Build for Cisco Meraki Z1

OpenWRT firmware for Cisco Meraki Z1

Proceed with caution

Using and flashing a custom firmware is a very delicate process. You might damage your device, so proceed with care! Use this guide and firmware at your own risk.

About this build

OpenWRT already supports the Cisco Meraki Z1. However, I needed to build an additional initramfs image in order to flash the router for the first time. Plus, the TOH entry of this device at OpenWRT is incomplete and has dead links. I'll just put this here in case someone needs it.

This guide may not work on all firmware versions available for the Z1 router. I do not have any data to suggest which stock firmware versions are able to flash OpenWRT using this method. You are free to try. No permanent damage is done if your firmware version is not eligible, aside from disassembling the router.

Software and hardware prerequisites

Listed are the required software and hardware with examples.

  • Terminal client. Use minicom (Linux), PuTTY (Windows), or other preferred software. This software is used to access the router terminal, either via SSH or a serial connection.

  • SCP client. Use scp (Linux), WinSCP (Windows), or other preferred software. This software is used to transfer files between the client and the router.

  • Other operational router. You must be able to disconnect this other router from the internet. Usually you can use your working home router and annoy your family members with no internet access.

  • Local HTTP server. I use a local HTTP server on my working machine to serve firmware images to the Z1 router. In theory, you could use the SCP client to transfer firmware images to your Z1 router instead.

  • USB TTL converter. FTDI FT232RL based boards are good and cheap USB TTL converters (€1.50 on your favorite China webshop). This converter is needed to establish a serial connection between the router and your working machine using the terminal client.

Procedure

  1. Download firmware image
  2. Set up root access
  3. Backup original firmware
  4. Flash initramfs image
  5. Remove stock partitions
  6. Flash sysupgrade image
  7. Extra: Update OpenWRT to latest version

This guide assumes you follow steps 1 to 6 consecutively. You might miss some configuration or important details if you do not follow the steps correctly.

Download firmware image

First, visit my OneDrive to download an initramfs image based on LEDE 17.01.4. The initramfs image for the Meraki Z1 is not provided as a download on the OpenWRT website, and you'll need this in order to flash OpenWRT for the first time.

Second, download a recent sysupgrade image for the Meraki Z1 on the OpenWRT website. Browse to releases/<version>/targets/ar71xx/nand/openwrt-<version>-ar71xx-nand-z1-squashfs-sysupgrade.tar for the image; it should be a tar file.

Make sure you have set up all software prerequisites and downloaded the initramfs and sysupgrade images before continuing. We have to disconnect from the internet during this operation.

Set up root access

In order to start flashing we need to set up the router with root access.

  1. Power off device and remove all power and ethernet cables.

  2. Open the device. There are four screws located under the rubber pads.

  3. Connect the USB TTL converter to the serial UART interface at JP1 on the router's PCB. Look for the printed JP1 marking.

(jumper furthest away from USB port)
J1 = GND and should be connected to GND of USB TTL converter
J2 = RxD and should be connected to TxD of USB TTL converter
J3 = TxD and should be connected to RxD of USB TTL converter
J4 = Vcc and should not be connected to USB TTL converter
(jumper closest to USB port)
  4. Connect the USB TTL converter to your working machine using a USB cable. Reconnect the power cable to the router and power on the device.

  5. Open a serial connection between your working machine and the router using the terminal client. You can find the port in use with Device Manager in Windows (look for serial COM ports), or use the ls /dev/tty* command in Linux (look for /dev/ttyUSB* or /dev/ttyACM* devices). The baud rate (speed) is 115200 baud.

  6. Hold the Z1 reset button for 10-15 seconds until the LED on the device turns off.

  7. Let the device boot, and after a few minutes press enter in the terminal window. It should output <Meraki>. If you have no text output in the terminal window, check the connection between the router and USB TTL converter.

  8. Check if you can use the ODM command by typing odm help.

  9. If the router outputs the help text, continue with step 15. If you keep getting an UNRECOGNIZED COMMAND LOGGED TO CLOUD SERVERS message, repeat steps 6-8 a few times and continue with step 10 if the odm help command still does not work.

  10. Connect the WAN port of the Z1 to a LAN port of the other router. This other router must also be disconnected from the internet (unplug the WAN ethernet cable on that router).

  11. Hold the Z1 reset button for 10-15 seconds until the LED on the device turns off.

  12. Let the device boot, and after a few minutes press enter in the serial terminal. It should output <Meraki>.

  13. Check if you can use the ODM command by typing odm help.

  14. If the router outputs the help text, continue with step 15. If you keep getting an UNRECOGNIZED COMMAND LOGGED TO CLOUD SERVERS message, repeat steps 11-13 a few times. At this point the odm help command was working for me. If not, then sadly your firmware version is NOT rootable using this method. Back to reassembly...

  15. Change the serial number of your device to Q2XX-XXXX-XXXV in order to gain root access. This is part of the exploit. Please write down your original serial number if you don't know it. It's usually printed on the sticker at the bottom of the Z1 (or use the command in step 16).

<Meraki> odm serial_num write Q2XX-XXXX-XXXV
  16. Check if the serial number is changed to Q2XX-XXXX-XXXV.
<Meraki> odm serial_num read
  17. If the serial number is changed correctly, power off the device and hold down the s key in the serial terminal while powering on the device until you get a BusyBox prompt.
Got magic key s

BusyBox v1.20.2 (2014-09-19 12:42:33 PDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ #
  18. To root the firmware, use the following commands. These commands will remove some config and log files. Make a copy if you want to keep these files!
/ # cd /storage/
/ # rm ./config*
/ # rm ./odm_test.log
/ # echo "serial_allow_odm true" > ./config
/ # echo "serial_access_enabled true" >> ./config
/ # echo "serial_access_check false" >> ./config
/ # echo "valid_config true" >> ./config
/ # cp ./config ./config.local
/ # exit
  19. After entering the exit command, the device will proceed with booting.

  20. Change the serial number back to your original serial number.

m001122334455:/# odm serial_num write <your_original_serial_number>
  21. You will now have root access. Please note that you may lose root when connecting the device to the internet again.

Backup original firmware

With root access, we can now create a backup of the original firmware. You can use this in case something went wrong, or if you want to revert back to stock firmware.

  1. Disconnect all ethernet cables in case you have not.

  2. Connect your working machine to the LAN1 port on the Z1 using an ethernet cable.

  3. Retrieve the router's IP address (tip: it is the gateway address on your working machine).

  4. Set a root password using the serial terminal.

m001122334455:/# passwd
  5. List all partitions by entering cat /proc/mtd. Your partition scheme may differ, but should be the same for mtd0 up to and including mtd4.
m001122334455:/# cat /proc/mtd
mtd0: 00020000 00020000 "loader1"
mtd1: 007e0000 00020000 "bootkernel1"
mtd2: 00020000 00020000 "loader2"
mtd3: 007e0000 00020000 "bootkernel2"
mtd4: 06fe0000 00020000 "ubi"
mtd5: 00020000 00020000 "origcaldata"
mtd6: 0001f800 0001f800 "board-config"
mtd7: 0087d800 0001f800 "rootfs-wired-9-144173-1-2"
mtd8: 0086a000 0001f800 "rootfs-wired-9-144173-1-1"
mtd9: 0501a800 0001f800 "storage"
mtd10: 0003f000 0001f800 "caldata"
  6. Create a backup of loader1 by using cat and store it in the /storage/ folder.
m001122334455:/# cat /dev/mtd0 > /storage/mtd0
  7. Retrieve the backup using your SCP client. Establish a connection using SCP protocol, with username root and the password set in step 4. The address is the IP retrieved in step 3.

  8. Once you retrieved and stored the backup on your local PC, remove the backup from your router. Delete it using the SCP client or use rm in the serial terminal.

m001122334455:/# rm /storage/mtd0 
  9. Repeat steps 6-8 for the bootkernel1, loader2, bootkernel2, board-config and caldata partitions. Do this one at a time, as you may run out of memory.

  10. Also, make a backup of the storage partition. This is a big partition, so just transfer all the files in the /storage/ folder to your local PC using SCP.

  11. To verify your backups, repeat steps 6-10 once again and compare (e.g. checksum or cmp in Linux) the files retrieved in both attempts.

Flashing initramfs image

The initramfs image has to be flashed twice. Once we can confirm this flash was successful, we flash it one more time to the recovery partition.

  1. Connect your working machine to the LAN1 port on the Z1 using an ethernet cable. It should be already connected, you did make a backup right?

  2. Set up an HTTP server on your local computer to serve the initramfs image.

  3. Retrieve your computer's local IP address (tip: it is the IP address assigned by the Z1's DHCP).

  4. Download the initramfs image onto your router in the /storage/ folder using wget in the serial terminal. If the HTTP server is set up correctly, you can access the file using the IP address retrieved in step 3.

m001122334455:/# wget <url_to_initramfs_file> -O /storage/initramfs.bin
  5. You might want to verify the downloaded initramfs image. Download a second one and compare if there are any differences (there should not be any, and cmp should not return any output).
m001122334455:/# wget <url_to_initramfs_file> -O /storage/initramfs2.bin
m001122334455:/# cmp /storage/initramfs.bin /storage/initramfs2.bin
m001122334455:/# rm /storage/initramfs2.bin
  6. Write the downloaded initramfs image to the bootkernel1 partition using the dd command.
m001122334455:/storage# dd if=/storage/initramfs.bin of=/dev/mtdblock1
  7. Remove the downloaded initramfs image using the rm command.
m001122334455:/# rm /storage/initramfs.bin
  8. Reboot the router using the reboot command.
m001122334455:/# reboot now
  9. If everything is done correctly, LEDE should boot up now. Retrieve your computer's new local IP address. Do not proceed if LEDE does not boot: try to redownload and reflash the initramfs image or reflash your bootkernel1 backup. You can check the terminal prompt if LEDE is properly booted (root@LEDE:/# vs. m001122334455:#).

  10. Download the initramfs image onto your router in the /tmp/ folder using wget in the serial terminal.

root@LEDE:/# wget <url_to_initramfs_file> -O /tmp/initramfs.bin
  11. You might want to verify the downloaded initramfs image. Download a second one and compare if there are any differences (there should not be any, and cmp should not return any output).
root@LEDE:/# wget <url_to_initramfs_file> -O /tmp/initramfs2.bin
root@LEDE:/# cmp /tmp/initramfs.bin /tmp/initramfs2.bin
root@LEDE:/# rm /tmp/initramfs2.bin
  12. Write the downloaded initramfs image to the bootkernel3 partition (recovery) using the dd command.
root@LEDE:/# dd if=/tmp/initramfs.bin of=/dev/mtdblock3
  13. Remove the downloaded initramfs image using the rm command.
root@LEDE:/# rm /tmp/initramfs.bin
  14. Reboot the router using the reboot command.
root@LEDE:/# reboot now

Remove stock partitions

There are some stock partitions left on the memory which LEDE doesn't use. We can delete these before flashing the sysupgrade image in order to free up some space (approximately 100MB).

  1. List all UBI volumes with ubinfo using the serial terminal.
root@LEDE:/# ubinfo -a
  2. Remove the listed UBI volumes using the ubirmvol command, except for the board-config volume. Repeat the command for each UBI volume. Never delete the board-config volume!
root@LEDE:/# ubirmvol /dev/ubi0 -N <volume_name>
  3. Create a new volume for calibration data using ubimkvol.
root@LEDE:/# ubimkvol /dev/ubi0 -N caldata -s 252KiB
  4. Verify your UBI volume with ubinfo. It should show two volumes: the board-config volume and the newly created caldata volume.
root@LEDE:/# ubinfo -a

Flash sysupgrade image

The router is now set up to flash the sysupgrade image. Flashing the sysupgrade image will repopulate the calibration data, create the rootfs and expand the rootfs_data to use the rest of the UBI free space.

  1. Connect your PC to the LAN1 port on the Z1. It should be already connected, you did make a backup right?

  2. Set up an HTTP server on your local computer to serve the sysupgrade image.

  3. Download the sysupgrade image onto your router in the /tmp/ folder using wget in the serial terminal.

root@LEDE:/# wget <url_to_sysupgrades_file> -O /tmp/sysupgrade.tar
  4. You might want to verify the downloaded sysupgrade image. Download a second one and compare if there are any differences (there should not be any, and cmp should not return any output).
root@LEDE:/# wget <url_to_sysupgrades_file> -O /tmp/sysupgrade2.tar
root@LEDE:/# cmp /tmp/sysupgrade.tar /tmp/sysupgrade2.tar
root@LEDE:/# rm /tmp/sysupgrade2.tar
  5. Perform the sysupgrade using the sysupgrade command.
root@LEDE:/# sysupgrade -v /tmp/sysupgrade.tar
  6. Congratulations, you're running OpenWRT on the Meraki Z1! Power off the device, disconnect the USB cable between your working machine and the USB TTL converter. You can now disconnect the USB TTL converter from the main PCB and reassemble the router.

  7. You are now ready to integrate your OpenWRT powered Z1 into your network and configure the router.

Extra: Update OpenWRT to latest version

If new firmware images are released, you can easily update your Z1 router using only SSH and a sysupgrade image. No need to disassemble the router or use serial connections. Just use the LuCI web interface or follow these steps if you prefer to use the command line.

  1. Use SSH to gain shell access to your router using your terminal client. You can use the wget command to download the sysupgrade file. Use the direct file link to the sysupgrade tar provided by the OpenWRT website or serve the file yourself using a local network HTTP server.
root@OpenWRT:/# wget <url_to_sysupgrade_file> -O /tmp/sysupgrade.tar
  2. Optionally adjust the /etc/sysupgrade.conf to tell LEDE which settings should be kept during upgrading.
root@OpenWRT:/# vi /etc/sysupgrade.conf
  3. Enter the sysupgrade command to perform the upgrade.
root@OpenWRT:/# sysupgrade -v /tmp/sysupgrade.tar

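The backup check from step 11 of "Backup original firmware", as an added example that is not part of the original post: it compares two backup passes on the working machine and goes one step further by checking each dump's length against the size column of /proc/mtd, which catches a dump cut short on the router. The script name verify_z1_backup.sh, the saved mtd.txt file and the pass1/pass2 directory layout are assumptions, and the demo data is constructed.

```shell
#!/bin/sh
# Added example, run on the working machine (not on the router).
# Assumed layout: the `cat /proc/mtd` output saved as a text file, and each
# backup pass in its own directory with files named mtd0, mtd1, ...

# mtd_size TABLE DEV: partition size in bytes, from the hex size column.
mtd_size() {
    hex=$(awk -v dev="$2:" '$1 == dev { print $2 }' "$1")
    [ -n "$hex" ] || return 1
    echo "$((0x$hex))"
}

# check_dev TABLE PASS1 PASS2 DEV: print a verdict, non-zero status on failure.
check_dev() {
    want=$(mtd_size "$1" "$4") || { echo "$4: not listed in $1"; return 1; }
    for f in "$2/$4" "$3/$4"; do
        [ -f "$f" ] || { echo "$4: missing $f"; return 1; }
        got=$(wc -c < "$f" | tr -d ' ')
        # A dump cut short (e.g. /storage ran full) is smaller than the partition.
        [ "$got" -eq "$want" ] || { echo "$4: $f is $got bytes, want $want"; return 1; }
    done
    cmp -s "$2/$4" "$3/$4" || { echo "$4: the two passes differ"; return 1; }
    echo "$4: OK, $want bytes, sha256 $(sha256sum < "$2/$4" | cut -d' ' -f1)"
}

# verify_backup TABLE PASS1 PASS2 DEV...: status = number of failed devices.
verify_backup() {
    table=$1; pass1=$2; pass2=$3; shift 3
    failed=0
    for dev in "$@"; do
        check_dev "$table" "$pass1" "$pass2" "$dev" || failed=$((failed + 1))
    done
    return "$failed"
}

# demo: constructed data only. mtd0 is intact, mtd2 differs between the two
# passes and mtd6 is truncated, so verify_backup reports two failures.
demo() {
    d=$(mktemp -d) && mkdir "$d/p1" "$d/p2" || return 99
    printf '%s\n' 'mtd0: 00020000 00020000 "loader1"' \
        'mtd2: 00020000 00020000 "loader2"' \
        'mtd6: 0001f800 0001f800 "board-config"' > "$d/mtd.txt"
    for p in p1 p2; do
        head -c 131072 /dev/zero > "$d/$p/mtd0"
        head -c 131072 /dev/zero > "$d/$p/mtd2"
        head -c 4096 /dev/zero > "$d/$p/mtd6"
    done
    head -c 131072 /dev/zero | tr '\0' 'x' > "$d/p2/mtd2"
    verify_backup "$d/mtd.txt" "$d/p1" "$d/p2" mtd0 mtd2 mtd6; rc=$?
    rm -rf "$d"; return "$rc"
}

# Real use: sh verify_z1_backup.sh mtd.txt pass1 pass2 mtd0 mtd1 mtd2 mtd3
if [ "$#" -ge 4 ]; then verify_backup "$@"; else demo || true; fi
```

Keep the printed sha256 values with the backup files so a later restore can be checked against them.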

Hi,
could you help me with my problem??
Magic key s does not function...

A big thank you - awesome build doc.

I'd failed twice already until I followed your directions.
Now I have a useful Z1 instead of an unlicensed brick in the drawer! :) Now, time to test performance...

Magic key S is working buddy! Note that kernel messages can 'disrupt' your console output. Just look at line 6 and further

<some of your s'es> Got magic key s <some kernel output>
<some kernel output>
<some kernel output>
<some kernel output>
<more lines of kernel output>
<some kernel output> BusyBox v1.24.1 (2018-09-12 12:04:41 PDT)
<more of your s'es> <some warning message>
<Meraki>

However, I can see you run on a fairly recent firmware and I'm not sure the serial number exploit is still working. It looks like you do not have root yet. You should try again from the beginning.

That's nice to hear! Do you have any information about the stock firmware or busybox version that you were running before flashing OpenWRT?

Performance is really good. It's stable with full gigabit capabilities without running out of hardware resources. Barely using any RAM or storage. I'm running an adblocker and IPsec IKEv2 VPN server on the Z1. I never have to reboot the device. And the best thing: no more artificial software limitations, ugh why did they even do that bandwidth cap on this device.

I couldn't get the maximum performance out of the WiFi but it was very stable! Since this device is only 802.11 b/g/n, I now use an external UniFi access point and disabled the built-in wireless. Now my wifi is limited by the gigabit capabilities of the Z1..

Well 10 gbit networking is still too expensive, so I'm still very happy with this router running OpenWRT. And I got it almost for free because it's just a brick without license.


I have an ASUS RT-AC58U with 4CPUs I bought 2nd hand coming so I'm going to flash that with OpenWRT in client mode as my main WiFi AP, and maybe leave the Z1 as the gateway so we'll see.

Sorry, I didn't bother to note the stock firmware as it was a couple of years out of support anyway, literally just a brick!

Depending on how busy the gateway gets, (four kids streaming Netflix in HD mode over a Gb fibre connection!), I might swap out another ASUS RT-AC58U to ensure the firewall can cope with inspecting all the traffic. But I guess watching the CPU etc at peak times will let me know that. Thanks again.

Next Up - OpenWRT build for an ASUS RT-AC58U :)