Pwning/Rooting the Meraki MR18 – Again!

Here we go again, this time with a new way to root the Cisco Meraki MR18. Note that this method will ONLY work on the MR18, and I am not responsible for any damaged devices if you want to try this on something else as it will not work!

The Exploit:

Note that the steps below are also covered in a YouTube walkthrough, which can be found here.

Requirements:

  • Meraki MR18
  • UART adapter – cp2102 variant recommended
  • Ethernet Router (used in rooting process)
  • A LEDE Initramfs Image & sysupgrade image – Download Here

Instructions:

  1. Download the required files above, and store them on your computer for later.
  2. Wire up UART to your Meraki MR18. More info on this can be found on the OpenWRT Wiki page.
  3. Hook up your MR18 to a router, and disconnect the router from the internet. DO NOT ALLOW THE MR18 TO TOUCH THE INTERNET DURING THIS PROCESS! This is important because the most reliable way to do this exploit is to have the MR18 obtain an IP via DHCP on the same network as your personal computer.
  4. Hold the reset button on the MR18 for 10+ seconds. You should see the LED blink, and then turn off. Once the LED turns off you can stop holding the reset button. This does a “Level 2” reset and removes any configs from the access point.
  5. Plug the personal computer that has UART wired to the MR18 into the same router the MR18 is using. Then note the IP address your computer receives. In this example, we will use 192.168.1.102.
  6. Once the MR18 has booted, start an HTTP server (on port 80) on your personal computer in the same directory as the firmware files. If you are running Linux, this can be done using the example below:
    wget https://servernetworktech.com/uploads/files/MR18-LEDE.tar.gz
    tar xzvf ./MR18-LEDE.tar.gz
    cd ./MR18-LEDE/
    sudo python2 -m SimpleHTTPServer 80
    
  7. Once started, you can then load this image to the “part2” partition on the MR18. This is done with the following:
    odm firmware part2 192.168.1.102:80/lede-ar71xx-nand-mr18-initramfs-kernel.bin
    
  8. Once complete, remove power from the Meraki MR18. Now that power is removed, in your UART session hold down “2” on your keyboard while applying power. This should now boot you into the initramfs image you just flashed to the MR18.
  9. Unplug the MR18 from your router, and directly wire your computer to it. Once wired, you should get an IP from the MR18.
  10. Now that recovery is flashed, open a browser on your computer and navigate to 192.168.1.1. Once signed into LuCI, you can then flash lede-ar71xx-nand-mr18-squashfs-sysupgrade.tar.
  11. Once flashed, your MR18 should reboot and be fully running LEDE!

Why this Works:

The reason this works is thanks to the way the wget package in the busybox binary handles URLs that don’t have a protocol defined:

https://github.com/mirror/busybox/blob/1_26_1/networking/wget.c#L469

In the above, the specific code we are referring to is:

// GNU wget is user-friendly and falls back to http://
h->host = url;
goto http;

In the above snippet, if “http://” or “ftp://” is not defined, wget falls back to HTTP. This is important for us because, by default, the custom Meraki shell strips out any argument containing two consecutive forward slashes, such as “http://”. Because of this fallback, we can pass a scheme-less URL to the firmware command found in Meraki’s manufacturing tool, odm. From there, we replace the backup kernel on the device with a LEDE initramfs image, which we can then boot into to flash the device.
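To make the mechanism concrete from a defender’s side, here is an added example (not code from this post or from BusyBox) that paraphrases the scheme handling of BusyBox wget’s parse_url() in Python and puts it beside two argument checks: a constructed model of the filter described above (reject anything containing “//”), and a hypothetical hardened check that parses the argument exactly as the fetcher would and then applies a scheme and host allowlist. The Target type, the function names, the allowlist policy and the sample URLs and host names are all assumptions made for this illustration; the point it shows is that a check on characters in the raw string says nothing about where the fetch will actually go.

```python
"""Added illustration (not code from the post or from BusyBox): a Python
paraphrase of the scheme handling in BusyBox wget's parse_url() (1.26.x,
networking/wget.c), placed beside two argument checks. The first models the
kind of filter the post describes (reject anything containing "//"); the
second is a hypothetical hardened check that decides on the destination the
fetcher will actually contact. Sample URLs and host names are constructed."""

from typing import NamedTuple


class Target(NamedTuple):
    scheme: str
    host: str
    port: int
    path: str


DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def busybox_parse_url(url: str) -> Target:
    """Paraphrase of parse_url(): a recognised scheme before '://' is used, an
    unknown scheme is rejected, and NO '://' at all means the whole string is
    taken as host[:port][/path] and fetched over plain HTTP (the
    'GNU wget is user-friendly and falls back to http://' branch).
    Userinfo ('user:pass@') handling is omitted for brevity."""
    scheme, sep, rest = url.partition("://")
    if sep:
        if scheme not in DEFAULT_PORTS:
            raise ValueError("not an http or ftp url: %s" % scheme)
    else:
        scheme, rest = "http", url      # the fallback the post relies on
    hostport, _, path = rest.partition("/")
    host, colon, port = hostport.partition(":")
    return Target(scheme, host, int(port) if colon else DEFAULT_PORTS[scheme], "/" + path)


def substring_filter_allows(arg: str) -> bool:
    """Constructed model of a shell that rejects arguments containing '//'
    (not Meraki's code). Note that it never looks at what the URL means."""
    return "//" not in arg


def allowlist_allows(arg: str, allowed_hosts: frozenset,
                     allowed_schemes: frozenset = frozenset({"https"})) -> bool:
    """Hypothetical hardened check: parse exactly as the fetcher would, then
    require an allowed scheme and an allowed host. A scheme-less argument is
    therefore judged by the 'http' the fetcher would actually use."""
    try:
        target = busybox_parse_url(arg)
    except ValueError:
        return False
    return target.scheme in allowed_schemes and target.host in allowed_hosts


def compare(arg: str, allowed_hosts: frozenset) -> dict:
    """Side-by-side verdicts for one argument (used by the demo below)."""
    try:
        target = busybox_parse_url(arg)._asdict()
    except ValueError as exc:
        target = {"error": str(exc)}
    return {"substring_filter": substring_filter_allows(arg),
            "allowlist": allowlist_allows(arg, allowed_hosts),
            "fetcher_target": target}


if __name__ == "__main__":
    trusted = frozenset({"firmware.example.internal"})   # constructed host
    for url in ("http://192.168.1.102/kernel.bin",        # constructed URLs
                "192.168.1.102:80/kernel.bin",
                "https://firmware.example.internal/kernel.bin",
                "gopher://192.168.1.102/kernel.bin"):
        print(url, "->", compare(url, trusted))
```

Running the demo shows the scheme-less form passing the substring filter while resolving to the same http destination that the “http://” form would, whereas the allowlist check rejects both because it judges the parsed scheme and host rather than the characters typed.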

Confirmed Working On:

  • 24-201611211457-G69d4dc09-mantua
  • 25-201612022004-Gee01d075-debtor
  • 24-201702072108-Gdc35074c-spray-1

40 thoughts on “Pwning/Rooting the Meraki MR18 – Again!”

  1. bat

    Hi,

    Just to confirm that it went well with this firmware: 24-201611211457-G69d4dc09-mantua
    LEDE Installed and operational.

    Thank you a lot !

    Reply
  2. Alex

    How do I find the firmware version my mr18 is running?
    Does this method work with the newest firmware?
    Thanks!

    Reply
  3. Jorge Nogueira

    Hi,
    I can confirm that it works with 24-201702072108-Gdc35074c-spray.
    Thank you so much and keep up the good work!
    Regards from Portugal
    JN

    Reply
  4. MR

    I just tested this on two MR18s that were confirmed up to date today. No issues, once I got the steps down. First one took about an hour, the second took about three minutes.

    Reply
  5. michael

    Thanks for the work, but I can’t seem to get the network device to load. I get in the OpenWRT/BusyBox shell and only get lo and not eth0 when I run ifconfig. I’ve tried the bin you provided and the one Cucumber Tony provides. I’m running firmware 24-201702072108-Gdc35074c-spray

    I get these errors as it boots up, which I’m assuming is the problem:

    [ 10.712594] ath9k qca955x_wmac: Direct firmware load for soc_wmac.eeprom failed with error -2
    [ 10.721280] ath9k qca955x_wmac: Falling back to user helper
    [ 12.950881] ieee80211 phy0: Atheros AR9550 Rev:0 mem=0xb8100000, irq=47
    [ 12.957723] PCI: Enabling device 0000:00:00.0 (0000 -> 0002)
    [ 12.964148] ath9k 0000:00:00.0: Direct firmware load for pci_wmac0.eeprom failed with error -2
    [ 12.972920] ath9k 0000:00:00.0: Falling back to user helper

    Any help would be appreciated!

    Reply
    1. Chris B - Admin Post author

      Hey Michael,

      Sounds like you’re hitting a very rare bug that I have heard of once or twice. Specifically, your device may be slightly different hardware-wise, which is causing the ethernet calibration data in the OTP to not exist.

      To help me get this issue resolved once and for all, can you please shoot me an email? Best one would be my gmail below (just remove NOSPAM from it).
      [email protected]

      Reply
      1. Michael

        Thanks for the reply, I actually had the power pin attached to the UART port (Leftmost pin). Once removed, and on external power, the firmware installed like a dream.

        Thanks again!

        Reply
        1. Alexander

          THANKS!

          Can confirm that the UART port must NOT have the 5V pin attached! But rather run the MR18 from external power! Or else the MR18 will not be able to catch the “2” at boot.

          Reply
  6. Michael

    Odd, my original post is gone…

    I’m having an issue after loading the initial firmware. After reboot, I don’t have a network connection at all. After booting busybox or the other firmware, I run ifconfig and only get a LO interface. I see eeprom errors when loading. (sorry, my original post had some copy and pastes and I’m not at home atm)

    Thanks!
    Michael

    Reply
  7. Seb

    Hi.
    Just tested it but no luck.
    I’ve checked on my dhcpd that the mr18 got an IP address but can’t update firmware: still getting connection time-outs. I also verified that the lede file is available with a simple browser.

    For information, I couldn’t update the serial number either. Another protection system?

    Reply
    1. Chris B - Admin Post author

      Hello,
      Can you please confirm you did the device reset using the reset button? If this is not done, this may explain why the process failed. Also can you share what firmware version you are on?

      Reply
  8. Isa

    Weird thing happens to me.
    I am on 23-191963. I tried the method here, but the odm firmware command does not recognize the URL as http or ftp, so the “why this works” part does not work! I have rechecked the command:

    odm firmware part2 192.168.11.3:80/lede-ar71xx-nand-mr18-initramfs-kernel.bin

    still “not an http or ftp url: 192.168.11.3:80/lede-ar71xx-mr18-initramfs-kernel.bin”

    weird

    Reply
    1. Isa

      Turns out putting quotes around the url can override the double forward slashes’ stripping, so this worked:

      odm firmware part2 "http://192.168.11.3:80/lede-ar71xx-nand-mr18-initramfs-kernel.bin"

      now my mr18 boots LEDE!

      Reply
      1. Dje

        Hi,

        I’m with build 22-131521, and I got “not an http or ftp url: 192.168.11.3:80/lede-ar71xx-mr18-initramfs-kernel.”

        Using quotes or not, same problem… I tried other tutorials with no wget on busybox, and no device /dev/mtdblock2 for dd-ing initramfs to mtdblock2.

        Any idea?

        Reply
        1. giuliano

          try this: do not copy and paste the command up to the name of the firmware, it might be that the source of the text you are copying contains unwanted formatting characters.

          Reply
  9. Meekly

    Hi,
    I got root access to my Meraki MR18, but I get stuck when it comes to the initramfs boot; when I push ‘2’ it keeps logging this:
    Got magic key 2[ 2.320000] Mapping 8388608 bytes for /dev/mtdblock/part2
    Got magic key 2[ 3.068000] Mapping 8388608 bytes for /dev/mtdblock/part2
    Got magic key 2[ 3.816000] Mapping 8388608 bytes for /dev/mtdblock/part2
    Got magic key 2[ 4.568000] Mapping 8388608 bytes for /dev/mtdblock/part2
    Got magic key 2[ 5.316000] Mapping 8388608 bytes for /dev/mtdblock/part2

    and if I stop pushing 2 I get this:

    [ 6.064000] UBIFS: un-mount UBI device 0, volume 1
    [ 6.068000] Starting new kernel
    [ 6.072000] Will call new kernel at 80060000
    [ 6.072000] Bye …

    Did anyone experience this behavior?

    Reply
    1. Chris B - Admin Post author

      Hello,

      This means you are holding down “2” too late in the boot process. You need to ensure that you are pressing “2” as soon as the device is powered on, as this needs to be seen by the bootloader. From the output you shared, it seems you were not pressing 2 until the stock firmware started booting.

      Reply
      1. giuliano

        I experience the same behaviour. Firmware 24-201611211457-G69d4dc09-mantua
        I tried many times, but the result is the same. Why is it that pressing 2 too late brings the machine anyway to a different state than not pressing it at all?
        I’ll give it another go, but this time by resetting rather than unplugging the PoE. I suspect taking power off disables the serial interface too long, making it impossible to have the 2 detected early enough. Does it make sense?

        Reply
        1. giuliano

          Found what might be the original poster’s problem, and is my problem: upon booting having pressed 2 I get an error:

          loading fw at 4352
          hdr: [0x3c21444f : 0x43545950 : 0x45206874 ]
          part2: invalid magic, expected 0x8e73ed8a versus 0x3c21444f
          bootkernel 1 failed!

          However, checking the file:
          hexdump openwrt-ar71xx-nand-mr18-initramfs-kernel.bin | head
          0000000 8e 73 ed 8a 00 00 04 00 00 60 ec 6c a6 f9 25 a2

          so the magic appears totally different to what the loader sees.

          Reply
          1. giuliano

            SOLVED for Firmware 24-201611211457-G69d4dc09-mantua:
            PROBLEM: wget ignores the part of the URL after the /, so anything in:
            odm firmware part2 192.168.2.1/BLAHBLAH
            results in a request for /
            SOLUTION: rename your firmware so that it is served as the index file. I used apache so that I could see what was happening and because of better control.
            In the serial console you will see, when downloading the firmware:

            firmware.tmp 100% |*******************************| 7169k 0:00:00 ETA
            and then, after the Erasing lines, a lot of Writing lines; before, I would see only the Erasing ones…

            So:

            BusyBox v1.26.2 () built-in shell (ash)

                 _________
                /        /\      _    ___ ___  ___
               /  LE    /  \    | |  | __|   \| __|
              /    DE  /    \   | |__| _|| |) | _|
             /________/  LE  \  |____|___|___/|___|                      lede-project.org
             \        \   DE /
              \    LE  \    /  -----------------------------------------------------------
               \  DE    \  /    Reboot (SNAPSHOT, r4125-83e4ed3)
                \________\/    -----------------------------------------------------------

            I now have to see how to proceed from there, but I am happy for the moment and can go do some gardening.

          2. giuliano

            after flashing the firmware I connected the iMac to the MR18 on the ethernet, set to use DHCP and yet the mac was not getting an address. So, knowing that the MR18 was on 192.168.1.1, I simply set the address of the iMac ethernet manually. I was then able to connect to the MR18 web interface and proceed like instructed on this page.
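The boot error in this thread (“invalid magic, expected 0x8e73ed8a versus 0x3c21444f”) is worth decoding: 0x3c21444f is the ASCII text “<!DO”, the start of an HTML document, so the access point had stored a web page (the server’s index or an error page) in part2 instead of the image, exactly as the follow-up found. An added pre-flight check (not tooling from the post or from LEDE) that fetches the same URL the device will use and inspects the first bytes catches this before anything is written to flash. It assumes the magic value and the good-image header bytes shown in this thread; the function names, the sample blobs and the checking policy are this illustration’s own.

```python
"""Added illustration, not the post author's tooling. Facts taken from the
comment thread: the MR18 bootloader reports 'expected 0x8e73ed8a' for the
part2 image, a good image starts with bytes 8e 73 ed 8a, and the bad download
began 0x3c21444f, which is the ASCII text "<!DO" (an HTML page served in
place of the file). Everything else here is constructed for the example."""

import struct
import urllib.request

PART2_MAGIC = 0x8E73ED8A   # value the bootloader printed as "expected"

# Constructed samples: the first 16 bytes as shown in the thread's hexdump of a
# good image, and a typical directory-listing page of the kind a web server
# returns when asked for a path it does not serve.
GOOD_HEAD = bytes.fromhex("8e73ed8a000004000060ec6ca6f925a2")
HTML_HEAD = b"<!DOCTYPE html>\n<html><body>Index of /</body></html>\n"


def check_image_header(blob: bytes) -> str:
    """Return 'ok' when the blob carries the part2 magic, otherwise a reason
    string that starts with 'too short', 'html' or 'bad magic'."""
    if len(blob) < 4:
        return "too short: %d bytes" % len(blob)
    magic = struct.unpack(">I", blob[:4])[0]          # big-endian, as printed by the loader
    if magic == PART2_MAGIC:
        return "ok"
    if blob[:16].lstrip()[:1] == b"<":                # "<!DOCTYPE" / "<html>": a page, not an image
        return "html: server answered with a web page (0x%08x = %r)" % (magic, blob[:4])
    return "bad magic 0x%08x, expected 0x%08x" % (magic, PART2_MAGIC)


def check_image_file(path: str) -> str:
    """Check a local copy of the image before serving it."""
    with open(path, "rb") as f:
        return check_image_header(f.read(16))


def check_served_image(url: str, timeout: float = 5.0) -> str:
    """Request the URL exactly as the access point will (after the http://
    fallback), and judge what the server actually returns. Needs the HTTP
    server from the instructions to be running, so it is not run offline."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return check_image_header(resp.read(16))


if __name__ == "__main__":
    print("good image header:", check_image_header(GOOD_HEAD))
    print("html instead of image:", check_image_header(HTML_HEAD))
    # Example of the live check against the server started in step 6 (constructed URL):
    # print(check_served_image("http://192.168.1.102:80/lede-ar71xx-nand-mr18-initramfs-kernel.bin"))
```

If check_served_image reports “html”, the server is answering the request with a page rather than the file, which is the condition the index-file workaround above corrects; if it reports “ok”, the bytes the device will write to part2 carry the header the bootloader expects.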

  10. Sdfr

    Hi,
    Just tried to install the firmware; I successfully did with my UART USB from a Windows computer, but I’m stuck at the boot “2” command. When I type 2 while plugging in the device, it’s like it didn’t take the command; the device tries to boot to FF.
    “ test_memoryfailed RAM BORKED: (0xa0000000) 0x5a5a5a5a != 0x0
    error booting{FF}”
    I tried with another UART program and it says: Try to boot to ÿ
    “ test_memoryfailed RAM BORKED: (0xa0000000) 0x5a5a5a5a != 0x0
    error bootingÿ”

    It’s as if my 2 command is bypassed by another one sent before it when I plug in my device.

    Maybe a problem from my UART adapter or Windows driver; I will try tomorrow on Linux.

    Just to note: I didn’t plug in the VCC, only 3 wires; the only way to successfully install firmware on part 2.

    Thanks for your work and your help 🙂

    Reply
    1. John

      > Hopefully one of these days I will write up the process I used to find this “exploit”.

      Could you give us a pointer or two?

      Reply
      1. Oskar

        Hi Chris,

        Does it mean the one I linked will work?
        If not, could you please post some links to adapters that do?

        Thanks in advance 🙂

        Reply
        1. giuliano

          This is the link to one on amazon.it that works on my iMac. IIRC https://www.amazon.it/gp/product/B00AFRXKFU/ref=oh_aui_detailpage_o01_s00?ie=UTF8&psc=1
          The drivers (also Mac ones) are available on the site of the chip manufacturer http://www.silabs.com.
          Remember that only TX, RX and GND must be connected, and that if you invert TX and RX it will not work. Also what are you using as a console programme?

          Reply
  11. D

    Hi, I have an MR18 with FW 24-20170207…
    and a silabs cp2102 connected to it, with RX,TX and GND,
    I can see the output, but it’s as if the pc is sending keystrokes without pressing any button,
    lines and lines of “UNRECOGNIZED COMMAND LOGGED TO CLOUD SERVERS.”
    when I disconnect the silabs’ TX, everything ok but I cannot send any keystrokes of course,
    any ideas? (can the voltages be wrong even though I see output or something?)

    Thanks,

    Reply
    1. giuliano

      on what platform are you and what are you using as terminal emulator? On Mac OS I am using serialTools, simpler to install than minicom.

      Reply
  12. Petar

    Hello,

    I’ve successfully installed LEDE on two MR18’s using this guide, thank you a lot Chris. Here’s a few tips that helped me:
    – don’t use fake PL2303 chinese TTL (you’ll recognize them as they’re very cheap), they need older drivers which cause BSOD’s on Win10
    – DO NOT CONNECT VCC! only TX, RX and GND. Also, if there’s no output on screen, reverse TX and RX
    – be very patient while trying to press ‘2’ – in my case it took half an hour of trying on one MR18. On another I managed it in the first try.

    @Chris, can you please change the sysupgrade image in https://servernetworktech.com/uploads/files/MR18-LEDE.tar.gz to newer one? The image in package shows Segmentation fault after running ‘opkg update ; opkg find something’. After upgrading to http://downloads.lede-project.org/releases/17.01.2/targets/ar71xx/nand/lede-17.01.2-ar71xx-nand-mr18-squashfs-sysupgrade.tar (from Sat Jun 10 17:07:45 2017) that error is gone and I could download packages.

    Reply
    1. Chris B - Admin Post author

      @Peter, the images I provide are mainly just for the initial flash, it’s expected that users will upgrade after the fact. The main reason I offer an uploaded image is so a copy of the initramfs build is available, as this is not generated by the LEDE build system.

      Reply
      1. giuliano

        BTW Chris, I think I forgot to thank you for this page and your work. There’s no need to approve this post, as it is just for thanking you really!

        Reply
  13. Auroranl

    Hi,

    I successfully used this method, until step 10. When I try to flash the sysupgrade.tar file, I see this in the serial console:
    [email protected]:/# [ 204.777210] ecc unrecoverable error
    [ 204.781504] ecc unrecoverable error
    [ 204.794983] ecc unrecoverable error
    [ 204.799476] ecc unrecoverable error
    [ 204.812984] ecc unrecoverable error
    [ 204.817343] ecc unrecoverable error
    Then the mr18 reboots and I am back at the start.

    Any idea what I do wrong or how I can solve this?

    Reply
    1. Chris B - Admin Post author

      Hello,

      These errors are normal as this is the setup script making sure your caldata is configured correctly. Once rebooted, it should be fully flashed with LEDE and be good to go. Does it not boot into LEDE after you did the sysupgrade?

      Regards,
      Chris B

      Reply
