Converting the Xiaomi Router into a Private Cloud
Latest revision as of 13:42, 7 August 2018 (Tuesday)
1 Hardware Overview
1.1 Main SoC
The main core is a BCM4709 SoC, which integrates:
- ARM Cortex-A9 dual-core
  - 32 KB I-cache and 32 KB D-cache per core
  - 256 KB L2 cache (shared)
  - 128-entry TLB
  - SMP and AMP capable
  - Boot ROM
- DDR3 interface
- NOR/NAND interface
- 5 x 10/100/1000 PHY ports
- USB 3.0/PCIe port
- 2 x PCIe 1x ports
- USB 2.0/SDIO3/MDIO/UART/I2C/SPI/GPIO/PWM/WDT ...
1.2 WiFi chips
2.4G uses a BCM43217, rated at up to 300 Mbps (same as the Netgear R6250; the high-end Netgear R7000 uses a BCM4360 for 2.4 GHz, 600 Mbps)
5G uses a BCM4352, rated at up to 867 Mbps (the Netgear R7000 uses a BCM4360, 1300 Mbps)
- BCM43217: 2.4G WiFi 802.11b/g/n transceiver, PCIe 2.0 interface, RF + baseband + MAC in one chip, 300 Mbps. Reference: this page
- BCM4352: 5G WiFi 2-stream 802.11ac transceiver (also supports 802.11a/b/g/n), PCIe 2.0 interface, RF + baseband + MAC in one chip, 867 Mbps. Reference: this page
The WiFi section is identical to that of the ASUS RT-AC56U.
High-end routers such as the Netgear R7000 / ASUS RT-AC68U use the more powerful BCM4360 for both 2.4G and 5G:
- BCM4360: 5G WiFi 3-stream 802.11ac gigabit transceiver (also supports 802.11a/b/g/n), PCIe 2.0 interface, RF + baseband + MAC in one chip, 802.11n 600 Mbps, 802.11ac 1300 Mbps. Reference: this page
From the cut-down WiFi (300 Mbps/2.4G + 867 Mbps/5G) one can infer that its performance is below the Netgear R7000 (600 Mbps/2.4GHz + 1300 Mbps/5GHz)
Netgear R7000 vs. ASUS RT-AC68U comparison test
1.3 Flash
One MXIC 25L12835F
128 Mbit (16 MB) SPI flash
SOP8 wide-body package
1.4 Memory
256 MB of DDR3-1600, attached directly to the SoC (same size as the Netgear R7000)
1.5 Hard disk
A built-in 1 TB SATA hard disk. Because the BCM4709, unlike the higher-end BCM5862x, has no integrated SATA 3.0 controller, an additional PCIe SATA controller chip, the ASMedia ASM1062, is used.
The disk is factory-partitioned into 4 primary partitions:
- Partition 1: system, 64 MB
- Partition 2: backup system, 64 MB; if booting from partition 1 fails, partition 2 is mounted automatically
- Partition 3: system configuration backup
- Partition 4: user data
1.6 MISC
1.6.1 TMP75
Mainboard temperature sensor, I2C interface
1.6.2 NFC
There is no such device; only an NFC tag is stuck to the top of the case, carrying the necessary information.
Overall the design borrows from the ASUS RT-AC56U, Netgear R7000 and ASUS RT-AC68U.
2 Basic Hacks
Xiaomi router firmware unpacking and repacking (Xiaomi modified trx into its own tool, called mkxqimage)
Xiaomi router firmware format (an enhanced TRX format)
Xiaomi router vmlinuz.trx format analysis (Kernel + initramfs)
2.1 Enabling SSH
2.1.1 Without opening the case
Source: Xiaomi router forum (http://bbs.xiaomi.cn/thread-9756897-1-3.html)
In the web admin interface, under "Router Settings" -> "Advanced Features" -> "Manual Router Upgrade", select the 0.4.58 firmware (http://bigota.miwifi.com/xiaoqiang/rom/brcm4709_all_1635f_0.4.58.bin), upload and install it, and wait for the router to reboot; then enable SSH through the following HTTP API:
In the Xiaomi router web console, replace /web/home in the URL with /api/xqsystem/upgrade_rom?url=%3Bnvram+set+ssh_en%3D1%3Bnvram+commit%3B%2Fetc%2Finit.d%2Fdropbear+start%3B
After it runs, the response is: {"code":0}
ssh root@192.168.31.1, password admin
2.1.2 By opening the case
The official way of enabling SSH also goes through a Xiaomi account in the cloud, which is both dumb and sneaky.
In fact the openwrt system already ships the dropbear service (the SSH server used in embedded environments): there is a dropbear start script under /etc/init.d/ and a dropbear link under /etc/rc.d.
It is only that openwrt keeps a few parameters in nvram, and the /etc/init.d/dropbear start script checks them; the key parameter 'ssh_en' defaults to zero in nvram, so dropbear never starts.
So all that is needed is to remove the hard disk, attach it to a PC, mount the third partition, replace etc/init.d/dropbear and etc/shadow, and add two key files under etc/dropbear/; that enables the SSH service.
Changes to etc/init.d/dropbear:
--- old/etc/init.d/dropbear 2014-05-22 22:40:08.000000000 +0800 +++ new/etc/init.d/dropbear 2014-06-02 20:21:46.000000000 +0800 @@ -41,7 +41,7 @@ # check if section is enabled (default) local enabled config_get_bool enabled "${section}" enable 1 - [ "${enabled}" -eq 0 ] && return 1 + #[ "${enabled}" -eq 0 ] && return 1 # verbose parameter local verbosed @@ -56,7 +56,7 @@ local val # A) password authentication config_get_bool val "${section}" PasswordAuth 1 - [ "${val}" -eq 0 ] && append args "-s" + #[ "${val}" -eq 0 ] && append args "-s" # B) listen interface and port local port local interface @@ -72,10 +72,10 @@ [ "${val}" -eq 1 ] && append args "-a" # E) root password authentication config_get_bool val "${section}" RootPasswordAuth 1 - [ "${val}" -eq 0 ] && append args "-g" + #[ "${val}" -eq 0 ] && append args "-g" # F) root login config_get_bool val "${section}" RootLogin 1 - [ "${val}" -eq 0 ] && append args "-w" + #[ "${val}" -eq 0 ] && append args "-w" # G) host keys config_get val "${section}" rsakeyfile [ -f "${val}" ] && append args "-r ${val}" @@ -118,11 +118,12 @@ include /lib/network scan_interfaces config_load "${NAME}" - flag_ssh=`nvram get ssh_en` - if [ "$flag_ssh" == "1" ]; - then + #flag_ssh=`nvram get ssh_en` + #flag_ssh=1 + #if [ "$flag_ssh" == "1" ]; + #then config_foreach dropbear_start dropbear - fi + #fi } stop()
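Review bot: only the last hunk (@@ -118,11) is needed for the stated goal of bypassing the nvram `ssh_en` gate; the hunks at @@ -41, @@ -56 and @@ -72 also comment out `[ "${enabled}" -eq 0 ] && return 1` and the PasswordAuth, RootPasswordAuth and RootLogin checks, which turns the `enable`, `PasswordAuth`, `RootPasswordAuth` and `RootLogin` options in /etc/config/dropbear into no-ops, so once SSH is reachable the service can no longer be disabled, restricted to key-only login or closed to root through its own config. Keep those four checks and change only the `flag_ssh` block; there the added `#flag_ssh=1` line is dead and can be dropped, and if an unconditional start is the intent, a bare `config_foreach dropbear_start dropbear` reads more clearly than the commented-out if/fi pair.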
etc/shadow sets the root password to 'admin':
root:$1$mGrY9Gpt$vT7nVZg7fYnJ3rI5.UvJP0:16205:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
etc/dropbear/dropbear_dss_host_key and etc/dropbear/dropbear_rsa_host_key are required for dropbear to run.
All of these are packed into enable_xiaomi_router_ssh-jackslab.tgz, available at: http://pan.baidu.com/s/1nt2sb9J
Usage:
# dmesg|tail
[365314.453954] ata3: EH complete
[365314.454059] scsi 2:0:0:0: Direct-Access ATA ST1000LM024 HN-M 2BA3 PQ: 0 ANSI: 5
[365314.454321] sd 2:0:0:0: Attached scsi generic sg1 type 0
[365314.454341] sd 2:0:0:0: [sdb] 1953525168 512-byte logical blocks: (1.00 TB/931 GiB)
[365314.454346] sd 2:0:0:0: [sdb] 4096-byte physical blocks
[365314.454639] sd 2:0:0:0: [sdb] Write Protect is off
[365314.454644] sd 2:0:0:0: [sdb] Mode Sense: 00 3a 00 00
[365314.454747] sd 2:0:0:0: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[365314.474876] sdb: sdb1 sdb2 sdb3 sdb4
[365314.476042] sd 2:0:0:0: [sdb] Attached SCSI disk
# mount /dev/sdb3 /mnt
# ls /mnt/
dhcp.leases etc lost+found sysapi sysapihttpd usr
# tar zxf enable_xiaomi_router_ssh-jackslab.tgz -C /mnt/
# sync
# umount /mnt/
Unplug the disk and put it back into the Xiaomi router; after it boots, ssh root@192.168.31.1 with password admin.
2.1.3 How the official SSH enabling works
2.2 Enabling serial write
By default the UART shows output but does not accept input. nvram has to be modified:
After enabling SSH, log in as root:
# ssh root@192.168.31.1
root@192.168.31.1's password:
root@XiaoQiang:~# nvram get uart_en
0
root@XiaoQiang:~# nvram set uart_en=1
root@XiaoQiang:~# nvram commit
Or:
In the web admin interface, under "Router Settings" -> "Advanced Features" -> "Manual Router Upgrade", select the 0.4.58 firmware, upload and install it, and wait for the router to reboot; then enable serial write through the following HTTP API:
In the Xiaomi router web console, replace /web/home in the URL with /api/xqsystem/upgrade_rom?url=%3Bnvram+set+uart_en%3D1%3Bnvram+commit%3B
On success the server returns: {"code":0}
The serial port defaults to 115200 8n1
If after a reboot it drops straight into ramfs without mounting /dev/sda1 or the squashfs, check the nvram parameter flag_package_update; if it is 5, set it to 0 and it will be back to normal after the next reboot:
BusyBox v1.17.1 (2014-04-26 02:54:05 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
$ nvram get flag_package_update
5
$ nvram set flag_package_update=0
$ nvram commit
$ reboot
3 Core system development
The existing core packages are on this page: http://github.com/comcat/miwifi
Xiaomi router toolchain (toolchain, kernel and filesystem build environment)
Xiaomi Router R1D Kernel Developing Notes
4 Applications
4.1 Connected devices
Use dnsmasq to monitor connected clients through its lease file:
/data/dhcp.leases
root@Jarvis:~# wl -i wl0 assoclist
root@Jarvis:~# wl -i wl1 assoclist
assoclist 18:FE:34:A2:65:AD
assoclist 18:FE:34:F2:8A:14
assoclist AC:A2:13:CA:B3:7A
assoclist 5C:CF:7F:82:6B:D8
assoclist 5C:CF:7F:94:D9:9A
assoclist 5C:CF:7F:94:DC:2C
assoclist AC:A2:13:CA:F0:40

# Proprietary Atheros (madwifi)
# wlanconfig ath0 list sta
More info: wl usage
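To put the two data sources above to use together, here is an added example (not from the original page or the miwifi project): a POSIX sh script that cross-checks `wl assoclist` output against /data/dhcp.leases and flags associated stations with no DHCP lease, and leases whose station is no longer associated. The sample assoclist and lease file are constructed; the hostnames and the wired-host MAC are invented.

```shell
#!/bin/sh
# Added example, not from the original page: cross-check the stations the
# Broadcom driver reports as associated ("wl -i wlN assoclist") against the
# dnsmasq lease file (/data/dhcp.leases), so a WiFi client holding no DHCP
# lease, or a lease whose owner is no longer on the air, stands out.
# Sample inputs are constructed (MACs from the page's listing plus one
# made-up wired host); the hostnames are invented.

SCRATCH="${TMPDIR:-/tmp}/sta-check.$$"
mkdir -p "$SCRATCH"

# Constructed "wl assoclist" output; the driver prints MACs in upper case.
cat > "$SCRATCH/assoclist" <<'EOF'
assoclist 18:FE:34:A2:65:AD
assoclist AC:A2:13:CA:B3:7A
assoclist 5C:CF:7F:82:6B:D8
EOF

# Constructed /data/dhcp.leases: "<expiry> <mac> <ip> <hostname> <client-id>".
# dnsmasq also writes a "duid ..." line when DHCPv6 is on; it must be skipped.
cat > "$SCRATCH/dhcp.leases" <<'EOF'
duid 00:01:00:01:1a:2b:3c:4d:00:11:22:33:44:55
1533621600 18:fe:34:a2:65:ad 192.168.31.101 esp-node1 *
1533621600 ac:a2:13:ca:b3:7a 192.168.31.102 phone 01:ac:a2:13:ca:b3:7a
1533621600 00:11:22:33:44:55 192.168.31.150 wired-pc *
EOF

# compare_sta_leases <assoclist-file> <leases-file>
# Prints "ASSOC-NO-LEASE <mac>" for associated stations without a lease and
# "LEASE-NOT-ASSOC <mac> <ip> <host>" for leases whose MAC is not associated.
# MACs are lower-cased on both sides because wl and dnsmasq differ in case;
# only lines whose first field is a numeric expiry are taken as leases.
compare_sta_leases() {
  awk '
    FILENAME == ARGV[1] { if ($1 ~ /^[0-9]+$/) { m = tolower($2); ip[m] = $3; host[m] = $4 }; next }
    $1 == "assoclist" { m = tolower($2); seen[m] = 1; if (!(m in ip)) print "ASSOC-NO-LEASE " m }
    END { for (m in ip) if (!(m in seen)) print "LEASE-NOT-ASSOC " m " " ip[m] " " host[m] }
  ' "$2" "$1" | sort
}

# Report on the constructed data; on the router feed it both radios instead:
#   wl -i wl0 assoclist > /tmp/assoc; wl -i wl1 assoclist >> /tmp/assoc
#   compare_sta_leases /tmp/assoc /data/dhcp.leases
compare_sta_leases "$SCRATCH/assoclist" "$SCRATCH/dhcp.leases"
```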
4.2 Reset AP
root@Jarvis:~# wl -i wl0 down && sleep 5 && wl -i wl0 up
root@Jarvis:~# wl -i wl1 down && sleep 5 && wl -i wl1 up
4.3 Kick a STA off
root@Jarvis:~# wl -i wl1 deauthenticate MAC_ADDR
4.4 WiFi config files
root@Jarvis:~# cat /etc/config/network

config switch 'eth0'
    option enable '1'

config switch_vlan 'eth0_1'
    option device 'eth0'
    option vlan '1'
    option ports '0 2 5*'

config switch_vlan 'eth0_2'
    option device 'eth0'
    option vlan '2'
    option ports '4 5'

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'
    option ipaddr '192.168.31.1'
    option netmask '255.255.255.0'

config interface 'wan'
    option username '900000563616'
    option proto 'pppoe'
    option password 'i7k9e7b8'
    option ifname 'eth0.2'
4.5 dnsmasq configuration
Files:
- /etc/init.d/dnsmasq
- /etc/config/dhcp
- /var/etc/dnsmasq.conf
You need to modify /etc/init.d/dnsmasq so that it generates a /var/etc/dnsmasq.conf like this:
# auto-generated config file from /etc/config/dhcp
conf-dir=/etc/dnsmasq.d/
address=/workforme.stat.localdomain/127.0.0.1
address=/apiiot.mjyun.com/192.168.31.10
dhcp-authoritative
domain-needed
filterwin2k
clear-on-reload
localise-queries
read-ethers
bogus-priv
expand-hosts
neg-ttl=10
max-ttl=30
cache-size=3000
dns-forward-max=1000
server=/lan/
dhcp-leasefile=/data/dhcp.leases
resolv-file=/tmp/resolv.conf.auto
local-ttl=0
addn-hosts=/tmp/hosts

dhcp-range=lan,192.168.31.100,192.168.31.199,255.255.255.0,12h
dhcp-option-force=lan,43,XIAOMI_ROUTER
no-dhcp-interface=pppoe-wan

address=/Jarvis/192.168.31.1
ptr-record=1.31.168.192.in-addr.arpa,Jarvis
no-dhcp-interface=eth0.2
5 References
- bcm4708x and bcm5301 SoC: http://www.anandtech.com/show/5925/broadcom-announces-bcm4708x-and-bcm5301x-socs-for-80211ac-routers
- Xiaomi router default password vulnerability: http://www.wooyun.org/bugs/wooyun-2014-058818
- Xiaomi router boot log: http://blog.csdn.net/r7ronalshun/article/details/26544921