OpenWrt support for Xiaomi AX9000

Yes, they really dont respect GPL.

Mine was on 1.0.82 as well by default, I got annoyed and updated it to 1.0.108 late last night.
I think I have 1.0.103 locally as well.

You may be on the right track, because I can find some references to the extended wifi in binaries in the unpacked 1.0.108 firmware, I did no check on the older ones.

Did you try this regarding samba?

No, I think it has a lot of hardcoded stuff for the Technicolor implementation

I thought it's a generic vulnerability.

btw:
Aliexpress asked me to leave a review on there site.

Maybe we should take our chances :slight_smile:

Oh, looks like the functions for it are still in there, but they never registered the entry for them in the index() function for luci to connect it up.

Essentially uncallable. :frowning:

Too bad.

Thanks anyway.

Hmm, then maybe the "mesh" has vulnerabilities?
That looks like the potentially most bug-prone part

I have tried a lot of the API calls I can find, but it looks like all of them are sanitized as even though it returns code 0 nothing happens.

Too bad that it does not use SPI-NOR for U-boot like most devices, then I could simply edit the U-boot env and flash it back.
I have tried using the recovery as well, but it also checks both the header and signature of the image.

I also tried digging through the usual Chinese forums, but nothing on AX9000

How do they generate that signature?

And what would we need to generate a proper signature?

I think its signed with a X.509 certificate as I can find X.509 related stuff as well as nvram values they want to protect like ssh, telnet and UART there in usr/share/xiaoqiang

Basically, the private key the use to sign is required and that is something I doubt that will ever leak.
Or a vulnerability in the algorithm that verifies the images.

Header can be simply copied to the image start, but the signature is also somewhere in the image.
Its not just certificate attached as binwalk does not see it, so they gotta be using their own format.

BTW, I checked and I have 1.0.101 FW locally as well.

I have to say that I am really not paitent with this kind of stuff, I like developing code and not finding a vulnerability in LUA which I have no idea.

It looks like api/xqsystem/extendwifi_connect_inited_router has almost the exact same implementation as api/misystem/extendwifi_connect did, so maybe it was just Xiaomi deduplicating code.

http://api.miwifi.com/upgrade/log/list?typeList=RA70STA
Here you go, the full list of firmwares for the AX9000.
I keep looking at this thread hoping you guys find a vulnerability. I actually have an AX6000, unpacked the ROM and decrypted/decompiled the lua files, but I could not find anything to enable ssh (but I have zero experience with programming and pen testing, so maybe there is something actually obvious on the lua files that I simply didn't see lol).

Edit: I don't know if you know this, but https://github.com/zh-explorer/mi_lua is able to decrypt/transform the lua files from Xiaomi into normal compiled lua files. Just run then through main.py and, after that, through luadec

@namidairo That API link appears to be calling IW directly, as without any args I get this:

	event [-t|-r] [-f]
		Monitor events from the kernel.
		-t - print timestamp
		-r - print relative timstamp
		-f - print full frame for auth/assoc etc.

	features 
		

	phy
	list
		List all wireless devices and their capabilities.

	phy <phyname> info
		Show capabilities for the specified wireless device.

	phy <phyname> channels
		Show available channels.

	dev
		List all network interfaces for wireless hardware.

	dev <devname> info
		Show information for this interface.

	dev <devname> del
		Remove this virtual interface

	dev <devname> interface add <name> type <type> [mesh_id <meshid>] [4addr on|off] [flags <flag>*] [addr <mac-addr>]
	phy <phyname> interface add <name> type <type> [mesh_id <meshid>] [4addr on|off] [flags <flag>*] [addr <mac-addr>]
		Add a new virtual interface with the given configuration.
		Valid interface types are: managed, ibss, monitor, mesh, wds.
		
		The flags are only used for monitor interfaces, valid flags are:
		none:     no special flags
		fcsfail:  show frames with FCS errors
		control:  show control frames
		otherbss: show frames from other BSSes
		cook:     use cooked mode
		active:   use active mode (ACK incoming unicast packets)
		mumimo-groupid <GROUP_ID>: use MUMIMO according to a group id
		mumimo-follow-mac <MAC_ADDRESS>: use MUMIMO according to a MAC address
		
		The mesh_id is used only for mesh mode.

