Barracuda 310 NICs
-
If this was a web filter (likely a transparent one) then these are probably bypass NICs. You could test that by seeing if you can get a connection through any of them (like a switch) while the system is off.
-
This looks like fun. :)
Is that standard or some prototype? Seems a bit crude having wires soldered directly on the back of the parallel port.
Where do the other connections I can see go to?
The four other wires on the parallel port, red-yellow-green-black.
The two sets of red-orange-yellow-green wires on the daughter board.
The connector on the daughter board, J8, is that where the blue-black wire connects?It almost certainly has some watchdog running which is why is stays connected for 5 seconds after you plug in the 2 wire connection.
What pins on the parallel port are six wires soldered to? It looks like pins 10-5 but I am looking upside down and from the back! If that's true then all except the left most (in the photo) black wire are connected to data output pins which would make sense.
Have Barracuda customised the BIOS at all? They could have put in some code there to control the initial by-pass behaviour. Are there any by-pass control options in the Barracuda OS?
Do you have voltmeter? You may need to boot the Barracuda OS and measure what it's doing to the parallel port.
The box appears to have at least 3 LEDs on the front panel which are software controlled and two buttons. One of those may be 'read' by the parallel port but they could also both be using standard motherboard connections, reset and power on.
Steve
-
Reading some datasheets it seems a bit vague but there appears to be an 'operating mode' that is in Basic, IP settings (or maybe advanced depending on firmware). You can select Active, Soft Bypass or Hard Bypass. If you connect via the rear ethernet port you can select these options and test the parallel port to see what it's doing. It should be relatively easy to replicate the output in pfSense. If you can't do that we could just guess. ;)
Steve
-
This looks like fun. :)
Is that standard or some prototype? Seems a bit crude having wires soldered directly on the back of the parallel port.
I believe that this unit should be production. I have pulled this from one of my customers and they've had it for about 4 years. But agreed on the crudeness of the soldering.Where do the other connections I can see go to?
Heres another picture of just the "ethernet contraption". The two sets of 4 pins (J4/J5) go to the respective ethernet PCI boards. The blue cables are CAY6 in what looks like TIA586A standard. They too go to the PCI boards. J7 is a standard floppy power port. J8 goes to the Parallel port. Pin 4 of J8 is the black wire and Pin 3 is the blue wire. On the parallel port side, the blue is connected to pin 5 and the black to pin 6. Also, the one chip that this seems to go to is an NXD HEF4538BP.The four other wires on the parallel port, red-yellow-green-black.
These go to the LED's on the front panel. From http://onebadpixel.com/blog/2014/03/23/repurposing-the-barracuda-bsf-300a-spam-firewall/ this post, it looks like they're just power pins…The two sets of red-orange-yellow-green wires on the daughter board.
The two sets of 4 pins (J4/J5) go to the respective ethernet PCI boards. I believe they are also the LED control pins for the RJ45's. Although not sure.The connector on the daughter board, J8, is that where the blue-black wire connects?
Yes, that is correct. Out of the 4 pins, only pin 3 and 4 are connected, the other 2 cables are snipped.It almost certainly has some watchdog running which is why is stays connected for 5 seconds after you plug in the 2 wire connection.
What pins on the parallel port are six wires soldered to? It looks like pins 10-5 but I am looking upside down and from the back! If that's true then all except the left most (in the photo) black wire are connected to data output pins which would make sense.
Yes you are correct on that. The blue is connected to pin 5 and the black to pin 6, then the other ones are on 7-10.Have Barracuda customised the BIOS at all? They could have put in some code there to control the initial by-pass behaviour. Are there any by-pass control options in the Barracuda OS?
The box does have a Barracuda splash screen and password on the bios, so I believe they have. When the box just powers up, you can hear the relays click on, wait 5, click off. Then, when the stock Barracuda OS boots, they click on and stay on. Once the shutdown command is issued, about 30 sec into the powerdown cycle you can hear them click off again. Not sure about the bypass control. When in the OS over the VGA port, there are only options to configure the IP address and restore.Do you have voltmeter? You may need to boot the Barracuda OS and measure what it's doing to the parallel port.
