w1kl4s/lab-docu
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

add a bunch of secret goodies

Browse Source
This commit is contained in:
Jon Sands
2019-10-29 04:56:08 -04:00
parent 6dec11f5e8
commit fabc5235ed
7 changed files with 551 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

122
documentation/eeprom.md Normal file
View File

@@ -0,0 +1,122 @@
# EEPROM Unlocks
## Information
Before software licensing came around, during the Foundry and early Brocade days, the older FastIron switches used hardware licensing in the form of optional 16kbit EEPROM chips in a socket on the switches mainboard. These were either installed from factory, or you could purchase them and install them yourself.
The EEPROM would contain a magic string of letters and numbers, and when the switch OS saw this it knew to unlock said features. These products are now very old, have not been sold for a decade, and the below license EEPROMs are impossible to buy as the company no longer exists (Foundry is gone). I am providing the strings here to give these old pieces of hardware a little more life.
**Note:** All FastIron devices had two EEPROMs - a soldered in main EEPROM that contained chassis data like MAC address, serial number, manufacture date, etc. Then the second optional EEPROM in a removable socket: this is the EEPROM that contains the magic string. Some devices shipped with a blank EEPROM already in the slot that you can program from the bootloader, others came with none.
## Programming Information
If the switch didn't come with a blank EEPROM already in the socket, you need to purchase one. They need to be `AT24C164` chips, the later revision `24LC16B` will not work. All US vendors I could find are out of these as they are old, [this](https://www.aliexpress.com/item/new-100-24C164-AT24C164-DIP-8/32858414375.html) is the only place I could find to order some. They will take 3 to 4 weeks to arrive, but they work.
For programming the strings into the EEPROM, it's possible to do it from the v7 bootloaders with the `i2cWriteByte` command, but it involves multiple commands.
You can also buy a cheap [EEPROM Programmer](https://www.amazon.com/gp/product/B013Q5P3ES) - see the EEPROM Programmer guide at the bottom of this page.
**Note:** These are raw HEX bytes (not ASCII) to be written starting at the beginning of the EEPROM. So your EEPROM programmer/contents should look like this:
![eeprom](store/eeprom.png)
## EEPROM Unlock Strings
### FCX Advanced Routing
The Brocade FCX was the last switch to use EEPROM based licensing - in fact, in the middle of its sales life, they added software based licensing. This means the FCX can be unlocked via an EEPROM, or via software license. The nice thing is every FCX seems to have come with a blank EEPROM in the socket already, so if you own one you can reboot into the bootloader and run the below to fully unlock it.
**Note:** Make sure you are running the latest bootloader, `grz10100` - earlier bootloaders had different I2C addresses and the below command would not work.
Enter the bootloader (when the switch is booting fresh, over a serial connection, smash the `b` key until you drop into the bootloader prompt) then run the following commands:
```
i2c write a 0 feedface00000200ffffffffffffffff 1
reset
```
The switch will reboot, and when it does, it will be licensed for advanced routing features (BGP, VRFs, tunnels, etc).
### FESX424 & FESX448 Layer 3 Routing Upgrade
```
FEEDFACE02000C00
```
You can program this into a new EEPROM that you've installed from a hidden OS console. Boot the switch fully, then, over a serial connection, press ctrl+y, let go, press m, then press enter. Now enter the following one line at a time:
```
i2cWriteByte 40 0 fe
i2cWriteByte 40 1 ed
i2cWriteByte 40 2 fa
i2cWriteByte 40 3 ce
i2cWriteByte 40 4 2
i2cWriteByte 40 5 0
i2cWriteByte 40 6 c
i2cWriteByte 40 7 0
reset
```
### SuperX Layer 3 Routing Upgrade
```
FEEDFACE09000C00
```
### FGS / FLS 24 & 48 Port Stack Upgrade
**Note:** The stack upgrade also came with upgraded RAM (256MB DIMM versus the stock 128MB). Stacking will not work on this older platform without 256MB of RAM, so do not use this code without it.
```
FEEDFACE01001000
```
You can program this into a new EEPROM that you've installed from a hidden OS console. Boot the switch fully, then, over a serial connection, press ctrl+y, let go, press m, then press enter. Now enter the following one line at a time:
```
i2cWriteByte 40 0 fe
i2cWriteByte 40 1 ed
i2cWriteByte 40 2 fa
i2cWriteByte 40 3 ce
i2cWriteByte 40 4 1
i2cWriteByte 40 5 0
i2cWriteByte 40 6 10
i2cWriteByte 40 7 0
reset
```
### FGS / FLS 24 & 48 Port Layer 3 Routing Upgrade
```
FEEDFACE01000100
```
You can program this into a new EEPROM that you've installed from a hidden OS console. Boot the switch fully, then, over a serial connection, press ctrl+y, let go, press m, then press enter. Now enter the following one line at a time:
```
i2cWriteByte 40 0 fe
i2cWriteByte 40 1 ed
i2cWriteByte 40 2 fa
i2cWriteByte 40 3 ce
i2cWriteByte 40 4 1
i2cWriteByte 40 5 0
i2cWriteByte 40 6 1
i2cWriteByte 40 7 0
reset
```
## Using the CH341A EEPROM Writer
If you want to burn blank EEPROM chips yourself, you can pick up a $10 [EEPROM Programmer](https://www.amazon.com/gp/product/B013Q5P3ES). This will be a brief guide on using it under Windows.
First download [this ZIP](https://fohdeesha.com/data/other/EEPROM.zip) which contains the driver, software, and EEPROM dumps. Extract the ZIP to an easy to find location like your desktop.
Put your EEPROM chip into the programmer socket - it should have a little picture silkscreened on the PCB showing you which direction to insert it. Once inserted, plug in the EEPROM Writer to a USB port - it will show up as an unrecognized device, you need to install the driver. Open up Device Manager and find it - it will be an Unknown Device with a yellow icon - then right click and hit update driver:
![eeprom](https://fohdeesha.com/data/other/eepromguide/eeprom%20install1.png)
In the following prompt, select **Browse my computer for driver software**:
![eeprom](https://fohdeesha.com/data/other/eepromguide/eeprom%20install2.png)
In the following prompt, browse to the folder you extracted from the ZIP, then select the Driver folder within it, then click OK/next:
![eeprom](https://fohdeesha.com/data/other/eepromguide/eeprom%20install3.png)
It should successfully install the driver, and you're good to go. Now launch the EEPROM programming software - in the **CH341A Programmer 1.29** folder, double click the executable named **Run Me**, and it will launch the software. Now just follow the instructions in the image below to program the EEPROM. When done, just close the program and remove the EEPROM writer from your PC.
![eeprom](https://fohdeesha.com/data/other/eepromguide/eepromguide.png)

