Netgear GS108T-200NAS Hacking

Netgear GS108T-200

I’ve got a number of these switches in use. They are quite handy as they do not require external power when PoE is available, and have some nice monitoring features.

For a project, I needed to control a non-connected device in a location where I only had the switch and some other closed devices. My first thought was to try to use the switch to talk to a small microcontroller that could drive GPIO lines as required (this way I would not need to take up an ethernet port)

That idea hit a dead end, but I found some interesting undocumented things on the switch, not just on the serial port but on the network as well.

Serial Port

The first order of business was to find the serial port. After opening the case and removing the heatsink, it was pretty obvious where it was.
GS108T-200NAS UART

IO Voltage level is 3.3V, presumably VCC is also 3.3V but I didn’t test it. Baud rate is the standard 115200, n-8-1.

The boot sequence dump:

CFE-NTSW-B5.1.0.2 for GS1XXT (32bit,SP,BE,MIPS)
Build Date: Wed Aug 11 18:05:01 IST 2010 (yrdreddy@lc-hyd-001)
Copyright (C) 2000,2001,2002,2003,2004,2005 Broadcom Corporation.

Initializing Arena.
Initializing Devices.
Board : GS108T
CPU type 0x29050: 200MHz
Total memory: 0x4000000 bytes (64MB)

Total memory used by CFE:  0x83EA0000 - 0x83FFF720 (1439520)
Initialized Data:          0x83EEA0D0 - 0x83EEB260 (4496)
BSS Area:                  0x83EEB260 - 0x83EFD720 (74944)
Local Heap:                0x83EFD720 - 0x83FFD720 (1048576)
Stack Area:                0x83FFD720 - 0x83FFF720 (8192)
Text (code) segment:       0x83EA0000 - 0x83EE97F7 (301047)
Boot area (physical):      0x03E5F000 - 0x03E9F000
Relocation Factor:         I:E42A0000 - D:E42A0000
Compression Supported:     7zip

Loader:elf Filesys:raw Dev:flash0.os File: Options:(null)
Loading:
Validating the code file..
Flash stk image is 4067246 bytes,  CRC 0000A915
0x80041000/16045520 0x80f8e5d0/2993176 0xa0001000/262144 Entry at 0x80041000
Starting program at 0x80041000

16x5x SERIAL init - dev: b8000300.1
IFP: 0x80f1abd4, next: 0x81268f20
IFP: 0x81268f20, next: 0x00000000

Vpd crc valid.
ramfs crc OK (0xc1575f3)
..FastPATH software Version 5.0.5.7 Build Date: Fri Sep 14 13:32:37 EDT 2012
Starting fpmain
ICS unit 0: Dev 0xc312, Rev 0x11, Chip BCM53312_B0, Driver BCM53314_A0
GPIO Board ID = 0
SOC unit 0 attached to PCI device BCM53312_B0

Tuning MMU with 4096 cells and 4 CoS queues for 13 ports of which 12 are Ethernet ports
Fan in is targeted at 4 while the over subscription is set to 8

calling init_bcm_53312, board_id=108 power=0 gpio_in boardid bits=0
.started!
[osapiPipeCreate-61]
[osapiPipeOpen-67]
..
(Unit 1)>

Applying configuration, please wait ...
FastPATH Debug >

Command list:

FastPATH Debug >?

