Here's how to use the console port/TTL Serial port on the CG3000D modem router combo.

Hey, I spent a couple days playing with the console port, also known as the TTL serial port, on the CG3000D modem router combo unit. I wanted to post my findings and this info might be the same for the CG3000, CD3100, and CG3100D gateways as well, but I don't know as I don't have those. From what I've read, the CG3000D should be similar to the CG3100 style units and the "D" in the name signifies that its an ISP supported model.

I'm hoping this helps people to play with their ports again (lol) and start making some more quality firmware for the CG3000D units as well. I plan on making Netbeer soon and I need to make sure I have the mechanics down on how I plan on flashing that firmware to this unit before I spend time programming it. Just now I finished playing with the TTL serial port and found that the firmware blocked that port so I can't use it for anything other than seeing the boot sequence, so soon I'll have my USB JTAG NT unit here and I'll be able to use the 14 pin MIPS EJTAG port to play with flashing the firmware.

If you're interested in my findings, I posted the information below and also a link to download the files required for playing with your ports. This is rare information that I really had to dig for and experiment with in order to discover. So, I hope people can now find this information easier. As always, contact me if you have questions and I'll see what I can do.

Stock CG3000Ds allow access to the serial port.

Download the tutorial and the files: http://thelifemaster.com/Main/uploads/TTL-Serial-Port-CG3000D.zip

----

This is a collection of data I found out about the CG3000D's console port/TTL serial port while trying to access it. I wrote this document to help people no matter what your knowledge is on this. I didn't assume you knew much of anything I'm talking about in this document. Keep in mind that this is meant for technicians to work with, but I know that some techs might not be hardware techs or know every single term. I was programming for years and flunked a basic computer class in college because I didn't know the terminology. I just knew how to make it work.

So, again, this is meant for techs and if you do connect to the serial port properly and can type commands, be sure you know what you;re ding or you could frazzle your unit into a bright shiny new doorstop until you get your JTAG tools. (AKA Brick)


Firmware version: V5.5.3.mp1CPR07c (Supplied by Cox Cable as an update that my gateway installed automatically.)

Status: You get a readout of the boot process and then it closes the port so you can't access it. (I included the log for that.)

Theory: Using USB JTAG NT, I should be able to flash the unit with my new firmware and that will have the console port open again.

Requirements for talking to the port on the CG3000D:

1.) USB to UART TTL Serial port adapter. (It cost me $5 on eBay and I included a picture and its driver. Just search up "USB ttl serial" and find one like mine. It needs a 3.3V pin, not a 5v pin.)
2.) USB extension cord (Optional, but if you might want one as the ribbon cable on mine is about 12" long.)
3.) T7 or T7H Torx bit or a small flat head screwdriver. lol I use a T7H and I think the "H" stands for hole since mine are made to have a post in the middle of the screw. I used a small flathead on it as well and its fine.
4.) CG3000D (If you want to be obvious)
5.) PuTTY (Included in this archive)

Setup

1.) Install PuTTY (Use the one included or get the latest version if need be, from http://chiark.greenend.org.uk/~sgtatham/putty/…download.html)

2.) Open your gateway (modem/router combo or CG3000D if you will) by disconnecting every cord from it and flipping it over, then pulling its feet off. The rubbers are held on by a strip of rubber going through a hole. They should pull off with little force. Then just unscrew the 6 screws and open the case gently, but don't remove the board yet.

3.) The board is held onto one half of the case by a wire going to the WiFi antenna. If you need to remove the extra plastic part to make things easier, pull back the tape on the main board and un snap the wire from there. It connects like a laptop wifi antenna does.

4.) Look at the side of the board with the components mounted to it. Turn the board so the ports are facing upwards and look to the right of the big black heatsink on the chipset. (Its a BCM3380 Broadcom chip if you want to know.) See the 4 pin header? That's the TTL serial port, also called the console port. It looks like 4 metal prongs sticking up.

5.) Now break out your USB to UART TTL serial port adapter and its cable. If you're working with the same hardware I was, then take the jumper off of the using as its not needed. Put it in a plastic bag so you don't loose it.

6.) Now look at the pinouts included in this zip file. The green pinout is the pinout for the board and the one called "adapter pinout.jpg" is of course the one for the adapter. If you're using a different adapter, rely on the pinout supplied by the adapter you're using.
7.) Hook up the ribbon cable wires to the adapter.

8.) Find pin 1 of the 4 pin header on your gateway by looking at the bottom of the board (side without the components on it) and finding the square solder point. You'll see the rest are all circles. Be sure to look only at the part for the 4 pin header, not the square part for the 14 pin MIPS EJTAG header next to it.

9.) Now that you know which way is up, or rather which pin is pin 1, look at the pinout for the board I provided you with. Hook the proper wires up to the 4 pin header WHILE THE UnIT IS OFF. It should be off right now, but it doesn't work like an ethernet port or usb port where you can just plug it in and unplug it. You need to boot it up with it plugged in and turn off the unit before unplugging it or you could frazzel the unit.

