Author Archives: Hal Martin

About Hal Martin

In my free time I like experiment with hardware and embedded systems. Here I write about personal projects and random adventures into firmware land.

Meraki MX75 hardware overview

Leave a reply

The Meraki MX75 SD-WAN appliance (codename “Barley Wine”) offers 3 WAN uplink ports (1 SFP, 2 Gigabit Ethernet), 10 LAN ports (8 Gigabit Ethernet, 2 PoE), and a USB 3.0 port for external cellular modems¹.

Meraki MX75 SD-WAN appliance

Here is a summary of the MX75 specs:

  • NXP LayerScape LS1046A (ARM A72, 4 cores @ 1.8GHz)
  • 4GB DDR4 RAM (Micron MT40A512M16LY-075:E running at 2100MT/s, 4 chips, soldered)
  • 16GB of EMMC flash (SanDisk SDINBDA6-16G)
  • Winbond W25Q64JVSIQ, MXIC MX25U6472F
  • Aikido/Cisco TAM hardware root-of-trust (Microchip SmartFusion2 M2S010)
  • Qualcomm QCA8337-AL3C 7-port Gigabit Ethernet Switch (x2, PDF datasheet)
  • Qualcomm QCA8334-AL3C 4-port Gigabit Ethernet Switch (PDF datasheet)
  • Microchip PD69104B1 PSE controller (PoE LAN ports)
  • Sunon EG60070S1-C200-S9A fan
  • UMEC 100W power supply (MA-PWR-100WAC)

Unlike the MX85, the MX75 has no dedicated management port.

The MX75 also does not support PoE output on any of the WAN ports; Meraki sales need some justification to upsell customers to an MX85! (Public service reminder that PoE injectors exist and are considerably less expensive than the cost difference from an MX75 to an MX85)

Meraki MX75 PCB

Meraki MX75 PCB

The MX75 uses the same LS1046A found in the passively cooled MX85, but has active cooling via a Sunon EG60070S1-C200-S9A fan. The thermal pad sales department definitely earned their quarterly bonus for this design win, because the MX75 has thermal pads above and below the metal EMI shield: 1.8mm (twice) for the memory and 1.2mm (twice) for the CPU. I offer this humble edit to the MX75 mounting instructions:

Please make sure there are no blockages or obstructions within one inch of the top of the chassis or within 0.5 inches of the sides so that nothing [except our overzealous use of thermal pads] interferes with cooling.

The UART header is J10 on the MX75 and follows the standard Meraki UART pinout (1: Vcc, 2: Tx, 3: Rx, 4: GND) at 3.3V and 115200 baud. Unlike the MX85 there are no resistors are missing, so just solder the 2.54mm header or use pogo pins.

MX75 PCB bottom

MX75 PCB bottom

The U-Boot release on the MX75 is 2018.09julia-spl-dandybar and, like all other recent Meraki products, it does not allow interrupting boot.

U-Boot SPL 2018.09julia-spl-dandybar (Mar 16 2021 - 00:27:48 +0000)
Initializing DDR....using SPD
Trying to boot from BOOTROM

U-Boot 2018.09julia-spl-dandybar (Mar 16 2021 - 00:27:48 +0000)