91
documentation/extract.md Normal file
View File

@@ -0,0 +1,91 @@
# Extracting Licenses
**Note:** This is intended for those who are curious, or who have licenses you legitimately own installed on a switch, but have lost the original license files. This is for the ICX6xxx series and is unnecessary on the ICX7xxx series with honor-based licensing (no license files to lose).
When licenses are purchased and used to unlock a switch, the license string is stored on the switch. To extract licenses from a switch back to a license file, follow the below.
## For ARM Models
Thankfully on ARM architecture Brocade devices (ICX6430, ICX6450, any ICX7xxx or newer), you can extract any applied licenses without special JTAG hardware. Just use the **Accessing Linux** guide to boot into linux.
Now that you're booted into a linux shell: There is a `system` file in the `/fast_iron/sys/` directory which contains the license strings if the switch has been licensed:
```
cd /fast_iron/sys/
cat system
```
`cat`'ing the file, you'll get some strange characters with any present license strings buried inside (example strings randomly generated, not legit license strings):
```
LMLSk*B LoXskI065X5NfpQuE3SUCsnoadI656ajE:IIlOsgywL,UrHduINy6k5wz,:IlzS0r5S9w,sg69l0I848tL5m5SLUdf9dmIzkCtIIu5sRrL032UUNSsX6bfI6fXdkbeSE68uV?=2*B L2CrsQxIn9LdEa6NP5k10d2Rs8Tdf6l0dk0t:0jH9rSALukn99a9ygb1xIl0IdxEEssSNkUOvOPl0rosRxAtLLStLv0k22kv0lkkAXrrpM5rA0SuA6urzEIIdIaqMU20Me:p#%%%%?/ #
```
To easier discern where the license strings begin and end, you need to get the `system` file off the box and onto your desktop. Plug the management port into your network, then give the linux system a temporary IP:
```
ifconfig br0 192.168.1.56 netmask 255.255.255.0 up
```
Give it a default gateway as well:
```
route add default gw 192.168.1.1
```
Now assuming you're still in the `/fast_iron/sys/` directory, TFTP the file off the box onto your TFTP server:
```
tftp -p -l system 192.168.1.8
```
>Note: if you are running your TFTP server on linux, you need to create an empty file with this filename (system) in your tftp root directory, and chmod it with 777 so the switch can write to said empty file. Otherwise the switch will give a "file not found" error.
Open the downloaded file on your desktop with something like NotePad++, and it should look like [This](https://fohdeesha.com/data/other/system.png). License strings start with `*B ` and are followed by a string (note, there must be a space after `*B`), and the license string ends where the `NUL` characters begin.
So applying this knowledge, we can extract the following two licenses from that system file in the screenshot. You'll need to remove the newline after the `*B`, so the `*B` and then the string are on the same line. Make sure to leave a space between `*B` and the string as well:
```
#first license (example is randomly generated, not a legit license)
*B 9iCL80dHxLmvid3SxhIuk9zsalx630zHSpadlLlIfSTblqCSlSejIw5zibzBIyafEOvCrobl:OL8lwN4Rzd9zQCNIhsd,ASV0Bzgks5rlLMCwk,kA:mkdOCzZvVENVUluHX2
#second license (example is randomly generated, not a legit license)
*B pBNnASnpOSSmd55l:OUZUrU,5k8M5lLvOQCNuH6IUn:u:MbU0kSkNdrCCdIyEAIAki99zICC8dvA9LtnnLbwrAAy1OohuhnCkLb0dUHEv4xCInr:y8OBwLLso:,df3ORy5bd
```
