I’m a prophet, don’t take shit, won’t harm shit — Samara Cyn, “Sinner”
Posts 3 and 4 gave the high-level overview of the load pipeline—flush, load, flush again, verify, launch. This deep-dive series rips open the actual Python and walks through the code. We’re starting with phases 0 through 2 of load_and_run(), which covers everything up to but not including the XOR verification passes.
The selfish are constantly profitin’ off the helpless — Denzel Curry, “Walking”
Post 3 gave the high-level overview of the timing attack—power on, wait 1.5 seconds, halt the CPU before Cisco’s kernel murders the JTAG interface. This post rips open mr18_flash.py and walks through every halt strategy and the main retry loop in detail. None of this is elegant. It’s the kind of code you write at 2am when you’ve already power-cycled an access point forty times and you’re starting to take it personally.
I got my mind on my money and my money on my mind — Lil Wayne, “Money On My Mind”
Every previous post in this series focused on the dramatic stuff—cache coherency nightmares, hand-encoded MIPS assembly, twenty-minute UART transfers. But none of that works without the plumbing. The mr18_flash.py script has about 300 lines of infrastructure code that handles three things: talking to a bench power supply, talking to OpenOCD over telnet, and managing the OpenOCD process itself. It’s not glamorous. It’s the kind of code you write at 1am because you’re tired of manually typing commands into four different terminals. Let’s walk through it.
Post 4 mentioned that I hand-encoded every MIPS instruction as hex constants directly in Python. Here’s what that actually looks like in practice—every trampoline, every encoding decision, and the one-bit typo that almost ruined everything.
Read more →Crocodile leather patches, baby, oh (We made it on our own) — Yeat ft. EsDeeKid, “Made It On Our Own”
Read more →
I know you’re somewhere out there, somewhere far away — Bruno Mars, “Talking to the Moon”
Okay so the kernel booted. Like actually booted. I saw Linux version 6.6.73 scroll across the UART console. The CPU was running, the scheduler was active, idle task spinning. I set up my host Ethernet at 192.168.1.2/24, pointed my browser at 192.168.1.1, and… nothing. Ping? Nothing. Telnet? Nothing. ARP? Nothing.
I be going through some things, you don’t know what I’ve been thinkin’ — YG ft. Kendrick Lamar, “Really Be (Smokin N Drinkin)”
Read more →
She said, “Where we goin’?” I said, “The moon” — Travis Scott, “SICKO MODE”
Alright so we left off with all the wires connected, the bench power supply ready, and my ESP-Prog looking like a spaghetti monster grew on my desk. Time to actually make this thing do something.
Read more →I got hoes that I’m keepin’ in the dark — Drake ft. Rick Ross, “Money In The Grave”
Okay, but really though, where do I start? Right now we know that the Meraki MR18 is cloud-locked by Cisco. Without an active Meraki dashboard license there are many niceties that I don’t have access to such as:
Read more →This is my first blog—I am not very proficient in writing, especially not technical writing and my grammar sucks, but hey who cares. I will have a series of posts talking about how I managed to install OpenWrt on a Meraki MR18 access point. I will try to explain things as I go to not leave readers in the dark, but some background technical understanding/ability to research more in-depth confusing topics will greatly help the reader.
Read more →