Add support to Unifi Switch - BCM53343

Here is the binwalk of the OEM current firmware. My "defective" unit is not running this same version. It's running a very old one, actually. This switch has failed on me about 2 years ago and I just recently found the time to see if it's still salvageable.

cesarvog@ubuntu:~/Unifi$ binwalk -e US.bcm5334x_5.43.34+12682.210318.0402.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Ubiquiti firmware header, header size: 264 bytes, ~CRC32: 0xA43D534C, version: "US.bcm5334x.v5.43.34+12682.210318.0402"
268           0x10C           Ubiquiti partition header, header size: 56 bytes, name: "PARTu-boot", base address: 0x1C000000, data size: 443926 bytes
281552        0x44BD0         CRC32 polynomial table, little endian
325488        0x4F770         gzip compressed data, maximum compression, from Unix, last modified: 2013-04-09 21:31:53
433824        0x69EA0         CRC32 polynomial table, little endian
444258        0x6C762         Ubiquiti partition header, header size: 56 bytes, name: "PARTkernel0", base address: 0x1C0E0000, data size: 15117696 bytes
444314        0x6C79A         uImage header, header size: 64 bytes, header CRC: 0x933AD13D, created: 2021-03-18 04:10:43, image size: 15117632 bytes, Data Address: 0x18000, Entry Point: 0x18000, data CRC: 0x36C962F9, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Ubiquiti 5.43.34.12682"
1559231       0x17CABF        Certificate in DER format (x509 v3), header length: 4, sequence length: 1284
1559351       0x17CB37        Certificate in DER format (x509 v3), header length: 4, sequence length: 1288
2433319       0x252127        Certificate in DER format (x509 v3), header length: 4, sequence length: 1292
2433323       0x25212B        Certificate in DER format (x509 v3), header length: 4, sequence length: 1316
2433327       0x25212F        Certificate in DER format (x509 v3), header length: 4, sequence length: 1320
2979916       0x2D784C        Linux kernel version 3.6.5
3451044       0x34A8A4        Unix path: /sys/bcm/mem
3451086       0x34A8CE        Unix path: /sys/bcm/mem
3451134       0x34A8FE        Unix path: /sys/bcm/mem
3516802       0x35A982        xz compressed data
3574391       0x368A77        Neighborly text, "NeighborSolicitsgrams"
3574408       0x368A88        Neighborly text, "NeighborAdvertisements"
3576758       0x3693B6        Neighborly text, "neighbor %.2x%.2x.%pM lostename link %s to %s"
3956394       0x3C5EAA        LZMA compressed data, properties: 0x6D, dictionary size: 1048576 bytes, uncompressed size: -1 bytes
15441370      0xEB9DDA        CRC32 polynomial table, little endian
15486258      0xEC4D32        Intel x86 or x64 microcode, sig 0x18012fff, pf_mask 0x00, 2000-18-01, size 2048
15496605      0xEC759D        LZMA compressed data, properties: 0xC0, dictionary size: 0 bytes, uncompressed size: 32 bytes
15562018      0xED7522        Signed Ubiquiti end header, RSA 2048 bit, header size: 264 bytes
1 Like
Please press Enter to activate this console. 
UBNT login: ubnt
Password: 


BusyBox v1.23.2 (2019-01-16 18:00:28 MST) built-in shell (ash)


  ___ ___      .__________.__
 |   |   |____ |__\_  ____/__|
 |   |   /    \|  ||  __) |  |   (c) 2010-2019
 |   |  |   |  \  ||  \   |  |   Ubiquiti Networks, Inc.
 |______|___|  /__||__/   |__|
            |_/                  https://www.ui.com/

      Welcome to UniFi USW-16P-150!

UBNT-US.v4.0.18# cat /proc/iproc-pse/enable
1 (0=off, 1=on)

Problem is, how to change it from 1 to 0, since the damn thing keeps rebooting and reading it's config back from the flash storage?

