Close

Digging Deeper

A project log for Quanta LB9A Analysis

Breaking into and analyzing an old Quanta switch

Connor HuffineConnor Huffine 06/02/2020 at 17:000 Comments

Partly because I like the latest version of things and partly because I want more experience with it, I think I'm going to attempt to upgrade U-Boot on this box.

I extracted the dts from a dtb I found online, for the Pronto 3290 (a renamed version of the same hardware):

/dts-v1/;

/ {
    model = "MPC8541CDS";
    compatible = "MPC8541CDS\0MPC85xxCDS";
    #address-cells = < 0x01 >;
    #size-cells = < 0x01 >;

    aliases {
        ethernet0 = "/soc8541@e0000000/ethernet@24000";
        ethernet1 = "/soc8541@e0000000/ethernet@25000";
        serial0 = "/soc8541@e0000000/serial@4500";
        serial1 = "/soc8541@e0000000/serial@4600";
        pci0 = "/pci@e0008000";
    };

    cpus {
        #address-cells = < 0x01 >;
        #size-cells = < 0x00 >;

        PowerPC,8541@0 {
            device_type = "cpu";
            reg = < 0x00 >;
            d-cache-line-size = < 0x20 >;
            i-cache-line-size = < 0x20 >;
            d-cache-size = < 0x8000 >;
            i-cache-size = < 0x8000 >;
            timebase-frequency = < 0x00 >;
            bus-frequency = < 0x00 >;
            clock-frequency = < 0x00 >;
            next-level-cache = < 0x01 >;
        };
    };

    memory {
        device_type = "memory";
        reg = < 0x00 0x20000000 >;
    };

    soc8541@e0000000 {
        #address-cells = < 0x01 >;
        #size-cells = < 0x01 >;
        device_type = "soc";
        compatible = "simple-bus";
        ranges = < 0x00 0xe0000000 0x100000 >;
        reg = < 0xe0000000 0x1000 >;
        bus-frequency = < 0x00 >;

        memory-controller@2000 {
            compatible = "fsl,8541-memory-controller";
            reg = < 0x2000 0x1000 >;
            interrupt-parent = < 0x02 >;
            interrupts = < 0x12 0x02 >;
        };

        l2-cache-controller@20000 {
            compatible = "fsl,8541-l2-cache-controller";
            reg = < 0x20000 0x1000 >;
            cache-line-size = < 0x20 >;
            cache-size = < 0x40000 >;
            interrupt-parent = < 0x02 >;
            interrupts = < 0x10 0x02 >;
            linux,phandle = < 0x01 >;
        };

        i2c@3000 {
            #address-cells = < 0x01 >;
            #size-cells = < 0x00 >;
            cell-index = < 0x00 >;
            compatible = "fsl-i2c";
            reg = < 0x3000 0x100 >;
            interrupts = < 0x2b 0x02 >;
            interrupt-parent = < 0x02 >;
            dfsrr;
        };

        dma@21300 {
            #address-cells = < 0x01 >;
            #size-cells = < 0x01 >;
            compatible = "fsl,mpc8541-dma\0fsl,eloplus-dma";
            reg = < 0x21300 0x04 >;
            ranges = < 0x00 0x21100 0x200 >;
            cell-index = < 0x00 >;

            dma-channel@0 {
                compatible = "fsl,mpc8541-dma-channel\0fsl,eloplus-dma-channel";
                reg = < 0x00 0x80 >;
                cell-index = < 0x00 >;
                interrupt-parent = < 0x02 >;
                interrupts = < 0x14 0x02 >;
            };

            dma-channel@80 {
                compatible = "fsl,mpc8541-dma-channel\0fsl,eloplus-dma-channel";
                reg = < 0x80 0x80 >;
                cell-index = < 0x01 >;
                interrupt-parent = < 0x02 >;
                interrupts = < 0x15 0x02 >;
            };

            dma-channel@100 {
                compatible = "fsl,mpc8541-dma-channel\0fsl,eloplus-dma-channel";
                reg = < 0x100 0x80 >;
                cell-index = < 0x02 >;
                interrupt-parent = < 0x02 >;
                interrupts = < 0x16 0x02 >;
            };

            dma-channel@180 {
                compatible = "fsl,mpc8541-dma-channel\0fsl,eloplus-dma-channel";
                reg = < 0x180 0x80 >;
                cell-index = < 0x03 >;
                interrupt-parent = < 0x02 >;
                interrupts = < 0x17 0x02 >;
            };
        };

        mdio@24520 {
            #address-cells = < 0x01 >;
            #size-cells = < 0x00 >;
            compatible = "fsl,gianfar-mdio";
            reg = < 0x24520 0x20 >;

            ethernet-phy@0 {
                reg = < 0x01 >;
                device_type = "ethernet-phy";
                linux,phandle = < 0x03 >;
            };

            ethernet-phy@1 {
                reg = < 0x02 >;
                device_type = "ethernet-phy";
                linux,phandle = < 0x04 >;
            };
        };

        ethernet@24000 {
            cell-index = < 0x00 >;
            device_type = "network";
            model = "TSEC";
            compatible = "gianfar";
            reg = < 0x24000 0x1000 >;
            local-mac-address = [ 00 00 00 00 00 00 ];
            interrupts = < 0x1d 0x02 0x1e 0x02 0x22 0x02 >;
            interrupt-parent = < 0x02 >;
            phy-handle = < 0x03 >;
        };

        ethernet@25000 {
            cell-index = < 0x01 >;
            device_type = "network";
            model = "TSEC";
            compatible = "gianfar";
            reg = < 0x25000 0x1000 >;
            local-mac-address = [ 00 00 00 00 00 00 ];
            interrupts = < 0x23 0x02 0x24 0x02 0x28 0x02 >;
            interrupt-parent = < 0x02 >;
            phy-handle = < 0x04 >;
        };

        serial@4500 {
            cell-index = < 0x00 >;
            device_type = "serial";
            compatible = "ns16550";
            reg = < 0x4500 0x100 >;
            clock-frequency = < 0x00 >;
            interrupts = < 0x2a 0x02 >;
            interrupt-parent = < 0x02 >;
        };

        serial@4600 {
            cell-index = < 0x01 >;
            device_type = "serial";
            compatible = "ns16550";
            reg = < 0x4600 0x100 >;
            clock-frequency = < 0x00 >;
            interrupts = < 0x2a 0x02 >;
            interrupt-parent = < 0x02 >;
        };

        crypto@30000 {
            compatible = "fsl,sec2.0";
            reg = < 0x30000 0x10000 >;
            interrupts = < 0x2d 0x02 >;
            interrupt-parent = < 0x02 >;
            fsl,num-channels = < 0x04 >;
            fsl,channel-fifo-len = < 0x18 >;
            fsl,exec-units-mask = < 0x7e >;
            fsl,descriptor-types-mask = < 0x1010ebf >;
        };

        pic@40000 {
            interrupt-controller;
            #address-cells = < 0x00 >;
            #interrupt-cells = < 0x02 >;
            reg = < 0x40000 0x40000 >;
            compatible = "chrp,open-pic";
            device_type = "open-pic";
            linux,phandle = < 0x02 >;
        };

        cpm@919c0 {
            #address-cells = < 0x01 >;
            #size-cells = < 0x01 >;
            compatible = "fsl,mpc8541-cpm\0fsl,cpm2";
            reg = < 0x919c0 0x30 >;
            ranges;

            muram@80000 {
                #address-cells = < 0x01 >;
                #size-cells = < 0x01 >;
                ranges = < 0x00 0x80000 0x10000 >;

                data@0 {
                    compatible = "fsl,cpm-muram-data";
                    reg = < 0x00 0x2000 0x9000 0x1000 >;
                };
            };

            brg@919f0 {
                compatible = "fsl,mpc8541-brg\0fsl,cpm2-brg\0fsl,cpm-brg";
                reg = < 0x919f0 0x10 0x915f0 0x10 >;
            };

            pic@90c00 {
                interrupt-controller;
                #address-cells = < 0x00 >;
                #interrupt-cells = < 0x02 >;
                interrupts = < 0x2e 0x02 >;
                interrupt-parent = < 0x02 >;
                reg = < 0x90c00 0x80 >;
                compatible = "fsl,mpc8541-cpm-pic\0fsl,cpm2-pic";
            };
        };
    };

    pci@e0008000 {
        cell-index = < 0x00 >;
        interrupt-map-mask = < 0x1f800 0x00 0x00 0x07 >;
        interrupt-map = < 0x9000 0x00 0x00 0x01 0x02 0x03 0x01 >;
        interrupt-parent = < 0x02 >;
        interrupts = < 0x18 0x02 >;
        bus-range = < 0x00 0x00 >;
        ranges = < 0x2000000 0x00 0x80000000 0x80000000 0x00 0x20000000 0x1000000 0x00 0x00 0xe2000000 0x00 0x100000 >;
        clock-frequency = < 0x3f940aa >;
        #interrupt-cells = < 0x01 >;
        #size-cells = < 0x02 >;
        #address-cells = < 0x03 >;
        reg = < 0xe0008000 0x1000 >;
        compatible = "fsl,mpc8540-pci";
        device_type = "pci";
    };

    localbus@f0010100 {
        #address-cells = < 0x02 >;
        #size-cells = < 0x01 >;
        compatible = "fsl,mpc8541-localbus\0fsl,pq2-localbus\0simple-bus";
        reg = < 0xf0010100 0x40 >;
        ranges = < 0x00 0x00 0xfe000000 0x2000000 0x01 0x00 0xf0000000 0x20000 0x02 0x00 0xf0010000 0x10000 0x03 0x00 0xf2000000 0x100000 0x04 0x00 0xe0000000 0x02 >;

        cfcard@1 {
            compatible = "qci-ide";
            device_type = "ide";
            reg = < 0x01 0x00 0x20000 0x04 0x00 0x100000 >;
            ioport_shift = < 0x01 >;
            reg-shift = < 0x01 >;
            #interrupt-cells = < 0x01 >;
            interrupts = < 0x02 0x02 >;
            interrupt-parent = < 0x02 >;
        };
    };
}; 