I do have a voltmeter. I wasn't sure where to stick the prongs as I didn't want to burn out the port and kill the box. Would you be able to tell me what pins to measure? I'm not sure whether pin 6 is the ground or not…The box appears to have at least 3 LEDs on the front panel which are software controlled and two buttons. One of those may be 'read' by the parallel port but they could also both be using standard motherboard connections, reset and power on.
The bigger harness from the front panel has the Power button, power LED, reset button and HDD led. The other ones are the custom LED's that Barracuda has put in.Steve
-
Reading some datasheets it seems a bit vague but there appears to be an 'operating mode' that is in Basic, IP settings (or maybe advanced depending on firmware). You can select Active, Soft Bypass or Hard Bypass. If you connect via the rear ethernet port you can select these options and test the parallel port to see what it's doing. It should be relatively easy to replicate the output in pfSense. If you can't do that we could just guess. ;)
Steve
Sorry just saw this after I posted my reply. I can go into the system through the front ports but only when the cuda is booted up in the original OS. I'll boot it up and see if I can find that mode.
-
I think you're right about the NIC LEDs being on J4/5.
That chip appears to be a 'Dual precision monostable multivibrator'. More research needed! I was expecting a timer of some sort and perhaps that can be configured as such. Your decription of how it functions indicates a timer. Here's what I would think happens. In 'Active' mode the box sends a signal every, say, 4 seconds that resets the timer such that it never reaches it's trigger point. If the box fails completely or the OS crashes it stops sending the pulses and the by-pass is triggered. In 'Hard Bypass' mode the box may have to set the bypass manually.
Both pins 5 and 6 are outputs so they could be doing different things. It's possible that one goes low and the other goes high to indicate the action would ever that might be. Anyway it should be fairly easy to measure it or discover it experimentally.
You are looking for 5V DC signal levels. Neither of those pins in ground, pins 18-25 are all ground but you can probably just use the metal chassis. Test between the case and pin 5 and then pin 6 in various modes if you can. Bare in mind that it might only signal every 5 seconds so test for at least that long.That site you linked to describes exactly what I had in mind. The fact that they used the parallel port for this may seem crude but it makes it very much easier for us. ;)
The reset button appears to have a number of functions it can perform depending on how long you hold it down for. Are you sure it's not connected to the parallel port?
Steve
-
Yeah I am not too sure what that Dual Precision thing is… But it may just be there for looks :) It could also be the relays that are time or relay for that matter as out of the 4 of them, it only sounds like 1 is doing something.
I've put a multimeter (set at 6V) on the pins and here are the results:
Pin 5 (blue) - Upon power, spikes to about 0.83V then drops immediately while posting. Then bounces around 0.02-0.03 after post and during Barracuda boot. Once the OS is fully booted, the pin jumps to 0.83V.
Pin 6 (black) - Constantly stays at 0V and once the OS is booted, goes up to 0.03V
Pin 7 - 1.18V constant
Pin 8 - 1.18V constant
Pin 9 - 1.18V
Pin 10 - 0.83V <-This one you were right on. It is the reset button, as when I take the multimeter off this pin, the system says rebooting, please wait... and reboots.Also, as for the modes, on my system I only have Active and Audit. They apparently only change how the filtration happens. I've also looked in the BIOS, and the Parallel Port Mode is Normal and the Address is 378.
Hope that helps!
Thanks again Steve.
Max
-
So it looks to me like pin 5 is our likely suspect. Even if it's not there's only two pins to choose from and two states on each so 4 possible tests. Since you didn't see it pulse at all I have to assume there's no proper watchdog action and that the software simply sets it to non bypass mode unless the box power fails. That does mean that if the OS crashed it wouldn't go back to bypass mode yet the timer seems to suggest it could. :-\ Maybe it was planned and never implemented for some reason. The whole thing looks like a bit of an afterthought. ::)
Ok so the box has 3 NICs yes so you can access pfSense via the rear NIC?
