Category Archives: Embedded

Meraki MX75 hardware overview

Leave a reply

The Meraki MX75 SD-WAN appliance (codename “Barley Wine”) offers 3 WAN uplink ports (1 SFP, 2 Gigabit Ethernet), 10 LAN ports (8 Gigabit Ethernet, 2 PoE), and a USB 3.0 port for external cellular modems¹.

Meraki MX75 SD-WAN appliance

Here is a summary of the MX75 specs:

  • NXP LayerScape LS1046A (ARM A72, 4 cores @ 1.8GHz)
  • 4GB DDR4 RAM (Micron MT40A512M16LY-075:E running at 2100MT/s, 4 chips, soldered)
  • 16GB of EMMC flash (SanDisk SDINBDA6-16G)
  • Winbond W25Q64JVSIQ, MXIC MX25U6472F
  • Aikido/Cisco TAM hardware root-of-trust (Microchip SmartFusion2 M2S010)
  • Qualcomm QCA8337-AL3C 7-port Gigabit Ethernet Switch (x2, PDF datasheet)
  • Qualcomm QCA8334-AL3C 4-port Gigabit Ethernet Switch (PDF datasheet)
  • Microchip PD69104B1 PSE controller (PoE LAN ports)
  • Sunon EG60070S1-C200-S9A fan
  • UMEC 100W power supply (MA-PWR-100WAC)

Unlike the MX85, the MX75 has no dedicated management port.

The MX75 also does not support PoE output on any of the WAN ports; Meraki sales need some justification to upsell customers to an MX85! (Public service reminder that PoE injectors exist and are considerably less expensive than the cost difference from an MX75 to an MX85)

Meraki MX75 PCB

Meraki MX75 PCB

The MX75 uses the same LS1046A found in the passively cooled MX85, but has active cooling via a Sunon EG60070S1-C200-S9A fan. The thermal pad sales department definitely earned their quarterly bonus for this design win, because the MX75 has thermal pads above and below the metal EMI shield: 1.8mm (twice) for the memory and 1.2mm (twice) for the CPU. I offer this humble edit to the MX75 mounting instructions:

Please make sure there are no blockages or obstructions within one inch of the top of the chassis or within 0.5 inches of the sides so that nothing [except our overzealous use of thermal pads] interferes with cooling.

The UART header is J10 on the MX75 and follows the standard Meraki UART pinout (1: Vcc, 2: Tx, 3: Rx, 4: GND) at 3.3V and 115200 baud. Unlike the MX85 there are no resistors are missing, so just solder the 2.54mm header or use pogo pins.

MX75 PCB bottom

MX75 PCB bottom

The U-Boot release on the MX75 is 2018.09julia-spl-dandybar and, like all other recent Meraki products, it does not allow interrupting boot.

U-Boot SPL 2018.09julia-spl-dandybar (Mar 16 2021 - 00:27:48 +0000)
Initializing DDR....using SPD
Trying to boot from BOOTROM

U-Boot 2018.09julia-spl-dandybar (Mar 16 2021 - 00:27:48 +0000)

SoC:  LS1046AE Rev1.0 (0x87070010)
Clock Configuration:
       CPU0(A72):1800 MHz  CPU1(A72):1800 MHz  CPU2(A72):1800 MHz  
       CPU3(A72):1800 MHz  
       Bus:      700  MHz  DDR:      2100 MT/s  FMAN:     800  MHz
Reset Configuration Word (RCW):
       00000000: 0e150012 10000000 00000000 00000000
       00000010: 33330000 00b00012 40000000 c1000000
       00000020: 00000000 00000000 00000000 00018ffc
       00000030: 20004504 05003000 00000096 00000001
Model: LS1046A RDB Board
Board: LS1046ARDB, boot from Invalid setting of SW5
CPLD:  V0.0
PCBA:  V0.0
SERDES Reference Clocks:
SD1_CLK1 = 100.00MHZ, SD1_CLK2 = 100.00MHZ
I2C:   ready
DRAM:  Detected UDIMM Fixed DDR on board
3.9 GiB (DDR4, 64-bit, CL=15, ECC off)
SEC0: RNG instantiated
PPA Firmware: Version LSDK-18.09
GPIO:	initialized
setting up RGB LED controller lp5562....
LM96163:	initialized
Using SERDES1 Protocol: 13107 (0x3333)
Using SERDES2 Protocol: 0 (0x0)
SERDES2[PRTCL] = 0x0 is not valid
NAND:  0 MiB
MMC:   FSL_SDHC: 0
EEPROM: meraki_MX75 600-103010
In:    serial
Out:   serial
Err:   serial
Net:   Invalid SerDes protocol 0x3333 for LS1046ARDB
Fman1: Uploading microcode version 108.4.9
Could not get PHY for MDIO1: addr 1
Failed to connect
Could not get PHY for MDIO2: addr 3
Failed to connect
Could not get PHY for MDIO2: addr 5
Failed to connect
PCIe0: pcie@3400000 disabled
PCIe1: pcie@3500000 disabled
PCIe2: pcie@3600000 disabled
FM1@DTSEC3 [PRIME], FM1@DTSEC5, FM1@DTSEC6, FM1@DTSEC9, FM1@DTSEC10

