小米路由改私有云
(→打开串口写) |
(→打开 SSH) |
||
| 第76行: | 第76行: | ||
=== 打开 SSH === | === 打开 SSH === | ||
| + | |||
| + | 官方给出的打开 SSH 的方法还要通过云端的小米帐号,既愚蠢又鸡贼 | ||
| + | |||
| + | 其实 openwrt 系统已经内置 dropbear 服务(嵌入式环境下的 SSH 服务),在 /etc/init.d/ 下有 dropbear 的启动脚本,/etc/rc.d 下也有 dropbear 的链接 | ||
| + | |||
| + | 只是 openwrt 在 nvram 里放了一些参数,然后 /etc/init.d/dropbear 启动脚本会检查这些参数,关键参数 'ssh_en' 在 nvram 里默认为零,因此 dropbear 是启动不了的 | ||
| + | |||
| + | 其实只要把硬盘拆下来,挂载在 PC 机上,挂载上第三个分区,替换 etc/init.d/dropbear etc/shadow 并在 etc/dropbear/ 加入两个 key 文件即可打开 SSH 服务 | ||
| + | |||
| + | etc/init.d/dropbear 修改: | ||
| + | |||
| + | <source lang=bash> | ||
| + | --- old/etc/init.d/dropbear 2014-05-22 22:40:08.000000000 +0800 | ||
| + | +++ new/etc/init.d/dropbear 2014-06-02 20:21:46.000000000 +0800 | ||
| + | @@ -41,7 +41,7 @@ | ||
| + | # check if section is enabled (default) | ||
| + | local enabled | ||
| + | config_get_bool enabled "${section}" enable 1 | ||
| + | - [ "${enabled}" -eq 0 ] && return 1 | ||
| + | + #[ "${enabled}" -eq 0 ] && return 1 | ||
| + | |||
| + | # verbose parameter | ||
| + | local verbosed | ||
| + | @@ -56,7 +56,7 @@ | ||
| + | local val | ||
| + | # A) password authentication | ||
| + | config_get_bool val "${section}" PasswordAuth 1 | ||
| + | - [ "${val}" -eq 0 ] && append args "-s" | ||
| + | + #[ "${val}" -eq 0 ] && append args "-s" | ||
| + | # B) listen interface and port | ||
| + | local port | ||
| + | local interface | ||
| + | @@ -72,10 +72,10 @@ | ||
| + | [ "${val}" -eq 1 ] && append args "-a" | ||
| + | # E) root password authentication | ||
| + | config_get_bool val "${section}" RootPasswordAuth 1 | ||
| + | - [ "${val}" -eq 0 ] && append args "-g" | ||
| + | + #[ "${val}" -eq 0 ] && append args "-g" | ||
| + | # F) root login | ||
| + | config_get_bool val "${section}" RootLogin 1 | ||
| + | - [ "${val}" -eq 0 ] && append args "-w" | ||
| + | + #[ "${val}" -eq 0 ] && append args "-w" | ||
| + | # G) host keys | ||
| + | config_get val "${section}" rsakeyfile | ||
| + | [ -f "${val}" ] && append args "-r ${val}" | ||
| + | @@ -118,11 +118,12 @@ | ||
| + | include /lib/network | ||
| + | scan_interfaces | ||
| + | config_load "${NAME}" | ||
| + | - flag_ssh=`nvram get ssh_en` | ||
| + | - if [ "$flag_ssh" == "1" ]; | ||
| + | - then | ||
| + | + #flag_ssh=`nvram get ssh_en` | ||
| + | + #flag_ssh=1 | ||
| + | + #if [ "$flag_ssh" == "1" ]; | ||