Just finished configuring my OpenWrt build environment. Currently awaiting make to finish. While I do not expect my first attempt to even boot, it's certainly a first step moving forward...

1 Like

one of the advantages of having a bootable initramfs... even with no networking... is you can get direct access to on-device flash / hardware without having to rip the board apart...

another thing you may wish to try... is in the normalOS... addingto/setting the uboot bootargs

init=/bin/bash #or /bin/sh or /bin/ash etc. etc.

this may get you a small shell so you can poke around a little... i.e.;

strings /sbin/init
strings $(cat /proc/mtd | grep EEPROM | cut -d' ' -f1)

Yeah, I'm yet to investigate more from the bootable initramfs shared by @clayface above.

https://community.ui.com/questions/ES-8-150W-uboot-recovery-options/aa3e58b5-18cc-4bf8-bd42-7ec1f16ce2cf

I used the information above to find out how to backup the flash storage directly by using a FlashcatUSB and a Pomona Clip. The last post got me thinking wether it would be possible to flash just a portion of the firmware. I have not investigated more, because my initial intent was only getting a backup of the current "defective" situation, and trying to restore the backup from a working switch, as already discussed above. But, may be a path moving forward....

Gee, this thing takes forever...

Yeah, my first attempt failed miserably with code 1:

    ERROR: target/linux failed to build.
make -r world: build failed. Please re-run make with -j1 V=s or V=sc for a higher verbosity level to see what's going on
make: *** [/home/cesarvog/openwrt/include/toplevel.mk:230: world] Error 1

Tried re-running with -J1 V=s and got so overwhelmed by the amount of scrolling text that decided to take a deep breath and get back to it sometime in the future. Not being a developer, I found most of the scrolling text totally gibberish.

On a side note, I found out that the D-LINK DGS1210 rev C1 carries VERY similar hardware as the US-8-150 and it's bigger siblings:

https://openwrt.org/toh/d-link/dgs-1210?s[]=bcm56150

Wikidevi seems to corroborate this information:

https://wikidevi.wi-cat.ru/D-Link_DGS-1210-24_rev_A1

I seem to remember that the same product is already supported by OpenWrt, albeit only for Revisions F1 and G1...

Found the link:
https://forum.openwrt.org/t/support-for-rtl838x-based-managed-switches/57875

and
https://gitlab.com/bkoblitz/openwrt-rtl838x

Wondering if experienced developers would be able to take the .config from the DGS-1210 switch from the links above and somehow add support to BCM-Iproc... For now its WAY above my pay grade...

Tks for your input on this. I recently found out that the DLink DGS-1210-ME-B1-Series uses the same SOC. I was even able to download the GPL files of the above mentioned series, but it's way over my head. I cannot make much sense of its content because I lack the necessary knowledge to fully undestand what I see.
In case anyone is interested, here is the link: https://tsd.dlink.com.tw
From there, select DGS on the left dropdown and 1210/ME on the right dropdown. On the next page, scroll to the end to obtain the GPL Source Code of each particular model and firmware version.

Even though the OpenWrt initramfs file you provided earlier did boot in my US-16-150, as you predicted, it did not go much further as ethernet was not operational. Since my switch is "defective", I do not know if it's problems go beyond PoE, including the ethernet ports, or the image was lacking support for it. If you are still interested in taking your ES-8-150 into working condition with OpenWrt, maybe the above post will be of interest to you.
Best regards.

I have an US8-150W here with which we could test.

Can you sum up, what to do? And provide the image to test?

The US-8-150 does not have a console port, like it's bigger brothers. You will have to open your unit and find the serial connection. You may also need to solder pins to the connector, as the pins may be missing altogether. Once you have serial connection operational, boot your unit, and look for the u-boot prompt to press any key to interrupt loading the OEM kernel. From there, you will need to transfer the file provided by @clayface (on post #44 above) to the memory of your US-8-150. Once it's transferred, type 'bootm 0x1000000' (without the single quotes). if it does not boot, then try bootm 0x1008000, as I really don't quite remember the correct memory load address. The correct load address is shown many times above, you will need to read the posts after #44 to get the correct address.

