Support for Xiaomi MiWiFi 3C

murraydr44 · February 13, 2018, 7:50pm

Looking for root access.

Xiaomi MiWiFi 3C

https://wikidevi.com/wiki/Xiaomi_MiWiFi_3C

Under the center of the label lies a philips tapping screw.
The mir3c reset button case hole was enlarged with a 1/8" drill, allowing ballpoint pen access.

Router info
Mi Wi-Fi 3C(R3L) MiWiFi Stable 2.8.27

I managed to install the Taiwan firmware (2.8.27) to get native English menus on the router by holding down the reset button for 20 seconds at boot up so far.
Serial port works one-way only.

When I try to get ssh access, with root access, I get this message:
(the 3 curl for windows files are in the Downloads folder for this exercise)

C:\Users\murra\Downloads>curl -d "oldPwd=12345678&newPwd=12345678" "http://192.168.31.1/cgi-bin/luci/;stok=4fa0b125e49d5928acbcc85d45a717c3/api/xqsystem/set_name_password"
{"code":1523,"msg":"Invalid value"}
C:\Users\murra\Downloads>

For the mi nano, the message was {"code":0,"msg":""}, indicating a successful browser injection exploit, as per https://wiki.openwrt.org/toh/xiaomi/nano notes

Xiaomi Mi WiFi 3C (Mi Wifi Router 3C / R3C / R3L)
Attaching 3 berg pins to J1 and connecting with a USB PL2303 cable on COM4 115200bps using TeraTerm UART console
From the mir3c J1:

1 —— VCC blank (not a square pad or silkscreened square)
2 —— RX green (PC's USB PL2302 Rx green line)
3 —— GND black (PC's USB PL2302 Rx black line)
4 —— TX white (PC's USB PL2302 Rx white line)

Serial port works one-way only (no input going through pin4, sitting at 3.3V, like pin 1).

[    1.460000] Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
[    1.470000] serial8250: ttyS0 at MMIO 0x10000d00 (irq = 21) is a 16550A
[    1.470000] serial8250: ttyS1 at MMIO 0x10000c00 (irq = 20) is a 16550A
[    1.480000] led=44, on=4000, off=1, blinks,=1, reset=1, time=4000
[    1.490000] Ralink gpio driver initialized
[    1.490000] flash manufacture id: c2, device id 20 18
[    1.500000] MX25L12805D(c2 2018c220) (16384 Kbytes)
[    1.500000] mtd .name = raspi, .size = 0x01000000 (16M) .erasesize = 0x00010000 (64K) .numeraseregions = 0
[    1.510000] Creating 10 MTD partitions on "raspi":
[    1.520000] 0x000000000000-0x000001000000 : "ALL"
[    1.520000] 0x000000000000-0x000000030000 : "Bootloader"
[    1.530000] 0x000000030000-0x000000040000 : "Config"
[    1.540000] 0x000000040000-0x000000050000 : "Bdata"
[    1.540000] 0x000000050000-0x000000060000 : "Factory"
[    1.550000] 0x000000060000-0x000000070000 : "crash"
[    1.560000] 0x000000070000-0x000000080000 : "cfg_bak"
[    1.560000] 0x000000080000-0x000000140000 : "overlay"
[    1.570000] 0x000000140000-0x0000008a0000 : "OS1"
[    1.580000] 0x0000008a0000-0x000001000000 : "OS2"
[    1.580000] mtd: try split OS2 partition
[    1.590000] mtd: split_firmware
[    1.590000] mtd: firmware_partition->size   0x760000
[    1.590000] mtd: firmware_partition->offset 0x8a0000
[    1.600000] mtd: uimage_len 1411044
[    1.600000] mtd: uimage_len 1441792
[    1.610000] mtd: rootfs_partition->size   0x600000
[    1.610000] mtd: rootfs_partition->offset 0xa00000
[    1.620000] mtd: partition "rootfs" created automatically, ofs=A00000, len=600000
[    1.620000] 0x000000a00000-0x000001000000 : "rootfs"
[    1.630000] PPP generic driver version 2.4.2

Things left to do:
get root password first

ssh 192.168.31.1
cd /tmp
wget https://breed.hackpascal.net/breed-mt7628-hiwifi-hc5661a.bin
mv breed-mt7628-hiwifi-hc5661a.bin breed.img
mtd write breed.img Bootloader
rm breed.img
wget https://downloads.lede-project.org/releases/17.01.4/targets/ramips/mt7628/lede-17.01.4-ramips-mt7628-miwifi-nano-squashfs-sysupgrade.bin
mv lede-17.01.4-ramips-mt7628-miwifi-nano-squashfs-sysupgrade.bin os1.bin
mtd write os1.bin OS1
rm os1.bin
wget PandoraBox-ralink-mt7628-xiaomi-r1cl-squashfs-sysupgrade-r1468-20151001.bin
mv PandoraBox-ralink-mt7628-xiaomi-r1cl-squashfs-sysupgrade-r1468-20151001.bin os2.bin
mtd write os2.bin OS2
reboot

related posts:

LESHIY_ODESSANov '17
How does one flash lede using BREED? I’ve tried to do this a couple of times without success.
You need to merge the kernel and rootfs.

