User Tools

Site Tools


toh:colubris:cn3200

Colubris CN3200

AKA MSC-3200

AKA MSM313

AKA HP J9346A/B

History

Naming

Colubris name HP ProCurve name
MSC-3200 MultiService Controller MSM313 Access Point

Colubris

This router was initially known as the "CN3200 WLAN Access Point/Controller."

Later when Colubris started referring to it as a "MultiService Controller" it became known as the MSC-3200.

HP

As of October 1st, 2008 Colubris Networks Inc. was acquired by Hewlett-Packard and it's products were integrated into the HP ProCurve product line. Now under HP this board has a different name and model number: MSM313 Access Point, J9346A/B.

Failure to adhere to the GPL

Neither Colubris nor HP have released any source code despite the fact that this hardware (and probably similar boards) use a Linux kernel.

Initial analysis of the router's bootloader also shows that it uses Das U-Boot.

External Resources

Official Documentation and Firmware

ftp://ftp.hp.com/pub/japan/procurve/ (*Retrievable as of 9/2/2013) Contains firmware version 5.2.6.

Unofficially hosted firmware

ftp://foty.sea.ygnition.net/colubris/old -DEAD- had firmware versions: 3.1.0, 4.1.1, 5.1.1, 5.1.3, 5.1.4, 5.2.1, and "montreal_fix3-OPTIMIST-" however seems to no longer be online. No mirrors have yet to be found.

http://www.ezcommwireless.in/colubris/MSC%203200/ (*Retrievable as of 9/2/2013) appears to contain firmware versions: 2.1.4, 2.4.4, 3.1.1.5, 4.1.1, 5.1.4, and 5.2.1.

Note that the OEM firmware is encrypted (CIM file format?)

Hardware

Hardware Highlights

CPU CPU speed Ram Flash USB Serial JTag
IBM PowerPC 405EP 133 Mhz 32Mib 16MiB No Yes ?

More on the processor: powerpc.405ep.pdf

Info

Architecture: PowerPC
Vendor: IBM
Bootloader: Das U-Boot
CPU/Speed: PowerPC 405EP/133 Mhz
EEPROM: ST M27W101 / 128 KiB
Flash-Chip: Toshiba TC58DVM72A1FT00 (NAND)
Flash size: 16 MiB
RAM-chip: Infineon HYB39S128160CT-7
RAM: 32 MiB
Wireless: Atheros AR5212A 802.11a/b/g (mini-pci)
Ethernet: 2 eth, Altima AC101L
USB: no
Serial: Yes (Maxim MAX3225E)
JTAG: Yes

Photos

Main PCB

Photo of PCB

Serial

There is a wired RJ12 external port located between the two Ethernet ports. The pinout is as shown below:

Facing the router ports

PoE/Local 1 2 3 4 5 6 Cloud/WAN
Left blu yel grn red blk wht Right Reference only
X TX RX GND X Connection

At this time there is no method to make the serial port of any use. It can be enabled by editing the router's Configuration File by hand, and re-uploading it. If (via the aforementioned method) one were to enable both the physical port and the TCPSERIALBRIDGE they would see that these ports echo to each other. Therefore confirming the pinout and operation.

JTAG

JTAG ID processor version register
0x20267049 0x51210950

This is the JTAG at the CPU (not the board):

And this is the JTAG at the board:

It seems the connector matches to this one:

IBM 4XX 16-PIN (JTAG RISCWATCH)
AMONTEC REF: IBM16
NAME: IBM 4xx
CATEGORY: JTAG
TARGET: IBM 4xx
COMMENT: IBM also calls RISCWatch.
CONNECTOR: 16-pin Header (2.54mm)
CONNECTOR TYPE: dual
TDO o 1 2 nc -
TDI i 3 4 i nTRST
HALTED o 5 6 p VREF
TCK i 7 8 nc -
TMS i 9 10 nc -
HALT i 11 12 p GND
nSRST od 13 14 k KEY
- nc 15 16 p GND

Firmware

Bootloader

Please someone provide a backup of the bootloaderdanitool 2012/01/21 23:14

Ask and ye shall receive.

http://filebin.ca/tGNXMCPGZap/cn3200_rom.bin - Firmware v4.2.1.0-03-5281

Acquiring the boot ROM

The above bootloader ROM image was acquired by de-soldering the EEprom and reading it out. Using an Arduino MEGA if anyone is interested.

Analysis

At the top of the ROM (0x64 - 0x73) there is an identifier "Colubris_BID_$$$" (ASCII), followed by a date stamp (0x8f - 0xAF) "Boot 3.1 (Mar 10 2004 - 13:48:52)" (ASCII).

Most of the data in the ROM appears to be machine instructions for the PPC processor. These are PowerPC big endian instructions, and function prologues are identifiable by the signature 0x7C0802A6 and epilogue 0x4E800020.

Further analysis of the boot ROM shows that there is a section where the Das U-BOOT bootloader is used. Specifically Das U-BOOT specific string start showing up at 0x1B9D0, if not earlier around 0x1B730 or 0x1B620.

Flash System Image

I am working on providing a backup of the system imageDataPtr 2013/09/02 02:18

Software

HTTP Server

This router is using the "GoAhead (Embedded) Web Server" by EmbedThis Web Technologies.

http://embedthis.com/products/goahead/

The server runs the following TCP ports: 8082, 8081, 8080, 443, 80

SSH Server

It appears that this router uses SSH-2.0-OpenSSH_3.8.1p1

sFTP Server

Connecting to the router using sFTP (sftp:192.168.1.1) with the admin credentials will dump the user into a "sftp-sandbox" specifically "/tmp/sftp-sandbox" which contains the file "firmware.cim. One seems to be unable to download this file, it is assumed that this is a placeholder for firmware upgrades. ==== OEM CLI ==== Around version 3 (3.1.1.5 for example) of the firmware the CLI over SSH option becomes available. In the routers management interface under the "Management > CLI" tab this can be enabled. === Shell Access === While in the OEM CLI switching to the "enable" context reveals the sh "Protected access to shell" option. Executing this option prompts the user for an "Answer" to a "Challenge." The challenge being a six-digit number from which the answer can be generated. ===== Tags =====

toh/colubris/cn3200.txt · Last modified: 2014/01/06 10:55 (external edit)