Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Toshiba pcx2500
#1
Was just wondering if anybody has any info on hacking this modem. I know I cannot flash a modified firmware to it, but I was wondering if there is a way to get it into factory mode. Or I was wondering if some1 could help me with getting my USBJtag to read/write the nonvol area on it.. Or anything pertaining to testing with this modem.. I would also like to know if any1 knows exactly how to hook a cable up to it to connect to it's console. I have tried the toshiba diag app, but I can't really do anything fun with it..
[Image: 2wgsq48.jpg]
Reply
#2
how about some (good)pics of the top and bottom of the circuit board

edit
theres this but the pic sucks ass http://haxorware.com/forums/thread-88.html
[Image: Picture001.jpg]

bamp 2nd edit time damn hard to find but here it is just for you tally (hope it helps)
[Image: Untitled_17.png]

test the ground pins match like the pic (guessing the last 3 nc's are missing)
__________________________________________________________________________________
******new discord chat link https://discord.gg/5BQQbsb*******
Reply
#3
Thanks man!!! I don't quite know what i can do with this other than build a pjtag? Blush

I know that the modems have the same chip as the 5120, and I even had a pcx2600 about a year ago maybe longer, that i had opened but i couldn't get it to detect properly so i asked around and some1 gave me values to add to the .def file in the jtag folder. So I added them and I could read/write from it, but I bricked it lol (back then I had no clue what i was doing lol) Anyways i can't remember what site I got the help from and I checked all the sites I can think of but can't find it. I think the .def file I edited is on a hard drive that I got rid of, I also had a script I wrote for it to use with the usbjtag app. but I cannot find that either.. But I doubt it would be the same for the 2500 but maybe.. Anyways, If I give you the values that it tells me when i try to detect, do you think you could then tell me what to add to the def file? Thanks again for your help!! :-D

Code:
IDCODE 0000100F
TI TNETC4401
IMPCODE 21404000
DMA not supoorted
Unknown flash type!
Report these two value to dctbdm@yahoo.com 0020,88ce
[Image: 2wgsq48.jpg]
Reply
#4
Add this to flash.def

0x0020,0x88CE,M28W160CT ,0x200000,31,0x10000,1,8,0x2000

and set usbjtag mode to 5120
__________________________________________________________________________________
******new discord chat link https://discord.gg/5BQQbsb*******
Reply
#5
You rock!!! Thanks bro!!!!!!!!! Big Grin

edit:

Ahh, it's still giving me the same notice and same values to report. Do I need to anything to the usbjtag.def file?? I use 5120TE mode, and when I look in the usbjtag.def i noticed there is some code in there pertaining to this mode.. Do I need to edit anything into it? Here is the code;

Code:
Test:
Name=SB5120TE
//DLL=sb5120.dll
IRLength=5
Endian=Big
Memory=Ram,0,0x94000000,800000
// boot loader
Memory=Boot,1,0x90000000,0x10000
// first firmware image
Memory=CmApp0,1,0x90010000,0xf0000
// second firmware (backup)
Memory=CmApp1,1,0x90100000,0xf0000
// Unknown
Memory=DSPower,1,0x901f0000,0x4000
// Certificate and Unknown Reserved
Memory=Cert,1,0x901f4000,0x4000
// not allowed Memory=Cert,1,0x901f4000,0x1800
// Unknown
// not allowed Memory=Reserved,1,0x901f5800,0x2800
// first log
Memory=EvLog0,1,0x901f8000,0x2000
// second log (backup)
Memory=EvLog1,1,0x901fa000,0x2000
// first config
Memory=NVRAM0,1,0x901fc000,0x2000
// second config (backup)
Memory=NVRAM1,1,0x901fe000,0x2000
Programram=0x94040000
Protocol=EJTAG
DMA=No
ProbTrap=1

thanks for your help Big Grin
[Image: 2wgsq48.jpg]
Reply
#6
try this
Code:
speed 2

detect

http://translate.google.com/translate?la...3Ft%3D2645
__________________________________________________________________________________
******new discord chat link https://discord.gg/5BQQbsb*******
Reply
#7
Thanks man, I checked that thread out, it has some very useful stuff in it. I have gotten it to detect and read everything I can get from it (cert, cmapp1/0,nvram etc..) But I cannot write back to it :'( I was really hoping that I would be able to tick the "factory MIB" box in the change mac option (under 5120 testing).. but it's blanked out.. but I can see and edit the mac addresses and they are all correct. Just can't write to it .. Oh and it still giving me the same thing saying report these values, even though I put the code you gave me into the def file....

