I recently picked up a relatively new Symmetricom XLi GPS Time and Frequency System. It is useful as a 10 MHz lab reference in its base configuration, however I wanted to use it as an NTP server. My unit didn't have any software options, and the NTP license is $1k, over 3x what I paid for the XLi.
I poked around the firmware images available from Microsemi and found two undocumented commands (F100 ID, F100 SHELL). By default these are invalid.
Trying 10.0.1.206...
Connected to 10.0.1.206.
Escape character is '^]'.
WELCOME TO SYMMETRICOM NETWORK INTERFACE!
USER NAME: operator
PASSWORD: *****
NETWORK INTERFACE 192-8001 (c) 1998 - 2010 SYMMETRICOM
ALL RIGHTS RESERVED
LOGIN SUCCESSFUL!
>F100 SHELL
ERROR: INVALID COMMAND
The manual provides a clue to why this doesn't work. There is a "factory jumper" on the CPU board. This can be accessed by removing the top cover, or removing the CPU card. Install the jumper (JP3) and...
Trying 10.0.1.206...
Connected to 10.0.1.206.
Escape character is '^]'.
WELCOME TO SYMMETRICOM NETWORK INTERFACE!
USER NAME: operator
PASSWORD: *****
NETWORK INTERFACE 192-8001 (c) 1998 - 2010 SYMMETRICOM
ALL RIGHTS RESERVED
LOGIN SUCCESSFUL!
>
>F100 SHELL
shell restarted.
->
The XLi runs vxworks and the shell provides complete access to the system memory. I was fortunate enough to have access to another XLi with a valid license. I dumped the memory of that unit with the license installed and with it removed. A diff of the two files showed a couple locations that changed. The magic spot was 0x00334db0.
I should mention that the F100 ID command dumps all the user names and passwords. These include some "backdoor" accounts that are only enabled with the factory jumper in place.
Login over telnet and start the shell. The d command will display the memory contents at the address of interest.
-> d 0x00334db0
00334db0: 0001 0000 c6ce 0002 001e 0000 0000 0000 *................*
Bit 0 in that dword enables the NTP option, bit 1 the TIET option, bit 2 the PPO option, and bit 3 enables the FREQ MEAS option. The first word reading "0001" shows I have the NTP option enabled on this unit already.
The easy to way verify these options is to login in through the RS-232 interface simultaneously and use the F117 command.
SYSTEM POWER ON SELF TEST RESULTS:
SERIAL LOOPBACK TEST PASSED.
RAM TEST PASSED.
.PROG CRC TEST PASSED
NETWORK INTERFACE 192-8001 (c) 1998 - 2010 SYMMETRICOM
ALL RIGHTS RESERVED
FLASH FILE SYSTEM MOUNTED.
SOURCE FILE /config/truetime.conf BYTES READ: 1716
FILE SYSTEM REV # 1.106
SCAN_FOR_OPT_CARD BEGINS.
FOUND @ ADDR 30001000H, ID NUM= 87-8028-02
SCAN_FOR_OPT_CARD ENDS.
INSTALL_SMART_OPTIONS BEGINS.
FOUND GPS M12 CARD; QTY=1, ID#=80280002H.
INSTALL_SMART_OPTIONS ENDS.
RAPIDCONTROL FOR XLi WEB SERVER RUNNING.
QUERYING FOR SYMMETRICOM DEVICE. PLEASE WAIT...
SYMMETRICOM GPS DEVICE.
XLi
INITIALIZATION SUCCESSFULLY COMPLETED.
>NOTICE: A NEW TELNET SESSION HAS BEEN STARTED ON THE INTERNET PORT!
>F117
NOTICE: THERE IS ALREADY A TELNET SESSION ON THE INTERNET PORT!
NOTICE: YOU HAVE TAKEN CONTROL AWAY FROM THE TELNET SESSION!
F117 SN XXXXXXXX
NTP ENABLE
FREQ MEAS DISABLE
TIET DISABLE
PPO DISABLE
Back in the telnet session change the least significant byte to 0xF using the m command to modify the memory. ^C to return to the shell.
-> m 0x00334db0
00334db0: 0001-0x000F
00334db2: 0000-18928c vxTaskEntry +28 : shell ()
1a79c4 shell +14c: 1a7a04 ()
1a7bf0 shell +378: execute ()
1a7d88 execute +c0 : yyparse ()
2040d0 yyparse +64c: 202540 ()
202690 yystart +7d4: m ()
1a5488 m +110: fioRdString ()
18b6e4 fioRdString +38 : read ()
198c04 read +c : iosRead ()
1e3a58 iosRead +a4 : 1a3fc0 ()
1a3fcc ptyDevCreate +18c: semQPut ()
tShell restarted.
Verify the options have been enabled in the serial session by issuing another F117 command.
>F117
F117 SN XXXXXXXX
NTP ENABLE
FREQ MEAS ENABLE
TIET ENABLE
PPO ENABLE
Write these changes to flash by issuing a valid command over the serial interface that will update nonvolatile memory. I changed the gateway IP address, it can be changed back later.
>F100 G 0.0.0.0
OK
RESETTING THE UNIT
PLEASE WAIT...
>SYSTEM POWER ON SELF TEST RESULTS:
SERIAL LOOPBACK TEST PASSED.
RAM TEST PASSED.
.PROG CRC TEST PASSED
NETWORK INTERFACE 192-8001 (c) 1998 - 2010 SYMMETRICOM
ALL RIGHTS RESERVED
FLASH FILE SYSTEM MOUNTED.
SOURCE FILE /config/truetime.conf BYTES READ: 1716
FILE SYSTEM REV # 1.106
SCAN_FOR_OPT_CARD BEGINS.
FOUND @ ADDR 30001000H, ID NUM= 87-8028-02
SCAN_FOR_OPT_CARD ENDS.
INSTALL_SMART_OPTIONS BEGINS.
FOUND GPS M12 CARD; QTY=1, ID#=80280002H.
INSTALL_SMART_OPTIONS ENDS.
RAPIDCONTROL FOR XLi WEB SERVER RUNNING.
QUERYING FOR SYMMETRICOM DEVICE. PLEASE WAIT...
SYMMETRICOM GPS DEVICE.
XLi
INITIALIZATION SUCCESSFULLY COMPLETED.
>F117
F117 SN XXXXXXXX
NTP ENABLE
FREQ MEAS ENABLE
TIET ENABLE
PPO ENABLE
>
After restarting all options are permanently enabled. The same status should also be present in the web interface. Enjoy