Pwning/rooting the Cisco Meraki MR18

If you haven’t noticed, in my spare time I really enjoy breaking into embedded devices for the fun of things. Over the past year, I have spent a ton of time rooting the Cisco Meraki MR18, and today I get the chance to publicly disclose my findings.

To start, let me note by saying I have properly disclosed this issue to Cisco Meraki months ago, but due to the fact they are no longer replying to my emails or honoring their own Bug Bounty, I have decided to publicly disclose this after waiting over 90 days since their last reply. Hopefully one of these days I will write up the process I used to find this “exploit”.

NOTE: A new flashing method can be found In This Post.

Exploit Process:

  1. Power on the MR18, and hook it up to UART. (No ethernet should be plugged in)
  2. Hold the Reset Button for 10+ seconds until the LEDs on the device turn off, then release.
  3. The device should reboot, at this point pressing Enter on UART should show the following:
    <Meraki>
  4. At this point, you will want to enter
    odm help
  5. If you get a “UNRECOGNIZED COMMAND LOGGED TO CLOUD SERVERS.” reply, then please try holding the button to do another reset of the device. If you continue to get this message, then sadly your firmware version is NOT rootable using this method. (please comment to this post sharing your results/firmware version)
  6. If you got a “Help” output for the ‘odm’ command, then run the following commands:
    odm serial_num write Q2XX-XXXX-XXXV
    odm serial_num read
  7. At this point the output should show “Q2XX-XXXX-XXXV” and your device should have it’s LED’s flashing. At this point, pull the power from the device, and hold down “s” on your UART console when you power back on the device.
  8. After a bit, you should then drop to a initramfs root shell, and the device is pwned! Feel free to follow the OpenWRT flashing guide found on the OpenWRT Forums.

Bonus Rooting:

Doing the above gets you root on the initramfs, but what about the stock firmware? No worries, as I have that covered as well!

  1. Once in the root initramfs shell, run the following commands on your device:
    cd /storage/
    rm ./config*
    rm ./odm_test.log
    echo "serial_allow_odm true" > ./config
    echo "serial_access_enabled true" >> ./config
    echo "serial_access_check false" >> ./config
    echo "valid_config true" >> ./config
    cp ./config ./config.local
    exit
    
  2. Once the above is ran, the firmware should continue to boot, and you will then be back in the stock OS. Once here you will want to restore the Serial Number of your device, which can be done with:
    odm serial_num write Q242-1111-111V

Just be sure to make sure to set your serial to the one on the bottom of the device. Changing the serial to any thing else CAN CAUSE ISSUES with the device. Also note that once networking is re-attached, you will lose root access!

Confirmed Working On:

  • Firmware Build 22-140575
  • Firmware Build 22-149780
  • Firmware Build 23-162921
  • Firmware Build 23-188206

Overall this exploit isn’t much more than taking advantage of an engineering back door, but I got to dock Meraki some serious points for closing all forms of communication with me. The entire point of Bug Bounties is to encourage proper disclosures, and not following through does not reflect well upon the company.

Timeline of Events:

  1. First contact to Meraki’s Security Team (10-20-2015)
  2. Exploit Confirmed by Meraki (10-22-2015)
  3. Reached out to Meraki for an update – No Response (01-06-2016)
  4. Second & Final Reach out to Meraki – No Response (01-27-2016)
  5. Public Disclosure of Exploit (02-09-2016)
  6. Email from Meraki, emails were “lost”, no longer eligible for bounty (04-20-2016)
  7. Reached out to Meraki (04-20-2016)

105 thoughts on “Pwning/rooting the Cisco Meraki MR18

  1. Ryan

    Hmm

    I have been trying for a few hours and am unable to get access to the unit.

    When are you supposed to press enter?

    Thanks for any help
    Ryan

    Reply
    1. Chris B - Admin Post author

      Hey Ryan,

      To get to the Console over UART, this should show up after the device has fully booted, so pressing Enter any time after this should work. If nothing shows up when pressing enter, make sure your TX pin on your UART adapter is wired up correctly.

      Reply
    1. Chris B - Admin Post author

      Hey there,

      Once flashed with 1.0 from github, you can then freely install any of the official OpenWRT snapshot releases for the MR18, just note they won’t come with LuCI installed by default so you may just want to wait for the next official OpenWRT release, which will then include LuCI.

