Adding OpenWrt support for Xiaomi "Redmi Router AX6S"/"Xiaomi Router AX3200"

That's right, I've obtained the root password deriving the serial number with your python script.
I would like to know if telnet will be disabled if I update the firmware, because it is enabled by default in the bdata partition. I disabled most of the Xiaomi services looking at the xqrepack script and applying the fixes manually; I don't want to lose telnet access by an automatic update (to flash OpenWrt when a stable release appears).
I extracted the squashfs from the latest official firmware and applied the xqrepack script (https://github.com/geekman/xqrepack/), but I don't know how to rebuild the firmware image again, because the script was made for ubifs firmware. Does someone know how to "glue" the firmware back together again?
Sorry if I'm being a little off-topic.

Looks like mine finally arrived today. Guess mine is the Chinese version and doesn't have telnet enabled. So sad.

{"telnet":false,"init":true,"wl0_ssid":"xxx_plus_5G","ssh":false,"version":"1.0.19","facmode":false,"4kblock":false,"secboot":false,"wl1_ssid":"xxx_plus","uart":false}

Looks like I'm off to dig for some exploits

While they do have fairly distinct model names, the global model name is fairly generic sounding.

Hopefully no sellers will attempt to make misrepresentations... (Ha!)

I was trying to find this router in the FCC's database. I expected it to be 2AFZZ RB01 or RB03, but did not find any entries. I did find the Xiaomi Mi 4A under RB02. FCC search

Should I expect the x3200 version (RB01) to appear in the US FCC database at some point, or would it be under a different ID? Are there equivalent non-US databases that it appears in?

Aliexpress will ship an AX6S or x3200 to the US, but I have thoughts about it lacking an FCC ID and whether it's actually legal to possess, to use, to engage in interstate commerce with, etc.

I've discovered some things:
Telnet is enabled by default
MTD is write-enabled by default

If you want to edit the Bdata partition and the mtd is RO, you can set it RW by editing the crash partition. First make a dump of the partition and edit it with a hex editor like this:
image
and save it like edited_crash.img
Then copy it back to the router and write it to the crash partition:
mtd write /tmp/edited_crash.img crash

Reboot and the mtd partitions will be RW.
If you want to set the mtd to read-only again:

mtd erase crash

If you want to enable RW, just reflash the modded crash partition.

I've dumped my bdata partition and edited it to enable ssh, uart, and boot wait, and then re-flashed the bdata partition with the modifications, erased the crash partition to set the bdata partition RO, and then updated the router to the latest version (1.0.71).

Telnet was still enabled and my modifications were still there.

The crash partition modification also works in the AX1800, so I think it is something common to Xiaomi routers.


Full dump of nand: https://drive.google.com/file/d/1GoWfwbHYtMgjcCJp7aFWozTFQbreXelo/view?usp=sharing (RB03, FW v1.0.19)

I will receive a global one that hopefully has telnet enabled soon.
What are the steps to get OpenWrt to the unit?
Start the dropbear service and, the firmware and install it using mtd?

Or is there anything else necessary?


Just received the "Global" version:
{"telnet":false,"init":false,"wl0_ssid":"xiaomi-router_5G","ssh":false,"version":"1.0.50","facmode":false,"4kblock":false,"secboot":false,"wl1_ssid":"xiaomi-router-rb01","uart":false}

You should try to enable root access with openwrt invasion, if it works, just take a dump of your bdata partition, enable uart, ssh, etc. then just wait for an openwrt release.


Did it come with that firmware version by default or did you have it hooked up to a network and it auto-updated?

The latest version reported by my router is 1.0.71, so I think it came with that version.

All simple ways to get root were fixed back in 2021.


1.0.50 out of the box; it's trying to upgrade to 1.0.69 but I'm blocking it.

I can’t understand why Xiaomi's servers offer different firmwares for downloading.

How to edit the bdata partition from a dump to enable ssh, uart, boot wait, telnet.
I'll use the dump posted a few posts above: dump_AX6S_1.0.19_data_512-16.bin
You'll need a hex editor; I use HxD.

First we'll check the checksum.
Open the dump with HxD.
Search -> Go To -> 180000
image

Take note of the first 4 bytes, in this case:
42 66 F9 39; that's the bdata partition checksum in reverse order:
image

so we'll check this:
Edit -> select block
Start Offset -> 180004 (Bdata partition minus the 4 bytes of the checksum)
End Offset -> 18FFFF (end of data)
image

And then:
Analysis -> Checksums -> CRC-32
Result:
CRC-32: 39F96642

So if you look at the first 4 bytes of the partition
First 4 bytes: 42 66 F9 39
CRC32: 39 F9 66 42

CRC32 is the same as the first 4 bytes in reverse order so it's ok.

Now we'll edit the bdata values: just overwrite the 0 with 1, don't press backspace or delete the value.
If you want to enable boot wait, just add it at the end of the variables; don't add a space with the spacebar, just add it after "one point" (just look at the picture).

Now, the checksum needs to be corrected after we altered the data, so:
Edit -> select block
Start Offset -> 180004 (Bdata partition minus the 4 bytes of the checksum)
End Offset -> 18FFFF (end of data)

And then:
Analysis -> Checksums -> CRC-32
Result:
CRC-32 048308DE
image

So the checksum changed:
CRC-32 048308DE
Reversed: DE088304

So we need to change the first 4 bytes; remember just to overwrite without deleting.

And now save it and flash it.
image

If you dump only the bdata partition the procedure is exactly the same, but obviously the offsets are different.
The AX1800 bdata partition doesn't contain the telnet_en, ssh_en, uart_en, or boot_wait variables, so you must add them like the boot_wait in this example.

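The checksum layout the post above walks through in HxD (a 4-byte little-endian CRC-32 in the first bytes, computed over everything from offset 4 to the end of the partition, to be recomputed after any in-place edit) can also be checked and fixed up with a small script. This is an added example, not code from the thread; it works on a constructed sample partition, and the assumption that the variables are stored as NUL-terminated key=value strings padded with 0xFF is mine, not taken from the post.

```python
import struct
import zlib

# Constructed sample bdata layout for this example (not a real dump): a 4-byte
# little-endian CRC-32 of everything after it, then the data area. Storing the
# variables as NUL-terminated key=value strings padded with 0xFF is an assumption.
PART_SIZE = 0x10000  # bdata occupies 0x180000-0x18FFFF in the full dump, i.e. 64 KiB

def crc_of_data(part: bytes) -> int:
    """CRC-32 over the data area (offset 4 to end), the block selected in HxD."""
    return zlib.crc32(part[4:]) & 0xFFFFFFFF

def stored_crc(part: bytes) -> int:
    """The first 4 bytes read little-endian (bytes 42 66 F9 39 -> 0x39F96642)."""
    return struct.unpack_from("<I", part, 0)[0]

def verify(part: bytes) -> bool:
    return stored_crc(part) == crc_of_data(part)

def fix_crc(part: bytes) -> bytes:
    """Rewrite the first 4 bytes so the partition verifies again after an edit."""
    return struct.pack("<I", crc_of_data(part)) + part[4:]

def make_sample_bdata(variables: dict) -> bytes:
    body = b"".join(f"{k}={v}".encode() + b"\x00" for k, v in variables.items())
    return fix_crc(b"\x00" * 4 + body.ljust(PART_SIZE - 4, b"\xff"))

def set_value(part: bytes, name: str, value: str) -> bytes:
    """Overwrite an existing value in place (same length, never insert/delete) and fix the CRC."""
    key = f"{name}=".encode()
    start = part.find(key, 4)
    if start < 0:
        raise KeyError(name)
    vstart = start + len(key)
    vend = part.index(b"\x00", vstart)
    if vend - vstart != len(value):
        raise ValueError("value must be overwritten with one of the same length")
    return fix_crc(part[:vstart] + value.encode() + part[vend:])

def add_variable(part: bytes, name: str, value: str) -> bytes:
    """Append name=value after the last entry, consuming padding so the size is unchanged."""
    end = part.rfind(b"\x00", 4) + 1  # byte after the last NUL terminator
    entry = f"{name}={value}".encode() + b"\x00"
    if part[end:end + len(entry)] != b"\xff" * len(entry):
        raise ValueError("no free space after the last entry")
    return fix_crc(part[:end] + entry + part[end + len(entry):])
```

Run verify() on a real dump before editing it: if the stored and computed values already disagree, either the offsets or the assumed layout are wrong for that device and nothing should be written back.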

Firmware 1.0.71 for RB01 (2022-01-11)
http://cdn.awsde0-fusion.fds.api.mi-img.com/xiaoqiang/rom/rb01/miwifi_rb01_firmware_bbc77_1.0.71_INT.bin

https://drive.google.com/drive/folders/1s8dvZEUg_xuIJyfrgJgkyTZCkh8bRhSE?usp=sharing

I figured I should probably build some images for distro.

Probably test the tftpboot over uart first if you can, since I built these on a potato Ampere server, as I don't have access to my usual build environment...

Also realised that the vuln probably only affected the Chinese units. Gotta love their software branches.


Thank you! So what is the best way to flash those images? A short instruction perhaps?


Anyone tried to flash it with a clip? I don't like to solder, really.

It's hard to flash a WSON-8 flash using a clip: it is nearly impossible for it to touch the pins. Even if the clip can connect to all 8 pins, you may still need to cut down the VCC line on the PCB to prevent it from "stealing" the power from your flasher. (The same is true for SOP-8 flash chips. That's why a flash clip is usually a useless thing, lol)