MS120-8LP Compatibility

[Coolguy3289]

Would this work for a Meraki MS120 8 port switch?

[halmartin]

I don't have the GPL archive for this hardware as I don't own it. Could you please request it from open-source@meraki.com?

[Coolguy3289]

I've sent the email, waiting on a reply

[Coolguy3289]

Got the reply!

https://dl.meraki.net/switch-12-28-ms120-20201028.tar.bz2

Instructions for building the OpenWRT source code and the Linux kernel for the MS120 are below.

After downloading and unpacking the tarball:

To build OpenWRT firmware:

cd meraki-firmware/openwrt
cp config-arm-mrvl-4.4 .config
make oldconfig
make -j1 BOARD=arm-mrvl-4.4 OPENWRT_EXTRA_BOARD_SUFFIX=_mrvl_4.4

To build Linux-4.4 kernel:

cd meraki-firmware/linux-4.4
cp ../openwrt/target/linux/switch-arm-mrvl-4.4/config .config
make CROSS_COMPILE=../openwrt/staging_dir_arm_mrvl_4.4/bin/arm-unknown-linux-uclibcgnueabihf- ARCH=arm oldconfig
make CROSS_COMPILE=../openwrt/staging_dir_arm_mrvl_4.4/bin/arm-unknown-linux-uclibcgnueabihf- ARCH=arm prepare
touch rootlist
make CROSS_COMPILE=../openwrt/staging_dir_arm_mrvl_4.4/bin/arm-unknown-linux-uclibcgnueabihf- ARCH=arm vmlinux

[halmartin]

Thanks a lot! It would appear the MS120 is Marvell ARM based, while the MS220 is Vitesse MIPS based. Since they are completely different switching ASICs, the current firmware is not applicable to the MS120.

Could you provide the factory boot log for your device? This will require opening the device and locating the uart header. The uart baud rate is 115200n8.

Support may be possible, but more information on the bootloader and exact SoC used in the MS120 are needed before a determination can be made.

I have mirrored the source code you provided in switch-12-28-ms120

[halmartin]

I found an eBay seller with photos of the internals of the MS120-8LP and MS120-8FP. There is a visible Marvell PHY in the photos

MS120-8LP:

MS120-8FP:

[halmartin]

With some regret (who pays 12€/port for Gigabit in 2020?) I bought an MS120-8~LP~.

I will update this with more information on the hardware, software, and possible support status when it arrives.

[Coolguy3289]

Yeah, I got mine as a Promo from Cisco, else I wouldn't have gotten one.

[halmartin]

Here is a high resolution photo of the MS120-8-HW (non-PoE model, apparently I can't read eBay descriptions):

The UART is header J16 with the following pinout: 1: VCC 2: Rx 3: Tx 4: GND

Pin 1 is closest to the SFP cage.

Here is the bootlog:

BootROM 1.41
Booting from SPI flash

General initialization - Version: 1.0.0
Serdes initialization - Version: 1.0.2
mvCtrlPexPolaritySet: TWSI Write failed, leaving PEX polarity in EP mode
PEX: pexIdx 0, detected no link
DDR3 Training Sequence - Ver TIP-1.18.0
DDR3 Training Sequence - Ended Successfully 
BootROM: Image checksum verification PASSED
 __   __                      _ _
|  \/  | __ _ _ ____   _____| | |
| |\/| |/ _` | '__\ \ / / _ \ | |
| |  | | (_| | |   \ V /  __/ | |
|_|  |_|\__,_|_|    \_/ \___|_|_|
         _   _     ____              _
        | | | |   | __ )  ___   ___ | |_ 
        | | | |___|  _ \ / _ \ / _ \| __| 
        | |_| |___| |_) | (_) | (_) | |_ 
         \___/    |____/ \___/ \___/ \__| 
 ** LOADER **

U-Boot 2013.01_Kelpie_vKP100b2-g7d5c2a6d0e (Sep 22 2017 - 12:05:53) Marvell version: 2014_T3.0_eng_dropv6

Board: ALLEYCAT3-Customer-Board-0
SoC:   Alleycat3
CPU:   Marvell PJ4B (584) v7 (Rev 2) LE
       CPU    @ 400 [MHz]
       L2     @ 200 [MHz]
       TClock @ 200 [MHz]
       DDR    @ 400 [MHz]
       DDR 32Bit Width, FastPath Memory Access, DLB Enabled
       DDR ECC Disabled
DRAM:  512 MiB

Map:   Code:        0x1fd3b000:0x1fe163b8
       BSS:     0x1fe6f86c
       Stack:       0x1f9baef0
       Heap:        0x1f9bb000:0x1febb000