	dev <devname> ibss join <SSID> <freq in MHz> [NOHT|HT20|HT40+|HT40-|5MHz|10MHz|80MHz] [fixed-freq] [<fixed bssid>] [beacon-interval <TU>] [basic-rates <rate in Mbps,rate2,...>] [mcast-rate <rate in Mbps>] [key d:0:abcde]
		Join the IBSS cell with the given SSID, if it doesn't exist create
		it on the given frequency. When fixed frequency is requested, don't
		join/create a cell on a different frequency. When a fixed BSSID is
		requested use that BSSID and do not adopt another cell's BSSID even
		if it has higher TSF and the same SSID. If an IBSS is created, create
		it with the specified basic-rates, multicast-rate and beacon-interval.

	dev <devname> ibss leave
		Leave the current IBSS cell.

	dev <devname> station set <MAC address> vlan <ifindex>
		Set an AP VLAN for this station.

	dev <devname> station dump [-v]
		List all stations known, e.g. the AP on managed interfaces

	dev <devname> station del <MAC address> [subtype <subtype>] [reason-code <code>]
		Remove the given station entry (use with caution!)
		Example subtype values: 0xA (disassociation), 0xC (deauthentication)

	dev <devname> station get <MAC address>
		Get information for a specific station.

	dev <devname> survey dump
		List all gathered channel survey data

	dev <devname> mesh leave
		Leave a mesh.

	dev <devname> mesh join <mesh ID> [[freq <freq in MHz> <NOHT|HT20|HT40+|HT40-|80MHz>] [basic-rates <rate in Mbps,rate2,...>]], [mcast-rate <rate in Mbps>] [beacon-interval <time in TUs>] [dtim-period <value>] [vendor_sync on|off] [<param>=<value>]*
		Join a mesh with the given mesh ID with frequency, basic-rates,
		mcast-rate and mesh parameters. Basic-rates are applied only if
		frequency is provided.

	dev <devname> mpath dump
		List known mesh paths.

	dev <devname> mpath set <destination MAC address> next_hop <next hop MAC address>
		Set an existing mesh path's next hop.

	dev <devname> mpath new <destination MAC address> next_hop <next hop MAC address>
		Create a new mesh path (instead of relying on automatic discovery).

	dev <devname> mpath del <MAC address>
		Remove the mesh path to the given node.

	dev <devname> mpath get <MAC address>
		Get information on mesh path to the given node.

	dev <devname> mpp dump
		List known mesh proxy paths.

	dev <devname> mpp get <MAC address>
		Get information on mesh proxy path to the given node.

	dev <devname> scan [-u] [freq <freq>*] [ies <hex as 00:11:..>] [meshid <meshid>] [lowpri,flush,ap-force] [randomise[=<addr>/<mask>]] [ssid <ssid>*|passive]
		Scan on the given frequencies and probe for the given SSIDs
		(or wildcard if not given) unless passive scanning is requested.
		If -u is specified print unknown data in the scan results.
		Specified (vendor) IEs must be well-formed.

	dev <devname> scan abort 
		Abort ongoing scan

	dev <devname> scan trigger [freq <freq>*] [ies <hex as 00:11:..>] [meshid <meshid>] [lowpri,flush,ap-force] [randomise[=<addr>/<mask>]] [ssid <ssid>*|passive]
		Trigger a scan on the given frequencies with probing for the given
		SSIDs (or wildcard if not given) unless passive scanning is requested.

	dev <devname> scan dump [-u]
		Dump the current scan results. If -u is specified, print unknown
		data in scan results.

	phy <phyname> reg get
		Print out the devices' current regulatory domain information.

	reg get
		Print out the kernel's current regulatory domain information.

	reg set <ISO/IEC 3166-1 alpha2>
		Notify the kernel about the current regulatory domain.

	dev <devname> auth <SSID> <bssid> <type:open|shared> <freq in MHz> [key 0:abcde d:1:6162636465]
		Authenticate with the given network.
		

	dev <devname> connect [-w] <SSID> [<freq in MHz>] [<bssid>] [key 0:abcde d:1:6162636465] [mfp:req/opt/no]
		Join the network with the given SSID (and frequency, BSSID).
		With -w, wait for the connect to finish or fail.

	dev <devname> disconnect
		Disconnect from the current network.

	dev <devname> link
		Print information about the current link, if any.

	phy <phyname> set antenna_gain <antenna gain in dBm>
		Specify antenna gain.

	phy <phyname> set antenna <bitmap> | all | <tx bitmap> <rx bitmap>
		Set a bitmap of allowed antennas to use for TX and RX.
		The driver may reject antenna configurations it cannot support.