As we can see from the above ECC off output, the MX75 is using non-ECC RAM. This is similar to the MX65 which also did not include ECC memory. To my knowledge, no Meraki ARM-based designs incorporate ECC memory.

The MX75 also contains the Cisco TAM, implemented using a SmartFusion2 M2S010. The TAM is used for secure boot.

----Security Versions----
SecureBoot:  R6.3.101-42a1499-20201106
SB Core:     F01257R21.039b56e6b2020-06-29
Microloader: MK0007R01.0105062020
SF: Detected SPI Generic with page size 256 Bytes, erase size 4 KiB, total 16 MiB

----SecureBoot Registers----
system_invalid:            0
boot_check_count_error:    0
boot_done:                 1
boot_ok:                   1
boot_check_count_golden:   0
boot_check_count_upgrade:  2
boot_status_golden:        0
boot_status_upgrade:       1
first_bootloader:          1

----Upgrade----
boot_error:                0
boot_check_count_error_vc: 0
boot_check_count_error:    0
boot_timeout_vc:           0
boot_timeout:              0
boot_cs_good:              1
boot_config_error:         0
boot_version_error:        0
boot_config_error_code:    0
boot_error_code:           0
boot_cs_good:              1
boot_version_error:        0
boot1_cs_key_type:         1
boot1_cs_return_code:      0
boot1_cs_key_index:        5
boot2_cs_return_code:      0
boot2_cs_key_index:        5
boot2_cs_key_type:         1

----Other Registers----
fpga_version:      0090

Reading whitelist from TAM
whitelist.bin: 744 bytes

Converting whitelist to signature fdt
BARLEY-WINE_LDWM-rel
wired-arm64-OD-SECP384R1_1-rel
wired-arm64-RT-SECP384R1_1-rel
wired-arm64-AP-SECP384R1_1-rel
wrote 558 bytes to 0000000082330000

Same story as the MX85, do not expect any OpenWrt support for this device.

Idle power consumption: ~15W

The MA-PWR-100WAC power supply (P/N: 640-76010) is manufactured by UMEC and outputs 54V @ 1.85A with a 6.5 x 3.0 mm center-positive barrel tip on a 175 cm long cable. It weighs 553g (without C13 cable) and has dimensions 170 x 70 x 40 mm.

The MA-PWR-100WAC power supply is physically larger and heavier than the MA-PWR-90WAC (427g, 153 x 65 x 36 mm) so it is more than an uprated version of the 90W power supply.

Model Codename Part number
MX75 Barley Wine 600-103010

There are references to an MX75W in the firmware, however it appears this model was never publicly released. Certainly it would require a different PCB, as there are no unpopulated components on the MX75 PCB for a wireless radio or antennas.

The MX75 unit weighs 840g.

¹: USB modems with MX/Z series devices running firmware MX 18 or newer will be limited to best effort support and will not be receiving any future firmware fixes or improvements. Meraki documentation

It would seem that Meraki prefers their customers purchase an MG41 or MG51 than plug in their own USB LTE modem. Better margins and less to support, win-win!

