Hasivo switches

Picked up an "ONTI ONT-S207CW-72TS" (The L2 version of S600W-5GT-2S, minus console port - soldered one on now though).

Decided to have a poke around the stock firmware.

There's a debug interface that can be accessed through a choice of keys after logging in:

  rl_bind_key(0x14,vtysh_diagDebug);
  rl_bind_key(0xf4,vtysh_diagDebug);
  rl_bind_keyseq("\\C-\\M-t",vtysh_diagDebug);

These being CTRL+T, F4 or CTRL+META+T.

This prompts for a password (found in defdb.ko) - "switchrtk"

Switch#
Diagnostics: *********

If _access_flag == 0 (access over console) then you'll be presented with:

Press ENTER to continue


[D] Diag
[E] Engineering
[S] Shell
Enter Selection: s
~ # uname -a
Linux 3.18.24 #569 Sat Apr 22 20:02:05 CST 2023 mips GNU/Linux

If _access_flag != 0 (i.e. telnet/ssh) then you'll be presented with the "diag" shell:

Press ENTER to continue

RTK.0>

Don't get too excited as these images are compiled with many listed features disabled and/or unsupported on this SoC.

RTK.0> ?
exit             - exit diag shell
unit             - unit configure
terminal         - terminal configuration
sdk              - sdk configuration
nic              - NIC configuration
mpls             - MPLS configuration
oam              - OAM configuration
stack            - stack configuration
tunnel           - tunnel configuration
vxlan            - VXLAN configuration
openflow         - openflow configuration
bpe              - bpe configuration
rtl8231          - rtl8231 configuration
uart1            - uart1 configuration
l2-ntfy          - L2-notification configuration
acl              - ACL configuration
range-check      - range check configuration
debug            - debug configuration
diag             - diag configuration
serdes           - serdes interface
eee              - EEE configuration
eeep             - EEEP configuration
flowctrl         - flowctrl configuration
l2-table         - l2 table configuration
l3               - l3 configuration
led              - LED configuration
mib              - mib configuration
mirror           - mirror configuration
rspan            - RSPAN configuration
sflow            - sFlow configuration
port             - port configuration
qos              - QoS configuration
bandwidth        - bandwidth configuration
storm-control    - storm-control configuration
register         - register configuration
vlan             - VLAN configuration
security         - security configuration
stp              - stp configuration
switch           - switch configuration
sys              - system
time             - time configuration
trap             - trap configuration
trunk            - trunk configuration
ipmcast          - ipmcast configuration
mcast            - mcast configuration
pie              - PIE configuration
field-selector   - field selector configuration
gpio             - generalCtrl GPIO configuration
spi              - SPI configuration
i2c              - I2C configuration

We can get _access_flag = 0 by spawning the login process again (/bin/login is a symlink to cli):

RTK.0> sys command sh

This kicks you out back to the login screen - login and enter the debug key sequence and password again, except this time you'll get the menu choice:

Username: admin
Password: *****
Switch#
Diagnostics: *********
Press ENTER to continue


[D] Diag
[E] Engineering
[S] Shell
Enter Selection: s
~ # uname -a
Linux 3.18.24 #569 Sat Apr 22 20:02:05 CST 2023 mips GNU/Linux
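Added example, not part of the original post and not the vendor's code: one way a CLI could gate the console-only menu so that respawning the login process from a remote session does not change the outcome. It assumes _access_flag is per-process state that starts at 0 in a fresh cli process; the device path /dev/ttyS0 and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum origin { ORIGIN_REMOTE = 0, ORIGIN_CONSOLE = 1 };

/* Assumption: the physical serial console is /dev/ttyS0 (not stated on the page). */
static const char *const CONSOLE_TTYS[] = { "/dev/ttyS0" };

/* Exact-match allowlist. Anything unknown (pty, NULL, look-alike name)
 * is treated as remote, so the check fails closed. */
enum origin classify_tty(const char *tty_path)
{
    if (tty_path == NULL)
        return ORIGIN_REMOTE;
    for (size_t i = 0; i < sizeof CONSOLE_TTYS / sizeof CONSOLE_TTYS[0]; i++)
        if (strcmp(tty_path, CONSOLE_TTYS[i]) == 0)
            return ORIGIN_CONSOLE;
    return ORIGIN_REMOTE;
}

/* Derive the origin from the terminal the session is attached to at the
 * moment of the decision, not from a flag set when the process started.
 * A cli respawned inside a telnet/ssh session still sits on that session's
 * pty, so it stays ORIGIN_REMOTE. */
enum origin session_origin(int fd)
{
    if (!isatty(fd))
        return ORIGIN_REMOTE;
    return classify_tty(ttyname(fd));
}

/* The [D]/[E]/[S] menu needs both the password check and a console origin. */
int shell_menu_allowed(int fd, int password_ok)
{
    return password_ok && session_origin(fd) == ORIGIN_CONSOLE;
}

int main(void)
{
    printf("stdin origin: %s\n",
           session_origin(STDIN_FILENO) == ORIGIN_CONSOLE ? "console" : "remote");
    printf("menu allowed with correct password: %d\n",
           shell_menu_allowed(STDIN_FILENO, 1));
    return 0;
}
```

The origin check only narrows where the menu can appear; the diagnostics password being a fixed string in the firmware is a separate issue that this does not address.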