Hasivo switches

Hsa anyone done any digging into the hasivo switch range and getting OpenWRT on them?

I've just grabbed the S1100WP-8GT-SE since it was a great price for 2.5GbE w/ PoE.
Now that it's arrived (from AliExpress) i'm very impressed with the overall build quality. Nice robust metal housing.

It's apparently got a Realtek controller (although currently under a heatsink, and I haven't tried pulling it off). And HS104PTI PoE chips (2 off).
It looks like it has an unpopulated RS232 port on the front left (looks to be both 1x4 pins, and an RJ45 8p8c footprint), and a number of 1x4 pin sockets around the board, so I expect one of them is a TTL/CMOS serial port (although I might go the RS232 option first.. I suspect it's a CLI console however, so wouldn't expose firmware secrets).

if you don'r own one, see if you can find a firmware you can analyze.
AFAIK there's no 2.5GbE switch within the supported range.

I was able to 'backup' the current firmware on the device, and have put it here (for if anyone else wants to have a look into it)
https://drive.google.com/drive/folders/1W3hzzc3z2sRGG3EvRHEc4hYVzA_Jg2pe?usp=sharing

The web page on the device lists some details as:
Loader Version HS_3.6.6.55087
Loader Date Dec 11 2021 - 18:17:40
Firmware Version HS_1.0.0.0
Firmware Date Jul 30 2022 - 16:53:57

The web interface is basic, but feels quite snappy. I'm still pretty impressed for the price of it.

I think I can now see the price drawback... it runs very hot.
With just a single 1Gbps connection, no real throughput and the underside of the case was uncomfortable to hold. Will be interesting to see how it goes.

if they're cheap, Hasivo might be using some under sized chip for the switching, to cut costs.
or it's just a bad hw/cooling design

if you're still on warranty, try to push it

FYI:

haven't moved an inch since May last year, though ...

That’s great.
Not the exact model i have, but might share some commonality.
I’ll pull apart oem firmware tonight to see.

I haven't been able to get that far. I did find a tool for the Zyxel firmware that also seemed to open up this image file, with a little lzma help (https://github.com/cmsj/gs1900fw).
That helped to extract the initramfs, so can confirm it's running Linux 3.18.24 flavour.

I haven't yet been able to find anything that might be a dtb or similar however (but perhaps I just don't know where to look, happy for guidance on this).

There is a file in the initramfs /etc/ called oem_config which starts with "!!!9301 oem", and mentions "sysname: 8-Port-10G-Managed-Switch"
Which has me wondering if it may be a Realtek 930x family controller.

According to this site I'd guess that it's a Realtek 9302B

You won't find a dtb on a 3.18.24 kernel because it's ancient from 2014.

I'm surprised binwalk -Me didn't extract the kernel directly when I was looking at it.

Noticed what appears to be the same switch sold on Amazon for $189.99 as

Binardat 8 Port 2.5G PoE Switch Web Managed, 8 x 2.5 Gigabit RJ-45 Base-T Ports, IEEE802.3af/at, 120W Power Supply, Multi-Gigabit Desktop Ethernet Switch

Tempted to get one from Amazon for nearly the same price as AliExpress.

From the visible component layouts that does look identical.
I’d say it’s a worthwhile switch given the features/price/build quality.

The out of box OS is pretty workable.
OpenWRT would be nicer though.

I've taken off the heatsink for the processor.
It's an RTL9303 with 8x RTL8221B PHYs
K4B2G1646F-BYMA RAM (https://semiconductor.samsung.com/dram/ddr/ddr3/k4b2g1646f-byma/)
FM25Q128A SPI flash (https://www.fmsh.com/nvm/FM25Q128_ds_eng.pdf)
3x HC595 I suspect for the LEDs
2xHS104PTI for POE control on daughterboard

I still haven't had any luck getting linux boot info however.
If I dumped out the SPI flash, is there an easy way to get some of the linux info?
My thoughts are something like QEMU might be possible to get the firmware running outside of the hardware (there's no JTAG connections I can identify on the board, and no shell serial.. just the switch admin console serial).

