I have recently purchased the QNAP QSW-1105-5T switch which is advertised as an unmanaged 5x2.5G switch for home or small office use. I’m generally satisfied with the switch, but I’m desperately need VLANs to be able to segregate my home, guest and iot vlans that I already use with two openwrt tplink devices. I believe that the most of switches that are advertised as unmanaged are in fact manageable if proper UI is developed for them, so I started poking around to discover what’s inside.
Switch is based on BCM53161 SoC, more specifically the BCM53161XMB1. By checking the devices marketing material on Broadcom site, immediately you can see that the SoC is intended to be used with more capable, managed switches which gave me some hope. I found a datasheet for the unmanaged version, the BCM53161XU here: https://www.mouser.jp/datasheet/2/678/broadcom_limited_avgo-s-a0007199304-1-1683284.pdf
And details about ordering information here
Internal photos of the QNAP switch can be seen on the following website:
I have opened my switch and found an unlabeled 4-pin header near the SoC populated with headers. Some poking around with a multimeter with an assumption that this was a serial port, I figured out the pinout, confirmed it was 3.3V, attached it to USB-to-serial converter, opened putty assuming 9600 baud rate and turned the device on…
Buffered Logs: Broadcom ROBO OS Bootloader Version 2.3 Bootloader: QSPI flash Model: winbond Size: 128 Mbit DEVFS: Initializing.. DEVFS: Device /dev/ttyS0 registered DEVFS: Device /dev/flash0 registered Press any key to interrupt Auto Boot Autoboot starting... Bootloader: Loading image at 1 Bootloader: Image Version SW-UT2205_1.00-0.05 Watchdog timeout value is 1250000000 (4a817c80) Copyright 2015-2017 Broadcom Limited All rights reserved ChipId: BCM53161 RevId: 17 Version Regs: Software: ROBO_OS_REL_1_4_2 Build: Tue Jan 19 00:16:59 2021 MPU enabled Unit 0: ChipID: 53161 Rev 17 Unit 0: Straps: 00005041 Unit 0: PLL1 CH1 POSTDIV 10 LED Boot up -> 3s-6s Unit 0: LED Start Buffered Logs: Watchdog Setup with timeout 1250000000 (4a817c80) Reading Primary Avenger OTP... Starting Dynamic AVS Using ROs on Primary Avenger... Applying Saved Core Voltage:9536 with saved DAC Code: 604. dwl......avs.c:AvsSetDac=604, cur_dac=604 delta=0 ........avs.c:SetPVTctrl setting AVS_PVT_MNTR_CONFIG_PVT_MNTR_CTRL from 0x80 to 0x180 SetAvsVoltage - Final Result: 1 Core Voltage After applying saved AVS results on Primary Avenger: 9518 cbxi_slictcam_init() QSPI FLASH MPU region re-sized to 16 MB sal_fs_init_all:114 File system initialized sal_fs_init_all:122 File system obtained from TOC sal_fs_init_all:128 File system initialized cbxi_lin_init() cbxi_encap_init() cbx_port_init() Unit 0 Mac init Ports: 8 9 10 11 12 13 14 15 cbx_lag_init() cbx_port_create() Unit 0: PBMP_ALL(unit)=ff00 cbxi_trap_init() cbxi_stg_init() cbxi_vlan_init() cbxi_l2_init() cbxi_mcast_init() cbx_mirror_init() cbx_meter_init() cbx_cosq_init() cbx_stat_init() cbx_cfp_init() cbx_auth_init() cbx_link_scan_init() cbx_link_scan_enable_set() cbx_pktio_init() ------->cbx_stg_stp_set 1, 67108872, 3, 1 ------->cbx_stg_stp_set 1, 67108873, 3, 1 ------->cbx_stg_stp_set 1, 67108874, 3, 1 ------->cbx_stg_stp_set 1, 67108875, 3, 1 ------->cbx_stg_stp_set 1, 67108876, 3, 1 ------->cbx_stg_stp_set 1, 67108877, 3, 1 LWIP successfully initialized LBD enabled LED Normal Broadcom Cli Starting.... BCMCLI> Setting ip address to 126.96.36.199 app_user_account_cfg_load:69 Failed to load USER config from 'cfg:/config.jsn' app_user_account_cfg_load:72 Failed to load default USER config from '/json/config.jsn' app_host_cfg_load:64 Failed to load HOST config from 'cfg:/config.jsn' app_host_cfg_load:67 Failed to load default HOST config from '/json/config.jsn' app_sntp_cfg_load:96 Failed to load SNTP config from 'cfg:/config.jsn' Failed to load Loopback Detection config from 'cfg:/config.jsn' app_lbd_cfg_load:65 Failed to load Loopback Detection config from 'cfg:/config.jsn' Failed to load default Loopback Detection config from '/json/config.jsn' app_lbd_cfg_load:69 Failed to load default Loopback Detection config from '/json/config.jsn' Starting web server on port :80 uport = 0, fport=8, flow =0 uport = 1, fport=9, flow =0 uport = 2, fport=10, flow =0 uport = 3, fport=11, flow =0 uport = 4, fport=12, flow =0 uport = 5, fport=13, flow =0 uport = 10, tx pause =off uport = 2, fport=10, flow =0 uport = 11, tx pause =off uport = 3, fport=11, flow =0 uport = 13, tx pause =off uport = 5, fport=13, flow =0 uport = 8, tx pause =off uport = 0, fport=8, flow =0 uport = 9, tx pause =off uport = 1, fport=9, flow =0 E_BI_CHK_INIT ... next 2 E_BI_CHK_LINK (0)... next 2 E_BI_CHK_LINK (0)... next 2 E_BI_CHK_LINK (0)... next 2 E_BI_CHK_LINK (0)... next 2 E_BI_CHK_LINK (0)... next 2 E_BI_CHK_LINK (0)... next 0 stop ip/arp traffic !
Quite a verbose bootlog, which I did not expect! Couple of things to note
- Seems like switch is indeed running the Robo OS
- Seems that bootloader can be interrupted (there is a press any key line…)
- Seems that the CPU is configured with the IP 188.8.131.52 and that a webserver is started on port 80, but
- It also seems that all IP/ARP traffic is stopped some time after boot
So I tried browsing the
http://184.108.40.206 during boot, and indeed:
It also replies to pings during boot. I tried entering some passwords (blank, admin, device serial number…) but without success. Webserver stops responding 10-15 sec after boot, but serial CLI remains active.
BCMCLI> BCMCLI> ? BCMCLI> help Unknown Command help BCMCLI> ? Unknown BCMCLI> ping Unknown Command ping
Obviously, my BCM shell skills are quite low
I tried interrupting the boot by pressing a key at the right moment and that causes the switch to jump to BCMCLI directly. It does not work as a switch at that moment, probably because startup config is not loaded. After reboot, everything goes back to normal (thankfully )
Any idea what can be done here? Of course, full openwrt remains a dream (there is 400 MHz ARM CPU inside connected using internal 1G ethernet port, however) but I would be more than satisfied if I could configure a few VLANs and leave it there.