Mellanox/Nvidia Connectx-7 fw update


jpmomo

Does anyone know of a way around the following error msg:

-E- Burning encrypted image on non-encrypted device is not allowed.



I am trying to burn a newer version of the connectx-7 ethernet nic fw but am getting that error msg above.

I have an mtusb-1 device and am able to update fw on most of my other nics.

I am hoping that I am just missing a parameter in my flint command:

flint -d /dev/mst/mtusb-1 -i /tmp/fw-ConnectX7-rel-28_34_4000-MCX713106AC-VEA_Ax-UEFI-14.27.15-FlexBoot-3.6.700.signed.bin --allow_psid_change --override_cache_replacement --no_flash_verify b


flint -d /dev/mst/mtusb-1 query
Image type: FS4
FW Version: 28.33.0751
FW Release Date: 21.3.2022
Product Version: 28.33.0751
Description: UID GuidsNumber
Base GUID: 00000000000bbb11 8
Base MAC: 0000000bbb11 8
Image VSD: N/A
Device VSD: N/A
PSID: MT_0000000841
Security Attributes: N/A
 

necr

Hmm, it seems your currently running FW has no "secure-fw", NIC MCX713106AC-VEAT should support it. Why do you need to cross-flash, especially with secure-fw? Why do you need mtusb-1 at all?
 

jpmomo

I am trying to update to the latest fw in hopes that it might work with esx 8. the card came with this fw but all of the updated fw from nvidia/mellanox seemed to be signed.
I initially tried to flash without the mtusb-1 but got that error msg.
In the past, the mtusb-1 has allowed me to get around some of those types of issues (usually a nic that has secure-fw on it and I wanted to apply fw with a different psid.)
I am hoping that I am just missing some parameters to workaround this issue as I can't seem to find any fw for this nic that isn't signed.
thanks for chiming in.
 

necr

the image that's already on the NIC seems suspicious, the MAC and GUID are not genuine. Can you please dump config of that image (flint -d xxx ri; flint -i image.bin q; flint -i image.bin dc)?
Have you tried shorting recovery pins and then burning with mtusb-1?
 

jpmomo

top of the dc output below: (it looks like the secure part is commented out. I can try to put into livefish mode (short the pins) and burn the signed image now that I have a backup of the current image.)

PS C:\mellanox> flint -i image.bin dc
;; Generated automatically by iniprep tool on Sun Jan 16 18:56:19 IST 2022 from ./cx7_MCX713106A_EN_200g_2p_crypto_sb.prs;; FW version: 28.98.1802

;; Generated by INIzer tool on 11/10/2021, 08:37:59
;; Intended for ConnectX-7 network adapters.

;; NVIDIA Corporation


;;[PS_INFO]
;;Name = MCX713106AC-VEA_Ax
;;Description = NVIDIA ConnectX-7 Ethernet adapter card; 200 GbE; Dual-port QSFP; PCIe 5.0 x16; Crypto and Secure Boot

[image_info]
;;;;; This section contains info which is shared by FW and burning tool

psid = MT_0000000841
name = MCX713106AC-VEA_Ax
description = NVIDIA ConnectX-7 Ethernet adapter card; 200 GbE; Dual-port QSFP; PCIe 5.0 x16; Crypto and Secure Boot
prs_name = cx7_MCX713106A_EN_200g_2p_crypto_sb.prs



;mcc_en = 1
;frc_supported = 1
;cs_tokens_supported = 1
;debug_fw_tokens_supported = 1
;signed_fw = 1
;secure_fw = 1
;encrypted_fw = 2
[mfg_info]
guids.guids.num_allocated = 8
guids.macs.num_allocated = 8

[device_info]
guids.guids.num_allocated = 8
guids.macs.num_allocated = 8

[boot_record]
;;;;; 1. Boot record endianes: reserved1 is the fist Byte that should be written on the NVRAM (address 0);2. Each line is protected by parity bit (bit 31) the xor of the 32 read bits should be 1
 

jpmomo

Livefish Mode: Enables the user to burn firmware via MTUSB when in livefish mode.
something added to cx-7 nics
this nic doesn't have the normal 2 pins or holes for shorting. It has 2 contact points (like a cmos reset). shorting them temporarily doesn't seem to have any effect.
I will try and short them continuously while I boot up with the mtusb-1 attached.
 

jpmomo

do you know if I can modify the output file, then convert it back to a .bin image file and then try and update with a signed image?
the goal is to be able to update to a newer version of fw. all of the newer versions of fw are signed. this card doesn't seem to allow signed fw in its current state (or I am missing some command/parameter to allow the update).
 

jpmomo

I tried using the mlxburn command by renaming the original .bin file to .mlx
I then modified the txt file with notepad++ to remove some of the comments from the encrypted_fw line
I then used the following command:
mlxburn -fw orig.mlx -conf myinifile.ini -wrimage newimage.bin -dev_type 536

it didn't seem to work and got the following msg:
No CR-SPACE found!

I tried to regenerate the .txt file using the cmd vs ps but got the same error.
I then tried to use the ini file without modifying (output of the flint dc command)
still got the same msg.
Not sure if it is an issue with the .mlx file or the .ini or something else.
 

necr

jpmomo said:
"do you know if I can modify the output file, then convert it back to a .bin image file and then try and update with a signed image?"

was possible with BeTeP scripts for ConnectX-2/3, but now it's a new image type FS4 which would require an analysis and rewrite, so a long way.
.mlx file is a special file only Mellanox has, it includes opcodes and binary sections.

My next step would be Mellanox/Nvidia support, if you have a legit card.
 

jpmomo

thanks for the input. This is kind of a franken-nic so I am not sure how much mellanox can help at this point.
It is just weird that I am getting this error as we usually get the opposite. ex. trying to load unsigned fw or a different psid onto a secure-fw nic.
vs what I am seeing now: trying to load a signed fw onto an unsigned nic.
With the mtusb-1 I was able to go back and forth with the cx6-dx nics which were mostly secure_fw.
 

necr

The only other thought I have is to erase flash so that you wouldn't get any secure-fw prompts.
Looking into this livefish-mode (there's a package mlxbf-livefish in the latest OFED) may be a way forward.
 

jpmomo

Do you know of any command to erase the flash? flint has an "e" parameter for erase but you need to pass a sector. I tried to jump the 2 pins (contact points) to try and put it into livefish mode but that didn't seem to work on this card.
I was able to get a backup of the current fw so I don't mind trying to experiment with this nic.
The issue still seems to be the following:
-E- Burning encrypted image on non-encrypted device is not allowed.

I have tried many combinations of the flint command and also the mlxburn. There doesn't seem to be any fw images of the newer fw that are not encrypted. I need to try and upgrade to a newer fw version so that it would be supported in vmware 8.
thanks again for trying to help.
 

jpmomo

some more details attached. the livefish pins/holes seem to be soldered on this card. I also have the mtusb-1 connected via another hack :)

I tried to use a flat blade screwdriver to jump the 2 points on the FNP while the server was on but that did not seem to put it into any type of flash recovery mode.

I also didn't find any info on the mlxbf-livefish.
I have multiple OSs that I have tried with this setup (currently on a bench). the current OS is ubuntu 22.04 with the latest ofed .iso
 


chw

I've run into a similar issue. Got a card off ebay that has a label with MCX713106AC-VEAT (2x200G ETH) on it, but reports as MCX755206AS-NEAT (1x 400G IB, 1x400G IB or 1x200G ETH) (seemingly part of a DGX H100 system).
I suppose this has been cross-flashed or mislabeled.
Can't burn any new images onto it because it complains about non-encrypted device.

Code:
# flint -d 41:00.0 -i fw-ConnectX7-rel-28_36_2024-MCX755206AS-NEA_Ax-UEFI-14.29.14-FlexBoot-3.6.901.signed.bin b
-E- Burning encrypted image on non-encrypted device is not allowed.
I'd like to use two ports as 200G Ethernet, but it only lets me use port P1 as Infiniband, not configurable to Ethernet. Second port P2 works fine as Ethernet.
I'm wondering if there is a possibility to either cross-flash it somehow to a VEAT firmware so, both ports can be used as 200G Ethernet, or if it is somehow possible to change the config, so that port P1 can be used as Ethernet.
(nv_config.port[0].vpi.network_link_type_eth = 0x1 instead of 0x0 in [fw_boot_config])
Any ideas what to do?
@jpmomo: did you get any further in your quest?

Code:
# flint -i current_CX7_firmware_dump q
Image type:            FS4
FW Version:            28.34.4000
FW Release Date:       28.8.2022
Description:           UID                GuidsNumber
Base GUID:             00000002c911a4bb        16
Base MAC:              0002c911a4bb            16
Image VSD:             N/A
Device VSD:            N/A
PSID:                  MT_0000000892
Security Attributes:   N/A
Security Ver:          0

# flint -i current_CX7_firmware_dump dc
;; Generated automatically by iniprep tool on Tue Mar 29 09:09:05 IDT 2022 from ./cx7_CX755206A_VPI_400g_2p_uncrypto_sb.prs;; FW version: 28.33.0808

;; Generated by INIzer tool on 11/10/2021, 08:37:09
;; Intended for ConnectX-7 network adapters.

;; NVIDIA Corporation


;;[PS_INFO]
;;Name = MCX755206AS-NEA_Ax
;;Description = NVIDIA ConnectX-7 VPI adapter card; 400Gb/s IB and 200GbE; dual-port QSFP; PCIe 5.0 x16 with x16 PCIe extension option; dual slot; secure boot; no crypto; tall bracket for Nvidia DGX storage

[image_info]
;;;;; This section contains info which is shared by FW and burning tool

psid = MT_0000000892
name = MCX755206AS-NEA_Ax
description = NVIDIA ConnectX-7 VPI adapter card; 400Gb/s IB and 200GbE; dual-port QSFP; PCIe 5.0 x16 with x16 PCIe extension option; dual slot; secure boot; no crypto; tall bracket for Nvidia DGX storage
prs_name = cx7_CX755206A_VPI_400g_2p_uncrypto_sb.prs



;mcc_en = 1
;frc_supported = 1
;cs_tokens_supported = 1
;debug_fw_tokens_supported = 1
;signed_fw = 1
;secure_fw = 1
;encrypted_fw = 2
[mfg_info]
guids.guids.num_allocated = 16
guids.macs.num_allocated = 16

[device_info]
guids.guids.num_allocated = 16
guids.macs.num_allocated = 16

[boot_record]
;;;;; 1. Boot record endianes: reserved1 is the fist Byte that should be written on the NVRAM (address 0)\;2. Each line is protected by parity bit (bit 31) the xor of the 32 read bits should be 1
clocks.pll_i1_clk.core_r = 0x03
clocks.pll_i1_clk.core_f = 0x01cac00
clocks.pll_i1_clk.core_od = 0x7
clocks.pll_i1_clk.core_bwadj = 0x038
clocks.pll_i1_clk.core_s = 0x30d
clocks.pll_i1_clk.core_v = 0x0
clocks.pll_p1_clk.core_r = 0x03
clocks.pll_p1_clk.core_f = 0x01cee00
clocks.pll_p1_clk.core_od = 0x7
clocks.pll_p1_clk.core_bwadj = 0x039
clocks.pll_p1_clk.core_s = 0x30d
clocks.pll_p1_clk.core_v = 0x0
secondary_flash_div = 3

[fw_boot_config]
;;;;; boot + iron fw config data
pcie_cfg_data.pci_cfg_space.cfg_hdr.device_id = 4129
pcie_cfg_data.pci_cfg_space.sriov.vf_device_id = 4126
pcie_cfg_data.pci_cfg_space.cfg_hdr.subsystem_id = 0x0051
multi_function.mac_for_bmc_required = 0
nv_config.global.pci.settings.fpp_en = 1
nv_config.global.pci.settings.total_vfs = 0x10
nv_config.global.pci.settings.sriov_en = 1
nv_config.port[0].vpi.network_link_type_ib = 0x1
nv_config.port[0].vpi.network_link_type_eth = 0x0
nv_config.port[0].vpi.default_link_type_ib = 0x1
nv_config.port[0].vpi.default_link_type_eth = 0x0
nv_config.port[1].vpi.network_link_type_ib = 0x1
nv_config.port[1].vpi.network_link_type_eth = 0x1
nv_config.port[1].vpi.default_link_type_ib = 0x1
nv_config.port[1].vpi.default_link_type_eth = 0x0
multi_function.num_of_ports = 2
multi_function.physical_port_split_mask = 0x5
...
 

Civiloid

Has anyone managed to figure out how to update the firmware?

I got myself a "cheap" CX-7 (half the price of a retail one) that has firmware that is older than the oldest archive version:
Code:
Image type:            FS4
FW Version:            28.33.0751
FW Release Date:       21.3.2022
Part Number:           MCX713106AC-VEA_Ax
Description:           NVIDIA ConnectX-7 Ethernet adapter card; 200 GbE; Dual-port QSFP; PCIe 5.0 x16; Crypto and Secure Boot
Product Version:       28.33.0751
Description:           UID                GuidsNumber
Base GUID:             00000000000bbb11        8
Base MAC:              0000000bbb11            8
Image VSD:             N/A
Device VSD:            N/A
PSID:                  MT_0000000841
Security Attributes:   N/A
Default Update Method: fw_ctrl
Life cycle:            PRODUCTION
Secure Boot Capable:   Disabled
Encryption:            Disabled
it is dual-port but performance of the card is horrible in its current state.


@chw

Probably my dump can be useful for you (if you haven't figured out how to update firmware) as it enabled second port, however when I tried stress-testing my card it performed worse than CX4 (small packet generation) on receive so might be not the best idea.
 

necr

No ideas as of now.
The production images are fully encrypted, there are no visible sections. An upgrade is possible from a card which itself is encrypted and can do the decryption. I assume the worst, that HW_POINTERS sections could be used as additional security layer - full flash dump of a secure card didn't start on another card.

The non-encrypted images come from the "cheap" franken-cards. I have tried rewriting the DBG_FW_INI section (sure, that works), but the card doesn't care about the new speed or lane parameters, which means other sections are likely in action.

Need ex-Mellanox here to figure out what's in the other sections to edit the unencrypted image at least.
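
One way to triage a second-hand card's provenance from the `flint q` and `flint dc` output discussed in this thread, as an added example (not code from any poster or from NVIDIA). The sample text is constructed from the dumps above; the function names, finding names, the all-zero-OUI test and the choice to flag commented-out `signed_fw`/`secure_fw`/`encrypted_fw` keys are assumptions of this example.

```python
import re

# Constructed samples modelled on the `flint q` / `flint dc` output posted in this thread.
SAMPLE_QUERY = """\
Part Number:           MCX713106AC-VEA_Ax
Base MAC:              0000000bbb11            8
PSID:                  MT_0000000841
Security Attributes:   N/A
Secure Boot Capable:   Disabled
Encryption:            Disabled
"""
SAMPLE_DC = """\
[image_info]
psid = MT_0000000841
name = MCX713106AC-VEA_Ax
;signed_fw = 1
;secure_fw = 1
;encrypted_fw = 2
[mfg_info]
"""

def parse_query(text):
    """Map 'Key:   value' lines of flint query output to a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):\s+(.*\S)\s*$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields

def parse_dc(text):
    """Split flint dc settings into (active, commented-out) dicts.
    A single leading ';' marks a key that is present but commented out."""
    active, commented = {}, {}
    for line in text.splitlines():
        m = re.match(r"^(;?)([\w.\[\]]+)\s*=\s*(.*)$", line.strip())
        if m:
            (commented if m.group(1) else active)[m.group(2)] = m.group(3).strip()
    return active, commented

def audit(query_text, dc_text, label_part=None):
    """Return provenance findings; these are heuristics, not vendor rules."""
    q = parse_query(query_text)
    active, commented = parse_dc(dc_text)
    findings = []
    if q.get("Security Attributes") == "N/A":
        findings.append("no-security-attributes")
    for key in ("Secure Boot Capable", "Encryption"):
        if q.get(key) == "Disabled":
            findings.append(key.lower().replace(" ", "-") + "-disabled")
    mac = q.get("Base MAC", "").split()[:1]
    if mac and mac[0].startswith("000000"):  # assumption: all-zero OUI is a placeholder
        findings.append("placeholder-mac-oui")
    off = [k for k in ("signed_fw", "secure_fw", "encrypted_fw") if k in commented]
    if off:  # assumption: commented-out security keys are worth flagging
        findings.append("commented-out:" + ",".join(off))
    reported = q.get("Part Number") or active.get("name", "")
    if label_part and reported.split("-")[0] != label_part.split("-")[0]:
        findings.append("label-mismatch:" + label_part + "!=" + reported)
    return findings
```

Pass the part number printed on the card's sticker as `label_part` to catch the mislabeled or cross-flashed case chw describes.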
 

Civiloid

If you want to try, I can upload firmware that I have somewhere, as both ports on mine are working, but card is misbehaving in terms of small packet performance.

And my card is also unencrypted, so maybe you can figure out something for your card from it.
 

jpmomo

chw said:
"I'd like to use two ports as 200G Ethernet, but it only lets me use port P1 as Infiniband, not configurable to Ethernet. Second port P2 works fine as Ethernet. [...]"

try the following command:

mlxconfig -d /dev/mst/mt4103_pci_cr0 set LINK_TYPE_P1=2 LINK_TYPE_P2=2

where the device id is your device id of the actual nic. even though the description of the card says it is 1 IB and 1 EN, this fw should allow 2 EN ports.
 

jpmomo

Civiloid said:
"If you want to try, I can upload firmware that I have somewhere, as both ports on mine are working, but card is misbehaving in terms of small packet performance.

And my card is also unencrypted, so maybe you can figure out something for your card from it."

what are you using to test small frame sizes?
What are your system specs?
What does the output of lspci -vv look like for the pci id of the cx7 nic?