paldier / ax3600_tool Goto Github PK

View Code? Open in Web Editor NEW

274.0 12.0 63.0 27 KB

unlock ssh/telent for xiaomi/redmi ax3600/ax3000/ax6000/ax9000/ax1800/ax5/ax6

License: GNU General Public License v3.0

C 86.76% Shell 13.24%

ax3600 ax6000 ax9000 ax1800 ax6 ax5

ax3600_tool's Introduction

xiaomi/redmi ax router tool

cr660x is contributed by ericwang2006

Backup your mtd9(cr660x is mtd2)

nanddump -f /tmp/bdata_mtd9.img /dev/mtd9

Unlock the partition lock(automatic reboot)

/tmp/mitool.sh unlock

Set ssh/uart/telnet to enable and show the default username/password(automatic reboot and relock the partition lock)

/tmp/mitool.sh hack

Show password only

/tmp/mitool.sh password

Show model only

/tmp/mitool.sh model

Show sn only

/tmp/mitool.sh sn

set sn(automatic reboot and relock the partition lock)

/tmp/mitool.sh setsn xxxxxxxxxxxxx

ax3600_tool's People

Contributors

Stargazers

Watchers

ax3600_tool's Issues

/tmp/mitool.sh unlock 执行这个后WiFi信号丢失，已尝试恢复备份和恢复出厂设置还是没有WiFi信号

/tmp/fuckax3600 unlock

红米ax5执行命令的时候提示/tmp/fuckax3600: line 2: syntax error: unterminated quoted string
大佬怎么办

AX3600 hack ssh 固化失败

使用的版本：https://github.com/paldier/ax3600_tool/releases/tag/20210824

root@XiaoQiang:~# /tmp/mitool_arm64 unlock
mtd unlocked

root@XiaoQiang:~# Connection to 192.168.36.1 closed by remote host.
Connection to 192.168.36.1 closed.

root@XiaoQiang:~# /tmp/mitool_arm64 hack
model=AX3600
get ssh_en=0 telnet_en=0 uart_en=0        <-- 新增类似 get 查询设置的命令参数
set ssh_en=1 telnet_en=1 uart_en=1        <--
NOTE!!! ssh default/telnet usesrname:root password:...
automatic lock mtd and reboot
mtd locked

root@XiaoQiang:~# Connection to 192.168.36.1 closed by remote host.
Connection to 192.168.36.1 closed.

hack 前后重新 dump bdata 分区 md5 是一样的，修改没有生效：

00000030: 6d6f 6465 6c3d 5233 3630 3000 6d69 6f74  model=R3600.miot
00000040: 5f64 6964 3d33 3331 3232 3131 3832 006d  _did=331221182.m
00000050: 696f 745f 6b65 793d 4b59 7231 6150 4856  iot_key=KYr1aPHV
00000060: 7a56 4f76 776d 6e39 0074 656c 6e65 745f  zVOvwmn9.telnet_
00000070: 656e 3d30 0073 7368 5f65 6e3d 3000 7561  en=0.ssh_en=0.ua
00000080: 7274 5f65 6e3d 3000 776c 305f 7373 6964  rt_en=0.wl0_ssid
00000090: 3d58 6961 6f6d 695f 3937 4631 5f35 4700  =Xiaomi_97F1_5G.
000000a0: 776c 315f 7373 6964 3d58 6961 6f6d 695f  wl1_ssid=Xiaomi_
000000b0: 3937 4631 0077 6c32 5f73 7369 643d 5869  97F1.wl2_ssid=Xi
000000c0: 616f 6d69 5f39 3746 3100 0000 0000 0000  aomi_97F1.......
000000d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................

希望添加一个类似 hack 过程查询 get ssh_en=0 telnet_en=0 uart_en=0 状态的命令

在执行完 hack 后，可以使用该命令查询 hack 指令的修改是否生效，感谢！

AX1800 路由器 mitool hack 固化 ssh 失败

使用 20210815 版本的 mitool unlock 并 mitool hack 升级固件后发现 ssh 固化失败，无法 telnet 连接。

降级固件重新 hack 发现 2 个问题：

第二次 unlock 和 hack 操作能 get 到 第一次 的设置
hack 之后密码变了，第一次 hack 之后修改了 SN

希望工具可以再添加 2 个查询 mtd9 分区 bdata 的 SN 和 ssh 固化设置的命令参数。

第一次 unlock 和 hack 之前使用 password 查询的密码：

# /tmp/mitool_arm password
ssh default usesrname:root password:533249c5

第一次 unlock 和 hack 输出：

root@XiaoQiang:~# /root/mitool_arm unlock
mtd unlocked
root@XiaoQiang:~# Connection to 192.168.31.1 closed by remote host.
Connection to 192.168.31.1 closed.

root@XiaoQiang:~# /root/mitool_arm hack
model=AX1800
get ssh_en=5 telnet_en=F uart_en=0              <-- 第一次 hack
set ssh_en=1 telnet_en=1 uart_en=1
NOTE!!! ssh default usesrname:root password:b8edd250
automatic lock mtd and reboot
mtd locked
root@XiaoQiang:~# Connection to 192.168.31.1 closed by remote host.
Connection to 192.168.31.1 closed.

第二次 unlock 和 hack 输出：

root@XiaoQiang:~# ./mitool_arm unlock
mtd unlocked
root@XiaoQiang:~# Connection to 192.168.31.1 closed by remote host.
Connection to 192.168.31.1 closed.

root@XiaoQiang:~# ./mitool_arm hack
model=AX1800
get ssh_en=1 telnet_en=1 uart_en=1              <-- 第二次 hack
set ssh_en=1 telnet_en=1 uart_en=1
NOTE!!! ssh default usesrname:root password:b8edd250
automatic lock mtd and reboot
mtd locked
root@XiaoQiang:~# Connection to 192.168.31.1 closed by remote host.
Connection to 192.168.31.1 closed.

对比 hack 前后备份的 mtd9 分区 bdata SN 部分改变：

00000000: 0f6c a1ae 534e 3d32 3734 3530 2f46 3051  .l..SN=27450/F0Q
00000010: 3337 3232 3739 0063 6f6c 6f72 3d31 3031  372279.color=101
00000020: 006d 6f64 656c 3d52 4d31 3830 3000 436f  .model=RM1800.Co
00000030: 756e 7472 7943 6f64 653d 434e 006d 696f  untryCode=CN.mio
00000040: 745f 6469 643d 3434 3632 3931 3939 3800  t_did=446291998.
00000050: 6d69 6f74 5f6b 6579 3d77 6276 765a 486a  miot_key=wbvvZHj
00000060: 6169 4479 6952 5a76 4b00 776c 305f 7373  aiDyiRZvK.wl0_ss
00000070: 6964 3d58 6961 6f6d 695f 3332 3032 5f35  id=Xiaomi_3202_5
00000080: 4700 776c 315f 7373 6964 3d58 6961 6f6d  G.wl1_ssid=Xiaom
00000090: 695f 3332 3032 0000 0000 0000 0000 0000  i_3202..........
000000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................

00000000: 561a 4f62 534e 3d32 3734 3131 2f31 3051  V.ObSN=27411/10Q
00000010: 3337 3232 3739 0063 6f6c 6f72 3d31 3031  372279.color=101
00000020: 006d 6f64 656c 3d52 4d31 3830 3000 436f  .model=RM1800.Co
00000030: 756e 7472 7943 6f64 653d 434e 006d 696f  untryCode=CN.mio
00000040: 745f 6469 643d 3434 3632 3931 3939 3800  t_did=446291998.
00000050: 6d69 6f74 5f6b 6579 3d77 6276 765a 486a  miot_key=wbvvZHj
00000060: 6169 4479 6952 5a76 4b00 776c 305f 7373  aiDyiRZvK.wl0_ss
00000070: 6964 3d58 6961 6f6d 695f 3332 3032 5f35  id=Xiaomi_3202_5
00000080: 4700 776c 315f 7373 6964 3d58 6961 6f6d  G.wl1_ssid=Xiaom
00000090: 695f 3332 3032 0000 0000 0000 0000 0000  i_3202..........
000000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................

比对 2 次 hack 之后 dd 备份的 mtd9 分区 bdata ：

% md5 mtd9-bdata*
MD5 (mtd9-bdata) = eeeff6ef64ff636a9abe9209434996d4
MD5 (mtd9-bdata-first-hack) = 134b3ea5ecb4130a0a5c6c576ab3de82
MD5 (mtd9-bdata-second-hack) = 134b3ea5ecb4130a0a5c6c576ab3de82

hack 之后尝试 telnet 发现无法连接，也没有找到 telnet 对应的端口：

    # netstat -lntpu
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address    State     in out PID/Program name
    tcp        0      0 0.0.0.0:22              0.0.0.0:*          LISTEN     0 0 2598/dropbear
    tcp        0      0 127.0.0.1:8920          0.0.0.0:*          LISTEN     0 0 3036/fcgi-cgi
    tcp        0      0 127.0.0.1:9090          0.0.0.0:*          LISTEN     0 0 6384/datacenter
    tcp        0      0 0.0.0.0:8098            0.0.0.0:*          LISTEN     0 0 3050/nginx.conf -g
    tcp        0      0 127.0.0.1:9091          0.0.0.0:*          LISTEN     0 0 6619/plugincenter
    tcp        0      0 0.0.0.0:8080            0.0.0.0:*          LISTEN     0 0 3050/nginx.conf -g
    tcp        0      0 0.0.0.0:80              0.0.0.0:*          LISTEN     0 0 3050/nginx.conf -g
    tcp        0      0 0.0.0.0:784             0.0.0.0:*          LISTEN     0 0 2470/tbusd
    tcp        0      0 127.0.0.1:53            0.0.0.0:*          LISTEN     0 0 4436/dnsmasq
    tcp        0      0 192.168.31.1:53         0.0.0.0:*          LISTEN     0 0 4436/dnsmasq
    tcp        0      0 :::22                   :::*               LISTEN     0 0 2598/dropbear
    tcp        0      0 fe80::6664:4aff:fea9:a8d9:53 :::*          LISTEN     0 0 4436/dnsmasq
    tcp        0      0 fe80::6664:4aff:fea9:a8d8:53 :::*          LISTEN     0 0 4436/dnsmasq
    tcp        0      0 ::1:53                  :::*               LISTEN     0 0 4436/dnsmasq
    tcp        0      0 fe80::6664:4aff:fe72:3202:53 :::*          LISTEN     0 0 4436/dnsmasq
    udp        0      0 0.0.0.0:1701            0.0.0.0:*                     0 0 5997/xl2tpd
    udp        0      0 0.0.0.0:514             0.0.0.0:*                     0 0 5702/syslog-ng
    udp        0      0 127.0.0.1:53            0.0.0.0:*                     0 0 4436/dnsmasq
    udp        0      0 192.168.31.1:53         0.0.0.0:*                     0 0 4436/dnsmasq
    udp        0      0 0.0.0.0:67              0.0.0.0:*                     0 0 4436/dnsmasq
    udp        0      0 :::547                  :::*                          0 0 3168/odhcpd
    udp        0      0 fe80::6664:4aff:fea9:a8d9:53 :::*                     0 0 4436/dnsmasq
    udp        0      0 fe80::6664:4aff:fea9:a8d8:53 :::*                     0 0 4436/dnsmasq
    udp        0      0 ::1:53                  :::*                          0 0 4436/dnsmasq
    udp        0      0 fe80::6664:4aff:fe72:3202:53 :::*                     0 0 4436/dnsmasq

感谢！

小米 AX1800 执行 unlock 失败提示 line 2: syntax error: unterminated quoted string

在 xiaomi AX1800 上下载使用最新版本的 mitool：

https://github.com/paldier/ax3600_tool/releases/tag/20210814

mitool unlock 报错提示 line 2: syntax error: unterminated quoted string 固化 ssh 失败：

root@XiaoQiang:~# chmod 755 /tmp/mitool

root@XiaoQiang:~# ls -lh /tmp/mitool
-rwxr-xr-x    1 root     root       73.5K Jun 16 14:00 /tmp/mitool

root@XiaoQiang:~# md5sum /tmp/mitool
cd3cf51883746d9d98d1bafbef6e8466  /tmp/mitool

root@XiaoQiang:~# /tmp/mitool unlock
/tmp/mitool: line 2: syntax error: unterminated quoted string

root@XiaoQiang:~# /tmp/mitool model
/tmp/mitool: line 2: syntax error: unterminated quoted string

root@XiaoQiang:~# /tmp/mitool password
/tmp/mitool: line 2: syntax error: unterminated quoted string

/tmp/mitool.sh: line 30: /tmp/mitool_arm: not found

mitool_arm 去哪里下载

paldier总，小米ax3000能用吗？

20210826的release版本可以提供下编译好的二进制文件吗

Is this tool available for Redmi AX3000?

paldier总,增加个unhack功能吧

rt :XD:XD:XD

AX3600 跑完 /data/mitool.sh unlock 之后变砖

我从 https://www.right.com.cn/forum/forum.php?mod=viewthread&tid=4046020 这个链接来的，然后跟着连接的教程一直做，到 /data/mitool.sh unlock 之后，机器直接重启，并且再也无法起来，指示灯亮橙色，初步推测已经变砖，固件版本是 1.0.17

请问有什么解决方案么，不行就只能返厂。。

unlock 后机子费了

ax9000 运行/tmp/mitool.sh unlock 后直接关机，而且无法开机

这插件支不支持AX9000的固化啊

看历史记录也没看到作者进行支持。。。

Fork contributions?

@paldier: It will be nice to add fork contributions, no?

Happy New Year 2022 to all!

paldier / ax3600_tool Goto Github PK

ax3600_tool's Introduction

xiaomi/redmi ax router tool

ax3600_tool's People

Contributors

Stargazers

Watchers

Forkers

ax3600_tool's Issues

Recommend Projects

Recommend Topics

Recommend Org