While they do have fairly distinct model names, the global model name is fairly generic sounding.
Hopefully no sellers will attempt to make misrepresentations... (Ha!)
I was trying to find this router in the FCC's database. I expected it to be 2AFZZ RB01 or RB03, but did not find any entries. I did find the Xiaomi Mi 4A under RB02. FCC search
Should I expect the x3200 version (RB01) to appear in the US FCC database at some point, or would it be under a different ID? Are there equivalent non-US databases that it appears in?
Aliexpress will ship a ax6s or x3200 to the US, but I have thoughts about it lacking an FCC ID and whether it's actually legal to possess, to use, to engage in interstate commerce with, etc.
I've discovered some things:
Telnet is enabled by default
MTD is write-enabled by default
If you want to edit the Bdata partition and the mtd is RO, you can set it RW by editing the crash partition. First make a dump of the partition and edit it with a hex editor like this:
and save it like edited_crash.img
Then copy it back to the router and write it to the crash partition:
mtd write /tmp/edited_crash.img crash
Reboot and the mtd partitions will be RW
If you want to set the mtd to read-only again:
mtd erase crash
If you want to enable RW, just reflash the modded crash partition.
I've dumped my bdata partition and edited it to enable ssh, uart, and boot wait, and then re-flashed the bdata partition with the modifications, erased the crash partition to set the bdata partition RO, and then updated the router to the latest version (1.0.71).
Telnet was still enabled and my modifications were still there.
The crash partition modification also works on the AX1800, so I think it is something common to Xiaomi routers.
Full dump of nand: https://drive.google.com/file/d/1GoWfwbHYtMgjcCJp7aFWozTFQbreXelo/view?usp=sharing (RB03, FW v1.0.19)
I will receive a global one that hopefully has telnet enabled soon.
What are the steps to get OpenWrt to the unit?
Start the dropbear service and, the firmware and install it using mtd?
Or is there anything else necessary?
Just received the "Global" version:
{"telnet":false,"init":false,"wl0_ssid":"xiaomi-router_5G","ssh":false,"version":"1.0.50","facmode":false,"4kblock":false,"secboot":false,"wl1_ssid":"xiaomi-router-rb01","uart":false}
You should try to enable root access with openwrt invasion, if it works, just take a dump of your bdata partition, enable uart, ssh, etc. then just wait for an openwrt release.
Did it come with that firmware version by default or did you have it hooked up to a network and it auto-updated?
The latest version reported by my router is 1.0.71, so I think it came with that version.
All simple ways to get root were fixed back in 2021.
1.0.50 out of the box, it's trying to upgrade to 1.0.69 but I'm blocking it..
I can't understand why Xiaomi's servers offer different firmwares for downloading.
How to edit the bdata partition from a dump to enable ssh, uart, boot wait, telnet.
I'll use the dump posted a few posts above dump_AX6S_1.0.19_data_512-16.bin
You'll need a hex editor; I use HxD.
First we'll check the checksum
Open the dump with hxd
Search -> Go To -> 180000
Take note of the first 4 bytes, in this case:
42 66 F9 39 that's the bdata partition checksum in reverse order:
so we'll check this:
Edit -> select block
Start Offset -> 180004 (Bdata partition minus the 4 bytes of the checksum)
End Offset -> 18FFFF (end of data)
And then:
Analysis -> Checksums -> CRC-32
Result:
CRC-32: 39F96642
So if you look at the first 4 bytes of the partition
First 4 bytes: 42 66 F9 39
CRC32: 39 F9 66 42
CRC32 is the same as the first 4 bytes in reverse order so it's ok.
Now we'll edit the bdata values, just overwrite the 0 with 1, don't press the backspace or delete the value.
If you want to enable boot wait, just add it at the end of the variables, don't add space with the spacebar just add it after "one point" (just look at the picture)
Now, the checksum needs to be corrected after we altered the data, so
Edit -> select block
Start Offset -> 180004 (Bdata partition minus the 4 bytes of the checksum)
End Offset -> 18FFFF (end of data)
And then:
Analysis -> Checksums -> CRC-32
Result:
CRC-32: 048308DE
So the checksum changed:
CRC-32: 048308DE
Reversed: DE 08 83 04
So we need to change the first 4 bytes; remember to just overwrite without deleting.
And now save it and flash it.
If you dump only the bdata partition the procedure is exactly the same, but obviously the offsets are different.
The AX1800 bdata partition doesn't contain the telnet_en, ssh_en, uart_en, or boot_wait variables, so you must add them like the boot_wait in this example.
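As an added example (my own script, not from any post in this thread), the same CRC-32 check and fix done in Python instead of HxD: verify the stored checksum, set the flags, and rewrite the header. The offsets and the little-endian CRC come from the steps above; the NUL separator between `key=value` entries, the 0xFF filler after the last entry, and the `boot_wait=on` value are assumptions, and the sample partition is constructed, not taken from a device.

```python
import struct
import zlib

CRC_LEN = 4
BDATA_OFFSET = 0x180000   # start of bdata inside the full NAND dump (from the post)
BDATA_SIZE = 0x10000      # 180004..18FFFF means a 64 KiB partition
PAD = b"\xff"             # assumed erase-state filler after the last variable

def stored_crc(part: bytes) -> int:
    """First 4 bytes, little-endian: 42 66 F9 39 on disk reads as 0x39F96642."""
    return struct.unpack("<I", part[:CRC_LEN])[0]

def computed_crc(part: bytes) -> int:
    """CRC-32 over everything after the 4-byte header, like HxD's block selection."""
    return zlib.crc32(part[CRC_LEN:]) & 0xFFFFFFFF

def crc_ok(part: bytes) -> bool:
    return stored_crc(part) == computed_crc(part)

def parse_vars(part: bytes) -> dict:
    """Assumed layout: NUL-separated key=value entries after the CRC, then padding."""
    out = {}
    for entry in part[CRC_LEN:].split(b"\x00"):
        if b"=" not in entry or PAD in entry:
            break  # empty entry or padding: end of the variable block
        k, v = entry.split(b"=", 1)
        out[k.decode()] = v.decode()
    return out

def build_bdata(variables: dict, size: int = BDATA_SIZE) -> bytes:
    """Serialise variables into a fixed-size partition and prepend a fresh CRC."""
    body = b"".join(f"{k}={v}".encode() + b"\x00" for k, v in variables.items())
    body = body.ljust(size - CRC_LEN, PAD)
    if len(body) != size - CRC_LEN:
        raise ValueError("variables do not fit the partition")
    crc = zlib.crc32(body) & 0xFFFFFFFF
    return struct.pack("<I", crc) + body   # stored reversed, i.e. little-endian

def patch_bdata(part: bytes, updates: dict) -> bytes:
    """Refuse to touch a dump whose checksum is already wrong (likely a bad read)."""
    if not crc_ok(part):
        raise ValueError("stored CRC does not match data; re-dump before editing")
    variables = parse_vars(part)
    variables.update(updates)
    return build_bdata(variables, len(part))

def extract_bdata(dump: bytes, offset: int = BDATA_OFFSET, size: int = BDATA_SIZE) -> bytes:
    """Cut the bdata partition out of a full NAND dump."""
    return dump[offset:offset + size]

# Constructed sample partition standing in for a real dump (values are made up).
SAMPLE = build_bdata({"model": "RB03", "telnet_en": "0", "ssh_en": "0", "uart_en": "0"})
```

Use `extract_bdata` on a full dump or pass a bare bdata dump straight to `patch_bdata`; in both cases the output is the same size as the input, so nothing shifts when it is written back.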
Firmware 1.0.71 for RB01 (2022-01-11)
http://cdn.awsde0-fusion.fds.api.mi-img.com/xiaoqiang/rom/rb01/miwifi_rb01_firmware_bbc77_1.0.71_INT.bin
https://drive.google.com/drive/folders/1s8dvZEUg_xuIJyfrgJgkyTZCkh8bRhSE?usp=sharing
I figured I should probably build some images for distro.
Probably test the tftpboot over uart first if you can, since I built these on a potato Ampere server, since I don't have access to my usual build environment...
Also realised that the vuln probably only affected the Chinese units. Gotta love their software branches.
Thank you! So what is the best way to flash those images? A short instruction perhaps?
Anyone tried to flash it with a clip? I don't like to solder really.
It's hard to flash a WSON-8 flash using a clip: it is nearly impossible for it to touch the pins. Even if the clip can connect to all 8 pins, you may still need to cut down the VCC line on the PCB to prevent it from "stealing" the power from your flasher. (The same is true for SOP-8 flash chips. That's why a flash clip is usually a useless thing, lol)
I was looking through lua files to find some way to get shell access, but I'm not that experienced. So, I decided to use the hardware way.
Is it safe to cut VCC? Will the router work after that? Or do I need to fix it back?
That's unsafe. You must find an approach to re-connect it after that. remitto's method is simple and safe to a certain extent, but soldering is needed.