Archive for April, 2013

A few words of advice for used equipment sellers

I purchase a good deal of used electronic equipment for both work and personal use. Some of that equipment comes from eBay, some is purchased from companies who sell used equipment for a living. The two aren’t mutually exclusive, of course – there are a number of commercial vendors who sell through eBay as well as their own site.

Used equipment can represent a sizable savings over new, particularly when a manufacturer only has a “list price” and doesn’t offer discounts to any but their largest customers. Of course, you need to consider the cost of any required re-licensing (for example, on Cisco gear) when comparing the used price with new. But a large number of manufacturers make updates available for free to all, and in that cases you can often save a great deal of money. Most used equipment will come with at least a one-week warranty against being defective, but some sellers will offer a longer warranty – up to 1 year is common.

One of the best times for great deals is just as a device is no longer being sold as new by the manufacturer. There’s a further drop once the manufacturer no longer supports it with software updates, spare parts, and so on – but you probably don’t want to buy something that far along unless you plan to use it for spare parts yourself.

That’s the benefit to the buyer. But I’d now like to give some advice to sellers, both to ensure the largest market for their items and to avoid potential problems.

Getting the item ready for sale

  1. If the device has any configuration data, erase it before listing the device for sale.
    • Some devices have no way of resetting them to the default state unless the existing password is given, which means that if the seller doesn’t erase it before selling, the only way a buyer will be able to use it is if the seller is willing to tell them what the password is (not practical if it is the same password the seller is using on equipment they’re still using, or if they don’t know it). Otherwise, the device has to go back to the seller and the transaction voided.
    • Some other devices have a “reset the password only” option, or (insecurely) a “backdoor” password that works on all units. If the user does that, they will have access to the entire configuration of the device as the seller last used it – at a minimum, things like IP addresses, SNMP communities, and so on. Potentially even more sensitive information like access lists can be disclosed. Additionally, at least two major brands of devices have the (undocumented, but widely known) ability to read or decrypt the original password cleartext once a password recovery procedure is performed.
    • This is particularly important for disk drives and other storage media. Even if the drives were part of a RAID set, it might still be possible to recover chunks of data from individual drives. You can use a utility such as DBAN to erase drives that are still in the system. It offers a variety of erasure options, from a simple “write zeros to the whole drive” to multiple erase passes with random data. Note that even with this type of erasure, it may still be possible to recover data from certain areas of the disk (replaced defective sectors, for example). If you (or your company) doesn’t want to take the risk, you can remove the drives – but read on for a suggestion about disk trays and mounting hardware.
  2. If you’re selling something like a server and your company policy requires removal of the drives before the sale, put the empty hot-swap drive trays back in the server instead of trashing them with the drives. If the trays require oddball hardware to hold the drives in, put the screws in a small plastic bag and tape them securely to the disk tray(s). The buyer will thank you as they won’t have to scavenge for drive trays to get the server running with new drives.
  3. Unless you’re explicitly selling the item “as-is” or “non-working”, please test it before listing it. Having a 14-day (or longer) “no questions asked” return policy is nice, but neither the buyer nor you want to deal with shipping defective items back and forth. For some items, this can simply be installing (or leaving) them in a system and seeing if they work. Mechanical items like disk drives need some additional testing. Modern drives (anything in the last decade or so) have S.M.A.R.T. testing built in, so it is a simple matter to use something like smartmontools to test the drive and see if it has any problems before listing it. Just today I received a pair of SAS drives, each with less than 30 power-on hours on them, which had over 50 media errors each and had been logging S.M.A.R.T. errors since new (the first failure was logged at 0 power-on hours).
  4. Along with the above, it would be helpful to update the device to the latest available firmware “while you’re in there”, if that is something the manufacturer allows. I’ve received devices that were so old that several intermediate firmware updates were needed to get them to the current revision. In a number of those cases, the intermediate updates were themselves so old that the manufacturer had removed them from their web site as obsolete. That requires the user to go on a “scavenger hunt” through potentially untrustworthy sites to try to find firmware. Another reason to update before selling is that in some cases, the update procedure will only work in the specific brand of equipment the device came from. An example is Dell network cards – the Dell Server Update Utility only runs on Dell-branded servers. Dell network cards are mostly-generic Broadcom, Intel, etc. cards but often have Dell listed in the PCI Vendor ID on the card. This means that generic firmware updates from the manufacturer may fail to recognize the card. To continue my example, even if the user is putting the card in a Dell server, unless Dell offered the specific option card for the user’s server, the appropriate Server Update Utility may not detect / update it.

