Symmetricom XLi License Hack

[FFFF00]

I recently picked up a relatively new Symmetricom XLi GPS Time and Frequency System. It is useful as a 10 MHz lab reference in its base configuration, however I wanted to use it as an NTP server. My unit didn't have any software options, and the NTP license is $1k, over 3x what I paid for the XLi.

I poked around the firmware images available from Microsemi and found two undocumented commands (F100 ID, F100 SHELL). By default these are invalid.

Code: [Select]

Trying 10.0.1.206...
Connected to 10.0.1.206.
Escape character is '^]'.

WELCOME TO SYMMETRICOM NETWORK INTERFACE!
USER NAME: operator
PASSWORD: *****
NETWORK INTERFACE 192-8001      (c) 1998 - 2010 SYMMETRICOM
ALL RIGHTS RESERVED
LOGIN SUCCESSFUL!

>F100 SHELL
ERROR: INVALID COMMAND
The manual provides a clue to why this doesn't work. There is a "factory jumper" on the CPU board. This can be accessed by removing the top cover, or removing the CPU card. Install the jumper (JP3) and...

Code: [Select]

Trying 10.0.1.206...
Connected to 10.0.1.206.
Escape character is '^]'.

WELCOME TO SYMMETRICOM NETWORK INTERFACE!
USER NAME: operator
PASSWORD: *****
NETWORK INTERFACE 192-8001      (c) 1998 - 2010 SYMMETRICOM
ALL RIGHTS RESERVED
LOGIN SUCCESSFUL!

>
>F100 SHELL
shell restarted.

->
The XLi runs vxworks and the shell provides complete access to the system memory. I was fortunate enough to have access to another XLi with a valid license. I dumped the memory of that unit with the license installed and with it removed. A diff of the two files showed a couple locations that changed. The magic spot was 0x00334db0.

I should mention that the F100 ID command dumps all the user names and passwords. These include some "backdoor" accounts that are only enabled with the factory jumper in place.

Login over telnet and start the shell. The d command will display the memory contents at the address of interest.

Code: [Select]

-> d 0x00334db0
00334db0:  0001 0000 c6ce 0002 001e 0000 0000 0000   *................*
Bit 0 in that dword enables the NTP option, bit 1 the TIET option, bit 2 the PPO option, and bit 3 enables the FREQ MEAS option. The first word reading "0001" shows I have the NTP option enabled on this unit already.

The easy to way verify these options is to login in through the RS-232 interface simultaneously and use the F117 command.

Code: [Select]

SYSTEM POWER ON SELF TEST RESULTS:
SERIAL LOOPBACK TEST PASSED.
RAM TEST PASSED.
.PROG CRC TEST PASSED
NETWORK INTERFACE 192-8001      (c) 1998 - 2010 SYMMETRICOM
ALL RIGHTS RESERVED
FLASH FILE SYSTEM MOUNTED.
SOURCE FILE /config/truetime.conf BYTES READ: 1716
FILE SYSTEM REV #  1.106

SCAN_FOR_OPT_CARD BEGINS.
FOUND @ ADDR 30001000H, ID NUM= 87-8028-02
SCAN_FOR_OPT_CARD ENDS.
INSTALL_SMART_OPTIONS BEGINS.
FOUND GPS M12 CARD; QTY=1, ID#=80280002H.
INSTALL_SMART_OPTIONS ENDS.
RAPIDCONTROL FOR XLi WEB SERVER RUNNING.
QUERYING FOR SYMMETRICOM DEVICE. PLEASE WAIT...
SYMMETRICOM GPS DEVICE.
XLi
INITIALIZATION SUCCESSFULLY COMPLETED.
>NOTICE: A NEW TELNET SESSION HAS BEEN STARTED ON THE INTERNET PORT!

>F117

NOTICE: THERE IS ALREADY A TELNET SESSION ON THE INTERNET PORT!
NOTICE: YOU HAVE TAKEN CONTROL AWAY FROM THE TELNET SESSION!
F117 SN XXXXXXXX

     NTP ENABLE
     FREQ MEAS DISABLE
     TIET DISABLE
     PPO DISABLE
Back in the telnet session change the least significant byte to 0xF using the m command to modify the memory. ^C to  return to the shell.