| + | + #then | ||
| + | config_foreach dropbear_start dropbear | ||
| + | - fi | ||
| + | + #fi | ||
| + | } | ||
| + | |||
| + | stop() | ||
| + | </source> | ||
| + | |||
| + | etc/shadow 则是把 root 密码改为 'admin' | ||
| + | |||
| + | <source lang=bash> | ||
| + | root:$1$mGrY9Gpt$vT7nVZg7fYnJ3rI5.UvJP0:16205:0:99999:7::: | ||
| + | daemon:*:0:0:99999:7::: | ||
| + | ftp:*:0:0:99999:7::: | ||
| + | network:*:0:0:99999:7::: | ||
| + | nobody:*:0:0:99999:7::: | ||
| + | </source> | ||
| + | |||
| + | etc/dropbear/dropbear_dss_host_key 和 etc/dropbear/dropbear_rsa_host_key 则是 dropbear 运行所必须 | ||
<br><br> | <br><br> | ||
2014年6月2日 (一) 20:22的版本
目录 |
1 小米路由硬件概览
主核心是一颗 BCM4709 SoC,片内含有:
- > ARM Cortex-A9 Dual-Core
- 32 KB I-cache and 32 KB D-cache per core
- 256 KB L2 Cache (shared)
- 128-entry TLB
- SMP and AMP capable
- Boot ROM
- > DDR3 接口
- > NOR/NAND 接口
- > 5个 10/100/1000 PHY 口
- > USB 3.0/PCIe 口
- > 2个 PCIe 1x 口
- > USB2.0/SDIO3/MDIO/UART/I2C/SPI/GPIO/PWM/WDT ...
WiFi 芯片
2.4G 用的一片 BCM43217,标称能到 300Mbps (与 Netgear R6250 一致;高端 Netgear R7000 2.4GHz 用的一片 BCM4360,600Mbps)
5G 用的一片 BCM4352,标称能到 867Mbps (Netgear R7000 用的一片 BCM4360, 1300Mbps)
Netgear R7000 和 ASUS RT-AC68U 在 2.4G 和 5G 都用了 BCM4360
- BCM43217: 2.4G WiFi 802.11b/g/n Transceiver,PCIe 2.0 接口,射频+基带+MAC一片解决,300Mbps 参考:https://wikidevi.com/wiki/Broadcom
- BCM4352: 5G WiFi 2-Stream 802.11ac Transceiver(支持802.11a/b/g/n)PCIe 2.0 接口,射频+基带+MAC一片解决,867 Mbps 参考:http://www.broadcom.com/products/Wireless-LAN/802.11-Wireless-LAN-Solutions/BCM4352
- BCM4360: 5G WiFi 3-Stream 802.11ac Gigabit Transceiver(支持802.11a/b/g/n)PCIe 2.0 接口,射频+基带+MAC一片解决,1300Mbps 参考: http://www.broadcom.com/products/Wireless-LAN/802.11-Wireless-LAN-Solutions/BCM4360
内存为 256MB DDR3-1600,直接接在 SoC 上 (大小与 Netgear R7000 一致)
内置 1TB SATA 硬盘,因为 BCM4709 不像更高端的 BCM5862x 直接带 SATA 3.0 控制器,其应该是用了一片 PCIe 1x 接口的 SATA 控制芯片
总体应该参考了 Netgear R7000 和 ASUS RT-AC68U 的 设计
从WiFi的缩水(300Mbsps/2.4G+867Mbps/5G)可以推测其性能较 Netgear R7000 (600Mbps/2.4GHz*+1300Mbps/5GHz) 要差
Netgear R7000 和 ASUS RT-AC68U 对比测试: http://www.smallnetbuilder.com/wireless/wireless-reviews/32239-ac1900-first-look-netgear-r7000-a-asus-rt-ac68u
2 基础 Hack
2.1 打开 SSH
官方给出的打开 SSH 的方法还要通过云端的小米帐号,既愚蠢又鸡贼
其实 openwrt 系统已经内置 dropbear 服务(嵌入式环境下的 SSH 服务),在 /etc/init.d/ 下有 dropbear 的启动脚本,/etc/rc.d 下也有 dropbear 的链接
只是 openwrt 在 nvram 里放了一些参数,然后 /etc/init.d/dropbear 启动脚本会检查这些参数,关键参数 'ssh_en' 在 nvram 里默认为零,因此 dropbear 是启动不了的
