New Xiaomi router AC2100

Thank you for your work. I have the Redmi ac2100, but my knowledge about programming is extremely poor.
I have a computer with Windows 10, and a Raspberry Pi 3 with raspbian.
I think I have everything to install but I need a tutorial for noobs.
Can anyone put here, step by step with links, how to install openwrt on my router?
There is no tutorial on YouTube, it is incredible, something which is not on YouTube!!!
Thanks in advance

So I just updated my script. It now responds to HTTP requests with local files. I tried a few things:

Summary
Forwarding HTTP request to a localhost server: Scapy doesn’t work too well on the loopback interface without OS dependent hacks.

Unpacking the IP frames and forwarding them: Worked but speed was limited to 0.2MBit/s with dropped frames. Scapy can’t handle the load.

Implementing chunked HTTP responses with Scapy: I get speeds of up to 2MBit/s since scapy only has to capture the PPPoE frames. Stuck with this one :)

After the PPPoE connection is established the script will answer to any HTTP request to files that are in the local folder with a command like “wget http://10.15.0.8/busybox-mipsel -O /tmp/busybox”

If anyone could modify the exploit shell code to, for example, wget a script file and execute it instead of generating a netcat reverse shell, we could have an exploit that works on WAN only and only has Python3, scapy and the two scripts as dependencies. No more PPPoE server setup or Netcat connection needed.

My script is far from pretty since it’s a result of trial and error so I can’t guarantee for anything but if anyone wants to improve it feel free to do so^^

@namidairo :grin: seen the posts on right.com.cn? They are already quite active with multiple tutorials all using your exploit plus some using my script^^

EDIT: WOW. Just looked through some of the tutorials. They already share a pre-made package with all the scripts you need, with an easy script that starts all the necessary services/scripts. The problem of needing 2 interfaces they simply solved by bridging LAN and WAN :rofl: So it looks like changing the shell code won't be necessary if it's not really easy, since a spare LAN cable serves the same purpose^^

I assumed WAN connectivity during payload execution would be broken because... you're doing it in pppd?

Yes, I kind of knew that the process needed to be streamlined somewhat when I saw someone post a 13 minute long video tutorial...

That's useful. More people will certainly have a spare cable as opposed to nic...

Damn... I just assumed that since the router continued to send requests it would still be able to communicate. I did all my debugging over serial without the exploit enabled since it's so unstable. Now I realized that I get the requests fine, but as soon as I ACK them pppd crashes.

Any news about this? I see there are a lot of developments on the right.com.cn forum, with also "one click unlock" guides and updated firmwares (with the same and even better wifi performance than the stock firmware).
I'm using it as my only main router and I wouldn't like to risk bricking it due to a bad Chinese translation.

Custom firmwares don't have better wireless performance. But custom firmwares are better at UPnP and other NAT stuff. I think you must hack the router before Xiaomi blocks it. But you can stay on the official firmware with a modified bootloader. You can try to install the Breed bootloader rather than openwrt. If flashing the bootloader isn't allowed on Xiaomi's firmware, you can flash openwrt, flash the bootloader, and go back to stock. Btw Percy's old method is just fine. Don't ramble with too many things and processes or "one click scripts". 2 scripts + 1 Android phone.

openwrt19.07.2 https://github.com/ioiotor/mir4-autobuild adds support for Redmi ac2100

I would like to try it as well!
Any installation instructions? - found here https://openwrt.org/inbox/toh/xiaomi/xiaomi_redmi_router_ac2100
How stable is this release?
Is it possible to go back to stock after flashing?

Openwrt 19.07.2 official branch just added mir4 and redmi ac2700 support

@ioiot Thanks for posting.
Still waiting for my router to arrive. Out of curiosity, what's the kernel version of this build?
Do you think it would be possible to use the prebuilt proprietary drivers from http://nossiac.com/download/mtk-wifi-ko/ if the open source drivers aren't fast/stable enough?

edit: there are some hints in here on how to get the proprietary driver running

You can restore it using Xiaomi's official repair tool

I am waiting for the router and will test drivers.

I am also wondering if anyone tried to test cfg80211 support of official mediatek drivers.
I managed to successfully compile mt7615 in such a way, and also, after a lot of patches, mt7603 (only the old version https://github.com/atvcaptain/mt7603u for usb dongles, which can also be compiled for PCI devices).

If it works, additional scripts (for luci and driver itself) for proprietary drivers would be unnecessary.

Can you double check that your mtd-eeprom offsets are correct? The RM2100 has the 7603 at 0x0 of factory and the 7615 at 0x8000, but you seem to have yours flipped on your R2100 dts.

Hi. I have the R2100 and I sent all my stock images to you. I don't know how to check the eeprom thing but I'm getting terrible wireless performance. Can you check it for me? Thanks...

Have you tried disabling or enabling wmm?

I had some bad performance uploading stuff to an external ftp, and when I disabled wmm it was like a boost; on the other hand, the connection is then limited to 54mb.

I don't know exactly where the bottleneck is.

Yes. I tried. I don't know what's wrong. I don't know how to contribute to development of the R2100. But in Chinese forums (right.com.cn) guys are creating interesting firmwares for the RM2100 and they are working fine. I didn't test them but I have an account on right.com.cn. If you ask for a firmware I can send the files to anybody who wants them.

Btw I have all the official MTD partitions of the R2100 backed up. If someone knows what he is doing, I can send all of them by PM. I don't know anything about openwrt development but at least I can share them with developers.

I would like to download a firmware from the Chinese forum, but to enter the forum I have to pay, so if you please download the following firmware for me I would thank you.
Here you are

I could create AsusWRT firmware for this router; I only need some time and the hardware.


DO NOT MESS UP THE TOPIC with Chinese firmware links!!! PM him!!!


Hi Percy,

I am having some odd issues for which I would request your help.

I followed all the steps and the CVE exploit appears to work well. I also started netcat listening on the proper port 31337, and if I also netcat to this port I can see a connection and chars passing between the two processes.

But even though the exploit sends a packet from IP 192.168.31.1 to the hard-coded 192.168.31.177 on port 31337, this packet is not reaching the netcat listening process.

See nc:

Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on :::31337
Ncat: Listening on 0.0.0.0:31337

Also a tcpdump on the same interface from the scripts:

04:17:11.116047 IP 192.168.31.1.48445 > 192.168.31.177.31337: Flags [S], seq 304914382, win 14600, options [mss 1460,sackOK,TS val 6079 ecr 0,nop,wscale 7], length 0

No TCP 3-way handshake, indicating this frame was not moved from the interface to netcat for some reason.

Linux cooked capture
Packet type: Unicast to us (0)
Link-layer address type: 1
Link-layer address length: 6
Source: 88:c3:97:07:a9:83 (88:c3:97:07:a9:83)
Unused: 0000
Protocol: IPv4 (0x0800)

Only difference I see is the Source Address and Link-layer address type.

Any recommendation why this connection is not working, even though the CVE exploit is apparently working just fine?

sessionid:45
src:00:e0:4c:53:44:58
dst:88:c3:97:07:a9:82
.
Sent 1 packets.

Hi all,

For some reason I cannot identify, even though I see the CVE exploit packet trying to connect to IP 192.168.31.177 on port 31337, the packet is not reaching the netcat listening process.

Then I cannot open a telnetd process to install openwrt. The exploit is working since at the interface level I see the frame passing:

04:17:11.116047 IP 192.168.31.1.48445 > 192.168.31.177.31337: Flags [S], seq 304914382, win 14600, options [mss 1460,sackOK,TS val 6079 ecr 0,nop,wscale 7], length 0

Any ideas why this frame is not reaching the netcat listening on this port?

I am using CentOS 7.8, for reference.
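The two posts above show a SYN captured on the interface with no reply, which is the signature of a packet being dropped by the host before it reaches the listening socket (a RST would mean nothing is listening, a SYN-ACK would mean the socket got it). The following added example, which is not from the thread or its scripts, classifies tcpdump one-line output into those three outcomes; the 31337 line is the one quoted in the thread, the other flows are constructed sample input.

```python
import re
from collections import defaultdict

# Regex for tcpdump's default one-line IPv4/TCP output, as pasted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture: the thread's unanswered SYN to 31337, a completed
# handshake to port 22, and a SYN to port 8080 that is answered with a RST.
SAMPLE_LINES = [
    "04:17:11.116047 IP 192.168.31.1.48445 > 192.168.31.177.31337: Flags [S], seq 304914382, win 14600, options [mss 1460,sackOK,TS val 6079 ecr 0,nop,wscale 7], length 0",
    "04:17:12.000100 IP 192.168.31.1.48446 > 192.168.31.177.22: Flags [S], seq 1, win 14600, length 0",
    "04:17:12.000200 IP 192.168.31.177.22 > 192.168.31.1.48446: Flags [S.], seq 2, ack 2, win 28960, length 0",
    "04:17:12.000300 IP 192.168.31.1.48446 > 192.168.31.177.22: Flags [.], ack 3, win 115, length 0",
    "04:17:13.000100 IP 192.168.31.1.48447 > 192.168.31.177.8080: Flags [S], seq 5, win 14600, length 0",
    "04:17:13.000200 IP 192.168.31.177.8080 > 192.168.31.1.48447: Flags [R.], seq 0, ack 6, win 0, length 0",
]

def classify_flows(lines):
    """Key each flow by (client ip, client port, server ip, server port) and report
    'established' (SYN, SYN-ACK, ACK), 'half-open' (SYN-ACK never ACKed),
    'refused' (RST from the server side) or 'unanswered' (SYN only, i.e. the
    packet never reached a socket, typically dropped by the host firewall)."""
    flows = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a TCP line we understand; skip it
        f = m.groupdict()
        flags = set(f["flags"].replace(".", "A"))  # tcpdump prints ACK as '.'
        forward = (f["src"], int(f["sport"]), f["dst"], int(f["dport"]))
        reverse = (f["dst"], int(f["dport"]), f["src"], int(f["sport"]))
        if "S" in flags and "A" not in flags:
            flows[forward].add("syn")          # client opening the connection
        elif "S" in flags and "A" in flags:
            flows[reverse].add("synack")       # server answering the SYN
        elif "R" in flags:
            flows[reverse].add("rst")          # server refusing the SYN
        elif "A" in flags and forward in flows:
            flows[forward].add("ack")          # client completing the handshake
    result = {}
    for key, seen in flows.items():
        if "syn" not in seen:
            continue
        if "rst" in seen:
            result[key] = "refused"
        elif {"synack", "ack"} <= seen:
            result[key] = "established"
        elif "synack" in seen:
            result[key] = "half-open"
        else:
            result[key] = "unanswered"
    return result

if __name__ == "__main__":
    for flow, state in classify_flows(SAMPLE_LINES).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: {state}")
```

Feed it `tcpdump -nn -i <iface> tcp` output; an 'unanswered' result for a port that `ss -ltn` shows as listening points at the host firewall rather than at the exploit or at netcat.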