lab-docu/docs/hidden.md
2020-11-19 03:47:13 -05:00

100 lines
4.3 KiB
Markdown

# Hidden Brocade Dev Stuff
This is a collection of hidden tools, modes, and commands buried inside Brocade FastIron products.
## Hidden Commands
All Fastiron platforms have hidden CLI commands, with the biggest one being `dm`. The ```dm``` command is available (but hidden) for diagnostic use. Type ```dm``` and hit tab to see available options, like the below for example:
```
FCX3(config)#dm
HEX Number
802-1w show 802-1w internal information
aaa-acct-session
acl_tcam command for tcam manager
aging-loop Turn off/on system aging loop
allled Toggle -On/Off All LED
alt-diag Test only, off/on
app_vlan_debug App VLAN table (shadow)
auq-resync Sync Auq for a device
auq-status show auq status
badaddr Test only, will reboot
blink Show gig link changes due to PHY blink
buffer DMA CPU buffer related
cancel-flash-timeout set flash timeout to default
clear_boot_count Clear crash dump
cpld-reg-dump Dump the CPLD register
--More--
```
There's hundreds of options. These are low level debug commands, so if you don't know what they do you can easily break your switch.
**Note:** There's around ~700 commands that are completely hidden, they will not even show up using tab autocomplete like the above `dm` commands do. [Click here](https://fohdeesha.com/data/other/brocade/FastIron-Hidden.txt) for a full list of these commands. Many of these might delete your config, your licenses, lock the switch up, etc.
## Hidden OS Console
This only works over a serial connection. It will not work over telnet/ssh/etc. Connect to a FastIron device over serial, and once it's fully booted and running, press ```ctrl+y```, let go, then press ```m```. Then hit enter. It should drop you down to the OS console:
```
OS>
```
> Note: This is mainly for the PowerPC architecture switches (FCX, ICX6610). The ARM switches (ICX6450, ICX7xxx) still have this hidden console available, but it only has ~5 commands. For a proper low level CLI on ARM switches, use the *Accessing Linux* section.
Press the question mark on your keyboard for a list of all available options:
```
OS>
clear Clear internal table
console Attach console to a process
copy Copy file
daw Set data address watchpoint
dbg Toggle debug mode
dq Display memory in 64-bit quad word
dd Display memory in 32-bit double word
del Delete flash file
dir List flash files
----trimmed----
```
You'll note the options are nearly identical to what's available in the bootloader, except while the switch is fully booted and running. There's a couple extra options here too that aren't available in just the bootloader. To exit this mode, just hit ```ctrl+z```.
## Hidden Bootloader Modes
All the newer switches that run linux (ICX6450, ICX6650, ICX7xxx) use u-boot as the bootloader. However it runs in a very locked down mode with only a few commands available. Thankfully after contacting Arris (who own Ruckus, who now owns Brocade), they published their u-boot [source code](https://sourceforge.net/arris/wiki/Projects/).
From analyzing their u-boot source, we are able to find some hidden routines that will force the switch to boot into fully unlocked u-boot. To do so, run the following in the bootloader:
#### ICX6430 & ICX6450
```
manufacturing_diag enable
reset
## it will reboot into fully unlocked u-boot
## be sure to stop it in the bootloader (smash b)
## set it back to normal
manufacturing_diag disable
reset
```
#### ICX6650 & ICX7150 & ICX7250 & ICX7450 & ICX7750
```
diagmode enable
reset
## it will reboot into fully unlocked u-boot
## be sure to stop it in the bootloader (smash b)
## set it back to normal
diagmode disable
reset
```
#### ICX7650 & ICX7850
```
setenv diag_mode_on 1
saveenv
reset
## it will reboot into fully unlocked u-boot
## be sure to stop it in the bootloader (smash b)
## set it back to normal
setenv diag_mode_on
saveenv
reset
```
#### ICX7550
Unknown, but most likely one of the above - just try each one until the command takes.