Small steps...
I soldered an RJ45 onto the missing console port on the front of the unit.. hooked up an RS232 Cisco style console cable and got the following on boot

U-Boot 2011.12.(3.6.6.55087) (Dec 11 2021 - 18:17:40)

Board: RTL9300 CPU:800MHz LX:175MHz DDR:600MHz
DRAM:  256 MB
SPI-F: FUDANWEI/A14018/MMIO16-1/ModeC 1x16 MB (plr_flash_info @ 83f9ddf8)
Loading 65536B env. variables from offset 0xe0000
Net:   Net Initialization Skipped
No ethernet found.
Hit Esc key to stop autoboot:  0
## Booting kernel from Legacy Image at b4300000 ...
   Image Name:   1.0.0.0
   Created:      2022-07-30  16:53:57 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    8564103 Bytes = 8.2 MB
   Load Address: 80000000
   Entry Point:  8032ed60
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK

Starting kernel ...

console [ttyS0] enabled
bootconsole [early0] disabled
Calibrating delay loop... 531.66 BogoMIPS (lpj=2658304)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
NET: Registered protocol family 16
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
NET: Registered protocol family 2
TCP established hash table entries: 2048 (order: 1, 8192 bytes)
TCP bind hash table entries: 2048 (order: 3, 40960 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP: reno registered
UDP hash table entries: 256 (order: 1, 12288 bytes)
UDP-Lite hash table entries: 256 (order: 1, 12288 bytes)
NET: Registered protocol family 1
futex hash table entries: 256 (order: 0, 7168 bytes)
squashfs: version 4.0 (2009/01/31) Phillip Lougher
ntfs: driver 2.1.31 [Flags: R/W].
jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
msgmni has been set to 485
random: modprobe urandom read with 0 bits of entropy available
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x0 (irq = 47, base_baud = 10879900) is a 16550A
loop: module loaded
SCSI Media Changer driver v0.25
RTK_SPI_FLASH_MIO driver is bypassed
RTK_NORSFG3 driver is used
=================================================================
init_luna_nor_spi_map: flash map at 0xb4000000
SPI NOR driver probe...
=====Fudanwei======/A14018/MMIO16-1/ModeC add SPI NOR partition
MTD partitions obtained from built-in array
Creating 7 MTD partitions on "rtk_norsf_g3":
0x000000000000-0x0000000e0000 : "LOADER"
0x0000000e0000-0x0000000f0000 : "BDINFO"
0x0000000f0000-0x000000100000 : "SYSINFO"
0x000000100000-0x000000200000 : "JFFS2 CFG"
0x000000200000-0x000000300000 : "JFFS2 LOG"
0x000000300000-0x000000f00000 : "RUNTIME"
0x000000f00000-0x000001000000 : "OEMINFO"
=================================================================
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
rtk_gen1_hcd_cs_init: rtk_gen1_hcd_cs_init()!
rtk_gen1_hcd_cs_init: register rtk_gen1_ehci ok!
usb_phy_configure_process: usb_phy_configure_process()!
rtk_gen1-ehci rtk_gen1-ehci: Realtek On-Chip EHCI Host Controller
rtk_gen1-ehci rtk_gen1-ehci: new USB bus registered, assigned bus number 1
rtk_gen1-ehci rtk_gen1-ehci: irq 28, io mem 0x18021000
rtk_gen1-ehci rtk_gen1-ehci: USB 2.0 started, EHCI 1.00
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
ohci-platform: OHCI generic platform driver
usbcore: registered new interface driver uas
usbcore: registered new interface driver usb-storage
TCP: cubic registered
NET: Registered protocol family 10
sit: IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
Freeing unused kernel memory: 6876K (80459000 - 80b10000)
Mount DEV File System....OK
Mount PROC File System........OK
Mount Main SQFS File System........OK
Mount Module SQFS File System....OK
Mount CFG JFFS2 File System....OK
Mount LOG JFFS2 File System....OK
Mount OEM JFFS2 File System....OK
RTCORE LKM Insert...
RTCORE Driver Module Initialize
  IOAL init
  Log init
  Hardware-profile probe (RTL9303_8X8226)
  Hardware-profile init
  GPIO probe (unit 0): (found)
  GPIO Init
  SPI init (unit 0)
  Intr Probe (unit 0)
  TC probe (unit 0): (found)
  TC init (unit 0)
    TC util init (unit 0)
    TC util init (isr)
  Watchdog probe (unit 0): (found)
