
PCB photo of 2Wire 2701HGV-E

Below is a nice clear photograph of the PCB in a 2Wire 2701HGV-E.

The photo is attributed to ‘seya’, a contributor to a discussion thread on right.com.cn, a Chinese-language web forum. [1]:

We can see that the 2701HGV-E is driven by a 2Wire Ares, a TriMedia five-issue-slot VLIW CPU. On the DSL side, the 2701HGV-E has a SiLabs SI3112-ZM1 ADSL2+ AFE and line driver. It also has a USB peripheral port which isn’t present on the BT-issue 2701HGV-C.

Pace plc (new owner of 2Wire Inc) has published an incomplete list of 2Wire models in the Home Gateway family. [2]

PCB of the 2Wire 2701HGV-E

[1] http://www.right.com.cn/forum/thread-40668-1-1.html
[2] http://www.pace.com/universal/gateways/2wire/gateway-platforms/models-and-specs/

2701HGV-C RSA-1024 private key

Another XML config table has been extracted from the firmware image of a 2Wire 2701HGV-C. This is the root RSA private key, broken down into its components.

    <?xml version="1.0" encoding="UTF-8"?>
    <CM VERS="1">
      <TABLE NAME="keys" B="6.3.9.41" B0="6" B1="3" B2="9" B3="41">
        <ROW ID="0">
          <P N="type" T="S">root_rsa</P>
          <P N="key_len" T="U">0x00000262</P>
          <P N="key_data" T="VB">
            02623082025e02010002818100ee6fe39369ab015ea885a9f91dc032f5a0b425
            aac3ce42b384108f1d6a84e29b5f7d8ef3c16899bc65a6a3c8cf55cc26e6b1f9
            569d431709e683f22cefa730429c405794d99c681619857909c4879ed8d57e39
            701ef41760a3b5837acbcf8a29118ecefdd6c378cff3e69ba284b96da238dfa1
            dc93ac0e0c8654680eda269a9d020301000102818018b3248b0fc634351f1601
            9e99d360340bbabdb02bea810461a8e97a6d9f686e19fd42c2c385576fa9c412
            7169f1045dff45ee8367751cbcdcd14c54155b67673be2452417af5231c3455f
            a48e50799f23a71f5285a22860520b62bb04d2b2edbfce29d3093813003fd0a7
            d2fafef0f51344b42298f309ab13454ac79c525cad024100f892f234d33420b5
            72a2f146f5378140426e42d8c9454c343ff49aa9118f187a405bd524b20b32f6
            ecc418df2ef6bfe83143cad9bfd8a4716285c28c9b968b83024100f58f6aca98
            3573f1ffb84cf06685664622617d2f431ad3ad6928299fc7fcf4bd3b5019bde0
            fdf2f408a58f5562958b3922940e8b2d352a8dcb244794e7f2c75f0241008435
            5bff7eaa060f9be650600642bc4b1a4a1ce1c2c349d1ac8683d01297c2541b70
            fc7fa4f6d1e7856c9331f97fa1f87463733bb78f197f79005dc67d6667d30241
            0082f80d1324ff4d69c2e3ff5530b8f185728ce081b69eb64b850c80b6d1a95e
            b716cd700d4fd4e221ba02e361bd04d98e8d9cbded091d9426b03417619a1c68
            ad024100b124ef836c3b3e881e89ae688bb29ab551e523036dd704c7de25d9aa
            f2a3f4c4cdf68440970787265064097f00a913c9280052a43df21c8e3246d726
            1faf87fc
          </P>
        </ROW>
      </TABLE>
    </CM>

The hexdump of the private key can be broken down into its components: [1]

RSA 1024-bit private key:

key length:
0262

header:
3082025e  (0x30 == ASN.1 SEQUENCE, 0x82 == length follows in 2 bytes, 0x025e == 606 bytes)

separator:
0201 (0x02 == integer and 0x01 == 1 byte long)

algorithm version:
00  (0x00 == algorithm version zero)

separator:
028181 (0x02 == integer, 0x81 == length follows in 1 byte, 0x81 == 129 bytes long)

modulus:  (129-byte modulus; it starts with a null (0x00) because the top bit of the first real byte is set and a DER integer must stay positive - remove this)
00  
ee6fe39369ab015ea885a9f91dc032f5
a0b425aac3ce42b384108f1d6a84e29b
5f7d8ef3c16899bc65a6a3c8cf55cc26
e6b1f9569d431709e683f22cefa73042
9c405794d99c681619857909c4879ed8
d57e39701ef41760a3b5837acbcf8a29
118ecefdd6c378cff3e69ba284b96da2
38dfa1dc93ac0e0c8654680eda269a9d

separator:
0203  (0x02 == integer and 0x03 == 3 bytes long)

public exponent:  (3 bytes)
010001  (integer value 65537, Fermat Number F4)

separator:
028180  (0x02 == integer, 0x81 == length follows in 1 byte, 0x80 == 128 bytes long)

private exponent: (128 bytes; no leading null needed, as the top bit of the first byte is clear)
18b3248b0fc634351f16019e99d36034
0bbabdb02bea810461a8e97a6d9f686e
19fd42c2c385576fa9c4127169f1045d
ff45ee8367751cbcdcd14c54155b6767
3be2452417af5231c3455fa48e50799f
23a71f5285a22860520b62bb04d2b2ed
bfce29d3093813003fd0a7d2fafef0f5
1344b42298f309ab13454ac79c525cad

separator:
0241 (0x02 == integer and 0x41 == 65 bytes long)

prime1:  (65 bytes - starts with a null - remove this)
00
f892f234d33420b572a2f146f5378140
426e42d8c9454c343ff49aa9118f187a
405bd524b20b32f6ecc418df2ef6bfe8
3143cad9bfd8a4716285c28c9b968b83

separator:
0241  (0x02 == integer and 0x41 == 65 bytes long) 

prime2: (65 bytes - starts with a null - remove this)
00
f58f6aca983573f1ffb84cf066856646
22617d2f431ad3ad6928299fc7fcf4bd
3b5019bde0fdf2f408a58f5562958b39
22940e8b2d352a8dcb244794e7f2c75f

separator:
0241  (0x02 == integer and 0x41 == 65 bytes long) 

exponent1: (65 bytes - starts with a null - remove this)
00
84355bff7eaa060f9be650600642bc4b
1a4a1ce1c2c349d1ac8683d01297c254
1b70fc7fa4f6d1e7856c9331f97fa1f8
7463733bb78f197f79005dc67d6667d3

separator:
0241  (0x02 == integer and 0x41 == 65 bytes long) 

exponent2: (65 bytes - starts with a null - remove this)
00
82f80d1324ff4d69c2e3ff5530b8f185
728ce081b69eb64b850c80b6d1a95eb7
16cd700d4fd4e221ba02e361bd04d98e
8d9cbded091d9426b03417619a1c68ad

separator:
0241  (0x02 == integer and 0x41 == 65 bytes long) 

coefficient: (65 bytes - starts with a null - remove this)
00
b124ef836c3b3e881e89ae688bb29ab5
51e523036dd704c7de25d9aaf2a3f4c4
cdf68440970787265064097f00a913c9
280052a43df21c8e3246d7261faf87fc

[1] http://etherhack.co.uk/asymmetric/docs/rsa_1024.html
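The breakdown above is the PKCS#1 RSAPrivateKey structure read off by hand. As an added example (not part of the original post, and not using the 2Wire key), the following Python encodes and decodes that structure, including the 2-byte length prefix seen in the `key_data` value and the leading-0x00 rule for integers whose top bit is set, and runs the arithmetic checks one would apply to any recovered key (n = p·q, e·d ≡ 1 mod lcm(p-1, q-1), CRT values consistent). The key is a constructed toy key with p = 61 and q = 131, small enough to verify by hand:

```python
"""Added example: minimal DER encoder/decoder for a PKCS#1 RSAPrivateKey,
plus consistency checks. Toy key (p = 61, q = 131), NOT the key from the post."""
from math import gcd

FIELDS = ("version", "modulus", "public_exponent", "private_exponent",
          "prime1", "prime2", "exponent1", "exponent2", "coefficient")


def modinv(a, m):
    """Modular inverse of a mod m by the extended Euclidean algorithm."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        q, r0, r1 = r0 // r1, r1, r0 - (r0 // r1) * r1
        s0, s1 = s1, s0 - q * s1
    return s0 % m


def der_length(n):
    """DER length octets: short form below 0x80, else 0x8N followed by N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """DER INTEGER (tag 0x02). A leading 0x00 is inserted when the top bit of
    the first content byte is set, so the value is not read as negative; that
    is the 'starts with a null - remove this' seen in the breakdown."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def encode_rsa_private_key(n, e, d, p, q):
    """Build the RSAPrivateKey SEQUENCE (tag 0x30), version 0, deriving the
    CRT fields exponent1 = d mod (p-1), exponent2 = d mod (q-1), coefficient = q^-1 mod p."""
    crt = (d % (p - 1), d % (q - 1), modinv(q, p))
    payload = b"".join(der_integer(v) for v in (0, n, e, d, p, q) + crt)
    return b"\x30" + der_length(len(payload)) + payload


def read_tlv(buf, pos):
    """Read one tag-length-value element; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8N, then N length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_rsa_private_key(der):
    """Parse a PKCS#1 RSAPrivateKey DER blob into a dict of Python ints."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single top-level SEQUENCE")
    key, pos = {}, 0
    for name in FIELDS:
        tag, value, pos = read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER for %s" % name)
        key[name] = int.from_bytes(value, "big")   # leading 0x00 is harmless here
    if pos != len(body):
        raise ValueError("unexpected trailing data inside SEQUENCE")
    return key


def parse_2wire_key_data(hex_text):
    """The key_data value carries a 2-byte big-endian length (0x0262 in the
    post) ahead of the DER; check it, then hand the rest to the DER parser."""
    blob = bytes.fromhex("".join(hex_text.split()))
    declared = int.from_bytes(blob[:2], "big")
    if declared != len(blob) - 2:
        raise ValueError("length prefix %d != %d" % (declared, len(blob) - 2))
    return decode_rsa_private_key(blob[2:])


def check_rsa_key(k):
    """Arithmetic sanity checks on a decoded key."""
    n, e, d, p, q = (k[f] for f in FIELDS[1:6])
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return (k["version"] == 0 and p * q == n and (e * d) % lam == 1
            and k["exponent1"] == d % (p - 1)
            and k["exponent2"] == d % (q - 1)
            and (k["coefficient"] * q) % p == 1)


# Constructed toy key: p = 61, q = 131, n = 7991, e = 17, d = 413.
TOY_DER = encode_rsa_private_key(7991, 17, 413, 61, 131)
TOY_KEY_DATA = (len(TOY_DER).to_bytes(2, "big") + TOY_DER).hex()

if __name__ == "__main__":
    key = parse_2wire_key_data(TOY_KEY_DATA)
    for name in FIELDS:
        print("%-16s %s" % (name, hex(key[name])))
    print("consistent:", check_rsa_key(key))
```

Because q = 131 = 0x83 has its top bit set, its DER encoding is `02 02 00 83`, which is exactly the leading-null case the breakdown above strips by hand; n = 7991 = 0x1f37 needs no such padding.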

DSL chipsets in 2Wire kit

Over the years, 2Wire has earned a reputation for building very reliable modems.

2Wire kit will often maintain a stable connection on a defective line when other modems have long since given up the ghost.

This enhanced performance has been attributed to the higher quality components found in 2Wire equipment. In particular, 2Wire’s choice in Analog Front End (AFE) and Line Driver chipsets.

While that may be partly true, it tells only half the story.

As documented below, the DSL chipsets found in 2Wire kit are varied, coming from a number of manufacturers. Hardware alone cannot explain the superior performance. Efficient DSP codecs must also play their part.

Below is some product documentation for the DSL chipsets used in the 2Wire range of Home Gateways:


The 2Wire 1800 uses a SiLabs DSL chipset. It is the SiLabs Si3101 in a 44-pin TQFP housing. The Si3101 is capable of ADSL2 but not ADSL2+. The IC was launched Q4 2002.

[1] SiLabs Si3101 – Integrated ADSL Analog Front End – product brief
[2] SiLabs Si3101 – Si3110 – ADSL2/ADSL2+ AFE / line driver / codec hybrid VCXO – product brief
[3] SiLabs Si3101 – Si3110 – Broadband & Voice Telephony Solutions – product brief


The 2Wire 2700 uses an STMicro AFE. It is the ADSL2+ capable STMicro ST20184 in a 100-pin TQFP housing. The IC was launched Q1 2005.

[4] STMicro ST20184 – ADSL2+ AFE for CPE – datasheet
[5] STMicro ST20190 – ST20184 Utopia ADSL2+ solution for CPE (in 2Wires, the TM3260 instead of ST2019x handles DSP work)


The 2Wire 2701 and the 2Wire 2071A (exclusive to the Ozzie market) both use an ADSL2+ chipset from SiLabs. It is the SiLabs Si3112. This is an updated version of the Si3110 in a 44-pin TQFP housing. The Si3110 was launched Q2 2004.

[6] SiLabs Si3101 – Si3110 – ADSL2/ADSL2+ AFE / line driver / codec hybrid VCXO – product brief
[7] SiLabs Si3101 – Si3110 – Broadband & Voice Telephony Solutions – product brief


The 2Wire 3600 uses an Ikanos (was Conexant) DSL chipset. It is the Accelity DA8-7781 AFE in a 288-pin TSSOP and a BA6-7779 Digital Signal Processor in a 160-pin PBGA package. The Accelity VDSL2 chipset for CPE was launched Q2 2005.

[8] Ikanos DA87781 – Accelity VDSL2 CPE chipset – product brief
[9] Conexant DA87781 – Accelity VDSL2 CPE Chipset – product brief


The 2Wire 3800 has two chipsets. One for cable, one for twisted pair. The AD9865 AFE chipset from ADI manages the coax signal. It is in a 64-lead LFCSP package. Launched 2004. The second modem chipset in the 3800 is the Ikanos (was Conexant) Accelity DA87781 VDSL2 AFE in a 288-pin TSSOP and a BA6-7779 DSP in a 160-pin PBGA. Launched Q2 2005.

[10] Ikanos DA87781 – Accelity VDSL2 CPE chipset – product brief
[11] Conexant DA87781 – Accelity VDSL2 CPE Chipset – product brief
[12] Analog Devices AD9865 – AFE datasheet


The 2Wire 3801 uses a PM4380 Analog Front End for VDSL2/ADSL2+ from PMC-Sierra. The PM4380 is in a 56-pin QFN package and was launched Q2 2006. The Gateway also has a CopperGate (now Sigma Designs) HomeHPNA chipset. It is the CG3210H comprising a CG3123 Analog Front End in a 64-pin VQFN package, and a CG3211 Coax/POTS to ethernet bridge controller in a 128-pin TQFP. The CG3210 chipset was launched Q1 2008.

[13] PMC-Sierra PM4380 VDSL2/ADSL2+ AFE Product Brief
[14] CopperGate CG3210H – online brief (local copy)
[15] CopperGate CG3210H – AFE / MAC/PHY product brief


Discovering 2Wire card edge pinout (for JTAG / I2C)

PCIe extender cable and Sullins GCE08DHRN dual row card edge connector

Ribbon cable split off and card edge connector soldered into place to form JTAG cable

JTAG cable fitted to a 2Wire PCB

Trial and Error..

BINGO! JTAG pinout established

Pinout for 2Wire dual row card edge connector (found on models 1800, 2071A, 2700, 3600, 3800, 3801)

The pinout of the card edge connector was found to be the same in all models of 2Wire router.

The only oddity is the 2071A, a 2Wire model sold exclusively in Australia. The 2071 connector is upside-down (like Australia herself!)

The following JTAG device IDCODEs were discovered for the Medusa, Perseus, Ares and the dual core Denali:

$ sudo jtag

UrJTAG 0.10 #2017
Copyright (C) 2002, 2003 ETC s.r.o.
Copyright (C) 2007, 2008, 2009 Kolja Waschk and the respective authors

UrJTAG is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
There is absolutely no warranty for UrJTAG.

warning: UrJTAG may damage your hardware!
Type "quit" to exit, "help" for help.

jtag> cable usbblaster
Connected to libftdi driver.

jtag> detect

IR length: 5
Chain length: 1
Device Id: 00010010011010011011010011000001 (0x1269B4C1)
  Manufacturer: 2Wire (0x4C1)
  Part(0):      TM3260 (0x269B)
  Stepping:     Medusa
  Filename:     /usr/local/share/urjtag/2wire/tm3260/tm3260

jtag> detect

IR length: 5
Chain length: 1
Device Id: 00100010011010011011010011000001 (0x2269B4C1)
  Manufacturer: 2Wire (0x4C1)
  Part(0):      TM3260 (0x269B)
  Stepping:     Perseus
  Filename:     /usr/local/share/urjtag/2wire/tm3260/tm3260

jtag> detect

IR length: 5
Chain length: 1
Device Id: 00110010011010011011010011000001 (0x3269B4C1)
  Manufacturer: 2Wire (0x4C1)
  Part(0):      TM3260 (0x269B)
  Stepping:     Ares
  Filename:     /usr/local/share/urjtag/2wire/tm3260/tm3260

jtag> detect

IR length: 5
Chain length: 1
Device Id: 00010010011010101100010011000001 (0x126AC4C1)
  Manufacturer: 2Wire (0x4C1)
  Part(0):      Denali (0x26AC)
  Stepping:     bcm6091
  Filename:     /usr/local/share/urjtag/2wire/denali/denali

jtag>

We can use these discoveries with the JTAG software we developed earlier for the TriMedia-based 2Wires. [1]

[1] http://hackingbtbusinesshub.wordpress.com/2011/12/19/open-source-trimedia-jtag-tools/
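The four IDCODEs above follow the IEEE 1149.1 layout: bits 31:28 are the version, bits 27:12 the part number, bits 11:1 the JEDEC manufacturer id and bit 0 is always 1. UrJTAG prints the whole low 12 bits (0x4C1) as the manufacturer and the 16-bit field (0x269B) as the part, which is why the three TM3260 steppings differ only in the top nibble. As an added example (not part of the original post), the following Python pulls the `Device Id` lines out of a trimmed copy of the UrJTAG output above, checks that the binary and hex renderings agree, and groups the devices by part number:

```python
"""Added example: decode IEEE 1149.1 IDCODE words from UrJTAG 'detect' output."""
import re

# Constructed sample: the four 'detect' results quoted in the post, trimmed
# to the two lines this parser needs.
SAMPLE_LOG = """\
Device Id: 00010010011010011011010011000001 (0x1269B4C1)
  Stepping:     Medusa
Device Id: 00100010011010011011010011000001 (0x2269B4C1)
  Stepping:     Perseus
Device Id: 00110010011010011011010011000001 (0x3269B4C1)
  Stepping:     Ares
Device Id: 00010010011010101100010011000001 (0x126AC4C1)
  Stepping:     bcm6091
"""

DEVICE_ID_RE = re.compile(r"Device Id:\s+([01]{32})\s+\(0x([0-9A-Fa-f]{8})\)")
STEPPING_RE = re.compile(r"Stepping:\s+(\S+)")


def decode_idcode(idcode):
    """Split a 32-bit IDCODE into its IEEE 1149.1 fields."""
    if idcode & 1 != 1:
        raise ValueError("bit 0 of a valid IDCODE must be 1 (got 0x%08x)" % idcode)
    return {
        "version": idcode >> 28,               # bits 31:28
        "part": (idcode >> 12) & 0xFFFF,       # bits 27:12
        "manufacturer": idcode & 0xFFF,        # bits 11:0, the value UrJTAG prints
        "jedec_id": (idcode >> 1) & 0x7FF,     # bits 11:1, without the fixed 1
    }


def parse_urjtag_log(text):
    """Pair each 'Device Id' with the stepping that follows it, checking that
    the binary and hex renderings agree (an easy place for a transcription slip)."""
    results, pending = [], None
    for line in text.splitlines():
        m = DEVICE_ID_RE.search(line)
        if m:
            binary, hexa = m.groups()
            idcode = int(hexa, 16)
            if int(binary, 2) != idcode:
                raise ValueError("binary/hex mismatch on line: %s" % line)
            pending = decode_idcode(idcode)
            pending["idcode"] = idcode
            continue
        m = STEPPING_RE.search(line)
        if m and pending is not None:
            pending["stepping"] = m.group(1)
            results.append(pending)
            pending = None
    return results


def group_by_part(entries):
    """Map part number -> sorted list of (version, stepping)."""
    out = {}
    for e in entries:
        out.setdefault(e["part"], []).append((e["version"], e["stepping"]))
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for part, steppings in group_by_part(parse_urjtag_log(SAMPLE_LOG)).items():
        print("part 0x%04x:" % part, ", ".join("v%d %s" % s for s in steppings))
```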

Probing the MMIO aperture

The development of a replacement bootloader for the 2Wire 2701HGV-C lets us experiment and discover what is inside the 2Wire Ares CPU.

Inside a TriMedia CPU, in addition to the TM32 core(s), are a number of “modules” contained in “chiplets”.

One module contains the DRAM controller, another holds the JTAG controller, there’s a boot module, a module for the PCI/XIO (flash) controller, and so on.

Each of those modules is accessed through the MMIO address space of the CPU. In the 2Wire Ares, the MMIO space is a 2 MByte aperture bounded by the address range [0x1be0,0000 to 0x1bff,ffff].

Each CPU module has its own slice of that MMIO address space. At a minimum, a module has a 4kByte sub-aperture where the control and status registers for the module are mapped.

A special register is found at offset 0xffc in the MMIO aperture of every module. This is the module’s ‘identifier register’. Peeking it will report the ID of the module.

Peeking every MMIO address ending in 0xffc should, in theory, identify every module in a 2Wire CPU by its 16-bit module ID.

From this peeking experiment the following modules are identified in the 2Wire Ares, the CPU that drives the 2701HGV-C:

(grep is used to filter out the many occurrences of the hexspeak word “DEADABBA”. This word indicates that an MMIO region is unused.  “00000000” likely means the same).

asbokid@u50si1:~/asboboot$ grep -viE 'DEADABBA|00000000' discoveredmodules.txt

1be08ffc = 00000029

1be40ffc = 01130100
1be41ffc = 01160000
1be42ffc = 010a1000
1be47ffc = 01082000

1be4dffc = 01280000
1be4effc = 010b0000
1be60ffc = 01230000
1be61ffc = 01270000
1be64ffc = 0124009b

1bf00ffc = 2b802001

The CPU module identifier is a 32-bit word:

Bits 31:16 hold the module ID number
Bits 15:12 hold the major revision number of the module
Bits 11:8 hold the minor revision number of the module
Bits 7:0 hold the aperture size (0 = 4kByte, 1 = 8kB, 2 = 12kB, etc.)

This information can be used to identify the following modules in the 2Wire Ares CPU:

NULL      Module ID 0x0000 (Rev.0.0) of 0x29 size with MMIO offset 0x00,8000
PCI/XIO   Module ID 0x0113 (Rev.0.1) of  4kB size with MMIO offset 0x04,0000
SPY M-ARC Module ID 0x0116 (Rev.0.0) of  4kB size with MMIO offset 0x04,1000
BOOT      Module ID 0x010a (Rev.1.0) of  4kB size with MMIO offset 0x04,2000
CLOCK     Module ID 0x0108 (Rev.2.0) of  4kB size with MMIO offset 0x04,7000
GLOBAL2   Module ID 0x0128 (Rev.0.0) of  4kB size with MMIO offset 0x04,d000
MPBC      Module ID 0x010b (Rev.0.0) of  4kB size with MMIO offset 0x04,e000
RESET     Module ID 0x0123 (Rev.0.0) of  4kB size with MMIO offset 0x06,0000
TM32 JTAG Module ID 0x0127 (Rev.0.0) of  4kB size with MMIO offset 0x06,1000
MPI NULL  Module ID 0x0124 (Rev.0.0) of 0x9b size with MMIO offset 0x06,4000
TM32 CORE Module ID 0x2b80 (Rev.2.0) of  8kB size with MMIO offset 0x10,0000

We can cross-reference those apertures and IDs with the public documentation for the closely-related Philips PNX15xx/PNX95xx and the PNX852x CPU series: [1] [2] [3]

UPDATE #1:

This probing provides strong evidence that the 2Wire Ares has its origins in a dual core architecture. The cores would be a MIPS32 and a TriMedia TM32.

The ‘fingerprints’ suggesting that a MIPS32 core was once present in the Ares include:

  • a module with the same ID as a MIPS Peripheral Interface Bus Controller (0x010b)
  • a module with the same ID as a MPI Null Module (0x0124)
  • a bootscript write command to the MMIO(RST_CTL) reset control register for the MIPS32
  • memory map layout with DRAM shadowed at 0x4000,0000 (for a MIPS32 with the TLB disabled)

However, we would also expect to find a MIPS-standard EJTAG module in the CPU, and some commands in the bootscripts which write to MMIO registers to configure the MIPS architecture. Yet those things have not been found.

It is possible that the TM32 core has been disabled from accessing an EJTAG module (if present) and disabled from accessing any other units attached to the MIPS PI bus.

Peripheral access can be disabled by setting the CPU Protection Registers in the GLOBAL2 module. In theory, TM32 access to all MPI devices (and TPI devices) can be re-enabled by writing to the GLOBAL2 registers MMIO(0x04d000) and MMIO(0x04d004).

UPDATE #2:

Those two commands have been added to the boot scripts to make all modules attached to the MPI bus and the TPI bus visible and accessible to the TM32 core:

# enable TM32 access to all modules attached to the MIPS PI bus
# MMIO(TM_OWNED_M_PI) = ffffffff
echo -n -e "\x00\xd0\xe4\x1b\xff\xff\xff\xff" >> asbo005_2701hgv-c_bootrom.bin

# enable TM32 access to all modules attached to the TM32 PI bus
# MMIO(TM_OWNED_T_PI) = ffffffff
echo -n -e "\x04\xd0\xe4\x1b\xff\xff\xff\xff" >> asbo005_2701hgv-c_bootrom.bin
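The two echo lines append raw 8-byte bootscript write commands: a little-endian 32-bit MMIO address (0x1be4d000 becomes `00 d0 e4 1b`) followed by a little-endian 32-bit value. As an added example (not the post's own tooling), the following Python ties that together with the module identifier decoding from the peeking experiment earlier in this post: it rebuilds the module table from the grep output, encodes and decodes write commands, and reports which module's aperture each written address lands in. The identifier-word layout and the module names are the post's; the write-command encoding is taken from the echo lines, and nothing here is claimed to come from a datasheet:

```python
"""Added example: decode TriMedia MMIO module identifier words and
encode/decode 8-byte bootscript 'write' commands."""
import struct

MMIO_BASE = 0x1BE00000

# Constructed from the 'discoveredmodules.txt' grep output in the post.
PEEK_DUMP = """\
1be08ffc = 00000029
1be40ffc = 01130100
1be41ffc = 01160000
1be42ffc = 010a1000
1be47ffc = 01082000
1be4dffc = 01280000
1be4effc = 010b0000
1be60ffc = 01230000
1be61ffc = 01270000
1be64ffc = 0124009b
1bf00ffc = 2b802001
"""

# Names are the post's own (partly guessed) identifications.
MODULE_NAMES = {0x0113: "PCI/XIO", 0x0116: "SPY M-ARC", 0x010A: "BOOT",
                0x0108: "CLOCK", 0x0128: "GLOBAL2", 0x010B: "MPBC",
                0x0123: "RESET", 0x0127: "TM32 JTAG", 0x0124: "MPI NULL",
                0x2B80: "TM32 CORE"}


def decode_module_id(word):
    """bits 31:16 module id, 15:12 major rev, 11:8 minor rev,
    7:0 aperture size field (0 = 4 kB, 1 = 8 kB, 2 = 12 kB, ...)."""
    size_field = word & 0xFF
    return {"id": word >> 16, "major": (word >> 12) & 0xF,
            "minor": (word >> 8) & 0xF, "size_field": size_field,
            "size_kb": (size_field + 1) * 4}


def build_module_table(dump_text):
    """Return {mmio_offset: info}, keyed by the 4 kB-aligned module offset."""
    table = {}
    for line in dump_text.splitlines():
        if not line.strip():
            continue
        addr_hex, _, val_hex = line.partition("=")
        addr, word = int(addr_hex, 16), int(val_hex, 16)
        if word in (0xDEADABBA, 0):          # the post's 'unused region' markers
            continue
        info = decode_module_id(word)
        info["name"] = MODULE_NAMES.get(info["id"], "NULL" if info["id"] == 0 else "UNKNOWN")
        table[(addr - MMIO_BASE) & ~0xFFF] = info
    return table


def module_for_address(table, addr):
    """Which module's aperture (base .. base + size) does an MMIO address fall in?"""
    offset = addr - MMIO_BASE
    for base, info in table.items():
        if base <= offset < base + info["size_kb"] * 1024:
            return info["name"]
    return None


def encode_write(addr, value):
    """One bootscript 'write' command: little-endian address, then value."""
    return struct.pack("<II", addr, value)


def decode_writes(blob):
    """Split a run of appended write commands back into (addr, value) pairs."""
    if len(blob) % 8:
        raise ValueError("write commands are 8 bytes each")
    return [struct.unpack_from("<II", blob, i) for i in range(0, len(blob), 8)]


if __name__ == "__main__":
    table = build_module_table(PEEK_DUMP)
    for base in sorted(table):
        i = table[base]
        print("%-9s Module ID 0x%04x (Rev.%d.%d) %4d kB at MMIO offset 0x%06x"
              % (i["name"], i["id"], i["major"], i["minor"], i["size_kb"], base))
    # The two commands appended in UPDATE #2 (TM_OWNED_M_PI / TM_OWNED_T_PI).
    script = encode_write(0x1BE4D000, 0xFFFFFFFF) + encode_write(0x1BE4D004, 0xFFFFFFFF)
    for addr, value in decode_writes(script):
        print("write %08x %08x  // %s" % (addr, value, module_for_address(table, addr)))
```

Note that the 4 kB-aligned offset of each `...ffc` peek address is the module base the post's table lists, and that the size field of the MPI NULL module (0x9b, i.e. 624 kB from 0x064000) reaches exactly to the TM32 CORE aperture at 0x100000.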

Disappointingly, adding those bootscript commands did not reveal the presence of any more CPU modules.

What we were expecting to find is an EJTAG TAP port on the 2×7 set of header pins on the 2Wire 2701 PCB and on the card edge connectors found in other models of 2Wire.

However, the MIPS-standard EJTAG signal pins, if present, would be physically separate from the TM32 JTAG pins. The two TAPs cannot be multiplexed together.

Since we know that the header pins and card edge connectors provide a TM32 JTAG TAP, then if an EJTAG module is present in the Ares, its external lines must be located elsewhere on the board. That said, there are no indications that an EJTAG module is in the 2Wire Ares.

[1] http://www.future-mag.com/0810/docs/PNX15XX_PNX952X_SER_N_4.pdf
[2] http://www.tridentmicro.com/wp-content/uploads/2010/01/UM101041.pdf
[3] https://docs.google.com/open?id=0B6wW18mYskvBNmRiN2E4MTUtM2JhMS00MDcwLTlmZjQtM2MzNjUxYzY5MmQ1

The 2700HGV and 2701HGV-C bootloaders are extracted

The boot ROMs from both the 2Wire 2700HGV and the 2701HGV-C have been extracted using Ian Lesnet’s BusPirate as an i2c master.

The 2701HGV-C has a convenient set of header pins for connecting the BusPirate probe leads to the i2c bus lines of the boot ROM.

However, the 2700HGV requires an elusive 1.0mm pitch dual row card edge connector which has yet to be sourced. (UPDATE: connector obtained. See [4])

So, for the 2700HGV, the BusPirate was connected to the board with some IC pin hooks. These were attached directly to the legs of the FM24C32a boot ROM, a serial CMOS EEPROM in a SOP-8 package from Fudan Microelectronics:

BusPirate IC probe hooks

probe hook on the leg of a (DIP-8) IC

A simple utility was designed in C to parse the bootscripts. The tool displays the script commands in human-readable form.

There are just four command types used in a Trimedia TM32 bootscript:

  • Write a 32-bit word to a memory address.
  • Write a sequence of n words starting at memory address a.
  • Idle for t clock ticks.
  • Terminate the bootscript.

The scheme for encoding these commands is described in Ch 6: Boot Module of the Data Book for the PNX15xx/952xx CPU Series. [1]

The bootscripts for the 2700HGV and the 2701HGV-C were found to be almost identical: the 2700 addresses one more MMIO register than the 2701 does.

To all intents, then, the L0 bootscripts (and the L1 bootloaders) for the 2700HGV and for the 2701HGV-C are the same.

The C tool to parse the boot ROM contents can be found at [2]. A pre-built 32-bit Windows executable is also in the tarball.

The tool produces output like that below.

The MMIO register addresses and values are just as they are found in the bootscripts.

The processor module identities (CLOCK, RESET, DDR, PCI-XIO, JTAG, I2C, etc) are based on educated guesswork.

The register addresses and the MMIO offsets of the Ares’ modules were compared to the documented modules in the PNX15xx, PNX85xx and the PNX95xx CPU families.

This means that while the module names will largely be correct, the functional names given to the Ares’ MMIO registers may in many cases be wrong.

Most of the bootscripts concern clocking, aperture sizes and addresses, DRAM settings and PCI bus configuration. And since these work fine for the board, there is little point in changing them.

Perhaps the most interesting part, at least for the sake of this hack, is the set of bootscript commands which load and execute the next stage (L1) bootloader code.

The L1 code will probably load the first block from the NAND flash device. This will likely contain the operating system bootloader (the L2 bootloader).

Back to the boot ROM though..

From the output of our boot ROM dump tool, we can see that the TM32 core (still held in reset) is configured to start executing code from DRAM address 0x4000,0000.

write 1bf00048 40000000 // TM3260 - TM32_DRAM_START

A little further on in the bootscript, we find the command that copies the stage 1 bootloader (0x273 words) from the boot ROM into DRAM, starting at address 0x4000,0000.

From the Ares’ system view memory map that we determined earlier, we know that 0x4000,0000 is the lowest address in the DRAM aperture. [3]

writelist 40000000 00000273 // copy L1 code (627 words) to DRAM (0x40000000)

As expected, the last bootscript command takes the TM32 core out of reset. The CPU immediately begins executing the instructions starting from the address pointed to by its Program Counter (0x4000,0000).

write 1bf00030 800000e3 // TM3260 - TM32_CTL

Below is the full output from the bootscript parsing tool. Source tarball at [2]

$ ./i2cdumpreader
Usage: ./i2cdumpreader   [MMIO_BASE (default 0x1be00000)]

$ ./i2cdumpreader 2700hgv_bootrom.bin

// Loaded 4096 bytes from boot ROM image file: '2700hgv_bootrom.bin'

write 1be4d500 01000003	// GLOBAL2-SCRATCH - SCRATCH0
write 1be47008 00201700	// CLOCK-PLL - PLL2_CTL
write 1be4700c 002c9500	// CLOCK-PLL - PLL3_CTL
write 1be47000 022c8b00	// CLOCK-PLL - PLL0_CTL
write 1be47004 022cc700	// CLOCK-PLL - PLL1_CTL
write 1be47008 00201701	// CLOCK-PLL - PLL2_CTL
write 1be4700c 002c9501	// CLOCK-PLL - PLL3_CTL
write 1be47000 022c8b01	// CLOCK-PLL - PLL0_CTL
write 1be47004 022cc701	// CLOCK-PLL - PLL1_CTL
delay 000015e0		    // idle for 5600 clock cycles
write 1be47008 00201700	// CLOCK-PLL - PLL2_CTL
write 1be4700c 002c9500	// CLOCK-PLL - PLL3_CTL
write 1be47000 022c8b00	// CLOCK-PLL - PLL0_CTL
write 1be47004 022cc700	// CLOCK-PLL - PLL1_CTL
delay 00000118		    // idle for 280 clock cycles
write 1be47008 00201701	// CLOCK-PLL - PLL2_CTL
write 1be4700c 002c9501	// CLOCK-PLL - PLL3_CTL
write 1be47000 022c8b01	// CLOCK-PLL - PLL0_CTL
write 1be47004 022cc701	// CLOCK-PLL - PLL1_CTL
delay 000445c0		    // idle for 280000 clock cycles
write 1be47000 002c8b01	// CLOCK-PLL - PLL0_CTL
write 1be47004 002cc701	// CLOCK-PLL - PLL1_CTL
write 1be47200 00000013	// CLOCK-CTL - CLK_MEM_CTL
write 1be47204 00000013	// CLOCK-CTL - CLK_FPI_CTL
write 1be47208 00000003	// CLOCK-CTL - CLK_???_CTL
write 1be47250 00000009	// CLOCK-CTL - CLK_PCI_CTL
write 1bf80088 ffffa70f	// UNKNOWN - UNKNOWN
write 1be4d408 06061010	// GLOBAL2-MMI - MM_SHORT_REFRESH?
write 1be4d400 0000001c	// GLOBAL2-MMI - MM_SDRAM_SIZE?
delay 00000118		    // idle for 280 clock cycles
write 1be4d400 0000001f	// GLOBAL2-MMI - MM_SDRAM_SIZE?
write 1be4d42c 28d26aa2	// GLOBAL2-MMI - MM_UNKNOWN
write 1be4d404 000005c0	// GLOBAL2-MMI - MM_REFRESH?
write 1be4d428 00000013	// GLOBAL2-MMI - UNKNOWN
write 1be4dc10 000000a1	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 000000a2	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 000000a3	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000014	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000006	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000005	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 0000013b	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000c81	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000014	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000029	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000005	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 0000003b	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000010	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 000000a1	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 000000a2	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 000000a3	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000501	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000014	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000007	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000008	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000000	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000006	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000400	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000005	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 0000053b	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000014	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000069	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000005	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 0000043b	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000c81	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000006	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000780	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000006	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000400	// GLOBAL2-MMIARB - UNKNOWN
write 1be4dc10 00000010	// GLOBAL2-MMIARB - UNKNOWN
delay 000015e0		    // idle for 5600 clock cycles
write 1be4d414 00000001	// GLOBAL2-MMI - MM_SELF_REFRESH
write 1be4d800 0000000f	// GLOBAL2-MMIARB - RAM0
write 1be4d804 00000305	// GLOBAL2-MMIARB - RAM1
write 1be4d808 00000204	// GLOBAL2-MMIARB - RAM2
write 1be4dc04 00000002	// GLOBAL2-MMIARB - MAXADDR
write 1be4dc08 0000008f	// GLOBAL2-MMIARB - DEFAULTAGENT0
write 1be4dc0c 00000082	// GLOBAL2-MMIARB - DEFAULTAGENT1
write 1be4dc00 00000140	// GLOBAL2-MMIARB - MODE
write 1be40010 01c20e83	// PCI-XIO - pci_setup
write 1be40014 fffff245	// PCI-XIO - pci_control
write 1be4006c 00001722	// PCI-XIO - subsystem_ids
write 1be40018 80000000	// PCI-XIO - pci_base1_lo
write 1be4001c c0000000	// PCI-XIO - pci_base1_hi
write 1be40050 40000000	// PCI-XIO - base10 (DRAM)
write 1be40054 1be00000	// PCI-XIO - base14 (MMIO)
write 1be40058 f0000000	// PCI-XIO - base18 (XIO)
write 1be60000 00000008	// RESET - RST_CTL
write 1bf00030 400000e3	// TM3260-CORE - TM32_CTL
delay 00000118		    // idle for 280 clock cycles
write 1be4d018 40000000	// GLOBAL2-CTL - TM_REGION_LO
write 1be4d01c 44000000	// GLOBAL2-CTL - TM_REGION_HI
write 1bf00034 40000000	// TM3260-CORE - TM32_DRAM_LO
write 1bf00038 44000000	// TM3260-CORE - TM32_DRAM_HI
write 1bf0003c 44000000	// TM3260-CORE - TM32_DRAM_CLIMIT
write 1bf00048 40000000	// TM3260-CORE - TM32_DRAM_START
write 1bf00040 00000000	// TM3260-CORE - TM32_DRAM_APERT1_LO
write 1bf00044 00000000	// TM3260-CORE - TM32_DRAM_APERT1_HI
writelist 40000000 00000273
			// copy L1 code (627 words) to DRAM (0x40000000)

0000000: c281c181 c182d1b5 c1810200 02100c00
0000010: 20000000 00202050 22220222 20a07484
0000020: 1c3c1838 10301832 14340505 05050605
0000030: 16151311 13181112 16120002 02030a06
[...]
0000990: c0c2c080 c19a7a0c f0a12020 04140100
00009a0: 00010001 00030203 00010000 00000101
00009b0: 00010100 00000001 01010000 00000000
00009c0: 426f6f74 436f6465 00000000
			            // end of writelist
write 1bf00030 800000e3	// TM3260-CORE - TM32_CTL
terminate		        // terminate bootscript

The next task is to examine the level 1 bootloader. The bootloader will contain a NAND flash driver that needs to be understood to progress this hack.

[1] http://www.nxp.com/documents/data_sheet/PNX15XX_PNX952X_SER_N.pdf
[2] https://docs.google.com/leaf?id=0B6wW18mYskvBMmIwMGJjOTQtZDMxNS00MzNiLThkYzgtMGE4N2ZiNTEwMGM3&hl=en_GB
[3] http://hackingbtbusinesshub.wordpress.com/2011/10/17/a-tentative-memory-map-for-the-2wire-ares/
[4] http://hackingbtbusinesshub.wordpress.com/2011/12/20/rejoice-the-card-edge-connector-has-arrived/