|Colubris name||HP ProCurve name|
|MSC-3200 MultiService Controller||MSM313 Access Point|
This router was initially known as the "CN3200 WLAN Access Point/Controller."
Later when Colubris started referring to it as a "MultiService Controller" it became known as the MSC-3200.
As of October 1st, 2008 Colubris Networks Inc. was acquired by Hewlett-Packard and it's products were integrated into the HP ProCurve product line. Now under HP this board has a different name and model number: MSM313 Access Point, J9346A/B.
Neither Colubris nor HP have released any source code despite the fact that this hardware (and probably similar boards) use a Linux kernel.
Initial analysis of the router's bootloader also shows that it uses Das U-Boot.
ftp://ftp.hp.com/pub/japan/procurve/ (*Retrievable as of 9/2/2013) Contains firmware version 5.2.6.
ftp://foty.sea.ygnition.net/colubris/old -DEAD- had firmware versions: 3.1.0, 4.1.1, 5.1.1, 5.1.3, 5.1.4, 5.2.1, and "montreal_fix3-OPTIMIST-" however seems to no longer be online. No mirrors have yet to be found.
http://www.ezcommwireless.in/colubris/MSC%203200/ (*Retrievable as of 9/2/2013) appears to contain firmware versions: 2.1.4, 2.4.4, 126.96.36.199, 4.1.1, 5.1.4, and 5.2.1.
Note that the OEM firmware is encrypted (CIM file format?)
|IBM PowerPC 405EP||133 Mhz||32Mib||16MiB||No||Yes||?|
More on the processor: powerpc.405ep.pdf
|CPU/Speed:||PowerPC 405EP/133 Mhz|
|EEPROM:||ST M27W101 / 128 KiB|
|Flash-Chip:||Toshiba TC58DVM72A1FT00 (NAND)|
|Flash size:||16 MiB|
|Wireless:||Atheros AR5212A 802.11a/b/g (mini-pci)|
|Ethernet:||2 eth, Altima AC101L|
|Serial:||Yes (Maxim MAX3225E)|
There is a wired RJ12 external port located between the two Ethernet ports. The pinout is as shown below:
Facing the router ports
At this time there is no method to make the serial port of any use. It can be enabled by editing the router's Configuration File by hand, and re-uploading it. If (via the aforementioned method) one were to enable both the physical port and the TCPSERIALBRIDGE they would see that these ports echo to each other. Therefore confirming the pinout and operation.
|JTAG ID||processor version register|
This is the JTAG at the CPU (not the board):
And this is the JTAG at the board:
It seems the connector matches to this one:
|IBM 4XX 16-PIN (JTAG RISCWATCH)|
|COMMENT:||IBM also calls RISCWatch.|
|CONNECTOR:||16-pin Header (2.54mm)|
|-||nc||15||16||p||GND|Please someone provide a backup of the bootloader — danitool 2012/01/21 23:14
Ask and ye shall receive.
http://filebin.ca/tGNXMCPGZap/cn3200_rom.bin - Firmware v188.8.131.52-03-5281
The above bootloader ROM image was acquired by de-soldering the EEprom and reading it out. Using an Arduino MEGA if anyone is interested.
At the top of the ROM (0x64 - 0x73) there is an identifier "Colubris_BID_$$$" (ASCII), followed by a date stamp (0x8f - 0xAF) "Boot 3.1 (Mar 10 2004 - 13:48:52)" (ASCII).
Most of the data in the ROM appears to be machine instructions for the PPC processor. These are PowerPC big endian instructions, and function prologues are identifiable by the signature 0x7C0802A6 and epilogue 0x4E800020.
Further analysis of the boot ROM shows that there is a section where the Das U-BOOT bootloader is used. Specifically Das U-BOOT specific string start showing up at 0x1B9D0, if not earlier around 0x1B730 or 0x1B620.
I am working on providing a backup of the system image — DataPtr 2013/09/02 02:18
This router is using the "GoAhead (Embedded) Web Server" by EmbedThis Web Technologies.
The server runs the following TCP ports: 8082, 8081, 8080, 443, 80
It appears that this router uses SSH-2.0-OpenSSH_3.8.1p1
Connecting to the router using sFTP (sftp://192.168.1.1) with the admin credentials will dump the user into a "sftp-sandbox" specifically "/tmp/sftp-sandbox" which contains the file "firmware.cim. One seems to be unable to download this file, it is assumed that this is a placeholder for firmware upgrades.
Around version 3 (184.108.40.206 for example) of the firmware the CLI over SSH option becomes available. In the routers management interface under the "Management > CLI" tab this can be enabled.
While in the OEM CLI switching to the "enable" context reveals the sh "Protected access to shell" option. Executing this option prompts the user for an "Answer" to a "Challenge." The challenge being a six-digit number from which the answer can be generated.
toh/colubris/cn3200.txt · Last modified: 2013/11/30 02:09 by danitool