Flashing OpenWRT on an HPE 1920-24G JG924A network switch
I was recently looking for a reliable network switch for my home, which needed to have:
- A management interface and support for VLANs
- At least 12 ethernet ports
- Passive noiseless cooling
- Affordable (< €40,-)
- Low power consumption (idle power consumption <10W)
- Supported with software & security updates
I often prefer buying used enterprise hardware compared to new consumer devices as the latter are often designed and built to be offered at a much lower price point. Additionally, recycling compared to buying new and encouraging others to do the same feels good.
While doing research, I discovered that second-hand Realtek-based enterprise switches matching all these requirements are available for very low prices. However, security updates for these switches are often no longer provided by the manufacturer. This is not acceptable for me, as I want to build out a secure network. Despite functioning perfectly well from a hardware standpoint, these switches have become e-waste because of lacking software support, explaining the low price.
Fortunately, OpenWRT has recently added (basic) support for these switches. OpenWRT is a free open source firmware project, providing custom firmware for embedded devices such as routers and other network appliances. It is known for its extensibility and for providing software and security updates for devices long after original manufacturers stop doing so. I’ve already used it for years on a wireless access point.
I found the HPE 1920-24G JG924A Ethernet switch for €24,-, including shipping, on a local online marketplace. It was missing one of its rack-mounting ears (which I don’t need) and had a scratch in its top cover, but apart from that it seemed fine. It has:
- A management interface with VLAN support
- 24 ethernet + 4 SFP ports
- Passive cooling
- Idle power consumption of around 7W
To flash it with OpenWRT, gaining access to the serial console is required. This is quite straightforward on this switch, as it doesn’t need to be disassembled to access the serial console — a port is conveniently provided on the front. To use this port, you need an 8P8C RS232 to USB adapter. You will also need an ethernet cable to hook up the switch to your network. To avoid confusion, don’t hook up anything else to the switch yet. As I needed to mount the switch in a shallow cupboard, I also ordered this 90 degree right angle power cord.
Before flashing the switch with OpenWRT, you may want to first flash the latest official HPE firmware, which at the time of writing is version CMW520-R1121. However, obtaining that firmware through the HPE support site and going through the effort of creating an account and navigating through the walled gardens on their website is outside of the scope of this post. In my case, I tested both upgrading and not upgrading the OEM firmware before flashing OpenWRT and was fine without doing so.
If you decide to follow these steps, something can always go wrong and without proper knowledge, you may not be able to recover the switch on your own. Use these steps at your own risk.
Prepare a TFTP server
To provide the OpenWRT firmware upgrade, you’ll need to set up a TFTP server to perform the initial setup. Create a Debian VM or use an existing install to set this up. Alternatively, you can do this by creating a bootable USB drive with Debian Live Gnome. Balena Etcher provides a convenient way to do so. With a Live USB, you can temporarily boot an existing system into Debian from the USB without altering anything on your main operating system.
If you use this approach, it might be convenient to open this post on the live system in Firefox (“Activities -> Firefox”).
On your system or in the Debian Live Gnome environment, open the terminal by going to “Activities”, type “Terminal” and install tftpd-hpa by executing the following command.
sudo apt install tftpd-hpa
Configure tftpd-hpa by opening its configuration file
sudo nano /etc/default/tftpd-hpa
Make sure it contains the following lines:
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/srv/tftp"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="-4 --secure -vvv"
Save and exit by pressing Ctrl+X, then y, Enter.
Restart tftpd-hpa so it uses the new settings.
sudo systemctl restart tftpd-hpa
Install wget in order to download files
sudo apt install wget
Download the OpenWRT kernel image using wget
wget https://downloads.openwrt.org/releases/23.05.5/targets/realtek/rtl838x/openwrt-23.05.5-realtek-rtl838x-hpe_1920-24g-initramfs-kernel.bin
Move it to the tftp server public folder
sudo mv openwrt-23.05.5-realtek-rtl838x-hpe_1920-24g-initramfs-kernel.bin /srv/tftp/openwrt-kernel.bin
Check if the file was moved successfully
sudo ls -lha /srv/tftp
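Because TFTP offers no authentication or integrity protection, it is worth checking the image before serving it. The following is an added example, not part of the original post: a shell function that compares the file against the sha256sums file OpenWRT publishes in the same release directory as the image. It assumes you have downloaded that sha256sums file alongside the image; the function name verify_image is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): check a downloaded OpenWRT image
# against the sha256sums file published in the same release directory.
# Assumption: sha256sums lines have the form "<sha256 hex> *<filename>".

# verify_image <sha256sums-file> <image-file> [name-in-sums]
# The optional third argument is the file's original name, needed here because
# the post renames the image to openwrt-kernel.bin when moving it to /srv/tftp.
# Returns 0 on match, 1 on mismatch, 2 on unreadable input, 3 if no entry exists.
verify_image() {
    sums_file=$1
    image=$2
    name=${3:-$(basename "$image")}

    [ -r "$sums_file" ] || { echo "cannot read $sums_file" >&2; return 2; }
    [ -r "$image" ] || { echo "cannot read $image" >&2; return 2; }

    # Exact filename match, so a similarly named image cannot satisfy the check.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums_file")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums_file" >&2
        return 3
    fi

    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$expected" = "$actual" ]; then
        echo "OK: $image matches the published hash for $name"
        return 0
    fi
    echo "MISMATCH: $image" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Run directly:  sh verify_image.sh sha256sums /srv/tftp/openwrt-kernel.bin \
#   openwrt-23.05.5-realtek-rtl838x-hpe_1920-24g-initramfs-kernel.bin
if [ "$#" -ge 2 ]; then
    verify_image "$@"
fi
```

The same check applies to the sysupgrade image before uploading it in the web interface.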
Find out which IP address your system is using. In my case, this was 192.168.8.44, which will be used as an example through the rest of this post. If you’re using the Debian Live Gnome environment, you can click in the top right corner, click the cogwheel -> Network -> click the cogwheel next to “Connected”. You should now see your IPv4 address. Write this address down, as we will need it later. You could also check your router for the IP address or use ip a.
Connect to serial console
Having set up the tftp server, it is now time to connect to the serial console on the switch. We will do so using the program screen.
Install screen
sudo apt install screen
In the terminal, execute
ls /dev/ | grep tty
Identify the RS232 to USB serial adapter, which will be named something similar to ttyUSB0 or tty.usbserial-FTB6SPL3
Then, use screen to open a serial connection to the switch
screen /dev/ttyUSB0 38400,cs8,-ixon,-ixoff
Cut power to the switch and after a few seconds power it on again. After a few seconds, you should see the switch powering on in the serial console.
- Repeatedly press Ctrl+B to enter the extended boot menu.
- Hit enter to access the menu
- Press 3 Enter Ethernet SubMenu
- Press 5 Modify Ethernet Parameter
- Protocol: tftp
- Load File Name: openwrt-kernel.bin
- Target File Name: leave unchanged
- Server IP Address: 192.168.8.44 (Change this to the IP address of the TFTP server you identified above)
- Local IP Address: 192.168.8.2 (Change this to the IP address you want to give the switch temporarily)
- Press 1 Download Application Program To SDRAM And Run
OpenWRT is loaded from the TFTP server into the RAM of the switch and booted.
After around 2-3 minutes, press enter to drop into the OpenWRT console. Then, wait another 3 minutes to ensure you are not disturbed by system messages while editing, as these can be confusing.
Open the network configuration in the vi editor.
vi /etc/config/network
Press i to start editing. Configure the switch to acquire an IP address using DHCP by changing the config interface 'lan' section to look like this:
config interface 'lan'
option device 'switch.1'
option proto 'dhcp'
Press Esc then :wq to stop editing, write the changes to the file and quit.
If you make any mistake while editing and want to retry, press Esc, then :q to exit without saving and start over.
Restart the OpenWRT network stack to use the new configuration
service network restart
Retrieve the new IP address of the switch by checking your router or executing
ip address show switch.1
This should show something like:
34: switch.1@switch: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet 192.168.8.2/24 brd 192.168.8.255 scope global switch.1
valid_lft forever preferred_lft forever
inet6 fe80:::::f49f/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
In this case the IP address of the switch is 192.168.8.2.
Flashing OpenWRT to the switch
From the Debian Live Gnome environment, open Firefox and go to http://192.168.8.2 (change to the switch’s IP address you looked up above). Log in with username root and an empty password.
Download the sysupgrade image from the OpenWRT firmware selector.
Go to System -> Backup / Flash Firmware. Using the “Flash new firmware image” box, upload the sysupgrade image. Unset the “Keep settings and retain the current configuration” flag.
After a while, the switch will reboot. OpenWRT is now permanently installed on the switch’s storage flash, but the extended bootloader doesn’t know yet that it should boot OpenWRT from now on. Let’s fix this:
On the serial console, perform the following steps:
- Upon powering up the switch, press Ctrl+B repeatedly again to enter the Extended Bootware menu.
- Press ENTER to continue.
- Choose 4 File Control.
- Choose 2 Set Application File type.
- Enter the number of openwrt-kernel.bin. This should be 1. Hit 1 again to mark it as the main OS image.
- After this completes, press 0 Exit To Main Menu.
- Press 0 Reboot.
- OpenWRT should boot up automatically from now on.
NB: Be aware that fully booting up the switch with OpenWRT can take around 2 minutes before the web interface is available and network switching works.
Setting up OpenWRT
OpenWRT is now fully installed, but as it was previously running from RAM rather than the internal flash memory, all settings have been reverted back to their default values. Therefore, we need to set the switch up as a DHCP client again.
After around 2-3 minutes, press enter to drop into the OpenWRT console. Then, wait another 3 minutes to ensure you are not disturbed by system messages while editing, as these can be confusing.
Open the network configuration in the vi editor.
vi /etc/config/network
Press i to start editing. Configure the switch to acquire an IP address using DHCP by changing the config interface 'lan' section to look like this:
config interface 'lan'
option device 'switch.1'
option proto 'dhcp'
Press Esc then :wq to stop editing, write the changes to the file and quit.
If you make any mistake while editing and want to retry, press Esc, then :q to exit without saving and start over.
Restart the OpenWRT network stack to use the new configuration
service network restart
Retrieve the new IP address of the switch by checking your router or executing
ip address show switch.1
The switch should now function properly. If you don’t plan on using any advanced functionality such as VLANs, at least set a secure password in the web interface available at the switch’s IP address in System -> Administration.
Maintaining your switch
From now on, you shouldn’t need to use the serial console anymore. Although the initial setup described above is quite involved, performing software upgrades is easy. Check the OpenWRT website from time to time for firmware upgrades. For convenient upgrading, use the OpenWRT firmware selector to automatically download the right firmware version.
When a new version is available, open the web interface of the switch and go to System -> Backup / Flash Firmware. Using the “Flash new firmware image” box, upload the new sysupgrade image.
A word of caution: OpenWRT is very extensible and was originally developed to run on wireless routers. It can theoretically run any software setup imaginable; that’s up to you as the user to decide. However, with great power comes great responsibility. Please make sure not to install too many additional packages on the switch, preferably none. Compared to a router, the CPU and memory of a switch are very limited and only designed for running the software to manage the network switch chip. Additionally, the flash storage chip of the switch is not designed to sustain many writes outside of periodical software and security updates and retaining configuration settings. Never use the package manager (System -> Software) to blindly install software updates, as this creates unnecessary writes and may cause serious problems. Only upgrade OpenWRT using the official sysupgrade images described above.
Recovering your switch
If you accidentally mess up your install while trying things out, you can use the serial console connection again to access OpenWRT to recover your install. To connect using the serial console, use screen as described in the steps above. The following command will reset OpenWRT back to how it was configured at the “OpenWRT is now fully installed” sentence above.
firstboot && reboot
Closing thoughts
I welcome your feedback and hearing about your experiences! If this post has been useful to you, please feel free to leave a comment down below.