Meraki Z3 Support

This in theory should disable signature verification for the OS partition

Okay, I guess it's impossible to keep this quiet now that people are talking about it.

Yes, changing the product ID in the EEPROM will disable u-boot signature verification for the OS partition:

The boot chain up to and including u-boot must be signed. The u-boot environment is compiled into the signed binary, so there is nothing we can do up to that point.

By digging through their u-boot sources, I found references for multiple boards.

Meraki are using the same u-boot binary for both secure (Z3) and non-secure platforms (MR33). It will be trivial for them to close this vulnerability (I won't give them any hints though :wink:). I think it should always be possible to flash an older u-boot binary to NAND; I don't think they can change the certificate they burned into QFPROM.

I may be wrong though, so if you care about flashing another firmware to your Z3, don't ever let it talk to Meraki again.