New Xiaomi router AC2100

Who tried the old workaround on all firmware versions?

https://pastebin.com/qu1TSEB2

Well that's weird, those aren't the registers that were supposed to get overwritten...

I think you are confusing something:
that's what otapredownload says:

local cmdpending = miscpredflag and "" or " &"
local result = os.execute("flash.sh "..filepath..cmdpending)

The cmdpending can only be "" or "&"; however, it requires something like "flash.sh XXX.bin 2" to trigger that logic. So if you want to exploit it, you must make the filepath returned by the downloader be something like "XXX.bin 2", instead of that miscpredflag.
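To make the point of the post above concrete from the defender's side, here is an added example (my code, not code from the thread or from the Xiaomi firmware) that mirrors the Lua string concatenation in Python, shows how /bin/sh word-splits the resulting command line, and sits it beside a hardened form that validates the filename against a whitelist and passes an argv list instead of a shell string. ROM_DIR, ROM_NAME_RE and all function names are my own choices, not names from otapredownload; the /tmp directory is only borrowed from the XQConfigs.lua paths quoted later in the thread.

```python
import re
import shlex

# Assumed staging directory for the illustration; the thread's XQConfigs.lua keeps ROM
# files under /tmp, but the choice here is mine, not something otapredownload defines.
ROM_DIR = "/tmp"
# Whitelist: one plain filename, .bin suffix, no whitespace, no path separators.
ROM_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*\.bin$")


def lua_style_command(filepath, miscpredflag):
    """Mirror of the Lua string building: "flash.sh "..filepath..cmdpending."""
    cmdpending = "" if miscpredflag else " &"
    return "flash.sh " + filepath + cmdpending


def shell_words(command):
    """Word-split the command the way /bin/sh (which os.execute invokes) would.
    Every whitespace-separated word becomes a separate argument to flash.sh, which
    is why a filename containing a space changes what flash.sh receives.
    (shlex approximates sh splitting; a trailing '&' is a control operator in sh,
    not an argument, so the examples below use miscpredflag=True.)"""
    return shlex.split(command)


def validate_rom_name(name):
    """Reject anything that is not a single plain .bin filename."""
    if ".." in name or not ROM_NAME_RE.match(name):
        raise ValueError("rejected ROM filename: %r" % (name,))
    return name


def build_flash_argv(filename):
    """Hardened form: a validated filename inside a fixed directory, passed as an argv
    list so that no shell re-splits it. Backgrounding (the Lua " &") becomes a caller
    decision, e.g. subprocess.Popen, rather than characters in a command string."""
    return ["flash.sh", ROM_DIR + "/" + validate_rom_name(filename)]


if __name__ == "__main__":
    for name in ("rom.bin", "rom.bin 2"):
        print(repr(name), "->", shell_words(lua_style_command(name, True)))
    print(build_flash_argv("rom.bin"))
    try:
        build_flash_argv("rom.bin 2")
    except ValueError as exc:
        print(exc)
```

The validator is deliberately stricter than "no spaces": path components and dot-dot are refused too, because the same concatenation pattern would also let a crafted name escape the staging directory.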

Brilliant work! Would you like to share the modified decompiler?

That's proving Xiaomi developers are big fans of Fate series :rofl:

It is not finished, but I am happy to share.

I got stuck with an exception like the one below; it may be caused by a wrong definition of opcodes. I would appreciate it if anyone can help.

local L0_0
L0_0 = module
L0_0("xiaoqiang.module.XQNetworkSpeedTest", package.seeall)
L0_0 = require
L0_0 = L0_0("luci.util")
uploadSpeedTest, L0_0, L0_0 = function(A0_1, A1_2)
given: 8 37
expected: 0 38
Exception in thread "main" java.lang.IllegalStateException
	at unluac.decompile.Registers.setInternalLoopVariable(Registers.java:140)
	at unluac.decompile.block.TForBlock.handleVariableDeclarations(TForBlock.java:41)
	at unluac.decompile.ControlFlowHandler.find_fixed_blocks(ControlFlowHandler.java:420)
	at unluac.decompile.ControlFlowHandler.process(ControlFlowHandler.java:104)
	at unluac.decompile.Decompiler.decompile(Decompiler.java:103)
	at unluac.decompile.expression.ClosureExpression.printMain(ClosureExpression.java:103)
	at unluac.decompile.expression.ClosureExpression.print(ClosureExpression.java:67)
	at unluac.decompile.expression.Expression.printSequence(Expression.java:118)
	at unluac.decompile.statement.Assignment.print(Assignment.java:218)
	at unluac.decompile.statement.Statement.printSequence(Statement.java:27)
	at unluac.decompile.block.OuterBlock.print(OuterBlock.java:43)
	at unluac.decompile.Decompiler.print(Decompiler.java:123)
	at unluac.decompile.Decompiler.print(Decompiler.java:114)
	at unluac.Main.main(Main.java:48)

It didn't work. An uploaded ROM will be renamed to "customrom.bin", which is at
usr/lib/lua/luci/controller/api/xqsystem.lua

function uploadRom()
    local XQConfigs = require("xiaoqiang.common.XQConfigs")
    local XQSysUtil = require("xiaoqiang.util.XQSysUtil")
    local LuciSys = require("luci.sys")
    local LuciFs = require("luci.fs")
    local XQLog = require("xiaoqiang.XQLog")
    local LuciUtil = require("luci.util")
    -- assumed: LuciHttp (luci.http) is required at module scope in the original
    -- file; it is used below but the require is not part of this excerpt
    local LuciHttp = require("luci.http")

    local code = 0
    local canupload = true

    local uploadDir = XQSysUtil.getUploadDir()
    local uploadFilepath = XQSysUtil.getUploadRomFilePath()
    local tmpfile = uploadDir..LuciSys.uniqueid(16)
    local fileSize = tonumber(LuciHttp.getenv("CONTENT_LENGTH"))

    local nginxCachePath = LuciHttp.getenv("UPLOADFILE")
    local nginxCache = nginxCachePath and true or false

    LuciUtil.exec("/usr/sbin/kill_plugin_process.sh")

    if nginxCache then
        if uploadFilepath and LuciFs.access(nginxCachePath) then
            -- the upload is moved from the nginx cache to the fixed ROM path (customrom.bin)
            LuciFs.rename(nginxCachePath, uploadFilepath)
            XQLog.log(6, "nginx upload file ok, file rename " .. tostring(nginxCachePath) .. "=>" .. tostring(uploadFilepath) )
            if not XQSysUtil.cutImage(uploadFilepath) then
                code = 1554
                LuciFs.unlink(uploadFilepath)
            end
        else
            XQLog.log(6, "nginx upload file fail, file not exits!" .. tostring(nginxCachePath) .. "=>" .. tostring(uploadFilepath) )
        end
    else

And a downloaded file will be renamed to "rom.bin", defined at usr/lib/lua/xiaoqiang/common/XQConfigs.lua

-- Download Rom file
ROM_CACHE_FILEPATH = "/tmp/rom.bin"
--ROM_DISK_CACHE_FILEPATH = "/userdisk/rom.bin"
-- Upload Rom file
CROM_CACHE_FILEPATH = "/tmp/customrom.bin"
--CROM_DISK_CACHE_FILEPATH = "/userdisk/upload/customrom.bin"
--USERDISK_UPLOAD_DIR = "/userdisk/upload/"
-- Download Rom dir
--USERDISK_DOWNLOAD_DIR = "/userdisk/download/"

There is a newer device called 'AX3600', and its lua files are probably the same as the ac2100's.
It's amazing that the lua files in it are not compiled; I think that may be helpful in rooting both routers. http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r3600/miwifi_r3600_firmware_aa047_1.0.20.bin

Well, maybe we can use luadec? Switching from unluac to luadec should be quite easy.
I remember that unluac stopped its development in 2015, while luadec stopped in 2017.
Also, luadec can dump the bytecode, which would be much more helpful for debugging.

Hello! Has anyone tested this exploit? https://github.com/acecilia/OpenWRTInvasion
It is new and works on MiRouter 4A Gigabit, MiRouter 4A 100M, MiRouter 4C and Mi Router 3Gv2. Maybe it works on the Redmi AC2100.

It will not. The code in the speedtest script that reads from /tmp/speedtests_urls.xml is commented out on the RM2100 firmware.

:stuck_out_tongue:

Yesterday my router arrived from China. I don't have a NAND programmer (it's on the way), but I desoldered the NAND chip and tried to program it with my old Xiaomi Mi3, with help from this: https://4pda.ru/forum/index.php?showtopic=736801&st=30980#entry86905571

After soldering the NAND into my old router I tried to write the bootloader partition. This is the message I received from the NAND:

nand init 1
!!! nand page size = 2048, addr len=4

MT7620 # nand id
flash id: c8 d1 80 95

MT7620 # nand oob 0
oob page 0 (addr 0):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 c1 28 2e 00 20 14
21 10 80 00 26 50 a4 00 03 00 4a 31 33 00 40 15 ff ff ff ff ff ff ff ff ac d8 61 5a 0a 85 fd ff

MT7620 # nand read 0 1
nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
trying to do correction!
correction : 0 0 0
correction : 66 ffffff99 59
xor = 599966 (0 599966)
1. correct byte 165, bit 1!
correction : 0 0 8
correction : 3c f fffffff3
failed to correct!
nfc_read_page: fail, buf:87f022a0, page:0,
read again:
nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
trying to do correction!
correction : 0 0 0
correction : 66 ffffff99 59
xor = 599966 (0 599966)
1. correct byte 165, bit 1!
correction : 0 0 8
correction : 3c f fffffff3
failed to correct!
nfc_read_page: fail, buf:87f022a0, page:0,
ranand_read: skip reading a bad block 0 -> 20000
nfc_ecc_verify mode:read, invalid ecc, page: 40 read:ffffff99 ffffff8f 8, ecc:f03f3f
nfc_ecc_verify mode:read, invalid ecc2, page: 40 read:ffffffbf ffffff8f 70, ecc2:a59965
nfc_ecc_verify mode:read, invalid ecc3, page: 40 read:1c 3c 3c, ecc3:5a6959
nfc_ecc_verify mode:read, invalid ecc4, page: 40 read:ffffffff ffffffff ffffffd0, ecc4:3f3c0f
nfc_ecc_verify mode:read, invalid ecc, page: 40 read:ffffff99 ffffff8f 8, ecc:f03f3f
nfc_ecc_verify mode:read, invalid ecc2, page: 40 read:ffffffbf ffffff8f 70, ecc2:a59965
nfc_ecc_verify mode:read, invalid ecc3, page: 40 read:1c 3c 3c, ecc3:5a6959
nfc_ecc_verify mode:read, invalid ecc4, page: 40 read:ffffffff ffffffff ffffffd0, ecc4:3f3c0f
nfc_ecc_verify mode:read, invalid ecc, page: 40 read:ffffff99 ffffff8f 8, ecc:f03f3f
nfc_ecc_verify mode:read, invalid ecc2, page: 40 read:ffffffbf ffffff8f 70, ecc2:a59965
nfc_ecc_verify mode:read, invalid ecc3, page: 40 read:1c 3c 3c, ecc3:5a6959
nfc_ecc_verify mode:read, invalid ecc4, page: 40 read:ffffffff ffffffff ffffffd0, ecc4:3f3c0f
trying to do correction!
correction : ffffff99 ffffff8f 8
correction : 3f 3f fffffff0
failed to correct!
nfc_read_page: fail, buf:87f022a0, page:40,
read again:
nfc_ecc_verify mode:read, invalid ecc, page: 40 read:ffffff99 ffffff8f 8, ecc:f03f3f
nfc_ecc_verify mode:read, invalid ecc2, page: 40 read:ffffffbf ffffff8f 70, ecc2:a59965
nfc_ecc_verify mode:read, invalid ecc3, page: 40 read:1c 3c 3c, ecc3:5a6959
nfc_ecc_verify mode:read, invalid ecc4, page: 40 read:ffffffff ffffffff ffffffd0, ecc4:3f3c0f
nfc_ecc_verify mode:read, invalid ecc, page: 40 read:ffffff99 ffffff8f 8, ecc:f03f3f
nfc_ecc_verify mode:read, invalid ecc2, page: 40 read:ffffffbf ffffff8f 70, ecc2:a59965
nfc_ecc_verify mode:read, invalid ecc3, page: 40 read:1c 3c 3c, ecc3:5a6959
nfc_ecc_verify mode:read, invalid ecc4, page: 40 read:ffffffff ffffffff ffffffd0, ecc4:3f3c0f
nfc_ecc_verify mode:read, invalid ecc, page: 40 read:ffffff99 ffffff8f 8, ecc:f03f3f
nfc_ecc_verify mode:read, invalid ecc2, page: 40 read:ffffffbf ffffff8f 70, ecc2:a59965
nfc_ecc_verify mode:read, invalid ecc3, page: 40 read:1c 3c 3c, ecc3:5a6959
nfc_ecc_verify mode:read, invalid ecc4, page: 40 read:ffffffff ffffffff ffffffd0, ecc4:3f3c0f
trying to do correction!
correction : ffffff99 ffffff8f 8
correction : 3f 3f fffffff0
failed to correct!
nfc_read_page: fail, buf:87f022a0, page:40,
read again fail
ranand_read: skip reading a bad block 20000 -> 40000
read len: 1
ff

Can anyone help me with this?

I forgot to say that I managed to rewrite the old NAND from the Mi3 with the whole dump from here: https://drive.google.com/file/d/1vLRYd6ZqNbymUG7IYrLHHsWnM7AEYvFw/edit thanks to @Percy, without error, but the router does not want to start; it is dead.
Basically I used the old Xiaomi Mi3 router as a programmer. :slight_smile:

I can read the Bootloader partition from the original AC2100 NAND with OpenWRT and the help of the old Xiaomi 3. Can anyone please confirm whether it is saved correctly?

But it gives these errors when saving:

root@OpenWrt:/# dd if=/dev/mtd0 of=/tmp/Bootloader.bin
[  313.109850] nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
[  313.117660] nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
[  313.125563] nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
[  313.134113] nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
[  313.143896] nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
[  313.151633] nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
[  313.159544] nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
[  313.168072] nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
[  313.177840] nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
[  313.185562] nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
[  313.193471] nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
[  313.202001] nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
[  313.211762] trying to do correction!
[  313.215408] correction : 0 0 0
[  313.218529] correction : 66 ffffff99 59
[  313.222441] xor = 599966 (0 599966)
[  313.226005] 1. correct byte 165, bit 1!
[  313.229924] correction : 0 0 8
[  313.233037] correction : 3c f fffffff3
[  313.236855] failed to correct!
[  313.239981] nfc_read_page: fail, buf:87db4040, page:0, flag:5
[  313.245836] read again:
[  313.248631] nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
[  313.256354] nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
[  313.264265] nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
[  313.272796] nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
[  313.282563] nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
[  313.290293] nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
[  313.298200] nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
[  313.306721] nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
[  313.316488] nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
[  313.324219] nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
[  313.332128] nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
[  313.340658] nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
[  313.350418] trying to do correction!
[  313.354062] correction : 0 0 0
[  313.357182] correction : 66 ffffff99 59
[  313.361091] xor = 599966 (0 599966)
[  313.364646] 1. correct byte 165, bit 1!
[  313.368565] correction : 0 0 8
[  313.371677] correction : 3c f fffffff3
[  313.375496] failed to correct!
[  313.378618] nfc_read_page: fail, buf:87db4040, page:0, flag:5
[  313.384474] read again fail
[  313.391015] nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
[  313.398810] nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
[  313.406715] nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
[  313.415251] nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
[  313.425030] nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
[  313.432767] nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
[  313.440677] nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
[  313.449207] nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
[  313.458973] nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
[  313.466694] nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
[  313.474603] nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
[  313.483134] nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
[  313.492895] trying to do correction!
[  313.496541] correction : 0 0 0
[  313.499662] correction : 66 ffffff99 59
[  313.503572] xor = 599966 (0 599966)
[  313.507129] 1. correct byte 165, bit 1!
[  313.511049] correction : 0 0 8
[  313.514162] correction : 3c f fffffff3
[  313.517989] failed to correct!
[  313.521105] nfc_read_page: fail, buf:87db4040, page:0, flag:5
[  313.526961] read again:
[  313.529748] nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
[  313.537479] nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
[  313.545379] nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
[  313.553911] nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
[  313.563680] nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
[  313.571410] nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
[  313.579319] nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
[  313.587847] nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
[  313.597615] nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
[  313.605336] nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
[  313.613245] nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
[  313.621778] nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
[  313.631541] trying to do correction!
[  313.635183] correction : 0 0 0
[  313.638306] correction : 66 ffffff99 59
[  313.642215] xor = 599966 (0 599966)
[  313.645782] 1. correct byte 165, bit 1!
[  313.649702] correction : 0 0 8
[  313.652814] correction : 3c f fffffff3
[  313.656632] failed to correct!
[  313.659755] nfc_read_page: fail, buf:87db4040, page:0, flag:5
[  313.665610] read again fail
[  313.672137] nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
[  313.679931] nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
[  313.687843] nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
[  313.696368] nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
[  313.706147] nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
[  313.713885] nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
[  313.721795] nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
[  313.730333] nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
[  313.740104] nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
[  313.747832] nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
[  313.755731] nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
[  313.764261] nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
[  313.774023] trying to do correction!
[  313.777674] correction : 0 0 0
[  313.780789] correction : 66 ffffff99 59
[  313.784701] xor = 599966 (0 599966)
[  313.788266] 1. correct byte 165, bit 1!
[  313.792176] correction : 0 0 8
[  313.795288] correction : 3c f fffffff3
[  313.799118] failed to correct!
[  313.802231] nfc_read_page: fail, buf:87db4040, page:0, flag:5
[  313.808094] read again:
[  313.810872] nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
[  313.818606] nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
[  313.826506] nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
[  313.835036] nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
[  313.844804] nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
[  313.852535] nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
[  313.860445] nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
[  313.868982] nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
[  313.878750] nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
[  313.886470] nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
[  313.894379] nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
[  313.902909] nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
[  313.912671] trying to do correction!
[  313.916315] correction : 0 0 0
[  313.919437] correction : 66 ffffff99 59
[  313.923346] xor = 599966 (0 599966)
[  313.926901] 1. correct byte 165, bit 1!
[  313.930820] correction : 0 0 8
[  313.933931] correction : 3c f fffffff3
[  313.937756] failed to correct!
[  313.940870] nfc_read_page: fail, buf:87db4040, page:0, flag:5
[  313.946725] read again fail
[  313.953188] nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
[  313.960977] nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
[  313.968889] nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
[  313.977430] nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
[  313.987203] nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
[  313.994926] nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
[  314.002836] nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
[  314.011368] nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
[  314.021134] nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
[  314.028863] nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
[  314.036763] nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
[  314.045293] nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
[  314.055055] trying to do correction!
[  314.058706] correction : 0 0 0
[  314.061820] correction : 66 ffffff99 59
[  314.065730] xor = 599966 (0 599966)
[  314.069295] 1. correct byte 165, bit 1!
[  314.073206] correction : 0 0 8
[  314.076317] correction : 3c f fffffff3
[  314.080150] failed to correct!
[  314.083267] nfc_read_page: fail, buf:87db4040, page:0, flag:5
[  314.089132] read again:
[  314.091909] nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
[  314.099642] nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
[  314.107549] nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
[  314.116070] nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
[  314.125838] nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
[  314.133569] nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
[  314.141477] nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
[  314.150007] nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
[  314.159775] nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
[  314.167503] nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
[  314.175403] nfc_ecc_verify mode:read, invalid ecc3, page: 0 read:ffffffa4 0 3, ecc3:a5999a
[  314.183933] nfc_ecc_verify mode:read, invalid ecc4, page: 0 read:ffffffff ffffffff ffffffac, ecc4:a559a6
[  314.193694] trying to do correction!
[  314.197345] correction : 0 0 0
[  314.200457] correction : 66 ffffff99 59
[  314.204368] xor = 599966 (0 599966)
[  314.207931] 1. correct byte 165, bit 1!
[  314.211840] correction : 0 0 8
[  314.214953] correction : 3c f fffffff3
[  314.218780] failed to correct!
[  314.221894] nfc_read_page: fail, buf:87db4040, page:0, flag:5
[  314.227758] read again fail
[  314.234184] nfc_ecc_verify mode:read, invalid ecc, page: 1 read:ffffffc0 36 a, ecc:aa6a96
[  314.242682] nfc_ecc_verify mode:read, invalid ecc2, page: 1 read:ffffffe8 fffffff3 8, ecc2:3c0ffc
[  314.251838] nfc_ecc_verify mode:read, invalid ecc3, page: 1 read:ffffff80 fffffff1 10, ecc3:f0fcc3
[  314.261085] nfc_ecc_verify mode:read, invalid ecc4, page: 1 read:ffffffff ffffffff ffffff83, ecc4:ff3c
[  314.270683] nfc_ecc_verify mode:read, invalid ecc, page: 1 read:ffffffc0 36 a, ecc:aa6a96
[  314.279126] nfc_ecc_verify mode:read, invalid ecc2, page: 1 read:ffffffe8 fffffff3 8, ecc2:3c0ffc
[  314.288273] nfc_ecc_verify mode:read, invalid ecc3, page: 1 read:ffffff80 fffffff1 10, ecc3:f0fcc3
[  314.297511] nfc_ecc_verify mode:read, invalid ecc, page: 1 read:ffffffc0 36 a, ecc:aa6a96
[  314.305943] nfc_ecc_verify mode:read, invalid ecc2, page: 1 read:ffffffe8 fffffff3 8, ecc2:3c0ffc
[  314.315092] nfc_ecc_verify mode:read, invalid ecc3, page: 1 read:ffffff80 fffffff1 10, ecc3:f0fcc3
[  314.324331] nfc_ecc_verify mode:read, invalid ecc4, page: 1 read:ffffffff ffffffff ffffff83, ecc4:ff3c
[  314.333914] trying to do correction!
[  314.337568] correction : ffffffc0 36 a
[  314.341389] correction : ffffff96 6a ffffffaa
[  314.345830] xor = a05c56 (a36c0 aa6a96)
[  314.349749] failed to correct!
[  314.352865] nfc_read_page: fail, buf:87db4040, page:1, flag:5
[  314.358729] read again:
[  314.361507] nfc_ecc_verify mode:read, invalid ecc, page: 1 read:ffffffc0 36 a, ecc:aa6a96
[  314.369949] nfc_ecc_verify mode:read, invalid ecc2, page: 1 read:ffffffe8 fffffff3 8, ecc2:3c0ffc
[  314.379099] nfc_ecc_verify mode:read, invalid ecc3, page: 1 read:ffffff80 fffffff1 10, ecc3:f0fcc3
[  314.388335] nfc_ecc_verify mode:read, invalid ecc4, page: 1 read:ffffffff ffffffff ffffff83, ecc4:ff3c
[  314.397928] nfc_ecc_verify mode:read, invalid ecc, page: 1 read:ffffffc0 36 a, ecc:aa6a96
[  314.406359] nfc_ecc_verify mode:read, invalid ecc2, page: 1 read:ffffffe8 fffffff3 8, ecc2:3c0ffc
[  314.415509] nfc_ecc_verify mode:read, invalid ecc3, page: 1 read:ffffff80 fffffff1 10, ecc3:f0fcc3
[  314.424745] nfc_ecc_verify mode:read, invalid ecc, page: 1 read:ffffffc0 36 a, ecc:aa6a96
[  314.433187] nfc_ecc_verify mode:read, invalid ecc2, page: 1 read:ffffffe8 fffffff3 8, ecc2:3c0ffc
[  314.442336] nfc_ecc_verify mode:read, invalid ecc3, page: 1 read:ffffff80 fffffff1 10, ecc3:f0fcc3
[  314.451575] nfc_ecc_verify mode:read, invalid ecc4, page: 1 read:ffffffff ffffffff ffffff83, ecc4:ff3c
[  314.461160] trying to do correction!
[  314.464804] correction : ffffffc0 36 a
[  314.468633] correction : ffffff96 6a ffffffaa
[  314.473074] xor = a05c56 (a36c0 aa6a96)
[  314.476981] failed to correct!
[  314.480103] nfc_read_page: fail, buf:87db4040, page:1, flag:5
[  314.485958] read again fail
[  314.492081] nfc_ecc_verify mode:read, invalid ecc, page: 1 read:ffffffc0 36 a, ecc:aa6a96
[  314.500587] nfc_ecc_verify mode:read, invalid ecc2, page: 1 read:ffffffe8 fffffff3 8, ecc2:3c0ffc
[  314.509744] nfc_ecc_verify mode:read, invalid ecc3, page: 1 read:ffffff80 fffffff1 10, ecc3:f0fcc3
[  314.518990] nfc_ecc_verify mode:read, invalid ecc4, page: 1 read:ffffffff ffffffff ffffff83, ecc4:ff3c
[  314.528588] nfc_ecc_verify mode:read, invalid ecc, page: 1 read:ffffffc0 36 a, ecc:aa6a96
[  314.537021] nfc_ecc_verify mode:read, invalid ecc2, page: 1 read:ffffffe8 fffffff3 8, ecc2:3c0ffc
[  314.546172] nfc_ecc_verify mode:read, invalid ecc3, page: 1 read:ffffff80 fffffff1 10, ecc3:f0fcc3
[  314.555410] nfc_ecc_verify mode:read, invalid ecc, page: 1 read:ffffffc0 36 a, ecc:aa6a96
[  314.563850] nfc_ecc_verify mode:read, invalid ecc2, page: 1 read:ffffffe8 fffffff3 8, ecc2:3c0ffc
[  314.573000] nfc_ecc_verify mode:read, invalid ecc3, page: 1 read:ffffff80 fffffff1 10, ecc3:f0fcc3
[  314.582240] nfc_ecc_verify mode:read, invalid ecc4, page: 1 read:ffffffff ffffffff ffffff83, ecc4:ff3c
[  314.591823] trying to do correction!
[  314.595470] correction : ffffffc0 36 a
[  314.599300] correction : ffffff96 6a ffffffaa
[  314.603742] xor = a05c56 (a36c0 aa6a96)
[  314.607656] failed to correct!
[  314.610772] nfc_read_page: fail, buf:87db4040, page:1, flag:5
[  314.616628] read again:
[  314.619417] nfc_ecc_verify mode:read, invalid ecc, page: 1 read:ffffffc0 36 a, ecc:aa6a96
[  314.627858] nfc_ecc_verify mode:read, invalid ecc2, page: 1 read:ffffffe8 fffffff3 8, ecc2:3c0ffc
[  314.636998] nfc_ecc_verify mode:read, invalid ecc3, page: 1 read:ffffff80 fffffff1 10, ecc3:f0fcc3
[  314.646236] nfc_ecc_verify mode:read, invalid ecc4, page: 1 read:ffffffff ffffffff ffffff83, ecc4:ff3c
[  314.655827] nfc_ecc_verify mode:read, invalid ecc, page: 1 read:ffffffc0 36 a, ecc:aa6a96
[  314.664268] nfc_ecc_verify mode:read, invalid ecc2, page: 1 read:ffffffe8 fffffff3 8, ecc2:3c0ffc
[  314.673428] nfc_ecc_verify mode:read, invalid ecc3, page: 1 read:ffffff80 fffffff1 10, ecc3:f0fcc3
[  314.682673] nfc_ecc_verify mode:read, invalid ecc, page: 1 read:ffffffc0 36 a, ecc:aa6a96
[  314.691115] nfc_ecc_verify mode:read, invalid ecc2, page: 1 read:ffffffe8 fffffff3 8, ecc2:3c0ffc
[  314.700264] nfc_ecc_verify mode:read, invalid ecc3, page: 1 read:ffffff80 fffffff1 10, ecc3:f0fcc3
[  314.709502] nfc_ecc_verify mode:read, invalid ecc4, page: 1 read:ffffffff ffffffff ffffff83, ecc4:ff3c
[  314.719086] trying to do correction!
[  314.722730] correction : ffffffc0 36 a
[  314.726573] correction : ffffff96 6a ffffffaa
[  314.731033] xor = a05c56 (a36c0 aa6a96)
[  314.734941] failed to correct!
[  314.738063] nfc_read_page: fail, buf:87db4040, page:1, flag:5
[  314.743919] read again fail
[  270.901129] nfc_ecc_verify mode:read, invalid ecc, page: 7f read:ffffffff ffffffff ffffffff, ecc:0
[  270.910379] nfc_ecc_verify mode:read, invalid ecc2, page: 7f read:ffffffff ffffffff ffffffff, ecc2:3c003c
[  270.920238] nfc_ecc_verify mode:read, invalid ecc3, page: 7f read:ffffffff ffffffff ffffffff, ecc3:3c003c
[  270.930095] nfc_ecc_verify mode:read, invalid ecc4, page: 7f read:ffffffff ffffffff 26, ecc4:3c003c
[  270.939421] nfc_ecc_verify mode:read, invalid ecc, page: 7f read:ffffffff ffffffff ffffffff, ecc:0
[  270.948658] nfc_ecc_verify mode:read, invalid ecc2, page: 7f read:ffffffff ffffffff ffffffff, ecc2:3c003c
[  270.958516] nfc_ecc_verify mode:read, invalid ecc3, page: 7f read:ffffffff ffffffff ffffffff, ecc3:3c003c
[  270.968374] nfc_ecc_verify mode:read, invalid ecc4, page: 7f read:ffffffff ffffffff 26, ecc4:3c003c
[  270.977701] nfc_ecc_verify mode:read, invalid ecc, page: 7f read:ffffffff ffffffff ffffffff, ecc:0
[  270.986938] nfc_ecc_verify mode:read, invalid ecc2, page: 7f read:ffffffff ffffffff ffffffff, ecc2:3c003c
[  270.996796] nfc_ecc_verify mode:read, invalid ecc3, page: 7f read:ffffffff ffffffff ffffffff, ecc3:3c003c
[  271.006654] nfc_ecc_verify mode:read, invalid ecc4, page: 7f read:ffffffff ffffffff 26, ecc4:3c003c
[  271.015972] trying to do correction!
[  271.019617] correction : ffffffff ffffffff ffffffff
[  271.024594] correction : 0 0 0
[  271.027707] xor = ffffff (ffffff 0)
[  271.031260] failed to correct!
[  271.034382] nfc_read_page: fail, buf:87db4040, page:7f, flag:5
[  271.040326] read again fail
512+0 records in
512+0 records out

When I try to write the Bootloader partition from OpenWRT, the result is this:

root@OpenWrt:/tmp# mtd write Bootloader.bin Bootloader_
Unlocking Bootlo[  367.813708] nand_block_checkbad: offs:0 tag: BAD
ader_ ...

Wri[  367.818924] nand_block_checkbad: offs:20000 tag: BAD
ting from Bootloader.bin to Bootloader_ ...  [e]
Skipping bad block at 0x00000000[e]
Skipping bad block at 0x00020000[e]Failed to get erase block status
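The two captures above (the U-Boot `nand read` session and the OpenWrt `dd` dmesg output) are long because the driver retries every page several times. Here is an added example, my own code and not something from the thread, OpenWrt or the MediaTek driver, that folds such output into one record per page and per block: which ECC slots mismatched, which pages the driver finally gave up on, and which blocks were skipped or flagged as BAD. SAMPLE_LOG is a handful of constructed lines modelled on the quoted output. The syndrome classification in classify_syndrome is a heuristic I inferred from the quoted numbers (a single correctable bit flip sets exactly half of a 24-bit Hamming-style syndrome), not documented controller behaviour.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the dmesg / U-Boot lines quoted in this thread
# (a few representative lines, not the full capture).
SAMPLE_LOG = """\
[  313.109850] nfc_ecc_verify mode:read, invalid ecc, page: 0 read:0 0 0, ecc:599966
[  313.117660] nfc_ecc_verify mode:read, invalid ecc2, page: 0 read:0 0 8, ecc2:f30f3c
[  313.211762] trying to do correction!
[  313.222441] xor = 599966 (0 599966)
[  313.226005] 1. correct byte 165, bit 1!
[  313.233037] correction : 3c f fffffff3
[  313.236855] failed to correct!
[  313.239981] nfc_read_page: fail, buf:87db4040, page:0, flag:5
[  313.384474] read again fail
[  314.234184] nfc_ecc_verify mode:read, invalid ecc, page: 1 read:ffffffc0 36 a, ecc:aa6a96
[  314.345830] xor = a05c56 (a36c0 aa6a96)
[  314.349749] failed to correct!
[  314.352865] nfc_read_page: fail, buf:87db4040, page:1, flag:5
ranand_read: skip reading a bad block 0 -> 20000
Unlocking Bootlo[  367.813708] nand_block_checkbad: offs:0 tag: BAD
"""

ECC_RE = re.compile(r"nfc_ecc_verify mode:read, invalid (ecc\d?), page: ([0-9a-f]+) ")
XOR_RE = re.compile(r"xor = ([0-9a-f]+) \(")
PAGE_FAIL_RE = re.compile(r"nfc_read_page: fail, buf:[0-9a-f]+, page:([0-9a-f]+)")
SKIP_RE = re.compile(r"skip reading a bad block ([0-9a-f]+) -> ([0-9a-f]+)")
CHECKBAD_RE = re.compile(r"nand_block_checkbad: offs:([0-9a-f]+) tag: BAD")

SYNDROME_BITS = 24  # the driver prints three ECC bytes per sector


def classify_syndrome(xor_word):
    """Heuristic inferred from the quoted log, not from controller documentation:
    in a 24-bit Hamming-style ECC a single flipped data bit sets exactly half of the
    syndrome bits. In the thread's output, xor 0x599966 (12 bits set) is followed by
    '1. correct byte 165, bit 1!', while 0x3c0ff3 (14 bits) and 0xa05c56 (10 bits)
    both end in 'failed to correct!'."""
    bits = bin(xor_word).count("1")
    if bits == 0:
        return "clean"
    if bits == SYNDROME_BITS // 2:
        return "single-bit"
    return "uncorrectable"


def summarize(log_text):
    """Fold the verbose retry output into one record per page / block."""
    slots = defaultdict(set)   # page -> ECC slots (ecc, ecc2, ...) that mismatched
    failed_pages = set()       # pages the driver gave up on after its retries
    syndromes = []             # classification of every printed xor word
    bad_blocks = []            # (start, end) offsets skipped as bad
    marked_bad = []            # offsets the bad-block check flags as BAD
    for line in log_text.splitlines():
        m = ECC_RE.search(line)
        if m:
            slots[int(m.group(2), 16)].add(m.group(1))
            continue
        m = XOR_RE.search(line)
        if m:
            syndromes.append(classify_syndrome(int(m.group(1), 16)))
            continue
        m = PAGE_FAIL_RE.search(line)
        if m:
            failed_pages.add(int(m.group(1), 16))
            continue
        m = SKIP_RE.search(line)
        if m:
            bad_blocks.append((int(m.group(1), 16), int(m.group(2), 16)))
            continue
        m = CHECKBAD_RE.search(line)
        if m:
            marked_bad.append(int(m.group(1), 16))
    return {
        "mismatched_slots": {p: sorted(s) for p, s in sorted(slots.items())},
        "failed_pages": sorted(failed_pages),
        "single_bit": syndromes.count("single-bit"),
        "uncorrectable": syndromes.count("uncorrectable"),
        "bad_blocks": bad_blocks,
        "marked_bad": marked_bad,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print("%-17s %s" % (key + ":", value))
```

Run it over a real capture with `summarize(open("dmesg.txt").read())`. A dump whose summary shows every page of a block as uncorrectable, plus that block flagged BAD, is the pattern in the thread: the data was written under one controller's ECC layout and is being verified under another's, so the bytes read back are not necessarily garbage even though the ECC check fails.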

I suspect that it has something to do with the different ECCs used by the MT7620(Hamming Code) CPU compared to the MT7621(BCH Code). You can look up some info about the ECC used here. You could try to use nand write.raw or nand write.oob to write the (oob-)data for the MT7621 without the ECC check form the MT7620.

Thanks for the answer @Percy. I think you're right about the ECC used by the processor.
Your documentation is very useful. I tried to use nand write.raw or nand write.oob but I don't have a U-Boot that supports this. :frowning:
I wrote your full dump to the old NAND after installing the pb-boot bootloader and PandoraBox, which gave the opportunity to write the fullflash partition 0 8000000. All data was written perfectly to the flash; I tested all sectors with "nand read" afterwards with no errors. Unfortunately the router does not boot.
I think I need to wait about a month until the programmer arrives. I
ordered a Teensy++ 2.0 with a TSOP48 adapter. :frowning:

For those who are lucky enough to get into U-Boot, could you try https://github.com/tkso1997/openwrt-ac2100

Turns out I'm terrible with mips and can't get more complex ROP chains than simple jumps to sleep() to run.

https://pastebin.com/ci1787zh

Someone who knows what they're doing, give that a twice-over and see where I screwed up. Or better yet, if anyone with gdb working on the RM2100 stock 1.0.14 can breakpoint 0x42590C in pppd and tell me where I screwed up... (Granted, you'd need to set up pppoe-server too...)

Edit: Someone really needs to go check if the AX3600 rom actually got built with this fixed and/or has FORTIFY_SOURCE actually used.

Anyone else having problems with 5GHz on this router?
I have an issue where sometimes I lose the internet connection on 5GHz, while the internet on 2.4GHz works fine.

I'm using the router as a wired repeater.

OpenWRT or stock ROM? MT76 support for the chips on these boards is pretty WIP, and they only bump the MT76 commit periodically in OpenWRT master.

In unrelated news:

listening on [any] 31337 ...
connect to [192.168.31.177] from (UNKNOWN) [192.168.31.1] 49743
id
uid=0(root) gid=0(root)

Well it works now, but the watchdog kills the process pretty quickly. Just fork your own shell or something in your own payload.

Trying to rewind the stack pointer hurt my brain too much, so I just brute forced a stack address that worked because there's no ASLR anyway.
