If you haven’t noticed, in my spare time I really enjoy breaking into embedded devices for the fun of things. Over the past year, I have spent a ton of time rooting the Cisco Meraki MR18, and today I get the chance to publicly disclose my findings.
To start, let me note by saying I have properly disclosed this issue to Cisco Meraki months ago, but due to the fact they are no longer replying to my emails or honoring their own Bug Bounty, I have decided to publicly disclose this after waiting over 90 days since their last reply. Hopefully one of these days I will write up the process I used to find this “exploit”.
- Power on the MR18, and hook it up to UART. (No ethernet should be plugged in)
- Hold the Reset Button for 10+ seconds until the LEDs on the device turn off, then release.
- The device should reboot, at this point pressing Enter on UART should show the following:
- At this point, you will want to enter
- If you get a “UNRECOGNIZED COMMAND LOGGED TO CLOUD SERVERS.” reply, then please try holding the button to do another reset of the device. If you continue to get this message, then sadly your firmware version is NOT rootable using this method. (please comment to this post sharing your results/firmware version)
- If you got a “Help” output for the ‘odm’ command, then run the following commands:
odm serial_num write Q2XX-XXXX-XXXV odm serial_num read
- At this point the output should show “Q2XX-XXXX-XXXV” and your device should have it’s LED’s flashing. At this point, pull the power from the device, and hold down “s” on your UART console when you power back on the device.
- After a bit, you should then drop to a initramfs root shell, and the device is pwned! Feel free to follow the OpenWRT flashing guide found on the OpenWRT Forums.
Doing the above gets you root on the initramfs, but what about the stock firmware? No worries, as I have that covered as well!
- Once in the root initramfs shell, run the following commands on your device:
cd /storage/ rm ./config* rm ./odm_test.log echo "serial_allow_odm true" > ./config echo "serial_access_enabled true" >> ./config echo "serial_access_check false" >> ./config echo "valid_config true" >> ./config cp ./config ./config.local exit
- Once the above is ran, the firmware should continue to boot, and you will then be back in the stock OS. Once here you will want to restore the Serial Number of your device, which can be done with:
odm serial_num write Q242-1111-111V
Just be sure to make sure to set your serial to the one on the bottom of the device. Changing the serial to any thing else CAN CAUSE ISSUES with the device. Also note that once networking is re-attached, you will lose root access!
Confirmed Working On:
- Firmware Build 22-140575
- Firmware Build 22-149780
- Firmware Build 23-162921
- Firmware Build 23-188206
Overall this exploit isn’t much more than taking advantage of an engineering back door, but I got to dock Meraki some serious points for closing all forms of communication with me. The entire point of Bug Bounties is to encourage proper disclosures, and not following through does not reflect well upon the company.
Timeline of Events:
- First contact to Meraki’s Security Team (10-20-2015)
- Exploit Confirmed by Meraki (10-22-2015)
- Reached out to Meraki for an update – No Response (01-06-2016)
- Second & Final Reach out to Meraki – No Response (01-27-2016)
- Public Disclosure of Exploit (02-09-2016)
- Email from Meraki, emails were “lost”, no longer eligible for bounty (04-20-2016)
- Reached out to Meraki (04-20-2016)