Hacking cheap realtek switch

This page is about extending the capabilities of cheap Realtek-based gigabit switches, turning them from “stupid” (unmanaged) into “web smart” switches.

For the TP-Link TL-SG1005P there is also a hack to turn 802.3af PoE into 802.3at PoE+, suitable for powering high-power devices such as the Netgear GS105PE, HP Intellijack, or similar devices that require 30 W.

Tested devices

TP-Link TL-SG105
TP-Link TL-SG105P

Switch description

These switches are based on the RTL8367, a fairly advanced chip. It has 5 gigabit ports plus an extra GMII/SGMII interface for connecting a PHY, an MCU or another capable device. Inside the chip there is an 8051 MCU with an integrated NIC connected to the switch fabric. The PHY configuration depends on the letter suffix after RTL8367 (e.g. the RTL8367S has an SGMII interface), but most of the switch fabric is the same.

Normally, in the “stupid” switch configuration, the chip is bootstrapped from an I2C serial EEPROM. This EEPROM contains a 2-byte “count” followed by register/value pairs; there are exactly “count” such pairs.

So an easy hack would be to add custom configuration to the EEPROM and change the number of configuration pairs to load. This is fine for a static VLAN configuration, for example.

Alternatively, this EEPROM can contain code for the 8051 MCU (this case is not discussed here).

The 8051 MCU can also execute code from SPI flash. This is the feature we are going to make use of.

Switch modification

How the switch boots depends on its strapping pins. The TP-Link switches are nice in that the PCB has footprints for all strapping options; you only need a soldering iron to move one resistor to a different position.

We are interested in changing the boot configuration, which follows the table below:

[image: boot-strapping pin table]

Stupid switches are wired with DIS_8051 tied to 1, meaning the 8051 MCU is disabled. We want to change this to DIS_8051 = 0 and EN_SPIF = 1; this configuration loads code from the SPI flash.

The next step is to prepare the SPI flash. You will need a 1 MB SPI flash (e.g. a 25Q80) or a 2 MB flash.

Thanks to Chinese friends we have a full dump from a Netgear GS105E switch:

https://github.com/libc0607/Realtek_switch_hacking/blob/master/gs105e_v2_fullflash_dcef09e1aed8.bin

Just write this image to the SPI flash with your favourite programmer. If you are using a 2 MB flash, you need to write this image TWICE, one copy after the other.

To change the MAC address, look at address 0xFC000 (for a 1 MB chip) or address 0x1FC000 (for a 2 MB chip).
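The flash-preparation steps above (duplicate the 1 MB dump for a 2 MB chip, then set your own MAC at 0xFC000 or 0x1FC000) as an added Python example; this is not code from the wiki or from the linked repository. It assumes the MAC is stored as 6 raw bytes at the given offset, and the donor image below is a constructed blank stand-in, not the real dump.

```python
# Added example (not from the wiki page): build the SPI flash image to program
# from a 1 MB donor dump and patch the MAC at the offsets the page gives
# (0xFC000 for a 1 MB chip, 0x1FC000 = 1 MB + 0xFC000 for a 2 MB chip).
# Assumption: the MAC is stored as 6 raw bytes at that offset.
import re

MIB = 1024 * 1024
MAC_OFFSETS = {1 * MIB: 0xFC000, 2 * MIB: 0x1FC000}  # flash size -> MAC offset


def parse_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' (or dash-separated) into 6 bytes.
    Rejects malformed strings and multicast/broadcast addresses, which a
    switch would never accept as its own unicast MAC."""
    if not re.fullmatch(r"([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}", mac):
        raise ValueError(f"malformed MAC: {mac!r}")
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if raw[0] & 0x01:
        raise ValueError("first octet has the multicast bit set; not a unicast MAC")
    return raw


def read_mac(image: bytes) -> str:
    """Return the MAC stored in a 1 MB or 2 MB image, colon-separated."""
    off = MAC_OFFSETS[len(image)]  # KeyError for unsupported image sizes
    return image[off:off + 6].hex(":")


def prepare_image(donor_1mb: bytes, flash_size: int, new_mac: str) -> bytes:
    """Duplicate the donor for a 2 MB chip (the page says write it twice),
    then overwrite the MAC at the offset belonging to that flash size."""
    if len(donor_1mb) != 1 * MIB:
        raise ValueError(f"donor image must be exactly 1 MiB, got {len(donor_1mb)} bytes")
    if flash_size not in MAC_OFFSETS:
        raise ValueError("flash size must be 1 MiB or 2 MiB")
    image = bytearray(donor_1mb * (flash_size // MIB))
    off = MAC_OFFSETS[flash_size]
    image[off:off + 6] = parse_mac(new_mac)
    return bytes(image)


if __name__ == "__main__":
    # Constructed stand-in for the donor dump: erased flash with a donor MAC at 0xFC000.
    donor = bytearray(b"\xff" * MIB)
    donor[0xFC000:0xFC006] = bytes.fromhex("0200000000aa")
    out = prepare_image(bytes(donor), 2 * MIB, "02:00:00:00:00:01")
    print(len(out), read_mac(out))
```

Compare `read_mac()` of the freshly read-back chip against the value you programmed before closing the case; a mismatch usually means the wrong chip size was assumed.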

Internal pictures

[image: 35MHz] [image: 350MHz]

wiki/projects/hacking_tl_sg1005p.txt · Last modified: 2020/04/13 10:19 by robots