User Tools

Site Tools


toh:smc:smc7904

SMC SMC7904WBRA

The device is based on Texas Instrument AR7, so you need the target.ar7 in OpenWrt trunk.

Similar devices

3Com sells the very same hardware as 3CRWDR100A-72. Philips sells it as Philips SNA6600, SNA6500, SNV6520. Belgacom has branded it "Belgacom ADSL wireless". See http://www.zoobab.com/philips-sna6600

SMC has a variant without the Mini-PCI WLAN card, the SMC7904BRA. All hardware is identical to the point that there are connection points where the Mini-PCI interface should be on the PCB, only the socket and card are missing.

These routers belong to the large family of AR7-based devices, in particular the subfamily that uses early versions of the 'Broad Net' BRN bootloader and a VxWorks-based OS called "SuperTask!". Characteristic for this bootloader is that it only accepts firmware packaged in a very specific way, namely zipped files by the names of soho.bin ("runtime code", i.e. the kernel) and pfs.img ("user interface", i.e. filesystem).

Other devices in this family include: Belkin F5D7632-4 v3, Belkin F5D7630, Buffalo BBR-4MG, Ozenda/Arcadyan AR4505GW, AR4505KW, Sinus 154 DSL, Sinus 154 DSL Basic SE, Sinus 154 DSL Basic 3, Sinus 154 DSL Komfort, Siemens SX541, Siemens SE555, SMC7004VBR, SMC7004VWBR, SMC7004ABR V2, SMC7004FW, SMC7004WFW, SMC2804WBR V1, SMC 7904WBRB2, SMC 7908VoWBRB, NorthQ9100. Since the bootloader is one of the main obstacles in running custom firmware on these devices, a lot of work done on the other devices can be used for the SMC7904WBRA.

With the SX541 there has been some OpenWrt progression, see http://bs.netgaroo.com/sx541/ and http://www.ip-phone-forum.de/showthread.php?t=72010

See also Siemens SX551, AR7300-based with a BRN bootloader. http://wiki.openwrt.org/toh/siemens/sx551

RouterTech firmware is not supported on these devices due to their bootloader. (See http://www.routertech.org/viewtopic.php?f=16&t=3739&p=47109 )

There used to be a German project that got a stripped version of OpenWrt running on the SX541, Sinus 154 DSL SE, Sinus 154 DSL Basic SE and Sinus 154 DSL Basic 3 - all of which have the same AR7 CPU and Broad Net Inc bootloader. See https://web.archive.org/web/20110811162345/http://ar7-firmware.berlios.de/ and http://sourceforge.net/projects/ar7-firmware.berlios/

Old versions of BRNBoot on these router types still allow crossflashing. With an update to bootloader version 0.69.2 or higher this will be blocked. More info in this Dutch post: http://userbase.be/forum/viewtopic.php?p=377181#p377181

OpenWrt status

Untested, probably unsupportable due to the limited flash storage.

Hardware Highlights

CPU Ram Flash Network USB Serial JTag
AR7 TNETD7300AGDW 16MB 2MiB 4 x 1 No Yes Yes

Basic hardware info

The device has the following connectors on the rear (left to right).

  • Auxiliary antenna.
  • ADSL input connector.
  • Power connector (12V 1.2A).
  • Reset button.
  • Large On/Off button.
  • 4 numbered RJ45 10/100 MBit connectors.
  • Main antenna.

Hardware

Main processor

The main processor is a Texas Instruments TNETD7300AGDW Processor, an AR7 that should work with the target.ar7 of OpenWrt (yet untested).

Memory

Onboard is a PSC A2V28S40BTP 8M x 16 (128 MBit)SDRAM Memory chip. PSC SDRAM products

Flash

The flash chip is an Intel TE28F160C3-B 16Mbit (2MiB) 3.0V Flash memory.

Switch chip

The internal switch is a Marvell 88E6060-RCJ 6-port (4 external, 1 to the router itself, 1 unused) 10/100 switch with autosensing.

Wireless card

The wireless chip in mini-pci card is a Texas Instruments TNETW1130GVF, also known as ACX111 chipset.

Photos

SMC7904WBRA

(SDRAM chip is on the backside.)

Telnet and recovery webinterface

Note that the default firmware accepts telnet connections from LAN. The login should be 'admin' or 'root' with whatever password you have set in the web interface. (Default password is 'smcadmin'.) Sometimes the telnet port may be at 8081. Although the Telnet interface allows you to configure the device to accept firmware from TFTP, these uploads are still checked for compliance with the BRN bootloader's demands just as they would through the webinterface.