The GPL source code for the MX75 was requested from Meraki in September 2024. At the time of writing Meraki has not provided any of the requested source code.

Meraki MS425 hardware overview

Leave a reply

The Meraki MS425 series switches (codename “Hungry Hungry Hippo”) offer 16 or 32 ports of 10Gbit SFP+ Ethernet, two 40Gbit QSFP+ stacking ports, and a Gigabit Ethernet management port.

Meraki MS425-16 Switch with cover removed

Meraki MS425-16 internal view

The MS425 was discontinued in June 2024, and is too old to support secure boot.

Here is a quick summary of the MS425 specs:

  • Broadcom BCM56854 “Trident II” ASIC
  • Broadcom BCM5862x “StrataGX” management CPU
  • 16MB of SPI flash (MX25L12805D)
  • 2GB DDR3 RAM (soldered)
  • 1024MB NAND flash (Micron MT29F8G08ABACA; PDF datasheet)
  • MA-PWR-250WAC (identical to PWR-C2-250WAC)

The UART header in the MS425 is CONN7 (silk screen: UART Console) and follows the standard Meraki UART pinout (1: 3.3V Vcc, 2: Tx, 3: Rx, 4: GND) at 115200 baud.

The MS425-16 uses the same PCB as the MS425-32, but missing 16 SFP+ cages and two PHYs. This is the same technique Meraki used for the MS420-24 model.

The stock Meraki boot process uses u-boot on SPI to load a “bootkernel” (also from SPI), which then initializes NAND and using kexec boots the main firmware. The firmware layout follows the standard Meraki practice of having A/B firmware images: bootkernel1, bootkernel2, part.safe, part.old.

The firmware layout on SPI is:

0x000000-0x100000 : "uboot"
0x100000-0x800000 : "bootkernel1"
0x800000-0xf00000 : "bootkernel2"

Unlike the MS350, the management plane is not an x86 CPU, but a Broadcom “StrataGX” ARMv7. The MS425 runs the same firmware release (switch-arm) as the MS210/MS225/MS250 series.

PCI devices present:

00:00.0 PCI bridge: Broadcom Inc. and subsidiaries Device 8025 (rev 12)
01:00.0 Ethernet controller: Broadcom Inc. and subsidiaries Device b854 (rev 03)

The Broadcom SDK series implements the packet engine in userspace, using the GPL-licensed linux_kernel_bde and linux_user_bde kernel modules to interface with the ASIC. In the Meraki firmware, the packet engine is a component of the userspace click daemon, which loads the bcm_click shared object during click router initialisation.

Similar to the MS420, the three 40mm system fans in the MS425 are controlled by an onsemi ADT7473 (PDF datasheet). The MS425 fans have a Meraki part number: MA-FAN-18K (P/N 680-29010) and contain the Delta FFB0412UHN-C (PDF datasheet). These are identical to the Cisco FAN-T1, which can be purchased for considerably less than the Meraki branded part.

The MS425 accepts two hot-swap power supplies (model MA-PWR-250WAC, P/N 640-20010), which in my units are Delta model DPS-250AB-86 with 12V/20.83A output. Note that the MA-PWR-250WAC is physically and electrically compatible with PWR-C2-250WAC. Higher wattage power supplies like the PWR-C2-640WAC and PWR-C2-1025WAC will also power the MS425.

Idle power consumption:
MS425-16: 72W
MS425-32: 78W

Interesting to note is that the Trident II ASIC found in the MS425 supports VxLAN, however this feature is absent from Meraki’s datasheet and does not appear to be supported by their firmware. Apart from 40Gbit stacking ports, there is not much to be gained from the Trident II in the MS425 over the Trident+ in the MS420: idle power consumption is slightly lower, and it is still supported (see note below).

Meraki have chosen to EoL all of their Broadcom based switches. Being a Broadcom design, the MS425 was axed from the product portfolio on 2024-06-24. The MS425 will continue to receive limited software support from Meraki until Q3 2029. Big “we cancelled all our contracts with Broadcom and are now a Marvell/Catalyst shop” energy.

The GPL source code for the MS425 was requested from Meraki in December 2023, and at the time of writing Meraki has not provided any of the requested source code.