Code: [Select]

-> m 0x00334db0
00334db0:  0001-0x000F
00334db2:  0000-18928c vxTaskEntry    +28 : shell ()
1a79c4 shell          +14c: 1a7a04 ()
1a7bf0 shell          +378: execute ()
1a7d88 execute        +c0 : yyparse ()
2040d0 yyparse        +64c: 202540 ()
202690 yystart        +7d4: m ()
1a5488 m              +110: fioRdString ()
18b6e4 fioRdString    +38 : read ()
198c04 read           +c  : iosRead ()
1e3a58 iosRead        +a4 : 1a3fc0 ()
1a3fcc ptyDevCreate   +18c: semQPut ()
tShell restarted.
Verify the options have been enabled in the serial session by issuing another F117 command.

Code: [Select]

>F117

F117 SN XXXXXXXX

     NTP ENABLE
     FREQ MEAS ENABLE
     TIET ENABLE
     PPO ENABLE
Write these changes to flash by issuing a valid command over the serial interface that will update nonvolatile memory. I changed the gateway IP address, it can be changed back later.

Code: [Select]

>F100 G 0.0.0.0

OK
RESETTING THE UNIT
PLEASE WAIT...

>SYSTEM POWER ON SELF TEST RESULTS:
SERIAL LOOPBACK TEST PASSED.
RAM TEST PASSED.
.PROG CRC TEST PASSED
NETWORK INTERFACE 192-8001      (c) 1998 - 2010 SYMMETRICOM
ALL RIGHTS RESERVED
FLASH FILE SYSTEM MOUNTED.
SOURCE FILE /config/truetime.conf BYTES READ: 1716
FILE SYSTEM REV #  1.106

SCAN_FOR_OPT_CARD BEGINS.
FOUND @ ADDR 30001000H, ID NUM= 87-8028-02
SCAN_FOR_OPT_CARD ENDS.
INSTALL_SMART_OPTIONS BEGINS.
FOUND GPS M12 CARD; QTY=1, ID#=80280002H.
INSTALL_SMART_OPTIONS ENDS.
RAPIDCONTROL FOR XLi WEB SERVER RUNNING.
QUERYING FOR SYMMETRICOM DEVICE. PLEASE WAIT...
SYMMETRICOM GPS DEVICE.
XLi
INITIALIZATION SUCCESSFULLY COMPLETED.
>F117

F117 SN XXXXXXXX

     NTP ENABLE
     FREQ MEAS ENABLE
     TIET ENABLE
     PPO ENABLE

>
After restarting all options are permanently enabled. The same status should also be present in the web interface. Enjoy 

[deepskyridge]

Nice fix for your problem.

I have a Symmetricom 55300A that I am looking to upgrade the firmware.

How did you get access to Microsemi firmware listings, I have not been able to get a account with them.

Thanks
Gary

[raileon]

Great tutorial!

I just got all options enabled on mine 

[texaspyro]

I checked a couple of XLi's and the magic location is apparently in a different place... probably due to different firmware.  Any ideas on how to find the proper location?

[FFFF00]

Out of curiosity what firmware version are you running on your XLI's? I believe I was running the latest firmware when I wrote this, it might be worthwhile upgrading.

I found the correct location by doing a diff of the entire memory. I dumped the memory with the option installed and then used the F126 command to clear the option and dumped it again. I did have a license key for one of my XLI units, so there was no risk in losing the option I already had.

[texaspyro]

Out of curiosity what firmware version are you running on your XLI's? I believe I was running the latest firmware when I wrote this, it might be worthwhile upgrading.

I think mine are on 2.0:

#
#   Device: Truetime XLi
#   Unit type:         Truetime XLi
#   GPS:               87-8028-02
#   GPS FPGA:          184-8024v1
#   GPS Software:      230-01510-04v1.18
#   Bootloader:        192-8000
#   Software:          192-8001
#   File system:       192-8002V2.0
#   Project:           2.0
#   FPGA:              184-8000V64
#   Osc type:          TCVCXO
#   Time code:         IRIG-B
#   Modulation:        AM
#   Bay 4              GPS M12 RECEIVER
#   Freq measurement:  Not installed
#   NTP option:        Not installed
#   PPO optiom:        Not installed
#   TIET option:       Not installed
#

I really don't need the options but I am adding XL / XLi support to Lady Heather and would like to be able to test them.

Where can one find the latest firmware... the download link from Google leads to a server not found error.

[staticx57]

Hi,

Interested in this as well. I seem to be on old firmware, anyone have updated software for this device?

[comsec22]

I did the job and works.

Thank You

[mcguire]

  Hi folks, I'm sorry to resurrect such an old thread, but I'm looking for the firmware update files for the XLi, preferably the latest version.  I've searched quite a bit but have turned up nothing.  If anyone has those files, I would very much appreciate getting a copy.

               Thanks,
               -Dave