OpenWrt Forum Archive

Topic: Help Installing OpenWRT on 2Wire 2700HG-D

The content of this topic has been archived on 4 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

2Wire 2700HG-D

FCCID: PGR2W2700RD
Chipset: Atheros AR2413A
Flash: ST NAND128W3A2BN6 (16MB?)
Ram: NANYA NT5DS16M16CS-5T (64MB?)

Hidden manual firmware update page can be found at:
(GatewayIPaddress)\tech\update
Advanced Configuration settings can be found at:
(GatewayIPaddress)\mdc

Supported upgrade file formats are:
.bin
.imi
.2sp

OEM Kernel is either FreeBSD (from searching)
or Linux (Knopix?) (from 2wire source download) (file is KNP-Linux)

How would I install OpenWRT (and what files) on this Gateway?

Thanks!

Some news - I have found out how to successfully write the flash to zeros. Fun. Now, I think that I need to JTAG the flash back to OpenWRT, or back to factory. FYI, the factory SBC recovery.2sp factory is a whopping 10.0 MB, as reported by Windows. This machine has a HUGE flash (This file successfully uploaded and converted my factory Quest firmware to factory SBC firmware.) I think that someone skilled could likely take a flash image, an Atheros OpenWRT kernel image, and place the OpenWRT image in place of the stock Linux Kernel.

I have a Red, Green, Red blink sequence on power on, after which two other LEDs (DSL & Internet) light to Red. I think this either means a.) bootloader intact, kernel zeros, or b.) flash entirely zeros. I do not have any Ethernet ports, USB detection by PC, or ping that I can find. Probable brick.

Do any programmers out there know if the OpenWRT kernel is chipset specific, or if this version is tailored to the specific chipset application?

As to a hacked binary image, I believe the trick is to locate the exact first byte of the updated kernel, and replace the kernel byte for byte with the appropriate binary OpenWRT kernel. The file has detailed text information regarding where scripts are, etc.

There is also a service connector on the front portion of the circuit board, with seven printed connectors. I believe that this is for manually servicing this board, but the key is finding which connector does what. I measure 1,2,3,4,5 6,7 as
-,-,+,+,+ -,-
Connector #4 resets the power when connected to the case. Joy for anyone interested in trying to increase the functionality of this model of nearly retired DSL modem, or OpenWRT Software. I have found some of the factory firmware after extensive searching. Of course, any experimenters should either be extremely careful, well equipped, or be willing to make (small, in my case) sacrifices. DO NOT EXPERIMENT WITH VITAL EQUIPMENT.

Thanks, and I hope someone will take up this model of hardware. I think that this could have promise.

tjm08 wrote:

Joy for anyone interested in trying to increase the functionality of this model of nearly retired DSL modem, or OpenWRT Software. I have found some of the factory firmware after extensive searching. Of course, any experimenters should either be extremely careful, well equipped, or be willing to make (small, in my case) sacrifices. DO NOT EXPERIMENT WITH VITAL EQUIPMENT.

Any plan to donate this device away for the cause of hacking?

I think that this could have promise.

A device with plenty of Flash/RAM is definitely a good candidate for any open-source firmware, AFAIC.

I need an introduction project, however, there should be a multitude of these things out there. I am in the USA, and Quest (a local broadband company) has been supplying their customers with these. Power adapters die frequently, but mine (which I bought at a yard sale for $1.00 US) worked with another power adapter. I have seen around 3 on eBay when I looked, and it seems that they go for around $25.00 US. Many people don't like them for various reasons, and some get bricked by automated firmware updates (or people get really annoyed by the same, without the bricking.) Right now, I am trying to figure the pinouts on the J2 header for that board. On closer examination, there are pins on the other side of the PCB. Someone in the UK has figured out a method of getting more functionality and access to the firmware (I was never able to get a tftp response, among other things) by connecting two pins on the J2 header (which would cause a factory diagnostics boot). Google unlocking 2Wire 270x-xx for more detailed information. X is a wild card, as the article is written about the next model up, the 2701, if memory serves. I can supply my killer firmware version, but the best approach is to locate original firmware. I took the two large binary blocks, and replaced them and everything after them with a block of zeros.

As I now have a brick, it seems that I have (?) successfully erased the kernel. There were two blocks, with a sequence which I believe to be the write command, and I placed zeros after both. There does exist a boot wait, and I did have access to the UI after the "upgrade", until I hard reset. This allows for a possible test procedure to see if firmware is accepted, but I do not know how well the recovery flash after test flash would work as the router reboots prior to running the update procedure. I think it might just find a corrupted kernel at that point and the recovery flash would grind to a screeching halt.

Approaches for functional machines (as seems logical to me) would be:
1.)  Hacked Firmware recovery/update with kernel portion replaced with opensource firmware
2.)  Hacked USB Driver and/or firmware with read/write via USB, so that the flash is accessible in the same way the USB flash drives are
3.)  Programmed Basic firmware with acceptable header that has a kernel that allows either
      a.)  TFTP Access
      b.)  USB Read/Write Access
      c.)  Erase rest of Flash

I would appreciate some pointers on this, as I am new to the whole hacking thing. I have some schooling with programming, and am willing to learn. DIY projects are very effective teaching tools, and I have open ears to what anyone has to say. I have been considering emailing the tech support to try and obtain a pinout of the J2 header, but I suspect that that information might not be forthcoming. Any ideas?

(Last edited by tjm08 on 24 Nov 2009, 17:04)

Thanks for all the information you provided above. You definitely have done a lot of work on this device and I wish you will be able to debrick yours soon.

I am working on building an interface cable to the pcb J2 Header.  I thought part of an old-style floppy cable would work, but the pin widths are different.  (the floppy pins are wider).  It looks like I am going to have to take a 25pin header cable from an old AT PC (I have a huge supply of obsolete hardware) and a 25 pin female to 25 pin female cable. 

I figure that if I
a.)  locate the relevant pin defs for the 14 pin pcb edge connector
b.)  find the corresponding pin defs for the 25 pin parallel port
c.)  solder the individual wires from the 25 pin header to the correct pins of the PCB
d.)  obtain a driver that will allow me to write bits to specific addresses,

then I have a JTAG-type interface that will work with a 2Wire 2700HG-D (and similar). 

Yay.  Any advice on how to find the pinouts?

More Fun. After extensive examination of the circuit board and internet research, it seems that this DSL Modem/Gateway/Wireless Router uses a VLIW type Processor, of the TriMedia Family of NXP Processors, in addition to the 16MB Flash and the 64MB DDR SDRAM. It seems that this is an interesting beastie; I have been trying to review the OEM Flash binary for the write (and other) instructions and the binary kernel image.

Does anyone know if this type of CPU is supported by OpenWRT?  Some of the DSL Forums indicate that this processor is similar to the MIPS type of CPU.

I am still having loads of fun.

Some news.  I have a tentative pinout.

J-1 Header  Note:  Even pins are on the top of the board, odd pins underneath
01 - 3.3V   02 - GND (connected to 04 via trace; continuity to GND)   
03 - 0.0V   04 - GND (connected to 02 via trace; continuity to GND)
Key
05 - 3.3V   06 - 3.3V
07 - 3.3V   08 - 3.3V (nSRST;  causes system reset led pattern when shorted to ground)
09 - 3.3V   10 - 3.3V (FTM) (Functional Test Mode;  connected to pin 1 of J-1 Header, which is documented)
11 - N.C.   12 - 0.0V
13 - N.C.   14 - GND (continuity to GND)

J-2 Header
01 - 3.3V (FTM)  02 - GND  (Documented for "Functional Test Mode")

Found (tentative)
nSRST (optional JTAG, consistent with observed behavior)
To find:
nTRST (optional JTAG, possible; used for logic reset of JTAG chain)
TCK    (essential JTAG; Test clock signal)
RTCK  (optional JTAG, possible;  used for adaptive clocking and higher data transfer)
TDI     (essential JTAG; Test Data Input)
TDO    (essential JTAG; Test Data Output)
I believe that nTRST may be either pin #3 or pin #12, based on the procedure used by Smiggy.

Quoting from Smiggy, who documented his test method as follows on
http://forums.whirlpool.net.au/forum-re … 08533.html

The method I used was fairly simple but laborious.

1. Measure the resistance of all pins to GND and 3.3V power supply. You need to measure under the electrolytic capacitors to determine which is the main 3.3v supply. Mark them carefully on a pinout graphic all your measurements. This is important to do a clean accurate test. Turn it on and measure all voltages. Mark them on your graphic.

2. The pins that have already been defined as putting the box into special boot mode. Mark those.

3. One pin will have high resistance to GRND and 3.3v. It is TDO, ie output which cannot be pulled up or down but floating. Mine showed 3Mohm.

4. One pin will be at either full supply potential 3.3v or 0v will be nTRST. (Assuming they have nTRST turned off. It was in mine.) It will more than likely have a different resistance than other pins. Mine was 5K to 3.3v 1.5K GND. It will, hence have much lower voltage to ground and be at or near 0v.

5. Hopefully you now have a bunch of pins next to each other, which are unknown. In my case 4,5 then 12,13,14 All measure 3.3v. All have 1k to 3.3v and 2k to GND. I traced pins 4, 5 to I2C serial eprom. So it won't be those. That leaves the 3 pins bunched together. 12,13,14 which makes sense. The rest is trial and error. Make up a grid and work through the combinations. TDI, TMS, TCK. start the JTAG software each time. I just used the hairy dairy maid one. When I hit the right combo all the LED's turned on indicating I had put the processor in a diagnostic mode.
Only one or perhaps two combinations will do that. So you now have the 4 JTAG pins plus NTRST defined. Or perhaps two possibles.

There is a procedure documented on JTAG finder, which is essentially a logic procedure wherein all potential JTAG Pins are hooked up simultaneously. A data signal is sent to one pin at a time, and all of the other pins are observed for changes in logic state. More information can be found at: http://www.elinux.org/JTAG_Finder

Given the tentative pinout that I have now, I think that I can build an unbuffered parallel interface with 8 connects on parallel pins 2-9 (data pins), and reserve pin 13 for TDO when found.  Then I should be able to implement the finder method to narrow things down.  After that, figure how to work with the TriMedia VLIW CPU and the NAND flash.  The cable would be identical to the unbuffered cable described in the wiki, with the exception of using all eight of the data bus signals.


Any thoughts on this method?
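
One way to automate the kind of pin search described in the post above, as an added example that is not part of the original thread or of the JTAG Finder page. It runs against a simulated target: `SimTarget`, its hidden pin assignment, and the assumption that the TAP selects BYPASS after reset (no IDCODE register) are all constructed for illustration.

```python
from itertools import permutations

NPINS = 5
PATTERN = [1, 0, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1]  # sent on the TDI guess

class SimTarget:
    """Constructed stand-in for the board: hidden wiring plus a TAP in BYPASS."""
    TCK, TMS, TDI, TDO = 3, 1, 4, 0          # hypothetical pin assignment
    state, bypass = 0, 0                     # TAP state (0 = Test-Logic-Reset)
    # IEEE 1149.1 TAP next-state table, indexed [state][TMS]
    NEXT = [(1, 0), (1, 2), (3, 9), (4, 5), (4, 5), (6, 8), (6, 7), (4, 8),
            (1, 2), (10, 0), (11, 12), (11, 12), (13, 15), (13, 14), (11, 15), (1, 2)]

    def pulse(self, clk, levels):
        """Drive levels[] on all pins, pulse pin clk, return the levels read back."""
        read = [1] * NPINS                   # idle pins read high (pull-ups)
        if clk != self.TCK:
            return read
        if self.state == 3:                  # Capture-DR clears the BYPASS bit
            self.bypass = 0
        elif self.state == 4:                # Shift-DR: TDO = old bit, latch TDI
            read[self.TDO], self.bypass = self.bypass, levels[self.TDI]
        self.state = self.NEXT[self.state][levels[self.TMS]]
        return read

def try_combo(target, tck, tms, tdi):
    """Return the pin that echoes PATTERN one clock late for this guess, else None."""
    def clock(tms_bit, tdi_bit=1):
        levels = [1] * NPINS
        levels[tms], levels[tdi] = tms_bit, tdi_bit
        return target.pulse(tck, levels)
    for bit in (1, 1, 1, 1, 1, 0, 1, 0, 0):  # TAP reset, then walk to Shift-DR
        clock(bit)
    reads = [clock(0, b) for b in PATTERN + [0]]
    for pin in set(range(NPINS)) - {tck, tms, tdi}:
        if [r[pin] for r in reads[1:]] == PATTERN:
            return pin
    return None

def find_jtag(target):
    """Try every ordered (TCK, TMS, TDI) triple; list the combinations that echo."""
    hits = []
    for tck, tms, tdi in permutations(range(NPINS), 3):
        tdo = try_combo(target, tck, tms, tdi)
        if tdo is not None:
            hits.append((tck, tms, tdi, tdo))
    return hits

print(find_jtag(SimTarget()))
```

On real hardware `pulse` would be replaced by the parallel-port write and read, and every candidate pin needs a series resistor because wrong guesses drive pins that may be outputs.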

GPL source code is here: http://www.2wire.com/index.php?p=437

Might play with one that I just picked out of our condo re-use bin......

Gerrit

(Last edited by z80yyz on 8 Oct 2010, 17:04)

The pinout for the dual row card edge connector found in the 2Wire routers is as follows:

http://hackingbtbusinesshub.files.wordpress.com/2012/01/2wirecardedgepinout_400px.png

There are now some development tools for the TriMedia core found in these routers.

A disassembler has been built for the TriMedia VLIW core, and there are utilities to re-build the boot ROM and JTAG tools to download object code to the core and to dump the NAND flash contents.

More info at:

http://hackingbtbusinesshub.wordpress.c … -jtag-i2c/

P.S. Please contact if you have experience in reverse-engineering a flash file system, especially TrueFFS from m-Systems.   The file system used in the 2Wire may be sitting on top of the Flash Translation Layer from TrueFFS and this needs to be understood.

I have bricked my router.
Is there any possibility to recover it with JTAG?

diogoc wrote:

I have bricked my router. Is there any possibility to recover it with JTAG?

Yes it is possible.

If it is one of the 2Wires with a card edge connector for JTAG then you will either need to solder wires to the card edge 'fingers',  or find a suitable connector.  They are available off-the-shelf but at a price, or else fashion one from a PCIe riser which has the same 1mm pitch as the edge connector.

Then you need to create a new boot ROM.  The 2Wire modems normally boot from a 24Cxx series i2c serial EEPROM.  To JTAG the device you use a different boot ROM. It contains the early stage bootscripts and the phase 1/2 bootloaders. Instead of booting from flash, the new boot ROM runs a JTAG monitor.

The JTAG monitor runs natively on the Trimedia (the CPU in the 2Wires) and accepts flash write instructions from a JTAG programmer on the PC.

It's not easy and requires several bits of kit - 24Cxx EEPROM programmer, 24C32 EEPROM on breakout board, 1mm pitch dual edge card connector, JTAG programmer and JTAG programming software.

cheers, a

P.S. The fact that the 2Wire router is bricked probably means that something is faulty.  The NAND flash devices are more prone to fail with age, for example.

My router is bricked because I updated it with a wrong firmware.

I have almost all of these tools. Can you help me with the steps to recover it?

The discussion might have continued from here.