Last modified Fri, 29 May 2009 03:20:48 GMT

Notice: You've probably been sent here because you have a 675 and your DSL line is DMT (not CAP). You can't make your 675 work with DMT. And putting the 678 firmware on the 675 will not work. If you have a 678 programmed for CAP and need it to work with DMT, I can get you the firmware if you ask for it. If you broke your 675/678 I can help fix it, or send you a replacement (possibly). If you want to get rid of a 675 I'll take it (and maybe pay for shipping); I'll buy a 678 for $25, a NetSpeed-branded one (from before Cisco bought it) possibly more. abest@digitalflex.net.

2009-05-28: I have a 678 now that I don't use for my DSL connection. I haven't had much of a desire to update anything on this for a while. I'm willing to help you fix your 675 or 678 if you lost the password, and possibly if you bricked it; it gives me motivation to update this page. I'm thinking of expanding this page with other DSL-related router information, including the evil Actiontec, which has a DoS vulnerability that the vendor won't listen to me about (it requires access to the private network, and seems to me the #1 reason you need to power cycle it (FYI: this could have been fixed by now; my hardware is old)).

Also, since this page is being accessed less than once a day (in comparison to its peak almost a decade ago), I'm not sure if I should be putting more effort into this; however, if you want to do something interesting (or maybe learn something), I'm still interested in helping out.

Just FYI, I am a firmware engineer, so I know some of what I'm talking about, though I've hacked this mostly while drunk, and only in my spare time. So be warned!

2007-08-21: I got another 675 (thanks day), however I still don't have a 678 that I can hack with yet.

2006-12-10: I've been getting more and more requests for information on the 678. I may be expanding this for the 67x models. If you happen to have any documentation on these routers, or if you have any information on a DSL line emulator, it would be very helpful. Also corrected the NVRAM addresses typo below.

I haven't been working on this for a little while. If you do have questions or comments, feel free to email me at abest@digitalflex.net. The address is different; I may not respond quickly, but it will be faster than waiting on me to update this page.

FAQ

Notes

A quick comment on the Cisco 675, 678, CAP and DMT. The 675 CAN NOT do DMT; there is NOT a firmware update. DMT requires special hardware and programming. The 678 was created for DMT and CAP; the software just needs to be flashed. But again, the 675 CAN NOT BE FLASHED to support DMT. This seems to be a popular misunderstanding because the 678 was shipped programmed for CAP before it was grandfathered. This is misunderstood by some phone techs, and others.

And a quick comment on DMT. DMT is Discrete Multi-Tone (like CDMA, only it is PtP (point-to-point) and less redundant (technically it is very different)). Most forms of communication work by modulating the frequency or amplitude (AM/FM), but radio and wired communication are different anyway. CAP encodes its data in the time domain, while DMT encodes in both the time and frequency domains. It's easy to build a transceiver for data on one frequency, AM or FM. It is not so simple when you have several frequencies in a narrow band. DMT has to sample all the frequencies inside this band and extract which frequencies are in a time slice; this requires a much more powerful DSP. I don't think the 675 even has one, and if it does it's a very simple one. The 678 does have one; how it is integrated I do not know (I would like to). This is why I'm playing with the 675s now that they are useless for DSL; someday the 678s might do the same (however DMT is the standard and will last until 7 Mbps is too slow).....

I've been searching for information on the Cisco 675 DSL router for uses other than its intended one. So I'm putting up some information on hacking/reverse engineering it.

I'm updating this page out of order, so it may be inconsistent.

Specs.

The ROM contains a modified and stripped-down Mon960 ROM monitor (from Intel) that has been named Ron960, although it may just be more of a clone.

The ROM monitor has the ability to upload via XModem to memory, to program flash memory from DRAM, and to erase segments of memory (#6 seems to be the user area of NVRAM). You can set breakpoints and disassemble memory, and modify memory by byte, word, quad, etc. Ctrl-C can also be mapped to interrupt into the debugger (e.g. start in Monitor mode and then "go", then hit Ctrl-C when you want to break; from there you can then step, trace, set breakpoints and do anything else you want to do).

Interesting areas of memory.

0x1000 0000 - 0x103f ffff is the same as 0x1040 0000 - 0x107f ffff. You can't write to 0x1000 0000, but you can write to 0x1000 0001. Not sure where the memory technically starts/ends (best guess is 0x1000 8000 - 0x103f 7fff, I dunno). The IP does start at 0x1000 8000 and I've broken at 0x1000 f8cc. I'm also not sure which part is NVRAM, or if some of it is copied from NVRAM. When updating firmware you download to 0x1000 8000 and flash the memory at 0xfee0 0000. When I do some more dumps I should be able to figure some of this out. (Important to note that some of the calls are PIC, meaning the address is offset in the dasm output.) I still need to read the assembly from the IBR's IP record until it jumps out of ROM (I think 0xfeff xxxx is ROM).

0x1000 0000 - 0x103f ffff seems to be DRAM, as it's empty and is where code is executed from. 0xfee0 0000 - 0xfeff ffff is NVRAM/ROM and contains compressed code/data.

Standard memory addresses for i960

Presently I'm not yet sure where the memory addresses of the DRAM, NVRAM and ROM are located (I have some ideas). I'm also unaware of where the hardware registers/drivers are located. Some poking research on the chipsets, pin configurations (memory selectors), etc. should give me some ideas.

Presently I'm dumping chunks of memory via "bd 10000000 40000" to get a local copy of memory to search through. In a few days I should have some more data on various segments of memory. It appears as though there is a lot of data containing help/HTML etc., which gives lots of space for adding code, etc. Also there should be enough space to run quite a few things.

Tracing boot process

After the monitor is loaded, execution starts at 0xfee0 0000; the code copies itself from NVRAM at 0xfee0 0000 to DRAM at 0x1000 8000.

cbos#set error team
1998 CBOS 2.0 Team
Kip McClanahan      Frank Peraza
Jim Crow            Ron Battles
Bob Black           Jon Harrod
Leo Maurer          Craig Botkin
James Beard         Kevin Moden
Joaquin Aviles      Craig Cantrell
Greg Griffith       Josh Karnes
Hieu Hoang          Thao Hoang
Satya Rao           Dennis Cox

I wiped out the NVRAM, sectors 0-6. I was trying to modify the contents of NVRAM. I moved the flash memory to RAM, then erased NVRAM. Then I flashed it; I did something wrong... I updated the firmware to 2.2.0. It also updated the Rom Monitor to build 111... I must be careful about this and figure out how the flash code works before going too far..

2.2.0 is compressed on the NVRAM, and decompresses into memory on boot. This will make things interesting for a while...

Downgraded to 2.0.1... The Rom Monitor was left, so I have a newer version of Ron960 and an older version of CBOS... Nice...

es 0 erases NVRAM fee00000 to fee40000, and so on. Sector 6 is user config, 7 is the Rom Monitor... Don't delete it (I don't even know if it's possible yet)...

2006-12-10 update: I corrected the ending addresses. Thank you Paul for pointing this out (back in June).
0 fee0 0000 - fee3 ffff
1 fee4 0000 - fee7 ffff
2 fee8 0000 - feeb ffff
3 feec 0000 - feef ffff
4 fef0 0000 - fef3 ffff
5 fef4 0000 - fef7 ffff
6 fef8 0000 - fefb ffff
7 fefc 0000 - feff ffff

Hello world! Running on 675 i690 processor.
Ron960 User Interface: Build  111 (Aug 24 1999 18:28:08)
NetSpeed HomeRunner(TM); i960 JX; JA step number 03
Copyright 1997 NetSpeed Corporation
Copyright 1998, 1999 Cisco Systems
=>df 10008000
Downloading
C
=>dasm 100081b0 8
100081b0 : 86003000 1000e3f0  callx  0x1000e3f0
100081b8 : 8c803000 100081a0  lda  0x100081a0, g0
100081c0 : 86003000 100083b0  callx  0x100083b0
100081c8 : 5ca01e00           mov  0, g4
100081cc : 5c801614           mov  g4, g0
100081d0 : 0a000000           ret  
100081d4 : 00000000           .word     0x00000000
100081d8 : 00000000           .word     0x00000000
=>go 10008110
Hello World!
Program Exit: 0
=>

Rom Monitor (Ron960)

This is based on the Rom960 documentation from Intel, and observation of the modified ROM monitor in the Cisco 675.

The address fefcc310 is the beginning of the command table (see the array below). The Ron960 is a modified version of Intel's Rom960 code (you can download it from Intel). Grab this for reference on figuring out how the ROM monitor works. (You can also get the compiler, which is a modified GCC; I used a stock GCC (which does have i960 bugs; I hacked around them).)

Here is the cmd_table from ui_main.c in Rom960:

/* Columns: command name, handler function, extra argument passed to the
   handler (access width or run mode), argument-format string, help function. */
cmd_table[] = {
    { ".",  0,            0,        "",      dot_help},
    { "?",  help,         0,        "s",     he_help },
    { "bd", databreak,    0,        "h",     bd_help },
    { "br", breakpt,      0,        "h",     br_help },
    { "cf", cf_cmd,       0,        "",      cf_help },
    { "da", dasm,         0,        "hd",    da_help },
    { "db", display,      BYTE,     "Sd",    db_help },
    { "dc", display_char, FALSE,    "Sd",    dc_help },
    { "dd", display,      LONG,     "Sd",    dd_help },
    { "de", delete,       0,        "H",     de_help },
    { "di", display,      WORD,     "Sd",    di_help },
    { "do", download,     0,        "h",     do_help },
    { "dq", display,      QUAD,     "Sd",    dq_help },
    { "ds", display,      SHORT,    "Sd",    ds_help },
    { "dt", display,      TRIPLE,   "Sd",    dt_help },
    { "ef", ef_cmd,       0,        "",      ef_help },
    { "fi", fill,         0,        "HHH",   fi_help },
    { "fl", disp_float,   LONG,     "Hd",    fl_help },
    { "fr", disp_float,   WORD,     "Hd",    fr_help },
    { "fx", disp_float,   EXTENDED, "Hd",    fx_help },
    { "go", go,           GO_RUN,   "h",     go_help },
    { "he", help,         0,        "s",     he_help },
    { "mb", modify,       BYTE,     "Sd",    mb_help },
    { "md", modify_d,     WORD,     "SH",    md_help },
    { "mo", modify,       WORD,     "Sd",    mo_help },
    { "ps", go,           GO_NEXT,  "h",     ps_help },
    { "qu", reset,        1,        "",      qu_help },
    { "rb", reset,        1,        "",      qu_help },
    { "re", display_regs, 0,        "",      re_help },
    { "rs", reset,        0,        "",      rs_help },
    { "st", go,           GO_STEP,  "h",     st_help },
    { "tr", trace,        0,        "ss",    tr_help },
    { "ve", banner,       0,        "",      ve_help },
    { "po", post_test,    0,        "",      po_help },
    { "zz", cio_disp,     0,        "d",     po_help },
    { "\0", 0, 0, "", 0 }
};

Help was stripped (as were a number of other things) in the Cisco version.

Here is the dump from the Cisco version:

fefcc310 : 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
fefcc320 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
fefcc330 : 3f 00 00 00 00 00 00 00 60 e3 fc fe 00 00 00 00 ?.......`.......
fefcc340 : 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 s...............
fefcc350 : 62 64 00 00 00 00 00 00 c0 f2 fc fe 03 00 00 00 bd..............
fefcc360 : 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 h...............
fefcc370 : 62 72 00 00 00 00 00 00 c0 f2 fc fe 02 00 00 00 br..............
fefcc380 : 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 h...............
fefcc390 : 62 77 00 00 00 00 00 00 c0 f2 fc fe 00 00 00 00 bw..............
fefcc3a0 : 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 h...............
fefcc3b0 : 62 70 00 00 00 00 00 00 80 f1 fc fe 00 00 00 00 bp..............
fefcc3c0 : 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 h...............
fefcc3d0 : 64 61 73 6d 00 00 00 00 b0 0b fd fe 00 00 00 00 dasm............
fefcc3e0 : 68 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 hd..............
fefcc3f0 : 64 62 00 00 00 00 00 00 90 1e fd fe 01 00 00 00 db..............
fefcc400 : 53 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Sh..............
fefcc410 : 64 63 00 00 00 00 00 00 10 22 fd fe 00 00 00 00 dc......."......
fefcc420 : 53 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Sd..............
fefcc430 : 64 64 00 00 00 00 00 00 90 1e fd fe 08 00 00 00 dd..............
fefcc440 : 53 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Sh..............
fefcc450 : 64 65 6c 00 00 00 00 00 f0 f3 fc fe 00 00 00 00 del.............
fefcc460 : 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 H...............
fefcc470 : 64 66 00 00 00 00 00 00 90 28 fd fe 01 00 00 00 df.......(......
fefcc480 : 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 h...............
fefcc490 : 64 69 00 00 00 00 00 00 90 1e fd fe 04 00 00 00 di..............
fefcc4a0 : 53 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Sh..............
fefcc4b0 : 64 6f 00 00 00 00 00 00 90 28 fd fe 00 00 00 00 do.......(......
fefcc4c0 : 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 h...............
fefcc4d0 : 64 71 00 00 00 00 00 00 90 1e fd fe 10 00 00 00 dq..............
fefcc4e0 : 53 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Sh..............
fefcc4f0 : 64 73 00 00 00 00 00 00 90 1e fd fe 02 00 00 00 ds..............
fefcc500 : 53 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Sh..............
fefcc510 : 64 74 00 00 00 00 00 00 90 1e fd fe 0c 00 00 00 dt..............
fefcc520 : 53 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Sh..............
fefcc530 : 65 73 00 00 00 00 00 00 c0 53 fc fe 00 00 00 00 es.......S......
fefcc540 : 64 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ds..............
fefcc550 : 66 69 00 00 00 00 00 00 30 27 fd fe 00 00 00 00 fi......0'......
fefcc560 : 48 48 48 00 00 00 00 00 00 00 00 00 00 00 00 00 HHH.............
fefcc570 : 66 6c 00 00 00 00 00 00 20 52 fd fe 08 00 00 00 fl...... R......
fefcc580 : 48 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Hd..............
fefcc590 : 66 72 00 00 00 00 00 00 20 52 fd fe 04 00 00 00 fr...... R......
fefcc5a0 : 48 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Hd..............
fefcc5b0 : 66 78 00 00 00 00 00 00 20 52 fd fe 0a 00 00 00 fx...... R......
fefcc5c0 : 48 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Hd..............
fefcc5d0 : 67 6f 00 00 00 00 00 00 60 e2 fc fe 00 00 00 00 go......`.......
fefcc5e0 : 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 h...............
fefcc5f0 : 68 65 6c 70 00 00 00 00 60 e3 fc fe 00 00 00 00 help....`.......
fefcc600 : 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 s...............
fefcc610 : 68 69 70 00 00 00 00 00 20 e2 fc fe 00 00 00 00 hip..... .......
fefcc620 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
fefcc630 : 6c 61 00 00 00 00 00 00 b0 e6 fc fe 00 00 00 00 la..............
fefcc640 : 48 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 HH..............
fefcc650 : 6c 6d 00 00 00 00 00 00 20 e7 fc fe 00 00 00 00 lm...... .......
fefcc660 : 48 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 HH..............
fefcc670 : 6d 30 00 00 00 00 00 00 50 e1 fc fe 00 00 00 00 m0......P.......
fefcc680 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
fefcc690 : 6d 61 63 00 00 00 00 00 e0 dd fc fe 00 00 00 00 mac.............
fefcc6a0 : 53 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 S...............
fefcc6b0 : 6d 62 00 00 00 00 00 00 40 1c fd fe 01 00 00 00 mb......@.......
fefcc6c0 : 53 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Sd..............
fefcc6d0 : 6d 63 00 00 00 00 00 00 60 e6 fc fe 00 00 00 00 mc......`.......
fefcc6e0 : 48 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 HH..............
fefcc6f0 : 6d 64 00 00 00 00 00 00 60 1b fd fe 04 00 00 00 md......`.......
fefcc700 : 53 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 SH..............
fefcc710 : 6d 77 00 00 00 00 00 00 60 1b fd fe 02 00 00 00 mw......`.......
fefcc720 : 53 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 SH..............
fefcc730 : 6d 6f 00 00 00 00 00 00 40 1c fd fe 04 00 00 00 mo......@.......
fefcc740 : 53 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Sd..............
fefcc750 : 6d 76 00 00 00 00 00 00 f0 df fc fe 00 00 00 00 mv..............
fefcc760 : 48 48 48 00 00 00 00 00 00 00 00 00 00 00 00 00 HHH.............
fefcc770 : 70 62 00 00 00 00 00 00 10 57 fc fe 00 00 00 00 pb.......W......
fefcc780 : 48 48 48 00 00 00 00 00 00 00 00 00 00 00 00 00 HHH.............
fefcc790 : 70 73 00 00 00 00 00 00 60 e2 fc fe 02 00 00 00 ps......`.......
fefcc7a0 : 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 h...............
fefcc7b0 : 71 75 69 74 00 00 00 00 a0 15 fc fe 01 00 00 00 quit............
fefcc7c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
fefcc7d0 : 72 62 00 00 00 00 00 00 a0 15 fc fe 01 00 00 00 rb..............
fefcc7e0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
fefcc7f0 : 72 65 00 00 00 00 00 00 50 26 fd fe 00 00 00 00 re......P&......
fefcc800 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
fefcc810 : 72 65 73 65 74 00 00 00 a0 15 fc fe 00 00 00 00 reset...........
fefcc820 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
fefcc830 : 73 74 00 00 00 00 00 00 60 e2 fc fe 01 00 00 00 st......`.......
fefcc840 : 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 h...............
fefcc850 : 74 72 00 00 00 00 00 00 20 41 fd fe 00 00 00 00 tr...... A......
fefcc860 : 73 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ss..............
fefcc870 : 76 30 00 00 00 00 00 00 b0 e0 fc fe 00 00 00 00 v0..............
fefcc880 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
fefcc890 : 76 31 00 00 00 00 00 00 50 e0 fc fe 00 00 00 00 v1......P.......
fefcc8a0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
fefcc8b0 : 76 65 72 00 00 00 00 00 20 d5 fc fe 00 00 00 00 ver..... .......
fefcc8c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
fefcc8d0 : 7a 7a 00 00 00 00 00 00 20 e8 fc fe 00 00 00 00 zz...... .......
fefcc8e0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
fefcc8f0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
fefcc900 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
As you may notice, they are different!
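To check that claim mechanically, here is an added example (not tooling from the original page) that decodes entries of the Cisco dump above into (name, handler, arg, argfmt) records and diffs them by name against the Intel cmd_table. The 32-byte entry layout, the little-endian pointers and the reading of the arg field as an access width are inferred from the dump, not documented anywhere on the page; the INTEL_ARGFMT table is copied from the cmd_table listing.

```python
import re
import struct
from dataclasses import dataclass

TABLE_BASE = 0xFEFCC310  # start of the command table, per the page

# Subset of the page's dump; each 32-byte entry spans two 16-byte lines.
DUMP = """\
fefcc330 : 3f 00 00 00 00 00 00 00 60 e3 fc fe 00 00 00 00 ?.......`.......
fefcc340 : 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 s...............
fefcc350 : 62 64 00 00 00 00 00 00 c0 f2 fc fe 03 00 00 00 bd..............
fefcc360 : 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 h...............
fefcc3f0 : 64 62 00 00 00 00 00 00 90 1e fd fe 01 00 00 00 db..............
fefcc400 : 53 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Sh..............
fefcc530 : 65 73 00 00 00 00 00 00 c0 53 fc fe 00 00 00 00 es.......S......
fefcc540 : 64 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ds..............
"""

# Argument-format strings from the Intel cmd_table for the same names.
INTEL_ARGFMT = {"?": "s", "bd": "h", "db": "Sd", "dd": "Sd", "go": "h"}
LINE = re.compile(r"^([0-9a-f]{8}) : ((?:[0-9a-f]{2} ){16})")

@dataclass
class Cmd:
    addr: int
    name: str
    handler: int   # function pointer the monitor calls
    arg: int       # extra argument; 1/2/4/8/16 on db/ds/di/dd/dq reads as width
    argfmt: str
    help_ptr: int  # 0 everywhere in the Cisco dump: help was stripped

def parse_lines(text):
    """Map each dump line's address to its 16 raw bytes."""
    rows = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rows[int(m.group(1), 16)] = bytes.fromhex(m.group(2).replace(" ", ""))
    return rows

def decode_table(text, base=TABLE_BASE):
    """Assumed entry layout (inferred from the dump, little-endian i960):
    name[8], handler u32, arg u32, argfmt[8], help u32, 4 bytes pad."""
    rows = parse_lines(text)
    cmds = []
    for addr in sorted(rows):
        if (addr - base) % 32 or addr + 16 not in rows:
            continue  # second half of an entry, or its partner line is missing
        raw = rows[addr] + rows[addr + 16]
        name, handler, arg, argfmt, help_ptr, _pad = struct.unpack("<8sII8sI4s", raw)
        cmds.append(Cmd(addr, name.rstrip(b"\0").decode(), handler, arg,
                        argfmt.rstrip(b"\0").decode(), help_ptr))
    return cmds

def diff_intel(cmds):
    """Commands Intel's table lacks, and commands whose argfmt changed."""
    added = [c.name for c in cmds if c.name not in INTEL_ARGFMT]
    changed = {c.name: (INTEL_ARGFMT[c.name], c.argfmt) for c in cmds
               if c.name in INTEL_ARGFMT and INTEL_ARGFMT[c.name] != c.argfmt}
    return added, changed
```

Paste the full dump in place of the subset and the same decoder yields every entry; bd and br then show up sharing one handler (fefcf2c0) distinguished only by the arg field.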

A Summary of the commands

. Repeat last command.
? Help, which tells you there is no help.
bd Data breakpoint.
br Breakpoint.
bw
bp Instruction breakpoint.(just
dasm Disassemble memory.
db Dump memory in bytes.
dc
dd
del Delete memory
df Download firmware
di
do
dq
ds
dt
es Erase sectors of NVRAM
fi
fl
fr
fx
go
help
hip
la
lm
m0
mac Set mac address, doesn't work it seems.
mb
mc
md
mw
mo
mv
pb Programs bios, er.. NVRAM
ps
quit
rb Reboot
re
reset
st
tr
v0
v1
ver
zz

There are still more I need to document.