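[Tutorial] Unlocking SSH on the Redmi AX6


Downgrade the AX6 firmware

Before you start, make sure the router is running the official firmware version 1.0.16. Download: https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/ra69/miwifi_ra69_firmware_a7244_1.0.16.bin

Unlock SSH (using the Xiaomi router-migration vulnerability)

[Tutorial] Installing OpenWrt in VMware

Configure OpenWrt

Connect over SSH to the OpenWrt instance set up earlier

Create the LuCI controller directory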

vim /root/wireless.sh
#!/bin/bash
# SPDX-License-Identifier: GPL-3.0-only
#
# Copyright (C) 2020 yyjdelete
# Copyright (C) 2021 Robert Marko <robimarko@gmail.com>
# Copyright (C) 2021 Tianling Shen <cnsztl@immortalwrt.org>
#
# Original threads:
# Redmi AX6 AX3000: https://www.right.com.cn/forum/thread-4060726-1-1.html
# Xiaomi AX6000/AX9000: https://forum.openwrt.org/t/openwrt-support-for-xiaomi-ax9000/98908/34

info_font="\033[36m[Info]\033[0m"
success_font="\033[32m[Success]\033[0m"
warning_font="\033[33m[Warning]\033[0m"

echo -e "${warning_font} Please make sure your router has wireless support!"
echo -e "${warning_font} Please make sure your router is restored to factory settings (not configured)!"
echo -e "${warning_font} Please make sure you've backed up the network and wireless settings!"
echo -e "${warning_font} Please make sure you've connected the router via *wired ethernet*!"
echo -e "${warning_font} Running this script will change your *network* settings!"
read -p "Use Ctrl+C to exit or press enter key to continue..."

echo -e ""
echo -e "${info_font} Adding xqsystem controller..."
cat > "/usr/lib/lua/luci/controller/admin/xqsystem.lua" <<EOF
module("luci.controller.admin.xqsystem", package.seeall)


function index()
    local page   = node("api")
    page.target  = firstchild()
    page.title   = ("")
    page.order   = 100
    page.index = true
    page   = node("api","xqsystem")
    page.target  = firstchild()
    page.title   = ("")
    page.order   = 100
    page.index = true
    entry({"api", "xqsystem", "token"}, call("getToken"), (""), 103, 0x08)
end

local LuciHttp = require("luci.http")

function getToken()
    local result = {}
    result["code"] = 0
    result["token"] = "; nvram set ssh_en=1; nvram commit; sed -i 's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear; /etc/init.d/dropbear start;"
    LuciHttp.write_json(result)
end
EOF

echo -e "${info_font} Changing network settings..."
set -x
# /etc/config/dhcp
uci set dhcp.lan.ra_management='1'
uci del dhcp.lan.start
uci del dhcp.lan.limit
uci del dhcp.lan.leasetime
uci set dhcp.lan.ignore='1'
# /etc/config/network
uci set network.lan.ipaddr='169.254.31.1'
uci -q commit
set +x

echo -e "${success_font} All settings are applied.\n"
echo -e "${info_font} Please now disconnect from this router, and connect to your Xiaomi/Redmi router."
echo -e ""
echo -e "${info_font} For Xiaomi AX3000/AX6000/AX9000:"
echo -e "       Open your browser, access the following URL:"
echo -e "         http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/xqsystem/extendwifi_connect_inited_router?ssid=MEDIATEK-ARM-IS-GREAT&password=ARE-YOU-OK&admin_username=root&admin_password=admin&admin_nonce=xxx"
echo -e ""


echo -e ""
echo -e "${warning_font} Restarting network..."
wifi reload >"/dev/null" 2>&1
/etc/init.d/network restart >"/dev/null" 2>&1

Save the file, then run the script:

sh /root/wireless.sh

Press Enter when prompted.

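Enable the Windows mobile hotspot

Windows Settings > Mobile hotspot

  • Turn off the power-saving option
  • Set the network band to 2.4 GHz

Control Panel\Network and Internet\Network Connections

Disable the IPv4 protocol

Adjust VMware's bridged mode (change the bridge target of the adapter that originally served as the WAN port to the Wi-Fi adapter)

Unlock SSH

Open the admin panel of the AX6 you are going to flash and copy the stok value from it

  • stok: the Xiaomi router's token
  • ssid: the name of the mobile hotspot
  • password: the password of the mobile hotspot
  • admin_username: the OpenWrt username
  • admin_password: the OpenWrt password

http://192.168.31.1/cgi-bin/luci/;stok=7f7e3a880d45d3edb43e64476d218416/api/misystem/extendwifi_connect?ssid=op&password=12345678

http://192.168.31.1/cgi-bin/luci/;stok=7f7e3a880d45d3edb43e64476d218416/api/xqsystem/oneclick_get_remote_token?username=xxx&password=xxx&nonce=xxx
http://192.168.31.1/cgi-bin/luci/;stok=7f7e3a880d45d3edb43e64476d218416/api/xqsystem/extendwifi_connect_inited_router?ssid=op&password=12345678&encryption=WPA2PSK&enctype=CCMP&band=2g&admin_username=root&admin_password=password&admin_nonce=xxx

On success, the request returns JSON with a code of 0: {"token":"..........","code":0}

At this point the router's sshd is running, but the change is not yet persistent, so do not drop the connection and do not reboot the router.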

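Unlock SSH (hard-unlock version)

For details, see: https://github.com/mphin/miwifi_tools

It really works well!!!

If you encounter Unable to negotiate with 192.168.31.1 port 22: no matching host key type found. Their offer: ssh-rsa

connect with the following command, which re-enables the ssh-rsa host key algorithm for this one connection: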

ssh -oHostKeyAlgorithms=+ssh-rsa root@192.168.31.1

Set up SSH

Get the SSH password

Visit: https://miwifi.dev/ssh

Make SSH persistent

After connecting over SSH, run:

nvram set flag_last_success=0
nvram set flag_boot_rootfs=0
nvram set flag_boot_success=1
nvram set flag_try_sys1_failed=0
nvram set flag_try_sys2_failed=0
nvram set boot_wait=on
nvram set uart_en=1
nvram set telnet_en=1
nvram set ssh_en=1
nvram commit
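
A read-back check for the flags above, as an added example that is not part of the original tutorial or of any project it links to. It assumes the firmware's nvram tool supports `nvram get`; `NVRAM_GET`, `sample_nvram` and `check_nvram` are names made up for this example.

```shell
#!/bin/sh
# Added example: read back the NVRAM flags set in this section and report
# any that differ, so a typo is caught before the router is rebooted.

# Command that reads one variable. "nvram get" is assumed to exist on the
# stock firmware; override NVRAM_GET to try the check elsewhere.
NVRAM_GET="${NVRAM_GET:-nvram get}"

# Expected values, copied from the commands in this section.
EXPECTED="flag_last_success=0
flag_boot_rootfs=0
flag_boot_success=1
flag_try_sys1_failed=0
flag_try_sys2_failed=0
boot_wait=on
uart_en=1
telnet_en=1
ssh_en=1"

# Constructed stand-in for "nvram get" (hypothetical, for offline use):
# every flag reads back as expected except telnet_en, which reads 0.
sample_nvram() {
    case "$2" in
        telnet_en) echo 0 ;;
        *) echo "$EXPECTED" | sed -n "s/^$2=//p" ;;
    esac
}

# Print one line per flag; the return status is the number of mismatches.
check_nvram() {
    bad=0
    for pair in $EXPECTED; do
        key="${pair%%=*}"
        want="${pair#*=}"
        # A failing or missing nvram command counts as an empty value.
        got="$($NVRAM_GET "$key" 2>/dev/null)" || got=""
        if [ "$got" = "$want" ]; then
            echo "ok       $key=$got"
        else
            echo "MISMATCH $key: want '$want', got '$got'"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# On the router:  check_nvram && echo "flags read back as intended"
```

The list enables telnet and the UART console alongside SSH, so the output also serves as a record of which debug interfaces are switched on.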
