BTHomeHub V2 Type B
Black boxes given away with a bt broadband subscription. It comes in two versions Type A and Type B. The two versions look identical, and although they provide similar functionality, they are quite different on the inside.
Type A is made by Thomson, and is broadcom based, using Thomson linux based firmware. Type B is made by SHC (Siemens), and is Infineon/Lantiq Danube based, using OpenRG based linux firmware. Bootloader is u-boot.
The homehub V2 includes ADSL2+, 802.11b/g/n wireless, host USB port, 4 wired ethernet ports, DECT, FXS & FXO ports and VOIP functionality.
The firmware of both units can be successfully hacked for use on other ISPs (see www.psidoc.com). The Type A firmware is a litlte more flexible than the Type B firmware in terms of what can be done after gaining access.
Until the patches come through to trunk, source mods for building OpenWRT for Type B are here: https://sourceforge.net/p/hh2b4ever/code/ci/7c17843ab0596dccb2bd972ed9df6c4ccd9995a8/tree/
latest info: binary at sourceforge for annexa works, although the leds are squiffy and the ADSL reports a fault but works. see http://www.psidoc.com/showthread.php/495-OpenWRT-on-HHV2B for details
News 25/3/2012: Thanks to blogic, some patches went into trunk today…. Building from trunk
Hardware Highlights
| CPU | Ram | Flash | Ethernet | USB | Wireless | Serial | JTag | VOIP | FXS |
|---|---|---|---|---|---|---|---|---|---|
| Lantiq Danube@333MHz | 64MB | 32MB NAND+512k NOR | 4 | Yes | 11ng | Yes | Yes | yes | yes |
Installation
Firmware
NAND Flash Layout
| NAND - 32 Mbytes: |
| 0x00000000-0x00004000 : "Atheros EEPROM" |
| 0x00004000-0x00E04000 : "OpenRG Image 1" |
| 0x00E04000-0x00F00000 : ? (empty) |
| 0x00F00000-0x01D00000 : "OpenRG Image 2 (empty)" |
| 0x01D00000-0x01E00000 : ? (empty) |
| 0x01E00000-0x02000000 : "Dect configuration? (empty)" |
NOR Flash Layout
| NOR - 512k: |
| 0x00000000-0x00040000 : first u-boot |
| 0x00040000-0x00050000 : u-boot stored config |
| 0x00050000-0x00060000 : RG conf 1 16k |
| 0x00060000-0x00070000 : RG conf 2 16k |
| 0x00070000-0x00080000 : RG factory conf 16k |
Flash Details
NOR:
PHYS_FLASH_1 0xB0000000
16 bit
in EBU region 0
NAND:
PHYS_FLASH_2 0xB4000000
Sector size 256
nand max floors 1
nand max chips 1
in EBU region 1
Hardware
Info
| SoC: Lantiq Danube-S PSB 50712 @ 333MHz |
| RAM: Samsung K4H511638F 64MiB |
| NOR Flash: Spansion S29AL004D 4MiB |
| NAND Flash: Samsung K9F5608U0D-JIB0 32MiB |
| Wireless: Atheros 9160-BC1A 802.11b/g/n, pci, 0x18000000, irq 22 |
| Ethernet switch: Infineon AD9669I |
| DECT: SiTel SC14488 |
| Slic: Teridian 73m1966, Infineon Vinetic PEF4268F 'Ringing SLIC with Integrated DC/DC Converter' |
Photos
Serial
In the photos above, wires are soldered on to the 3.3v serial lines.
The connections are:
| Top | GND |
| Middle | Rx |
| Bottom | Tx |
Note that the original u-boot has 'silent' mode enabled
GPOs
The CPU has 2 x 16 possible GPIO
The board provides a further 24? GPOs (for leds) controlled by stp
for each pin there are control bits
dir = direction
out = value?