Now you just need to stick those strings in an XML file, like `newlicense.xml` - Using the template below, you can see where to stick the license string. Note: No other fields in this file matter or are even checked, they can be left alone. Just insert the string into the `<licKey>` field:
```
<?xml version="1.0" encoding="ISO-8859-1"?>
<lic:licenseInfo xmlns:lic="http://license.brocade.com/licensefile">
<licenseHeader>
<serialNumber>dbuHKIIjMxI</serialNumber>
<productNumber>ICX6450-PREM-LIC-SW</productNumber>
<description>ICX6450-PREM-LIC-SW</description>
<version xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<dateGenerated>20121212120317372</dateGenerated>
</licenseHeader>
<license>
<featureName>ICX6450-PREM-LIC-SW</featureName>
<featureVersion>dbuHKIIjMxI</featureVersion>
<licKey>*B 9iCL80dHxLmvid3SxhIuk9zsalx630zHSpadlLlIfSTblqCSlSejIw5zibzBIyafEOvCrobl:OL8lwN4Rzd9zQCNIhsd,ASV0Bzgks5rlLMCwk,kA:mkdOCzZvVENVUluHX2</licKey>
</license>
</lic:licenseInfo>
```
Now you have a backup of your legitimate license file just as you would receive from Brocade.
## For PowerPC Models
On PowerPC models (FCX, ICX6610) it is more complicated, as they do not run linux. These units store the license strings directly on raw system flash in random locations. To extract these strings, you pretty much have to open the switch, attach a JTAG unit (such as a BDI2000) to the JTAG header, and dump the entire switch flash to a file, then open it in a hex editor.
Once you have a file containing a dump of the entire onboard flash, and have opened it in a hex editor, you search it for the characters `*B` - you will eventually come across the license string(s) like so:
![lic strings](https://fohdeesha.com/data/other/ppclic.png)
There's our license string, starting with `*B` as always. So, extracted, it looks like this (again, not a real license):
```
*B 8:n,UyAs6b9TXB3sowQ81lk,oLxLdkH:L:SIhdOko0lOEoIeSMl4dspO898E::LlSdEutafAA,bvuzxlr2so2Uks92ObyrkMyI5:rAd25Edr29ICgkqd3a,iv:bukvbO:,eO
```
Interestingly, on PPC platforms, when a user deletes licenses from the switch, it does not remove these strings - it just moves them to another part of flash. I have purchased ICX6610's on ebay where the previous owner deleted all licenses, so it boots up unlicensed. However after dumping the flash via JTAG, I found perfectly legitimate license strings still in flash that I was able to extract.
#### PowerPC Models, Desperate Edition
If you have a non-linux based switch (eg ICX6610) and you REALLY want to extract the licenses, but have no JTAG unit, there's still a way to extract them. You need to connect to the switch over serial, and get into the bootloader. Use a program like putty, and configure it to log the serial session (in Putty, Session > Logging > select a filename/location and choose the "printable output" option).
Now run the following in the bootloader:
```
dd f4000000 8388608
```
It will start printing the raw flash contents line by line in your serial window, and putty will be logging it. This will take about 10 hours, so go to bed. In the morning, reboot the switch, and take a look at your putty log file. Search it for our `*B` string just like above, and you will eventually find your license strings.

