interested in flashing DDWRT to Speedtouch 780wl. I hear that 585 and 780wl are very similar. I think that difference is in VOIP. It has 2 FXS ports and 1 PSTN. If you succeed with 585 i could try with 780wl.

I'm making good progress. I have the ethernet ports working in CFE now. Here is how I did it.

I have tried many CFE binaries and none of them work directly. I found one in particular CFE here:

ftp://ftp.dlink.com/Broadband/dsl2540B/ … 041G00.zip

This is a full firmware including a CFE. It has a 0x100 byte TRX header. I stripped that off and wrote the rest into flash at 0x1fc00000. This CFE will boot but without networking.

An unusual thing about this CFE is that it runs far enough to uncompress itself in GXemul MIPS emulator. From there I was able to extract the full compressed and uncompressed CFE binaries by tracing the CPU execution. The compression is LZMA and although the compressed file is not recognised by any LZMA decompressor I could find, I was able to insert a new LZMA file in its place. After adjusting all the branch instructions in the decompresser code, I can now upload my own patched and recompressed version of CFE.

This is useful because CFE has board definitions in tables inside the compressed section. After figuring out the format of those tables and rewriting them I was able to insert the correct settings for this board. The board needs a gpio pulled high to bring the switch out of reset. The board seems to use external phy (not external switch) and there doesn't seem to be any way to control the switch other than reset it (not enough GPIO.)

I will try to release my Python scripts for rebuilding CFE some time in the next week. If you are interested I suggest you grab the CFE image from d-link while it is still available, because I won't be able to release that, and the LZMA CFE that can run in GXemul seems to be a very rare thing.

WOW alromh87 THIS IS AMAZING !!!! KEEP IT COMING MATE !!!

oops a mirror smile http://www.telecom-lab.net/files/dsl254 … 041G00.zip

alromh87 wrote:

Ok so far, I was able to backup cfe,navram,kernel using jtag cable, its a Standard MIPS EJTAG (2x7 pin) connector

http://www.jtagtest.com/pinouts/ejtag

http://cidirome.977mb.com/JTAG.png

i used tjtag 3.0.1 using /fc:84 since I've been told that it has the same architecture as Spansion S29GL032M BotB

I tried to upload kernel using jtag cable, took all night but mi computer had a problem an it could complete.

I also tried using tftp but as it has already posted the router looks for a signed binary and resets if it is no signed, so the next thing I can think of is trying usign some cfe from

http://downloads.openwrt.org/snapshots/trunk/brcm63xx/

i was thinking of openwrt-6338GW-jffs2-128k-bc310-cfe.bin could some one provide some light here?

i will continue testing

(Last edited by NetworkPro on 14 Feb 2011, 22:13)

Keep up the good work, I'm looking forward to your CFE patches. From sunday on I'll have access to the Thomson again and will definitely try all your suggestions!

i have a ST585v6, i use it as an access point for my cable modem, it will bring new life to it if this works on it, however it has a diferent chip, the BCM96348, is it compatible?

thanks, keep the good work and progress

I've put some scripts for working with CFE here:

http://al.robotfuzz.com/~al/thomson/cfe-builder/

If you break your router with this I am not going to help you fix it so make sure you know what you are doing.

This won't work with any other version of CFE as it patches machine code. 6348 will need a different CFE as they are CPU specific.

Oh, I almost forgot. You need to patch the kernel for the new board type. Use the latest openwrt trunk or ethernet won't work. Wireless and DSL do not work yet.

(Last edited by ali1234 on 10 Apr 2010, 13:30)

OK, I've installed the headers and bridged the missing resistors. Just one question: Does the default Thomson CFE/Firmware output anything on the serial console? I don't get any output (at 115200).

EDIT: Sorry, the Thomson CFE/Firmware configures serial as 9600 baud, not 115200! At least serial is working correctly now, tonight I'll build the JTAG cable.

EDIT2: Another question, can the new CFE flash openwrt or is it necessary to flash the openwrt image via JTAG?

Thanks

(Last edited by mauritzius on 12 Apr 2010, 10:41)

I updated the Wiki page with the details for serial and jtag access.
May I put your pictures onto the Wiki?

I can confirm that the python scripts work. I successfully flashed the CFE to my Thomson and it boots properly. It just took me some time to find the /st5 switch for tjtag, without it, flashing is practically impossible.

Now I need to patch and compile OpenWrt. Could you provide your patches to add support for the new board type?

(Last edited by mauritzius on 12 Apr 2010, 21:57)