      Reply
      1. Ben

        I’m unable to send any input to the board.

        Beginning to think it’s my adapter, it’s a six year old eBay special, though when I shorted TX and RX I can confirm data is being sent. Just another excuse to buy a Bus Pirate…

        Reply
        1. Chris B - Admin Post author

          If you are getting a bad signature error, this just means the nightly you flashed had an issue with the LuCI package. You can either flash one of my older OpenWRT images from my GitHub repo (which include LuCI) or you will want to wait for the next nightly, upgrade, and then try installing LuCI again following the OpenWRT Wiki documentation.

          – Chris B

          Reply
          1. blackie

            Thank you for your advice. I was finally able to reflash my Meraki with your github repo image, Luci worked, but I was unable to configure network the way that internet worked without hdcp (with static IP).
            At the end I killed the network config in the rooter and had to reset the settings via reset button, but from that time something is broken.
            Normally via serial console the firmware is not started properly, initialization finished with “Failed to executPlease press Enter to activate this console.”.
            I’m uable to access bash and send any commands.

            i can access via failsafe mode, but there is no /etc/config/network file and my attempt to reflash the nightly build via sysupgrade finished with error “Failed to connect to ubus”.
            Would be very gratefull for advice how to properly reset my device or reflash with setting reset. Thanks

          2. blackie

            I managed to restore the healthy state of my router 🙂 In failsafe mode i had to mount the root filesys and manually correct the network config file and then(after luci was accessible via 192.168.1.1 address) to re-flash the nightly build.
            I still can’t figure why I can’t access internet from the rooter, so I’m unable to do opkg update and install anything.

            My etc/config/network :

            config interface ‘loopback’
            option ifname ‘lo’
            option proto ‘static’
            option ipaddr ‘127.0.0.1’
            option netmask ‘255.0.0.0’
            option ipv6 ‘0’

            config globals ‘globals’
            option ula_prefix ‘fd19:445c:44f7::/48’

            config interface ‘lan’
            option type ‘bridge’
            option ifname ‘eth0’
            option proto ‘static’
            option ipaddr ‘10.1.0.45’
            option netmask ‘255.255.255.0’
            option gateway ‘10.1.1.254’
            option dns ‘10.1.0.13 10.1.0.10’
            option ipv6 ‘0’
            option ip6assign ’60’

          3. blackie

            network acceess problem resolved, mea culpa, incorrect network mask…
            opkg worked, Luci online 🙂

  2. chune

    Thanks so much for a non-destructive way into these things! After following step 8, i was able to get openWRT loaded! However I cannot get the procedure under “bonus rooting” to work. Is this because i followed the openWRT procedure here:

    “go to the System Upgrade tab, and select the downloaded sysupgrade image named openwrt-ar71xx-nand-mr18-squashfs-sysupgrade.tar. This will then remove the stock Meraki kernel, flash OpenWRT, fix the caldata partition if needed, and auto-expand rootfs_data to use the rest of the UBI free space.”

    Am i out of luck here or should i still be able to hold S and get the meraki console again to use the odm commands?

    Thanks!

    Reply
    1. Chris B - Admin Post author

      You got it. If you flashed sysupgrade, then your MR18 will now only boot OpenWRT as the Meraki kernel was removed, so the bonus root has no use/value to your device anymore.

      Reply
  3. Gustavo

    I have this log after change the serial number, cant send the S key 🙁

    If i boot the Meraki with the USB-UART plugged, I get the sequence :
    __________________sri____________________
    944x BootROM Ver. (asic) 1.0 [Nov 8 2011 13:42:57]
    _________________________________________
    find_hif: bootstrap = 0x31459
    Nand Flash init
    hdr: [0xbd000400 : 0xbd000400 : 0x6fb4 : 0xe5c86b84]
    nand_load_fw: read 13 pages
    nand_load_fw: 0x10000 0x800 0xbd000bf0
    nand_load_fw: 0x20000 0x800 0xbd0013f0
    nand_load_fw: 0x30000 0x800 0xbd001bf0
    nand_load_fw: 0x40000 0x800 0xbd0023f0
    nand_load_fw: 0x50000 0x800 0xbd002bf0
    nand_load_fw: 0x60000 0x800 0xbd0033f0
    nand_load_fw: 0x70000 0x800 0xbd003bf0
    nand_load_fw: 0x80000 0x800 0xbd0043f0
    nand_load_fw: 0x90000 0x800 0xbd004bf0
    nand_load_fw: 0xa0000 0x800 0xbd0053f0
    nand_load_fw: 0xb0000 0x800 0xbd005bf0
    nand_load_fw: 0xc0000 0x800 0xbd0063f0
    nand_load_fw: 0xd0000 0x800 0xbd006bf0
    f/w 0 read complete, jumping to 0xbd000400

