Pwning/rooting the Cisco Meraki MR18

If you haven’t noticed, in my spare time I really enjoy breaking into embedded devices for the fun of things. Over the past year, I have spent a ton of time rooting the Cisco Meraki MR18, and today I get the chance to publicly disclose my findings.

To start, let me note by saying I have properly disclosed this issue to Cisco Meraki months ago, but due to the fact they are no longer replying to my emails or honoring their own Bug Bounty, I have decided to publicly disclose this after waiting over 90 days since their last reply. Hopefully one of these days I will write up the process I used to find this “exploit”.

NOTE: A new flashing method can be found In This Post.

Exploit Process:

  1. Power on the MR18, and hook it up to UART. (No ethernet should be plugged in)
  2. Hold the Reset Button for 10+ seconds until the LEDs on the device turn off, then release.
  3. The device should reboot, at this point pressing Enter on UART should show the following:
    <Meraki>
  4. At this point, you will want to enter
    odm help
  5. If you get a “UNRECOGNIZED COMMAND LOGGED TO CLOUD SERVERS.” reply, then please try holding the button to do another reset of the device. If you continue to get this message, then sadly your firmware version is NOT rootable using this method. (please comment to this post sharing your results/firmware version)
  6. If you got a “Help” output for the ‘odm’ command, then run the following commands:
    odm serial_num write Q2XX-XXXX-XXXV
    odm serial_num read
  7. At this point the output should show “Q2XX-XXXX-XXXV” and your device should have it’s LED’s flashing. At this point, pull the power from the device, and hold down “s” on your UART console when you power back on the device.
  8. After a bit, you should then drop to a initramfs root shell, and the device is pwned! Feel free to follow the OpenWRT flashing guide found on the OpenWRT Forums.

Bonus Rooting:

Doing the above gets you root on the initramfs, but what about the stock firmware? No worries, as I have that covered as well!

  1. Once in the root initramfs shell, run the following commands on your device:
    cd /storage/
    rm ./config*
    rm ./odm_test.log
    echo "serial_allow_odm true" > ./config
    echo "serial_access_enabled true" >> ./config
    echo "serial_access_check false" >> ./config
    echo "valid_config true" >> ./config
    cp ./config ./config.local
    exit
    
  2. Once the above is ran, the firmware should continue to boot, and you will then be back in the stock OS. Once here you will want to restore the Serial Number of your device, which can be done with:
    odm serial_num write Q242-1111-111V

Just be sure to make sure to set your serial to the one on the bottom of the device. Changing the serial to any thing else CAN CAUSE ISSUES with the device. Also note that once networking is re-attached, you will lose root access!

Confirmed Working On:

  • Firmware Build 22-140575
  • Firmware Build 22-149780
  • Firmware Build 23-162921
  • Firmware Build 23-188206

Overall this exploit isn’t much more than taking advantage of an engineering back door, but I got to dock Meraki some serious points for closing all forms of communication with me. The entire point of Bug Bounties is to encourage proper disclosures, and not following through does not reflect well upon the company.

Timeline of Events:

  1. First contact to Meraki’s Security Team (10-20-2015)
  2. Exploit Confirmed by Meraki (10-22-2015)
  3. Reached out to Meraki for an update – No Response (01-06-2016)
  4. Second & Final Reach out to Meraki – No Response (01-27-2016)
  5. Public Disclosure of Exploit (02-09-2016)
  6. Email from Meraki, emails were “lost”, no longer eligible for bounty (04-20-2016)
  7. Reached out to Meraki (04-20-2016)

160 thoughts on “Pwning/rooting the Cisco Meraki MR18

  1. Ryan

    Hmm

    I have been trying for a few hours and am unable to get access to the unit.

    When are you supposed to press enter?

    Thanks for any help
    Ryan

    Reply
    1. Chris B - Admin Post author

      Hey Ryan,

      To get to the Console over UART, this should show up after the device has fully booted, so pressing Enter any time after this should work. If nothing shows up when pressing enter, make sure your TX pin on your UART adapter is wired up correctly.

      Reply
    1. Chris B - Admin Post author

      Hey there,

      Once flashed with 1.0 from github, you can then freely install any of the official OpenWRT snapshot releases for the MR18, just note they won’t come with LuCI installed by default so you may just want to wait for the next official OpenWRT release, which will then include LuCI.

      Reply
      1. Ben

        I’m unable to send any input to the board.

        Beginning to think it’s my adapter, it’s a six year old eBay special, though when I shorted TX and RX I can confirm data is being sent. Just another excuse to buy a Bus Pirate…

        Reply
        1. Chris B - Admin Post author

          If you are getting a bad signature error, this just means the nightly you flashed had an issue with the LuCI package. You can either flash one of my older OpenWRT images from my GitHub repo (which include LuCI) or you will want to wait for the next nightly, upgrade, and then try installing LuCI again following the OpenWRT Wiki documentation.

          – Chris B

          Reply
          1. blackie

            Thank you for your advice. I was finally able to reflash my Meraki with your github repo image, Luci worked, but I was unable to configure network the way that internet worked without hdcp (with static IP).
            At the end I killed the network config in the rooter and had to reset the settings via reset button, but from that time something is broken.
            Normally via serial console the firmware is not started properly, initialization finished with “Failed to executPlease press Enter to activate this console.”.
            I’m uable to access bash and send any commands.

            i can access via failsafe mode, but there is no /etc/config/network file and my attempt to reflash the nightly build via sysupgrade finished with error “Failed to connect to ubus”.
            Would be very gratefull for advice how to properly reset my device or reflash with setting reset. Thanks

          2. blackie

            I managed to restore the healthy state of my router 🙂 In failsafe mode i had to mount the root filesys and manually correct the network config file and then(after luci was accessible via 192.168.1.1 address) to re-flash the nightly build.
            I still can’t figure why I can’t access internet from the rooter, so I’m unable to do opkg update and install anything.