Available Commands:
        0x80078f6c      cablediag
        0x8028aef4      cliDebug
        0x802be820      cliInfoDump
        0x801fd0c8      cnfgrDump
        0x8024e01c      configClear
        0x802446e8      configDump
        0x8024e044      configSave
        0x80056b58      debug_policy_table
        0x8031b310      debugTftp
        0x8031b2b0      debugUploadRoot
        0x8031b2e0      debugUploadServer
        0x8004e540      dev
        0x802049e8      dhcpcDebugMsgLvlSet
        0x8008b62c      diag_shell
        0x8030a328      dltNetDebugSet
        0x80053d5c      dosCtrl
        0x8030b3c0      dtlDrvStats
        0x803ea2b0      dumpFdbStats
        0x8031292c      ecos_net_stats
        0x8007eed8      green
        0x8021ed78      greenTrace
        0x8004866c      hapiBroadAclDebug
        0x80048d00      hapiBroadAutoDosDebug
        0x80065ee8      hapiBroadDebugL2McastShow
        0x80048678      hapiBroadDebugPkt
        0x800486ac      hapiBroadDebugPktFilterGet
        0x800486dc      hapiBroadDebugPktFilterSet
        0x8007577c      hapiBroadDebugPolicyMemory
        0x80075648      hapiBroadPolicyDebug
        0x80075128      hapiBroadPolicyDebugTable
        0x800815c8      hapiBroadVoipCallDump
        0x800818b0      hapiBroadVoIPPolicyDump
        0x8024e31c      if
        0x8024e31c      ifconfig
        0x803d9fdc      lagShow
        0x8030ec40      lkup
        0x8022fd84      logClear
        0x8022b6b8      logConsole
        0x8023004c      logShow
        0x8025e754      mbufDetail
        0x8025fae0      mbufFree
        0x8025e35c      mbufHistoryClear
        0x8025e2d4      mbufHistoryDelete
        0x8025e3d4      mbufHistoryDump
        0x8025e1b8      mbufHistoryInit
        0x8025eddc      mbufShow
        0x8030e5b8      memShow
        0x803f3544      mfdbStats
        0x80050008      MMUConfig
        0x80053588      MMUCount
        0x8005275c      MMUState
        0x803104cc      msgQ
        0x803108bc      msgQprint
        0x80310574      msgQshow
        0x80310974      msgQstall
        0x80234488      nimDebugDump
        0x8023a104      nimDebugIntfModeSet
        0x80235458      nimPortDump
        0x802442f0      nsdpTftpStop
        0x80244094      nsdpTrace
        0x803104cc      osapiDebugMsgQueuePrint
        0x8030d2ec      osapiMemShow
        0x80310574      osapiMsgQueueShow
        0x80315824      osapiTaskShow
        0x8004e56c      phyDump
        0x800c210c      phyget
        0x8004e5a4      phyMedium
        0x8004e604      phyRead
        0x800c23f8      physet
        0x8004e75c      phyWrite
        0x80247320      poeCfgDump
        0x802810e8      poeClrCfg
        0x80281260      poeClrImg
        0x80287bc4      poeDebug
        0x80287b18      poeDump
        0x80287dcc      poeUpdImg
        0x80075648      policy
        0x80076314      policyDebugEnable
        0x80075128      policyTable
        0x801fa6b4      poolShow
        0x80046290      reboot
        0x8004f790      regDump
        0x803128f4      routePrint
        0x8004ad98      rxShow
        0x802681a0      schedDump
        0x802fd08c      SessTbl
        0x8024df50      setdhcp
        0x80400b08      snoopCfgDump
        0x80401724      snoopDebugTraceAllFlagsReset
        0x804015b8      snoopDebugTraceDisable
        0x80401558      snoopDebugTraceEnable
        0x804018d8      snoopDebugTraceFlagsReset
        0x804018a0      snoopDebugTraceFlagsSet
        0x80401744      snoopDebugTraceFlagsShow
        0x80401618      snoopDebugTraceHelp
        0x80400f10      snoopInfoShow
        0x802561b0      sntpDebug
        0x802546b8      sntpDebugClear
        0x80255ba4      sntpDebugShow
        0x802561bc      sntpDebugTime
        0x8038aa68      sslCertGen
        0x80258db0      sysShow
        0x8030e6d0      taskShow
        0x8035fefc      voipCallDBDump
        0x8035d2b8      voipDebugCfgShow
        0x803640dc      voipH323CallDump
        0x80365420      voipSccpCallDump
        0x80368210      voipSipCallDump
        0x8035fde0      voipTrace
        0x8030eefc      before
        0x8030f040      after
        0x8021c99c      driv

Please see the source code for parameter lists.

FastPATH Debug >

Not all the commands are functional, but more about that later.

Closing it up

You’ll need thermal adhesive (not just thermal paste) to remount the heatsink. Something like Arctic Alumina would work. For the serial port, there’s enough empty space to mount a 3.5mm TRS jack (GND, TXD, RXD) on the back of the switch, to allow connections in the future.

Leave a comment

Your email address will not be published. Required fields are marked *