
Realtek RTL836x series of Ethernet switch ICs has a 8051 hidden inside - dexen
https://twitter.com/whitequark/status/1175701730819895296
======
mbell
This is rather misleading. The RTL8366 pictured in the tweet doesn't have an
8051 in it which is why it's absent from the datasheet. I don't see anything
in this thread that contradicts this. The RTL8367 does have an 8051 in it, and
it is covered in the datasheet. As near as I can tell this entire claim is
based on reading a RTL8366 datasheet when the part in question was a RTL8367.

I'm not seeing anything nefarious here at all, the RTL8367 is designed for
'smart switches', the 8051 is there to run the webUI. In general, 8051s are
_everywhere_, it's one of the most used IP cores in the world. I'd bet the
average household has a few dozen of them in various devices.

EDIT: Looking through some older tweets from the same author, I think the
claim is based on pinout similarities between the RTL8366 and the RTL8367. My
guess would be that these two parts are the same die and the RTL8366 parts are
the ones where a defect was found in the CPU core which would be a likely
source of manufacturing defects.

~~~
joezydeco
It's not always a binning thing.

I've used similar parts, like bluetooth transceivers, where there are two
SKUs: one is a cheaper commodity part and comes with built-in firmware.

The other more expensive part allows for modifiable firmware (and, thus,
exposes the processor inside). My cynical POV is that the chipmaker knows
they'll be spending more internally on SDK development/support and field rep
time. So that needs to be recaptured in the cost of the part.

~~~
sharpneli
It is expensive to tape out a different chip. As 8051 originally was about
50000 transistors that’s peanuts nowadays.

Likely cheaper to manufacture a single chip and do market segmentation via
software than manufacture two if the savings are measly (let’s assume 16nm
process) 1/500 mm^2 per chip.

~~~
mbell
It's not so much the 'core' as the memory. For example it looks like the
RTL8367 has 16KB of program memory, 32KB of data memory, 256 bytes of SRAM and
a 12KB nic buffer. These memory cells will make up the bulk of the transistors
in the 8051 part of the chip and tend to be points of manufacturing failure.
In many cases the chip would be designed with more memory than it needs under
the assumption there will always be a few failures. So if you need 16KB, you
design in 18KB and turn off the rows/banks that fail or test as the worst. If
too many fail you sell it as the next memory size down, or in this case you zap a
couple fuses and sell it as the part without an MCU on board. Of course this
doesn't always work, sometimes you need more of the non-perfect parts than you
have to fill orders so you just zap the fuses anyway.

------
ryanianian
Tweet has been deleted (URL 404s). Internet archive has some but not all of
the thread
[https://web.archive.org/web/20190922094616/https://twitter.c...](https://web.archive.org/web/20190922094616/https://twitter.com/whitequark/status/1175701730819895296)

~~~
victorheld
[https://twitter.com/whitequark/status/1175767033360740352](https://twitter.com/whitequark/status/1175767033360740352)

~~~
tambourine_man
I’ve seen this hatred towards HN before on Twitter and I don’t really get it.
HN is one of the most polite places on the internet, including Twitter.

~~~
Osiris
Having made (what I thought were polite) comments on Reddit only to get
downvoted into oblivion, I agree that HN has one of the most thoughtful and
respectful communities I've participated in.

~~~
0xcde4c3db
In my experience, it's pretty easy to misjudge the expected overall level and
style of politeness in a given social space. Many people were raised with the
idea of politeness being a safe default, but in some spaces being _too_ polite
can come off as aloof or condescending.

------
tyingq
There's even some existing code to manipulate the firmware:

[http://arny.tjps.eu/OpenWrt/EasyBox904xDSL/oem-firmware-info...](http://arny.tjps.eu/OpenWrt/EasyBox904xDSL/oem-firmware-info/research/)

And

[https://github.com/uwehermann/easybox-904-xdsl-firmware/blob...](https://github.com/uwehermann/easybox-904-xdsl-firmware/blob/master/package/infineon-utilities/feeds/ifx_feeds_uboot/open_uboot/src.904dsl/drivers/net/vr9_sw.c)