“[F]ulfilling your requests are an important priority for [Meraki]” so I am sure they will comply with their license obligations… Any day now… Just wait for it… It is almost as if they know that providing the GPL source code would enable people to re-use claimed/EOL products and are avoiding doing that. 🤔

Model Meraki Board Part number
MS425-16 Hungry Hungry Hippo 600-45010
MS425-32 Hungry Hungry Hippo 600-45015, 600-45020

Meraki MG21 hardware overview and secure boot bypass

Leave a reply

The Meraki MG21, introduced in 2019, is a Cat 6 LTE gateway intended for fail-over connectivity. It features a soldered modem module and either two internal (MG21) or two external (MG21E) antennas.

Meraki MG21 LTE gateway

Here is a summary of the MG21 specs:

  • Qualcomm IPQ4029 (ARM A7, 4 cores @ ~700MHz)
  • 512MB DDR3 RAM (soldered)
  • 128MB of NAND flash (Winbond W29N01HV)
  • Cinterion PLAS9-X LTE Cat 6 modem module (LCC, soldered)
  • Gigabit Ethernet (x2, QCA8072 PHY)
  • Nano-SIM slot

There are no screws holding the MG21 together, the case is glued. As Meraki used glue and not adhesive to hold the MG21 together, heat does not help in opening the device. To open the MG21/MG21E: guitar picks and Isopropyl alcohol are recommended, with a lot of patience.

Opening the MG21 with guitar picks and Isopropyl alcohol

The 3.3V UART header in the MG21 is J5, which is unpopulated, and follows the standard Meraki pinout (1: VCC, 2: Tx, 3: Rx, 4: GND) with a 115200 baud rate. It looks like Meraki may have planned to ship the MG21 with an integrated u-blox module (U22), however on my production units the module is absent.

540-00144-01 48RLEQ01.0GA 2019.08.22

With the summary aside, let us focus on the secure boot status of the device. For context, see Breaking secure boot on the Meraki Z3 and Meraki Go GX20.

U-Boot 2017.07-RELEASE-gf49d105aeb-dirty (Jul 13 2020 - 11:22:51 -0700)

DRAM:  242 MiB
machid : 0x8010001
Product: meraki_Tie_Fighter
NAND:  ONFI device found
128 MiB
Using default environment

In:    serial
Out:   serial
Err:   serial
machid: 8010001
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=0", size 112 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 896, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 4, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 235/60, WL threshold: 4096, image sequence number: 2046230850
ubi0: available PEBs: 157, total reserved PEBs: 739, PEBs reserved for bad PEB handling: 20


Secure boot enabled.

Read 0 bytes from volume part.safe to 84000000
No size specified -> Using max size (29196288)
Valid image
## Loading kernel from FIT Image at 84000028 ...

Foreshadowing: You will notice that this output is very similar to that of the Z3 and GX20.

Unfortunately changing the EEPROM value to the MR33 (stinkbug) does not work, because Meraki have removed support for the legacy non-secure boot devices from recent U-Boot builds:

U-Boot 2017.07-RELEASE-gf49d105aeb-dirty (Jul 13 2020 - 11:22:51 -0700)

DRAM:  242 MiB
machid : 0x8010001
No product detected! (Major Number 30)
NAND:  ONFI device found
128 MiB
Using default environment

In:    serial
Out:   serial
Err:   serial
machid: 8010001
ubi0: attaching mtd1
(...)

Secure boot enabled.

Removing the BGA NAND and replacing the u-boot region with a dump of the Z3 2018 U-Boot build, U-Boot is still performing signature validation:

U-Boot 2017.07-RELEASE-g39cabb9bf3 (May 24 2018 - 14:07:32 -0700)

DRAM:  242 MiB
machid : 0x8010001
NAND:  ONFI device found
128 MiB
Using default environment

(...)

Secure boot enabled.

The reason for this is that the EEPROM is not found. But why? We have a clue from the stock bootlog of the device:

[   15.287320] i2c /dev entries driver
[   15.302889] at24 0-0056: 8192 byte 24c64 EEPROM, writable, 32 bytes/write

The EEPROM in the MG21 has the address 0x56 instead of 0x50 as on the Z3. This causes the downgraded Z3 U-Boot build to not detect the EEPROM.