That should be no problem. Do you have a picture with the GPIO Header configuration (TX / RX / GND / 3,3V)?

Sorry I do not

Just for reference, I started a new thread for the Unifi switch us-8-60w (OpenWrt Support for Unifi switch 8 (us-8-60w)). The us-8-60w is using a different SOC and has no SPF ports.
Did anybody here got any further ?

Hello @cesarvog,

I finally found the time to look into this.

This is about: US8-150W

There are pins on the header. Connections works with

sudo screen /dev/ttyUSB0 115200,cs8

Unfortunately I can't type anything. Maybe the RX is not correctly wired on the board.

Never mind, we didn't connect the cable correctly.


(Picture is WTFPL in case someone needs it)

Here a full bootlog:

U-Boot usw-v1.1.4.115-g14af1ee6 (Feb 14 2017 - 18:50:54)

DEV ID= 0000db56
SKU ID = 0x8Validate Shmoo parameters stored in flash ..... OK
Press Ctrl-C to run Shmoo ..... RAM:  256 MiB                                                                                                                                                             0 
Verifying 'kernel0' parition:OK
## Booting kernel from Legacy Image at 01000000 ...
   Image: console=ttyS0,115200 mem=128M@0x0 mem=128M@0x68000000 mtdpartux on physical CPU 0
[    0.000000] Linux version 3.6.5 (builde   0.000000] BUG: mapping for 0x18000000 at 0xf0000000 out of vmalloc space
[    0.000000] BUG: mapping for 0x10:768k(u-boot),64k(u-boot-env),64k(shmoo),15360k(kernel0),15424kntries: 512 (order: -1, 2048 bytes)
[    0.000000] Dentry cacheghmem
[    0.000000] Virtual kernel memory layout:
[    0.0000896 kB)
[    0.000000]     vmalloc : 0xc8800000 - 0xf0000000   0e41880   (11215 kB)
[    0.000000]       .data : 0xc0e42000 - 0xc0e6ad40   ( 164 kB)
[    0.000000]        .b000000] NR_IRQS:292
[    0.000000] sched_clock: 32 bits at 100 ting up static identity map for 0x282350 - 0x2823a8
[    0.0500 SMP: Total of 1 processors activated (795.44 BogoMIPS).
[    00000] UART clock rate 50000000
[    0.080000] bio: create slab .080000] Bluetooth: HCI device and connection manager initialized protocol family 2
[    0.090000] TCP established hash table ed 4096)
[    0.090000] TCP: reno registered
[    0.090000] UDP0000] GPIOA:intr_ioaddr f0000000 dmu_ioaddr   (n620000] reg[0xac]=0x10, reg[0xae]=0x42, reg[0xb0]=0x8000, reg[0xeg[0xd2]=0x8, reg[0xdc]=0x2, PCIE0 link=0
[   14.970000] PCIe pllip Lougher
[   14.990000] jffs2: version 2.2. (NAND) © 2001-erial8250.0: ttyS0 at MMIO 0x18000400 (irq = 1230000] serial8250.0: ttyS1 at MMIO 0x18000300 (irq = 123) is a 16[   15.500000] brd: module loaded
[   15.520000] loop: module loaded
[   15.530000] nbd: register[   15.550000] tun: Universal TUN/TAP device driver, 1.6
[   15 15.590000] sit: IPv6 over IPv4 tunneling driver
[   15.600000]00] Bluetooth: RFCOMM TTY layer initialized
[   15.610000] Blue[   15.640000] GENPLL[5] mdiv=40 rate=2000000000
[   15.640000]address
[   15.650000] m25p80 spi1.0: found mx25l25635e, expect000] 0x0000000d0000-0x0000000e0000 : "shmoo"
[   15.690000] 0x000000] 0x000000fe0000-0x000001ef0000 : "kernel1"
[   15.710000][   15.890000] Data abort at addr=0xc8a10224, fsr=0x1406 ignored.
Validating the backup image /dev/mtd4..."4.0.54.10625"
DMA pool size: 4194304
150_A0
ait ...