            My etc/config/network :

            config interface ‘loopback’
            option ifname ‘lo’
            option proto ‘static’
            option ipaddr ‘127.0.0.1’
            option netmask ‘255.0.0.0’
            option ipv6 ‘0’

            config globals ‘globals’
            option ula_prefix ‘fd19:445c:44f7::/48’

            config interface ‘lan’
            option type ‘bridge’
            option ifname ‘eth0’
            option proto ‘static’
            option ipaddr ‘10.1.0.45’
            option netmask ‘255.255.255.0’
            option gateway ‘10.1.1.254’
            option dns ‘10.1.0.13 10.1.0.10’
            option ipv6 ‘0’
            option ip6assign ’60’

          3. blackie

            network acceess problem resolved, mea culpa, incorrect network mask…
            opkg worked, Luci online 🙂

  2. chune

    Thanks so much for a non-destructive way into these things! After following step 8, i was able to get openWRT loaded! However I cannot get the procedure under “bonus rooting” to work. Is this because i followed the openWRT procedure here:

    “go to the System Upgrade tab, and select the downloaded sysupgrade image named openwrt-ar71xx-nand-mr18-squashfs-sysupgrade.tar. This will then remove the stock Meraki kernel, flash OpenWRT, fix the caldata partition if needed, and auto-expand rootfs_data to use the rest of the UBI free space.”

    Am i out of luck here or should i still be able to hold S and get the meraki console again to use the odm commands?

    Thanks!

    Reply
    1. Chris B - Admin Post author

      You got it. If you flashed sysupgrade, then your MR18 will now only boot OpenWRT as the Meraki kernel was removed, so the bonus root has no use/value to your device anymore.

      Reply
  3. Gustavo

    I have this log after change the serial number, cant send the S key 🙁

    If i boot the Meraki with the USB-UART plugged, I get the sequence :
    __________________sri____________________
    944x BootROM Ver. (asic) 1.0 [Nov 8 2011 13:42:57]
    _________________________________________
    find_hif: bootstrap = 0x31459
    Nand Flash init
    hdr: [0xbd000400 : 0xbd000400 : 0x6fb4 : 0xe5c86b84]
    nand_load_fw: read 13 pages
    nand_load_fw: 0x10000 0x800 0xbd000bf0
    nand_load_fw: 0x20000 0x800 0xbd0013f0
    nand_load_fw: 0x30000 0x800 0xbd001bf0
    nand_load_fw: 0x40000 0x800 0xbd0023f0
    nand_load_fw: 0x50000 0x800 0xbd002bf0
    nand_load_fw: 0x60000 0x800 0xbd0033f0
    nand_load_fw: 0x70000 0x800 0xbd003bf0
    nand_load_fw: 0x80000 0x800 0xbd0043f0
    nand_load_fw: 0x90000 0x800 0xbd004bf0
    nand_load_fw: 0xa0000 0x800 0xbd0053f0
    nand_load_fw: 0xb0000 0x800 0xbd005bf0
    nand_load_fw: 0xc0000 0x800 0xbd0063f0
    nand_load_fw: 0xd0000 0x800 0xbd006bf0
    f/w 0 read complete, jumping to 0xbd000400

    Meraki Atheros LinuxLoader MR18 built Jan 31 2014 15:53:22
    qca955x_init_ddr ok
    test_memoryfailed RAM BORKED: (0xa0000000) 0x5a5a5a5a != 0x0
    error booting
    __________________sri____________________
    944x BootROM Ver. (asic) 1.0 [Nov 8 2011 13:42:57]
    _________________________________________
    find_hif: bootstrap = 0x31459
    Nand Flash init
    hdr: [0xbd000400 : 0xbd000400 : 0x6fb4 : 0xe5c86b84]
    nand_load_fw: read 13 pages
    nand_load_fw: 0x10000 0x800 0xbd000bf0
    nand_load_fw: 0x20000 0x800 0xbd0013f0
    nand_load_fw: 0x30000 0x800 0xbd001bf0
    nand_load_fw: 0x40000 0x800 0xbd0023f0
    nand_load_fw: 0x50000 0x800 0xbd002bf0
    nand_load_fw: 0x60000 0x800 0xbd0033f0
    nand_load_fw: 0x70000 0x800 0xbd003bf0
    nand_load_fw: 0x80000 0x800 0xbd0043f0
    nand_load_fw: 0x90000 0x800 0xbd004bf0
    nand_load_fw: 0xa0000 0x800 0xbd0053f0
    nand_load_fw: 0xb0000 0x800 0xbd005bf0
    nand_load_fw: 0xc0000 0x800 0xbd0063f0
    nand_load_fw: 0xd0000 0x800 0xbd006bf0
    f/w 0 read complete, jumping to 0xbd000400

    Reply
      1. Vinay

        Hi,
        I am using this adapter and I am getting an exact same error as soon as I connect the cables.
        And now when I power my device On, the led just blinks and nothing happens.
        Any suggestions?

        Reply
  4. chune

    Gustavo- Be sure you are only hooking up RX, RX and GND. I had the same error when i hooked up VCC on mine. Removing VCC fixed the issue for me

    Reply
    1. PiXEL8

      After doing this to another MR18 I realized how this worked before. If you do the 30s reboot procedure the odm cmd is not found. I then rebooted normally and let it boot. The prompt then has the odm cmd allowing you to change the SN. Now follow the rest of the steps in the guide.

      -PiXEL8

      Reply
  5. Stinkbug

    Trying to free my Mr-18

    I am on fw version 22-140575 but getting a problem at the odm serial_num change stage, when I try to write the serial_num I am getting:
    board_data_config: bad serial given, you can try using -f
    board_data_config: bad write

    Checking odm help I can see:
    mac, seral_num, product_id, hw_rev, hw_minor,
    So tried to run odm serial_num write value Q2XX-XXXX-XXXX and still same result.

    Tried to set force switch, but not sure where is should go in syntax, tried various but not working either.
    Any ideas? Thanks

    Reply
  6. Alberto

    Hi!. I’m following this procedure and I’m getting stuck.
    Could you tell me the right moment to plug in the ethernet to the meraki????
    I’m following this guide just fine but when i try to connect to my PC to download the firmware I lost UART connectivity.

    Thanks in advance.