~~~
rasz
not really

>SMI SLAVE FOR EXTERNAL CPU

your links talk about external programming of smart switches, you could do
this 10 years ago with RTL3866

[https://hackaday.com/2010/05/26/unlocking-the-crippled-poten...](https://hackaday.com/2010/05/26/unlocking-the-crippled-potential-of-an-unmanaged-switch/)

[http://spritesmods.com/?art=rtl8366sb](http://spritesmods.com/?art=rtl8366sb)

or 15 years ago with RTL8309sb

[https://web.archive.org/web/20061118184321/http://pupa.da.ru...](https://web.archive.org/web/20061118184321/http://pupa.da.ru/avrsw/)

------
garamirez
Wow! I just went back some 20+ years ago going through 8051 instruction set
while at the University. It's amazing how versatile and useful it still is.

------
raverbashing
A lot of devices use these simple microprocessors to do general management and
talk to low speed buses

I remember in the times of region locked DVD players, some device hacks
targeted the same processor inside the DVD player unit (I'm talking about the
IDE/SATA drive, not the whole player)

------
milankragujevic
I actually have a switch (TP-Link TL-SG105E "Easy Smart") that runs a whole
Web UI on that built in CPU. It's quite neat, as the switch is 20$ yet has
some "smart"-esque features :)

------
mysterydip
A reply in the twitter thread makes the most sense to me: "Interesting! I can
imagine this being used to generate & monitor traffic for factory test." That
would make verification much easier and also explain why it's undocumented. Of
course if there's a way for testers to use it, there's potentially a way for
others to use it as well.

~~~
8K832d7tNmiQ
why would you need an 8051 to do internal testing, though? and why would it
make it easier to test?

~~~
mysterydip
I see it like debug statements in code. If the only access you have to a
function is from the inputs and returns, it's difficult to see where the issue
lies when the return value is wrong. Having an internally accessible layer of
I/O lets you bypass certain areas or get values at different steps to
determine root cause. Could be useful for firmware testing, fixing ones that
fail a normal test, and RMAs.

You would want to leave the circuitry in place for production because it's
largely unnoticeable and changing it could introduce bugs.

------
dexen
Context - these two twitter threads:
[https://twitter.com/whitequark/status/1175692789171884032](https://twitter.com/whitequark/status/1175692789171884032)

 _> so apparently most unmanaged switches have a 8051 connected to the switch
fabric inside. would it occur to you that pretty much any switch on your
network could be monitoring or injecting traffic? sure would not to me_

[https://twitter.com/whitequark/status/1175692567150653440](https://twitter.com/whitequark/status/1175692567150653440)

 _> i wasn't previously aware that it's possible (it does makes sense i guess?
doing switching entirely in gateware is more risky), and it's an absolutely
incredible placement for a near-undetectable implant_

------
tambourine_man
Honest, tangentially related question from someone unfamiliar with the field:

Why are we still using old 80xx chips in embedded applications? Expired
patents? Existing toolchain? Inertia?

It’s hard to believe we couldn’t do better, cheaper and more power efficient
solutions with all the tricks we’ve learned in those almost 40 years.

~~~
antonyme
The core is simple, small, cheap or even free, requires few resources, has
plenty of tool support, is well-understood and well-documented, and is easy to
debug and deploy. The 8051 is perfectly sufficient for many simple embedded
applications that only require an 8-bit micro.

It's the instruction set that has been retained, not the silicon design. The
variants these days are more power-efficient and powerful in terms of MIPS and
peripherals, and have indeed benefited from years of R&D.

~~~
tambourine_man
But is an ISA that wasn’t designed for embedded really that well suited for it?

And if the silicon design is new, we are not benefiting all that much from
decades of battle testing, right?