NAND:  256 MiB
MMC:   MRVL_MMC: 0
Using default environment

PCI-e 0: Detected No Link.
FPU initialized to Run Fast Mode.
USB2.0 0: Host Mode
Port0: phyAddr=0x1, Not Marvell PHY id1 ffff id2 ffff
PHY error - shutdown port0
mvEthPhyRegWrite: Err. Illegal phy address 0x30
Port1: phyAddr=0x30 -  phy set page 0 failed
PHY error - shutdown port1
Net:   No ethernet found.
SoC         : Alleycat3
CPU         : Marvell PJ4B (584) v7 (Rev 2) LE
DDR         : 32Bit Width, FastPath Memory Access, DLB Enabled , ECC Disabled
NAND        : id da01, 49 MiB
U-Boot VER  : U-Boot 2013.01_Kelpie_vKP100b2-g7d5c2a6d0e

 Found SKU in EEPROM as: 61010Hit any key to stop autoboot:  0 
gpio: pin 7 (gpio 7) value is 0, INTER_REGS_BASE = f1000000
gpio: pin 8 (gpio 8) value is 1, INTER_REGS_BASE = f1000000
Creating 1 MTD partitions on "nand0":
0x000000800000-0x000010000000 : "mtd=1"
UBI: attaching mtd1 to ubi0
UBI: physical eraseblock size:   131072 bytes (128 KiB)
UBI: logical eraseblock size:    126976 bytes
UBI: smallest flash I/O unit:    2048
UBI: VID header offset:          2048 (aligned 2048)
UBI: data offset:                4096
UBI: attached mtd1 to ubi0
UBI: MTD device name:            "mtd=1"
UBI: MTD device size:            248 MiB
UBI: number of good PEBs:        1976
UBI: number of bad PEBs:         8
UBI: max. allowed volumes:       128
UBI: wear-leveling threshold:    4096
UBI: number of internal volumes: 1
UBI: number of user volumes:     4
UBI: available PEBs:             1152
UBI: total number of reserved PEBs: 824
UBI: number of PEBs reserved for bad PEB handling: 19
UBI: max/mean erase counter: 44/27
## Starting application at 0x0C100000 ...

----Security Versions----
SecureBoot:  R03.11b39af022017-07-25
SB Core:     F01114R18.1680555472017-07-12
Microloader: MG0008R01.0103302017

----SecureBoot Registers----
system_invalid:            0
boot_check_count_error:    0
boot_done:                 1
boot_ok:                   1
boot_check_count_golden:   0
boot_check_count_upgrade:  2
boot_status_golden:        0
boot_status_upgrade:       1
first_bootloader:          1

----Upgrade----
boot_error:                0
boot_check_count_error_vc: 0
boot_check_count_error:    0
boot_timeout_vc:           0
boot_timeout:              0
boot_cs_good:              1
boot_config_error:         0
boot_version_error:        0
boot_config_error_code:    0
boot_error_code:           0
boot_cs_good:              1
boot_version_error:        0
boot1_cs_key_type:         1
boot1_cs_return_code:      0
boot1_cs_key_index:        5
boot2_cs_return_code:      0
boot2_cs_key_index:        5
boot2_cs_key_type:         1

----Other Registers----
fpga_version:      001b

Reading whitelist from TAM
whitelist.bin: 1252 bytes

Converting whitelist to signature fdt
KELPIE-BL_LDWM-rel
switch-arm-mrvl-RT-SECP384R1_1-rel
switch-arm-mrvl-RT-RSA3072_1-rel
switch-arm-mrvl-OD-SECP384R1_1-rel
switch-arm-mrvl-AP-SECP384R1_1-rel
wrote 574 bytes to 0c130000
## Application terminated, rc = 0x0
## Starting application at 0x0C100000 ...
bootselect
## Application terminated, rc = 0x0
Read 0 bytes from volume part.safe to 02000000
No size specified -> Using max size (18681856)
## Booting kernel from FIT Image at 02000000 ...
   Using 'kelpie-8' configuration
   Verifying Hash Integrity ... sha384,secp384r1:switch-arm-mrvl-RT-SECP384R1_1-rel+ OK
   Trying 'kernel@1' kernel subimage
     Description:  Kernel
     Type:         Kernel Image
     Compression:  uncompressed
     Data Start:   0x02000128
     Data Size:    2215824 Bytes = 2.1 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x00008000
     Entry Point:  0x00008000
     Hash algo:    sha1
     Hash value:   b4bb0c0c99d6dbe79ffec11660a570e1d13529e4
   Verifying Hash Integrity ... sha1+ OK
## Loading init Ramdisk from FIT Image at 02000000 ...
   Using 'kelpie-8' configuration
   Trying 'ramdisk@1' ramdisk subimage
     Description:  Ramdisk
     Type:         RAMDisk Image
     Compression:  Unknown Compression
     Data Start:   0x0221d19c
     Data Size:    16386576 Bytes = 15.6 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x00000000
     Entry Point:  0x00000000
     Hash algo:    sha1
     Hash value:   b8218a11fc40cb87e461cbbc987125c3797fdd3d
   Verifying Hash Integrity ... sha1+ OK
## Flattened Device Tree from FIT Image at 02000000
   Using 'kelpie-8' configuration
   Trying 'fdt@kelpie-8' FDT blob subimage
     Description:  Kelpie-8 Device Tree
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x031bdca0
     Data Size:    14017 Bytes = 13.7 KiB
     Architecture: ARM
     Hash algo:    sha1
     Hash value:   111ff92dfb28b3b6b166f12969df67052544f011
   Verifying Hash Integrity ... sha1+ OK
   Loading FDT from 0x031bdca0 to 0x00000000
   Booting using the fdt blob at 0x00000000
   Loading Kernel Image ... OK
OK
   Loading Ramdisk to 1ea18000, end 1f9b8a10 ... OK
   Loading Device Tree to 00ff9000, end 00fff6c0 ... OK
gpio: pin 5 (gpio 5) value is 0, INTER_REGS_BASE = f1000000
FFFFFFFFFF

