Comments (7)
看起来ax1800并不支持这么开启ssh,我一会加个写sn吧
from ax3600_tool.
发一下
cat /etc/init.d/dropbear
from ax3600_tool.
@paldier 请问 hack 之后 dump 出的 mtd9 分区 bdata 会包含 telnet_en=1.ssh_en=1.uart_en=1 信息么?
论坛里的 分享下自己操作的 AX1800 永久开启 telnet-ssh 手动修改 bdata
可以看到对应 16 进制的 ANSC 编码:
hack 之后 /etc/init.d/dropbear 的配置:
root@XiaoQiang:~# grep channel /etc/init.d/dropbear
channel="debug"
if [ "$flg_ssh" != "1" -o "$channel" = "release" ]; then
root@XiaoQiang:~# cat /etc/init.d/dropbear
#!/bin/sh /etc/rc.common
# Copyright (C) 2006-2010 OpenWrt.org
# Copyright (C) 2006 Carlos Sobrinho
# rc.common ordering values: START is the boot-sequence priority and STOP the
# shutdown-sequence priority of this service.
START=19
STOP=50
# Run the service under procd; start_service and service_triggers below are the
# procd hooks.
USE_PROCD=1
# Daemon binary, and the name used for the UCI config, the pid files and pidof.
PROG=/usr/sbin/dropbear
NAME=dropbear
# Bumped once per started instance in dropbear_instance; numbers the pid files.
PIDCOUNT=0
# Exposes "killclients" as an extra sub-command of this init script, with its
# help text.
EXTRA_COMMANDS="killclients"
EXTRA_HELP=" killclients Kill ${NAME} processes except servers and yourself"
# Append one dropbear "-p" listen argument per address to the procd command.
# Arguments: $1 - whitespace-separated list of IP addresses (may be empty)
#            $2 - port value
# With no addresses the daemon is given the bare port; otherwise each address
# is passed as "address:port", restricting the listener to those addresses.
# Note: the loop variable "addr" is not declared local, as in the original.
append_ports() {
  local ipaddrs="$1"
  local port="$2"

  if [ -n "$ipaddrs" ]; then
    # Intentionally unquoted: the list is split on whitespace.
    for addr in $ipaddrs; do
      procd_append_param command -p "$addr:$port"
    done
  else
    procd_append_param command -p "$port"
  fi
}
# Validate one "dropbear" UCI section through uci_validate_section.
# Arguments: $1 - name of the section to validate
# Each spec is written as name:type[:default]. dropbear_instance declares
# locals with these names before calling this function and reads them after.
# Hardening note: the defaults below leave password authentication and root
# login enabled (PasswordAuth, RootPasswordAuth and RootLogin all default to
# 1), so a section that omits them gets a root-capable password login.
validate_section_dropbear() {
  uci_validate_section dropbear dropbear "$1" \
    'PasswordAuth:bool:1' 'enable:bool:1' \
    'Interface:string' 'GatewayPorts:bool:0' \
    'RootPasswordAuth:bool:1' 'RootLogin:bool:1' \
    'rsakeyfile:file' 'BannerFile:file' \
    'Port:list(port):22' \
    'SSHKeepAlive:uinteger:300' 'IdleTimeout:uinteger:0' \
    'MaxAuthTries:uinteger:3' 'RecvWindowSize:uinteger:0' \
    'mdns:bool:1'
}
# Build and register one procd instance of dropbear from a UCI section.
# Arguments: $1 - name of the "dropbear" config section
# Globals:   PROG, NAME, BOOT (read); PIDCOUNT (incremented)
# Returns:   1 if validation fails, the interface has no usable address, or
#            the section is disabled; 0 when an interface-bound section is
#            skipped during boot; otherwise the status of procd_close_instance.
dropbear_instance() {
  # These locals are filled in by validate_section_dropbear.
  local PasswordAuth enable Interface GatewayPorts \
    RootPasswordAuth RootLogin rsakeyfile \
    BannerFile Port SSHKeepAlive IdleTimeout \
    MaxAuthTries RecvWindowSize mdns ipaddrs

  if ! validate_section_dropbear "${1}"; then
    echo "validation failed"
    return 1
  fi

  if [ -n "${Interface}" ]; then
    # Interface-bound sections are skipped while booting.
    if [ -n "${BOOT}" ]; then
      return 0
    fi
    if ! network_get_ipaddrs_all ipaddrs "${Interface}"; then
      echo "interface ${Interface} has no physdev or physdev has no suitable ip"
      return 1
    fi
  fi

  if [ "${enable}" = "0" ]; then
    return 1
  fi

  PIDCOUNT="$(( ${PIDCOUNT} + 1 ))"
  local pid_file="/var/run/${NAME}.${PIDCOUNT}.pid"

  procd_open_instance
  # -F: stay in the foreground, -P: pid file location.
  procd_set_param command "$PROG" -F -P "$pid_file"

