Login

CableGuRu · (This post was last modified: 07-07-2012, 06:44 PM by CableGuRu.)

I am not sure how to do that at all. I am using the parallel JTAG cable. Is there anything else I can do to try and get this?

*EDIT* Thank you. I think I can do it by the pic you posted.

**drewmerc** · 07-07-2012, 06:44 PM

here's a correct def that i knocked up but (a big BUTT) i have no idea what processor or flash chip is in a 5120 (mostly because i can not be bothered looking) and even then the risk of using this def would still be very risky as it is untested

Code:
/*

+=====================================================================+

|                            JTAG Utility                             |

|                      (c)2008 ToM - tplewa@o2.pl                     |

|                                                                     |

|            BCMXXXX DEFINITION FILE                       |

+=====================================================================+

*/

IRlength=5 

Protocol=ejtag

Endian=big

Ram=0x94000000,0x800000    //Ram=RAM_ADDRESS_START,RAM_SIZE

Flash=0x90000000        // Flash=FLASH_ADDRESS_START

//Definition for Motorola SB5001

#Boot loader

MemoryTab=Boot,0x90000000,0x10000

#configuration1

MemoryTab=Nvram0,0x90010000,0xC0000

#first copy of firmware

MemoryTab=CmApp0,0x900D0000,0x30000

#configuration2

MemoryTab=Nvram1,0x90100000,0xC0000

#cert

MemoryTab=Cert,0x901F0000,0x8000

#cfg0

MemoryTab=Cfg0,0x901F8000,0x2000

#evlog0

MemoryTab=Evlog0,0x901FA000,0x2000

#evlog1

MemoryTab=Evlog0,0x901FC000,0x4000

/*

CableGuRu · (This post was last modified: 09-07-2012, 04:34 AM by CableGuRu.)

thank you. I tried using that def file. what I did was copy the folder "bcm3349" to the Hitachi Dir in the "jtagparts" folder. Then I edited the file "PARTS" to include "0x0000100f, bcm3349, BCM3349", I then got this:

"Read IDCODE: 0x0000100f
Manufacturer: Hitachi
Part: 0x0001
Version: 0x0
---------------------------------

Read IDCODE: 0x0000100f
Manufacturer: Hitachi
Part: BCM3349
Version: 0x0
---------------------------------
Create & Clear RAM Buffer (0x94000000 - 0x94800000)
Load Configuration File: bcm3349.def
IR Length: 0x5
Endian: Big
Protocol: EJTAG
RAM Start Address: 0x94000000
RAM Size: 0x800000
FLASH Start Address: 0x90000000
---------------------------------
Read IMPCODE: 0x21404000
EJTAG Version: 2.5
EJTAG DMA Support: No
---------------------------------
Detect FLASH : Unknown (Manufacturer’s: 0x100f Device: 0x0000)
jtag> getram 9fc00000 200000
Address out of range
jtag> getram 94000000 800000
GetRam: Complete
jtag> getram 90000000 200000
Address out of range
jtag> getram 94000000 800000
GetRam: Complete
jtag> save 94000000 800000
Save file: C:\Users\Admin\Desktop\94000000.bin"

The bin file was 8mb of empty. it was instant too so it didnt read it. I do have a rs232 board. Is there another way I can get the certs?

**drewmerc** · 08-07-2012, 09:13 AM

well to me it looks like the def is working and that the flash.def is missing something
what flash chip is in your modem

CableGuRu · (This post was last modified: 08-07-2012, 01:41 PM by CableGuRu.)

(08-07-2012, 09:13 AM)drewmerc Wrote: well to me it looks like the def is working and that the flash.def is missing something
what flash chip is in your modem

I found this: http://www.usbjtag.com/jtagdevices/sb5120.php I gives info on the cpu and flash.

The Flash chip is: Flash Memory PC CHIP 29LV160BTTC-70 MX brand TSOP48

**drewmerc** · 08-07-2012, 02:27 PM

well after looking at the flash def i know i don't have much of a clue as to what's going on and i don't really wish to learn
(but looking back at the above can i ask why your using 5101 addresses when trying to getram? you should be using 5120 address

>getram 90000000 800000
or
>getram 94000000 800000
or perhaps just try getting the certs/nonvol
>getram nvram0
>getram certs

but i do find usbjtags sb5120 link interesting as it shows how to bypass the watchdog (again all the above is speculation)

CableGuRu · (This post was last modified: 08-07-2012, 03:20 PM by CableGuRu.)

I tried the commands you also gave and it does not want to dump the flash. I was hoping that I could somehow use the rs232 board and get the info somehow. I thought there was a method but I am unsure. I may just have to hook my old modem back up and fight through the pain till I can get another one. Getting lots of lag and not getting lots of lag using a friends modem. Signal is great. And speeds look fine on speedtest.net with my old modem. Was hoping to have my haxorware flashed modem to use in its place though.

**drewmerc** · 08-07-2012, 03:35 PM

you can try with you max cable the connections are in the pic posted, extracting the nonvol from it is going to be fun (assuming the bootloader is noisy)

CableGuRu · (This post was last modified: 08-07-2012, 11:06 PM by CableGuRu.)

ok. I just flashed my modem back to stock. I am going to have them add my modem to the account since it is stock again. Is there any benefit nowadays to having haxorware on a modem if using it on your account with standard assigned bootfile?

Also what command do I use to grab my nonvol from the 2mb dump on my modem?

Thank you a lot for all your help btw. It has been over a year since I messed with modems.

Login
Username:
Password:	Lost Password?
	Remember me