In this first teardown we will take a look under the hood of a Defzone 300sg firewall. These firewalls have been sold around the year 2007 and are not supported anymore. Moreover, there is no information in the internet on this device and its manufacturer. Time to take a closer look at the hardware used in these devices!

Case

The case is a simple looking 19 inch 1U rack mount case. The case also has rubber feet so it can be placed on any flat surface without the need for a 19 inch rack.

Defzone 300sg case

On the front there are seven LEDs indicating the status of Power, DIAG, DMZ, Wan 1, Wan 2, Wan 3, and Wan 4. Next to the LEDs there are 16 RJ45 ports. These are labeled 1 through 11, 12/Wan 4, 13/Wan 3, Wan 2, Wan 1, and DMZ. On the right of the RJ45 ports is also a Reset button which needs to be pressed with a screwdriver or other small object.

Defzone 300sg case rear

The back of the device is nothing special, just a standard IEC C14 power connector.

PSU

The PSU is an off-the-shelf part made by Seasonic. Its part number is SSF-0251-2 and it is capable of outputting 5V at 5A.

PSU

The device is protected by a slow-blow 1.0A 250V fuse. Located around the fuse are the X and Y rated capacitors and a small choke. These components provide EMI and RFI suppression.

After the X and Y capacitors, the input current gets filtered by a common mode-choke, also to filter out EMI. The small black bar just below the common mode choke is the bridge rectifier. This part converts AC power to DC. The green part on the right of the bridge rectifier is a thermistor. This part limits the inrush current of the PSU. When not limited this may cause a circuit breaker to trigger when the device is plugged in.

PSU top

After the current has been rectified by the bridge rectifier, it is smoothed out by a large electrolytic capacitor. This one is made by Nippon Chemi-Con and rated 400V 68µF. Mounted on the large heatsink above the capacitor is a Fairchild KA1M0265R power switch. This component contains a PWM IC and a power MOSFET which will switch the power to the transformer on and off.

The large component to the right of the capacitor is the transformer. The four pin chip right above the transformer is an optocoupler which provides feedback to the power switch. The power switch needs this feedback to adjust the PWM based on the power draw of the circuit being powered by this PSU.

The transformer converts the given voltage on its primary winding to a lower voltage on its secondary winding. Since the current coming from the transformer is alternating it has to be rectified again. This is done by two power diodes in a single TO-220 package. The part number for the component used in this power supply is LT5250. This part is screwed to the L-shaped heatsink on the right side of the power supply.

The output is then again smoothed by two 6.3V 2200µF electrolytic capacitors made by Rubycon. The current then passes through an inductor and past another electrolytic capacitor (6.3V 1600µF, Nippon Chemi-Con) to filter out ripple which may be present in the output of the PSU.

Mainboard

The mainboard is the only other board in this firewall, apart from the PSU. The first thing that stood out was the amount of empty space on the board. As a result of the empty space, the mainboard has a very clear layout.

Mainboard

The power coming from the PSU enters the mainboard via the white connector on the left side of the mainboard. This connector has two ground pins and two 5V pins. Two 16V 1000µF are located directly after the input connector. From there, the voltage gets stepped down to 3.3V.

To step the voltage down to 3.3V there is a RT9214 chip made by Richtek which controls a MOSFET. The MOSFET has the same SOP-8 package as the controller chip and its part number is 4812. I was unable to find any datasheet on that particular component. The MOSFET switches the power going through a quite large toroidal inductor. The 3.3V is then smoothed by two 16V 1000µF capacitors.

The voltage is then stepped down for a second time, from 3.3V to 1.8V. This is done by a Nikos L1085S3G. This is a linear regulator instead of a switched regulator.

Mainboard: power supply

The firewall is based around the Intel PRIXP425ABD processor. The processor in this device has been manufactured in the year 2006. The Intel IXP42X line processors where designed specifically for network applications. This processor is not based on the x86 architecture. Instead, this processor implements a subset of ARMv5 which Intel called XScale. Also, the developers manual can still be found online.

The processor is surrounded by two Samsung K4S561632E-UC75 256Mb SDRAM chips. There are two unpopulated spots next to these chips for more SRAM chips. In addition to the SDRAM there is a single Intel Flash chip. The chip's type number is JS28F128.

The small chip in between the processor, SDRAM and Flash is a PI6C24, manufactured by Pericom. This chip is a so called clock buffer featuring five outputs. It is used to distribute the clock signal to the SDRAM and Flash memory
chips.

Another small chip can be seen just below the processor chip. This is a Cypress CY25100 spread spectrum clock generator. The main function of this device is to reduce EMI emitted from the system. This chip is surrounded by multiple crystals used for generating the clock signals.

On the left side of the CY25100 are two 74LVC04AD Hex inverters. The ones used on this board are manufactured by Philips (currently NXP).

Mainboard: processor and memory

The network connections are handled by a Realtek RTL8318P chip. This chip is an ethernet switch controller. It has two companion chips of which I could not remove the heatsinks. Based on the RTL8318's datasheet I assume these are RTL8208B chips, which are octal 10/100base TX/FX PHY trancievers.

The trancievers translate the digital signal coming from the RTL8318P to signals suitable for the ethernet physical layer. The inputs coming from the RJ45 connectors are filtered by Delta LFE8731 filters.

Both the tranciever chips have got an B1182 medium power transistor next to them. These parts are manufactured by Rohm semiconductor. Note the size of the copper their heatsink is mounted to. This extended copper area will act as heatsink for the transistor.

Mainbord: network chips

The RJ45 ports themselfes are placed on a separate ground plane, disconnected from the rest of the mainboard's ground plane. This has probably something to do with preventing ground loops.

Mainboard: RJ45 connectors

SNx4LV164A shift registers are located outside and on both sides of the RJ45 connector ground plane. These shift registers are used as LED drivers for the device's status LEDs and for the status leds integrated in the RJ45 connectors.

Mainboard: shift register LED driver chips

A 3V coin cell battery is located on the lower right side of the mainboard. This battery powers an RTC chip. The power coming from the battery goed through three zener diodes, each dropping the voltage 0.4V. This results in a 1.8V supply voltage for the RTC. This is a simple but effective way to "regulate" the voltage for the RTC. The RTC itself is a Ricoh RS5C372A real time clock.

Mainboard: RTC

The last components that remain are the ones on the right side of the board. There are some unlabelled and unpopulated headers located there, together with a Xilinx XC2C32A CPLD.

Two 6-pin single row headers are connected to the CPLD. The largest header looks like a JTAG header used for debugging purposes. Then there is a 10-pin double row header connected to the main processor.

Hacking

This device has some potential for hacking its hardware. The programming manual for the processor and the datasheet for the Realtek network chips are available. Since there might also be an JTAG header available, there might be a possibility to flash the device via this JTAG header.