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] Linux version 4.4.174-devel-16.06.1 (jenkins@dal248.meraki.com) (gcc version 5.4.0 (GCC) ) #2 SMP Tue Aug 25 01:03:15 UTC 2020
[    0.000000] CPU: ARMv7 Processor [562f5842] revision 2 (ARMv7), cr=10c5387d
[    0.000000] CPU: PIPT / VIPT nonaliasing data cache, PIPT instruction cache
[    0.000000] Machine model: Meraki Kelpie
[    0.000000] bootconsole [earlycon0] enabled
[    0.000000] Memory policy: Data cache writealloc
[    0.000000] PERCPU: Embedded 11 pages/cpu @dfbce000 s13324 r8192 d23540 u45056
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 130048
[    0.000000] Kernel command line: console=ttyS0,115200n81 earlyprintk=ttyS0,115200n81 ubi.mtd=ubi
[    0.000000] PID hash table entries: 2048 (order: 1, 8192 bytes)
[    0.000000] Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
[    0.000000] Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
[    0.000000] Memory: 497356K/524288K available (4350K kernel code, 205K rwdata, 1252K rodata, 260K init, 118K bss, 26932K reserved, 0K cma-reserved, 0K highmem)
[    0.000000] Virtual kernel memory layout:
[    0.000000]     vector  : 0xffff0000 - 0xffff1000   (   4 kB)
[    0.000000]     fixmap  : 0xffc00000 - 0xfff00000   (3072 kB)
[    0.000000]     vmalloc : 0xe0800000 - 0xff800000   ( 496 MB)
[    0.000000]     lowmem  : 0xc0000000 - 0xe0000000   ( 512 MB)
[    0.000000]     pkmap   : 0xbfe00000 - 0xc0000000   (   2 MB)
[    0.000000]     modules : 0xbf000000 - 0xbfe00000   (  14 MB)
[    0.000000]       .text : 0xc0008000 - 0xc0580df0   (5604 kB)
[    0.000000]       .init : 0xc0581000 - 0xc05c2000   ( 260 kB)
[    0.000000]       .data : 0xc05c2000 - 0xc05f5550   ( 206 kB)
[    0.000000]        .bss : 0xc05f5550 - 0xc06130e4   ( 119 kB)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] Hierarchical RCU implementation.
[    0.000000]  Build-time adjustment of leaf fanout to 32.
[    0.000000]  RCU restricting CPUs from NR_CPUS=4 to nr_cpu_ids=1.
[    0.000000] RCU: Adjusting geometry for rcu_fanout_leaf=32, nr_cpu_ids=1
[    0.000000] NR_IRQS:16 nr_irqs:16 16
[    0.000000] Aurora cache controller enabled, 8 ways, 512 kB
[    0.000000] Aurora: CACHE_ID 0x00000100, AUX_CTRL 0x1a68e712
[    0.000000] CPU freq select unsupported 0
[    0.000000] Switching to timer-based delay loop, resolution 40ns
[    0.000014] sched_clock: 32 bits at 25MHz, resolution 40ns, wraps every 85899345900ns
[    0.007913] clocksource: armada_370_xp_clocksource: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 76450417870 ns
[    0.019281] Calibrating delay loop (skipped), value calculated using timer frequency.. 50.00 BogoMIPS (lpj=250000)
[    0.029742] pid_max: default: 32768 minimum: 301
[    0.034597] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.041300] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.049269] CPU: Testing write buffer coherency: ok
[    0.054543] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
[    0.060376] Setting up static identity map for 0x82c0 - 0x8318
[    0.066835] mvebu-soc-id: MVEBU SoC ID=0xFC00, Rev=0x4
[    0.072348] mvebu-pmsu: Initializing Power Management Service Unit
[    0.080096] Brought up 1 CPUs
[    0.083154] SMP: Total of 1 processors activated (50.00 BogoMIPS).
[    0.089429] CPU: All CPU(s) started in SVC mode.
[    0.095034] devtmpfs: initialized
[    0.105777] VFP support v0.3: implementor 56 architecture 2 part 20 variant 9 rev 6
[    0.113986] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.123921] futex hash table entries: 256 (order: 2, 16384 bytes)
[    0.130810] pinctrl core: initialized pinctrl subsystem
[    0.137482] NET: Registered protocol family 16
[    0.142490] DMA: preallocated 256 KiB pool for atomic coherent allocations
[    0.159377] pstore: Registered ramoops as persistent store backend
[    0.165634] ramoops: attached 0x10000@0x1fff0000, ecc: 0/0
[    0.174084] hw-breakpoint: Debug register access (0xee003e17) caused undefined instruction on CPU 0
