Hacking into QNAP QSW-1105-5T (2.5G Broadcom-based switch)

I have recently purchased the QNAP QSW-1105-5T switch which is advertised as an unmanaged 5x2.5G switch for home or small office use. I’m generally satisfied with the switch, but I’m desperately need VLANs to be able to segregate my home, guest and iot vlans that I already use with two openwrt tplink devices. I believe that the most of switches that are advertised as unmanaged are in fact manageable if proper UI is developed for them, so I started poking around to discover what’s inside.

Switch is based on BCM53161 SoC, more specifically the BCM53161XMB1. By checking the devices marketing material on Broadcom site, immediately you can see that the SoC is intended to be used with more capable, managed switches which gave me some hope. I found a datasheet for the unmanaged version, the BCM53161XU here: https://www.mouser.jp/datasheet/2/678/broadcom_limited_avgo-s-a0007199304-1-1683284.pdf

And details about ordering information here
https://docs.broadcom.com/doc/5316X-PB100

Internal photos of the QNAP switch can be seen on the following website:

I have opened my switch and found an unlabeled 4-pin header near the SoC populated with headers. Some poking around with a multimeter with an assumption that this was a serial port, I figured out the pinout, confirmed it was 3.3V, attached it to USB-to-serial converter, opened putty assuming 9600 baud rate and turned the device on…

WOW…

Buffered Logs:


Broadcom ROBO OS Bootloader Version 2.3

Bootloader: QSPI flash Model: winbond Size: 128 Mbit

DEVFS: Initializing..
DEVFS: Device /dev/ttyS0 registered
DEVFS: Device /dev/flash0 registered
Press any key to interrupt Auto Boot
Autoboot starting...
Bootloader: Loading image at 1
Bootloader: Image Version SW-UT2205_1.00-0.05
Watchdog timeout value is 1250000000 (4a817c80)


Copyright 2015-2017 Broadcom Limited
         All rights reserved

ChipId: BCM53161 RevId: 17
Version Regs:
Software: ROBO_OS_REL_1_4_2 Build: Tue Jan 19 00:16:59 2021
MPU enabled
Unit 0: ChipID: 53161 Rev 17
Unit 0: Straps: 00005041
Unit 0: PLL1 CH1 POSTDIV 10
LED Boot up -> 3s-6s
Unit 0: LED Start
Buffered Logs:


Watchdog Setup with timeout 1250000000 (4a817c80)
Reading Primary Avenger OTP...
Starting Dynamic AVS Using ROs on Primary Avenger...
Applying Saved Core Voltage:9536 with saved DAC Code: 604.
dwl......avs.c:AvsSetDac=604, cur_dac=604 delta=0
........avs.c:SetPVTctrl setting AVS_PVT_MNTR_CONFIG_PVT_MNTR_CTRL from 0x80 to 0x180
SetAvsVoltage - Final Result: 1
Core Voltage After applying saved AVS results on Primary Avenger: 9518
cbxi_slictcam_init()
QSPI FLASH MPU region re-sized to 16 MB
sal_fs_init_all:114 File system initialized
sal_fs_init_all:122 File system obtained from TOC
sal_fs_init_all:128 File system initialized
cbxi_lin_init()
cbxi_encap_init()
cbx_port_init()
Unit 0 Mac init Ports: 8 9 10 11 12 13 14 15
cbx_lag_init()
cbx_port_create()
Unit 0: PBMP_ALL(unit)=ff00
cbxi_trap_init()
cbxi_stg_init()
cbxi_vlan_init()
cbxi_l2_init()
cbxi_mcast_init()
cbx_mirror_init()
cbx_meter_init()
cbx_cosq_init()
cbx_stat_init()
cbx_cfp_init()
cbx_auth_init()
cbx_link_scan_init()
cbx_link_scan_enable_set()
cbx_pktio_init()
------->cbx_stg_stp_set 1, 67108872, 3, 1
------->cbx_stg_stp_set 1, 67108873, 3, 1
------->cbx_stg_stp_set 1, 67108874, 3, 1
------->cbx_stg_stp_set 1, 67108875, 3, 1
------->cbx_stg_stp_set 1, 67108876, 3, 1
------->cbx_stg_stp_set 1, 67108877, 3, 1
LWIP successfully initialized
LBD enabled
LED Normal
Broadcom Cli Starting....