  # Authentication-related switches; each is only added when the option
  # departs from the permissive default.
  if [ "${PasswordAuth}" -eq 0 ]; then
    procd_append_param command -s # disable password logins
  fi
  if [ "${GatewayPorts}" -eq 1 ]; then
    procd_append_param command -a # let remote hosts use forwarded ports
  fi
  if [ "${RootPasswordAuth}" -eq 0 ]; then
    procd_append_param command -g # disable password logins for root
  fi
  if [ "${RootLogin}" -eq 0 ]; then
    procd_append_param command -w # disallow root logins
  fi

  if [ -n "${rsakeyfile}" ]; then
    procd_append_param command -r "${rsakeyfile}"
  fi
  if [ -n "${BannerFile}" ]; then
    procd_append_param command -b "${BannerFile}"
  fi

  # ipaddrs is empty unless an Interface was configured, in which case the
  # listener is bound to that interface's addresses only.
  append_ports "${ipaddrs}" "${Port}"

  if [ "${IdleTimeout}" -ne 0 ]; then
    procd_append_param command -I "${IdleTimeout}"
  fi
  if [ "${SSHKeepAlive}" -ne 0 ]; then
    procd_append_param command -K "${SSHKeepAlive}"
  fi
  if [ "${MaxAuthTries}" -ne 0 ]; then
    procd_append_param command -T "${MaxAuthTries}"
  fi
  # The receive window is only passed when it lies in 1..1048576.
  if [ "${RecvWindowSize}" -gt 0 -a "${RecvWindowSize}" -le 1048576 ]; then
    procd_append_param command -W "${RecvWindowSize}"
  fi
  if [ "${mdns}" -ne 0 ]; then
    procd_add_mdns "ssh" "tcp" "$Port" "daemon=dropbear"
  fi

  procd_set_param respawn
  procd_close_instance
}
# keygen: make sure an RSA host key exists, generating one in the background
# when it does not, then move staged keys from /tmp/dropbear to /etc/dropbear.
# Reads $initscript, which is set outside this function.
keygen()
{
for keytype in rsa; do
# A key counts as present if /tmp/$key exists or /etc/$key is non-empty.
key=dropbear/dropbear_${keytype}_host_key
[ -f /tmp/$key -o -s /etc/$key ] || {
# No key yet: create the staging directory under /tmp.
# NOTE(review): the private host key is first written below /tmp/dropbear and
# no mode is set on that directory here, so its permissions depend on the
# umask in effect - confirm it is not readable by other users.
mkdir -p /tmp/dropbear
[ -x /usr/bin/dropbearkey ] && {
# Backgrounded group: generate the key with stdout and stderr closed, and on
# success replace the subshell with a fresh "start" of this init script.
/usr/bin/dropbearkey -t $keytype -f /tmp/$key 2>&- >&- && exec /etc/rc.common "$initscript" start
} &
# The foreground shell exits here instead of waiting for key generation.
exit 0
}
done
# Move the staged keys into /etc/dropbear while holding /tmp/.switch2jffs.
lock /tmp/.switch2jffs
mkdir -p /etc/dropbear
mv /tmp/dropbear/dropbear_* /etc/dropbear/
lock -u /tmp/.switch2jffs
# Restrict the key directory to root.
chown root /etc/dropbear
chmod 0700 /etc/dropbear
}
# config_foreach callback: collect the Interface of every enabled section.
# Arguments: $1 - name of the "dropbear" config section
# Globals:   interface, enable (written); interfaces (prepended to)
# Returns:   0 when the section is enabled, 1 otherwise.
load_interfaces() {
  config_get interface "$1" Interface
  # "enable" defaults to 1 when the option is absent.
  config_get enable "$1" enable 1

  if [ "${enable}" != "1" ]; then
    return 1
  fi
  interfaces=" ${interface} ${interfaces}"
}
# Boot-time entry point: flag the run as a boot and delegate to start.
# Globals: BOOT (set to 1; dropbear_instance checks it to skip
#          interface-bound sections during boot)
boot() {
  BOOT=1
  start "$@"
}
# procd start hook: start dropbear only when the ssh_en nvram flag allows it.
# Globals: flg_ssh, channel (written); NAME (read)
# Returns: 0 without starting anything when ssh is gated off.
start_service() {
  # Stable ("release") builds must not start the ssh service.
  flg_ssh=$(nvram get ssh_en)
  channel="debug"
  # channel is assigned the literal "debug" just above, so the "release" test
  # can never match here; whether sshd starts depends on ssh_en alone. When
  # checking a device's integrity, compare this line and the ssh_en flag
  # against what the vendor firmware ships.
  if [ "$flg_ssh" != "1" ] || [ "$channel" = "release" ]; then
    return 0
  fi

  # Generate a host key first if none is stored yet.
  if [ ! -s /etc/dropbear/dropbear_rsa_host_key ]; then
    keygen
  fi

  . /lib/functions.sh
  . /lib/functions/network.sh

  # Start one instance per "dropbear" config section.
  config_load "${NAME}"
  config_foreach dropbear_instance dropbear
}
# procd trigger hook: reload the service on config or interface changes.
# Globals: NAME (read); n (loop variable, not local, as in the original)
service_triggers() {
  local interfaces

  # Reload whenever the "dropbear" UCI config changes.
  procd_add_config_trigger "config.change" "dropbear" /etc/init.d/dropbear reload

  # load_interfaces fills $interfaces with the Interface of enabled sections.
  config_load "${NAME}"
  config_foreach load_interfaces dropbear

  # Reload on any event of an interface an enabled section is bound to.
  # An empty list simply yields no iterations.
  for n in $interfaces; do
    procd_add_interface_trigger "interface.*" $n /etc/init.d/dropbear reload
  done

  procd_add_validation validate_section_dropbear
}
# Shutdown hook: terminate every dropbear process, which also drops all
# open client sessions.
shutdown() {
  killall dropbear
}
# Extra command: kill dropbear client-session processes while sparing the
# listening servers and the session this script itself runs in.
# Globals: PROG, NAME, initscript (read)
killclients() {
  local ignore=''
  local server
  local pid
  local skip

  # Walk up the parent chain from this shell. If an ancestor is a dropbear
  # process, this script runs inside a client session: remember that pid so
  # the caller's own session is not killed.
  pid="$$"
  while [ "${pid}" -ne 0 ]; do
    # Field 4 of /proc/<pid>/stat is read as the parent pid.
    pid=$(cut -d ' ' -f 4 "/proc/${pid}/stat")
    if [ "${pid}" -eq 0 ]; then
      break
    fi
    if grep -F -q -e "${PROG}" "/proc/${pid}/cmdline"; then
      append ignore "${pid}"
      break
    fi
  done

  # Server pids recorded in the pid files must survive as well.
  for server in $(cat /var/run/${NAME}.*.pid); do
    append ignore "${server}"
  done

  # Every remaining dropbear process is treated as a client connection.
  for pid in $(pidof "${NAME}"); do
    # Skip pids whose command line does not contain the daemon path.
    grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" || continue

    # Skip servers and our own session.
    skip=0
    for server in ${ignore}; do
      if [ "${pid}" = "${server}" ]; then
        skip=1
        break
      fi
    done
    if [ "${skip}" -ne 0 ]; then
      continue
    fi

    echo "${initscript}: Killing ${pid}..."
    kill -KILL ${pid}
  done
}
from ax3600_tool.
看来ax1800要手动补全才行了
from ax3600_tool.
看来ax1800要手动补全才行了
@paldier 是指手动修改 bdata 么?请问 hack 命令执行后 get 的是 bdata 里面的数据么?
root@XiaoQiang:~# ./mitool_arm hack
model=AX1800
get ssh_en=1 telnet_en=1 uart_en=1 <-- get 参数
set ssh_en=1 telnet_en=1 uart_en=1
from ax3600_tool.
https://github.com/paldier/ax3600_tool/releases/tag/20210815v2
试一下新的吧
from ax3600_tool.
https://github.com/paldier/ax3600_tool/releases/tag/20210815v2
试一下新的吧
@paldier 非常感谢!
使用之前备份的 bdata 还原 mtd9 分区后,使用您刚更新的 mitool 测试,ssh 固化成功。
SN 没有被修改,telnet 服务也起来了。
但是默认密码不知道为何还是之前 hack 修改 SN 之后计算生成的密码 b8edd250
root@XiaoQiang:~# ./mitool_arm sn
model=AX1800
get SN=27450/F0Q372279
root@XiaoQiang:~# ./mitool_arm password
ssh/telnet default usesrname:root password:533249c5
root@XiaoQiang:~# netstat -lntpu|grep 23
tcp 0 0 :::23 :::* LISTEN 0 0 3825/telnetd
00000000: a3ce 68c8 534e 3d32 3734 3530 2f46 3051 ..h.SN=27450/F0Q
00000010: 3337 3232 3739 0063 6f6c 6f72 3d31 3031 372279.color=101
00000020: 006d 6f64 656c 3d52 4d31 3830 3000 436f .model=RM1800.Co
00000030: 756e 7472 7943 6f64 653d 434e 006d 696f untryCode=CN.mio
00000040: 745f 6469 643d 3434 3632 3931 3939 3800 t_did=446291998.
00000050: 6d69 6f74 5f6b 6579 3d77 6276 765a 486a miot_key=wbvvZHj
00000060: 6169 4479 6952 5a76 4b00 776c 305f 7373 aiDyiRZvK.wl0_ss
00000070: 6964 3d58 6961 6f6d 695f 3332 3032 5f35 id=Xiaomi_3202_5
00000080: 4700 776c 315f 7373 6964 3d58 6961 6f6d G.wl1_ssid=Xiaom
00000090: 695f 3332 3032 0073 7368 5f65 6e3d 3100 i_3202.ssh_en=1.
000000a0: 7465 6c6e 6574 5f65 6e3d 3100 7561 7274 telnet_en=1.uart
000000b0: 5f65 6e3d 3100 0000 0000 0000 0000 0000 _en=1...........
000000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
from ax3600_tool.