    Reply
  7. Sam

    Thanks so much for this, ive got so far but hoping for a little assistance…

    I’ve completed everything as above which worked great and I’m trying to get files over to the device but the Ethernet does not appear to be working (lights are on port and amber flashing on meraki). if I run ‘ifconfig eth0’ I get device not found. When the device boots the following lines appear at the end.

    In write handler ‘device_id’ for wired0_cdpsource ~:: CDPSource’:
    Bad String passed to device_id
    In write handler ‘device_id’ for wired1_cdpsource ~:: CDPSource’:
    Bad String passed to device_id
    In write handler ‘product_model’ for wired0_cdpsource ~:: CDPSource’:
    Cannot parse product model
    In write handler ‘product_model’ for wired1_cdpsource ~:: CDPSource’:
    Cannot parse product model

    Really appreciate your assistance.

    Reply
    1. Chris B - Admin Post author

      Hmm. I have seen similar issues on other devices where a UART adapter was used that was either over voltage, or had VCC wired up. Can you confirm you are using a 3.3V UART adapter and only have TX/RX/GRND wired up? It also seems your board is unable to read the UBI partition that contains your board information. Did you ever try the pin jump method, and does your MR18 work normally when you try to let it boot fully?

      Reply
  8. JD

    Hello

    I have an issue when dd the openwrt.bin file, seems like the mtdblock2 is too small or corrupted ? Any idea ?

    /storage # dd if=/storage/openwrt.bin of=/dev/mtdblock2
    [ 73.312000] ecc unrecoverable error
    [ 73.316000] ecc unrecoverable error
    [ 73.320000] ecc unrecoverable error
    [ 73.324000] ecc unrecoverable error
    [ 73.328000] end_request: I/O error, dev mtdblock2, sector 8960
    dd: writing ‘/dev/mtdblock2’: Input/output error
    8961+0 records in
    8960+0 records out
    4587520 bytes (4.4MB) copied, 2.852310 seconds, 1.5MB/s
    /storage #

    Thanks 😉

    Reply
  9. JD

    Hello Chris,

    yes, that’s what I was afraid of…. I ended up writing to mtdblock1 directly and this worked !
    Now this AP is free 🙂

    Thanks!

    Reply
  10. JayBee

    Hi Chris

    Thanks for the article.

    I am having some trouble. I can get to the step where I unplug the power to the AP and hold down S and power back on, then UART Terminal returns a bunch but ends with:

    In write handler ‘device_id’ for wired0_cdpsource ~:: CDPSource’:
    Bad String passed to device_id
    In write handler ‘device_id’ for wired1_cdpsource ~:: CDPSource’:
    Bad String passed to device_id
    In write handler ‘product_model’ for wired0_cdpsource ~:: CDPSource’:
    Cannot parse product model
    In write handler ‘product_model’ for wired1_cdpsource ~:: CDPSource’:
    Cannot parse product model

    I am using this adapter http://www.ebay.com.au/itm/201505399580

    This is how I am wiring it to the AP
    https://imgur.com/gjkYb4K

    Any ideas?

    Reply
    1. Chris B - Admin Post author

      If you are seeing those messages that is normally a sign that you have passed the boot process where “S” is required, so you may need to keep trying. You can also check out the flashing video I made in the OpenWRT forum post to get an idea of what you should be seeing on the Console.

      Reply
      1. JayBee

        Thanks Chris. I am still having issues with not getting past the hold S and boot. I can’t seem to find your video on the OpenWRT forum. Can you link me?

        Reply
  11. Rob

    Confirmed working on an MR32 also:
    Meraki-build is 24-201607201515

    Board is running a BCM5301X ARMv7. Will take a look at running up Lede/openwrt on it as they do have kernel support.

    Flash layout:
    [ 1.490000] Creating 5 MTD partitions on “nand_iproc.0”:
    [ 1.490000] 0x000000000000-0x000000100000 : “U-boot”
    [ 1.500000] 0x000000100000-0x000000400000 : “bootkernel1”
    [ 1.500000] 0x000000400000-0x000000500000 : “senao_nvram”
    [ 1.510000] 0x000000500000-0x000000800000 : “bootkernel2”
    [ 1.520000] 0x000000800000-0x000007f80000 : “ubi”

    I’ve got a few more Meraki boards so will take a look at these also.

    Reply
    1. Philip

      Hey Rob!

      I have an MR33 – and i can boot as root …. can u help me installing openWRT on it!?…
      would be nice to hear from you…

      greets phil

      Reply
      1. Chris B - Admin Post author

        Hey Philip,

        Note that at this time the MR32 and MR33 do not have LEDE/OpenWRT support. I do have a MR32 in hand ATM that I plan to port over later, but note it does not have GPL driver support for the main AC wireless radios. I am unsure of the situation with the MR33, as I am not sure what radios are used on that board.

        Reply
  12. 4JB

    Hi Chris! First off, awesome findings and write-up!! My MR-18 is in the mail currently. I’m just curious if there is any benefit of doing this exploit initially upon unboxing to try to ensure root access if I intend to start out using the normal Meraki firmware until my “license” expires? I understand I can always go JTAG, but I’d like to use it without worrying about future firmware downloads breaking UART access if at all possible.

    Cheers!

    Reply
    1. Chris B - Admin Post author

      Hey there,

      As for your question, note that this method will probably get patched via Cisco/Meraki down the line, so if you have any intentions of using OpenWRT/LEDE on the device it would be best to follow this guide, and flash your device before hooking it up to the internet. This is because on first boot, the Meraki on stock firmware will download and install the latest OTA which may prevent this method from working in the future. If you don’t mind going the JTAG route though, then feel free to use the device as is.

      Reply
  13. Mooo123123

    Works fine on 23-198280, just reset it until “odm help'” works. You can use SW2 to do that, J2 also does crazy things.

    Reply
  14. Admin

    Hi there,

    I just tried a MR18 and build “24-201609272213-G374d42aa-daybed” – doesn’t work. Anyone else successfully used that version?

    Reply
  15. Admin

    Hi there,

    I just tried a MR18 and build “24-201609272213-G374d42aa-daybed” – doesn’t work. It works until pressing the “s” key. Holding after re-powering doesnt’ bring the root shell..