其实只要把硬盘拆下来,挂载在 PC 机上,挂载上第三个分区,替换 etc/init.d/dropbear etc/shadow 并在 etc/dropbear/ 加入两个 key 文件即可打开 SSH 服务
etc/init.d/dropbear 修改:
--- old/etc/init.d/dropbear 2014-05-22 22:40:08.000000000 +0800
+++ new/etc/init.d/dropbear 2014-06-02 20:21:46.000000000 +0800
@@ -41,7 +41,7 @@
# check if section is enabled (default)
local enabled
config_get_bool enabled "${section}" enable 1
- [ "${enabled}" -eq 0 ] && return 1
+ #[ "${enabled}" -eq 0 ] && return 1
# verbose parameter
local verbosed
@@ -56,7 +56,7 @@
local val
# A) password authentication
config_get_bool val "${section}" PasswordAuth 1
- [ "${val}" -eq 0 ] && append args "-s"
+ #[ "${val}" -eq 0 ] && append args "-s"
# B) listen interface and port
local port
local interface
@@ -72,10 +72,10 @@
[ "${val}" -eq 1 ] && append args "-a"
# E) root password authentication
config_get_bool val "${section}" RootPasswordAuth 1
- [ "${val}" -eq 0 ] && append args "-g"
+ #[ "${val}" -eq 0 ] && append args "-g"
# F) root login
config_get_bool val "${section}" RootLogin 1
- [ "${val}" -eq 0 ] && append args "-w"
+ #[ "${val}" -eq 0 ] && append args "-w"
# G) host keys
config_get val "${section}" rsakeyfile
[ -f "${val}" ] && append args "-r ${val}"
@@ -118,11 +118,12 @@
include /lib/network
scan_interfaces
config_load "${NAME}"
- flag_ssh=`nvram get ssh_en`
- if [ "$flag_ssh" == "1" ];
- then
+ #flag_ssh=`nvram get ssh_en`
+ #flag_ssh=1
+ #if [ "$flag_ssh" == "1" ];
+ #then
config_foreach dropbear_start dropbear
- fi
+ #fi
}
stop()
etc/shadow 则是把 root 密码改为 'admin'
root:$1$mGrY9Gpt$vT7nVZg7fYnJ3rI5.UvJP0:16205:0:99999:7::: daemon:*:0:0:99999:7::: ftp:*:0:0:99999:7::: network:*:0:0:99999:7::: nobody:*:0:0:99999:7:::
etc/dropbear/dropbear_dss_host_key 和 etc/dropbear/dropbear_rsa_host_key 则是 dropbear 运行所必须
2.2 打开串口写
默认的UART可以看到输出,但是不能写。需要修改nvram:
root@XiaoQiang:~# nvram get uart_en 0 root@XiaoQiang:~# nvram set uart_en=1 root@XiaoQiang:~# nvram commit
或者:
root@XiaoQiang:~# bdata get uart_en root@XiaoQiang:~# bdata set uart_en=1 root@XiaoQiang:~# bdata sync && bdata commit root@XiaoQiang:~# bdata get uart_en root@XiaoQiang:~# bdata show pci/1/1/macaddr=8C:BE:BE:20:B7:4A pci/2/1/macaddr=8C:BE:BE:20:B7:49 et0macaddr=8C:BE:BE:20:B7:48 wl0_ssid=Xiaomi_B748_5G wl1_ssid=Xiaomi_B748 SN=561000015739 model=R1D
3 参考
- http://www.anandtech.com/show/5925/broadcom-announces-bcm4708x-and-bcm5301x-socs-for-80211ac-routers