altsel0/altsel1
od - 0=open drain, 1='normal mode' puch pull
pudsel = pullup/down select 1=up
puden = pull up/down enable
uboot initial values
| bit | dir | out | altsel0 | altsel1 | od | pudsel | puden | usage |
| - | 70 | FF | 73 | 01 | FF | 00 | 00 | - |
| GPIO-00 | 0 in | 1 | 1 | 1 | 1 | 0 | 0 | |
| GPIO-01 | 0 in | 1 | 1 | 0 | 1 | 0 | 0 | FXO Interrupt |
| GPIO-02 | 0 in | 1 | 0 | 0 | 1 | 0 | 0 | Reset button |
| GPIO-03 | 1 out | 1 | 1 | 0 | 1 | 0 | 0 | CLK-OUT2 - (25mhz for amd9669i? - danube_clock.c in u-boot) |
| GPIO-04 | 1 out | 1 | 1 | 0 | 1 | 0 | 0 | - stp-st (maybe also likely boot clock select 1 = 36mhz) |
| GPIO-05 | 1 out | 1 | 1 | 0 | 1 | 0 | 0 | - stp-d |
| GPIO-06 | 1 out | 1 | 1 | 0 | 1 | 0 | 0 | - stp-sh |
| GPIO-07 | 0 in | 1 | 0 | 0 | 1 | 0 | 0 | - |
| name | dir | out | altsel0 | altsel1 | od | pudsel | puden | usage |
| - | 26 | FB | 38 | 02 | 77 | 48 | 48 | - |
| GPIO-08 | 0 in | 1 | 0 | 0 | 1 | 0 | 0 | |
| GPIO-09 | 1 out | 1 | 0 | 1 | 1 | 0 | 0 | - FXO Chip Select |
| GPIO-10 | 1 out | 0 | 0 | 0 | 1 | 0 | 0 | - FXO reset |
| GPIO-11 | 0 in | 1 | 1 | 0 | 0 | 1 | 1 | - pulled up |
| GPIO-12 | 0 in | 1 | 1 | 0 | 1 | 0 | 0 | |
| GPIO-13 | 1 out | 1 | 1 | 0 | 1 | 0 | 0 | - USB Power |
| GPIO-14 | 0 in | 1 | 0 | 0 | 1 | 1 | 1 | find handset button - pulled up |
| GPIO-15 | 0 in | 1 | 0 | 0 | 0 | 0 | 0 | - |
| name | dir | out | altsel0 | altsel1 | od | pudsel | puden | usage |
| - | BE | D7 | 87 | 00 | FC | 50 | 50 | - |
| GPIO-16 | 0 in | 1 | 1 | 0 | 0 | 0 | 0 | - |
| GPIO-17 | 1 out | 1 | 1 | 0 | 0 | 0 | 0 | - |
| GPIO-18 | 1 out | 1 | 1 | 0 | 1 | 0 | 0 | - |
| GPIO-19 | 1 out | 0 | 0 | 0 | 1 | 0 | 0 | - |
| GPIO-20 | 1 out | 1 | 0 | 0 | 1 | 1 | 1 | - pulled up |
| GPIO-21 | 1 out | 0 | 0 | 0 | 1 | 0 | 0 | - PCI Reset |
| GPIO-22 | 0 in | 1 | 0 | 0 | 1 | 1 | 1 | - wps button pulled up |
| GPIO-23 | 1 out | 1 | 1 | 0 | 1 | 0 | 0 | - likely endian select 0=little |
| name | dir | out | altsel0 | altsel1 | od | pudsel | puden | usage |
| - | FB | 3F | 8B | 04 | E3 | 08 | 08 | - |
| GPIO-24 | 1 out | 1 | 1 | 0 | 1 | 0 | 0 | - |
| GPIO-25 | 1 out | 1 | 1 | 0 | 1 | 0 | 0 | - |
| GPIO-26 | 0 in | 1 | 0 | 1 | 0 | 0 | 0 | - |
| GPIO-27 | 1 out | 1 | 1 | 0 | 0 | 1 | 1 | - pulled up |
| GPIO-28 | 1 out | 1 | 0 | 0 | 0 | 0 | 0 | - SC14488 dect chip reset |
| GPIO-29 | 1 out | 1 | 0 | 0 | 1 | 0 | 0 | - pci-req1 |
| GPIO-30 | 1 out | 0 | 0 | 0 | 1 | 0 | 0 | - pci-gnt1 |
| GPIO-31 | 1 out | 0 | 1 | 0 | 1 | 0 | 0 | - |
USB Power? 13
from original bootlog: FXO reset using GPIO-10 FXO interrupt using GPIO-1 FXO Chip Select using GPIO-9
from u-boot, initial values are:
| INIT_VAL_P0_DIR | 2670 |
| INIT_VAL_P0_OUT | FBFF |
| INIT_VAL_P0_ALTSEL0 | 3873 |
| INIT_VAL_P0_ALTSEL1 | 0201 |
| INIT_VAL_P0_OD | 77FF |
| INIT_VAL_P0_PUDSEL | 4800 |
| INIT_VAL_P0_PUDEN | 4800 |
| GPIO1 | |
| INIT_VAL_P1_DIR | FBBE |
| #ifdef CONFIG_SHC_BT_PORTA_HW_SPIN1 | |
| #define INIT_VAL_P1_OUT | 0x00002FD7 |
| #else | |
| #define INIT_VAL_P1_OUT | 0x00003FD7 |
| #endif | |
| INIT_VAL_P1_ALTSEL0 | 8B87 |
| INIT_VAL_P1_ALTSEL1 | 0400 |
| INIT_VAL_P1_OD | E3FC |
| INIT_VAL_P1_PUDSEL | 0850 |
| INIT_VAL_P1_PUDEN | 0850 |
Buttons
| Port | Bit | Key |
|---|---|---|
| 0 | 2 | Restart |
| 0 | 15 | Find handset |
| 1 | 6 | Wireless association |
All buttons are active low.