Applying Interface configuration, please wait ...
[   55.200000] device eth0 entered promiscuous mode

Unfortunately I can't type anything. Any suggestions?

Best,
Matthias

/edit: @cesarvog, how did you exactly manipulate the image to make it boot? We managed to copy it into the router, but it freezes after the go command.

We used this file (Add support to Unifi Switch - BCM53343 - #44 by clayface) and tried all go and bootm commands we found here. No success.

I'm sorry, but I think your kit uses a totally different SOC than the USW-8-PoE my investigation was about, so, if I'm right, the BCMxxxxx image won't ever work on your kit.
If memory serves me well, I seem to have read somewhere around this very forum that the newer gen. Ubiquiti switches are built around Realtek SOCs. I may be wrong and your particular model may indeed be based on the same SOC as mine (USW-8-PoE), but this is the best guess I can come out with now.
Regarding the input not working, your edit seem to indicate that you somehow was able to fix that, if so, for the benefit of the community, do you mind posting here which particular set of keys were used to stop the boot process?

The typing issue was just a miss-connected TX pin.

The boot process can be stopped with Escape. Have the serial connection running before plugging in power. It's like instant.

How did you compile that?

Edit:
Ah I see, lzma compression is not working.

Can someone explain me how to get a bootable image from the original firmware? I need more information than just this:

The Flash is divided in two, an Active and Backup image. The STK files are standard u-boot packed images and can be decompressed, splitted and sent to u-boot via Xmodem, no flashing necessary. With a little bash-fu, and some tools like binwalk you can split them from the flash header and use u-boot's Transfer file via serial, and then boot to the memory address where the file was uploaded. You can also dump the flash via serial port if you're a bit involved.
https://community.ui.com/questions/ES-8-150W-uboot-recovery-options/aa3e58b5-18cc-4bf8-bd42-7ec1f16ce2cf#answer/7e21961b-8888-44d3-b9da-c8d441270e3c

binwalk -e ESWH.v1.9.3.5434938.stk 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
116           0x74            uImage header, header size: 64 bytes, header CRC: 0xCF06E05F, created: 2021-09-01 07:32:36, image size: 14996095 bytes, Data Address: 0x8000, Entry Point: 0x8000, data CRC: 0xFBB4B667, OS: Linux, CPU: ARM, image type: Multi-File Image, compression type: lzma, image name: "System for iproc_wolf"
200           0xC8            LZMA compressed data, properties: 0x5D, dictionary size: 67108864 bytes, uncompressed size: -1 bytes
1181380       0x1206C4        LZMA compressed data, properties: 0x5D, dictionary size: 67108864 bytes, uncompressed size: -1 bytes
2135552       0x209600        Executable script, shebang: "/bin/sh"
2136028       0x2097DC        gzip compressed data, from Unix, last modified: 2021-09-01 07:32:35

WARNING: Extractor.execute failed to run external extractor 'unstuff '%e'': [Errno 2] No such file or directory: 'unstuff', 'unstuff '%e'' might not be installed correctly
8410598       0x8055E6        StuffIt Deluxe Segment (data): fP

Thing with .stk files is that there is additional header before the actual uImage. So far I haven't been able to find any sensible information on them, aside from sources of other switches using the Broadcom FastPath platform, which seem to be very, very similar. This applies to HP 1820-24G series (J9979A), or Netgear S3300-28X - for the latter, GPL code is available here: https://www.downloads.netgear.com/files/GPL/Smart_M4300_S3300_GPL_V6.6.4.7.zip
In the topic - has someone here tried contacting HPE for GPL sources?