Free the Meraki

So, around 3 years ago, we had some Meraki access points at work. I was pretty keen on the tech, but less so on the licence model, where you pay the going rate for an access point, and then have to pay for a licence to use it, or it becomes useless, because it will only work if connected to Meraki’s cloud managment.

This is no longer true, and became untrue a while ago, and as the Meraki APs we had have come due for renewal, and have been replaced, I had one thrown in my direction.

A bit of searching threw up a few pages suggesting OpenWRT will work just fine, with a couple of caveats about the difficulty of rooting the device to gain enough access to overwrite the Meraki firmware: they’d really rather not let you do this- they give away sample access points, so maintaining their licence model is the way they make money.

Anyway, I already had a CP2102 USB-Serial (TTL level) converter I’d bought to have a play with one of those dodgy webcams, so I bought a PSU from Ebay, and got out the soldering iron, PuTTY, and an ethernet crossover cable.

The basic instructions are here, but to get root, I had to follow the procedure here, and indeed root the standard firmware (to get a reboot command, as my AP would not boot properly with the UART connected to the laptop).

The first challenge was getting the UART cabled correctly: the phrase

an UART adapter wired to the MR18 (speed is 115200). Pinout (left to right): VCC/RX/TX/GND

was misleading for me: first of all, that is corrrect if you hold the AP with the connector at the top like in this picture, and secondly, the RX/TX desgnation refers to which pins you need to connect from the CP2102, rather than their function on the AP, so I had some fun getting the UART cabled.

The second, but not hard, challenge was installing a web server, and realising that openwrt-ar71xx-nand-mr18-initramfs.bin had changed name to openwrt-ar71xx-nand-mr18-initramfs-kernel.bin in a later version.

The third challange was that the AP got stuck in a boot loop from cold with the UART connected, though a warm boot was fine. That wasn’t a problem for the initial rooting (where you hold down “S”), as there’s enough time during the boot cycle after powering up the AP, but when it came to booting the OpenWRT image, I couldn’t hit “2” in time: I resolved this by rooting the Meraki firmware to get a reboot command, then hitting “2”.

With those out the way, it was as simple as setting an appropriate fixed IP on the laptop, connecting the ethernet crossover, logging in to the newly booted image’s LUCI interface, and applying the full firmware image, which erases the Meraki firmware once and for all, and you have a free MR18 🙂

3 Responses to “Free the Meraki”

  1. Willenhall Lad Says:

    Top job!

  2. species5618 Says:

    VERY interesting, a quick trawl of ebay show they are cheap enough
    i need to sort out some issues with wifi the back of my house (or face rebellion from the kids) , and been looking at budget TP-link routers and open-wrt, but wrt seem to be a little behind,

  3. stymaster Says:

    If you agree to sit in on a webinar, they might send you one. Whether the exploit will work is another question.


This blog is protected by Spam Karma 2: 41068 Spams eaten and counting...