I can’t imagine how a clean, embedded-first 32-bit ISA design wouldn’t be more
appropriate.

~~~
zokier
> But is a ISA that wasn’t designed for embedded really that well suited for
> it?

But 8051 _was_ designed for embedded:

> The Intel MCS-51 (commonly termed 8051) is a single chip microcontroller
> (MCU) series developed by Intel in 1980 for use in embedded systems

(wikipedia)

> I can’t imagine how a clean, embedded first 32bit ISA design wouldn’t be
> more appropriate

I guess we'll see how riscv will develop.

~~~
tambourine_man
Ah, I didn’t know that. I thought it was a repurposed chip. That makes sense.
Thanks for the clarification.

------
swiley
It’s fun when you find the firmware on peripherals like this.

Did you know the processor in the b43 network cards uses this really weird
architecture developed by the company that made the backplane? It also doesn’t
actually handle the radio baseband, that’s done entirely in hardware (If my
reading of the firmware is correct.) Which makes me wonder why having more
open source WiFi card firmware is rare, I guess it still handles calibration
and some other things that you could use to intentionally make the card
misbehave but it’s a lot more limited than I expected.

------
non-entity
A few weeks back, I was working on trying to patch a BSD driver for another
Realtek product (a wireless network adapter) and there were a handful of
comments / source reference mentioning "8051". I assumed this to be the
microcontroller and, out of curiosity, attempted to disassemble the provided
firmware binaries, sadly to no avail.

Does Realtek publish their documentation on products publicly? I found it
interesting that the author of the tweet has, for example, a pinout.

~~~
andrewshadura
No, they don't, and they usually don't answer emails asking for it. You may
be lucky finding it at pudn.com or other datasheet-sharing websites, but not
officially from them.

~~~
userbinator
It's common with a lot of Chinese companies; they won't answer requests for
datasheets, yet you can find them "leaked" elsewhere and they're not really
bothered by it.

I suspect it's more of a "we're not interested in answering your questions,
which you will certainly have if we give you a datasheet directly" than any
real concern over IP.

------
peterwwillis
This post is gone.

Tweets make bad HN posts; not only because they disappear, but they're too
short to have all the details, they don't capture a whole conversation, when
they do it's disjointed and in pieces, people jump to conclusions, etc.

~~~
whitequark_
Also I got pinged by like a dozen different HN bots, because each time any of
them tweets a link, Twitter thinks it's a quote-tweet and sends a
notification. Annoying.

------
ranma42
Old D-Link DGS-1008D switches with Vitesse chipsets also have a built-in 8051
for firmware (but only 8KB SPI flash loaded into 8KB of embedded RAM, so
pretty useless). I think it's mostly used for the cable test when powering on
the switch.

------
perlgeek
Can somebody please explain what the big deal about it is, if it's even true?

~~~
morganvachon
It's a documented part, the OP was just confusing two different parts/part
revisions.

The paranoid would say "it's a hidden backdoor for running shady code".
However, anyone with even a passing interest in embedded computing would
recognize that it's designed to store and run official firmware; nothing shady
or underhanded about it.

So in short, in this particular instance it's much ado about nothing.

~~~
RodgerTheGreat
The hardware doesn't care what it was designed for; it does what it's told. It
is extremely plausible that capabilities which exist for testing purposes can
_also_ be exploited for running malware.

~~~
morganvachon
Correct, but the implication in the tweet was that it was secretly embedded by
the manufacturer for nefarious purposes. The Twitter OP jumped to paranoid
conclusions in part because of their obvious lack of understanding of even
simple embedded hardware concepts.

You can kill someone with a hammer, but that doesn't mean the hammer was
designed for killing.

------
ngcc_hk
There is one mentioning a Z80 as well.

------
Kenji
Tweet deleted. She tweeted "nonconsensually submitted to the orange website"
hahaha.

~~~
compuguy
> _Tweet deleted. She tweeted "nonconsensually submitted to the orange
> website" hahaha._

And this is why people avoid this site....