DSL chipsets in 2Wire kit

Over the years, 2Wire has earned a reputation for building very reliable modems.

2Wire kit will often maintain a stable connection on a defective line when other modems have long since given up the ghost.

This enhanced performance has been attributed to the higher quality components found in 2Wire equipment. In particular, 2Wire’s choice in Analog Front End (AFE) and Line Driver chipsets.

While that may be partly true, it tells only half the story.

As documented below, the DSL chipsets found in 2Wire kit are varied, coming from a number of manufacturers. Hardware alone cannot explain the superior performance. Efficient DSP codecs must also play their part.

Below is some product documentation for the DSL chipsets used in the 2Wire range of Home Gateways:

---

The 2Wire 1800 uses an SiLabs DSL chipset. It is the SiLabs Si3101 in a 44-pin TQFP housing. The Si3101 is capable of ADSL2 but not ADSL2+. The IC was launched Q4 2002.

[1] SiLabs Si3101 – Integrated ADSL Analog Front End – product brief
[2] SiLabs Si3101 – Si3110 – ADSL2/ADSL2+ AFE / line driver / codec hybrid VCXO – product brief
[3] SiLabs Si3101 – Si3110 – Broadband & Voice Telephony Solutions – product brief

---

The 2Wire 2700 uses an STMicro AFE. It is the ADSL2+ capable STMicro ST20184 in a 100-pin TQFP housing. The IC was launched Q1 2005

[4] STMicro ST20184 – ADSL2+ AFE for CPE – datasheet
[5] STMicro ST20190 – ST20184 Utopia ADSL2+ solution for CPE (in 2Wires, the TM3260 instead of ST2019x handles DSP work)

---

The 2Wire 2701 and the 2Wire 2071a (exclusive to the Ozzie market) both use an ADSL2+ chipset from SiLabs. It is the SiLab Si3112. This is an updated version of the Si3110 in a 44-pin TQFP housing. The Si3110 was launched Q2 2004.

[6] SiLabs Si3101 – Si3110 – ADSL2/ADSL2+ AFE / line driver / codec hybrid VCXO – product brief
[7] SiLabs Si3101 – Si3110 – Broadband & Voice Telephony Solutions – product brief

---

The 2Wire 3600 uses an Ikanos (was Conexant) DSL chipset. It is the Accelity DA8-7781 AFE in a 288-pin TSSOP and a BA6-7779 Digital Signal Processor in a 160-pin PBGA package. The Accelity VDSL2 chipset for CPE was launched Q2 2005.

[8] Ikanos DA87781- Accelity VDSL2 CPE chipset – product brief
[9] Conexant DA87781 – Accelity VDSL2 CPE Chipset – product brief

---

The 2Wire 3800 has two chipsets. One for cable, one for twisted pair. The AD9865 AFE chipset from ADI manages the coax signal. It is in a 64-lead LFCSP package. Launched 2004. The second modem chipset in the 3800 is the Ikanos (was Conexant) Accelity DA87781 VDSL2 AFE in a 288-pin TSSOP and a BA6-7779 DSP in a 160-pin PBGA. Launched Q2 2005.

[10] Ikanos DA87781- Accelity VDSL2 CPE chipset – product brief
[11] Conexant DA87781 – Accelity VDSL2 CPE Chipset – product brief
[12] Analog Devices AD9865 – AFE datasheet

---

The 2Wire 3801 uses a PM4380 Analog Front End for VDSL2/ADSL2+ from PMC-Sierra. The PM4380 is in a 56-pin QFN package and was launched Q2 2006. The Gateway also has a CopperGate (now Sigma Designs) HomeHPNA chipset. It is the CG3210H comprising a CG3123 Analog Front End in a 64-pin VQFN package, and a CG3211 Coax/POTS to ethernet bridge controller in a 128-pin TQFP. The CG3210 chipset was launched Q1 2008.

