Hacking into QNAP QSW-1105-5T (2.5G Broadcom-based switch)

I recently purchased the QNAP QSW-1105-5T switch, which is advertised as an unmanaged 5x2.5G switch for home or small office use. I’m generally satisfied with the switch, but I desperately need VLANs to be able to segregate my home, guest and IoT VLANs that I already use with two OpenWrt TP-Link devices. I believe that most switches that are advertised as unmanaged are in fact manageable if a proper UI is developed for them, so I started poking around to discover what’s inside.

The switch is based on the BCM53161 SoC, more specifically the BCM53161XMB1. Checking the device's marketing material on Broadcom's site, you can immediately see that the SoC is intended to be used with more capable, managed switches, which gave me some hope. I found a datasheet for the unmanaged version, the BCM53161XU, here: https://www.mouser.jp/datasheet/2/678/broadcom_limited_avgo-s-a0007199304-1-1683284.pdf

And details about ordering information are here:
https://docs.broadcom.com/doc/5316X-PB100

Internal photos of the QNAP switch can be seen on the following website:

I opened my switch and found an unlabeled 4-pin header near the SoC, populated with headers. After some poking around with a multimeter, on the assumption that this was a serial port, I figured out the pinout, confirmed it was 3.3V, attached it to a USB-to-serial converter, opened PuTTY assuming a 9600 baud rate and turned the device on…

WOW…

Buffered Logs:


Broadcom ROBO OS Bootloader Version 2.3

Bootloader: QSPI flash Model: winbond Size: 128 Mbit

DEVFS: Initializing..
DEVFS: Device /dev/ttyS0 registered
DEVFS: Device /dev/flash0 registered
Press any key to interrupt Auto Boot
Autoboot starting...
Bootloader: Loading image at 1
Bootloader: Image Version SW-UT2205_1.00-0.05
Watchdog timeout value is 1250000000 (4a817c80)


Copyright 2015-2017 Broadcom Limited
         All rights reserved

ChipId: BCM53161 RevId: 17
Version Regs:
Software: ROBO_OS_REL_1_4_2 Build: Tue Jan 19 00:16:59 2021
MPU enabled
Unit 0: ChipID: 53161 Rev 17
Unit 0: Straps: 00005041
Unit 0: PLL1 CH1 POSTDIV 10
LED Boot up -> 3s-6s
Unit 0: LED Start
Buffered Logs:


Watchdog Setup with timeout 1250000000 (4a817c80)
Reading Primary Avenger OTP...
Starting Dynamic AVS Using ROs on Primary Avenger...
Applying Saved Core Voltage:9536 with saved DAC Code: 604.
dwl......avs.c:AvsSetDac=604, cur_dac=604 delta=0
........avs.c:SetPVTctrl setting AVS_PVT_MNTR_CONFIG_PVT_MNTR_CTRL from 0x80 to 0x180
SetAvsVoltage - Final Result: 1
Core Voltage After applying saved AVS results on Primary Avenger: 9518
cbxi_slictcam_init()
QSPI FLASH MPU region re-sized to 16 MB
sal_fs_init_all:114 File system initialized
sal_fs_init_all:122 File system obtained from TOC
sal_fs_init_all:128 File system initialized
cbxi_lin_init()
cbxi_encap_init()
cbx_port_init()
Unit 0 Mac init Ports: 8 9 10 11 12 13 14 15
cbx_lag_init()
cbx_port_create()
Unit 0: PBMP_ALL(unit)=ff00
cbxi_trap_init()
cbxi_stg_init()
cbxi_vlan_init()
cbxi_l2_init()
cbxi_mcast_init()
cbx_mirror_init()
cbx_meter_init()
cbx_cosq_init()
cbx_stat_init()
cbx_cfp_init()
cbx_auth_init()
cbx_link_scan_init()
cbx_link_scan_enable_set()
cbx_pktio_init()
------->cbx_stg_stp_set 1, 67108872, 3, 1
------->cbx_stg_stp_set 1, 67108873, 3, 1
------->cbx_stg_stp_set 1, 67108874, 3, 1
------->cbx_stg_stp_set 1, 67108875, 3, 1
------->cbx_stg_stp_set 1, 67108876, 3, 1
------->cbx_stg_stp_set 1, 67108877, 3, 1
LWIP successfully initialized
LBD enabled
LED Normal
Broadcom Cli Starting....

BCMCLI> Setting ip address to 1.1.1.100
app_user_account_cfg_load:69 Failed to load USER config from 'cfg:/config.jsn'
app_user_account_cfg_load:72 Failed to load default USER config from '/json/config.jsn'
app_host_cfg_load:64 Failed to load HOST config from 'cfg:/config.jsn'
app_host_cfg_load:67 Failed to load default HOST config from '/json/config.jsn'
app_sntp_cfg_load:96 Failed to load SNTP config from 'cfg:/config.jsn'
Failed to load Loopback Detection config from 'cfg:/config.jsn'
app_lbd_cfg_load:65 Failed to load Loopback Detection config from 'cfg:/config.jsn'
Failed to load default Loopback Detection config from '/json/config.jsn'
app_lbd_cfg_load:69 Failed to load default Loopback Detection config from '/json/config.jsn'
Starting web server on port :80
uport = 0, fport=8, flow =0
uport = 1, fport=9, flow =0
uport = 2, fport=10, flow =0
uport = 3, fport=11, flow =0
uport = 4, fport=12, flow =0
uport = 5, fport=13, flow =0
uport = 10, tx pause =off
uport = 2, fport=10, flow =0
uport = 11, tx pause =off
uport = 3, fport=11, flow =0
uport = 13, tx pause =off
uport = 5, fport=13, flow =0
uport = 8, tx pause =off
uport = 0, fport=8, flow =0
uport = 9, tx pause =off
uport = 1, fport=9, flow =0
E_BI_CHK_INIT ... next 2
E_BI_CHK_LINK (0)... next 2
E_BI_CHK_LINK (0)... next 2
E_BI_CHK_LINK (0)... next 2
E_BI_CHK_LINK (0)... next 2
E_BI_CHK_LINK (0)... next 2
E_BI_CHK_LINK (0)... next 0
stop ip/arp traffic !

Quite a verbose boot log, which I did not expect! A couple of things to note:

  • It seems the switch is indeed running Robo OS
  • It seems that the bootloader can be interrupted (there is a "press any key" line…)
  • It seems that the CPU is configured with the IP 1.1.1.100 and that a web server is started on port 80, but
  • It also seems that all IP/ARP traffic is stopped some time after boot

So I tried browsing to http://1.1.1.100 during boot, and indeed:

It also replies to pings during boot. I tried entering some passwords (blank, admin, device serial number…) but without success. The web server stops responding 10-15 sec after boot, but the serial CLI remains active.

BCMCLI>

BCMCLI> ?

BCMCLI> help

Unknown Command help

BCMCLI> ?

Unknown

BCMCLI> ping

Unknown Command ping

Obviously, my BCM shell skills are quite low :)

I tried interrupting the boot by pressing a key at the right moment, and that causes the switch to jump to BCMCLI directly. It does not work as a switch at that moment, probably because the startup config is not loaded. After a reboot, everything goes back to normal (thankfully :) )

Any idea what can be done here? Of course, full OpenWrt remains a dream (there is a 400 MHz ARM CPU inside, connected using an internal 1G Ethernet port, however), but I would be more than satisfied if I could configure a few VLANs and leave it there.

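The notes drawn from the boot log in the post above (interruptible autoboot, serial CLI, fixed management IP, web server, missing config files) can be pulled out of a console capture mechanically. The following Python sketch is an added example, not part of the original post and not QNAP or Broadcom code; the field names and the `triage` function are assumptions of this example, and the sample lines are copied from the log quoted above.

```python
import re

# Excerpt of the boot log quoted in the post above.
SAMPLE_LOG = """\
Press any key to interrupt Auto Boot
Bootloader: Image Version SW-UT2205_1.00-0.05
Software: ROBO_OS_REL_1_4_2 Build: Tue Jan 19 00:16:59 2021
Broadcom Cli Starting....
BCMCLI> Setting ip address to 1.1.1.100
app_user_account_cfg_load:69 Failed to load USER config from 'cfg:/config.jsn'
app_user_account_cfg_load:72 Failed to load default USER config from '/json/config.jsn'
app_host_cfg_load:64 Failed to load HOST config from 'cfg:/config.jsn'
Starting web server on port :80
stop ip/arp traffic !
"""

# (field, pattern, multi): single-value fields keep the first match,
# multi-value fields collect every distinct match in log order.
RULES = [
    ("image", r"Image Version (\S+)", False),
    ("os_release", r"Software: (\S+) Build: (.+)$", False),
    ("mgmt_ip", r"Setting ip address to (\d+\.\d+\.\d+\.\d+)", False),
    ("web_port", r"Starting web server on port :(\d+)", False),
    ("missing_cfg", r"Failed to load (?:default )?(.+?) config from '([^']+)'", True),
]
FLAGS = {
    "autoboot_interruptible": "Press any key to interrupt Auto Boot",
    "serial_cli": "Broadcom Cli Starting",
    "ip_traffic_stopped": "stop ip/arp traffic",
}

def triage(log_text):
    """Return a dict of management-plane facts found in a ROBO OS boot log."""
    report = {name: ([] if multi else None) for name, _, multi in RULES}
    report.update({flag: False for flag in FLAGS})
    for line in log_text.splitlines():
        for flag, marker in FLAGS.items():
            if marker in line:
                report[flag] = True
        for name, pattern, multi in RULES:
            m = re.search(pattern, line)
            if not m:
                continue
            value = m.group(1) if m.re.groups == 1 else m.groups()
            if multi and value not in report[name]:
                report[name].append(value)
            elif not multi and report[name] is None:
                report[name] = value
    return report
```

Run against a full capture, `triage()` gives a quick inventory of what an "unmanaged" device exposes on its console and network at boot, which is useful when comparing firmware versions or units.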

QNAP moved to using the primary MAC address (upper case, without separators) as the default password for their NAS units.

Not sure if Robo OS would be configured to use the same, but it's worth a try.

https://ripcaster.co.uk/qnap_password_reset#:~:text=If%20the%20QNAP%20NAS%20is%20shown%20in%20QFinder,admin%20password%20for%20the%20QNAP%20NAS%20was%20admin

Otherwise, you might be better off posting on QNAP forums.

No, I've tried that as well, but forgot to mention...no luck. Tried vendor part only, also...

This all seems to be Broadcom software with very little touch from QNAP themselves. And I also believe there are far more proficient people here :)

The ARM CPU in there is a Cortex-M7; RoboOS is proprietary and based on a non-public fork of OpenRTOS.

I only looked briefly, but can't find mainline kernel sources for this SoC. There is probably also not enough RAM on the board to run a full Linux.

Yeah, you are probably right. I missed the M7 part...

Anyway, I hope some other way of at least configuring VLANs can be found. If some BCMCLI commands are found to achieve that, it would be easy to add an ESP32 which could update the running config after every boot via serial.

It seems that during boot some config files are attempted to be loaded. Maybe something could be added to the flash. There is a flash chip on the other side of the board, but I'm not brave enough to attach a SOIC clip to it...