Thomson TG587N V2 / O2 Wireless Box IV

Devices with Broadcom WiFi chipsets have limited OpenWrt supportability (due to limited FLOSS driver availability for Broadcom chips). Consider this when choosing a device to buy, or when deciding to flash OpenWrt on your device because it is listed as supported. See Broadcom WiFi for details.

DSL will not work at all on devices with BCM63xx DSL chipset (due to unavailability of FLOSS driver for Broadcom chips). Consider this when choosing a device to buy, or when deciding to flash OpenWrt on your device because it is listed as supported.
See Broadcom DSL, Unsupported: DSL modem and Broadcom BCM63xx for details.

Also known as O2 Wireless Box IV.

The Thomson TG587N is an Broadcom MIPS-based ADSL router with 802.11bgn wireless and ADSL2+ support. It has a 4-port switch, and 2 wireless antennas out the back of the device.

Version/Model Launch Date OpenWrt Version Model Specific Notes
Thomson TG587N V2 2008 ? CHAOS CALMER RC1+ No openwrt ADSL support

There is no offical support for this device, and it appears to be the same as the BT Home Hub 2A. Please use that image, and you will need JTAG. The Ethernet, Wireless and USB works but the LEDs are incorrect.

There is no GPL Source code avalible to download. And they did quite a good job hiding that it used a Linux Kernel.

Ver CPU Ram Flash Network Wireless USB Serial JTag
v2 Broadcom BCM6358 300MHz 64MiB 16MiB 4 x LAN b/g/n 2 x 2.0 Yes Yes

Manufacturer's site:
Distributor's site:

  1. Install OpenWrt, has a crippled bootloader

You will need to JTAG the device and change the bootloader first, or reserve engineer the encryption.

Bootloader / CFE

cfe Details about Broadcoms CFE's

The original Bootloader has a signature check which prevents you easily changing the firmware. Here is a copy of the original bootloader, and I have removed some checks to make it work. You will need jtag to replace it.
This CFE is not like normal Broadcom CFE's. You will have to correctly format the TFTP file. So use the BT HH 2A for ease, however details are provided below:

Adjusted Thomson CFE (contains some default values)

Offset Len Example Data
0 9 “BLI223UX0”
20 2 “O2” (Just Branding)
32 4 0x01020304 (Version)
42 2 0x0164 (Header Length)
44 4 0x008ACE4F (Data Length)
48 4 0xDEADBEEF (CRC32, Ignore)
308 1 0x08 (Type of field to follow)
309 1 0x06 (Length of field)
310 6 “CANT-8”
316 19 > 0x09 + 0x11 + “Thomson TG587n v2”
335 5 > 0x20 + 0x03 + “200”
340 10 > 0x0A + 0x08 + “TG587nv2”
350 6 > 0x81 + 0x04 + 0xBE040000 (Flash Start Address)
356 6 > 0xb0 + “MUTE” + 0x06
378 6 > 0xb6 + “LINU” + 0x0A
388 X Start of LZMA compressed Linux Kernel, starting with 0x5D000020
X X Squash FS / JFFS2
X X Various Board Info
Footer 77 “ipkg2_sign(in=3=1234567[byte], out=1=1234923[byte]) (ipkg2-header=356[byte])” + 0x0A

Here is a test using an adjusted Netgear DGN2200 firmware on the Thomson TG587n V2, using the original image format (without encryption). DGN2200 on a TG587nV2

If you have already installed OpenWrt and like to reflash for e.g. upgrading to a new OpenWrt version you can upgrade using the mtd command line tool. It is important that you put the firmware image into the ramdisk (/tmp) before you start flashing.

Basic configuration After flashing, proceed with this.
Set up your Internet connection, configure wireless, configure USB port, etc.

The default network configuration is:

Interface Name Description Default configuration
br-lan LAN & WiFi
vlan1 (eth0.1) LAN ports (1 to 4) None
wlan0 WiFi Disabled

This device does not have a WAN interface.

hardware.button on howto use and configure the hardware button(s).

RESET (504) 2, Active Low
WPS (504) 5, Active Low

System configuration: Leds

Label GPIO
WLAN, Red (456) 0
POWER, Red (472) 3
WLAN, Green (472) 7
INET, Red (472) 9
WPS, Red (472) 11
WPS, Green (472) 12
POWER, Green
INET, Green
Back LAN Port Leds, all on (472) 14
Internal Board Reset (472) 27
Instruction set MIPS
Vendor Broadcom
bootloader cfe
Board ID: CANT-8
System-On-Chip BCM6358
CPU @Frq BMIPS4350 V1.0 @300MHz
Flash size 8 bit, NOR, 16384 KiB
Flash Chip S29GL128P90TFCR2
RAM size 64 MiB
RAM Chip H5DU5162ETR-E3C
Wireless On board: Broadcom BCM4322 (B43) 802.11b/g/n (14e4:4322)
switch distinct Chip: BCM5325EKQMG
USB 2 x 2.0
PSU 22V DC 818mA / Wall Socket Plug
Serial Yes

Main PCB

port.serial general information about the serial port, serial port cable, etc.

The serial is located at the bottom right of the PCB. You will need to bridge resistors R106 and R105 located near the WPA button. (9600, 8, N, 1)

port.jtag general information about the JTAG port, JTAG cable, etc.

There was good information on but the website appears to be down now.
Here is a document from the website:
The jtag is located on the centre left of the board, 3.3v

Pin Desc
2 TRST (Ignore)
5 Gnd
8 Gnd

Use zjtag to write the Bootloader/CFE, with the command line:

tjtag64 -flash:custom /window:1E000000 /start:1E000000 /length:10000 /bypass

However, you will probably need to Byte-Swap the file before you burn it.

Possible problem:

Sometimes the image does not write correctly. And even more rarely, you might find it does not detect your flash any more.
This is probably cause by some corrupted bytes messing up the TLB memory map. So you might need to scan though a lot of the memory until you think you found the new Flash Base address.

Turn off most of the leds when booting

vi /etc/init.d/led (Press esc then i)
just under the “start() {” function, add this:

# Turn off most gpio/leds
cd /sys/class/gpio
while [ $gpio -lt 486 ] ; do
	echo $gpio > export 2> /dev/null
	[ -d gpio${gpio} ] && {
		echo out > gpio$gpio/direction 2> /dev/null
		echo 0 > gpio$gpio/value 2> /dev/null
		echo $gpio > unexport 2> /dev/null

Failsafe substitute

Hold WPS during boot to start telnetd:
vi /etc/init.d/failsafesub (Press esc then i)

#!/bin/sh /etc/rc.common
start() {
	echo 509 > /sys/class/gpio/export
	echo in > /sys/class/gpio/gpio509/direction
	bVALUE=$(cat /sys/class/gpio/gpio509/value)
	echo 509 > /sys/class/gpio/unexport
	if [ "$bVALUE" == "0" ]; then
		echo WPS Failsafe Telnet Started > /dev/kmsg
		telnetd -l /bin/sh

chmod 0777 /etc/init.d/failsafesub
/etc/init.d/failsafesub enable

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2020/12/21 14:54
  • by danitool