Any guidance with TippingPoint S10?
-
Looks like it has some sort of network bypass that's getting in the way. It may be possible to disable that with jumpers or in the BIOS if you can get to it. The BIOS is probably accessed via 115200bps and try hitting TAB.
Steve
-
Could you post one or more high-res photos of the inside of the box? That would make it easier to see how it's built and how it's working.
-
Yep. I can find almost no documentation on the box so it's hard to say quite how those NICs are connected. Could be internal switches with mirror ports for the IDS.
Fun. ;)Steve
-
Serial connection to unit was easy. Boot message does not prompt for bios access. I think your on to something regarding "network bypass." When I get home tonight, I will post some high res photos.
-
Unfortunately only 2 mac address are shown in the sticker. I was able to identify 3 pins that could be change/alter. The one on the first picture with "???" in top left corner, I'm not sure what this jumper is for. There are no marking to indicate what is does. One way at the bottom next to CF card is for selecting master/slave. There is one pin next to battery, I'm assuming this is for resetting bios.
Boot Screen
Load End drivers BIOS V1.0.7 Memory Testing : OK ... TippingPoint OS BSP [m10 1.2] Bootloader [20] Creation date: Jul 22 2009, 17:27:19
Control C give the below prompt. I think it already is running from disk and not a bios prompt. You can see I typed the "@" to continue the boot process.
Load End drivers BIOS V1.0.7 Memory Testing : OK ... TippingPoint OS BSP [m10 1.2] Bootloader [20] Creation date: Jul 22 2009, 17:27:19 Press Control-C to stop auto-boot... 2 Type '@' to continue boot, or 'h' for help [VxWorks Boot]: @ boot device : ata=0,0 unit number : 0 processor number : 0 host name : NDS file name : auto flags (f) : 0x0 Attaching to ATA disk device... done. /boot/2.5.5.6994/vxWorks [0c3ca432ffef42a5a746da5469573ac3] Loading /boot/2.5.5.6994/vxWorks....13275344 + 1222576 + 14761892 Starting at 0x108000...
The rest of the boot process from TippingPoint OS
Attaching interface lo0...done Adding 32415 symbols for standalone. Initialize Memory.......................[OK] Add reboot hooks........................[OK] Start CPU Resource Monitoring...........[OK] Initialize System Clock.................[OK] 2015-03-16 05:38:13 [UTC] Set Boot Time...........................[OK] Calculate CPU Speed.....................[OK] 600.104 MHz Identify Host Type......................[OK] n1 Identify HW.............................[OK] A (A-10LF) gei Mount Storage Device....................[OK] Mount File System.......................[OK] /boot/ - Volume is OK /opt/ - Volume is OK /usr/ - Volume is OK /log/ - Volume is OK Initialize IPC..........................[OK] Initialize Paths........................[OK] Read Configuration Files................[OK] Apply Task Environment..................[OK] Apply ATA Environment...................[OK] Apply LCD Environment...................[OK] Create /ramLog..........................[OK] Create /ramTmp..........................[OK] Initialize System Log...................[OK] Initialize License Manager..............[OK] Initialize Update subsystem.............[OK] Create /ramRO...........................[OK] Load RAM Disk...........................[OK] Set Memory Protection...................[OK] 0x3fe8f800 Performing Host/Model Checks............[OK] Software chassis Initialize Network Processor............[OK] Initialize IPM..........................[NOT DETECTED] Read TOS metadata.......................[OK] ver=2.5.5.6994 Read DV metadata........................[OK] ver=2.5.2.7735 Read bootloader metadata................[OK] ver=20 cnt=33 Initialize Audit log....................[OK] Initialize Block Log....................[OK] Initialize Alert Log....................[OK] Initialize SNMP.........................[OK] Initialize Email........................[OK] Initialize Remote Syslog................[OK] Validating Certificate..................[OK] _____ ____ _ |_ _|_ _ __ _ __ _ _ __ __ _| _ \ ___ _ _ __ | |_ | | | | '_ \| '_ \| | '_ \ / _` | |_) / _ \| | '_ \| __| | | | | |_) | |_) | | | | | (_| | __/ (_) | | | | | |_ |_| |_| .__/| .__/|_|_| |_|\__, |_| \___/|_|_| |_|\__| |_| |_| |___/ TippingPoint - Austin, Texas, USA - www.tippingpoint.com TOS Version : 2.5.5.6994 Build Date: Aug 31 2009, 16:35:01 Digital Vaccine : 2.5.2.7735 Serial: U10C-99A2-75BE Hardware Rev : A (A-10LF) Loading........ Login:
-
So you have a load of lan-bypass relays. They are why you can't connect to any port other the management port. You will have to disable those (or enable them perhaps) to be able to use it.
It's curious that you have 4 NIC chips. It's hard to see how those are connected. 1 is the management port and I woulfd guess that 2 are for the by-pass 'segments', maybe the other one was for some 3 segment model. Are you sure that they are all identical chips? The last one is the same under the heat spreader? They show as differently detected in your logs above.If you can't access the bios at all you could try dumping the BIOS with flashrom from pfSense and looking through it for clues.