[13] PMC-Sierra PM4380 VDSL2/ADSL2+ AFE Product Brief
[14] CopperGate CG3210H – online brief (local copy)
[15] CopperGate CG3210H – AFE / MAC/PHY product brief

---

Discovering 2Wire card edge pinout (for JTAG / I2C)

PCIe extender cable and Sullins GCE08DHRN dual row card edge connector

Ribbon cable split off and card edge connecter soldered into place to form JTAG cable

JTAG cable fitted to a 2Wire PCB

Trial and Error..

BINGO! JTAG pinout established

Pinout for 2Wire dual row card edge connector (found on models 1800, 2071A, 2700, 3600, 3800, 3801)

The pinout of the card edge connector was found to be the same in all models of 2Wire router.

The only oddity is the 2071A, a 2Wire model sold exclusively in Australia.   The 2071 connector is upside-down (like Australia herself!)

The following JTAG device IDCODEs were discovered for the Medusa, Perseus, Ares and the dual core Denali:

$ sudo jtag

UrJTAG 0.10 #2017
Copyright (C) 2002, 2003 ETC s.r.o.
Copyright (C) 2007, 2008, 2009 Kolja Waschk and the respective authors

UrJTAG is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
There is absolutely no warranty for UrJTAG.

warning: UrJTAG may damage your hardware!
Type "quit" to exit, "help" for help.

jtag> cable usbblaster
Connected to libftdi driver.

jtag> detect

IR length: 5
Chain length: 1
Device Id: 00010010011010011011010011000001 (0x1269B4C1)
 Manufacturer: 2Wire (0x4C1)
  Part(0):      TM3260 (0x269B)
  Stepping:     Medusa
  Filename:     /usr/local/share/urjtag/2wire/tm3260/tm3260

jtag> detect

IR length: 5
Chain length: 1
Device Id: 00100010011010011011010011000001 (0x2269B4C1)
  Manufacturer: 2Wire (0x4C1)
  Part(0):      TM3260 (0x269B)
  Stepping:     Perseus
  Filename:     /usr/local/share/urjtag/2wire/tm3260/tm3260

jtag> detect

IR length: 5
Chain length: 1
Device Id: 00110010011010011011010011000001 (0x3269B4C1)
  Manufacturer: 2Wire (0x4C1)
  Part(0):      TM3260 (0x269B)
  Stepping:     Ares
  Filename:     /usr/local/share/urjtag/2wire/tm3260/tm3260

jtag> detect

IR length: 5
Chain length: 1
Device Id: 00010010011010101100010011000001 (0x126AC4C1)
  Manufacturer: 2Wire (0x4C1)
  Part(0):      Denali (0x26AC)
  Stepping:     bcm6091
  Filename:     /usr/local/share/urjtag/2wire/denali/denali

jtag>

We can use these discoveries with the JTAG software we developed earlier for the TriMedia-based 2Wires. [1]

[1] http://hackingbtbusinesshub.wordpress.com/2011/12/19/open-source-trimedia-jtag-tools/

The 2700HGV and 2701HGV-C bootloaders are extracted

The boot ROMs from both the 2Wire 2700HGV and the 2701HGV-C have been extracted using Ian Lesnet’s BusPirate as an i2c master.

The 2701HGV-C has a convenient set of header pins for connecting the BusPirate probe leads to the i2c bus lines of the boot ROM.

However, the 2700HGV requires an elusive 1.0mm pitch dual row card edge connector which has yet to be sourced. (UPDATE: connector obtained. See [4])

So, for the 2700HGV, the BusPirate was connected to the board with some IC pin hooks. These were attached directly to the legs of the FM24C32a boot ROM, a serial CMOS EEPROM in a SOP-8 package from Fudan Microelectronics:

BusPirate IC probe hooks

probe hook on the leg of a (DIP-8) IC

A simple utility was designed in C to parse the bootscripts. The tool displays the script commands in human-readable form.

There are just four command types used in a Trimedia TM32 bootscript:

• Write a 32-bit word to a memory address
• Write a sequence of n words starting at memory address a.
• Idle for t clock ticks.
• Terminate bootscript

The scheme for encoding these commands is described in Ch 6: Boot Module of the Data Book for the PNX15xx/952xx CPU Series. [1]

The bootscripts for the 2700HGV and the 2701HGV-C were found to be almost identical.

