Yes, OpenWrt based but 'highly customized'
It looks like the serial console is read-only, I can't interrupt the boot process or get a login prompt. I do see messages like ttyS1: 8 input overruns(s) so it seems to be connected but there may be some trick needed to enable input? If you power it on while pressing the reset button it tries to do a network firmware upgrade so that's promising:
Thanks, yes it looks almost identical (not surprising). I'll have to order a SPI flasher but it seems we'll need some kind of exploit to make it useful to those that don't want to mess with hw modifications.
Thanks for this, did you by any chance capture this bootlog on first boot?
If it's like some of Xiaomi's previous NAND based devices, the console would be disabled after first boot, so you might be able to reset to stock, and enter u-boot console (option 4) and enable a few things such as:
I'll post it here since this thread already has all the other information. I just got the router and did a NAND dump. Here is the file. Maybe someone finds something or needs it after bricking his own^^
The dump was done using NANDway intended for PS3 flashing since I already had everything for it. I don't know if that affects the file.
Sadly no SOP8 pads under it. I'll have to order some Chip Quik before I try resoldering it, just in case I have to desolder it again. This time I used leaded solder and hot air but it took too long for my liking.
Much harder than with SPI flash. @Percy if you managed to do a flash dump, probably setting:
uart_en, telnet_en, ssh_en to 1 and boot_wait to 5 (replace 'off' with ' 5') would be sufficient - tell if you can access uboot after that.
Another idea is to try to find a weak point on luci (I mean trying command injection).
Here's the boot log after factory reset: https://pastebin.com/P4SVA2KU
I was unable to get a u-boot console, the bootdelay flag seems to be already in place.
@spyking I have one here too, soldered a pin header on the serial port, and am thinking of buying a flashcat USB to dump/flash the NAND flash chip. But if it's possible to abuse the system through the LuCI web interface, that would be awesome. With me the /cgi-bin/luci/;stok=d8a978fa56818ef9e091e4dcb7361c48/api/xqsystem URL is available (different stok though). So is there a known command injection vulnerability there? If so, can you provide details/links? Cheers
Wait, I just realized, I have the Redmi AC2100 (white with 6 external antennas), not the AC2100 (which is black). It is still based on the same chip though. Much of it seems the same. Here is my bootlog: https://pastebin.com/xGc9J3GC