This blog is about the TriMedia-based routers from 2Wire (now part of Pace).
In the United Kingdom, these routers are re-branded as the British Telecom range of Business Hub, hence the blog name.
The aim of the blog is to document the liberation of these unusual and powerful devices.
The overarching plan is to unlock them for use with any ISP and without configuration limits.
26 Comments
Matem, love your work. Seems you’re the only one working on the 2Wires... and an amazing job you’re doing too! I just wish I had your skills.
Hi Benryanau,
Thanks for your kind words.
I promise you a proper reply tomorrow, about the key (from what little I know of it) but currently have a legendary migraine and so to bed!
cheers, a
No worries, sorry to hear you’re in a bad way.
Would it be possible for you to send me a copy of the dumped flash?
Also, how are you going with writing/editing the flash?
cheers
ben
Hi again,
The sun came out which happens so rarely in England it gave me a migraine!
Viz writing the flash, haven’t got on to that yet. It’s a priority though. The ONFI program and erase commands need dropping into the driver we built.
The issue now is the flash translation layer (FTL) – it shuffles NAND pages to level the wear on the flash device. And it seems that shuffling is done on a random basis. So NAND dumps from the same device running the same firmware could be very different. This introduces a problem with writing specific pages and erasing specific units. With no understanding of the underlying FTL, it’s likely to wreck the flash file system.
cheers, a
I’m not sure if you know this or not, but the 2Wire 3801HGV is also being used by MTS in Canada. I tripped over your blog whilst looking for some post-install information. The topology as installed here is: VDSL-3801HGV, then using one of the Ethernet switch ports is connected to a Motorola VIP2262 PVR, and using the HPNA port is connected to 3 slave Motorola VIP2202s over RG6 from a splitter. They are delivering VOD, TV and broadband over the 3801HGV. I’m specifically looking for ways to get into the setup menus so that I can make the install more suited to my pre-existing LAN topology. The plan is to set static IPs on the STBs and use my own router for DHCP, ACLs etc., but available information is, let’s say, sketchy at best, and the installers went all shy when I asked em questions.
If you can shed any light on em based on your own work, I would be interested to hear about it.
Hi JBW!
Thank you for your comments. Very interesting! I wish I could help, but we scarcely see the 3801HGV. Much of the 2Wire range is used here in Britain, but not the 3801, although they should work in theory (EDIT: VDSL2 profile incompatibilities aside).
We are still trying to crack open the 2700 and 2701 series. The 3801 has a different CPU, a dual-core TriMedia TM3260, whereas all previous 2Wire Home Gateways have been single-core: Ares, Perseus and Medusa. The 3801HGV certainly looks impressive on paper.
If you can lay your hands on a spare one (even a broken one), then maybe the NAND flash could be lifted off the PCB and its contents dumped that way?
Thanks once again for your interest.
cheers, asbokid
Shouldn’t be a problem, hit it from the standard gateway GUI. In there you can make those adjustments. No hacking required.
Hey matey, I have the equipment to lift the flash, read/reprogram it etc. and place it back on the board, but alas I’m here until later in the year and don’t have access to the equipment needed. I have spotted someone selling one though on the ’bay that was originally used by AT&T in the U.S. and rolled out as their U-verse triple-play thingamabob gateway; if it looks like it’s going to go cheap, I might just try and snag it. I could then bring it back with me and see if I can get something useful out of it. The main problem I have with the one installed here is crippled firmware: there’s no way to turn off routing etc. because they have removed the features they don’t want folks to twiddle with. The STBs are yet another can of complexity.
Hi again, jukeboxwizard.
That sounds like a great plan. Good luck with it.
cheers, a
Very informative posts and solid analysis! The 2Wire brand is a great target to hack, it’s ubiquitous in the US as AT&T’s high speed DSL gateway. If you’re interested in getting some more attention, I recommend you send a link to hackaday.com.
I can’t wait to see more, hack on!
Hi REVENGE, Thanks for your message. Just returned to this project, so hopefully can make some progress. If you or anyone else is interested in collaborating, please contact!
cheers, asbokid
Have a 3800HGV-B for experiments – also have desoldering stations. Please let me know what I could do to help. Do you have a mailing list for this effort? I became interested in this platform during my explorations of the Scientific Atlanta IPTV set top boxen based on the Sigma Designs SMP8634 (IPN330HD, IPN430MC) which are deployed behind 2Wire RGs by AT&T’s U-Verse in parts of the U.S. I would appreciate contact from anyone willing to work on opening-up the IPTV devices as well — the intent is to use them as general purpose media players independent of a service provider. Regards, Michael
Hello Michael,
Thanks for leaving your comments. Very interesting. Hopefully someone will come forward over the IPTV devices.
As for a mailing list for Hacking the 2Wire, see the link in the sidebar.
Here’s the general plan for unlocking:
* Lift off the NAND flash IC with a hot-air gun
* Dump contents with a NAND reader. The Alauda IC is perfect for this.
* Rewrite the XML “initd” table to re-enable the secure shell daemon. See: http://pastebin.com/ss8sqMdu
* Rewrite the XML “user” table with new passwords. See: http://pastebin.com/gucCEM3H
* Update the ECC in the out-of-band areas for all modified pages. See: hackingbtbusinesshub.com/2wires-nand-flash-..ecc
* Re-program the modified NAND pages
* Re-install NAND IC on the 2Wire PCB
* Fingers crossed and boot!
Does that sound credible?!
cheers, a
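An added worked example for the “update the ECC in the out-of-band areas for all modified pages” step of the plan above. This is not asbokid’s code, and it is not the 2Wire’s actual ECC scheme, which this page does not spell out: it implements a generic 1-bit-correcting, 2-bit-detecting Hamming ECC over 256-byte blocks (the same family as the SmartMedia/Linux nand_ecc code, but with this example’s own bit ordering, so it is not byte-compatible with any real layout). The page geometry (512 data + 16 OOB bytes, ECC at OOB offset 0) and the sample dump are assumptions, constructed here for illustration. It covers only the ECC step; it does nothing about the FTL page-shuffling problem raised in the earlier comment, i.e. it will not tell you which physical page holds the XML table you want to rewrite.

```python
"""Recompute out-of-band Hamming ECC for modified pages of a raw NAND dump.

Added example, not the blog's own code.  ASSUMPTIONS:
 - 3-byte Hamming ECC per 256-byte block (own bit layout, not 2Wire's).
 - small-page NAND: 512 data bytes + 16 OOB bytes, ECC bytes at OOB offset 0.
"""
from typing import List, Tuple

PAGE_DATA = 512          # assumed geometry
PAGE_OOB = 16            # assumed geometry
PAGE_RAW = PAGE_DATA + PAGE_OOB
ECC_BLOCK = 256          # bytes covered by one 3-byte ECC
ECC_OOB_OFF = 0          # assumed offset of the ECC bytes inside the OOB area
ADDR_BITS = 11           # 256 bytes = 2048 bits -> 11-bit bit address


def calc_ecc(block: bytes) -> bytes:
    """3-byte ECC over a 256-byte block.

    For each bit-address bit k, P1[k] is the parity of all set data bits
    whose address has bit k = 1 and P0[k] of those with bit k = 0.  The 22
    parities are stored inverted, padded with two 1 bits, so an erased block
    (all 0xFF) and an all-zero block both carry FF FF FF.
    """
    assert len(block) == ECC_BLOCK
    p1 = [0] * ADDR_BITS
    p0 = [0] * ADDR_BITS
    for byte_idx, b in enumerate(block):
        for bit in range(8):
            if (b >> bit) & 1:
                addr = byte_idx * 8 + bit
                for k in range(ADDR_BITS):
                    if (addr >> k) & 1:
                        p1[k] ^= 1
                    else:
                        p0[k] ^= 1
    code = 0
    for k in range(ADDR_BITS):
        code |= (p1[k] ^ 1) << (2 * k + 1)
        code |= (p0[k] ^ 1) << (2 * k)
    code |= 0b11 << (2 * ADDR_BITS)
    return code.to_bytes(3, "big")


def correct_ecc(block: bytes, stored: bytes) -> Tuple[bytes, int]:
    """Check `block` against its stored ECC.

    Returns (block, status): 0 clean, 1 single data bit corrected,
    2 data intact but ECC bytes damaged, -1 uncorrectable.
    """
    calc = int.from_bytes(calc_ecc(block), "big")
    have = int.from_bytes(stored, "big")
    syn = (calc ^ have) & ((1 << (2 * ADDR_BITS)) - 1)
    if syn == 0:
        return block, 0
    # One flipped data bit disturbs exactly one parity of every (P1,P0) pair;
    # the P1 bits of the syndrome spell out the failing bit address.
    addr = 0
    for k in range(ADDR_BITS):
        pair = (syn >> (2 * k)) & 0b11
        if pair not in (0b01, 0b10):
            break
        if pair == 0b10:
            addr |= 1 << k
    else:
        fixed = bytearray(block)
        fixed[addr >> 3] ^= 1 << (addr & 7)
        return bytes(fixed), 1
    if syn & (syn - 1) == 0:        # exactly one syndrome bit: ECC byte hit
        return block, 2
    return block, -1


def refresh_page(dump: bytearray, page: int, new_data: bytes) -> bytearray:
    """Write `new_data` into page `page` of a raw (data+OOB) dump and
    recompute its ECC bytes, leaving the rest of the OOB (bad-block marker,
    FTL metadata) untouched."""
    assert len(new_data) == PAGE_DATA
    base = page * PAGE_RAW
    dump[base:base + PAGE_DATA] = new_data
    oob = base + PAGE_DATA + ECC_OOB_OFF
    for i in range(PAGE_DATA // ECC_BLOCK):
        blk = new_data[i * ECC_BLOCK:(i + 1) * ECC_BLOCK]
        dump[oob + 3 * i:oob + 3 * i + 3] = calc_ecc(blk)
    return dump


def verify_page(dump: bytes, page: int) -> List[int]:
    """Per-block correct_ecc status for one page of a raw dump."""
    base = page * PAGE_RAW
    data = dump[base:base + PAGE_DATA]
    oob = base + PAGE_DATA + ECC_OOB_OFF
    out = []
    for i in range(PAGE_DATA // ECC_BLOCK):
        blk = data[i * ECC_BLOCK:(i + 1) * ECC_BLOCK]
        out.append(correct_ecc(blk, dump[oob + 3 * i:oob + 3 * i + 3])[1])
    return out


if __name__ == "__main__":
    # Constructed two-page dump: page 0 erased, page 1 rewritten.
    dump = bytearray(b"\xff" * (2 * PAGE_RAW))
    refresh_page(dump, 1, bytes((i * 7) & 0xFF for i in range(PAGE_DATA)))
    print(verify_page(bytes(dump), 0), verify_page(bytes(dump), 1))
```

Before trusting any of this on a real chip, compare calc_ecc against the OOB bytes of a few untouched pages from your own dump; if they do not match, the part uses a different scheme or layout and the constants at the top are wrong for it.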
@Michael
I also have some SMP8634-based IPTV devices with similar intentions, and we are not the only ones.
http://sourceforge.net/projects/mramc/
http://www.t-hack.com/forum/index.php
http://www.t-hack.com/wiki/index.php/Main_Page
SMP8634 MRUAs and BSP/drivers for WinCE can be found on the net.
Do you have any embedded development experience?
Let’s get in contact.
@asbokid
Those are some wicked jtag/boundary scan tutorials. Thanks!
What chipset is in the USB Blaster clone? The one I purchased never worked correctly... based on a SiLabs C8051F321.
Could you share a compiled binary of urjtag that was used in the tutorial?
Does your clone work with OpenOCD also?
Hi smp8634,
Thanks for your kind words
The Usb Blaster here has a Cypress CY7C68013A USB peripheral controller [1] and a 74HC244 octal buffer and line driver. [2]
Altera USB Blaster clone (photo)
UrJTAG here was compiled from source (for AMD64) and it doesn’t seem to build statically, so not sure a compiled binary will be much use to you.
Is the JTAG pinout assuredly correct? OpenOCD was not tried, iirc. Though UrJTAG / Usb Blaster has worked perfectly every time on a range of boards, some with pretty quirky and undocumented JTAG TAPs like the 2Wires.
cheers, a
[1] http://www.cypress.com/?docID=34060
[2] http://www.nxp.com/documents/data_sheet/74HC_HCT244.pdf
Thanks for the quick response.
I have a mini FX2LP board. Is there an EEPROM on the other side of the PCB? Would need a copy of the firmware...
Is there any way to track down the email address that @Michael used to reply to this blog?
There is indeed. It’s an ATMEL32 24C64N. It deserves some better photos. Not sure who Michael is. Which thread are we looking at?
Photos are fine. Gonna whip something up here soon. Already found a copy of schematic and fx2lp firmware.
Nice to hear this hardware works with strange/undocumented taps…
My target is NEC Vr5532A https://rapidshare.com/files/2454913807/necvr5532.PDF
p627 shows BSR but only for Vr5500. The footnote implies Vr5532A BSR is different.
It gets worse on p639, but I have already built the circuit on p640.
Also from reading the datasheet on a *very* similar target (Vr5432), the IDCODE register is only 25 bits and the LSB is 0. So NEC did something proprietary there.
The blog posts should help me out. Thanks again. Fingers are crossed.
Btw…here is post from “Michael” http://hackingbtbusinesshub.wordpress.com/about/#comment-309
Hi again, smp8634,
The NEC device looks very interesting! With a bit of luck it might turn out to have a BSR of 125 bits, too? We had a little play with Boundary Scan Programming on one of the Trimedias. Somewhat optimistically hoping to program the onboard NAND flash via the TAP by twiddling the 14(?) lines of the PCI/XIO bus on the CPU!
You did a “…” about the EEPROM of the USB Blaster. Am I misreading or do you need a copy if its contents? You’re very welcome if it’s useful. There’s an EEPROM burner ready and waiting with a SOIC8/SOP8 adaptor on it. Is it worth the effort though, what with the USB Blaster clones selling for just £2.50 on Taobao now?
No secret source for a datasheet for that specific CPU?!
cheers, a
Found the schematic and firmware already. https://rapidshare.com/files/2130321491/Altera%20FX2%20Blaster.zip
I can use CyConsole EZ-USB to write firmware to the EEPROM.
Datasheet for a very similar cpu (vr5432) documents its jtag registers in more detail. https://rapidshare.com/files/4271673944/vr5432.zip
Thanks for passing the message along.
Michael (a.k.a. cybertheque) posted in this thread of comments on October 5th, this year.
Ahh.. Thanks viz Michael’s post. I just emailed him, so if the email address he left is valid, he hopefully will soon be alerted to the interest in his messages.
Been super busy but I do appreciate the follow-ups; as winter takes hold here I will have more time to lay out the 2Wire and IPTV stuff on the bench and be of some help in the effort. In answer to the question about embedded experience, for me it covers the range of vacuum-tube drum-memory CPUs in process control, embedded minis for test and diagnostic stations, and a variety of MCUs in everything imaginable. I have yet to do much serious work with FPGAs.
@asbokid
http://i49.tinypic.com/2u5gtav.png ... looks like BSR is 125 bits... yay!
Thanks again for all your help.
One question though. This CPU loads BYPASS register at tap reset, since it does not have a 1149.1 compliant IDCODE register (it is only 24 bits).
How can I setup this target so I do not have to manually define registers every time.
Hello smp8634,
The registers and instructions (and instruction length) are defined in a text file, in the same way that they are entered on the urjtag command line.
That text file containing all the definitions is then loaded with the ‘include’ primitive of urjtag.
See: http://urjtag.org/book/_jtag_commands.html
Cheers, a
Hi, I recently acquired an unlocked 2Wire 2700HG-B with 4.25.19 fw. The modem spontaneously rebooted a few times. I noticed the power supply was not correct and found a 5.1V 2A supply. The unit hasn’t spontaneously rebooted, but I have noticed that over time (a few days) it seems to degrade. I end up with lots of errors and “un-cancelled echo”, and a retrain will not fix the issue. In all cases, a reboot of the modem makes all well. Great SNR, no errors, and the un-cancelled echo is gone. I’m thinking either the modem, or perhaps the gear on the other end, is suspect, since the connection seems to always go from being horrid to perfect with the reboot.
Is this a symptom of an issue with 2Wires of that type, with that fw?