Xiaomi MiWIFI Mesh Router (D01) support

Hah, ive tried to push original image ive downloaded from official site, but it said

Invalid signature
Header check error!

UPD. False alert, it's fine, file was really broken)))

fw recovery log

Looks like this isn´t useable for custom firmware flashing... :frowning:

But i think there is no signature check on a already flashed image as they are using a fit image (new uImage format) without signature.

So you have to find a way how to interrupt the boot process at the bootloader level or how to get a shell on linux.

Good luck

I can interrupt it only once, at first boot after successful recovery i can enter into uboot shell and run any commands


U-Boot 2012.07 [Standard IPQ806X.LN,unknown] (Jul 02 2019 - 11:17:57)

smem ram ptable found: ver: 1 len: 3
 ---- init buttons ----
DRAM:  256 MiB
machid : 0x8010001
NAND:  ID = 9580d1c8
Vendor = c8
Device = d1
ONFI device found
SF NAND unsupported id:ff:ff:ff:ffSF: Unsupported manufacturer ff
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
128 MiB
MMC:   
In:    serial
Out:   serial
Err:   serial
machid: 8010001
flash_type: 2
 restore_defaults is set, enlarge xqup detect time 
 trigger button release!
Hit any key to stop autoboot:  5  0 
Net:    , sfi->flash_type vs SMEM_BOOT_MMC_FLASH: 5 vs 132 
MAC0 addr:50:d2:f5:15:65:22
PHY ID1: 0x4d
PHY ID2: 0xd0b1
 setup phy led ctrl pattern 
ipq40xx_ess_sw_init done
eth0

(IPQ40xx) # 

(IPQ40xx) # 

(IPQ40xx) # 

(IPQ40xx) # help

?       - alias for 'help'
base    - print or set address offset
bootipq - bootipq from flash device
bootm   - boot application image from memory
bootmiwifi- bootmiwifi from flash device
bootp   - boot image via network using BOOTP/TFTP protocol
btnc    -  check reset button if pressed to 5s  - if so ret 1 

btni    -  init gpios for button 

chpart  - change active partition
cmp     - memory compare
cp      - memory copy
crc32   - checksum calculation
dhcp    - boot image via network using DHCP/TFTP protocol
dumpipq_data- dumpipq_data crashdump collection from memory
dumpipq_flash_data- dumpipq_flash_data crashdump collection and storing in flash
echo    - echo args to console
env     - environment handling commands
exit    - exit script
false   - do nothing, unsuccessfully
fdt     - flattened device tree utility commands
fuseipq - fuse QFPROM registers from memory

go      - start application at address 'addr'
help    - print command description/usage
i2c     - I2C sub-system
iminfo  - print header information for application image
imxtract- extract a part of a multi-image
loadb   - load binary file over serial line (kermit mode)
loady   - load binary file over serial line (ymodem mode)
loop    - infinite loop on address range
md      - memory display
mii     - MII utility commands
mm      - memory modify (auto-incrementing address)
mmc     - MMC sub system
mmcinfo - display MMC info
mtdparts- define flash/nand partitions
mtest   - simple RAM read/write test
mw      - memory write (fill)
nand    - NAND sub-system
nboot   - boot from NAND device
nm      - memory modify (constant address)
pci     - list and access PCI Configuration Space
phyled  - debug - 8075 phy led dump / write
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset   - Perform RESET of the CPU
rgbled  - rgbled
rmemcrash-  miwifi check and save crash buff to mtd
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
sf      - SPI flash sub-system
showvar - print local hushshell variables
smeminfo- print SMEM FLASH information
source  - run script from memory
test    - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
tftpput - TFTP put command, for uploading files to a server
true    - do nothing, successfully
uartrd  - uartrd read from second UART
uartwr  - uartwr to second UART
ubi     - ubi commands
version - print monitor, compiler and linker version
xqup    -  load image and upgrade to flash 