92
documentation/firmware.md Normal file
View File

@@ -0,0 +1,92 @@
# Extracting Brocade Firmware
Around the v8060 codetrain and above, Brocade seems to have moved to using the standard [FIT](https://xilinx-wiki.atlassian.net/wiki/spaces/A/pages/18842374/U-Boot+Images) image type for their firmware files. These contain the linux kernel, ramdisk, device tree, etc, all in a standard structure, so we can extract them. This is not an exhaustive or detailed guide, some knowledge of linux etc is assumed.
## Trim the firmware file
Brocade adds some Brocade-specific metadata in front of the FIT image, so it needs to be removed before FIT tools will recognize it. For most files it seems to be 512 bytes we need to remove:
```
dd if="SPR08080e.bin" of="trimmed.bin" bs=512 skip=1
```
For the newer "UFI" images (where they've combined the bootloader and OS in one file), it seems to usually be 1360 bytes:
```
dd if=SPR08091ufi.bin of="trimmed.bin" bs=1360 skip=1
```
However some images seem to need 1276 bytes removed:
```
dd if=TNR08091ufi.bin of="trimmed.bin" bs=1276 skip=1
```
To be sure, just open the firmware file with a [hex editor](https://mh-nexus.de/en/hxd/) and highlight and delete everything before the HEX values `D0 0D FE ED` (the FIT file should start with `D0 0D FE ED`)
Now install u-boot-tools:
```
apt install u-boot-tools
```
Debian 9 (and maybe others) have a very old uboot-tools version in the default repo, and does not come with the required dumpimage program. In that case, just manually install the recent tools:
```
wget http://ftp.us.debian.org/debian/pool/main/u/u-boot/u-boot-tools_2019.01+dfsg-7_amd64.deb
dpkg -i u-boot-tools_2019.01+dfsg-7_amd64.deb
```
Now use `dumpimage` to view a list of all the components in the firmware package:
```
dumpimage -l trimmed.bin
```
You'll get a list of everything in the package:
```
root@testing:~# dumpimage -l trimmed.bin
FIT description: Linux kernel and FDT blob
Created: Fri Jun 7 00:19:54 2019
Image 1 (fdt@1)
Description: ICX7650.dtb
Created: Fri Jun 7 00:19:54 2019
Type: Flat Device Tree
Compression: uncompressed
Data Size: 27517 Bytes = 26.87 KiB = 0.03 MiB
Architecture: AArch64
Load Address: 0x81200000
Hash algo: crc32
Hash value: fd8efcc8
Image 3 (ramdisk@1)
Description: Ramdisk -rootfs
Created: Fri Jun 7 00:19:54 2019
Type: RAMDisk Image
Compression: lzma compressed
Data Size: 57735137 Bytes = 56381.97 KiB = 55.06 MiB
Architecture: AArch64
OS: Linux
Load Address: 0x00000000
Entry Point: 0x00000000
Hash algo: crc32
Hash value: 0749eb07
-----trimmed-----
```
Choose a part to extract to a separate file, putting the image number after the `-p` argument.
**Note:** The `-T` argument must always be set to `-T flat_dt`, even if you are extracting a different image type, only change the `-p` number:
```
dumpimage -T flat_dt -p 3 -i trimmed.bin ramdisk.zip
```
The above example extracts the ramdisk from the above firmware file, which is the main filesystem for the switch. If you open up the resulting `ramdisk.zip` with 7zip or similar, you'll be able to explore the switch filesystem, including the interesting init scripts under `/etc/`:
![7zip](https://fohdeesha.com/data/other/7zip.png)
**Note:** Notice `FastIron.xz` - this is the FastIron binary that gets uncompressed and ran after Linux boots, and this is what provides the FastIron interface you're used to.
## Packaging Modifications
With the appropriate tools (such as `mkimage`) you can modify the filesystem/ramdisk, kernel, etc after extraction, and repackage them for flashing back to the switch. You will most likely need to update the checksum for the new FIT package in the brocade metadata. More info on packaging FIT images [here.](https://xilinx-wiki.atlassian.net/wiki/spaces/A/pages/18842374/U-Boot+Images)
## Bonus: Viewing FDTs
If you extract firmware device trees, like below for example:
```
dumpimage -T flat_dt -p 1 -i trimmed.bin ICX7650.bin
```
and want to see them in human-readable form, run the following:
```
apt install device-tree-compiler
fdtdump ICX7650.bin
```
You'll get a nice human-readable view of the device tree.