SoC:  LS1046AE Rev1.0 (0x87070010)
Clock Configuration:
       CPU0(A72):1800 MHz  CPU1(A72):1800 MHz  CPU2(A72):1800 MHz  
       CPU3(A72):1800 MHz  
       Bus:      700  MHz  DDR:      2100 MT/s  FMAN:     800  MHz
Reset Configuration Word (RCW):
       00000000: 0e150012 10000000 00000000 00000000
       00000010: 33330000 00b00012 40000000 c1000000
       00000020: 00000000 00000000 00000000 00018ffc
       00000030: 20004504 05003000 00000096 00000001
Model: LS1046A RDB Board
Board: LS1046ARDB, boot from Invalid setting of SW5
CPLD:  V0.0
PCBA:  V0.0
SERDES Reference Clocks:
SD1_CLK1 = 100.00MHZ, SD1_CLK2 = 100.00MHZ
I2C:   ready
DRAM:  Detected UDIMM Fixed DDR on board
3.9 GiB (DDR4, 64-bit, CL=15, ECC off)
SEC0: RNG instantiated
PPA Firmware: Version LSDK-18.09
GPIO:	initialized
setting up RGB LED controller lp5562....
LM96163:	initialized
Using SERDES1 Protocol: 13107 (0x3333)
Using SERDES2 Protocol: 0 (0x0)
SERDES2[PRTCL] = 0x0 is not valid
NAND:  0 MiB
MMC:   FSL_SDHC: 0
EEPROM: meraki_MX75 600-103010
In:    serial
Out:   serial
Err:   serial
Net:   Invalid SerDes protocol 0x3333 for LS1046ARDB
Fman1: Uploading microcode version 108.4.9
Could not get PHY for MDIO1: addr 1
Failed to connect
Could not get PHY for MDIO2: addr 3
Failed to connect
Could not get PHY for MDIO2: addr 5
Failed to connect
PCIe0: pcie@3400000 disabled
PCIe1: pcie@3500000 disabled
PCIe2: pcie@3600000 disabled
FM1@DTSEC3 [PRIME], FM1@DTSEC5, FM1@DTSEC6, FM1@DTSEC9, FM1@DTSEC10

As we can see from the above ECC off output, the MX75 is using non-ECC RAM. This is similar to the MX65 which also did not include ECC memory. To my knowledge, no Meraki ARM-based designs incorporate ECC memory.

The MX75 also contains the Cisco TAM, implemented using a SmartFusion2 M2S010. The TAM is used for secure boot.

----Security Versions----
SecureBoot:  R6.3.101-42a1499-20201106
SB Core:     F01257R21.039b56e6b2020-06-29
Microloader: MK0007R01.0105062020
SF: Detected SPI Generic with page size 256 Bytes, erase size 4 KiB, total 16 MiB

----SecureBoot Registers----
system_invalid:            0
boot_check_count_error:    0
boot_done:                 1
boot_ok:                   1
boot_check_count_golden:   0
boot_check_count_upgrade:  2
boot_status_golden:        0
boot_status_upgrade:       1
first_bootloader:          1

----Upgrade----
boot_error:                0
boot_check_count_error_vc: 0
boot_check_count_error:    0
boot_timeout_vc:           0
boot_timeout:              0
boot_cs_good:              1
boot_config_error:         0
boot_version_error:        0
boot_config_error_code:    0
boot_error_code:           0
boot_cs_good:              1
boot_version_error:        0
boot1_cs_key_type:         1
boot1_cs_return_code:      0
boot1_cs_key_index:        5
boot2_cs_return_code:      0
boot2_cs_key_index:        5
boot2_cs_key_type:         1

----Other Registers----
fpga_version:      0090

Reading whitelist from TAM
whitelist.bin: 744 bytes

Converting whitelist to signature fdt
BARLEY-WINE_LDWM-rel
wired-arm64-OD-SECP384R1_1-rel
wired-arm64-RT-SECP384R1_1-rel
wired-arm64-AP-SECP384R1_1-rel
wrote 558 bytes to 0000000082330000

Same story as the MX85, do not expect any OpenWrt support for this device.

Idle power consumption: ~15W

The MA-PWR-100WAC power supply (P/N: 640-76010) is manufactured by UMEC and outputs 54V @ 1.85A with a 6.5 x 3.0 mm center-positive barrel tip on a 175 cm long cable. It weighs 553g (without C13 cable) and has dimensions 170 x 70 x 40 mm.

The MA-PWR-100WAC power supply is physically larger and heavier than the MA-PWR-90WAC (427g, 153 x 65 x 36 mm) so it is more than an uprated version of the 90W power supply.

Model Codename Part number
MX75 Barley Wine 600-103010

There are references to an MX75W in the firmware, however it appears this model was never publicly released. Certainly it would require a different PCB, as there are no unpopulated components on the MX75 PCB for a wireless radio or antennas.

The MX75 unit weighs 840g.