(IPQ40xx) # 

tried to boot linksys image for lulz, failed, but it's a good news anyway

Filename 'ls_fact.bin'.
Load address: 0x84000000
Loading: *#################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 ###############################################################
done
Bytes transferred = 7602432 (740100 hex)
(IPQ40xx) # bootm

## Booting kernel from FIT Image at 84000000 ...
   Using 'config@1' configuration
   Trying 'kernel@1' kernel subimage
     Description:  ARM OpenWrt Linux-4.14.162
     Type:         Kernel Image
     Compression:  uncompressed
     Data Start:   0x840000e4
     Data Size:    2053816 Bytes = 2 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x80208000
     Entry Point:  0x80208000
     Hash algo:    crc32
     Hash value:   69ecc29d
     Hash algo:    sha1
     Hash value:   5c7480088d8997df312c76ac5136e39347b7d42a
   Verifying Hash Integrity ... crc32+ sha1+ OK
## Flattened Device Tree from FIT Image at 84000000
   Using 'config@1' configuration
   Trying 'fdt@1' FDT blob subimage
     Description:  ARM OpenWrt linksys_ea8300 device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x841f58d4
     Data Size:    17347 Bytes = 16.9 KiB
     Architecture: ARM
     Hash algo:    crc32
     Hash value:   e828b72b
     Hash algo:    sha1
     Hash value:   eb01db16b1f68c863b28c8cb2d373703c8535a0a
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Booting using the fdt blob at 0x841f58d4
   Loading Kernel Image ... OK
OK
   Loading Device Tree to 86ff8000, end 86fff3c2 ... OK
Device nand2 not found!
 ft_board_setup, miwifi gmac_no = 4 
 , sfi->flash_type vs SMEM_BOOT_MMC_FLASH: 5 vs 132 
 ipq40xx_set_ethmac_addr, miwifi  eth0addr =  50:d2:f5:15:65:22 
 ipq40xx_set_ethmac_addr, miwifi  eth1addr =  50:d2:f5:15:65:23 
 ipq40xx_set_ethmac_addr, miwifi  eth2addr =  50:d2:f5:15:65:27 
 ipq40xx_set_ethmac_addr, miwifi  eth3addr =  50:d2:f5:15:65:28 
Using machid 0x8010001 from environment

Starting kernel ...

