Support for Xiaomi MiWiFi 3C

Looking for root access.

Xiaomi MiWiFi 3C

Under the center of the label lies a philips tapping screw.
The mir3c reset button case hole was enlarged with a 1/8" drill, allowing ballpoint pen access.

Router info
Mi Wi-Fi 3C(R3L) MiWiFi Stable 2.8.27

I managed to install the Taiwan firmware (2.8.27) to get native English menus on the router by holding down the reset button for 20 seconds at boot up so far.
Serial port works one-way only.

When I try to get ssh access, with root access, I get this message:
(the 3 curl for windows files are in the Downloads folder for this exercise)

C:\Users\murra\Downloads>curl -d "oldPwd=12345678&newPwd=12345678" ";stok=4fa0b125e49d5928acbcc85d45a717c3/api/xqsystem/set_name_password"
{"code":1523,"msg":"Invalid value"}

For the mi nano, the message was {"code":0,"msg":""}, indicating a successful browser injection exploit, as per notes

Xiaomi Mi WiFi 3C (Mi Wifi Router 3C / R3C / R3L)
Attaching 3 berg pins to J1 and connecting with a USB PL2303 cable on COM4 115200bps using TeraTerm UART console
From the mir3c J1:

1 —— VCC blank (not a square pad or silkscreened square)
2 —— RX green (PC's USB PL2302 Rx green line)
3 —— GND black (PC's USB PL2302 Rx black line)
4 —— TX white (PC's USB PL2302 Rx white line)

Serial port works one-way only (no input going through pin4, sitting at 3.3V, like pin 1).

[    1.460000] Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
[    1.470000] serial8250: ttyS0 at MMIO 0x10000d00 (irq = 21) is a 16550A
[    1.470000] serial8250: ttyS1 at MMIO 0x10000c00 (irq = 20) is a 16550A
[    1.480000] led=44, on=4000, off=1, blinks,=1, reset=1, time=4000
[    1.490000] Ralink gpio driver initialized
[    1.490000] flash manufacture id: c2, device id 20 18
[    1.500000] MX25L12805D(c2 2018c220) (16384 Kbytes)
[    1.500000] mtd .name = raspi, .size = 0x01000000 (16M) .erasesize = 0x00010000 (64K) .numeraseregions = 0
[    1.510000] Creating 10 MTD partitions on "raspi":
[    1.520000] 0x000000000000-0x000001000000 : "ALL"
[    1.520000] 0x000000000000-0x000000030000 : "Bootloader"
[    1.530000] 0x000000030000-0x000000040000 : "Config"
[    1.540000] 0x000000040000-0x000000050000 : "Bdata"
[    1.540000] 0x000000050000-0x000000060000 : "Factory"
[    1.550000] 0x000000060000-0x000000070000 : "crash"
[    1.560000] 0x000000070000-0x000000080000 : "cfg_bak"
[    1.560000] 0x000000080000-0x000000140000 : "overlay"
[    1.570000] 0x000000140000-0x0000008a0000 : "OS1"
[    1.580000] 0x0000008a0000-0x000001000000 : "OS2"
[    1.580000] mtd: try split OS2 partition
[    1.590000] mtd: split_firmware
[    1.590000] mtd: firmware_partition->size   0x760000
[    1.590000] mtd: firmware_partition->offset 0x8a0000
[    1.600000] mtd: uimage_len 1411044
[    1.600000] mtd: uimage_len 1441792
[    1.610000] mtd: rootfs_partition->size   0x600000
[    1.610000] mtd: rootfs_partition->offset 0xa00000
[    1.620000] mtd: partition "rootfs" created automatically, ofs=A00000, len=600000
[    1.620000] 0x000000a00000-0x000001000000 : "rootfs"
[    1.630000] PPP generic driver version 2.4.2

Things left to do:
get root password first

cd /tmp
mv breed-mt7628-hiwifi-hc5661a.bin breed.img
mtd write breed.img Bootloader
rm breed.img
mv lede-17.01.4-ramips-mt7628-miwifi-nano-squashfs-sysupgrade.bin os1.bin
mtd write os1.bin OS1
rm os1.bin
wget PandoraBox-ralink-mt7628-xiaomi-r1cl-squashfs-sysupgrade-r1468-20151001.bin
mv PandoraBox-ralink-mt7628-xiaomi-r1cl-squashfs-sysupgrade-r1468-20151001.bin os2.bin
mtd write os2.bin OS2

related posts:

How does one flash lede using BREED? I’ve tried to do this a couple of times without success.
You need to merge the kernel and rootfs.

cp lede-ramips-mt7621-mir3g-squashfs-kernel1.bin firmware.bin && truncate --size 4194304 firmware.bin && cat lede-ramips-mt7621-mir3g-squashfs-rootfs0.bin >> firmware.bin
for /f %%i in ("lede-ramips-mt7621-mir3g-squashfs-kernel1.bin") do ( set /a size = 4194304 - %%~zi >nul ) fsutil file createnew dummy.bin %size% >nul copy /y /b lede-ramips-mt7621-mir3g-squashfs-kernel1.bin + /b dummy.bin + /b lede-ramips-mt7621-mir3g-squashfs-rootfs0.bin firmware.bin >nul del dummy.bin

is there a support yet even for openwrt

No, the 3C is not supported.

for the meantime or there will never be?

up there's plenty of 3c here

1 Like

The 3C is a third of the cost of the 3G.

hoping there will be since in core is openwrt...

up up and god bless

is there any way to install packet newt ?

thanks for your help!

Up again :frowning:
It isn't hard to support MT 7628N if someone experienced tries it :frowning:

i hope there would be for this router..

Has three methods of attack.
one for telnet over netcat, telnet and other for ftp direct for filesystem.

Does anyone have the router to test if exploit works?

@murraydr44 @dude789

I tried it its working on firmware 2.9.217 and 2.14.45 and 2.8.51_INT
And SSH is working on 2.9.217 but I dont know the password
get the dev firmware 2.9.217 from here:

I Compiled Padavan from Prometheus for 3C

Sadly the rom I compiled isnt working
But I managed to install Breed Bootloader via telnet (Mi Wifi Nano Bootloader)
And installed Padavan precompiled for Mi Wifi Nano
Need to test all the features now

Any news on this device,
Did it worked?

Try run this exploit. it resets the root user's pw.
This exploit run over speedtest native of firmware.

Ok. This exploit worked? My english is very bad. Sorry.

Yes this worked flawlessly!
After I got access to telnet server, I installed breed bootloader (Only compatible is of Mi Wifi Nano)
Mi Nano Breed Bootloader ->
Instrcutions to install bootloader and Flash Firmwares->

Now for the firmware, I installed OpenWRT 19.07.2 (Mi Wifi Nano) using breed web
Its working, only problem is WAN and LAN1 Ports are interchanged so for internet I need to connect to LAN1, WAN port is working as regular LAN.

Firmware ->