Brendan Gillatt
TalkTalk Broadband Modem Hacking

Introduction

[Figures: the front of the modem; the rear of the modem showing various connectors.]

This modem is often sent free with home broadband packages from TalkTalk. It's a curious mix of an ADSL modem, a router and a firewall; there is only one Ethernet port and one USB port along with the DSL connection. I got two of them from a family friend who was sent three of them when she signed up!

The only way I've connected to the modem is using the on-board serial port - I don't have a crossover cable for connecting via Ethernet and the drivers for the USB port don't work with Vista. I would expect that the hardware serial port I've connected to is very similar to the telnet/ssh connection over Ethernet or USB.

Connecting Using the TTL Serial Port

The modem has an on-board 5 volt (TTL) serial port which gives a console when connected. The header is labelled "JP2". Numbering the pin closest to the rear of the board as 1, the connections are:

  1. Serial transmit
  2. Ground
  3. +5 volts
  4. NC - no pin
  5. Serial receive

[Figures: the serial port header; overview of the circuit board.]

To connect to a PC you require a TTL to RS232 or USB adaptor. I happen to be creating a project using an FTDI FT232R serial to USB converter chip so I've been using that.

On connecting the serial port and turning on the router, you will see a POST log before being dropped into a rather limited shell. For example:

Starting POST - V5.0
SDRAM ... Passed
Loader Checksum ... Passed
Loader (V5.00) Self-Extracting ... Done
Decompressing UMON (V1.62) ... Done/Activated
vmode 80002188 = 404018bf
Flash Nex NX25P16 (Capacity=2048K, PageSize=256, TotalPages=8192)
Testing FILESYS Checksum ... Passed
Testing DSLCODE Checksum ... Passed
Testing APPCODE Checksum ... Passed
Decompressing "TEAppl.gsz" (973835->3661080) ... Done
vmode 80002188 = 404018bf
Pin 138 Low, have PPP LED!!

Text Segment Size  = 3288912 bytes
Data Segment Size  = 372168 bytes
Bss  Segment Size  = 971696 bytes
System Stack Size  = 16536 bytes
HISR   Stack Size  = 16536 bytes
NetBuffer Pool Size= 416048 bytes
System Memory Size = 1752328 bytes
Start of DSPText   = 2078e800 bytes
Decompressing "TEMod.gsz" (59940->267360) ... Done
Using HUAWEI MT820 LED Define !!
Decompressing "TEDSL.gsz" (128816->380776) ... Done
sdram 8000218c = 00000b04
sdram 8000218c = 00000b04

File System Memory Size = 389120 bytes
UnTar File System \...\...\.\..\...\.\..\..\............\....\.\... Done


 CfgInit: System Coming up from Default ConfigurationDSL State: 0x0 --> 0x0
DSL State: 0x0 --> 0x10

exec Exec_url_block
exec Exec_Misc
HwiLed control ON 


                         *******************

                               Welcome 

                         *******************



Software Release V200R002B021 Opal

Copyright (c) 2001-2004



$Reset LED!!


Thu Jan 01 00:00:03 1970 : STATUS ALARM : System Up



$

Every now and then the console outputs:

RESTART the DSP...
DSL State: 0x10 --> 0x0
DSL State: 0x0 --> 0x10

...which seems to be some kind of reset for the DSL chip, perhaps because I haven't got a telephone line plugged in.
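
The boot log above doubles as a firmware inventory. The following is an added example, not part of the original article: it parses lines copied from the log, checks that the reported flash geometry is self-consistent, and compares the total compressed image size against the flash capacity. The function names and the dictionary layout are illustrative assumptions.

```python
import re

# Lines copied from the console output shown on this page.
SAMPLE_LOG = """\
Decompressing UMON (V1.62) ... Done/Activated
Flash Nex NX25P16 (Capacity=2048K, PageSize=256, TotalPages=8192)
Testing FILESYS Checksum ... Passed
Testing DSLCODE Checksum ... Passed
Testing APPCODE Checksum ... Passed
Decompressing "TEAppl.gsz" (973835->3661080) ... Done
Decompressing "TEMod.gsz" (59940->267360) ... Done
Decompressing "TEDSL.gsz" (128816->380776) ... Done
 CfgInit: System Coming up from Default ConfigurationDSL State: 0x0 --> 0x0
DSL State: 0x0 --> 0x10
RESTART the DSP...
DSL State: 0x10 --> 0x0
DSL State: 0x0 --> 0x10
"""

FLASH_RE = re.compile(r"^Flash (.+?) \(Capacity=(\d+)K, PageSize=(\d+), TotalPages=(\d+)\)")
IMAGE_RE = re.compile(r'^Decompressing "([^"]+)" \((\d+)->(\d+)\)')
CHECK_RE = re.compile(r"^Testing (\w+) Checksum \.\.\. (\w+)")
STATE_RE = re.compile(r"DSL State: (0x[0-9a-fA-F]+) --> (0x[0-9a-fA-F]+)")

def parse_boot_log(text):
    """Summarise what the serial console reveals about flash, images and DSL state."""
    info = {"flash": None, "images": {}, "checksums": {}, "dsl_transitions": [], "dsp_restarts": 0}
    for line in text.splitlines():
        line = line.strip()
        if m := FLASH_RE.match(line):
            cap, page, pages = int(m[2]) * 1024, int(m[3]), int(m[4])
            info["flash"] = {"part": m[1], "bytes": cap, "geometry_ok": cap == page * pages}
        elif m := IMAGE_RE.match(line):
            info["images"][m[1]] = (int(m[2]), int(m[3]))  # (compressed, decompressed)
        elif m := CHECK_RE.match(line):
            info["checksums"][m[1]] = m[2] == "Passed"
        elif line.startswith("RESTART the DSP"):
            info["dsp_restarts"] += 1
        # finditer scans the whole line: one transition is glued to the CfgInit message
        for m in STATE_RE.finditer(line):
            info["dsl_transitions"].append((int(m[1], 16), int(m[2], 16)))
    return info

def flash_budget(info):
    """Return (compressed image bytes, flash bytes, fits) for the named .gsz images."""
    used = sum(packed for packed, _ in info["images"].values())
    return used, info["flash"]["bytes"], used <= info["flash"]["bytes"]

if __name__ == "__main__":
    print(flash_budget(parse_boot_log(SAMPLE_LOG)))
```

The three named images account for a little over half of the 2048K flash; the remainder holds the loader, UMON, the file system and configuration, which the log reports only by checksum and not by size.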

Hardware

[Figures: RAM and CPU chips; JTAG port.]

The processor is a Conexant GS8120-174004DBOEZ. This is a proprietary chip and no Linux kernel build I know of supports it. A MIRA P2V64S40ETP 64Mbit SRAM is connected along with a Spansion S25FL016A 16Mbit SPI flash memory. There is a Realtek RTL8201CP Ethernet PHY. The ADSL physical layer is handled by a Conexant BAZ-3882-NCAZ.

The second header, identified as "JP3", appears to be a JTAG port. This could be very useful! It appears that the device is very sensitive to interference - the current usage rises dramatically if I place the bare board within 5cm of something metallic. At the moment I'm working on it with the circuit board balanced on a china tea-cup!

Some Useful Information

The modem is identified as a SmartAX MT882 on the bottom of the product. These are manufactured by Huawei.

Putting some of the filenames and version numbers into Google reveals a bit about the modem. First of all, it is very, very similar to a BT Voyager 205 and the Solwise SAR-110: the commands are identical and the boot log is very similar. The hardware is significantly different, however, so I am not confident that flashing an image from a BT or Solwise modem will work with this one.

A list of similar products, all with slightly different hardware but the same processor and RTOS:

It appears that there is a JTAG port next to the flash memory. FreakNet have a nice article on using the JTAG port to force the RTOS to load a firmware image.

To Do

I'm tempted to try and read the data of the SPI flash, which should be pretty straightforward, or see what happens if I erase the flash altogether: the CPU may fall back to some default operating mode if there is no RTOS given.

Getting JTAG up and running would be immensely useful for probing the device further.

I would like to connect over TCP/IP through either the USB or Ethernet port, though this requires another computer or a wired Ethernet hub. I have read that, from there, the directory tree of the device can be accessed over FTP.

Conclusion

While it's been pretty interesting looking at the stuff so far, they're not particularly useful because of the proprietary RTOS and processor. If you want embedded Linux you're still best off with the ubiquitous WRT-54G.