Archive for April, 2010

The Switch economy – according to us!

April 20, 2010

Large vendors like Cisco, Juniper, Foundry and Force10 create most of their hardware and software (sometimes even chip!) designs by themselves and usually don’t share any information about these designs with the outside world (and if so – only on a “need to know” basis).

On the other hand there’s a whole ecosystem around independent companies focusing on isolated tasks of the design and production process. These are usually divided into four major groups:



What is a Switch?

April 18, 2010

A network switch is a device with multiple physical ethernet ports between which frames are forwarded according to the specific rules the switch has been configured with.

The most basic scenario would be an unmanaged switch with a single broadcast domain – in such a setup the switch would learn which MAC addresses can be found behind which ports and when it receives a frame for a given MAC address, it forwards the frame to the given port.


Figuring out the .BIX checksums

April 17, 2010

The .BIX runtime format contains two checksums. A checksum over the runtime image and a checksum over the header. The bootloader does not verify these checksums when you’re uploading a file, but it does so when you’re trying to boot the files. If they’re wrong it will cause the following error:


CLI backdoor

April 14, 2010

It appears the backdoor I found earlier in the 3coms during bootup is also available on the CLI when logged in.

First you press <CTRL-G>, then you enter the password.


Uploading files with xmodem

April 14, 2010

PuTTy on Windows does not support zmodem, xmodem, etc. so I often used HyperTerminal, but the GUI of Hyperterminal annoys me.

So instead of switching between PuTTy and HyperTerminal all the time, I tried to use a different terminal emulator ‘TeraTerm Pro’. This seems fine, but for some reason it dumps a few random characters on the serial line after the file is transferred, falsely answering the multiple choice menu to decide between runtime, diag, multiple image or loader.


Accton bix multiple image format

April 12, 2010

I just realized the design of and the reason for the accton multiple image format. The .BIX format for older switches only has a 32-byte header in front of the gzipped runtime:


Figuring out the bootloader password

April 12, 2010

Some online documents indicated the Accton bootloader had a menu with which you can interrupt the booting process and upload files, recover from failed flash, change bootorder, etc.

This was also the case for our testsubject, but none of the passwords found online worked and just resulted in a continuing boot:


Consider yourself welcomed

April 10, 2010


On this blog we’ll talk about switches.

Wouldn’t it be nice to be able to run a proper, generic operating system on these switches? Thought so.

Our current research subject is a 3Com 3870. This is a 3com-branded version of the EdgeCore ES4649, SMC87xxML3

Stay tuned for further updates.