OpenWrt Forum Archive

Topic: Xiaomi Mi Wifi Nano

The content of this topic has been archived between 22 Mar 2018 and 27 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

UbuntuInMacBook wrote:

Please, is it possible that someone who has ssh access to Nano can do this to any firmware file and then enable ssh:
mkxqimage -x <firmware_name.bin>

Here is a guide on how to validate modified firmware (if you don't understand Chinese, use Chrome and a translator):
http://www.iptvfans.cn/wiki/index.php/% … E%E6%94%B9

In original firmware mkxqimage is in /bin/ folder. You can copy private.pem and public.pem from that web site.

I tried to do it in mini router with official OpenWrt release, and it can't find /proc/xiaoqiang/model file. I copied mkxqimage and crypt 1.0.0 library from nano filesystem to mini router without success. I don't have access to nano, so I can't do it there.

I can try, but I don't get it. Nano doesn't have access to SSH.

If you have UART connected to Nano then you can take a serial connection to Nano and do those things. Right?
Personally I can't do that, because I can barely solder two cables together.

Or perhaps it might be possible somehow to create a fake file at /proc/xiaoqiang/model in Mini router and tell it that this is r1cl.

(Last edited by UbuntuInMacBook on 8 Dec 2015, 22:16)

UbuntuInMacBook wrote:

If you have UART connected to Nano then you can take a serial connection to Nano and do those things. Right?
Personally I can't do that, because I can barely solder two cables together.

Or perhaps it might be possible somehow to create a fake file at /proc/xiaoqiang/model in Mini router and tell it that this is r1cl.

UART just works on UBOOT, it is disabled on boot.

How about if someone has already updated to official OpenWrt via boot, then reverts back to the Xiaomi original firmware + enables ssh. Then he can do those things in official firmware.

I am able to ssh into the developer firmware (miwifi_r1cl_all_59371_2.1.26.bin).

After installing it and verifying ssh is open, the root password needs to be changed.

Looking at /usr/lib/lua/luci/controller/api/xqsystem.lua, in the setPassword() function, if there is no nonce then it'll execute XQSysUtil.setSysPassword (/usr/lib/lua/xiaoqiang/util/XQSysUtil.lua). That in turn will get into user.setpasswd in /usr/lib/lua/luci/sys.lua, which executes 'passwd' to set it.

Log in to their web interface (192.168.31.1). Grab a valid stok. Then in a UNIX shell, execute:

curl -d "oldPwd=<your admin password>&newPwd=<what you'd like the root password to be>" "http://192.168.31.1/cgi-bin/luci/;stok=<the stok from above>/api/xqsystem/set_name_password" 

That should print out:

{"code":0}

If so, you should be able to ssh into the Xiaomi as root using the password supplied above.

$ ssh root@192.168.31.1
root@192.168.31.1's password: 


BusyBox v1.19.4 (2015-10-15 20:51:43 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

 -----------------------------------------------------
    Welcome to XiaoQiang!
 -----------------------------------------------------
root@XiaoQiang:~# uname -a
Linux XiaoQiang 3.10.14 #1 Thu Oct 15 21:03:57 CST 2015 mips GNU/Linux
root@XiaoQiang:~# 

(Last edited by pablo_marx on 9 Dec 2015, 05:01)

Thanks pablo_marx, now I can take ssh connection to the router. Next I am trying to update PandoraBox OpenWrt firmware.

Edit:
cat /proc/mtd
dev:    size   erasesize  name
mtd0: 01000000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 00ba0000 00010000 "OS1"
mtd5: 00a30000 00010000 "rootfs"
mtd6: 00240000 00010000 "OS2"
mtd7: 000c0000 00010000 "data"
mtd8: 00100000 00010000 "overlay"
mtd9: 00010000 00010000 "crash"
mtd10: 00ba0000 00010000 "firmware"

(Last edited by UbuntuInMacBook on 9 Dec 2015, 18:48)
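
Added example (not part of the original posts, and not code from OpenWrt or Xiaomi): a size check to run against a /proc/mtd table like the one posted above before writing an image to a partition. The function names mtd_geometry and image_fits are hypothetical; the embedded table is the one from the post.

```shell
#!/bin/sh
# Added example: pre-flash size check against a /proc/mtd table.
# mtd_geometry and image_fits are illustrative names, not firmware tools.

# /proc/mtd exactly as posted above for the Nano stock firmware.
SAMPLE_MTD='dev:    size   erasesize  name
mtd0: 01000000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 00ba0000 00010000 "OS1"
mtd5: 00a30000 00010000 "rootfs"
mtd6: 00240000 00010000 "OS2"
mtd7: 000c0000 00010000 "data"
mtd8: 00100000 00010000 "overlay"
mtd9: 00010000 00010000 "crash"
mtd10: 00ba0000 00010000 "firmware"'

# Print "<size_bytes> <erasesize_bytes>" for the partition named $1.
# Reads the table from file $2, or from SAMPLE_MTD when no file is given.
mtd_geometry() {
    { if [ -n "$2" ]; then cat "$2"; else printf '%s\n' "$SAMPLE_MTD"; fi; } |
    while read -r dev size erase name; do
        # The header line and other partitions fail this match and are skipped.
        [ "$name" = "\"$1\"" ] || continue
        echo "$((0x$size)) $((0x$erase))"   # columns are hex without a prefix
        break
    done
}

# image_fits <image_bytes> <partition> [mtd_file]
# Returns 0 and prints the erase blocks the write would touch, 1 if the
# image is larger than the partition, 2 if the partition is not in the table.
image_fits() {
    geom=$(mtd_geometry "$2" "$3")
    [ -n "$geom" ] || { echo "no partition named $2" >&2; return 2; }
    part_size=${geom% *}
    erase=${geom#* }
    if [ "$1" -gt "$part_size" ]; then
        echo "image ($1 bytes) exceeds $2 ($part_size bytes)" >&2
        return 1
    fi
    echo $(( ($1 + $erase - 1) / $erase ))
}
```

On a device, pass the image size from `wc -c < image.bin` and /proc/mtd as the third argument. A size check alone does not confirm that the image was built for this board.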

Hi everybody,

I managed to get root telnet access on stock firmware with code injection from web interface. Ssh won't execute because host keys are missing!

I believe the same is doable for Xiaomi Mini router, so no need to go to the Xiaomi website, and download two different firmwares or to create account.

I'd rather not post the code exploit here, so if there is any info I can extract please let me know.

Best,
A.

(Last edited by santamanno on 10 Dec 2015, 19:45)

santamanno wrote:

Hi everybody,

I managed to get root telnet access on stock firmware with code injection from web interface. Ssh won't execute because host keys are missing!

I believe the same is doable for Xiaomi Mini router, so no need to go to the Xiaomi website, and download two different firmwares or to create account.

I'd rather not post the code exploit here, so if there is any info I can extract please let me know.

Best,
A.

Are you sure? I have seen SSH is working, but no pwd

The backdoor works well. In 2 minutes I have PandoraBox on my Xiaomi Nano.

thx

I am now waiting for the Chaos Calmer firmware; is nobody testing it?

(Last edited by realynot on 20 Jan 2016, 09:10)

There is no image, sadly. The wifi driver doesn't exist on OpenWrt.

Does nobody have a problem with laptops on wifi that can't ping between each other?
Ethernet is no problem. Do other ROMs of Pandora / OpenWrt exist? Thx

@unmesh

Is the Padavan firmware any good? Is it based off OpenWRT (can you install packages such as freeradius and qos-scripts?)

Also, has anyone found a way to make vanilla Chaos Calmer OpenWRT work with wifi on this nano? PandoraBox does but it's outdated and the packages I want won't work with it...

@Silkerdax,

Padavan has a very clean GUI that I'm liking more and more every day and it has rich functionality. I'm familiar with dd-wrt, Tomato, LuCi as well as OEM firmware and their GUIs!

If it is based on OpenWRT and packages can be installed, I haven't been able to find a way.

Radius support is included as is OpenVPN Server and Client. I don't see anything about QOS though.

Since there is no WiFi driver for OpenWRT from what I've read, you might want to take Padavan out for a test drive yourself.

(Last edited by unmesh on 26 Feb 2016, 08:59)

The latest designated driver has mt7628 wifi support now. The evaluation board image works great except for it only uses 32M ram, hopefully a nano image will be available soon

I posted instructions on how to load without opening the case here

(Last edited by noblepepper on 12 Mar 2016, 21:32)

noblepepper wrote:

The latest designated driver has mt7628 wifi support now. The evaluation board image works great except for it only uses 32M ram, hopefully a nano image will be available soon

I posted instructions on how to load without opening the case here

Thanks to your instructions I have successfully flashed the latest trunk (openwrt-ramips-mt7628-miwifi-nano-squashfs-sysupgrade.bin) image onto the router.

Is it possible that this image doesn't have Luci included? I can ssh in, but no browser access.

santamanno wrote:

Hi everybody,

I managed to get root telnet access on stock firmware with code injection from web interface. Ssh won't execute because host keys are missing!

I believe the same is doable for Xiaomi Mini router, so no need to go to the Xiaomi website, and download two different firmwares or to create account.

I'd rather not post the code exploit here, so if there is any info I can extract please let me know.

Best,
A.

you tried this? https://forum.openwrt.org/viewtopic.php … 01#p316901

benoe77 wrote:

Is it possible that this image doesn't have Luci included? I can ssh in, but no browser access.

I managed to install the necessary packages, now I have LuCi.

Hi,

I am also trying to put OpenWrt on the Xiaomi Youth Router aka Nano.
I ordered one with unofficial English firmware.
As I don't know what this firmware does in regards to data privacy I am looking into alternatives.

I first read the description here https://wiki.openwrt.org/toh/xiaomi/mini
which is for the mini not the nano (which looks nearly the same, the mini only has an additional usb)
The description of how to enable telnet via URL code injection described under Quick Step
also works on the nano with English firmware.

So somebody could add that to the page for the nano as well https://wiki.openwrt.org/toh/xiaomi/nano

And maybe also add a hint on the page for the mini to double check what hardware you have.
I accidentally flashed the mini firmware onto the nano, which freezes the nano on reboot.

To find out what the problem was I opened the nano case to hook up a serial usb connector to the UART pins.
The case can be opened at the bottom. There are no hidden screws.
Just use a slim plastic card and gently put it into the gaps at the side of the casing. Gently lever off the plastic bottom
plate, which is held by small clamps at the side from the inside. Using a serial usb connector the console log can be read
via UART to see what is happening on boot.

I managed to recover the nano by putting the Xiaomi developer version onto it using the web interface which comes up
when booting into recovery mode.
Telnet can be enabled here as well by URL code injection ...

So now I can put the correct OpenWrt version onto the device.
What version should I use, 15.05 or developer trunk?

thanks

Does anyone know if this router supports WDS?

benoe77 wrote:

Does anyone know if this router supports WDS?

Once it is running OpenWRT?  I'm not sure, but I think the chances are good that it will work as a WDS client, since that has worked fine on all the MediaTek/Ralink based devices I've tried (v5_r11, WT3020, Xiaomi WiFi Mini). I don't think I've tried using any of them as AP+WDS.

(Last edited by eas on 30 Apr 2016, 04:41)

I tested current openwrt developer's image and some other images, so

On current openwrt developer's trunk
1) wifi speed about 7mbit, "unstable" (I changed all settings - no luck)
2) it "sees" only 8mb of flash memory


Other info - i flashed http://downloads.pandorabox.com.cn/pand … /firmware/ - it is openwrt14 based fork

1) wifi speed ok
2) it sees all 16mb flash http://i77.fastpic.ru/big/2016/0503/30/6a3c0b04777cb82b95e13b90cbb33430.png

Maybe this info can help someone - the device has a cool price for 16mbit\64ram and a 600mhz CPU

painfull30 wrote:

I tested current openwrt developer's image and some other images, so

On current openwrt developer's trunk
1) wifi speed about 7mbit, "unstable" (I changed all settings - no luck)
2) it "sees" only 8mb of flash memory

Have you tried the device specific version of openwrt?