Looking for Microsemi SyncServer S600 firmware

[pcmoore]

Hello all,

I'm not entirely sure if this is the right forum (my thinking: it is a *network* time server) or if this request is even appropriate, but I figured I would give it a shot. Does anyone know where I could find a current, or even recent, firmware image for a Microsemi SyncServer S600? I got my hands on a used system for a reasonable price, but didn't do my full due diligence in making sure the firmware was freely available. I have an account on the Microchip/Microsemi support site, but it would appear that a support contract is necessary to get recent firmware

• SyncServer S600 - NTP and PTP Network Time Server | Microsemi

 

[Sparky]

Hello all,

I'm not entirely sure if this is the right forum (my thinking: it is a *network* time server) or if this request is even appropriate, but I figured I would give it a shot. Does anyone know where I could find a current, or even recent, firmware image for a Microsemi SyncServer S600? I got my hands on a used system for a reasonable price, but didn't do my full due diligence in making sure the firmware was freely available. I have an account on the Microchip/Microsemi support site, but it would appear that a support contract is necessary to get recent firmware

• SyncServer S600 - NTP and PTP Network Time Server | Microsemi

Hello,

I'm in the same situation -- I have a SyncServer S650 and also found the firmware updates at https://my.microsemi.com/ website are locked.

My unit is circa 2018 and has firmware 2.1.12.

Did you find a source for the firmware update?

 

[pcmoore]

Did you find a source for the firmware update?

Unfortunately, I did not. It's not even very easy figuring out what license(s) (?) I would need to purchase to enable software updates or additional features, e.g. other constellations beyond GPS. At some point I need to reach out to Microchip/Microsemi to clarify what I need, but based on other anecdotes about the company I'm not holding out much hope. If you do find something, or even just clarification on what is needed to update the firmware, enable additional capabilities, etc. please let us know!

On the other hand, both Meinberg and Safran/Orolia/Spectracom have been extremely helpful when I've contacted them as a hobbyist looking for service, parts, etc.

 

[oneplane]

I'm surprised they are still used when a box with an NTP or PTP daemon and PPS and satellite source can just be plugged in for the same accuracy and reliability. For certification or contractual scenarios it might still be the way to do it, but other than that I'm not sure.

As for the firmware, sometimes you can find them elsewhere if you know the filename or a hash. Those get published freely by some vendors.

 

[pcmoore]

I'm surprised they are still used when a box with an NTP or PTP daemon and PPS and satellite source can just be plugged in for the same accuracy and reliability. For certification or contractual scenarios it might still be the way to do it, but other than that I'm not sure.

These boxes can typically offer things that are difficult to easily replicate on a standard server box; examples include multiple time code, frequency, and pulse outputs as well as comparator inputs for the same. There is also the issue of the time reference and holdover oscillators, while it is very possible to get a reasonable device which you can plug into your own server, I suspect the cost and setup/maintenance burden would outweigh the cost of the dedicated timing box for all but large datacenter/hyperscale users.

As for the firmware, sometimes you can find them elsewhere if you know the filename or a hash. Those get published freely by some vendors.

I could be wrong, but on these particular boxes I believe it isn't as simple as just finding the firmware, you also need a license key installed to "unlock" the firmware.

 

[Sparky]

Unfortunately, I did not. It's not even very easy figuring out what license(s) (?) I would need to purchase to enable software updates or additional features, e.g. other constellations beyond GPS. At some point I need to reach out to Microchip/Microsemi to clarify what I need, but based on other anecdotes about the company I'm not holding out much hope. If you do find something, or even just clarification on what is needed to update the firmware, enable additional capabilities, etc. please let us know!

On the other hand, both Meinberg and Safran/Orolia/Spectracom have been extremely helpful when I've contacted them as a hobbyist looking for service, parts, etc.

Thanks for replying! It's unfortunate there is this obstacle to getting firmware updates :/

What I understand about the hardware and options so far is:
1. In late 2018 the GNSS module was updated to a newer version to allow support for additionsl GPS constellations (e.g. BeiDou). Aparently you can get HW updated (probably at a cost involved).
2. In additional to security resolutions and bug fixes, new features are added to the FW. Thus, it's necessary to update to more recent firmware to get access to the new features.
3. Some new features are optional and activated via licensing.

I will be looking into the possibiltiy of GNSS module update and will reply back once I find out what is involved.

I'm surprised they are still used when a box with an NTP or PTP daemon and PPS and satellite source can just be plugged in for the same accuracy and reliability. For certification or contractual scenarios it might still be the way to do it, but other than that I'm not sure.

As for the firmware, sometimes you can find them elsewhere if you know the filename or a hash. Those get published freely by some vendors.

Other than a simple NTP server I am interested in the more advanced features (configurable sine, pulse, timecode outputs, interval timing, etc.)

Thanks for the idea to search for firmware based on filename. I have tried to guess the filename but haven't found anything related yet. I'll keep looking!

 

[Sparky]

I could be wrong, but on these particular boxes I believe it isn't as simple as just finding the firmware, you also need a license key installed to "unlock" the firmware.

I haven't seen anything that indicates a license is required to install firmware updates...but I might be wrong...I haven't got too far into it yet.

For sure, though, license keys are required to activate optional features of the firmware.

 

[nasbdh9]

The advantage of these proprietary boxes is the out-of-the-box clock reference source and PPS output, plus a beautiful webui.

If you just need an NTP/PTP server using GPS clock source, you only need a NEO-M8N module plus a Linux device with COM/UART interface and support for pulse input (depending on whether PTP is required to add PCIe with PTP function Network card), the time accuracy provided in this way is sufficient for 99.9% of home laboratories, and the disadvantages are also obvious. The clock source of the device itself is not accurate. For example, when using some thin clients as servers, the time of the device itself within 24 hours Jitter can be as high as 1 second.

 

[oneplane]

The advantage of these proprietary boxes is the out-of-the-box clock reference source and PPS output, plus a beautiful webui.

If you just need an NTP/PTP server using GPS clock source, you only need a NEO-M8N module plus a Linux device with COM/UART interface and support for pulse input (depending on whether PTP is required to add PCIe with PTP function Network card), the time accuracy provided in this way is sufficient for 99.9% of home laboratories, and the disadvantages are also obvious. The clock source of the device itself is not accurate. For example, when using some thin clients as servers, the time of the device itself within 24 hours Jitter can be as high as 1 second.

I think a rubidium PPS source combined with GPS clock is plenty accurate for almost all small scale setups, commercial or otherwise. Considering lots of legacy networks are still addicted to AD NTP services I don't see sub-microsecond accuracy as relevant. I'm also not sure what a WebUI does for a set-and-forget system, especially when you'd mostly be interested in a pass/fail alarm type of signal.

Now, this is all referenced to a computer scenario, not a metrology or science experiments or something like that. But when I see 'network time server' I think computer networks, not instrument networks

This all would probably also change (in computer networks too) if we were more on the PTP side of accuracy and latency, but even then, the software (and hardware) used in computer networks outside of that scope is rather... timeless? Even an OCXO would be miles ahead of whatever a PC has for timekeeping.

 

[Sparky]

Unfortunately, I did not. It's not even very easy figuring out what license(s) (?) I would need to purchase to enable software updates or additional features, e.g. other constellations beyond GPS. At some point I need to reach out to Microchip/Microsemi to clarify what I need, but based on other anecdotes about the company I'm not holding out much hope. If you do find something, or even just clarification on what is needed to update the firmware, enable additional capabilities, etc. please let us know!

@pcmoore : I attached documention I found regarding Software support and Options (oops, file too large -- screenshot below). Unfortunately access to FW updates is subscription based -- it's pretty lame that even after purchasing equipment you have to shell out $ for bug fixes and security updates!

 

[pcmoore]

@pcmoore : I attached documention I found regarding Software support and Options (oops, file too large -- screenshot below). Unfortunately access to FW updates is subscription based -- it's pretty lame that even after purchasing equipment you have to shell out $ for bug fixes and security updates!

View attachment 31304

That matches my understanding, and yes, I completely agree that blocking security updates on a subscription fee is a poor practice for many reasons.

