Here we go again, this time with a new way to root the Cisco Meraki MR18. Note that this method will ONLY work on the MR18, and I am not responsible for any damaged devices if you want to try this on something else as it will not work!
The Exploit:
Note that the below is also covered in a YouTube walkthrough which can be Found Here.
Requirements:
- Meraki MR18
- UART adapter – cp2102 variant recommended
- Ethernet Router (used in rooting process)
- A LEDE Initramfs Image & sysupgrade image – Download Here
Instructions:
- Download the required files above, and store them on your computer for later.
- Wire up UART to your Meraki MR18. More info on this can be found on the OpenWRT Wiki page.
- Hook up your MR18 to a router, and disconnect the router from the internet. DO NOT ALLOW THE MR18 TO TOUCH THE INTERNET DURING THIS PROCESS! This is important as the most reliable way to do this exploit is to have the MR18 use DHCP to get an IP on the same network as your personal computer.
- Hold the reset button on the MR18 for 10+ seconds. You should see the LED blink, and then turn off. Once the LED turns off you can stop holding the reset button. This does a “Level 2” reset and removes any configs from the access point.
- From your personal computer that has UART wired to the MR18, plug into the same router the MR18 is using. Then, remember the IP address of your system. In this example, we will use 192.168.1.102.
- Once the MR18 booted, start a HTTP server (on port 80) on your personal computer in the same directory as the firmware files. If you are running linux, this can be done using the below example:
[code]
wget https://servernetworktech.com/uploads/files/MR18-LEDE.tar.gz
tar xzvf ./MR18-LEDE.tar.gz
cd ./MR18-LEDE/
sudo python2 -m SimpleHTTPServer 80
[/code] - Once started, you can then load this image to the “part2” partition on the MR18. This is done with the following:
[code]
odm firmware part2 192.168.1.102:80/lede-ar71xx-nand-mr18-initramfs-kernel.bin
[/code] - Once complete, remove power from the Meraki MR18. Now that power is removed, in your UART session hold down “2” on your keyboard while applying power. This should now boot you into the initramfs image you just flashed to the MR18.
- Unplug the MR18 from your router, and directly wire your computer to it. Once wired, you should get a IP from the MR18.
- Now that recovery is flashed, open a browser on your computer and navigate to 192.168.1.1. Once signed into LuCI, you can then flash lede-ar71xx-nand-mr18-squashfs-sysupgrade.tar.
- Once flashed, your MR18 should reboot and be fully running LEDE!
Why this Works:
The reason this works is thanks to the way the wget package in the busybox binary handles URLs that don’t have a protocol defined:
https://github.com/mirror/busybox/blob/1_26_1/networking/wget.c#L469
In the above, the specific code we are referring to is:
[code]
// GNU wget is user-friendly and falls back to http://
h->host = url;
goto http;
[/code]
In the above snippet, if “http://” or “ftp://” is not defined, it will fail back to HTTP. This is important for us as by default, the custom Meraki shell strips out anything with 2x forward slashes, such as “http://”. Because of this, we can leverage this feature to use the firmware command found in Meraki’s manufacturing tool, odm. From here, we replace the backup kernel on the device with a LEDE Initramfs image which we can then boot into to flash the device.
Confirmed Working On:
-
24-201611211457-G69d4dc09-mantua
-
25-201612022004-Gee01d075-debtor
- 24-201702072108-Gdc35074c-
spray-1
Hi,
Just to confirm that it went well with this firmware : 24-201611211457-G69d4dc09-mantua
LEDE Installed and operational.
Thank you a lot !
How do I find the firmware version my mr18 is running?
Does this method work with the newest firmware?
Thanks!
Hi,
I can confirm that it works with 24-201702072108-Gdc35074c-spray.
Thank you so much and keep up the good work!
Regards from Portugal
JN
I just tested this on two MR18s that were confirmed up to date today. No issues, once i got the steps down. First one took about an hour, the second took about three minutes.
Thanks for the work, but I can’t seem to get the network device to load. I get in the OpenWRT/BusyBox shell and only get lo and not eth0 when I run ifconfig. I’ve tried the bin you provided and the one Cucumber Tony provides. I’m running firmware 24-201702072108-Gdc35074c-spray
I get these errors as it boots up, which I’m assuming is the problem:
[ 10.712594] ath9k qca955x_wmac: Direct firmware load for soc_wmac.eeprom fail ed with error -2
[ 10.721280] ath9k qca955x_wmac: Falling back to user helper
[ 12.950881] ieee80211 phy0: Atheros AR9550 Rev:0 mem=0xb8100000, irq=47
[ 12.957723] PCI: Enabling device 0000:00:00.0 (0000 -> 0002)
[ 12.964148] ath9k 0000:00:00.0: Direct firmware load for pci_wmac0.eeprom fai led with error -2
[ 12.972920] ath9k 0000:00:00.0: Falling back to user helper
Any help would be appreciated!
Hey Michael,
Sounds like your hitting a very rare bug that I have heard of once or twice. Specifically, your device may be slightly different hardware wise which is causing the ethernet calibration data in the OTP to not exist.
To help me get this issue resolved once and for all, can you please shoot me an email? Best one would be my gmail below (just remove NOSPAM from it).
[email protected]
Thanks for the reply, I actually had the power pin attached to the UART port (Leftmost pin). Once removed, and on external power, the firmware installed like a dream.
Thanks again!
THANKS!
Can confirm that the UART port must NOT have the 5V pin attached! But rather run the MR18 from external power! Or else the MR18 will not be able to catch the “2” at boot.
Odd, my original post is gone…
I’m having an issue after loading the initial firmware. After reboot, I don’t have a network connection at all. After booting busybox or the other firmware, I run ifconfig and only get a LO interface. I see eeprom errors when loading. (sorry, my original post had some copy and pastes and I’m not at home atm)
Thanks!
Michael
Hi.
Just tested it but no luck.
I’ve checked on my dhcpd that the mr18 got a IP address but can’t update firmware: still getting connections time out. I also verified that the lede file is available with a simple browser.
For information, i couldn’t update the serial number also. Another protection system?
Hello,
Can you please confirm you did the device reset using the reset button? If this is not done, this may explain why the process failed. Also can you share what firmware version you are on?
Weird thing happens to me.
I am on 23-191963. I tried the method here, but the odm firmware command does not recognize the
url as http or ftp, so the “why this work” does not work!. I have rechecked the command:
odm firmware part2 192.168.11.3:80/lede-ar71xx-nand-mr18-initramfs-kernel.bin
still “not an http or ftp url: 192.168.11.3:80/lede-ar71xx-mr18-initramfs-kernel.bin
weird
Turns out putting quotes around the url can override double forward slashes’ stripping. so this worked :
odm firmware part2 “http://192.168.11.3:80/lede-ar71xx-nand-mr18-initramfs-kernel.bin”
now my mr18 boots LEDE!
Hi,
I’m with build 22-131521, and I got “not an http or ftp url: 192.168.11.3:80/lede-ar71xx-mr18-initramfs-kernel.“
Using quote or not, same problem… I tried other tutorials with no wget on busybox, and no device /dev/mtdblock2 for dd-ing initramfs to mtdblock2.
Any idea?
try this: do not copy and paste the command up to the name of the firmware, it might be that the source of the text you are copying contains unwanted formatting characters.
Hi,
I got root access to my Meraki MR18, but I get stuck when it comes to the initramfs boot, when I push ‘2’ it keep loggin this:
Got magic key 2[ 2.320000] Mapping
8388608 bytes for /dev/mtdblock/part2
Got magic key 2[ 3.068000] Mapping
8388608 bytes for /dev/mtdblock/part2
Got magic key 2[ 3.816000] Mapping
8388608 bytes for /dev/mtdblock/part2
Got magic key 2[ 4.568000] Mapping
8388608 bytes for /dev/mtdblock/part2
Got magic key 2[ 5.316000] Mapping
8388608 bytes for /dev/mtdblock/part2
and if I stop pushing 2 I get this:
[ 6.064000] UBIFS: un-mount UBI device 0, volume 1
[ 6.068000] Starting new kernel
[ 6.072000] Will call new kernel at 80060000
[ 6.072000] Bye …
Did anyone experience this behavior?
