PoE: Quick Guide & Cheap Hardware

I have been looking around for Power over Ethernet (PoE) devices to supply power to some networking hardware that will be located in a remote location, without a convenient power outlet. These networking hardware do not have built-in PoE support, so I have to find both an injector and a splitter device.

PoE is typically found on enterprise networking equipment, which usually means a higher price tag. Not wanting to spend a ton on PoE hardware, I did some research to understand what was required to make it work.

Hopefully this will help you understand PoE, how it works, and what to look out for when shopping for PoE hardware that are suitable for your needs.

PoE Quick Guide

Active vs Passive

Passive adapters are very simple, and you will see them mostly as an RJ45 socket with pigtails for power and Ethernet. These adapters do not contain or require any circuitry, which also explains why they are the more inexpensive option between the two.

Photo of a passive PoE injector & splitter pair, sold on Adafruit

Active PoE (the real Power over Ethernet) on the other hand requires some negotiation between the two devices, called the PSE (power sourcing equipment) and the PD (powered device).

There are several PoE standards. 802.3af, 802.3at and the newer 802.3bt. The difference is mainly in the maximum power is made available to PDs:

  • 802.3af – 15.4W
  • 802.3at – 30W
  • 802.3bt – 60W to 100W

802.3bt was just ratified in the last year (2017). In the time span before the 802.3bt standards was ratified (~8 years!), some companies like Linear Technolgy & Cisco Systems took it upon themselves to find other means of carrying up to 60W. The result was LTPoE++ and UPOE, an evolution of the existing 802.3af/at standards, but may not be compatible with the final standard arrived at by committee.

Mode A or B

The Cat5 cable has 8 wires, forming 4 twisted pairs. For 10/100Mbps, only 2 pairs are used: pair 1/2 for Tx and pair 3/6 for Rx.

The modes refer to how power is delivered to the device:

  • Mode A: pairs 1/2, 3/6
  • Mode B: pairs 4/5, 7/8

PoE mode A & B wiring diagram

Mode A uses the data pairs for power. This mode is well suited for very old cabling which didn’t connect all 4 pairs end-to-end. You might see some manufacturers calling this mode End-span wiring. To carry power over the same data cables, phantom power delivery is used (more on this later).

Mode B uses the unused (or spare) pairs for power. You might see this being referred to as Mid-span. This type of wiring is easier because it knows the pair is not carrying any data and thus can be wired directly.

Unlike mode A, mode B in this form cannot be used to carry power for Gigabit networks, because a Gigabit connection will require all 4 pairs for data transmission. Power must therefore be delivered via centre-tapped transformers, or what is known as phantom power. How this works is explained in a 1944 US Army video on telephone electronics.

Power Capacity

The committee decided that two pairs of Cat5 wire should only carry up to 30W of power; which two pairs will depend on whether mode A or B wiring is used.

For higher power capacity like 802.3bt (PoE++) or the non-standards-based UPOE and LTPoE++, the other 2 pairs will be paralleled up, making use of all 4 pairs to carry higher currents.

PoE wiring diagram for 4-pair based PoE

For Gigabit Ethernet (1000Mbps), because all 4 pairs are used to carry data, power (regardless of which pairs used) must be delivered via phantom power delivery.

Why use Active PoE?

In short, because it is safer.

It was designed with the consideration that not all network equipment can accept power, whether via the data pairs or spare pairs.

During the detection phase, the PSE will apply 2.7V to 10V to check for a known resistance. This voltage is low enogh and also for a brief period such that it wouldn’t matter if the device on the other end is shorted. A device that was not designed for PoE would thus never see any higher voltage beyond the detection phase.

Graph depicting voltage vs time during various PoE phases

In contrast, passive PoE makes the full voltage and current available on the data/spare pairs. If the remote end is using a magnetics configuration that shorts out the centre taps, the 30W of power would just melt the port (one would assume).

Integrated PSE controller chipsets will also contain features like overcurrent protection, thermal cut-offs and surge protection, etc. which all contribute towards keeping your PDs safe from harm.

Finding Low-Cost PoE Hardware

It was quite a daunting task, trawling AliExpress for PoE injectors & splitters. The description or specifications for items are also not accurate; it’s like finding a USB cable listed as capable of carrying 2A when in fact it does not.

While passive injectors are the cheapest option, most of them are not meant for Gigabit Ethernet. Recall that Mode B wiring is the easiest and most low-cost method for building a passive device, and that is what you will mostly find. This wiring configuration does not pass through all 4 pairs and thus cannot be used for Gigabit.

Most active PoE splitters output 12V, or 5V via USB. This is largely due to the fact that these devices were meant for IP cameras, which operate at that voltage. If your target device uses a non-standard voltage, you will have difficulty finding a suitable (and yet low-cost) splitter.

Here’s a list of hardware I’ve found; which one is suitable for you depends on your requirements:

  • Do you need 1000Mbps, or just 10/100Mbps would suffice?
  • What voltage does your target device require?
  • How much power does it require? 13W, 30W?

Continue reading


Crypto-Erasing BitLocker Drives

These days with larger and larger drive capacities, erasing stored data takes longer and longer. Another problem is also the inability to do so when the time comes, due to bad sectors or hardware failures. Just because the data is not accessible by you does not mean that it is also inaccessible to someone else with the know-how.

Cryptographic erasure to the rescue!

Crypto erase simply erases the encryption key that is used to encrypt the data on your drive. This is the primary reason why I encrypt my drives.

Oddly, I have not found anyone talking about BitLocker crypto erasure or doing it. The closest I have seen is manage-bde -forcerecovery, which removes all TPM-related key protectors. This is briefly described in a TechNet article titled BitLockerâ„¢ Drive Encryption and Disk Sanitation.

But what if we are not running Windows? What if the disk is not a Windows boot drive that is protected by a TPM key protector?

In order to erase the (key) data, we first need to know how the data is stored on disk. For open-source FDE implementations, this is easy because the disk format is well-documented, but BitLocker is not exactly open.

BitLocker Disk Format

BitLocker was first introduced in Windows Vista and has gone through changes since then. Some changes were made to the format in Windows 7, but has largely remained unchanged through Windows 8 till 10.

For LUKS, it is simple – there is a LUKS header at the start of the disk, followed by the encrypted volume data. For BitLocker, it is slightly more involved, probably due to backward-compatible design considerations.

The header at the start of the partition is a valid boot sector (or boot block), so not all BitLocker information can be stored within. Instead, this volume header points to the FVE metadata block where most of the data is kept. In fact, there are 3 of these for redundancy. This metadata block is what holds all the key material.

The metadata blocks are spaced (almost) evenly apart, located near the start of the volume.

# blwipe -offset 0x2010000 bitlocker-2gb.vhd
metadata offset 0: 0x02100000
metadata offset 1: 0x100c8000
metadata offset 2: 0x1e08f000
metadata block 0 (size 65536): parsed OK
metadata block 1 (size 65536): parsed OK
metadata block 2 (size 65536): parsed OK

The first metadata block usually begins at 0x02100000. This illustration depicts the locations for a 2 GB volume:

Diagram of disk layout with FVE metadata blocks marked out

If there are 3 of these blocks, how do we know know which ones contain valid data?

Continue reading

Replacing a Linux RAID Drive

NAS drives

I have been running a software RAID array at home for some time now. It’s a single network storage where I consolidate all my files. I manage this array manually using the mdadm command. Some people choose to buy a NAS storage box which hides all of the implementation details behind a nice Web GUI, but it’s essentially the same thing under the hood.

It operates with 4 drives using Linux software RAID 5, which means it can tolerate a single drive failure, but failures don’t always take out an entire drive. They usually manifest as bad sectors in a drive. As an illustration, the RAID 5 array below can still operate properly (meaning no data loss, yet) with bad sectors on two of its drives:

RAID 5 array with damaged blocks

As long as the other drives in the array doesn’t develop bad sectors in the same stripe, the data can still be reconstructed from the remaining good blocks. This means that you can somewhat leave the drive as it is for a period without replacement, but of course you are taking a risk.