    Anyone else successfully used that version?

    Reply
  16. Matthew

    I have bootsh build 24-201610261613-Gb6d270c7-onion

    I am able to change the serial number but it will not enter the ‘s’ console even though it accepts the ‘magic key’
    Got magic key s [ 1.632000] Bootsh: trying rootfs path:
    /dev/mtdblock/rootfs-24-201610261613-Gb6d270c7-onion-1
    Attempting to setup root /dev/mtdblock/rootfs-24-201610261613-Gb6d270c7-onion-1…

    log here: http://pastebin.com/huUQc9ut

    Reply
  17. areig1979

    Tried to boot into root and continue to get “UNRECOGNIZED COMMAND LOGGED TO CLOUD SERVERS”.

    Firmware: rootfs-22-130961-1
    Is there anyway to bypass this firmware version? or am I stuck with a non-rootable MR18?
    __________________sri____________________
    944x BootROM Ver. (asic) 1.0 [Nov 8 2011 13:42:57]
    _________________________________________
    find_hif: bootstrap = 0x31c58

    Nand Flash init
    hdr: [0xbd000400 : 0xbd000400 : 0x6fb4 : 0xe5c86b84]

    nand_load_fw: read 13 pages

    nand_load_fw: 0x10000 0x800 0xbd000bf0

    nand_load_fw: 0x20000 0x800 0xbd0013f0

    nand_load_fw: 0x30000 0x800 0xbd001bf0

    nand_load_fw: 0x40000 0x800 0xbd0023f0

    nand_load_fw: 0x50000 0x800 0xbd002bf0

    nand_load_fw: 0x60000 0x800 0xbd0033f0

    nand_load_fw: 0x70000 0x800 0xbd003bf0

    nand_load_fw: 0x80000 0x800 0xbd0043f0

    nand_load_fw: 0x90000 0x800 0xbd004bf0

    nand_load_fw: 0xa0000 0x800 0xbd0053f0

    nand_load_fw: 0xb0000 0x800 0xbd005bf0

    nand_load_fw: 0xc0000 0x800 0xbd0063f0

    nand_load_fw: 0xd0000 0x800 0xbd006bf0

    f/w 0 read complete, jumping to 0xbd000400
    Meraki Atheros LinuxLoader MR18 built Jan 31 2014 15:53:22

    Reply
    1. Chris B - Admin Post author

      Hello,

      This is normally a sign you didn’t hold the reset button for 10+ seconds first to reset the device, so please try the process again. With that said though, I have heard that newer firmwares (build 24 and up) may no longer be rootable.

      Reply
  18. MeMyselfAndI

    Just dropping by to thank you for your effort, Chris. As I’m writing this, I’m connected to an MR18 running OpenWRT, freed thanks to your instructions.

    I received it in November or December 2016 from Cisco running firmware 22-140575 (does everyone get those things with such an old firmware version?). Shipped to Poland after having to remind Cisco that they forgot about me. I was told of some kind of supply shortage. Whatever.

    No need to do the pin shortening tricks whatsoever with this firmware, but anyway thanks for putting my serial adapter to use that I got years ago for a never finished project and forcing me to learn serial communication stuff 🙂

    Right. Upgrading to the MR18 from my 8 years old TP-Link 1043nd v1 access point (running flawlessly, mind you) is definitely a step up 🙂

    Reply
  19. Knucklebusted

    I have an old computer with a physical serial port. Can I use that? I have tried but hooking TX to SND, and SND to TX did not work. When I connected SND to SND and TX to TX, it got gibberish ASCII characters that look like bad speed/data/stop/parity configuration but nothing I’ve tried works.

    I’d really like to get something usable on this MR18 but it doesn’t seem to be working. I also can’t see what version it is running from the Meraki cloud page. It just says “up to date”

    Thanks

    Reply
  20. Chip Pierpoint

    Just to confirm what everyone probably already knows …

    /dev/mtdblock/rootfs-24-201611211457-G69d4dc09-mantua-1 won’t respond to ‘s’ on boot.

    Can change serial number though.

    Thanks for all the great work .

    Chip

    Reply
    1. mo

      Unfortunately I am in the same boat as Chip here. Any way to downgrade the firmware, or will the short on the board trick work? Or is it a paperweight/>

      Reply
  21. zilcher

    I wish there was some way owners with more recent firmware could unlock their devices. Mine is able to change serial number, but nothing else, like many others. Any progress being made on this front?

    Reply
  22. pilkington

    Looks like I am late to the party. I just recevied a Meraki MR18, connected it to UART, can change the serial number, but nothing else. Is there another solution for folks like me?

    I’ve found I can access BusyBox by holding the reset key for 10 seconds to trigger a restart, then continuing to hold it. Not sure if this would be helpful to anyone.

    Reply
    1. Chris B - Admin Post author

      This boots the device into “diagnostic” mode, which is a barebones qualcomm testing environment. While you have a root shell, you are unable to access the NAND that stores the stock firmware due to the ECC differences. Specifically, the stock firmware and environment use BCH ECC, which is not enabled for this environment.

      Reply
  23. RobC

    I can get to prompt and have changed serial number.
    Also ran ‘odm fw_version read’ which reported back 22-140575
    Which seems to tally with the list of compatible firmware versions.
    But device will not respond to ‘s’ when powering back on.
    Using Putty, I unplug power, press ‘s’ on keyboard then plug power back in.
    It boots without LED’s & outputs unreadable characters & just continues to output them. Waited for about 2 minutes.
    Any advice offered greatly appreciated

    Reply
    1. Chris B - Admin Post author

      If you are getting junk back, this can be a sign it may be a problem with your UART adapter or wiring. Make sure you are only connecting GND, RX, and TX, and you have a 3.3v adapter. I personally use CP2102 based UART adapters, and have never had any issues.