Hello,
This means you are holding down “2” too late in the boot process. You need to ensure that you are pressing “2” as soon as the device is powered on, as this needs to be seen by the bootloader. From the output you shared, it seems you were not pressing 2 until the stock firmware started booting.
I experience the same behaviour. Firmware 24-201611211457-G69d4dc09-mantua
I tried many times, but the result is the same. Why is it that pressing 2 too late brings the machine anyway to a different state than not pressing it at all?
I’ll give it again a go, but this time by resetting rather than unplugging the PoE. I suspect taking power off disables the serial interface too long making it impossible to have the 2 detected early enough. Does it make sense?
Found what might be the original poster problem, and is my problem: upon booting having pressed 2 I get an error:
loading fw at 4352
hdr: [0x3c21444f : 0x43545950 : 0x45206874 ]
part2: invalid magic, expected 0x8e73ed8a versus 0x3c21444f
bootkernel 1 failed!
However, checking the file:
hexdump openwrt-ar71xx-nand-mr18-initramfs-kernel.bin | head
0000000 8e 73 ed 8a 00 00 04 00 00 60 ec 6c a6 f9 25 a2
so the magic appears totally different to what the loader sees.
SOLVED for Firmware 24-201611211457-G69d4dc09-mantua:
PROBLEM: wget does ignore the URL after the / so anything in:
odd firmware part2 192.168.2.1/BLAHBLAH
results in a request for /
SOLUTION: rename your firmware so that it is server as the index file, I used apache so that I could see what was happening and because of better control.
In the serial console you will see, when downloading the firmware:
firmware.tmp 100% |*******************************| 7169k 0:00:00 ETA
and the after the Erasing lines, a lot of Writing lines, before I would see only the Erasing ones…
So:
BusyBox v1.26.2 () built-in shell (ash)
_________
/ /\ _ ___ ___ ___
/ LE / \ | | | __| \| __|
/ DE / \ | |__| _|| |) | _|
/________/ LE \ |____|___|___/|___| lede-project.org
\ \ DE /
\ LE \ / —————————————————————————————
\ DE \ / Reboot (SNAPSHOT, r4125-83e4ed3)
\________\/ —————————————————————————————
I now have to see how to proceed from there, but I am happy for the moment and can go do some gardening.
after flashing the firmware I connected the iMac to the MR18 on the ethernet, set to use DHCP and yet the mac was not getting an address. So, knowing that the MR18 was on 192.168.1.1, I simply set the address of the iMac ethernet manually. I was then able to connect to the MR18 web interface and proceed like instructed on this page.
Thanks A LOOOOOT
‘successfully upgraded an up-to-date (24-201702072108-Gdc35074c-spray) unit
Hi,
Just try to install Firmware, i successfuly did with my UART USB from Windows computer but i’m stuck at the boot 2 command, when I type 2 while plug in the device it’s like it didn’t take the command device try to boot to FF .
” test_memoryfailed RAM BORKED: (0xa0000000) 0x5a5a5a5a != 0x0
error booting{FF}”
I try with another uart software and it say : Try to boot to ÿ
” test_memoryfailed RAM BORKED: (0xa0000000) 0x5a5a5a5a != 0x0
error bootingÿ”
It’s just like my 2 command is bypassed by another send before when plug in my device.
Maybe a problem from my UART adapter or Windows driver, I will try tomorrow on linux .
Just to note : I did’n plug the VCC only 3 wires, the only way to sucessfuly install firmware on part 2.
Thanks for your work and your help 🙂
Hi, any ideas how to deal with version: 25-201703281425-G5ffc1c24-select ?
I’m on this FW and having no luck – 🙁
> Hopefully one of these days I will write up the process I used to find this “exploit”.
Could you give us a pointer or two ?
Hi,
Which UART adaptator do you advice to realizz this hack?
Is this one ok for example? https://www.aliexpress.com/item/1PCS-CP2102-USB-2-0-to-TTL-UART-Module-6Pin-Serial-Converter-STC-Replace-FT232/32786777167.html
Hello,
I personally use CP2102 based UART adapters without issue.
Hi Chris,
Does it mean the one I linked will work?
If not, could you please post some links of adaptaters that does?
Thanks in advance 🙂
This is the link to one on amazon.it that works on my iMac. IIRChttps://www.amazon.it/gp/product/B00AFRXKFU/ref=oh_aui_detailpage_o01_s00?ie=UTF8&psc=1
The drivers (also Mac ones) are available on the site of the chip manufacturer http://www.silabs.com.
Remember that only TX, RX and GND must be connected, and that if you invert TX and RX it will not work. Also what are you using as a console programme?
Any idea what to do with a MR18 that doesn’t accept any input from the serial port? It never get’s to the prompt and doesn’t echo any input.
The only thing I can think of is a blown serial RX on the AP.
This is the bootlog:
https://gist.github.com/mterron/4b4ac5afc79455e30f05be29cded3935
I had this problem, found my serial adapter tx and rx are backwards.
Were you able to see output though? I’m quite sure my RX is properly connected as I can observe the bootlog.
Is there any other place to tap into the serial port or another serial port?
Hi, I have an MR18 with FW 24-20170207…
and a silabs cp2102 connected to it, with RX,TX and GND,
I can see the output, but it’s as if the pc is sending keystrokes without pressing any button,
lines and lines of “UNRECOGNIZED COMMAND LOGGED TO CLOUD SERVERS.”
when I disconnect the silabs’ TX, everything ok but I cannot send any keystrokes of course,
any ideas ? (can the voltages be wrong even though I see output or something ?)
Thanks,
on what platform are you and what are you using as terminal emulator? On Mac OS I am using serialTools, simpler to install than minicom.
Hello,
I’ve succesfully installed LEDE on two MR18’s using this guide, thank you a lot Chris. Here’s a few tips that helped me:
– don’t use fake PL2303 chinese TTL (you’ll recognize them as they’re very cheap), they need older drivers which cause BSOD’s on Win10
– DO NOT CONNECT VCC! only TX, RX and GND. Also, if there’s no output on screen, reverse TX and RX
– be very patient while trying to press ‘2’ – in my case it took half an hour of trying on one MR18. On another I managed it in the first try.
@Chris, can you please change the sysupgrade image in https://servernetworktech.com/uploads/files/MR18-LEDE.tar.gz to newer one? The image in package shows Segmentation fault after running ‘opkg update ; opkg find something’. After upgrading to http://downloads.lede-project.org/releases/17.01.2/targets/ar71xx/nand/lede-17.01.2-ar71xx-nand-mr18-squashfs-sysupgrade.tar (from Sat Jun 10 17:07:45 2017) that error is gone and I could download packages.
@Peter, the images I provide are mainly just for the initial flash, it’s expected that users will upgrade after the fact. The main reason I offer an uploaded image is so a copy of the initramfs build is available, as this is not generated by the LEDE build system.
BTW Chris, I think I forgot to thank you for this page and your work. There’s no need you approve this post, as it is just for thanking you really!
Hi,
I successfully used this method, until step 10. When I try to flash the sysupgrade.tar file, I see this in the serial console:
root@LEDE:/# [ 204.777210] ecc unrecoverable error
[ 204.781504] ecc unrecoverable error
[ 204.794983] ecc unrecoverable error
[ 204.799476] ecc unrecoverable error
[ 204.812984] ecc unrecoverable error
[ 204.817343] ecc unrecoverable error
Then the mr18 reboots and I am back at the start.
Any Idea what I do wrong or how I can solve this?
Hello,
These errors are normal as this is the setup script making sure your caldata is configured correctly. Once rebooted, it should be fully flashed with LEDE and be good to go. Does it not boot into LEDE after you did the sysupgrade?
Regards,
Chris B
Hi Chris,
this actually worked. Also upgrading afterwards to the latest LEDE firmware.
Thanks.
I bought this UART: https://fr.aliexpress.com/item/1PCS-CP2102-USB-2-0-to-TTL-UART-Module-6Pin-Serial-Converter-STC-Replace-FT232/32713654275.html
I plugged the 3 pins of my Meraki MR 18 to the UART, as explained here: https://i.imgur.com/gjkYb4K.jpg
White wire from J1 (ground) to GND
Black wire from J2 (TX) to TXD
Grey wire from J3 (RX) to RXD
as shown in the 3 attached pictures: https://framapic.org/gallery#9wgPD5IJYa64/jyEMXHiQkpPn.jpg,R0b5HwOEL4jW/SZDQ8mcskjuw.jpg,KnlEUfRcYR2j/6dBjwnG8wmVQ.jpg
No ethernet plugged into the MR18.
I plug the UART USB adapter to my computer.
“dmesg | grep tty” learns me that “[35539.155078] usb 2-1.8.2: cp210x converter now attached to ttyUSB0”
Then I run a “sudo screen /dev/ttyUSB0 115200” in a terminal.
Screen remain black/empty, untill I plug the external power to the Meraki.
And now, problems appear: screen is full of quick and endless lines, like a bootloop.
When I unplug the external power, here are pieces of the logs that remain on screen:
————————————
nand_load_fw: 0x30000 0x800 0xbd001bf0
nand_load_fw: 0x40000 0x800 0xbd0023f0
nand_load_fw: 0x50000 0x800 0xbd002bf0
nand_load_fw: 0x60000 0x800 0xbd0033f0
nand_load_fw: 0x70000 0x800 0xbd003bf0
nand_load_fw: 0x80000 0x800 0xbd0043f0
nand_load_fw: 0x90000 0x800 0xbd004bf0
nand_load_fw: 0xa0000 0x800 0xbd0053f0
nand_load_fw: 0xb0000 0x800 0xbd005bf0
nand_load_fw: 0xc0000 0x800 0xbd0063f0
nand_load_fw: 0xd0000 0x800 0xbd006bf0
f/w 0 read complete, jumping to 0xbd000400
Meraki Atheros LinuxLoader MR18 built Jan 31 2014 15:53:22
qca955x_init_ddr ok
test_memoryfailed RAM BORKED: (0xa0000000) 0x5a5a5a5a != 0x0
error booting�
__________________sri____________________
944x BootROM Ver. (asic) 1.0 [Nov 8 2011 13:42:57]
_________________________________________
find_hif: bootstrap = 0x31c59
Nand Flash init
hdr: [0xbd000400 : 0xbd000400 : 0x6fb4 : 0xe5c86b84]
nand_load_fw: read 13 pages
nand_load_fw: 0x10000 0x800 0xbd000bf0
nand_load_fw: 0x20000 0x800 0xbd0013f0
nand_load_fw: 0x30000 0x800 0xbd001bf0
nand_load_fw: 0x40000 0x800 0xbd0023f0
nand_load_fw: 0x50000 0x800 0xbd002bf0
nand_load_fw: 0x60000 0x800 0xbd0033f0
nand_load_fw: 0x70000 0x800 0xbd003bf0
nand_load_fw: 0x80000 0x800 0xbd0043f0
nand_load_fw: 0x90000 0x800 0xbd004bf0
nand_load_fw: 0xa0000 0x800 0xbd0053f0
nand_load_fw: 0xb0000 0x800 0xbd005bf0
nand_load_fw: 0xc0000 0x800 0xbd0063f0
nand_load_fw: 0xd0000 0x800 0xbd006bf0
f/w 0 read complete, jumping to 0xbd000400
Meraki Atheros LinuxLoader MR18 built Jan 31 2014 15:53:22
qca955x_init_ddr ok
test_memoryfailed RAM BORKED: (0xa0000000) 0x5a5a5a5a != 0x0
error booting�
__________________sri____________________
944x BootROM Ver. (asic) 1.0 [Nov 8 2011 13:42:57]
_________________________________________
find_hif: bootstrap = 0x31c59
Nand Flash init
hdr: [0xbd000400 : 0xbd000400 : 0x6fb4 : 0xe5c86b84]
nand_load_fw: read 13 pages
nand_load_fw: 0x10000 0x800 0xbd000bf0
nand_load_fw: 0x20000 0x800 0xbd0013f0
nand_load_fw: 0x30000 0x800 0xbd001bf0
nand_load_fw: 0x40000 0x800 0xbd0023f0
nand_load_fw: 0x50000 0x800 0xbd002bf0
nand_load_fw: 0x60000 0x800 0xbd0033f0
nand_load_fw: 0x70000 0x800 0xbd003bf0
nand_load_fw: 0x80000 0x800 0xbd0043f0
nand_load_fw: 0x90000 0x800 0xbd004bf0
nand_load_fw: 0xa0000 0x800 0xbd0053f0
nand_load_fw: 0xb0000 0x800 0xbd005bf0
nand_load_fw: 0xc0000 0x800 0xbd0063f0
nand_load_fw: 0xd0000 0x800 0xbd006bf0
f/w 0 read complete, jumping to 0xbd000400
Meraki Atheros LinuxLoader MR18 built Jan 31 2014 15:53:22
qca955x_init_ddr ok
test_me
————————————
How can I solve that issue?
Thanks in advance for your kind help 🙂
Hello,
This is a sign that your UART is not playing nice with the board when powered on. Please confirm it’s 3.3v. If so, you may need to flash the initramfs directly to the main kernel partition of “part1”.
Hi Chris,
You asked if my UART is 3.3v.
As you can see on the pictures I’ve posted previously (and especially this one: https://framapic.org/R0b5HwOEL4jW/SZDQ8mcskjuw.jpg), this UART is supposed to handle 3.3V and 5V.
Is this UART compatible with your hack?
Is it well connected, as shown on my pictures?
Thanks for your kind help! 🙂
Hello,
It seems you have a UART adapter that should work. As you are seeing the boot issue with UART plugged in while the board first boots, try powering your MR18 and then plugging in UART. This may help you get around the issue.
I never could get the MR18 to boot with the serial attached- got the error above-, but just flashed the image to partition 1 instead.
Hi,
I could use some help as I’m not geting anywhere fast:
I am trying to do this from a windows 7 machine using putty.
After pressing reset on the MR18 for 10 seconds, when I open the console I am prompted for a login and password. I can’t get past this, and I thought that there would be no login needed?
I am sure the UART is wired ok. Any ideas?
Hello,
Normally there should be no login, so it’s possible Meraki changed their console setup on a newer firmware. Can you please share your full boot log, as well as firmware version?
I’d love to provide this information, only problem is I don’t know how! Can you point me in the right direction on how to do this please? Thank you.
Hello, you need to configure PuTTY for logging. You can google around for instructions. Once done, upload the log to a file sharing site (gist.github.com or pastebin.com) and share a link here.
Hello again, sorry it’s been a while…
I have managed to create a log file with PuTTy, using the SSH Raw option, it’s pasted here: https://pastebin.com/raw/Y7NgDKrm
I hope I’ve got this right and that you can help.
Thanks
Can anyone help me please?
Hello guys,
I have MR18 running 24-201611211457-G69d4dc09-mantua.
Boot alwaysends with this:
[ 13.940000] brain: loading click config
[ 18.584000] In write handler ‘device_id’ for ‘wired0_cdpsource :: CDPSource’:
[ 18.588000] Bad string passed to device_id
[ 18.596000] In write handler ‘device_id’ for ‘wired1_cdpsource :: CDPSource’:
[ 18.604000] Bad string passed to device_id
[ 18.624000] In write handler ‘run’ for ‘set_dstore_keys :: Script’:
[ 18.632000] While calling ‘dstore_encrypt.keys’:
[ 18.636000] warning: key material 0 too short (minimum 16+4+20=40)
[ 18.640000] While calling ‘dstore_decrypt.keys’:
[ 18.648000] warning: key material 0 too short (minimum 16+4+20=40)
And after that I cant get constole. Any ideas?
Tnx,
I too get with 24-201611211457-G69d4dc09-mantua:
[ 13.980000] brain: loading click config
[ 18.636000] In write handler ‘device_id’ for ‘wired0_cdpsource :: CDPSource’:
[ 18.644000] Bad string passed to device_id
[ 18.648000] In write handler ‘device_id’ for ‘wired1_cdpsource :: CDPSource’:
[ 18.656000] Bad string passed to device_id
[ 18.676000] In write handler ‘run’ for ‘set_dstore_keys :: Script’:
[ 18.680000] While calling ‘dstore_encrypt.keys’:
[ 18.688000] warning: key material 0 too short (minimum 16+4+20=40)
[ 18.692000] While calling ‘dstore_decrypt.keys’:
[ 18.700000] warning: key material 0 too short (minimum 16+4+20=40)
ok… self help…
using minicom on linux, disable Hardware Flow Control and now I have:
[ 18.680000] warning: key material 0 too short (minimum 16+4+20=40)
UNRECOGNIZED COMMAND LOGGED TO CLOUD SERVERS.
[ 18.688000] warning: key material 0 too short (minimum 16+4+20=40)
odm help
odm CLI help:
mac_verify, serial_verify, hw_rev_verify, hw_minor_verify
.
.
Hello,
I have my meraki MR18 which crashes with a block on it THX
__________________sri____________________
944x BootROM Ver. (asic) 1.0 [Nov 8 2011 13:42:57]
_________________________________________
find_hif: bootstrap = 0x31c58
Nand Flash init
hdr: [0xbd000400 : 0xbd000400 : 0x6fb4 : 0xe5c86b84]
nand_load_fw: read 13 pages
nand_load_fw: 0x10000 0x800 0xbd000bf0
nand_load_fw: 0x20000 0x800 0xbd0013f0
nand_load_fw: 0x30000 0x800 0xbd001bf0
nand_load_fw: 0x40000 0x800 0xbd0023f0
nand_load_fw: 0x50000 0x800 0xbd002bf0
nand_load_fw: 0x60000 0x800 0xbd0033f0
nand_load_fw: 0x70000 0x800 0xbd003bf0
nand_load_fw: 0x80000 0x800 0xbd0043f0
nand_load_fw: 0x90000 0x800 0xbd004bf0
nand_load_fw: 0xa0000 0x800 0xbd0053f0
nand_load_fw: 0xb0000 0x800 0xbd005bf0
nand_load_fw: 0xc0000 0x800 0xbd0063f0
nand_load_fw: 0xd0000 0x800 0xbd006bf0
f/w 0 read complete, jumping to 0xbd000400
Meraki Atheros LinuxLoader MR18 built Jan 31 2014 15:53:22
qca955x_init_ddr ok
test_memory ok
D-cache size: 64K
I-cache size: 32K
init_dram_uncached ok
init_icache ok
init_dcache ok
enable_caches ok
test_memory ok
nand_flash_init ok
loading fw at 256
hdr: [0x8e73ed8a : 0x400 : 0x16be88 ]
part1: Copying image to memory … ………..
done.
part1: Checking sha1 (from 0x80060000 length 1490568) … match
part1: sha1 calculated: 8d85c821ed1e9ca895269100f57a396d6df07768
starting stage2
decompressing embedded kernel image 0x81a024f0(0x169975)
got osize 46cac4
…………………done
starting linux
[ 0.000000] Linux version 3.4.112-meraki-ar7100 ([email protected]) (gcc version 4.8.3 (GCC) ) #4 Thu Sep 14 11:16:28 PDT 2017
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU revision is: 00019750 (MIPS 74Kc)
[ 0.000000] SoC: Qualcomm Atheros QCA9558 rev 0
[ 0.000000] Clocks: CPU:720.000MHz, DDR:600.000MHz, AHB:200.000MHz, Ref:40.000MHz
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 07fb0000 @ 00050000 (usable)
[ 0.000000] Wasting 2560 bytes for tracking 80 unused pages
[ 0.000000] Initrd not found or empty – disabling initrd
[ 0.000000] Zone PFN ranges:
[ 0.000000] Normal 0x00000050 -> 0x00008000
[ 0.000000] Movable zone start PFN for each node
[ 0.000000] Early memory PFN ranges
[ 0.000000] 0: 0x00000050 -> 0x00008000
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 32432
[ 0.000000] Kernel command line: console=ttyS0,115200 machtype=Meraki ubi.mtd=3 root=/dev/mtdblock8
[ 0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[ 0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[ 0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[ 0.000000] Writing ErrCtl register=00000000
[ 0.000000] Readback ErrCtl register=00000000
[ 0.000000] Memory: 124848k/130752k available (1987k kernel code, 5904k reserved, 406k data, 2136k init, 0k highmem)
[ 0.000000] SLUB: Genslabs=9, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS:51
[ 0.000000] Calibrating delay loop… 359.42 BogoMIPS (lpj=718848)
[ 0.028000] pid_max: default: 32768 minimum: 301
[ 0.032000] Mount-cache hash table entries: 512
[ 0.036000] Performance counters: mips/74K PMU enabled, 4 32-bit counters available to each CPU, irq 13
[ 0.040000] devtmpfs: initialized
[ 0.044000] NET: Registered protocol family 16
[ 0.048000] gpiochip_add: registered GPIOs 0 to 23 on device: ath79
[ 0.052000] MIPS: machine is Meraki Access Point
[ 0.056000] registering PCI controller with io_map_base unset
[ 0.060000] registering PCI controller with io_map_base unset
[ 0.068000] bio: create slab at 0
[ 0.072000] PCI host bridge to bus 0000:00
[ 0.076000] pci_bus 0000:00: root bus resource [mem 0x10000000-0x11ffffff]
[ 0.080000] pci_bus 0000:00: root bus resource [io 0x0000]
[ 0.084000] pci 0000:00:00.0: BAR 0: assigned [mem 0x10000000-0x1001ffff 64bit]
[ 0.088000] pci 0000:00:00.0: BAR 6: assigned [mem 0x10020000-0x1002ffff pref]
[ 0.092000] PCI host bridge to bus 0000:01
[ 0.096000] pci_bus 0000:01: root bus resource [mem 0x12000000-0x13ffffff]
[ 0.100000] pci_bus 0000:01: root bus resource [io 0x0001]
[ 0.104000] pci 0000:01:00.0: BAR 0: assigned [mem 0x12000000-0x1201ffff 64bit]
[ 0.108000] pci 0000:01:00.0: BAR 6: assigned [mem 0x12020000-0x1202ffff pref]
[ 0.112000] pci 0000:00:00.0: using irq 40 for pin 1
[ 0.116000] pci 0000:01:00.0: using irq 41 for pin 1
[ 0.120000] Switching to clocksource MIPS
[ 0.124000] NET: Registered protocol family 2
[ 0.140000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.148000] TCP established hash table entries: 4096 (order: 3, 32768 bytes)
[ 0.152000] TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.160000] TCP: Hash tables configured (established 4096 bind 4096)
[ 0.164000] TCP: reno registered
[ 0.168000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 0.176000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 0.180000] NET: Registered protocol family 1
[ 0.204000] Detected Meraki MR18
[ 0.220000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.224000] msgmni has been set to 243
[ 0.228000] io scheduler noop registered
[ 0.232000] io scheduler deadline registered (default)
[ 0.240000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[ 0.264000] serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11) is a 16550A
[ 0.272000] console [ttyS0] enabled, bootconsole disabled
[ 0.272000] console [ttyS0] enabled, bootconsole disabled
[ 0.284000] tun: Universal TUN/TAP device driver, 1.6
[ 0.292000] tun: (C) 1999-2004 Max Krasnyansky
[ 0.296000] input: gpio-keys-polled as /devices/platform/gpio-keys-polled/input/input0
[ 0.308000] TCP: cubic registered
[ 0.312000] NET: Registered protocol family 17
[ 0.316000] devtmpfs: mounted
[ 0.328000] Freeing unused kernel memory: 2136k freed
[ 0.336000] Made it into bootsh: Sep 14 2017 11:16:14
[ 0.340000] bootsh build 24-201709141029-Ge5080440-clip
[ 0.344000] Mapping 5960 bytes for /lib/modules/nand_ids.ko
[ 0.352000] Mapping 13616 bytes for /lib/modules/bch.ko
[ 0.356000] Mapping 4920 bytes for /lib/modules/nand_bch.ko
[ 0.364000] Mapping 5232 bytes for /lib/modules/nand_ecc.ko
[ 0.372000] Mapping 58104 bytes for /lib/modules/nand.ko
[ 0.376000] Mapping 7748 bytes for /lib/modules/ath79_nand.ko
[ 0.384000] ONFI param page 0 valid
[ 0.388000] ONFI flash detected
[ 0.392000] NAND device: Manufacturer ID: 0xad, Chip ID: 0xf1 (Hynix H27U1G8F2BTR-BC)
[ 0.400000] Scanning device for bad blocks
[ 0.440000] Bad eraseblock 606 at 0x000004bc0000
[ 0.468000] Creating 5 MTD partitions on “ath79-nand”:
[ 0.472000] 0x000000000000-0x000000080000 : “nandloader”
[ 0.480000] 0x000000080000-0x000000880000 : “part1”
[ 0.484000] 0x000000880000-0x000001080000 : “part2”
[ 0.492000] 0x000001080000-0x000007f80000 : “ubi”
[ 0.496000] 0x000007fe0000-0x000008000000 : “odm-caldata”
[ 0.504000] Mapping 116568 bytes for /lib/modules/ubi.ko
[ 0.512000] UBI: attaching mtd3 to ubi0
[ 0.516000] UBI: physical eraseblock size: 131072 bytes (128 KiB)
[ 0.524000] UBI: logical eraseblock size: 129024 bytes
[ 0.528000] UBI: smallest flash I/O unit: 2048
[ 0.532000] UBI: sub-page size: 512
[ 0.540000] UBI: VID header offset: 512 (aligned 512)
[ 0.544000] UBI: data offset: 2048
[ 0.692000] UBI: max. sequence number: 1592465
[ 0.704000] UBI: attached mtd3 to ubi0
[ 0.708000] UBI: MTD device name: “ubi”
[ 0.712000] UBI: MTD device size: 111 MiB
[ 0.716000] UBI: number of good PEBs: 887
[ 0.720000] UBI: number of bad PEBs: 1
[ 0.728000] UBI: number of corrupted PEBs: 0
[ 0.732000] UBI: max. allowed volumes: 128
[ 0.736000] UBI: wear-leveling threshold: 4096
[ 0.740000] UBI: number of internal volumes: 1
[ 0.744000] UBI: number of user volumes: 7
[ 0.748000] UBI: available PEBs: 483
[ 0.756000] UBI: total number of reserved PEBs: 404
[ 0.760000] UBI: number of PEBs reserved for bad PEB handling: 8
[ 0.764000] UBI: max/mean erase counter: 2226/1796
[ 0.768000] UBI: image sequence number: 0
[ 0.776000] UBI: background thread “ubi_bgt0d” started, PID 223
[ 0.780000] Mapping 9148 bytes for /lib/modules/gluebi.ko
[ 0.796000] Mapping 235308 bytes for /lib/modules/ubifs.ko
[ 0.816000] Mapping 5400 bytes for /lib/modules/leds-gpio.ko
[ 0.824000] Mapping 129424 bytes for /lib/modules/ag7240_mod.ko
[ 0.836000] qca955x_GMAC: Length per segment 1536
[ 0.840000] 955x_GMAC: qca955x_gmac_attach
[ 0.844000] 955x_GMAC: qca955x_set_gmac_caps
[ 0.848000] Currently in polling mode unit0
[ 0.852000] Registering AR8033 Phy….
[ 0.856000] qca955x_GMAC: Mac address for unit 0:bfff1000
[ 0.860000] qca955x_GMAC: 00:00:00:00:00:00
[ 0.868000] qca955x_GMAC: Max segments per packet : 1
[ 0.872000] qca955x_GMAC: Max tx descriptor count : 100
[ 0.876000] qca955x_GMAC: Max rx descriptor count : 252
[ 0.884000] qca955x_GMAC: Mac capability flags : 4200
[ 0.888000] 955x_GMAC: qca955x_gmac_attach
[ 0.892000] 955x_GMAC: qca955x_set_gmac_caps
[ 0.896000] Currently in polling mode unit1
[ 0.900000] Registering AR8033 Phy….
[ 0.904000] qca955x_GMAC: Mac address for unit 1:bfff1006
[ 0.912000] qca955x_GMAC: 00:00:00:00:00:00
[ 0.916000] qca955x_GMAC: Max segments per packet : 1
[ 0.920000] qca955x_GMAC: Max tx descriptor count : 100
[ 0.928000] qca955x_GMAC: Max rx descriptor count : 252
[ 0.932000] qca955x_GMAC: Mac capability flags : 4200
[ 1.588000] UBIFS: mounted UBI device 0, volume 1, name “storage”
[ 1.592000] UBIFS: file system size: 19869696 bytes (19404 KiB, 18 MiB, 154 LEBs)
[ 1.600000] UBIFS: journal size: 1032193 bytes (1008 KiB, 0 MiB, 8 LEBs)
[ 1.608000] UBIFS: media format: w4/r0 (latest is w4/r0)
[ 1.616000] UBIFS: default compressor: lzo
[ 1.620000] UBIFS: reserved for root: 938494 bytes (916 KiB)
In manufacturing: FALSE
[ 1.664000] hdr: [0x8e73ed8a : 0x00000400 : 0x0016be88 : 0x8d85c821 : 0xed1e9ca8]
[ 1.672000] loading bootkernel size 1490568
[ 1.820000] UBIFS: un-mount UBI device 0, volume 1
[ 1.824000] Starting new kernel
[ 1.828000] Will call new kernel at 80060000
[ 1.828000] Bye …
starting stage2
decompressing embedded kernel image 0x81a024f0(0x169975)
got osize 46cac4
…………………done
starting linux
[ 0.000000] Linux version 3.4.112-meraki-ar7100 ([email protected]) (gcc version 4.8.3 (GCC) ) #4 Thu Sep 14 11:16:28 PDT 2017
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU revision is: 00019750 (MIPS 74Kc)
[ 0.000000] SoC: Qualcomm Atheros QCA9558 rev 0
[ 0.000000] Clocks: CPU:720.000MHz, DDR:600.000MHz, AHB:200.000MHz, Ref:40.000MHz
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 07fb0000 @ 00050000 (usable)
[ 0.000000] Wasting 2560 bytes for tracking 80 unused pages
[ 0.000000] Initrd not found or empty – disabling initrd
[ 0.000000] Zone PFN ranges:
[ 0.000000] Normal 0x00000050 -> 0x00008000
[ 0.000000] Movable zone start PFN for each node
[ 0.000000] Early memory PFN ranges
[ 0.000000] 0: 0x00000050 -> 0x00008000
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 32432
[ 0.000000] Kernel command line: console=ttyS0,115200 machtype=Meraki ubi.mtd=3 root=/dev/mtdblock8
[ 0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[ 0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[ 0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[ 0.000000] Writing ErrCtl register=00000000
[ 0.000000] Readback ErrCtl register=00000000
[ 0.000000] Memory: 124848k/130752k available (1987k kernel code, 5904k reserved, 406k data, 2136k init, 0k highmem)
[ 0.000000] SLUB: Genslabs=9, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS:51
[ 0.000000] Calibrating delay loop… 359.42 BogoMIPS (lpj=718848)
[ 0.028000] pid_max: default: 32768 minimum: 301
[ 0.032000] Mount-cache hash table entries: 512
[ 0.036000] Performance counters: mips/74K PMU enabled, 4 32-bit counters available to each CPU, irq 13
[ 0.040000] devtmpfs: initialized
[ 0.044000] NET: Registered protocol family 16
[ 0.048000] gpiochip_add: registered GPIOs 0 to 23 on device: ath79
[ 0.052000] MIPS: machine is Meraki Access Point
[ 0.056000] registering PCI controller with io_map_base unset
[ 0.060000] registering PCI controller with io_map_base unset
[ 0.068000] bio: create slab at 0
[ 0.072000] PCI host bridge to bus 0000:00
[ 0.076000] pci_bus 0000:00: root bus resource [mem 0x10000000-0x11ffffff]
[ 0.080000] pci_bus 0000:00: root bus resource [io 0x0000]
[ 0.084000] pci 0000:00:00.0: BAR 0: assigned [mem 0x10000000-0x1001ffff 64bit]
[ 0.088000] pci 0000:00:00.0: BAR 6: assigned [mem 0x10020000-0x1002ffff pref]
[ 0.092000] PCI host bridge to bus 0000:01
[ 0.096000] pci_bus 0000:01: root bus resource [mem 0x12000000-0x13ffffff]
[ 0.100000] pci_bus 0000:01: root bus resource [io 0x0001]
[ 0.104000] pci 0000:01:00.0: BAR 0: assigned [mem 0x12000000-0x1201ffff 64bit]
[ 0.108000] pci 0000:01:00.0: BAR 6: assigned [mem 0x12020000-0x1202ffff pref]
[ 0.112000] pci 0000:00:00.0: using irq 40 for pin 1
[ 0.116000] pci 0000:01:00.0: using irq 41 for pin 1
[ 0.120000] Switching to clocksource MIPS
[ 0.124000] NET: Registered protocol family 2
[ 0.140000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.148000] TCP established hash table entries: 4096 (order: 3, 32768 bytes)
[ 0.156000] TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.160000] TCP: Hash tables configured (established 4096 bind 4096)
[ 0.168000] TCP: reno registered
[ 0.172000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 0.176000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 0.184000] NET: Registered protocol family 1
[ 0.204000] Detected Meraki MR18
[ 0.224000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.228000] msgmni has been set to 243
[ 0.232000] io scheduler noop registered
[ 0.236000] io scheduler deadline registered (default)
[ 0.244000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[ 0.268000] serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11) is a 16550A
[ 0.276000] console [ttyS0] enabled, bootconsole disabled
[ 0.276000] console [ttyS0] enabled, bootconsole disabled
[ 0.288000] tun: Universal TUN/TAP device driver, 1.6
[ 0.296000] tun: (C) 1999-2004 Max Krasnyansky
[ 0.300000] input: gpio-keys-polled as /devices/platform/gpio-keys-polled/input/input0
[ 0.312000] TCP: cubic registered
[ 0.316000] NET: Registered protocol family 17
[ 0.320000] devtmpfs: mounted
[ 0.332000] Freeing unused kernel memory: 2136k freed
[ 0.340000] Made it into bootsh: Sep 14 2017 11:16:14
[ 0.344000] bootsh build 24-201709141029-Ge5080440-clip
[ 0.348000] Mapping 5960 bytes for /lib/modules/nand_ids.ko
[ 0.356000] Mapping 13616 bytes for /lib/modules/bch.ko
[ 0.360000] Mapping 4920 bytes for /lib/modules/nand_bch.ko
[ 0.368000] Mapping 5232 bytes for /lib/modules/nand_ecc.ko
[ 0.376000] Mapping 58104 bytes for /lib/modules/nand.ko
[ 0.380000] Mapping 7748 bytes for /lib/modules/ath79_nand.ko
[ 0.388000] ONFI param page 0 valid
[ 0.392000] ONFI flash detected
[ 0.396000] NAND device: Manufacturer ID: 0xad, Chip ID: 0xf1 (Hynix H27U1G8F2BTR-BC)
[ 0.404000] Scanning device for bad blocks
[ 0.444000] Bad eraseblock 606 at 0x000004bc0000
[ 0.472000] Creating 5 MTD partitions on “ath79-nand”:
[ 0.476000] 0x000000000000-0x000000080000 : “nandloader”
[ 0.484000] 0x000000080000-0x000000880000 : “part1”
[ 0.488000] 0x000000880000-0x000001080000 : “part2”
[ 0.496000] 0x000001080000-0x000007f80000 : “ubi”
[ 0.500000] 0x000007fe0000-0x000008000000 : “odm-caldata”
[ 0.508000] Mapping 116568 bytes for /lib/modules/ubi.ko
[ 0.516000] UBI: attaching mtd3 to ubi0
[ 0.520000] UBI: physical eraseblock size: 131072 bytes (128 KiB)
[ 0.528000] UBI: logical eraseblock size: 129024 bytes
[ 0.532000] UBI: smallest flash I/O unit: 2048
[ 0.540000] UBI: sub-page size: 512
[ 0.544000] UBI: VID header offset: 512 (aligned 512)
[ 0.548000] UBI: data offset: 2048
[ 0.696000] UBI: max. sequence number: 1592466
[ 0.708000] UBI: attached mtd3 to ubi0
[ 0.712000] UBI: MTD device name: “ubi”
[ 0.716000] UBI: MTD device size: 111 MiB
[ 0.720000] UBI: number of good PEBs: 887
[ 0.728000] UBI: number of bad PEBs: 1
[ 0.732000] UBI: number of corrupted PEBs: 0
[ 0.736000] UBI: max. allowed volumes: 128
[ 0.740000] UBI: wear-leveling threshold: 4096
[ 0.744000] UBI: number of internal volumes: 1
[ 0.748000] UBI: number of user volumes: 7
[ 0.752000] UBI: available PEBs: 483
[ 0.760000] UBI: total number of reserved PEBs: 404
[ 0.764000] UBI: number of PEBs reserved for bad PEB handling: 8
[ 0.768000] UBI: max/mean erase counter: 2226/1796
[ 0.776000] UBI: image sequence number: 0
[ 0.780000] UBI: background thread “ubi_bgt0d” started, PID 223
[ 0.784000] Mapping 9148 bytes for /lib/modules/gluebi.ko
[ 0.800000] Mapping 235308 bytes for /lib/modules/ubifs.ko
[ 0.824000] Mapping 5400 bytes for /lib/modules/leds-gpio.ko
[ 0.828000] Mapping 129424 bytes for /lib/modules/ag7240_mod.ko
[ 0.840000] qca955x_GMAC: Length per segment 1536
[ 0.844000] 955x_GMAC: qca955x_gmac_attach
[ 0.848000] 955x_GMAC: qca955x_set_gmac_caps
[ 0.852000] Currently in polling mode unit0
[ 0.856000] Registering AR8033 Phy….
[ 0.860000] qca955x_GMAC: Mac address for unit 0:bfff1000
[ 0.868000] qca955x_GMAC: 00:00:00:00:00:00
[ 0.872000] qca955x_GMAC: Max segments per packet : 1
[ 0.876000] qca955x_GMAC: Max tx descriptor count : 100
[ 0.884000] qca955x_GMAC: Max rx descriptor count : 252
[ 0.888000] qca955x_GMAC: Mac capability flags : 4200
[ 0.892000] 955x_GMAC: qca955x_gmac_attach
[ 0.896000] 955x_GMAC: qca955x_set_gmac_caps
[ 0.900000] Currently in polling mode unit1
[ 0.908000] Registering AR8033 Phy….
[ 0.908000] qca955x_GMAC: Mac address for unit 1:bfff1006
[ 0.916000] qca955x_GMAC: 00:00:00:00:00:00
[ 0.920000] qca955x_GMAC: Max segments per packet : 1
[ 0.924000] qca955x_GMAC: Max tx descriptor count : 100
[ 0.932000] qca955x_GMAC: Max rx descriptor count : 252
[ 0.936000] qca955x_GMAC: Mac capability flags : 4200
[ 1.592000] UBIFS: mounted UBI device 0, volume 1, name “storage”
[ 1.596000] UBIFS: file system size: 19869696 bytes (19404 KiB, 18 MiB, 154 LEBs)
[ 1.604000] UBIFS: journal size: 1032193 bytes (1008 KiB, 0 MiB, 8 LEBs)
[ 1.612000] UBIFS: media format: w4/r0 (latest is w4/r0)
[ 1.620000] UBIFS: default compressor: lzo
[ 1.624000] UBIFS: reserved for root: 938494 bytes (916 KiB)
In manufacturing: FALSE
[ 1.668000] Mapping 8388608 bytes for /dev/mtdblock/part1
[ 2.416000] UBIFS: un-mount UBI device 0, volume 1
[ 2.424000] Starting new kernel
[ 2.428000] Will call new kernel at 80060000
[ 2.428000] Bye …
Just wanted to post a huge thanks for this guide.
Initially I had issues trying to flash my MR18 using the previous guide. So updated to the firmware through the Meraki portal to 24-201702072108-Gdc35074c-spray-1.
Still had issues in trying to boot to part2 by holding ‘2’ during boot sequence.
Purchased another UART – thinking this may be the issue. Ensured new one was a CP2102 variant. Still had issues with getting the ‘2’ input captured.
Once the initramfs was loaded onto the second partition and i rebooted I just got garbled output to the console. I had to remove the GND pin & reattach at the exact moment the device booted and in enough time for the ‘2’ key press to be captured. This was fairly tricky to achieve. I had to reboot via power strip with a switch on it that I could operate with my toes. Leaving my hands free to re-attach the GND pin whilst also constantly pressing ‘2’ on the keyboard.
Needless to say I did manage it and the MR18 is now free’d.
I have loaded the Cucumber WiFi firmware on it, which is highly recommended.
Thanks again Chris!
I can boot into LEDE, but when I plug my mr18 directly into my laptop, DHCP doesn’t provide an ip address.
I tried giving a static ip from the 192.168.1.0/24 subnet to my laptop, and access the mr18 from the browser with 192.168.1.1, but no success.
Can anyone provide some tips?
Pingback: Freeing the Meraki MR18 with LEDE(OpenWRT) | N00b security
Hi There
I am having some trouble getting Method C for firmware (24-201611211457-G69d4dc09-mantua-1) I have 2 x MR18 AP’s I noticed on your youtube video when I am running the part2 load from my webserver I recieve the following output
odm firmware part2 192.168.0.3:80/lede-ar71xx-nand-mr18-initramfs-kernel.bin
Connecting to 192.168.0.3:80 (192.168.0.3:80)
firmware.tmp 100% |*******************************| 1004 0:00:00 ETA
Erasing 128 Kibyte @ 0 — 0 % complete
Erasing 128 Kibyte @ 20000 — 1 % complete
Erasing 128 Kibyte @ 40000 — 3 % complete
Erasing 128 Kibyte @ 60000 — 4 % complete
Erasing 128 Kibyte @ 80000 — 6 % complete
Erasing 128 Kibyte @ a0000 — 7 % complete
Erasing 128 Kibyte @ c0000 — 9 % complete
Erasing 128 Kibyte @ e0000 — 10 % complete
Erasing 128 Kibyte @ 100000 — 12 % complete
Erasing 128 Kibyte @ 120000 — 14 % complete
Erasing 128 Kibyte @ 140000 — 15 % complete
Erasing 128 Kibyte @ 160000 — 17 % complete
Erasing 128 Kibyte @ 180000 — 18 % complete
Erasing 128 Kibyte @ 1a0000 — 20 % complete
Erasing 128 Kibyte @ 1c0000 — 21 % complete
Erasing 128 Kibyte @ 1e0000 — 23 % complete
Erasing 128 Kibyte @ 200000 — 25 % complete
Erasing 128 Kibyte @ 220000 — 26 % complete
Erasing 128 Kibyte @ 240000 — 28 % complete
Erasing 128 Kibyte @ 260000 — 29 % complete
Erasing 128 Kibyte @ 280000 — 31 % complete
Erasing 128 Kibyte @ 2a0000 — 32 % complete
Erasing 128 Kibyte @ 2c0000 — 34 % complete
Erasing 128 Kibyte @ 2e0000 — 35 % complete
Erasing 128 Kibyte @ 300000 — 37 % complete
Erasing 128 Kibyte @ 320000 — 39 % complete
Erasing 128 Kibyte @ 340000 — 40 % complete
Erasing 128 Kibyte @ 360000 — 42 % complete
Erasing 128 Kibyte @ 380000 — 43 % complete
Erasing 128 Kibyte @ 3a0000 — 45 % complete
Erasing 128 Kibyte @ 3c0000 — 46 % complete
Erasing 128 Kibyte @ 3e0000 — 48 % complete
Erasing 128 Kibyte @ 400000 — 50 % complete
Erasing 128 Kibyte @ 420000 — 51 % complete
Erasing 128 Kibyte @ 440000 — 53 % complete
Erasing 128 Kibyte @ 460000 — 54 % complete
Erasing 128 Kibyte @ 480000 — 56 % complete
Erasing 128 Kibyte @ 4a0000 — 57 % complete
Erasing 128 Kibyte @ 4c0000 — 59 % complete
Erasing 128 Kibyte @ 4e0000 — 60 % complete
Erasing 128 Kibyte @ 500000 — 62 % complete
Erasing 128 Kibyte @ 520000 — 64 % complete
Erasing 128 Kibyte @ 540000 — 65 % complete
Erasing 128 Kibyte @ 560000 — 67 % complete
Erasing 128 Kibyte @ 580000 — 68 % complete
Erasing 128 Kibyte @ 5a0000 — 70 % complete
Erasing 128 Kibyte @ 5c0000 — 71 % complete
Erasing 128 Kibyte @ 5e0000 — 73 % complete
Erasing 128 Kibyte @ 600000 — 75 % complete
Erasing 128 Kibyte @ 620000 — 76 % complete
Erasing 128 Kibyte @ 640000 — 78 % complete
Erasing 128 Kibyte @ 660000 — 79 % complete
Erasing 128 Kibyte @ 680000 — 81 % complete
Erasing 128 Kibyte @ 6a0000 — 82 % complete
Erasing 128 Kibyte @ 6c0000 — 84 % complete
Erasing 128 Kibyte @ 6e0000 — 85 % complete
Erasing 128 Kibyte @ 700000 — 87 % complete
Erasing 128 Kibyte @ 720000 — 89 % complete
Erasing 128 Kibyte @ 740000 — 90 % complete
Erasing 128 Kibyte @ 760000 — 92 % complete
Erasing 128 Kibyte @ 780000 — 93 % complete
Erasing 128 Kibyte @ 7a0000 — 95 % complete
Erasing 128 Kibyte @ 7c0000 — 96 % complete
Erasing 128 Kibyte @ 7e0000 — 98 % complete
Erasing 128 Kibyte @ 7e0000 — 100 % complete
Writing data to block 0 at offset 0x0
Successfully updated part2 to 192.168.0.3:80/
Whereas yours say its “writing” over and over instead of “erasing”
Please advise
Thanks
Kris
Got this going
Things I did are as follows
FTP started in wrong location on Mac
Renamed firmware to firmware.bin (don’t know if this did anything)
Held down 2 key whilst powering off and on after loading bin (method C)
Hi,
I would like to thanks all people for all comments. With you, I flash my MR18 (build 24-201709141029-Ge5080440-clip) with LEDE 17.01.4
Thanks a lot for all détails and all comments
Regards.
Tried this out today and ran into a similar issue someone posted earlier about. I don’t have an eth0 interface. I see in your video at the end of the boot process when booting into LEDE your eth0 int comes up. Any thoughts on how to proceed or did I just get unlucky with a slightly different board? I am on build, boot 209 build 24-201611211457-G69d4dc09-mantua board ar7100. Thanks!
Hey Mike,
You may be hitting a rare hardware level bug. Any chance you can email me directly so I can diagnose this and get it resolved once and for all? Best email is chrisrblake93 (at) gmail.
Hi Chris,
I confirm this worked like a charm on firmware build 24-201609272213-G374d42aa-daybed.
thanks !
Hi Chris,
Thank you for sharing this method!!!
I was wondering, why is the latest image lede-ar71xx-nand-mr18-squashfs-sysupgrade.tar from MR18-LEDE.tar.gz not on https://github.com/riptidewave93/Openwrt-MR18/releases page?
Hello Michael,
I no longer update the repo, as the readme says. Please get the latest images from OpenWRT/LEDE directly.
Hello,
Can we root firmware 25.9 or not? MR18
Dear All!
I’m wondering if I could use your way to convert my MR18 with MR25.9 firmware?
Did anyone ever figure out the issue with the “warning: key material 0 too short”?
I have setup a dhcp server on my linux box, watching the logs I see my MR10 continually request an IP, I Am never able to ping it and I cannot get it to download the openwrt firmware, help would be greatly appreciated, I’d hate to have to throw this thing away.
Hello all.
I am on firmware 25.9.
Followed the commands as described in “method C”. I managed to get the firmware uploaded into part 2.
But when removing power and applying press “2” does not work. I get the message:
Meraki Atheros LinuxLoader MR18 built Jan 31 2014 15:53:22
qca955x_init_ddr ok
test_memoryfailed RAM BORKED: (0xa0000000) 0x5a5a5a5a != 0x0
error booting
__________________sri____________________
944x BootROM Ver. (asic) 1.0 [Nov 8 2011 13:42:57]
_________________________________________
find_hif: bootstrap = 0x31459
Nand Flash init
hdr: [0xbd000400 : 0xbd000400 : 0x6fb4 : 0xe5c86b84]
nand_load_fw: read 13 pages
nand_load_fw: 0x10000 0x800 0xbd000bf0
nand_load_fw: 0x20000 0x800 0xbd0013f0
nand_load_fw: 0x30000 0x800 0xbd001bf0
nand_load_fw: 0x40000 0x800 0xbd0023f0
nand_load_fw: 0x50000 0x800 0xbd002bf0
nand_load_fw: 0x60000 0x800 0xbd0033f0
nand_load_fw: 0x70000 0x800 0xbd003bf0
nand_load_fw: 0x80000 0x800 0xbd0043f0
nand_load_fw: 0x90000 0x800 0xbd004bf0
nand_load_fw: 0xa0000 0x800 0xbd0053f0
nand_load_fw: 0xb0000 0x800 0xbd005bf0
nand_load_fw: 0xc0000 0x800 0xbd0063f0
nand_load_fw: 0xd0000 0x800 0xbd006bf0
f/w 0 read complete, jumping to 0xbd000400
Especially the RAM BORKED is coming immediately. And I cannot continue. No IP address on the Ethernet port, and even when I change the computer’s IP to 192.168.1.12 (fixed), I cannot ping or connect to the 192.168.1.1 IP.
What can be the problem for the RAM BORKED?
I noticed, that when the MR18 is switched off, and I connect the UART (real one, CP2102, and YES, confirmed with oscilloscope that it is 3,3V), and I see very faintly LED burning on Tx or Rx part on the USB stick.
Is it possible that the USB is powering the MR18 with Tx (Vcc is NOT connected at all!)?
i also ordered a real RS232 to UART converter, so that PuTTY can stay permanently on, since if you remove the USB device, the COM port disappears. I assume that when I plug it in, it takes tie for me to setup Putty to connect to COM8. So if I have a real serial connection (I do have one on the docking station), putty should not disconnect.
Is that an idea?
OK, Solved it. Uploaded the firmaware to part 1. That did the trick. Immediately after boot I got the Linux prompt of Lede. After that, it was easy. WebGUI works, is can see the three radio’s etc….
Zakaria: today I managed to root that firmware.
Just plug in the power, wait until fully booted (not running anymore in the terminal).
Then press the reset button until the led stops flashing.
Be sure to have a DHCP server ready on your network and no Internet access available – I used tftpd32 as DHCP server on Windows10.
Once you see on the logs of tftpd32 the MR18 got the IP and you have a MERAKI prompt you can try to start the python part. I simply copied the firmware to the directory of the python.exe, renamed to lede.bin
Then
odm firmware part2 192.168.1.102:80/lede.bin
or
odm firmware part2 “http://192.168.1.102:80/lede.bin”
(I don’t remember what was the correct as first I got a lot of times timeout (disabled windows firewall, and so on) – so to test I opened the 192.168.1.102 in a browser to see the result).
Then somehow downloaded – I think I restarted the python SimpleHTTPServer several times….
Then did the upload of the FW from the LuCi gui, and finally I upgraded with the firmware from here:
https://downloads.lede-project.org/releases/17.01.4/targets/ar71xx/nand/
(lede-17.01.4-ar71xx-nand-mr18-squashfs-sysupgrade.tar)
This is the latest stable version I found.
Found on a forum, that HTTPS will not work out of the box with this stable version, so I followed this:
SSH to the MR18 and then:
opkg update
opkg install luci-lib-px5g px5g-standalone libustream-openssl
reboot
After this HTTPS works.
Now my FW version is LEDE Reboot 17.01.4 r3560-79f57e422d / LuCI lede-17.01 branch (git-17.290.79498-d3f0685)
Now I remember what was the issue – somehow the netmask was different on the DHCP server and the network card of the Laptop, so once I corrected it the download started perfectly.
So be sure use the same netmask on the tftpd32 (if you do it from windows) and on the network card of the laptop. Don’t be afraid if the SimpleHTTPServer shows 0.0.0.0 80 as bind address – that all the possible network interface.
My MR24 has this f/w: 25-201712141532-G0bb86dd3-hamaki
After hard reset, it does not seem to get into the mode of looking for a TFTP server.
Hi,
Im running 24-201611211457-g69d4dc09-mantua firmware (the web portal states “Current version: MR 25.11”). But I cannot seem to get into the prompt after the hard reset (step 7). I am using Putty and I can see from the UART console that the AP boots up, displays some info and then just stops and I cannot enter anything into the console. I have the UART adapter plugged in correctly (without VCC plugged in). Any ideas whatsoever?
I’m using firware 25-2018..
After all I’ve tried so far, I managed to access root shell by keep pressing the reset button and power the AP at the same time.
Everything else I tried so far was a failure. Suppose to be able to enter ODM commands but alltime I receive “UNRECOGNIZED COMMAND LOGGED TO CLOUD SERVERS.”
Anyway, now I have access to root shell using above trick but there is no storage folder and nothing in it.
The shell script produces error while I execute and I have stuck here.
PLEASE HELP !!!
I’m having the same problem. odd never seems to work. I can also get into that root shell, but this seems to be missing the ath79_nand modules to mount the partitions on the disk.
Did you get anywhere in the mean time? I’d like to get to the bottom of this, would be a waste to throw away a perfectly good AP because of some vendor lock-in.
Hi, same problem for me (25-201804051805-G885d6d78-dhow-rel-1).
Nothing worse, I can get to a root shell but odm gives “command not found”.
Worked for me, but wondering now – is it possible to revert to original meraki firmware?
Hi. can anyone help me to flash my MR33 with LEDE?? I have tried the instruction which found here..
https://github.com/riptidewave93/LEDE-MR33. but no luck to flash the device. can anybody done to flash the MR33 with MR33?? is there any other way to do it easily? thank you for those who can help me.
look here : https://openwrt.org/toh/meraki/mr33 . you will find instructions on google drive (link on that page).
Hey. I’m running fw 22-131521 which is earlier than the versions specified in the guide, but it’s exhibiting issues not dissimilar to later versions. I’m having the same issue as the other guys with the “s” key not having any effect. I’ve tried from both minicom and screen and the result is the same.
I’m using a PL2303 serial adapter and the output is just fine. I’ve tried with and without connecting GND. I’ve also tried powering using PoE and with an external PSU.
I can write the new serial and read it back between reboots, so that part works. I can get in to the restricted initramfs, but not the main one.
Am I doing something wrong ?
Hi. I’ve got the same problem with fw 22-131251. Did you ever solve this?
Hi. I’ve got the same problem. Did you resolve this?
No, didn’t hear back from anyone and didn’t know where else to look so my MR-18 is still in bits on the shelf 🙁
Cannot get my MR18 to flash, I think Cisco removed the odm command, miserable buggers.
[ 8.768000] boot 83 build 25-201804051805-G885d6d78-dhow-rel board ar7100 mac 00:18:0A:xx:xx:xx
odm fw_version
UNRECOGNIZED COMMAND LOGGED TO CLOUD SERVERS.
Has anyone had any success with firmware this new? Another for landfill I guess.
Hello, there is a /usr/bin/tftp so we just need odm command from original fw.
in this firmware 25.11 is /usr/bin/tftp client so i just need odm file from original firmware.
Hi Chris.
I found an old MR-18 that was still on firmware 24. I need MR18-LEDE.tar.gz but the old download URL isn’t working anymore. Is it available on your current site anywhere? Can you point me to a copy of it please? Thanks so much.
/LJ