I thought I’d share my experiences with drive replacements thus far.

Detecting Drive Problems

Most Linux distributions provide the raid-check script for periodic RAID scrubbing. This is basically a background cron job that tells the kernel to start checking the RAID array. For RHEL/CentOS systems, this should occur every weekend.

During this scrubbing process, all drives within the array are read and their parity blocks are computed, to ensure that everything tallies.

It is during this verification process that sometimes causes hard drive errors to show up. Typically when a drive encounters a problem during read, the hardware returns an error, which will then be logged by Linux. They can look like these:

ata3.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
ata3.00: irq_stat 0x40000001
ata3.00: failed command: READ DMA EXT
ata3.00: cmd 25/00:00:d8:10:27/00:02:05:00:00/e0 tag 8 dma 262144 in
         res 51/40:1f:b8:12:27/00:00:05:00:00/e0 Emask 0x9 (media error)
ata3.00: status: { DRDY ERR }
ata3.00: error: { UNC }
ata3.00: configured for UDMA/133
ata3: EH complete
 . (repeats)
sd 2:0:0:0: [sdc]  Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
sd 2:0:0:0: [sdc]  Sense Key : Medium Error [current] [descriptor]
Descriptor sense data with sense descriptors (in hex):
        72 03 11 04 00 00 00 0c 00 0a 80 00 00 00 00 00
        05 27 12 b8
sd 2:0:0:0: [sdc]  Add. Sense: Unrecovered read error - auto reallocate failed
sd 2:0:0:0: [sdc] CDB: Read(10): 28 00 05 27 10 d8 00 02 00 00
end_request: I/O error, dev sdc, sector 86446776

Continue reading

Netbooting Your Raspberry Pi

A very long time ago, I set up and played around with diskless machines. These are basically PCs can boot up an operating system fully without hard disks. All the operating system files come from a server on the network. It was amazing (well, to me at least)!

Back then, Ethernet cards used to have a DIP/PLCC socket, which allowed you to insert an EEPROM on which you burn a boot ROM. Fortunately I didn’t have to do any of that because the network cards at that time already came with PXE ROMs built-in, just as they do today. To activate this, you just need to select the network card’s option ROM in the boot order, or make it higher up in the boot priority.

3Com network card with boot ROM socket marked

As part of the boot process, the network card will request an address from the DHCP server, which also tells the client where it can find the TFTP server with the next boot stage. The ROM will download this file from the TFTP server and start executing it.

That’s how Linux ultimately gets started from the network.

An announcement was made recently on the Raspberry Pi blog that you can achieve total network boot, just like on the PC, without any SD cards.

Continue reading

Bruteforcing LUKS Volumes Explained

Some weeks back, we were forced to reboot one of our server machines because it stopped responding. When the machine came back up, we were greeted with a password prompt to decrypt the partition. No problem, since we always used a password combination (ok, permutation) that consisted of a few words, something along the lines of “john”, “doe”, “1954”, and the server’s serial number. Except that it didn’t work, and we forgot the permutation rules AND whether we used “john” “doe” or “jack” “daniels”.

All the search results for bruteforcing LUKS are largely the same — “use cryptsetup luksOpen --test-passphrase“. In my case, the physical server is in the server room, and I don’t want to stand in front of the rack trying to figure all this out. My question is, can I do this offline on another machine? None of those blog entries were helpful in this regard.

The LUKS Header

To answer this question, I took a look at the LUKS header. This header is what provides multiple “key slots”, allowing you to specify up to 8 passwords or key files that can decrypt the volume. cryptsetup is the standard userspace tool (and library) to manipulate and mount LUKS volumes. Since LUKS was designed based on TKS1, the TKS1 document referenced by the cryptsetup project was very helpful. After consulting the documentation & code, I came up with the following diagram that describes the LUKS key verification process:

LUKS encryption flowchart

Continue reading