OpenWrt support for Meraki MR46

Any update?

Has anyone bumping for an update requested the source code for the MR46 from Meraki? Email open-source@meraki.com, be sure to also mention that your request covers the bootloader source code.

Meraki's standard practice is to compile the environment into u-boot, and sign the whole thing. Since the environment is in the signed u-boot, you cannot modify bootcmd.

Meraki used the same u-boot release for the ipq40xx, which contained a bug allowing you to bypass secure boot.

The MR46 is a different SoC, uses a different u-boot release: U-Boot 2018.01-RELEASE-gb0bd058b3f and as far as I know, all of their newer products come with secure boot enabled by default (meaning, there will be no code paths in u-boot that don't enforce signature verification).

It will only be possible to give a more definitive answer when we have the u-boot source code from Meraki

3 Likes

this is super helpful. I requested the uboot source code from Meraki. I will look whether the bug is present, once I get the code from them.

1 Like

Yes, very helpful, thanks! I also requested the U-Boot sources from Meraki, albeit for the MR44 which I have a few at hand to tinker with. Also checking...

1 Like

Hello any news ?

You can be sure that OpenWrt support for these newer MR's will never be realized due to their properly implemented secure boot.

I would not be that sure:

  1. Properly implemented secure boot: Something is only secure until somebody has proven it otherwise. E.g. so far most implementations had some flaws or ways to circumvent it.

  2. From a legal point of view Cisco will need to comply with the GPL and release source code of certain parts. Analysis thereof might help.

  3. Later legislation prevents vendors from locking down a device completely as this basically adverts a rightful owner repairing a device and just creates more electronic waste.

Let's see...

This could also be considered under the E.U. Right to Repair Stuff too.

You're talking about enterprise and government targeted products. Security is their paramount concern and the need to prevent non-signed firmware from running on such devices is the very first requirement to even sell to these customers. No government regulation will be created to prevent them from doing so. Don't compare them to Netgear, Linksys stuff etc.

Not true, Meraki/Cisco will take whatever buyers they can.

Whatever you want to say, secure boot is the only way forward for them.

Need I remind you that U-Boot Can and HAS been recompiled.

You clearly don't know what secure boot is. All newer Meraki products have secure boot enabled by default. Any custom u-boot that is not signed with a Meraki private key will not be allowed to run, and any image that is not signed with the Meraki private key will not be able to boot from within the signed u-boot.

Of course, as with any products, there exists a (albeit very small) possibility of some security hole in their secure boot implementation that may allow it to be bypassed.

1 Like

I DO know what it is, I'm a I.T. Guy after all. I'm just getting VERY tired of the dismissive attitudes around here.

I think that, just like in the case of MR33, without looking at the source files it is impossible to detect something like this and the possibility of interrupting the loading and entering u-boot.

Until we have the U-Boot source code from Meraki, it will not be possible to state whether any mistakes were made in the secure boot implementation.

There is no possibility to interrupt boot as on MR33 U-Boot prior to 2017; Meraki have closed the xyzzy door a long time ago. You can easily verify this yourself by dumping the flash and running strings. So any bypass would involve the use of an external flasher.


Unless you are posting to share the U-Boot source code Meraki provided, please refrain from :eggplant: measuring contests. This includes asking for updates; it is not productive.

1 Like

Hi

This first thing what i do xyzzy :slight_smile: i check all other possibility without success.

Sweet dream till eternity :slight_smile:

Secure boot means any custom uboot that is side-loaded will not run, unless it is properly signed with the vendor's private key. Where can you get that private key? Cracking RSA, ECDSA?

Welp, looks like it's time to get rid of my 46.

Stop this melodramatic nonsense.

We don't have the U-Boot source code from Meraki yet, everything in this thread so far about secure boot is all unfounded speculation.

Ship your MR46 to me, or put it on a shelf and be patient.

1 Like

Exactly. What would it take to get it, I'll write a email to them, anything else I should request for?