107
documentation/hidden.md Normal file
View File

@@ -0,0 +1,107 @@
# Hidden Brocade Dev Stuff
This is a collection of hidden tools, modes, and commands buried inside Brocade FastIron products.
## Hidden Commands
All Fastiron platforms have hidden CLI commands, with the biggest one being `dm`. The ```dm``` command is available (but hidden) for diagnostic use. Type ```dm``` and hit tab to see available options, like the below for example:
```
FCX3(config)#dm
HEX Number
802-1w show 802-1w internal information
aaa-acct-session
acl_tcam command for tcam manager
aging-loop Turn off/on system aging loop
allled Toggle -On/Off All LED
alt-diag Test only, off/on
app_vlan_debug App VLAN table (shadow)
auq-resync Sync Auq for a device
auq-status show auq status
badaddr Test only, will reboot
blink Show gig link changes due to PHY blink
buffer DMA CPU buffer related
cancel-flash-timeout set flash timeout to default
clear_boot_count Clear crash dump
cpld-reg-dump Dump the CPLD register
```
There's hundreds of other options. These are low level debug commands, so if you don't know what they do you can easily break your switch.
**Note:** There are most likely many other commands that are hidden so they do not show up under tab completion, like the commands above do. An example of some of these that I have managed to find are below:
```
dm license get
dm license exempt
dm license reset
dm license version
dm license vls
```
## Hidden OS Console
This only works over a serial connection. It will not work over telnet/ssh/etc. Connect to a FastIron device over serial, and once it's fully booted and running, press ```ctrl+y```, let go, then press ```m```. Then hit enter. It should drop you down to the OS console:
```
OS>
```
> Note: This is mainly for the PowerPC architecture switches (FCX, ICX6610). The ARM switches (ICX6450, ICX7xxx) still have this hidden console available, but it only has ~5 commands. For a proper low level CLI on ARM switches, use the *Accessing Linux* section.
Press the question mark on your keyboard for a list of all available options:
```
OS>
clear Clear internal table
console Attach console to a process
copy Copy file
daw Set data address watchpoint
dbg Toggle debug mode
dq Display memory in 64-bit quad word
dd Display memory in 32-bit double word
del Delete flash file
dir List flash files
----trimmed----
```
You'll note the options are nearly identical to what's available in the bootloader, except while the switch is fully booted and running. There's a couple extra options here too that aren't available in just the bootloader. To exit this mode, just hit ```ctrl+z```.
## Hidden Bootloader Modes
All the newer switches that run linux (ICX6450, ICX6650, ICX7xxx) use u-boot as the bootloader. However it runs in a very locked down mode with only a few commands available. Thankfully after contacting Arris (who own Ruckus, who now owns Brocade), they published their u-boot [source code](https://sourceforge.net/arris/wiki/Projects/).
From analyzing their u-boot source, we are able to find some hidden environment variables that will force the switch to boot into fully unlocked u-boot. To do so, run the following in the bootloader:
#### ICX6430 & ICX6450
```
setenv pp_init_enable 1
setenv diag_cmd_on 1
saveenv
reset
## it will reboot into fully unlocked u-boot
## set it back to normal
setenv pp_init_enable
setenv diag_cmd_on
saveenv
reset
```
#### ICX6650 & ICX7250 & ICX7450
```
setenv diag_mode_enable 1
saveenv
reset
## it will reboot into fully unlocked u-boot
## set it back to normal
setenv diag_mode_enable
saveenv
reset
```
#### ICX7650:
```
setenv diag_mode_on 1
saveenv
reset
## it will reboot into fully unlocked u-boot
## set it back to normal
setenv diag_mode_on
saveenv
reset
```
#### ICX7150, ICX7750, ICX7850
Unknown, but most likely one of the three above. If you try all three, make sure to undo each one (follow the `back to normal` bit) before moving onto the next attempt.