The Meraki Go GR10 (Maggot) also has the EEPROM at address 0x56:

struct eeprom_i2c_config
{
	uint16_t gpio_scl;
	uint16_t gpio_scl_func;
	uint16_t gpio_sda;
	uint16_t gpio_sda_func;
	uint16_t eeprom_addr;
};
/* valid eeprom configuration for insects */
static const struct eeprom_i2c_config valid_eeprom_i2c_config[] = {
    { 20, 1, 21, 1, 0x50 }, // Stinkbug, Ladybug, Noisy Cricket
    { 10, 4, 11, 4, 0x56 }, // Maggot
};

However, the GR10 uses different GPIO pins to access the EEPROM.

I do not have the U-Boot source code of the MG21 to review (see endnote). Lacking the U-Boot source code, we can hexdump the Z3 and MG21 U-Boot regions from the flash dumps and compare.

Z3:

00044360  0f 00 14 00 01 00 15 00  01 00 50 00 0a 00 04 00  |..........P.....|
00044370  0b 00 04 00 56 00 00 00  00 f0 f4 a1 ea ea fb 01  |....V...........|

MG21:

000452f0  0f 00 14 00 01 00 15 00  01 00 50 00 14 00 01 00  |..........P.....|
00045300  15 00 01 00 56 00 00 00  00 f0 f4 a1 ea ea fb 01  |....V...........|

Decoding the structs from the hexdump we can infer the C source code used in the MG21 U-Boot build:

static const struct eeprom_i2c_config valid_eeprom_i2c_config[] = {
    { 20, 1, 21, 1, 0x50 }, // Fuzzy Cricket, Fairyfly, Heart of Gold
    { 20, 1, 21, 1, 0x56 }, // Tie Fighter
};

The only difference between the MG21 and Z3 is in the EEPROM address, the GPIO configuration remains the same.

Reviewing the datasheet of the at24 EEPROM, we can see that the address is set by the first 3 pins (A0-A2) being pulled to ground or Vcc. Since the EEPROM has the address 0x56, that must correspond to the bitmask 110 or: A0: 0, A1: Vcc, A2: Vcc.

After some verification on the PCB, removing the surface mount resistor R50 (4.7k) above U6 will remove Vcc from A1 and A2, changing the EEPROM address from 0x56 to 0x50.

The signed Z3 2018 U-Boot build now properly detects the EEPROM at address 0x50 and disables signature validation on the payload.

The chain-loaded U-Boot I used as a proof-of-concept is based on the Z3 GPL source code provided by Meraki in 2021, which does not include support for the MG21. Networking is non-functional, which makes further development challenging as images must be (slowly) transferred via UART.

Some readers may be wondering about the MG41. This secure boot bypass does not work on the MG41.

Meraki has signed the MG41 bootloader with a unique device certificate (x-wing), so cross-flashing U-Boot from another device such as the Z3 will not work.

Although the FCC internal photos of the MG41 show both NAND and EMMC, the production MG41 has only EMMC present. The boot_meraki_qca function has been re-written as boot_meraki_mmc_qca. During this re-write, Meraki removed the vulnerable switch statement that aborts enforcing signature validation on legacy products.

tl;dr

  1. MG21 uses the same device signing certificate as the Z3 and GX20
  2. Overwrite u-boot on NAND with dump from Z3 running 2018 release
  3. Change Product ID in EEPROM to device without secure boot (MR33)
  4. Desolder R50 to change EEPROM address

The MG41 is not vulnerable to this technique.

Model Meraki Board Part number
MG21 Tie Fighter 600-89010
MG21E Tie Fighter 600-89010
MG41 X-Wing 600-119020
MG41E X-Wing 600-119010

There is still a long road ahead to support the MG21 with any custom firmware such as OpenWrt. Downgrading U-Boot on the device is not easy due to the weather proofing of the device, and the use of BGA NAND.

The GPL source code for the MG21 and MG41 was requested from Meraki in April 2024. At the time of writing Meraki has not provided any of the requested source code.

Meraki announced the end of sale of the MG21 and MG41 in March 2024, and stopped selling the MG21 and MG41 on 2024-09-18.