Difference between revisions of "Cisco"

From LinuxMIPS
Jump to navigationJump to search
Line 189: Line 189:
* [http://www.ipflow.utc.fr/index.php/Cisco_7200_Simulator Cisco 7200 Simulator]
* [http://www.ipflow.utc.fr/index.php/Cisco_7200_Simulator Cisco 7200 Simulator]
* [http://www.cisco.com/warp/public/63/arch_7200_5810.shtml Cisco 7200 Series Router Architecture]
* [http://www.cisco.com/warp/public/63/arch_7200_5810.shtml Cisco 7200 Series Router Architecture]
* [http://www.bodhost.com/web-hosting/index.php/2007/05/03/cisco-firewall-flashback/ Cisco Firewall PIX]
* [http://www.mcvax.org/~koen/uClinux-cisco2500/ uClinux port for the Cisco 2500]
* [http://www.mcvax.org/~koen/uClinux-cisco2500/ uClinux port for the Cisco 2500]
* [http://www.uclinux.org/ports/ uClinux Ports]
* [http://www.uclinux.org/ports/ uClinux Ports]
* [http://www.townsendassets.com/blog/2006/12/22/cisco-6509-security-for-fips-140-2/ Cisco 6509 Security for FIPS 140-2]

Revision as of 14:53, 3 April 2008

Cisco Systems Routers

Cisco Systems manufactures several routers with MIPS processors. Most of these routers are relatively modern, and sometimes are still prohibitively expensive on eBay or even via alternative channels of purchase. However, as many of these routers get decomissioned, they do appear on eBay at reasonable prices. A popular model with Linux/MIPS developers is the Cisco 3600-series.


Cisco has a very bland history when it comes to the class of CPUs in their hardware, often known for their (ab)use of m68k CPUs for their routers, as well as x86 CPUs for their firewalling and VPN solutions.

Cisco later switched to MIPS-based solutions from a variety of vendors, most notably IDT, PMC-Sierra and Broadcom, as well as some higher-end models being based on PowerPC processors.


Model Number CPU CPU Clockspeed Controller Slot/Bus
1100 IBM PowerPC 405GP 200Mhz - Mini-PCI
1200 IBM PowerPC 405GP 200Mhz - Mini-PCI
1300 IBM PowerPC 405GP 200Mhz - Mini-PCI
1600 Motorola QUICC 68360 33MHz - WIC
1720 Motorola PowerQUICC MPC860 40MHz - WIC
1750 Motorola PowerQUICC MPC860 40MHz - WIC
1841 RM5261A-256H 250MHz Marvell GT96103A NM (PCI)
2500 Motorola 680EC30 20MHz - -
2600 Motorola PowerQUICC MPC860 40MHz - NM (PCI)
2610 Motorola PowerQUICC MPC860 ? - NM (PCI)
2610XM Motorola PowerQUICC MPC860 ? - NM (PCI)
2611 Motorola PowerQUICC MPC860 ? - NM (PCI)
2611XM Motorola PowerQUICC MPC860 ? - NM (PCI)
2620 Motorola PowerQUICC MPC860 ? - NM (PCI)
2620XM Motorola PowerQUICC MPC860 ? - NM (PCI)
2621 Motorola PowerQUICC MPC860 ? - NM (PCI)
2621XM Motorola PowerQUICC MPC860 ? - NM (PCI)
2650 Motorola PowerQUICC MPC860 ? - NM (PCI)
2650XM Motorola PowerQUICC MPC860 ? - NM (PCI)
2651 Motorola PowerQUICC MPC860 ? - NM (PCI)
2651XM Motorola PowerQUICC MPC860 ? - NM (PCI)
2691 RM7061A 160MHz ? NM (PCI)
2801 RM5261A 250MHz Marvell MV96103A AIM, HWIC, PVDM
2811 RM5261A 350MHz Marvell MV96340 NM (PCI), AIM, HWIC, PVDM
2821 RM7065C 466MHz Marvell MV96340 NM (PCI)
2851 RM7065C-466T 466MHz Marvell MV96340 NM (PCI)
3620 IDT R4600 80MHz Galileo NM (PCI)
3631 RM7061a 240MHz ? NM/WIC
3640 IDT R4600 100MHz Galileo NM (PCI)
366x RM5271 225MHz Galileo NM (PCI)
3725 RM5200 240MHz ? NM (PCI)
3745 RM5200 350MHz ? NM (PCI)
3825 BCM1125H 500MHz AMD1813 NM (PCI)
3845 BCM1250 ? ? NM (PCI)
4000 Motorola 68030 40MHz ? NP ?
4500M R4700 100MHz ? NP ?
4700M R4700 133MHz ? NP ?
AS5300 R4700 150MHz ? ?
AS5350 RM7000 250MHz ? ?
AS5350XM BCM-1250 750MHz ? ?
AS5400 RM7000 250MHz ? ?
AS5400HPX RM7000 390MHz ? ?
AS5400XM BCM-1250 750MHz ? ?
7000 Motorola 68040 25MHz ? ?
7010 Motorola 68040 25MHz ? Cbus
7120 RM5271 225MHz ? PA ?
7140 RM7000 262MHz ? PA ?
7200 NPE100 R4700 150MHz ? PA ?
7200 NPE150 R4700 150MHz ? PA ?
7200 NPE175 RM5270 200MHz ? PA ?
7200 NPE200 R5000 200MHz ? PA ?
7200 NPE225 RM5271 225MHz ? PA ?
7200 NPE300 RM7000 262MHz ? PA ?
7200 NPE400 RM7000 350MHz ? PA ?
7200 NSE-1 RM7000 263MHz ? PA ?
7200 NPE-G1 BCM-1250 800MHz ? PA ?
7200 NPE-G2 PowerPC 7448 1.67GHz ? PA ?
7500 RSP1/2 R4600 100MHz ? CyBus
7500 RSP4 R5000 200MHz ? CyBus
7500 RSP8 RM7000 250MHz ? CyBus
VIP4-50 RM7000 ? ? ?
VIP4-80 RM7000 ? ? ?
12000 GRP R5000 200MHz ? ?
12000 PRP-1 PowerPC 7450 667MHz ? ?
12000 PRP-2 PowerPC 7455 1GHz ? ?