88
documentation/linux.md Normal file
View File

@@ -0,0 +1,88 @@
# Accessing Linux
This only applies to the newer architecture switches - the ICX6450, ICX6650, and the ICX7xxx series. The older models (GS, FCX, ICX6610, etc) run a proprietary bootloader and OS, so there is no Linux to access.
Some time after the ICX6610 design, they moved to using the popular u-boot bootloader, which then boots good old linux. The linux system then launches a monolithic FastIron binary. This is of course all transparent, all you will see is the normal FastIron interface - except now it's an application being ran on top of linux.
After some poking around in a dump of a running switches RAM, I stumbled upon the INIT script used to start the linux system. Of interest were these statements (trimmed for brevity):
```
#If noautostart is set in uboot, stop at linux prompt
cat /proc/cmdline |grep "noautostart" 1>/dev/null 2>&1 if [ $? -eq 0 ] then START_FI_AUTO=0
#If enabletelnet is set in uboot, then start telnet daemon
cat /proc/cmdline |grep "enabletelnet" 1>/dev/null 2>&1 if [ $? -eq 0 ] then
/usr/sbin/telnetd -l /bin/sh -f /etc/welcome
```
It's looking at the boot arguments passed by the bootloader for a `noautostart` or `enabletelnet` string. If it sees the `noautostart` string, it does not start the Fastiron app and drops you right into linux. If it sees the `enabletelnet` string, it starts a hidden telnet server with raw access to linux. These are our two ways in.
## Method 1: Disable FastIron AutoStart
This method tells the switch not to boot the Fastiron app, and drops you right into linux. You will only have serial access to the switch, the usual networking software will NOT be loaded.
Get into the bootloader like usual (hit `b` during boot), then run the following:
```
setenv extra_bootargs noautostart
boot
```
>note: this only sets this argument once and does not save it. So on subsequent reboots or power-ons, the string will be gone and it will boot normally.
It will begin booting like normal, but eventually you'll land in a shell:
```
BusyBox v1.18.3 (2013-11-22 14:33:50 IST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ #
```
Press tab twice and it'll show you all possible commands (just typing `help` will not show you all commands), there's a couple hundred, most of the utilities you'd expect including `wget`, `curl`, `vi`, and `ftpput`.
Check out the filesystem:
```
/ # ls
FastIron.xz etc home mnt sbin tmp
bin fast_iron init proc sys usr
dev ftp lib root tftpboot var
/ #
```
In the `fast_iron` directory, you'll find the startup configs you save from the normal switch CLI, as well as some logs. To reboot back to normal FastIron, just issue the `reboot` command.
## Method 2: Enable Hidden Telnet Server
This method tells the switch to start a hidden telnet server attached to the underlying Linux OS. It's only accessible via the management port (this is the only networking port Linux can see as it's off the management CPU, not the switching ASIC). The IP for Linux (where the telnet server will be) is set by a bootloader variable.
The upside of this method is that FastIron will still start, so you'll still have a normal functioning switch. There will just be an (unsecure) telnet daemon running on the management port with raw access to the underlying Linux OS - great for live debugging.
Get into the bootloader like usual (hit `b` during boot), then run the following. For the IP, choose an IP that is not in use anywhere else, especially on the switch. If you have a management IP assigned to the switch, this is separate from that and needs to be a different IP:
```
setenv extra_bootargs enabletelnet
setenv ipaddr 192.168.1.57
boot
```
>note: this only sets this argument once and does not save it. So on subsequent reboots or power-ons, the string will be gone and it will boot normally.
The switch will boot as normal, except now the underlying Linux OS has launched a telnet server at the specified IP, and is accessible via the management port only. When you telnet to it (default telnet port), you will have a full Linux CLI:
```
Welcome to FastIron Board's Telnet session
_ _
| ||_|
| | _ ____ _ _ _ _
| || | _ \| | | |\ \/ /
| || | | | | |_| |/ \
|_||_|_| |_|\____|\_/\_/
On Brocade's FastIron board
BusyBox v1.18.3 (2013-11-22 14:33:50 IST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ # ls
FastIron etc home mnt sbin tmp
bin fast_iron init proc sys usr
dev ftp lib root tftpboot var
/ #
```

