There is an option to manually upgrade; since I don't have a previous international image file, I cannot determine if you can use this option to downgrade the firmware.
3.0.16 is probably the initial INT firmware release.
Can you gain SSH access to it and maybe back up the MTD firmware partition?
I tried to gain SSH access using this link; unfortunately this method doesn't work in this version.
I've finished fuzzing the update server, without positive results. I've tried all addresses that match
http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r3600/miwifi_r3600_all_FUZZ_3.0.16.bin
where FUZZ = 5 lowercase letters and numbers.
Thank you for providing this information.
After you said that this one doesn't work, I tried to search online for where Xiaomi keeps other international firmware, and after some research I've seen that you can download the international firmware of the Mi 4A from this link:
http://cdn.awsde0-fusion.fds.api.mi-img.com/xiaoqiang/rom/r4a/miwifi_r4a_all_03233_3.0.24_INT.bin
I created a fuzzer myself that will search in:
'http://cdn.awsde0-fusion.fds.api.mi-img.com/xiaoqiang/rom/r3600/miwifi_r3600_all_{fuzz}_3.0.16_INT.bin'
It'll take approx. 16.5 hours for me.
@Leniek if you want to run your fuzzer again, but now including "_INT" before .bin, it could be very helpful.
any luck?????
Only 5 numbers, I guess.
I've used the bash script below for fuzzing and haven't had success.
I think that 3.0.16 is the initial international firmware that isn't downloadable from the CDNs.
I took a look at http://miwifi.com/miwifi_download.html and guessed that the five chars are only hex numbers.
Also some images use "all", some use "firmware", and some use "ENG" and some use "INT" for the English firmware.
So that's why I used wfuzz's hexrange for URL fuzzing.
#!/bin/bash
# fast working example (known 1.0.67 image, tag f7f3e lies in this small range):
# wfuzz -z hexrange,f7f30-f7f3f --filter "c!=404 and c!=403" http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r3600/miwifi_r3600_firmware_FUZZ_1.0.67.bin
# wfuzz -z hexrange,f7f30-f7f3f --filter "c=200" http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r3600/miwifi_r3600_firmware_FUZZ_1.0.67.bin

# CDN hosts known to serve Xiaomi router images
SERVERS="
http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom
http://bigota.miwifi.com/xiaoqiang/rom
http://cdn.awsde0-fusion.fds.api.mi-img.com/xiaoqiang/rom
"
# Filename patterns seen on miwifi.com; FUZZ is expanded by wfuzz, VERSION by this script
PATHS="
r3600/miwifi_r3600_firmware_FUZZ_VERSION_INT.bin
r3600/miwifi_r3600_firmware_FUZZ_VERSION_ENG.bin
r3600/miwifi_r3600_firmware_FUZZ_VERSION.bin
r3600/miwifi_r3600_all_FUZZ_VERSION_INT.bin
r3600/miwifi_r3600_all_FUZZ_VERSION_ENG.bin
r3600/miwifi_r3600_all_FUZZ_VERSION.bin
"
# Firmware version to look for; defaults to 3.0.16, override with the first argument
VERSION=${1:-"3.0.16"}
# Kill all background wfuzz jobs when the script exits, and exit cleanly on Ctrl-C
trap "kill 0" EXIT
trap "exit" INT TERM
for path in $PATHS ; do
    # one wfuzz per server, run in parallel for the current path pattern;
    # the filter hides "not found" and "forbidden" responses so only hits are printed
    for server in $SERVERS ; do
        wfuzz -z hexrange,00000-fffff --filter "c!=404 and c!=403" "${server}/${path/VERSION/${VERSION}}" &
    done
    # wait for all servers to finish before moving on to the next pattern
    wait
done
So we have to wait until anyone gets an update for their global AX3600/R3600.
These five characters are most likely the git sha256 hash of the commit that is the base for the image.
There is no point in running the fuzzer the way I did if yours is MUCH MUCH faster (30 days vs 16 hours).
I am afraid that we will not get anything until the first INT firmware update, unless someone manages to dump 3.0.16 from their device (not sure if possible).
Hello everyone!
There is such a request, which outputs JSON with available firmware:
http://api.miwifi.com/upgrade/log/list?typeList=R3600STA
But
http://api.miwifi.com/upgrade/log/list?typeList=R3600ENG
http://api.miwifi.com/upgrade/log/list?typeList=R3600INT
http://api.miwifi.com/upgrade/log/list?typeList=R3600BETA
do not give JSON; any ideas?
How did you find that the name of the router is R3600STA?
If there is any way that I can find the device name from my router / the logs given from Xiaomi's GUI, let me know.
According to the logs taken from the router, the git revision of the 3.0.16 INT version is:
5db4a63b1045ba6d638819af5a465ccfecfd8150
http://api.miwifi.com/upgrade/log/list?typeList=R4ASTA
and
http://api.miwifi.com/upgrade/log/list?typeList=R3GSTA
do provide the Asian firmware for Mi Router 4A and 3G respectively.
We have to find out how Xiaomi names the international types for this request.
from here http://www1.miwifi.com/statics/js/miwifi_js.js?20200225
maybe worth a try:
http://192.168.31.1/cgi-bin/luci/;stok=<YOU_STOK>/api/xqsystem/init_info
http://192.168.31.1/cgi-bin/luci/;stok=<YOU_STOK>/api/misystem/sys_log
But cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r3600/miwifi_r3600_firmware_5db4a_3.0.16.bin gives a 404 error.
hi,
For information, other Xiaomi products (i.e. vacuum cleaner) use these links too to download package updates:
https://cdn.awsbj0.fds.api.mi-img.com/
https://cdn.awsde0.fds.api.mi-img.com/
https://cdn.cnbj2.fds.api.mi-img.com/
https://cdn.cnbj0.fds.api.mi-img.com/
I tried to reverse the MiWiFi Android app. After some research, the token is a static constant and always the same:
sb.append("8007236f-a2d6-4847-ac83-c49395ad6d65");
The 's' parameter is a concatenation of all the parameters of the request, then converted to bytes from UTF-8 and then ciphered. The algorithm names present in the app are:
public static final String a = "SHA";
public static final String b = "MD5";
public static final String c = "HmacMD5";
public static final String d = "PBKDF2WithHmacSHA1";
private static final String e = "HmacSHA1";
private static final String f = "SHA-256";
But my reverse crypto skills are not good enough to get further information, sorry.
I checked the git commit assumption with a known link (for the Chinese 1.0.67 version) and it seems incorrect: the link is http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r3600/miwifi_r3600_firmware_f7f3e_1.0.67.bin (f7f3e) and the git commit is
45608193e74e72cb472f20d06870695779ea1001, so I don't find a connection between the two.
Plus, I ran my fuzzer on http://api.miwifi.com/upgrade/log/list?typeList=R3600{FUZZ} where FUZZ is ascii_uppercase of 3 and 4 letters. I can confirm that the only link that responds with a code different from -1 is http://api.miwifi.com/upgrade/log/list?typeList=R3600STA. I will let you know when the 5-letter run finishes if there is any good news.
This one looks promising, as it returns URLs for all known FW.
Anyone here with INT firmware?
For my Chinese AX3600 I can get URLs for
1.0.17, 1.0.20, 1.0.50, 1.0.66, 1.0.67