Thanks for the tips that led to getting SSH. On the unit I just received and downgraded to 1.0.17, none of your commands as written worked. This appears to be due to the fact that this firmware performs some auto-filtering of characters that could lead to escape. Specifically, ';', '&' and '$' appear not to be permitted. After searching around a bit I came across this article:
In there it details that you can use newlines (%0A) [percent zero capital-A] instead of semicolons with some Xiaomi routers. With that, I was able to confirm escape via the following URL:
Which, happily, rebooted the router. From there I was able to enable nvram SSH and then deleted the "if" in /etc/init.d/dropbear by piping the dropbear contents to sed '135d' three times (which deleted the "if", the "return 0", and the "fi", to stop the init file from keeping SSH off). I then used your command to change the admin password; however, there is a password length requirement (8 characters seemed to do the trick).
I have confirmed that the %0Areboot%0A does not work on the 1.0.50 firmware (which is the latest as of this post).
Let me know if anyone would like more specifics or details. Happy to help to bring OpenWRT to this puppy.
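As an added illustration (written for this thread, not code from any poster or from the Xiaomi firmware), here is a constructed stand-in for the kind of character filter described above, next to the hardened way of handling the same parameter. The denylist, the hostname allowlist and the ping command are assumptions for the sake of the example; the point is that a denylist of ';', '&' and '$' does nothing about a newline, which the shell also treats as a command separator, while validating against an allowlist and never handing the value to a shell closes the gap regardless of which characters the filter forgot.

```python
import re
from urllib.parse import unquote

# Constructed stand-in for the firmware's filter as reported in the thread:
# a denylist of a few shell metacharacters. The real list is not known;
# ';', '&' and '$' are the ones the post says are blocked.
DENYLIST = frozenset(";&$")


def denylist_allows(decoded_value: str) -> bool:
    """True if the denylist filter would pass this (already URL-decoded) value."""
    return not any(ch in DENYLIST for ch in decoded_value)


def shell_command_count(decoded_value: str) -> int:
    """Approximate how many separate commands /bin/sh would run if this value
    were spliced into a command line: ';', '&', '|' and a newline all end a
    simple command, so a value the denylist accepts can still be two commands."""
    pieces = re.split(r"[;&|\n]", decoded_value)
    return sum(1 for piece in pieces if piece.strip())


# Hardened version: allowlist what a hostname/IPv4 literal may look like,
# and build an argv list for subprocess.run(argv) (shell=False), so no shell
# ever parses the user-supplied text. The regex is an assumed, deliberately
# strict pattern: letters, digits, '.' and '-' only, no leading/trailing '-'.
HOST_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def build_ping_argv(raw_param: str) -> list[str]:
    """Decode the query parameter, validate it, and return a safe argv list.

    Raises ValueError for anything that is not a plausible hostname or
    IPv4 address, including a value containing a newline."""
    host = unquote(raw_param)
    if not HOST_RE.fullmatch(host):
        raise ValueError("parameter is not a hostname or IPv4 address")
    return ["ping", "-c", "1", host]  # pass to subprocess.run(argv), never shell=True


def hardened_accepts(raw_param: str) -> bool:
    """Convenience wrapper: does the hardened handler accept this raw parameter?"""
    try:
        build_ping_argv(raw_param)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a benign address and the newline variant from the thread.
    for raw in ("8.8.8.8", "8.8.8.8;reboot", "8.8.8.8%0Areboot%0A"):
        decoded = unquote(raw)
        print(f"{raw!r}: denylist passes={denylist_allows(decoded)}, "
              f"shell would see {shell_command_count(decoded)} command(s), "
              f"hardened accepts={hardened_accepts(raw)}")
```

Run it as a script to see the three cases side by side: the ';' variant is caught by the denylist, the '%0A' variant sails through it yet would be executed as two commands, and the allowlist-plus-argv handler rejects both while still accepting the plain address.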
Yes, but we could still use 1.0.17 as a vector to get into the router and flash OpenWRT. Even as an install instruction it shouldn't be something difficult to do (as long as Xiaomi doesn't release firmware that blocks downgrading to 1.0.17).
What we need now is an OpenWRT build for this device, right?
Alex - as has been mentioned before, it's risky as Xiaomi could patch to prevent downgrade (and then users would be stuck with having to wire up to the serial port). I think with the amount of product out there currently, we are likely safe for now. I've also seen some other research going on around decoding the Xiaomi FW update bins, which could lead to being able to craft a Xiaomi-compliant update bin.
From an exploit perspective, I think the next step would be to figure out how to modify the uboot config in order to enable RW access to all the partitions. At that point you would have access similar to what efsg has with his serial port access. It seems to me like you could potentially do a sysupgrade to patch the currently writable partitions to get OpenWRT on there (the ax3600 does a custom process, pulling various images out of the uploaded bin and then deploying directly to partitions). However, that would still require all the drivers to be in place and, from my reading, would only put you in a one-off, hack-jobbed OpenWRT.