The only exception found so far is when upgrading "web_image" - for example openwrt-ar7-2.4-runtime-lzma-SINUS154_DSL_BASIC_SE.bin can be uploaded through this option. After a reboot the device presents its very basic recovery web interface at 192.168.2.1 that accepts files as "Runtime Code", "Firmware", "User interface" and "Boot Loader" - but still performs checks. This recovery interface would be a good way to upload custom firmwares since the Ethernet connection (with DHCP!) makes it fast and easy (you don't even have to open the case).

To restore the original firmware e.g. FW_SMC7904BRA_053.bin (it is actually a zip file containing soho.bin and pfs.img plus an additional signature), upload it as "Runtime Code" using the recovery interface.

Serial

A serial console can be connected to J4.

The serial signals are at a 3.3V level, so you need to use a level convertor, see port.serial

Be careful that your serial interface doesn't backfeed into the modem's PCB when you have the modem's power turned off. When this happens you will notice the modem leds flashing rapidly (despite the modem not being connected to mains) and your converter getting warm.

The serial signal itself is 115200 baud, 8 databits, 1 stopbit, no parity (8N1).

The pinout for the serial is

pin signal
1 Not Connected
2 Not Connected
3 RX
4 Not Connected
5 TX
6 Not Connected
7 Not Connected
8 Not Connected
9 GND
10 VCC +3.3V

Disposition on the board:

9 7 5 3 1
10 8 6 4 2

Bootlogs

The bootlog shows some minor software differences with the 3Com 3CRWDR100A-72, which is otherwise identical in hardware.

===========================================================
 TI ADSL AR7300 Loader 0.62 build Mar 30 2004 14:12:11
                 Broad Net Technology, INC.
===========================================================
INTEL TE28F160C3-B bottom boot 16-bit mode found

Copying boot params.....DONE

Press any key to enter command mode ...
Flash Checking  Passed.

Unzipping program from bank 2...done
Try to find image for running...
Unzipping program from bank 3...done
In C_Entry() function ...
install_exception 
sys_irq_init() ...
##### _ftext      = 0x94000000
##### _fdata      = 0x941B1470
##### __bss_start = 0x941EE9D8
##### end         = 0x948C08BC
##### Backup Data from 0x941B1470 to 0x948E08BC~0x9491DE24 len 251240
##### Backup Data completed
##### Backup Data verified
[INIT] System Log Pool startup ...
[INIT] MTinitialize ..
userclk_init() ...
Runtime code version: 0.53
System startup...
[INIT] Memory COLOR 0, 800000 bytes ..
[INIT] Memory COLOR 2, 325480 bytes ..
DSL HAL Version: 06.00.01.00
Sangam detected, rev 0x21
timecode=4280182
set dspfreq 250Mhz
Sangam clock boost 250
REG_VSERCLKSELR<-0x01
Enable Analog PLL 

SAR_FREQUNCY = 62500000Hz

manu_id=89 chip_id=88c3
INTEL TE28F160C3-B bottom boot 16-bit mode found
Boot Parameters found !!!
Bootcode version: 0.62
Serial number: S512033450
Hardware version: 01A
sizeof(struct III_Config_t) is 76652

manu_id=89 chip_id=88c3
INTEL TE28F160C3-B bottom boot 16-bit mode found
ruleExt[17] is for SSL
default route: 0.0.0.0
BufferInit:
BUF_HDR_SZ=48 BUF_ALIGN_SZ=12 BUFFER_OFFSET=112
BUF_BUFSZ0=384 BUF_BUFSZ1=1872
NUM_OF_B0=0 NUM_OF_B1=1000
BUF_POOL0_SZ=0 BUF_POOL1_SZ=1920000
sizeof(BUFFER0)=432,sizeof(BUFFER1)=1920
*BUF0=0x945ca754 *BUF1=0x943f5b44
Altgn *BUF0=0x945ca760 *BUF1=0x943f5b50
End at BUF0:0x945ca760, BUF1:0x945ca750

BUF0[0]=0x945ca760 BUF1[0]=0x943f5b50

buffer0 pointer init OK!
buffer1 pointer init OK!
time = 08/01/2003, 00:00:00
TRAP(linkUp) : send ok!
Interface 0 ip = 127.0.0.1

