The SDSL Journey: Reverse engineering, open source connectivity - PowerPoint PPT Presentation



SLIDE 1

The SDSL Journey

Reverse engineering, open source connectivity and ARPANET replacement

Michael Sokolov
Harhan Engineering Co.
Open WAN Connectivity Project

SLIDE 2

What is SDSL?

  • Same low speed up and down
  • Pay more for less downstream bandwidth!
  • “Business service”: it’s all about the feeling of being elite
  • Can be used as ARPANET replacement

SLIDE 3

Who offers SDSL?

USA-specific

Back-end operators:

  • Rhythms/WorldCom (gone)
  • Covad
  • DSL.net (now MegaPath)

Front-end providers:

  • AT&T
  • Covad.net
  • MegaPath
  • Many small ISPs going through Covad

SLIDE 4

Bridging vs. true routing

SDSL does NOT use PPPoE!

Networking models used with SDSL:

  • Bridging / MER
  • True routed circuit
  • PPPoA (Covad.net only)

SLIDE 5

Bridged SDSL circuit

[Diagram labels: ISP side; User side; DSLAM; Bridge CPE; MAC encapsulation; 42424 virt_eth; 10BaseT; SDSL bit pipe; Virtual Ethernet cable]

SLIDE 6

Standard bridge CPE (Copper Mountain)

  • CM flavor only, bridged circuits only
  • Configurationless
  • Converts between Ethernet-over-SDSL and real Ethernet

SLIDE 7

... but some of us prefer the routed network model:

[Diagram labels: Classic Router; ISP A; ISP B; Ethernet 1; Ethernet 2; Token Ring]

SLIDE 8

Key difference in circuit config:

Bridged/MER circuit:

<dest MAC addr><src MAC addr><0806><ARP packet>
<dest MAC addr><src MAC addr><0800><IP packet>

True routed circuit:

<FR/ATM header><IP packet>

No MAC addresses and no ARP!

SLIDE 9

Standard CPE for routed circuits (circa 2001)

Yes, it’s a router, but it isn’t chosen by the end site’s own god!

SLIDE 10

Would like to extract the SDSL PHY part of those routers and offer it by itself, letting the user choose his own router.

How do we do it?

  • Social engineering
  • Reverse engineering
  • Confirmed the use of a standard HDLC bit stream (CM SDSL)
  • Needed to identify the part of SDSL CPE called the “bitpump”

SLIDE 11

Someone had already done this before us:

... but it was made of unobtainium, so I set out to recreate it.

SLIDE 12

What is SDSL in technical terms?

North American SDSL/2B1Q is NOT the same as ETSI SDSL or G.shdsl!

G.991 and ETSI standards are free and open, but useless for SDSL/2B1Q

SLIDE 13

What is SDSL/2B1Q in technical terms?

  • De facto pseudostandard defined by the makers of Bt8960, Bt8970 and RS8973 chips
  • Based on HDSL, an internal telco technology
  • 2B1Q line code dates back to ISDN BRI

More generally:

  • Full-duplex synchronous serial bit stream
  • 2-wire transmission via echo-cancelling hybrid
  • Choice of several data rates

SLIDE 14

What does it take to build SDSL CPE?

  • Understanding the physics involved
  • Using the RS8973 bitpump chip
  • Software/firmware to control that chip
  • SDSL flavors: each DSLAM vendor invented their own!

SLIDE 15

Flavors Flavors Flavors

Common invariant:

  • Bitpump chip
  • Sync serial bit stream
  • 2B1Q line code
  • HDSL heritage

Flavor-dependent:

  • Choice of data rates
  • Quat orientation
  • Pre-activation signaling
  • Bit stream format

SLIDE 16

Strategies for open source connectivity to SDSL

  • Bit-transparent DSU like the elusive Cupré box: great for Copper Mountain
  • Layer 2 converter for SDSL/ATM
  • Do both with a single hardware platform: OSDCU

SLIDE 17

Hack-o-Rocket: let’s take an existing SDSL CPE board and turn it into a hacking instrument

[Block diagram labels: MC68LC302 CPU; RAM 64 KB; Flash 256 KB; Bt8970 SDSL; CS8900 Ethernet; SCC1; SCC2; Hidden serial port]

SLIDE 18

Socketed PLCC32 flash chips were easy to read out and the M68K code was easy to disassemble!

Learned from CR201 firmware disassembly:

CM flavor of SDSL:

  • Confirmed that it’s standard HDLC
  • Speed autodetection reverse-engineered

Using CR201 hardware:

  • Supplemented the data from physical H/W examination

SLIDE 19

By running our own code on CR201s hardware, we were able to:

  • Play with the bitpump and put it through startup sequences
  • Lay the software foundation for our own OSDCU
  • Use the SCC to study the bit stream formats
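
One way to check that a captured synchronous bit stream is standard HDLC, as an added example (not code from the slides or from the OSDCU project): look for 01111110 flags, drop the zero stuffed after five consecutive ones, and see whether byte-aligned frames come out. The names `hdlc_deframe`, `hdlc_result` and `sample_capture` are hypothetical, the capture is assumed to hold one line bit per array element with octets sent least significant bit first, and the FCS is returned with the frame rather than verified.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDLC_MAX 64             /* longest frame kept by this example, bytes */
typedef struct {
    int frames, aborts;         /* byte-aligned frames; aborted frames */
    size_t len;                 /* length of the first frame */
    uint8_t data[HDLC_MAX];     /* bytes of the first frame, FCS included */
} hdlc_result;
/* Constructed sample, one bit per element: idle marks, opening flag,
 * octets 0xFF 0x21 with one stuffed zero, closing flag. */
static const uint8_t sample_capture[] = {
    1,1,1,1,1,1,1,1,  0,1,1,1,1,1,1,0,
    1,1,1,1,1,0,1,1,1,  1,0,0,0,0,1,0,0,
    0,1,1,1,1,1,1,0 };

/* bits[]: one captured line bit (0 or 1) per element, in arrival order. */
hdlc_result hdlc_deframe(const uint8_t *bits, size_t nbits)
{
    hdlc_result r = {0};
    uint8_t buf[HDLC_MAX + 1] = {0};
    size_t n = 0;               /* bits stored since the last flag */
    int ones = 0, in_frame = 0;

    for (size_t i = 0; i < nbits; i++) {
        int b = bits[i] & 1, prev = ones;
        ones = b ? ones + 1 : 0;
        if (b && ones >= 7) { r.aborts += in_frame; in_frame = 0; }
        if (!b && prev == 5) continue;      /* stuffed zero: discard */
        if (!b && prev == 6) {  /* flag; its first 7 bits sit in buf */
            if (in_frame && n > 7 && (n - 7) % 8 == 0 && r.frames++ == 0) {
                r.len = (n - 7) / 8;
                memcpy(r.data, buf, r.len);
            }
            memset(buf, 0, sizeof buf);
            n = 0; in_frame = 1;
            continue;
        }
        if (!in_frame) continue;
        if (n >= sizeof buf * 8) { in_frame = 0; continue; }  /* too long */
        if (b) buf[n / 8] |= (uint8_t)(1u << (n % 8));         /* LSB first */
        n++;
    }
    return r;
}

int main(void) {
    hdlc_result r = hdlc_deframe(sample_capture, sizeof sample_capture);
    printf("frames=%d aborts=%d first=%zu bytes\n", r.frames, r.aborts, r.len);
    return 0;
}
```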

SLIDE 20

Let’s look at the Nokia SDSL/ATM flavor now

Most of the Nokia reverse eng work was done in the absence of a real Covad line to test on!

  • Beige box test: no pre-activation present
  • Oscilloscope probe on QCLK: got the true data rates
  • Run Hack-o-Rocket as HTU-C, linking up with Nokia flavor CPE
  • Bit stream capture revealed the framing format

SLIDE 21

Proof of concept open source SDSL and IDSL implementation on the Hack-o-Rocket

  • Tested and proven working on real Covad lines, both SDSL and IDSL.
  • Demo given to a Covad install technician!

SLIDE 22

Finally built our own hardware!

SLIDE 23

SDSL in, EIA-530 out

SLIDE 24

Testing: CM DSLAM

Works like a charm!

SLIDE 25

More testing

  • Verified interoperability with XSB-2000 DSUs
  • Linking up with Netopia CPE (pretending to be a Nokia DSLAM)

SLIDE 26

Where do we go from here?

  • Nokia DSLAM bring-up
  • FPGA acceleration for Nokia L2 converter
  • Bring the OSDCU board to production quality

http://ifctfvax.Harhan.ORG/OpenWAN/