New Xiaomi router AC2100

DO NOT MESS TOPIC for chineese firmware links!!! PM him!!!

1 Like

Hi Percy,

I am having some odd issues where I would request your help.

Followed all steps where CVE exploit appears to work well. Also start netcat listen on proper port 31337 where if I also netcat on this port I can see a connection and chars passing over the two process.

But even exploit sends a package between IPs 192.168.31.1 to hard coded 192.168.31.177 on port 31337, this package is not reaching netcat listening process.

See nc:

Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on :::31337
Ncat: Listening on 0.0.0.0:31337

Also a tcpdump on the same interface from the scripts:

04:17:11.116047 IP 192.168.31.1.48445 > 192.168.31.177.31337: Flags [S], seq 304914382, win 14600, options [mss 1460,sackOK,TS val 6079 ecr 0,nop,wscale 7], length 0

No TCP 3way hadshake, indicating this frame was not moved from interface to netcat by some reason.

Linux cooked capture
Packet type: Unicast to us (0)
Link-layer address type: 1
Link-layer address length: 6
Source: 88:c3:97:07:a9:83 (88:c3:97:07:a9:83)
Unused: 0000
Protocol: IPv4 (0x0800)

Only difference I see is the Source Address and Link-layer address type.

Any recommendation why this connection is not working, even CVE exploit apparently is working just fine?

sessionid:45
src:00:e0:4c:53:44:58
dst:88:c3:97:07:a9:82
.
Sent 1 packets.

Hi all,

For some reason I cannot identify even seeing the CVE exploit package trying to connect with IP 192.168.31.177 on port 31337, for some reason the package is not reached on the netcat listening process.

Then I cannot open a telnetd process to install openwrt. Exploit is working since at interface level Is see the frame passing:

04:17:11.116047 IP 192.168.31.1.48445 > 192.168.31.177.31337: Flags [S], seq 304914382, win 14600, options [mss 1460,sackOK,TS val 6079 ecr 0,nop,wscale 7], length 0

Any ideas why thif frame is not reaching the netcat listening on this port?

I am using CentOS 7.8, for reference.

Since you receive a package from the router addressed to 31337 there shouldn't be anything wrong with the exploit or pppoe server.

How are you connected to the router?
Do you have a separate host running ncat or did you bridge WAN and LAN?
Is the 192.168.31.177 IP of your cat host configured correctly & can you ping 192.168.31.1?
Can you try netcat and not ncat? (haven't tried it with ncat)
If you have a separate host or android phone with nc try it there.

I suspect some routing problem, if nothing of the above works you can send me a pcap file and I can get a better picture.

@emirefek valid, but no need for caps in my opinion. This isn't the most organized thread any way^^

I can also provide download links via PM from right.com.cn. I also have an alipay setup so I can get invite links if requested.

Hi Percy,

Thanks for the answer!

I figure out. There was enabled my Linux firewall blocking this port. I disabled completely firewall making it work.

I am just having an issue to login after OpenWRT is installed since pass is not being accepted as blank. I download image from internet where not sure if it is enforcing some password I did not notice.

Any recommendation to login on LUCI? Or which location for the squarefs images to be used?

Any recommendation to login on LUCI? Or which location for the squarefs images to be used?

You won't be have Luci if you didn't configure it while compiling.

Btw. @Percy and @namidairo. I found an MT7615E chip on aliexpress. I'm talking with seller. If I get mt7615e and swap it with mt7603e. Will it work without any hardware mod except chip soldering? I readed mt7615e chip is works fine at openwrt but mt7603e is not quite well. I wondering that. If its possible to do that. It will be awesome.

And if someone have inside picture of RedmiAC2100 can send me?

Hi namidairo,

I used your provided image to flash my RM2100 router. I could install it successfully and have OpenWRT fully accessible.

But I was expecting that on Luci Network menu I would have Switch option available since I want to setup my FTTH with VLAN 10 and PPPoE over an ONT interconnection on it WAN port.

Right now I have a VM with Linux Mate 32 bits but I had a lot of difficulty to prepare compilation environment stable for OpenWRT.

Could someone help me to know if a OpenWRT image for this HW device RM2100, having MediaTek MT7530 switch HW, could have VLAN setup on this switch? Anyone could send some directions about how to enable it on an image?

Both mt7603 and mt7615 work fine with Mediatek drivers, and both do not work fine with mt76 drivers.

Oh wasn't know that. Which device are you using? And which firmware are you on? Whats your bitrate of wireless interfaces?


Via BusyBox, but using MediaTek driver as mention by another other users. So, stay away from mt76 drivers, as mac80211 is also part of it.

Can you send example dts file for R2100?
What should I change in that file to what?

Btw this is 5ghz or 2.4ghz??
And as I see this is LEDE. Can you share source??

I will appreciate if you sent me an invite link to register at right.cn.com.

regards

Hi,

I don't know what is happening but I have tried the scripts with Redmi AC2100 on Linux, MacOs and Windows with same result. I have set the IP address to 192.168.31.177, but I know that I am not even reaching the step of opening telnet from router.
When I execute the script of simulating PPPoE over the interface nothing happens (I've double checked the interface on the script). I have looked at Wireshark for packets travelling and no movement appears. It is weird because none of the prints in the script is actually printed on terminal (except for the waiting response one which is placed before sniff).
I must be missing something because I get that unsuccessful result with all OS. Ping to router works, LAN with other devices (either wifi or ethernet) works, LAN and WAN bridged. Using python 3.

Could you give any clue to continue?

Thank you very much in advance!

If you put this("pppoed or pppoes") as a display filter for Wireshark you should at least see the incomming PADI requests of the router. Did you set the router WAN mode to PPPoE in the network settings?

From what I have seen, the dts would only differ in LEDs and board name. No functional difference apart from the lights. :slight_smile:

Uh. I wasn't know that. How to compile with mt7603e and mt7615e drivers?

And why editing old messages disabled in forum. Thats too awful. We can't change our mistakes on previous posting.

Have you compiled before?
LEDE source is available on GitHub: https://github.com/lede-project/source

Connected via 5Ghz, however I'm not next to the router. Roughly, 14 meters away in a straight line, but they are walls in between.

I don't have idea about that didn't tried compile other than Openwrt(Just Latest snapshot). And 5ghz works fine(around 200mbps) with openwrt too. Can you try to iperf with 2devices at 2.4ghz

And if I compile LEDE with snapshot should be fine?? Or I need to compile with v19 or v18. If I need to compile with stable. I don't know how to do because too many changes applied between snapshot and stables.

I don't understant why after @namidairo pushed his changes into master, we don't have the official build of Xioami RM2100 for openwrt 19.07.03 :frowning:

You can install your own image but you will have a lot of dependency problema because of kernel checksum :frowning:

Images are available in snapshot https://downloads.openwrt.org/snapshots/targets/ramips/mt7621/ which will become 20.y release in some point of time. We don't usually backport support for new devices into stable releases.