¹: USB modems with MX/Z series devices running firmware MX 18 or newer will be limited to best effort support and will not be receiving any future firmware fixes or improvements. Meraki documentation

It would seem that Meraki prefers their customers purchase an MG41 or MG51 than plug in their own USB LTE modem. Better margins and less to support, win-win!

The GPL source code for the MX75 was requested from Meraki in September 2024. At the time of writing Meraki has not provided any of the requested source code.

Meraki MS425 hardware overview

Leave a reply

The Meraki MS425 series switches (codename “Hungry Hungry Hippo”) offer 16 or 32 ports of 10Gbit SFP+ Ethernet, two 40Gbit QSFP+ stacking ports, and a Gigabit Ethernet management port.

Meraki MS425-16 Switch with cover removed

Meraki MS425-16 internal view

The MS425 was discontinued in June 2024, and is too old to support secure boot.

Here is a quick summary of the MS425 specs:

  • Broadcom BCM56854 “Trident II” ASIC
  • Broadcom BCM5862x “StrataGX” management CPU
  • 16MB of SPI flash (MX25L12805D)
  • 2GB DDR3 RAM (soldered)
  • 1024MB NAND flash (Micron MT29F8G08ABACA; PDF datasheet)
  • MA-PWR-250WAC (identical to PWR-C2-250WAC)

The UART header in the MS425 is CONN7 (silk screen: UART Console) and follows the standard Meraki UART pinout (1: 3.3V Vcc, 2: Tx, 3: Rx, 4: GND) at 115200 baud.

The MS425-16 uses the same PCB as the MS425-32, but missing 16 SFP+ cages and two PHYs. This is the same technique Meraki used for the MS420-24 model.

The stock Meraki boot process uses u-boot on SPI to load a “bootkernel” (also from SPI), which then initializes NAND and using kexec boots the main firmware. The firmware layout follows the standard Meraki practice of having A/B firmware images: bootkernel1, bootkernel2, part.safe, part.old.

The firmware layout on SPI is:

0x000000-0x100000 : "uboot"
0x100000-0x800000 : "bootkernel1"
0x800000-0xf00000 : "bootkernel2"

Unlike the MS350, the management plane is not an x86 CPU, but a Broadcom “StrataGX” ARMv7. The MS425 runs the same firmware release (switch-arm) as the MS210/MS225/MS250 series.

PCI devices present:

00:00.0 PCI bridge: Broadcom Inc. and subsidiaries Device 8025 (rev 12)
01:00.0 Ethernet controller: Broadcom Inc. and subsidiaries Device b854 (rev 03)

The Broadcom SDK series implements the packet engine in userspace, using the GPL-licensed linux_kernel_bde and linux_user_bde kernel modules to interface with the ASIC. In the Meraki firmware, the packet engine is a component of the userspace click daemon, which loads the bcm_click shared object during click router initialisation.

Similar to the MS420, the three 40mm system fans in the MS425 are controlled by an onsemi ADT7473 (PDF datasheet). The MS425 fans have a Meraki part number: MA-FAN-18K (P/N 680-29010) and contain the Delta FFB0412UHN-C (PDF datasheet). These are identical to the Cisco FAN-T1, which can be purchased for considerably less than the Meraki branded part.

The MS425 accepts two hot-swap power supplies (model MA-PWR-250WAC, P/N 640-20010), which in my units are Delta model DPS-250AB-86 with 12V/20.83A output. Note that the MA-PWR-250WAC is physically and electrically compatible with PWR-C2-250WAC. Higher wattage power supplies like the PWR-C2-640WAC and PWR-C2-1025WAC will also power the MS425.

Idle power consumption:
MS425-16: 72W
MS425-32: 78W

Interesting to note is that the Trident II ASIC found in the MS425 supports VxLAN, however this feature is absent from Meraki’s datasheet and does not appear to be supported by their firmware. Apart from 40Gbit stacking ports, there is not much to be gained from the Trident II in the MS425 over the Trident+ in the MS420: idle power consumption is slightly lower, and it is still supported (see note below).

Meraki have chosen to EoL all of their Broadcom based switches. Being a Broadcom design, the MS425 was axed from the product portfolio on 2024-06-24. The MS425 will continue to receive limited software support from Meraki until Q3 2029. Big “we cancelled all our contracts with Broadcom and are now a Marvell/Catalyst shop” energy.