[    0.183185] hw-breakpoint: CPU 0 failed to disable vector catch
[    0.217447] usbcore: registered new interface driver usbfs
[    0.223231] usbcore: registered new interface driver hub
[    0.228702] usbcore: registered new device driver usb
[    0.238199] clocksource: Switched to clocksource armada_370_xp_clocksource
[    0.252829] NET: Registered protocol family 2
[    0.258196] TCP established hash table entries: 4096 (order: 2, 16384 bytes)
[    0.265475] TCP bind hash table entries: 4096 (order: 3, 32768 bytes)
[    0.272094] TCP: Hash tables configured (established 4096 bind 4096)
[    0.278584] UDP hash table entries: 256 (order: 1, 8192 bytes)
[    0.284537] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[    0.291162] NET: Registered protocol family 1
[    0.297800] Unpacking initramfs...
[    0.927264] Freeing initrd memory: 16004K
[    0.931767] hw perfevents: enabled with armv7_cortex_a9 PMU driver, 7 counters available
[    0.942328] Initialise system trusted keyring
[    0.969686] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.975609] fuse init (API version 7.23)
[    0.990445] NET: Registered protocol family 38
[    0.994998] Key type asymmetric registered
[    0.999243] Asymmetric key parser 'x509' registered
[    1.004250] io scheduler noop registered
[    1.008259] io scheduler deadline registered
[    1.012711] io scheduler cfq registered (default)
[    1.020130] msys-pinctrl f1018000.pinctrl: registered pinctrl driver
[    1.027640] irq: Cannot allocate irq_descs @ IRQ35, assuming pre-allocated
[    1.035071] irq: Cannot allocate irq_descs @ IRQ67, assuming pre-allocated
[    1.043609] mvebu-pcie soc:pcie-controller: PCI host bridge to bus 0000:00
[    1.050614] pci_bus 0000:00: root bus resource [io  0x1000-0xfffff]
[    1.056957] pci_bus 0000:00: root bus resource [mem 0xe8000000-0xefdfffff]
[    1.063925] pci_bus 0000:00: root bus resource [bus 00-ff]
[    1.069629] pci 0000:00:01.0: BAR 4 size: [??? 0x00000000 flags 0x0] is corrupted - skipping
[    1.078130] pci 0000:00:01.0: BAR 2 size: [??? 0x00000000 flags 0x0] is corrupted - skipping
[    1.087069] PCI: bus0: Fast back to back transfers disabled
[    1.092744] pci 0000:00:01.0: bridge configuration invalid ([bus 00-00]), reconfiguring
[    1.101091] PCI: bus1: Fast back to back transfers enabled
[    1.106716] pci 0000:00:01.0: PCI bridge to [bus 01]
[    1.112173] mv_xor f10f0800.xor: Marvell shared XOR driver
[    1.161069] mv_xor f10f0800.xor: Marvell XOR (Registers Mode): ( xor cpy intr )
[    1.169585] Serial: 8250/16550 driver, 4 ports, IRQ sharing disabled
[    1.180053] console [ttyS0] disabled
[    1.203929] f1012000.serial: ttyS0 at MMIO 0xf1012000 (irq = 21, base_baud = 12500000) is a 16550A
[    1.212997] console [ttyS0] enabled
[    1.212997] console [ttyS0] enabled
[    1.220120] bootconsole [earlycon0] disabled
[    1.220120] bootconsole [earlycon0] disabled
[    1.244461] loop: module loaded
[    1.248311] pxa3xx-nand f10d0000.nand: This platform can't do DMA on this device
[    1.257593] nand: device found, Manufacturer ID: 0x01, Chip ID: 0xda
[    1.264066] nand: AMD/Spansion S34ML02G2
[    1.268025] nand: 256 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 128
[    1.275790] pxa3xx-nand f10d0000.nand: ECC strength 16, ECC step size 2048
[    1.283215] Bad block table found at page 131008, version 0x01
[    1.289652] Bad block table found at page 130944, version 0x01
[    1.296174] 7 ofpart partitions found on MTD device pxa3xx_nand-0
[    1.302358] Creating 7 MTD partitions on "pxa3xx_nand-0":
[    1.307802] 0x000000000000-0x000000020000 : "sig0"
[    1.314925] 0x000000020000-0x000000120000 : "ddrInit0"
[    1.322561] 0x000000120000-0x000000320000 : "uboot0"
[    1.330037] 0x000000320000-0x000000420000 : "ddrInit1"
[    1.337610] 0x000000420000-0x000000620000 : "uboot1"
[    1.345129] 0x000000700000-0x000000720000 : "sig1"
