Looking for root access.
Xiaomi MiWiFi 3C
https://wikidevi.com/wiki/Xiaomi_MiWiFi_3C
Under the center of the label lies a Phillips tapping screw.
The mir3c reset button case hole was enlarged with a 1/8" drill, allowing ballpoint pen access.
Router info
Mi Wi-Fi 3C(R3L) MiWiFi Stable 2.8.27
So far, I have managed to install the Taiwan firmware (2.8.27), to get native English menus on the router, by holding down the reset button for 20 seconds at boot-up.
Serial port works one-way only.
When I try to get ssh access, with root access, I get this message:
(the three curl-for-Windows files are in the Downloads folder for this exercise)
C:\Users\murra\Downloads>curl -d "oldPwd=12345678&newPwd=12345678" "http://192.168.31.1/cgi-bin/luci/;stok=4fa0b125e49d5928acbcc85d45a717c3/api/xqsystem/set_name_password"
{"code":1523,"msg":"Invalid value"}
C:\Users\murra\Downloads>
For the Mi Nano, the message was {"code":0,"msg":""}, indicating a successful browser injection exploit, as per the https://wiki.openwrt.org/toh/xiaomi/nano notes.
Xiaomi Mi WiFi 3C (Mi Wifi Router 3C / R3C / R3L)
Attaching three Berg pins to J1 and connecting with a USB PL2303 cable on COM4 at 115200 bps, using the TeraTerm UART console.
From the mir3c J1:
1 —— VCC blank (not a square pad or silkscreened square)
2 —— RX green (PC's USB PL2303 Rx green line)
3 —— GND black (PC's USB PL2303 Rx black line)
4 —— TX white (PC's USB PL2303 Rx white line)
Serial port works one-way only (no input going through pin 4, which sits at 3.3 V, like pin 1).
[ 1.460000] Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
[ 1.470000] serial8250: ttyS0 at MMIO 0x10000d00 (irq = 21) is a 16550A
[ 1.470000] serial8250: ttyS1 at MMIO 0x10000c00 (irq = 20) is a 16550A
[ 1.480000] led=44, on=4000, off=1, blinks,=1, reset=1, time=4000
[ 1.490000] Ralink gpio driver initialized
[ 1.490000] flash manufacture id: c2, device id 20 18
[ 1.500000] MX25L12805D(c2 2018c220) (16384 Kbytes)
[ 1.500000] mtd .name = raspi, .size = 0x01000000 (16M) .erasesize = 0x00010000 (64K) .numeraseregions = 0
[ 1.510000] Creating 10 MTD partitions on "raspi":
[ 1.520000] 0x000000000000-0x000001000000 : "ALL"
[ 1.520000] 0x000000000000-0x000000030000 : "Bootloader"
[ 1.530000] 0x000000030000-0x000000040000 : "Config"
[ 1.540000] 0x000000040000-0x000000050000 : "Bdata"
[ 1.540000] 0x000000050000-0x000000060000 : "Factory"
[ 1.550000] 0x000000060000-0x000000070000 : "crash"
[ 1.560000] 0x000000070000-0x000000080000 : "cfg_bak"
[ 1.560000] 0x000000080000-0x000000140000 : "overlay"
[ 1.570000] 0x000000140000-0x0000008a0000 : "OS1"
[ 1.580000] 0x0000008a0000-0x000001000000 : "OS2"
[ 1.580000] mtd: try split OS2 partition
[ 1.590000] mtd: split_firmware
[ 1.590000] mtd: firmware_partition->size 0x760000
[ 1.590000] mtd: firmware_partition->offset 0x8a0000
[ 1.600000] mtd: uimage_len 1411044
[ 1.600000] mtd: uimage_len 1441792
[ 1.610000] mtd: rootfs_partition->size 0x600000
[ 1.610000] mtd: rootfs_partition->offset 0xa00000
[ 1.620000] mtd: partition "rootfs" created automatically, ofs=A00000, len=600000
[ 1.620000] 0x000000a00000-0x000001000000 : "rootfs"
[ 1.630000] PPP generic driver version 2.4.2
Things left to do:
get root password first
ssh 192.168.31.1
cd /tmp
wget https://breed.hackpascal.net/breed-mt7628-hiwifi-hc5661a.bin
mv breed-mt7628-hiwifi-hc5661a.bin breed.img
mtd write breed.img Bootloader
rm breed.img
wget https://downloads.lede-project.org/releases/17.01.4/targets/ramips/mt7628/lede-17.01.4-ramips-mt7628-miwifi-nano-squashfs-sysupgrade.bin
mv lede-17.01.4-ramips-mt7628-miwifi-nano-squashfs-sysupgrade.bin os1.bin
mtd write os1.bin OS1
rm os1.bin
wget PandoraBox-ralink-mt7628-xiaomi-r1cl-squashfs-sysupgrade-r1468-20151001.bin
mv PandoraBox-ralink-mt7628-xiaomi-r1cl-squashfs-sysupgrade-r1468-20151001.bin os2.bin
mtd write os2.bin OS2
reboot
Related posts:
LESHIY_ODESSA, Nov '17
How does one flash lede using BREED? I’ve tried to do this a couple of times without success.
You need to merge the kernel and rootfs.
Linux:
cp lede-ramips-mt7621-mir3g-squashfs-kernel1.bin firmware.bin && truncate --size 4194304 firmware.bin && cat lede-ramips-mt7621-mir3g-squashfs-rootfs0.bin >> firmware.bin
Windows (batch file):
for /f %%i in ("lede-ramips-mt7621-mir3g-squashfs-kernel1.bin") do ( set /a size = 4194304 - %%~zi >nul )
fsutil file createnew dummy.bin %size% >nul
copy /y /b lede-ramips-mt7621-mir3g-squashfs-kernel1.bin + /b dummy.bin + /b lede-ramips-mt7621-mir3g-squashfs-rootfs0.bin firmware.bin >nul
del dummy.bin
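Added example, not code from the post above or from the quoted reply: before any of the `mtd write` steps in the to-do list, it is worth checking that breed.img, os1.bin and os2.bin actually fit the Bootloader, OS1 and OS2 partitions, and the boot log above already gives their exact offsets. The script below parses those partition lines (copied from the log as a constructed input), computes each partition's size, and refuses an image that is too large. It also carries out the kernel+rootfs merge from the quoted reply with a size check, because `truncate --size 4194304` silently shortens a kernel that is already over 4 MiB. The 4 MiB slot is taken from that reply and applies to the mir3g kernel1/rootfs0 images it names; the 3C's OS1 and OS2 take a whole sysupgrade image. The function names and the sample image files are mine.

```shell
#!/bin/sh
# Added example (not from the original post): parse the MTD partition table
# from the boot log, check that an image fits its target partition before
# `mtd write`, and build the padded kernel+rootfs image from the quoted reply.
# The image files used below are constructed stand-ins, not real firmware.
set -eu

# The partition lines as the kernel printed them (copied from the log above).
mtd_log() {
cat <<'EOF'
[ 1.520000] 0x000000000000-0x000001000000 : "ALL"
[ 1.520000] 0x000000000000-0x000000030000 : "Bootloader"
[ 1.530000] 0x000000030000-0x000000040000 : "Config"
[ 1.540000] 0x000000040000-0x000000050000 : "Bdata"
[ 1.540000] 0x000000050000-0x000000060000 : "Factory"
[ 1.550000] 0x000000060000-0x000000070000 : "crash"
[ 1.560000] 0x000000070000-0x000000080000 : "cfg_bak"
[ 1.560000] 0x000000080000-0x000000140000 : "overlay"
[ 1.570000] 0x000000140000-0x0000008a0000 : "OS1"
[ 1.580000] 0x0000008a0000-0x000001000000 : "OS2"
[ 1.620000] 0x000000a00000-0x000001000000 : "rootfs"
EOF
}

# partition_size NAME -> size in bytes, from the start-end range in the log.
partition_size() {
    range=$(mtd_log | awk -v n="\"$1\"" '$5 == n { print $3 }')
    [ -n "$range" ] || { echo "no MTD partition named $1" >&2; return 1; }
    start=${range%-*}
    end=${range#*-}
    echo $(( $end - $start ))
}

# image_size FILE -> size in bytes (wc output trimmed for BSD/macOS wc).
image_size() {
    wc -c < "$1" | tr -d ' '
}

# fits_size BYTES NAME -> succeeds if BYTES fit in partition NAME.
fits_size() {
    limit=$(partition_size "$2") || return 1
    [ "$1" -le "$limit" ]
}

# fits_partition FILE NAME -> the same check on a file, e.g. before `mtd write`.
fits_partition() {
    fits_size "$(image_size "$1")" "$2"
}

KERNEL_SLOT=4194304   # 4 MiB: the kernel1/rootfs0 split used in the quoted reply

# merge_firmware KERNEL ROOTFS OUT -> kernel padded with zeros to KERNEL_SLOT,
# rootfs appended; prints the size of OUT. Refuses a kernel larger than the
# slot, which a bare truncate+cat would silently cut short.
merge_firmware() {
    ksize=$(image_size "$1")
    if [ "$ksize" -gt "$KERNEL_SLOT" ]; then
        echo "kernel is $ksize bytes, over the $KERNEL_SLOT-byte slot" >&2
        return 1
    fi
    cp "$1" "$3"
    head -c $(( KERNEL_SLOT - ksize )) /dev/zero >> "$3"
    cat "$2" >> "$3"
    image_size "$3"
}

# demo: constructed 1000-byte "kernel" and 2000-byte "rootfs"; the merged image
# is 4194304 + 2000 = 4196304 bytes and must fit OS1 (0x760000 = 7733248 bytes).
demo() {
    tmp=$(mktemp -d)
    head -c 1000 /dev/urandom > "$tmp/kernel1.bin"
    head -c 2000 /dev/urandom > "$tmp/rootfs0.bin"
    size=$(merge_firmware "$tmp/kernel1.bin" "$tmp/rootfs0.bin" "$tmp/firmware.bin")
    if fits_partition "$tmp/firmware.bin" OS1; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] && echo "$size"
}

demo
```

On the router itself the same check is `fits_partition os1.bin OS1` with `mtd_log` replaced by `dmesg | grep '" : "'` (or the real image checked against /proc/mtd), run before each `mtd write`; the Bootloader partition in particular is only 0x30000 bytes, so a BREED image that fits is the first thing to confirm.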