sb5100 cable modem usbjtagnt pluking

Upload: mmundial

Post on 02-Jun-2018


  • 8/10/2019 SB5100 Cable Modem UsbjtagNT PluKing


    SB5100 Cable modem

    Motorola SB5100 SurfBoard. The board's CPU is a BCM3348. The tool used to debug the CPU is EJTAG (DMA).

    Picture showing JTAG is connected

    Flash One 2MB 28F160C3

    Firmware 2MB $9FC00000-$9FDFFFFF

    RAM 16MB $80000000-$81000000

    Backup video: http://usbjtag.com/pafiledb/index.php?act=view&id=33

    Sigma programming: http://usbjtag.com/pafiledb/index.php?act=view&id=35

    Change MAC: http://usbjtag.com/pafiledb/index.php?act=view&id=45

    Rescue SB5100 method 1: http://usbjtag.com/pafiledb/index.php?act=view&id=58

    Rescue SB5100 method 2: http://usbjtag.com/pafiledb/index.php?act=view&id=59

    Definition in usbjtag.def (usbjtag 0.09, SB5100 Test 0.03):

    Name=SB5100
    DLL=SB5100.dll
    Memory=Ram,0,0x80000000,0x800000
    // Boot loader
    Memory=Boot,1,0x9fc00000,0x8000
    // configuration
    Memory=cfg,1,0x9fc08000,0x8000
    // first copy of firmware
    Memory=Image0,1,0x9fc10000,0xf0000
    // second copy of firmware
    Memory=Image1,1,0x9fd00000,0xf0000
    // log data
    Memory=log,1,0x9fdf0000,0x10000
    Programram=0x80400000
    // watch dog
    Init=0xfffe0224,0
    // initialize chip set
    Init=0xfffe2300,0x1a
    Init=0xfffe2304,0
    Init=0xfffe2308,0x8040
    Init=0xfffe230C,3
    Init=0xfffe2310,0x4824
    Endian=Big
    IRLength=5
    Protocol=EJTAG
    DMA=Yes
    ProbTrap=1
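
    A sanity check for the Memory= tabs of the definition above, useful before any erase or program command is issued. This is an added example, not part of usbjtag or of the original page; the function names are hypothetical, and reading the second Memory= field as 1 = flash, 0 = RAM is an assumption drawn from the entries shown here.

```python
# Added example: parse the Memory= tabs and check that the flash tabs
# cover the 2MB flash ($9FC00000-$9FDFFFFF) with no gaps or overlaps.
DEF_TEXT = """\
Name=SB5100
Memory=Ram,0,0x80000000,0x800000
// Boot loader
Memory=Boot,1,0x9fc00000,0x8000
Memory=cfg,1,0x9fc08000,0x8000
Memory=Image0,1,0x9fc10000,0xf0000
Memory=Image1,1,0x9fd00000,0xf0000
Memory=log,1,0x9fdf0000,0x10000
"""
FLASH_BASE, FLASH_SIZE = 0x9FC00000, 0x200000

def parse_tabs(text):
    """Return [(name, kind, start, length)] for every Memory= line."""
    tabs = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("Memory="):
            continue  # skips // comments and all other keys
        name, kind, start, length = line[len("Memory="):].split(",")
        tabs.append((name, int(kind), int(start, 16), int(length, 16)))
    return tabs

def check_flash_layout(tabs, base=FLASH_BASE, size=FLASH_SIZE):
    """List gaps, overlaps and size mismatches among flash tabs (kind 1, assumed)."""
    problems, cursor = [], base
    flash = sorted((t for t in tabs if t[1] == 1), key=lambda t: t[2])
    for name, _, start, length in flash:
        if start > cursor:
            problems.append(f"gap {cursor:#x}-{start:#x} before {name}")
        elif start < cursor:
            problems.append(f"{name} overlaps previous tab at {start:#x}")
        cursor = max(cursor, start + length)
    if cursor != base + size:
        problems.append(f"tabs end at {cursor:#x}, flash ends at {base + size:#x}")
    return problems

def tabs_touched(tabs, start, length):
    """Names of flash tabs that a 'program start length' would overwrite."""
    end = start + length
    return [n for n, k, s, l in tabs if k == 1 and s < end and start < s + l]

if __name__ == "__main__":
    tabs = parse_tabs(DEF_TEXT)
    print(check_flash_layout(tabs) or "flash layout OK")
    print(tabs_touched(tabs, 0x9FC00000, 0x200000))
```

    Running tabs_touched on the range given to a program command shows at a glance whether the boot and cfg tabs are inside it.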

    Commands

    Backup firmware
    getram 9fc00000 200000
    save 9fc00000 200000

    Program whole firmware. (Should not interrupt)
    detect
    ldram 9fc00000
    program 9fc00000 200000
    cmpram 9fc00000 200000

    cmpram is optional. It can be used after program only when DMA is supported. After that you should see DEBUG ON. You should see "Compair data OK"

    Program Sigma
    detect
    ldram boot (select the Sigma boot)
    ldram image0 (select the Sigma application)
    program boot
    program image0

    Rescue SB5100. When the box does not fire up, normal programming will not work. First you need to program the boot (if method 1 does not work, use method 2).

    Method 1.
    detect
    ldram 9fc00000 (select the backed-up file)
    poke fffe230c 3
    poke fffe2304 0
    poke fffe2300 a
    poke fffe2300 9
    poke fffe2300 9
    poke fffe2300 9
    poke fffe2300 9
    poke fffe2300 9
    poke fffe2300 9
    poke fffe2300 9
    poke fffe2300 9
    poke fffe2300 1c
    program 9fc00000 200000
    cmpram 9fc00000 200000

    If cmpram fails, power the box off and on again and do
    detect
    program 9fc00000 200000
    cmpram 9fc00000 200000

    Method 2.
    detect
    ldram boot (select the proper boot file)
    erase boot
    sprogram boot (slow programming)
    Power off and on SB5100
    detect
    ldram 9fc00000 (select the backed-up file)
    program 9fc00000 200000
    cmpram 9fc00000 200000

    Last updated: December 09 2011

    Sorry, I made a mistake, it is:

    detect

    ldram 9fc00000

    erase 9fc00000 200000

    sprogram 9fc00000 200000

    reset

    ldram loads whatever you want

    program programs it

    Hi, I'm leaving a map of the flash here in case it is of some use.

    To load the cfg:

    -blackcat - flash - write - 9fc08000 length 32768

    -USBJtag - ldram cfg - program cfg

    - - - - - - - - FLASH map - - - - - - - -

    by Dgadrian

    |_ _ _ _ _ _9FC0000
    | boot
    |_ _ _ _ _ _9fc0800
    | cfg
    |_ _ _ _ _ _9fc1000
    |
    | image 0
    |
    |_ _ _ _ _ _9fd0000
    |
    | image 1
    |
    |_ _ _ _ _ _9fdf000
    |
    | Log
    |
    |_ _ _ _ _ _9fdffff

    Greetings to all

    New version available: SB5100 MoD v 1.0.4 Beta

    Download updated

    Firmware for SB5100 by tplewa at theoryshare

    New Features:

    - HTTPD Password Protection

    - Change HTTPD Port from Web

    - Clone

    a) Serial Number

    b) HFC MAC Address

    c) Ethernet MAC Address

    d) CPE USB MAC Address

    e) SNMP sysDescr

    f) SNMP docsDevSwCurrentVers

    - Backup NonVol

    - Firmware Update from TFTP and Full Backup

    (Future Features)

    - Sniffer

    Beta version available 0-4 weeks (maybe faster )

    Any suggestions ?

    #SB5100MoD Change Log

    #######################

    version 1.0.4 Beta:

    (10-July-2008)

    - Add Upload cmConfig from TFTP to Flash Memory (TFTP GET???)

    - Add CopyTftp Symbol (VxWorks Shell) - No FileSize Limit

    USAGE:

    CopyTftp("SourceTftpIP","SourceFileName","DestinationTftpIP","DestinationFileName")

    *DestinationFileName - Optional


    Post:#2

    RE: SB5100 bricked - need recovery instructions

    The normal method of debricking is to erase the flash and sprogram the boot.

    erase 9fc00000 200000

    ldram boot (good firmware)

    sprogram 9fc00000 200000

    Method 2.

    detect

    ldram boot (Select proper boot file)

    erase boot

    sprogram boot (Slow programming)

    Power off and on SB5100

    detect

    ldram 9fc00000(Select the backed up file)

    program 9fc00000 200000

    cmpram 9fc00000 200000

    Once you have the USB connected, cut the power to the modem, plug it back in and quickly hit detect. It should detect, and then you load a bootloader for that model, restart everything and write a full flash. Regards.

    Look, the most effective approach is to use the JTAG cable with the JTAG utility program. Connect the cable to your modem without plugging the modem into power; as soon as you plug it in, do a detect in the program, then the command ldram flsh, and write a flash to your modem. It will take about 10 - 15 min to complete, but it will be revived.

    USBJTAG commands

    Commands of this software:

    d Display the address.

    Syntax: d address (in hexadecimal)

    Example: d 9fc80000

    exit Exit the whole application.

    Syntax: exit

    help print command help.

    Syntax: help

    This will print all the command names.

    Syntax: help (cmd) This will print the usage of the cmd.

    Example: help flshdct

    detect Detect the target CPU and possible flash types. If there are memory tabs defined as flash then a flash detect command is also issued.

    Syntax: detect

    search Search the memory block. This is ONLY used when the target is unknown and you want to find the memory map, most importantly where the firmware starts. Most users will not need this command.

    Syntax: search start end step.

    initusb Initialize the USB PORT. This will trigger USB PORT to reinitialize the

    USB JTAG. It might take several seconds to get back JTAG connected state.

    Syntax: initusb

    getram Read memory from target to PC. This is a lengthy operation and the progress bar will show roughly where you are. After completion of the memory read, the memory in the tabs will be updated. You can view and edit the memory in the memory tabs. Be careful when editing the memory map: most flash firmware has a complicated checksum to avoid data corruption, so simply editing the firmware and programming it back might not work.

    Syntax: getram tab

    getram start length

    Example: getram boot

    getram 9fc00000 200000

    save Save the PC memory to a file. The default file extension is .bin

    Syntax: save tabname

    save start length

    Example: save boot

    save 9fc00000 200000

    ldram Load binary file to PC memory. This is the opposite of the save command.

    Syntax: ldram tabname (filename)

    ldram address

    Example: ldram boot

    ldram 9fc00000

    cmpram Compare the PC memory with target memory. This is very useful, especially when programming flash. If you use EJTAG you cannot do cmpram right after the programming if non-DMA is used. OK means the memory is identical between the PC and the target. Otherwise the failed address will be displayed.

    Syntax: cmpram tabname


    cmpram address length

    Example: cmpram boot

    cmpram 9fc00000 200000

    peek Get one word from target.

    Syntax: peek address

    Example: peek 80000000

    poke Set one word to target.

    Syntax: poke address value

    flshlist List all the flash types that are defined in flash.def

    Syntax: flshlist

    about Display about dialog box.

    Syntax: about

    cls Clear the screen

    Syntax: cls

    e Edit data in PC memory. To update to the target ram or flash you need to use

    setram or program commands.

    Syntax: e address data1 data2 ...

    Example: -e 9fc08000 11 22 33 44

    f Fill data in PC memory. To update to the target ram or flash you need to use

    configshow Show all the configuration.

    Syntax: configshow

    Example:

    -CONFIGSHOW

    Test name: SB5100

    Test DLL: SB5100.dll

    IRLength: 5

    Endian: Big

    Boot Flash=Intel 28F160C3B

    Image0 Flash=Intel 28F160C3B

    Image1 Flash=Intel 28F160C3B

    log Flash=Intel 28F160C3B

    erase Erase the flash. The erase command is used together with sprogram. The normal program command erases the flash automatically, so erase is only needed when the normal program command does not work. An ST20 target must use erase/sprogram to program the flash. Please note that the erase command gives no feedback while erasing, and an erase normally takes quite a long time. Erasing a 2M flash will normally take up to 20-40 seconds. If the program has not returned after a long time, something has gone wrong and you need to stop the program and start again.

    Syntax: erase tabname

    erase address length

    Example:

    -ERASE image0

    Erase starts

    Erase time 00:00:08 .021

    sprogram Slow program. This is slow compared to the normal program command. In EJTAG this method does not use target RAM. In EJTAG, when the boot is not set up and the initialization sequence to access RAM is unknown, sprogram is normally used to program a boot block. Make sure the target flash is erased.

    Syntax: sprogram tabname

    sprogram start length

    Example:

    -ERASE boot

    Erase starts

    Erase time 00:00:00 .031

    -SPROGRAM boot

    Program Starts...

    Program time 00:00:08 .084

    CMPRAM boot

    program Program the flash or EEPROM. If you program flash, make sure you have executed the flshdct or detect command. The right flash type must be set for the memory.

    Syntax: program tabname

    program address length

    Example: program boot

    program 9fc00000 200000

    bk Break the target. Normally use this with register view enabled.

    Syntax: bk

    Shortcut: F6

    r Read registers or set register value to the target

    Syntax: r

    r register value

    Example: r r1 8000200

    Connect, hit detect, and as quickly as possible run

    ldram boot

    sprogram boot

    If you do it very quickly you will see that it starts writing, and after that it detects the flash.

    To find out whether this method works for you, do the following.

    Run detect.

    If it detects everything fine, wait a while and run detect again, and it will not detect anything. If that happens to you, do what I describe above and your problem will be solved.


    You have to write the boot first, so that it lets you load it again

    detect

    ldram boot

    erase boot

    sprogram boot

    If you don't have the boot from your original firmware, extract it like this

    ldram 9fc00000

    save boot

    and that's it, you use that one to boot it. It goes like this, take a look:

    debrick

    detect

    IDCODE 0334817F

    Broadcom BCM3348

    IMPCODE 800908

    DMA supoorted

    Found Address= 9fc00000 Intel 28F160C3B

    9FC00000 erased

    9FC02000 erased

    9FC04000 erased

    9FC06000 erased

    -LDRAM BOOT

    -ERASE BOOT

    Erase starts...

    Erase time 00:00:00 .016

    -SPROGRAM BOOT

    Program Starts...


    Program time 00:00:09 .009

    -DETECT

    IDCODE 0334817F

    Broadcom BCM3348

    IMPCODE 800908

    DMA supoorted

    Found Address= 9fc00000 Intel 28F160C3B

    -LDRAM 9FC00000

    -PROGRAM 9FC00000 200000

    Erase starts...

    Erase time 00:00:18 .059

    Program speed 134.58 KB/s

    Program time 00:00:15 .082

    Program pass, if no further programming needed, power off/on the targe

    EN TOOL PLOMEAR LOS DOS

    I have a Motorola SB5100 and I carried out the following steps to get more speed.

    1) I changed the modem's MAC to a MAC from another node that has a higher contracted speed.

    2) I wrote Sigma v142.

    3) I enabled telnet mode from Sigma.

    4) I ran telnet and disabled BPI with the following commands:

    cd /
    cd non-vol
    cd docsis
    enable bpi false
    write

    I restarted the modem and that was it! I started browsing at a higher speed. The problem is that I could only do it for TWO DAYS, then the modem would not connect again (that is, the online light does not stay solid).

    Am I missing something else? Why could I browse at a higher speed before and not now? Am I getting something wrong??

    If there is a tutorial that explains it well, could you pass it to me?

    Thanks, people.

    Regards


    ldram boot

    erase boot

    sprogram boot

    Uploading certificates to the SB5100 via SNMP

    Friends, to upload certificates to an SB5100 modem you first have to install the SNMP libraries:

    http://www.4shared.com/file/GU-b_HbA...-1win32_2.html since the link in the forum is down, but you can still look for it in the downloads section.

    Next you have to create a .bat file; you can do this by creating a Notepad document and saving it as a .bat file.

    In the downloads section of the forum there is a .bat file for the Motorola SB5100, but it has not worked well for me, since it does not include the SNMP instructions for loading the cmFactoryManCertificate and cmFactoryRootCertificate certificates.

    I made the .bat with the following content, and it worked for me with the certs scanned with fastcert 3.0:

    REM HFCmacAddress
    snmpset -v2c -c t3xr1tt3r 192.168.100.1 1.3.6.1.4.1.1166.1.19.4.4.0 x tu mac sin puntos
    REM cmFactoryBigRSAPublicKey
    snmpset -v2c -c t3xr1tt3r 192.168.100.1 1.3.6.1.4.1.1166.1.19.4.50.0 x tu certificado
    REM cmFactoryBigRSAPrivateKey
    snmpset -v2c -c t3xr1tt3r 192.168.100.1 1.3.6.1.4.1.1166.1.19.4.51.0 x tu certificado
    REM cmFactoryCMCertificate
    snmpset -v2c -c t3xr1tt3r 192.168.100.1 1.3.6.1.4.1.1166.1.19.4.52.0 x tu certificado
    REM cmFactoryManCertificate
    snmpset -v2c -c t3xr1tt3r 192.168.100.1 1.3.6.1.4.1.1166.1.19.4.53.0 x tu certificado
    REM cmFactoryRootCertificate
    snmpset -v2c -c t3xr1tt3r 192.168.100.1 1.3.6.1.4.1.1166.1.19.4.54.0 x tu certificado
    pause

    Now you only have to replace the MAC and the corresponding certificate. I hope this helps you, friends. Note that your modem has to be modified, for example with mod 1.0.4, since I have mine with mod 1.0.4.