[    1.352659] 0x000000800000-0x000010000000 : "ubi"
[    1.366368] libphy: Fixed MDIO Bus: probed
[    1.370628] tun: Universal TUN/TAP device driver, 1.6
[    1.375717] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
[    1.384930] libphy: orion_mdio_bus: probed
[    1.393075] mvneta f1070000.ethernet eth0: Using random mac address 76:f0:cb:XX:XX:XX
[    1.401295] PPP generic driver version 2.4.2
[    1.408514] PPP BSD Compression module registered
[    1.413371] PPP Deflate Compression module registered
[    1.418488] NET: Registered protocol family 24
[    1.423209] usbcore: registered new interface driver asix
[    1.428750] usbcore: registered new interface driver ax88179_178a
[    1.434980] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    1.441587] ehci-pci: EHCI PCI platform driver
[    1.446200] ehci-orion: EHCI orion driver
[    1.450531] orion-ehci f1050000.usb: EHCI Host Controller
[    1.456010] orion-ehci f1050000.usb: new USB bus registered, assigned bus number 1
[    1.463814] orion-ehci f1050000.usb: irq 27, io mem 0xf1050000
[    1.489035] orion-ehci f1050000.usb: USB 2.0 started, EHCI 1.00
[    1.496490] hub 1-0:1.0: USB hub found
[    1.500631] hub 1-0:1.0: 1 port detected
[    1.505492] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[    1.513072] rtc-mv f1010300.rtc: rtc core: registered f1010300.rtc as rtc0
[    1.520278] i2c /dev entries driver
[    1.525469] at24 0-0057: 8192 byte 24c64 EEPROM, writable, 32 bytes/write
[    1.536705] orion_wdt: Initial timeout 171 sec
[    1.542767] i2c i2c-0: mv64xxx_i2c_fsm: Ctlr Error -- state: 0x6, status: 0x0, addr: 0x32, flags: 0x0
[    1.600015] lp5521 0-0032: internal clock used
[    1.608902] lp5521 0-0032: lp5521 programmable led chip found
[    1.617123] usbcore: registered new interface driver usbhid
[    1.622786] usbhid: USB HID core driver
[    1.628413] meraki-config board-data: Meraki config device loaded
[    1.634993] cisco-act-spi spi0.0: FPGA bus set to secondary
[    1.640890] cisco-act-spi spi0.0: Multiboot timer disabled
[    1.646942] Initializing XFRM netlink socket
[    1.653212] NET: Registered protocol family 10
[    1.660359] NET: Registered protocol family 17
[    1.664881] NET: Registered protocol family 15
[    1.669457] l2tp_core: L2TP core driver, V2.0
[    1.673870] l2tp_ppp: PPPoL2TP kernel driver, V2.0
[    1.678703] 8021q: 802.1Q VLAN Support v1.8
[    1.683087] ThumbEE CPU extension supported.
[    1.687411] Registering SWP/SWPB emulation handler
[    1.693750] Loading compiled-in X.509 certificates
[    1.718548] Loaded X.509 cert 'Cisco Meraki: Auto-generated kernel signing key: d871c14fc68bc00b2ff5de9760011b9fc460bd87'
[    1.733797] input: sfp-bus:gpio-buttons as /devices/platform/sfp-bus/sfp-bus:gpio-buttons/input/input0
[    1.745604] i2c i2c-0: Added multiplexed i2c bus 1
[    1.751414] i2c i2c-0: Added multiplexed i2c bus 2
[    1.756252] i2c-mux-gpio i2c-mux: 2 port mux on mv64xxx_i2c adapter adapter
[    1.764139] ubi0: attaching mtd6
[    2.278612] random: nonblocking pool is initialized
[    2.763101] ubi0: scanning is finished
[    2.780414] ubi0: attached mtd6 (name "ubi", size 248 MiB)
[    2.785949] ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[    2.792924] ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[    2.799782] ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
[    2.806789] ubi0: good PEBs: 1976, bad PEBs: 8, corrupted PEBs: 0
[    2.812943] ubi0: user volume: 4, internal volumes: 1, max. volumes count: 128
[    2.820231] ubi0: max/mean erase counter: 44/27, WL threshold: 4096, image sequence number: 1203951280
[    2.829612] ubi0: available PEBs: 1139, total reserved PEBs: 837, PEBs reserved for bad PEB handling: 32
[    2.839229] ubi0: background thread "ubi_bgt0d" started, PID 539
[    2.855450] rtc-mv f1010300.rtc: hctosys: unable to read the hardware clock
[    2.867875] devtmpfs: mounted
[    2.871932] Freeing unused kernel memory: 260K