	dev <devname> set txpower <auto|fixed|limit> [<tx power in mBm>]
		Specify transmit power level and setting type.

	phy <phyname> set txpower <auto|fixed|limit> [<tx power in mBm>]
		Specify transmit power level and setting type.

	phy <phyname> set distance <auto|distance>
		Enable ACK timeout estimation algorithm (dynack) or set appropriate
		coverage class for given link distance in meters.
		To disable dynack set valid value for coverage class.
		Valid values: 0 - 114750

	phy <phyname> set coverage <coverage class>
		Set coverage class (1 for every 3 usec of air propagation time).
		Valid values: 0 - 255.

	phy <phyname> set netns { <pid> | name <nsname> }
		Put this wireless device into a different network namespace:
		    <pid>    - change network namespace by process id
		    <nsname> - change network namespace by name from /var/run/netns
		               or by absolute path (man ip-netns)
		

	phy <phyname> set retry [short <limit>] [long <limit>]
		Set retry limit.

	phy <phyname> set rts <rts threshold|off>
		Set rts threshold.

	phy <phyname> set frag <fragmentation threshold|off>
		Set fragmentation threshold.

	dev <devname> set channel <channel> [NOHT|HT20|HT40+|HT40-|5MHz|10MHz|80MHz]
	phy <phyname> set channel <channel> [NOHT|HT20|HT40+|HT40-|5MHz|10MHz|80MHz]
	dev <devname> set freq <freq> [NOHT|HT20|HT40+|HT40-|5MHz|10MHz|80MHz]
	dev <devname> set freq <control freq> [5|10|20|40|80|80+80|160] [<center1_freq> [<center2_freq>]]
	phy <phyname> set freq <freq> [NOHT|HT20|HT40+|HT40-|5MHz|10MHz|80MHz]
	phy <phyname> set freq <control freq> [5|10|20|40|80|80+80|160] [<center1_freq> [<center2_freq>]]
		Set frequency/channel the hardware is using, including HT
		configuration.

	phy <phyname> set name <new name>
		Rename this wireless device.

	dev <devname> set mcast_rate <rate in Mbps>
		Set the multicast bitrate.

	dev <devname> set noack_map <map>
		Set the NoAck map for the TIDs. (0x0009 = BE, 0x0006 = BK, 0x0030 = VI, 0x00C0 = VO)

	dev <devname> set 4addr <on|off>
		Set interface 4addr (WDS) mode.

	dev <devname> set type <type>
		Set interface type/mode.
		Valid interface types are: managed, ibss, monitor, mesh, wds.

	dev <devname> set meshid <meshid>
	dev <devname> set monitor <flag>*
		Set monitor flags. Valid flags are:
		none:     no special flags
		fcsfail:  show frames with FCS errors
		control:  show control frames
		otherbss: show frames from other BSSes
		cook:     use cooked mode
		active:   use active mode (ACK incoming unicast packets)
		mumimo-groupid <GROUP_ID>: use MUMIMO according to a group id
		mumimo-follow-mac <MAC_ADDRESS>: use MUMIMO according to a MAC address

	dev <devname> set mesh_param <param>=<value> [<param>=<value>]*
		Set mesh parameter (run command without any to see available ones).

	dev <devname> set power_save <on|off>
		Set power save state to on or off.

	dev <devname> set bitrates [legacy-<2.4|5> <legacy rate in Mbps>*] [ht-mcs-<2.4|5> <MCS index>*] [vht-mcs-<2.4|5> <NSS:MCSx,MCSy... | NSS:MCSx-MCSy>*] [sgi-2.4|lgi-2.4] [sgi-5|lgi-5]
		Sets up the specified rate masks.
		Not passing any arguments would clear the existing mask (if any).

	dev <devname> get mesh_param [<param>]
		Retrieve mesh parameter (run command without any to see available ones).

	dev <devname> get power_save <param>
		Retrieve power save state.


Commands that use the netdev ('dev') can also be given the
'wdev' instead to identify the device.

You can omit the 'phy' or 'dev' if the identification is unique,
e.g. "iw wlan0 info" or "iw phy0 info". (Don't when scripting.)

Do NOT screenscrape this tool, we don't consider its output stable.

Status: 500 Internal Server Error
Content-Type: text/plain
Cache-Control: no-cache
Expires: 0

Internal Server Error

I have tried passing various args but no change.

