mypoke should not assume PHY capabilities struct to be 0xC long

[feisuzhu]

root@nas:/home/proton/xl710-unlocker# lspci
00:00.0 Host bridge: Intel Corporation Device 591f (rev 05)
00:01.0 PCI bridge: Intel Corporation Skylake PCIe Controller (x16) (rev 05)
00:02.0 VGA compatible controller: Intel Corporation HD Graphics 630 (rev 04)
00:14.0 USB controller: Intel Corporation 200 Series PCH USB 3.0 xHCI Controller
00:16.0 Communication controller: Intel Corporation 200 Series PCH CSME HECI #1
00:17.0 SATA controller: Intel Corporation 200 Series PCH SATA controller [AHCI mode]
00:1c.0 PCI bridge: Intel Corporation 200 Series PCH PCI Express Root Port #5 (rev f0)
00:1c.6 PCI bridge: Intel Corporation 200 Series PCH PCI Express Root Port #7 (rev f0)
00:1d.0 PCI bridge: Intel Corporation 200 Series PCH PCI Express Root Port #9 (rev f0)
00:1f.0 ISA bridge: Intel Corporation 200 Series PCH LPC Controller (B250)
00:1f.2 Memory controller: Intel Corporation 200 Series PCH PMC
00:1f.3 Audio device: Intel Corporation 200 Series PCH HD Audio
00:1f.4 SMBus: Intel Corporation 200 Series PCH SMBus Controller
00:1f.6 Ethernet controller: Intel Corporation Ethernet Connection (2) I219-V
01:00.0 Ethernet controller: Intel Corporation Ethernet Controller X710 for 10GbE SFP+ (rev 02)
01:00.1 Ethernet controller: Intel Corporation Ethernet Controller X710 for 10GbE SFP+ (rev 02)
01:00.2 Ethernet controller: Intel Corporation Ethernet Controller X710 for 10GbE SFP+ (rev 02)
01:00.3 Ethernet controller: Intel Corporation Ethernet Controller X710 for 10GbE SFP+ (rev 02)
03:00.0 Network controller: Qualcomm Atheros QCA6174 802.11ac Wireless Network Adapter (rev 32)

root@nas:/home/proton/xl710-unlocker# ethtool -i enp1s0f0
driver: i40e
version: 2.1.14-k
firmware-version: 6.01 0x80003484 1.1747.0
expansion-rom-version: 
bus-info: 0000:01:00.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: yes

root@nas:/home/proton/xl710-unlocker# ./mytool 0 100
...
[00000044] 00000000 + 44 => 8394
[00000045] 00000000 + 45 => 0020
[00000046] 00000000 + 46 => 802a
[00000047] 00000000 + 47 => 0002
[00000048] 00000000 + 48 => 67a8  // ptr to EMP SR
[00000049] 00000000 + 49 => 7fff
[0000004a] 00000000 + 4a => 0405
[0000004b] 00000000 + 4b => ffff
...

root@nas:/home/proton/xl710-unlocker# ./mytool 0x67a8
...
[000067be] 000067a8 + 16 => 154b
[000067bf] 000067a8 + 17 => 00c5
[000067c0] 000067a8 + 18 => 00f5
[000067c1] 000067a8 + 19 => 0135  // ptr to PHY Capabilities 0
[000067c2] 000067a8 + 1a => 0141
[000067c3] 000067a8 + 1b => 014d
[000067c4] 000067a8 + 1c => 0159
[000067c5] 000067a8 + 1d => 0606
[000067c6] 000067a8 + 1e => 0606
[000067c7] 000067a8 + 1f => 0606

root@nas:/home/proton/xl710-unlocker# ./mytool $((0x67a8+0x19+0x135))
[000068f6] 000068f6 + 00 => 000c
[000068f7] 000068f6 + 01 => 0002
[000068f8] 000068f6 + 02 => 0083
[000068f9] 000068f6 + 03 => 1871
[000068fa] 000068f6 + 04 => 0000
[000068fb] 000068f6 + 05 => 0000
[000068fc] 000068f6 + 06 => 3303
[000068fd] 000068f6 + 07 => 000b
[000068fe] 000068f6 + 08 => 630c  // was 6b0c, clearing the 0x800 (1<<11) has no effect
[000068ff] 000068f6 + 09 => 0a00
[00006900] 000068f6 + 0a => 6432
[00006901] 000068f6 + 0b => 0001
[00006902] 000068f6 + 0c => 0000
[00006903] 000068f6 + 0d => 000c
[00006904] 000068f6 + 0e => 0002
[00006905] 000068f6 + 0f => 0083
[00006906] 000068f6 + 10 => 1871
[00006907] 000068f6 + 11 => 0000
[00006908] 000068f6 + 12 => 0000
[00006909] 000068f6 + 13 => 3303
[0000690a] 000068f6 + 14 => 630c  // was 6b0c, I only touched value above but this and following values changed too
[0000690b] 000068f6 + 15 => 6b0c
[0000690c] 000068f6 + 16 => 0a00
[0000690d] 000068f6 + 17 => 6432
[0000690e] 000068f6 + 18 => 0001
[0000690f] 000068f6 + 19 => 0000
[00006910] 000068f6 + 1a => 000c
[00006911] 000068f6 + 1b => 0002
[00006912] 000068f6 + 1c => 0083
[00006913] 000068f6 + 1d => 1871
[00006914] 000068f6 + 1e => 0000
[00006915] 000068f6 + 1f => 0000