init started: BusyBox v1.29.0 (2020-08-25 00:26:38 UTC)
[    4.017453] UBIFS (ubi0:2): background thread "ubifs_bgt0_2" started, PID 684
[    4.056383] UBIFS (ubi0:2): recovery needed
[    4.146115] UBIFS (ubi0:2): recovery completed
[    4.150768] UBIFS (ubi0:2): UBIFS: mounted UBI device 0, volume 2, name "storage"
[    4.158305] UBIFS (ubi0:2): LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[    4.168307] UBIFS (ubi0:2): FS size: 51171328 bytes (48 MiB, 403 LEBs), journal size 2539520 bytes (2 MiB, 20 LEBs)
[    4.178819] UBIFS (ubi0:2): reserved for root: 2416947 bytes (2360 KiB)
[    4.185500] UBIFS (ubi0:2): media format: w4/r0 (latest is w4/r0), UUID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX, small LPT model
WARNING! THIS CONSOLE IS LOGGED! UNAUTHORIZED ACCESS FORBIDDEN!
<Meraki> [   13.603781] ip_local_port_range: prefer different parity for start/end values.
[   13.736570] ICMPv6: process `sysctl' is using deprecated sysctl (syscall) net.ipv6.neigh.default.base_reachable_time - use net.ipv6.neigh.default.base_reachable_time_ms instead
[   13.766235] nr_pdflush_threads exported in /proc is scheduled for removal
[   20.477004] mvneta f1070000.ethernet mgmt0: renamed from eth0
[   20.751269] IPv6: ADDRCONF(NETDEV_UP): mgmt0: link is not ready
[   20.757469] device mgmt0 entered promiscuous mode
[   21.036639] mvDmaDrv: loading out-of-tree module taints kernel.
[   21.043375] Got dynamic major for mvDmaDrv: 251
[   21.133880] Got dynamic major for mvIntDrv: 250
[   21.223873] Got dynamic major for mvMbusDrv: 249
[   22.748966] mvneta f1070000.ethernet mgmt0: Link is Up - 1Gbps/Full - flow control off
[   22.756977] IPv6: ADDRCONF(NETDEV_CHANGE): mgmt0: link becomes ready
[   74.256993] remap_pfn_range(phys=0xf8000000, PAGE_SHIFT=c, 0xb27e2000, 0xf8000, 0x4000000, 0x703)
[   74.289003] remap_pfn_range(phys=0x84000000, PAGE_SHIFT=c, 0xb27d2000, 0x84000, 0x10000, 0x703)
[   74.297810] remap_pfn_range(phys=0x80000000, PAGE_SHIFT=c, 0xb27c2000, 0x80000, 0x10000, 0x703)
[   75.877327] remap_pfn_range(phys=0xf8000000, PAGE_SHIFT=c, 0xb27de000, 0xf8000, 0x4000000, 0x703)
[   75.909098] remap_pfn_range(phys=0x84000000, PAGE_SHIFT=c, 0xb27ce000, 0x84000, 0x10000, 0x703)
[   75.917913] remap_pfn_range(phys=0x80000000, PAGE_SHIFT=c, 0xb27be000, 0x80000, 0x10000, 0x703)
[   77.339826] !!!!! {/usr/bin/led_ssi} open failed for "/click/sw0_ctrl/led_mode", error: No such file or directory
[   80.565891] remap_pfn_range(phys=0xf8000000, PAGE_SHIFT=c, 0xb2783000, 0xf8000, 0x4000000, 0x703)
[   80.589050] remap_pfn_range(phys=0x84000000, PAGE_SHIFT=c, 0xb2773000, 0x84000, 0x10000, 0x703)
[   80.597866] remap_pfn_range(phys=0x80000000, PAGE_SHIFT=c, 0xb2763000, 0x80000, 0x10000, 0x703)
[  108.589620] !!!!! {/usr/bin/led_ssi} open failed for "/click/sw0_ctrl/led_mode", error: No such file or directory
[  109.410434] remap_pfn_range(phys=0xf1000000, PAGE_SHIFT=c, 0xb4659000, 0xf1000, 0x100000, 0x703)
[  109.429520] remap_pfn_range(phys=0xf8000000, PAGE_SHIFT=c, 0xb0659000, 0xf8000, 0x4000000, 0x703)
[  109.449006] remap_pfn_range(phys=0xfc000000, PAGE_SHIFT=c, 0xb0559000, 0xfc000, 0x100000, 0x703)
[  109.457971] remap_pfn_range(phys=0x80000000, PAGE_SHIFT=c, 0xb0549000, 0x80000, 0x10000, 0x703)
[  109.488956] remap_pfn_range(phys=0x84000000, PAGE_SHIFT=c, 0xb0539000, 0x84000, 0x10000, 0x703)
[  109.497866] mvDmaDrv_open(file=df327300) data=df191900
[  109.518962] mvDmaDrv_mmap(file=df327300) data=df191900
[  109.526317] dma_alloc_coherent() virt=e1901000 dma=0x1a800000
[  109.532227] m->phys=0x1a800000
[  109.535318] remap_pfn_range(phys=0x1a800000 vm_start=0xb0339000, vm_pgoff=0x1a800, vm_size=0x200000, )