The 2700 bootscripts are almost identical to the 2701 bootscripts. The 2700 addresses one more MMIO register which the 2701 does not.

To all intents, however, the L0 bootscripts (and the L1 bootloaders) for the 2700HGV and for the 2701HGV-C are essentially the same.

The C tool to parse the boot ROM contents can be found at [2]. A pre-built 32-bit Windows executable is also in the tarball.

The tool produces output like that below.

The MMIO register addresses and values are just as they are found in the bootscripts.

The processor module identities (CLOCK, RESET, DDR, PCI-XIO, JTAG, I2C, etc) are based on educated guesswork.

The register addresses and the MMIO offsets of the Ares’ modules were compared to the documented modules in the PNX15xx, PNX85xx and the PNX95xx CPU families.

This means that while the module names will largely be correct, the functional names given to the Ares’ MMIO registers may in many cases be wrong.

Most of the bootscripts concern clocking, aperture sizes and addresses, DRAM settings and PCI bus configuration. And since these work fine for the board, there is little point in changing them.

Perhaps the most interesting part, at least for the sake of this hack, are the bootscript commands which load and execute the next stage (L1) bootloader code.

The L1 code will probably load the first block from the NAND flash device. This will likely contain the operating system bootloader (the L2 bootloader).

Back to the boot ROM though..

From the output of our boot ROM dump tool, we can see that the TM32 core (still held in reset) is configured to start executing code from DRAM address 0×4000,0000.

write 1bf00048 40000000 // TM3260 - TM32_DRAM_START

A little further on in the bootscript, we find the command that copies the stage 1 bootloader (0×273 words) from the boot ROM into DRAM, starting at address 0×4000,0000.

From the Ares’ system view memory map that we determined earlier, we know that 0×4000,0000 is the lowest address in the DRAM aperture. [3]

writelist 40000000 00000273 // copy L1 code (627 words) to DRAM (0x40000000)

As expected, the last bootscript command takes the TM32 core out of reset. The CPU immediately begins executing the instructions starting from the address pointed to by its Program Counter, (0×4000,0000).

write 1bf00030 800000e3 // TM3260 - TM32_CTL

Below is the full output from the bootscript parsing tool. Source tarball at [2]

$ ./i2cdumpreader
Usage: ./i2cdumpreader   [MMIO_BASE (default 0x1be00000)]

$ ./i2cdumpreader 2700hgv_bootrom.bin

// Loaded 4096 bytes from boot ROM image file: '2700hgv_bootrom.bin'