[  118.826068] i40e 0000:01:00.0 enp1s0f0: the driver failed to link because an unqualified module was detected.
[  118.827588] IPv6: ADDRCONF(NETDEV_UP): enp1s0f0: link is not ready

[feisuzhu]

The machine powered off and on, had no effect.

[feisuzhu]

HOLY SHIT I'M SO LUCKY!

Your code assumes PHY capabilities struct to be 0xC long, which does not hold true to my NIC(mine has 0xD), so only the first word is written to the right location.

My NIC can power up and respond to ioctl after power cycle (lucky!), so I corrected wrong written values and re-applied the poke, this time it works.

[k0ste]

@feisuzhu I think you first who successfully unlocked 6.0 firmware. It will be nice, if you write here manual with changes (like [original](https://www.mail-archive.com/[email protected]/msg11459.html from @terpstra) or submit a patch if it necessary for covering work with newest firmware.

[gelezayka]

does not work:

000068f0 + 00 => 000c
000068f0 + 01 => 0022
000068f0 + 02 => 0083
000068f0 + 03 => 1871
000068f0 + 04 => 0000
000068f0 + 05 => 0000
000068f0 + 06 => 3303
000068f0 + 07 => 000b
000068f0 + 08 => 630c
000068f0 + 09 => 0a00
000068f0 + 0a => 0a1e
000068f0 + 0b => 0003
000068f0 + 0c => 0000

68fd, 690a, 6917 - the same

srv# lspci | grep 710
04:00.0 Ethernet controller: Intel Corporation Ethernet Controller X710 for 10GbE SFP+ (rev 02)
04:00.1 Ethernet controller: Intel Corporation Ethernet Controller X710 for 10GbE SFP+ (rev 02)
04:00.2 Ethernet controller: Intel Corporation Ethernet Controller X710 for 10GbE SFP+ (rev 02)
04:00.3 Ethernet controller: Intel Corporation Ethernet Controller X710 for 10GbE SFP+ (rev 02)

srv# ethtool -i enp4s0f0
driver: i40e
version: 2.7.29
firmware-version: 6.01 0x8000351b 0.0.0
expansion-rom-version:
bus-info: 0000:04:00.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: yes

[ 78.911299] i40e 0000:04:00.3: Rx/Tx is disabled on this device because an unsupported SFP+ module type was detected.
[ 78.911376] i40e 0000:04:00.3: Refer to the Intel(R) Ethernet Adapters and Devices User Guide for a list of supported modules.

[hawaiik]

@feisuzhu Any insight you can share here? I got as far as above and got the PHY but I don't get how you fixed it finally by saying you used 0xd instead of 0xc? From what I found we use the same card, so any help would be appreciated!

[feisuzhu]

@feisuzhu Any insight you can share here? I got as far as above and got the PHY but I don't get how you fixed it finally by saying you used 0xd instead of 0xc? From what I found we use the same card, so any help would be appreciated!

@hawaiik https://github.com/terpstra/xl710-unlocker/blob/master/mypoke.c#L60
I didn't do thorough analysis but observed adjacent 6b0c values are 0xd apart.

[hawaiik]

@hawaiik https://github.com/terpstra/xl710-unlocker/blob/master/mypoke.c#L60
I didn't do thorough analysis but observed adjacent 6b0c values are 0xd apart.

So in line 60 of mypoke you just changed
eeprom->offset = offset + 0xci2;

to
eeprom->offset = offset + 0xdi2;

?

[feisuzhu]

@hawaiik Yes, and please don't follow my experience blindly, confirm yourself.

[hawaiik]

@feisuzhu Alright, thank you for the headsup, I will take a look.

[hawaiik]

It seems Intel changed some stuff again....I was not able to unlock the card so far.....

[merbanan]

@feisuzhu I can confirm that patching a card with nvram layout like you described in the ticked worked fine for me. Ie struct start position 0x68f6 and struct offset 0xD.

[csdexter]

Hello,
I would like to report success >:) , one bug and one possible improvement:

• the bug is that the code ignores the fact that the length word (that 0x000D or 0x000C) is not counted in the structure length. Therefore, to jump forward "at the same location in the next structure" you need to add 1 to your structure size
• the improvement is to actually read the value at the offset given by the user and use that as the structure length (for that particular NIC) so that the code works with multiple NICs without risking the kind of corruption reported by @feisuzhu above
• the success report is that incorporating the fixes above I managed to unlock an X710 running firmware version 7.10 (the target was at 0x6940).