    Meraki Atheros LinuxLoader MR18 built Jan 31 2014 15:53:22
    qca955x_init_ddr ok
    test_memoryfailed RAM BORKED: (0xa0000000) 0x5a5a5a5a != 0x0
    error booting
    __________________sri____________________
    944x BootROM Ver. (asic) 1.0 [Nov 8 2011 13:42:57]
    _________________________________________
    find_hif: bootstrap = 0x31459
    Nand Flash init
    hdr: [0xbd000400 : 0xbd000400 : 0x6fb4 : 0xe5c86b84]
    nand_load_fw: read 13 pages
    nand_load_fw: 0x10000 0x800 0xbd000bf0
    nand_load_fw: 0x20000 0x800 0xbd0013f0
    nand_load_fw: 0x30000 0x800 0xbd001bf0
    nand_load_fw: 0x40000 0x800 0xbd0023f0
    nand_load_fw: 0x50000 0x800 0xbd002bf0
    nand_load_fw: 0x60000 0x800 0xbd0033f0
    nand_load_fw: 0x70000 0x800 0xbd003bf0
    nand_load_fw: 0x80000 0x800 0xbd0043f0
    nand_load_fw: 0x90000 0x800 0xbd004bf0
    nand_load_fw: 0xa0000 0x800 0xbd0053f0
    nand_load_fw: 0xb0000 0x800 0xbd005bf0
    nand_load_fw: 0xc0000 0x800 0xbd0063f0
    nand_load_fw: 0xd0000 0x800 0xbd006bf0
    f/w 0 read complete, jumping to 0xbd000400

    Reply
      1. Vinay

        Hi,
        I am using this adapter and I am getting an exact same error as soon as I connect the cables.
        And now when I power my device On, the led just blinks and nothing happens.
        Any suggestions?

        Reply
  4. chune

    Gustavo- Be sure you are only hooking up RX, RX and GND. I had the same error when i hooked up VCC on mine. Removing VCC fixed the issue for me

    Reply
    1. PiXEL8

      After doing this to another MR18 I realized how this worked before. If you do the 30s reboot procedure the odm cmd is not found. I then rebooted normally and let it boot. The prompt then has the odm cmd allowing you to change the SN. Now follow the rest of the steps in the guide.

      -PiXEL8

      Reply
  5. Stinkbug

    Trying to free my Mr-18

    I am on fw version 22-140575 but getting a problem at the odm serial_num change stage, when I try to write the serial_num I am getting:
    board_data_config: bad serial given, you can try using -f
    board_data_config: bad write

    Checking odm help I can see:
    mac, seral_num, product_id, hw_rev, hw_minor,
    So tried to run odm serial_num write value Q2XX-XXXX-XXXX and still same result.

    Tried to set force switch, but not sure where is should go in syntax, tried various but not working either.
    Any ideas? Thanks

    Reply
  6. Alberto

    Hi!. I’m following this procedure and I’m getting stuck.
    Could you tell me the right moment to plug in the ethernet to the meraki????
    I’m following this guide just fine but when i try to connect to my PC to download the firmware I lost UART connectivity.

    Thanks in advance.

    Reply
  7. Sam

    Thanks so much for this, ive got so far but hoping for a little assistance…

    I’ve completed everything as above which worked great and I’m trying to get files over to the device but the Ethernet does not appear to be working (lights are on port and amber flashing on meraki). if I run ‘ifconfig eth0’ I get device not found. When the device boots the following lines appear at the end.

    In write handler ‘device_id’ for wired0_cdpsource ~:: CDPSource’:
    Bad String passed to device_id
    In write handler ‘device_id’ for wired1_cdpsource ~:: CDPSource’:
    Bad String passed to device_id
    In write handler ‘product_model’ for wired0_cdpsource ~:: CDPSource’:
    Cannot parse product model
    In write handler ‘product_model’ for wired1_cdpsource ~:: CDPSource’:
    Cannot parse product model

    Really appreciate your assistance.