The Boot ROM

The Cisco Boot ROM firmware contains startup diagnostic code (ROM monitor, or ROMmon) as well as the boot loader for the Cisco Internetworking Operating System, or IOS for short.

During early boot, the code in the boot ROM performs a Power-on Self Test (POST) and, if all tests are passed, boot into IOS from the flash.

The Boot ROM CLI

In order to gain access to the monitor in the Boot ROM, send a break sequence to the device early on in the boot process. This can be done with a C-a f (Ctrl+a f) in Minicom, for example.

Recently boot ROMs have had an undocumented priv command. This command then can be used to gain access to several additional commands, including a debugger, disassembler and additional hardware tests. To use this command, a secret password is required, known only to Cisco representatives. However, in recent times this has been cracked and the password for many models of Cisco routers can be calculated using the tool at http://ers.pp.ru/cisco/priv.html.

Environment variables

Boot ROM maintains certain system configuration parameters in environment variables. For example, the $MONRC can contain a starup command sequence, $PS1 contains the command prompt, and so forth. As well, the BootROM supports basic command aliasing. Both the environment variables and the alias table are stored in NVRAM so that their values persist, even when power is off.

The Boot ROM API

The Boot ROM API provides some simple APIs for IOS (for example, putchar and version information commands). Unlike many other firmwares in the world of MIPS, the syscall opcode is used to call these firmware APIs. Note that register a0 must contain the syscall number.

A sample "Hello, world!" program can be found here.

Binary Format

IOS executables are shipped in a raw binary format (known as a .bin file to many). For MIPS-based devices, this is just conventional MIPS Big-Endian ELF, however Cisco does play a dirty trick in using a non-standard e_machine value in the ELF header. This seems to be based on the router model. For example, the Cisco 3600 routers have an e_machine value of 0x1e.

In order to alter the e_machine value, a recent version of objcopy can be used with the switch --alt-machine-code 0x1e (in this example for a Cisco 3600 series machine).

As well, there are limitations placed on the binary format due to the behaviour of the software in the Boot ROM. Boot ROM cannot load multiple ELF program headers. Thus, to work around this problem, toolchains must be built with --target=mips-elf.

Finally, all symbol tables must be removed.

Boot sequence

The Boot ROM can load and execute a block of executable code (such as IOS) from various internal locations: the internal FLASH module(s), a PCMCIA Linear Flash card and (unofficially) TFTP. More recent models also support PCMCIA IDE, CompactFlash and USB flash. Also the Boot ROM supports compressed images (.gz) with embedded helper and text files that contain a command sequence (like a shell script). Nowadays -mz- IOS distributions are compressed with ZIP and have a built-in ELF ZIP decompressor "piggybacked" on top, since ZIP provides better compression.

To boot from the PCMCIA ATA or CompactFlash the media should be formatted on the CISCO router with format disk0: command. This command creates a FAT structure with second bootloader (MONLIB) resides in the hidden FAT area. More inforamtion may be found in the ATA Monlib Enhancements article.

Cisco 3600

CISCO 3640

The Cisco 3600-series were entry-level edge routers built on the IDT R4700 MIPS CPUs. The system controller is a Galileo GT-64010.

The Cisco 3600-series routers were designed with limited expandability in mind. As such, the Cisco 3620 has two expansion slots; the 3640 has four (as is reflected in the size of the units). These expansion modules sit on the NM expansion bus, which is essentially a modified PCI 2.1 bus with some proprietary extensions relating to EEPROM identication and what Cisco calls OIR, or Online Insertion and Removal.

Deeper technical information on the Cisco 3600-series can be found at http://www.cisco.com/warp/public/63/36xx-arch.pdf.

Current Status

Presently Linux does not boot on the Cisco 3600 series in any usable form. However, a PROM library has been established and most PROM calls of importance have been reverse engineered. As well, efforts to make Linux run on the 3600 seriers are well underway and could very well be bootable soon.

External Links