Here we go again, this time with a new way to root the Cisco Meraki MR18. Note that this method will ONLY work on the MR18, and I am not responsible for any damaged devices if you want to try this on something else as it will not work!
The steps below are also covered in a YouTube walkthrough, which can be found here.
Requirements:
- Meraki MR18
- UART adapter – cp2102 variant recommended
- Ethernet Router (used in rooting process)
- A LEDE Initramfs Image & sysupgrade image – Download Here
Steps:
- Download the required files above, and store them on your computer for later.
- Wire up UART to your Meraki MR18. More info on this can be found on the OpenWRT Wiki page.
- Hook up your MR18 to a router, and disconnect the router from the internet. DO NOT ALLOW THE MR18 TO TOUCH THE INTERNET DURING THIS PROCESS! This is important as the most reliable way to do this exploit is to have the MR18 use DHCP to get an IP on the same network as your personal computer.
- Hold the reset button on the MR18 for 10+ seconds. You should see the LED blink, and then turn off. Once the LED turns off you can stop holding the reset button. This does a “Level 2” reset and removes any configs from the access point.
- From your personal computer that has UART wired to the MR18, plug into the same router the MR18 is using. Then, remember the IP address of your system. In this example, we will use 192.168.1.102.
- Once the MR18 has booted, start an HTTP server (on port 80) on your personal computer in the same directory as the firmware files. If you are running Linux, this can be done using the below example:
wget https://servernetworktech.com/uploads/files/MR18-LEDE.tar.gz
tar xzvf ./MR18-LEDE.tar.gz
cd ./MR18-LEDE/
sudo python2 -m SimpleHTTPServer 80
- Once started, you can then load this image to the “part2” partition on the MR18. This is done with the following:
odm firmware part2 192.168.1.102:80/lede-ar71xx-nand-mr18-initramfs-kernel.bin
- Once complete, remove power from the Meraki MR18. Now that power is removed, in your UART session hold down “2” on your keyboard while applying power. This should now boot you into the initramfs image you just flashed to the MR18.
- Unplug the MR18 from your router, and directly wire your computer to it. Once wired, you should get an IP from the MR18.
- Now that recovery is flashed, open a browser on your computer and navigate to 192.168.1.1. Once signed into LuCI, you can then flash lede-ar71xx-nand-mr18-squashfs-sysupgrade.tar.
- Once flashed, your MR18 should reboot and be fully running LEDE!
Why this Works:
The reason this works is thanks to the way the wget package in the busybox binary handles URLs that don’t have a protocol defined:
In the above, the specific code we are referring to is:
// GNU wget is user-friendly and falls back to http://
h->host = url;
goto http;
In the above snippet, if neither “http://” nor “ftp://” is present in the URL, wget falls back to HTTP. This matters because, by default, the custom Meraki shell strips out anything containing two forward slashes, such as “http://”. Because a URL without a scheme still works, we can use the firmware command found in Meraki’s manufacturing tool, odm. From there, we replace the backup kernel on the device with a LEDE initramfs image, which we can then boot into to flash the device.
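The filter gap described above, as an added example (not BusyBox or Meraki code) that sets a `//` substring filter beside a check based on what the fetcher will actually do. The filter is modelled as a plain substring test, which is an assumption drawn from the description here, and `fw.example.internal` and the sample arguments are constructed placeholders.

```c
/* Added example, not BusyBox or Meraki code: models an input filter keyed
 * on "//" and a fetcher that treats a scheme-less argument as HTTP. */
#include <stdio.h>
#include <string.h>

/* Assumed model of the shell filter: any argument containing "//" is refused. */
static int denylist_allows(const char *arg) {
    return strstr(arg, "//") == NULL;
}

/* Simplified model of the fetcher's scheme handling, with the HTTP fallback. */
static const char *effective_scheme(const char *arg) {
    const char *sep = strstr(arg, "://");
    if (!sep) return "http";                 /* no scheme given: http is assumed */
    if (sep - arg == 4 && strncmp(arg, "http", 4) == 0) return "http";
    if (sep - arg == 3 && strncmp(arg, "ftp", 3) == 0) return "ftp";
    return "unsupported";
}

/* Host as the fetcher would see it: after "://" if present, up to '/' or ':'. */
static void host_of(const char *arg, char *out, size_t n) {
    const char *sep = strstr(arg, "://");
    const char *h = sep ? sep + 3 : arg;
    size_t len = strcspn(h, "/:");
    if (len >= n) len = n - 1;
    memcpy(out, h, len);
    out[len] = '\0';
}

/* Stricter check: decide on the effective scheme and an allowlisted host
 * (hypothetical name) instead of on the literal characters typed. */
static int strict_allows(const char *arg) {
    char host[128];
    if (strchr(arg, '@')) return 0;          /* userinfo would change the real host */
    host_of(arg, host, sizeof host);
    return strcmp(effective_scheme(arg), "unsupported") != 0
        && strcmp(host, "fw.example.internal") == 0;
}

int main(void) {
    const char *samples[] = {                /* constructed inputs */
        "http://192.168.1.102/image.bin",
        "192.168.1.102:80/image.bin",
        "fw.example.internal/image.bin" };
    for (size_t i = 0; i < 3; i++)
        printf("%-32s denylist=%d scheme=%s strict=%d\n", samples[i],
               denylist_allows(samples[i]), effective_scheme(samples[i]),
               strict_allows(samples[i]));
    return 0;
}
```

The second sample is the case the text describes: the substring filter passes it, yet the fetcher still treats it as an HTTP URL, while the allowlist check refuses it.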
Confirmed Working On: