acecilia/OpenWRTInvasion

tested on the AC2350 AIOT

Closed this issue · 8 comments

Unfortunately this did not work on the AC2350 AIOT https://www.mi.com/global/mi-aiot-router-ac2350/

prime@ubuntu:/tmp/OpenWRTInvasion$ python3 remote_command_execution_vulnerability.py
Router IP address [press enter for using the default 192.168.31.1]: 192.168.1.131
stok: XXXXX
****************
router_ip_address: 192.168.1.131
stok: XXXXX
****************
start uploading config file...
start exec command...
done! Now you can connect to the router using several options: (user: root, password: root)
* telnet 192.168.1.131
* ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null root@192.168.1.131
* ftp: using a program like cyberduck
prime@ubuntu:/tmp/OpenWRTInvasion$ telnet 192.168.1.131
Trying 192.168.1.131...
telnet: Unable to connect to remote host: Connection refused
prime@ubuntu:/tmp/OpenWRTInvasion$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null root@192.168.1.131
ssh: connect to host 192.168.1.131 port 22: Connection refused
prime@ubuntu:/tmp/OpenWRTInvasion$

FW version "version":"3.0.36"

Thanks for reporting it 👍 I will update the readme

Unfortunately, so far on this model, the only working method requires a second access point with the ability to respond to an http request. I used what was at hand: a very old ASUS WL-500gP with Entware firmware and nginx. But on a router with OpenWRT, this is even easier. See details here: https://forum.openwrt.org/t/adding-openwrt-support-for-xiaomi-ax3600/55049/766
I used a slightly different API, but the principle is the same:

api/xqsystem/extendwifi_connect_inited_router?
ssid=apssid&password=RealPassword&encryption=WPA2PSK&enctype=AES&channel=11&band=2g&admin_username=user&admin_password=pwd&admin_nonce=xxx

The values of the parameters starting with admin_ are not important, and the remaining parameters must correspond to the settings of the second access point.

Good evening
I also have a Xiaomi AIoT AC2350 router and I'm trying to connect via SSH to upload the Padavan software. I tried to start by connecting through the DAP-1635 extender, but I don't know what I'm doing wrong because it still doesn't work. Can I count on more detailed instructions on what to do?

@dobosz23, I am not sure that this discussion is appropriate here, because the methods that I will describe cannot be implemented in OpenWRTInvasion, because they require physical manipulation. I suggest moving the discussion of methods to a topic on the OpenWRT forum: https://forum.openwrt.org/t/support-aiot-ac2350-xiaomi/70451/26

Of course, thank you for the quick reply

I ran it on the firmware 1.3.8 CN and successfully opened an SSH connection:

I ran the command as root and connected not with:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null root@192.168.0.171
but:
ssh root@192.168.0.171

I ran it on the firmware 1.3.8 CN and successfully opened an SSH connection:

I ran the command as root and connected not with: ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null root@192.168.0.171 but: ssh root@192.168.0.171

It was a mistake. SSH access was obtained by a different method. Reproducing using OpenWRTInvasion failed:
https://forum.openwrt.org/t/support-aiot-ac2350-xiaomi/70451/86