write 1be4d500 01000003	// GLOBAL2-SCRATCH - SCRATCH0
write 1be47008 00201700	// CLOCK-PLL - PLL2_CTL
write 1be4700c 002c9500	// CLOCK-PLL - PLL3_CTL
write 1be47000 022c8b00	// CLOCK-PLL - PLL0_CTL
write 1be47004 022cc700	// CLOCK-PLL - PLL1_CTL
write 1be47008 00201701	// CLOCK-PLL - PLL2_CTL
write 1be4700c 002c9501	// CLOCK-PLL - PLL3_CTL
write 1be47000 022c8b01	// CLOCK-PLL - PLL0_CTL
write 1be47004 022cc701	// CLOCK-PLL - PLL1_CTL
delay 000015e0		    // idle for 5600 clock cycles
write 1be47008 00201700	// CLOCK-PLL - PLL2_CTL
write 1be4700c 002c9500	// CLOCK-PLL - PLL3_CTL
write 1be47000 022c8b00	// CLOCK-PLL - PLL0_CTL
write 1be47004 022cc700	// CLOCK-PLL - PLL1_CTL
delay 00000118		    // idle for 280 clock cycles
write 1be47008 00201701	// CLOCK-PLL - PLL2_CTL
write 1be4700c 002c9501	// CLOCK-PLL - PLL3_CTL
write 1be47000 022c8b01	// CLOCK-PLL - PLL0_CTL
write 1be47004 022cc701	// CLOCK-PLL - PLL1_CTL
delay 000445c0		    // idle for 280000 clock cycles
write 1be47000 002c8b01	// CLOCK-PLL - PLL0_CTL
write 1be47004 002cc701	// CLOCK-PLL - PLL1_CTL
write 1be47200 00000013	// CLOCK-CTL - CLK_MEM_CTL
write 1be47204 00000013	// CLOCK-CTL - CLK_FPI_CTL
write 1be47208 00000003	// CLOCK-CTL - CLK_???_CTL
write 1be47250 00000009	// CLOCK-CTL - CLK_PCI_CTL
write 1bf80088 ffffa70f	// UNKNOWN - UNKNOWN
write 1be4d408 06061010	// GLOBAL2-MMI - MM_SHORT_REFRESH?
write 1be4d400 0000001c	// GLOBAL2-MMI - MM_SDRAM_SIZE?
delay 00000118		    // idle for 280 clock cycles
write 1be4d400 0000001f	// GLOBAL2-MMI - MM_SDRAM_SIZE?
write 1be4d42c 28d26aa2	// GLOBAL2-MMI - MM_UNKNOWN
write 1be4d404 000005c0	// GLOBAL2-MMI - MM_REFRESH?
write 1be4d428 00000013	// GLOBAL2-MMI - UNKNOWN
write 1be4dc10 000000a1	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 000000a2	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 000000a3	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000014	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000006	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000005	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 0000013b	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000c81	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000014	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000029	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000005	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 0000003b	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000010	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 000000a1	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 000000a2	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 000000a3	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000501	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000014	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000007	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000008	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000006	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000400	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000005	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 0000053b	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000014	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000069	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000005	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 0000043b	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000c81	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000006	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000780	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000006	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000400	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000010	// GLOBAL2-MMIARB - UNKNOWN
delay 000015e0		    // idle for 5600 clock cycles
write 1be4d414 00000001	// GLOBAL2-MMI - MM_SELF_REFRESH
write 1be4d800 0000000f	// GLOBAL2-MMIARB - RAM0
write 1be4d804 00000305	// GLOBAL2-MMIARB - RAM1
write 1be4d808 00000204	// GLOBAL2-MMIARB - RAM2
write 1be4dc04 00000002	// GLOBAL2-MMIARB - MAXADDR
write 1be4dc08 0000008f	// GLOBAL2-MMIARB - DEFAULTAGENT0
write 1be4dc0c 00000082	// GLOBAL2-MMIARB - DEFAULTAGENT1
write 1be4dc00 00000140	// GLOBAL2-MMIARB - MODE
write 1be40010 01c20e83	// PCI-XIO - pci_setup
write 1be40014 fffff245	// PCI-XIO - pci_control
write 1be4006c 00001722	// PCI-XIO - subsystem_ids
write 1be40018 80000000	// PCI-XIO - pci_base1_lo
write 1be4001c c0000000	// PCI-XIO - pci_base1_hi
write 1be40050 40000000	// PCI-XIO - base10 (DRAM)
write 1be40054 1be00000	// PCI-XIO - base14 (MMIO)
write 1be40058 f0000000	// PCI-XIO - base18 (XIO)
write 1be60000 00000008	// RESET - RST_CTL
write 1bf00030 400000e3	// TM3260-CORE - TM32_CTL
delay 00000118		    // idle for 280 clock cycles
write 1be4d018 40000000	// GLOBAL2-CTL - TM_REGION_LO
write 1be4d01c 44000000	// GLOBAL2-CTL - TM_REGION_HI
write 1bf00034 40000000	// TM3260-CORE - TM32_DRAM_LO
write 1bf00038 44000000	// TM3260-CORE - TM32_DRAM_HI
write 1bf0003c 44000000	// TM3260-CORE - TM32_DRAM_CLIMIT
write 1bf00048 40000000	// TM3260-CORE - TM32_DRAM_START
write 1bf00040 00000000	// TM3260-CORE - TM32_DRAM_APERT1_LO
write 1bf00044 00000000	// TM3260-CORE - TM32_DRAM_APERT1_HI
writelist 40000000 00000273
			// copy L1 code (627 words) to DRAM (0x40000000)