If there is nothing more you can think of for me to try, then thanks a lot for everything!!!!.. Hopefully someday we can do something with these modems, while ISP's are still using d11 compliant modems :-p

[Image: 2agru3l.png]
[Image: 1sikqs.png]
[Image: 2wgsq48.jpg]
Reply
#8
watchdog is enabled there's a thread on that site but when translated i still could not read it
never played with a 5120 but know i think i know whats's going on

Code:
Backup firmware
getram 90000000 200000
save 90000000 200000

Disable watchdog be ready to program
SB5120 has a watchdog and need to disable to do programming.
Create file named 5120p.usp
reset
detect
program
Type command 5120p
After this your SB5120 is ready to program and you can program it in normal speed without trigger watchdog.

At this point HERE before doing the next step..... change the mac & and whatever you need w/ the SB5120 Tab in the app... Just be sure the .dll is in the program's installed folder. Or it wont show up  

Program whole firmware.
ldram 90000000
program 90000000 200000

You can use "reset" to restart the modem. You can not use "cmpram" command to check if the programming is ok when it says "DEBUG ON"

Rescue SB5120. When box not fire up. Normal programming will not work. First need to program boot. No watchdog exist in this case
detect
ldram boot (Select proper boot file)
erase boot
sprogram boot (Slow programming)
reset
detect
ldram image0(Any tabes you have backed up)
program image0(Any tabs you want at normal speed)

attached the 5120p.usp


Attached Files
.rar   5120p.rar (Size: 95 bytes / Downloads: 39)
__________________________________________________________________________________
******new discord chat link https://discord.gg/5BQQbsb*******
Reply
#9
(20-06-2010, 08:49 AM)drewmerc Wrote: watchdog is enabled there's a thread on that site but when translated i still could not read it
never played with a 5120 but know i think i know whats's going on

Code:
Backup firmware
getram 90000000 200000
save 90000000 200000

Disable watchdog be ready to program
SB5120 has a watchdog and need to disable to do programming.
Create file named 5120p.usp
reset
detect
program
Type command 5120p
After this your SB5120 is ready to program and you can program it in normal speed without trigger watchdog.

At this point HERE before doing the next step..... change the mac & and whatever you need w/ the SB5120 Tab in the app... Just be sure the .dll is in the program's installed folder. Or it wont show up  

Program whole firmware.
ldram 90000000
program 90000000 200000

You can use "reset" to restart the modem. You can not use "cmpram" command to check if the programming is ok when it says "DEBUG ON"

Rescue SB5120. When box not fire up. Normal programming will not work. First need to program boot. No watchdog exist in this case
detect
ldram boot (Select proper boot file)
erase boot
sprogram boot (Slow programming)
reset
detect
ldram image0(Any tabes you have backed up)
program image0(Any tabs you want at normal speed)

attached the 5120p.usp

Hmmm, I tried this file, I issue the command, then I try to ldram and then program something and i get
Quote:-ldram cert
-program cert
Use DETECT to detect the flash type

How exactly do I use this?? Run the app, (wait till it does its connecting thing), then issue 5120p?? Now after the script finishes it's commands, what do I do?? Try to load something then program it, or?? If I touch it, it says "exit script" but if i dont it just hangs there??

thanks again for all the help..



EDIT:

Here is what I am doing (with what I got from your post); detect, getram 90000000 200000, save 90000000 200000(name and save it), then I ldram 90000000(the file i just saved), reset, detect, program 90000000 200000.. But then I only get "use detect to detect the flash type" Sad Am I doing it wrong??
[Image: 2wgsq48.jpg]
Reply
#10
(21-06-2010, 09:13 AM)tally Wrote: EDIT:

Here is what I am doing (with what I got from your post); detect, getram 90000000 200000, save 90000000 200000(name and save it), then I ldram 90000000(the file i just saved), reset, detect, program 90000000 200000.. But then I only get "use detect to detect the flash type" Sad Am I doing it wrong??

i dont use a usbjtag(used to but not for a long time) but if i remember right you copy the usp file to your scripts(or whatever) folder (it's in the usbjtag folder)

and type 5120.usp in the usb jtag program
i believe the program command has to be sent before the watchdog starts thats why you use a script, thats why it resets first
backup your firmware
hex edit a new mac into it
re program using the usp script
(i also think you should be using latest software and also try in tm602g mode)


Attached Files Thumbnail(s)
   
__________________________________________________________________________________
******new discord chat link https://discord.gg/5BQQbsb*******
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)