Memory request 2072 left 297928 ptr 9426DE7C
Call tn7sar_malloc_dma_xfer() addr:B426DE7C size:2072
MAC1 [RX=128 TX=1]: TI External PHY
MAC Address: 00:04:e2:e2:b4:aa
[VLAN] port: 0x0001 vlan: 0x0008
[VLAN] ifno: 1 port: 4 vlan: 0x1020
time = 08/01/2003, 00:00:00
TRAP(linkUp) : send ok!
br_MacAddress=00-04-E2-E2-B4-AA
Interface 1 ip = 192.168.1.1

Init SAR ifno:3 chan:0 VPI/VCI:0/33
Init PDSP ...
Init PDSP done.
Memory request 552 left 297376 ptr 9426E694
Call tn7sar_malloc() addr:B426E694 size:552
[aal5->os]2.IsrRegister(OsDev:941eec9c, halIsr:940bf644, Interrupt:15)
[aal5]halControl(HalDev:94853f20, Key:OamMode, Action:Set, Value:948e072c)
[aal5]halChannelSetup(HalDev:94853f20, HalCh:948e0670, OsSetup:00000000)
  [aal5 Inst 0, Ch 0] Config Dump:
    TxNumBuffers  :00000128, TxNumQueues :00000002
    RxNumBuffers  :00000128, RxBufSize   :00001582
    TxServiceMax  :00000032, RxServiceMax:00000016
    RxBufferOffset:00000000, DaMask      :00000001
    CpcsUU        :00000005, Gfc         :00000000
    Clp           :00000000, Pti         :00000000
    Priority      :00000002, PktType     :00000000
    Vci           :00000033, Vpi         :00000000
    TxVc_CellRate :00015625, TxVc_QosType:00000002
    TxVc_Mbs      :00004000, TxVc_Pcr    :00015625
    TxVc_AtmHeader:00000528
InitTcb(CH:0): tcbsize:48 allsize:6160 num:128
Memory request 6160 left 291216 ptr 9426E8BC
Call tn7sar_malloc_dma_xfer() addr:B426E8BC size:6160
Memory request 6160 left 285056 ptr 942700CC
Call tn7sar_malloc_dma_xfer() addr:B42700CC size:6160
InitRcb(CH:0): rcbsize:64 allsize:8208 num:128
Memory request 8208 left 276848 ptr 942718DC
Call tn7sar_malloc_dma_xfer() addr:B42718DC size:8208
Call halChannelSetup(), Ch:0
(HalCh->TxVc_VpOffset)=00000000
(HalCh->RxVc_VpOffset)=00000000
Install SAR handler ...
MAC Address: 00:04:e2:e2:b4:ab
br_MacAddress=00-04-E2-E2-B4-AA
Interface 3 ip = 192.168.2.1

MAC Address: 00:04:e2:e2:b4:aa
[VLAN] port: 0x000e vlan: 0x0007
[VLAN] ifno: 20 port: 1 vlan: 0x202c
[VLAN] ifno: 20 port: 2 vlan: 0x202a
[VLAN] ifno: 20 port: 3 vlan: 0x2026
time = 08/01/2003, 00:00:00
TRAP(linkUp) : send ok!
Interface 20 ip = 192.168.2.1

ruleCheck()> Group: 0,  Error: Useless rule index will be truncated
ruleCheck()> Group: 1,  Error: Useless rule index will be truncated
ruleCheck()> Group: 2,  Error: Useless rule index will be truncated
CBAC rule format check succeed !!
reqCBACBuf()> init match pool, Have: 1000
Memory Address: 0x94877cdc ~ 0x9487ea58
reqCBACBuf()> init timeGap pool, Have: 10000
Memory Address: 0x9487ea58 ~ 0x948af7ac
reqCBACBuf()> init sameHost pool, Have: 2000
Memory Address: 0x948af7ac ~ 0x948bf1cc
CBAC rule pool initialized !!
Init NAT data structure
RUNTASK id=1 if_task if0...
RUNTASK id=2 if_task if1...
RUNTASK id=3 if_task if3...
RUNTASK id=4 if_task if20...
RUNTASK id=5 timer_task...
RUNTASK id=6 conn_mgr...
RUNTASK id=7 period_task...

