c0d3z3r0 / rbmode


Support for 4 ports? #3

Closed Aristocles closed 4 years ago

Aristocles commented 4 years ago

Hi, Eddy here from makeitbreakitfixit.com. Someone posted your project up to one of my blog posts on hacking the Steelhead (http://makeitbreakitfixit.com/2016/06/20/hacking-a-riverbed-steelhead-cx755/). I am working on converting another Steelhead and would prefer to control the in-path ports using software rather than the hacky way of soldering that I have done. Your project looks hopeful, but I would need it to support 4 ports, not 2. Any chance of 4-port support?

There are a few devices with 4 ports, two of them are the CX 555 and CX 755.

Thanks.

c0d3z3r0 commented 4 years ago

Hi Eddy,

Unfortunately I don't own any of these devices anymore. The guys hacking around with smbus are on the right track, though. I guess the easiest would be reversing the original Riverbed tool / driver, to see which commands are needed to set all ports to "normal" (in-path) mode.

Another idea I just had: the relays are controlled by that bigger IC, which actually is an NXP microcontroller (the thingy that receives the smbus commands). It's a P89LPC932A1 [1] or similar.

First, I would try to connect a UART adapter to the two test pads at pins 17 (RX) and 18 (TX) to see if there is some debug output (or maybe one can even send commands?).

Next step: try to dump the firmware (that thing has 8 kB flash) and EEPROM (512 bytes) and try your luck with radare or Ghidra. (I can have a look at it, too, if you manage to dump the firmware ;-) ) However, if they've done their job right, the protection bits are set and prevent read-out.

[1] https://www.nxp.com/docs/en/data-sheet/P89LPC932A1.pdf

Aristocles commented 4 years ago

Thanks mate. Turns out the two commands your script executes are enough to get both in-path interfaces working again (4 interfaces in total). I confirmed this with the commands found here: https://forum.netgate.com/topic/61720/pfsense-on-a-riverbed-steelhead/106

Namely running these commands:

```
smbmsg -s 0x48 -c 0x55 -o 6 0x03 0xfc 0x01 0xfe 0x66 0x99
smbmsg -s 0x48 -c 0x55 -o 6 0x03 0xfc 0x00 0xff 0x66 0x99
```

But only after adding to /boot/loader.conf.local:

```
ichsmb_load="YES"
smb_load="YES"
```

Your script may have worked out but it would've needed to be modified to work in FreeBSD (I am trying to get it to work in pfSense) and that would require installing gcc to compile some Python modules, which I want to avoid. Instead, I am getting the above commands to execute on boot.

Thanks again.

c0d3z3r0 commented 4 years ago

Cool, thanks for your feedback :-)

> But only after adding to /boot/loader.conf.local: ichsmb_load="YES" smb_load="YES"

Sure, this loads the smbus/i2c modules I guess.

> Your script may have worked out but it would've needed to be modified to work in FreeBSD (I am trying to get it to work in pfSense) and that would require installing gcc to compile some Python modules, which I want to avoid. Instead, I am getting the above commands to execute on boot.

I would avoid that, too, if I didn't have gcc and Python installed anyway ;)