
SB5100 Cable modem

Motorola SB5100 surfboard


The board's CPU is a BCM3348. The tool used to debug the CPU is EJTAG (DMA).
[Picture showing the JTAG connection]

Flash      One 2MB   28F160C3
Firmware   2MB       $9FC00000-$9FDFFFFF
RAM        16MB      $80000000-$81000000

Backup video http://usbjtag.com/pafiledb/index.php?act=view&id=33


Sigma programming http://usbjtag.com/pafiledb/index.php?act=view&id=35
Change mac http://usbjtag.com/pafiledb/index.php?act=view&id=45
Rescue SB5100 method 1 http://usbjtag.com/pafiledb/index.php?act=view&id=58
Rescue SB5100 method 2 http://usbjtag.com/pafiledb/index.php?act=view&id=59
Commands (usbjtag 0.09, SB5100 Test 0.03):

Backup firmware
getram 9fc00000 200000
save 9fc00000 200000

Program whole firmware. (Should not be interrupted)
detect
ldram 9fc00000
program 9fc00000 200000
cmpram 9fc00000 200000

cmpram is optional. It can be used after program only when DMA is
supported. After that you should see DEBUG ON. You should see "Compair
data OK"

Definition in usbjtag.def

Name=SB5100
DLL=SB5100.dll
Memory=Ram,0,0x80000000,0x800000
// Boot loader
Memory=Boot,1,0x9fc00000,0x8000
// configuration
Memory=cfg,1,0x9fc08000,0x8000
// first copy of firmware
Memory=Image0,1,0x9fc10000,0xf0000
// second copy of firmware
Memory=Image1,1,0x9fd00000,0xf0000
// log data
Memory=log,1,0x9fdf0000,0x10000
Programram=0x80400000
// watch dog
Init=0xfffe0224,0
// initialize chip set
Init=0xfffe2300,0x1a
Init=0xfffe2304,0
Init=0xfffe2308,0x8040
Init=0xfffe230C,3
Init=0xfffe2310,0x4824
Endian=Big
-IRLength=5
Protocol=EJTAG
DMA=Yes
ProbTrap=1
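
The flash entries in the definition above tile the 2MB firmware window exactly. The following is an added example, not part of the original page or of the usbjtag tool: it parses the Memory= lines, checks the layout for gaps and overlaps, and hashes a full dump region by region so two backups can be compared offline. It assumes that a second field of 1 marks a flash region and 0 marks RAM; the function names are hypothetical.

```python
import hashlib

# Memory= lines copied from the usbjtag.def definition above.
DEF_TEXT = """\
Memory=Ram,0,0x80000000,0x800000
// Boot loader
Memory=Boot,1,0x9fc00000,0x8000
Memory=cfg,1,0x9fc08000,0x8000
Memory=Image0,1,0x9fc10000,0xf0000
Memory=Image1,1,0x9fd00000,0xf0000
Memory=log,1,0x9fdf0000,0x10000
"""
FLASH_BASE, FLASH_SIZE = 0x9FC00000, 0x200000  # firmware window from the page

def parse_regions(text):
    """Return [(name, start, length)] sorted by address for flash entries.
    Assumption: second field 1 = flash, 0 = RAM."""
    regions = []
    for line in text.splitlines():
        if not line.strip().startswith("Memory="):
            continue  # skip comments and other keys
        name, kind, start, length = line.strip()[len("Memory="):].split(",")
        if int(kind) == 1:
            regions.append((name, int(start, 16), int(length, 16)))
    return sorted(regions, key=lambda r: r[1])

def check_layout(regions, base=FLASH_BASE, size=FLASH_SIZE):
    """Report gaps, overlaps, or a layout that does not fill the window."""
    problems, cursor = [], base
    for name, start, length in regions:
        if start > cursor:
            problems.append(f"gap {cursor:#x}-{start:#x} before {name}")
        elif start < cursor:
            problems.append(f"{name} overlaps previous region at {start:#x}")
        cursor = max(cursor, start + length)
    if cursor != base + size:
        problems.append(f"layout ends at {cursor:#x}, expected {base + size:#x}")
    return problems

def region_digests(dump, regions, base=FLASH_BASE):
    """SHA-256 per region of a full dump, for comparing two dumps offline."""
    if len(dump) != FLASH_SIZE:
        raise ValueError(f"dump is {len(dump):#x} bytes, expected {FLASH_SIZE:#x}")
    return {n: hashlib.sha256(dump[s - base:s - base + l]).hexdigest()
            for n, s, l in regions}
```

Comparing the digests of a saved backup with those of a later read-back shows which region differs, which is useful when only the cfg or log block is expected to change.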

Program Sigma
detect
ldram boot (Select the sigma boot)
ldram image0 (Select the sigma application)
program boot
program image0

Rescue SB5100. When the box does not fire up, normal programming will not
work. The boot needs to be programmed first
(if method 1 does not work, use method 2).

Method 1.
detect
ldram 9fc00000 (Select the backed up file)
poke fffe230c 3
poke fffe2304 0
poke fffe2300 a
poke fffe2300 9
poke fffe2300 9
poke fffe2300 9
poke fffe2300 9
poke fffe2300 9
poke fffe2300 9
poke fffe2300 9
poke fffe2300 9
poke fffe2300 1c
program 9fc00000 200000
cmpram 9fc00000 200000
If cmpram failed, power off and on the box again and do
detect
program 9fc00000 200000
cmpram 9fc00000 200000
Method 2.
detect
ldram boot (Select proper boot file)
erase boot
sprogram boot (Slow programming)
Power off and on SB5100
detect
ldram 9fc00000 (Select the backed up file)
program 9fc00000 200000
cmpram 9fc00000 200000

Last Updated: December 09 2011



Sorry, I made a mistake, it is:
detect
ldram 9fc00000
erase 9fc00000 200000
sprogram 9fc00000 200000
reset

ldram loads whatever you want
program programs it

Hello, I am leaving here a map of the flash in case it is of some use.
To load the cfg:
-blackcat - flash - write - 9fc08000 length 32768
-USBJtag - ldram cfg - program cfg
- - - - - - - - FLASH map - - - - - - - by Dgadrian
|_ _ _ _ _ _9FC0000
| boot
|_ _ _ _ _ _9fc0800
| cfg
|_ _ _ _ _ _9fc1000
|
|
|
| image 0
|
|
|
|_ _ _ _ _ _9fd0000
|
|
|
| image 1
|
|
|_ _ _ _ _ _9fdf000
|
| Log
|
|_ _ _ _ _ _9fdffff
|
Regards to all

New version available: SB5100 MoD v 1.0.4 Beta

Updated download
Firmware for SB5100 by tplewa at theoryshare
New Features:
- HTTPD Password Protection
- Change HTTPD Port from Web
- Clone
a) Serial Number
b) HFC MAC Address
c) Ethernet MAC Address
d) CPE USB MAC Address
e) SNMP sysDescr
f) SNMP docsDevSwCurrentVers
- Backup NonVol
- Firmware Update from TFTP and Full Backup

(Future Features)
- Sniffer

Beta version available 0-4 weeks (maybe faster )


Any suggestions ?
#SB5100MoD Change Log
#######################
version 1.0.4 Beta:
(10-July-2008)
- Add Upload cmConfig from TFTP to Flash Memory (TFTP GET???)
- Add CopyTftp Symbol (VxWorks Shell) - No FileSize Limit
USAGE:
CopyTftp("SourceTftpIP","SourceFileName","DestinationTftpIP","DestinationFileName")
*DestinationFileName - Optional

Thread created_______________________________

Post: #2
RE: SB5100 bricked - need recovery instructions

The normal method of debricking is to erase the flash and sprogram the boot.
erase 9fc00000 200000
ldram boot (good firmware)
sprogram 9fc00000 200000
Method 2.
detect
ldram boot (Select proper boot file)
erase boot
sprogram boot (Slow programming)
Power off and on SB5100
detect
ldram 9fc00000 (Select the backed up file)
program 9fc00000 200000
cmpram 9fc00000 200000

When you have the USB connected, remove power from the modem, plug it back in and
quickly hit detect; it should detect, and then you load a bootloader for that model,
restart everything and load a full flash. Regards.

Look, the most effective way is to use the JTAG cable with the JTAG utility program. Connect the
cable to your modem without plugging it into power; as soon as you plug it in, do a detect
in the program, then the command ldram flsh, and flash your modem. It will take
about 10 - 15 min to complete, but it will be revived.

USBJTAG commands
Commands of this software:
d Display the address.
Syntax: d address (in hexadecimal)
Example: d 9fc80000
exit Exit the whole application.
Syntax: exit
help print command help.

Syntax: help This will print all the command names.
Syntax: help (cmd) This will print the usage of the cmd.
Example: help flshdct
detect Detect the target CPU and possible flash types. If there are memory tabs
defined as flash then a flash detect command is also issued.
Syntax: detect
search Search the memory block. This is ONLY used when the target is unknown and
you want to find the memory map, most importantly where the firmware
starts. Most users do not need this command.
Syntax: search start end step.
initusb Initialize the USB port. This triggers the USB port to reinitialize the
USB JTAG. It might take several seconds to get back to the JTAG connected state.
Syntax: initusb
getram Read memory from target to PC. This is a lengthy operation and the progress
bar will show roughly where you are. After completion of the memory read, the
memory in the tabs will be updated. You can view and edit the memory in the
memory tabs. Be careful when editing the memory map: most flash firmware
has a complicated checksum to avoid data corruption, so simply editing the firmware and
programming it back might not work.
Syntax: getram tab
getram start length
Example: getram boot
getram 9fc00000 200000
save Save the PC memory to a file. The default file extension is .bin
Syntax: save tabname
save start length
Example: save boot
save 9fc00000 200000
ldram Load a binary file to PC memory. This is the opposite of the save command.
Syntax: ldram tabname (filename)
ldram address
Example: ldram boot
ldram 9fc00000
cmpram Compare the PC memory with target memory. This is very useful,
especially when programming flash. With EJTAG you cannot run cmpram right
after programming if non-DMA is used. OK means the memory is
identical between the PC and the target. Otherwise the failed address will be
displayed.
Syntax: cmpram tabname
cmpram address length
Example: cmpram boot
cmpram 9fc00000 200000
peek Get one word from target.
Syntax: peek address
Example: peek 80000000
poke Set one word to target.
Syntax: poke address value
flshlist List all the flash types that are defined in flash.def
Syntax: flshlist
about Display about dialog box.
Syntax: about
cls Clear the screen
Syntax: cls
e Edit data in PC memory. To update to the target ram or flash you need to use
setram or program commands.
Syntax: e address data1 data2 ...
Example: -e 9fc08000 11 22 33 44
f Fill data in PC memory. To update to the target ram or flash you need to use
configshow Show all the configuration.
Syntax:configshow
Example:
-CONFIGSHOW
Test name: SB5100
Test DLL: SB5100.dll
IRLength: 5
Endian: Big
Boot Flash=Intel 28F160C3B
Image0 Flash=Intel 28F160C3B
Image1 Flash=Intel 28F160C3B
log Flash=Intel 28F160C3B
erase Erase the flash. The erase command is used with sprogram. The normal program
command auto-erases the flash. This command is only used when the normal program
command does not work. An ST20 target must use erase/sprogram to program the
flash. Please note the erase command gives no feedback while erasing, and
erasing normally takes quite a long time. A 2M flash erase will normally take up to
20-40 seconds. If the program does not return after a long time, something has gone
wrong and you need to stop the program and start again.
Syntax: erase tabname
erase address length
Example:
-ERASE image0
Erase starts
Erase time 00:00:08 .021
sprogram Slow program. This is slow compared to the normal program command. In
EJTAG this method does not use target ram. In EJTAG, when the boot is not set up
and the initialization sequence to access ram is unknown, sprogram is normally used
to program a boot block. Make sure the target flash is erased.
Syntax: sprogram tabname
sprogram start length
Example:
-ERASE boot
Erase starts
Erase time 00:00:00 .031
-SPROGRAM boot
Program Starts...
Program time 00:00:08 .084
CMPRAM boot
program Program the flash or eeprom. If you program flash, make sure you have
executed the flshdct or detect command. The right flash type must be set for the
memory.
Syntax: program tabname
program address length
Example: program boot
program 9fc00000 200000
bk Break the target. Normally use this with register view enabled.
Syntax: bk
Shortcut: F6
r Read registers or set register value to the target
Syntax: r
r register value
Example: r r1 8000200

Connect, hit detect and, as fast as possible, run

ldram boot
sprogram boot

If you do it very quickly you will see that it starts writing, and after that it detects the
flash.

To find out whether this method works for you, do the following.

Hit detect.
If it detects everything fine, wait a while, hit detect again and it will not detect anything.
If that happens to you, do what I say above and your problem is solved.

You have to write the boot first, so that it lets you load it again:
detect
ldram boot
erase boot
sprogram boot
If you do not have the boot from your original firmware, extract it like this:
ldram 9fc00000
save boot
and that's it, you use that one to boot it. That is how it is, look at it:
debrick
detect
IDCODE 0334817F
Broadcom BCM3348
IMPCODE 800908
DMA supoorted
Found Address= 9fc00000 Intel 28F160C3B
9FC00000 erased
9FC02000 erased
9FC04000 erased
9FC06000 erased
-LDRAM BOOT
-ERASE BOOT
Erase starts...
Erase time 00:00:00 .016
-SPROGRAM BOOT
Program Starts...
Program time 00:00:09 .009
-DETECT
IDCODE 0334817F
Broadcom BCM3348
IMPCODE 800908
DMA supoorted
Found Address= 9fc00000 Intel 28F160C3B
-LDRAM 9FC00000
-PROGRAM 9FC00000 200000
Erase starts...
Erase time 00:00:18 .059
Program speed 134.58 KB/s
Program time 00:00:15 .082
Program pass, if no further programming needed, power off/on the targe
EN TOOL PLOMEAR LOS DOS

I have a Motorola SB5100 and I carried out the following steps to get more speed.
1) I changed the modem's MAC to a MAC that has a higher speed contracted, from
another node.
2) I wrote Sigma v142.
3) I enabled telnet mode from Sigma.
4) I ran telnet and disabled BPI with the following command:
cd /
cd non-vol
cd docsis
enable bpi false
write
I rebooted the modem and that was it! I started browsing at a higher speed. The problem is that
I could only do it for TWO DAYS, then the modem did not connect again (that is, the online light
does not stay solid).
Am I missing something else? Why could I browse at a higher speed and now I cannot?
Am I getting something wrong??
If there is a tutorial that explains it well, can you pass it to me?
Thanks, people.
Regards

ldram boot
erase boot
sprogram boot

Uploading SB5100 certificates via SNMP

Friends, to upload certificates to an SB5100 modem you first have to install the
SNMP libraries:
http://www.4shared.com/file/GU-b_HbA...-1win32_2.html since the link
in the forum is down, but you can still look for it in the downloads section.
Next you have to create a .bat file; you can do this by creating a Notepad
file and saving it as a .bat file.
In the downloads section of the forum there is a .bat file for the Motorola SB5100, but
it has not worked well for me, since it does not include the SNMP instructions to load the
cmFactoryManCertificate and cmFactoryRootCertificate certificates.
I made the bat with the following info, and it worked for me with the certs scanned from
fastcert 3.0:
REM HFCmacAddress
snmpset -v2c -c t3xr1tt3r 192.168.100.1 1.3.6.1.4.1.1166.1.19.4.4.0 x your MAC without dots
REM cmFactoryBigRSAPublicKey
snmpset -v2c -c t3xr1tt3r 192.168.100.1 1.3.6.1.4.1.1166.1.19.4.50.0 x your certificate
REM cmFactoryBigRSAPrivateKey
snmpset -v2c -c t3xr1tt3r 192.168.100.1 1.3.6.1.4.1.1166.1.19.4.51.0 x your certificate
REM cmFactoryCMCertificate
snmpset -v2c -c t3xr1tt3r 192.168.100.1 1.3.6.1.4.1.1166.1.19.4.52.0 x your certificate
REM cmFactoryManCertificate
snmpset -v2c -c t3xr1tt3r 192.168.100.1 1.3.6.1.4.1.1166.1.19.4.53.0 x your certificate
REM cmFactoryRootCertificate
snmpset -v2c -c t3xr1tt3r 192.168.100.1 1.3.6.1.4.1.1166.1.19.4.54.0 x your certificate
pause
Now you only have to replace the MAC and the corresponding certificate. I hope it
is useful to you, friends. It should be made clear that your modem has to be modified, for example with
mod 1.0.4, since I have mine with mod 1.0.4.

ORIGINAL UJMODEN
Change HFC MAC = 00:0E:5C:5F:D0:10

Ethernet Add = 00:0E:5C:5F:D0:11

Serial 126603334212444903030000
Change HFC MAC = 00:12:13:14:15:16

Serial 126603334212444903030000
140255516366958401021000
120244416366958404123000

Ethernet Add = 00:12:13:14:15:17