A liiiittle off-topic, but it piqued my interest, as I had looked at the local MQTT implementation on Xiaomi routers recently.
Check the references to json_object_new_object if you want to see what kind of responses they build to send upstream.
For example, this is what it sends on connect. (In function ma_sys_info_generate_register_payload)
However, I'm a little more worried about what they can send back to you. Sweats profusely
I really hope that does not look what I think it looks like.
Hi! Thanks for the reply!
I analysed binaries left on the device and I am worried too that there is a persistent connection to the Xiaomi network. I think this is how the mobile application for the router works - it sends commands to the Xiaomi network and the router receives them back via MQTT protocol. I think it is worth knowing for other users that this firmware is persistent-connected to receive many/different commands (RCE).
(btw. Xiaomi can send commands using api.miwifi.com/rom_config.)
I wonder if this can be used to root the router by spoofing the mqtt server IP. Is there any encryption/authentication taking place?
Xiaomi firmware uses mosquitto MQTT client.
I've installed "Mosquito MQTT server" on my linux box and redirected the connection from the router to my server (option BROKER_HOST in /etc/config/messaging on the router).
Does it uses any authentication? Yes it does but I skipped it using 'allow_anonymous true' in mosquitto config.
Does it uses any encryption? Yes it does - messages from the router are encrypted. I think that messages from the xiaomi network may be encrypted too but I haven't seen any.
I haven't made a connection to xiaomi mqtt server (yet, no time).
Can it be used to root the router (...)?- I think this may be possible if we upload our own (PEM) certificates. This path should be definitely explored.
Nobody manage to activate guest mode on all mesh nodes with fw 3.0.34??
I'm using 3.0.34 global (AX1800 white), but there's some error that reset router can't fix. Could you send me global firmware (any version) for this router?
Could you post original 3.0.34 firmware?
Tired of waiting I decided to delve into the subject, I'm researching similar things and I believe that the contents below can add into something
Anyone able to run doh or dot? DNS-over-HTTPS or stubby..
3.0.4 root version.
https://4pda.to/forum/index.php?showtopic=992964&st=1340#entry103632561
1-3
opkg isntall https-dns-proxy
???
installing, but not running 
ln -s /lib/ld-musl-arm.so.1 /lib/ld-musl-armhf.so.1
opkg install https-dns-proxy --force-reinstall
it worked thanks,When I look at Wireshark program, dns is not encrypting.I guess because the files are old.
Hello All, once rolled back to 1.0.16 for ssh access, can I update the firmware to keep access or does it get reset?
what is this doing?
About those MQTT connections, adding those few hosts/IPs in adblock blacklist would be enough to prevent any communication with xiaomi? (I personally have gathered a pretty big xiaomi list and added the few missing ones)
I just succeeded in opening ssh port with 1.0.16 Chinese version on AX1800 (RA67). What is now best practice? To update on last available Chinese version or use the Global version included in this youtube video?
Thank.
Best regards
I believe your answers are in earlier comments, for example: Add support for Xiaomi AX1800 Wifi 6 router - #293 by sapporo111
Hi,
Thanks for fast answer. I read that message, but my question is regarding the fact that the Global version is not updated, it is old, possibly with some exploits, is it still ok to use it or is it better to go with Chinese version? If there is an answer here in this thread I am sorry, but I did not find it 
And if the advice is to go with Chinese version, should I just use the latest or is there a proven and stable version better suited. Once again thanks for your time.
Best regards
