Thomson TG587N V2 / O2 Wireless Box IV

Also known as O2 Wireless Box IV.

The Thomson TG587N is an Broadcom MIPS-based ADSL router with 802.11bgn wireless and ADSL2+ support. It has a 4-port switch, and 2 wireless antennas out the back of the device.

There is no GPL Source code avalible to download. And they did quite a good job hiding that it used a Linux Kernel.

Manufacturer's site: www.technicolor.com
Distributor's site: service.o2.co.uk

1. downloads
2. Install OpenWrt, has a crippled bootloader

You will need to JTAG the device and change the bootloader first, or reserve engineer the encryption.

→ cfe Details about Broadcoms CFE's

The original Bootloader has a signature check which prevents you easily changing the firmware. Here is a copy of the original bootloader, and I have removed some checks to make it work. You will need jtag to replace it.
This CFE is not like normal Broadcom CFE's. You will have to correctly format the TFTP file. So use the BT HH 2A for ease, however details are provided below:

Here is a test using an adjusted Netgear DGN2200 firmware on the Thomson TG587n V2, using the original image format (without encryption). DGN2200 on a TG587nV2

→ generic.sysupgrade
If you have already installed OpenWrt and like to reflash for e.g. upgrading to a new OpenWrt version you can upgrade using the mtd command line tool. It is important that you put the firmware image into the ramdisk (/tmp) before you start flashing.

→ Basic configuration After flashing, proceed with this.
Set up your Internet connection, configure wireless, configure USB port, etc.

The default network configuration is:

This device does not have a WAN interface.

→ hardware.button on howto use and configure the hardware button(s).

→ System configuration: Leds

→ port.serial general information about the serial port, serial port cable, etc.

The serial is located at the bottom right of the PCB. You will need to bridge resistors R106 and R105 located near the WPA button. (9600, 8, N, 1)

→ port.jtag general information about the JTAG port, JTAG cable, etc.

There was good information on http://forums.modem-help.co.uk but the website appears to be down now.
Here is a document from the website: https://drive.google.com/file/d/0B4-Ln6UubyEeTGtCX2NBc3lLZTQ/
The jtag is located on the centre left of the board, 3.3v

Use zjtag to write the Bootloader/CFE, with the command line:

tjtag64 -flash:custom /window:1E000000 /start:1E000000 /length:10000 /bypass

However, you will probably need to Byte-Swap the file before you burn it.

Sometimes the image does not write correctly. And even more rarely, you might find it does not detect your flash any more.
This is probably cause by some corrupted bytes messing up the TLB memory map. So you might need to scan though a lot of the memory until you think you found the new Flash Base address.

vi /etc/init.d/led (Press esc then i)
just under the “start() {” function, add this:

# Turn off most gpio/leds
gpio=473
cd /sys/class/gpio
while [ $gpio -lt 486 ] ; do
	echo $gpio > export 2> /dev/null
	[ -d gpio${gpio} ] && {
		echo out > gpio$gpio/direction 2> /dev/null
		echo 0 > gpio$gpio/value 2> /dev/null
		echo $gpio > unexport 2> /dev/null
	}
	gpio=$((gpio+1))
done

Hold WPS during boot to start telnetd:
vi /etc/init.d/failsafesub (Press esc then i)

#!/bin/sh /etc/rc.common
START=12
start() {
	echo 509 > /sys/class/gpio/export
	echo in > /sys/class/gpio/gpio509/direction
	bVALUE=$(cat /sys/class/gpio/gpio509/value)
	echo 509 > /sys/class/gpio/unexport
	if [ "$bVALUE" == "0" ]; then
		echo WPS Failsafe Telnet Started > /dev/kmsg
		telnetd -l /bin/sh
	fi
}

chmod 0777 /etc/init.d/failsafesub
/etc/init.d/failsafesub enable