Adding VLAN functionality to BCM53128 based "dumb" switches

skyblaster · April 17, 2022, 6:03pm

I'm sure most on this board are more interested in RTL838x based switches at this point in time, however I came across this intriguing project which adds additional functionality to BCM53128 based "dumb" switches: https://github.com/florolf/neatgear

The author focuses on a GS108v4 in his blog writeup, but it looks like this should work on my GS308P, and likely many other models as well: https://blog.n621.de/2019/04/vlans-on-the-netgear-gs108-switch/

Since this is a hardware hack, with no management interfaces to exploit, my understanding is that the attack surface after modification is pretty much non-existent, but before I go ahead and add a couple VLANs and share the device between internal and external networks, I wanted to share it here for discussion.

My CH341A is at the ready for testing, I just haven't been able to decipher all of the applicable SoC registers.

stragies · April 17, 2022, 7:24pm

Reading the blog-post, it would seem, that you can get a CLI shell to the RTOS running in the BCM53 by connecting with 9600,8n1 to the Pins 69 and 70.

That may be a more comfortable "interface" than "Reflash-to-change-settings"?

skyblaster · April 17, 2022, 8:22pm

On my GS308P there is a pin header installed, however I just traced it out to the following:

J1-1	?
J1-2	BCM59101 p15
J1-3	BCM59101 p14
J1-4	GND

Edit: Sadly, it doesn't appear pins 69 and 70 are broken out anywhere on the board.

stragies · April 17, 2022, 8:36pm

Did you have a chance to catch some boot-up output from that? I wonder, what the intended use of this header is. Maybe it's similar to the BCM59121, which is in use in many RTL83xx POE switches, and allows perPort Power-Control and -Measurement. Then connecting a USB-UART permanently would have use-cases.

How good are your soldering skills?

skyblaster · April 17, 2022, 9:32pm

I don't have a logic probe or the data sheet for the BCM59101 to confirm it, but it appears this header is not a UART header at all. With a multimeter I'm seeing constant 3.3V on the middle two pins (leading to BCM59101 pins 14 and 15).

All I have is a Hakko 936. I don't think that's going to cut it at this pitch.

skyblaster · April 17, 2022, 9:34pm

Also, I share the same thought that the GS308P is a repackaged GS108PEv3. I just haven't seen the insides of the GS108PEv3 to prove it.

svanheule · April 18, 2022, 12:18pm

The control protocol for the BCM59121 (and 111, 101) chips uses I2C, not serial. You may be able to snoops on the transmitted data, but be careful with power domains and hooking up devices that are normally isolated.

stragies · April 18, 2022, 12:37pm

Remembering, where I read about the serial port (your page), I went to reread that paragraph, and yes, you are right, the usage of a I2C dialect is mentioned:

On the Broadcom platform, an intermediate microcontroller is used to managed a Broadcom PSE controller, like the BCM59121. Although more than one microcontroller type is used over different products, they all appear to use the same serial protocol. The high level control and status commands between the microcontroller and SoC use the SoC's secondary UART. The UART connection between the SoC and microcontroller typically uses a 19200 baud, 8n1 connection. Communication between the microcontroller and the Broadcom chip uses Broadcom Serial Control (BSC), an I2C dialect.

Thanks for refreshing my memory, "Broadcom Serial Control" had stuck in my mind, and the last 3 words had slipped my mind!

skyblaster · April 18, 2022, 2:32pm

While dynamic control would be cool, I don't plan on changing the configuration very often.
I'm perfectly happy with modifying the EEPROM directly.

My motivation for posting here, was to alert you all that this is even a possibility, and for more eyeballs on the code to make sure the modifications look sound.