Adding OpenWrt support for Xiaomi AX3600

I wish I had more knowledge what is going on here, to help you guys :smiley: But i am only .Net Developer in Microsoft world... In my free time i keep reading of forum and all openwrt stuff, soo maybe someday i can help :slight_smile:

Yes, good. I'm just giving an example. It's OK to delete 3 rows with sed, but it feels dangerous if someone accidentally operate it several times

Yes, at present, only lua script in ROM of 1.0.17 is not obfuscated

I just updated the injection URL, it will deleted 3 lines after the matched line, which is much safer.

1 Like

:+1:
Can you modify the previous cmds to fit it? It's a little simple. I don't study linux commands and regularities very much. Hmmm.....
sed -i ":x:N:s/if \[.*\; then\n.*return 0\n.*fi/#tb/;b x" /etc/init.d/dropbear;

1 Like

Done.

And I successfully obtained shell permission of the device

2 Likes

That's nice.
Can you check if it has any kind of boot verification?

There is a problem with the cmds I gave. An error will be reported during execution. I want you to help me modify it to be available...
Haha...

1 Like

could you tell me how to verify if there is any boot verification?

and here is what I got from nvram show(I removed some private information)

root@XiaoQiang:~# nvram show
CountryCode=CN
Router_unconfigured=0
boot_wait=off
bootargs=ubi.mtd=rootfs_1 root=mtd:ubi_rootfs rootfstype=squashfs rootwait
bootcmd=tftp
bootdelay=5
color=101
fdt_high=0x4A400000
flag_boot_rootfs=1
flag_boot_success=1
flag_boot_type=2
flag_flash_permission=1
flag_last_success=1
flag_ota_reboot=0
flag_show_upgrade_info=1
flag_try_sys1_failed=0
flag_try_sys2_failed=0
flash_type=2
fsbootargs=ubi.mtd=rootfs_1 root=mtd:ubi_rootfs rootfstype=squashfs
ipaddr=192.168.31.1
mode=Router
model=R3600
mtddevname=fs
mtddevnum=0
mtdids=nand0=nand0
mtdparts=mtdparts=nand0:0x23c0000@0x2dc0000(fs),
partition=nand0,0
restore_defaults=0
serverip=192.168.31.100
soc_version_major=2
soc_version_minor=0
ssh_en=1
stderr=serial
stdin=serial
stdout=serial
telnet_en=0
uart_en=0
wl0_radio=1
wl0_ssid=Xiaomi_5G
wl1_radio=1
wl1_ssid=Xiaomi
wl2_ssid=Xiaomi_E81A
nv_wan_type=
1 Like

Does the power supply have a German plug or just an adapter?

Not sure how QC's secure boot works, but try dumping uboot and kernel, see if they have anything like cert or signature attached.

If you order from china it has the chinese plug and the seller usually includes an adapter. If Xiaomi sells it in Europe they will include a european power adapter. It is the same for other devices like the xiaomi desktop lamp.

I think you could post a independent topic about how to open AX3600’s ssh. I know this from Chinese Enshan forum, but it seems hard to find in openwrt forum because it hide so deeply.

It's easy to get the ssh access. But it speed me much time to change the root password. Finally, i managed to change by using ld excute https://askubuntu.com/questions/354342/how-can-i-execute-a-file-without-execute-permissions

Ok, with ssh access now possible, and more and more folks seemingly interested, I am getting in on this early. I've been hunting around on Aliexpress, I can get 2x shipped via UPS Express Saver (7-10 days) for ~US$256. This will give me one for work and one for play. If anybody can point me to where it is cheaper, happy to know. BTW, there is clearly a serial header on board and the pinout is even silk-screened on:

https://www.acwifi.net/wp-content/uploads/2020/03/SAM_6424.jpg

1 Like

Hello,
Where can one see the algorithm from which I can derive the root password?

Hi
You can use the following code to change the root password to "admin"

http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B%20echo%20-e%20'admin%5Cnadmin'%20%7C%20passwd%20root%3B
4 Likes

Thanks,

But I am also interested in the algorithm they used to create the root password based on device SN. If you can point me in the right direction.

#!/usr/bin/env php
<?php
$salt = array(
    'r1d' => 'A2E371B0-B34B-48A5-8C40-A7133F3B5D88',
    'others' => 'd44fb0960aa0-a5e6-4a30-250f-6d2df50a'
);

isset($argv[1]) or die('Usage: ' . $argv[0] . " SN\n");
print_line(get_passwd($argv[1]));

function print_line($message) {
    echo $message . "\n";
}

function get_passwd($sn) {
    return substr(md5($sn . get_salt($sn)), 0, 8);
}

function get_salt($sn) {
    global $salt;
    if (false === strpos($sn, '/')) {
        return $salt['r1d'];
    } else {
        return swap_salt($salt['others']);
    }
}

function swap_salt($salt) {
    return implode('-', array_reverse(explode('-', $salt)));
}

link:https://blog.csdn.net/zhoujiazhao/article/details/102578244
use it like this:pi@DESKTOP-55HOBQT:/mnt/c/Users/someone/Desktop$ php a.php 10508/00771881

4 Likes

Thanks mate,
I appreciate it!