Did you happen to get part numbers and/or cost estimates for the firmware update subscription? I might consider purchasing a subscription once every few years to get a firmware update, but that would require a reasonable subscription cost which I'm not confident exists.

 

[oneplane]

Looks like S600 2 Year is €314 on a dutch reseller website.
You can also see the current latest version at http://update.microsemi.com/SyncServer_S600 (It's Enterprise so they don't have TLS, twice as expensive, half as good).

The user guide also shows the GUI should have a self-update button? Not just the section where you upload two files manually.

 

[Sparky]

That matches my understanding, and yes, I completely agree that blocking security updates on a subscription fee is a poor practice for many reasons.

Did you happen to get part numbers and/or cost estimates for the firmware update subscription? I might consider purchasing a subscription once every few years to get a firmware update, but that would require a reasonable subscription cost which I'm not confident exists.

No, I haven't yet inquired about the cost of 1Yr Software Support. I will check it out and update.

"Part numbers" for the Software Subscription is indicated in the PDF I attached. Screenshot here:

 

[oneplane]

HTTP/1.1 200 OK
Accept-Ranges: bytes
Connection: close
Content-Length: 27
Content-Type: text/html; charset=UTF-8
Date: Tue, 29 Aug 2023 21:00:25 GMT
ETag: "21c05ad-1b-5177711754b40"
Last-Modified: Mon, 01 Jun 2015 16:10:45 GMT
Server: Apache/2.2.15 (CentOS)

So eh, this update server runs on an ancient unpatched Apache and CentOS version, with no TLS. Which includes arbitrary file read, filesystem traversal and remote code execution. Great.

It appears there are some 9.x scores for this version as well (Apache Http Server version 2.2.15 : Security vulnerabilities, CVEs). Here is some irony to make this even more fun: Network Time Servers: Is Security Hardening Disclosure a Roadmap for Exploitation? « Microsemi


While it would probably not be wise to privateer the firmware files you desire, it's not impossible either

 

[Sparky]

Looks like S600 2 Year is €314 on a dutch reseller website.
You can also see the current latest version at http://update.microsemi.com/SyncServer_S600 (It's Enterprise so they don't have TLS, twice as expensive, half as good).

The user guide also shows the GUI should have a self-update button? Not just the section where you upload two files manually.

I did not see a "self update" option in the GUI. There is, however, an option for the SyncServer to automatically check if there are software updates available, which queries the URL you indicated and reports the firmware version available into the GUI or CLI.

 

[Sparky]

Here is some irony to make this even more fun: Network Time Servers: Is Security Hardening Disclosure a Roadmap for Exploitation? « Microsemi

LOL, I had not seen that article before. If Microchip/Microsemi really believe security is crucial -- and it seems they do by touting the "hardening" of their products -- then the updates should be readily available for free.

 

[Slothstronaut]

Picked up one of these units as well, Microsemi so far has been silent when asking for help on this. Might bite the bullet and pay for the support but I'm also open to exploiting this machine, surely there is a way in

 

[Slothstronaut]

Well, I tried to purchase a 1 year support plan and after about 3 weeks of back and forth they cancelled the order because it was "no longer available". Anyone have any luck with this or can @oneplane provide a link to the reseller you found? If i can get ahold of the new firmware it would help a lot to RE it.

Thanks!

 

[Sparky]

Picked up one of these units as well, Microsemi so far has been silent when asking for help on this. Might bite the bullet and pay for the support but I'm also open to exploiting this machine, surely there is a way in

Just curious what model you have (S600, S650) and the year of build?

The serial number is something like SCAyyww... where `yy` is the year (20yy) and `ww` is the week number. My S650 is from mid 2018 and had FW 2.x.y. which is rather old.

A recent FW upgrade file would be a huge help!!

 

[Slothstronaut]

Mine is a bit older and running basically the first firmware that was available 1.5.0. It works, and it doesn't really have any issues that need fixed but id really like more up to date firmware to get away from all the security issues.

At the same time, older firmware usually means hacking features is a lot easier...

I can see the bootup via serial console, but trying to interrupt the uboot doesnt work which means either they set a specific keystroke for the interrupt or they disabled it altogether. I see there is an I2C bus connected to the onboard flash, so might be worth trying to dump the flash chip that way.