2nd step

3d step

Thanks a lot for all the work and effort to this amazing community. I just discovered recently and I love it.

Somehow solved. After a few factory resets and following the same procedure... :confused:

https://www.oxygen7.cn/miwifi/ sometimes cannot be accessed, so I made a mirror: https://kopijahe.my.id/miwifi


Thanks for that.

There is also a python script that works https://github.com/YangWang92/AX6S-unlock/raw/master/unlock_pwd.py

FWIW lua has been removed from latest snapshot builds so the xqsystem.lua script won't work.
At the moment latest stable builds are still valid.

Most frustrating problem appreciate help:

• I set up B router, step 4 bullet 3 get {"msg":"connect succces!","code":0}
• Then point 4 bullet 4;stok=f939229610bc973d27ba82c216df279a/api/xqsystem/oneclick_get_remote_token?username=xxx&password=xxx&nonce=xxx

I get message in chinses, the translation is {"msg":"Failed to request the peer interface during one-key switch","code":1643}

I tried with or without a password.
Any ideas about what is going wrong?

I somehow managed to get over error 1643 by resetting and redoing everything.

Now another challenge: I generate a password based on the serial number in two different ways and go the same one.
Nonetheless, when I log in as <[root@]> and type the password, permission is continuously denied.

Any hits?

Interestingly, using the site (typed in SN) and python script (directly looking up SN from bdata) both calculate the same password for my AX3600, but telnet doesn’t accept it in my case either.

Unfortunate as it would make life easier (wouldn’t have to go through setup with internet connected etc) to get token and then use the JS exploit),

Would also love to hear if anyone else has experienced that / if there’s an updated algorithm to calculate the password.

Thanks Eric, so what is the solution you found? Does the exploit work without having the root password?
On the AX6, Telnet is disabled in the first place, SSH could create connection but no password could go through.

I don’t have an AX6. The AX3600 has a browser exploit outlined in the wiki. You may try that to see if it works on AX6 as well.
With that exploit the SSH password is set via the JS.

1 Like

I had success gaining access to a AX6 using the Python script https://raw.githubusercontent.com/YangWang92/AX6S-unlock/master/unlock_pwd.py to calculate the root password.

1 Like