Linux
cp lede-ramips-mt7621-mir3g-squashfs-kernel1.bin firmware.bin && truncate --size 4194304 firmware.bin && cat lede-ramips-mt7621-mir3g-squashfs-rootfs0.bin >> firmware.bin
Windows
for /f %%i in ("lede-ramips-mt7621-mir3g-squashfs-kernel1.bin") do ( set /a size = 4194304 - %%~zi >nul ) fsutil file createnew dummy.bin %size% >nul copy /y /b lede-ramips-mt7621-mir3g-squashfs-kernel1.bin + /b dummy.bin + /b lede-ramips-mt7621-mir3g-squashfs-rootfs0.bin firmware.bin >nul del dummy.bin

jknee00 · February 20, 2018, 1:15pm

is there a support yet even for openwrt

tmomas · February 21, 2018, 6:48am

No, the 3C is not supported.

jknee00 · February 21, 2018, 7:39am

for the meantime or there will never be?

jknee00 · February 22, 2018, 9:57am

up there's plenty of 3c here

murraydr44 · March 2, 2018, 12:00am

The 3C is a third of the cost of the 3G.

jknee00 · March 2, 2018, 1:06am

hoping there will be since in core is openwrt...

jknee00 · March 18, 2018, 11:28am

up up and god bless

doreks · June 22, 2018, 12:26pm

is there any way to install packet newt ?

https://pagure.io/newt

thanks for your help!

dude789 · August 3, 2018, 8:47pm

Up again
It isn't hard to support MT 7628N if someone experienced tries it

jknee00 · August 5, 2018, 2:56pm

i hope there would be for this router..

eduardo010174 · April 28, 2020, 8:52am

https://github.com/acecilia/OpenWRTInvasion

https://github.com/acecilia/OpenWRTInvasion/releases

Has three methods of attack.
one for telnet over netcat, telnet and other for ftp direct for filesystem.

eduardo010174 · May 2, 2020, 4:00pm

Does anyone have the router to test if exploit works?

@murraydr44 @dude789

kshitijqwerty · May 2, 2020, 4:56pm

I tried it its working on firmware 2.9.217 and 2.14.45 and 2.8.51_INT
And SSH is working on 2.9.217 but I dont know the password
get the dev firmware 2.9.217 from here:
https://git.captnemo.in/nemo/mir3c

kshitijqwerty · May 3, 2020, 12:46pm

I Compiled Padavan from Prometheus for 3C
https://drive.google.com/file/d/1331JB1Zyw22M6ZTV0foHMc6UOXKVZz5m/view?usp=sharing

kshitijqwerty · May 3, 2020, 5:02pm

Sadly the rom I compiled isnt working
But I managed to install Breed Bootloader via telnet (Mi Wifi Nano Bootloader)
And installed Padavan precompiled for Mi Wifi Nano
Need to test all the features now

earth08 · May 4, 2020, 3:42pm

Any news on this device,
Did it worked?

eduardo010174 · May 5, 2020, 10:27am

Try run this exploit. it resets the root user's pw.
This exploit run over speedtest native of firmware.

eduardo010174 · May 5, 2020, 10:34am

Ok. This exploit worked? My english is very bad. Sorry.

kshitijqwerty · May 5, 2020, 11:56am

Yes this worked flawlessly!
After I got access to telnet server, I installed breed bootloader (Only compatible is of Mi Wifi Nano)
DONT USE THE MINI BOOTLOADER USE THE ONE FOR NANO FROM BREED OFFICIAL WEBSITE
Mi Nano Breed Bootloader -> https://breed.hackpascal.net/breed-mt7628-hiwifi-hc5661a.bin
Instrcutions to install bootloader and Flash Firmwares->

Now for the firmware, I installed OpenWRT 19.07.2 (Mi Wifi Nano) using breed web
Its working, only problem is WAN and LAN1 Ports are interchanged so for internet I need to connect to LAN1, WAN port is working as regular LAN.

Firmware -> http://downloads.openwrt.org/releases/19.07.2/targets/ramips/mt76x8/openwrt-19.07.2-ramips-mt76x8-miwifi-nano-squashfs-sysupgrade.bin