========== ADSL Modem initialization OK ! ======

Initializing DSL interface ...
Install ADSL handler ...
Start programming PLL for Sangam chip
clock_ ID = 0x00000009
Run DSP at the preset frequency
Begin DSP firmware Download ...
Section count 199
Not DSP PMEM/DMEM
Section Addr: 147f9c00 Section Length: 15448 
Special CO Profile found
Not DSP PMEM/DMEM
Section Addr: 147f2e00 Section Length: 12300 
Not DSP PMEM/DMEM
Section Addr: 147f8000 Section Length: 1186 
Not DSP PMEM/DMEM
Section Addr: 147f8800 Section Length: 4132 
Not DSP PMEM/DMEM
Section Addr: 147fdc00 Section Length: 924 
OVERLAY PAGE #1 LEN=56128
OVERLAY PAGE #2 LEN=22752
OVERLAY PAGE #8 LEN=2304
OVERLAY PAGE #7 LEN=32
OVERLAY PAGE #3 LEN=42848
OVERLAY PAGE #4 LEN=13504
OVERLAY PAGE #5 LEN=9664
OVERLAY PAGE #6 LEN=13760
OVERLAY PAGE #9 LEN=34560
OVERLAY PAGE #10 LEN=36672
Wrote Image; Overlay Pages:11  Profiles:5
POTS Service 
DSP Firmware Download completed.
Set DSP to 250MHz ...
Modem Co
TC_NOSYNC
de: 06.00.[Overlay Page Done  1]
04.00
Train Mode: 0xff
Training Mode: MMODE
RUNTASK id=8 dhcp_daemon...
RUNTASK id=9 telnetd_main...
Found PFS image@94f30000, uncompressed by boot-code!!
RUNTASK httpd...
RUNTASK id=13 dnsproxy...
RUNTASK id=14 rip...
RUNTASK id=15 ripout...
RUNTASK id=16 dhcpd_mgmt_task...
UPnP is enabled
UPNP Device initialize success! slot=17
Starting Multitask...
Start WatchDog ...
MTstart2() begin  ...
VLAN Port#1: IP=192.168.1.1
init psock cnt=2

Some extra info is available when entering the bootloader's hidden administrator mode using a serial console.

===========================================================
 TI ADSL AR7300 Loader 0.62 build Mar 30 2004 14:12:11
                 Broad Net Technology, INC.
===========================================================
INTEL TE28F160C3-B bottom boot 16-bit mode found

Copying boot params.....DONE

Press any key to enter command mode ...

[AR7300 Boot]:

======================
 [U] Upload to Flash  
 [E] Erase Flash      
 [G] Run Runtime Code 
 [A] Set MAC Address 
 [#] Set Serial Number 
 [V] Set Board Version 
 [H] Set Options 
 [P] Print Boot Params 
======================

[AR7300 Boot]:!

Enter Administrator Mode !

======================
 [U] Upload to Flash  
 [E] Erase Flash      
 [G] Run Runtime Code 
 [M] Upload to Memory 
 [R] Read from Memory 
 [W] Write to Memory  
 [T] Memory Test      
 [Y] Go to Memory     
 [A] Set MAC Address 
 [#] Set Serial Number 
 [V] Set Board Version 
 [H] Set Options 
 [P] Print Boot Params 
======================

[AR7300 Boot]:u

UPLOAD Flash
---------------------------------------
    Area            Address      Length 
---------------------------------------
[0] Boot            0xB0000000     128K
[1] Configuration   0xB0020000     128K
[2] Web Image       0xB0040000     832K
[3] Code Image      0xB0110000     896K
[4] Boot Params     0xB01F0000      64K
---------------------------------------
Enter area to UPLOAD: 

When the bootloader fails to load the OS, it reverts to an emergency kernel which sets up the recovery interface, through which new firmware can be uploaded. Here is the log for that process:

===========================================================
 TI ADSL AR7300 Loader 0.62 build Mar 30 2004 14:12:11
                 Broad Net Technology, INC.
===========================================================
INTEL TE28F160C3-B bottom boot 16-bit mode found

Copying boot params.....DONE

Press any key to enter command mode ...
Flash Checking fw-ui- Failed.

Unzipping web  at 0x94f30000 ... done
Unzipping code at 0x94000000 ... done
Boot ETCPIP running ...

