User Tools

Site Tools


toh:siemens:sx551

Siemens SX551

An AR7 based WLAN ADSL modem/router with VOIP.

Note: A lot of good information is on the OldWiki page: http://wiki.openwrt.org/doku.php?id=oldwiki:openwrtdocs:hardware:siemens:sx551

Hardware Highlights

CPU Ram Flash Network USB Serial JTag
TI AR7 32MiB 2MiB 4 Yes Yes Yes

Also notable are the mini-PCI slot and Atheros b/g radio.

Stock firmware

The box runs a 'Broad Net' bootloader

As far as I could find, there is no normal way to interrupt the bootloader. It can boot to one out of two 'modes', upgrade mode or run mode. Normally the box goes to runmode, but by keeping the reset button pressed on poweron, and after releasing pressing the button 3 times, the box goes to 'upgrade mode'. It's actually running a different runtime then.

When I flashed a apparently unbootable kernel, I got a bootloader menu:

 ===========================================================
  TI ADSL AR7300 Loader 0.71.4 build Oct 18 2005 11:13:40
                  Broad Net Technology, INC.
 ===========================================================
 ESS ES29LV160D bottom boot 16-bit mode found
 
 Copying boot params.....DONE
 
 Flash Checking  Passed.
 
 Unzipping  web at 0x94f30000 ... [LZMA] done
 Unzipping code at 0x94000000 ... [LZMA] done
 
 [AR7300 Boot]:
 After pressing <enter>
 ======================
  [U] Upload to Flash  
  [E] Erase Flash      
  [G] Run Runtime Code 
  [A] Set MAC Address 
  [#] Set Serial Number 
  [V] Set Board Version 
  [H] Set Options 
  [P] Print Boot Params 
 ======================

 [AR7300 Boot]:p

 MAC address     : 00-01-E3-CB-91-48
 Serial number   : J608316809
 Hardware version: 01
 Options         : 00-00-00-00-00-00
 
 [AR7300 Boot]:

Flash partitions

The flash memory is 'ESS ES29LV160D bottom boot 16-bit mode' It's partitions (according to a dump I extacted using JTAG):

# Offset Size Function Compression
0 0k 37k Bootloader -
1 37k 85k Upgrade code Zip
2 122k 6k Upgrade web Zip
3 128k 128k Environment -
4 256k 249k Runmode web LZMA
5 505k 1479k Runmode code LZMA
6 1984k 64k Boot params -

It's partitions as showed by the bootloader (after flashing an unbootable runtime kernel)

 ---------------------------------------
     Area            Address      Length 
 ---------------------------------------
 [0] Boot            0xB0000000     128K
 [1] Configuration   0xB0020000     128K
 [2] Web Image       0xB0040000    1728K
 [3] Code Image      0xB0040000    1728K
 [4] Boot Params     0xB01F0000      64K
 [5] Flash Image     0xB0000000    2048K
 ---------------------------------------
So the bootloader seems pretty misused.

According to the serial log while flashing new firmware the erasesize is 64KiB.

OS

The OS seems to be the RealTime OS SuperTask!

Extended hardware information

PCB photo's

Main processor

The main processor is an Texas Instruments TNETD7300AZDW

RAM

PSC A2V46S40BTP 256Mbit (32MiB) (16 * 16MiB) SDRAM Memory chip.

Flash

ESS ES29LV160D bottom boot 16MiB (16 * 1MiB) Erase size according to serial output at firmware update; 64KiB.

USB

One port, a second should be able to add, connected to a VT6212.

Wireless

A mini-PCI Atheros AR5212 card

Switch

The internal switch is a Marvell 88E6060-RCJ1 6-port (4 external, 1 to the router itself, 1 unused) 10/100 switch with autosensing.

