Introduction:
The RCA Broadband Cable Modem is a very popular DOCSIS 1.0/1.1 capable
modem that is deployed across North America and throughout Europe
(though relabeled in Europe under its parent company Thomson).

The following tutorial explains how to implement a modification that
will enable a secret menu known as the Developer's Menu. This secret
menu is a program that runs in the bootloader (the program that is
executed before the main firmware image) and allows you to execute many
low-level functions, such as writing/reading data to and from memory, or
changing the MAC address.

This hack has been successfully tested on the RCA 245 / 305 model and
the Thomson 290 model. It may work on other models, but I recommend that
you check our online forum for additional help/questions. Proceed with
caution when performing the methods described on this website because
they will void your modem's warranty and may physically damage it beyond
repair.

TCM290
Step 1:
Open the modem
You will need a T10 screwdriver to get the case open. There are 2
visible screws and 1 screw under a "Warranty Void" sticker. Gently open
the case so as not to break the plastic clips near the LEDs.
Once opened, examine the board.

Step 2:
Install an RS-232 to TTL converter
You will need to solder an RS-232 to TTL converter cable to the 4 holes
shown here. For more information about this type of interfacing cable,
please see this portion of our website.
Finished connection using an RS-232 to TTL converter cable:

Step 3:
Boot modem
Use HyperTerminal or Etherboot to boot the modem. In HyperTerminal, set
Baud rate: 19200, Data bits: 8, Parity: None, Stop bits: 1 and
Flow control: None. In Etherboot, set your modem type to "RCA". First
start your software, then plug in the power. If you did everything
correctly, you should see a boot screen similar to this one:
CM2cr Loader Version 0x04/0x01
Header1 CRC = 0xA18B0EB9
Header1 status = OK (ST.12.07.00)
Header2 status = 0x01
Appl Code1 CRC = 0x093F22E9
Appl Code1 status = OK
Decompressing SW Ver: ST.12.07.00 DONE!
Boot Loader DONE!...
CM2cr2:
Step 4:
Short EEPROM
The EEPROM is located at the middle-top side of the board, above the
flash and DRAM chips. Typically this is a 24c16 type, or a 24wc16j. This
chip holds exactly 16 kilobits, or 2 kilobytes, of data.

This is different from your FLASH, which is used to hold your modem's
firmware. Once you have located this chip, you need to solder a single
wire to pin 5, which is the SDA pin (the serial data line that carries
both addresses and data), and short it to any ground on the modem. I
prefer to ground it on the metal flap on the back of the Ethernet jack.
This is a very interesting hack; with the SDA pin grounded, the modem
will not be able to read or write data to and from the EEPROM. The modem
will panic and give you a diagnostic console (left over from the
development process).

The menu is easy to navigate; you type the number or letter of the
option you want to run. The first thing we want to do is program the
EEPROM to permanently enable the Developer's Menu. Hit 4 on your
keyboard and press enter. You will be given the option to hit E, which
will let you run E2PROM tests:
E2PROM Exerciser Menu
A - Read All 8 blocks from E2PROM
B - Read 256-byte block from E2PROM
D - Fill E2PROM with dummy values
F - Initialize E2PROM to all 0xFF's
P - Read 16-byte page from E2PROM
R - Read byte from E2PROM
W - Write byte to E2PROM
1 - Test E2PROM mem allocation.
-------------------------------------------------------------
0 - Exit menu and continue
Step 5: Enable the Developer's Menu
To do this, all you need to do is write the value 0xFACE to address
0x5E5 of the EEPROM. This location is normally filled with 0xFFFF. The
hex dump below shows the data:

Address 0x5E5   FFFF = Normal
                FACE = Developer's Menu

When we shorted the SDA pin on the EEPROM, the modem could not read or
write properly to the device. So, while the modem is still running, you
must un-ground the pin. This is why it was important not to solder both
ends! Once pin 5 is no longer grounded, you can enable the menu by
writing the 2 bytes separately:
->W
Enter E2PROM address (3 hex digits): 5E5
Enter E2PROM value (2 hex digits): FA
->W
Enter E2PROM address (3 hex digits): 5E6
Enter E2PROM value (2 hex digits): CE
That's it! Exit this menu by hitting 0 and rebooting the modem. Turn off
the modem and remove the wire that you soldered to the EEPROM. Now, when
the modem boots, it will automatically have the Developer's Menu! With
this menu, you can run all sorts of debug commands, such as changing the
MAC addresses and upgrading the firmware. The menu does differ depending
on which bootloader you have installed.
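
A check for the flag described in Step 5, as an added example that is not part of the original tutorial: given a full 2 KB image of the EEPROM, it reports whether the two bytes at 0x5E5 hold FFFF or FACE, and shows which block and page the B and P menu options would have to read to see them. The function names, the sample images and the standard 24C16 I2C addressing are assumptions of this example.

```python
# Added example (not from the original tutorial): audit a 24C16 EEPROM image.
EEPROM_SIZE = 2048   # 16 kilobits = 2 kilobytes, as stated in Step 4
BLOCK_SIZE = 256     # menu option B reads one 256-byte block (8 blocks total)
PAGE_SIZE = 16       # menu option P reads one 16-byte page
FLAG_ADDR = 0x5E5    # flag address given in Step 5
FLAG_NORMAL = bytes.fromhex("FFFF")
FLAG_DEV_MENU = bytes.fromhex("FACE")


def locate(addr):
    """Return (block, page within block, offset within page) for an address."""
    if not 0 <= addr < EEPROM_SIZE:
        raise ValueError(f"address {addr:#x} is outside the 2 KB part")
    block, in_block = divmod(addr, BLOCK_SIZE)
    page, offset = divmod(in_block, PAGE_SIZE)
    return block, page, offset


def i2c_target(addr):
    """Return (7-bit I2C device address, word address) a 24C16 uses for addr.

    Assumption: standard 24C16 addressing, where the three block bits are
    carried in the device address (0x50 | block) rather than in a second byte.
    """
    block, _, _ = locate(addr)
    return 0x50 | block, addr % BLOCK_SIZE


def menu_state(image):
    """Classify the two flag bytes of a full EEPROM dump."""
    if len(image) != EEPROM_SIZE:
        raise ValueError(f"expected {EEPROM_SIZE} bytes, got {len(image)}")
    flag = bytes(image[FLAG_ADDR:FLAG_ADDR + 2])
    if flag == FLAG_NORMAL:
        return "normal"
    if flag == FLAG_DEV_MENU:
        return "developer-menu"
    return f"unexpected:{flag.hex().upper()}"   # e.g. only one byte written


# Constructed sample images (not dumps from a real modem).
BLANK = bytes([0xFF]) * EEPROM_SIZE
MODIFIED = BLANK[:FLAG_ADDR] + FLAG_DEV_MENU + BLANK[FLAG_ADDR + 2:]
HALF_WRITTEN = BLANK[:FLAG_ADDR] + b"\xFA" + BLANK[FLAG_ADDR + 1:]

if __name__ == "__main__":
    for name, img in (("blank", BLANK), ("modified", MODIFIED), ("half", HALF_WRITTEN)):
        print(name, menu_state(img), locate(FLAG_ADDR), i2c_target(FLAG_ADDR))
```

Both flag bytes (0x5E5 and 0x5E6) fall in block 5, page 14, so a single 16-byte page read is enough to verify the state after a write or during an inventory of deployed units.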
[Screenshots: ST 24.1B.70 Menu; MAC Changer]

Conclusion:
In the past, we had to program the EEPROM using an external
programmer and de-soldering the IC. However, the introduction of the
EEPROM ground hack enables us to easily enable the menu without a
programmer. This modification will give the user more control over
his or her
modem; use it wisely. Special thanks to Jacek for the original menu
discovery.
Tip:
To stop frequency scanning
Type 7 on the keyboard
Watchdog Test Menu:
A - Stop feeding watchdog (will cause system to freeze
if WD is disabled)
B - Toggle Watchdog (Current state = ON)
C - Force software reset
0 - Quit/Return
..................
Type B to disable the watchdog.
Then type A to disable the scanning.