BCMCLI> Setting ip address to 1.1.1.100
app_user_account_cfg_load:69 Failed to load USER config from 'cfg:/config.jsn'
app_user_account_cfg_load:72 Failed to load default USER config from '/json/config.jsn'
app_host_cfg_load:64 Failed to load HOST config from 'cfg:/config.jsn'
app_host_cfg_load:67 Failed to load default HOST config from '/json/config.jsn'
app_sntp_cfg_load:96 Failed to load SNTP config from 'cfg:/config.jsn'
Failed to load Loopback Detection config from 'cfg:/config.jsn'
app_lbd_cfg_load:65 Failed to load Loopback Detection config from 'cfg:/config.jsn'
Failed to load default Loopback Detection config from '/json/config.jsn'
app_lbd_cfg_load:69 Failed to load default Loopback Detection config from '/json/config.jsn'
Starting web server on port :80
uport = 0, fport=8, flow =0
uport = 1, fport=9, flow =0
uport = 2, fport=10, flow =0
uport = 3, fport=11, flow =0
uport = 4, fport=12, flow =0
uport = 5, fport=13, flow =0
uport = 10, tx pause =off
uport = 2, fport=10, flow =0
uport = 11, tx pause =off
uport = 3, fport=11, flow =0
uport = 13, tx pause =off
uport = 5, fport=13, flow =0
uport = 8, tx pause =off
uport = 0, fport=8, flow =0
uport = 9, tx pause =off
uport = 1, fport=9, flow =0
E_BI_CHK_INIT ... next 2
E_BI_CHK_LINK (0)... next 2
E_BI_CHK_LINK (0)... next 2
E_BI_CHK_LINK (0)... next 2
E_BI_CHK_LINK (0)... next 2
E_BI_CHK_LINK (0)... next 2
E_BI_CHK_LINK (0)... next 0
stop ip/arp traffic !

Quite a verbose bootlog, which I did not expect! Couple of things to note

• Seems like switch is indeed running the Robo OS
• Seems that bootloader can be interrupted (there is a press any key line…)
• Seems that the CPU is configured with the IP 1.1.1.100 and that a webserver is started on port 80, but
• It also seems that all IP/ARP traffic is stopped some time after boot

So I tried browsing the http://1.1.1.100 during boot, and indeed:

image912×465 16.9 KB

It also replies to pings during boot. I tried entering some passwords (blank, admin, device serial number…) but without success. Webserver stops responding 10-15 sec after boot, but serial CLI remains active.

BCMCLI>

BCMCLI> ?

BCMCLI> help

Unknown Command help

BCMCLI> ?

Unknown

BCMCLI> ping

Unknown Command ping

Obviously, my BCM shell skills are quite low

I tried interrupting the boot by pressing a key at the right moment and that causes the switch to jump to BCMCLI directly. It does not work as a switch at that moment, probably because startup config is not loaded. After reboot, everything goes back to normal (thankfully )

Any idea what can be done here? Of course, full openwrt remains a dream (there is 400 MHz ARM CPU inside connected using internal 1G ethernet port, however) but I would be more than satisfied if I could configure a few VLANs and leave it there.

QNAP moved to using the primary MAC address (upper case, without separators) as the default password for their NAS units.

Not sure if Robo OS would be configured to use the same, but it's worth a try.

https://ripcaster.co.uk/qnap_password_reset#:~:text=If%20the%20QNAP%20NAS%20is%20shown%20in%20QFinder,admin%20password%20for%20the%20QNAP%20NAS%20was%20admin

Otherwise, you might be better off posting on QNAP forums.

No, I've tried that as well, but forgot to mention...no luck. Tried vendor part only, also...

This all seems to be Broadcom software with very little touch from QNAP themselves. And I also believe there are far more proficient people here

The ARM CPU in there is a Cortex-M7, RoboOS is proprietary and based on a non-public fork of OpenRTOS.

I only looked briefly, but can't find mainline kernel sources for this SOC. There is probably also not enough RAM on the board to run a full Linux.

Yeah, you are probably right. I missed the M7 part...

Anyway I hope some other way of at least configuring VLANs could be found. If some BCMCLI commands are found to achieve that, it would be easy to add an ESP32 which could update the running config after every boot via serial

It seems that during boot some config files are attempted to be loaded. Maybe something could be added to a flash. There is a flash chip on the other side of the board, but I'm not brave enough to attach a soic clip to it...

