G33K @ Work | Basteleien eines Geeks



Feb/10

2

Switch Hacking

Last week I stumbled upon tmbinc’s blog entry series “What’s inside”.
This one was especially interesting to me since I always wanted to buy a GBit switch (I never had one until today, really ;) ).

I ordered this switch (a TP-Link TL-SG1008D) for just about 30€ including shipping and today I got my package. I opened it, checked if the switch works and voided the warranty.
After opening the device it was clear that I got some other hardware compared to tmbinc. I don’t have this monster heat sink on top of a BGA chip. Instead there are two smaller LQFP-Chips with one heat sink each.

A closer look at my and tmbinc’s images reveals that my switch is actually revision 1.1 and tmbinc’s is revision 2.0.

I tried to remove the heat sinks with pliers but I didn’t want to damage my new toy.
Also, I wanted to know how warm these chips get while using the device, so I took some ethernet cables, made some loops and inserted one cable into the ethernet jack of my laptop. As soon as Mac OS detected an active connection it broadcast at least one packet onto the line that was looping happily from one switch port to the next ;)
I let this thing run for about 10 minutes and the chips didn’t get very warm. I hoped that the glue would get a bit less sticky due to the heat, but there was just no heat. Seems that the heat sinks did a good job there. ;) So I tried the exact opposite and put this thing into my freezer for a few minutes. After it got cooled down a few degrees I took my pliers and applied some force and look: They came off.

As you can see there are two Realtek chips on this board. The right chip is an RTL8214. The Realtek Website says that this chip is just a quad-port gigabit ethernet transceiver.
The other chip is an RTL8368S. Here the Realtek Website tells us that this chip is actually the switch controller for 8 ports, but it has only 4 transceivers, hence the second transceiver chip. On the pictures you can clearly see some bus between the two ICs.
And look at the features: Per-port ACLs on Layer 2, 3 and 4, VLAN, Spanning Tree, 802.1x, QoS and several statistics counters.
Unfortunately the datasheets for both chips don’t seem to be publicly available.
<rant>I absolutely hate all this NDA crap… Those fscking ethernet chips are no rocket science that needs to be protected in such a way. SRSLY!</rant>

On the upper side of the image above you can see a small IC with part number 24C08, which is an 8KBit I2C EEPROM. I haven’t looked at the contents yet, but I suspect that this EEPROM contains the configuration for the switch controller, but I doubt that the contents will be of any help without a datasheet :(

Some closeups of the chips:

Update: I found some datasheets for several Realtek Chips. There is no datasheet for the RTL8368, but for the RTL8369. It seems that the only difference between those two chips is that the latter doesn’t have any transceivers on-die, but only some SGMII ports for all 8 Ethernet ports. I think I’m going to dump the EEPROM and try to get some information out of it with the 8369 datasheet.


4 comments for Switch Hacking

Tarek | 26 March 2010 at 07:39

Hi, I tried to get to your ftp server to take a look at your datasheets.
It seems that you have shut it down or something.

Could you either send it to me or get your ftp server back online?

Author comment by Andy | 26 March 2010 at 07:43

This is not my FTP-Server. I just found it digging around the net with various Google search queries.

A quick Google search would have revealed to you that this datasheet is freely available from Realtek.
Unfortunately, it seems that the described EEPROM configuration in this datasheet is not compatible with the RTL8368 as a colleague of mine found out through reading out the chip and comparing its contents with the datasheet of the 8369 chip.

But, if you make any progress on that, I would love to hear from you again. ;)

Bebert | 27 July 2010 at 19:44

Here is my dump for the TL-SG1008D but I don’t talk the Hexa language. I dumped the rom with my arduino and a step-by-step guide. Now I don’t know what to do ;)

http://pastebin.ca/1909504

nrkxpnta | 4 April 2013 at 20:27

I found some C drivers here (/trunk/switch/switch/rtl8368):
http://code.google.com/p/kakaxi-project/source/detail?r=9
