Flashing Xiaomi AX3000T

· / , ·

187

reads·

likes

AI TranslationSimplified ChineseEnglish

Key Insights

AI · GEN

Step 1: Obtain the Stok variable

Open the Chrome browser.
Log in to the router's management page, usually at http://192.168.31.1/.
Find the value of the Stok variable in the browser's address bar. This value will be used for the SSH unlock commands later.

For example:

http://192.168.31.1/cgi-bin/luci/;stok=030b24d39b1a4a549aa12dac23c52313/web/home#router

Then Stok=030b24d39b1a4a549aa12dac23c52313

Note: every time the router restarts, the stok value will change.

Step 2: Unlock SSH

Open Command Prompt (cmd), and enter the following commands in order. Replace token with the actual Stok value obtained in step 1:

curl -X POST http://192.168.31.1/cgi-bin/luci/;stok=token/api/misystem/arn_switch -d "open=1&model=1&level=%0Anvram%20set%20ssh_en%3D1%0A"

CodeBlock Loading...

Step 3: Obtain the SSH password

Visit https://miwifi.dev/ssh
Enter your router's serial number (SN). The serial number can be found on the back of the router, or viewed through the router's management interface.
The system will display the SSH password.

Step 4: Soft-persist SSH

After connecting to the router's ssh via MobaXterm, execute the following commands (after execution, the ssh password will automatically be changed to admin):

CodeBlock Loading...

After the router restarts, the dropbear file will revert to its original unmodified state, so you need to add an autostart script. Each time the router starts, it will automatically execute the script to modify the dropbear file and enable ssh. There are two methods for this step: one is to obtain the script online, and the other is to create the script manually offline. Just choose one.

Online method

CodeBlock Loading...

Offline method

CodeBlock Loading...

At this point you have entered the vi editor. First copy the script content below to the clipboard:

CodeBlock Loading...

After copying, return to the vi editing screen, press i to enter edit mode, then press CTRL+SHIFT+V to paste. After pasting, press ESC, then type :wq and press Enter. Note that it must be in English:

After confirming there are no issues, execute the following commands:

CodeBlock Loading...

Step 5: Hard-persist SSH

After connecting to the router's ssh via MobaXterm, execute the following commands (the router will restart automatically after execution):

CodeBlock Loading...

After waiting for the router to restart, reconnect to ssh and execute the following commands (the router will restart automatically after execution):

CodeBlock Loading...

After waiting for the router to restart, reconnect to ssh and execute the following commands (the router will restart automatically after execution):

CodeBlock Loading...

After waiting for the router to restart, reconnect to ssh. Persistence is now complete.

Notes

After each firmware upgrade or firmware reset, you need to use telnet first, and then enable ssh from within telnet.

The specific method is:

Use MobaXterm to connect to the router via telnet. The username is root, and the password is the initial password. After entering them, you can log in to the router's telnet backend.
Enable ssh via telnet, and change the root password to admin:

CodeBlock Loading...

Use MobaXterm to connect to the router via ssh. The username is root, and the password is admin. After entering them, you can log in to the router's ssh backend. After logging in, repeat step 4 for soft persistence.
Custom password:

CodeBlock Loading...

器，用户名为

2. 通过 telnet 开启 ssh，并修改 root 密码为 admin：

sh sed -i '/flgssh=`nvram get sshen/{:loop; N; /\n.*channel=/sbin/uci get /usr/share/xiao /xiao _version.version.CHANNEL`\n.return 0\n.fi/!b loop; d}' /etc/init.d/dropbear /etc/init.d/dropbear restart echo -e 'admin\nadmin' | passwd root

CodeBlock Loading...

sh echo -e '你的密码\n你的密码' | passwd root

CodeBlock Loading...

Step 1: Obtain the Stok variable

Open the Chrome browser.
Log in to the router's management page, usually at http://192.168.31.1/.
Find the value of the Stok variable in the browser's address bar. This value will be used for the SSH unlock commands later.