LEDS
Near the 11 leds, there are two HC595: 8-Bit Serial-Input/Serial or Parallel-Output Shift Register with Latched 3-State Outputs (http://pdf1.alldatasheet.com/datasheet-pdf/view/46165/SLS/HC595.html)
| The leds are grouped |
| 3 for Power |
| 3 for Broadband |
| 2 for phone |
| 2 for wireless |
| 1 for upgrading |
LED control base address is 0xBE100BB0 which correlates with ltq_register_gpio_stp.
| Name | Colour | bit |
| Upgrading | orange | = bit 13 (213 with 200 base added) |
| Phone | orange | = bit 14 (214) |
| Phone | blue | = bit 15 (215) |
| Wireless | orange | = bit 16 (216) |
| Wireless | blue | = bit 17 (217) |
| Broadband | Red | = bit 18 (218) |
| Broadband | Orange | = bit 19 (219) |
| Broadband | Blue | = bit 20 (220) |
| Power | Red | = bit 21 (221) |
| Power | Orange | = bit 22 (222) |
| Power | Blue | = bit 23 (223) |
Wireless
Atheros 9160-BC1A 802.11b/g/n, pci, 0x18000000, irq 22, slot 14
Marked as device 168C:FF1C
The calibration data is stored in the first 0x4000 bytes of the nand
the first 0x60 of these contain PCI register fixups, organised as Reg16:Value32. These need to be written to the PCI register space BEFORE the PCI device is probed… This leads to the issue that the PCI device is probed before the nand is active, so before we can get to the data, so a scheme of hardcoding these register fixups and calling the writing routine as a DECLARE_PCI_FIXUP_EARLY routine works. The actual eeprom data can be read later as part of the ath9k initialisation by utilising the hook ltqpci_plat_dev_init().
The eeprom data needs to be byte-swapped, then the data which is meant to be words byte swapped again. We can't currently tell Ath9k to handle this without patching ath9k, but once done, it works.
unfortunately, wireless (PCI) and NAND (EBU) interact. for the moment, PCI gets inhibited while the nand chip is selected; I felt it better to have some wireless degradation rather than file system corruption.
FXO/FXS
The FXO/FXS interface for telephony is a combination of Teridian 73m1966 and Infineon Vinetic PEF4268F 'Ringing SLIC with Integrated DC/DC Converter', for which some drivers are available. I believe that as I write, some work may be being done on using SIP with the telephone interfaces.
DECT
The DECT modem (SiTel SC14488) is a processor in it's own right. It is connected to ttyLTQ0, and also to Danube PCM Lines? We would need firmware to run within the SiTel modem to talk to the Dect phones, and to understand the protocols on the serial control, as well as implement the PCM communication (which seems to be DMAed). There is an un-populated site for a serial eeprom? - so the firmware must be programmed by the main cpu at startup.
Although we have the original BT firmware for the DECT modem, there is little or no information regarding how this may be controlled. The control seems to be done from within the OpenRG application, for which we have no source.
Tags
toh/bt/homehub_v2b.txt · Last modified: 2012/04/09 12:43 by btsimonh