Any guidance with TippingPoint S10?



  • Out of the box the unit will load pfSense from nanobsd image on compact flash. Boot up is flawless. Looks very promising.

    FreeBSD 8.3-RELEASE-p16 #0: Mon Aug 25 08:27:41 EDT 2014
        root@pf2_1_1_i386.pfsense.org:/usr/obj.i386/usr/pfSensesrc/src/sys/pfSense_wrap.8.i386 i386
    Timecounter "i8254" frequency 1193182 Hz quality 0
    CPU: Intel(R) Celeron(R) M processor          600MHz (600.02-MHz 686-class CPU)
      Origin = "GenuineIntel"  Id = 0x695  Family = 6  Model = 9  Stepping = 5
      Features=0xa7e9fbbf<FPU,VME,DE,PSE,TSC,MSR,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,TM,PBE>
    real memory  = 1073741824 (1024 MB)
    avail memory = 1026891776 (979 MB)
    ACPI APIC Table: <INTELR AWRDACPI>
    ioapic0 <Version 2.0> irqs 0-23 on motherboard
    ipw_bss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
    ipw_bss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
    module_register_init: MOD_LOAD (ipw_bss_fw, 0xc0738f60, 0) error 1
    ipw_ibss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
    ipw_ibss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
    module_register_init: MOD_LOAD (ipw_ibss_fw, 0xc0739000, 0) error 1
    ipw_monitor: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
    ipw_monitor: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
    module_register_init: MOD_LOAD (ipw_monitor_fw, 0xc07390a0, 0) error 1
    wlan: mac acl policy registered
    cryptosoft0: <software crypto> on motherboard
    padlock0: No ACE support.
    acpi0: <INTELR AWRDACPI> on motherboard
    acpi0: [ITHREAD]
    acpi0: Power Button (fixed)
    acpi0: reservation of 0, a0000 (3) failed
    acpi0: reservation of 100000, 3fdf0000 (3) failed
    Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
    acpi_timer0: <24-bit timer at 3.579545MHz> port 0x408-0x40b on acpi0
    cpu0: <ACPI CPU> on acpi0
    acpi_button0: <Power Button> on acpi0
    pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
    pci0: <ACPI PCI bus> on pcib0
    vgapci0: <VGA-compatible display> port 0xff00-0xff07 mem 0xfdf00000-0xfdf7ffff,0xd0000000-0xdfffffff,0xfdf80000-0xfdfbffff irq 16 at device 2.0 on pci0
    pcib1: <ACPI PCI-PCI bridge> irq 16 at device 28.0 on pci0
    pci1: <ACPI PCI bus> on pcib1
    em0: <Intel(R) PRO/1000 Network Connection 7.3.8> port 0xdf00-0xdf1f mem 0xfdae0000-0xfdafffff irq 16 at device 0.0 on pci1
    em0: Using an MSI interrupt
    em0: [FILTER]
    pcib2: <ACPI PCI-PCI bridge> irq 17 at device 28.1 on pci0
    pci2: <ACPI PCI bus> on pcib2
    em1: <Intel(R) PRO/1000 Network Connection 7.3.8> port 0xcf00-0xcf1f mem 0xfd6e0000-0xfd6fffff irq 17 at device 0.0 on pci2
    em1: Using an MSI interrupt
    em1: [FILTER]
    pcib3: <ACPI PCI-PCI bridge> irq 18 at device 28.2 on pci0
    pci3: <ACPI PCI bus> on pcib3
    em2: <Intel(R) PRO/1000 Network Connection 7.3.8> port 0xaf00-0xaf1f mem 0xfdee0000-0xfdefffff irq 18 at device 0.0 on pci3
    em2: Using an MSI interrupt
    em2: [FILTER]
    pcib4: <ACPI PCI-PCI bridge> irq 19 at device 28.3 on pci0
    pci4: <ACPI PCI bus> on pcib4
    em3: <Intel(R) PRO/1000 Network Connection 7.3.8> port 0xef00-0xef1f mem 0xfdce0000-0xfdcfffff irq 19 at device 0.0 on pci4
    em3: Using an MSI interrupt
    em3: [FILTER]
    uhci0: <Intel 82801FB/FR/FW/FRW (ICH6) USB controller USB-A> port 0xfe00-0xfe1f irq 23 at device 29.0 on pci0
    uhci0: [ITHREAD]
    usbus0: <Intel 82801FB/FR/FW/FRW (ICH6) USB controller USB-A> on uhci0
    uhci1: <Intel 82801FB/FR/FW/FRW (ICH6) USB controller USB-B> port 0xfd00-0xfd1f irq 19 at device 29.1 on pci0
    uhci1: [ITHREAD]
    usbus1: <Intel 82801FB/FR/FW/FRW (ICH6) USB controller USB-B> on uhci1
    ehci0: <Intel 82801FB (ICH6) USB 2.0 controller> mem 0xfdfff000-0xfdfff3ff irq 23 at device 29.7 on pci0
    ehci0: [ITHREAD]
    usbus2: EHCI version 1.0
    usbus2: <Intel 82801FB (ICH6) USB 2.0 controller> on ehci0
    pcib5: <ACPI PCI-PCI bridge> at device 30.0 on pci0
    pci5: <ACPI PCI bus> on pcib5
    pci5: <unknown> at device 3.0 (no driver attached)
    em4: <Intel(R) PRO/1000 Legacy Network Connection 1.0.6> port 0xbf00-0xbf3f mem 0xfd9c0000-0xfd9dffff,0xfd9a0000-0xfd9bffff irq 18 at device 4.0 on pci5
    em4: [FILTER]
    isab0: <PCI-ISA bridge> at device 31.0 on pci0
    isa0: <ISA bus> on isab0
    atapci0: <Intel ICH6 UDMA100 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xfa00-0xfa0f at device 31.1 on pci0
    ata0: <ATA channel> at channel 0 on atapci0
    ata0: [ITHREAD]
    ata1: <ATA channel> at channel 1 on atapci0
    ata1: [ITHREAD]
    atapci1: <Intel ICH6M SATA150 controller> port 0xf900-0xf907,0xf800-0xf803,0xf700-0xf707,0xf600-0xf603,0xf500-0xf50f mem 0xfdffc000-0xfdffc3ff irq 19 at device 31.2 on pci0
    atapci1: [ITHREAD]
    ata2: <ATA channel> at channel 0 on atapci1
    ata2: [ITHREAD]
    ata3: <ATA channel> at channel 1 on atapci1
    ata3: [ITHREAD]
    pci0: <serial bus, SMBus> at device 31.3 (no driver attached)
    atrtc0: <AT realtime clock> port 0x70-0x73 irq 8 on acpi0
    uart0: <16550 or compatible> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
    uart0: [FILTER]
    uart0: console (115200,n,8,1)
    uart1: <16550 or compatible> port 0x2f8-0x2ff irq 3 on acpi0
    uart1: [FILTER]
    ppc0: <Parallel port> port 0x378-0x37f,0x778-0x77b irq 7 on acpi0
    ppc0: Generic chipset (NIBBLE-only) in COMPATIBLE mode
    ppc0: [ITHREAD]
    ppbus0: <Parallel port bus> on ppc0
    ppi0: <Parallel I/O> on ppbus0
    orm0: <ISA Option ROM> at iomem 0xef000-0xeffff pnpid ORM0000 on isa0
    acpi_throttle0: <ACPI CPU throttling> on cpu0
    Timecounter "TSC" frequency 600024136 Hz quality 800
    Timecounters tick every 10.000 msec
    IPsec: Initialized Security Association Processing.
    usbus0: 12Mbps Full Speed USB v1.0
    usbus1: 12Mbps Full Speed USB v1.0
    usbus2: 480Mbps High Speed USB v2.0
    ad0: 3823MB <TS4GCF133 20110407> at ata0-master PIO4
    ugen0.1: <Intel> at usbus0
    uhub0: <Intel UHCI root HUB, class 9/0, rev 1.00/1.00, addr 1> on usbus0
    ugen1.1: <Intel> at usbus1
    uhub1: <Intel UHCI root HUB, class 9/0, rev 1.00/1.00, addr 1> on usbus1
    ugen2.1: <Intel> at usbus2
    uhub2: <Intel EHCI root HUB, class 9/0, rev 2.00/1.00, addr 1> on usbus2
    Root mount waiting for: usbus2 usbus1 usbus0
    uhub0: 2 ports with 2 removable, self powered
    uhub1: 2 ports with 2 removable, self powered
    uhub2: 12 ports with 12 removable, self powered
    Trying to mount root from ufs:/dev/ufs/pfsense0
    Configuring crash dumps...
    Mounting filesystems...
    Setting up memory disks... done.
    Disabling APM on /dev/ad0
    
         ___
     ___/ f \
    / p \___/ Sense
    \___/   \
        \___/
    
    Welcome to pfSense 2.1.5-RELEASE  ...
    
    Creating symlinks......done.
    External config loader 1.0 is now starting...
    Launching the init system... done.
    Initializing............................. done.
    Starting device manager (devd)...done.
    Loading configuration......done.
    Updating configuration...done.
    Cleaning backup cache........done.
    Setting up extended sysctls...done.
    Setting timezone...done.
    Configuring loopback interface...done.
    Starting syslog...done.
    Starting Secure Shell Services...done.
    Setting up polling defaults...done.
    Setting up interfaces microcode...done.
    Configuring loopback interface...done.
    Creating wireless clone interfaces...done.
    Configuring LAGG interfaces...done.
    Configuring VLAN interfaces...done.
    Configuring QinQ interfaces...done.
    Configuring WAN interface...done.
    Configuring LAN interface...done.
    Syncing OpenVPN settings...done.
    Configuring firewall......done.
    Starting PFLOG...done.
    Setting up gateway monitors...done.
    Synchronizing user settings...done.
    Starting webConfigurator...done.
    Configuring CRON...done.
    Starting DNS forwarder...done.
    Starting NTP time client...done.
    Starting DHCP service...done.
    Starting DHCPv6 service...done.
    Configuring firewall......done.
    Generating RRD graphs...done.
    Starting syslog...done.
    Starting CRON... done.
    Bootup complete
    
    FreeBSD/i386 (pfSense.localdomain) (console)
    
    *** Welcome to pfSense 2.1.5-RELEASE-nanobsd (i386) on pfSense ***
    
     WAN (wan)       -> em0        ->
     LAN (lan)       -> em4        -> v4: 192.168.1.1/24
    
     0) Logout (SSH only)                  8) Shell
     1) Assign Interfaces                  9) pfTop
     2) Set interface(s) IP address       10) Filter Logs
     3) Reset webConfigurator password    11) Restart webConfigurator
     4) Reset to factory defaults         12) pfSense Developer Shell
     5) Reboot system                     13) Upgrade from console
     6) Halt system                       14) Disable Secure Shell (sshd)
     7) Ping host                         15) Restore recent configuration
    
    Enter an option: 8
    
    pciconf -l -v
    hostb0@pci0:0:0:0:      class=0x060000 card=0x25908086 chip=0x25908086 rev=0x04 hdr=0x00
        class      = bridge
        subclass   = HOST-PCI
    vgapci0@pci0:0:2:0:     class=0x030000 card=0x25928086 chip=0x25928086 rev=0x04 hdr=0x00
        class      = display
        subclass   = VGA
    pcib1@pci0:0:28:0:      class=0x060400 card=0x26608086 chip=0x26608086 rev=0x04 hdr=0x01
        class      = bridge
        subclass   = PCI-PCI
    pcib2@pci0:0:28:1:      class=0x060400 card=0x26628086 chip=0x26628086 rev=0x04 hdr=0x01
        class      = bridge
        subclass   = PCI-PCI
    pcib3@pci0:0:28:2:      class=0x060400 card=0x26648086 chip=0x26648086 rev=0x04 hdr=0x01
        class      = bridge
        subclass   = PCI-PCI
    pcib4@pci0:0:28:3:      class=0x060400 card=0x26668086 chip=0x26668086 rev=0x04 hdr=0x01
        class      = bridge
        subclass   = PCI-PCI
    uhci0@pci0:0:29:0:      class=0x0c0300 card=0x26588086 chip=0x26588086 rev=0x04 hdr=0x00
        class      = serial bus
        subclass   = USB
    uhci1@pci0:0:29:1:      class=0x0c0300 card=0x26598086 chip=0x26598086 rev=0x04 hdr=0x00
        class      = serial bus
        subclass   = USB
    ehci0@pci0:0:29:7:      class=0x0c0320 card=0x265c8086 chip=0x265c8086 rev=0x04 hdr=0x00
        class      = serial bus
        subclass   = USB
    pcib5@pci0:0:30:0:      class=0x060401 card=0x24488086 chip=0x24488086 rev=0xd4 hdr=0x01
        class      = bridge
        subclass   = PCI-PCI
    isab0@pci0:0:31:0:      class=0x060100 card=0x26418086 chip=0x26418086 rev=0x04 hdr=0x00
        class      = bridge
        subclass   = PCI-ISA
    atapci0@pci0:0:31:1:    class=0x01018a card=0x266f8086 chip=0x266f8086 rev=0x04 hdr=0x00
        class      = mass storage
        subclass   = ATA
    atapci1@pci0:0:31:2:    class=0x01018f card=0x26538086 chip=0x26538086 rev=0x04 hdr=0x00
        class      = mass storage
        subclass   = ATA
    none0@pci0:0:31:3:      class=0x0c0500 card=0x266a8086 chip=0x266a8086 rev=0x04 hdr=0x00
        class      = serial bus
        subclass   = SMBus
    em0@pci0:1:0:0: class=0x020000 card=0x00008086 chip=0x109a8086 rev=0x00 hdr=0x00
        class      = network
        subclass   = ethernet
    em1@pci0:2:0:0: class=0x020000 card=0x00008086 chip=0x109a8086 rev=0x00 hdr=0x00
        class      = network
        subclass   = ethernet
    em2@pci0:3:0:0: class=0x020000 card=0x00008086 chip=0x109a8086 rev=0x00 hdr=0x00
        class      = network
        subclass   = ethernet
    em3@pci0:4:0:0: class=0x020000 card=0x00008086 chip=0x109a8086 rev=0x00 hdr=0x00
        class      = network
        subclass   = ethernet
    none1@pci0:5:3:0:       class=0xff0000 card=0x00010001 chip=0x0001a727 rev=0x00 hdr=0x00
    em4@pci0:5:4:0: class=0x020000 card=0x002e1903 chip=0x10768086 rev=0x05 hdr=0x00
        class      = network
        subclass   = ethernet
    [2.1.5-RELEASE][root@pfSense.localdomain]/root(2): exit
    
    Enter an option: 1
    
    Valid interfaces are:
    
    em0   00:07:99:a2:75:bf   (up) Intel(R) PRO/1000 Network Connection 7.3.8
    em1   00:07:99:a2:75:c0 (down) Intel(R) PRO/1000 Network Connection 7.3.8
    em2   00:07:99:a2:75:c1 (down) Intel(R) PRO/1000 Network Connection 7.3.8
    em3   00:07:99:a2:75:c2 (down) Intel(R) PRO/1000 Network Connection 7.3.8
    em4   00:07:99:a2:75:be   (up) Intel(R) PRO/1000 Legacy Network Connection 1.0.6
    
    Do you want to set up VLANs first?
    

    Here is the problem. I see all the interfaces, but can only access em4, which is the legacy Intel gigabit interface. em0 to em3 seem dead. There are no lights on them, and they do not detect a wire plugged into the port. I found some information from an X506 device https://forum.pfsense.org/index.php?topic=72916.0, but I think this unit is totally different. These interfaces are not switch ICs, they seem like real network interfaces.

    I thought there may be a BIOS option to turn them on/off. There is no BIOS prompt on boot.

    em4 is labeled management on the unit.



  • I think you are using an older pfSense, could that be? I read BSD 8, while pfSense 2.2 is at version 10 I think. If you are using an older version, could you try a newer version instead?



  • Thanks for fast reply. I initially had pfsense 2.2 nano. In this version, none of the ports work, even em4 did not work.


  • Netgate Administrator

    Looks like it has some sort of network bypass that's getting in the way. It may be possible to disable that with jumpers or in the BIOS if you can get to it. The BIOS is probably accessed via 115200bps and try hitting TAB.

    Steve



  • Could you post one or more high-res photos of the inside of the box? That would make it easier to see how it's built and how it's working.


  • Netgate Administrator

    Yep. I can find almost no documentation on the box so it's hard to say quite how those NICs are connected. Could be internal switches with mirror ports for the IDS.
    Fun.  ;)

    Steve



  • Serial connection to unit was easy. Boot message does not prompt for BIOS access. I think you're on to something regarding "network bypass." When I get home tonight, I will post some high res photos.



  • Unfortunately only 2 MAC addresses are shown on the sticker. I was able to identify 3 pins that could be changed/altered. The one on the first picture with "???" in top left corner, I'm not sure what this jumper is for. There are no markings to indicate what it does. One way at the bottom next to CF card is for selecting master/slave. There is one pin next to battery, I'm assuming this is for resetting BIOS.

    Boot Screen

    
    Load End drivers
    BIOS V1.0.7
    Memory Testing : OK
    ...
    
    TippingPoint OS
    BSP [m10 1.2]   Bootloader [20]
    Creation date: Jul 22 2009, 17:27:19
    
    

    Control C gives the below prompt. I think it already is running from disk and not a BIOS prompt. You can see I typed the "@" to continue the boot process.

    Load End drivers
    BIOS V1.0.7
    Memory Testing : OK
    ...
    
    TippingPoint OS
    BSP [m10 1.2]   Bootloader [20]
    Creation date: Jul 22 2009, 17:27:19
    
    Press Control-C to stop auto-boot...
     2
    Type '@' to continue boot, or 'h' for help
    [VxWorks Boot]: @
    
    boot device          : ata=0,0
    unit number          : 0
    processor number     : 0
    host name            : NDS
    file name            : auto
    flags (f)            : 0x0
    
    Attaching to ATA disk device... done.
    /boot/2.5.5.6994/vxWorks [0c3ca432ffef42a5a746da5469573ac3]
    Loading /boot/2.5.5.6994/vxWorks....13275344 + 1222576 + 14761892
    Starting at 0x108000...
    

    The rest of the boot process from TippingPoint OS

    Attaching interface lo0...done
    
    Adding 32415 symbols for standalone.
    Initialize Memory.......................[OK]
    Add reboot hooks........................[OK]
    Start CPU Resource Monitoring...........[OK]
    Initialize System Clock.................[OK] 2015-03-16 05:38:13 [UTC]
    Set Boot Time...........................[OK]
    Calculate CPU Speed.....................[OK] 600.104 MHz
    Identify Host Type......................[OK] n1
    Identify HW.............................[OK] A (A-10LF) gei
    Mount Storage Device....................[OK]
    Mount File System.......................[OK]
    /boot/  - Volume is OK
    /opt/  - Volume is OK
    /usr/  - Volume is OK
    /log/  - Volume is OK
    Initialize IPC..........................[OK]
    Initialize Paths........................[OK]
    Read Configuration Files................[OK]
    Apply Task Environment..................[OK]
    Apply ATA Environment...................[OK]
    Apply LCD Environment...................[OK]
    Create /ramLog..........................[OK]
    Create /ramTmp..........................[OK]
    Initialize System Log...................[OK]
    Initialize License Manager..............[OK]
    Initialize Update subsystem.............[OK]
    Create /ramRO...........................[OK]
    Load RAM Disk...........................[OK]
    Set Memory Protection...................[OK] 0x3fe8f800
    Performing Host/Model Checks............[OK] Software chassis
    Initialize Network Processor............[OK]
    Initialize IPM..........................[NOT DETECTED]
    Read TOS metadata.......................[OK] ver=2.5.5.6994
    Read DV metadata........................[OK] ver=2.5.2.7735
    Read bootloader metadata................[OK] ver=20 cnt=33
    Initialize Audit log....................[OK]
    Initialize Block Log....................[OK]
    Initialize Alert Log....................[OK]
    Initialize SNMP.........................[OK]
    Initialize Email........................[OK]
    Initialize Remote Syslog................[OK]
    Validating Certificate..................[OK]
    
          _____                             ____               _
         |_   _|_ _ __  _ __  _ _ __   __ _|  _ \ ___  _ _ __ | |_
           | | | | '_ \| '_ \| | '_ \ / _` | |_) / _ \| | '_ \| __|
           | | | | |_) | |_) | | | | | (_| |  __/ (_) | | | | | |_
           |_| |_| .__/| .__/|_|_| |_|\__, |_|   \___/|_|_| |_|\__|
                 |_|   |_|            |___/
    
        TippingPoint - Austin, Texas, USA - www.tippingpoint.com
     TOS Version     : 2.5.5.6994   Build Date: Aug 31 2009, 16:35:01
     Digital Vaccine : 2.5.2.7735       Serial: U10C-99A2-75BE
     Hardware Rev    : A (A-10LF)
    
    Loading........
    
    Login:
    
    





  • Netgate Administrator

    So you have a load of lan-bypass relays. They are why you can't connect to any port other than the management port. You will have to disable those (or enable them perhaps) to be able to use it.
    It's curious that you have 4 NIC chips. It's hard to see how those are connected. 1 is the management port and I would guess that 2 are for the by-pass 'segments', maybe the other one was for some 3 segment model. Are you sure that they are all identical chips? The last one is the same under the heat spreader? They show as differently detected in your logs above.

    If you can't access the bios at all you could try dumping the BIOS with flashrom from pfSense and looking through it for clues.

    Steve



  • TP's OS is based upon redhat/fedora Linux (unless they've changed it)…it used to run the stock images and has since been re-skinned for a bit of background. The controllers you have on that box are PC82573L's (http://www.intel.com/content/dam/doc/datasheet/82573-gbe-controllers-datasheet.pdf), as usual they like older controllers. The 82573L controller was first released almost 10-yrs ago. Take a look at (https://downloadcenter.intel.com/download/17509/Network-Adapter-Gigabit-Base-Driver-for-FreeBSD-) for the current version of the drivers, though they were designed for the FreeBSD 9.x kernel.



  • @Patrick_:

    TP's OS is based upon redhat/fedora Linux (unless they've changed it)…it used to run the stock images and has since been re-skinned for a bit of background. The controllers you have on that box are PC82573L's (http://www.intel.com/content/dam/doc/datasheet/82573-gbe-controllers-datasheet.pdf), as usual they like older controllers. The 82573L controller was first released almost 10-yrs ago. Take a look at (https://downloadcenter.intel.com/download/17509/Network-Adapter-Gigabit-Base-Driver-for-FreeBSD-) for the current version of the drivers, though they were designed for the FreeBSD 9.x kernel.

    According to his serial output, this one is running vxWorks.
    The BIOS has no regular interface it seems, probably only NVRAM-controlled as is quite often with vxWorks boxes.

    Regarding the jumper in the left top corner near the power connector: that looks like it is either wired into a DC-DC circuit, a AD-DA circuit (it's near an analog devices chip) or maybe simply for an optional part that is not installed.

    It seems to be x86 based with full BIOS boot, maybe a dmidecode dump (if BSD has that, I know Linux does) would shed some light on what tables are there. ACPI dump would be nice too.

    Regarding the escape-to-prompt option: at that stage you are in some sort of bootloader. It's not a BIOS escape prompt at that part. This is quite common, if you press ? instead of @ you should get a bunch of commands that allow for direct manipulation of addresses and their contents.

    I'd love to get my hands on one of these, seems like a fun hacking project :p

    Edit: I found one on eBay, going to bid on it ^^

    Looks like these TippingPoint devices were stand-alone, then 3Com and then HP. For some reason they are ridiculously expensive, seeing that they are basically low-power vxWorks boxes with some ancient software… would love to hack in pfSense support for them.

    Edit2: Might be that vxWorks is the bootloader and it actually loads a Unix or Linux system afterwards. Looking at the chips, there seems to be an EEPROM and a ROM, and some glue logic based on FPGA-like devices. As long as those are abstracted away by the general x86 architecture, we might be able to switch the relays in software using either GPIOs or writing bits to a special address. In the latter case, we really do need ROM dumps of pretty much everything.

    Edit3: Those ULN2003A's on the sides of the relays are Darlington arrays, probably used to drive the relays using TTL level signals. Turn those on (as in the power-less state the relays need to be in bypass mode, that is how bypass works ;) ) and you have accessible network ports. Since there are tons of relays and those arrays allow individual IO's to be done, it probably means that they can be individually controlled from software. So ports can be switched on and off, and be bypassed to each other in a software-defined way. So it's not like Ports 1 and 2 are hardwired to be bypassable, you could bypass any set of ports you want. (if the relays have enough pins.. it's all theory ATM). So no common bypass signal for ALL ports at once I fear.

    Edit4: okay, I'm probably too enthusiastic and wrong, those relays are B4CA4 relays which allow for two separate lines to be switched. So basically you can do 2 out of 8 signal lines per port with 1 relay. There are 16 relays, so I guess that's 32 lines, which is 4 switchable ports. This is pretty logical because there are 2 sets of ports on the front panel, so the relays are configured to allow those two sets to be individually bypassed. The relays themselves are set/reset relays according to one of the datasheets, there are A-types and B-types in that series, and the B-series are latching. It probably means that on powerloss the device has a few seconds before power down which is used to control the way passthrough is done from software.

    Edit5: okay, now it's getting sad :p Those BA4CA4.5Z relays are actually 'normal' relays that switch off on power loss, so not latching at all.


  • Netgate Administrator

    Yeah, they pretty much have to be non-latching otherwise they don't failover in a power failure.

    They probably only have two positions also; 1a connected to 1b or not. However with a normal lan-bypass setup you have one NIC for each port and there aren't enough here.  :-\

    Steve



  • @stephenw10:

    Yeah, they pretty much have to be non-latching otherwise they don't failover in a power failure.

    They probably only have two positions also; 1a connected to 1b or not. However with a normal lan-bypass setup you have one NIC for each port and there aren't enough here.  :-\

    Steve

    Well, I can see five ports and five transformers, and five Intel chips for ethernet. (the one on the far left is still under its heatsink, but you can see the transformer traces going over there)
    The four ports next to the relays are in their bypass setup, the one leftmost is a non-bypass port, presumably to connect to a management network.


  • Netgate Administrator

    Ah, under the heatsink. I guess that's why it's detected as something different. Though quite why the management port needs heatsinking and the in-band ports don't…..
    Easy to test the by-pass mode. Without any power connected to the box test for connectivity between 1a and 1b (or 2a and 2b).

    Steve



  • That would indeed work, let's see if the TS can test that when he/she gets home.

    I did a small inspection on the traces to those ULN2003A's, it looks like every chip controls 4 relays, and per chip, only the first four channels are used.
    Those channels are tied together on one trace, so in theory, shorting one of them to Vcc will switch the relays.

    On the right hand side of the ULN chips, you can see U69, which looks like one pin is connected to the two ULN's up there, another to Vcc and the head pin to a trace that goes down to the Lattice chip. I could be wrong as the photo isn't sharp enough to do that kind of PCB tracing when zoomed in, but it's pretty logical to me. The Lattice is probably responsible for some general glue logic.



  • I am new to pfSense, I'm so thankful for this forum and the people who contribute to it. Saved me a lot of time.
    tippingpoint_s10. Anyways, with only 1 ethernet port I managed to get flashrom installed and read out the BIOS.

    [2.1.5-RELEASE][root@pfSense.localdomain]/root(8): flashrom -p internal -r tippS10.bin
    flashrom v0.9.7-r1711 on FreeBSD 8.3-RELEASE-p16 (i386)
    flashrom is free software, get the source code at http://www.flashrom.org
    
    Calibrating delay loop... OK.
    Found chipset "Intel ICH6-M". Enabling flash write... OK.
    Found SST flash chip "SST49LF008A" (1024 kB, FWH) at physical address 0xfff00000.
    Reading flash... done.
    

    So much fun, I want to learn all this stuff, but I don't have time. Any pointers to BIOS editing would be helpful. I did some searching, but only came up with bios-mods.com, too much information here with no guidance. Their latest message on the welcome page is from 2013.

    Here is the original photo, I had to cut the previous one to size. My phone camera isn't that great.

    https://drive.google.com/file/d/0B3viFJ2DdornNGRtN1FleFloSEU/view?usp=sharing

    With the power off, 2a is connected to 2b, and 1a is connected to 1b.

    edit1: I can tell you that the one labeled Intel legacy gigabit is a different chip. This is the one currently working, this chip is under the heatsink. I'm not worried about this chip. It's the other 4 that don't seem to work at all. My guess is the TippingPoint OS turns them on, because they light up after TOS boots.


  • Netgate Administrator

    Ok, that is a standard Award BIOS. Console redirection is enabled by default at 115200bps. Try connecting at that speed and use TAB to connect. The com port is not specified though so it may be using an internal com port. Though if that was the case I would not expect the pfSense serial console to work. The BIOS may specify com2 somewhere though…

    It does have options to disable the two lan-bypass segments.

    Com ports look absolutely normal and the pfSense console works so nothing suspicious there. There is no 'Agent wait time' option so possibly it isn't waiting in which case you may have a very short time to be pressing TAB. Start pressing it as soon as you power on.

    Steve


  • Netgate Administrator

    If you're not able to reach the BIOS setup we could try editing the image to make lan-bypass disabled the default option. You can flash that back and clear the CMOS to apply it. Of course that carries some risk.

    Steve



  • Nope, tried multiple times, I can't get into the BIOS settings. If you could modify the BIOS for me, I will flash it. I understand the risk. I have done multiple BIOS recoveries before, no problem. I was also looking around for the same type of BIOS (SST49LF008A-33-4C-NHE). Just in case something goes wrong and I need another chip.

    My questions are: I notice when I extracted the bios it was only 1024 kB. The same type of chip has a 8MB version and a 4MB version? Can I flash a 1MB bin file to a 8MB or 4MB bios? Or do I have to find the exact capacity bios? Also, where did you learn how to edit bios firmware? What program did you use? Are they manufacture specific?

    Thanks for your help.




  • 49LF008 is by definition 8Mbit = 1Mbyte (Mb is a megabit, MB is megabyte). So a 1MB BIOS is the right size for a 8Mb flash chip. Many/most memories are usually specified in bits not bytes (because they can be arranged differently - sometimes 8 bits wide, 16 bits wide etc).

    There is no 4 Megabit 49LF008.


  • Netgate Administrator

    Yup, BIOS rom chip size is always given in Mbits for some reason.  ::)
    I know that people have used a 512KB image on an 8Mb chip without issue. Obviously it won't fit the other way around.
    I'll try and modify that image when I get a chance then.
    Another option, potentially more fun but also more frustrating, is to probe the various GPIO pins until you find where the lan-bypass relays are connected.

    Steve



  • @steve

    could you point me in the right direction on how to modify firmware&bios images?



  • @Shonky:

    49LF008 is by definition 8Mbit = 1Mbyte (Mb is a megabit, MB is megabyte). So a 1MB BIOS is the right size for a 8Mb flash chip. Many/most memories are usually specified in bits not bytes (because they can be arranged differently - sometimes 8 bits wide, 16 bits wide etc).

    There is no 4 Megabit 49LF008.

    Thank you for clearing this up. I understand the difference between Mb & MB. I'm just so used to working in megabytes that whenever anyone refers to MB or Mb, I thought they meant the same. In reality (technically) they are not, so thank you.


  • Netgate Administrator

    Ok, find attached the modified BIOS image. The only thing I have changed here are the default values for the two lan-bypass segments from enabled to disabled. For this to have any effect you'll have to flash it then reset the CMOS to load the defaults. It may catch fire etc…  ;)
    Remove the .png extension. The MD5 should be 2a4017953a1031f97b36b1174b85f9b1.

    Steve

    tps10mod.bin.png
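
An added example, not part of the original posts: a POSIX shell pre-flash check for a downloaded BIOS image such as the one attached above. It confirms the file is exactly the 1024 kB the SST49LF008A holds, that it matches the posted MD5, and counts how many bytes differ from the original flashrom dump; the function names are hypothetical. An MD5 match shows the download is intact, not who produced it.

```shell
#!/bin/sh
# Added example: checks to run before writing a BIOS image back to flash.
# Function names are hypothetical; file names in the usage notes come from the thread.

# Print the hex MD5 of a file with whichever tool is present
# (md5sum on Linux, md5 -q on FreeBSD/pfSense).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d ' ' -f 1
    else
        md5 -q "$1"
    fi
}

# Print the file size in bytes with no padding (BSD wc pads with spaces).
file_size() {
    echo $(( $(wc -c < "$1") ))
}

# verify_image FILE EXPECTED_MD5 [EXPECTED_SIZE]
# Returns 0 only if both the size and the digest match.
# EXPECTED_SIZE defaults to 1048576 bytes: an 8 Mbit part holds 1 MByte.
verify_image() {
    img=$1
    want_md5=$(echo "$2" | tr 'A-F' 'a-f')
    want_size=${3:-1048576}

    [ -f "$img" ] || { echo "missing: $img" >&2; return 2; }

    have_size=$(file_size "$img")
    if [ "$have_size" -ne "$want_size" ]; then
        echo "size mismatch: got $have_size, want $want_size" >&2
        return 1
    fi

    have_md5=$(file_md5 "$img" | tr 'A-F' 'a-f')
    if [ "$have_md5" != "$want_md5" ]; then
        echo "md5 mismatch: got $have_md5" >&2
        return 1
    fi
    return 0
}

# changed_bytes ORIGINAL MODIFIED
# Print how many byte positions differ between two equal-sized images.
# A change limited to a few setup defaults should touch few bytes;
# a large count means the image is not the small edit it claims to be.
changed_bytes() {
    cmp -l "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Usage with the thread's files (original dump kept as the recovery copy):
#   verify_image tps10mod.bin 2a4017953a1031f97b36b1174b85f9b1 || exit 1
#   changed_bytes tippS10.bin tps10mod.bin
```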



  • Yup followed those directions and it works. Had to reset bios.

    Stephenw10, are you in Europe? How many Euros do I owe you? Thanks a million.


  • Netgate Administrator

    I'm in London, we haven’t moved to Euros, yet.
    That's great news anyway. Does it control the 'active' leds also? If not that's more potential fun right there.  :D

    Steve



  • LED on the ports are working.



  • @stephenw10:

    Ok, find attached the modified BIOS image. The only thing I have changed here are the default values for the two lan-bypass segments from enabled to disabled. For this to have any effect you'll have to flash it then reset the CMOS to load the defaults. It may catch fire etc…  ;)

    Steve, how did you modify the bios file?



  • yes, i want to know/learn and would be willing to take the ferry to london to find out :D :D


  • Netgate Administrator

    There's no big secret I just opened it in modbin6. Pretty easy with older bioses like this.  ;)

    Steve



  • I'm just going to point out that Paul, Netgate's COO, used to work at Tipping Point as the VP Business Management / VP Product Management.

    IJS…

