Programming RNG110 (one more time)
Moderator: justsomeguy
-
- Junior Member
- Posts: 9
- Joined: Tue Sep 18, 2012 10:26 pm
- Location: Netherlands
I know you guys have initiated threads about this model several times and it always ended up badly. I have a few details that might intrigue your curiosity to program this type of STB.
The RNG110 uses a Broadcom chip BCM7405 which has a MIPS processor and this box is JTAG-able based on the Pace manufacturer's data. Hence we should be able to access the 256 MB flash chip via the USBJTAG-NT tool.
Unfortunately, I currently don't have my hands on a sample of this model but for those of you who do I have attached a few docs that support what I am talking about here.
I believe that the reason none succeeded so far is that the JTAG connection is disabled by default and needs a small intervention. On the partial schematic diagram I have included, one can find a note that tells you "to pull low the pin EJTAG_CE0 for JTAG boundary scan". This pin is HIGH by default and it has to be grounded to enable the JTAG connection. Anyway, the JTAG pinout is complete and there is nothing missing.
You'll be able to see one more note on the same diagram which I am not sure what it means: "EJTAG Interface - Wire to topside pull up resistors if required for dev." Maybe someone can put here an explanation what it does mean. I believe it has something to do with the connecting pads but I don't know what exactly the note is about.
Someone will probably say, this is a lot of theory but once I get my hands on one of these I will try it myself, unless someone else is more anxious and would try it sooner. I hope that one person will post some results here before me. Good Luck.
-
- Junior Member
- Posts: 1417
- Joined: Wed Jan 28, 2009 4:01 pm
auroden wrote: I know you guys have initiated threads about this model several times and it always ended up badly. I have a few details that might intrigue your curiosity to program this type of STB. ...
who says no one has succeeded in this endeavor? lol.
live your life like a beer commercial
-
- Junior Member
- Posts: 246
- Joined: Thu Jun 28, 2007 8:49 pm
justsomeguy wrote: who says no one has succeeded in this endeavor? lol.
I'll step out on that limb, at least no one without NDA.
@auroden
You missed one important point in the datasheet...
• Authentication process: Use of challenge-response mechanisms to activate various busses or test ports (PCI, EBI, and JTAG)
-
- Junior Member
- Posts: 177
- Joined: Thu Jul 26, 2007 7:52 am
rng110
CE0 is high and CE1 is low so it's in normal op. (assuming this is the way the box is wired). What does "boundary scan" give you?
-
- Junior Member
- Posts: 9
- Joined: Tue Sep 18, 2012 10:26 pm
- Location: Netherlands
justsomeguy wrote: who says no one has succeeded in this endeavor? lol.
Maybe you did but I didn't see any post about it. In such a case you probably kept it to yourself.
You (Justsomeguy) wrote: "As was already stated this box is NOT jtaggable. a hard mod is required..."
Why didn't you reply to any of these posts from other posters like:
Capone wrote: "For starters NO this Box is NOT JTagable ....." - "You can't JTag that Box so No way to get an NVRAM For your Area ...."
Usbbdm wrote: "I opened RNG110 box today again and still cannot find the JTAG point. I do not even know what kind of CPU it uses. There is a 14 pin pads but does not look like either MIPS or ARM JTAG pinout."
Mr.Rogers wrote: "It cannot be done. PERIOD! with 2 small exceptions. This thread is to let users that are wondering about flashing their HD model box. I am here to put some things to rest. So keep reading if you are one of the many that want to flash your HD box. Since it cannot be done, let me say it one more time. IT. CANNOT. BE. DONE!"
Or maybe you are considering "hard mod" grounding a certain point to enable the chip at the EJTAG_CE0 pin?
-
- Junior Member
- Posts: 9
- Joined: Tue Sep 18, 2012 10:26 pm
- Location: Netherlands
@merkin
"If you want to school yourself in bcm97405 strap bits, just read this thread ..."
All I wanted here is to initiate things that were strongly discouraged by many on this forum. I don't intend to school myself about this box's main BGA chip. Since you are very good at it, I will let you continue the discussion about this topic. Good luck with that.