    Reply
    1. Chris B - Admin Post author

      Hmm. I have seen similar issues on other devices where a UART adapter was used that was either over voltage, or had VCC wired up. Can you confirm you are using a 3.3V UART adapter and only have TX/RX/GRND wired up? It also seems your board is unable to read the UBI partition that contains your board information. Did you ever try the pin jump method, and does your MR18 work normally when you try to let it boot fully?

      Reply
  8. JD

    Hello

    I have an issue when dd the openwrt.bin file, seems like the mtdblock2 is too small or corrupted ? Any idea ?

    /storage # dd if=/storage/openwrt.bin of=/dev/mtdblock2
    [ 73.312000] ecc unrecoverable error
    [ 73.316000] ecc unrecoverable error
    [ 73.320000] ecc unrecoverable error
    [ 73.324000] ecc unrecoverable error
    [ 73.328000] end_request: I/O error, dev mtdblock2, sector 8960
    dd: writing ‘/dev/mtdblock2’: Input/output error
    8961+0 records in
    8960+0 records out
    4587520 bytes (4.4MB) copied, 2.852310 seconds, 1.5MB/s
    /storage #

    Thanks 😉

    Reply
  9. JD

    Hello Chris,

    yes, that’s what I was afraid of…. I ended up writing to mtdblock1 directly and this worked !
    Now this AP is free 🙂

    Thanks!

    Reply
  10. JayBee

    Hi Chris

    Thanks for the article.

    I am having some trouble. I can get to the step where I unplug the power to the AP and hold down S and power back on, then UART Terminal returns a bunch but ends with:

    In write handler ‘device_id’ for wired0_cdpsource ~:: CDPSource’:
    Bad String passed to device_id
    In write handler ‘device_id’ for wired1_cdpsource ~:: CDPSource’:
    Bad String passed to device_id
    In write handler ‘product_model’ for wired0_cdpsource ~:: CDPSource’:
    Cannot parse product model
    In write handler ‘product_model’ for wired1_cdpsource ~:: CDPSource’:
    Cannot parse product model

    I am using this adapter http://www.ebay.com.au/itm/201505399580

    This is how I am wiring it to the AP
    https://imgur.com/gjkYb4K

    Any ideas?

    Reply
    1. Chris B - Admin Post author

      If you are seeing those messages that is normally a sign that you have passed the boot process where “S” is required, so you may need to keep trying. You can also check out the flashing video I made in the OpenWRT forum post to get an idea of what you should be seeing on the Console.

      Reply
      1. JayBee

        Thanks Chris. I am still having issues with not getting past the hold S and boot. I can’t seem to find your video on the OpenWRT forum. Can you link me?

        Reply
  11. Rob

    Confirmed working on an MR32 also:
    Meraki-build is 24-201607201515

    Board is running a BCM5301X ARMv7. Will take a look at running up Lede/openwrt on it as they do have kernel support.

    Flash layout:
    [ 1.490000] Creating 5 MTD partitions on “nand_iproc.0”:
    [ 1.490000] 0x000000000000-0x000000100000 : “U-boot”
    [ 1.500000] 0x000000100000-0x000000400000 : “bootkernel1”
    [ 1.500000] 0x000000400000-0x000000500000 : “senao_nvram”
    [ 1.510000] 0x000000500000-0x000000800000 : “bootkernel2”
    [ 1.520000] 0x000000800000-0x000007f80000 : “ubi”

    I’ve got a few more Meraki boards so will take a look at these also.

    Reply
    1. Philip

      Hey Rob!

      I have an MR33 – and i can boot as root …. can u help me installing openWRT on it!?…
      would be nice to hear from you…

      greets phil

      Reply
      1. Chris B - Admin Post author

        Hey Philip,

        Note that at this time the MR32 and MR33 do not have LEDE/OpenWRT support. I do have a MR32 in hand ATM that I plan to port over later, but note it does not have GPL driver support for the main AC wireless radios. I am unsure of the situation with the MR33, as I am not sure what radios are used on that board.