PCI devices

From the bootlog:

 Enumerating PCI device 5
 PCI: Slot=0, ID=TI VLYNQ2PCI , Index=0, MemBase=0x00000000, Int=00
 0x00: 0xa10a104c 0x22100007 0x00000000 0x00002004
 0x10: 0xfc000008 0xfc000000 0x00000001 0x00000000
 0x20: 0x00000000 0x00000000 0x00000000 0x00000000
 0x30: 0x00000000 0x00000040 0x00000000 0x02010100
 0x40: 0x00020001 0x00000000
 PCI: Slot=1, ID=Atheros AR5212 , Index=0, MemBase=0x40000000, Int=00
 0x00: 0x0013168c 0x02900006 0x02000001 0x00002004
 0x10: 0x40000000 0x00000000 0x00000000 0x00000000
 0x20: 0x00000000 0x00000000 0x00005001 0x44121113
 0x30: 0x00000000 0x00000044 0x00000000 0x1c0a0100
 0x40: 0x00000000 0x01c20001
 PCI: Slot=2, ID=VIA VT6212 , Index=0, MemBase=0x60000000, Int=00
 0x00: 0x30381106 0x02100007 0x0c030061 0x00802004
 0x10: 0x00000000 0x00000000 0x00000000 0x00000000
 0x20: 0x60000001 0x00000000 0x00000000 0x30381106
 0x30: 0x00000000 0x00000080 0x00000000 0x00000100
 0x40: 0x00031040 0x00000000
 PCI: Slot=3, ID=VIA VT6212 , Index=1, MemBase=0x60000020, Int=00
 0x00: 0x30381106 0x02100007 0x0c030061 0x00802004
 0x10: 0x00000000 0x00000000 0x00000000 0x00000000
 0x20: 0x60000021 0x00000000 0x00000000 0x30381106
 0x30: 0x00000000 0x00000080 0x00000000 0x00000200
 0x40: 0x00031040 0x00000000
 PCI: Slot=4, Vendor:DeviceID=0x1106:0x3104, Index=0, MemBase=0x40010000, Int=00
 0x00: 0x31041106 0x02100007 0x0c032063 0x00802004
 0x10: 0x40010000 0x00000000 0x00000000 0x00000000
 0x20: 0x00000000 0x00000000 0x00000000 0x31041106
 0x30: 0x00000000 0x00000080 0x00000000 0x00000300
 0x40: 0x000b0000 0x00000000
 PCI: Slot=5, --- No device present ---

Serial

J4 is a serial header. Orientated as on the PCB photo above:

GNDNCTXRXNC
3.3VNCNCNCNC

It's a 3.3V TTL port. 115200 N 8 1.

JTAG

Some anonymous guy published the JTAG port: Using the HairyDairyMaid software I managed to readout the flash.<br> BTW, the resistors are 4k7 ohm pullups to 3.3V for TDO,TDI,TMS and TCK. For TRST it's a 4k7 ohm pulldown to ground.

Installing OpenWRT

Using the firmware 'Upgrade mode'

The firmware runmode software is devided in two LZMA compressed flash partitions, 'web', max 248k, and 'code', max 1478k, which are decompressed to 0x94f30000 and 0x94000000. I don't know how we could use 'web'. But 'code' should be able to contain a compressed kernel with build-in ramdisk. This initramfs should mount an usb stick, and either use kexec to boot a 'bigger' kernel from the stick, or overlay the filesystem on the stick, when a decent kernel can be fitted in flash.

I have build a kernel with a build-in initramfs, containing the modules needed to mount an USB stick, and busybox. Further I stripped pretty anything which was not needed. This fitted easily in the provided space. 76k (compressed) was left. Unfortunately the box didn't boot, it felt back to the bootloader prompt:

===========================================================
 TI ADSL AR7300 Loader 0.71.4 build Oct 18 2005 11:13:40
                 Broad Net Technology, INC.
===========================================================
ESS ES29LV160D bottom boot 16-bit mode found

Copying boot params.....DONE

Flash Checking  Passed.

Unzipping  web at 0x94f30000 ... [LZMA] done
Unzipping code at 0x94000000 ... [LZMA] done

[AR7300 Boot]:

To create the openwrt update file, I used the tool mkfirm which I patched a bit. (Added the SX551 to the list of devices). As 'web' file I just compressed some junk. The file was accepted by the firmware.

 lzma junk
 lzma vmlinux
 mkfirm -o openwrt.bin -m BRN4519JW junk.lzma vmlinux.lzma

Tags

toh/siemens/sx551.txt · Last modified: 2014/02/13 07:27 (external edit)