Scanning the /proc/device-tree on the running switch yields 

# ls -R /proc/device-tree/                                                                                                         
/proc/device-tree/:                                                                                                                
#address-cells    chosen            linux,phandle     name                                                                         
#size-cells       compatible        memory            soc8541@e0000000                                                             
aliases           cpus              model                                                                                          
                                                                                                                                   
/proc/device-tree/aliases:                                                                                                         
name     serial0  serial1                                                                                                          
                                                                                                                                   
/proc/device-tree/chosen:                                                                                                          
bootargs            linux,initrd-start  name                                                                                       
linux,initrd-end    linux,stdout-path                                                                                              
                                                                                                                                   
/proc/device-tree/cpus:                                                                                                            
#address-cells  #size-cells     name                                                                                               
#cpus           PowerPC,8541@0                                                                                                     
                                                                                                                                   
/proc/device-tree/cpus/PowerPC,8541@0:                                                                                             
32-bit              device_type         reg                                                                                        
bus-frequency       linux,phandle       timebase-frequency                                                                         
clock-frequency     name                                                                                                           
                                                                                                                                   
/proc/device-tree/memory:                                                                                                          
device_type    linux,phandle  name           reg                                                                                   
                                                                                                                                   
/proc/device-tree/soc8541@e0000000:                                                                                                
#address-cells    ethernet@24000    name              serial@4500                                                                  
#interrupt-cells  ethernet@25000    pci@8000          serial@4600                                                                  
#size-cells       i2c@3000          pic@40000                                                                                      
bus-frequency     linux,phandle     ranges                                                                                         
device_type       mdio@24520        reg                                                                                            
                                                                                                                                   
/proc/device-tree/soc8541@e0000000/ethernet@24000:                                                                                 
#address-cells     device_type        linux,phandle      name                                                                      
#size-cells        interrupt-parent   local-mac-address  phy-handle                                                                
compatible         interrupts         model              reg                                                                       
                                                                                                                                   
/proc/device-tree/soc8541@e0000000/ethernet@25000:                                                                                 
#address-cells     device_type        linux,phandle      name                                                                      
#size-cells        interrupt-parent   local-mac-address  phy-handle                                                                
compatible         interrupts         model              reg                                                                       
                                                                                                                                   
/proc/device-tree/soc8541@e0000000/i2c@3000:                                                                                       
compatible        dfsrr             interrupts        name                                                                         
device_type       interrupt-parent  linux,phandle     reg                                                                          
                                                                                                                                   
/proc/device-tree/soc8541@e0000000/mdio@24520:                                                                                     
#address-cells  device_type     linux,phandle                                                                                      
#size-cells     ethernet-phy@1  name                                                                                               
compatible      ethernet-phy@2  reg                                                                                                
                                                                                                                                   
/proc/device-tree/soc8541@e0000000/mdio@24520/ethernet-phy@1:                                                                      
device_type    linux,phandle  name           reg                                                                                   
                                                                                                                                   
/proc/device-tree/soc8541@e0000000/mdio@24520/ethernet-phy@2:                                                                      
device_type    linux,phandle  name           reg                                                                                   
                                                                                                                                   
/proc/device-tree/soc8541@e0000000/pci@8000:                                                                                       
#address-cells      compatible          interrupts                                                                                 
#interrupt-cells    device_type         linux,phandle                                                                              
#size-cells         interrupt-map       name                                                                                       
bus-range           interrupt-map-mask  ranges                                                                                     
clock-frequency     interrupt-parent    reg                                                                                        
                                                                                                                                   
/proc/device-tree/soc8541@e0000000/pic@40000:                                                                                      
#address-cells        clock-frequency       linux,phandle                                                                          
#interrupt-cells      compatible            name                                                                                   
big-endian            device_type           reg                                                                                    
built-in              interrupt-controller                                                                                         
                                                                                                                                   
/proc/device-tree/soc8541@e0000000/serial@4500:                                                                                    
clock-frequency   device_type       interrupts        name                                                                         
compatible        interrupt-parent  linux,phandle     reg                                                                          
                                                                                                                                   
/proc/device-tree/soc8541@e0000000/serial@4600:                                                                                    
clock-frequency   device_type       interrupts        name                                                                         
compatible        interrupt-parent  linux,phandle     reg  

 Parsing deeper than this is difficult, as the linux build on the system lacks a lot of essential tools like hexdump that would allow me to read the raw values on the tree. 

Of specific note is the root node /proc/device-tree/compatible, which is LB4M.

It's possible this system is running a contorted LB4M firmware, but everywhere else it identifies as a LB9A. It would also be a very odd change, since the LB4M apparently ran a VXWorks kernel under the hood, with a few hardware differences as well. One quirk supports the possibility; when booting I get an error relating to connecting the Ethernet PHY and the two front panel OOB management ports don't work. I can ping out on them in U-Boot, so I know the hardware is good. 

This software is definitely not stock, as it has overwritten the default recovery tools as well. I almost want to buy another of these switches from another vendor to see if I can get a different draw on firmware.

Discussions