Steve
-
TP's OS is based upon redhat/fedora Linux (unless they've changed it)…it use to run the stock images and has since been re-skinned for a bit of background. The controllers you have on that box are PC82573L's (http://www.intel.com/content/dam/doc/datasheet/82573-gbe-controllers-datasheet.pdf), as usual they like older controllers. The 82573L controller was first released almost 10-yrs ago. Take a look at (https://downloadcenter.intel.com/download/17509/Network-Adapter-Gigabit-Base-Driver-for-FreeBSD-) for the current version of the drivers, though they were designed for the FreeBSD 9.x kernel.
-
@Patrick_:
TP's OS is based upon redhat/fedora Linux (unless they've changed it)…it use to run the stock images and has since been re-skinned for a bit of background. The controllers you have on that box are PC82573L's (http://www.intel.com/content/dam/doc/datasheet/82573-gbe-controllers-datasheet.pdf), as usual they like older controllers. The 82573L controller was first released almost 10-yrs ago. Take a look at (https://downloadcenter.intel.com/download/17509/Network-Adapter-Gigabit-Base-Driver-for-FreeBSD-) for the current version of the drivers, though they were designed for the FreeBSD 9.x kernel.
According to his serial output, this one is running vxWorks.
The BIOS has no regular interface it seems, probably only NVRAM-controlled as is quite often with vxWorks boxes.Regarding the jumper in the left top corner near the power connector: that looks like it is either wired into a DC-DC circuit, a AD-DA circuit (it's near an analog devices chip) or maybe simply for an optional part that is not installed.
It seems to be x86 based with full BIOS boot, maybe a dmidecode dump (if BSD has that, I know Linux does) would shed some light on what tables are there. ACPI dump would be nice too.
Regarding the escape-to-prompt option: at that stage you are in some sort of bootloader. It's not a BIOS escape prompt at that part. This is quite common, if you press ? instead of @ you should get a bunch of commands that allow for direct manipulation of addresses and their contents.
I'd love to get my hands on one of these, seems like a fun hacking project :p
Edit: I found one on eBay, going to bid on it ^^
Looks like these TippingPoint devices were stand-alone, then 3Com and then HP. For some reason they are ridiculously expensive, seeing that they are basically low-power vxWorks boxes with some ancient software… would love to hack in pfSense support for them.
Edit2: Might be that vxWorks is the bootloader and it actually loads a Unix or Linux system afterwards. Looking at the chips, there seems to be an EEPROM and a ROM, and some glue logic based on FPGA-like devices. As long as those are abstracted away by the general x86 architecture, we might be able to switch the relays in software using either GPIOs or writing bits to a special address. In the latter case, we really do need ROM dumps of pretty much everything.
Edit3: Those ULN2003A's on the sides of the relay's are darlington arrays, probably used to drive the relays using TTL level signals. Turn those on (as in the power-less state the relays need to be in bypass mode, that is how bypass works ;) ) and you have accessible network ports. Since there are tons of relays and those arrays allow individual IO's to be done, it probably means that they can be individually controlled from software. So ports can be switched on and off, and be bypassed to each other in a software-defined way. So it's not like Ports 1 and 2 are hardwired to be bypassable, you could bypass any set of ports you want. (if the relays have enough pins.. it's all theory ATM). So no common bypass signal for ALL ports at once I fear.
Edit4: okay, I'm probably too enthusiastic and wrong, those relays are B4CA4 relays which allow for two separate lines to be switched. So basically you can do 2 out of 8 signal lines per port with 1 relay. There are 16 relays, so I guess that's 32 lines, which is 4 switchable ports. This is pretty logical because there are 2 sets of ports on the front panel, so the relays are configured to allow those two sets to be individually bypassed. The relays themselves are set/reset relays according to one of the datasheets, there are A-types and B-types in that series, and the B-series are latching. It probably means that on powerloss the device has a few seconds before power down which is used to control the way passthrough is done from software.
Edit5: okay, now it's getting sad :p Those BA4CA4.5Z relays are actually 'normal' relays that switch off on power loss, so not latching at all.
-
Yeah, they pretty much have to be non-latching otherwise they don't failover in a power failure.
They probably only have two positions also; 1a connected to 1b or not. However with a normal lan-bypass setup you have one NIC for each port and there aren't enough here. :-\
Steve
-
Yeah, they pretty much have to be non-latching otherwise they don't failover in a power failure.
They probably only have two positions also; 1a connected to 1b or not. However with a normal lan-bypass setup you have one NIC for each port and there aren't enough here. :-\
Steve
Well, I can see five ports and five transformers, and five Intel chips for ethernet. (the one on the far left is still under it's heatsink, but you can see the transformer traces going over there)
The four ports next to the relays are in their bypass setup, the one leftmost is a non-bypass port, presumably to connect to a management network. -
Ah, under the heatsink. I guess that's why it's detected as something different. Though quite why the management port needs heatsinking and the in-band ports don't…..