The GPL source code for the MS425 was requested from Meraki in December 2023, and at the time of writing Meraki has not provided any of the requested source code.

“[F]ulfilling your requests are an important priority for [Meraki]” so I am sure they will comply with their license obligations… Any day now… Just wait for it… It is almost as if they know that providing the GPL source code would enable people to re-use claimed/EOL products and are avoiding doing that. 🤔

Model Meraki Board Part number
MS425-16 Hungry Hungry Hippo 600-45010
MS425-32 Hungry Hungry Hippo 600-45015, 600-45020

Gigabyte MJ11-EC1 PCIe Bifurcation

Leave a reply

The Gigabyte MJ11-EC1 motherboard is an ITX motherboard with an AMD EPYC 3151 (4C8T) onboard. These motherboards were being liquidated from the Gigabyte G431-MM0 GPU server in 2023, and could be purchased for around 60 Euros in the EU. The bare-bones G431-MM0 can still be purchased for around 170 Euros.

The MJ11-EC1 is very similar to the Gigabyte MJ11-EC0 with the main difference being the MJ11-EC0 has a PCIe x16 slot while the MJ11-EC1 has a SlimSAS (SFF-8654 8i) connector for use with the GPU riser in the G431-MM0.

You can purchase the SlimSAS cable (~18 Euros) and a PCIe riser (~15 Euros) from several AliExpress sellers. The added cost of the cable and PCIe riser does reduce the value proposition of the motherboard somewhat. Additionally, user testing showed that PCIe bifurcation was non-functional on the SlimSAS port, meaning only a single PCIe device could be recognized on the SlimSAS 8i port unless a PCIe switch was used.

However, I can demonstrate that bifurcation does work on the MJ11-EC1, and in fact it is possible to access all PCIe x16 lanes if you add the unpopulated U2_1 SFF-8654 connector. All the passive components for the SFF-8654 connector are already present on the motherboard, so only the physical connector needs to be added to unlock an additional 8 lanes of PCIe.

Two MJ11-EC1 motherboards, one with U2_1 unpopulated and one with a SlimSAS 8i connector soldered

However, PCIe Bifurcation does not work under every condition. The following scenarios do not work:

Cable Adapter Bifurcation working
SlimSAS 8i to dual 4i SlimSAS 4i to PCIe x4 No
SlimSAS 8i to 8i SlimSAS 8i to Dual NVMe No
Dual SlimSAS 8i to 8i PCIe x16 (JHHP1B) No

The first attempt was with a SlimSAS 8i to dual 4i cable. Unfortunately, bifurcation did not work with this cable, only one device was visible.

Only one device is recognized

The second attempt was with a SlimSAS 8i to dual NVMe adapter. Again, only the first NVMe device was visible, so I do not recommend purchasing this for use with the MJ11-EC1.

Only one device is recognized

I then tried this dual SlimSAS 8i to PCIe x16 adapter, which did not work at all. In my subsequent discussion with the vendor in the AliExpress dispute, it appears this adapter is only compatible with their PCIe x16 to SlimSAS riser. So despite using the SFF-8654 connector, it is not standards compliant with SlimSAS 8i and cannot be used with the MJ11-EC1. Do not purchase this.

This adapter does not work at all. Avoid purchasing the “2 Port SlimSAS 8i x2 to PCIe 4.0 x16 Slot Adapter Card SFF8654 Riser Card GEN4”

The following combinations are fully functional:

Cable Adapter BIOS configuration PCIe devices Bifurcation working
SlimSAS 8i to 8i PCIe x8 x8x8 2 Yes
SlimSAS 8i to 8i PCIe x8 with 4xNVMe riser, 2xNVMe x8x4x4 3 Yes
SlimSAS 8i to 8i PCIe x8 with 4xNVMe riser, 2xNVMe x4x4x4x4 4 Yes

The following SlimSAS 8i to PCIe x8 adapters were used during testing and worked as expected. The adapters were purchased with my own funds and I have no relationship to the brands or sellers.