        Reply
  12. 4JB

    Hi Chris! First off, awesome findings and write-up!! My MR-18 is in the mail currently. I’m just curious if there is any benefit of doing this exploit initially upon unboxing to try to ensure root access if I intend to start out using the normal Meraki firmware until my “license” expires? I understand I can always go JTAG, but I’d like to use it without worrying about future firmware downloads breaking UART access if at all possible.

    Cheers!

    Reply
    1. Chris B - Admin Post author

      Hey there,

      As for your question, note that this method will probably get patched via Cisco/Meraki down the line, so if you have any intentions of using OpenWRT/LEDE on the device it would be best to follow this guide, and flash your device before hooking it up to the internet. This is because on first boot, the Meraki on stock firmware will download and install the latest OTA which may prevent this method from working in the future. If you don’t mind going the JTAG route though, then feel free to use the device as is.

      Reply
  13. Mooo123123

    Works fine on 23-198280, just reset it until “odm help'” works. You can use SW2 to do that, J2 also does crazy things.

    Reply
  14. Admin

    Hi there,

    I just tried a MR18 and build “24-201609272213-G374d42aa-daybed” – doesn’t work. Anyone else successfully used that version?

    Reply
  15. Admin

    Hi there,

    I just tried a MR18 and build “24-201609272213-G374d42aa-daybed” – doesn’t work. It works until pressing the “s” key. Holding after re-powering doesnt’ bring the root shell..

    Anyone else successfully used that version?

    Reply
  16. Matthew

    I have bootsh build 24-201610261613-Gb6d270c7-onion

    I am able to change the serial number but it will not enter the ‘s’ console even though it accepts the ‘magic key’
    Got magic key s [ 1.632000] Bootsh: trying rootfs path:
    /dev/mtdblock/rootfs-24-201610261613-Gb6d270c7-onion-1
    Attempting to setup root /dev/mtdblock/rootfs-24-201610261613-Gb6d270c7-onion-1…

    log here: http://pastebin.com/huUQc9ut

    Reply
  17. areig1979

    Tried to boot into root and continue to get “UNRECOGNIZED COMMAND LOGGED TO CLOUD SERVERS”.

    Firmware: rootfs-22-130961-1
    Is there anyway to bypass this firmware version? or am I stuck with a non-rootable MR18?
    __________________sri____________________
    944x BootROM Ver. (asic) 1.0 [Nov 8 2011 13:42:57]
    _________________________________________
    find_hif: bootstrap = 0x31c58

    Nand Flash init
    hdr: [0xbd000400 : 0xbd000400 : 0x6fb4 : 0xe5c86b84]

    nand_load_fw: read 13 pages

    nand_load_fw: 0x10000 0x800 0xbd000bf0

    nand_load_fw: 0x20000 0x800 0xbd0013f0

    nand_load_fw: 0x30000 0x800 0xbd001bf0

    nand_load_fw: 0x40000 0x800 0xbd0023f0

    nand_load_fw: 0x50000 0x800 0xbd002bf0

    nand_load_fw: 0x60000 0x800 0xbd0033f0

    nand_load_fw: 0x70000 0x800 0xbd003bf0

    nand_load_fw: 0x80000 0x800 0xbd0043f0

    nand_load_fw: 0x90000 0x800 0xbd004bf0

    nand_load_fw: 0xa0000 0x800 0xbd0053f0

    nand_load_fw: 0xb0000 0x800 0xbd005bf0

    nand_load_fw: 0xc0000 0x800 0xbd0063f0

    nand_load_fw: 0xd0000 0x800 0xbd006bf0

    f/w 0 read complete, jumping to 0xbd000400
    Meraki Atheros LinuxLoader MR18 built Jan 31 2014 15:53:22

    Reply
    1. Chris B - Admin Post author

      Hello,

      This is normally a sign you didn’t hold the reset button for 10+ seconds first to reset the device, so please try the process again. With that said though, I have heard that newer firmwares (build 24 and up) may no longer be rootable.

      Reply
  18. MeMyselfAndI

    Just dropping by to thank you for your effort, Chris. As I’m writing this, I’m connected to an MR18 running OpenWRT, freed thanks to your instructions.

    I received it in November or December 2016 from Cisco running firmware 22-140575 (does everyone get those things with such an old firmware version?). Shipped to Poland after having to remind Cisco that they forgot about me. I was told of some kind of supply shortage. Whatever.

