Xiaomi AX3600 INT firmware

There is an option to manually upgrade; since I don't have a previous international image file, I cannot determine if you can use this option to downgrade the firmware.

2 Likes

3.0.16 is probably the initial INT firmware release.

Can you gain SSH access to it and maybe backup the MTD firmware partition?

I tried to gain SSH access using this link; unfortunately this method doesn't work in this version.

I've finished fuzzing the update server, without positive results. I've tried all addresses that match

http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r3600/miwifi_r3600_all_FUZZ_3.0.16.bin

where FUZZ = 5 lowercase letters and digits.

1 Like

Thank you for providing this information.
After you said that this one doesn't work, I tried to search online for where Xiaomi keeps other international firmware, and after some research I've seen that you can download the international firmware of the Mi 4A from this link:

http://cdn.awsde0-fusion.fds.api.mi-img.com/xiaoqiang/rom/r4a/miwifi_r4a_all_03233_3.0.24_INT.bin

I created a fuzzer myself that will search in:
'http://cdn.awsde0-fusion.fds.api.mi-img.com/xiaoqiang/rom/r3600/miwifi_r3600_all_{fuzz}_3.0.16_INT.bin'
It'll take approximately 16.5 hours for me.

@Leniek if you want to run your fuzzer again, but now including "_INT" before .bin it could be very helpful.

4 Likes

any luck?????

Only 5 digits, I guess.

I've used the bash script below for fuzzing and haven't had success.
I think that 3.0.16 is the initial international firmware that isn't downloadable from the CDNs.

I've taken a look at http://miwifi.com/miwifi_download.html and guessed that the five chars are only hex digits.
Also some images use "all", some use "firmware", and some use "ENG" and some use "INT" for the English firmware.
So that's why I used wfuzz's hexrange for URL fuzzing.

#!/bin/bash
# Try every 5-digit hex tag against each CDN host and path template.
# Usage: ./fuzz.sh [VERSION]   (default: 3.0.16)

# fast working example:
# wfuzz -z hexrange,f7f30-f7f3f --filter "c!=404 and c!=403" http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r3600/miwifi_r3600_firmware_FUZZ_1.0.67.bin
# wfuzz -z hexrange,f7f30-f7f3f --filter "c=200" http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r3600/miwifi_r3600_firmware_FUZZ_1.0.67.bin

command -v wfuzz >/dev/null 2>&1 || { echo "wfuzz not found in PATH" >&2; exit 1; }

# CDN hosts seen in firmware links for other Xiaomi routers
SERVERS="
http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom
http://bigota.miwifi.com/xiaoqiang/rom
http://cdn.awsde0-fusion.fds.api.mi-img.com/xiaoqiang/rom
"

# File-name variants observed on miwifi_download.html; FUZZ is filled by wfuzz,
# VERSION is substituted below
PATHS="
r3600/miwifi_r3600_firmware_FUZZ_VERSION_INT.bin
r3600/miwifi_r3600_firmware_FUZZ_VERSION_ENG.bin
r3600/miwifi_r3600_firmware_FUZZ_VERSION.bin
r3600/miwifi_r3600_all_FUZZ_VERSION_INT.bin
r3600/miwifi_r3600_all_FUZZ_VERSION_ENG.bin
r3600/miwifi_r3600_all_FUZZ_VERSION.bin
"

VERSION=${1:-"3.0.16"}

# kill all background wfuzz jobs when the script exits or is interrupted
trap "kill 0" EXIT
trap "exit" INT TERM

for path in $PATHS ; do
  # run one path template against all servers in parallel, then wait for the batch
  for server in $SERVERS ; do
    wfuzz -z hexrange,00000-fffff --filter "c!=404 and c!=403" "${server}/${path/VERSION/${VERSION}}" &
  done
  wait
done

So we have to wait until someone gets an update for their global AX3600/R3600.

3 Likes

These five characters are most likely the git sha256 hash of the commit that is the base for the image.

1 Like

There is no point in running the fuzzer the way I did if yours is MUCH MUCH faster (30 days vs 16 hours).

I am afraid that we will not get anything until the first INT firmware update, unless someone manages to dump 3.0.16 from their device (not sure if possible).
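The "30 days vs 16 hours" difference above comes down to the size of the tag alphabet: 36 lowercase letters and digits versus 16 hex digits, raised to the fifth power. The following Python is an added illustration, not code from this thread or from Xiaomi; it reuses the hosts and path templates from the bash script, makes no network requests, and only sizes the search space, checks whether the tags already known from real links (f7f3e, 03233) fit a candidate alphabet, and builds the URLs the script would test. The request rate passed to estimate_hours is an assumed value.

```python
import itertools
import string
from typing import Iterable, Iterator

# CDN hosts and path templates exactly as in the thread's bash script.
SERVERS = [
    "http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom",
    "http://bigota.miwifi.com/xiaoqiang/rom",
    "http://cdn.awsde0-fusion.fds.api.mi-img.com/xiaoqiang/rom",
]
PATHS = [
    "r3600/miwifi_r3600_firmware_FUZZ_VERSION_INT.bin",
    "r3600/miwifi_r3600_firmware_FUZZ_VERSION_ENG.bin",
    "r3600/miwifi_r3600_firmware_FUZZ_VERSION.bin",
    "r3600/miwifi_r3600_all_FUZZ_VERSION_INT.bin",
    "r3600/miwifi_r3600_all_FUZZ_VERSION_ENG.bin",
    "r3600/miwifi_r3600_all_FUZZ_VERSION.bin",
]

# Two candidate alphabets discussed in the thread.
HEX = string.digits + "abcdef"
ALNUM = string.digits + string.ascii_lowercase

# Tags seen in real download links quoted in the thread (1.0.67 CN and Mi 4A INT).
KNOWN_TAGS = ["f7f3e", "03233"]


def search_space(charset: str, length: int) -> int:
    """Number of distinct tags of the given length over the charset."""
    return len(charset) ** length


def estimate_hours(charset: str, length: int, requests_per_second: float) -> float:
    """Wall-clock hours to try every tag once at an assumed request rate."""
    return search_space(charset, length) / requests_per_second / 3600.0


def tags_fit_charset(tags: Iterable[str], charset: str) -> bool:
    """True if every known tag uses only characters from the charset.

    This is the check behind "the five chars are only hex numbers": a hypothesis
    about the alphabet must at least be consistent with the tags already observed.
    """
    allowed = set(charset)
    return all(set(tag) <= allowed for tag in tags)


def url_for(server: str, path: str, version: str, tag: str) -> str:
    """Fill VERSION and FUZZ in one path template for one server."""
    return f"{server}/{path}".replace("VERSION", version).replace("FUZZ", tag)


def candidate_urls(servers: Iterable[str], paths: Iterable[str], version: str,
                   charset: str, length: int) -> Iterator[str]:
    """Yield every URL the bash script would ask wfuzz to request."""
    servers, paths = list(servers), list(paths)
    for chars in itertools.product(charset, repeat=length):
        tag = "".join(chars)
        for path in paths:
            for server in servers:
                yield url_for(server, path, version, tag)


if __name__ == "__main__":
    rate = 1000.0  # assumed requests/second, purely for the estimate
    for name, cs in (("hex", HEX), ("alnum", ALNUM)):
        print(f"{name}: {search_space(cs, 5):>10} tags per template, "
              f"~{estimate_hours(cs, 5, rate):.1f} h at {rate:.0f} req/s, "
              f"known tags fit: {tags_fit_charset(KNOWN_TAGS, cs)}")
    print(url_for(SERVERS[0], PATHS[2], "1.0.67", "f7f3e"))
```

The ratio search_space(ALNUM, 5) / search_space(HEX, 5) is about 58, which is the gap between the two posters' run times; both known tags happen to fit the hex alphabet, which is consistent with the narrower guess but does not prove it.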

Hello everyone!
There is a request which outputs JSON with the available firmware:
http://api.miwifi.com/upgrade/log/list?typeList=R3600STA
But
http://api.miwifi.com/upgrade/log/list?typeList=R3600ENG
http://api.miwifi.com/upgrade/log/list?typeList=R3600INT
http://api.miwifi.com/upgrade/log/list?typeList=R3600BETA
do not give JSON. Any ideas?

3 Likes

How did you find that the name of the router is R3600STA?
If there is any way that I can find the device name from my router / the logs given by Xiaomi's GUI, let me know.

According to the logs taken from the router, the git revision of the 3.0.16 INT version is:
5db4a63b1045ba6d638819af5a465ccfecfd8150

http://api.miwifi.com/upgrade/log/list?typeList=R4ASTA
and
http://api.miwifi.com/upgrade/log/list?typeList=R3GSTA
do provide the Asian firmware for the Mi Router 4A and 3G respectively.

We have to find how Xiaomi names the international types for this request.

From here: http://www1.miwifi.com/statics/js/miwifi_js.js?20200225

Maybe worth a try:
http://192.168.31.1/cgi-bin/luci/;stok=<YOU_STOK>/api/xqsystem/init_info
http://192.168.31.1/cgi-bin/luci/;stok=<YOU_STOK>/api/misystem/sys_log

But - cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r3600/miwifi_r3600_firmware_5db4a_3.0.16.bin - 404 error

Hi,
For information, other Xiaomi products (i.e. the vacuum cleaner) use these links too to download package updates:

https://cdn.awsbj0.fds.api.mi-img.com/
https://cdn.awsde0.fds.api.mi-img.com/
https://cdn.awsbj0.fds.api.mi-img.com
https://cdn.cnbj2.fds.api.mi-img.com/
https://cdn.cnbj0.fds.api.mi-img.com/
https://cdn.awsde0.fds.api.mi-img.com

I tried to reverse the miwifi Android app. After some research, the token is a static constant and always the same:
sb.append("8007236f-a2d6-4847-ac83-c49395ad6d65");

The 's' parameter is a concatenation of all the parameters of the request, converted to bytes from UTF-8 and then ciphered.

'
public static final String a = "SHA";
public static final String b = "MD5";
public static final String c = "HmacMD5";
public static final String d = "PBKDF2WithHmacSHA1";
private static final String e = "HmacSHA1";
private static final String f = "SHA-256";
'

But my reverse crypto skills are not good enough to get further information :no_mouth: sorry.

1 Like

I checked the git commit assumption with a known link (for the Chinese 1.0.67 version) and it seems incorrect: the link is http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r3600/miwifi_r3600_firmware_f7f3e_1.0.67.bin (f7f3e) and the git commit is
45608193e74e72cb472f20d06870695779ea1001, so I don't find a connection between the two.

Plus, I ran my fuzzer on http://api.miwifi.com/upgrade/log/list?typeList=R3600{FUZZ} where FUZZ is 3 and 4 uppercase ASCII letters. I can confirm that the only link that responds with a code different from -1 is http://api.miwifi.com/upgrade/log/list?typeList=R3600STA. I will let you know when the 5-letter run finishes if there is any good news.

1 Like

This one looks promising, as it returns URLs for all known FW.
Anyone here with INT firmware?

For my Chinese AX3600 I can get URLs to
1.0.17, 1.0.20, 1.0.50, 1.0.66, 1.0.67