RRCP – Realtek Remote Control Protocol

Recently, while investigating some strange network packets sourced from my new D-Link switch when configured for “loopback detection”, I came across “RRCP”, or “Realtek Remote Control Protocol” (ethertype 0x8899). I had never heard of it before, even though it seems to be quite interesting.

Basically it’s a protocol for configuring a network switch without the need for the embedded microcontroller that is usually used to serve fancy web GUIs or telnet prompts. It works with the Realtek chips RTL8316BP, RTL8318P, RTL8324P, RTL8316B, RTL8324, RTL8326 and RTL8326S, which are often found in switches, even in cheap unmanaged ones. Depending on the specific type of switch, this means that RRCP can sometimes be used to more or less turn a cheap unmanaged switch into a managed one, in some cases even without any hardware changes or with only minor changes such as desoldering a small SMD resistor.

Links: Wikipedia on RRCP, OpenRRCP project

The OpenRRCP project provides some more details about the inner workings of RRCP, including authentication and feature set. Security seems to be an issue if the switch MAC is known, as RRCP security is based on knowledge of the switch’s MAC address and a 16-bit key value, which should be easy to brute-force. There is a hardware list available that even provides details about the (hardware) changes necessary to use RRCP on certain switches.
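To find out which devices on a segment emit frames with this ethertype, captured Ethernet frames can be filtered for 0x8899 (also behind VLAN tags) and grouped by source MAC. This is an added example, not code from this post or from OpenRRCP; the function names, sample MAC addresses and payload bytes are constructed, and the first payload byte is treated as an opaque value.

```python
import struct
from collections import Counter

ETH_REALTEK = 0x8899            # ethertype the post names for RRCP
VLAN_TAGS = {0x8100, 0x88A8}    # 802.1Q / 802.1ad tags that may precede it

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame: bytes):
    """Return (src_mac, dst_mac, first_payload_byte) for a 0x8899 frame, else None."""
    if len(frame) < 14:
        return None                                 # truncated Ethernet header
    offset = 12
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in VLAN_TAGS:                   # skip stacked 4-byte VLAN tags
        offset += 4
        if len(frame) < offset + 2:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    if ethertype != ETH_REALTEK:
        return None
    payload = frame[offset + 2:]
    # The payload layout is not described in the post, so the first byte is
    # reported as an opaque value that only helps tell frame kinds apart.
    return mac(frame[6:12]), mac(frame[0:6]), payload[0] if payload else None

def inventory(frames):
    """Count 0x8899 frames per (source MAC, first payload byte)."""
    seen = Counter()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed:
            seen[(parsed[0], parsed[2])] += 1
    return seen

def _frame(dst, src, ethertype, payload, vlan=None):
    """Build a constructed test frame; not captured traffic."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return bytes.fromhex(dst + src) + tag + struct.pack("!H", ethertype) + payload

SAMPLE_FRAMES = [   # constructed; MACs and payload bytes are made up
    _frame("ffffffffffff", "001122334455", 0x8899, b"\x03" + bytes(45)),
    _frame("ffffffffffff", "001122334455", 0x8899, b"\x03" + bytes(45), vlan=10),
    _frame("ffffffffffff", "66778899aabb", 0x0800, bytes(46)),
    b"\xff" * 10,
]

if __name__ == "__main__":
    for (src, kind), count in inventory(SAMPLE_FRAMES).items():
        print(f"{src} sent {count} frame(s) with ethertype 0x8899, first byte {kind}")
```

Any MAC address that shows up in this inventory is a candidate for closer inspection, since the MAC is one of the two values RRCP authentication relies on.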

To use the OpenRRCP tools for RRCP one has to download the source code, preferably from SVN. There are two different branches: the official one (SVN snapshot) and one called “littlesavage’s branch” (SVN snapshot), which contains some extra features such as switch autodetection, while the official branch seems to be more up to date.

Compiling the source code is straightforward with “make” as long as the necessary compile tools and libraries are in place. The result is a few binaries such as “rtl83xx” for command-line switch control and “rrcpcli”, which emulates a Cisco command-line interface – pretty cool stuff considering the usual price of such cheap “unmanaged” switches.

Unfortunately my switch is a managed one (based on rtl8389m), so I don’t really need RRCP – it doesn’t even seem to respond to RRCP even though it sources a type of RRCP packet when in “loopback detection” mode. But that could also be related to the fact that I don’t know the RRCP AuthKey – and didn’t bother (yet?) to try to brute-force it, given that my switch is manageable anyway via a nice Web GUI (and the specific Realtek chip is not supported by OpenRRCP).

But nevertheless the topic of RRCP might be interesting for some. 🙂

 