    No need to do the pin shortening tricks whatsoever with this firmware, but anyway thanks for putting my serial adapter to use that I got years ago for a never finished project and forcing me to learn serial communication stuff 🙂

    Right. Upgrading to the MR18 from my 8 years old TP-Link 1043nd v1 access point (running flawlessly, mind you) is definitely a step up 🙂

    Reply
  19. Knucklebusted

    I have an old computer with a physical serial port. Can I use that? I have tried but hooking TX to SND, and SND to TX did not work. When I connected SND to SND and TX to TX, it got gibberish ASCII characters that look like bad speed/data/stop/parity configuration but nothing I’ve tried works.

    I’d really like to get something usable on this MR18 but it doesn’t seem to be working. I also can’t see what version it is running from the Meraki cloud page. It just says “up to date”

    Thanks

    Reply
  20. Chip Pierpoint

    Just to confirm what everyone probably already knows …

    /dev/mtdblock/rootfs-24-201611211457-G69d4dc09-mantua-1 won’t respond to ‘s’ on boot.

    Can change serial number though.

    Thanks for all the great work .

    Chip

    Reply
    1. mo

      Unfortunately I am in the same boat as Chip here. Any way to downgrade the firmware, or will the short on the board trick work? Or is it a paperweight/>

      Reply
  21. zilcher

    I wish there was some way owners with more recent firmware could unlock their devices. Mine is able to change serial number, but nothing else, like many others. Any progress being made on this front?

    Reply
  22. pilkington

    Looks like I am late to the party. I just recevied a Meraki MR18, connected it to UART, can change the serial number, but nothing else. Is there another solution for folks like me?

    I’ve found I can access BusyBox by holding the reset key for 10 seconds to trigger a restart, then continuing to hold it. Not sure if this would be helpful to anyone.

    Reply
    1. Chris B - Admin Post author

      This boots the device into “diagnostic” mode, which is a barebones qualcomm testing environment. While you have a root shell, you are unable to access the NAND that stores the stock firmware due to the ECC differences. Specifically, the stock firmware and environment use BCH ECC, which is not enabled for this environment.

      Reply
  23. RobC

    I can get to prompt and have changed serial number.
    Also ran ‘odm fw_version read’ which reported back 22-140575
    Which seems to tally with the list of compatible firmware versions.
    But device will not respond to ‘s’ when powering back on.
    Using Putty, I unplug power, press ‘s’ on keyboard then plug power back in.
    It boots without LED’s & outputs unreadable characters & just continues to output them. Waited for about 2 minutes.
    Any advice offered greatly appreciated

    Reply
    1. Chris B - Admin Post author

      If you are getting junk back, this can be a sign it may be a problem with your UART adapter or wiring. Make sure you are only connecting GND, RX, and TX, and you have a 3.3v adapter. I personally use CP2102 based UART adapters, and have never had any issues.

      Reply
      1. RobC

        Thanks Chris, I appreciate your response.
        I have this UART adapter http://ebay.eu/2m2f1Dz and have definitely got GND, RX, TX hooked up correctly. I tried switching them around and only got junk. Where as I can get to ODM HELP prompt, but cannot activate magic key press ‘s’

        Reply
  24. Knucklebusted

    Is there anyone with a JTAG that would flash them for us for a small fee to cover shipping and your time?

    Reply
  25. Knucklebusted

    Mine is/has expired the 3yr service and it is running the following:

    odm fw_version read
    24-201611211457-G69d4dc09-mantua

    Reply
  26. Shane

    Is there any way to check the firmware version before opening this up?

    I do know that it is not the newest version (which was released a week or two ago), so it might be 24-201611211457-G69d4dc09-mantua?

    Reply
  27. MeMyselfAndI

    Hi Chris,

    have you taken a look at the MR32? You said you got one to play with over at the OpenWRT forums.

    Cisco just quit selling the MR18 a couple of days ago and now you get an MR32 for attending the webinar, so there will be more and more people bugging you 🙂

    Not to be pushing you or anything. Once again thanks for your work.

    Reply
  28. Marian

    I got a meraki z1 from work for free, now thanks for your guide I have a new gigabit router at home. Thank you!

    Reply
  29. Damion

    Hi Chris,
    After reading the openwrt forum and this post, i’m actually more confused as to how this ‘s’ backdoor actually works.
    Firstly, is it lower-case ‘s’ or upper ‘S’ ( or does it not matter) ?