10.) Now, check your work. Make sure that the 3.3V pin on the adapter goes to the 3.3V pin on the board, the TX goes to the TX pin, RX to RX, GND (ground) goes to ground. The TX could also be labeled TXD for transmission Data and RX could be RXD for Receiver Data. If your ribbon cable is multicoloured, then just make sure the colors go to the right place, but if its just grey or something, be sure you follow it closely.

11.) Plug your USB extension cable into the adapter, then your USB port if you opted to use one.

12.) Now, Windows should start trying to find the driver for your unit. If you have your own driver, you can use that one of course and if you have the same hardware as I did, Windows 7 says that it can't find the driver and then it says that it found something that could help you. (I think it was the troubleshooter or something that opened automagically, but I don't remember.) It will give you the direct link to the download. If you need the driver and are using the same unit that I am, I included a driver for you. However you install the driver, make sure its installed.

13.) Open Device manager and under "Ports (COM and LPT)" you need to find the item listed for your unit and open it. We'll need to change some settings on the "port settings" page.

14.) Launch PuTTY.

15.) Now both PuTTY and the port settings in Device Manager must match and I'll tell you how. In device manager, on the "port settings" tab for your adapter, you're going to want to click the advanced button and uncheck the FIFO buffer option if its on there. I don't know if the advanced button will show for all units or not, but if its not there, skip this step. Also, make a note of the Com number. Mine is COM3.

16.) Set the port settings in Device manager to:

Speed: 115200
Data bits: 8
Stop bits: 1
Parity: None
Flow control: None

17.) In PuTTY, on the first screen you see, select "serial" in the radio boxes. (The circle select boxes)

18.) In the box that says COM1, change that to whatever COM number you saw in Device Manager above.

19.) Change the 9600 to 115200.

20.) Enter a name for your stored settings in the "Saved Sessions" box and hit save.

21.) Go to Connections -> Serial on the tree at the left.

22.) Set "Flow Control" to "none" and the rest of the settings should match the ones set above in Device Manager.

23.) Go back to "Session" in the tree at the left and hit save again.

24.) Now this is where the fun begins. Connect the power cord to the modem and make sure the power button is turned on as well then QUICKLY double click the name of the saved session in PuTTY.

25.) You'll see a black console box come up and the boot sequence will show on the screen. If its gibberish that comes up, change the baud rate to something like 9600 on both Device Manager and PuTTY.

26.) If you get the following text at the end, then the port is disabled in the firmware.

"[tStartup] BcmEpsCmDocsisSystem::Initialize: (BFC System) ERROR - Disable console port now!"

27.) If you didn't get that message, try talking to the port. type a command and see what pops up, but BE CAREFUL! God only knows what happens if you type "clear." For all I know, it could wipe your firmware and then bye bye gateway, hello comfortable reality. lol (Dreamfall quote) Also, tftp_read and tftp_write only allow for tftp on the HFC side. (This means you need a $5,000 CMTS to connect to the cable on your modem in order to pull firmware to your modem. I think I fancy my $60 USB JTAG NT a bit more.

If you want to pull new firmware from the cmts, then use cd /docsis_ctl and then use dload. You'll need to know the name of the firmware the cable company is sending to you. Flash the stock firmware onto your modem and change its mac_addresses to the mac_addresses for your modem and change its serial number to your serial number. Keep the config in tact for your modem as it has the root certificate. You'll need to then use PuTTY with logging enabled and connect via SSH using the user/pass MSO/changeme. Leave your computer and modem on overnight and at around 2AM-3AM, you'll most likely get the new firmware pulled to your modem. Check the log and you'll find the server sending you the file as well as the filename. If the server is 172.23.0.18 and your file is filename.bin, then do this: dload -s -l 172.23.0.18 filename.bin and you'll start pulling it down from the CMTS.


CG3000D/DocsisCtl> dload

COMMAND: dload

USAGE: dload [-i Number] [-s] [-l] [-f] [IpAddress] [Filename{127}]

DESCRIPTION:
Causes the CM DOCSIS Control thread to download and store the specified image
file via TFTP from the specified TFTP Server IP address. When the download
is completed, the next reboot will run this image. If you omit the filename
and/or IP address parameters, then we will use the ones stored in non-vol
settings. The -i parameter specifies the image number to be overwritten
(number of images depends on the platform). If omitted then the default
image for the platform will be used. If present, the -s causes Secure
Download to be used. The -l flag selects image1 as the target and allows a
large image to be loaded, if allowed by the flash driver. The -f flag forces
the image to be loaded even if the signature or compression types are not
valid for the platform.

EXAMPLES:
dload 11.24.4.3 ram_sto.bin -- TFTPs ram_sto.bin from the server.
dload -i1 11.24.4.3 ram_sto.bin -- Same, but downloads to image1.
dload -- Uses the file/server from non-vol
settings.
dload -s 11.24.4.3 ram_sto.bin -- Secure download.
dload -l 11.24.4.3 ram_sto.bin -- Download large image to image1.
dload -f 11.24.4.3 ram3360_sto.bin -- Loads a 3360 image onto a 3345 modem.





Also, here's a pinout of the port if you're interested.






Keywords: cg3000, cg3000d, cg3100, cg3100d, serial port, ttl, com port, modem, router, gateway, uart, usb, mips, jtag, tftp, firmware, pinout