Easy to test the by-pass mode. Without any power connected to the box test for connectivity between 1a and 1b (or 2a and 2b).Steve
-
That would indeed work, lets see if the TS can test that when he/she gets home.
I did a small inspection on the traces to those ULN2003A's, it looks like every chip controls 4 relays, and per chip, only the first four channels are used.
Those channels are tied together on one trace, so in theory, shorting one of them to Vcc will switch the relays.On the right hand side of the ULN chips, you can see U69, which looks like one pin is connected to the two ULN's up there, another to Vcc and the head pin to a trace that goes down to the Lattice chip. I could be wrong as the photo isn't sharp enough to do that kind of PCB tracing when zoomed in, but it's pretty logical to me. The Lattice is probably responsible for some general glue logic.
-
I am new to pfSense, I'm so thankful for this forum and the people who contribute to it. Saved me a lot of time.
tippingpoint_s10. Anways, with only 1 ethernet port I manage to get flashrom installed and read out the bios.[2.1.5-RELEASE][root@pfSense.localdomain]/root(8): flashrom -p internal -r tippS10.bin flashrom v0.9.7-r1711 on FreeBSD 8.3-RELEASE-p16 (i386) flashrom is free software, get the source code at http://www.flashrom.org Calibrating delay loop... OK. Found chipset "Intel ICH6-M". Enabling flash write... OK. Found SST flash chip "SST49LF008A" (1024 kB, FWH) at physical address 0xfff00000. Reading flash... done.
So much fun, I want to learn all this stuff, but I don't have time. Any pointers to bios editing would be helpful. I did some search, but only came up with bios-mods.com, too much information here with no guidance. Their latest message on the welcome page is from 2013.
Here are the original photo, I had to cut the previous one to size. My phone camera isn't that great.
https://drive.google.com/file/d/0B3viFJ2DdornNGRtN1FleFloSEU/view?usp=sharing
With the power off, 2a is connected to 2b, and 1a is connected to 1b.
edit1: I can tell you that the one labeled Intel legacy gigabit is a different chip. This is the one currently working, this chip is under the heatsink. I'm not worry about this chip. It's the other 4 that don't seem to work at all. My guess is the TippingPoint OS turns them on, because they light up after TOS boots.
-
Ok, that is a standard Award BIOS. Console redierction is enabled by default at 115200bps. Try connecting at that speed and use TAB to connect. The com port is not specified though so it may be using an internal com port. Though if that was the case I would not expect the pfSense serial console to work. The BIOS may specify com2 somewhere though…
It does have options to disable the two lan-bypass segments.
Com ports look absolutely normal and the pfSense console works so nothing suspicious there. There is no 'Agent wait time' option so possibly it isn't waiting in which case you may have a very short time to be pressing TAB. Start pressing it as soon as you power on.
Steve
-
If you're not able to reach the BIOS setup we could try editing the image to make lan-bypass disabled the default option. You can flash that back and clear the CMOS to apply it. Of course that carries some risk.
Steve
-
Nope, tried multiple times, I can't get into the bios settings. If you could modify the bios for me, I will flash it. I understand the risk. I have done multiple bios recovery before, no problem. I was also looking around for for the same type of bios (SST49LF008A-33-4C-NHE). Just in case something goes wrong and I need another chip.
My questions are: I notice when I extracted the bios it was only 1024 kB. The same type of chip has a 8MB version and a 4MB version? Can I flash a 1MB bin file to a 8MB or 4MB bios? Or do I have to find the exact capacity bios? Also, where did you learn how to edit bios firmware? What program did you use? Are they manufacture specific?
Thanks for your help.
-
49LF008 is by definition 8Mbit = 1Mbyte (Mb is a megabit, MB is megabyte). So a 1MB BIOS is the right size for a 8Mb flash chip. Many/most memories are usually specified in bits not bytes (because they can be arranged differently - sometimes 8 bits wide, 16 bits wide etc).
There is no 4 Megabit 49LF008.
-
Yup, BIOS rom chip size is always given in Mbits for some reason. ::)
I know that people have used a 512KB image on an 8Mb chip without issue. Obviously it won't fit the other way around.
I'll try and modify that image when I get a chance then.
Another option, potentially more fun but also more frustrating, is to probe the various GPIO pins until you find where the lan-bypass relays are connected.Steve
-
could you point me in the right direction on how to modify firmware&bios images?
-
49LF008 is by definition 8Mbit = 1Mbyte (Mb is a megabit, MB is megabyte). So a 1MB BIOS is the right size for a 8Mb flash chip. Many/most memories are usually specified in bits not bytes (because they can be arranged differently - sometimes 8 bits wide, 16 bits wide etc).
There is no 4 Megabit 49LF008.
Thank you for clearing this up. I understand the difference btw Mb & MB. Just so used to working in Megabyte, that when ever anyone refer to MB or Mb, I tho they mean the same. In reality (technically) they are not, so thank you.