    But, eitherway, I can not make it work.
    I have firmware 22-130961, which seems to be earlier than other confirmed explotable versions.
    I’ve successfully changed the serial number, but no amount of hitting/holding the s key during boot gives me a shell.

    The only thing of interest, is I always get junk over the serial at boot-up (soft or hard reboot), the first legible line is:
    [ 0.256000] console [ttyS0] enabled, bootconsole disabled

    Any clues?
    I’d prefer not to have to resort to shorting resistors or buying a jtag…

    Reply
    1. Damion

      Got a CP2102 usb uart, and I can now see the output from the bootloader on power-on.
      Still can’t get ‘s’ to gain me root though 🙁

      Reply
  30. Pete

    I’ve got a CP2102 UART adapter. Managed to get the serial changed and up to the point of booting using the special key ‘s’, but it didn’t work. I can confirm I’m running firmware 24.
    This has been confirmed as not working.

    What I did however manage was to still get root access to the device by holding the reset button for 5 secs or so. The device would reboot me into a root unix prompt. Sadly the ‘wget’ command wouldn’t work……any idea’s guys? Could there be another way to update the device using this method.

    I was able to change the IP address of the device when I got this prompt and ping my laptop. just the ‘wget’ command was unrecognized.

    Reply
    1. Chris B - Admin Post author

      Pete,
      This means you booted into the diagnostic image on the MR18. Sadly it has the NAND blocked off at a kernel level as it’s hard programmed to use a different ECC mode, so you can’t flash the device from this environment.

      Reply
      1. Pete

        Thanks Chris…I was so close!! Look at the latest flashing method, I only needed to hold down the reset button for another 5 seconds.

        I managed to get it working using the latest method.

        Reply
    1. Niels

      Same problem here 115200 N81 – Lots of garbage – If I start with the cable inserted, i get some “half readable” text, but is will not boot, just keeps circling in some kind of startup-diag.
      If i connect the cable after initial power-on, I get lots of unreadable garbage like Steeve.

      Current version: MR 24.6

      Reply
  31. Sven

    Hi everybody,

    I have a Problem, I can not access to the MR 18 wile pressing the key “s”.
    I could successfull Change the Serial Number.
    The Firmware is: 22-131521

    1 week ago I successfully flashed another MR18 with OpenWrt but with a different Firmware.

    Thank you for your help.

    P.S. The flasehd MR 18 works like a charme

    Reply
    1. Tony

      Sven,

      Did you ever get this to work on this firmware? I have the same firmware and am getting the same results as you.

      Thanks,
      Tony

      Reply
  32. giuliano

    I have a 24-201611211457-G69d4dc09-mantua firmware, initially when performing the
    odm serial_num write Q2XX-XXXX-XXXV
    the subsequent “odm serial_num read” would either produce nothing or, at times, give the original number. Then I left the machine attached to PoE and serial cable, and when I gave the “odd show_system” command I noticed the line
    serial_num Q2XX-XXXX-XXXV
    and now having it left again for some time alone, it apparently did a spontaneous reboot, and yet the serial number is stil the one I set! So, I will now proceed with the rest of the process (reboot while pressing s and see how it goes…

    Reply
    1. giuliano

      (re: my 24-201611211457-G69d4dc09-mantua FW)
      No joy…. the boot process still ends, like before, with a
      [ 18.544000] warning: key material 0 too short (minimum 16+4+20=40)
      and yet the serial number is still set!
      What else should I try?

      Reply
      1. Bogdan

        Hi, I need some help if possible. How did you managed to boot past the 18.544000] warning: key material 0 too short (minimum 16+4+20=40) boot stop point? I checked the other post but didn’t saw any specific info. Thanks

        Reply
  33. Chris Watling

    Hi,

    I am trying to root my MR-18 but I am unable to get to a prompt. I can get the console via the uart and see the unit loading, I have firmware 22-140575 wich says will work with above method, but after holding the reset button, I see the unit boot and the prompt flashes by and keeps loading unit keeps loading until it says “Cannot parse product model” and just stops with no prompt.

    I had a DHCP server running but the unit did not grab an IP address either. I have tried pressing 2 or s but I am unable to get the unit to a prompt so I can type.

    Any suggestions as to what I can try next?

    Reply
  34. Starlord

    get a “UNRECOGNIZED COMMAND LOGGED TO CLOUD SERVERS.” with Firmware 25.11.

