OpenWrt support for Xiaomi AX9000

that's cursed :frowning:

Anyway, can someone post an image of how big it is?

The base is like 28 x 28 cm (with the antennas attached) and the antennas are 20 cm high.

For the rest I recommend watching the teardown video.

The problem is that with a white background I can't really understand the real size of the product :frowning:

Finally got the damn thing opened and UART soldered. I hate when they have such small pads around the hole.
Then I have to be extra careful to make sure it's soldered, and I am not that good at soldering.

BTW, I have a crazy idea to try and connect a USB keyboard.
Nah, they don't have a USB HID driver packed.

I am looking at the AX6 SSH method; it's documented only in Chinese.


Ahh, they are using an old Samba, but the one vulnerability I can try to exploit using Metasploit is not working.

This is gonna be a painful experience as I don't usually do pen testing.

They have Samba running with anonymous credentials; it's sharing /tmp over it.
Nothing useful unfortunately.

Can anybody explain the AX6 SSH method?

@kirdes Have you tried anything?

Unfortunately I don't have access to my AX9000 until Sunday.

The AX6 method is also described here:

Basically it's using the extend_wifi API on the AX6. As far as I understand, you set up a second wifi router with a special xqsystem.lua file (including the nvram commands) and then connect to that router via wifi, and the AX6 reads that file during the wifi connect.

And those extendwifi APIs are also there in the AX9000 firmware. So I think it's worth a shot.

This is the URL to connect to the other router's wifi (from the AX6 or AX9000): ;stok={STOK}/api/misystem/extendwifi_connect?ssid={WIFI_NAME}&password={PASSWORD}

:slight_smile: I also had that USB keyboard idea.

Looks really cool for a router. Good luck guys!

@robimarko how much did you get yours for again?

As soon as I know that UART tx/rx can be enabled I'll probably get one.

If you try to abuse the connect-via-mesh-router path, there's already some development with some code that "allows to bypass Singapore region select to create mesh wifi", and it uses the Xiaomi API.

@Apache14 It was around 200 EUR with shipping.
It should probably be a bit cheaper now.

UART RX works, TX needs to be enabled via nvram (in reality it's just the U-Boot env).

@adamhnat That looks like a potential route

@kirdes Hm, looks like the extend page is missing.

No page is registered at '/api/misystem/extendwifi_connect'.
If this url belongs to an extension, make sure it is properly installed.
If the extension was recently installed, try removing the /tmp/luci-indexcache file.

I have been poking for way too many hours now, and I just don't see an obvious vulnerability.
I just hate when I have to hope for our Chinese friends to find a vulnerability in order to run code on my HW.


Yes it's frustrating, especially 'cause Xiaomi doesn't respect the GPL at all.

But I think time is on our side; sooner or later we or someone else will find a usable vulnerability.

What firmware version does your device have?

Mine has 1.0.82.

I only found version 1.0.101 last time I checked (now they have updated to .108).

So I'm looking in the .101 Lua files; maybe they first added that extendwifi_connect function in version .101?

I know it's just a lucky guess.

If I remember correctly, you wrote that you downloaded the firmware as well.
What version is that?

Yes, they really don't respect the GPL.

Mine was on 1.0.82 by default as well; I got annoyed and updated it to 1.0.108 late last night.
I think I have 1.0.103 locally as well.

You may be on the right track, because I can find some references to the extended wifi in binaries in the unpacked 1.0.108 firmware. I did not check the older ones.

Did you try this regarding Samba?

No, I think it has a lot of hardcoded stuff for the Technicolor implementation.

I thought it's a generic vulnerability.

Aliexpress asked me to leave a review on their site.

Maybe we should take our chances :slight_smile:

Oh, looks like the functions for it are still in there, but they never registered the entry for them in the index() function for LuCI to connect it up.

Essentially uncallable. :frowning:
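The point above (handler functions present in the Lua source but never wired up by an entry() call in index(), so LuCI reports "No page is registered") is easy to check mechanically when unpacking a firmware. The following is an added example, not code from the original thread or from Xiaomi's firmware: it scans a LuCI controller file for entry({...}, call("handler")) registrations and for function definitions, and reports handlers that no route points at. The Lua module embedded below is a constructed sample in the shape of such a controller; its handler names (getStatus, extendwifiScan, extendwifiConnect) are assumptions for illustration, not the real names in xqsystem.lua.

```python
import re
from typing import Dict, List, Set

# Constructed sample shaped like a LuCI controller module; NOT the real Xiaomi
# file. extendwifiConnect is defined but no entry() in index() registers it.
SAMPLE_CONTROLLER = r'''
module("luci.controller.api.misystem", package.seeall)

function index()
    local page = node("api", "misystem")
    page.target = firstchild()
    entry({"api", "misystem", "status"}, call("getStatus"), (""), 100)
    entry({"api", "misystem", "extendwifi_scan"}, call("extendwifiScan"), (""), 200)
end

function getStatus()
    return 0
end

function extendwifiScan()
    return 0
end

function extendwifiConnect()
    return 0
end
'''

# entry({"a", "b"}, call("fn"), ...)  ->  (contents of the path table, handler name)
_ENTRY_RE = re.compile(
    r'entry\s*\(\s*\{([^}]*)\}\s*,\s*call\s*\(\s*["\']([^"\']+)["\']\s*\)', re.S)
# quoted strings inside the path table
_STRING_RE = re.compile(r'["\']([^"\']+)["\']')
# "function name(" definitions at the start of a line (plain or dotted names)
_FUNC_RE = re.compile(r'^\s*(?:local\s+)?function\s+([A-Za-z_][\w.]*)\s*\(', re.M)


def analyze_controller(src: str) -> Dict[str, object]:
    """Map registered URL paths to their handlers and list handlers that no
    entry() points at (defined but unreachable through the LuCI dispatcher)."""
    routes: Dict[str, str] = {}
    for table, handler in _ENTRY_RE.findall(src):
        path = "/".join(_STRING_RE.findall(table))
        routes[path] = handler
    defined: Set[str] = set(_FUNC_RE.findall(src))
    reachable = set(routes.values())
    # index() is the registration hook itself, never a page handler
    unregistered: List[str] = sorted(defined - reachable - {"index"})
    return {"routes": routes, "defined": defined, "unregistered": unregistered}


def is_routed(src: str, path: str) -> bool:
    """True if an entry() in the controller registers this URL path, i.e. LuCI
    would dispatch it instead of answering 'No page is registered'."""
    return path.strip("/") in analyze_controller(src)["routes"]


if __name__ == "__main__":
    result = analyze_controller(SAMPLE_CONTROLLER)
    for path, handler in result["routes"].items():
        print(f"registered  {path} -> {handler}()")
    for handler in result["unregistered"]:
        print(f"UNREGISTERED {handler}() (present in source, no entry() route)")
    print("extendwifi_connect routed:",
          is_routed(SAMPLE_CONTROLLER, "api/misystem/extendwifi_connect"))
```

Pointing analyze_controller at each controller file under /usr/lib/lua/luci/controller/ in an unpacked firmware gives a quick list of which API paths the dispatcher actually exposes, which is the same information the "No page is registered" error gives one URL at a time.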

Too bad.

Thanks anyway.

Hmm, then maybe the "mesh" has vulnerabilities?
That looks like potentially the most bug-prone part.

I have tried a lot of the API calls I can find, but it looks like all of them are sanitized, as even though it returns code 0, nothing happens.

Too bad that it does not use SPI-NOR for U-Boot like most devices; then I could simply edit the U-Boot env and flash it back.
I have tried using the recovery as well, but it also checks both the header and the signature of the image.

I also tried digging through the usual Chinese forums, but there's nothing on the AX9000.