Listing the item for sale

  1. Be as descriptive as possible when listing the item. To give a specific example of why this is a problem, look for “PowerEdge R300” on eBay. That model was available with or without hot-swap drives and with or without redundant power supplies. It is not possible to convert a chassis from any of those configurations to another. Many times a seller will just say something like “PowerEdge R300 Quad-core 2.33GHz 4GB 2x 146GB HDD”. That doesn’t convey much useful information – in addition to the chassis type, it would be useful to know the exact CPU model, whether the disks are SATA or SAS and if there’s an add-on disk controller in the system, and whether or not there’s a remote access card. This is made even worse by the sellers that say “Stock photo” or “Photo may not represent actual item”. To add insult to injury, some of those same sellers will say “if it isn’t in the picture, it isn’t included” in the body of the listing. Dell’s web site is pretty good – if you know the “service tag” of a system, Dell’s site will show you the configuration as it shipped from Dell. Of course, the seller or a previous owner may have added, removed, or modified components, so don’t take the Dell list as the last word. As the seller, you can go to the Dell site and copy/paste the configuration into your sale listing once you verify that it’s accurate.
  2. If you’re selling something that isn’t an add-on component (like a network card or a disk drive), but can function as a standalone device (like a server, Ethernet switch or network-controlled outlet strip), provide all of the necessary accessories with it or explain clearly that they’re missing. This definitely includes rack mount ears/rails (if the device is rack mountable) and console cables (no two vendors do exactly the same thing once you get to anything newer than 9-pin serial connectors). If the device has cable-management hardware (bracket, etc.) and you have it, include that with the item. Likewise for the faceplate. It is also thoughtful to include the required power cord, at least if the seller and the buyer use the same type of electrical outlets. This isn’t vital, as there are a small number of possible mating power cords for modern equipment. But the buyer will usually appreciate your thoughfulness, particularly if it is an unsual cord like an IEC C20 and they have to order one once they receive your shipment.

Shipping the item to the buyer

Pack the item well, preferably using the original manufacturer packaging (if still available). You’d be amazed at the way some stuff arrives here. I’ve received memory DIMMs ratlling around loose inside a cardboard box. I’ve received servers where parts of the chassis were dented or damaged (usually parts that protrude beyond the basic rectangular shape, but sometimes the main chassis itself). I’ve received devices with glass faceplates that were smashed. I’ve received boxes where the cardboard was too thin for the weight of the item and has ripped during normal handling, with accessories falling out of the box and being lost in transit.

I’d like to be able to say “just take the item to your nearest parcel store and have them pack and ship it”, but that’s generally not a good idea. It seems that their solution for shipping anything is a thin-wall cardboard box and packing peanuts. Those peanuts are not acceptable for anything that might shift around or settle in the box. With enough practice, it is possible to ship fragile items using common materials – I have purchased many items from ex-Soviet countries where the contents were packaged entirely (but carefully) in newspaper and placed in a cardboard box and which arrived here in perfect condition despite their international travel and the rough handling of various foreign postal services.

Large items are generally either heavy or are light enough that they get charged “dimensional weight”, where the shipping company charges the package as if it weighs a certain amount per cubic inch. In general, the cost of reasonable insurance (value up to some hundreds of dollars) will be a small part of the total shipping cost, so it makes sense to insure the package. If you have to file a claim, be aware that you will often be asked to provide proof of adequate packaging before the shipping company will process the claim. I know of one company that took pictures of each box while it was being packaged and retained those pictures, both to deal with shipping damage claims and to prove that a certain item was in the box when it was shipped.