  Watchdog init (unit 0)
  I2C probe (unit 0)
  RTL8231 probe (unit 0): (found)
  RTL8231 init (unit 0)
  UART probe (unit 0): (found)
  NIC probe (unit 0)
  IOAL init
  L2Ntfy probe (unit 0): (found)
RTK Driver Module Initialize
  MAC probe (unit 0)
    Chip 9303 (found)
  MAC init (unit 0)
@@@@@@@@@@@@@@@@@@@@@@@ret=       0,val=     fff
  SMI protocol probe (unit 0)
unit=0 port=0 smi=0 C45=1 C22=1
unit=0 port=8 smi=0 C45=1 C22=1
unit=0 port=16 smi=0 C45=1 C22=1
unit=0 port=20 smi=0 C45=1 C22=1
unit=0 port=24 smi=1 C45=1 C22=1
unit=0 port=25 smi=1 C45=1 C22=1
unit=0 port=26 smi=1 C45=1 C22=1
unit=0 port=27 smi=1 C45=1 C22=1
  PHY probe (unit 0)
PHY driver probed on unit 0 port 0
PHY driver probed on unit 0 port 8
PHY driver probed on unit 0 port 16
PHY driver probed on unit 0 port 20
PHY driver probed on unit 0 port 24
PHY driver probed on unit 0 port 25
PHY driver probed on unit 0 port 26
PHY driver probed on unit 0 port 27
  Chip Construct (unit 0)
    Chip Construct
    Disable PHY Polling
    PHY Reset
    MAC Construct
    Turn Off Serdes
    Serdes Construct
    PHY Construct
    Turn On Serdes
    Mac_Polling_PHY Config
    Enable PHY Polling
    Misc
  PHY init (unit 0)
  Mgmt_dev init (unit 0)
RTDRV Driver Module Initialize
[GPIO] Initial External Device 1 mode 1 address 0
[GPIO] Initial Internal pin  0 direction OUT default 0
[GPIO] Initial Internal pin  1 direction OUT default 0
[GPIO] Initial External1 pin  0 direction  IN default 0
[GPIO] Initial External1 pin  1 direction  IN default 0
[GPIO] Initial External1 pin  3 direction  IN default 0
[GPIO] Initial External1 pin  4 direction  IN default 0
[GPIO] Initial External1 pin  5 direction  IN default 0
[GPIO] Initial External1 pin  6 direction  IN default 0
[GPIO] Initial External1 pin  7 direction  IN default 0
[GPIO] Initial External1 pin  8 direction  IN default 0
[GPIO] Initial External1 pin  9 direction  IN default 0
[GPIO] Initial External1 pin 12 direction  IN default 0
[GPIO] Initial External1 pin 13 direction  IN default 0
[GPIO] Initial External1 pin 14 direction  IN default 0
[GPIO] Initial External1 pin 21 direction  IN default 0
[GPIO] Initial External1 pin 24 direction  IN default 0
[GPIO] Initial External1 pin 25 direction  IN default 0
[GPIO] Initial External1 pin 26 direction  IN default 0
[GPIO] Initial External1 pin 33 direction  IN default 0
==================Board ID: 9300022====================
==================Force Boardmodel With WEB Always.==================
==================Force Boardmodel With PoE==================.
==================Check the PSE existed or not.==================
==================Check the PSE existed or not result: Has PSE.==================
==================Try to Get the PSE Infromation.==================
==================Already Got the bt_port_no Infromation.==================
==================Already Got the pse_bank_pwr Infromation.==================
==================PSE Infromation.==================
==================PSE Infromation. PSE BT Port Number = 1==================
==================PSE Infromation. PSE Power Bank(walt) = 120==================
Init Board Configuration Module....OK
net: module license 'Realtek Semiconductor Corp.' taints kernel.
Disabling lock debugging due to kernel taint
Init Net Module....OK
Init Define Database Module....OK
Init KSI Core Driver Module....OK
Init OS Abstract Layer Module....OK
Init SKI Core Driver Module....OK
OK
Init Board Module....
Init Board Module-->watchdog....OK
Init Board Module-->led....OK
Init Board Module-->fiber....OK
Init Board Module-->POE....init the pse led controlled iic interface
init the pse led controlled iic interface
init the pse led controlled iic interface
init the pse led controlled iic interface
init the pse led controlled iic interface
init the pse led controlled iic interface
init the pse led controlled iic interface
init the pse led controlled iic interface
OK
Init Board Module-->BUTTON....
           board_button_dumbmode_init

