Problem with flash Meraki MR18

Hi,

I try to change firmware on Cisco Meraki MR18 with firmware rootfs-25-201804051805-G885d6d78-dhow-rel.
I entered diagnostic mode as root and have a working network. So I can use tftp to transfer a new firmware. Maybe someone know how to properly use dd, because odm is not accessible in diagnostic mode?
Should I use Method A from https://openwrt.org/toh/meraki/mr18#flashing_method_a?

in /dev there is no rootfs file.
ls /dev
caldata i2c-3 mtdblock3 mtdr0 ptyp2 tty1 ttyp1
console kmem mtdblock4 null ram0 tty2 ttyp2
dk0 mem mtdblock5 nvram random ttyS0 urandom
dk1 mtd0 mtdblock6 ptmx sda ttyS1 watchdog
i2c-0 mtdblock0 mtdblock7 pts sdb ttyS2 zero
i2c-1 mtdblock1 mtdblock8 ptyp0 tty ttyUSB0
i2c-2 mtdblock2 mtdblock9 ptyp1 tty0 ttyp0

cat /proc/mtd
dev: size erasesize name
mtd0: 07fe0000 00020000 "meraki"
mtd1: 00020000 00020000 "caldata"

cat /proc/mounts
rootfs / rootfs rw,relatime 0 0
/proc /proc proc rw,relatime 0 0
devpts /dev/pts devpts rw,relatime,mode=622 0 0
none /tmp ramfs rw,relatime 0 0

cat /etc/fstab
/proc /proc proc defaults 0 0
devpts /dev/pts devpts mode=0622 0 0

I can use HTTP:


but there is no option to upload firmware.

Any idea, what to do next?

For anyone, who would like to enter diagnostic mode:

  1. Connect PC through UART, but without Vcc.
  2. Press reset button.
  3. Plug power to a router and wait for a LED to flash.
  4. Relase reset button and wait for restart and # prompt.

Tarts5 mentioned here: https://forum.openwrt.org/t/solved-flashing-mr18-and-latest-up-to-date-firmware/14369/3 that used "2" button and got into 25.9 (downgrade) version of firmware, but I do not know how to do it.

Try to use any portable Linux OS to connect through UART, like Kali Linux, I was have the same problem using W10. After start boot AP I can't use "2" button. On linux it's was work perfect.

I tried it but without any effect. @YakovOnline - are You sure You have version 25.11+?

I realized that before Meraki goes to diagnostic mode it write these logs:

[   16.804000] Mapping 8724480 bytes for /dev/mtdblock/diagnostic1
[   16.828000] Ehdr.e_entry = 80211840 Ehdr.e_phoff = 34
[   16.832000] Phdr.p_offset = 2000 phdr.p_vaddr=80002000 phdr.p_filesz=79a6bb phdr.p_memsz=15be330
[   17.804000] UBIFS: un-mount UBI device 0, volume 1
[   17.812000] Starting new kernel
[   17.816000] Will call new kernel at 80211840
[   17.816000] Bye ...

so, it is preparation, and next:

Booting QCA955x
▒inux version 2.6.31--LSDK-9.5.3.15-ga2a05dd-dirty (aacharya@dev104.meraki.com) (gcc version 4.3.3 (GCC) ) #6 Mon Nov 4 21:01:20 PST 2013
flash_size passed from bootloader = -2147434496
CPU revision is: 00019750 (MIPS 74Kc)
cpu apb ddr apb ath_sys_frequency: cpu 720 ddr 600 ahb 200
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
User-defined physical RAM map:
 memory: 08000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00000000 -> 0x00008000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00008000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
Kernel command line: console=ttyS0,115200 rdinit=/sbin/init mtdparts=ath-nand:130944k(meraki),128k(caldata) mem=128M

Look at the kernel command line: in mtd0 we have all 4 original partitions:
nandloader, part1, part2, ubi
because the end address of ubi is the same as meraki partition in diagnostic mode.
The original kernel command line looks like:
Kernel command line: console=ttyS0,115200 machtype=Meraki ubi.mtd=3 root=/dev/mtdblock8

The one trick could be to modify mtd and set proper address ranges of MTD blocks, but we must load kernel if we want it (or maybe someone knows how to do it without kernel reload?).
Another trick is to use the method with loading diagnostic mode - load to memory new image/kernel and do a soft reset if it is possible.
Or, copy some tools to MR18 (eg. mtd-tools) and use them.
Is it has any sense?

The next option is to use JTAG.
Do You think that a cheap programmer from AliExpress will works?

Best regards,
Darek

This works
usb blaster altera
with dupont cables.
Also works dlc5 & wiggler unbuffered jtag cables (only more slowly for loading in to the ram)

Thanks @larsen. I wait for ST LINK V2 which bought in my country, so at the weekend I will try it. If I will have problems I will buy Blaster :slight_smile:

Have a nice day.

I received ST LINK V2, but it has not a TDI pin, so I bought Blaster. I also found the library to Arduino: https://github.com/mrjimenez/JTAG, which could also be used. Maybe someone used it and have an idea how to flash MR18 with it?

It depends on the type of ST Link V2
https://wiki.cuvoodoo.info/doku.php?id=jtag

https://sourceforge.net/projects/stm32flash/files/