Hm, appears that AC2350 exploited this.
I have another OpenWrt router configured, and ran this:
http://192.168.2.58/cgi-bin/luci/;stok=9c5111b8484f6b56f9baf11168d33d46/api/xqsystem/extendwifi_connect_inited_router?ssid=OpenWrt&password=12345678&encryption=WPA2PSK&enctype=CCMP&channel=11&band=2g&admin_username=root&admin_password=pwd&admin_nonce=xxx

It times out unfortunately, but its doing something:

[  664.943996] wlan: [30072:I:ANY] wlan_cfg80211_add_virtual_intf: 352: proprietary mode 1 for interface: wl12 : clone params: 0x00000001 
[  664.944062] wlan: [30072:I:ANY] osifp_create_wlan_vap: 9922: VDEV Create a2:9d:7e:7b:d2:9b
[  664.955115] wlan: [30072:I:ANY] wlan_vap_create: 1644: devhandle=0xffffffc0284c0880, opmode=IEEE80211_M_STA, flags=0x1
[  664.955115] 
[  664.963579] wlan: [30072:I:ANY] ol_ath_vap_set_param: 1556: Setting SGI value: 1
[  664.975439] wlan: [30072:I:ANY] ol_ath_vap_set_param: 2609: VDEV params:HE su_bfee:1|su_bfer:1|mu_bfee:0|mu_bfer:0|dl_muofdma:0|ul_muofdma:0|ul_mumimo:1|dl_muofdma_bfer:0
[  664.983023] wlan: [30072:I:ANY] ol_ath_vap_set_param: 2622: he_bf_cap=0x43
[  664.998132] wlan: [30072:I:ANY] ol_ath_vap_set_param: 2637: VDEV params: AC/VHT sounding mode:HE|SU/MU sounding mode:SU|Trig/Non-Trig sounding mode:Non-Trigged
[  665.004966] wlan: [30072:I:ANY] dp_lag_pdev_set_sta_vdev: 68: dp_lag_pdev_set_sta_vdev pdev(ffffffc03dad1408) sta_vdev ffffffc024d65800 
[  665.019201] wlan: [30072:I:ANY] osif_create_vap_complete: 10142: TX Checksum:1|SG:1|TSO:1|LRO:0
[  665.032400] wlan: [30072:I:ANY] dp_lag_pdev_set_sta_vdev: 68: dp_lag_pdev_set_sta_vdev pdev(ffffffc03dad1408) sta_vdev ffffffc024d65800 
[  665.040088] ipaccount: ifname [wl12] event[16]
[  665.053511] ipaccount: ifname [wl12] event[5]
[  665.056883] wlan: [30072:I:ANY] VAP device wl12 created osifp: (ffffffc02d872880) os_if: (ffffffc024da0000)
[  666.089057] ipaccount: ifname [wl12] event[13]
[  666.089367] 8021q: adding VLAN 0 to HW filter on device wl12
[  666.092462] ipaccount: ifname [wl12] event[1]
[  666.098324] ipaccount: ifname [wl12] event[4]
[  666.102702] ipaccount: ifname [wl12] event[4]
[  666.186431] wlan: [10705:I:ANY] wlan_cfg80211_set_wificonfiguration: 10139: wlan_cfg80211_set_wificonfiguration: Unsuported Genric command: 0 
[  674.243841] wlan: [30556:I:ANY] wlan_cfg80211_add_virtual_intf: 352: proprietary mode 1 for interface: wl12 : clone params: 0x00000001 
[  674.243886] wlan: [30556:E:ANY] osif_create_vap_netdev_alloc: 9621: wl12 net dev exists already
[  674.254925] wlan: [30556:I:ANY] osif_create_vap:create netdev failed
[  674.254925] 
[  674.263540] wlan: [30556:I:ANY] wlan_cfg80211_add_virtual_intf: 404: Failed to create VAP. osif_create_vap returned NULL!
[  697.323078] wlan: [30900:I:ANY] wlan_cfg80211_add_virtual_intf: 352: proprietary mode 1 for interface: wl12 : clone params: 0x00000001 
[  697.323123] wlan: [30900:E:ANY] osif_create_vap_netdev_alloc: 9621: wl12 net dev exists already
[  697.334229] wlan: [30900:I:ANY] osif_create_vap:create netdev failed
[  697.334229] 
[  697.342809] wlan: [30900:I:ANY] wlan_cfg80211_add_virtual_intf: 404: Failed to create VAP. osif_create_vap returned NULL!
[  697.606993] wlan: [30922:I:ANY] wlan_cfg80211_add_virtual_intf: 352: proprietary mode 1 for interface: wl12 : clone params: 0x00000001 
[  697.607038] wlan: [30922:E:ANY] osif_create_vap_netdev_alloc: 9621: wl12 net dev exists already
[  697.618046] wlan: [30922:I:ANY] osif_create_vap:create netdev failed
[  697.618046] 
[  697.626661] wlan: [30922:I:ANY] wlan_cfg80211_add_virtual_intf: 404: Failed to create VAP. osif_create_vap returned NULL!
[  706.415773] wlan: [31166:I:ANY] wlan_cfg80211_add_virtual_intf: 352: proprietary mode 1 for interface: wl12 : clone params: 0x00000001 
[  706.415817] wlan: [31166:E:ANY] osif_create_vap_netdev_alloc: 9621: wl12 net dev exists already
[  706.426854] wlan: [31166:I:ANY] osif_create_vap:create netdev failed
[  706.426854] 
[  706.435427] wlan: [31166:I:ANY] wlan_cfg80211_add_virtual_intf: 404: Failed to create VAP. osif_create_vap returned NULL!
[  729.785257] wlan: [31610:I:ANY] wlan_cfg80211_add_virtual_intf: 352: proprietary mode 1 for interface: wl12 : clone params: 0x00000001 
[  729.785304] wlan: [31610:E:ANY] osif_create_vap_netdev_alloc: 9621: wl12 net dev exists already
[  729.797091] wlan: [31610:I:ANY] osif_create_vap:create netdev failed
[  729.797091] 
[  729.805081] wlan: [31610:I:ANY] wlan_cfg80211_add_virtual_intf: 404: Failed to create VAP. osif_create_vap returned NULL!

