VLANs (and more shenanigans) on the Netgear GS108 “dumb” switch

Just as the blog’s tagline implies, I tend not to publish things before I have finished them to my own satisfaction. As that rarely happens, even the pieces that might be useful to someone do often not see the light of day.

Sometimes though, I manage to get fed up enough by the time I have sunk into a particular project to publish its unpolished parts anyway, which is how this blog happens.

Today, I present you with a summary of the fun I had with the Netgear GS108 switches roughly a year and a half ago. At that point in time, the GS108v4 was the most recent version of that series. As far as I can tell, this is still the case, so everything in this post should still apply. There should be no need to dismount the heat sink to check; if the PCB looks similar enough (especially the traces to the Ethernet ports), it should be the same chip.


A while ago I was looking for some dumb (i.e. simple fan-out) switches to extend my home network. While it would have been nice to get managed ones, all of the ones I know about either suck (such as the TP-Link TL-SG3210) and/or have a questionable management interface, only do 100 MBit (such as the old Catalyst switches you find on eBay) or are perfect, but way too expensive.

Anyway, I was stuck with my current setup, abusing an OpenWRT WiFi router as a combined AP and VLAN-capable switch (it does have L2-hardware-forwarding), but as it only has a few ports, I needed a few dumb switches and ended up with the Netgear GS108:

It’s cheap (<30 EUR on Amazon), has a metal enclosure and the 8 GigE ports I was looking for. All done. Let’s move on.

However, I could not resist the temptation to look inside:

Looks reasonably fine, but what might hide under that heat sink though?

A BCM53128! While the datasheet can be found on the internet and Broadcom even semi-officially publishes it itself on their community forum, they are in my personal opinion still a bunch of jerks who historically didn’t want you to use their hardware unless you are a Fortune 500 company buying millions of parts per year and would DMCA you into oblivion if you were trying as a hobbyist. This might have changed as a result of the acquisition by Avago, but I’m not going to take any chances and won’t publish any documentation excerpts here. You’ll have to believe me or exercise your Google-fu yourself.

The BCM53128 is actually a pretty nifty chip, which can (among other things) also run in a managed configuration and do 802.1Q-style VLANs. For configuration that goes beyond simple strapping pins in an unmanaged scenario such as this one, it also supports loading a configuration from an external SPI flash (shown below the lower right corner of the switch ASIC itself, 64k in this case). I wonder what’s inside?

(I did not reattach the heat sink here, it’s another box)

The bane of my existence, of course: Firmware.

$ hexdump -Cv dump-gs108.bin | head -n 50
00000000  02 00 ef e4 7f e8 7e 03  fd fc 22 02 29 1f 7f 08  |......~...".)...|
00000010  02 01 36 02 28 f3 90 ff  ff 12 08 94 ed f0 90 ff  |..6.(...........|
00000020  fd 12 08 94 eb f0 a3 ea  f0 a3 e9 f0 90 ff ff 12  |................|
00000030  08 94 85 22 83 85 23 82  a3 e0 fb a3 e0 fa a3 e0  |..."..#.........|
00000040  f9 4a 60 03 12 01 12 90  00 04 12 08 b8 e0 70 08  |.J`...........p.|
00000050  7b ff 7a 25 79 bb 80 22  90 00 04 12 08 b8 e0 b4  |{.z%y.."........|
00000060  01 08 7b ff 7a 25 79 c3  80 10 90 00 04 12 08 b8  |..{.z%y.........|
00000070  e0 b4 02 09 7b ff 7a 25  79 cb 12 01 12 12 01 2a  |....{.z%y......*|
00000080  85 22 83 85 23 82 ef f0  e0 ff 64 0a 60 04 ef b4  |."..#.....d.`...|
00000090  0d 16 90 00 04 12 08 b8  e0 fe 70 03 ff 80 4a ee  |..........p...J.|
000000a0  64 01 70 8e 7f 01 80 41  85 22 83 85 23 82 e0 b4  |d.p....A."..#...|
000000b0  1b 08 12 04 72 7f 0d 12  01 36 7f 0a 12 01 36 85  |....r....6....6.|
000000c0  22 83 85 23 82 e0 ff 64  59 60 04 ef b4 79 04 7f  |"..#...dY`...y..|
000000d0  01 80 16 85 22 83 85 23  82 e0 ff 64 4e 60 08 ef  |...."..#...dN`..|
000000e0  64 6e 60 03 02 00 32 7f  00 90 00 05 02 08 94 78  |dn`...2........x|
000000f0  7f e4 f6 d8 fd 75 22 a0  75 23 00 75 81 52 12 1d  |.....u".u#.u.R..|
00000100  0a 02 26 3d a5 58 90 1d  9e 02 1d 00 90 1f 78 02  |..&=.X........x.|
00000110  05 4a 90 27 a1 02 05 4a  90 27 dd 02 05 4a 90 24  |.J.'...J.'...J.$|
00000120  e9 02 05 4a 90 2a 39 02  05 4a 90 1d a3 02 1d 00  |...J.*9..J......|
00000130  90 1d a8 02 1d 00 90 29  b3 02 05 4a 90 1d ad 02  |.......)...J....|
00000140  1d 00 90 1d b2 02 1d 00  90 2a 2a 02 05 4a 90 00  |.........**..J..|
00000150  03 02 05 4a 90 1e c5 02  05 4a 90 22 d4 02 05 4a  |...J.....J."...J|
00000160  90 25 ee 02 05 4a 90 ea  b5 02 1d 88 90 f1 f9 02  |.%...J..........|
00000170  1d 88 90 29 72 02 05 4a  90 27 62 02 05 4a 90 25  |...)r..J.'b..J.%|
00000180  44 02 05 4a 90 27 1e 02  05 4a 90 28 55 02 05 4a  |D..J.'...J.(U..J|
00000190  90 26 d5 02 05 4a 90 1b  af 02 05 4a 90 1d b7 02  |.&...J.....J....|
000001a0  1d 00 90 2a 33 02 05 4a  90 1d bc 02 1d 00 90 fd  |...*3..J........|
000001b0  8d 02 1d 88 90 f4 ef 02  1d 88 90 de 29 02 1d 88  |............)...|
000001c0  90 ce 1e 02 1d 88 90 1d  c1 02 1d 00 90 be 0e 02  |................|
000001d0  1d 88 90 b6 bf 02 1d 88  90 bf a6 02 1d 88 90 ed  |................|
000001e0  09 02 1d 88 90 ec 79 02  1d 88 90 c3 a2 02 1d 88  |......y.........|
000001f0  90 e2 c2 02 1d 88 90 f5  53 02 1d 88 90 e3 78 02  |........S.....x.|
00000200  1d 88 90 a1 38 02 1d 88  90 d2 74 02 1d 88 90 fc  |....8.....t.....|
00000210  ca 02 1d 88 90 f9 4e 02  1d 88 90 d0 53 02 1d 88  |......N.....S...|
00000220  90 80 ff 02 1d 88 90 d4  7b 02 1d 88 90 fa f1 02  |........{.......|
00000230  1d 88 90 1d c6 02 1d 00  90 80 fc 02 1d 88 90 f1  |................|
00000240  86 02 1d 88 90 f8 f9 02  1d 88 90 f7 92 02 1d 88  |................|
00000250  90 f9 a0 02 1d 88 90 1d  cb 02 1d 00 90 1d d0 02  |................|
00000260  1d 00 90 fd 25 02 1d 88  90 fd 40 02 1d 88 90 fc  |....%.....@.....|
00000270  26 02 1d 88 90 e5 8a 02  1d 88 90 e7 84 02 1d 88  |&...............|
00000280  90 e9 72 02 1d 88 90 eb  e8 02 1d 88 90 ea 14 02  |..r.............|
00000290  1d 88 90 e8 29 02 1d 88  90 ba 99 02 1d 88 90 fc  |....)...........|
000002a0  e9 02 1d 88 90 a3 c4 02  1d 88 90 ed 95 02 1d 88  |................|
000002b0  90 cc fc 02 1d 88 90 e1  48 02 1d 88 90 9e 1a 02  |........H.......|
000002c0  1d 88 90 1d d5 02 1d 00  90 fd c0 02 1d 88 90 f5  |................|
000002d0  b5 02 1d 88 90 fd 07 02  1d 88 90 c6 02 02 1d 88  |................|
000002e0  90 c7 31 02 1d 88 90 d8  2b 02 1d 88 90 ee 18 02  |..1.....+.......|
000002f0  1d 88 90 fb 93 02 1d 88  90 c8 5f 02 1d 88 90 a8  |.........._.....|
00000300  d4 02 1d 88 90 c9 88 02  1d 88 90 96 ca 02 1d 88  |................|
00000310  90 ee 97 02 1d 88 90 c1  0c 02 1d 88 90 d9 f9 02  |................|

$ strings dump-gs108.bin | head -n 20
M`*~
MNOx {
J???
(null)
-PCIX
ERROR: Assertion failed: (%s) at %s:%u
@~B}
@~B}
%s Firmware
Version: %u.%02u.%02u.%02u
Date: %s %s
09:48:48
Oct 27 2011
 Switch init failed!
53128 Gigabit PHY Driver
5464 Gigabit PHY Driver
 %08lX: 
%02bX 
   %s
 [N/y]

More about the firmware in a minute. What’s also in there is a standard Broadcom configuration section, which the chip applies at boot. The config that shipped by default in my switches (SHA1: 2b8110fb53990b8be5b98251a3c1d5870f22c241) does LED, Jumbo frame and QoS configuration.

While the format is slightly underdocumented, it turns out that you can indeed also configure the VLAN settings from there. I’ve written a tool that patches an existing firmware file with a user-provided VLAN config (head over to the README in the repo for documentation on how to use it). The whole VLAN setup logic is basically taken from the Linux kernel driver for the B53 family.
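To make the "VLAN setup logic taken from the B53 driver" concrete, here is an added example of the port-membership model that driver uses (it is not the post’s patch tool, and not the kernel driver itself): every VLAN is a bitmask of member ports plus a bitmask of members that strip the tag on egress, and every port has a PVID used to classify untagged ingress frames. The 9-port mask (8 front ports plus port 8) and the table-entry packing in encode_vlan_entry() are assumptions from my reading of the kernel’s b53_regs.h; the port layout and VIDs in example_config() are constructed for illustration.

```python
"""802.1Q VLAN model in the members/untag/PVID style of the Linux B53 driver.

Added example; not the post's patch tool or the kernel driver. The entry
packing in encode_vlan_entry() (members in bits 0-8, untag mask shifted by 9)
is an assumption from my reading of drivers/net/dsa/b53/b53_regs.h.
"""
from dataclasses import dataclass, field

NUM_PORTS = 9          # assumption: 8 front ports + port 8 (CPU/IMP) on the BCM53128
PORT_MASK = (1 << NUM_PORTS) - 1
VTE_UNTAG_S = 9        # assumption: shift of the untag mask inside the table entry


@dataclass
class Vlan:
    members: int = 0   # bitmask of ports belonging to the VLAN
    untag: int = 0     # subset of members that send frames without a tag


@dataclass
class SwitchConfig:
    vlans: dict = field(default_factory=dict)  # vid -> Vlan
    pvid: dict = field(default_factory=lambda: {p: 1 for p in range(NUM_PORTS)})

    def add_port(self, vid, port, untagged=False, pvid=False):
        """Bookkeeping in the spirit of b53_vlan_add(): join a VLAN, optionally untagged/PVID."""
        if not 1 <= vid <= 4094 or not 0 <= port < NUM_PORTS:
            raise ValueError("vid/port out of range")
        vl = self.vlans.setdefault(vid, Vlan())
        vl.members |= 1 << port
        if untagged:
            vl.untag |= 1 << port
        else:
            vl.untag &= ~(1 << port)
        if pvid:
            self.pvid[port] = vid

    def table_entries(self):
        """{vid: packed table entry} for every configured VLAN."""
        return {vid: encode_vlan_entry(vl) for vid, vl in sorted(self.vlans.items())}

    def forward(self, ingress_port, vid=None):
        """Where does a frame go? vid=None means it arrived untagged.

        Returns (classified_vid, {egress_port: 'tagged'|'untagged'}); an empty
        dict means the frame is dropped (ingress port is not a member).
        """
        if vid is None:
            vid = self.pvid[ingress_port]      # untagged ingress: classify by PVID
        vl = self.vlans.get(vid)
        if vl is None or not vl.members & (1 << ingress_port):
            return vid, {}                     # ingress filtering: drop
        out = {}
        for p in range(NUM_PORTS):
            if p != ingress_port and vl.members & (1 << p):
                out[p] = "untagged" if vl.untag & (1 << p) else "tagged"
        return vid, out


def encode_vlan_entry(vl):
    """Pack members/untag into one entry value (layout is an assumption, see above)."""
    if vl.untag & ~vl.members:
        raise ValueError("untag mask must be a subset of members")
    return ((vl.untag & PORT_MASK) << VTE_UNTAG_S) | (vl.members & PORT_MASK)


def example_config():
    """Constructed layout: ports 0-3 access VLAN 10, ports 4-6 access VLAN 20, port 7 trunk."""
    cfg = SwitchConfig()
    for p in range(0, 4):
        cfg.add_port(10, p, untagged=True, pvid=True)
    for p in range(4, 7):
        cfg.add_port(20, p, untagged=True, pvid=True)
    cfg.add_port(10, 7)                  # trunk: tagged member of both VLANs
    cfg.add_port(20, 7)
    return cfg


if __name__ == "__main__":
    cfg = example_config()
    for vid, entry in cfg.table_entries().items():
        print(f"VLAN {vid:4d}: entry=0x{entry:08x}")
    print(cfg.forward(0))             # untagged from port 0 -> VLAN 10
    print(cfg.forward(7, vid=20))     # tagged VLAN 20 from the trunk
    print(cfg.forward(0, vid=20))     # VLAN 20 tag on an access port -> dropped
    print(cfg.forward(7))             # untagged on the trunk -> PVID 1, unconfigured -> dropped
```

The last two calls are the cases worth checking when you write a config for the patch tool: a tag the ingress port is not a member of is dropped, and an untagged frame on a trunk port falls back to that port’s PVID, which in this layout is a VLAN nobody configured, so it is dropped too.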


So much about the part that is working well enough that it might be of use to someone, now about the bits and pieces.

The presence of firmware in the flash image piqued my interest for two reasons:

  • I was initially having problems getting my register customizations to work. I suspected that the firmware might be incorrectly taking over/interfering with the programming process.
  • According to the datasheet, while mainly meant for power-saving control, the 8051 core can also access the switch’s datapath, which might allow one to implement features such as LLDP or even proper STP, which are sorely missing on these dumb switches.

I found some register-level documentation for the 8051 side that was for the most part rather confusing, but did not manage to find the SDK or anything else to validate the guesses I made from the documentation, so I had to reverse-engineer much of the firmware present in the flash. In the end, I managed to write an emulator that could run the firmware and that emulated enough of the peripherals to show some signs of life. Alas, the memory model of the 8051, combined with extensive bank switching, makes reverse-engineering this firmware a little tedious. I got fed up before figuring out whether the firmware fiddles around with the config parsing (it does however indeed touch the switch registers) or how to send packets, so I dropped the ball on this at some point.
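As an added example of the first steps of that reverse-engineering (this is my own triage script, not the post’s emulator and not any Broadcom tooling), the following decodes the start of the flash image: the 8051 reset vector at offset 0, the C-runtime style startup it jumps to, and the run of "MOV DPTR / LJMP" stubs that follows. The bytes are transcribed from the hexdump earlier in the post (offsets 0x000 to 0x11f only); the opcode subset in the decoder is standard MCS-51 encoding.

```python
"""Triage of the GS108 SPI flash dump: reset vector, startup code, thunk table.

Added example, not the post's tooling. FLASH_HEAD is transcribed from the
hexdump in the post (first 0x120 bytes); nothing beyond that is reproduced.
"""
import hashlib

FLASH_HEAD = bytes.fromhex(
    "0200efe47fe87e03fdfc2202291f7f08"   # 0x000
    "0201360228f390ffff120894edf090ff"   # 0x010
    "fd120894ebf0a3eaf0a3e9f090ffff12"   # 0x020
    "0894852283852382a3e0fba3e0faa3e0"   # 0x030
    "f94a60031201129000041208b8e07008"   # 0x040
    "7bff7a2579bb80229000041208b8e0b4"   # 0x050
    "01087bff7a2579c380109000041208b8"   # 0x060
    "e0b402097bff7a2579cb12011212012a"   # 0x070
    "852283852382eff0e0ff640a6004efb4"   # 0x080
    "0d169000041208b8e0fe7003ff804aee"   # 0x090
    "6401708e7f018041852283852382e0b4"   # 0x0a0
    "1b081204727f0d1201367f0a12013685"   # 0x0b0
    "2283852382e0ff64596004efb479047f"   # 0x0c0
    "018016852283852382e0ff644e6008ef"   # 0x0d0
    "646e60030200327f0090000502089478"   # 0x0e0
    "7fe4f6d8fd7522a0752300758152121d"   # 0x0f0
    "0a02263da558901d9e021d00901f7802"   # 0x100
    "054a9027a102054a9027dd02054a9024"   # 0x110
)

SFR_NAMES = {0x81: "SP", 0x82: "DPL", 0x83: "DPH", 0xD0: "PSW", 0xE0: "ACC"}
ONE_BYTE = {0x22: "RET", 0xA3: "INC DPTR", 0xE0: "MOVX A,@DPTR", 0xE4: "CLR A",
            0xF0: "MOVX @DPTR,A", 0xF6: "MOV @R0,A", 0xF7: "MOV @R1,A"}


def reset_vector(img):
    """8051 execution starts at 0; the first instruction here is an LJMP."""
    return int.from_bytes(img[1:3], "big") if img[0] == 0x02 else None


def disasm(img, addr, count):
    """Decode `count` instructions from `addr` (small MCS-51 subset); [(addr, text)]."""
    out, pc = [], addr
    for _ in range(count):
        op = img[pc]
        if op in (0x02, 0x12):                          # LJMP / LCALL addr16
            target = int.from_bytes(img[pc + 1:pc + 3], "big")
            text, size = f"{'LJMP' if op == 0x02 else 'LCALL'} 0x{target:04X}", 3
        elif op == 0x90:                                # MOV DPTR,#imm16
            text, size = f"MOV DPTR,#0x{int.from_bytes(img[pc + 1:pc + 3], 'big'):04X}", 3
        elif op == 0x75:                                # MOV direct,#imm8
            direct = SFR_NAMES.get(img[pc + 1], f"0x{img[pc + 1]:02X}")
            text, size = f"MOV {direct},#0x{img[pc + 2]:02X}", 3
        elif 0x78 <= op <= 0x7F:                        # MOV Rn,#imm8
            text, size = f"MOV R{op - 0x78},#0x{img[pc + 1]:02X}", 2
        elif 0xD8 <= op <= 0xDF:                        # DJNZ Rn,rel (relative to next insn)
            rel = int.from_bytes(img[pc + 1:pc + 2], "big", signed=True)
            text, size = f"DJNZ R{op - 0xD8},0x{(pc + 2 + rel) & 0xFFFF:04X}", 2
        elif op == 0x80:                                # SJMP rel
            rel = int.from_bytes(img[pc + 1:pc + 2], "big", signed=True)
            text, size = f"SJMP 0x{(pc + 2 + rel) & 0xFFFF:04X}", 2
        elif op in ONE_BYTE:
            text, size = ONE_BYTE[op], 1
        else:
            text, size = f"DB 0x{op:02X}", 1            # not decoded by this subset
        out.append((pc, text))
        pc += size
    return out


def thunk_table(img, start):
    """Collect consecutive 'MOV DPTR,#x ; LJMP y' stubs; returns [(dptr, target)]."""
    entries, pc = [], start
    while pc + 6 <= len(img) and img[pc] == 0x90 and img[pc + 3] == 0x02:
        entries.append((int.from_bytes(img[pc + 1:pc + 3], "big"),
                        int.from_bytes(img[pc + 4:pc + 6], "big")))
        pc += 6
    return entries


def sha1_hex(img):
    """Pin the exact image you analysed (or patched) before flashing anything."""
    return hashlib.sha1(img).hexdigest()


if __name__ == "__main__":
    start = reset_vector(FLASH_HEAD)
    print(f"reset vector -> 0x{start:04X}, sha1 of prefix {sha1_hex(FLASH_HEAD)}")
    for a, t in disasm(FLASH_HEAD, start, 9):
        print(f"  {a:04X}: {t}")
    for dptr, target in thunk_table(FLASH_HEAD, 0x106):
        print(f"  stub: DPTR=0x{dptr:04X} -> 0x{target:04X}")
```

What this shows: the reset vector lands at 0x00EF on a textbook startup (clear IDATA from 0x7F downwards, set SP, call an init routine, jump to main), and from 0x106 onwards the image is a table of stubs that load DPTR with one value and jump to one of very few targets. That shape is consistent with the heavy use of ROM calls and bank switching the post describes, and it is the kind of landmark you want before feeding the image to an emulator.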

My memory is a little hazy here, but I’ll write down some of the interesting high-level points I remember, just in case someone is interested:

  • The chip supports a kind of XIP with caching where it copies a chunk of memory from the flash to an invisible internal buffer when starting to execute a given region. This is being used here.
  • There is a ROM in the ASIC and the firmware calls code from there extensively. This means I also had to dump the internal ROM (done by bit-banging it out through GPIOs with a piece of custom firmware).
  • The internal ROM contains an RTOS and a complete CLI for interacting with the ASIC in a number of ways. The UART interface is not documented anywhere, but it is accessed via the standard 8051 UART SFRs. I have no idea how to electrically interface with the UART on an actual chip, though. Update: I just found a reference design where pins 69 and 70 are broken out to a pin header labelled “for debug only”. As expected, those turn out to be TX and RX, respectively. (9600 baud, 8N1. However, note this seems to change to ~16000 baud when no Ethernet link is detected.)

If you have done similar research or want to continue down this path, please do hit me up!