For reference, ethtool -i output below:

driver: i40e
version: 2.10.19.82
firmware-version: 7.10 0x8000646c 1.2527.0
expansion-rom-version: 
bus-info: 0000:3b:00.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: yes

Thanks for the awesome work and keep'em coming :D

[presslab-us]

I seem to have a bit newer version of firmware 7.10. The target was at 0x6940 but the length was 0xE this time. With the changes it is working fine.

driver: i40e
version: 2.8.20-k
firmware-version: 7.10 0x800075e1 19.5.12
expansion-rom-version: 
bus-info: 0000:01:00.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: yes

[cppmonkey]

@presslab-us
I see you're using a Dell XL710-BM2 based card too.
Which card is it? I have a XL710-QDA2

[cppmonkey]

Turned out offset 3 wasn't allowing LR4 modules. The unlock had already worked

Changed from altering offset 0x8 to 0x3 and stuffed it with 0x0700 enabling 40GBASE-LR4, 40GBASE-SR4 & 40GBASE-CR4

[presslab-us]

@presslab-us
I see you're using a Dell XL710-BM2 based card too.
Which card is it? I have a XL710-QDA2

I have the X710-DA4 with four SFP+ ports.

I also have added all pertinent options to register 0x3. But even still, this card is very picky. If a module advertises in it's EEPROM "transceiver compliance codes" that it supports Fiber Channel (in addition to the normal Ethernet one) it won't work. I have edited the EEPROM to remove the Fiber Channel codes and then it is accepted.

[andrewohanian]

This seems like the most active thread here. Just wanted to update that I got this working on 8.4

ethtool -i eth4
driver: i40e
version: 2.12.6
firmware-version: 8.40 0x8000abd7 1.2992.0
expansion-rom-version:
bus-info: 0000:03:00.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: yes

My offset was 0x6947and instead of 0x8, the register with bit 11 was on 0x1. So I changed line 46 to this: int offset = 2*(phy0_offset + 0x1)

My original value on 0x1 was 6b0c, which I set to 630c on line 63, to turn off bit 11.

It took a while to figure this out, but once I did, the unsupported SFPs are working perfectly.

[fmenard123]

Hello andrewohanian,

On my machine, the firmware version of the XL710 drivers is 8.15

ethtool -i enp23s0f3
driver: i40e
version: 5.15.0-39-generic
firmware-version: 8.15 0x800095c4 0.0.0
expansion-rom-version:
bus-info: 0000:17:00.3
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: yes

Can you elaborate what is the nature of the patch that needs to be made ?

F.

[fmenard123]

Alright, I now run: ./mytool 0 0x8000 |grep 000d
I get:

00000000 + 693a => 000d
00000000 + 6948 => 000d
00000000 + 6956 => 000d
00000000 + 6964 => 000d

Then I do:

./mytool 0x693a

I get:

0000693a + 00 => 000d
0000693a + 01 => 0022
0000693a + 02 => 0083
0000693a + 03 => 1871
0000693a + 04 => 0000
0000693a + 05 => 0000
0000693a + 06 => 3303
0000693a + 07 => 000b
0000693a + 08 => 630c

That looks like a legit structure, with 0022, followed by 0083... the issue is at +08, the value is already at 630C ... yet

DMESG says:

[ 5434.690412] i40e 0000:17:00.3 enp23s0f3: NIC Link is Up, 10 Gbps Full Duplex, Flow Control: None
[ 5442.396323] i40e 0000:17:00.3 enp23s0f3: NIC Link is Down
[ 5446.528974] i40e 0000:17:00.3: Rx/Tx is disabled on this device because an unsupported SFP module type was detected.
[ 5446.529024] i40e 0000:17:00.3: Refer to the Intel(R) Ethernet Adapters and Devices User Guide for a list of supported modules.

So I do not see where is the Bit 11 to change ... since the value is already 630c at +08

What I am not getting here ?

[Darlord47]

Hello @fmenard123 !
I've ran into same issue, have you succeed to solve this?

[fmenard123]

I have not. I since found a server with a built in switch that attaches to trace lines on a xeon—d built-in phy. I’ve successfully got something working. What kind of transceivers are you using ?

…

Sent from my iPhone On Apr 18, 2023, at 05:35, Darlord47 ***@***.***> wrote:  Hello @fmenard123<https://github.com/fmenard123> ! I've ran into same issue, have you succeed to solve this? — Reply to this email directly, view it on GitHub<#4 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AX3ILBXV3IVYKWYDIPD74CTXBZN5PANCNFSM4EESQDKA>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[Darlord47]

@fmenard123 D-Link DEM-CB300S DAC cable