*[USER] suffix it is abandoned in recent versions - you can change banks, tables & pages selecting transceiver without suffix.
SFP / SFP+ / SFP28 memory map
SFP [USER] allows read/erase/write of any block or page in memory map. Please take a look at memory organization for typical SFP & SFP+ transceivers:
- SFP memory map from SFF-8472 specification
- sfp-memory-organization.png (81 KiB) Viewed 11523 times
- In block A0h (256bytes) first 128bytes (00h – 7Fh) are for serial ID and vendor information. It may be write protected (password may be required). Second 128bytes (80h-FFh) are reserved.
- In block A2h (256bytes) first 127bytes (00h – 7Eh) are diagnostic information (alarm and warning thresholds, cal constants, real time diagnostics) and optional password entry area. 128th byte (7Fh) is page select byte (only if SFP supports pages). Next 128 bytes (80h-FFh) is page content (depends on selected page). SFP may not support A2h block (it will be communication error) or page select (it may contain only single page). Page 00h or 01h is User Writable EEPROM (120bytes) and vendor specific (8bytes). Page 0 may be write protected (password may be required). Page 02h is for control functions. Pages 03h-7Fh are reserved. Pages 80h-FFh are vendor specific.
- In SFF-8472 specification starting from page 11 you can check exactly what information is stored in memory
QSFP / QSFP+ / QSFP28 memory map
QSFP [USER] allows to read/erase/write of any block or page in QSFP/QSFP+ memory map. The [USER] mode allows to read/write specific part of memory. Please check memory organization table for your QSFP/QSFP+ module datasheet or in MSA Standard (SFF-8636 specification):
- QSFP memory organization table from SFF-8636 specification
- QSFP_memory_map.jpg (146.05 KiB) Viewed 11523 times
- QSFP/QSFP+ contains only block A0h (256 bytes) divided into pages (byte 7Fh in block A0h is page select byte). Pages are 128bytes length. Page 00h is required and provides static module identity and capabilities information (it may be write protected with password). Other pages may be optional.
- Please note that Read-Only bytes can NOT be modified - it will be no effect (or verification error) if you try to change these bytes
- In SFF-8636 specification starting from page 32 you can check exactly what information is stored in specific memory areas
With REVELPROG-IS you can select page from menu and read/write specific pages.
Please note that you do not have to change page bytes manually in buffer.
- Write specific pages using REVELPROG-IS
- QSFP_Write_Pages.jpg (95.45 KiB) Viewed 11523 times
XFP memory map
XFP [USER] allows to read/erase/write of any block or table in XFP memory map. Please check memory organization for your XFP module datasheet or in MSA Standard (INF-8077i specification):
- SFP memory map from INF-8077i specification
- XFP_memory_map.jpg (51.23 KiB) Viewed 11523 times
- XFP contains only block A0h (256 bytes) divided into tables (byte 7Fh in block A0h is table select byte). Tables are 128bytes length. Table 01h is default and contains Serial ID Data. Table 02h is User EEPROM. Tables may be write protected (password may be required for erase or write). Other pages may be optional.
SFP-DD / QSFP-DD / QSFP-DD800/ OSFP and other multiple lines transceivers
This option will be available in future update - please contact me if you need it earlier.
SFP-DD / QSFP-DD / OSFP allows to read/erase/write of any block or page for all CMIS compatible transceivers. CMIS standard has been desgined largely after the QSFP Memory Map so it's quite similar to SFF-8636 - memory map has been changed in order to accomodate more electrical lanes
In CMIS 5.2 specification starting from page 118 you can check exactly what information is stored in specific memory areas
- CMIS Module Memory Map from OIF-CMIS-05.2 specification
- CMIS_module_memory_map.jpg (174.64 KiB) Viewed 250 times
Memory map for OSFP / QSFP-DD / SFP-DD and other multiple lines transceivers (CMIS standad) is divided in two segments:
- Lower Memory (128 bytes -> addresses from 00h to 7Fh)
- Upper Memory (128 bytes -> addresses from 80h to FFh)
Lower memory is fixed. It's available in all transceivers. 2 last bytes in Lower Memory are for 3D addressing of Upper Memory. Byte 7Eh is Bank Address and byte 7Fh is Page Address. Basic modules that support only Bank 0 and Page 0 (fixed address) are called flat memory modules, whereas modules that support many banks and/or pages are called paged memory modules. Flat memory modules support only Lower Memory and Page 00h. Paged memory modules must additionaly support pages 01h, 02h and bank 0 of pages 10h and 11h.
Lower Memory Map Overwiew (00h-7Fh)
- CMIS Module Lower Memory Map from OIF-CMIS-05.2 specification
- CMIS_lower_memory_map.jpg (147.78 KiB) Viewed 250 times
As mentioned before bytes 126-127 (add 7Eh and 7Fh) are responsible for bank & page mapping. When you overwrite byte 7Eh you will select bank number. When you overwrite byte 7Fh you will select page number. For example, when you set Bank=00h and Page=00h in bytes 127-128 you can read administrative information from Upper Memory bytes 129-256 (manufacturer name, vendor name, s/n, part number, revision etc.). This area is selected by default and is supported by all transceivers.
Upper Memory - Bank 0 & Page 0
- CMIS Module Upper Memory Map Page 0 from OIF-CMIS-05.2 specification
- CMIS_upper_memory_page0.jpg (166.71 KiB) Viewed 250 times
Page 01h is Advertising. Page 02h are configured Thresholds. Page 03h is USER EEPROM etc. Below is list of all possible pages, but as mentioned before - implementation depends on specific transceiver. It may be flat module with only support for page 0.
- CMIS Module Upper Memory Map Page List from OIF-CMIS-05.2 specification
- CMIS_pages.jpg (420.7 KiB) Viewed 250 times
It's worth to mention also about lane banked modules. Bank 0 of pages 10h - 1Fh and 20h - 2Fh provides lane specific registers for the first 8 lanes, and each additional bank (Bank 1, Bank 2... etc) provides support for an additional set of 8 lines.
- CMIS Module Upper Memory Map Lane Banked from OIF-CMIS-05.2 specification
- CMIS_lane_banked.jpg (115.24 KiB) Viewed 250 times
Some bank & pages are read only. Some of them will be not implemented. For more information please check your transceiver datasheet which standard it supports and which bank & pages it supports. Next you can check more details in CMIS specification. With REVELPROG-IS programmer you can access to any bank or page directly from GUI:
- REVELPROG-IS Transceiver Programming Bank & Pages
- REVELPROG-IS_Transceiver-Programming_Bank-Pages.jpg (146.06 KiB) Viewed 250 times
Some of pages may be write protected (you can read it without password, but you can not overwrite data without valid password).
Write protected transceivers and password entry
Some transceivers also provides an optional password entry location that may be used to protect vendor internal functions or user writable memory. Password shall not be required to read any data, but it may be used for write protection for specific areas. Nor shall passwords be required to write any controls defined in the digital diagnostics functions. Passwords may be used by manufacturers to control write access to MSA defined read only data for factory setup, or to OEMs to limit write access in the User EEPROM area. Finally, passwords may be used to control read or write access to the vendor specific pages or tables. Separate passwords value ranges will be defined to prevent accidental writing to critical module control areas. There are 2 types of passwords: manufacturer password and host password (also known as user password). You can enter password using password tool in REVEPLROG-IS application. If you do not know password, you can try to hack it using brute force password tool.
Please check this topic for more details how to password entry or how to search password for protected modules:
Writing protected SFP / QSFP / XFP and searching password (brute force method)