16345683544311150×1055 276 KB

This came up during my research prior to purchasing a QSW-2104-2S and piqued my curiosity.

Broadcom has released the source code. And although on quick inspection I did not see a SHA256 implementation they hardcode a password as such:

5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8

Didn't spend enough time reading the code, just wanted to say that it's out there. happy hacking!

This string is literally a SHA256 hash of a string password

I refuse to believe it is that simple

I just bought a QSW-2104-2S-A (apparently the -A is a new rev?) Got the serial 'console' on it just like above.. similar logs, though both the bootloader and the 'shell' have working help. Can't do a whole lot with it, but can do a few things including look at the filesystem and cat the files on it... Sadly it cuts off IP/ARP before the network interfaces actually come up. Attached what info I got as well.. Note: I grabbed all the files from the web interface, and it can't actually DO anything other than show you the FW version (or upgrade the firmware version). I've attached what the interface looks like (no data because it's being used off the switch). The /JSON directory has a json config it uses.

Boot log:

BCM53158 SWITCH firmware Feb 22 2018
boot_src = M7. Initializing M7


Copyright 2015-2017 Broadcom Limited
         All rights reserved

Unit 0: ChipID: 53161 Rev 17
Unit 0: Straps: 00005041
Unit 0: PLL1 CH1 POSTDIV 13
LED Boot up -> 0s-3s
Unit 0: LED Refresh cycle config
Unit 0: LED Delay config
Unit 0: LED Strap load
Loading LED Firmware
.......
Unit 0: bootloader LED Start
Buffered Logs:
OTP_FLAGS = 0x8c


Broadcom ROBO OS Bootloader Version 2.4

Bootloader: QSPI flash Model: winbond Size: 128 Mbit

DEVFS: Initializing..
DEVFS: Device /dev/ttyS0 registered
DEVFS: Device /dev/flash0 registered
Press any key to interrupt Auto Boot
Autoboot starting...
Bootloader: Loading image at 1
Bootloader: Image Version SW-UT2206QG_1.00-0.07
Watchdog timeout value is 1250000000 (4a817c80)


Copyright 2015-2017 Broadcom Limited
         All rights reserved

ChipId: BCM53161 RevId: 17 
Version Regs: 
Software: ROBO_OS_REL_1_4_8 Build: Mon Nov 8 10:15:56 2021
MPU enabled
Unit 0: ChipID: 53161 Rev 17
Unit 0: Straps: 00005041
Unit 0: PLL1 CH1 POSTDIV 10
LED Boot up -> 3s-6s
Unit 0: LED Start
Buffered Logs:
OTP_FLAGS = 0x8c


Watchdog Setup with timeout 1250000000 (4a817c80)
Reading Primary Avenger OTP...
Starting Dynamic AVS Using ROs on Primary Avenger...
Applying Saved Core Voltage:9469 with saved DAC Code: 609.
dwl......avs.c:AvsSetDac=609, cur_dac=609 delta=0 
........avs.c:SetPVTctrl setting AVS_PVT_MNTR_CONFIG_PVT_MNTR_CTRL from 0x80 to 0x180 
SetAvsVoltage - Final Result: 1
Core Voltage After applying saved AVS results on Primary Avenger: 9462
cbxi_slictcam_init()
QSPI FLASH MPU region re-sized to 16 MB
sal_fs_init_all:114 File system initialized
sal_fs_init_all:122 File system obtained from TOC
sal_fs_init_all:128 File system initialized
cbxi_lin_init()
cbxi_encap_init()
cbx_port_init()
Unit 0 Mac init Ports: 8 9 10 11 12 13 14 15 
cbx_lag_init()
cbx_port_create()
Unit 0: PBMP_ALL(unit)=ff00
cbxi_trap_init()
cbxi_stg_init()
cbxi_vlan_init()
cbxi_l2_init()
cbxi_mcast_init()
cbx_mirror_init()
cbx_meter_init()
cbx_cosq_init()
cbx_stat_init()
cbx_cfp_init()
cbx_auth_init()
cbx_link_scan_init()
cbx_link_scan_enable_set()
cbx_pktio_init()
LWIP successfully initialized
LBD enabled 
QOS disabled 
port 8, pri=0, dp=0 
port 9, pri=1, dp=0 
port 10, pri=2, dp=0 
port 11, pri=3, dp=0 
port 12, pri=4, dp=0 
port 13, pri=5, dp=0 
extPhyIdentify: fport=8, phyaddr=1. id0=0x1c, id1=0xc848, type=3 ! 
rtlPhyInit: phyaddr=1 ! 
phyaddr=1, serdes = 0
extPhyIdentify: fport=9, phyaddr=2. id0=0x1c, id1=0xc848, type=3 ! 
rtlPhyInit: phyaddr=2 ! 
phyaddr=2, serdes = 0
extPhyIdentify: fport=10, phyaddr=3. id0=0x1c, id1=0xc848, type=3 ! 
rtlPhyInit: phyaddr=3 ! 
phyaddr=3, serdes = 0
extPhyIdentify: fport=11, phyaddr=4. id0=0x1c, id1=0xc848, type=3 ! 
rtlPhyInit: phyaddr=4 ! 
phyaddr=4, serdes = 0
extPhyIdentify: fport=12, phyaddr=5. id0=0xffff, id1=0xffff, type=0 ! 
extPhyIdentify: fport=13, phyaddr=6. id0=0xffff, id1=0xffff, type=0 ! 
LED Normal
Broadcom Cli Starting....