45
documentation/stack-ports.md Normal file
View File

@@ -0,0 +1,45 @@
# ICX6610 Stack Ports
## Upgrading The Software
Thankfully in FastIron release 08.0.10 and up, Brocade quietly removed the "stack-only" restriction on the rear 40gbE ports.
This means the first step is to update to the latest release. This link has instructions and a ZIP of the latest images - [FastIron Upgrade & Config Guide](http://fohdeesha.com/docs/fcx/).
However you're not done yet!
## Removing Stack Configuration
There are going to be some stacking commands automatically put in your configuration, so we need to remove them. To see what you need to remove, show the config:
```
show run
```
Towards the top you should see a stacking related block similar to the below:
```
stack unit 1
module 1 icx6610-48-port-management-module
module 2 icx6610-qsfp-10-port-160g-module
module 3 icx6610-8-port-10g-dual-mode-module
stack-trunk 1/2/1 to 1/2/2
stack-trunk 1/2/6 to 1/2/7
```
We need to remove the two ```stack-trunk``` lines. They may be slightly different on your end, so substitute whatever was in your config. Notice that they are under the ```stack unit 1``` level, so you need to enter that CLI level first:
```
enable
conf t
stack unit 1
no stack-trunk 1/2/1 to 1/2/2
no stack-trunk 1/2/6 to 1/2/7
exit
write mem
```
Now show the config:
```
show run
```
There should no longer be any ```stack-trunk``` commands, or any commands referencing stack ports. That's pretty much it! You can now use the ports on the rear as normal. However, see the next section on how they are laid out.
## Port Layout
Keep in mind two of the rear ports are 4x 10gbE breakout only, and the remaining two are 40gbE only. The two 40gbE-only ports will NOT run at 10gbE (for instance with a QSFP to SFP+ adapter), so use these two for 40gbE links only. The extremely professional diagram below shows the port config and their associated port numbers in the OS:
![Port Diagram](https://fohdeesha.com/data/other/icx-ports.png)

6
mkdocs.yml
View File

@@ -16,5 +16,11 @@ nav:
- 'ICX7250 / ICX7450': 'icx7250.md'
- 'JTAG LB6M': 'jtag.md'
- 'JTAG ICX6610': 'jtag6610.md'
- Hidden Dev Stuff: hidden.md
- Accessing Linux: linux.md
- Extracting Firmware: firmware.md
- Extracting Licenses: extract.md
- ICX6610 Stack Ports: stack-ports.md
- EEPROM Unlocks: eeprom.md
- Other:
- 'Multiple /64s *nix': '64nix.md'