[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] Linux version 4.14.162 (builder@buildhost) (gcc version 7.5.0 (OpenWrt GCC 7.5.0 r10860-a3ffeb413b)) #0 SMP Mon Jan 6 16:47:09 2020
[    0.000000] CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c5387d
[    0.000000] CPU: div instructions available: patching division code
[    0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
[    0.000000] OF: fdt: Machine model: Linksys EA8300 (Dallas)
[    0.000000] Memory policy: Data cache writealloc
[    0.000000] random: get_random_bytes called from 0xc09008d0 with crng_init=0
[    0.000000] percpu: Embedded 15 pages/cpu s29388 r8192 d23860 u61440
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 64512
[    0.000000] Kernel command line:  root=/dev/ubiblock0_0 rootfstype=squashfs ro
[    0.000000] PID hash table entries: 1024 (order: 0, 4096 bytes)
[    0.000000] Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
[    0.000000] Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Memory: 249924K/260096K available (4452K kernel code, 146K rwdata, 688K rodata, 1024K init, 236K bss, 10172K reserved, 0K cma-reserved, 0K highmem)
[    0.000000] Virtual kernel memory layout:
[    0.000000]     vector  : 0xffff0000 - 0xffff1000   (   4 kB)
[    0.000000]     fixmap  : 0xffc00000 - 0xfff00000   (3072 kB)
[    0.000000]     vmalloc : 0xd0800000 - 0xff800000   ( 752 MB)
[    0.000000]     lowmem  : 0xc0000000 - 0xd0000000   ( 256 MB)
[    0.000000]     pkmap   : 0xbfe00000 - 0xc0000000   (   2 MB)
[    0.000000]     modules : 0xbf000000 - 0xbfe00000   (  14 MB)
[    0.000000]       .text : 0xc0208000 - 0xc0759078   (5445 kB)
[    0.000000]       .init : 0xc0900000 - 0xc0a00000   (1024 kB)
[    0.000000]       .data : 0xc0a00000 - 0xc0a24b80   ( 147 kB)
[    0.000000]        .bss : 0xc0a26000 - 0xc0a61018   ( 237 kB)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[    0.000000] Hierarchical RCU implementation.
[    0.000000] NR_IRQS: 16, nr_irqs: 16, preallocated irqs: 16
[    0.000000] arch_timer: cp15 timer(s) running at 48.00MHz (virt).
[    0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0xb11fd3bfb, max_idle_ns: 440795203732 ns
[    0.000008] sched_clock: 56 bits at 48MHz, resolution 20ns, wraps every 4398046511096ns
[    0.000022] Switching to timer-based delay loop, resolution 20ns
[    0.000254] Calibrating delay loop (skipped), value calculated using timer frequency.. 96.00 BogoMIPS (lpj=480000)
[    0.000271] pid_max: default: 32768 minimum: 301
[    0.000404] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.000419] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.000951] CPU: Testing write buffer coherency: ok
[    0.001625] Setting up static identity map for 0x80300000 - 0x80300060
[    0.001766] Hierarchical SRCU implementation.
[    0.002410] smp: Bringing up secondary CPUs ...
[    0.005092] smp: Brought up 1 node, 4 CPUs
[    0.005111] SMP: Total of 4 processors activated (384.00 BogoMIPS).
[    0.005119] CPU: All CPU(s) started in SVC mode.
[    0.009266] VFP support v0.3: implementor 41 architecture 2 part 30 variant 7 rev 5
[    0.009418] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.009441] futex hash table entries: 1024 (order: 4, 65536 bytes)
[    0.009619] pinctrl core: initialized pinctrl subsystem
[    0.010527] NET: Registered protocol family 16
[    0.010827] DMA: preallocated 256 KiB pool for atomic coherent allocations
[    0.011813] cpuidle: using governor ladder
[    0.011856] cpuidle: using governor menu
[    0.029002] usbcore: registered new interface driver usbfs
[    0.029062] usbcore: registered new interface driver hub
[    0.029147] usbcore: registered new device driver usb
[    0.029191] pps_core: LinuxPPS API ver. 1 registered
[    0.029200] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
[    0.029224] PTP clock support registered
[    0.030483] clocksource: Switched to clocksource arch_sys_counter
[    0.031304] NET: Registered protocol family 2
[    0.031972] TCP established hash table entries: 2048 (order: 1, 8192 bytes)
[    0.032013] TCP bind hash table entries: 2048 (order: 2, 16384 bytes)
[    0.032062] TCP: Hash tables configured (established 2048 bind 2048)
[    0.032166] UDP hash table entries: 256 (order: 1, 8192 bytes)
[    0.032201] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[    0.032383] NET: Registered protocol family 1
[    0.033386] No memory allocated for crashlog
[    0.033586] workingset: timestamp_bits=30 max_order=16 bucket_order=0
[    0.036806] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.036821] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.041858] io scheduler noop registered
[    0.041876] io scheduler deadline registered (default)
[    0.043612] OF: PCI: host bridge /soc/pci@40000000 ranges:
[    0.043648] OF: PCI:    IO 0x40200000..0x402fffff -> 0x40200000
[    0.043666] OF: PCI:   MEM 0x40300000..0x40ffffff -> 0x40300000
[    1.160491] qcom-pcie 40000000.pci: phy link never came up
[    1.170519] qcom-pcie 40000000.pci: cannot initialize host
[    1.170627] qcom-pcie: probe of 40000000.pci failed with error -110
[    1.172019] bam-dma-engine 8e04000.dma: num-channels unspecified in dt
[    1.172036] bam-dma-engine 8e04000.dma: num-ees unspecified in dt
[    1.173298] tcsr 1949000.tcsr: setting wifi_glb_cfg = 41000000
[    1.173387] tcsr 194b000.tcsr: setting usb hs phy mode select = e700e7
[    1.173461] tcsr 1953000.ess_tcsr: setting ess interface select = 0
[    1.173534] tcsr 1957000.tcsr: setting wifi_noc_memtype_m0_m2 = 2222222
[    1.173767] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled
[    1.175466] msm_serial 78af000.serial: msm_serial: detected port #0
[    1.175514] msm_serial 78af000.serial: uartclk = 1843200
[    1.175566] 78af000.serial: ttyMSM0 at MMIO 0x78af000 (irq = 24, base_baud = 115200) is a MSM
[    1.175592] msm_serial: console setup on port #0
[    1.718414] console [ttyMSM0] enabled
[    1.723317] msm_serial: driver initialized
[    1.730860] loop: module loaded
[    1.732389] nand: device found, Manufacturer ID: 0xc8, Chip ID: 0xd1
[    1.733657] nand: ESMT PSU1GA30DT
[    1.740250] nand: 128 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
[    1.743598] 16 fixed-partitions partitions found on MTD device qcom_nand.0
[    1.750947] Creating 16 MTD partitions on "qcom_nand.0":
[    1.757800] 0x000000000000-0x000000100000 : "sbl1"
[    1.764722] 0x000000100000-0x000000200000 : "mibib"
[    1.769222] 0x000000200000-0x000000300000 : "qsee"
[    1.774034] 0x000000300000-0x000000380000 : "cdt"
[    1.778452] 0x000000380000-0x000000400000 : "appsblenv"
[    1.783273] 0x000000400000-0x000000480000 : "ART"
[    1.788263] 0x000000480000-0x000000680000 : "appsbl"
[    1.794336] 0x000000680000-0x000000700000 : "u_env"
[    1.798165] 0x000000700000-0x000000740000 : "s_env"
[    1.802586] 0x000000740000-0x000000780000 : "devinfo"
[    1.807425] 0x000000780000-0x000005f80000 : "kernel"
[    1.818441] random: fast init done
[    1.882079] 0x000000a80000-0x000005f80000 : "rootfs"
[    1.949811] mtd: device 11 (rootfs) set to be root filesystem
[    1.950106] mtdsplit: no squashfs found in "rootfs"
[    1.954584] 0x000005f80000-0x00000b780000 : "alt_kernel"
[    1.959224] mtd: partition "alt_kernel" extends beyond the end of device "qcom_nand.0" -- size truncated to 0x2080000
[    1.991007] 0x000006280000-0x00000b780000 : "alt_rootfs"
[    1.991035] mtd: partition "alt_rootfs" extends beyond the end of device "qcom_nand.0" -- size truncated to 0x1d80000
[    2.019274] 0x00000b780000-0x00000b880000 : "sysdiag"
[    2.019299] mtd: partition "sysdiag" is out of reach -- disabled
[    2.023877] 0x00000b880000-0x00000ff00000 : "syscfg"
[    2.029376] mtd: partition "syscfg" is out of reach -- disabled
[    2.035805] libphy: ipq40xx_mdio: probed
[    2.070676] ESS reset ok!
[    2.103666] ESS reset ok!
[    2.540861] libphy: Fixed MDIO Bus: probed
[    2.640609] i2c /dev entries driver
[    2.671426] NET: Registered protocol family 10
[    2.673694] Segment Routing with IPv6
[    2.674869] NET: Registered protocol family 17
[    2.678556] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[    2.683271] 8021q: 802.1Q VLAN Support v1.8
[    2.696094] Registering SWP/SWPB emulation handler
⸮[    2.706102] VFS: Cannot open root device "ubiblock0_0" or unknown-block(0,0): error -6
[    2.706134] Please append a correct "root=" boot option; here are the available partitions:
[    2.712970] 1f00            1024 mtdblock0 
[    2.712975]  (driver?)
[    2.725328] 1f01            1024 mtdblock1 
[    2.725333]  (driver?)
[    2.731851] 1f02            1024 mtdblock2 
[    2.731856]  (driver?)
[    2.738344] 1f03             512 mtdblock3 
[    2.738348]  (driver?)
[    2.744851] 1f04             512 mtdblock4 
[    2.744855]  (driver?)
[    2.751371] 1f05             512 mtdblock5 
[    2.751375]  (driver?)
[    2.757872] 1f06            2048 mtdblock6 
[    2.757875]  (driver?)
[    2.764394] 1f07             512 mtdblock7 
[    2.764397]  (driver?)
[    2.770904] 1f08             256 mtdblock8 
[    2.770907]  (driver?)
[    2.777404] 1f09             256 mtdblock9 
[    2.777407]  (driver?)
[    2.783939] 1f0a           90112 mtdblock10 
[    2.783944]  (driver?)
[    2.790783] 1f0b           87040 mtdblock11 
[    2.790787]  (driver?)
[    2.797370] 1f0c           33280 mtdblock12 
[    2.797373]  (driver?)
[    2.803977] 1f0d           30208 mtdblock13 
[    2.803981]  (driver?)
[    2.810574] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
[    2.812749] CPU0: stopping
[    2.820982] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.14.162 #0
[    2.823672] Hardware name: Generic DT based system
[    2.829846] Function entered at [<c030e2a8>] from [<c030a7a8>]
[    2.834525] Function entered at [<c030a7a8>] from [<c073f994>]
[    2.840342] Function entered at [<c073f994>] from [<c030d58c>]
[    2.846155] Function entered at [<c030d58c>] from [<c030143c>]
[    2.851973] Function entered at [<c030143c>] from [<c030b30c>]
[    2.857789] Exception stack(0xc0a01f40 to 0xc0a01f88)
[    2.863610] 1f40: 00000001 00000000 00000000 c0313960 ffffe000 c0a03cb8 c0a03c6c 00000000
[    2.868736] 1f60: 00000000 00000001 cfffcdc0 c092da28 c0a01f88 c0a01f90 c0307d88 c0307d8c
[    2.876888] 1f80: 60000013 ffffffff
[    2.885042] Function entered at [<c030b30c>] from [<c0307d8c>]
[    2.888345] Function entered at [<c0307d8c>] from [<c0352058>]
[    2.894248] Function entered at [<c0352058>] from [<c0352378>]
[    2.900064] Function entered at [<c0352378>] from [<c0900c04>]
[    2.905880] Function entered at [<c0900c04>] from [<8020807c>]
[    2.911698] CPU1: stopping
[    2.917509] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.14.162 #0
[    2.920199] Hardware name: Generic DT based system
[    2.926365] Function entered at [<c030e2a8>] from [<c030a7a8>]
[    2.931053] Function entered at [<c030a7a8>] from [<c073f994>]
[    2.936866] Function entered at [<c073f994>] from [<c030d58c>]
[    2.942684] Function entered at [<c030d58c>] from [<c030143c>]
[    2.948500] Function entered at [<c030143c>] from [<c030b30c>]
[    2.954315] Exception stack(0xcf859f80 to 0xcf859fc8)
[    2.960137] 9f80: 00000001 00000000 00000000 c0313960 ffffe000 c0a03cb8 c0a03c6c 00000000
[    2.965265] 9fa0: 00000000 410fc075 00000000 00000000 cf859fc8 cf859fd0 c0307d88 c0307d8c
[    2.973418] 9fc0: 60000013 ffffffff
[    2.981569] Function entered at [<c030b30c>] from [<c0307d8c>]
[    2.984871] Function entered at [<c0307d8c>] from [<c0352058>]
[    2.990775] Function entered at [<c0352058>] from [<c0352378>]
[    2.996589] Function entered at [<c0352378>] from [<8030170c>]
[    3.002406] CPU2: stopping
[    3.008220] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.14.162 #0
[    3.010911] Hardware name: Generic DT based system
[    3.017078] Function entered at [<c030e2a8>] from [<c030a7a8>]
[    3.021764] Function entered at [<c030a7a8>] from [<c073f994>]
[    3.027580] Function entered at [<c073f994>] from [<c030d58c>]
[    3.033395] Function entered at [<c030d58c>] from [<c030143c>]
[    3.039212] Function entered at [<c030143c>] from [<c030b30c>]
[    3.045028] Exception stack(0xcf85bf80 to 0xcf85bfc8)
[    3.050849] bf80: 00000001 00000000 00000000 c0313960 ffffe000 c0a03cb8 c0a03c6c 00000000
[    3.055977] bfa0: 00000000 410fc075 00000000 00000000 cf85bfc8 cf85bfd0 c0307d88 c0307d8c
[    3.064129] bfc0: 60000013 ffffffff
[    3.072279] Function entered at [<c030b30c>] from [<c0307d8c>]
[    3.075582] Function entered at [<c0307d8c>] from [<c0352058>]
[    3.081485] Function entered at [<c0352058>] from [<c0352378>]
[    3.087301] Function entered at [<c0352378>] from [<8030170c>]
[    3.093126] Rebooting in 1 seconds..

Seems promising :slight_smile:

There are a lot usefull available commands in uboot :slight_smile:

You should try to boot a initram image first... Is a lot easier without persistent storage at the beginning.

1 Like

yeah, thats what i just have done :grin:

https://pastebin.com/edkN7CZj

seems like i need to start with custom dts file to define partitions at least and build my own initramfs
huh, im a noob in dts stuff but i will try to do smth

upd.
@juppin
i cant make new replies, cuz registered at new board only yesterday, so its limiting my replies count

but i wanna say ive got a working console for the stock rom :crazy_face:

1 Like

Learning something new is always great...
I think here are a lot people that can assist you and you have a lot examples in the source tree.

I would start with a almost clean dts (soc and basic hw like serial) and go step by step for every peace of the device specific hw.

Probably this will be my next device to play with, thanks :slight_smile:

1 Like

For partition layout, you can do it like on the xiaomi mir3g and use only kernel1 for the kernel and merge everything behind into a single ubi partition. But check what the hell "cfg_bak" is and if we can merge it also into "ubi".

:partying_face:

1 Like
1 Like

Good work.

Why not squashing everything between kernel1 and cfg_bak into a big single writeable ubi partition?

Or implement real dual partition layout with added u-boot env support.
u-boot env support has to be added here:

You should add a install description to the commit message and some details about how specs.

at this moment ive kept stock as a backup system, it can be easy switched modifying one ubootenv var
imo 40Mb (23Mb free) is enuff space to start with

1 Like

@stas2z could you please explain a bit how you managed to flash OpenWRT? Maybe is helpful for the MIRouter 4A, which at the time has no easy way for flashing (Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit): fully supported but requires overwriting SPI flash with programmer) :slight_smile:

ive already answered similar question here

Nice. Yes, agree, the firmwares do not include telnet/ssh. I managed to get a shell on the Xiaomi 4A by using netcat: https://security.stackexchange.com/questions/53345/can-pipe-shell-nc-pipe-achieve-remote-shell

sure, netcat is a nice solution, ive used netcat when i tried to upload standalone busybox binary to it
but to use netcat you need to get access to the shell anyway

1 Like

Where did you find a stand-alone busybox?

I assume he built a static busybox with the sdk.

Or from here: https://www.busybox.net/downloads/binaries/1.31.0-defconfig-multiarch-musl/

1 Like

i am so sorry fo stupid question..... but i cant find any good instruction how to install open wrt on D01 Xiaomi mi mesh....
if it possible can u give me some advice. from what can i start? this is me first time for installing open wrt, but i have not another device for experiments....
with best regards
Young Padawan of open wrt tech )

There is no easy way to build and install openwrt to this device. Very bad choise to start with.