Configuration File Description: '1.4.8.0'
Setting IP address to : 1.1.1.100
Setting Network Mask to : 255.255.255.0
Setting Gateway IP to : 1.1.1.1
app_user_account_cfg_load:85 Failed to parse userCfg
app_host_cfg_load:64 Failed to load TRUSTHOST configuration
app_sntp_cfg_load:98 Failed to load SNTP configuration
Failed to load Loopback Detection config from 'cfg:/config.jsn'
Loaded default config for Loopback Detection from '/json/config.jsn'
cfg_json_get:426 Invalid parameters
Starting web server on port :80
uport = 0, fport=8, flow =0 
uport = 1, fport=9, flow =0 
uport = 2, fport=10, flow =0 
uport = 3, fport=11, flow =0 
uport = 4, fport=12, flow =0 
uport = 5, fport=13, flow =0 
stop ip/arp traffic ! =13, flow =0 

stop ip/arp traffic ! 

Shell Help:

BCMCLI> help
getparam   <name>
setparam   <name> <value>
ifconfig
ls         <dir_name>
rm         <file_name>
rmdir      <dir_name>
cat        <file_name>
format_cfg
heap_stats
lldp       print_mib
lldp       <all|port_num> <tx|rx> <on|off>
igmpsnoop  <enable|disable>
igmpsnoop  stats_get
igmpsnoop  stats_reset
stack_stats
pkt_trace  <tx|rx|all|off>
cb_counters <unit>
port_counters <port|cpu>
<port>
getreg <register>
setreg <register> <value>
hparegdump <unit>
lwipstats
port_status <unit>
rstp forceversion <stp|rstp>
rstp fwddelay <value>
rstp maxage <value>
rstp priority <value>
rstp admin <port> <enable|disable>
rstp edge <port> <enable|disable>
rstp ptpmac <port> <enable|disable>
rstp mcheck <port> <enable|disable>
rstp ppriority <port>dump_table <tid> <start> <num entries>
pkt_send <port> <vlan> <mgid> <tagged> <mode>
        Mode is Ucast(0x20000) Mcast(0x40000)
        Tagged = 0 for untagged packet
wdt test
fw_toggle
led_dump
led_set <offset> <val>
gpio_read
led_lb_sys <1/0>
dump_phy_driver
phyread <addr> <reg>
phywrite <addr> <reg> <ext> <value>
tscread <port> <reg>
tscwrite <port> <reg> <value>
phy_debug <0/1>
int_phy_sp <int> <int>
cut_thru <0/1>
egress_rate <fport> <kbps>
get_websession
get_system
fdb
speed_set <addr> <speed:10G or 5G or 2_5G or 1000F or 100F or 10G/5G/2_5G/1000F/100F>
speed_get
mac_agingtime_set <second>
mac_agingtime_get
fc_para_get <port>
fc_para_set <port> <int> <int> <int> <int> <int>
sfp_get <port>
loopback_mode <0/1>
reboot

Bootloader:

BCMCLI> help
config_get [<param>] (get all or given config)
config_set <param> <value> (set given config)
list (List all images)
getreg <register>
reboot (Reboot the system)
rz (receive a file via zmodem)
setreg <register> <value>
save (save boot config)

Bootloader list images:

BCMCLI> list
+-----------------------------------------------------------------+
| Image | Offset   | Len      |       Version                     |
+-----------------------------------------------------------------+
|  1    | 10060000 | 3092020 | SW-UT2206QG_1.00-0.07 |
|  2    | 103a0000 | 3092020 | SW-UT2206QG_1.00-0.07  |
+-----------------------------------------------------------------+

Bootloader config_get:

BCMCLI> config_get
stop_on_wdt = 0(0x0)
wdt_timeout = 100(0x64)
countdown = 1(0x1)
reboot_after_upload = 1(0x1)
boot_image = 1(0x1)

Root Dir:

BCMCLI> ls /
EDI_WEB/         2021-11-08 00:00:00     0000000000 bytes
JSON/    2021-11-08 00:00:00     0000000000 bytes
CERTS/   2021-11-08 00:00:00     0000000000 bytes

Web Interface:

Very interesting, I just came across this thread and repeated the above for my QSW-2104-2S and also dumped the contents of the flash chip. See here for current work in progress: https://github.com/danieltwagner/qsw-2104-2s

Good news, the QSW-2104-2S offers an API that you can make requests to and configure options like VLANs.It's likely that the QSW-2104-2T and the 1105-5T offer the same functionality. I've documented my current findings at my github above but TL;DR: running this just after the switch boots will create a new VLAN and add one trunked port and two untagged ports

curl 1.1.1.100/api/session/login -d '{"user":"admin", "pwd":"Qsw_Update"}' -v 2>&1 | grep Set-Cookie
< Set-Cookie: mgs=d1aeaad27e1dbff3;
curl 1.1.1.100/api/vlan/create -H "Cookie: mgs=d1aeaad27e1dbff3" -d '{"vlan":2}'
curl 1.1.1.100/api/vlan/set -H "Cookie: mgs=d1aeaad27e1dbff3" -d '{"vlan":1, "membership":[{"intf":0,"mbr":0},{"intf":1,"mbr":0},{"intf":2,"mbr":1},{"intf":3,"mbr":1},{"intf":4,"mbr":1},{"intf":5,"mbr":1}]}'
curl 1.1.1.100/api/vlan/set -H "Cookie: mgs=d1aeaad27e1dbff3" -d '{"vlan":2, "membership":[{"intf":0,"mbr":1},{"intf":1,"mbr":1},{"intf":2,"mbr":0},{"intf":3,"mbr":0},{"intf":4,"mbr":0},{"intf":5,"mbr":2}]}'

The config is temporary unless explicitly persisted:

curl 1.1.1.100/api/cfg/save -H "Cookie: mgs=d1aeaad27e1dbff3"

One more update: I've created a modified firmware for the -2S that keeps the web interface active indefinitely. It's on my github. In principle the same should be possible for other Robo2-based switches, though I don't have access to any.

Thanks a million! I can confirm that the API works on my 1105-5T as well. At least I succeded in getting some information from the switch and creating an empty VLAN. I haven't tried it with actual traffic.

Indeed, as per SoC datasheet, even this switch appears to have 6 ports internally: 4x2.5G, 1x10G with speed set to 2.5G and one 10G which is not exposed.

curl 1.1.1.100/api/port/get -H "Cookie: mgs=287a7122d950c935"
{"portData":[{"port":0,"descr":"","lag":0,"admin":1,"link":1,"capabAutoneg":1,"autoneg":1,"speed":1000,"speedCfg":2500,"capabHdx":1,"fdx":1,"fdxCfg":1,"flow":0,"pvid":1},{"port":1,"descr":"","lag":0,"admin":1,"link":1,"capabAutoneg":1,"autoneg":1,"speed":1000,"speedCfg":2500,"capabHdx":1,"fdx":1,"fdxCfg":1,"flow":0,"pvid":1},{"port":2,"descr":"","lag":0,"admin":1,"link":1,"capabAutoneg":1,"autoneg":1,"speed":1000,"speedCfg":2500,"capabHdx":1,"fdx":1,"fdxCfg":1,"flow":0,"pvid":1},{"port":3,"descr":"","lag":0,"admin":1,"link":1,"capabAutoneg":1,"autoneg":1,"speed":1000,"speedCfg":2500,"capabHdx":1,"fdx":1,"fdxCfg":1,"flow":0,"pvid":1},{"port":4,"descr":"","lag":0,"admin":1,"link":0,"capabAutoneg":0,"autoneg":0,"speed":2500,"speedCfg":10000,"capabHdx":1,"fdx":1,"fdxCfg":1,"flow":0,"pvid":1},{"port":5,"descr":"","lag":0,"admin":1,"link":0,"capabAutoneg":0,"autoneg":0,"speed":2500,"speedCfg":10000,"capabHdx":1,"fdx":1,"fdxCfg":1,"flow":0,"pvid":1}],"portCount":6,"portFirst":0,"lagFirst":16,"status":0}

curl 1.1.1.100/api/port/list/get -H "Cookie: mgs=287a7122d950c935"
{"portList":[0,1,2,3,4,5],"portCount":6,"portFirst":0,"status":0}

