Programming RNG110 (one more time)

[auroden]

I know you guys have initiated threads about this model several times and it always ended up badly. I have e few details that might intrigue your curiosity to program this type of STB.
The RNG110 uses a Broadcom chip BCM7405 which has a MIPS processor and this box is JTAG-able based on the Pace manufacturers data. Hence we should be able to access the 256 MB flash chip via USBJTAG-NT tool.
Unfortunately, I currently don't have my hands on a sample of this model but for those of you who do I have attached a few docs that support what I am talking about here.
I believe that the reason none succeeded so far is that the JTAG connection is disabled by default and needs small intervention. On the partial schematic diagram I have included, one can find a note that tells you "to pull low the pin EJTAG_CE0 for JTAG boundary scan". This pin is HIGH by default and it has to be grounded to enable the JTAG connection. Anyway, the JTAG pinout is complete and there is nothing missing.
You'll be able to see one more note on the same diagram which I am not sure what it means: "EJTAG Interface - Wire to topside pull up resistors if required for dev." Maybe someone can put here an explanation what it does mean. I believe it has something to do with the connecting pads but I don't know what exactly the note is about.
Someone will probably say, this is a lot of theory but once I get my hands on one of these I will try it myself, unless someone else is more anxious and would try it sooner. I hope that one person will post some results here before me. Good Luck.

[justsomeguy]

I know you guys have initiated threads about this model several times and it always ended up badly. I have e few details that might intrigue your curiosity to program this type of STB.
The RNG110 uses a Broadcom chip BCM7405 which has a MIPS processor and this box is JTAG-able based on the Pace manufacturers data. Hence we should be able to access the 256 MB flash chip via USBJTAG-NT tool.
Unfortunately, I currently don't have my hands on a sample of this model but for those of you who do I have attached a few docs that support what I am talking about here.
I believe that the reason none succeeded so far is that the JTAG connection is disabled by default and needs small intervention. On the partial schematic diagram I have included, one can find a note that tells you "to pull low the pin EJTAG_CE0 for JTAG boundary scan". This pin is HIGH by default and it has to be grounded to enable the JTAG connection. Anyway, the JTAG pinout is complete and there is nothing missing.
You'll be able to see one more note on the same diagram which I am not sure what it means: "EJTAG Interface - Wire to topside pull up resistors if required for dev." Maybe someone can put here an explanation what it does mean. I believe it has something to do with the connecting pads but I don't know what exactly the note is about.
Someone will probably say, this is a lot of theory but once I get my hands on one of these I will try it myself, unless someone else is more anxious and would try it sooner. I hope that one person will post some results here before me. Good Luck.

who says no one has sucedded in this endevour? lol.

[merkin]

who says no one has sucedded in this endevour? lol.

I'll step out on that limb, at least no one without NDA.

@auroden
You missed one important point in the datasheet...

Code: Select all

• Authentication process: Use of challenge-response mechanisms to activate various busses or test ports (PCI, EBI, and JTAG)

And if you want to school yourself in bcm97405 strap bits, just read this thread viewtopic.php?t=8283

[cherrymachine]

CE0 is high and CE1 is low so its in normal op. (assuming this is way box is wired). what does "boundry scan" give you ?

[auroden]

who says no one has succeeded in this endevour? lol.

Maybe you did but I didn't see any post about it. If such a case you probably kept it to yourself.

You (Justsomeguy) wrote: "As was already stated this box is NOT jtaggable. a hard mod is required..."

Why didn't you reply to any of these posts from other posters like:

Capone wrote: "For starters NO this Box is NOT JTagable ....." - "You can't JTag that Box so No way to get an NVRAM For your Area ....

Usbbdm wrote: "I opened RNG110 box today again and still cannot find the JTAG point. I do not even know what kind of CPU it uses. There is a 14 pin pads but does not look like either MIPS or ARM JTAG pinout."

Mr.Rogers wrote: "It cannot be done. PERIOD! with 2 small exceptions. This thread is to let users that are wondering about flashing their HD model box. I am here to put some things to rest. So keep reading if you are one of the many that want to flash your HD box. Since it cannot be done, let me say it one more time. IT. CANNOT. BE. DONE!"

