Downgraded to 1.0.82 and with:
http://192.168.31.1/cgi-bin/luci/;stok=0a445755411dc750673aea041adcd06f/api/xqsystem/extendwifi_connect_inited_router?ssid=OpenWrt&password=12345678&encryption=WPA2PSK&enctype=CCMP&channel=11&band=2g&admin_username=user&admin_password=pwd&admin_nonce=xxx
It now returns:
{"msg":"一键换机过程中请求对端接口失败","code":1643}
which is translated:
{"msg":"Failed to request the peer interface during the one-key exchange","code":1643}
Hmm, I can see it connected now but SSH is unfortunately not being enabled.
UPDATE:
It works, SSH is enabled.
I used: http://192.168.31.1/cgi-bin/luci/;stok=0a445755411dc750673aea041adcd06f/api/xqsystem/extendwifi_connect_inited_router?ssid=OpenWrt&password=12345678&encryption=WPA2PSKenctype=CCMP&channel=11&band=2g&admin_username=root&admin_password=admin&admin_nonce=xxx
Now, I gotta figure out the SSH password or not since I got UART enabled through the same exploit.
I will write a full tutorial on how to exploit this, I also downloaded the 1.0.82 image so that if its fixed in later versions anybody can flash it.