OpenWrt support for Xiaomi AX9000

Ansuel · June 11, 2021, 1:39pm

that's cursed

anyway can someone post some image of how much big it is?

sumo · June 11, 2021, 2:07pm

The base is like 28 x 28 cm (with the antenna attached) and them antennas are 20 cm high.

For the rest I recommend watching the teardown video.

Ansuel · June 11, 2021, 2:28pm

problem is that with a white background i can't really understand the real size of the product

robimarko · June 11, 2021, 4:57pm

Finally got the damn thing opened and UART soldered, I have when they have so small pads around the hole.
Then I have to be extra carefull to make sure its soldered and I am not that good soldering.

BTW, I have a crazy idea to try and connect a USB keyboard.
Nah, they dont have USB HID driver packed.

I am looking at the AX6 SSH method, its documented only in chinese.

robimarko · June 11, 2021, 5:53pm

Ahh, they are using old Samba but the one vulnerability I can try and exploit using metasploit is not working.

This is gonna be a painful experience as I dont usully do pen testing.

They have Samba with anonyimous credentials running, its sharing /tmp over it.
Nothing usefull unfortunately.

Anybody can explaint the AX6 SSH method?

@kirdes Have you tried anything?

kirdes · June 11, 2021, 6:47pm

unfortunately i don't have access to my AX9000 until Sunday.

The ax6 method is also described here:

basically it's using the extend_wifi api on the ax6. As far as i understand, you setup a second wifi-Router with a special xqsystem.lua file (including the nvram commands) and then connect to that router via wifi and the ax6 reads that file during the wifi connect.

And those extenwifi api's are also there in the AX9000 firmware. So i think it's worth a shot.

This is the URL to connect to the others router wifi (from the ax6 or AX9000:)

http://192.168.31.1/cgi-bin/luci/;stok={STOK}/api/misystem/extendwifi_connect?ssid={WIFI_NAME}&password={PASSWORD}

kirdes · June 11, 2021, 6:57pm

I also had that USB keyboard idea.

ulpian · June 11, 2021, 7:03pm

Looks really cool for a router. Good luck guys!
ulpian

Apache14 · June 11, 2021, 7:48pm

@robimarko how much did you get yours for again ?

As soon as I know that UART tx/rx can be enabled I'll probably get one.

adamhnat · June 11, 2021, 7:49pm

If you try to abuse connect via mesh router path there's already some development with some code that "allows to bypass Singapure region select to create mesh wifi" and it uses Xiaomi API.

robimarko · June 11, 2021, 7:56pm

@Apache14 It was around 200 EUR with shipping.
It should probably be cheaper a bit now.

UART RX works, TX needs to be enabled via nvram(In reality its just U-boot env).

@adamhnat That looks like a potential route

robimarko · June 11, 2021, 9:20pm

@kirdes Hm, looks like the extend page is missing.

No page is registered at '/api/misystem/extendwifi_connect'.
If this url belongs to an extension, make sure it is properly installed.
If the extension was recently installed, try removing the /tmp/luci-indexcache file.

I have been poking for way too many hours now, and I just don't see an obvious vulnerability.
I just hate when I have to hope for our Chinese friends to find a vulnerability in order to run code on my HW.

kirdes · June 12, 2021, 1:00am

Yes it's frustrating, especially 'cause Xiaomi doesn't respect the GPL at all.

But i think time is on our side, sooner or later we or someone else will find a usable vulnerability.

What firmware version does your device have?

Mine has 1.0.82.

I only found the version 1.0.101 last time i checked (now they updated to .108)

So I'm looking in the .101 lua files, maybe they added that extendwifi_connect function at first in version .101?

I know it's just a lucky guess.

If I remember correctly, you wrote that you downloaded the firmware as well.
What version is that?

robimarko · June 12, 2021, 1:05am

Yes, they really dont respect GPL.

Mine was on 1.0.82 as well by default, I got annoyed and updated it to 1.0.108 late last night.
I think I have 1.0.103 locally as well.

You may be on the right track, because I can find some references to the extended wifi in binaries in the unpacked 1.0.108 firmware, I did no check on the older ones.

kirdes · June 12, 2021, 1:06am

Did you try this regarding samba?

robimarko · June 12, 2021, 1:07am

No, I think it has a lot of hardcoded stuff for the Technicolor implementation

kirdes · June 12, 2021, 1:17am

I thought it's a generic vulnerability.

github.com/openwrt/packages

samba4: privilege escalation exploit (low severity)

opened 02:39PM - 24 Oct 20 UTC

closed 10:54PM - 26 Jan 21 UTC

hauke

security

Maintainer: @Andy2244 Environment: OpenWrt master and OpenWrt 19.07 Descript…ion: There is a privilege escalation problem in the samba init script: https://github.com/full-disclosure/FDEU-CVE-2020-1FC5 The author of this problem contacted us some time ago, sorry for the delay: > Hi, > > we would like to report a vulnerability in /etc/init.d/samba script > which may allow to make arbitrary changes in smb.conf, such as enable > symlink and set root user for guest > > Vulnerable code is: > > https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=package/network/services/samba36/files/samba.init;h=1c5bb3b3c43eacc6ee3a181a16b63c906365b81b;hb=refs/heads/openwrt-18.06#l32 > > > 32 sed -e "s#|NAME|#$name#g" \ > 33 -e "s#|WORKGROUP|#$workgroup#g" \ > 34 -e "s#|DESCRIPTION|#$description#g" \ > 35 -e "s#|INTERFACES|#$interfaces#g" \ > 36 -e "s#|CHARSET|#$charset#g" \ > 37 /etc/samba/smb.conf.template > /var/etc/smb.conf > > > The variables $name, $workgroup and others passed into sed must be > sanitized and all symbols such "#" replaced > > An example of an exploit is this value for "Description": > > > pwned#g ; s#follow symlinks = no#follow symlinks = yes#g ; s#wide links > = no#wide links = yes#g ; s#security = share#security = user#g ; s#guest > account = nobody#guest account = root > > > This will enable R/W access on the symlink pointed to "/" > > > The severity for OpenWRT is probably low, as only admin can change > smb.conf template. But in other systems, like Technicolor this allows > local privilege escalation > > As soon as Luci releases restricted users functionality - this would > also become an issue for privilege escalation > > > A PoC is available that attacks Technicolor routers: > > > https://github.com/full-disclosure/FDEU-CVE-2020-1FC5 > > > Hope this helps, > > Full Disclosure team I agree that the severity for OpenWrt is low, but this should get fixed anyway. This was reported for the old samba3 package which is already removed in OpenWrt master, but the same code is also in the samba4 package. If someone wants to develop a fixes, I can take care of backporting it to samba3 package in OpenWrt 19.07 and 18.06.

btw:
Aliexpress asked me to leave a review on there site.

Maybe we should take our chances

namidairo · June 12, 2021, 5:49am

Oh, looks like the functions for it are still in there, but they never registered the entry for them in the index() function for luci to connect it up.

Essentially uncallable.

kirdes · June 12, 2021, 6:59am

Too bad.

Thanks anyway.

robimarko · June 12, 2021, 8:09am

Hmm, then maybe the "mesh" has vulnerabilities?
That looks like the potentially most bug-prone part

I have tried a lot of the API calls I can find, but it looks like all of them are sanitized as even though it returns code 0 nothing happens.

Too bad that it does not use SPI-NOR for U-boot like most devices, then I could simply edit the U-boot env and flash it back.
I have tried using the recovery as well, but it also checks both the header and signature of the image.

I also tried digging through the usual Chinese forums, but nothing on AX9000