Page 1 of 1
|
[ 12 posts ] |
|
| Author |
Message |
|
Bugs
Joined: 23 Sep 2008, 12:16 Posts: 6 Location: United Kingdom
|
 Hacking a 3com AP
Hi,
I have a wireless building-to-building bridge from 3COM (3CRWEASYA73). I was sent a firmware upgrade to enable it to work in the UK, and it turned out the firmware was for a different AP; subsequently the AP is bricked. Is there any way anyone knows of to unbrick it?
The 3com PC software doesn't detect it at all. I plug it in, the lights come on, but I can't detect it. I've tried pinging the default IP, nothing; connecting via the console port using HyperTerminal, PuTTY, Telnet, and still nothing. I've tried starting up and pinging it to see if it goes into a BIOS state to begin with, but nothing.
I've searched the net; there's lots if you've bricked a WRT54G but nothing about 3com. Is there anything else I can try, or is it doomed to the scrap heap?
Thanks
|
| 23 Sep 2008, 12:23 |
|
 |
|
rawsock
Administrator
Joined: 01 Dec 2007, 20:56 Posts: 65 Location: Poland
|
 Re: Hacking a 3com AP
Could you post a few hi-res pictures of your AP's interior (PCB)? It could be possible to connect to a serial port and see if it outputs anything. Sometimes it is possible to locate a serial port by just looking at the PCB.
_________________ Regards, www.hwhack.com admin
|
| 23 Sep 2008, 12:50 |
|
 |
|
Bugs
Joined: 23 Sep 2008, 12:16 Posts: 6 Location: United Kingdom
|
 Re: Hacking a 3com AP
Here are some pics; they aren't fantastically high, but they illustrate the point. If any more are needed I'll get some more.
As you can see there is a console port, but I'm getting no response from it.
|
| 24 Sep 2008, 06:55 |
|
 |
|
rawsock
Administrator
Joined: 01 Dec 2007, 20:56 Posts: 65 Location: Poland
|
 Re: Hacking a 3com AP
I can't see any "obvious" serial port pins, but that doesn't mean it does not have one. There are many test points, especially in the middle-right edge of the PCB. You could search for the serial Tx pin by attaching a piezo buzzer (http://en.wikipedia.org/wiki/Buzzer) between ground and each of the test points. When you reboot and the buzzer makes some noise for a while, there is a big chance it is the serial Tx pin.
The console port available on the case could be useless since it may be initialized by software once it is booted. However, you could trace its wires right to the PCB. It could give you a hint on where a real low-level serial port is.
Alternatively you could connect the AP to an Ethernet HUB (not a switch) together with a PC. Launch a network sniffer and boot your AP. Investigate if it sends any packet during (unsuccessful) boot. It could give some info about the current state of the FW. If you can see no packet coming, the only way is to look for a serial port or JTAG. Finding JTAG, however (if it exists), is much more complicated (see the JTAG finder project posted here: http://www.hwhack.com/electronics/jtag-finder-hardware-project-t593.html).
_________________ Regards, www.hwhack.com admin
|
| 25 Sep 2008, 06:56 |
|
 |
|
Bugs
Joined: 23 Sep 2008, 12:16 Posts: 6 Location: United Kingdom
|
 Re: Hacking a 3com AP
Thanks for the info, it does give me a starting point. The AP does output some data on bootup through the console port, because when I connected it and used HyperTerminal, I'd restart it and characters would appear. Even if I do find the serial port, what would be my next step?
|
| 25 Sep 2008, 07:31 |
|
 |
|
rawsock
Administrator
Joined: 01 Dec 2007, 20:56 Posts: 65 Location: Poland
|
 Re: Hacking a 3com AP
It depends on what kind of output you will see on the serial port. If, as you say, your console prints something during reboot it may mean that in fact it serves as a low-level serial port as well. Make sure you have correct terminal settings set up in HyperTerminal. Try different speeds if the default does not work.
Once you get human-readable output, look for any info that may help you in manually loading correct FW image. If this AP supports it, you could - for example - terminate autoloading process with some key combination and thus get boot loader command prompt.
_________________ Regards, www.hwhack.com admin
|
| 25 Sep 2008, 16:32 |
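Added example, not part of the thread: one way to run the "try different settings" advice above as a sweep, scoring each capture by how much of it is printable text. The speed list, flow-control list, function names and sample bytes are assumptions for illustration; `capture` needs pyserial and the device attached.

```python
import string
import time

# Assumed sweep values; the thread does not say which settings finally worked.
BAUD_RATES = (9600, 19200, 38400, 57600, 115200)
FLOW_MODES = ("none", "xonxoff", "rtscts")
_PRINTABLE = frozenset(string.printable.encode("ascii"))

def readability(data):
    """Fraction of captured bytes that are printable ASCII (0.0 if nothing arrived)."""
    if not data:
        return 0.0
    return sum(b in _PRINTABLE for b in data) / len(data)

def rank(captures):
    """Order the keys of {(baud, flow): bytes} best-first: readability, then volume."""
    return sorted(captures,
                  key=lambda k: (readability(captures[k]), len(captures[k])),
                  reverse=True)

def capture(port, baud, flow, seconds=8.0):
    """Record what the device prints while it boots (pyserial + hardware needed)."""
    import serial  # pyserial; imported here so the scoring above runs without it
    buf = bytearray()
    with serial.Serial(port, baud, timeout=0.2,
                       xonxoff=(flow == "xonxoff"),
                       rtscts=(flow == "rtscts")) as tty:
        deadline = time.monotonic() + seconds
        while time.monotonic() < deadline:
            buf += tty.read(256)
    return bytes(buf)

def sweep(port):
    """Try every speed / flow-control pair, power-cycling the unit before each."""
    results = {}
    for baud in BAUD_RATES:
        for flow in FLOW_MODES:
            input(f"Power-cycle the AP, then press Enter ({baud} baud, flow={flow})")
            results[(baud, flow)] = capture(port, baud, flow)
    return rank(results)

# Constructed captures standing in for three attempts at the same boot banner.
SAMPLE = {
    (9600, "none"): b"ar531x rev 0x00005742 firmware startup...\r\nSDRAM TEST...PASSED\r\n",
    (115200, "none"): bytes([0x00, 0xFE, 0x98, 0x1E, 0xE0, 0x80, 0x78, 0xF8]),
    (9600, "rtscts"): b"",
}
```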
|
 |
|
Bugs
Joined: 23 Sep 2008, 12:16 Posts: 6 Location: United Kingdom
|
 Re: Hacking a 3com AP
Hi Rawsock, SUCCESS!!!! well some anyone played about with hyper terminal, tried all the speeds, didn't get anything, then I tried turning the flow control off; now I'm getting a readable output so I can see the SDRAM tests and the firmware loading. I tried just sending my good copy of the firmware, which sent fine to it; it did go rather fast at the end but came up with no errors. I tried detecting it with the 3com software and it still appears to be in the same state. I've attached the hyperterminal output; see if there are any clues in there.
Thanks
Code:
ar531x rev 0x00005742 firmware startup...
SDRAM TEST...PASSED
Boot-Shim Version: 1.0.1
Boot-Shim Booting...
The Pressed-time of Reset Button is 0 seconds
Selecting SoftwareLoad Now!
Selected the FAT SoftwareLoad!
Starting at 0xbe060000...
ar531x rev 0x00005742 firmware startup...
SDRAM TEST...PASSED
Boot Code version: 1.2.3
0 auto-booting...
Attached TCP/IP interface to ae0.
Warning: no netmask specified.
Attaching network interface lo0... done.
Attaching to TFFS... Attaching to TFFS... done.
Wait for reset , 4 ..3 ..2..1..0
Loading /fl/3com-img.bin...Boot web up ... 18984 + 2361280 + 105600
Starting at 0x80880000...
ar5212GetMacAddr: EEPROM MAC 00:18:6e:12:3d:03
ar5212GetMacAddr: EEPROM MAC 00:18:6e:12:3d:05
ar5212GetMacAddr: EEPROM MAC 00:18:6e:12:3d:07
ar5212GetMacAddr: EEPROM MAC 00:18:6e:12:3d:09
ar5212GetMacAddr: EEPROM MAC 00:18:6e:12:3d:02
ar5212GetMacAddr: EEPROM MAC 00:18:6e:12:3d:04
ar5212GetMacAddr: EEPROM MAC 00:18:6e:12:3d:06
ar5212GetMacAddr: EEPROM MAC 00:18:6e:12:3d:08
wdsLinkEndStart called, wdsIfId = 0x10000000
wdsLinkEndStart called, wdsIfId = 0x10000001
wdsLinkEndStart called, wdsIfId = 0x10000002
wdsLinkEndStart called, wdsIfId = 0x10000003
wdsLinkEndStart called, wdsIfId = 0x10000004
wdsLinkEndStart called, wdsIfId = 0x10000005
wdsLinkEndStart called, wdsIfId = 0x10010000
wdsLinkEndStart called, wdsIfId = 0x10010001
wdsLinkEndStart called, wdsIfId = 0x10010002
wdsLinkEndStart called, wdsIfId = 0x10010003
wdsLinkEndStart called, wdsIfId = 0x10010004
wdsLinkEndStart called, wdsIfId = 0x10010005
Attached TCP/IP interface to ae unit 0
Attaching interface lo0...done
/fl/ - Volume is OK
Attached TCP/IP interface to ae unit 0
Attached TCP/IP interface to ar unit 0x0200
Attached TCP/IP interface to ar unit 0x0201
Attached TCP/IP interface to ar unit 0x0202
Attached TCP/IP interface to ar unit 0x0203
Attached TCP/IP interface to ar unit 0x1300
Attached TCP/IP interface to ar unit 0x1301
Attached TCP/IP interface to ar unit 0x1302
Attached TCP/IP interface to ar unit 0x1303
Attached TCP/IP interface to wds unit 0x0000
Attached TCP/IP interface to wds unit 0x0001
Attached TCP/IP interface to wds unit 0x0002
Attached TCP/IP interface to wds unit 0x0003
Attached TCP/IP interface to wds unit 0x0004
Attached TCP/IP interface to wds unit 0x0005
Attached TCP/IP interface to wds unit 0x1000
Attached TCP/IP interface to wds unit 0x1001
Attached TCP/IP interface to wds unit 0x1002
Attached TCP/IP interface to wds unit 0x1003
Attached TCP/IP interface to wds unit 0x1004
Attached TCP/IP interface to wds unit 0x1005
Watch Exception
Exception Program Counter: 0x801e0e28
Status Register: 0x1000ec01
Cause Register: 0x1080005c
Task: 0x81fffdf0 "tRootTask"
Trace exception task's stack, begin!
801d99f4 : 801d6110 (ffffffff, 81fff8d8, 8000, 0)
801d65b8 : 801e0c94 (81f29880, 81f2a7f0, eeeeeeee, eeeeeeee )
0x801e0e10 00851821 addu v1,a0,a1
0x801e0e14 94620000 lhu v0,0(v1)
0x801e0e18 8fa30130 lw v1,304(sp)
0x801e0e1c 00431024 and v0,v0,v1
0x801e0e20 104000c0 beqz v0,0x801e1124
0x801e0e24 8fa40140 lw a0,320(sp)
0x801e0e28 96a20000 lhu v0,0(s5)
0x801e0e2c 0000a021 move s4,zero
0x801e0e30 1040005f beqz v0,0x801e0fb0
0x801e0e34 00401821 move v1,v0
0x801e0e38 0000b821 move s7,zero
0x801e0e3c 0000b021 move s6,zero
End!
Watch Exception
Exception Program Counter: 0x801e0e28
Status Register: 0x1000ec01
Cause Register: 0x1080005c
Task: 0x81fffdf0 "tRootTask"
remove bridge port ae0
ar531x rev 0x00005742 firmware startup...
SDRAM TEST...PASSED
Boot-Shim Version: 1.0.1
Boot-Shim Booting...
The Pressed-time of Reset Button is 0 seconds
Selecting SoftwareLoad Now!
Selected the FAT SoftwareLoad!
Starting at 0xbe060000...
ar531x rev 0x00005742 firmware startup...
SDRAM TEST...PASSED
Boot Code version: 1.2.3
2
|
| 26 Sep 2008, 12:41 |
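Added example, not part of the thread: a Python triage of the console capture posted above, pulling out the loaded image, the fault record and whether the unit reset afterwards. The Cause register decoding assumes the MIPS32 layout (suggested by the ar531x banner and the MIPS mnemonics in the dump, not stated in the thread); function names are illustrative.

```python
import re

# Lines copied from the console capture in the post above (shortened).
BOOT_LOG = """\
Boot-Shim Version: 1.0.1
Boot Code version: 1.2.3
Loading /fl/3com-img.bin...Boot web up ... 18984 + 2361280 + 105600
Starting at 0x80880000...
Watch Exception
Exception Program Counter: 0x801e0e28
Status Register: 0x1000ec01
Cause Register: 0x1080005c
Task: 0x81fffdf0 "tRootTask"
remove bridge port ae0
Boot-Shim Version: 1.0.1
"""

# Assumption: MIPS32 Cause register, ExcCode in bits 6..2 and BD in bit 31.
EXC_CODES = {0: "Int", 4: "AdEL", 5: "AdES", 6: "IBE", 7: "DBE",
             10: "RI", 23: "WATCH"}
LOAD_RE = re.compile(r"Loading (\S+?)\.\.\..*?(\d+) \+ (\d+) \+ (\d+)\s+"
                     r"Starting at (0x[0-9a-f]+)", re.S)
FAULT_RE = re.compile(r'Exception Program Counter: (0x[0-9a-f]+).*?'
                      r'Cause Register: (0x[0-9a-f]+).*?Task: \S+ "(\w+)"', re.S)
BANNER = "Boot-Shim Version"

def decode_cause(cause):
    """Split a Cause register value into exception code, name and BD flag."""
    code = (cause >> 2) & 0x1F
    return {"code": code, "name": EXC_CODES.get(code, "other"),
            "branch_delay": bool(cause >> 31)}

def triage(log):
    """Summarise a capture: what was loaded, where it faulted, whether it looped."""
    report = {"boots": log.count(BANNER), "image": None, "fault": None, "loop": False}
    load = LOAD_RE.search(log)
    if load:
        report["image"] = load.group(1)
        report["sizes"] = tuple(int(n) for n in load.group(2, 3, 4))
        report["entry"] = int(load.group(5), 16)
    fault = FAULT_RE.search(log)
    if fault:
        report["fault"] = dict(decode_cause(int(fault.group(2), 16)),
                               pc=int(fault.group(1), 16), task=fault.group(3))
        # A boot banner printed after the fault means the unit reset itself.
        report["loop"] = BANNER in log[fault.end():]
    return report

if __name__ == "__main__":
    print(triage(BOOT_LOG))
```

On this capture the exception code decodes to 23 (Watch), matching the "Watch Exception" text, and the boot banner reappearing after the fault marks a reset loop rather than a hang.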
|
 |
|
rawsock
Administrator
Joined: 01 Dec 2007, 20:56 Posts: 65 Location: Poland
|
 Re: Hacking a 3com AP
That's good. But I'm not sure if I understand what you have done. Did you manage to burn a new firmware? Did you do that over a serial port? If you still have problems, I can see that the boot loader waits for a reset button to be pressed. It will probably interrupt booting the firmware and give you a boot loader command prompt. Try pressing the reset button several times during boot or press it permanently and then boot. Try different combinations if nothing happens.
_________________ Regards, www.hwhack.com admin
|
| 27 Sep 2008, 12:25 |
|
 |
|
Bugs
Joined: 23 Sep 2008, 12:16 Posts: 6 Location: United Kingdom
|
 Re: Hacking a 3com AP
All I did was connect the AP via the console port to the serial port, and played about with the speed and flow control in HyperTerminal, and that's what I got. I noticed the counter as well talking about reset buttons; thing is, there doesn't appear to be a reset button that I can see. I've tried pulling the plug on it, which did nothing (TBH didn't really expect it to), so unless I can find some sort of reset button or jumper combination I'm stuck. I haven't managed to get a new firmware on it. First time I looked at it I managed to send a file to it, but don't think I completed the installation correctly; tried again but it has not allowed me to send a file on any setting.
edit: discovered that I can only upload a file when the AP is booting and on Y-Modem. Weird thing is, when uploading it says it will take around an hour, it gets to about 30k then shoots straight to the end, then it seems to corrupt and prints rubbish. There is a menu but options don't seem to work.
|
| 04 Oct 2008, 00:52 |
|
 |
|
rawsock
Administrator
Joined: 01 Dec 2007, 20:56 Posts: 65 Location: Poland
|
 Re: Hacking a 3com AP
Ok now I understand. It is strange that you cannot find a reset button. If it is not routed to a real button / jumper or anything visible, you have small chances to find it by yourself.
Did you try pressing Ctrl+C on the serial console during boot-up?
Another thing you could try is to unsolder the flash memory chip and put it into a programmer (note the 'Loading /fl/3com-img.bin'). But that is something to try if you are really desperate.
_________________ Regards, www.hwhack.com admin
|
| 07 Oct 2008, 22:05 |
|
 |
|
Bugs
Joined: 23 Sep 2008, 12:16 Posts: 6 Location: United Kingdom
|
 Re: Hacking a 3com AP
I've tried doing the CTRL+C thing does seem to do anything at all. I was thinking, what if I tried, while the AP is booting, shorting the pins on the console port?
|
| 08 Oct 2008, 18:54 |
|
 |
|
rawsock
Administrator
Joined: 01 Dec 2007, 20:56 Posts: 65 Location: Poland
|
 Re: Hacking a 3com AP
Console port normally contains only receive / transmit signals, so shorting any one of them is not a good idea. Anyway, if you plan to throw your AP away, I would first try to short everything that comes to my mind 
_________________ Regards, www.hwhack.com admin
|
| 08 Oct 2008, 20:56 |
|
 |
|
|