New Xiaomi router AC2100

We are expectant, thanks.

## Booting image at bc600000 ...
   Image Name:   MIPS OpenWrt Linux-3.10.14
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    3391601 Bytes =  3.2 MB
   Load Address: 81001000
   Entry Point:  81436420

Full log here: https://pastebin.com/dX3StU26


So it does run an OpenWrt-based build?

I really hope there is a chance for OpenWrt on this device. It runs well, but the UI from Xiaomi is a) pretty bad and b) mostly Chinese.

Yes, OpenWrt-based but 'highly customized'.
It looks like the serial console is read-only; I can't interrupt the boot process or get a login prompt. I do see messages like ttyS1: 8 input overruns(s), so it seems to be connected, but there may be some trick needed to enable input? If you power it on while pressing the reset button it tries to do a network firmware upgrade, so that's promising:

============================================
Ralink UBoot Version: 5.0.0.0
--------------------------------------------
ASIC MT7621A DualCore (MAC to MT7530 Mode)
DRAM_CONF_FROM: Auto-Detection
DRAM_TYPE: DDR3
DRAM bus: 16 bit
Xtal Mode=3 OCP Ratio=1/3
Flash component: NAND Flash
Date:Aug 26 2019  Time:12:47:18
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:256, ways:4, linesz:32 ,total:32768

##### The CPU freq = 880 MHZ ####
estimate memory size =128 Mbytes
#Reset_MT7530
set LAN/WAN WLLLL


NetTxPacket = 0x87FE4200

KSEG1ADDR(NetTxPacket) = 0xA7FE4200

NetLoop,call eth_halt !

NetLoop,call eth_init !
Trying Eth0 (10/100-M)

Waitting for RX_DMA_BUSY status Start... done


 ETH_STATE_ACTIVE!!
BOOTP broadcast 1
BOOTP broadcast 2

Abort
========Upgrade fail!========

Take a look at this thread:

Possibly you can use the same process.

Thanks, yes, it looks almost identical (not surprising). I'll have to order an SPI flasher, but it seems we'll need some kind of exploit to make it useful to those that don't want to mess with hardware modifications :frowning:

The same process is not possible, as we have NAND flash here.

Thanks for this. Did you by any chance capture this boot log on first boot?
If it's like some of Xiaomi's previous NAND-based devices, the console would be disabled after first boot, so you might be able to reset to stock, enter the U-Boot console (option 4) and enable a few things such as:

setenv uart_en 1
setenv ssh_en 1
saveenv

I do not have this router, so I cannot try; somebody else will have to check this.

I'll post it here since this thread already has all the other information. I just got the router and did a NAND dump. Here is the file. Maybe someone finds something or needs it after bricking their own ^^
The dump was done using NANDway, intended for PS3 flashing, since I already had everything for it. I don't know if that affects the file.


Neato, I just ordered a NAND flasher and TSOP48 adapter, but it's on the slow boat from China. Did you find anything interesting under the NAND pads?

FWIW: if you are feeling brave enough, you could try enabling the console and flashing it back.

Sadly, no SOP8 pads under it. I'll have to order some Chip Quik before I try re-soldering it, just in case I have to desolder it again. This time I used leaded solder and hot air, but it took too long for my liking.

Much harder than with SPI flash. @Percy, if you managed to do a flash dump, probably setting
uart_en, telnet_en and ssh_en to 1 and boot_wait to 5 (replace 'off' with ' 5') would be sufficient; tell us if you can access U-Boot after that.

Another idea is to try to find a weak point in LuCI (I mean trying command injection).

Similar to the R3Gv2/4A, you can just flip bootdelay from off to 5 and then try to find some weakness:

~/RouterStuff/miwifi_rm2100 $ xxd ./nand_ac2100/ac2100.bin | grep bootdelay 
000255e0: 626f 6f74 6465 6c61 7900 0000 6f66 6600  bootdelay...off.
00084010: 0062 6f6f 7464 656c 6179 3d35 0065 7468  .bootdelay=5.eth
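Both the setenv suggestion above and the xxd grep for bootdelay are about the same thing: the U-Boot environment block stored in flash. As an added example (not code from this thread or from OpenWrt), here is a small Python auditor that scans a raw dump for CRC-valid environment images and reports the console/ssh/telnet flags and boot delay that were discussed. The environment size (0x1000), the scan stride, and the sample dump are assumptions constructed for the example; the variable names are the ones named in the thread.

```python
import struct
import zlib

ENV_SIZE = 0x1000  # assumed environment size for this example; check your partition layout

def make_env_image(variables, env_size=ENV_SIZE):
    """Build a CRC-protected env image; used here only to construct sample data."""
    payload = b"".join(f"{k}={v}".encode() + b"\0" for k, v in variables.items()) + b"\0"
    payload = payload.ljust(env_size - 4, b"\0")  # CRC covers the whole padded data area
    return struct.pack("<I", zlib.crc32(payload)) + payload

def parse_uboot_env(blob):
    """Return {key: value} for one env image, or None if the CRC fails or entries are malformed."""
    if len(blob) < 8:
        return None
    stored_crc, = struct.unpack("<I", blob[:4])   # U-Boot stores a little-endian CRC32 first
    payload = blob[4:]
    if zlib.crc32(payload) != stored_crc:
        return None
    env = {}
    for entry in payload.split(b"\0"):
        if not entry:                 # an empty entry terminates the list
            break
        if b"=" not in entry:         # real entries are always key=value; reject junk matches
            return None
        key, _, value = entry.partition(b"=")
        env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def find_env_blocks(dump, env_size=ENV_SIZE, stride=0x800):
    """Scan a raw flash dump at aligned offsets for env images whose CRC verifies."""
    found = {}
    for off in range(0, len(dump) - env_size + 1, stride):
        env = parse_uboot_env(dump[off:off + env_size])
        if env is not None:
            found[off] = env
    return found

def debug_interface_report(env):
    """Pull out the variables the thread discusses: console/ssh/telnet flags and boot delay."""
    report = {k: env.get(k, "<unset>") for k in ("uart_en", "ssh_en", "telnet_en")}
    report["bootdelay"] = env.get("bootdelay", env.get("boot_wait", "<unset>"))
    return report

# Constructed sample dump: erased flash, one env block at 0x1000, more erased flash.
SAMPLE_DUMP = (b"\xff" * 0x1000
               + make_env_image({"bootdelay": "off", "uart_en": "0", "ssh_en": "0"})
               + b"\xff" * 0x1000)

if __name__ == "__main__":
    for off, env in find_env_blocks(SAMPLE_DUMP).items():
        print(f"env block at 0x{off:x}: {debug_interface_report(env)}")
```

On a real dump, replace SAMPLE_DUMP with the file contents and adjust ENV_SIZE to the device's env partition size; a stored CRC that no longer verifies is also how U-Boot itself decides to fall back to its built-in defaults.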

Was fooling around a bit more, and came across this titbit while grepping strings:

/luci/;stok=42822adbabf606fe7946cd2e9b98d9a5/api/xqsystem/

Could someone try the command injection?

Here's the boot log after factory reset: https://pastebin.com/P4SVA2KU
I was unable to get a U-Boot console; the bootdelay flag seems to be already in place.


Any news on this? I just ordered one :smiley:

Maybe use Wireshark to see what it expects to get over the network?

@spyking I have one here too, soldered a pin header on the serial port, and am thinking of buying a FlashcatUSB to dump/flash the NAND flash chip. But if it's possible to abuse the system through the LuCI web interface, that would be awesome. For me the /cgi-bin/luci/;stok=d8a978fa56818ef9e091e4dcb7361c48/api/xqsystem URL is available (different stok though). So is there a known command injection vulnerability there? If so, can you provide details/links? Cheers

Wait, I just realized I have the Redmi AC2100 (white with 6 external antennas), not the AC2100 (which is black). It is still based on the same chip, though, and much of it seems the same. Here is my boot log: https://pastebin.com/xGc9J3GC