First Packet: A Bare-Metal Switch Running 100% Our Own Code

Five packets sent, five received — across a Broadcom Trident+ ASIC programmed without the proprietary SDK. The milestone, and the ten undocumented walls it took to get there.

If you’ve been following the reverse engineering journey — there’s finally data flowing through silicon. The switch is talking to a Cisco Nexus on the other end, forwarding real traffic through the hardware. A simple ping: five packets sent, five received. A small thing in networking, but a massive milestone when every byte is moving through an ASIC you programmed yourself.

I wrote a custom network operating system for the Edgecore AS5610-52X — a 48-port 10GbE whitebox switch powered by a Broadcom BCM56846 (Trident+) ASIC. No proprietary Broadcom SDK. No binary blobs. Just Linux, a custom switch daemon, and a lot of reverse engineering to get pure Linux running on a bare-metal switch.

What’s running

Linux 5.10 on the PowerPC P2020 control plane
A custom switchd handling all ASIC programming
Full DMA packet I/O through the ASIC
TAP interfaces for every port — the switch looks like a normal Linux box
ARP, ICMP, and L2 forwarding, all working through the silicon

About OpenMDK

During the reverse engineering process I leaned on Broadcom’s OpenMDK — a source-available library (note: source-available, not open-source — it ships under Broadcom’s own license, not an OSI one) with register definitions and basic chip-init routines (CDK/BMD/PHY), published on GitHub only about seven months ago. It was a huge help for identifying register layouts, SerDes firmware loading, and the S-Channel protocol.

But OpenMDK does not give you a working NOS. Not even close. There’s no DMA engine configuration for big-endian hosts, no CPU punt setup, no packet I/O framework, no platform integration — it gives you building blocks and you have to figure out the rest. “The rest” turned out to be the hard part. (The full proprietary SDK was reference-only, and never shipped in this work.)

What it took

Ten separate technical breakthroughs that aren’t documented anywhere — from retimer CDR reset sequencing, to big-endian DMA descriptor byte-swapping, to discovering that the ASIC silently strips VLAN tags on CPU-bound frames. Each one was a wall. Each had to be debugged on live hardware with register dumps, hex packet traces, and cross-referencing against reverse-engineered Cumulus Linux captures.

This is just the beginning. L2 switching works. L3 routing runs in the kernel. Next up: more ports, hardware offload, and a proper CLI.

source: Expanded from a LinkedIn post (2,000+ impressions). OpenMDK described per its actual license: source-available, not open-source.