           board_button_isolation_init

           board_button_reset_init
OKOK
POEDOG ON
Init Board Vendor Module....OK
Init Switch STP Module....OK
Init Switch LACP Module....OK
Init Switch Multicast Module....OK
Init Custom Module....OK
Init OEM_INFOR ....OK
@@@@@@@@@@@@initd starts@@@@@@@@@@@@

====== Defaults Initial [Start] ======
Init Switch Factory Default....OK
Init VLAN Factory Default....OK
Init Mirror Factory Default....OK
Init L2 Factory Default....OK
Init Trunk Factory Default....OK
Init Rate Factory Default....OK
Init QoS Factory Default....OK
Init LACP Factory Default....OK
Init EEE Factory Default....OK
Init IGMP Factory Default....OK
Init STP Factory Default....OK
Init System Factory Default....OK
Init SNMP Factory Default....OK
Init Syslog Factory Default....OK
Init Custom Factory Default....OK

====== With PoE boardmodel Start.======

====== With PoE boardmodel End.======
Init POE Factory Default....OK
@@@@@@@@@@@@@@@@@@@in oem_config file: fds default ipaddr=192.168.2.1
@@@@@@@@@@@@@@@@@@@in uboot enviroment file: fds default ipaddr=192.168.0.1
Init Oem config Factory Default....OK
====== Defaults Initial [Done] ======

====== Initial from startup-config [Start] ======
====== Initial from startup-config [Done] ======

====== Post Initial [Start] ======
System Post Initial....OK
Port Post Initial....OK
====== Post Initial [Done] ======
*Jan 01 2022 00:00:03: %SYSTEM-5-COLDSTART: Cold@@@@@@@@@@@@initd ends@@@@@@@@@@@@
 startup
@@@@@@@@@@@@timd starts@@@@@@@@@@@@
Press any key to continue

When I use ESC to stop autoboot and try to get into uboot terminal, I'm prompted for a 'password'.
i've tried basic example passwords from uboot source, tried 'hasivo'... i'm open to other options.
Not sure I want to setup a brute force attempt... open to pointers on finding the password.

Hit Esc key to stop autoboot:  0
################################################################

############Login Menu ############
### You Can Use 'CTRL + Z' to reset. ###

### Please input uboot password below: ###

Do you get a shell after this?

There's a username and password in the oem_config file you referenced earlier.

If I let the boot continue into linux, then the 'admin':'admin' login works, but drops me to the switch config console (not a linux shell).

I've tried (in uboot prompt) the password 'admin123' which was listed in the oem_config file. But this wasn't accepted.
Uboot password seems the best option right now, it would allow me to tftp to save the current firmware, and to tftp new firmware in. I'd also hope it might let me alter what the shell assigned to the admin user is (or even to log in as root).

What about port scanning the management interface?

Appears ssh and telnet are listening according to /etc/inetd.conf:

ssh     stream tcp6 nowait root /bin/sshd -i
telnet  stream tcp6 nowait root /bin/telnetd

I fear these might lead you to the same switch console?

/etc/profile suggests as much:

#/bin/sh -c /bin/cli

There's some hints in /bin/cli that there's a way to start a shell?

strings cli | rg -i shell
vtysh_start_shell_cmd
[S] Shell
Integrated shell for Quagga routing software suite.

Port scan only revealed HTTP out of the box.
From the HTTP interface however it was possible to enable HTTP, SSH and TELNET.
However both SSH and TELNET went to the switch config console.

I didn't see any comments around dropping to shell in the help of the config console. But I'll try throwing a few of those at it when I get home.

I tried 'Shell', 'shell', 's', 'S', 'vtysh_start_shell_cmd' in all the various modes for the switch config console.. none appeared to be recognised.
I also tried some that appear in the Zyxel / Realtek SDK versions, like 'diag' etc

The do command looked promising. But didn't seem to know about anything

image545×566 11.2 KB