openWRT on Meraki MR 18

2020

I got an old Meraki MR18 from my dad to play around with openWRT. After some looking around the web, it seems these devices were once handed out for attending some webinar by Cisco. As they are cloud-managed devices, they are basically bricked as soon as their subscription runs out if you don't want to pay. Of course Cisco didn't want people to use their hardware with an alternative firmware and lose subscription money, so they made it comparatively hard to flash a new firmware. However, following this guide (state on date of access), it can be done using just a Raspberry Pi and a bit of patience.

While the guide is factually correct, it took me some time to properly follow it, as I was not familiar with all the tools used.

The guide uses a Raspberry Pi Rev B, but you can also follow it with a newer version, as the relevant pins are identical (at least up to the current version 4). However, to do this you will need to adjust the openOCD config. More on this later.

Preparations

Up to the section JTAG connection (OpenOCD) you can follow the guide. Here, we need to use a different cfg file when using a newer Raspberry Pi. Instead of copying the raspberrypi-native.cfg to your home directory, just use this file when using a Raspberry Pi 4.

Then you create the mr18.cfg file as described in the guide.

At this point, you should have one ssh connection open with picocom running and one terminal listening on the UART port (for me this connection sometimes sputtered out some mess, you just have to retry then).

Open up a second ssh connection and prepare it to run:

sudo openocd -f raspberrypi4-native.cfg -f mr18.cfg -c "init; halt"

at the push of the enter button.

In your first ssh terminal you can follow the router booting. Now reboot your router by powercycling. Quickly hit enter in your second ssh terminal to use openOCD to halt the Meraki during boot.

Here I ran into problems initially as the provided cfg file was not matching with my Raspberry Pi and was not halting the boot process.

After halting the boot process, OpenOCD opens a telnet connection on port 4444. To communicate with the router you now have to open a third ssh connection and run

telnet localhost 4444

to connect to openocd.

Issuing the command

resume

over telnet to openOCD will let the boot resume.

Once this all works, we prepare the images we will be using. Download a stable version of openWRT to the Raspberry Pi using wget:

wget https://github.com/riptidewave93/Openwrt-MR18/releases/download/1.0-Final/OpenWRT-MR18-V1.0-Final.tar.gz

And then use

tar -xvzf OpenWRT-MR18-V1.0-Final.tar.gz

to unpack the tarball.

Flashing

Here comes the exciting part. We halt the boot process, then change the firmware and let the device boot into our new firmware. I nearly gave up at this step but after about 30 tries it finally worked. I think what is critical is to halt the boot process as quickly as you can!

For this, ready your terminal again to halt the boot process using openocd. Once you powercycle the router, immediately run the openocd command (from what I can tell you have less than 1 second).

Telnet into openocd:

telnet localhost 4444

and then issue the following commands over this connection:

mww 0xb8060008 0x0

load_image openwrt-ar71xx-nand-mr18-initramfs-kernel.bin 0x8005FC00

This takes around 30 seconds.

verify_image openwrt-ar71xx-nand-mr18-initramfs-kernel.bin 0x8005FC00

This verification often failed for me and took a long time. After a couple of attempts I just stopped verifying the image; I think you can't break anything by not doing it.

reg r4 0

reg r4 0

reg r5 0

reg r6 0

reg r7 0

resume 0x80060000

If you can't see anything in the serial monitor, you restart the whole ordeal. Once you see the device booting you have succeeded, congratulations!

You can then follow the guide from section Flashing OpenWrt until the end.

Configuration

To configure your openWRT installation you have to connect to the Meraki over ethernet. Then you can access the WebGUI at 192.168.1.1. Once I was able to connect to the WebGUI and changed the default password, I started to adjust some settings.

First I enabled the two WiFi modules; the third one is apparently just used to look for busy bands and switch away from those to ensure a good service.

The default configuration for the Meraki is a bit weird as it only has one ethernet port. All three physical interfaces (2.4 GHz, 5 GHz and ethernet) are combined into one bridged interface. When you connect your computer

So to use the Meraki as an access point, I excluded the ethernet port from the bridged interface and created a new virtual interface called "WAN" which only includes the ethernet port. This interface is then set to DHCP client.

After a reboot I was able to access the Meraki over WiFi.

Besides the WebGUI, you can also ssh into openWRT to change configs. We use this to download a DNS-based ad blocker.

ssh into openwrt with:

ssh root@192.168.50.1

Then update the package list of the opkg package manager:

opkg update

Hint: good practice for connected systems running Ubuntu, for example, is to auto upgrade all the packages from time to time. DO NOT upgrade all packages of your openWRT installation (e.g. by issuing opkg list-upgradable | cut -f 1 -d ' ' | xargs opkg upgrade) as it can lead to a non-working installation. I learned this the hard way and had to reset all my configurations.
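One way to act on this hint, as an added example that is not part of the original post: upgrade only the packages you installed yourself instead of everything opkg reports. The allowlist, the function names and the sample output below are assumptions made for illustration; the list-upgradable format is assumed to be "name - old version - new version".

```shell
#!/bin/sh
# Added example: pick only allowlisted packages out of `opkg list-upgradable`
# output instead of piping every package name into `opkg upgrade`.

# Packages installed by hand in this guide (assumption: adjust to your setup).
ALLOWLIST="adblock luci-app-adblock uclient-fetch libustream-mbedtls tcpdump-mini"

# Reads list-upgradable lines ("name - old - new") on stdin and prints the
# names that are on the allowlist, one per line. Kernel modules, libc,
# busybox and other base packages are dropped.
select_upgrades() {
    while read -r name _rest; do
        [ -n "$name" ] || continue          # skip blank lines
        case " $ALLOWLIST " in
            *" $name "*) printf '%s\n' "$name" ;;
        esac
    done
}

# Constructed sample of list-upgradable output (not from a real device).
sample_upgradable() {
    cat <<'EOF'
kmod-ath9k - 4.4.14-1 - 4.4.15-1
busybox - 1.24.2-1 - 1.24.2-2
adblock - 1.4.9-1 - 1.5.0-1
libc - 1.1.14-1 - 1.1.15-1
tcpdump-mini - 4.5.1-4 - 4.8.1-1
EOF
}

# On the router the selection would be used like this; the loop body never
# runs when nothing is selected, so opkg is not called without a package name:
#   opkg update
#   for p in $(opkg list-upgradable | select_upgrades); do opkg upgrade "$p"; done

# Show the selection on the sample data: prints adblock and tcpdump-mini.
sample_upgradable | select_upgrades
```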

opkg install adblock

opkg install luci-app-adblock

opkg install uclient-fetch

opkg install libustream-mbedtls

opkg install tcpdump-mini

reboot

To configure the adblocker we go back to the WebGUI.

Go into "Services" -> "Adblock"

Then set startup trigger and dns report.

I wanted my Raspberry Pi to have a static IP address as I am using it as a local server to test various things. You can do this as follows:

"Network" -> "DHCP and DNS" then select "Static Lease".