Memory organization in SFP, QSFP and XFP transceivers

Postby ArT » Thu Jan 30, 2020 10:23 am

In REVELPROG-IS you can select transceivers with the [USER] suffix in the memory database, e.g. SFP [USER], QSFP [USER] and XFP [USER]. Using a device with the [USER] suffix allows you to program any area in the memory map. In this tutorial I'll show you the typical memory organization for SFP, QSFP and XFP modules based on the MSA Standard. Please check the latest specifications on the SNIA organization page: https://www.snia.org/technology-communi ... ifications to keep up to date (e.g. SFF-8472, SFF-8636, INF-8077i for module interface description).

SFP/SFP+ memory map

SFP [USER] allows read/erase/write of any block or page in the memory map. Please take a look at the memory organization for typical SFP & SFP+ transceivers:

[Figure: SFP memory map from SFF-8472 specification]

  • In block A0h (256 bytes), the first 128 bytes (00h – 7Fh) are for serial ID and vendor information. This area may be write protected (a password may be required). The second 128 bytes (80h – FFh) are reserved.

  • In block A2h (256 bytes), the first 127 bytes (00h – 7Eh) hold diagnostic information (alarm and warning thresholds, calibration constants, real-time diagnostics) and the optional password entry area. The 128th byte (7Fh) is the page select byte (only if the SFP supports pages). The next 128 bytes (80h – FFh) are the page content, which depends on the selected page. An SFP may not support the A2h block (you will get a communication error) or page select (it may contain only a single page). Page 00h or 01h is User Writable EEPROM (120 bytes) and vendor specific (8 bytes). Page 0 may be write protected (a password may be required). Page 02h is for control functions. Pages 03h-7Fh are reserved. Pages 80h-FFh are vendor specific.

  • In the SFF-8472 specification, starting from page 11, you can check exactly what information is stored in memory.

QSFP/QSFP+ (QSFP28) memory map

QSFP [USER] allows you to read/erase/write any block or page in the QSFP/QSFP+ memory map. The [USER] mode allows you to read/write a specific part of memory. Please check the memory organization table in your QSFP/QSFP+ module datasheet or in the MSA Standard (SFF-8636 specification):

[Figure: QSFP memory organization table from SFF-8636 specification]

  • QSFP/QSFP+ contains only block A0h (256 bytes), divided into pages (byte 7Fh in block A0h is the page select byte). Pages are 128 bytes long. Page 00h is required and provides static module identity and capabilities information (it may be write protected with a password). Other pages may be optional.

  • Please note that Read-Only bytes can NOT be modified: there will be no effect (or a verification error) if you try to change these bytes.

  • In the SFF-8636 specification, starting from page 32, you can check exactly what information is stored in specific memory areas.

With REVELPROG-IS you can select a page from the menu and read/write specific pages.
Please note that you do not have to change page bytes manually in the buffer.
[Figure: Write specific pages using REVELPROG-IS]

XFP memory map

XFP [USER] allows you to read/erase/write any block or table in the XFP memory map. Please check the memory organization in your XFP module datasheet or in the MSA Standard (INF-8077i specification):

[Figure: XFP memory map from INF-8077i specification]

  • XFP contains only block A0h (256 bytes), divided into tables (byte 7Fh in block A0h is the table select byte). Tables are 128 bytes long. Table 01h is the default and contains Serial ID Data. Table 02h is User EEPROM. Tables may be write protected (a password may be required for erase or write). Other pages may be optional.

With REVELPROG-IS you can select a table from the menu (you do not have to change page bytes manually in the buffer) and read/write specific tables.
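
The three memory maps above, expressed as an added Python example (not part of the original post and not REVELPROG-IS code): it names the region a byte offset falls in and reports which regions differ between two dumps of the same block, for instance to review what a write actually changed. The function names, region labels and the all-zero sample dump are constructed for illustration.

```python
# Added example. Region names follow the memory maps described in this post;
# "lower memory" is a label chosen here for QSFP/XFP bytes 00h-7Eh.

def region(module, block, offset, page=0):
    """Name the region holding one byte. module is 'SFP', 'QSFP' or 'XFP'."""
    if not 0 <= offset <= 0xFF:
        raise ValueError("offset must be 00h-FFh")
    if module == "SFP" and block == 0xA0:
        return "serial ID / vendor info" if offset <= 0x7F else "reserved"
    if block != (0xA2 if module == "SFP" else 0xA0):
        raise ValueError("block not present for this module type")
    if offset < 0x7F:
        return "diagnostics / password entry" if module == "SFP" else "lower memory"
    if offset == 0x7F:
        return "page/table select byte"
    # Offsets 80h-FFh show whichever page or table is currently selected.
    if module == "SFP":
        if page in (0x00, 0x01):  # 120 bytes user EEPROM, then 8 vendor bytes
            return "user writable EEPROM" if offset <= 0xF7 else "vendor specific"
        if page == 0x02:
            return "control functions"
        return "reserved page" if page <= 0x7F else "vendor specific page"
    if module == "QSFP":
        return "static identity (page 00h)" if page == 0 else f"optional page {page:02X}h"
    names = {0x01: "serial ID (table 01h)", 0x02: "user EEPROM (table 02h)"}
    return names.get(page, f"optional table {page:02X}h")

def changed_regions(module, block, before, after, page=0):
    """Group the offsets that differ between two 256-byte dumps by region."""
    if len(before) != 256 or len(after) != 256:
        raise ValueError("each dump must be one 256-byte block")
    paged = not (module == "SFP" and block == 0xA0)
    # If the select byte differs, the two upper halves are different pages.
    end = 0x80 if paged and before[0x7F] != after[0x7F] else 0x100
    report = {}
    for off in range(end):
        if before[off] != after[off]:
            report.setdefault(region(module, block, off, page), []).append(off)
    return report

# Constructed sample: SFP block A2h, page 00h, before and after a write.
baseline = bytes(256)
current = bytearray(baseline)
current[0x90] = 0x41   # inside the 120-byte user EEPROM
current[0xFA] = 0x01   # inside the 8 vendor specific bytes
for name, offsets in changed_regions("SFP", 0xA2, baseline, bytes(current)).items():
    print(name, [f"{o:02X}h" for o in offsets])
```

When the select byte at 7Fh differs between the two dumps, only the lower half is compared, because the upper 128 bytes then belong to different pages or tables.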

Write protected transceivers and password entry

Some transceivers also provide an optional password entry location that may be used to protect vendor internal functions or user writable memory. A password shall not be required to read any data, but it may be used for write protection of specific areas. Nor shall passwords be required to write any controls defined in the digital diagnostics functions. Passwords may be used by manufacturers to control write access to MSA defined read only data for factory setup, or by OEMs to limit write access in the User EEPROM area. Finally, passwords may be used to control read or write access to the vendor specific pages or tables. Separate password value ranges will be defined to prevent accidental writing to critical module control areas. There are 2 types of passwords: manufacturer password and host password (also known as user password). You can enter the password using the password tool in the REVELPROG-IS application. If you do not know the password, you can try to hack it using the brute force password tool.

Please check this topic for more details on how to enter a password or how to search for the password of protected modules:
Writing protected SFP / QSFP / XFP and searching password (brute force method)