      Reply
      1. RobC

        Thanks Chris, I appreciate your response.
        I have this UART adapter http://ebay.eu/2m2f1Dz and have definitely got GND, RX, TX hooked up correctly. I tried switching them around and only got junk. Where as I can get to ODM HELP prompt, but cannot activate magic key press ‘s’

        Reply
  24. Knucklebusted

    Is there anyone with a JTAG that would flash them for us for a small fee to cover shipping and your time?

    Reply
  25. Knucklebusted

    Mine is/has expired the 3yr service and it is running the following:

    odm fw_version read
    24-201611211457-G69d4dc09-mantua

    Reply
  26. Shane

    Is there any way to check the firmware version before opening this up?

    I do know that it is not the newest version (which was released a week or two ago), so it might be 24-201611211457-G69d4dc09-mantua?

    Reply
  27. MeMyselfAndI

    Hi Chris,

    have you taken a look at the MR32? You said you got one to play with over at the OpenWRT forums.

    Cisco just quit selling the MR18 a couple of days ago and now you get an MR32 for attending the webinar, so there will be more and more people bugging you 🙂

    Not to be pushing you or anything. Once again thanks for your work.

    Reply
  28. Marian

    I got a meraki z1 from work for free, now thanks for your guide I have a new gigabit router at home. Thank you!

    Reply
  29. Damion

    Hi Chris,
    After reading the openwrt forum and this post, i’m actually more confused as to how this ‘s’ backdoor actually works.
    Firstly, is it lower-case ‘s’ or upper ‘S’ ( or does it not matter) ?

    But, eitherway, I can not make it work.
    I have firmware 22-130961, which seems to be earlier than other confirmed explotable versions.
    I’ve successfully changed the serial number, but no amount of hitting/holding the s key during boot gives me a shell.

    The only thing of interest, is I always get junk over the serial at boot-up (soft or hard reboot), the first legible line is:
    [ 0.256000] console [ttyS0] enabled, bootconsole disabled

    Any clues?
    I’d prefer not to have to resort to shorting resistors or buying a jtag…

    Reply
    1. Damion

      Got a CP2102 usb uart, and I can now see the output from the bootloader on power-on.
      Still can’t get ‘s’ to gain me root though 🙁

      Reply
  30. Pete

    I’ve got a CP2102 UART adapter. Managed to get the serial changed and up to the point of booting using the special key ‘s’, but it didn’t work. I can confirm I’m running firmware 24.
    This has been confirmed as not working.

    What I did however manage was to still get root access to the device by holding the reset button for 5 secs or so. The device would reboot me into a root unix prompt. Sadly the ‘wget’ command wouldn’t work……any idea’s guys? Could there be another way to update the device using this method.

    I was able to change the IP address of the device when I got this prompt and ping my laptop. just the ‘wget’ command was unrecognized.

    Reply
    1. Chris B - Admin Post author

      Pete,
      This means you booted into the diagnostic image on the MR18. Sadly it has the NAND blocked off at a kernel level as it’s hard programmed to use a different ECC mode, so you can’t flash the device from this environment.

      Reply
      1. Pete

        Thanks Chris…I was so close!! Look at the latest flashing method, I only needed to hold down the reset button for another 5 seconds.

        I managed to get it working using the latest method.

        Reply
    1. Niels

      Same problem here 115200 N81 – Lots of garbage – If I start with the cable inserted, i get some “half readable” text, but is will not boot, just keeps circling in some kind of startup-diag.
      If i connect the cable after initial power-on, I get lots of unreadable garbage like Steeve.

      Current version: MR 24.6

      Reply
  31. Sven

    Hi everybody,

    I have a Problem, I can not access to the MR 18 wile pressing the key “s”.
    I could successfull Change the Serial Number.
    The Firmware is: 22-131521

    1 week ago I successfully flashed another MR18 with OpenWrt but with a different Firmware.

    Thank you for your help.

    P.S. The flasehd MR 18 works like a charme

    Reply
    1. Tony

      Sven,

      Did you ever get this to work on this firmware? I have the same firmware and am getting the same results as you.

      Thanks,
      Tony

      Reply
  32. giuliano

    I have a 24-201611211457-G69d4dc09-mantua firmware, initially when performing the
    odm serial_num write Q2XX-XXXX-XXXV
    the subsequent “odm serial_num read” would either produce nothing or, at times, give the original number. Then I left the machine attached to PoE and serial cable, and when I gave the “odd show_system” command I noticed the line
    serial_num Q2XX-XXXX-XXXV
    and now having it left again for some time alone, it apparently did a spontaneous reboot, and yet the serial number is stil the one I set! So, I will now proceed with the rest of the process (reboot while pressing s and see how it goes…

    Reply
    1. giuliano

      (re: my 24-201611211457-G69d4dc09-mantua FW)
      No joy…. the boot process still ends, like before, with a
      [ 18.544000] warning: key material 0 too short (minimum 16+4+20=40)
      and yet the serial number is still set!
      What else should I try?

      Reply
      1. Bogdan

        Hi, I need some help if possible. How did you managed to boot past the 18.544000] warning: key material 0 too short (minimum 16+4+20=40) boot stop point? I checked the other post but didn’t saw any specific info. Thanks

        Reply
  33. Chris Watling

    Hi,

    I am trying to root my MR-18 but I am unable to get to a prompt. I can get the console via the uart and see the unit loading, I have firmware 22-140575 wich says will work with above method, but after holding the reset button, I see the unit boot and the prompt flashes by and keeps loading unit keeps loading until it says “Cannot parse product model” and just stops with no prompt.

    I had a DHCP server running but the unit did not grab an IP address either. I have tried pressing 2 or s but I am unable to get the unit to a prompt so I can type.

    Any suggestions as to what I can try next?

    Reply
  34. Starlord

    get a “UNRECOGNIZED COMMAND LOGGED TO CLOUD SERVERS.” with Firmware 25.11.

