If you haven’t noticed, in my spare time I really enjoy breaking into embedded devices for the fun of it. Over the past year I have spent a ton of time rooting the Cisco Meraki MR18, and today I get the chance to publicly disclose my findings.
To start, let me note that I properly disclosed this issue to Cisco Meraki months ago, but because they are no longer replying to my emails or honoring their own Bug Bounty, I have decided to publicly disclose it after waiting over 90 days since their last reply. Hopefully one of these days I will write up the process I used to find this “exploit”.
NOTE: A new flashing method can be found In This Post.
Exploit Process:
- Power on the MR18, and hook it up to UART. (No ethernet should be plugged in)
- Hold the Reset Button for 10+ seconds until the LEDs on the device turn off, then release.
- The device should reboot, at this point pressing Enter on UART should show the following:
<Meraki>
- At this point, you will want to enter
odm help
- If you get a “UNRECOGNIZED COMMAND LOGGED TO CLOUD SERVERS.” reply, try holding the button to do another reset of the device. If you continue to get this message, then sadly your firmware version is NOT rootable using this method (please comment on this post sharing your results and firmware version).
- If you got a “Help” output for the ‘odm’ command, then run the following commands:
odm serial_num write Q2XX-XXXX-XXXV
odm serial_num read
- At this point the output should show “Q2XX-XXXX-XXXV” and your device’s LEDs should be flashing. Now pull the power from the device, and hold down “s” on your UART console when you power the device back on.
- After a bit, you should drop to an initramfs root shell, and the device is pwned! Feel free to follow the OpenWRT flashing guide found on the OpenWRT Forums.
Bonus Rooting:
Doing the above gets you root on the initramfs, but what about the stock firmware? No worries, as I have that covered as well!
- Once in the root initramfs shell, run the following commands on your device:
cd /storage/
rm ./config*
rm ./odm_test.log
echo "serial_allow_odm true" > ./config
echo "serial_access_enabled true" >> ./config
echo "serial_access_check false" >> ./config
echo "valid_config true" >> ./config
cp ./config ./config.local
exit
- Once the above has run, the firmware should continue to boot and you will be back in the stock OS. Once here, you will want to restore the serial number of your device, which can be done with:
odm serial_num write Q242-1111-111V
Just be sure to set your serial to the one on the bottom of the device. Changing the serial to anything else CAN CAUSE ISSUES with the device. Also note that once networking is re-attached, you will lose root access!
Confirmed Working On:
- Firmware Build 22-140575
- Firmware Build 22-149780
- Firmware Build 23-162921
- Firmware Build 23-188206
Overall this exploit isn’t much more than taking advantage of an engineering back door, but I have to dock Meraki some serious points for closing all forms of communication with me. The entire point of bug bounties is to encourage proper disclosure, and not following through does not reflect well on the company.
Timeline of Events:
- First contact to Meraki’s Security Team (10-20-2015)
- Exploit Confirmed by Meraki (10-22-2015)
- Reached out to Meraki for an update – No Response (01-06-2016)
- Second & Final Reach out to Meraki – No Response (01-27-2016)
- Public Disclosure of Exploit (02-09-2016)
- Email from Meraki, emails were “lost”, no longer eligible for bounty (04-20-2016)
- Reached out to Meraki (04-20-2016)
Hmm
I have been trying for a few hours and am unable to get access to the unit.
When are you supposed to press enter?
Thanks for any help
Ryan
Hey Ryan,
The console over UART should show up after the device has fully booted, so pressing Enter any time after that should work. If nothing shows up when pressing Enter, make sure the TX pin on your UART adapter is wired up correctly.
Worked great on an MR18 running firmware 22-140575! Thanks!
Hello!
I have ROM 1.0 from https://github.com/riptidewave93/Openwrt-MR18/releases on my Meraki MR18 and I wonder if I can upgrade the device with any ROM from the official OpenWRT site.
Precisely: is the MR18 only upgradeable with the special cooked ROM from https://github.com/riptidewave93/Openwrt-MR18/releases ?
Best regards.
Hey there,
Once flashed with 1.0 from github, you can then freely install any of the official OpenWRT snapshot releases for the MR18, just note they won’t come with LuCI installed by default so you may just want to wait for the next official OpenWRT release, which will then include LuCI.
I’m on build 23-188206 and not able to send any keys.
I’ve verified that the USB to UART adapter does actually TX. Here’s my bootlog: https://gist.github.com/anonymous/b21eb09eee686f73825c
Any ideas?
Hmm, were you able to go through the process to change the serial number of the device using the “odm” command, or are you unable to access the prompt at all? Also, do you have any other UART adapters you could try and are you using the UART pinout at https://i.imgur.com/McxTAsJ.jpg?
I’m unable to send any input to the board.
Beginning to think it’s my adapter, it’s a six year old eBay special, though when I shorted TX and RX I can confirm data is being sent. Just another excuse to buy a Bus Pirate…
So, can I install ROMs from e.g. http://downloads.openwrt.org/latest/ar71xx/nand/ ?
Which one?
As the MR18 code was not backported, you can only install from the nightly Snapshots at https://downloads.openwrt.org/snapshots/trunk/, which is currently offline. If you need LuCI, then you will want to use the version from my repo until the next major release of OpenWRT.
Hi, after successfully flashing the sysupgrade image OpenWRT is working, but I’m unable to activate LuCI (the opkg update command is returning a bad signature).
Could you please send a link to your repository, or describe how to install LuCI after flashing the https://downloads.openwrt.org/snapshots/trunk/ar71xx/nand/openwrt-ar71xx-nand-mr18-squashfs-sysupgrade.tar file.
Thanks a lot.
If you are getting a bad signature error, this just means the nightly you flashed had an issue with the LuCI package. You can either flash one of my older OpenWRT images from my GitHub repo (which include LuCI) or you will want to wait for the next nightly, upgrade, and then try installing LuCI again following the OpenWRT Wiki documentation.
– Chris B
Thank you for your advice. I was finally able to reflash my Meraki with your GitHub repo image and LuCI worked, but I was unable to configure the network so that the internet worked without DHCP (with a static IP).
In the end I killed the network config in the router and had to reset the settings via the reset button, but since then something is broken.
Normally, via the serial console, the firmware does not start properly; initialization finishes with “Failed to executPlease press Enter to activate this console.”.
I’m unable to access bash and send any commands.
I can access failsafe mode, but there is no /etc/config/network file and my attempt to reflash the nightly build via sysupgrade finished with the error “Failed to connect to ubus”.
I would be very grateful for advice on how to properly reset my device or reflash with a settings reset. Thanks
I managed to restore the healthy state of my router 🙂 In failsafe mode I had to mount the root filesystem and manually correct the network config file and then (after LuCI was accessible via the 192.168.1.1 address) re-flash the nightly build.
I still can’t figure out why I can’t access the internet from the router, so I’m unable to do opkg update and install anything.
My /etc/config/network:
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
option ipv6 '0'
config globals 'globals'
option ula_prefix 'fd19:445c:44f7::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'static'
option ipaddr '10.1.0.45'
option netmask '255.255.255.0'
option gateway '10.1.1.254'
option dns '10.1.0.13 10.1.0.10'
option ipv6 '0'
option ip6assign '60'
Network access problem resolved, mea culpa, incorrect network mask…
opkg worked, LuCI online 🙂
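The static-IP problem in the comment above (a gateway that the netmask puts outside the LAN subnet, so the router can never reach the internet for opkg) is easy to catch before rebooting. The following Python script is an added example, not the commenter’s code or any OpenWRT tool: it parses the UCI config/option syntax of /etc/config/network and flags every static interface whose gateway is not inside the subnet given by ipaddr and netmask. The sample config is constructed from the one posted above; the corrected mask (255.255.0.0) is an assumption, since the comment only says the mask was wrong.

```python
"""Check an OpenWRT /etc/config/network fragment for unreachable gateways.

Added example (not from the post, the commenter, or OpenWRT). Parses the UCI
'config <type> <name>' / 'option <key> <value>' syntax and verifies that each
static interface's gateway lies within the subnet implied by ipaddr/netmask.
"""
import ipaddress
import shlex


def parse_uci(text: str) -> list:
    """Parse UCI text into [{'type', 'name', 'options'}] sections.

    'list' entries and unknown keywords are ignored, which is enough for the
    interface checks below.
    """
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the single-quoted UCI values
        if parts[0] == "config" and len(parts) >= 2:
            sections.append({
                "type": parts[1],
                "name": parts[2] if len(parts) > 2 else None,
                "options": {},
            })
        elif parts[0] == "option" and sections and len(parts) >= 2:
            sections[-1]["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
    return sections


def check_static_gateways(text: str) -> list:
    """Return one problem string per static interface whose gateway is off-subnet."""
    problems = []
    for sec in parse_uci(text):
        opts = sec["options"]
        if sec["type"] != "interface" or opts.get("proto") != "static":
            continue
        if not all(k in opts for k in ("ipaddr", "netmask", "gateway")):
            continue  # e.g. loopback has no gateway; nothing to check
        # strict=False lets the host address stand in for the network address.
        net = ipaddress.ip_network(f"{opts['ipaddr']}/{opts['netmask']}", strict=False)
        gw = ipaddress.ip_address(opts["gateway"])
        if gw not in net:
            problems.append(f"{sec['name']}: gateway {gw} is not in {net} (check netmask)")
    return problems


# Constructed from the config posted in the comment above (loopback omitted).
POSTED_CONFIG = """
config interface 'lan'
    option type 'bridge'
    option ifname 'eth0'
    option proto 'static'
    option ipaddr '10.1.0.45'
    option netmask '255.255.255.0'
    option gateway '10.1.1.254'
    option dns '10.1.0.13 10.1.0.10'
"""

# Assumed correction: a /16 puts 10.1.1.254 back inside the LAN.
FIXED_CONFIG = POSTED_CONFIG.replace("255.255.255.0", "255.255.0.0")

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_static_gateways(cfg) or "ok")
```

Run it against a copy of the router's file (`check_static_gateways(open("network").read())`) from failsafe mode before committing the config; a non-empty result means the box will come up with no route out.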
Thanks so much for a non-destructive way into these things! After following step 8, I was able to get OpenWRT loaded! However I cannot get the procedure under “bonus rooting” to work. Is this because I followed the OpenWRT procedure here:
“go to the System Upgrade tab, and select the downloaded sysupgrade image named openwrt-ar71xx-nand-mr18-squashfs-sysupgrade.tar. This will then remove the stock Meraki kernel, flash OpenWRT, fix the caldata partition if needed, and auto-expand rootfs_data to use the rest of the UBI free space.”
Am I out of luck here, or should I still be able to hold S and get the Meraki console again to use the odm commands?
Thanks!
You got it. If you flashed sysupgrade, then your MR18 will now only boot OpenWRT as the Meraki kernel was removed, so the bonus root has no use/value to your device anymore.
I have this log after changing the serial number; I can’t send the S key 🙁
If I boot the Meraki with the USB-UART plugged in, I get the sequence:
__________________sri____________________
944x BootROM Ver. (asic) 1.0 [Nov 8 2011 13:42:57]
_________________________________________
find_hif: bootstrap = 0x31459
Nand Flash init
hdr: [0xbd000400 : 0xbd000400 : 0x6fb4 : 0xe5c86b84]
nand_load_fw: read 13 pages
nand_load_fw: 0x10000 0x800 0xbd000bf0
nand_load_fw: 0x20000 0x800 0xbd0013f0
nand_load_fw: 0x30000 0x800 0xbd001bf0
nand_load_fw: 0x40000 0x800 0xbd0023f0
nand_load_fw: 0x50000 0x800 0xbd002bf0
nand_load_fw: 0x60000 0x800 0xbd0033f0
nand_load_fw: 0x70000 0x800 0xbd003bf0
nand_load_fw: 0x80000 0x800 0xbd0043f0
nand_load_fw: 0x90000 0x800 0xbd004bf0
nand_load_fw: 0xa0000 0x800 0xbd0053f0
nand_load_fw: 0xb0000 0x800 0xbd005bf0
nand_load_fw: 0xc0000 0x800 0xbd0063f0
nand_load_fw: 0xd0000 0x800 0xbd006bf0
f/w 0 read complete, jumping to 0xbd000400
Meraki Atheros LinuxLoader MR18 built Jan 31 2014 15:53:22
qca955x_init_ddr ok
test_memoryfailed RAM BORKED: (0xa0000000) 0x5a5a5a5a != 0x0
error booting
__________________sri____________________
944x BootROM Ver. (asic) 1.0 [Nov 8 2011 13:42:57]
_________________________________________
find_hif: bootstrap = 0x31459
Nand Flash init
hdr: [0xbd000400 : 0xbd000400 : 0x6fb4 : 0xe5c86b84]
nand_load_fw: read 13 pages
nand_load_fw: 0x10000 0x800 0xbd000bf0
nand_load_fw: 0x20000 0x800 0xbd0013f0
nand_load_fw: 0x30000 0x800 0xbd001bf0
nand_load_fw: 0x40000 0x800 0xbd0023f0
nand_load_fw: 0x50000 0x800 0xbd002bf0
nand_load_fw: 0x60000 0x800 0xbd0033f0
nand_load_fw: 0x70000 0x800 0xbd003bf0
nand_load_fw: 0x80000 0x800 0xbd0043f0
nand_load_fw: 0x90000 0x800 0xbd004bf0
nand_load_fw: 0xa0000 0x800 0xbd0053f0
nand_load_fw: 0xb0000 0x800 0xbd005bf0
nand_load_fw: 0xc0000 0x800 0xbd0063f0
nand_load_fw: 0xd0000 0x800 0xbd006bf0
f/w 0 read complete, jumping to 0xbd000400
This error means your UART adapter is either running at the wrong voltage (5 instead of 3.3), or you have VCC wired up incorrectly. To fix this you will want to use a different UART adapter, such as http://www.ebay.com/itm/USB-to-TTL-adapter-Replace-CP2102-chip-module-serial-ports-UART-module-New-GT-/272139098624?hash=item3f5cc11a00:g:UK4AAOSwzgRWx02c
Thank you for your reply,
I’m using this one: http://www.ebay.com/itm/USB-To-RS232-TTL-PL2303HX-Auto-Converter-Module-Converter-Adapter-For-arduino-/180953299346
Do I really need to buy another? It’s a little hard to find those adapters in Brazil 🙁
Sadly yes as it sounds like yours is not working correctly, but as long as you find one based on the CP2102 chip that uses 3.3v, you should be good to go. 🙂
Thank you, that’s what I’m gonna do.
Hi,
I am using this adapter and I am getting an exact same error as soon as I connect the cables.
And now when I power my device On, the led just blinks and nothing happens.
Any suggestions?
Gustavo, be sure you are only hooking up TX, RX and GND. I had the same error when I hooked up VCC on mine. Removing VCC fixed the issue for me.
This worked on my up to date 34 build 23-191963
After doing this to another MR18 I realized how this worked before. If you do the 30s reboot procedure the odm cmd is not found. I then rebooted normally and let it boot. The prompt then has the odm cmd, allowing you to change the SN. Now follow the rest of the steps in the guide.
-PiXEL8
Trying to free my MR-18
I am on fw version 22-140575 but am getting a problem at the odm serial_num change stage; when I try to write the serial_num I get:
board_data_config: bad serial given, you can try using -f
board_data_config: bad write
Checking odm help I can see:
mac, seral_num, product_id, hw_rev, hw_minor,
So I tried to run odm serial_num write value Q2XX-XXXX-XXXX and still get the same result.
Tried to set the force switch, but not sure where it should go in the syntax; tried various positions but that’s not working either.
Any ideas? Thanks
Never mind guys – got it.
Chris, I would absolutely love to read a write-up on how you found the exploit!
Hey Mike,
Will see if I can find the time later. For a quick TL;DR, It’s somewhat similar to my older Cisco OEAP602 root at https://servernetworktech.com/2015/05/rooting-and-converting-the-cisco-air-oeap602-to-an-e3000/ which involved digging around the init/startup binary, as well as the startup scripts in /etc/init.d for clues as to how the startup process works to spawn a shell. 🙂
Hi! I’m following this procedure and I’m getting stuck.
Could you tell me the right moment to plug the ethernet into the Meraki?
I’m following this guide just fine, but when I try to connect to my PC to download the firmware I lose UART connectivity.
Thanks in advance.
You sir are a gentleman and a scholar!
Thank you for the awesome pwning of this device!
Thanks so much for this, I’ve got so far but am hoping for a little assistance…
I’ve completed everything as above, which worked great, and I’m trying to get files over to the device but the Ethernet does not appear to be working (lights are on the port and amber flashing on the Meraki). If I run ‘ifconfig eth0’ I get device not found. When the device boots the following lines appear at the end.
In write handler ‘device_id’ for wired0_cdpsource ~:: CDPSource’:
Bad String passed to device_id
In write handler ‘device_id’ for wired1_cdpsource ~:: CDPSource’:
Bad String passed to device_id
In write handler ‘product_model’ for wired0_cdpsource ~:: CDPSource’:
Cannot parse product model
In write handler ‘product_model’ for wired1_cdpsource ~:: CDPSource’:
Cannot parse product model
Really appreciate your assistance.
Hmm. I have seen similar issues on other devices where a UART adapter was used that was either over voltage, or had VCC wired up. Can you confirm you are using a 3.3V UART adapter and only have TX/RX/GND wired up? It also seems your board is unable to read the UBI partition that contains your board information. Did you ever try the pin jump method, and does your MR18 work normally when you let it boot fully?
what is the PIN jump method, can you link me?
Hello
I have an issue when dd’ing the openwrt.bin file; it seems like mtdblock2 is too small or corrupted? Any idea?
/storage # dd if=/storage/openwrt.bin of=/dev/mtdblock2
[ 73.312000] ecc unrecoverable error
[ 73.316000] ecc unrecoverable error
[ 73.320000] ecc unrecoverable error
[ 73.324000] ecc unrecoverable error
[ 73.328000] end_request: I/O error, dev mtdblock2, sector 8960
dd: writing ‘/dev/mtdblock2’: Input/output error
8961+0 records in
8960+0 records out
4587520 bytes (4.4MB) copied, 2.852310 seconds, 1.5MB/s
/storage #
Thanks 😉
Sadly that can be a sign your NAND may have some corruption. Did you ever try using the “pin short” method in the MR18 thread on the OpenWRT forums?
Hello Chris,
yes, that’s what I was afraid of… I ended up writing to mtdblock1 directly and this worked!
Now this AP is free 🙂
Thanks!
Hi Chris
Thanks for the article.
I am having some trouble. I can get to the step where I unplug the power to the AP and hold down S and power back on, then UART Terminal returns a bunch but ends with:
In write handler ‘device_id’ for wired0_cdpsource ~:: CDPSource’:
Bad String passed to device_id
In write handler ‘device_id’ for wired1_cdpsource ~:: CDPSource’:
Bad String passed to device_id
In write handler ‘product_model’ for wired0_cdpsource ~:: CDPSource’:
Cannot parse product model
In write handler ‘product_model’ for wired1_cdpsource ~:: CDPSource’:
Cannot parse product model
I am using this adapter http://www.ebay.com.au/itm/201505399580
This is how I am wiring it to the AP
https://imgur.com/gjkYb4K
Any ideas?
If you are seeing those messages that is normally a sign that you have passed the boot process where “S” is required, so you may need to keep trying. You can also check out the flashing video I made in the OpenWRT forum post to get an idea of what you should be seeing on the Console.
Thanks Chris. I am still having issues with not getting past the hold S and boot. I can’t seem to find your video on the OpenWRT forum. Can you link me?
Sure thing, video is at http://youtu.be/ZTywBt3_W8Y
Confirmed working on an MR32 also:
Meraki-build is 24-201607201515
Board is running a BCM5301X ARMv7. Will take a look at running LEDE/OpenWRT on it as they do have kernel support.
Flash layout:
[ 1.490000] Creating 5 MTD partitions on “nand_iproc.0”:
[ 1.490000] 0x000000000000-0x000000100000 : “U-boot”
[ 1.500000] 0x000000100000-0x000000400000 : “bootkernel1”
[ 1.500000] 0x000000400000-0x000000500000 : “senao_nvram”
[ 1.510000] 0x000000500000-0x000000800000 : “bootkernel2”
[ 1.520000] 0x000000800000-0x000007f80000 : “ubi”
I’ve got a few more Meraki boards so will take a look at these also.
Hey Rob!
I have an MR33 and I can boot as root… can you help me install OpenWRT on it?
Would be nice to hear from you…
Greets, Phil
Hey Philip,
Note that at this time the MR32 and MR33 do not have LEDE/OpenWRT support. I do have a MR32 in hand ATM that I plan to port over later, but note it does not have GPL driver support for the main AC wireless radios. I am unsure of the situation with the MR33, as I am not sure what radios are used on that board.
Hi Chris! First off, awesome findings and write-up!! My MR-18 is in the mail currently. I’m just curious if there is any benefit of doing this exploit initially upon unboxing to try to ensure root access if I intend to start out using the normal Meraki firmware until my “license” expires? I understand I can always go JTAG, but I’d like to use it without worrying about future firmware downloads breaking UART access if at all possible.
Cheers!
Hey there,
As for your question, note that this method will probably get patched via Cisco/Meraki down the line, so if you have any intentions of using OpenWRT/LEDE on the device it would be best to follow this guide, and flash your device before hooking it up to the internet. This is because on first boot, the Meraki on stock firmware will download and install the latest OTA which may prevent this method from working in the future. If you don’t mind going the JTAG route though, then feel free to use the device as is.
Works fine on 23-198280, just reset it until “odm help'” works. You can use SW2 to do that, J2 also does crazy things.
Hi there,
I just tried a MR18 and build “24-201609272213-G374d42aa-daybed” – doesn’t work. Anyone else successfully used that version?
Hi there,
I just tried an MR18 with build “24-201609272213-G374d42aa-daybed” – doesn’t work. It works until pressing the “s” key. Holding it after re-powering doesn’t bring up the root shell…
Anyone else successfully used that version?
I have bootsh build 24-201610261613-Gb6d270c7-onion
I am able to change the serial number but it will not enter the ‘s’ console even though it accepts the ‘magic key’:
Got magic key s [ 1.632000] Bootsh: trying rootfs path:
/dev/mtdblock/rootfs-24-201610261613-Gb6d270c7-onion-1
Attempting to setup root /dev/mtdblock/rootfs-24-201610261613-Gb6d270c7-onion-1…
log here: http://pastebin.com/huUQc9ut
Hi,
confirmed fw_version 23-177858
Thanks.
Tried to boot into root and continue to get “UNRECOGNIZED COMMAND LOGGED TO CLOUD SERVERS”.
Firmware: rootfs-22-130961-1
Is there any way to bypass this firmware version? Or am I stuck with a non-rootable MR18?
__________________sri____________________
944x BootROM Ver. (asic) 1.0 [Nov 8 2011 13:42:57]
_________________________________________
find_hif: bootstrap = 0x31c58
Nand Flash init
hdr: [0xbd000400 : 0xbd000400 : 0x6fb4 : 0xe5c86b84]
nand_load_fw: read 13 pages
nand_load_fw: 0x10000 0x800 0xbd000bf0
nand_load_fw: 0x20000 0x800 0xbd0013f0
nand_load_fw: 0x30000 0x800 0xbd001bf0
nand_load_fw: 0x40000 0x800 0xbd0023f0
nand_load_fw: 0x50000 0x800 0xbd002bf0
nand_load_fw: 0x60000 0x800 0xbd0033f0
nand_load_fw: 0x70000 0x800 0xbd003bf0
nand_load_fw: 0x80000 0x800 0xbd0043f0
nand_load_fw: 0x90000 0x800 0xbd004bf0
nand_load_fw: 0xa0000 0x800 0xbd0053f0
nand_load_fw: 0xb0000 0x800 0xbd005bf0
nand_load_fw: 0xc0000 0x800 0xbd0063f0
nand_load_fw: 0xd0000 0x800 0xbd006bf0
f/w 0 read complete, jumping to 0xbd000400
Meraki Atheros LinuxLoader MR18 built Jan 31 2014 15:53:22
Hello,
This is normally a sign you didn’t hold the reset button for 10+ seconds first to reset the device, so please try the process again. With that said though, I have heard that newer firmwares (build 24 and up) may no longer be rootable.
Hi there,
Do you know of any method that will work on an MR42?
Hello,
Sadly I don’t have any MR42 to play with so I can’t confirm if the above method works on this device or not.
Just dropping by to thank you for your effort, Chris. As I’m writing this, I’m connected to an MR18 running OpenWRT, freed thanks to your instructions.
I received it in November or December 2016 from Cisco running firmware 22-140575 (does everyone get those things with such an old firmware version?). Shipped to Poland after having to remind Cisco that they forgot about me. I was told of some kind of supply shortage. Whatever.
No need to do the pin shortening tricks whatsoever with this firmware, but anyway thanks for putting my serial adapter to use that I got years ago for a never finished project and forcing me to learn serial communication stuff 🙂
Right. Upgrading to the MR18 from my 8 years old TP-Link 1043nd v1 access point (running flawlessly, mind you) is definitely a step up 🙂
I have an old computer with a physical serial port. Can I use that? I tried hooking TX to SND and SND to TX but it did not work. When I connected SND to SND and TX to TX, I got gibberish ASCII characters that look like a bad speed/data/stop/parity configuration, but nothing I’ve tried works.
I’d really like to get something usable on this MR18 but it doesn’t seem to be working. I also can’t see what version it is running from the Meraki cloud page. It just says “up to date”
Thanks
Just to confirm what everyone probably already knows …
/dev/mtdblock/rootfs-24-201611211457-G69d4dc09-mantua-1 won’t respond to ‘s’ on boot.
Can change serial number though.
Thanks for all the great work .
Chip
Unfortunately I am in the same boat as Chip here. Any way to downgrade the firmware, or will the short-on-the-board trick work? Or is it a paperweight?
+1 to Chip’s comment. Foiled! But great job everyone.
I wish there was some way owners with more recent firmware could unlock their devices. Mine is able to change serial number, but nothing else, like many others. Any progress being made on this front?
Besides JTAG which is mentioned in the OpenWRT thread, there is currently no other known way to roll back the device or flash it after taking a newer firmware.
Looks like I am late to the party. I just received a Meraki MR18, connected it to UART, can change the serial number, but nothing else. Is there another solution for folks like me?
I’ve found I can access BusyBox by holding the reset key for 10 seconds to trigger a restart, then continuing to hold it. Not sure if this would be helpful to anyone.
This boots the device into “diagnostic” mode, which is a barebones Qualcomm testing environment. While you have a root shell, you are unable to access the NAND that stores the stock firmware due to the ECC differences. Specifically, the stock firmware and environment use BCH ECC, which is not enabled for this environment.
I can get to prompt and have changed serial number.
Also ran ‘odm fw_version read’ which reported back 22-140575
Which seems to tally with the list of compatible firmware versions.
But device will not respond to ‘s’ when powering back on.
Using Putty, I unplug power, press ‘s’ on keyboard then plug power back in.
It boots without LEDs, outputs unreadable characters and just continues to output them. Waited for about 2 minutes.
Any advice offered greatly appreciated
If you are getting junk back, this can be a sign it may be a problem with your UART adapter or wiring. Make sure you are only connecting GND, RX, and TX, and you have a 3.3v adapter. I personally use CP2102 based UART adapters, and have never had any issues.
Thanks Chris, I appreciate your response.
I have this UART adapter http://ebay.eu/2m2f1Dz and have definitely got GND, RX, TX hooked up correctly. I tried switching them around and only got junk. Whereas I can get to the ODM HELP prompt, I cannot activate the magic key press ‘s’.
Is there anyone with a JTAG that would flash them for us for a small fee to cover shipping and your time?
Mine has expired its 3yr service and it is running the following:
odm fw_version read
24-201611211457-G69d4dc09-mantua
Is there any way to check the firmware version before opening this up?
I do know that it is not the newest version (which was released a week or two ago), so it might be 24-201611211457-G69d4dc09-mantua?
Hi Chris,
have you taken a look at the MR32? You said you got one to play with over at the OpenWRT forums.
Cisco just quit selling the MR18 a couple of days ago and now you get an MR32 for attending the webinar, so there will be more and more people bugging you 🙂
Not to be pushing you or anything. Once again thanks for your work.
I got a meraki z1 from work for free, now thanks for your guide I have a new gigabit router at home. Thank you!
Hi Chris,
After reading the OpenWRT forum and this post, I’m actually more confused as to how this ‘s’ backdoor actually works.
Firstly, is it lower-case ‘s’ or upper-case ‘S’ (or does it not matter)?
But either way, I cannot make it work.
I have firmware 22-130961, which seems to be earlier than other confirmed exploitable versions.
I’ve successfully changed the serial number, but no amount of hitting/holding the s key during boot gives me a shell.
The only thing of interest is that I always get junk over the serial at boot-up (soft or hard reboot); the first legible line is:
[ 0.256000] console [ttyS0] enabled, bootconsole disabled
Any clues?
I’d prefer not to have to resort to shorting resistors or buying a jtag…
Got a CP2102 usb uart, and I can now see the output from the bootloader on power-on.
Still can’t get ‘s’ to gain me root though 🙁
I’ve got a CP2102 UART adapter. Managed to get the serial changed and up to the point of booting using the special key ‘s’, but it didn’t work. I can confirm I’m running firmware 24.
This has been confirmed as not working.
What I did however manage was to still get root access to the device by holding the reset button for 5 secs or so. The device would reboot me into a root unix prompt. Sadly the ‘wget’ command wouldn’t work…… any ideas guys? Could there be another way to update the device using this method?
I was able to change the IP address of the device when I got this prompt and ping my laptop. just the ‘wget’ command was unrecognized.
Pete,
This means you booted into the diagnostic image on the MR18. Sadly it has the NAND blocked off at a kernel level as it’s hard programmed to use a different ECC mode, so you can’t flash the device from this environment.
Thanks Chris…I was so close!! Look at the latest flashing method, I only needed to hold down the reset button for another 5 seconds.
I managed to get it working using the latest method.
I connected my UART at 115200 and I only see garbage on boot.
Any Idea?
Same problem here, 115200 N81 – lots of garbage. If I start with the cable inserted, I get some “half readable” text, but it will not boot, just keeps circling in some kind of startup diag.
If I connect the cable after initial power-on, I get lots of unreadable garbage like Steeve.
Current version: MR 24.6
Hello,
Can you confirm that you are using a 3.3V UART adapter? Normally the “garbage” is a sign of a 5V adapter, or a bad physical connection.
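Several replies in this thread diagnose the same handful of console symptoms: unreadable output from a 5V adapter, wrong baud or bad wiring; the “RAM BORKED” loader error when VCC is wired up; the “UNRECOGNIZED COMMAND” reply when the reset did not take or the build is not rootable; the CDP “Cannot parse product model” lines that mean boot is already past the key window; and build numbers that decide whether the method applies at all. The Python script below collects those checks into one triage pass over a saved UART capture. It is an added example, not code from the post or from Meraki/OpenWRT; the 80% printable threshold and the treatment of builds 24 and up as not responding to the key are assumptions drawn from the replies, and every sample capture is constructed.

```python
"""Triage a saved MR18 UART console capture against the hints in this thread.

Added example (not from the post, Meraki, or OpenWRT). Give it the raw bytes
read from the serial port and it reports which of the known symptoms appear
and which firmware build the capture mentions.
"""
import re

# Builds the post lists as confirmed working.
CONFIRMED_BUILDS = {"22-140575", "22-149780", "23-162921", "23-188206"}

# Console markers quoted in the post/replies, with the explanation given there.
MARKERS = [
    ("RAM BORKED", "adapter voltage wrong (5V instead of 3.3V) or VCC wired up"),
    ("UNRECOGNIZED COMMAND LOGGED TO CLOUD SERVERS",
     "reset not done (hold 10+ seconds) or build not rootable with this method"),
    ("Cannot parse product model", "boot already passed the window where the key must be held"),
    ("Got magic key s", "key was accepted by bootsh"),
]

# Matches '22-140575' and '24-201611211457-G69d4dc09-mantua' style builds
# as they appear in 'odm fw_version read' output or the rootfs path.
BUILD_RE = re.compile(r"\b(2\d)-(\d{6,})(?:-G[0-9a-f]+-[a-z]+)?")

# Assumption: below this fraction of printable bytes we call the capture garbage.
PRINTABLE_THRESHOLD = 0.8


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def extract_build(text: str):
    """Return the first firmware build ('MAJOR-NUMBER') in the text, or None."""
    m = BUILD_RE.search(text)
    return f"{m.group(1)}-{m.group(2)}" if m else None


def triage(capture: bytes) -> dict:
    """Classify a capture: printable ratio, build seen, and matched symptoms."""
    ratio = printable_ratio(capture)
    text = capture.decode("ascii", errors="replace")
    findings = []
    if ratio < PRINTABLE_THRESHOLD:
        findings.append("mostly unreadable output: check 3.3V adapter, 115200 8N1, GND/TX/RX only")
    for marker, meaning in MARKERS:
        if marker in text:
            findings.append(f"{marker!r}: {meaning}")
    build = extract_build(text)
    major = int(build.split("-")[0]) if build else None
    if build in CONFIRMED_BUILDS:
        findings.append(f"build {build} is in the confirmed-working list")
    elif major is not None and major >= 24:
        findings.append(f"build {build}: replies report builds 24 and up do not respond to the key")
    return {"printable_ratio": round(ratio, 2), "build": build, "findings": findings}


# Constructed sample captures modelled on the logs quoted in the comments.
SAMPLES = {
    "garbage": bytes(range(128, 256)) * 2,
    "ram_borked": b"test_memoryfailed RAM BORKED: (0xa0000000) 0x5a5a5a5a != 0x0\nerror booting\n",
    "build24": (b"Got magic key s [ 1.632000] Bootsh: trying rootfs path:\n"
                b"/dev/mtdblock/rootfs-24-201610261613-Gb6d270c7-onion-1\n"),
    "build22": b"odm fw_version read\n22-140575\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, triage(data))
```

Save the terminal output to a file (most terminal programs can log the session) and feed `open(path, "rb").read()` to `triage()`; a low printable ratio points at the adapter or wiring before anything else is worth debugging.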
Hi everybody,
I have a problem: I cannot access the MR18 while pressing the key “s”.
I could successfully change the serial number.
The firmware is: 22-131521
1 week ago I successfully flashed another MR18 with OpenWrt but with a different Firmware.
Thank you for your help.
P.S. The flashed MR18 works like a charm.
Sven,
Did you ever get this to work on this firmware? I have the same firmware and am getting the same results as you.
Thanks,
Tony
Hi. I’m having the same problem. Did you ever resolve this?
I have a 24-201611211457-G69d4dc09-mantua firmware, initially when performing the
odm serial_num write Q2XX-XXXX-XXXV
the subsequent “odm serial_num read” would either produce nothing or, at times, give the original number. Then I left the machine attached to PoE and the serial cable, and when I gave the “odm show_system” command I noticed the line
serial_num Q2XX-XXXX-XXXV
and now, having left it alone again for some time, it apparently did a spontaneous reboot, and yet the serial number is still the one I set! So I will now proceed with the rest of the process (reboot while pressing s and see how it goes…
(re: my 24-201611211457-G69d4dc09-mantua FW)
No joy… the boot process still ends, like before, with a
[ 18.544000] warning: key material 0 too short (minimum 16+4+20=40)
and yet the serial number is still set!
What else should I try?
forgot to mention that I solved this problem and posted my findings under the other thread since I followed the method there: https://servernetworktech.com/2017/06/pwning-the-meraki-mr18-again/
It was not devoid of difficulties as the MR18 was not asking for the file indicated in the URL given. But you can read about it there. Thanks
Hi, I need some help if possible. How did you manage to boot past the “[ 18.544000] warning: key material 0 too short (minimum 16+4+20=40)” boot stop point? I checked the other post but didn’t see any specific info. Thanks
Hi,
I am trying to root my MR-18 but I am unable to get to a prompt. I can get the console via the UART and see the unit loading. I have firmware 22-140575, which the post says will work with the above method, but after holding the reset button I see the unit boot, the prompt flashes by and the unit keeps loading until it says “Cannot parse product model” and just stops with no prompt.
I had a DHCP server running but the unit did not grab an IP address either. I have tried pressing 2 or s but I am unable to get the unit to a prompt so I can type.
Any suggestions as to what I can try next?
I get a “UNRECOGNIZED COMMAND LOGGED TO CLOUD SERVERS.” with firmware 25.11.
I managed to get a shell prompt but the ODM command is non-existent.
Set of available commands:
———————————————————————–
/ # set
HISTFILE='/root/.ash_history'
HOME='/root'
IFS='
'
LOGNAME='root'
OLDPWD='/root'
PATH='/usr/sbin:/bin:/usr/bin:/sbin:/usr/local/sbin:/tmp/tools:/etc/ath'
PPID='1'
PS1='\w \$ '
PS2='> '
PS4='+ '
PWD='/'
SHELL='/bin/sh'
TERM='vt102'
USER='root'
_='serial'
/ # help
Built-in commands:
——————-
. : alias bg break cd chdir continue eval exec exit export false
fg hash help jobs kill let local pwd read readonly return set
shift times trap true type ulimit umask unalias unset wait
Does anyone have a solution with this firmware?
Thanks
Complete firmware Version: boot 100 build 25-201804051805-G885d6d78-dhow-rel
Any updates regards this anyone?
I’m interested too. Any update?
Hi,
how did you send the magic key S?
I reach the ash shell, but I cannot type anything.
usb usb2: New USB device strings: Mfr=3, Product=2, SerialNumber=1
usb usb2: Product: ATH EHCI
usb usb2: Manufacturer: Linux 2.6.31–LSDK-9.5.3.15-ga2a05dd-dirty ehci_hcd
usb usb2: SerialNumber: platform
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 0 ports detected
Initializing USB Mass Storage driver…
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
usbcore: registered new interface driver cdc_ether
tar: /sbin/debug.tgz: No such file or directory
factoryreset: /dev/freset: N**** drop_caches_sysctl_handler: all done timer added …****
o such file or directory
Starting pid 731, console /dev/ttyS0: '/sbin/autologin'
Jan 1 00:00:06 login[731]: root login on `ttyS0'
BusyBox v1.01 (2013.11.05-04:45+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
Any advice?
I am also having issues getting this thing flashed. I have tried all the guides that I can find. Below are the three guides and the errors I got.
I have a feeling I am on the wrong firmware version. I don’t know which firmware I am on because when I connect to the MR18 everything on the screen scrolls quickly and I cannot go back and see what version I have (I cannot scroll and normal commands do not work).
I can run the odm command to change the serial, but when I try to get into the initramfs root shell I can’t seem to get there very easily. I have to use the reset button to force a kernel crash to get in. Once I get into the initramfs root shell, I go to run the commands but /storage cannot be found. I can mkdir storage and it creates it, but that doesn’t really help since the config files are not there.
I have also tried to follow these guides and https://wiki.openwrt.org/toh/meraki/mr18. I still have to create the /storage and run the script that all finishes properly, but when I run the WGET command it says WGET is not found
When I try the ODM firmware part2 command it fails to find the URL.
Any help will be appreciated.
Did you figure it out? I have the same problem.
Guys, is build 25 rootable at all? None of the tricks here seems to work.
Any chance to do this on an MX65?
I can’t find firmware for the MX65 series anywhere as a bin or tar.gz file; any advice on finding it?
Thanks!
Hi Guys,
Has anyone had any progress with MR18s on build 25? If not, has anyone had any luck with a cheap JTAG setup?
Can I use this method to get into U-Boot mode on the MR33, by holding reset or holding 2 while starting up the MR33?
Every time I start the MR33 it boots up to its stock firmware, and I don’t know how to get to U-Boot.
Thanks
It works on this firmware build 22-133441
Hi,
I have FW version 22-131521 and can’t get it to reboot to root while holding S.
I’ve used a Mac with screen and minicom, a Windows PC with PuTTY and even a Linux VM.
Just can’t seem to get it to receive the command. I’ve set flow control off, still no luck.
Any last tips?
I’m using a Raspberry Pi as the serial device but I’m not getting any input.
Also a bit confused about the LED, I have 2 orange LEDs and a RGB rainbow fading LED sometimes.
Booting to root with holding S doesn’t seem to work. Anyone have a fix for this?