[Ordspilleren]

I'm just going to chime in here. Some time ago, I spent a good while trying to flash OpenWrt onto this device. During this effort, I made a couple of interesting finding that may be useful to you.

The SoC appears to be Marvell 98DX3236. This SoC already has support in upstream u-boot. For Marvell devices, you can use a utility called kwboot, which will theoretically allow you to upload a new u-boot version via serial. I believe this will be a possible entry into the device.

During one of my tries uploading a new u-boot to the device via kwboot, I somehow managed to get access to the existing u-boot on the device (I am not sure exactly how, I gave up trying to find a reproduceable way). I never managed to build a version of OpenWrt that would boot however.

If you have any questions, feel free to send them my way, maybe I somehow stumbled upon it in my search 😃

[halmartin]

@Ordspilleren You need to patch kwboot for Armada devices, the default version of kwboot has the correct handshake for Kirkwood, but not Armada.

I previously used these patches to kwboot an Armada 385

Which upstream defconfig did you use for your testing?

[Ordspilleren]

@Ordspilleren You need to patch kwboot for Armada devices, the default version of kwboot has the correct handshake for Kirkwood, but not Armada.

I previously used these patches to kwboot an Armada 385

Which upstream defconfig did you use for your testing?

I tried and compiled many different kwboot versions, including patches for Armada devices. However, I am not an expert, so something may very well have been wrong on my end.

For U-boot, I tried versions related to the mentioned SoC. I should mention this commit, which adds support for an Alleycat3 development board, which is also the exact SoC seen in the boot logs.

I also got the U-boot source from Meraki, which is probably the best place to start. See below.

The U-boot source code for the MS120 you requested is available for download at
https://dl.meraki.net/U-boot-MS120-20191119.tar.bz2

After downloading and uncompressing the tarball, to build the MS120 U-boot:
export CROSS_COMPILE=/path/to/arm32-cross-toolchain
export CROSS_COMPILE_BH=/path/to/arm32-cross-toolchain
cd U-boot.MS120
./build.pl -f nand -b ac3_customer0 -i spi:nand -a -r

[Coolguy3289]

I'll be honest, most if not all of this is over my head, I don't do much with flashing on this level, but I'm glad that I got the conversation started and there is some progress! :)

[halmartin]

I dumped the 32Mbit SPI flash on the board (U28), but it seems to be connected to the SmartFusion and binwalk didn't identify anything in the dump.

Here's the entropy:

It might be the encrypted bitstream for the FPGA in the SmartFusion.

[halmartin]

@Ordspilleren Thanks for the link to the u-boot GPL archive! I was despairing that it had been slightly more than 3 years since the build date of u-boot on my MS120 and I wouldn't expect Meraki to reply.

Because it's so incredibly lame that Meraki does not provide the Marvell toolchain for building u-boot with the source, I wrote a thing to automate building it. You can find that work here.