    I managed to get a shell prompt but ODM command non-existant
    set of available command:
    ———————————————————————–
    / # set
    HISTFILE=’/root/.ash_history’
    HOME=’/root’
    IFS=’

    LOGNAME=’root’
    OLDPWD=’/root’
    PATH=’/usr/sbin:/bin:/usr/bin:/sbin:/usr/local/sbin:/tmp/tools:/etc/ath’
    PPID=’1′
    PS1=’\w \$ ‘
    PS2=’> ‘
    PS4=’+ ‘
    PWD=’/’
    SHELL=’/bin/sh’
    TERM=’vt102′
    USER=’root’
    _=’serial’
    / # help

    Built-in commands:
    ——————-
    . : alias bg break cd chdir continue eval exec exit export false
    fg hash help jobs kill let local pwd read readonly return set
    shift times trap true type ulimit umask unalias unset wait

    Does anyone have a solution with this firmware?

    Thanks

    Reply
  35. Z

    I reach the ash shell, but I cannot type anything.

    usb usb2: New USB device strings: Mfr=3, Product=2, SerialNumber=1
    usb usb2: Product: ATH EHCI
    usb usb2: Manufacturer: Linux 2.6.31–LSDK-9.5.3.15-ga2a05dd-dirty ehci_hcd
    usb usb2: SerialNumber: platform
    usb usb2: configuration #1 chosen from 1 choice
    hub 2-0:1.0: USB hub found
    hub 2-0:1.0: 0 ports detected
    Initializing USB Mass Storage driver…
    usbcore: registered new interface driver usb-storage
    USB Mass Storage support registered.
    usbcore: registered new interface driver cdc_ether
    tar: /sbin/debug.tgz: No such file or directory
    factoryreset: /dev/freset: N**** drop_caches_sysctl_handler: all done timer added …****
    o such file or directory
    Starting pid 731, console /dev/ttyS0: '/sbin/autologin'
    Jan 1 00:00:06 login[731]: root login on `ttyS0'

    BusyBox v1.01 (2013.11.05-04:45+0000) Built-in shell (ash)
    Enter 'help' for a list of built-in commands.

    Any advice?

    Reply
  36. Mikethebake

    I am also having issues getting this thing flashed. I have tried the all the guides that I can find. Below is the three guides and errors I can find.

    I have feeling I am on the wrong firmware version. I don’t know what firmware I am on because when I connect to the mr18 everything on the screen scrolls quickly but I cannot go back and see what version I have (I cannot scroll and normal commands do not work).

    I can run the odm command to change the serial, when I try to get into the initramfs root shell I can’t seem to get there very easily. I have to use the reset button to and force into crash the kernel to get in. Once I get into the initramfs root shell, i go to run the command but /storage cannot be found. I can create mkdir storage and it creates, That doesn’t really help since the .configfiles are not there.

    I have also tried to follow these guides and https://wiki.openwrt.org/toh/meraki/mr18. I still have to create the /storage and run the script that all finishes properly, but when I run the WGET command it says WGET is not found

    When I try the ODM firmware part2 command it fails to find the URL.

    Any help will be appreciated.

    Reply
  37. Jeff

    Any chance to to do this on MX65 ?
    Can find anywhere firmware for MX65 series as bin or tar.gz file, any advice to find it?
    Thanks!

    Reply
  38. Frank

    Hi Guys,
    anyone had any progress with MR18s with build 25. If not has anyone had any luck with a cheap JTAG setup.

    Reply
  39. Hayman

    Can I use this method to get in the uboot mode of MR33 ,by holding the reset or holding 2 while starting up the mr33??

    Every time I start the mr33 its boot up to it’s stock firmware,and I don’t know how to get to the uboot???
    Thanks

    Reply
  40. Dean Moore

    Hi,

    I have FW version 22-131521 and cant get it to reboot to root while holding S.

    I’ve used a mac using screen and minicom, a windows PC with putty and even a linux VM.

    Just cant seem to get it to receive the command. I’ve set flow control off still no luck.

    Any last tips?

    Reply
  41. Ties

    I’m using a Raspberry pi as serial device but I’m not getting any input.

    Also a bit confused about the LED, I have 2 orange LEDs and a RGB rainbow fading LED sometimes.

    Reply
  42. Thomasver

    Ordering medicine online is very convenient.
    It’s possible to shop at any hour without stepping out of your house.
    Internet drugstores let you easily check prices and locate the best deal.
    Your meds are sent straight to your address, saving time and effort.
    provera breast tenderness
    There’s no requirement to wait in long lines at a local pharmacy.
    When dealing with chronic illnesses, automatic refills make treatment stress‑free.
    To sum up, digital ordering for medicine preserves your time and energy.

    Reply
  43. Malcolmglowl

    Digital transaction platforms are essential for today’s economies.
    They enable funds to flow swiftly and safely across borders.
    Popular examples include bank cards, digital wallets, and wire transfers.
    Each system provides a unique balance between speed, fees, and safety.
    https://artlover.e-copies.ru/hOq7fGAUcWdM/
    Choosing the right transaction method depends on the customer’s needs and region.
    Good financial gateways safeguard private information and block unauthorised access.
    Ultimately, reliable transaction processing is the foundation of online business and fintech.

    Reply
  44. binance

    I don’t think the title of your article matches the content lol. Just kidding, mainly because I had some doubts after reading the article.

    Reply
  45. проктолог-эксперт.рф

    Проктологическое заболевание — это повсеместная патология, нуждающаяся своевременного терапии.
    Игнорирование симптомов или отсрочка обращения к врачу может обернуться серьёзными осложнениями, такими как кровотечение.
    Современная проктология располагает разнообразные способы коррекции: от щадящих процедур до медикаментозной поддержки.
    удалить атерому в москве
    Ранняя помощь позволяет эффективно устранить дискомфортные проявления и восстановить качество жизни.
    В случае появлении первых признаков (зуд, жжение, следы крови) необходимо немедленно обратиться к проктологу для обследования.
    Адекватное воздействие не только избавляет от телесного дискомфорта, но и препятствует развитию болезни и потребности в хирургическом вмешательстве.