Glad to hear it's working for you! These switches seem to be quite capable, though I haven't tried most options yet. Certainly makes them a good deal if they can become managed via the API

Did you try enabling auto-negotiation on the 10G port and seeing what happens? Is it physically capable of faster than 2.5G?

I don't think so. All 5 ports are internally wired to Intel/MaxLinear SLN8A which is a 2.5G PHY chip.

Hi,

Nice job !
Do you know if RSTP can be configured with API ?

In firmware there are some elements :

 "rstpCfg":{
            "bridge":{
               "maxAge":20,
               "fwdDelay":15,
               "priority":32768,
               "forceVer":2,
               "txHoldCount":6
            },
            "intfCfg":[
               {
                  "id":0,
                  "stpEnabled":0,
                  "pathCost":200000,
                  "priority":128,
                  "adminEdge":0,
                  "autoEdge":1,
                  "mChk":0,
                  "p2pMac":1
               }

Is there any way to change 1.1.1.100 IP address ?

In API "/api/system/params/set" there's an option to use SSL, did you try to use it ?

Thanks

Interesting, I have so far not found a way to configure RSTP. Maybe you can download, modify, and then upload the configuration to achieve that? See the /api/cfg/upload endpoint.

SSL works fine; it uses a self-signed cert that I believe is fixed and responses become a bit slower, but that's to be expected.

You can change the IP address temporarily using the /api/system/params/set endpoint by supplying ipv4, subnet, and gw together, as I've documented on my github. However, it appears those won't stick. The /api/system/params/get endpoint does return ipv4Cfg, subnetCfg, and gwCfg in addition to the previous ones, but I've found that I can't set them through the API. I did also try adding them to the config.jsn file (they're not normally in there) and it will still validate, but then will not have any effect upon reboot.

It's worth trying this on your end as you may be running different software. It's also entirely possible that I missed something.

You inspired me to dig a bit more about those IPs and I found that the dhcp setting does stick in between reboots and and if I'm reading this correctly then the ipv4, subnet, gw config is used only as a fallback in case no dhcp offer is received. I didn't try the second part, as I just added a static dhcp lease for the switch, which works well enough in my environment.

RSTP does seem to be a bit of a dead end, as I found other strings in there reference to compiling with CONFIG_RSTP=1 so it's possible this firmware was compiled without support and what we're seeing is some inactive leftovers.

Thanks !
I don't have any hardware for now so I can't help.

I'm just trying to find a switch at good price with 10GB SFP+ and 2.5GB ports. That's why I wanted to know if we could change IP address, etc.

QSW-2104-2S seems nice but if we can't use RSTP I'll have a problem because it will be meshed with 2 other switches.

As you're using DHCP, can you tell me if we can put the switch in a specific tagged VLAN for the admin interface ? I don't want to use 1.1.1.100. .

I wanted to monitor with SNMP but an API could be possible with Zabbix.

Is it possible for you to share the content of a config file (cfg/save without sensitive information of course) to see ?

The best choice for me would be to get a Trendnet TEG-3102WS but I'm unable to find one in Europe

I don't see an option to put the admin interface on a specific VLAN. I do think using the /api/port/set endpoint you could disable it listening on some physical interfaces, but I found that I could reach the admin interface on ports that were marked as e.g. VLAN 2 untagged + PVID 2, which is the extent of my testing.

The default config file looks like this: https://gist.github.com/danieltwagner/76da93fc5a8dd3b3a3fbd65600d78c36

As for other switches you might consider the QSW-M2108 series, though I don't know if they support the features you're looking for. See also https://www.reddit.com/r/homelab/comments/p4czkr/exploring_hidden_features_of_qnap_qswm21082s/

Sorry to bump an old post, did anyone figure out how to interrupt the bootloader?

I can see the serial console output, but nothing seems to work.