AX3600 - Post #0

hacking
, ,

Wow. last time I wrote anything was ~2 years ago. I actually spent a whole day on getting the blog to working state!
Anyhow, I’m back and I’ve got some cool stuff to share. Hopefully I’ll keep posting things regularly…

So… what are we going to talk about today? A router! and not just any router - Mi AIoT Router AX3600!

I have at least three posts for this topic:

  1. Why I bought it & my journey into getting persistent ssh on the device
  2. All the weird stuff that Xiaomi put on the router and how to disable them
  3. How to turn off all wierd stuff Xiaomi put on it

Let’s get this started, shall we?

The Good

AX3600 is, to the best of my knowledge, the most affordable router with carrier-grade hardware. The AX3600 runs on Qualcomms’s Networking Pro 600 (IPQ8071 SoC) which would be quite expensive if bought from other reputable manufacturers.

Xiaomi did something incredible: they packaged all this power into a nice housing and priced it undress 100$. Yes, you read that correctly - a carrier-grade, WiFi 6 router that costs under 100$. I actually bought it from AliExpress for 130$, including shipping!

The Bad

Xiaomi didn’t have a global version of the router so the whole interface would be in chinese. That’s a bummer, but I hoped that the guys at OpenWRT would work on porting that beautiful platform to the AX3600. There was a lot of work being done on the router a few months ago so I thought that a port is around the corner. Fast forwardt to November 2020 and it looks like it might take a while.

On the flip side, Xiaomi forked OpenWRT and the guys there found a command injection vulnerability that allowed them to start an ssh server (dropbear) and gain root on the device.

The Ugly

I guess most of you heard that some chinese manufacturers spy on you. right? There was a lot of talk about Huawei which got eventually banned from being used by any U.S federal authority. The verge actually wrote a piece about that a few months ago.

I initially thought this is BS and that Xiaomi wouldn’t do that. After dissecting the firmware for the last few weeks I can honestly say that I’m not so sure anymore.

Now What?

I wrote a few tools (odedlaz/ax3600-files) to help me customize the router’s firmware. I’ll write about them and the steps needed to gain persistent ssh in the first technical post in the series.

Stay tuned!