    Reply
  46. Johnsoncqb

    They spent weekends exploring art galleries, making an attempt regional cuisines, and exchanging stories about their childhood traditions. And if you’re keen on exploring specific areas, there are area of interest platforms devoted to East European dating or connecting with women from Eastern Europe. Before selecting a great courting web site, it will be significant to think about the amount of people who’ve used it. Who’s Alexei Navalny? Ukrainian girls love men who show genuine interest. As of January 2017, Rwanda had the best variety of girls parliamentarians, who hold 63.8% of seats within the decrease house. April 30: The primary prefabricated, $2,200 dwelling goes on show in London, upfront of Churchill’s plan to make use of hundreds of 1000’s of those buildings to home those left homeless by the war. ● Use our translation system in other packages. Some 1,200 warships, 4,200 touchdown ships and touchdown craft, and 1,200 merchant ships have been engaged off Normandy. Although the U.S. Fifth Corps touchdown on Omaha Beach at first encountered extreme difficulties, Anglo-Canadian-U.S. Eastern time in the U.S.

    This assault was carried out by 20,000 paratroopers and glider-borne infantry of the U.S. We’ll help you to know every thing and type out the small print. May 6: Nazi Germany orders an additional 1,800 laborers from France to help workers the Mittelbau-Dora slave labor camp close to Nordhausen, Germany. Breaking through the Nazi Atlantic Wall proves perilous: To defend against an Allied invasion from Britain, the Germans constructed the Atlantic Wall — fortifications alongside the western coast of Europe. A joint U.S.-RAF aerial assault over Nazi Germany inflicts heavy injury on the Luftwaffe whereas wreaking havoc on a number of synthetic-oil manufacturing facilities. Together they transported 185,000 men and 20,000 automobiles within the preliminary assault carry. The seaborne operation — Operation Neptune — was preceded by a big-scale airborne assault during the evening of June 5-6 into the inland areas past and on the flanks of the landing beaches. In Lviv’s galleries, museums and churches, a huge operation is below technique to safeguard the town’s cultural heritage. Operation Overlord, the Allied invasion of mainland Europe and the institution of the second entrance lengthy advocated by Stalin to relieve pressure on the Russians in the East, was the best amphibious touchdown operation in history.

    First Army (beneath General Bradley) and British Second Army (General Dempsey), which together comprised General Montgomery’s 21st Army Group, had gained a foothold on the five predominant landing beaches. Army commander for the invasion of France. The 5 beaches of Normandy are given code names: Sword and Gold have been code names for the beaches attacked by the British Second Army. As a huge fleet of cargo- and troop-carrying vessels plied steadily from ports in England to the newly established beachheads and synthetic “Mulberry” [url=https://www.pinterest.com/charmdater/]charmdate review[/url] harbors, Allied strength in Normandy elevated with each week that handed, and was soon unstoppable. Meanwhile, Hitler and the German excessive command believed that the principle invasion was still to come back on the Pas de Calais, with Normandy merely a diversion. Over Harris’s robust objections, Portal sided with Eisenhower’s dedication to the “Transportation Plan” of bombing French railroads as an alternative of German cities in preparation for D-Day. A Free French tribunal finds Vichy Admiral Edmond Darian guilty of collaborating with the Nazis and sentences him to life imprisonment. May 12: The Allies interact in heated battles with German troops across much of Italy, and manage to make steady positive factors. Also, ensure to browse opinions in the site and examine their security and personal privacy policies.

    Make certain you’re both on the identical page about your goals. When looking for romantic companions on the most effective European dating site, you get entry to a large female person database and may make sure that these ladies have the identical intentions. Our workforce of pros and assist workforce are able to provide you with fast assistance in the sector of on-line courting. We take a look at a photograph, perhaps learn a fast bio, and then swipe left or proper to signify our interest. Harmony has in all probability the most advanced technologies to make sure they match the precise folks. European girls make good sense as girlfriends and wives to American males. As you may see, it’s not that arduous to attract Ukrainian women searching for American men if in case you have the following tips in mind. A recent survey showed that over 30% of Ukrainian women at the moment are the first earners in their households. But as soon as over the sea wall, they faced much less opposition.

    Reply
  47. проктолог-эксперт.рф

    Проктологическое заболевание — это частая проблема, требующая незамедлительного терапии.
    Отсутствие симптомов или затягивание визита к специалисту способно привести серьёзными последствиями, такими как выпадение узлов.
    Современная медицина располагает многочисленные методы лечения: от малоинвазивных вмешательств до медикаментозной терапии.
    колоноскопия под наркозом в москве цена
    Своевременная терапия позволяет быстро купировать дискомфортные проявления и восстановить повседневный комфорт.
    При возникновении первых симптомов (зуд, жжение, кровянистые выделения) важно немедленно обратиться к врачу-проктологу для диагностики.
    Правильное лечение не лишь избавляет от физического дискомфорта, но и препятствует прогрессированию болезни и необходимости в хирургическом вмешательстве.

    Reply
  48. eurogal-surveys.ru

    Draught Survey (https://eurogal-surveys.ru/) — это метод определения осадки судна для установления массы находящегося на борту груза.
    Этот подход базируется на закон Архимеда и даёт возможность расчёта объёма груза по изменению водоизмещения.
    Процедура выполняется перед и после загрузки или разгрузки, чтобы зафиксировать фактическое количество перемещённого товара.
    Сам процесс состоит из записи показаний осадки в различных местах и проведения поправок на плотность жидкости.
    Драфт сюрвей повсеместно востребован в судоходстве для финансовых сверок и инспекций.
    Данная процедура считается достоверным инструментом проверки массы товаров, признанным международными конвенциями.

    Reply
  49. rosagrogrunt.ru

    Почва повсеместно применяется в аграрном производстве для производства насаждений.
    В теплицах грунт является базой для салатных культур.
    На плантациях земля задействуется для высадки кормовых и технических растений.
    грунт плодородная земля
    Субстраты требуются для устройства дёрна и садового оформления.
    В дендрариях грунт играет ключевую функцию при производстве рассады.
    Кроме того грунт используется для оздоровления деградированных территорий.

