New method for root shell when flashing Meraki MR18

Hi folks,

I have a Meraki MR18 running the Cisco fw version 25 (the normal boot-up sequence displays /dev/mtdblock/rootfs-25-201804051805-G885d6d78-dhow-rel-1), so the methods A, B and C detailed in the wiki don't work.

Fortunately, when I was soldering the JTAG jumpers, I discovered by chance (i.e. by randomly holding the reset button one too many times) a new method of getting a maintenance root shell. It goes like this:

  • Power up the MR18, let it boot the Cisco fw. A serial cable connected to the UART should display the <Meraki> prompt, and LED2 should be cycling through RGB colours.
  • Hold down the reset button
  • LED2 starts blinking green for some seconds
  • LED2 turns off
  • Release the reset button
  • LED3 blinks orange once for around half a second
  • LED3 turns off
  • Hold down the reset button again
  • LED1 (white) and LED3 (orange) should blink on a 2-blink pattern
  • Release the reset button

(If LED3 stays orange for ~15 seconds, then you were too late holding the reset button - the MR18 is undergoing the normal boot sequence)

By doing that, I'm greeted with a BusyBox prompt on the serial console:

BusyBox v1.01 (2013.11.05-04:45+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ #

This maintenance BusyBox has network connectivity (with eth0 reachable at 192.168.1.2), httpd, telnetd, tftpd, and other niceties. I can even telnet 192.168.1.2 by using username root and passwd 5up (so in theory this allows flashing OpenWRT without opening the case!). httpd serves a generic Atheros access point configuration website, but I cannot readily see an option to upload a fw update.

By doing a cat /proc/partitions I can see that my MR18 seems to have the root fs at /dev/mtdblock0.

I guess that I could tftp the openwrt files over and then dd them. But I'm unsure as to whether the files from the current release of OpenWRT for the MR18 would work (they are a squashfs filesystem, but dd would need an initramfs image, right?). I could try with some old initramfs files, but I fear really bricking the device.

I would appreciate some guidance on what would be the best way to proceed from here :slight_smile:

3 Likes

I am in the same boat. Did you find a solution?

Hi.

It's a hopeful discovery!
Did you finally get it working with a proper firmware to flash?

Thank you in advance!

Unfortunately I haven't been able to spend much time on this. I'm still confused about what firmware image should go into which /dev/mtdblock* partition, which is the biggest hurdle.

Hi Iván

Finally I got it working. I verified all the wires, and I realized there was a little shortcut near the contacts. It was some residual tin, almost invisible. So, after cleaning everything again, I got it working. The most difficult trick after that was to stop the AP at the very beginning. Once done, everything was easy.

Do you still need some help with your AP? I'm from Spain. As I can see your nick, I think you are as well.

Regards

@oloco You mean you soldered the JTAG headers and used the method described in https://openwrt.org/toh/meraki/mr18#jtag ?

That's not what I'm looking for - my goal is to adapt "Method A" from https://openwrt.org/toh/meraki/mr18#flashing_method_a so something similar can be done with the root shell I "discovered".

The main fear is that I don't know if running dd if=/storage/openwrt.bin of=/dev/mtdblock2 on such an OEM root shell will work or not.

Not sure, but I think it's gonna be more difficult than just flashing via dd. I suppose you should tell the AP from which address you'll need to start/end. But, in case it doesn't work, I think you are going to be able to restore the original firmware using JTAG.

I hope you can find the answers soon.

Regards

For what it's worth, I discovered this shell a couple of days ago and managed to get networking up and running.

ifconfig br0 192.168.133.203 netmask 255.255.255.0 up
route add default gw 192.168.133.20
echo "nameserver 192.168.133.20" > /etc/resolv.conf

I successfully managed to download an image into RAM but failed when trying to flash it.

/ # ls /dev
caldata    i2c-3      mtdblock3  mtdr0      ptyp2      tty1       ttyp1
console    kmem       mtdblock4  null       ram0       tty2       ttyp2
dk0        mem        mtdblock5  nvram      random     ttyS0      urandom
dk1        mtd0       mtdblock6  ptmx       sda        ttyS1      watchdog
i2c-0      mtdblock0  mtdblock7  pts        sdb        ttyS2      zero
i2c-1      mtdblock1  mtdblock8  ptyp0      tty        ttyUSB0
i2c-2      mtdblock2  mtdblock9  ptyp1      tty0       ttyp0
/storage # dd if=/storage/lede-ar71xx-nand-mr18-initramfs-kernel.bin of=/dev/mtdblock2
dd: /dev/mtdblock2: No such device or address
/ # 

Since the shell runs off RAM once booted I do think something could be done. Unfortunately this would probably require a whole lot of research, trial and error, and writing some kind of script or program tool which would probably have to be compiled for the said OS and architecture.
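Added example, not part of any post in this thread: a POSIX sh pre-flight check that reads the kernel's MTD table (the /proc/mtd format) instead of trusting /dev nodes, since a node can exist with no device behind it, which is consistent with the `No such device or address` error in the post above. The function names are hypothetical, and the partition names and sizes in the sample table are constructed, not the MR18's real layout.

```shell
#!/bin/sh
# Added example: check the kernel's MTD table before writing an image.
# Function names are hypothetical; the sample table is constructed.

# Constructed sample in /proc/mtd format; NOT the MR18's real layout.
sample_mtd_table() {
cat <<'EOF'
dev:    size   erasesize  name
mtd0: 00200000 00020000 "loader"
mtd1: 00800000 00020000 "kernel-a"
mtd2: 07600000 00020000 "storage"
EOF
}

# mtd_lookup NAME [TABLE] -> prints "mtdN SIZE_BYTES ERASE_BYTES"; 1 if absent.
mtd_lookup() {
    name=$1; table=${2:-/proc/mtd}
    while read -r dev size erase pname; do
        [ "$pname" = "\"$name\"" ] || continue
        echo "${dev%:} $((0x$size)) $((0x$erase))"   # sizes are hex in the table
        return 0
    done < "$table"
    return 1
}

# mtd_preflight IMAGE_BYTES NAME [TABLE]
# Returns 0 if the partition exists and the image fits, 2 if the partition
# is not registered, 3 if the image is too large.
mtd_preflight() {
    img=$1; want=$2; tbl=${3:-/proc/mtd}
    info=$(mtd_lookup "$want" "$tbl") || { echo "no MTD partition named '$want'"; return 2; }
    set -- $info
    if [ "$img" -gt "$2" ]; then
        echo "image ($img B) does not fit $1 ($2 B)"; return 3
    fi
    echo "$1 OK: $img of $2 bytes, $(( ($img + $3 - 1) / $3 )) erase blocks"
}

# Demo on the constructed table; on a device, drop the file argument.
tmp=${TMPDIR:-/tmp}/mtd_sample.$$
sample_mtd_table > "$tmp"
mtd_preflight 5000000 kernel-a "$tmp"
mtd_preflight 9000000 kernel-a "$tmp" || true
mtd_preflight 5000000 firmware "$tmp" || true
rm -f "$tmp"
```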

Guys, did you find more about this? I have one MR18 at the desk :slight_smile: For some reason the UART console doesn't show anything but your method works and I can see the web console and telnet works. Have you found how to flash from here?