CEACENT CNS41CX16W

The CEACENT CNS41CX16W places a decoupling capacitor (C21) in the path of the power connector. Cover this in glue/epoxy or it will get knocked off the board.

“SFF-8654 8i to PCIe 4.0 x16 External Graphics Card Adapter SFF-8654 8i Adapter Card” N-P548-A

The designer of this adapter does not seem to have considered the lack of clearance between the SFF-8654 and SATA power connector. I would call it “challenging” to plug in the SFF-8654 connector.

Most SFF-8654 to PCIe x8 adapters from China seem to have fundamentally flawed physical layouts, which is unfortunate given they are otherwise inexpensive and effective.

This NVMe adapter is great, my only wish is that they made a 1U compatible 2 NVMe version as inexpensive as the 4 NVMe model.

There are dual SlimSAS 8i to PCIe x16 adapters available, however they are cost prohibitive. Given the PCIe bifurcation options available in BIOS and the fact that there are 16 accessible PCIe lanes, I suspect a standards-compliant adapter (e.g. Ceacent CNS52CX16R) would work to expose all 16 lanes.

MJ11-EC1 with two PCIe x8 adapters; HP 544FLR-QSFP installed and BIOS configured for x8x8 bifurcation:

05:00.0 Ethernet controller: Mellanox Technologies MT27520 Family [ConnectX-3 Pro]
06:00.0 Ethernet controller: Mellanox Technologies MT27520 Family [ConnectX-3 Pro]
(...)
# lspci -s 05:00.0 -vvv
05:00.0 Ethernet controller: Mellanox Technologies MT27520 Family [ConnectX-3 Pro]
        Subsystem: Hewlett-Packard Company InfiniBand FDR/Ethernet 10Gb/40Gb 2-port 544+FLR-QSFP Adapter
(...)
                LnkCap: Port #8, Speed 8GT/s, Width x8, ASPM L0s, Exit Latency L0s unlimited
                        ClockPM- Surprise- LLActRep- BwNot- ASPMOptComp+
                LnkCtl: ASPM Disabled; RCB 64 bytes, LnkDisable- CommClk+
                        ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
                LnkSta: Speed 8GT/s, Width x8
                        TrErr- Train- SlotClk+ DLActive- BWMgmt- ABWMgmt-
# lspci -s 06:00.0 -vvv
06:00.0 Ethernet controller: Mellanox Technologies MT27520 Family [ConnectX-3 Pro]
        Subsystem: Hewlett-Packard Company InfiniBand FDR/Ethernet 10Gb/40Gb 2-port 544+FLR-QSFP Adapter
(...)
                LnkCap: Port #8, Speed 8GT/s, Width x8, ASPM L0s, Exit Latency L0s unlimited
                        ClockPM- Surprise- LLActRep- BwNot- ASPMOptComp+
                LnkCtl: ASPM Disabled; RCB 64 bytes, LnkDisable- CommClk+
                        ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
                LnkSta: Speed 8GT/s, Width x8
                        TrErr- Train- SlotClk+ DLActive- BWMgmt- ABWMgmt-

MJ11-EC1 with two PCIe x8 adapters, each with 4xNVMe adapters, NVMe 1 and 2 sockets populated; BIOS configured for x4x4x4x4 bifurcation:

05:00.0 Non-Volatile memory controller: Samsung Electronics Co Ltd NVMe SSD Controller 980 (DRAM-less)
06:00.0 Non-Volatile memory controller: KIOXIA Corporation NVMe SSD Controller BG4 (DRAM-less)
07:00.0 Non-Volatile memory controller: SK hynix 960GB TLC PCIe Gen3 x4 NVMe M.2 22110
08:00.0 Non-Volatile memory controller: Sandisk Corp WD PC SN810 / Black SN850 NVMe SSD (rev 01)
(...)
# lspci -s 05:00.0 -vvv
05:00.0 Non-Volatile memory controller: Samsung Electronics Co Ltd NVMe SSD Controller 980 (DRAM-less) (prog-if 02 [NVM Express])
        Subsystem: Samsung Electronics Co Ltd Device a801
(...)
                LnkCap: Port #0, Speed 8GT/s, Width x4, ASPM L1, Exit Latency L1 <64us
                        ClockPM+ Surprise- LLActRep- BwNot- ASPMOptComp+
                LnkCtl: ASPM Disabled; RCB 64 bytes, LnkDisable- CommClk+
                        ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
                LnkSta: Speed 8GT/s, Width x4
                        TrErr- Train- SlotClk+ DLActive- BWMgmt- ABWMgmt-
# lspci -s 06:00.0 -vvv
06:00.0 Non-Volatile memory controller: KIOXIA Corporation NVMe SSD Controller BG4 (DRAM-less) (prog-if 02 [NVM Express])
        Subsystem: KIOXIA Corporation NVMe SSD Controller BG4 (DRAM-less)
(...)
                LnkCap: Port #0, Speed 8GT/s, Width x4, ASPM L1, Exit Latency L1 <32us
                        ClockPM- Surprise- LLActRep- BwNot- ASPMOptComp+
                LnkCtl: ASPM Disabled; RCB 64 bytes, LnkDisable- CommClk+
                        ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
                LnkSta: Speed 8GT/s, Width x4
                        TrErr- Train- SlotClk+ DLActive- BWMgmt- ABWMgmt-
# lspci -s 07:00.0 -vvv
07:00.0 Non-Volatile memory controller: SK hynix 960GB TLC PCIe Gen3 x4 NVMe M.2 22110 (prog-if 02 [NVM Express])
        Subsystem: SK hynix Device 0000
(...)
                LnkCap: Port #0, Speed 8GT/s, Width x4, ASPM not supported
                        ClockPM- Surprise- LLActRep- BwNot- ASPMOptComp+
                LnkCtl: ASPM Disabled; RCB 64 bytes, LnkDisable- CommClk-
                        ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
                LnkSta: Speed 8GT/s, Width x4
                        TrErr- Train- SlotClk- DLActive- BWMgmt- ABWMgmt-
# lspci -s 08:00.0 -vvv
08:00.0 Non-Volatile memory controller: Sandisk Corp WD PC SN810 / Black SN850 NVMe SSD (rev 01) (prog-if 02 [NVM Express])
        Subsystem: Sandisk Corp WD PC SN810 / Black SN850 NVMe SSD
(...)
                LnkCap: Port #0, Speed 16GT/s, Width x4, ASPM L1, Exit Latency L1 <8us
                        ClockPM+ Surprise- LLActRep- BwNot- ASPMOptComp+
                LnkCtl: ASPM Disabled; RCB 64 bytes, LnkDisable- CommClk+
                        ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
                LnkSta: Speed 8GT/s (downgraded), Width x4
                        TrErr- Train- SlotClk+ DLActive- BWMgmt- ABWMgmt-

This was a fun modification but the economic case is dubious at best. With the SFF-8654 8i cables being roughly 18 Euros each, and SlimSAS 8i to PCIe x8 adapters ranging in price from 18-22 Euros (+shipping) the additional cost to fully utilise 16 PCIe lanes easily exceeds the entire cost of the motherboard.

The SFF-8654 connector (Amphenol U10-B074-200T) proved very hard to source from Western Distributors as they are discontinued, and are not available at a reasonable price on AliExpress. I ended up purchasing them on Taobao via a Chinese based forwarding service. The cost for QTY 20 was 523¥ on Taobao, plus forwarding agent fees, shipping to Europe, and VAT.

Soldering the connector is also a nightmare. The ground plane on the MJ11-EC1 is very effective at dissipating heat. I used a pre-heater, hot air station (set to 200C with high flow to avoid melting the plastic), leaded solder, sticky flux, and still required some touch up work with a very fine tip on the soldering iron to fix bad connections.

It should be noted that bifurcation of the populated U2_2 SFF-8654 port works. Anyone owning the MJ11-EC1 wishing to do that just needs to flash the MJ11-EC0 BIOS via the BMC to expose PCIe bifurcation settings in BIOS, and they should be able to install two PCIe x4 devices (subject to the limitations mentioned above regarding cables/risers).