In C_Entry() function ...
install_exception 
sys_irq_init 
system startup...
tcpip_startup...
INTEL TE28F160C3-B bottom boot 16-bit mode found
pBootParams=B01F0000
Set flash memory layout to BPARAMS+RECOVER_KERNEL
Bootcode version: 0.62
Serial number: S512033450
Hardware version: 01A
!!No configuration file present!!
default route: 0.0.0.0
BufferInit:
BUF_HDR_SZ=16 BUF_ALIGN_SZ=0 BUFFER_OFFSET=80
BUF_BUFSZ0=384 BUF_BUFSZ1=1632
NUM_OF_B0=500 NUM_OF_B1=500
BUF_POOL0_SZ=200000 BUF_POOL1_SZ=824000
Buf0_Block b432ff90  Buf1_Block b4266cc0
BUF0[0]=0xb432ff90 BUF1[0]=0xb4266cc0

buffer0 pointer init OK!
buffer1 pointer init OK!
init_if() ; gConfig.Interface[0].Link_Type is [4]
Interface 0 ip = 127.0.0.1

init_if() ; gConfig.Interface[1].Link_Type is [1]
MAC Address: 00:04:e2:e2:b4:aa
MAC1 [RX=128 TX=1]: TI External PHY
Interface 1 ip = 192.168.2.1

init_if() ; gConfig.Interface[2].Link_Type is [0]
RUNTASK id=1 if_task if0...
RUNTASK id=2 if_task if1...
RUNTASK id=3 timer_task...
RUNTASK id=4 period_task...
RUNTASK id=5 dhcp_daemon...
RUNTASK httpd...
RUNTASK id=8 dhcpd_mgmt_task...
Starting Multitask...
MTstart2() begin  ...
period_task running!!!
httpd: listen at 192.168.2.1:80
dhcpd_mgmt_task started...
period_task running 60
find a client = 192.168.2.100
period_task running 120
upgrade CGI > process content-type...
boundary=-----------------------------22843288965301486351941370
endbound=-----------------------------22843288965301486351941370--
content-length: 944491
lens_up=0, call recv(), recv() returned, lens_up=512...
remove 0xD, 0xA
remove 0xD, 0xA
remove 0xD, 0xA
remove 0xD, 0xA
remove 0xD, 0xA
remove 0xD, 0xA
parse file upload
value: FW_SMC7904BRA_053.bin
remove 0xD, 0xA
content-type upg_buf = Content-Type: application/octet-stream
remove 0xD, 0xA
enter receive loop...
#######################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################count=944138
comparing UI...
comparing FW...
found signature: 78h 56h 34h 12h
ulImgLens=183437, LENGTH[2]-12=851956
length checking OK
search_signature: image's lens = 184320
write to flash task...

update UI, length=183437...
INTEL TE28F160C3-B bottom boot 16-bit mode found
erase from location b0040000 done
erase from location b0050000 done
erase from location b0060000 done
erase from location b0070000 done
erase from location b0080000 done
erase from location b0090000 done
erase from location b00a0000 done
erase from location b00b0000 done
erase from location b00c0000 done
erase from location b00d0000 done
erase from location b00e0000 done
erase from location b00f0000 done
erase from location b0100000 done
write length 2cc8d
0123456789abfound signature: 78h 56h 34h 12h
ulImgLens=759109, LENGTH[3]-12=917492
length checking OK
search_signature: image's lens = 759808

update FW, length=759109...
INTEL TE28F160C3-B bottom boot 16-bit mode found
erase from location b0110000 done
erase from location b0120000 done
erase from location b0130000 done
erase from location b0140000 done
erase from location b0150000 done
erase from location b0160000 done
erase from location b0170000 done
erase from location b0180000 done
erase from location b0190000 done
erase from location b01a0000 done
erase from location b01b0000 done
erase from location b01efff4 done
write length b9545
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJK

JTAG

3crwdr100a-72_jtag.jpg

To enable JTAG functionality, you must short-circuit SHORT pins or put 100R resistor. (At your own risk)

The AR7 chip has a small memory banks on the chip : 4Kb PROM (@0xBFC00000) and 4Kb RAM (@0x80000000)

The FLASH is located at 0x90000000 (CS0) and RAM is located at 0x94000000 (CS1)

These address extracted from http://www.linux-mips.org/wiki/AR7#Memory+map:http://www.linux-mips.org/wiki/AR7#Memory map

See port.jtag and JTAG tools for more JTAG details.

Tags

toh/smc/smc7904.txt · Last modified: 2015/03/20 13:46 by Arnie