-
- Junior Member
- Posts: 64
- Joined: Thu May 13, 2010 9:28 am
To jtag a cable card enabled HOST is pointless. However there are other ways to do what you set out to do that do not involve modifying or even fully reading the firmware.
The answer believe it or not is casually mentioned in these forums.
I am curious to see how successful you are with reading this box though. You seem to be one of the small few on these boards that has the ambition and know how to get it done.
Also, there are people on these forums who will tell you something cannot be done when they know it can. So don't be fooled and go for it. One way or another everything can be jtag'd
-
- Junior Member
- Posts: 5011
- Joined: Sat Dec 27, 2008 3:25 pm
macgyver12 wrote: To jtag a cable card enabled HOST is pointless. However there are other ways to do what you set out to do that do not involve modifying or even fully reading the firmware. ...
I do not doubt that through the Host the card can in fact be accessed and programmed. It may not be easy but I do believe it's possible. I know for a fact that through the cable feed the CACO can in fact program the M-Card and marry it to any receiver, so there must be a way.
"If you give a man a fish you feed him for a day. If you teach a man to fish you feed him for a lifetime."
-
- Junior Member
- Posts: 9
- Joined: Tue Sep 18, 2012 10:26 pm
- Location: Netherlands
macgyver12 wrote: ... there are people on these forums who will tell you something cannot be done when they know it can ...
You got that right, it is called "hypocrisy".
Merriam-Webster example for hypocrisy: "the hypocrisy of people who say one thing but do another".
Anyway, thanks for the credit but I am afraid I will not discuss this anymore.
-
- Junior Member
- Posts: 64
- Joined: Thu May 13, 2010 9:28 am
haha
Hypocrisy or not, sometimes there are definitely legitimate reasons behind it.
Capone, if custom firmware were created for these boxes, ANYTHING is possible. Security bypass, key dumps, soo damn much. Unfortunately reading and writing firmware for so many years has not led to anything of the sort.
-
- Junior Member
- Posts: 5011
- Joined: Sat Dec 27, 2008 3:25 pm
macgyver12 wrote: haha
Hypocrisy or not, sometimes there are definitely legitimate reasons behind it. ...
Well, I would not be looking for the USBJTAG NT to do the Job, Not that I think it CAN'T, But don't see that happening. LOL Maybe reading and writing firmware for so long has kept most people from thinking outside the BOX.
-
- Junior Member
- Posts: 13
- Joined: Wed Oct 26, 2005 2:25 pm
-
- Junior Member
- Posts: 9
- Joined: Tue Sep 18, 2012 10:26 pm
- Location: Netherlands
I don't want to disappoint you but not many locations use this type of a box, simply because it doesn't work like Pace units (RNG110) on Motorola Headends.
As far as the hard modding, moderators don't allow discussion about it on this forum. That's why nobody replies to you, which is still better than being mocked for ignorance.
-
- Junior Member
- Posts: 138
- Joined: Tue Mar 23, 2010 5:28 pm
auroden wrote: I don't want to disappoint you but not many locations use this type of a box, simply because it doesn't work like Pace units (RNG110) on Motorola Headends.
As far as the hard modding, moderators don't allow discussion about it on this forum. That's why nobody replies to you, which is still better than being mocked for ignorance.
Very interesting.
-
- Junior Member
- Posts: 54
- Joined: Wed Jun 30, 2010 9:03 am
Rng 110
The procedure for jtagging these boxes to reset factory settings was to lower a fingered block onto the pads, insert a shorted plug into the IR blaster port (think just so it wouldn't see any remote signals that were flying around the shop), and run the PACE software on the computer. It would detect the box, connect to the box, check the flash, then program it. Then you would take the box to another computer and hook up its Ethernet port, scan its ID & MAC address and it would be programmed back to factory. We had to do this for boxes that wouldn't boot (crazy combos of LEDs on front panel).
The second step of connecting is where I believe the "Secret Handshake" takes place. Not sure.