@namidairo the reboot payload works fine on ac2100 (black cylinder) but shell doesn't open. Not sure if i'm doing something wrong, it doesn't seem to crash either. But I can't get the logs, the url you mentioned only gives a json response that logs are saved somewhere on the device?
It should give you a link to a tar.gz archive for you to download. The messages will be inside somewhere in the /data path on there. From what I've noticed, it don't spit out the mappings or useful information except when it sigsegv's.
As in you replaced stg3_SC with reboot_shell or you just uncommented the registers and return address I had commented out under "Debug Reboot"? And it actually rebooted?
If the former actually reboots, there's no reason why it shouldn't work. If it's the latter, then the addresses the modules are correct and maybe the last stack address I jump to is wrong?
I replaced stg3_SC with reboot_shell and it reboots, can see it happen on the serial console. For the shell i have nc -lvp 31337 running on a client with ip 192.168.31.177 on a lan port but nothing happens. I don't have a fully working pppoe-server setup but it seems sufficient to initiate a connection without establishing it.
Can't believe i didn't even try to download the logs, assuming it was just on the device not accessible by the webserver. I don't think it segfaults as i still see pppoe traffic in wireshark but who knows, it may get restarted. I'll spend some more time on it after the weekend.
DSA & kernel 5.4 on ramips sounds like a total cluster$%^& at the moment with many devices not booting.
Maybe give it a while before uploading any images based on 5.4 you aren't certain actually boots...
That and the instructions for flashing these devices in the commit message are going to be as long as my arm.
@namidairo
The device boots perfectly with the image I made. There may be some gpio things that are not perfectly implemented, but as far as I can tell the device runs smoothly and everything seems to work.
Regarding the the flashing instructions you are totally right. I think we have to wait a bit to get a good working method without NAND soldering external flashing etc. and describe it properly.
added to my GitHub:
by the way:
I changed the patch to address most of the changes you suggested.
https://gofile.io/?c=XWwRBp
The instructions once you get root and bring the files over should be the sameish as the mir3g instructions. Ie.
mtd write rm2100-squashfs-kernel1.bin kernel1
mtd write rm2100-squashfs-rootfs0.bin rootfs0
nvram set flag_try_sys1_failed=1
nvram commit
reboot
Well there's a decent amount of room for the payload in the exploit. One could somewhat easily change it to curl busybox off your pc, chmod a+x it, and startup telnetd all in one go. It was just that a reverse connect shell was easily available at the time. I'd imagine it would be something along the lines of
lui/ori $t0 half words to make up the parameters
sw $t0,offset $sp
move $a0, $sp
lui/ori $t9 half words that make up the system() address
jalr $t9
Then rinse and repeat for each command
Although come to think of it, people probably shouldn't use these devices with PPPoE if they don't trust their ISP...
We're probably okay in terms of brick protection, as the stock kernel will still let you tftp over a signed stock image, but I'm not too sure how that's triggered and whether it works after setting flag_try_sys1_failed in order to boot OpenWRT. Does the device uboot just boot kernel0 to do recovery when you hold reset on boot or does one need working uart in order to flip the flag back first?
2 Likes
hold reset and power on will trigger router entering recovery mode. in recovery mode, router try to get ip and boot image from bootp server. preparing stock firmware and a bootp server will help you to de-brick the router.
Xiaomi even offers a recovery tool which runs on Windows. So you only need to download the recovery tool and stock firmware. However, I remember that recovery tool comes with Chinese user interface.
1 Like
Hi,
i need help.
I buy one AC2100, but i try to make a login in a website of the router, and i dont no the password to login,
Thk
Can confirm the exploit by @namidairo works on ac2100!
It sometimes takes a couple of retries before it works but i just run the script in a loop which also works well to restart it when the shell gets killed. Sometimes after mere seconds other times it seems to keep running forever.
The password is the same as the wifi password you setup using the app
Can you please how make this step by step? I don't no how to modify mac address source - destination and interface into script. Thank you!
Updated the script to grab the mac addresses from the packet it just sniffed, and 0x200 bytes more room for payloads.
One only needs to input the interface now. (You know, and have a PPPoE server for valid sessionid.)
I suppose one could wrangle Scapy in order to send the extra couple packets to setup a pppoe session too, but effort. 
Edit:
Looks at the version of u-boot deployed on the RM2100
U-Boot 1.1.3 (Dec 26 2019 - 08:42:20)
Sigh.
1 Like
As this is the only english thread i found for this router, i have to ask here, what is the version of your router firmware?
Since i bought it i never had ANY update to it? My version is: 1.0.11
Is there actually any way to update it?
thanks.
Thks Patrick 
The images I build never have the switch come up soooo I'll just leave it up to people with uart to debug.
The last version of firmware is 1.0.14. You can download from here: http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/rm2100/miwifi_rm2100_firmware_d517e_1.0.14.bin
2 Likes
About 200 messages but I have the impression that here there is a great confusion between Xioami Redmi AC2100 and Xiaomi MI AC2100 (both with the same suffix in the product code - OMG).
I do not know if they are identical inside (same motherboard) and only the exterior changes (the first one white with antennas, the second one with the shape of a black cylinder, as showed in post n.1)...
The Redmi is at version 1.0.14.
The MI is at 2.0.376
Would it be time to clarify or not needed?
Thank you.
1 Like
They do a bunch of cost-cutting to bring the price of the Redmi one down. No switch leds, soldered antennas, and they flip the radios and cpu over to one side so they can reuse the backing plate as passive cooling. Fairly different board, sameish specs. Same nand layout, and share quite a few gpios.
1 Like
Thank you @namidaro for your feedback and explanations about the differences (Redmi & MI)
Very appreciated here.
Can you double check that your mtd-eeprom offsets are correct? The RM2100 has the 7603 at 0x0 of factory and the 7615 at 0x8000, but you seem to have yours flipped on your R2100 dts.
Edit: I'm starting to think we might need a subtarget or another one entirely for the two devices.