OpenWrt support for Xiaomi AX9000

Hmm, then maybe the "mesh" has vulnerabilities?
That looks like the potentially most bug-prone part.

I have tried a lot of the API calls I can find, but it looks like all of them are sanitized, as even though it returns code 0, nothing happens.

Too bad that it does not use SPI-NOR for U-boot like most devices, then I could simply edit the U-boot env and flash it back.
I have tried using the recovery as well, but it also checks both the header and signature of the image.

I also tried digging through the usual Chinese forums, but nothing on the AX9000.

How do they generate that signature?

And what would we need to generate a proper signature?

I think it's signed with an X.509 certificate, as I can find X.509-related stuff as well as nvram values they want to protect, like ssh, telnet and UART, there in usr/share/xiaoqiang.

Basically, the private key they use to sign is required, and that is something I doubt will ever leak.
Or a vulnerability in the algorithm that verifies the images.

The header can simply be copied to the image start, but the signature is also somewhere in the image.
It's not just a certificate attached, as binwalk does not see it, so they have to be using their own format.

BTW, I checked and I have 1.0.101 FW locally as well.

I have to say that I am really not patient with this kind of stuff; I like developing code, not finding a vulnerability in Lua, which I have no idea about.

It looks like api/xqsystem/extendwifi_connect_inited_router has almost the exact same implementation as api/misystem/extendwifi_connect did, so maybe it was just Xiaomi deduplicating code.

http://api.miwifi.com/upgrade/log/list?typeList=RA70STA
Here you go, the full list of firmwares for the AX9000.
I keep looking at this thread hoping you guys find a vulnerability. I actually have an AX6000, unpacked the ROM and decrypted/decompiled the lua files, but I could not find anything to enable ssh (but I have zero experience with programming and pen testing, so maybe there is something actually obvious on the lua files that I simply didn't see lol).

Edit: I don't know if you know this, but https://github.com/zh-explorer/mi_lua is able to decrypt/transform the Lua files from Xiaomi into normal compiled Lua files. Just run them through main.py and, after that, through luadec.

@namidairo That API link appears to be calling iw directly, as without any args I get this:

	event [-t|-r] [-f]
		Monitor events from the kernel.
		-t - print timestamp
		-r - print relative timstamp
		-f - print full frame for auth/assoc etc.

	features 
		

	phy
	list
		List all wireless devices and their capabilities.

	phy <phyname> info
		Show capabilities for the specified wireless device.

	phy <phyname> channels
		Show available channels.

	dev
		List all network interfaces for wireless hardware.

	dev <devname> info
		Show information for this interface.

	dev <devname> del
		Remove this virtual interface

	dev <devname> interface add <name> type <type> [mesh_id <meshid>] [4addr on|off] [flags <flag>*] [addr <mac-addr>]
	phy <phyname> interface add <name> type <type> [mesh_id <meshid>] [4addr on|off] [flags <flag>*] [addr <mac-addr>]
		Add a new virtual interface with the given configuration.
		Valid interface types are: managed, ibss, monitor, mesh, wds.
		
		The flags are only used for monitor interfaces, valid flags are:
		none:     no special flags
		fcsfail:  show frames with FCS errors
		control:  show control frames
		otherbss: show frames from other BSSes
		cook:     use cooked mode
		active:   use active mode (ACK incoming unicast packets)
		mumimo-groupid <GROUP_ID>: use MUMIMO according to a group id
		mumimo-follow-mac <MAC_ADDRESS>: use MUMIMO according to a MAC address
		
		The mesh_id is used only for mesh mode.

	dev <devname> ibss join <SSID> <freq in MHz> [NOHT|HT20|HT40+|HT40-|5MHz|10MHz|80MHz] [fixed-freq] [<fixed bssid>] [beacon-interval <TU>] [basic-rates <rate in Mbps,rate2,...>] [mcast-rate <rate in Mbps>] [key d:0:abcde]
		Join the IBSS cell with the given SSID, if it doesn't exist create
		it on the given frequency. When fixed frequency is requested, don't
		join/create a cell on a different frequency. When a fixed BSSID is
		requested use that BSSID and do not adopt another cell's BSSID even
		if it has higher TSF and the same SSID. If an IBSS is created, create
		it with the specified basic-rates, multicast-rate and beacon-interval.

	dev <devname> ibss leave
		Leave the current IBSS cell.

	dev <devname> station set <MAC address> vlan <ifindex>
		Set an AP VLAN for this station.

	dev <devname> station dump [-v]
		List all stations known, e.g. the AP on managed interfaces

	dev <devname> station del <MAC address> [subtype <subtype>] [reason-code <code>]
		Remove the given station entry (use with caution!)
		Example subtype values: 0xA (disassociation), 0xC (deauthentication)

	dev <devname> station get <MAC address>
		Get information for a specific station.

	dev <devname> survey dump
		List all gathered channel survey data

	dev <devname> mesh leave
		Leave a mesh.

	dev <devname> mesh join <mesh ID> [[freq <freq in MHz> <NOHT|HT20|HT40+|HT40-|80MHz>] [basic-rates <rate in Mbps,rate2,...>]], [mcast-rate <rate in Mbps>] [beacon-interval <time in TUs>] [dtim-period <value>] [vendor_sync on|off] [<param>=<value>]*
		Join a mesh with the given mesh ID with frequency, basic-rates,
		mcast-rate and mesh parameters. Basic-rates are applied only if
		frequency is provided.

	dev <devname> mpath dump
		List known mesh paths.

	dev <devname> mpath set <destination MAC address> next_hop <next hop MAC address>
		Set an existing mesh path's next hop.

	dev <devname> mpath new <destination MAC address> next_hop <next hop MAC address>
		Create a new mesh path (instead of relying on automatic discovery).

	dev <devname> mpath del <MAC address>
		Remove the mesh path to the given node.

	dev <devname> mpath get <MAC address>
		Get information on mesh path to the given node.

	dev <devname> mpp dump
		List known mesh proxy paths.

	dev <devname> mpp get <MAC address>
		Get information on mesh proxy path to the given node.

	dev <devname> scan [-u] [freq <freq>*] [ies <hex as 00:11:..>] [meshid <meshid>] [lowpri,flush,ap-force] [randomise[=<addr>/<mask>]] [ssid <ssid>*|passive]
		Scan on the given frequencies and probe for the given SSIDs
		(or wildcard if not given) unless passive scanning is requested.
		If -u is specified print unknown data in the scan results.
		Specified (vendor) IEs must be well-formed.

	dev <devname> scan abort 
		Abort ongoing scan

	dev <devname> scan trigger [freq <freq>*] [ies <hex as 00:11:..>] [meshid <meshid>] [lowpri,flush,ap-force] [randomise[=<addr>/<mask>]] [ssid <ssid>*|passive]
		Trigger a scan on the given frequencies with probing for the given
		SSIDs (or wildcard if not given) unless passive scanning is requested.

	dev <devname> scan dump [-u]
		Dump the current scan results. If -u is specified, print unknown
		data in scan results.

	phy <phyname> reg get
		Print out the devices' current regulatory domain information.

	reg get
		Print out the kernel's current regulatory domain information.

	reg set <ISO/IEC 3166-1 alpha2>
		Notify the kernel about the current regulatory domain.

	dev <devname> auth <SSID> <bssid> <type:open|shared> <freq in MHz> [key 0:abcde d:1:6162636465]
		Authenticate with the given network.
		

	dev <devname> connect [-w] <SSID> [<freq in MHz>] [<bssid>] [key 0:abcde d:1:6162636465] [mfp:req/opt/no]
		Join the network with the given SSID (and frequency, BSSID).
		With -w, wait for the connect to finish or fail.

	dev <devname> disconnect
		Disconnect from the current network.

	dev <devname> link
		Print information about the current link, if any.

	phy <phyname> set antenna_gain <antenna gain in dBm>
		Specify antenna gain.

	phy <phyname> set antenna <bitmap> | all | <tx bitmap> <rx bitmap>
		Set a bitmap of allowed antennas to use for TX and RX.
		The driver may reject antenna configurations it cannot support.

	dev <devname> set txpower <auto|fixed|limit> [<tx power in mBm>]
		Specify transmit power level and setting type.

	phy <phyname> set txpower <auto|fixed|limit> [<tx power in mBm>]
		Specify transmit power level and setting type.

	phy <phyname> set distance <auto|distance>
		Enable ACK timeout estimation algorithm (dynack) or set appropriate
		coverage class for given link distance in meters.
		To disable dynack set valid value for coverage class.
		Valid values: 0 - 114750

	phy <phyname> set coverage <coverage class>
		Set coverage class (1 for every 3 usec of air propagation time).
		Valid values: 0 - 255.

	phy <phyname> set netns { <pid> | name <nsname> }
		Put this wireless device into a different network namespace:
		    <pid>    - change network namespace by process id
		    <nsname> - change network namespace by name from /var/run/netns
		               or by absolute path (man ip-netns)
		

	phy <phyname> set retry [short <limit>] [long <limit>]
		Set retry limit.

	phy <phyname> set rts <rts threshold|off>
		Set rts threshold.

	phy <phyname> set frag <fragmentation threshold|off>
		Set fragmentation threshold.

	dev <devname> set channel <channel> [NOHT|HT20|HT40+|HT40-|5MHz|10MHz|80MHz]
	phy <phyname> set channel <channel> [NOHT|HT20|HT40+|HT40-|5MHz|10MHz|80MHz]
	dev <devname> set freq <freq> [NOHT|HT20|HT40+|HT40-|5MHz|10MHz|80MHz]
	dev <devname> set freq <control freq> [5|10|20|40|80|80+80|160] [<center1_freq> [<center2_freq>]]
	phy <phyname> set freq <freq> [NOHT|HT20|HT40+|HT40-|5MHz|10MHz|80MHz]
	phy <phyname> set freq <control freq> [5|10|20|40|80|80+80|160] [<center1_freq> [<center2_freq>]]
		Set frequency/channel the hardware is using, including HT
		configuration.

	phy <phyname> set name <new name>
		Rename this wireless device.

	dev <devname> set mcast_rate <rate in Mbps>
		Set the multicast bitrate.

	dev <devname> set noack_map <map>
		Set the NoAck map for the TIDs. (0x0009 = BE, 0x0006 = BK, 0x0030 = VI, 0x00C0 = VO)

	dev <devname> set 4addr <on|off>
		Set interface 4addr (WDS) mode.

	dev <devname> set type <type>
		Set interface type/mode.
		Valid interface types are: managed, ibss, monitor, mesh, wds.

	dev <devname> set meshid <meshid>
	dev <devname> set monitor <flag>*
		Set monitor flags. Valid flags are:
		none:     no special flags
		fcsfail:  show frames with FCS errors
		control:  show control frames
		otherbss: show frames from other BSSes
		cook:     use cooked mode
		active:   use active mode (ACK incoming unicast packets)
		mumimo-groupid <GROUP_ID>: use MUMIMO according to a group id
		mumimo-follow-mac <MAC_ADDRESS>: use MUMIMO according to a MAC address

	dev <devname> set mesh_param <param>=<value> [<param>=<value>]*
		Set mesh parameter (run command without any to see available ones).

	dev <devname> set power_save <on|off>
		Set power save state to on or off.

	dev <devname> set bitrates [legacy-<2.4|5> <legacy rate in Mbps>*] [ht-mcs-<2.4|5> <MCS index>*] [vht-mcs-<2.4|5> <NSS:MCSx,MCSy... | NSS:MCSx-MCSy>*] [sgi-2.4|lgi-2.4] [sgi-5|lgi-5]
		Sets up the specified rate masks.
		Not passing any arguments would clear the existing mask (if any).

	dev <devname> get mesh_param [<param>]
		Retrieve mesh parameter (run command without any to see available ones).

	dev <devname> get power_save <param>
		Retrieve power save state.


Commands that use the netdev ('dev') can also be given the
'wdev' instead to identify the device.

You can omit the 'phy' or 'dev' if the identification is unique,
e.g. "iw wlan0 info" or "iw phy0 info". (Don't when scripting.)

Do NOT screenscrape this tool, we don't consider its output stable.

Status: 500 Internal Server Error
Content-Type: text/plain
Cache-Control: no-cache
Expires: 0

Internal Server Error

I have tried passing various args but no change.

Hm, appears that AC2350 exploited this.
I have another OpenWrt router configured, and ran this:
http://192.168.2.58/cgi-bin/luci/;stok=9c5111b8484f6b56f9baf11168d33d46/api/xqsystem/extendwifi_connect_inited_router?ssid=OpenWrt&password=12345678&encryption=WPA2PSK&enctype=CCMP&channel=11&band=2g&admin_username=root&admin_password=pwd&admin_nonce=xxx

It times out unfortunately, but it's doing something:

[  664.943996] wlan: [30072:I:ANY] wlan_cfg80211_add_virtual_intf: 352: proprietary mode 1 for interface: wl12 : clone params: 0x00000001 
[  664.944062] wlan: [30072:I:ANY] osifp_create_wlan_vap: 9922: VDEV Create a2:9d:7e:7b:d2:9b
[  664.955115] wlan: [30072:I:ANY] wlan_vap_create: 1644: devhandle=0xffffffc0284c0880, opmode=IEEE80211_M_STA, flags=0x1
[  664.955115] 
[  664.963579] wlan: [30072:I:ANY] ol_ath_vap_set_param: 1556: Setting SGI value: 1
[  664.975439] wlan: [30072:I:ANY] ol_ath_vap_set_param: 2609: VDEV params:HE su_bfee:1|su_bfer:1|mu_bfee:0|mu_bfer:0|dl_muofdma:0|ul_muofdma:0|ul_mumimo:1|dl_muofdma_bfer:0
[  664.983023] wlan: [30072:I:ANY] ol_ath_vap_set_param: 2622: he_bf_cap=0x43
[  664.998132] wlan: [30072:I:ANY] ol_ath_vap_set_param: 2637: VDEV params: AC/VHT sounding mode:HE|SU/MU sounding mode:SU|Trig/Non-Trig sounding mode:Non-Trigged
[  665.004966] wlan: [30072:I:ANY] dp_lag_pdev_set_sta_vdev: 68: dp_lag_pdev_set_sta_vdev pdev(ffffffc03dad1408) sta_vdev ffffffc024d65800 
[  665.019201] wlan: [30072:I:ANY] osif_create_vap_complete: 10142: TX Checksum:1|SG:1|TSO:1|LRO:0
[  665.032400] wlan: [30072:I:ANY] dp_lag_pdev_set_sta_vdev: 68: dp_lag_pdev_set_sta_vdev pdev(ffffffc03dad1408) sta_vdev ffffffc024d65800 
[  665.040088] ipaccount: ifname [wl12] event[16]
[  665.053511] ipaccount: ifname [wl12] event[5]
[  665.056883] wlan: [30072:I:ANY] VAP device wl12 created osifp: (ffffffc02d872880) os_if: (ffffffc024da0000)
[  666.089057] ipaccount: ifname [wl12] event[13]
[  666.089367] 8021q: adding VLAN 0 to HW filter on device wl12
[  666.092462] ipaccount: ifname [wl12] event[1]
[  666.098324] ipaccount: ifname [wl12] event[4]
[  666.102702] ipaccount: ifname [wl12] event[4]
[  666.186431] wlan: [10705:I:ANY] wlan_cfg80211_set_wificonfiguration: 10139: wlan_cfg80211_set_wificonfiguration: Unsuported Genric command: 0 
[  674.243841] wlan: [30556:I:ANY] wlan_cfg80211_add_virtual_intf: 352: proprietary mode 1 for interface: wl12 : clone params: 0x00000001 
[  674.243886] wlan: [30556:E:ANY] osif_create_vap_netdev_alloc: 9621: wl12 net dev exists already
[  674.254925] wlan: [30556:I:ANY] osif_create_vap:create netdev failed
[  674.254925] 
[  674.263540] wlan: [30556:I:ANY] wlan_cfg80211_add_virtual_intf: 404: Failed to create VAP. osif_create_vap returned NULL!
[  697.323078] wlan: [30900:I:ANY] wlan_cfg80211_add_virtual_intf: 352: proprietary mode 1 for interface: wl12 : clone params: 0x00000001 
[  697.323123] wlan: [30900:E:ANY] osif_create_vap_netdev_alloc: 9621: wl12 net dev exists already
[  697.334229] wlan: [30900:I:ANY] osif_create_vap:create netdev failed
[  697.334229] 
[  697.342809] wlan: [30900:I:ANY] wlan_cfg80211_add_virtual_intf: 404: Failed to create VAP. osif_create_vap returned NULL!
[  697.606993] wlan: [30922:I:ANY] wlan_cfg80211_add_virtual_intf: 352: proprietary mode 1 for interface: wl12 : clone params: 0x00000001 
[  697.607038] wlan: [30922:E:ANY] osif_create_vap_netdev_alloc: 9621: wl12 net dev exists already
[  697.618046] wlan: [30922:I:ANY] osif_create_vap:create netdev failed
[  697.618046] 
[  697.626661] wlan: [30922:I:ANY] wlan_cfg80211_add_virtual_intf: 404: Failed to create VAP. osif_create_vap returned NULL!
[  706.415773] wlan: [31166:I:ANY] wlan_cfg80211_add_virtual_intf: 352: proprietary mode 1 for interface: wl12 : clone params: 0x00000001 
[  706.415817] wlan: [31166:E:ANY] osif_create_vap_netdev_alloc: 9621: wl12 net dev exists already
[  706.426854] wlan: [31166:I:ANY] osif_create_vap:create netdev failed
[  706.426854] 
[  706.435427] wlan: [31166:I:ANY] wlan_cfg80211_add_virtual_intf: 404: Failed to create VAP. osif_create_vap returned NULL!
[  729.785257] wlan: [31610:I:ANY] wlan_cfg80211_add_virtual_intf: 352: proprietary mode 1 for interface: wl12 : clone params: 0x00000001 
[  729.785304] wlan: [31610:E:ANY] osif_create_vap_netdev_alloc: 9621: wl12 net dev exists already
[  729.797091] wlan: [31610:I:ANY] osif_create_vap:create netdev failed
[  729.797091] 
[  729.805081] wlan: [31610:I:ANY] wlan_cfg80211_add_virtual_intf: 404: Failed to create VAP. osif_create_vap returned NULL!

So, we are nearing something.

@Sanzium Thanks for the link, it confirmed that 1.0.82 is the original FW, 1.0.101 was the first update and 1.0.108 current one.


@namidairo
Maybe you can have a look in the usr/lib/lua/xiaoqiang/module/XQBackup.lua.

Looks like they are setting a few variables (L6 macaddr, a base64-encoded value (L2) and so on).

Probably this is the method to encrypt/decrypt the backup file.

But I'm not sure of the right order of the values and which encryption they are actually using (in the Lua there is a link to aeslua), but the actual backup file has the suffix .des.

Downgraded to 1.0.82 and with:

http://192.168.31.1/cgi-bin/luci/;stok=0a445755411dc750673aea041adcd06f/api/xqsystem/extendwifi_connect_inited_router?ssid=OpenWrt&password=12345678&encryption=WPA2PSK&enctype=CCMP&channel=11&band=2g&admin_username=user&admin_password=pwd&admin_nonce=xxx

It now returns:
{"msg":"一键换机过程中请求对端接口失败","code":1643}
which is translated:

{"msg":"Failed to request the peer interface during the one-key exchange","code":1643}

Hmm, I can see it connected now but SSH is unfortunately not being enabled.

UPDATE:
It works, SSH is enabled.
I used: http://192.168.31.1/cgi-bin/luci/;stok=0a445755411dc750673aea041adcd06f/api/xqsystem/extendwifi_connect_inited_router?ssid=OpenWrt&password=12345678&encryption=WPA2PSKenctype=CCMP&channel=11&band=2g&admin_username=root&admin_password=admin&admin_nonce=xxx

Now I've got to figure out the SSH password, or maybe not, since I got UART enabled through the same exploit.

I will write a full tutorial on how to exploit this. I also downloaded the 1.0.82 image so that if it's fixed in later versions anybody can flash it.

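As an added example (not code from this thread, from robimarko or from Xiaomi), here is a small script that issues the request described above from the command line instead of the browser. It assumes you have already logged into the stock web UI and copied the stok value out of the browser URL; the login flow itself is not implemented. The default parameters are the ones reported to work above, except that encryption and enctype are sent as two separately encoded parameters rather than run together as in the posted string, which is my assumption. The response handling only knows the replies seen in this thread: code 0, code 1643, and the plain-text 500.

```python
"""Trigger extendwifi_connect_inited_router on a stock Xiaomi AX9000.

Added example for the thread, not Xiaomi's code. Assumes a valid ``stok``
copied from the browser URL after logging into the stock web UI.
"""
import json
import socket
import sys
from urllib.error import URLError
from urllib.parse import urlencode
from urllib.request import urlopen

# Parameters from the request the thread reports as working on 1.0.82 and 1.0.108.
DEFAULT_PARAMS = {
    "ssid": "OpenWrt",
    "password": "12345678",
    "encryption": "WPA2PSK",
    "enctype": "CCMP",
    "channel": "11",
    "band": "2g",
    "admin_username": "root",
    "admin_password": "admin",
    "admin_nonce": "xxx",
}


def build_url(router, stok, **overrides):
    """Build the luci URL for the 'one-key migration' endpoint.

    Assumption: encryption and enctype are encoded as separate parameters;
    the posted working string had them run together without an '&'.
    """
    params = dict(DEFAULT_PARAMS, **overrides)
    return (
        f"http://{router}/cgi-bin/luci/;stok={stok}"
        f"/api/xqsystem/extendwifi_connect_inited_router?{urlencode(params)}"
    )


def interpret(body):
    """Turn the router's reply into a short verdict.

    code 0    -> accepted (the thread notes this alone proves nothing happened)
    code 1643 -> 'failed to request the peer interface': the code path ran
    non-JSON  -> what the thread saw as a plain-text 500 on newer firmware
    """
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return "unparseable reply (the thread saw a plain 500 Internal Server Error here)"
    code = data.get("code")
    if code == 0:
        return "code 0: request accepted"
    if code == 1643:
        return "code 1643: peer request failed, code path reached; now try SSH or UART"
    return f"code {code}: {data.get('msg', '')}"


def trigger(router, stok, timeout=30, **overrides):
    """Send the request once. A timeout is expected on some firmware: the
    thread's first attempts hung while the router created a STA VAP."""
    url = build_url(router, stok, **overrides)
    try:
        with urlopen(url, timeout=timeout) as resp:
            return interpret(resp.read().decode("utf-8", "replace"))
    except (socket.timeout, TimeoutError):
        return "timed out: router is probably busy associating; watch dmesg over UART"
    except URLError as exc:
        return f"request failed: {exc}"


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: trigger.py <router-ip> <stok>")
    print(trigger(sys.argv[1], sys.argv[2]))
```

Run it as `python3 trigger.py 192.168.31.1 <stok>`; if it times out, that matches what was observed above, so check dmesg over UART or simply retry before assuming failure.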

I would assume/hope that it's the same password as for other Xiaomi devices, derived from the serial number (e.g. via https://github.com/odedlaz/ax3600-files/blob/master/scripts/calc_passwd.py).

Could be, I just tried an online calculator for the SN-based password on Xiaomi routers and that did not work.
Since UART is working it's not a problem for me, and we can just add a password setting in the exploit string.

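For the serial-number password discussed in the two posts above, here is an added example (not the linked calc_passwd.py and not Xiaomi's code) that reimplements the scheme as I understand that script to use it: the first 8 hex characters of MD5 over the serial number concatenated with a fixed salt. The salt string below is written from memory and is an assumption, so verify it against the linked script before trusting the output; the thread itself reports that the derived password did not work on one AX9000 but did on an AX6000.

```python
"""Derive the stock SSH/root password from a Xiaomi router serial number.

Added example, not the linked calc_passwd.py. Assumed scheme:
password = md5(serial + SALT).hexdigest()[:8].
"""
import hashlib
import re
import sys

# Assumed salt value; check it against the linked calc_passwd.py.
SALT = "6d2df50a-250f-4a30-a5e6-d44fb0960aa0"


def normalise_serial(sn):
    """Strip whitespace that is commonly copied along with the label text.
    The serial is otherwise used as printed, slash included."""
    return re.sub(r"\s+", "", sn)


def calc_password(sn, salt=SALT):
    """Return the 8-character password for the given serial number."""
    sn = normalise_serial(sn)
    if not sn:
        raise ValueError("empty serial number")
    digest = hashlib.md5((sn + salt).encode("utf-8")).hexdigest()
    return digest[:8]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: calc_password.py <serial-number>")
    print(calc_password(sys.argv[1]))
```

If this value is rejected over UART, the firmware on that model may simply use a different scheme, as the AX9000 report above suggests; the UART route from the exploit does not depend on it.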

A little off-topic, but I tried your method in AX6000 (rom version 1.0.41) and it worked! Thank you.
The password I already had saved from the site that calculates from the serial number and it worked for me.

Sweet, I know what I'm ordering on pay day

Well, ordering an AX9000 too, hahaha.
@robimarko just remember to make sure to save the firmware somewhere in case they have some fun and delete the vulnerable firmware.

that was honestly fast... impressed


Great news. Maybe I'll get one too. With double the RAM of the AX3600, I guess it can at least run for some days before it goes out of memory due to ath11k.

@Sanzium Great to hear that, they are obviously using the same base for all of the devices.
Do you have a link to that site, so I can link it in the wiki as I have started documenting how to root.

@Ansuel Yeah, I already have all 3 FW releases for AX9000 downloaded locally including 1.0.82, but I think that this has not been fixed even in later versions.


Ok, so I documented the SSH jailbreak as best as I can as well as UART and some other stuff.

Note that this is not persistent by default; we will need something like xqrepack to edit the rootfs and make it permanent.

Also, I just tried on 1.0.108, as it appears to have updated itself to that version and reset the U-Boot env, and the method works.


I would assume/guess that the AX3600 procedure for modifying bdata via the specially formatted crash partition would work here as well.

I have not seen that so far, how does that work?
I mean, xqrepack just needs to be updated to work with this.
All it takes is to enable dropbear by default, change the channel to debug and kill the nvram reset stuff.

Those magic bytes in the crash partition allow editing bdata, see https://www.5v13.com/mesh/26276.html for the details (google translate does a good enough job on it).

Ok, now I understand.
Those are read to recreate the default nvram (U-Boot env in reality) if the bootloader is updated or a firmware update decides to wipe the config.

So editing them would make the changes permanent. Good idea, as I need UART to always work, since that is easier than using the exploit.