For example:

http://192.168.31.1/cgi-bin/luci/;stok=030b24d39b1a4a549aa12dac23c52313/web/home#router

Then Stok=030b24d39b1a4a549aa12dac23c52313

Note: every time the router restarts, the stok value will change.

Step 2: Unlock SSH

Open Command Prompt (cmd), and enter the following commands in order. Replace token with the actual Stok value obtained in step 1:

curl -X POST http://192.168.31.1/cgi-bin/luci/;stok=token/api/misystem/arn_switch -d "open=1&model=1&level=%0Anvram%20set%20ssh_en%3D1%0A"

curl -X POST http://192.168.31.1/cgi-bin/luci/;stok=token/api/misystem/arn_switch -d "open=1&model=1&level=%0Anvram%20commit%0A"

CodeBlock Loading...

curl -X POST http://192.168.31.1/cgi-bin/luci/;stok=token/api/misystem/arn_switch -d "open=1&model=1&level=%0Ased%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%22debug%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear%0A"

CodeBlock Loading...

curl -X POST http://192.168.31.1/cgi-bin/luci/;stok=token/api/misystem/arn_switch -d "open=1&model=1&level=%0A%2Fetc%2Finit.d%2Fdropbear%20start%0A"

CodeBlock Loading...

Step 3: Obtain the SSH password

Visit https://miwifi.dev/ssh
Enter your router's serial number (SN). The serial number can be found on the back of the router, or viewed through the router's management interface.
The system will display the SSH password.

Step 4: Soft-persist SSH

After connecting to the router's ssh via MobaXterm, execute the following commands (after execution, the ssh password will automatically be changed to admin):

nvram set ssh_en=1
nvram set telnet_en=1
nvram set uart_en=1
nvram set boot_wait=on
nvram commit
sed -i 's/channel=.*/channel="debug"/g' /etc/init.d/dropbear
/etc/init.d/dropbear restart
echo -e 'admin\nadmin' | passwd root

CodeBlock Loading...

Online method

mkdir /data/auto_ssh && cd /data/auto_ssh
curl -O [文件下载链接]
chmod +x auto_ssh.sh
./auto_ssh.sh install

CodeBlock Loading...

Offline method

mkdir /data/auto_ssh && cd /data/auto_ssh
vi auto_ssh.sh

CodeBlock Loading...

At this point you have entered the vi editor. First copy the script content below to the clipboard:

#!/bin/sh

auto_ssh_dir="/data/auto_ssh"
host_key="/etc/dropbear/dropbear_rsa_host_key"
host_key_bk="${auto_ssh_dir}/dropbear_rsa_host_key"

unlock() {
    # Restore the host key.
    [ -f $host_key_bk ] && ln -sf $host_key_bk $host_key

    # Enable telnet, ssh, uart and boot_wait.
    [ "$(nvram get telnet_en)" = 0 ] && nvram set telnet_en=1 && nvram commit
    [ "$(nvram get ssh_en)" = 0 ] && nvram set ssh_en=1 && nvram commit
    [ "$(nvram get uart_en)" = 0 ] && nvram set uart_en=1 && nvram commit
    [ "$(nvram get boot_wait)" = "off" ]  && nvram set boot_wait=on && nvram commit

    [ "`uci -c /usr/share/xiao **  get xiao ** _version.version.CHANNEL`" != 'stable' ] && {
        uci -c /usr/share/xiao **  set xiao ** _version.version.CHANNEL='stable' 
        uci -c /usr/share/xiao **  commit xiao ** _version.version 2>/dev/null
    }

    channel=`/sbin/uci get /usr/share/xiao ** /xiao ** _version.version.CHANNEL`
    if [ "$channel" = "release" ]; then
        sed -i 's/channel=.*/channel="debug"/g' /etc/init.d/dropbear
    fi

    if [ -z "$(pidof dropbear)" -o -z "$(netstat -ntul | grep :22)" ]; then
        /etc/init.d/dropbear restart 2>/dev/null
        /etc/init.d/dropbear enable
    fi
}

install() {
    # unlock SSH.
    unlock

    # host key is empty, restart dropbear to generate the host key.
    [ -s $host_key ] || /etc/init.d/dropbear restart 2>/dev/null