Or maybe you are considering "hard mod" grounding a certain point to enable the chip at the EJTAG_CE0 pin?

[auroden]

@merkin

If you want to school yourself in bcm97405 strap bits, just read this thread ...

All I wanted here is to initiate things that were strongly discouraged by many on this forum. I don't intend to school myself about this box's main BGA chip. Since you are very good at it, I will let you continue the discussion about this topic. Good luck with that.

[macgyver12]

To jtag a cable card enabled HOST is pointless. However there are other ways to do what you set out to do that do not involve modifying or even fully reading the firmware.

The answer believe it or not is casually mentioned in these forums.

I am curious to see how successful you are with reading this box though. You seem to be one of the small few on these boards that has the ambition and know how to get it done.

Also, there are people on these forums who will tell you something cannot be done when they know it can. So don't be fooled and go for it. One way or another everything can be jtag'd

[CAPONE]

To jtag a cable card enabled HOST is pointless. However there are other ways to do what you set out to do that do not involve modifying or even fully reading the firmware.

The answer believe it or not is casually mentioned in these forums.

I am curious to see how successful you are with reading this box though. You seem to be one of the small few on these boards that has the ambition and know how to get it done.

Also, there are people on these forums who will tell you something cannot be done when they know it can. So don't be fooled and go for it. One way or another everything can be jtag'd

I do not doubt that thruough the Host the card can in fact be accessed and programmed. It may not be easy but I do believe its posible. I know for a fact that thruough the cable feed the CACO can in fact program the M-Card and marry it to any reciever, so there must ba a way.

[auroden]

... there are people on these forums who will tell you something cannot be done when they know it can ...

You got that right, it is called "hypocrisy".

Merriam-Webster example for hypocrisy: "the hypocrisy of people who say one thing but do another".

Anyway, thanks for the credit but I am afraid I will not discuss about this anymore.

[macgyver12]

haha

Hypocrisy or not, sometimes there are definately legitimate reasons behind it.

Capone, if custom firmware were created for these boxes, ANYTHING is possible. Security bypass, key dumps, soo damn much. Unfortunately reading and writing firmware for so many years has not led to anything of the sort.

[CAPONE]

haha

Hypocrisy or not, sometimes there are definately legitimate reasons behind it.

Capone, if custom firmware were created for these boxes, ANYTHING is possible. Security bypass, key dumps, soo damn much. Unfortunately reading and writing firmware for so many years has not led to anything of the sort.

Well, I would not be looking for the USBJTAG NT to do the Job, Not that I think it CAN'T, But don't see that happening. LOL Maybe reading and writing firmware for so long has keep most people from thinking out side the BOX.

[willowtree001]

What can we do with the Comcast RNG 100? The board is made by Scientific Atlanta/CISCO. Would like to do hardware mod, if anyknow know write me a message to my inbox. This would be great since they install these boxes in so many different locations as a basic box

[auroden]

I don't want to disappoint you but not many locations use this type of a box, simply because it doesn't work like Pace units (RNG110) on Motorola Headends.
As far as the hard modding, moderators don't allow discussion about it on this forum. That's why nobody replies to you, which is still better then be mocked up for ignorance.

[keja]

I don't want to disappoint you but not many locations use this type of a box, simply because it doesn't work like Pace units (RNG110) on Motorola Headends.
As far as the hard modding, moderators don't allow discussion about it on this forum. That's why nobody replies to you, which is still better then be mocked up for ignorance.

Very interesting.

[Skillet50]

The procedure for jtaggin these boxes to reset factory settings was to lower a fingered block onto the pads, insert a shorted plug into the IR blaster port (think just so it wouldn't see any remote signals that were flying around the shop) Run the PACE software on the computer. It would detect the box, connect to the box, check the flash, then program it. then you would take the box to another computer and hook up it's Ethernet port , scan it's ID & MAC address and it would be programmed back to factory. We had to do this for boxes that wouldn't boot (crazy combos of LEDS on front panel)
The second step of connecting is where I believe the "Secret Handshake" takes place. Not sure.