Conclusion

If, as a seller, you follow these steps I think you will find that your items will sell faster and your customers will be happier. And if I’m the customer, I’ll definitely be happier.

Dell PowerEdge R300 ESM / BMC firmware updates on non-supported operating systems

Dell has generally been quite good about making firmware updates available in a variety of formats. In addition to the normal Windows and Linux versions, most patches are also available as a floppy / USB image or an ISO image (depending on size). Those of us who don’t run one of the operating systems Dell provides support for appreciate them going through the trouble.

However, newer updates for older systems and updates for newer systems seem to no longer provide standalone installers. In theory, Dell provides a quarterly packaged roll-up of all available updates on a pair of DVD images (CDU and SUU). Booting these and wasting about 10 minutes switching discs should get your system updated to the latest versions of all firmware without any additional steps.

Unfortunately, the firmware for the R300’s ESM / BMC has not been on any SUU discs I’ve looked at, and the update is listed as “Critical Security Update” on Dell’s site (look under ESM on the R300’s downloads and drivers page). The only two formats it is available in are “Windows Update Package” and “Linux Update Package”. I figure that’s not a problem, as I can boot a Windows 7 recovery disk and then run the ESM update from a USB drive. Unfortunately, that doesn’t work. You get an error about “unsupported operating system”.

Next, I boot the CDU DVD and select F3 for Advanced Options. This eventually gets me to a Linux shell prompt (CDU/SUU operates under Linux). I mount the USB drive and execute the Linux version of the ESM update. That errors out with “Not compatible with your system configuration” for some unknown reason. Time to investigate further…

Clicking on “Previous Versions” on the Dell page shows the previous version as 2.46 from 2009. Looking at the available formats, one is listed as “Hard-Drive”. Depending on the mood Dell is in when they create the kit, this could be anything from a freestanding binary that writes a floppy image to a drive, to creating an ISO file, or something that just unpacks into a bunch of loose files somewhere, perhaps then trying to run them (incorrectly) on the local system.

I downloaded that file (link here) and discovered it created 3 useful files when it was executed:

  • bmcfl16d.exe – a DOS-based flash utility
  • bmccfg.def – some sort of configuration file
  • bmcflsh.dat – the actual firmware to be flashed

Now all I needed to do was to find newer versions of the last 2 files inside either the Linux or Windows installer. The Linux installer was a pain, and I quickly gave up on it. I had much better luck with the Windows version (link here). Despite being an EXE file, I was able to use WinZip 16.5 to open the file (browse to the directory where you downloaded the Dell update, then make sure you’ve selected “All files (*.*)” in WinZip’s Open Archive dialog). There’s a whole load of un-needed stuff in there (which doesn’t completely explain how a 655KB update turns into a 4800KB Windows binary). Find the bmccfg.def and bmcflsh.dat files and extract them on top of (replacing) the ones from unpacking the older download.

I copied the 3 files onto a bootable USB stick and then used that to boot the R300 to be updated. Here are some screnshots of the various stages of the procedure (it’s very simple – just answer Y or N when asked if you want to perform the update):



If the firmware is already at the latest revision, the utility will tell you that and exit. This can also be used to double-check that the update was successful:

That’s all there is to it. If you want a pre-built .ZIP file with the flash utility and the 2.50 image, I have placed one here for your convenience.

Advanced topics

The bmcfl16d.exe utility has a number of documented and undocumented additional features. You can use the -help option to get a list of the documented features. Before using one of these features when updating a system, be sure you know what you’re doing and have a fallback plan in case the update fails and you’re left with a non-operable system.

There is also an undocumented -advhelp (advanced help) option, which shows the additional undocumented options:

The above caution about knowing what you’re doing and having a fallback plan is doubly important if you try using any of the advanced options.