    Reply
  50. Playday

    На данном ресурсе удастся отыскать немало полезной информации.
    На страницах сайта содержатся обзоры и руководства на различный вкус.
    Посетитель имеете возможность отыскать как широкую базу, так и углублённые данные.
    Данный портал поможет экспертам в их обучении.
    https://energiadoma.ru/full-read/55-vliyanie-kriptovalyut-na-industriyu-onlayn-kazino-plyusy-i-minusy-ispolzovaniya-bitkoina-i-efira.html
    Также на сайте часто появляются свежие обновления.
    Предлагаем с интересом изучить доступную здесь базу.
    Следовательно, этот сайт служит отличным хранилищем сведений.

    Reply
  51. Peterpre

    Every profile is bursting at the seams with footage and videos. I consider SakuraDate probably the greatest Asian dating site overall, as it gives an excellent collection of options for search and communication, the opportunity to share photographs and videos during conversations, and plenty of verified profiles with detailed bios and quite a few pictures. Community help: They often embody boards or teams the place users can share experiences and recommendation. We want you to find a platform that’s finest for you, so we provide you with entry to instruments like free trials the place you may test-drive the product to see if it’s going to be an excellent fit. Online dating can be overwhelming, but MagnoliaDate takes care of that, making it a perfect choice if you wish to explore the Asian dating pool at your own pace. It’s not that all of them are trying to find a husband, but it’s uncommon to satisfy girls who wish to find a one-night time stand on these websites. In accordance with the house owners of these websites, they are 100% legit and have actual ladies, and in accordance with fake critiques, these websites are a minimum of 10/10. It looks like you possibly can simply choose any and discover love in a matter of days.

    How can I ensure a safe on-line courting expertise? This determine underscores the significance of selecting a relationship webpage that not solely gives advanced video chat choices and secure messaging but additionally gives a user-pleasant interface for a seamless relationship journey. Hence, the options are quite few on eHarmony, however they are quality. 🔥 Join probably the greatest Asian American dating websites, Gochatty, claim your bonus, add a photo, and in a couple of minutes, you’ll start getting messages from real Asian ladies! That’s how on-line courting works in 2024: you spend 2-three minutes and start chatting with real overseas women. Tailored Matchmaking: Many dating platforms make use of superior algorithms that ensure you meet asian single ladies or males who align together with your relationship objectives. Always protect your personal data, meet in public places, and belief your instincts. Be Respectful: Always respect the cultural background and private boundaries of your matches.

    Her writing is predicated on thorough tutorial analysis and personal and matchmaking expertise, which she transforms into sensible and easily comprehensible content material. For more up-to-date info, please conduct your own research. Most profiles have 1 image and no extra information, and it’s an enormous downgrade after web sites like NaomiDate or SakuraDate. But it’s the one advantage of those websites over the platforms like SakuraDate or MagnoliaDate. 1 choose total for the entire US, but it’s an awesome match for the family-oriented [url=http://asiamereview.blogspot.com/]asiame review[/url] nature you see in the Asian community and in Dallas as a whole. These are the most effective Asian American relationship sites and apps to get you started on your subsequent dating journey. In many communities, dishonest is a serious downside; for instance, within the Philippines, love triangles between a man and two ladies are quite common, so don’t attempt to spice up your relationship by making her jealous. The relationship with foreigners are at all times fascinating and engaging whether or not there are friendships, life associate, enterprise or touring pal. By respecting their cultural background, language preferences, and individual identity as a deaf person, you are laying the inspiration for a powerful and trusting relationship.

    When utilizing a dating site, it is crucial to create an enticing profile that highlights your personality, cultural background, and dating goals. How can I enhance my profile on these apps? Our matchmakers serve clients throughout the globe, so whether you’re in Los Angeles, Vancouver, or London, we may also help you find real, lasting love. Most such web sites, however, find a compromise, providing each free and premium companies without making a consumer pay for registration. On this planet of online relationship, Asian girls relationship apps have carved out a significant niche, offering unique opportunities for people in search of significant connections. Be Clear About Intentions: Asian girls usually seek severe relationships. Building belief through clear and sincere communication types the muse of sturdy relationships with Asians. Respect, patience, and real curiosity are crucial when building connections with Asian women. The following pointers delve deeper into fostering intimacy, strengthening communication, and constructing a basis of belief that transcends language obstacles. For example, she invitations you to her place as a small gesture of willingness to belief you. The relationship pool is very small right here.

    Reply
  52. vof

    Ответственная игра — это стратегия к азартным сессиям, основанный на контроле и понимании последствий.
    Она предполагает добровольное лимитирование времени и бюджета на процесс.
    Любой игрок обязан предварительно устанавливать пределы ставок и строго их придерживаться.
    https://dvery35.ru/article/4219-rich-casino-vs-competitors-a-comparative-analysis.html

    Reply
  53. vof

    Осознанный гемблинг — это принцип к казино, основанный на контроле и осознании последствий.
    Эта концепция включает осознанное лимитирование продолжительности и бюджета на игру.
    Каждый участник должен заранее устанавливать пределы ставок и неукоснительно их придерживаться.
    https://dvery35.ru/article/4307-top-5-slot-raketok-maksimiziruyushchikh-vyplaty-v-1win.html

    Reply
  54. vof

    Осознанный гемблинг — это стратегия к казино, основанный на самоограничении и понимании последствий.
    Она подразумевает осознанное лимитирование времени и бюджета на процесс.
    Каждый участник должен заранее определять пределы ставок и строго их соблюдать.
    https://techblog.omskdaily.ru/lQUo7zeSV7IX/

    Reply
  55. vof

    Ответственная игра — это стратегия к азартным сессиям, базирующийся на контроле и понимании последствий.
    Эта концепция подразумевает осознанное ограничение продолжительности и расходов на процесс.
    Любой участник должен предварительно устанавливать пределы ставок и строго их придерживаться.
    https://petlover.nash-mihailovsk.ru/u8U5J7qOHbA4/

    Reply
  56. vof

    Ответственная игра — это стратегия к игровым развлечениям, основанный на контроле и осознании рисков.
    Она включает осознанное ограничение продолжительности и расходов на игру.
    Любой участник обязан заранее определять лимиты потерь и неукоснительно их придерживаться.
    https://labdiz.ru/full/512-cryptocurrency-in-cashman-casino-how-it-has-changed-the-gaming-landscape.htm

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *