Recently I had a Tablo Dual Lite OTA DVR appliance fall into my hands from a family member after its wireless started to act up. Doing what I do best, I decided to tear it apart and figure out how it works and in doing so found a few methods to gain root access into the stock firmware. One thing I did not expect to find, however, is an engineering backdoor that could be hijacked to provide an easy method for root access.Continue reading
Here we go again, this time with a new way to root the Cisco Meraki MR18. Note that this method will ONLY work on the MR18, and I am not responsible for any damaged devices if you want to try this on something else as it will not work!
If you haven’t noticed, in my spare time I really enjoy breaking into embedded devices for the fun of things. Over the past year, I have spent a ton of time rooting the Cisco Meraki MR18, and today I get the chance to publicly disclose my findings.
To start, let me note by saying I have properly disclosed this issue to Cisco Meraki months ago, but due to the fact they are no longer replying to my emails or honoring their own Bug Bounty, I have decided to publicly disclose this after waiting over 90 days since their last reply. Hopefully one of these days I will write up the process I used to find this “exploit”.
Every now and then I come across some interesting devices, one of which was the Cisco Air-OEAP602 “Access Point”. This little guy has an impressive spec sheet with a BCM4718A1 CPU running at 480Mhz, 16MB of flash, and 64MB of RAM but sadly the stock firmware lacks many standard features. Obviously as an enterprise offering it has unique things such as OfficeExtend, but what good are they if they are closed source? Time to hack this thing!