Does the international firmware allow using channels ch52-ch64 and ch100-ch144, assuming those are legal in your region?
If I read the stated advertising/specification correctly, Xiaomi seems to only list ch36-ch48 and ch149-ch165 in compliance with Chinese non-DFS regulations, which would be rather a pity for usage in ETSI/FCC regions.
There is an option to manually upgrade; since I don't have a previous international image file, I cannot determine if you can use this option to downgrade the firmware.
Thank you for providing this information.
After you said that this one doesn't work I tried to search online where Xiaomi keeps other international firmware, and after some research I've seen that you can download international firmware of mi4a from this link:
I've used the bash script below for fuzzing and haven't had success.
I think that 3.0.16 is the initial international firmware that isn't downloadable from the CDNs.
I've taken a look at http://miwifi.com/miwifi_download.html and guessed that the five chars are only hex numbers.
Also some images use "all", some use "firmware", some use "ENG" and some use "INT" for the English firmware.
So that's why I used wfuzz's hexrange for URL fuzzing.
```bash
#!/bin/bash
# fast working example:
# wfuzz -z hexrange,f7f30-f7f3f --filter "c!=404 and c!=403" http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r3600/miwifi_r3600_firmware_FUZZ_1.0.67.bin
# wfuzz -z hexrange,f7f30-f7f3f --filter "c=200" http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r3600/miwifi_r3600_firmware_FUZZ_1.0.67.bin

# CDN base URLs that are known to host Xiaomi firmware images
SERVERS="
http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom
http://bigota.miwifi.com/xiaoqiang/rom
http://cdn.awsde0-fusion.fds.api.mi-img.com/xiaoqiang/rom
"
# Filename patterns seen on the download page; FUZZ is replaced by wfuzz,
# VERSION is substituted below
PATHS="
r3600/miwifi_r3600_firmware_FUZZ_VERSION_INT.bin
r3600/miwifi_r3600_firmware_FUZZ_VERSION_ENG.bin
r3600/miwifi_r3600_firmware_FUZZ_VERSION.bin
r3600/miwifi_r3600_all_FUZZ_VERSION_INT.bin
r3600/miwifi_r3600_all_FUZZ_VERSION_ENG.bin
r3600/miwifi_r3600_all_FUZZ_VERSION.bin
"
VERSION=${1:-"3.0.16"}   # firmware version, first argument, default 3.0.16

# Kill all background wfuzz jobs when the script exits or is interrupted
trap "kill 0" EXIT
trap "exit" INT TERM

for path in $PATHS ; do
    # Run one wfuzz per server in parallel, then wait before the next pattern
    for server in $SERVERS ; do
        wfuzz -z hexrange,00000-fffff --filter "c!=404 and c!=403" "${server}/${path/VERSION/${VERSION}}" &
    done
    wait
done
```
So we have to wait until someone gets an update for their global AX3600/R3600.
There is no point in running the fuzzer the way I did if yours is MUCH MUCH faster (30 days vs 16 hours).
I am afraid that we will not get anything until the first INT firmware update, unless someone manages to dump 3.0.16 from their device (not sure if possible).
How did you find that the name of the router is R3600STA?
If there is any way that I can find the device name from my router / the logs given by Xiaomi's GUI, let me know.
I tried to reverse the miwifi Android app. After some research, the token is a static constant and always the same: sb.append("8007236f-a2d6-4847-ac83-c49395ad6d65");
The 's' parameter is a concatenation of all the parameters of the request, then converted to bytes from UTF-8 and then ciphered.
```java
public static final String a = "SHA";
public static final String b = "MD5";
public static final String c = "HmacMD5";
public static final String d = "PBKDF2WithHmacSHA1";
private static final String e = "HmacSHA1";
private static final String f = "SHA-256";
```
But my reverse crypto skill is not good enough to get further information, sorry.