So whilst testing the hardware in the Watchguard boxes I 'wrote' (borrowed mostly!) two small programs to read and write directly the input output space. Download them to your box when it's running pfSense like so:
[2.2-BETA][root@pfSense.localdomain]/root: fetch -o /tmp https://sites.google.com/site/pfsensefirebox/home/readio /tmp/readio 100% of 6207 B 5193 kBps 00m00s [2.2-BETA][root@pfSense.localdomain]/root: fetch -o /tmp https://sites.google.com/site/pfsensefirebox/home/writeio /tmp/writeio 100% of 6136 B 5532 kBps 00m00s
Then change the permissions on the files:
[2.2-BETA][root@pfSense.localdomain]/root: cd /tmp [2.2-BETA][root@pfSense.localdomain]/tmp: chmod 0755 readio [2.2-BETA][root@pfSense.localdomain]/tmp: chmod 0755 writeio
Now you can use those to integrate the parallel port and change it. There almost no error checking in those and they can write to anywhere. So be careful! Since we have put them in /tmp they will be lost if you reboot.
The parallel port is at 0x378 as you said but it actually spans 3 registers, see: http://en.wikipedia.org/wiki/Parallel_port#Port_addresses
Pins 5 and 6 are on the base address, 0x378, on bits 3 and 4. So:[2.2-BETA][root@pfSense.localdomain]/tmp: ./readio 0x378 Reading 378 :37
So on my box I see 37. This is actually a hexidecimal number representing an 8bit register.
3= 0011 and 7=0111 so the register is reading 00110111. The bits are numbered 0-7 with 7 being the most significant bit (furthest left) so on my box bit 3 is 0 and bit 4 is 1. That means pin 5 is low.To set pin 5 high we change bit 3 to 1. So the register reads 0011111 which is in hex 0x3f. To write that back we can use writeio:
[2.2-BETA][root@pfSense.localdomain]/tmp: ./writeio 0x378 0x3f Setting 378 to 3f
At that point you hopefully hear relays click and have access to the front ports. :)
Obviously you'll have to use whatever values your parallel port registers are set to.
Steve
-
You, kind sir, are a genius! That has worked to a T! :) Really appreciate your help with this.
Now I maybe "overstaying my welcome", but I have seen your Watchguard posts and looks like you have written a script to get an activity light on the LED's. Would it be possible on the cuda as well? Right now I have 2 LED's (Traffic and "Spyware Download") out of the 3 that are always on and might look neater if they were activity lights of sort… :D
Also, the LED in the left hand corner (red) turns off as soon as the NIC board gets enabled with the 0x3f command.
-
Thanks for saying so but really I'm no genius. The only reason I know any of this is because it's so similar to what we did on the Watchguard box and that took me days, weeks even when I first did it. ;)
Anyway controlling the LEDs will probably be easy. Are the wires to the front panel connected directly to the LEDs are via some logic chip?
Perhaps I didn't make this clear but the values I read from my box are very unlikely (but not impossible!) to be the same as on your box. You need to read the 0x378 register first and then modify it and write it back. Did your box coincidentally return '37' also?
Being able to read the reset button would require a lot more effort so lets ignore that, at least for now.
So we have the 5 output lines:
| Pin | Bit in 0x378 | Function |
| 5 | 3 | Enable NIC Bypass relays. 1=bypass disabled |
| 6 | 4 | ? |
| 7 | 5 | Red LED? |
| 8 | 6 | Yellow LED ? |
| 9 | 7 | Green LED ? |This assumes the connections are the same as in the spam filter references in the blog post above which seems reasonable.
You wrote 0x3f, 00111111 and that switched the NICs and turned off the red LED. The other LEDs remain on? That implies an inverted logic which is common. One side on the LED is supplied with ~3V and you switch it on by pulling the other side to 0V, logic low.
If you write out 0xff all the leds should turn off.
There's a problem here though because you wrote both bits 3 and 4 to high we don't actually know which pin is switching the NIC relays.
Reboot the box and read in the initial value at 0x378. You'll have to re-fetch the two programs.
Steve
-
Hey Steve,
Sorry work has got in the way over the last few. I have read the IO port without doing amy writing and I get back a zero '0' with no modifications.
You are correct. The parallel port wires go into some sort of a board, where the LED's are soldered on to.
-
No problem. So we need to narrow down which pins do what by writing to one bit at a time.
First try just pin 5 to make sure the relays are controlled by that. Try:./writeio 0x378 0x08
If that's true then we can leave that connected and try the leds.
