NorthQ9100

Vendor: NorthQ
Product Page: NorthQ9100 - Broadband router
Description: From the product vendor:

The Broadband Router is an incredibly fast router with
40 Mbps LAN to WAN throughput. This is a cost-effective
IP Sharing Router that enables multiple users to share
the Internet through an ADSL or cable modem.

Simply configure your Internet connection settings in the 
router and plug your PC to the LAN port and you're
ready to share files and access the Internet.

OEM Info: From the PCB:

BP MLL E186014 94V-0 (R) 0328
PN:52-0000437-00
Rev. B

FCC ID: ???????????????
Inside Photo: PCB Front and Back
See Also: tbd

Internal Components

CPU: Samsung S5N8947 (ARM7TDMI@72 MHz, Mode 2, 2x Ethernet, UART, USB, ADSL, JTAG, SPI, I2C, 5x GPIO)
  Has the same CPU core as S3C4510B
  - The device seems to run in the dual-Ethernet-MAC mode, so it has 2 completely independent Ethernet MACs with BDMA support.
  - The ADSL Utopia, USB, I2C and some other interfaces are unconnected and do not seem to be available on any headers.
  - There is one serial port with some modem control available on the 2x5 connector with no level conversion.
Flash memory: 1 MByte, MX 29LV800BTC
SDRAM memory: 8 MBytes, Winbond W986432DH-6
Ethernet Switch: IC+ IP175A
Connectors: 2x5 - Serial port



Connectors

J1: a 10-pin UART connector

 1  NC                     2  DSR (out) pin 178
 3  Tx (out) pin 174       4  NC
 5  Rx (in) pin 173        6  NC
 7  DTR (in) pin 175       8  NC
 9  Gnd                   10  Vcc 3.3V

Please notice that DTR is an input and DSR is an output.




Original firmware

The original firmware can be found here.
The firmware is packaged using PKZIP compression and can be downloaded using the web interface.



Reverse engineering

The first step is to unzip the file generic_fwui_01S.zip which gives the file generic_fwui_010S.bin.
After that I found the 10 character ID = {'B', 'R', 'N', '6', '1', '0', '4', 'V', '2', '\0'} by using a hex editor and the work done by Petr Novak.
From the firmware file it's possible to extract two files PFS.IMG & SOHO.BIN and both of these files are zipped using PKZIP compression.

Layout of firmware file generic_fwui_010S.bin:

File offset  Size     Section offset  Size     Comment
0x00000      0x30000                           PFS
                      0x00000         0x1868F  PFS.ZIP
                      0x1868F         0x17965  Filled with 0xFF
                      0x2FFF4         0x00004  Length of PFS.ZIP
                      0x2FFF8         0x00004  Signature 0x12345678
                      0x2FFFC         0x00004  CRC32 checksum of PFS.ZIP
0x30000      0x90000                           SOHO
                      0x00000         0x6A503  SOHO.ZIP
                      0x6A503         0x25AF1  Filled with 0xFF
                      0x8FFF4         0x00004  Length of SOHO.ZIP
                      0x8FFF8         0x00004  Signature 0x12345678
                      0x8FFFC         0x00004  CRC32 checksum of SOHO.ZIP
0xC0000      0x0000A                           Firmware ID 'BRN6104V2\0'
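
An added example, not part of the original page: Python code that checks an image against the layout table above (firmware ID, per-section length, signature, 0xFF padding and CRC32) and returns the two embedded ZIP payloads. The function names and the sample image are hypothetical and constructed; the byte order of the 4-byte fields and the CRC-32 variant are not stated on the page, so the code accepts either byte order that yields the documented signature and assumes the standard zlib/PKZIP CRC-32.

```python
import struct
import zlib

SIGNATURE = 0x12345678
FIRMWARE_ID = b"BRN6104V2\x00"
ID_OFFSET = 0xC0000
# (name, file offset, size) from the layout table
SECTIONS = [("PFS", 0x00000, 0x30000), ("SOHO", 0x30000, 0x90000)]


def parse_section(image, name, start, size):
    """Validate one section's 12-byte trailer and return its ZIP payload."""
    section = image[start:start + size]
    if len(section) != size:
        raise ValueError(f"{name}: image truncated")
    # Byte order is not stated on the page: accept whichever one yields
    # the documented signature (assumption).
    for order in ("<", ">"):
        length, signature, crc = struct.unpack(order + "III", section[-12:])
        if signature == SIGNATURE:
            break
    else:
        raise ValueError(f"{name}: signature 0x12345678 not found")
    if length > size - 12:
        raise ValueError(f"{name}: length field exceeds section")
    payload, padding = section[:length], section[length:-12]
    if padding.strip(b"\xff"):
        raise ValueError(f"{name}: padding is not all 0xFF")
    # Assumption: "CRC32" means the standard zlib/PKZIP CRC-32.
    if zlib.crc32(payload) != crc:
        raise ValueError(f"{name}: CRC32 mismatch")
    return payload


def parse_firmware(image):
    """Return {"PFS": zip_bytes, "SOHO": zip_bytes} or raise ValueError."""
    if image[ID_OFFSET:ID_OFFSET + len(FIRMWARE_ID)] != FIRMWARE_ID:
        raise ValueError("firmware ID mismatch")
    return {n: parse_section(image, n, start, size) for n, start, size in SECTIONS}


def build_sample(pfs=b"PK\x03\x04 sample PFS", soho=b"PK\x03\x04 sample SOHO", order=">"):
    """Constructed image with the same layout (not real firmware)."""
    image = b""
    for (_, _, size), zipped in zip(SECTIONS, (pfs, soho)):
        trailer = struct.pack(order + "III", len(zipped), SIGNATURE, zlib.crc32(zipped))
        image += zipped + b"\xff" * (size - 12 - len(zipped)) + trailer
    return image + FIRMWARE_ID
```

A CRC32 only catches accidental corruption of a section; it says nothing about who produced the image.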




Boot loader

First step was to connect a level shifter to the 2x5 connector. I connected DTR with DSR and then I connected TX & RX to the level shifter. The last but most important thing to remember is ground and power (+3.3V).
Then I started the program HyperTerminal in Windows and found the baud rate to be 57600 8-N-1. The dump of the first communication with the router says that the boot loader is called "LAN Router BRN Loader". This router crashed after a firmware upgrade with customized firmware, and you can see it in the 4 errors.
================================================================
 LAN Router BRN Loader V1.5-6104S build Mar 11 2003 11:04:49
                 Broad Net Technology Inc.
================================================================
V_Manufacturer_ID=C2H, V_Device_ID=225BH
Mxic MX29LV800B bottom boot 16-bit mode found

Copying boot params.....DONE

Press any key to enter command mode ...
Flash Checking .. Passed.

Unzipping program from bank 2...done
Try to find image for running...
Unzipping program from bank 3...done

[Fail] Exception : Undefined 
[Fail] Exception : Undefined 
[Fail] Exception : Undefined 
[Fail] Exception : Undefined 
For more information about the bootloader look here.



TBD

Reset button - the reset button is not a normal reset button but an input pin on the CPU, because the CPU can see how long the button has been pushed. What pin is the reset button connected to?
Reset button pressed
Reset button is held for 1 seconds
Reset button is held for 2 seconds
Reset button is held for 3 seconds
Reset button is held for 4 seconds
Reset button is held for 5 seconds
Reset button is held for 6 seconds
Reset button is held for 7 seconds
Reset button is held for 8 seconds
Reset button is held for 9 seconds
Restoring factory default values...




$Id: index.html,v 1.11 2004/03/18 11:10:41 runechristensen Exp $