Did you manage to install OpenWrt after the modification?
I never compiled OpenWrt for a new device, so I concentrated on searching for possible exploits. If you have any tips on how I might reuse some existing configs, so I don't have to start from scratch, I'm thankful for suggestions.
Honestly, I am not experienced at all when it comes to adding support for a new device.
It might be good to use the Xiaomi 3Pro config as a base, it is very similar regarding the hardware (CPU and wireless).
I am counting on your exploit-searching skills - would be nice to avoid the NAND flashing! Fingers crossed!
I did the port for the Xiaomi Router 3 Pro (MIR3P)... it was the first time for me too...
It's actually quite easy. You need to have some understanding about what all that stuff is about, but most of it (especially at the beginning) can be copy+paste...
Look through the git log to see the PR where MIR3P support was added... then look at the diffs that I had to put in (I think there was a follow-on push and some other stuff in the .dts file changed... so you might as well start with the current .dts and modify that)...
There's also a page somewhere on the OpenWrt site about porting new devices... it's helpful.
The most important thing is: set up a TFTP server and just TFTP-boot your test images (the one that's called initramfs.bin)...
That way you're not constantly writing to your NAND and you're just a reboot away from sanity in case something goes wrong.
PM me if there are any particular questions you have... I probably don't know every answer, but I'll try to help.
There may be some potential for exploiting dnsmasq. From what I can tell it runs 2.71, which contains some bugs (see https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html), though I didn't succeed in making it crash using the PoC code. Perhaps the MIPS executable isn't susceptible.
Even if it worked, someone would still have to craft some MIPS assembler to e.g. modify nvram or open a shell, which is far beyond my experience.
did you try this one:
Nice find but it doesn't support MIPS architecture
damn should have read it properly before ...
My ac2100 just arrived, any news I should know before powering it on for the first time?
I stumbled over this git repository: https://github.com/UltramanGaia/Xiaomi_Mi_WiFi_R3G_Vulnerability_POC, maybe we can use it for gaining full UART access ...
I'm surprised not to see anything discussed here about GPL. If the Xiaomi AC2100 is based on Openwrt, they should release its sources. Anybody wanting to ask Xiaomi about this?
I don't think the problem is the sources. The problem is how to get into the machine to change the nvram settings so the console works. I think @thorsten97's approach is the right way... can't expect every user to have a NAND programmer, can we now?
Unfortunately it is not working as it is.
On the serial console I get this:
[ 1707.870000] dev_redirect OFF.dev_redirect OFF.
[ 2030.830000] dev_redirect OFF.
which is the same output as you get if you start the speedtest via the web interface.
My Chinese is not the best :D, so I don't completely get what the author of the exploit writes on his page ...
Maybe we have to adapt something for our router? Ideas are highly appreciated.
I wrote to them yesterday; this is what support answered:
Thank you for contacting Xiaomi Customer Support. I am xxxx and understand that you want the GPL source for the Mi Router model AC 2100.
I am sorry to inform you that as of now we are not selling our devices through our Global website, so we won't be able to assure you regarding the link. However, would request you to visit our website for more information: http://www.mi.com/en/ and our Facebook page https://www.facebook.com/xiaomiglobal for more updates. Also, Xiaomi does not provide international shipping.
For any further queries, feel free to contact us.
Regards,
xxxx
Xiaomi Customer Support
I don't understand their reply. What's the difference whether the device is shipped internationally or not?
Or GPL terms aren't valid in China?
Did you try the exploit while in router (not AP) mode and connected to the internet? I'm looking at the Lua scripts and it seems the speedtest is only performed when configured a certain way...
I am quite sure that it was configured in Router mode ...
And by going through the sysapihttp.conf file from the firmware dump that was uploaded here, it looks like they have already patched the hole ...
If I interpreted the Chinese correctly, the bug was in sysapihttp.conf:
location /api-third-party/download/extdisks {
alias /extdisks/;
In ours it's:
location /api-third-party/download/extdisks/ {
alias /extdisks/;
the slash at the end is (I guess) the fix that avoids the command injection.
I am wondering how we could trigger
# OTA upgrade
if [ "$restore" = "2" ]; then
    do_xiaoqiang_defaults
    flag_override
fi
which would activate the UART and BOOT_wait...
As the option is in there, I would assume that we can trigger it.
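The trailing slash in the two location blocks quoted above changes how a request URI is mapped onto the filesystem. The following model is added here and is not code from the thread, from the router firmware or from the linked PoC repository; it only reproduces nginx's documented handling of a prefix location with alias (the URI is normalized first, then the matched prefix is replaced verbatim by the alias string) for the two quoted variants. That sysapihttp.conf is read by nginx and the probe URIs used are assumptions for the illustration.

```python
"""Model of nginx prefix-location + alias path mapping for the two
sysapihttp.conf variants quoted in the thread (added example)."""
from posixpath import normpath

# The two quoted variants, reduced to (location prefix, alias target).
# Assumption: the surrounding config is consumed by plain nginx.
UNSLASHED = ("/api-third-party/download/extdisks", "/extdisks/")
SLASHED = ("/api-third-party/download/extdisks/", "/extdisks/")
SERVED_ROOT = "/extdisks"


def mapped_path(request_uri, location, alias):
    """Return the filesystem path nginx would open for request_uri, or None
    when the prefix location does not match.

    nginx normalizes the URI (resolving '.' and '..' and merging slashes)
    before location matching, then replaces the matched prefix with the
    alias string verbatim. A '..' that only appears after the alias has
    been glued on is resolved by the OS when the file is opened, which
    normpath() stands in for here.
    """
    uri = normpath(request_uri)
    if not uri.startswith(location):
        return None
    fs_path = alias + uri[len(location):]
    return normpath(fs_path)


def escapes_root(request_uri, location, alias, root=SERVED_ROOT):
    """True when the request would be served from outside the aliased dir."""
    path = mapped_path(request_uri, location, alias)
    if path is None:
        return False
    return path != root and not path.startswith(root + "/")


if __name__ == "__main__":
    # Constructed probe URIs; /etc/passwd is only a convenient marker file.
    probes = (
        "/api-third-party/download/extdisks/readme.txt",
        "/api-third-party/download/extdisks../etc/passwd",
        "/api-third-party/download/extdisks/../etc/passwd",
    )
    for uri in probes:
        for name, (loc, alias) in (("unslashed", UNSLASHED), ("slashed", SLASHED)):
            print(f"{name:9} {uri:48} -> {mapped_path(uri, loc, alias)}")
```

With the unslashed location, a URI whose segment starts with `extdisks..` still matches the prefix, and the remainder `../etc/passwd` is appended to `/extdisks/`, so the file opened is `/etc/passwd`. With the trailing slash, that URI no longer matches at all, and a URI containing a real `/../` is normalized away before matching, so it cannot reach the alias.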
My interpretation would be that if the nvram gets corrupted during an OTA update it runs:
# OTA upgrade
if [ "$restore" = "2" ]; then
    do_xiaoqiang_defaults
    flag_override
So maybe just pull the power during the update?
The only place I can find where restore_defaults is set to 2 is in flash.sh. If you look in /usr/sbin/otapredownload you will see that it gets set when miscpredflag is true. It seems these scripts are only used for OTA updates, not when you manually update firmware.
function miscpred()
    local uci = require("luci.model.uci").cursor()
    local download = uci:get("misc", "ota_pred", "download")
    if tonumber(download) and tonumber(download) == 1 then
        miscpredflag = true
    else
        miscpredflag = false
    end
end
So the question is:
can we do anything so that "if tonumber(download) and tonumber(download)" becomes unequal to 1?
After fiddling around with the router (several resets) I bricked it, honestly not sure how exactly ...
Console output stops right before the bootloader would start. Does it look like the NAND is broken?
do MEMPLL setting..
MEMPLL Config : 0x11100000
3PLL mode + External loopback
=== XTAL-40Mhz === DDR-1200Mhz ===
PLL4 FB_DL: 0x7, 1/0 = 653/371 1D000000
PLL2 FB_DL: 0x10, 1/0 = 669/355 41000000
PLL3 FB_DL: 0x14, 1/0 = 550/474 51000000
do DDR setting..[00320381]
Apply DDR3 Setting...(use customer AC)
0 8 16 24 32 40 48 56 64 72 80 88 96 104 112 120
--------------------------------------------------------------------------------
0000:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0001:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0002:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0003:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0004:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0005:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0006:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0007:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0008:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0009:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
000A:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
000B:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
000C:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
000D:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1
000E:| 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1
000F:| 0 0 0 0 1 1 1 1 1 1 1 1 1 0 0 0
0010:| 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0
0011:| 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0
0012:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0013:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0014:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0015:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0016:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0017:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0018:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0019:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
001A:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
001B:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
001C:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
001D:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
001E:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
001F:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
DRAMC_DQSCTL1[0e0]=13000000
DRAMC_DQSGCTL[124]=80000033
rank 0 coarse = 15
rank 0 fine = 64
B:| 0 0 0 0 0 0 0 0 0 0 1 1 1 0 0 0
opt_dle value:11
DRAMC_DDR2CTL[07c]=C287223D
DRAMC_PADCTL4[0e4]=000044B3
DRAMC_DQIDLY1[210]=08080808
DRAMC_DQIDLY2[214]=07080806
DRAMC_DQIDLY3[218]=08050503
DRAMC_DQIDLY4[21c]=06060706
DRAMC_R0DELDLY[018]=00001D1E
==================================================================
RX DQS perbit delay software calibration
==================================================================
1.0-15 bit dq delay value
==================================================================
bit| 0 1 2 3 4 5 6 7 8 9
--------------------------------------
0 | 7 7 7 8 5 7 7 7 2 4
10 | 5 6 6 6 5 6
--------------------------------------
==================================================================
2.dqs window
x=pass dqs delay value (min~max)center
y=0-7bit DQ of every group
input delay:DQS0 =30 DQS1 = 29
==================================================================
bit DQS0 bit DQS1
0 (1~58)29 8 (1~56)28
1 (1~58)29 9 (1~56)28
2 (1~58)29 10 (1~58)29
3 (1~60)30 11 (1~54)27
4 (1~57)29 12 (1~58)29
5 (1~58)29 13 (1~55)28
6 (1~58)29 14 (1~56)28
7 (1~60)30 15 (1~57)29
==================================================================
3.dq delay value last
==================================================================
bit| 0 1 2 3 4 5 6 7 8 9
--------------------------------------
0 | 8 8 8 8 6 8 8 7 3 5
10 | 5 8 6 7 6 6
==================================================================
==================================================================
TX perbyte calibration
==================================================================
DQS loop = 15, cmp_err_1 = ffffa045
DQS loop = 14, cmp_err_1 = ffff0001
dqs_perbyte_dly.last_dqsdly_pass[1]=14, finish count=1
DQS loop = 13, cmp_err_1 = ffff0000
dqs_perbyte_dly.last_dqsdly_pass[0]=13, finish count=2
DQ loop=15, cmp_err_1 = ffff0000
dqs_perbyte_dly.last_dqdly_pass[0]=15, finish count=1
dqs_perbyte_dly.last_dqdly_pass[1]=15, finish count=2
byte:0, (DQS,DQ)=(8,9)
byte:1, (DQS,DQ)=(8,8)
DRAMC_DQODLY1[200]=99999999
DRAMC_DQODLY2[204]=88888888
20,data:88
[EMI] DRAMC calibration passed
===================================================================
MT7621 stage1 code done
CPU=50000000 HZ BUS=16666666 HZ
===================================================================