Meraki Z3 Support

I have found that the Meraki Z3 has very similar hardware to the MR33 and MR74. It has the same NAND flash and RAM. It has two radios from the IPQ4029 CPU and a QCA8075 LAN controller. I have tried putting the MR33 uboot and MR33 UBI on it and it fails to boot. I'll post the stock serial output and the after-flash output below.

Stock Output

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1.1-00096
S - IMAGE_VARIANT_STRING=DAACANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x00000025
S - Core 0 Frequency, 0 MHz
B -       261 - PBL, Start
B -      1339 - bootable_media_detect_entry, Start
B -      2611 - bootable_media_detect_success, Start
B -      2625 - elf_loader_entry, Start
B -      7341 - auth_hash_seg_entry, Start
B -   1380976 - auth_hash_seg_exit, Start
B -   1448589 - elf_segs_hash_verify_entry, Start
B -   1569878 - PBL, End
B -   1569902 - SBL1, Start
B -   1658615 - pm_device_init, Start
D -         6 - pm_device_init, Delta
B -   1660132 - boot_flash_init, Start
D -     87428 - boot_flash_init, Delta
B -   1751601 - boot_config_data_table_init, Start
D -     13994 - boot_config_data_table_init, Delta - (419 Bytes)
B -   1768292 - clock_init, Start
D -      7578 - clock_init, Delta
B -   1779268 - CDT version:2,Platform ID:8,Major ID:1,Minor ID:0,Subtype:1
B -   1782756 - sbl1_ddr_set_params, Start
B -   1787740 - cpr_init, Start
D -         2 - cpr_init, Delta
B -   1792230 - Pre_DDR_clock_init, Start
D -         5 - Pre_DDR_clock_init, Delta
D -     13141 - sbl1_ddr_set_params, Delta
B -   1805508 - pm_driver_init, Start
D -         2 - pm_driver_init, Delta
B -   1876517 - sbl1_wait_for_ddr_training, Start
D -        27 - sbl1_wait_for_ddr_training, Delta
B -   1894031 - Image Load, Start
D -   1311000 - QSEE Image Loaded, Delta - (268504 Bytes)
B -   3205530 - Image Load, Start
D -      2118 - SEC Image Loaded, Delta - (2048 Bytes)
B -   3215613 - Image Load, Start
D -   1322127 - APPSBL Image Loaded, Delta - (308968 Bytes)
B -   4538166 - QSEE Execution, Start
D -        56 - QSEE Execution, Delta
B -   4544344 - SBL1, End
D -   2976523 - SBL1, Delta
S - Flash Throughput, 1983 KB/s  (579939 Bytes,  292356 us)
S - DDR Frequency, 672 MHz


U-Boot 2017.07-RELEASE-ge148443fbd (Jun 06 2019 - 15:23:18 -0700)

DRAM:  242 MiB
machid : 0x8010001
Product: meraki_Fuzzy_Cricket
NAND:  ONFI device found
ID = 1d80f101
Vendor = 1
Device = f1
128 MiB
Using default environment

In:    serial
Out:   serial
Err:   serial
machid: 8010001
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=0", size 112 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 896, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 6, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 430/135, WL threshold: 4096, image sequence number: 1218587189
ubi0: available PEBs: 119, total reserved PEBs: 777, PEBs reserved for bad PEB handling: 20


Secure boot enabled.

Read 0 bytes from volume part.safe to 84000000
No size specified -> Using max size (25628672)
Valid image
## Loading kernel from FIT Image at 84000028 ...
   Using 'config@1' configuration
   Trying 'kernel@1' kernel subimage
     Description:  wired-arm-qca Kernel
     Type:         Kernel Image
     Compression:  uncompressed
     Data Start:   0x84000138
     Data Size:    2410736 Bytes = 2.3 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x80208000
     Entry Point:  0x80208000
     Hash algo:    sha1
     Hash value:   1fc1ce81c9d71bd8dba945d19def480832bf785c
   Verifying Hash Integrity ... sha1+ OK
## Loading ramdisk from FIT Image at 84000028 ...
   Using 'config@1' configuration
   Trying 'ramdisk@1' ramdisk subimage
     Description:  wired-arm-qca Ramdisk
     Type:         RAMDisk Image
     Compression:  uncompressed
     Data Start:   0x8424cb1c
     Data Size:    23104340 Bytes = 22 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x82200000
     Entry Point:  unavailable
     Hash algo:    sha1
     Hash value:   19da05d6e5603a09ba59daf688a487babed57feb
   Verifying Hash Integrity ... sha1+ OK
   Loading ramdisk from 0x8424cb1c to 0x82200000
## Loading fdt from FIT Image at 84000028 ...
   Using 'config@1' configuration
   Trying 'fdt@1' fdt subimage
     Description:  Fuzzy Cricket Device Tree
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x85855754
     Data Size:    24451 Bytes = 23.9 KiB
     Architecture: ARM
     Hash algo:    sha1
     Hash value:   47f1f7c7078bcea22b7525a692957f4903f523ef
   Verifying Hash Integrity ... sha1+ OK
   Loading fdt from 0x85855754 to 0x89000000
   Booting using the fdt blob at 0x89000000
   Loading Kernel Image ... OK
   Using Device Tree in place at 89000000, end 89008f82
Using machid 0x8010001 from environment

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Initializing cgroup subsys cpuacct
[    0.000000] Linux version 4.4.177-meraki (oe-user@oe-host) (gcc version 7.3.0 (GCC) ) #1 SMP PREEMPT Fri Feb 25 23:05:50 UTC 2022
[    0.000000] CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c5387d
[    0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
[    0.000000] Machine model: Meraki Fuzzy Cricket
[    0.000000] Memory policy: Data cache writealloc
[    0.000000] PERCPU: Embedded 11 pages/cpu @dfa38000 s14668 r8192 d22196 u45056
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 126850
[    0.000000] Kernel command line: loader=u-boot maxcpus=1 console=ttyMSM0,115200n8 ubi.mtd=ubi clk_ignore_unused maxcpus=1
[    0.000000] PID hash table entries: 2048 (order: 1, 8192 bytes)
[    0.000000] Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
[    0.000000] Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
[    0.000000] Memory: 476156K/512000K available (4680K kernel code, 268K rwdata, 1580K rodata, 216K init, 240K bss, 35844K reserved, 0K cma-reserved, 0K highmem)
[    0.000000] Virtual kernel memory layout:
[    0.000000]     vector  : 0xffff0000 - 0xffff1000   (   4 kB)
[    0.000000]     fixmap  : 0xffc00000 - 0xfff00000   (3072 kB)
[    0.000000]     vmalloc : 0xe0000000 - 0xff800000   ( 504 MB)
[    0.000000]     lowmem  : 0xc0000000 - 0xdff00000   ( 511 MB)
[    0.000000]     pkmap   : 0xbfe00000 - 0xc0000000   (   2 MB)
[    0.000000]     modules : 0xbf000000 - 0xbfe00000   (  14 MB)
[    0.000000]       .text : 0xc0008000 - 0xc0625414   (6262 kB)
[    0.000000]       .init : 0xc0626000 - 0xc065c000   ( 216 kB)
[    0.000000]       .data : 0xc065c000 - 0xc069f048   ( 269 kB)
[    0.000000]        .bss : 0xc06a2000 - 0xc06de154   ( 241 kB)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[    0.000000] Preemptible hierarchical RCU implementation.
[    0.000000] 	Build-time adjustment of leaf fanout to 32.
[    0.000000] NR_IRQS:16 nr_irqs:16 16
[    0.000000] Architected cp15 timer(s) running at 48.00MHz (virt).
[    0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0xb11fd3bfb, max_idle_ns: 440795203732 ns
[    0.000009] sched_clock: 56 bits at 48MHz, resolution 20ns, wraps every 4398046511096ns
[    0.000024] Switching to timer-based delay loop, resolution 20ns
[    0.000223] Calibrating delay loop (skipped), value calculated using timer frequency.. 96.00 BogoMIPS (lpj=480000)
[    0.000243] pid_max: default: 32768 minimum: 301
[    0.000388] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.000403] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.001233] Initializing cgroup subsys io
[    0.001262] Initializing cgroup subsys memory
[    0.001299] Initializing cgroup subsys devices
[    0.001315] Initializing cgroup subsys freezer
[    0.001341] Initializing cgroup subsys pids
[    0.001371] CPU: Testing write buffer coherency: ok
[    0.001745] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
[    0.001835] Setting up static identity map for 0x800082c0 - 0x80008318
[    0.060184] Brought up 1 CPUs
[    0.060204] SMP: Total of 1 processors activated (96.00 BogoMIPS).
[    0.060213] CPU: All CPU(s) started in SVC mode.
[    0.060728] devtmpfs: initialized
[    0.070278] VFP support v0.3: implementor 41 architecture 2 part 30 variant 7 rev 5
[    0.070853] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.070891] futex hash table entries: 1024 (order: 4, 65536 bytes)
[    0.080437] pinctrl core: initialized pinctrl subsystem
[    0.081673] NET: Registered protocol family 16
[    0.083301] DMA: preallocated 2048 KiB pool for atomic coherent allocations
[    0.110397] cpuidle: using governor ladder
[    0.130307] cpuidle: using governor menu
[    0.154034] pstore: Registered ramoops as persistent store backend
[    0.154056] ramoops: attached 0x100000@0x8ff00000, ecc: 0/0
[    0.154098] No ATAGs?
[    0.154129] hw-breakpoint: Debug register access (0xee003e17) caused undefined instruction on CPU 0
[    0.154140] hw-breakpoint: CPU 0 failed to disable vector catch
[    0.157438] IPC logging disabled
[    0.157451] IPC logging disabled
[    0.157458] IPC logging disabled
[    0.157464] IPC logging disabled
[    0.157470] IPC logging disabled
[    0.157993] sps:sps is ready.
[    0.231884] usbcore: registered new interface driver usbfs
[    0.231983] usbcore: registered new interface driver hub
[    0.232700] usbcore: registered new device driver usb
[    0.235851] Bluetooth: Core ver 2.21
[    0.236050] NET: Registered protocol family 31
[    0.236063] Bluetooth: HCI device and connection manager initialized
[    0.236086] Bluetooth: HCI socket layer initialized
[    0.236100] Bluetooth: L2CAP socket layer initialized
[    0.237885] clocksource: Switched to clocksource arch_sys_counter
[    0.241724] NET: Registered protocol family 2
[    0.242858] TCP established hash table entries: 4096 (order: 2, 16384 bytes)
[    0.242931] TCP bind hash table entries: 4096 (order: 3, 32768 bytes)
[    0.243020] TCP: Hash tables configured (established 4096 bind 4096)
[    0.243093] UDP hash table entries: 256 (order: 1, 8192 bytes)
[    0.243128] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[    0.243393] NET: Registered protocol family 1
[    0.244325] Unpacking initramfs...
[   15.051802] Freeing initrd memory: 22564K
[   15.367517] io scheduler noop registered
[   15.367546] io scheduler deadline registered (default)
[   15.369656] 40000000.pci supply vdda not found, using dummy regulator
[   15.369739] 40000000.pci supply vdda_phy not found, using dummy regulator
[   15.369821] 40000000.pci supply vdda_refclk not found, using dummy regulator
[   15.370159] PCI host bridge /soc/pci@40000000 ranges:
[   15.370195]    IO 0x40200000..0x402fffff -> 0x40200000
[   15.370216]   MEM 0x40300000..0x40ffffff -> 0x40300000
[   16.436316] qcom-pcie 40000000.pci: phy link never came up
[   16.473990] qcom-pcie 40000000.pci: hostinit failed
[   16.474005] qcom-pcie 40000000.pci: cannot initialize host
[   16.474248] qcom-pcie: probe of 40000000.pci failed with error -110
[   16.516971] tcsr 1953000.ess_tcsr: setting ess interface select = 0
[   16.517076] tcsr 1949000.tcsr: setting wifi_glb_cfg = 41000000
[   16.517139] tcsr 1957000.tcsr: setting wifi_noc_memtype_m0_m2 = 2222222
[   16.590601] msm_serial 78af000.serial: msm_serial: detected port #0
[   16.590658] msm_serial 78af000.serial: uartclk = 1843200
[   16.590720] 78af000.serial: ttyMSM0 at MMIO 0x78af000 (irq = 26, base_baud = 115200) is a MSM
[   16.590762] msm_serial: console setup on port #0
[   17.198924] console [ttyMSM0] enabled
[   17.204324] msm_serial 78b0000.serial: msm_serial: detected port #1
[   17.211811] msm_serial 78b0000.serial: uartclk = 1843200
[   17.213248] 78b0000.serial: ttyMSM1 at MMIO 0x78b0000 (irq = 27, base_baud = 115200) is a MSM
[   17.219720] msm_serial: driver initialized
[   17.236340] Trying to register dev faulty etc
[   17.327875] loop: module loaded
[   17.357082] nand: device found, Manufacturer ID: 0x01, Chip ID: 0xf1
[   17.357119] nand: AMD/Spansion S34ML01G2
[   17.362504] nand: 128 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
[   17.368015] 12 ofpart partitions found on MTD device qcom_nand.0
[   17.373793] Creating 12 MTD partitions on "qcom_nand.0":
[   17.380051] 0x000000000000-0x000000100000 : "sbl1"
[   17.398306] 0x000000100000-0x000000200000 : "mibib"
[   17.427800] 0x000000200000-0x000000300000 : "bootconfig"
[   17.450634] 0x000000300000-0x000000400000 : "qsee"
[   17.481894] 0x000000400000-0x000000500000 : "qsee_alt"
[   17.516019] 0x000000500000-0x000000580000 : "cdt"
[   17.555780] 0x000000580000-0x000000600000 : "cdt_alt"
[   17.595710] 0x000000600000-0x000000680000 : "ddrparams"
[   17.627752] 0x000000700000-0x000000900000 : "u-boot"
[   17.661761] 0x000000900000-0x000000b00000 : "u-boot-backup"
[   17.707219] 0x000000b00000-0x000000b80000 : "ART"
[   17.747987] 0x000000c00000-0x000007c00000 : "ubi"
[   18.029951] ipq40xx-mdio 90000.mdio: Could not find phy-reset-gpio
[   18.030139] libphy: ipq40xx_mdio: probed
[   18.077069] ipq40xx-mdio 90000.mdio: ipq40xx-mdio driver was registered
[   18.077229] tun: Universal TUN/TAP device driver, 1.6
[   18.082492] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
[   18.117176] PPP generic driver version 2.4.2
[   18.117643] PPP BSD Compression module registered
[   18.120524] PPP Deflate Compression module registered
[   18.125133] NET: Registered protocol family 24
[   18.151621] usbcore: registered new interface driver cdc_ether
[   18.151824] usbcore: registered new interface driver cdc_eem
[   18.170455] usbcore: registered new interface driver net1080
[   18.170746] usbcore: registered new interface driver plusb
[   18.184682] usbcore: registered new interface driver cdc_subset
[   18.184961] usbcore: registered new interface driver zaurus
[   18.194328] usbcore: registered new interface driver sierra_net
[   18.195179] usbcore: registered new interface driver cdc_ncm
[   18.210629] usbcore: registered new interface driver qmi_wwan
[   18.210835] usbcore: registered new interface driver cdc_mbim
[   18.758530] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[   18.758587] ehci-pci: EHCI PCI platform driver
[   18.786950] ehci-platform: EHCI generic platform driver
[   18.787456] ehci-msm: Qualcomm On-Chip EHCI Host Controller
[   18.796780] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[   18.796848] ohci-platform: OHCI generic platform driver
[   18.811883] uhci_hcd: USB Universal Host Controller Interface driver
[   18.812835] xhci-hcd xhci-hcd.0.auto: xHCI Host Controller
[   18.827059] xhci-hcd xhci-hcd.0.auto: new USB bus registered, assigned bus number 1
[   18.827362] xhci-hcd xhci-hcd.0.auto: hcc params 0x0228f665 hci version 0x100 quirks 0x00010010
[   18.833592] xhci-hcd xhci-hcd.0.auto: irq 229, io mem 0x08a00000
[   18.847457] usb usb1: New USB device found, idVendor=1d6b, idProduct=0002
[   18.848461] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[   18.855144] usb usb1: Product: xHCI Host Controller
[   18.862347] usb usb1: Manufacturer: Linux 4.4.177-meraki xhci-hcd
[   18.867094] usb usb1: SerialNumber: xhci-hcd.0.auto
[   18.874398] hub 1-0:1.0: USB hub found
[   18.883903] hub 1-0:1.0: 1 port detected
[   18.884458] xhci-hcd xhci-hcd.0.auto: xHCI Host Controller
[   18.887441] xhci-hcd xhci-hcd.0.auto: new USB bus registered, assigned bus number 2
[   18.896755] usb usb2: We don't know the algorithms for LPM for this host, disabling LPM.
[   18.900434] usb usb2: New USB device found, idVendor=1d6b, idProduct=0003
[   18.908230] usb usb2: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[   18.914766] usb usb2: Product: xHCI Host Controller
[   18.921950] usb usb2: Manufacturer: Linux 4.4.177-meraki xhci-hcd
[   18.926708] usb usb2: SerialNumber: xhci-hcd.0.auto
[   18.934010] hub 2-0:1.0: USB hub found
[   18.943460] hub 2-0:1.0: 1 port detected
[   18.944171] xhci-hcd xhci-hcd.1.auto: xHCI Host Controller
[   18.947022] xhci-hcd xhci-hcd.1.auto: new USB bus registered, assigned bus number 3
[   18.952035] xhci-hcd xhci-hcd.1.auto: hcc params 0x0220f665 hci version 0x100 quirks 0x00010010
[   18.964104] xhci-hcd xhci-hcd.1.auto: irq 230, io mem 0x06000000
[   18.968442] usb usb3: New USB device found, idVendor=1d6b, idProduct=0002
[   18.974236] usb usb3: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[   18.981148] usb usb3: Product: xHCI Host Controller
[   18.988097] usb usb3: Manufacturer: Linux 4.4.177-meraki xhci-hcd
[   18.992808] usb usb3: SerialNumber: xhci-hcd.1.auto
[   19.000237] hub 3-0:1.0: USB hub found
[   19.009505] hub 3-0:1.0: 1 port detected
[   19.010134] xhci-hcd xhci-hcd.1.auto: xHCI Host Controller
[   19.013048] xhci-hcd xhci-hcd.1.auto: new USB bus registered, assigned bus number 4
[   19.022637] usb usb4: We don't know the algorithms for LPM for this host, disabling LPM.
[   19.025535] usb usb4: New USB device found, idVendor=1d6b, idProduct=0003
[   19.033829] usb usb4: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[   19.040660] usb usb4: Product: xHCI Host Controller
[   19.047584] usb usb4: Manufacturer: Linux 4.4.177-meraki xhci-hcd
[   19.052262] usb usb4: SerialNumber: xhci-hcd.1.auto
[   19.059698] hub 4-0:1.0: USB hub found
[   19.069263] hub 4-0:1.0: config failed, hub doesn't have any ports! (err -19)
[   19.070140] usbcore: registered new interface driver cdc_acm
[   19.075382] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
[   19.090790] usbcore: registered new interface driver cdc_wdm
[   19.091186] usbcore: registered new interface driver usbserial
[   19.114403] usbcore: registered new interface driver usbserial_generic
[   19.114673] usbserial: USB Serial support registered for generic
[   19.124770] usbcore: registered new interface driver cp210x
[   19.126141] usbserial: USB Serial support registered for cp210x
[   19.140896] usbcore: registered new interface driver ftdi_sio
[   19.141082] usbserial: USB Serial support registered for FTDI USB Serial Device
[   19.160032] usbcore: registered new interface driver ipw
[   19.160280] usbserial: USB Serial support registered for IPWireless converter
[   19.173927] usbcore: registered new interface driver option
[   19.174177] usbserial: USB Serial support registered for GSM modem (1-port)
[   19.183547] usbcore: registered new interface driver qcaux
[   19.185404] usbserial: USB Serial support registered for qcaux
[   19.200457] usbcore: registered new interface driver qcserial
[   19.200636] usbserial: USB Serial support registered for Qualcomm USB modem
[   19.219342] usbcore: registered new interface driver sierra
[   19.219583] usbserial: USB Serial support registered for Sierra USB modem
[   19.223775] usbip_core: usbip_core_init:754: USB/IP Core v1.0.0
[   19.235518] usbcore: registered new device driver usbip-host
[   19.236417] usbip_host: usbip_host_init:388: USB/IP Host Driver v1.0.0
[   19.247607] i2c /dev entries driver
[   19.255064] at24 0-0050: 8192 byte 24c64 EEPROM, writable, 32 bytes/write
[   19.281110] Bluetooth: HCI UART driver ver 2.3
[   19.281143] Bluetooth: HCI UART protocol H4 registered
[   19.379968] lp5562 1-0030: internal clock used
[   19.384903] usbcore: registered new interface driver usbhid
[   19.384933] usbhid: USB HID core driver
[   19.422343] 
[   19.422343] Version Rollback Feature Disabled
[   19.422906] qcom_scm_sec_auth_available is not supported
[   19.437797] meraki-config soc:board-data: Meraki config device loaded
[   19.461649] Initializing XFRM netlink socket
[   19.476737] NET: Registered protocol family 10
[   19.507295] NET: Registered protocol family 17
[   19.507354] NET: Registered protocol family 15
[   19.510742] l2tp_core: L2TP core driver, V2.0
[   19.515084] l2tp_ppp: PPPoL2TP kernel driver, V2.0
[   19.519602] 8021q: 802.1Q VLAN Support v1.8
[   19.524334] Registering SWP/SWPB emulation handler
[   19.547183] qcom_wdt b017000.watchdog: boot reason:0
[   19.548461] ubi0: attaching mtd11
[   19.931175] random: nonblocking pool is initialized
[   20.175265] ubi0: scanning is finished
[   20.213672] ubi0: attached mtd11 (name "ubi", size 112 MiB)
[   20.213705] ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[   20.233982] ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[   20.234018] ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
[   20.306715] ubi0: good PEBs: 896, bad PEBs: 0, corrupted PEBs: 0
[   20.306753] ubi0: user volume: 6, internal volumes: 1, max. volumes count: 128
[   20.311799] ubi0: max/mean erase counter: 430/135, WL threshold: 4096, image sequence number: 1218587189
[   20.380350] ubi0: available PEBs: 119, total reserved PEBs: 777, PEBs reserved for bad PEB handling: 20
[   20.380414] ubi0: background thread "ubi_bgt0d" started, PID 699
[   20.554423] input: soc:gpio_keys as /devices/platform/soc/soc:gpio_keys/input/input0
[   20.617228] SD0 VccQ: disabling
[   20.617268] clk: Not disabling unused clocks
[   20.619321] devtmpfs: mounted
[   20.624482] Freeing unused kernel memory: 216K
[   20.992720] Made it into bootsh: Feb 25 2022 23:16:42
[   20.992856] bootsh build wired-16-202202250026-G7f216daf-rel-influence
[   21.009717] mknod_from_sysfs_entry: error creating /dev/mtdchar/ART(90:34
): File exists
[   21.017035] mknod_from_sysfs_entry: error creating /dev/mtdblock/ART(31:17
): File exists
[   21.031004] UBIFS (ubi0:1): background thread "ubifs_bgt0_1" started, PID 798
[   21.066322] UBIFS (ubi0:1): recovery needed
[   21.147937] UBIFS (ubi0:1): recovery completed
[   21.148157] UBIFS (ubi0:1): UBIFS: mounted UBI device 0, volume 1, name "storage"
[   21.151389] UBIFS (ubi0:1): LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[   21.158934] UBIFS (ubi0:1): FS size: 15618048 bytes (14 MiB, 123 LEBs), journal size 1015809 bytes (0 MiB, 6 LEBs)
[   21.168766] UBIFS (ubi0:1): reserved for root: 737678 bytes (720 KiB)
[   21.178997] UBIFS (ubi0:1): media format: w4/r0 (latest is w4/r0), UUID D4FDEFF5-51BC-467D-A135-5FCCAA27B7A6, small LPT model

After uboot and ubi flash

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1.1-00096
S - IMAGE_VARIANT_STRING=DAACANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x00000025
S - Core 0 Frequency, 0 MHz
B -       261 - PBL, Start
B -      1339 - bootable_media_detect_entry, Start
B -      2611 - bootable_media_detect_success, Start
B -      2626 - elf_loader_entry, Start
B -      7341 - auth_hash_seg_entry, Start
B -   1380976 - auth_hash_seg_exit, Start
B -   1448588 - elf_segs_hash_verify_entry, Start
B -   1569846 - PBL, End
B -   1569870 - SBL1, Start
B -   1658594 - pm_device_init, Start
D -         6 - pm_device_init, Delta
B -   1660111 - boot_flash_init, Start
D -     87428 - boot_flash_init, Delta
B -   1751582 - boot_config_data_table_init, Start
D -     13986 - boot_config_data_table_init, Delta - (419 Bytes)
B -   1768264 - clock_init, Start
D -      7575 - clock_init, Delta
B -   1779238 - CDT version:2,Platform ID:8,Major ID:1,Minor ID:0,Subtype:1
B -   1782727 - sbl1_ddr_set_params, Start
B -   1787713 - cpr_init, Start
D -         2 - cpr_init, Delta
B -   1792203 - Pre_DDR_clock_init, Start
D -         5 - Pre_DDR_clock_init, Delta
D -     13143 - sbl1_ddr_set_params, Delta
B -   1805482 - pm_driver_init, Start
D -         2 - pm_driver_init, Delta
B -   1876734 - sbl1_wait_for_ddr_training, Start
D -        27 - sbl1_wait_for_ddr_training, Delta
B -   1894359 - Image Load, Start
D -   1311926 - QSEE Image Loaded, Delta - (268504 Bytes)
B -   3206785 - Image Load, Start
D -      2121 - SEC Image Loaded, Delta - (2048 Bytes)
B -   3216876 - Image Load, Start
B -   3222208 - Boot error ocuured!. Error code: 302e
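
The two SBL1 logs above differ only at the very end, so a small parser for the `Log Type - Time(microsec) - Message` format can name the stage at which the boot chain stopped. This is an added example, not part of the original post; the function names are hypothetical, the log excerpts are copied from the two logs above, and it assumes the failed boot would load images in the same order as the stock boot.

```python
import re

# Excerpts copied from the "Stock Output" and "After uboot and ubi flash" logs above.
STOCK_LOG = """\
B -   1894031 - Image Load, Start
D -   1311000 - QSEE Image Loaded, Delta - (268504 Bytes)
B -   3205530 - Image Load, Start
D -      2118 - SEC Image Loaded, Delta - (2048 Bytes)
B -   3215613 - Image Load, Start
D -   1322127 - APPSBL Image Loaded, Delta - (308968 Bytes)
B -   4538166 - QSEE Execution, Start
"""
FAILED_LOG = """\
B -   1894359 - Image Load, Start
D -   1311926 - QSEE Image Loaded, Delta - (268504 Bytes)
B -   3206785 - Image Load, Start
D -      2121 - SEC Image Loaded, Delta - (2048 Bytes)
B -   3216876 - Image Load, Start
B -   3222208 - Boot error ocuured!. Error code: 302e
"""

RECORD = re.compile(r"^([BD]) -\s+(\d+) - (.*)$")   # B = since boot, D = delta
LOADED = re.compile(r"^(\w+) Image Loaded, Delta")
ERROR = re.compile(r"Error code: ([0-9a-fA-F]+)")


def parse(log):
    """Yield (log_type, microseconds, message) for every B and D record."""
    for line in log.splitlines():
        m = RECORD.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3)


def image_loads(log):
    """Return (completed image names, start time of an unfinished load, error).

    The second item is None when every 'Image Load, Start' was followed by an
    'Image Loaded' record; the third is (timestamp, code) or None.
    """
    completed, pending, error = [], None, None
    for kind, t, msg in parse(log):
        if kind == "B" and msg.startswith("Image Load, Start"):
            pending = t
        elif kind == "D" and (m := LOADED.match(msg)):
            completed.append(m.group(1))
            pending = None
        elif (m := ERROR.search(msg)):
            error = (t, m.group(1))
            break
    return completed, pending, error


def failing_stage(reference_log, failed_log):
    """Name the image that was being loaded when the boot error was logged.

    The name is taken from the reference (stock) load order, which is an
    assumption: the failed log itself never names the image it rejected.
    """
    ref_order, _, _ = image_loads(reference_log)
    done, pending, error = image_loads(failed_log)
    if error is None:
        return None
    stage = None
    if (pending is not None and len(done) < len(ref_order)
            and done == ref_order[:len(done)]):
        stage = ref_order[len(done)]
    return {
        "error_code": error[1],
        "stage": stage,
        "loaded_ok": done,
        "us_into_load": error[0] - pending if pending is not None else None,
    }


if __name__ == "__main__":
    print(failing_stage(STOCK_LOG, FAILED_LOG))
```

On these excerpts the QSEE and SEC images load as on stock, and the error is logged 5332 microseconds into the load that produces "APPSBL Image Loaded" on the stock unit.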

That's game over for this device. Having secure boot enabled means no third-party firmware support.

Do we not have a way to overwrite the keys or disable the Secure Boot?

I wish it were that easy, if you could just flip a switch and it goes away. :grin: But then if it were, then it wouldn't be called Secure Boot now would it? :wink:

Maybe we can get a leaked signed Kernel from somewhere?

Whatever you do, use the signed 4.4.177 kernel?

Start to sound a lot like Broadcom.

Where could I go about getting something like that?

At least on ipq807x, many of the secure boot implementations can be circumvented by setting a custom boot command (not verifying the secure boot), but if the vendor did its homework and prevented that possibility, it's indeed game over.

@phantomstranger what if you put the I2C EEPROM contents from MR33 there, but kept the rest of the boot stack, i.e. the signed part stock? This in theory should disable signature verification for the OS partition, because it is not enabled for the "stinkbug" board. By digging through their U-boot sources I found references for multiple boards.
I myself tried to do the other thing, putting a NAND image dumped from the Z3 on a hard-bricked MR33, but it would not output anything. Here I can see that at least SBL1 runs.

Do you have some internal photos of debug connectors, etc?

Edit: please see my new findings for MR33: https://github.com/riptidewave93/LEDE-MR33/issues/13#issuecomment-1209621380

> This in theory should disable signature verification for the OS partition

Okay, I guess it's impossible to keep this quiet now that people are talking about it.

Yes, changing the product ID in the EEPROM will disable u-boot signature verification for the OS partition:

The boot chain up to and including u-boot must be signed. The u-boot environment is compiled into the signed binary, so there is nothing we can do up to that point.

> By digging through their U-boot sources I found references for multiple boards.

Meraki are using the same u-boot binary for both secure (Z3) and non-secure platforms (MR33). It will be trivial for them to close this vulnerability (I won't give them any hints though :wink: ). I think it should always be possible to flash an older u-boot binary to NAND; I don't think they can change the certificate they burned into QFPROM.

I may be wrong though, so if you care about flashing another firmware to your Z3, don't ever let it talk to Meraki again.

When I did my MR33 conversions in the past using an external programmer, I chose to rewrite the whole UBI image from a converted MR33, the one from this image: https://www.usbjtag.com/filedownload/mr33ubootandubi.php. It was just a matter of patching it into the whole NAND image using dd, in a similar way to U-boot, or rewriting it at the appropriate offset, and it worked on both Spansion and Macronix chips. The only part left to do was restoring the calibration data back into UBI from the raw partition still left on NAND after the system booted. So maybe it's worth a shot?


Could you retake the 1st photo with the MAC/SN sticker lifted? I believe that the factory programming connector footprint is hidden there, as it was on the MR33.

There is sadly nothing under the sticker

If I know Qualcomm chips well, it may be possible that, for factory programming, a USB A-A cable is used. Fresh units will expose the previously mentioned EDL interface on the socket. Or something is hiding beneath the upper shielding on the PCB.

Doesn't look like there is anything hidden under the upper shielding: https://fccid.io/UDX-60053010/Internal-Photos/Internal-Photo-3501220

I realised that on the Z3 it would not be of much use anyway. The device has secure boot enabled from the factory, and this means that a signed EDL loader matching the fused keys would be needed to access the NAND this way, and the chance of getting it is next to nothing.

We may still try to check if the device enters this mode if it is forced by bringing the NAND_WE pin high on the NAND flash chip, which doubles as enforcing USB boot.

The only other chance would be to use JTAG, unless it is fused out as well, that is. But even if not, we can use the 360 clip or desolder NANDs to flash; this was proven working already.

We are trying to run anything on a secured device, the Huawei B628-350 (ipq4018 SoC), but no luck.

The ipq4018 has an A90 pin with an interesting description: "Secure boot enabled". :slight_smile:

But changing it does not help. Any change in PBL code => complete brick. Any change in SBL/QSEE/Uboot => "Boot error ocuured".

Maybe someone could get the ipq40xx chip developer guide?