It will download the Western Digital GPL archive for the EX2100 (which uses the same Marvell u-boot fork and does include the Marvell toolchain, good guy WD 👍) and build u-boot in Docker using the Marvell toolchain.

[halmartin]

So, it seems like we might have a path forward with kwboot, though it dies quite early in the transfer (using u-boot.bin built using the instructions from Meraki):

$ ./kwboot -f -t -B 115200 /dev/ttyUSB0 -b /tmp/u-boot.bin -s 0 -q 1
Sending boot message. Please reboot the target...|
BootROM 1.41
Pattern detecte/ on UART\
BootROM 1.41
Pattern detected on UART\ (Boot)
|
Sending boot image...
  0 % [+++++++++++++++++xmodem: Bad message

The timing to get kwboot to send the boot image is quite difficult to achieve. I'd say 1/10 attempts succeeds as far as uploading the image, the rest sit at Pattern detected on UART indefinitely.

There's a mysterious button on the board (S2) that ~I haven't tried pressing yet~ resets the Marvell ASIC when you press it. Interesting that they're shipping a button on each MS120 that no one will ever touch that resets the ASIC...

[Ordspilleren]

So, it seems like we might have a path forward with kwboot, though it dies quite early in the transfer (using u-boot.bin built using the instructions from Meraki):

$ ./kwboot -f -t -B 115200 /dev/ttyUSB0 -b /tmp/u-boot.bin -s 0 -q 1
Sending boot message. Please reboot the target...|
BootROM 1.41
Pattern detecte/ on UART\
BootROM 1.41
Pattern detected on UART\ (Boot)
|
Sending boot image...
  0 % [+++++++++++++++++xmodem: Bad message

The timing to get kwboot to send the boot image is quite difficult to achieve. I'd say 1/10 attempts succeeds as far as uploading the image, the rest sit at Pattern detected on UART indefinitely.

There's a mysterious button on the board (S2) that ~I haven't tried pressing yet~ resets the Marvell ASIC when you press it. Interesting that they're shipping a button on each MS120 that no one will ever touch that resets the ASIC...

Now that you mention it, I saw this behavior too. I tried different combinations of pressing the button, but no luck.

I have this guide bookmarked where a different approach is used to upload u-boot using Xmodem and a simple bash script. I remember seeing better progress using this, but it never succeeded unfortunately. Maybe it will be useful to you.

[halmartin]

If anyone in the US is interested in poking at the MS120 series, there's currently an MS120-24 on eBay for cheap.

Fair warning: it seems that Meraki have enabled SecureBoot on the MS120 series, and they're Marvell based so datasheets won't be forthcoming.

[halmartin]

Since the MS120 is based on a completely different platform (Marvell) and there is currently no known way to boot a custom u-boot/kernel on them, I'm going to close this issue for now.

MS120 series is not supported. Won't be supported unless a workaround to boot unsigned code is found.

[halmartin]

The SoC appears to be Marvell 98DX3236.

I think it's actually the 98DX3235 (see page 19). The 98DX3236 has 10G/SFP+ whereas the 98DX3235 has only 1G/SFP support.

[FCLC]

Any movement/news on this front? I've got an MS120LP that's about to expire, and can't justify a license for my homelab.

[halmartin]

No. It would appear that the Cisco ACT2/TAM implements a secure boot chain as described in this Microsemi whitepaper:

Short of an invasive hardware modification to bypass the FPGA, which I have not done and do not plan to undertake, I don't see how new Meraki hardware will ever run a third party firmware. If some FPGA whisperer finds a software vulnerability in the SmartFusion 2, I'm all ears, but this is not my specialty. As far as I know, all of Meraki's new designs incorporate a hardware root-of-trust and secure boot chain.

Therefore, I am focused on Meraki designs that do not have the ACT2 (like #23)

Moral of the story: current-gen Meraki hardware that is very locked to running their firmware, probably forever. Don't buy their products if you ever want to use it without paying them :wink:

[vov4ik-il]

I dumped the 32Mbit SPI flash on the board (U28), but it seems to be connected to the SmartFusion and binwalk didn't identify anything in the dump.

Hi, Would you share the dump pls? Did you strip otp?

[halmartin]

Hi, Would you share the dump pls? Did you strip otp?

Not publicly. You can contact me via email.

The dump contains, I believe:

• An encrypted FPGA bitstream (an alternate firmware image or used during a firmware update to the FPGA)
• DDR training blob (SPL) for the Marvell ASIC which implements signature verification for U-Boot which is loaded from NAND
• LDWM signatures used to verify the signed OS image

Unless Cisco have been ridiculously sloppy, there is nothing to be gained by manipulating the contents of this flash. More likely to succeed would be to physically disable/bypass the FPGA, however they probably considered this and there may be mitigations in place for tampering.