Managing the Unmanaged Switch

Original link: https://watchmysys.com/blog/2026/03/managing-the-unmanaged-switch/

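## TP-Link TL-SG108: Unlocking Hidden Potential

The TP-Link TL-SG108 is an affordable 8-port Gigabit Ethernet switch based on the Realtek RTL8370N chip. Although it looks basic, the chip surprisingly has the features found in more expensive "web smart" managed switches; the difference is mainly a software limitation.

The TL-SG108 ships with limited firmware on a small-capacity SPI flash chip and cannot access advanced features such as VLANs. However, enthusiasts can unlock these features by upgrading the flash capacity (to 32Mbit) and flashing alternative firmware such as that of the Netgear GS308Ev4. This requires a programmer and a new flash chip, and involves modifying the switch's MAC address.

Despite the great potential, the upgrade does not always go smoothly. Problems include loss of LED functionality and a device that is difficult to reset. In addition, similar switches such as the Araknis AN-110 also use the RTL8370N but still restrict functionality even though the hardware is capable. Ultimately, for reliable managed switching, a used dedicated managed switch with OpenWrt support is usually better than modifying a basic model. TP-Link's recent restructuring may also affect future firmware compatibility.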

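This Hacker News discussion centers on the TP-Link TL-SG108 unmanaged switch and its striking similarity to the "smart" managed version, the SG108E. A user named 'luu' shared a blog post detailing how to manage an unmanaged switch, highlighting the cost-effectiveness of using a single hardware design and enabling features through firmware. Another user confirmed this, noting that the hardware is almost identical and that the main difference is the size of the flash that holds the firmware. However, a warning was posted about the SG108E: a known defect causes it to incorrectly broadcast non-VLAN traffic to all ports, effectively disabling VLAN functionality. This user also detailed the difficulties of managing the SG108E, which requires outdated software and complicated workarounds. The general consensus leans toward avoiding this hardware family unless only a simple unmanaged switch is needed.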

Original text

Today we are looking at the TP-Link TL-SG108, an 8 port Gigabit Ethernet plug-and-play desktop switch. It is a little less capable and cheaper than the usual fare here, but it does hide some interesting surprises!

Removing the two small screws on the bottom allows us to remove the top cover and see that the switch is based on the Realtek RTL8370N.

The RTL8370N is a low-cost Gigabit Ethernet switch chip first released in the mid 2010s and today is found in many low-cost 5 and 8 port gigabit switches. It may surprise you to learn that 5-8 port “web smart” managed switches are also using the RTL8370N. The feature difference is (mostly) a software limitation.

The RTL8370N has an embedded 8051 microcontroller, which for web managed switches is used to serve the web UI. Notably these switches do not offer cli access (telnet/ssh) as they lack the resources to run those services.

The Realtek description of the chip is very brief:

The RTL8370N-VB features low-power integrated 8-port Giga-PHYs that support 1000Base-T, 100Base-T, and 10Base-T.

Looking at the TL-SG108 switch and the box, there is no MAC address, no default IP address, and nothing to suggest that this switch would ever support more advanced features like VLAN tagging.

Luckily, the “Not for public release” datasheet on the RTL8370N can easily be found online.

The RTL8370N supports reading from an I2C EEPROM, or SPI flash after reset. The chip can operate with the 8051 core disabled, reading the configuration directly from an I2C EEPROM into the chip registers. Which mode to operate in is determined at power-on by reading the value of pin straps:

The TL-SG108 uses a 4Mbit (512KiB) SPI flash chip from Cfeon, which is too small to contain any assets for a web management interface. We can infer from the pin strapping configuration that the 8051 core is active, because there is no I2C EEPROM present and direct register loads are not supported with SPI flash.

Luckily, someone has created a GitHub repository containing firmware dumps from various switches based on the RTL8370N. Since there is no firmware dump of the TL-SG108E, we choose the GS308Ev4, which ships with a 32MBit (4MiB) SPI flash. To turn the TL-SG108 into a managed switch, we must first upgrade the flash capacity from 4Mbit to 32Mbit. Note that the TL-SG108 uses a 150mil SOP8 package, not the more common 200 mil SOP8; a GigaDevice GD25Q32 works nicely.

The second issue after confirming “does the switch boot?” is that converting multiple switches from unmanaged to managed will just create a MAC address conflict on the same L2 network, since all the switches will have the same MAC address.

With just a bit of searching, the switch MAC address and serial number can be located in the flash at offset 0x1fc000.


001fc000  54 07 7d 20 be 1b 37 48  39 31 34 38 35 58 41 30  |T.} ..7H91485XA0|
001fc010  45 36 45 00 ff ff ff ff  ff ff ff ff ff ff ff ff  |E6E.............|

The MAC address is contained in the first 6 bytes, with the remaining 16 bytes used for the null-terminated serial number. There is no checksum or hash of these values, so to change the MAC address or serial number you just need to replace the bytes.


001fc000  54 07 7d 20 be ef 37 48  39 31 34 38 35 58 41 30  |T.} ..7H91485XA0|
001fc010  45 36 45 00 ff ff ff ff  ff ff ff ff ff ff ff ff  |E6E.............|

So we can easily modify the MAC address 54:07:7d:20:be:1b from the dumped firmware to 54:07:7d:20:be:ef.

Apologies to Netgear for the firmware gore, but now we have VLAN management on our TL-SG108.

There are, of course, some downsides to reflashing plug-and-play switches to be managed:

  1. Cost: the TL-SG108E is only around $5 more new than the TL-SG108, which is roughly the cost of components to perform the upgrade
  2. Functionality: while the TL-SG108 boots the GS308Ev4 firmware and now supports VLAN management, none of the LEDs on the device work, and as it lacks a physical reset button, resetting from a configuration mistake is tedious
  3. Uncertainty: the packaging does not specify the hardware revision, and brands often revise their hardware to change suppliers or to reduce the bill-of-materials cost

In summary, given the price point of these switches when buying new I would highly recommend that you instead look for a used managed Gigabit switch. The price of these has come down considerably in recent years and many L2/L3 managed switches based on Realtek run Linux and can be supported by OpenWrt. I would stick to buying switches with stated compatibility with OpenWrt rather than risking buying something with an unsupported chip.

If you happen to already own a TL-SG108 and want to turn it into a managed switch, the components (ch341a programmer, 32MBit SPI flash) to do so are very inexpensive.


Next question: what does the Araknis Networks 110 series 8 port switch (AN-110-SW-F-8) have in common with the TL-SG108?

They are both based on the RTL8370N! I bet you did not see that coming 😉

The AN-110 is sold as an “Unmanaged+” switch and it does not include VLAN management but does have a web interface. For anyone wondering what “Unmanaged+” means: it offers monitoring via OvrC, a very bare-bones local web interface, and the capability for firmware updates (not that I could find any publicly available).

There are no VLAN features despite the RTL8370N supporting it.

While the Araknis AN-110 series uses a Winbond 25Q16JVSSIQ, the offset of the MAC address and length of the serial number are identical to the GS308Ev4 dump:


001fc000  14 3f 01 02 03 04 53 54  30 30 30 30 30 30 30 30  |.?....ST00000000|
001fc010  30 30 30 30 30 30 00 ff  ff ff ff ff ff ff ff ff  |000000..........|

0x1fc000 is probably the default offset for the MAC address and serial number in the Realtek SDK. I wonder if every RTL8370N switch is required to have a 16 character serial? If you happen to own an unmanaged desktop switch with a 16 character serial number, please disassemble it and leave a comment with your findings!
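The identity block shown in the GS308Ev4 and AN-110 hexdumps above can be read, patched and checked for clashes with a short Python script. This is an added example, not code from the original post: the function names, the 17-byte serial field (16 characters plus NUL, as in the AN-110 dump) and the blank test images are assumptions, while the offset and sample bytes come from the dumps on this page.

```python
import re

ID_OFFSET = 0x1FC000  # offset of MAC + serial, as given in the post
MAC_LEN, SERIAL_MAX = 6, 17  # assumption: serial is 16 characters plus NUL

def read_identity(image: bytes):
    """Return (mac, serial) stored at ID_OFFSET of a flash dump."""
    end = ID_OFFSET + MAC_LEN + SERIAL_MAX
    if len(image) < end:
        raise ValueError("dump too small to contain the identity block")
    block = image[ID_OFFSET:end]
    mac = ":".join(f"{b:02x}" for b in block[:MAC_LEN])
    serial = block[MAC_LEN:].split(b"\x00", 1)[0].decode("ascii", "replace")
    return mac, serial

def set_mac(image: bytes, new_mac: str) -> bytes:
    """Return a copy of the dump with only the six MAC bytes replaced."""
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}", new_mac):
        raise ValueError("expected a MAC such as 54:07:7d:20:be:ef")
    raw = bytes.fromhex(new_mac.replace(":", ""))
    if raw[0] & 1:
        raise ValueError("group (multicast) address is not a valid station MAC")
    read_identity(image)  # reuses the size check
    patched = bytearray(image)
    patched[ID_OFFSET:ID_OFFSET + MAC_LEN] = raw  # no checksum to update
    return bytes(patched)

def duplicate_macs(dumps: dict) -> dict:
    """Map every MAC shared by more than one dump to the dump names."""
    seen = {}
    for name, image in dumps.items():
        seen.setdefault(read_identity(image)[0], []).append(name)
    return {mac: names for mac, names in seen.items() if len(names) > 1}

def blank_image(size: int, block: bytes) -> bytes:
    """Constructed stand-in for a dump: erased flash plus an identity block."""
    image = bytearray(b"\xff" * size)
    image[ID_OFFSET:ID_OFFSET + len(block)] = block
    return bytes(image)

GS308E = bytes.fromhex("54077d20be1b") + b"7H91485XA0E6E\x00"  # from this page
AN110 = bytes.fromhex("143f01020304") + b"ST" + b"0" * 14 + b"\x00"  # from this page

if __name__ == "__main__":
    sw1 = blank_image(4 << 20, GS308E)           # 32Mbit part
    sw2 = set_mac(sw1, "54:07:7d:20:be:ef")
    print(read_identity(sw1), read_identity(sw2))
    print(duplicate_macs({"sw1": sw1, "clone": sw1, "sw2": sw2}))
    print(read_identity(blank_image(2 << 20, AN110)))  # 16Mbit part
```

Running `duplicate_macs` over every image before flashing catches the same-MAC conflict described earlier, and a 512KiB dump from the stock TL-SG108 flash is rejected because it ends before offset 0x1fc000.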

So, can the Araknis Networks AN-110 switch be flashed to enable management features? None of the firmware dumps contained in the GitHub repository seemed to boot on the switch, despite it using the same pin strapping configuration as the TL-SG108 (8051: enabled, SPI boot). J1 is an I2C header, not UART. The RTL8370N does not appear to have UART, so there is not much in the way of debugging options.


Epilogue

TP-Link (Systems) in the West is not the same TP-Link (Technology) company as found in China. TP-Link restructured in 2024 in response to US threats to ban the sale of products from Chinese owned IT companies. It is clear that the TL-SG108 design predates this split, as TP-Link has several different brands and the Mercury SG108 Pro is nearly identical externally to the SG108.

Despite the GitHub repository containing a dump of the SG108 Pro, flashing that dump to the TL-SG108 did not work to enable any management features. The TL-SG108 does boot the Mercury SG108 Pro firmware and obtains an IP address via DHCP, but no web interface is accessible and the Mercury utility to find and configure switches on the LAN is unable to locate it.

But what about backdoors?!1!1!?

I have not disassembled the 512KiB firmware that shipped on the TL-SG108, but it seems unlikely, especially on a switch that lacks even a MAC address in the firmware dump.
