SMC SMC7904WBRA

The device is based on the Texas Instruments AR7.

Similar devices

3Com sells the very same hardware as 3CRWDR100A-72. Philips sells it as Philips SNA6600, SNA6500, SNV6520. Belgacom has branded it “Belgacom ADSL wireless”. See http://www.zoobab.com/philips-sna6600

SMC has a variant without the Mini-PCI WLAN card, the SMC7904BRA. All hardware is identical to the point that there are connection points where the Mini-PCI interface should be on the PCB, only the socket and card are missing.

These routers belong to the large family of AR7-based devices, in particular the subfamily that uses early versions of the 'Broad Net' BRN bootloader and a VxWorks-based OS called “SuperTask!”. Characteristic of this bootloader is that it only accepts firmware packaged in a very specific way, namely zipped files named soho.bin (“runtime code”, i.e. the kernel) and pfs.img (“user interface”, i.e. filesystem).

Other devices in this family include: Belkin F5D7632-4 v3, Belkin F5D7630, Buffalo BBR-4MG, Ozenda/Arcadyan AR4505GW, AR4505KW, Sinus 154 DSL, Sinus 154 DSL Basic SE, Sinus 154 DSL Basic 3, Sinus 154 DSL Komfort, Siemens SX541, Siemens SE555, SMC7004VBR, SMC7004VWBR, SMC7004ABR V2, SMC7004FW, SMC7004WFW, SMC2804WBR V1, SMC 7904WBRB2, SMC 7908VoWBRB, NorthQ9100. Since the bootloader is one of the main obstacles in running custom firmware on these devices, a lot of work done on the other devices can be used for the SMC7904WBRA.

There has been some OpenWrt progress with the SX541, see http://bs.netgaroo.com/sx541/ and http://www.ip-phone-forum.de/showthread.php?t=72010

See also Siemens SX551, AR7300-based with a BRN bootloader.

RouterTech firmware is not supported on these devices due to their bootloader. (See http://www.routertech.org/viewtopic.php?f=16&t=3739&p=47109 )

There used to be a German project that got a stripped version of OpenWrt running on the SX541, Sinus 154 DSL SE, Sinus 154 DSL Basic SE and Sinus 154 DSL Basic 3 - all of which have the same AR7 CPU and Broad Net Inc bootloader. See https://web.archive.org/web/20110811162345/http://ar7-firmware.berlios.de/ and http://sourceforge.net/projects/ar7-firmware.berlios/

Old versions of BRNBoot on these router types still allow crossflashing. With an update to bootloader version 0.69.2 or higher this will be blocked. More info in this Dutch post: http://userbase.be/forum/viewtopic.php?p=377181#p377181

OpenWrt status

Untested, probably unsupportable due to the limited flash storage.

Hardware Highlights

CPU                 Ram    Flash   Network   USB   Serial   JTag
AR7 TNETD7300AGDW   16MB   2MiB    4 x 1     No    Yes      Yes

Basic hardware info

The device has the following connectors on the rear (left to right).

  • Auxiliary antenna.
  • ADSL input connector.
  • Power connector (12V 1.2A).
  • Reset button.
  • Large On/Off button.
  • 4 numbered RJ45 10/100 MBit connectors.
  • Main antenna.

Hardware

Main processor

The main processor is a Texas Instruments TNETD7300AGDW, an AR7 that should work with the target.ar7 of OpenWrt (as yet untested).

Memory

Onboard is a PSC A2V28S40BTP 8M x 16 (128 MBit) SDRAM memory chip. See PSC SDRAM products.

Flash

The flash chip is an Intel TE28F160C3-B 16Mbit (2MiB) 3.0V Flash memory.

Switch chip

The internal switch is a Marvell 88E6060-RCJ 6-port (4 external, 1 to the router itself, 1 unused) 10/100 switch with autosensing.

Wireless card

The wireless chip on the Mini-PCI card is a Texas Instruments TNETW1130GVF, also known as the ACX111 chipset.

Photos

SMC7904WBRA

(SDRAM chip is on the backside.)

Telnet and recovery web interface

Note that the default firmware accepts telnet connections from the LAN. The login should be 'admin' or 'root' with whatever password you have set in the web interface. (Default password is 'smcadmin'.) Sometimes the telnet port may be at 8081. Although the telnet interface allows you to configure the device to accept firmware from TFTP, these uploads are still checked for compliance with the BRN bootloader's demands, just as they would be through the web interface.

The only exception found so far is when upgrading “web_image” - for example openwrt-ar7-2.4-runtime-lzma-SINUS154_DSL_BASIC_SE.bin can be uploaded through this option. After a reboot the device presents its very basic recovery web interface at 192.168.2.1 that accepts files as “Runtime Code”, “Firmware”, “User interface” and “Boot Loader” - but still performs checks. This recovery interface would be a good way to upload custom firmwares since the Ethernet connection (with DHCP!) makes it fast and easy (you don't even have to open the case).

To restore the original firmware e.g. FW_SMC7904BRA_053.bin (it is actually a zip file containing soho.bin and pfs.img plus an additional signature), upload it as “Runtime Code” using the recovery interface.

Serial

A serial console can be connected to J4.

The serial signals are at a 3.3V level, so you need to use a level converter, see port.serial

Be careful that your serial interface doesn't backfeed into the modem's PCB when you have the modem's power turned off. When this happens you will notice the modem's LEDs flashing rapidly (despite the modem not being connected to mains) and your converter getting warm.

The serial signal itself is 115200 baud, 8 databits, 1 stopbit, no parity (8N1).

The pinout for the serial is

pin signal
1 Not Connected
2 Not Connected
3 RX
4 Not Connected
5 TX
6 Not Connected
7 Not Connected
8 Not Connected
9 GND
10 VCC +3.3V

Disposition on the board:

9 7 5 3 1
10 8 6 4 2

Bootlogs

The bootlog shows some minor software differences with the 3Com 3CRWDR100A-72, which is otherwise identical in hardware.

===========================================================
TI ADSL AR7300 Loader 0.62 build Mar 30 2004 14:12:11
Broad Net Technology, INC.
===========================================================
INTEL TE28F160C3-B bottom boot 16-bit mode found
Copying boot params.....DONE
Press any key to enter command mode ...
Flash Checking Passed.
Unzipping program from bank 2...done
Try to find image for running...
Unzipping program from bank 3...done
In C_Entry() function ...
install_exception
sys_irq_init() ...
##### _ftext = 0x94000000
##### _fdata = 0x941B1470
##### __bss_start = 0x941EE9D8
##### end = 0x948C08BC
##### Backup Data from 0x941B1470 to 0x948E08BC~0x9491DE24 len 251240
##### Backup Data completed
##### Backup Data verified
[INIT] System Log Pool startup ...
[INIT] MTinitialize ..
userclk_init() ...
Runtime code version: 0.53
System startup...
[INIT] Memory COLOR 0, 800000 bytes ..
[INIT] Memory COLOR 2, 325480 bytes ..
DSL HAL Version: 06.00.01.00
Sangam detected, rev 0x21
timecode=4280182
set dspfreq 250Mhz
Sangam clock boost 250
REG_VSERCLKSELR<-0x01
Enable Analog PLL
SAR_FREQUNCY = 62500000Hz
manu_id=89 chip_id=88c3
INTEL TE28F160C3-B bottom boot 16-bit mode found
Boot Parameters found !!!
Bootcode version: 0.62
Serial number: S512033450
Hardware version: 01A
sizeof(struct III_Config_t) is 76652
manu_id=89 chip_id=88c3
INTEL TE28F160C3-B bottom boot 16-bit mode found
ruleExt[17] is for SSL
default route: 0.0.0.0
BufferInit:
BUF_HDR_SZ=48 BUF_ALIGN_SZ=12 BUFFER_OFFSET=112
BUF_BUFSZ0=384 BUF_BUFSZ1=1872
NUM_OF_B0=0 NUM_OF_B1=1000
BUF_POOL0_SZ=0 BUF_POOL1_SZ=1920000
sizeof(BUFFER0)=432,sizeof(BUFFER1)=1920
*BUF0=0x945ca754 *BUF1=0x943f5b44
Altgn *BUF0=0x945ca760 *BUF1=0x943f5b50
End at BUF0:0x945ca760, BUF1:0x945ca750
BUF0[0]=0x945ca760 BUF1[0]=0x943f5b50
buffer0 pointer init OK!
buffer1 pointer init OK!
time = 08/01/2003, 00:00:00
TRAP(linkUp) : send ok!
Interface 0 ip = 127.0.0.1
Memory request 2072 left 297928 ptr 9426DE7C
Call tn7sar_malloc_dma_xfer() addr:B426DE7C size:2072
MAC1 [RX=128 TX=1]: TI External PHY
MAC Address: 00:04:e2:e2:b4:aa
[VLAN] port: 0x0001 vlan: 0x0008
[VLAN] ifno: 1 port: 4 vlan: 0x1020
time = 08/01/2003, 00:00:00
TRAP(linkUp) : send ok!
br_MacAddress=00-04-E2-E2-B4-AA
Interface 1 ip = 192.168.1.1
Init SAR ifno:3 chan:0 VPI/VCI:0/33
Init PDSP ...
Init PDSP done.
Memory request 552 left 297376 ptr 9426E694
Call tn7sar_malloc() addr:B426E694 size:552
[aal5->os]2.IsrRegister(OsDev:941eec9c, halIsr:940bf644, Interrupt:15)
[aal5]halControl(HalDev:94853f20, Key:OamMode, Action:Set, Value:948e072c)
[aal5]halChannelSetup(HalDev:94853f20, HalCh:948e0670, OsSetup:00000000)
[aal5 Inst 0, Ch 0] Config Dump:
TxNumBuffers :00000128, TxNumQueues :00000002
RxNumBuffers :00000128, RxBufSize :00001582
TxServiceMax :00000032, RxServiceMax:00000016
RxBufferOffset:00000000, DaMask :00000001
CpcsUU :00000005, Gfc :00000000
Clp :00000000, Pti :00000000
Priority :00000002, PktType :00000000
Vci :00000033, Vpi :00000000
TxVc_CellRate :00015625, TxVc_QosType:00000002
TxVc_Mbs :00004000, TxVc_Pcr :00015625
TxVc_AtmHeader:00000528
InitTcb(CH:0): tcbsize:48 allsize:6160 num:128
Memory request 6160 left 291216 ptr 9426E8BC
Call tn7sar_malloc_dma_xfer() addr:B426E8BC size:6160
Memory request 6160 left 285056 ptr 942700CC
Call tn7sar_malloc_dma_xfer() addr:B42700CC size:6160
InitRcb(CH:0): rcbsize:64 allsize:8208 num:128
Memory request 8208 left 276848 ptr 942718DC
Call tn7sar_malloc_dma_xfer() addr:B42718DC size:8208
Call halChannelSetup(), Ch:0
(HalCh->TxVc_VpOffset)=00000000
(HalCh->RxVc_VpOffset)=00000000
Install SAR handler ...
MAC Address: 00:04:e2:e2:b4:ab
br_MacAddress=00-04-E2-E2-B4-AA
Interface 3 ip = 192.168.2.1
MAC Address: 00:04:e2:e2:b4:aa
[VLAN] port: 0x000e vlan: 0x0007
[VLAN] ifno: 20 port: 1 vlan: 0x202c
[VLAN] ifno: 20 port: 2 vlan: 0x202a
[VLAN] ifno: 20 port: 3 vlan: 0x2026
time = 08/01/2003, 00:00:00
TRAP(linkUp) : send ok!
Interface 20 ip = 192.168.2.1
ruleCheck()> Group: 0, Error: Useless rule index will be truncated
ruleCheck()> Group: 1, Error: Useless rule index will be truncated
ruleCheck()> Group: 2, Error: Useless rule index will be truncated
CBAC rule format check succeed !!
reqCBACBuf()> init match pool, Have: 1000
Memory Address: 0x94877cdc ~ 0x9487ea58
reqCBACBuf()> init timeGap pool, Have: 10000
Memory Address: 0x9487ea58 ~ 0x948af7ac
reqCBACBuf()> init sameHost pool, Have: 2000
Memory Address: 0x948af7ac ~ 0x948bf1cc
CBAC rule pool initialized !!
Init NAT data structure
RUNTASK id=1 if_task if0...
RUNTASK id=2 if_task if1...
RUNTASK id=3 if_task if3...
RUNTASK id=4 if_task if20...
RUNTASK id=5 timer_task...
RUNTASK id=6 conn_mgr...
RUNTASK id=7 period_task...
========== ADSL Modem initialization OK ! ======
Initializing DSL interface ...
Install ADSL handler ...
Start programming PLL for Sangam chip
clock_ ID = 0x00000009
Run DSP at the preset frequency
Begin DSP firmware Download ...
Section count 199
Not DSP PMEM/DMEM
Section Addr: 147f9c00 Section Length: 15448
Special CO Profile found
Not DSP PMEM/DMEM
Section Addr: 147f2e00 Section Length: 12300
Not DSP PMEM/DMEM
Section Addr: 147f8000 Section Length: 1186
Not DSP PMEM/DMEM
Section Addr: 147f8800 Section Length: 4132
Not DSP PMEM/DMEM
Section Addr: 147fdc00 Section Length: 924
OVERLAY PAGE #1 LEN=56128
OVERLAY PAGE #2 LEN=22752
OVERLAY PAGE #8 LEN=2304
OVERLAY PAGE #7 LEN=32
OVERLAY PAGE #3 LEN=42848
OVERLAY PAGE #4 LEN=13504
OVERLAY PAGE #5 LEN=9664
OVERLAY PAGE #6 LEN=13760
OVERLAY PAGE #9 LEN=34560
OVERLAY PAGE #10 LEN=36672
Wrote Image; Overlay Pages:11 Profiles:5
POTS Service
DSP Firmware Download completed.
Set DSP to 250MHz ...
Modem Co TC_NOSYNC de: 06.00.[Overlay Page Done 1] 04.00
Train Mode: 0xff
Training Mode: MMODE
RUNTASK id=8 dhcp_daemon...
RUNTASK id=9 telnetd_main...
Found PFS image@94f30000, uncompressed by boot-code!!
RUNTASK httpd...
RUNTASK id=13 dnsproxy...
RUNTASK id=14 rip...
RUNTASK id=15 ripout...
RUNTASK id=16 dhcpd_mgmt_task...
UPnP is enabled
UPNP Device initialize success!
slot=17
Starting Multitask...
Start WatchDog ...
MTstart2() begin ...
VLAN Port#1: IP=192.168.1.1
init psock cnt=2


Some extra info is available when entering the bootloader's hidden administrator mode using a serial console.

===========================================================
TI ADSL AR7300 Loader 0.62 build Mar 30 2004 14:12:11
Broad Net Technology, INC.
===========================================================
INTEL TE28F160C3-B bottom boot 16-bit mode found
Copying boot params.....DONE
Press any key to enter command mode ...
[AR7300 Boot]:
======================
[U] Upload to Flash
[E] Erase Flash
[G] Run Runtime Code
[A] Set MAC Address
[#] Set Serial Number
[V] Set Board Version
[H] Set Options
[P] Print Boot Params
======================
[AR7300 Boot]:!
Enter Administrator Mode !
======================
[U] Upload to Flash
[E] Erase Flash
[G] Run Runtime Code
[M] Upload to Memory
[R] Read from Memory
[W] Write to Memory
[T] Memory Test
[Y] Go to Memory
[A] Set MAC Address
[#] Set Serial Number
[V] Set Board Version
[H] Set Options
[P] Print Boot Params
======================
[AR7300 Boot]:u
UPLOAD Flash
---------------------------------------
    Area            Address      Length
---------------------------------------
[0] Boot            0xB0000000   128K
[1] Configuration   0xB0020000   128K
[2] Web Image       0xB0040000   832K
[3] Code Image      0xB0110000   896K
[4] Boot Params     0xB01F0000   64K
---------------------------------------
Enter area to UPLOAD:


When the bootloader fails to load the OS, it reverts to an emergency kernel which sets up the recovery interface, through which new firmware can be uploaded. Here is the log for that process:

===========================================================
TI ADSL AR7300 Loader 0.62 build Mar 30 2004 14:12:11
Broad Net Technology, INC.
===========================================================
INTEL TE28F160C3-B bottom boot 16-bit mode found
Copying boot params.....DONE
Press any key to enter command mode ...
Flash Checking fw-ui- Failed.
Unzipping web at 0x94f30000 ... done
Unzipping code at 0x94000000 ... done
Boot ETCPIP running ...
In C_Entry() function ...
install_exception
sys_irq_init
system startup...
tcpip_startup...
INTEL TE28F160C3-B bottom boot 16-bit mode found
pBootParams=B01F0000
Set flash memory layout to BPARAMS+RECOVER_KERNEL
Bootcode version: 0.62
Serial number: S512033450
Hardware version: 01A
!!No configuration file present!!
default route: 0.0.0.0
BufferInit:
BUF_HDR_SZ=16 BUF_ALIGN_SZ=0 BUFFER_OFFSET=80
BUF_BUFSZ0=384 BUF_BUFSZ1=1632
NUM_OF_B0=500 NUM_OF_B1=500
BUF_POOL0_SZ=200000 BUF_POOL1_SZ=824000
Buf0_Block b432ff90 Buf1_Block b4266cc0
BUF0[0]=0xb432ff90 BUF1[0]=0xb4266cc0
buffer0 pointer init OK!
buffer1 pointer init OK!
init_if() ; gConfig.Interface[0].Link_Type is [4]
Interface 0 ip = 127.0.0.1
init_if() ; gConfig.Interface[1].Link_Type is [1]
MAC Address: 00:04:e2:e2:b4:aa
MAC1 [RX=128 TX=1]: TI External PHY
Interface 1 ip = 192.168.2.1
init_if() ; gConfig.Interface[2].Link_Type is [0]
RUNTASK id=1 if_task if0...
RUNTASK id=2 if_task if1...
RUNTASK id=3 timer_task...
RUNTASK id=4 period_task...
RUNTASK id=5 dhcp_daemon...
RUNTASK httpd...
RUNTASK id=8 dhcpd_mgmt_task...
Starting Multitask...
MTstart2() begin ...
period_task running!!!
httpd: listen at 192.168.2.1:80
dhcpd_mgmt_task started...
period_task running 60
find a client = 192.168.2.100
period_task running 120
upgrade CGI > process content-type...
boundary=-----------------------------22843288965301486351941370
endbound=-----------------------------22843288965301486351941370--
content-length: 944491
lens_up=0, call recv(), recv() returned, lens_up=512...
remove 0xD, 0xA
remove 0xD, 0xA
remove 0xD, 0xA
remove 0xD, 0xA
remove 0xD, 0xA
remove 0xD, 0xA
parse file upload value: FW_SMC7904BRA_053.bin
remove 0xD, 0xA
content-type upg_buf = Content-Type: application/octet-stream
remove 0xD, 0xA
enter receive loop...
################################[...]################################count=944138
comparing UI...
comparing FW...
found signature: 78h 56h 34h 12h
ulImgLens=183437, LENGTH[2]-12=851956
length checking OK
search_signature: image's lens = 184320
write to flash task...
update UI, length=183437...
INTEL TE28F160C3-B bottom boot 16-bit mode found
erase from location b0040000 done
erase from location b0050000 done
erase from location b0060000 done
erase from location b0070000 done
erase from location b0080000 done
erase from location b0090000 done
erase from location b00a0000 done
erase from location b00b0000 done
erase from location b00c0000 done
erase from location b00d0000 done
erase from location b00e0000 done
erase from location b00f0000 done
erase from location b0100000 done
write length 2cc8d
0123456789abfound signature: 78h 56h 34h 12h
ulImgLens=759109, LENGTH[3]-12=917492
length checking OK
search_signature: image's lens = 759808
update FW, length=759109...
INTEL TE28F160C3-B bottom boot 16-bit mode found
erase from location b0110000 done
erase from location b0120000 done
erase from location b0130000 done
erase from location b0140000 done
erase from location b0150000 done
erase from location b0160000 done
erase from location b0170000 done
erase from location b0180000 done
erase from location b0190000 done
erase from location b01a0000 done
erase from location b01b0000 done
erase from location b01efff4 done
write length b9545
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJK
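
The sizes in the bootloader's UPLOAD Flash table and the length checks in the recovery log above can be cross-checked against each other, which is a useful sanity test before uploading an image to one of these areas. The following is an added example, not code from the original page or from the firmware; it assumes that `LENGTH[n]` in the log is the size of flash area n and that the 12 subtracted bytes are reserved at the end of that area.

```python
import re

# Constructed sample: lines copied from the bootloader menu and recovery log on this page.
SAMPLE_LOG = """\
[0] Boot 0xB0000000 128K
[1] Configuration 0xB0020000 128K
[2] Web Image 0xB0040000 832K
[3] Code Image 0xB0110000 896K
[4] Boot Params 0xB01F0000 64K
found signature: 78h 56h 34h 12h
ulImgLens=183437, LENGTH[2]-12=851956
found signature: 78h 56h 34h 12h
ulImgLens=759109, LENGTH[3]-12=917492
"""

AREA_RE = re.compile(r"\[(\d+)\]\s+(.+?)\s+0x([0-9A-Fa-f]{8})\s+(\d+)K")
CHECK_RE = re.compile(r"ulImgLens=(\d+),\s*LENGTH\[(\d+)\]-(\d+)=(\d+)")


def parse_areas(text):
    """Return {index: (name, start_address, size_bytes)} from the UPLOAD Flash table."""
    return {int(i): (name, int(addr, 16), int(kib) * 1024)
            for i, name, addr, kib in AREA_RE.findall(text)}


def layout_problems(areas):
    """Report gaps or overlaps between consecutive flash areas."""
    ordered = sorted(areas.values(), key=lambda a: a[1])
    return [f"{n1} ends at {s1 + z1:#x} but {n2} starts at {s2:#x}"
            for (n1, s1, z1), (n2, s2, _) in zip(ordered, ordered[1:])
            if s1 + z1 != s2]


def check_uploads(text, areas):
    """Redo the logged length check (assumption: LENGTH[n] is the size of area n)."""
    results = []
    for img_len, idx, reserve, limit in CHECK_RE.findall(text):
        name, _, size = areas[int(idx)]
        img_len, reserve, limit = int(img_len), int(reserve), int(limit)
        results.append({
            "area": name,
            "limit_matches_table": size - reserve == limit,
            "fits": img_len <= limit,
            "spare_bytes": limit - img_len,
        })
    return results


if __name__ == "__main__":
    areas = parse_areas(SAMPLE_LOG)
    print(layout_problems(areas) or "flash areas are contiguous")
    print("mapped flash:", sum(a[2] for a in areas.values()) // 1024, "KiB")
    for result in check_uploads(SAMPLE_LOG, areas):
        print(result)
```

On the sample, the five areas are contiguous and add up to the 2MiB of the flash chip, and both logged limits equal the table size of the area minus 12 bytes.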


JTAG

3crwdr100a-72_jtag.jpg

To enable JTAG functionality, you must short-circuit the SHORT pins or fit a 100R resistor (at your own risk).

The AR7 chip has small on-chip memory banks: 4Kb PROM (@0xBFC00000) and 4Kb RAM (@0x80000000).

The FLASH is located at 0x90000000 (CS0) and RAM is located at 0x94000000 (CS1).

These addresses were extracted from http://www.linux-mips.org/wiki/AR7#Memory+map

See port.jtag and JTAG tools for more JTAG details.

toh/smc/smc7904.txt · Last modified: 2018/06/08 15:55 by tmomas