So, we are nearing something.

@Sanzium Thanks for the link, it confirmed that 1.0.82 is the original FW, 1.0.101 was the first update and 1.0.108 current one.

1 Like

@namidairo
Maybe you can have a look in the usr/lib/lua/xiaoqiang/module/XQBackup.lua.

Looks like there are setting a few variables (L6 macaddr, a base64 encoded value (L2) and so on)

Probably this is the method to encrypt/decrypt the backup file.

But I'm not sure of the right order of the values and which encryption the are actually using (in the lua there is a link to aeslua), but the actual backup file has the suffix .des

Downgraded to 1.0.82 and with:

http://192.168.31.1/cgi-bin/luci/;stok=0a445755411dc750673aea041adcd06f/api/xqsystem/extendwifi_connect_inited_router?ssid=OpenWrt&password=12345678&encryption=WPA2PSK&enctype=CCMP&channel=11&band=2g&admin_username=user&admin_password=pwd&admin_nonce=xxx

It now returns:
{"msg":"一键换机过程中请求对端接口失败","code":1643}
which is translated:

{"msg":"Failed to request the peer interface during the one-key exchange","code":1643}

Hmm, I can see it connected now but SSH is unfortunately not being enabled.

UPDATE:
It works, SSH is enabled.
I used: http://192.168.31.1/cgi-bin/luci/;stok=0a445755411dc750673aea041adcd06f/api/xqsystem/extendwifi_connect_inited_router?ssid=OpenWrt&password=12345678&encryption=WPA2PSKenctype=CCMP&channel=11&band=2g&admin_username=root&admin_password=admin&admin_nonce=xxx

Now, I gotta figure out the SSH password or not since I got UART enabled through the same exploit.

I will write a full tutorial on how to exploit this, I also downloaded the 1.0.82 image so that if its fixed in later versions anybody can flash it.

5 Likes

I would assume/ hope that it's the same password as for other Xiaomi devices, derived from the serial number (e.g. via https://github.com/odedlaz/ax3600-files/blob/master/scripts/calc_passwd.py).

Could be, I just tried an online calculator for per SN based password on Xiaomi routers and that did not work.
Since UART is working its not an problem for me, and we can just add password setting in the exploit string.

1 Like

A little off-topic, but I tried your method in AX6000 (rom version 1.0.41) and it worked! Thank you.
The password I already had saved from the site that calculates from the serial number and it worked for me.

Sweet, I know what I'm ordering on pay day

well ordering a ax9000 too aahhahahah
@robimarko remember just to make sure to save somewhere the firmware in case they have some fun and delete the vulnerable firmware

that was honestly fast... impressed

1 Like

Great news. Maybe I'll get one too. With double the ram of Ax3600 I guess it can at least be run some days before it goes out of memory due to ath11k.