New Xiaomi Router AC2100

Hi,

I saw Xiaomi launched a new router that has a rom that should be based on OpenWrt, anyone familiar with this or have any other info?

"It arrives with Miwifi ROM, A highly customized operating system based on OpenWRT"

4 Likes

that's really not news anymore

1 Like

“Highly customized” does not imply “supported”.

1 Like

It's another Mediatek MIPS dual core so probably not too difficult to get supported but somebody would have to crack it open and get at least a boot log.

Did someone get their hands already on one of the things?

I've got one, delivered today. It works and performs well. Some weirdness is going on with the app, Mi account and location settings. Initially it set itself up with a location of 'Other'. I changed this to Europe, which is where I live, which caused the app to disconnect, device removed from my account and unable to find it. Did a factory reset and tried to set it up with location Europe but either fails to find the device, or fails to pair in the last setup step. At some point the app suggested I change location to Mainland China. Eventually I returned the location to 'Other' and it worked fine. I wonder if this is related to 5G frequencies / regulations.

The app is in English, the webif is Chinese only. It would be great to install custom firmware but as of now it doesn't even allow SSH access. I'll post logs if I'm able to get serial console access.

We are expectant, thanks.

## Booting image at bc600000 ...
   Image Name:   MIPS OpenWrt Linux-3.10.14
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    3391601 Bytes =  3.2 MB
   Load Address: 81001000
   Entry Point:  81436420

Full log here: https://pastebin.com/dX3StU26

3 Likes

So it does run an openwrt based build?

I really hope there is a chance for OpenWrt on this device. It runs well, but the UI from Xiaomi is a) pretty bad and b) mostly Chinese.

Yes, OpenWrt based but 'highly customized'.
It looks like the serial console is read-only, I can't interrupt the boot process or get a login prompt. I do see messages like ttyS1: 8 input overruns(s) so it seems to be connected but there may be some trick needed to enable input? If you power it on while pressing the reset button it tries to do a network firmware upgrade so that's promising:

============================================
Ralink UBoot Version: 5.0.0.0
--------------------------------------------
ASIC MT7621A DualCore (MAC to MT7530 Mode)
DRAM_CONF_FROM: Auto-Detection
DRAM_TYPE: DDR3
DRAM bus: 16 bit
Xtal Mode=3 OCP Ratio=1/3
Flash component: NAND Flash
Date:Aug 26 2019  Time:12:47:18
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:256, ways:4, linesz:32 ,total:32768

##### The CPU freq = 880 MHZ ####
estimate memory size =128 Mbytes
#Reset_MT7530
set LAN/WAN WLLLL


NetTxPacket = 0x87FE4200

KSEG1ADDR(NetTxPacket) = 0xA7FE4200

NetLoop,call eth_halt !

NetLoop,call eth_init !
Trying Eth0 (10/100-M)

Waitting for RX_DMA_BUSY status Start... done


 ETH_STATE_ACTIVE!!
BOOTP broadcast 1
BOOTP broadcast 2

Abort
========Upgrade fail!========

1 Like

Take a look at this thread:

Possibly you can use the same process.

Thanks, yes it looks almost identical (not surprising). I'll have to order a SPI flasher but it seems we'll need some kind of exploit to make it useful to those that don't want to mess with hw modifications :frowning:

The same process is not possible, as we have NAND flash here

Thanks for this, did you by any chance capture this bootlog on first boot?
If it's like some of Xiaomi's previous NAND based devices, the console would be disabled after first boot, so you might be able to reset to stock, and enter u-boot console (option 4) and enable a few things such as:

setenv uart_en 1
setenv ssh_en 1
saveenv

I do not have this router, so I cannot try. Somebody else has to check this.

I'll post it here since this thread already has all the other information. I just got the router and did a NAND dump. Here is the file. Maybe someone finds something or needs it after bricking his own^^
The dump was done using NANDway intended for PS3 flashing since I already had everything for it. I don't know if that affects the file.

2 Likes

Neato, I just ordered a NAND flasher and TSOP48 adapter, but it's on the slow boat from China. Did you find anything interesting under the NAND pads?

FWIW: If you are feeling brave enough, could try enabling the console and flashing it back --

Sadly no SOP8 pads under it. I'll have to order some Chip Quik before I try resoldering it, just in case I have to desolder it again. This time I used leaded solder and hot air but it took too long for my liking.

Much harder than with SPI flash. @Percy if you managed to do a flash dump, probably setting:
uart_en, telnet_en, ssh_en to 1 and boot_wait to 5 (replace 'off' with ' 5') would be sufficient - tell if you can access uboot after that.

Another idea is to try to find a weak point in luci (I mean trying command injection).
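
Added example, not part of any post in this thread: the `uart_en` / `ssh_en` / `telnet_en` / `boot_wait` edits discussed above (via `setenv` or by patching a flash dump) touch a U-Boot environment that is protected by a checksum, so a dump edited by hand needs its CRC recomputed or the bootloader will treat the environment as invalid. The sketch assumes the common U-Boot layout (4-byte CRC32, little-endian here, followed by NUL-separated `key=value` strings ending in an empty string), an assumed region size of 0x1000, and a region already extracted from the dump with no NAND spare/ECC bytes interleaved; the sample environment is constructed, not taken from this router.

```python
import struct
import zlib

ENV_SIZE = 0x1000  # assumed size of the environment region; device-specific


def build_env(variables, size=ENV_SIZE):
    """Serialize variables as CRC32 header + NUL-separated key=value strings."""
    body = b"".join(f"{k}={v}".encode() + b"\0" for k, v in variables.items())
    body += b"\0"  # an empty string terminates the list
    if len(body) > size - 4:
        raise ValueError("environment does not fit in region")
    data = body.ljust(size - 4, b"\0")
    return struct.pack("<I", zlib.crc32(data)) + data


def parse_env(blob):
    """Return (crc_ok, variables) for one environment region."""
    stored = struct.unpack_from("<I", blob)[0]
    data = blob[4:]
    crc_ok = stored == zlib.crc32(data)
    variables = {}
    for entry in data.split(b"\0"):
        if not entry:
            break  # double NUL marks the end of the variable list
        key, _, value = entry.partition(b"=")
        variables[key.decode()] = value.decode()
    return crc_ok, variables


def set_vars(blob, changes):
    """Apply changes and return a region of the same size with a fresh CRC."""
    crc_ok, variables = parse_env(blob)
    if not crc_ok:
        raise ValueError("stored CRC does not match; wrong offset or size?")
    variables.update(changes)
    return build_env(variables, len(blob))


# Constructed sample environment, not taken from a real dump.
SAMPLE = build_env({"bootdelay": "5", "uart_en": "0", "telnet_en": "0",
                    "ssh_en": "0", "boot_wait": "off"})
PATCHED = set_vars(SAMPLE, {"uart_en": "1", "telnet_en": "1",
                            "ssh_en": "1", "boot_wait": "5"})
# Editing bytes in place without touching the CRC leaves a detectable mismatch.
NAIVE = SAMPLE.replace(b"uart_en=0", b"uart_en=1")
```

`parse_env` failing its CRC check on an untouched dump is a sign that the offset, size or byte order assumed here does not match the device.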