    # Backup the host key.
    if [ ! -s $host_key_bk ]; then
        i=0
        while [ $i -le 30 ]
        do
            if [ -s $host_key ]; then
                cp -f $host_key $host_key_bk 2>/dev/null
                break
            fi
            let i++
            sleep 1s
        done
    fi

    # Add script to system autostart
    uci set firewall.auto_ssh=include
    uci set firewall.auto_ssh.type='script'
    uci set firewall.auto_ssh.path="${auto_ssh_dir}/auto_ssh.sh"
    uci set firewall.auto_ssh.enabled='1'
    uci commit firewall
    echo -e "\033[32m SSH unlock complete. \033[0m"
}

uninstall() {
    # Remove scripts from system autostart
    uci delete firewall.auto_ssh
    uci commit firewall
    echo -e "\033[33m SSH unlock has been removed. \033[0m"
}

main() {
    [ -z "$1" ] && unlock && return
    case "$1" in
    install)
        install
        ;;
    uninstall)
        uninstall
        ;;
    *)
        echo -e "\033[31m Unknown parameter: $1 \033[0m"
        return 1
        ;;
    esac
}

main "$@"

CodeBlock Loading...

After confirming there are no issues, execute the following commands:

chmod +x auto_ssh.sh
./auto_ssh.sh install

CodeBlock Loading...

Step 5: Hard-persist SSH

After connecting to the router's ssh via MobaXterm, execute the following commands (the router will restart automatically after execution):

zz=$(dd if=/dev/zero bs=1 count=2 2>/dev/null) ; printf '\xA5\x5A%c%c' $zz $zz | mtd write - crash
reboot

CodeBlock Loading...

After waiting for the router to restart, reconnect to ssh and execute the following commands (the router will restart automatically after execution):

nvram set ssh_en=1
nvram set telnet_en=1
nvram set uart_en=1
nvram set boot_wait=on
nvram commit
bdata set ssh_en=1
bdata set telnet_en=1
bdata set uart_en=1
bdata set boot_wait=on
bdata commit
reboot

CodeBlock Loading...

After waiting for the router to restart, reconnect to ssh and execute the following commands (the router will restart automatically after execution):

mtd erase crash
reboot

CodeBlock Loading...

After waiting for the router to restart, reconnect to ssh. Persistence is now complete.

Notes

After each firmware upgrade or firmware reset, you need to use telnet first, and then enable ssh from within telnet.

The specific method is:

Use MobaXterm to connect to the router via telnet. The username is root, and the password is the initial password. After entering them, you can log in to the router's telnet backend.
Enable ssh via telnet, and change the root password to admin:

sed -i '/flg_ssh=`nvram get ssh_en`/{:loop; N; /\n.*channel=`\/sbin\/uci get \/usr\/share\/xiao ** \/xiao ** _version.version.CHANNEL`\n.*return 0\n.*fi/!b loop; d}' /etc/init.d/dropbear
/etc/init.d/dropbear restart
echo -e 'admin\nadmin' | passwd root

CodeBlock Loading...

Use MobaXterm to connect to the router via ssh. The username is root, and the password is admin. After entering them, you can log in to the router's ssh backend. After logging in, repeat step 4 for soft persistence.
Custom password:

echo -e '你的密码\n你的密码' | passwd root

CodeBlock Loading...

器，用户名为

2. 通过 telnet 开启 ssh，并修改 root 密码为 admin：


3. 使用 MobaXterm 通过 ssh 连接路由器，用户名为 root，密码为 admin，输入后即可登入路由器 ssh 后台，登入后再做一遍步骤 4 软固化即可。
4. 自定义密码：

CodeBlock Loading...

sh echo -e '你的密码\n你的密码' | passwd root

CodeBlock Loading...