0000000: c281c181 c182d1b5 c1810200 02100c00
0000010: 20000000 00202050 22220222 20a07484
0000020: 1c3c1838 10301832 14340505 05050605
0000030: 16151311 13181112 16120002 02030a06
[...]
0000990: c0c2c080 c19a7a0c f0a12020 04140100
00009a0: 00010001 00030203 00010000 00000101
00009b0: 00010100 00000001 01010000 00000000
00009c0: 426f6f74 436f6465 00000000
			            // end of writelist
write 1bf00030 800000e3	// TM3260-CORE - TM32_CTL
terminate		        // terminate bootscript

The next task is to examine the level 1 bootloader. The bootloader will contain a NAND flash driver that needs to be understood to progress this hack.

[1] http://www.nxp.com/documents/data_sheet/PNX15XX_PNX952X_SER_N.pdf
[2] https://docs.google.com/leaf?id=0B6wW18mYskvBMmIwMGJjOTQtZDMxNS00MzNiLThkYzgtMGE4N2ZiNTEwMGM3&hl=en_GB
[3] http://hackingbtbusinesshub.wordpress.com/2011/10/17/a-tentative-memory-map-for-the-2wire-ares/
[4] http://hackingbtbusinesshub.wordpress.com/2011/12/20/rejoice-the-card-edge-connector-has-arrived/

Eyeballing the 2Wire 2700HGV (BT BusinessHub t.2/v.2)

Click to enlarge photos..

2700HGV external front

2700HGV external rear

2700HGV pcb top

2700HGV pcb bottom

Discovering JTAG pinout for the 2Wire 2700HG (update)

UPDATE:

We now have the pinout for the card edge connector used in 2Wire routers.  The pinout is the same for all routers. See [2]

The information below is retained for interest only.

---

The following is lifted from the openwrt.org forum. It was posted back in 2009 by tjm08 (Troy J. Mueller).

tjm08 writes:

I have a 2Wire 2700HG-D which has an Atheros-based [802.11] chipset, 128Mbit flash, 64 MByte RAM, and a TriMedia VLIW processor.

There are two headers for an edge connector, J-1 (14 pins) and J-2 (2 pins). I am trying to figure how to access the flash for JTAG.

The stock firmware does not support tftp, and the firmware is corrupted due to some experimentation.

I believe that I can fabricate a parallel interface cable, using all 8 of the data pins, and three of the ground pins.

2 of the 14 pins at J-1 are not connected, three are ground, and the remaining nine (2 @ 0.0v 7 @ 3.3v) are unidentified.

One pin (#10) bridges to pin 1 of J-2, and J-2 is documented as starting a diagnostic “Functional Test Mode”.

Pins 6 and 8 appear to cause a reset (post light blink pattern) when connected to ground.

J-1 Header
Note: Even pins are on the top of the board, odd pins underneath

01 – 3.3v
02 – GND (connects to 04 via trace; continuity to GND)
03 – 0.0v
04 – GND (connects to 02 via trace; continuity to GND
Key
05 – 3.3v
06 – 3.3v (nSRST?; causes sys reset LED pattern when pulled to GND)
07 – 3.3v
08 – 3.3v (nSRST?; causes sys reset LED pattern when pulled to GND)
09 – 3.3v
10 – 3.3V (FTM) (Functional Test Mode;connects to pin 1 of J-1 hdr as documented)
11 – N.C.
12 – 0.0v
13 – N.C.
14 – GND (continuity to GND)

J-2 Header
01 – 3.3V (FTM)
02 – GND (Documented for “Functional Test Mode”)

