Disabling Xserve FireWire Lock

Discussion in 'Mac OS X Server, Xserve, and Networking' started by bmehilos, Feb 12, 2014.

  1. bmehilos macrumors newbie

    Joined:
    Feb 19, 2007
    Location:
    Illinois
    #1
    Hello all,

    So Xserves have these little hardware locks that lock down the case and the drives, as well as disabling the USB/Firewire ports. Handy, but not for me.

    I'm trying to set up a little local FireWire network between a Mac mini server which rests on the rack below it, and the Xserve itself, to keep heavy file transfers from slowing down the rest of the machines on the switch. Is there any way to keep the lock on without it disabling the FireWire ports? If I switch the lock off, set up the IP over FireWire network, then switch it back on, will that be enough to keep the FW net in place?

    PS: There is no other way to do this either. The mini has no TB port, and its Ethernet port is occupied permanently.
     
  2. AmestrisXServe macrumors 6502

    Joined:
    Feb 6, 2014
    #2
    As far as I understand, that lock prevents most FW operations, and I would highly suspect that IPoFW is one of them. You can certainly try unlocking it, setting up a link, and relocking it to see if the link remains. If it does, then you will know that it works; and if not, you shall know otherwise.

    Why not put a small (secondary) ethernet switch on your mini, and route the XServe to the switch, on its own subnet, and that switch to your main switch?

    That will keep your mini on your main subnet, and allow a secondary subnet to handle your larger traffic file transfers between the two machines. Yes, this would use ethernet bandwidth on the mini, but it won't clog the rest of your network. (The XServe has two ethernet ports, so you can easily route one to the secondary switch, or add another NIC on the XServe, if you have an empty slot, to handle the second subnet.)

    For the record, why are you locking the system at all?

    (This is rather why I don't recommend Minis for networking in the first place, as unless they have TB, and you want to buy a TB PCIe cage, they have no expansion possibilities.)
     
  3. bmehilos thread starter macrumors newbie

    Joined:
    Feb 19, 2007
    Location:
    Illinois
    #3
    I've sort of inherited this whole setup at this job so as to why it's locked, even though it's in a card-access locked server room, I really don't know. I don't think anyone who works here is going to try and steal some old DDR2 RAM or plug in some malicious USB stick to it.

    I just needed to know if there was a way to do it via software, rather than hardware, as I don't have card access to the aforementioned server room, so me getting in there means taking someone else away from their work and making them watch me fuddle around in there (I mean what do they think I'm going to do, start going crazy with a pair of scissors? Hit the reset button on the big rack labelled AD?)
     
  4. AmestrisXServe, Feb 13, 2014
    Last edited: Feb 13, 2014

    AmestrisXServe macrumors 6502

    Joined:
    Feb 6, 2014
    #4
    The HW lock will override any SW tools in any event. You will need to have access, and there should be someone who can give it to you. To be frank, if there is no admin on-site, then there is a huge problem.

    If you don't have access to the systems, then you can't do much. If you aren't authorised to unlock the front panel, then you probably aren't authorised to make any server admin changes either.

    If you can't access the systems physically, you also can't make a FW interface between two of them; right?

    It takes all of 30 seconds with a small hex or Torx-15 screwdriver to unset the lock. You don't have to open the system, or remove it from a cage. You only need to access the front bezel, insert a hex key or T15 driver into the slot, and turn it off.

    If you are the on-site server administrator, then you should request your own keycard. If someone else is the on-site server administrator with the keycard, you should set aside a few moments to explain what you would like to do with him, and see if he approves.

    If I was the admin there, and someone fiddled with the network in any way without my approval, I would be sure to have them fired, or suspended, or penalised, for not going through the correct channels. Even if what you want to do is an improvement, there is always the possibility of it causing havoc with something else that you may not be aware exists.

    Let me explain why: If you are a proper admin, or SysOp, and someone else does something to muddle a network, either in hardware or in software, they aren't the ones who have to fix it, and if you were to allow something like that to happen, you jeopardise your position as an administrator.

    I am the HW and SW admin at two locations. I am the only one with root access on any system, and one of only two or three people with admin login privileges for any one machine. (That narrows the scope of determining the cause of any possible problem.)

    I keep a digest on paper of every authentication protocol, code, password, login, etc., in case I ever need to hand it over to anyone else. I do not keep digital records of any of that kind of material.

    SysOps and Admins are generally very paranoid about allowing high-level access, and usually rightly so. It takes but one damaged file to take down an entire array of servers. We also don't want anyone else getting their hands on the equipment, as any changes someone else makes won't be documented, and when we need to go and do something, the unknown changes can waste hours of time.

    I would need to know a lot more about your work procedures, who is the proper administrator, and who has access to the HW before I would ever document any kind of bypass. It's simple ethics.

    That said, I will repeat, the lock is a hardware lock. It triggers hardware lockouts (or firmware lockouts, I'm not 100% certain which) that prevent a lot of things from happening. Any software that you run will not bypass a low-level change in the system state. That is why you have such a locking mechanism on this kind of machine.

    I'm not saying that anything you are trying to do is evil, but if you do not own the network, and work for those who do, you need to either go through the proper channels to gain direct access, or meet with the admin and discuss your ideas. If what you suggest is actually going to increase network performance, he will probably be happy to permit it, or to do it directly. He may have some reason not to do it, which you should hear in full before questioning it.

    On the other hand, if you are the top-level administrator, you need HW access to do your job, and should request an entry key and code from the owner of the business.
     