Try setting pin 9 to high:./writeio 0x378 0x88
and pin 8:
./writeio 0x378 0x48
and pin 7:
./writeio 0x378 0x28
Did any of that do anything useful? :)
Steve
-
Yes, that has actually worked well. :D So to start with, when the cuda boots up, I have (looking from left to right) LED 1,2,3 ON, HDD blinks (as it should) and Power solid.
When I issue:
./writeio 0x378 0x08
Relays click and the front ports come on. LED 1,2,3 are all on as per boot.
./writeio 0x378 0x88
LED 3 turns off.
./writeio 0x378 0x48
LED 2 turns off and LED 3 turns on
./writeio 0x378 0x28
LED 1 Turns off and LED 2 turns on.
Hope that helps. Thanks again.
M
-
Ok, that's what we expected, great. :)
Still don't know what pin 6 does though. I would guess it's for 'patting the watchdog' if it's used. Probably not important here.
I'll try to knock together some code in the morning. We can probably use much of the code given in the linked site above.Steve
-
Ok, that's what we expected, great. :)
Still don't know what pin 6 does though. I would guess it's for 'patting the watchdog' if it's used. Probably not important here.
I'll try to knock together some code in the morning. We can probably use much of the code given in the linked site above.Steve
Awesome, thanks so much! Appreciate the help.
-
Right, try this. See attached files. They have a .png extension because the forum only allows certain types, just remove it. Set the file permissions.
I find it amusing that in his blog post Jim Barstow apologises for his code claiming he's not a C programmer. He's got plenty on me! ;) Any real programmer would cringe at my code but it seems to work. It has limited error checking. It can't do more then one thing at once so if you want to change two LEDs you have to call it twice, for example:./BCHW32 red on ./BCHW32 green off
Let me know if that works at all. I spent some time late last night trying to debug something before I realised that the laptop I was testing on didn't have a parallel port. ::)
Steve
-
I actually have an application that could take advantage of this daughterboard and a Load Balancer 340 coming in the mail sometime in the next 2 weeks. The front nics in the 340 are just plain connectors with no watchdog circuit http://imgur.com/hcsuwTB I would be down to trade my plain board for anyone's board with the relays/watchdog circuit. If you are not good at soldering, just clip the black/blue wire from your parallel port and separate them with electrical tape. I don't want anyone damaging their motherboard! I have enabled forum members to email me, so hit me up. Thanks in advance!
-
Never heard back from Maxpol, maybe my code set fire to his box. ;)
Steve
-
Your code is good, I've basically done exactly the same thing on my own 310 - annoyingly, I was probably working it out myself around the time this thread was happening, I never thought to look on here, despite knowing you (stephen) as a helpful guy from my previous experimentation with a Lanner unit. The Barracuda came up for £1 on eBay about 5 minutes from home, so I figured it was worth a try.
cron410, where are you located? If you're in the US then you're probably out of luck, but if you're located in the UK then I could look into disconnecting my watchdog circuit from my 310 - it's an older revision than the one pictured here (pretty sure mine uses a PATA disk, from memory) but given that Barracuda have written the firmware to apply to all hardware revisions I would imagine that the behaviour is identical to this unit. I'm certainly 99% sure I've used the same values as maxpol did to activate my front ports and de-activate the LEDs (red disappears after bootloader, yellow disappears after fully booted, leaving only the green as a "everything's OK" indicator).
I intend to get pfSense working and pop it back on eBay as a fully-featured average-spec firewall rather than just a web filter but given that I don't really have time to write anything in the UI specifically for toggling the front ports on and off from the web interface, I don't 100% need the NIC module at this point in time.
-
I need your help. I am a victim of purchasing a barracuda 310 and the front NIC's are now working. I followed you procedure and I am getting a funny number back.
I did this : ./readio 0x378
And I am getting back: Reading 378 :0
I changed the parallel port in bios to a different number and ran ./readio and I keep getting back xxx:0
Now I'm not good with numbers but I know 0 means nothing. So I did ./writeio 0x378 0x0 and nothing happen.
Please I hope you get this message or anyone that can help me. I just purchased this off ebay and its a shame I may have to junk it.
Many Thanks!