To find:
nSRST (optional JTAG, consistent with observed behavior)
nTRST (optional JTAG, possible; used for logic reset of JTAG chain)
TCK (essential JTAG; Test clock signal)
RTCK (optional JTAG, possible; used for adaptive clocking and higher data transfer)
TDI (essential JTAG; Test Data Input)
TDO (essential JTAG; Test Data Output)

I believe that nTRST may be either pin #3 or pin #12, based on the procedure used by Smiggy and Revs Per Minute.

tjm then quotes from Revs-Per-Min, who documents his test method as follows on

http://forums.whirlpool.net.au/forum-replies.cfm?t=808533&p=9&#r176

The method I used [for determining JTAG pinout on the 2701] was fairly simple but laborious.

1. Measure the resistance of all pins to GND and 3.3V power supply. You need to measure under the electrolytic capacitors to determine which is the main 3.3v supply. Mark them carefully on a pinout graphic all your measurements. This is important to do a clean accurate test. Turn it on and measure all voltages. Mark them on your graphic.

2. The pins that have already been defined as putting the box into special boot mode. Mark those.

3. One pin will have high resistance to GND and 3.3v. It is TDO, ie output which cannot be pulled up or down but floating. Mine showed 3Mohm.

4. One pin will be at either full supply potential 3.3v or 0v will be nTRST. (Assuming they have nTRST turned off. It was in mine.) It will more than likely have a different resistance than other pins. Mine was 5K to 3.3v 1.5K GND. It will, hence have much lower voltage to ground and be at or near 0v.

5. Hopefully you now have a bunch of pins next to each other, which are unknown. In my case 4,5 then 12,13,14 All measure 3.3v. All have 1k to 3.3v and 2k to GND. I traced pins 4, 5 to I2C serial eprom. So it won’t be those. That leaves the 3 pins bunched together. 12,13,14 which makes sense. The rest is trial and error.

Make up a grid and work through the combinations. TDI, TMS, TCK. Start the JTAG software each time. I just used the hairy dairy maid one. When I hit the right combo all the LEDs turned on indicating I had put the processor in a diagnostic mode. Only one or perhaps two combinations will do that. So you now have the 4 JTAG pins plus NTRST defined. Or perhaps two possibles.

There is a procedure documented on JTAG Finder, which is essentially a logic procedure where all potential JTAG Pins are hooked up simultaneously. A data signal is sent to one pin at a time, and all of the other pins are observed for changes in logic state. More information can be found at: http://www.elinux.org/JTAG_Finder

Given the tentative JTAG pinout that I have now, I think that I can build an unbuffered parallel interface with 8 connects on parallel pins 2-9 (data pins), and reserve pin 13 for TDO when found.

Then I should be able to implement the finder method to narrow things down.

After that, figure how to work with the TriMedia VLIW CPU and the NAND flash. The cable would be identical to the unbuffered cable described in the wiki, with the exception of using all eight of the data bus signals.

Any thoughts on this method?

Last edited by tjm08 (2009-12-09 15:43:47)

Taken from: the openwrt forum thread entitled “Finding JTAG Pinouts, New Hardware (2Wire 2700HG-D)“   [1]

[1] https://forum.openwrt.org/viewtopic.php?id=22816

[2] http://hackingbtbusinesshub.wordpress.com/2012/01/16/discovering-2wire-card-edge-pinout-for-jtag-i2c/

PCB photos of the 2Wire 2701HG-B and 2700

The following photos of the 2Wire 2701HG-B and the 2700 were taken by “Smiggy“, a contributor to the Australian Whirlpool forum for broadband discussion.

Here, Smiggy highlights the card edge connector for the JTAG TAP (and the i2c bus) on the 2Wire 2700.

Photo courtesy of "smiggy"

Here, Smiggy is illustrating the pinout of the boot ROM (where fitted) on the 2701.

Photo courtesy of "smiggy"

The Ares CPU on the 2Wire 2701HG-B board. The Ares is a Trimedia TM32 core:

Photo courtesy of "smiggy"

Photos found at [1].

[1] http://a.nfshost.com/2701hgb.jpg