    I managed to get a shell prompt but ODM command non-existant
    set of available command:
    ———————————————————————–
    / # set
    HISTFILE=’/root/.ash_history’
    HOME=’/root’
    IFS=’

    LOGNAME=’root’
    OLDPWD=’/root’
    PATH=’/usr/sbin:/bin:/usr/bin:/sbin:/usr/local/sbin:/tmp/tools:/etc/ath’
    PPID=’1′
    PS1=’\w \$ ‘
    PS2=’> ‘
    PS4=’+ ‘
    PWD=’/’
    SHELL=’/bin/sh’
    TERM=’vt102′
    USER=’root’
    _=’serial’
    / # help

    Built-in commands:
    ——————-
    . : alias bg break cd chdir continue eval exec exit export false
    fg hash help jobs kill let local pwd read readonly return set
    shift times trap true type ulimit umask unalias unset wait

    Does anyone have a solution with this firmware?

    Thanks

    Reply
  35. Z

    I reach the ash shell, but I cannot type anything.

    usb usb2: New USB device strings: Mfr=3, Product=2, SerialNumber=1
    usb usb2: Product: ATH EHCI
    usb usb2: Manufacturer: Linux 2.6.31–LSDK-9.5.3.15-ga2a05dd-dirty ehci_hcd
    usb usb2: SerialNumber: platform
    usb usb2: configuration #1 chosen from 1 choice
    hub 2-0:1.0: USB hub found
    hub 2-0:1.0: 0 ports detected
    Initializing USB Mass Storage driver…
    usbcore: registered new interface driver usb-storage
    USB Mass Storage support registered.
    usbcore: registered new interface driver cdc_ether
    tar: /sbin/debug.tgz: No such file or directory
    factoryreset: /dev/freset: N**** drop_caches_sysctl_handler: all done timer added …****
    o such file or directory
    Starting pid 731, console /dev/ttyS0: '/sbin/autologin'
    Jan 1 00:00:06 login[731]: root login on `ttyS0'

    BusyBox v1.01 (2013.11.05-04:45+0000) Built-in shell (ash)
    Enter 'help' for a list of built-in commands.

    Any advice?

    Reply
  36. Mikethebake

    I am also having issues getting this thing flashed. I have tried the all the guides that I can find. Below is the three guides and errors I can find.

    I have feeling I am on the wrong firmware version. I don’t know what firmware I am on because when I connect to the mr18 everything on the screen scrolls quickly but I cannot go back and see what version I have (I cannot scroll and normal commands do not work).

    I can run the odm command to change the serial, when I try to get into the initramfs root shell I can’t seem to get there very easily. I have to use the reset button to and force into crash the kernel to get in. Once I get into the initramfs root shell, i go to run the command but /storage cannot be found. I can create mkdir storage and it creates, That doesn’t really help since the .configfiles are not there.

    I have also tried to follow these guides and https://wiki.openwrt.org/toh/meraki/mr18. I still have to create the /storage and run the script that all finishes properly, but when I run the WGET command it says WGET is not found

    When I try the ODM firmware part2 command it fails to find the URL.

    Any help will be appreciated.

    Reply
  37. Jeff

    Any chance to to do this on MX65 ?
    Can find anywhere firmware for MX65 series as bin or tar.gz file, any advice to find it?
    Thanks!

    Reply
  38. Frank

    Hi Guys,
    anyone had any progress with MR18s with build 25. If not has anyone had any luck with a cheap JTAG setup.

    Reply
  39. Hayman

    Can I use this method to get in the uboot mode of MR33 ,by holding the reset or holding 2 while starting up the mr33??

    Every time I start the mr33 its boot up to it’s stock firmware,and I don’t know how to get to the uboot???
    Thanks

    Reply
  40. Dean Moore

    Hi,

    I have FW version 22-131521 and cant get it to reboot to root while holding S.

    I’ve used a mac using screen and minicom, a windows PC with putty and even a linux VM.

    Just cant seem to get it to receive the command. I’ve set flow control off still no luck.

    Any last tips?

    Reply
  41. Ties

    I’m using a Raspberry pi as serial device but I’m not getting any input.

    Also a bit confused about the LED, I have 2 orange LEDs and a RGB rainbow fading LED sometimes.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *