xqrepack's Introduction

xqrepack

These scripts allow you to modify the Xiaomi AX3600 (R3600) and Xiaomi AX1800 (RM1800) firmware image to make sure SSH and UART access is always enabled.

The default root password is password. Please remember to log in to the router and change it after the upgrade. Your router settings, such as IP address and SSIDs, are stored in the nvram and should stay the same.

⚠ The script also tries its best to remove or disable phone-home binaries, and also the smart controller (AIoT) parts, leaving you with a (close to) OpenWRT router that you can configure via UCI or /etc/config. Between preserving stock functionality and privacy concerns, I would err on the side of caution and rather that some functionality be sacrificed for a router that I have more confidence to connect to the Internet.

Note that in order to get SSH access to the router initially, you need to downgrade the AX3600 to version 1.0.17 and exploit it first / downgrade the AX1800 to version 1.0.378 (or below) and exploit it first. Once you have SSH, you can use this repacking method to maintain SSH access for newer versions.

Requirements

You will need to install the following tools:

  • ubi_reader
  • ubinize
  • unsquashfs / mksquashfs
  • fakeroot

Usage

  1. Download the firmware from miwifi.com. It should be something like miwifi_r3600_firmware_xxxx_y.y.yyy.bin or miwifi_rm1800_firmware_xxxx_y.y.yyy.bin.

  2. Use the ubireader_extract_images utility from ubi_reader to unpack the UBI image from the firmware. Technically there's junk at the front, but the script will ignore it:

     ubireader_extract_images -w miwifi_r3600_firmware_xxx_yyy.bin
    

    The unpacked files will be in the ubifs-root/miwifi_r3600_firmware... directory.

  3. Patch the rootfs using the repack-squashfs.sh script:

     fakeroot -- ./repack-squashfs.sh ubifs-root/miwifi_r3600_firmware.../img-264..._vol-ubi_rootfs.ubifs
    

    The script will create a new squashfs image with the .new suffix. You will need fakeroot in order to create files and devices as root. You could also run this script as root, but please don't.

  4. Recombine the kernel and patched rootfs with ubinize.sh:

    for R3600:

     ./ubinize.sh ubifs-root/miwifi_r3600_firmware.../...kernel.ubifs \
                  ubifs-root/miwifi_r3600_firmware.../...ubi_rootfs.ubifs.new
    

    for RM1800:

     ./ubinize.sh ubifs-root/miwifi_rm1800_firmware.../...kernel.ubifs \
                  ubifs-root/miwifi_rm1800_firmware.../...ubi_rootfs.ubifs.new \
                  --data
    

    Note the use of the .ubifs.new file. The combined output file will be r3600-raw-img.bin, even if you are using an RM1800 image!

  5. Flash this file directly into the router using SSH. You cannot use the web UI because this is a raw image, and more importantly has no signature.

    If you are using a recently xqrepack'ed firmware, you can use the xqflash utility on the router to flash an update image:

     xqflash /tmp/r3600-raw-img.bin
    

    After it completes successfully, you should be able to reboot.

    If the xqflash utility is not available, you can manually flash the update image as described in the following section.

Manual Flashing

The R3600 firmware uses an A/B partition system with two partitions, called rootfs and rootfs_1. These correspond to mtd12 and mtd13. Find the partition that is not the one in use and use ubiformat to write the raw image onto the partition:

ubiformat /dev/mtd12 -f /tmp/r3600-raw-img.bin -s 2048 -O 2048

Set the nvram variable to re-initialize /etc (and I think to switch partitions also):

nvram set flag_ota_reboot=1
nvram commit
reboot

A/B Partitions

You can check the MTD partitions from /proc/mtd:

root@XiaoQiang:~# grep rootfs /proc/mtd
mtd12: 023c0000 00020000 "rootfs"
mtd13: 023c0000 00020000 "rootfs_1"
mtd17: 015cc000 0001f000 "ubi_rootfs"

root@XiaoQiang:~# nvram get flag_boot_rootfs
1

The flag_boot_rootfs nvram variable indicates which partition is booted, 0 or 1. You should pick the partition that is not in use, otherwise ubiformat will complain:

ubiformat: error!: please, first detach mtd13 (/dev/mtd13) from ubi0
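
The Manual Flashing and A/B Partitions steps above, as an added example that is not part of xqrepack: it looks up the two slots by exact name in /proc/mtd instead of assuming mtd12/mtd13 (the AX5 listing in the issues on this page has them at mtd18/mtd19) and prints the ubiformat command for the slot that is not booted. The function names are hypothetical, and the mapping of flag_boot_rootfs (0 means rootfs is booted, 1 means rootfs_1) is an assumption inferred from the output shown above.

```shell
#!/bin/sh
# Added example, not part of xqrepack. Finds the rootfs slot that is NOT
# booted by exact partition name, so it does not depend on mtd12/mtd13.
# Assumption: flag_boot_rootfs=0 means "rootfs" is booted, 1 means "rootfs_1".

# mtd_lookup NAME FIELD [TABLE]: FIELD 1 = device name, 2 = size in hex.
# Comparing the quoted name exactly keeps "rootfs" from also matching
# "rootfs_1", "ubi_rootfs" or "rootfs_data", as `grep rootfs` does.
mtd_lookup() {
    awk -v want="\"$1\"" -v f="$2" \
        '$4 == want { sub(":", "", $1); print $f; exit }' "${3:-/proc/mtd}"
}

# inactive_slot BOOT_FLAG: name of the slot that is safe to overwrite.
inactive_slot() {
    case "$1" in
        0) echo rootfs_1 ;;
        1) echo rootfs ;;
        *) echo "unexpected flag_boot_rootfs value: '$1'" >&2; return 1 ;;
    esac
}

# plan_flash IMAGE BOOT_FLAG [TABLE]: print the ubiformat command for the
# inactive slot; fail if the slot is missing or the image cannot fit in it.
plan_flash() {
    slot=$(inactive_slot "$2") || return 1
    dev=$(mtd_lookup "$slot" 1 "${3:-/proc/mtd}")
    hex=$(mtd_lookup "$slot" 2 "${3:-/proc/mtd}")
    if [ -z "$dev" ] || [ -z "$hex" ]; then
        echo "no \"$slot\" partition in MTD table" >&2; return 1
    fi
    [ -f "$1" ] || { echo "image not found: $1" >&2; return 1; }
    img_bytes=$(( $(wc -c < "$1") ))
    part_bytes=$(( 0x$hex ))
    if [ "$img_bytes" -gt "$part_bytes" ]; then
        echo "image ($img_bytes B) does not fit $dev ($part_bytes B)" >&2
        return 1
    fi
    echo "ubiformat /dev/$dev -f $1 -s 2048 -O 2048"
}

# Offline demo on a constructed table (R3600 lines as listed on this page).
demo() {
    t=$(mktemp); i=$(mktemp)
    printf '%s\n' 'mtd12: 023c0000 00020000 "rootfs"' \
        'mtd13: 023c0000 00020000 "rootfs_1"' \
        'mtd17: 015cc000 0001f000 "ubi_rootfs"' > "$t"
    echo "constructed placeholder image" > "$i"
    plan_flash "$i" 1 "$t"; rc=$?
    rm -f "$t" "$i"; return "$rc"
}
if [ "${1:-}" = demo ]; then demo; fi
# On the router: plan_flash /tmp/r3600-raw-img.bin "$(nvram get flag_boot_rootfs)"
```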

License

xqrepack is licensed under the 3-clause ("modified") BSD License.

Copyright (C) 2020-2021 Darell Tan

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

xqrepack's People

Contributors

banforfun, faserf, geekman

xqrepack's Issues

[Question] Editing router settings

Hi,
Since router settings can be edited via various files exposed in ssh, would it be possible for someone to extend this and build a web GUI to edit the router's settings?

I'm asking because the Xiaomi interface exposes very few settings. And the other end of the spectrum is the OpenWRT port which may take a long time.

Fork improvements

How to get back to full stock

Thanks a lot for this wonderful script!

What do I have to do to transform the router back to full stock?
Is a manual upgrade with the stock firmware image sufficient or do I have to take care of something?

R2350 script.

Hello,

Is there a chance for this script to run on the R2350 router?

Redmi AX5 full nand dump backup?

Hi, does anyone have the full nand dump of Redmi AX5 (Xiaomi AX1800) or at least the mtd1 partition? Please help me! Thank you very much.

HW Acceleration and OpenVPN

Sorry, this is more a request for information than a real issue.
I was wondering if this modded firmware preserves the Crypto HW accelerations and allows the installation of OpenVPN?

repack-squashfs.sh error script

Hi,

I tried to run the script but unfortunately I have an error with the command on my Lubuntu (last version) computer.
It's about this command line :
fakeroot -- ./repack-squashfs.sh ubifs-root/miwifi_r3600_all_6510e_3.0.22_INT.bin/img-1135711824_vol-ubi_rootfs.ubifs

and the result :

/usr/bin/unsquashfs
unpacking squashfs...
Parallel unsquashfs: Using 4 processors
4305 inodes (4011 blocks) to write

[==========================================================================================================================================================================|] 8316/8316 100%

created 3847 files
created 251 directories
created 457 symlinks
created 1 device
created 0 fifos
created 0 sockets
created 0 hardlinks
patching squashfs...
applying patch patches/enable-iot-radio.patch...
1 out of 1 hunk FAILED -- saving rejects to file lib/wifi/qcawificfg80211.sh.rej

I tried to find the folder lib/wifi but it does exist ... I don't understand anything about this error, do you have any idea?

Thx
Adrien

Firmware Problems AX5 version 1.0.44

Hi. When repacking firmware AX5 v 1.0.44, the router does not display the state of the WAN (Internet) port and does not connect to the Mi-Wi-fi application.
P.S. Sorry about the other open and closed issue from the other account :-)

Works with Xiaomi AX6000

Following my comment. I have put the modified firmware into the AX6000 (RA72) perfectly, updating the "patch" files with the 1.0.55 firmware version (SSH patched previously). On the first burn, I had an odd behavior of the Internet LED (always off), but on the next burn, it works perfectly.
Are you interested in including it in xqrepack?

[QUESTION] does the script also work for Redmi AX5 and Xiaomi AX1800?

If yes, I would like to do it on my AX5

root@XiaoQiang:~# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00180000 00020000 "0:SBL1"
mtd1: 00100000 00020000 "0:MIBIB"
mtd2: 00380000 00020000 "0:QSEE"
mtd3: 00080000 00020000 "0:DEVCFG"
mtd4: 00080000 00020000 "0:RPM"
mtd5: 00080000 00020000 "0:CDT"
mtd6: 00080000 00020000 "0:APPSBLENV"
mtd7: 00180000 00020000 "0:APPSBL"
mtd8: 00080000 00020000 "0:ART"
mtd9: 00080000 00020000 "bdata"
mtd10: 00080000 00020000 "crash"
mtd11: 00080000 00020000 "crash_syslog"
mtd12: 00080000 00020000 "0:BOOTCONFIG"
mtd13: 00080000 00020000 "0:BOOTCONFIG1"
mtd14: 00380000 00020000 "0:QSEE_1"
mtd15: 00080000 00020000 "0:DEVCFG_1"
mtd16: 00080000 00020000 "0:RPM_1"
mtd17: 00080000 00020000 "0:CDT_1"
mtd18: 02400000 00020000 "rootfs"
mtd19: 02400000 00020000 "rootfs_1"
mtd20: 024a0000 00020000 "overlay"
mtd21: 00080000 00020000 "cfg_bak"
mtd22: 003a2000 0001f000 "kernel"
mtd23: 01341000 0001f000 "ubi_rootfs"
mtd24: 00915000 0001f000 "rootfs_data"
mtd25: 02093000 0001f000 "data"
root@XiaoQiang:~# nvram get flag_boot_rootfs
1

Will this work on the Jio Fi?

Recently the Jio Fi 3 received an unlocked firmware. The firmware seems to be a UBI file, but I would like to see if I can use this script maybe? The firmware isn't rooted so I can show the names of the partitions.....

I was able to get this from a tweet of the person who made the firmware:
image

Not working with newest CN Firmware miwifi_r3600_firmware_02d97_1.1.15.bin

First, thank you very much for your work!
I have tried generating a new image with your script for the latest 1.1.15 version.
It worked, I have flashed that, but afterwards my root access was lost.

It is working great for the version miwifi_r3600_all_f1e60_1.0.424.bin

P.S.: I managed to create a small homeassistant docker addon from your script (if someone is interested): https://github.com/FaserF/hassio-addons/tree/master/xqrepack

Issue with repack-squashfs.sh and AX1800

Hello, I'm trying to run your scripts to patch the latest version of the AX1800 firmware (1.0.394), but the script repack-squashfs.sh fails.

I'm using the following command: fakeroot -- ./repack-squashfs.sh ubifs-root/miwifi_rm1800_firmware_47f08_1.0.394.bin/img-793458279_vol-ubi_rootfs.ubifs

During the script execution, I see this prompt: Reversed (or previously applied) patch detected! Assume -R? [n]. Any option I select will fail.

If I use the default option (No), it will ask me to "Apply anyway". If I chose "No", it would ignore and finish the script.
If I chose "Yes" at the "Apply anyway", I'll see 1 out of 1 hunk FAILED.

If I chose Yes at the first question, I'll see 1 out of 3 hunks FAILED.

I tried to skip this process and continue the tutorial. It generated the firmware, but when I flashed it, the SSH was disabled.

[QUESTION] how to load r3600-raw-img.bin into AX3600

Hello, I'm making my own firmware based on your scripts. The firmware miwifi_r3600_all_6510e_3.0.22_INT.bin was taken as the basis.
I have corrected the qcawificfg80211.sh file to change the Wifi power.

The patch was successful, after rebooting the router, I connected to it via SSH with the old password, which was set when receiving SSH on firmware miwifi_r3600_firmware_5da25_1.0.17.
After doing a factory reset, I get the error
ubuntu@ubuntu2010:~/Desktop$ ssh [email protected]
ssh: connect to host 192.168.31.1 port 22: Connection refused

ubuntu@ubuntu2010:~/Desktop$ telnet 192.168.31.1
Trying 192.168.31.1...
telnet: Unable to connect to remote host: Connection refused

What could be the problem?
I am attaching my patch script.
repack-my.zip

did anyone try to repack firmwares for Redmi AC2100?

I tried to repack a firmware for Redmi AC2100 and flash it, but seems that it doesn't work. The LED is always orange, doesn't even boot into the system. kernel panic...

I tried to ubinize the original rootfs.ubifs file, and the outcome is the same as the original root.ubi, so the ubi configuration is right.

cat <<CFGEND > $UBICFG
[rootfs]
mode=ubi
image=$ROOTFS
vol_id=0
vol_type=dynamic
vol_name=ubi_rootfs
CFGEND

I have already tried the flashing method, worked perfectly with original root.ubi file

The problem must lie in unsquashfs and mksquashfs. I tried to unsquashfs and mksquashfs without changing anything, but still the same, kernel_panic.

Syntax error for repack-squashfs.sh

I'm getting following error and can someone tell me if I need to edit something in the script file.

nitin@lubuntu20:~/Xiaomi_AX3600/Firmware$ fakeroot -- ./repack-squashfs.sh ubifs-root/miwifi_r3600_firmware_f7f3e_1.0.67.bin/img-267845145_vol-ubi_rootfs.ubifs
./repack-squashfs.sh: 8: Syntax error: newline unexpected

Thanks!

Apply patches to only specific models

The current hack for applying patches to all images will cause errors for non-AX3600 models, and has been reported a few times previously: #23, #24. The proper fix would be to only restrict the patches to the correct model, AX3600 in this case, as well as maybe adding a facility for others to do the same.

[QUESTION] Does it remove the access from miwifi APP?

Does that repack script remove the required services for having access from smart miwifi APP?

I have been checking the script code, and it redirects miwifi.com to resolve to localhost. Will this make the services connected to miwifi disabled?

Can I enable it again by removing the redirection of *.miwifi.com of the script?

patches-R3600/enable-iot-radio.patch fails to apply on 3.0.22

I was trying to repack miwifi_r3600_all_6510e_3.0.22_INT.bin and patches-R3600/enable-iot-radio.patch fails to apply.

The target script seems to be changed quite a bit and I could not find an obvious fix.

In the end I just removed the patch and followed with the install and nothing seems to be bad, but I don't use the "iot" interface for anything.

no dual stack

Edit: solved it :)

When IPV6 and IPV4 are selected the firmware sets some stupid "ds-wan_6_4" device up, which caused the trouble for me.

By running "ifconfig ds-wan_6_4 down" the device is turned off and dual stack works!


This is no Issue of your script, but potentially solvable with it.

I can't get dual stack (native IPV6 + native IPV4) working when activating it in the ui.
As soon as I activate it I have no IPV4 access from my computer and only ipv6 works.
While at the same time the router has a IPV6 and IPV4 connection. I assume it has something to do with dhcp or the firewall settings.
As we have SSH access and can modify the network config file I assume that we can enable it somehow.

Do you have any idea how to activate it?

Future firmware updates

After patching the router, can future updates be installed safely?

Also, would installing updates re-enable phone home?
