小米路由器3的設定與測試

如何將取得 SSH 登入權限、功能安裝 (opkg) 以及一些無線網路功能的測試

取得 SSH 登入權限

小米路由器原生不支援 SSH 登入,官方的作法是先和小米帳號綁定之後,給予一組密碼並重刷作業系統,以取得 SSH 的登入權限。如果想要照做的話,可以參考: http://tw.miui.com/thread-13641-1-1.html 。不過,我一開始在綁定時就一直無法成功,因此,就使用後門取得登入的權限,原始文章在: https://wiki.openwrt.org/toh/xiaomi/mir3 以及 http://www.right.com.cn/forum/thread-185797-1-1.html。此後門的想法主要是利用開發版的 ROM 支援 SSH,並透過 API 的方式賦予登入的密碼,操作過程如下:

(1) 下載並將小米路由器3刷成開發版的 ROM,更新韌體方法如下圖。 下載地址: http://bigota.miwifi.com/xiaoqiang/rom/r3/miwifi_r3_all_55ac7_2.11.20.bin

(2) 透過 API 對小米路由器3進行設定,這裡有一個每個機器專屬的 token 要視情況修改。在登入小米路由器3後,我們可以看到網址列大概長得像: 

http://192.168.31.1/cgi-bin/luci/;stok=40fce86d28a6eedecfc7e72f28c63921/web/home#router

其中,40fce86d28a6eedecfc7e72f28c63921就是該機器的 token。取得 token 後,就可以透過後台的 API 進行進一步的修改。輸入下列指令:

http://192.168.31.1/cgi-bin/luci/;stok=[token]/api/xqnetwork/set_wifi_ap?ssid=Xiaomi&encryption=NONE&enctype=NONE&channel=1%3Bnvram%20set%20ssh%5Fen%3D1%3B%20nvram%20commit
http://192.168.31.1/cgi-bin/luci/;stok=[token]/api/xqnetwork/set_wifi_ap?ssid=Xiaomi&encryption=NONE&enctype=NONE&channel=1%3Bsed%20%2Di%20%22%3Ax%3AN%3As%2Fif%20%5C%5B%2E%2A%5C%3B%20then%5Cn%2E%2Areturn%200%5Cn%2E%2Afi%2F%23tb%2F%3Bb%20x%22%20%2Fetc%2Finit.d%2Fdropbear
http://192.168.31.1/cgi-bin/luci/;stok=[token]/api/xqnetwork/set_wifi_ap?ssid=Xiaomi&encryption=NONE&enctype=NONE&channel=1%3B%2Fetc%2Finit.d%2Fdropbear%20start
http://192.168.31.1/cgi-bin/luci/;stok=[token]/api/xqsystem/set_name_password?oldPwd=[old passwd]&newPwd=[new passwd]

由於指令並沒有加密,我們大概可以看出來第一行和 nvram 中的 SSH 設定相關,第二行則是透過 sed 來更改/etc/init.d/dropbear的數值,第三行啟動 dropbear,也就是 SSH 伺服器,最後一行則是更改密碼,其中 [old passwd] 是原本當入網頁的密碼, [new passwd] 則是 SSH 的設定密碼。

當執行前三行時,網頁會顯示: {"msg":"未能连接到指定WiFi(Probe timeout)","code":1616},而執行最後一行則顯示: {"code":0}。之後,只要重新開機就可以了。

功能安裝 (opkg)

由於小米路由器3本身不支援 opkg 的軟體安裝器,在添加 OpenWRT 功能時,很不方便,因此,我們參考此篇的教學 (https://www.ywlib.com/archives/102.html),讓小米路由器3能夠擁有 opkg 的功能。

(1) 從其他支援 opkg 的裝置下,取出 okpg,並複製到/data之下。在此,我是直接下載該網站的資源,如附檔所示。

(2) 修改/etc/opkg.conf,替換為以下內容:

src/gz attitude_adjustment_base http://downloads.openwrt.org/barrier_breaker/14.07/ramips/mt7620a/packages/base
src/gz attitude_adjustment_packages http://downloads.openwrt.org/barrier_breaker/14.07/ramips/mt7620a/packages/packages/
src/gz attitude_adjustment_luci http://downloads.openwrt.org/barrier_breaker/14.07/ramips/mt7620a/packages/luci/
src/gz attitude_adjustment_management http://downloads.openwrt.org/barrier_breaker/14.07/ramips/mt7620a/packages/management/
src/gz attitude_adjustment_oldpackages http://downloads.openwrt.org/barrier_breaker/14.07/ramips/mt7620a/packages/oldpackages/
src/gz attitude_adjustment_routing http://downloads.openwrt.org/barrier_breaker/14.07/ramips/mt7620a/packages/routing/
src/gz openwrt_dist http://openwrt-dist.sourceforge.net/releases/ramips/packages
src/gz openwrt_dist_luci http://openwrt-dist.sourceforge.net/releases/luci/packages
dest root /data
dest ram /tmp
lists_dir ext /data/var/opkg-lists
option overlay_root /data
arch all 100
arch ramips 200
arch ramips_24kec 300

(3) 更改環境變數 (/etc/profile),首先,先改變 PATH 的變數,如下:

export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/data/usr/sbin:/data/usr/bin

並在該文件下方加入一行新的設定:

export LD_LIBRARY_PATH=/data/usr/lib

(4) 重新開機,或是執行:

export PATH=$PATH:/data/usr/bin:/data/usr/sbin
export LD_LIBRARY_PATH=LD_LIBRARY_PATH:/data/usr/lib

(5) 此時,opkg 就可以使用了。

root@XiaoQiang:~# /data/opkg update
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ramips/mt7620a/packages/base/Packages.gz.
Updated list of available packages in /data/var/opkg-lists/attitude_adjustment_base.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ramips/mt7620a/packages/packages//Packages.gz.
Updated list of available packages in /data/var/opkg-lists/attitude_adjustment_packages.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ramips/mt7620a/packages/luci//Packages.gz.
Updated list of available packages in /data/var/opkg-lists/attitude_adjustment_luci.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ramips/mt7620a/packages/management//Packages.gz.
Updated list of available packages in /data/var/opkg-lists/attitude_adjustment_management.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ramips/mt7620a/packages/oldpackages//Packages.gz.
Updated list of available packages in /data/var/opkg-lists/attitude_adjustment_oldpackages.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ramips/mt7620a/packages/routing//Packages.gz.
Updated list of available packages in /data/var/opkg-lists/attitude_adjustment_routing.
Downloading http://openwrt-dist.sourceforge.net/releases/ramips/packages/Packages.gz.
Updated list of available packages in /data/var/opkg-lists/openwrt_dist.
Downloading http://openwrt-dist.sourceforge.net/releases/luci/packages/Packages.gz.
Updated list of available packages in /data/var/opkg-lists/openwrt_dist_luci.

(6) 假如安裝文件有缺少,也可以直接下載後,透過 opkg 來安裝,下載網址為: https://archive.openwrt.org/barrier_breaker/14.07/ramips/mt7620a/packages/base/

同時,我們也可以從這份文件中發現,小米路由器3的 OpenWRT 版本為 barrier breaker,不過,真實的版本仍然沒有想到方法驗證。

無線網路功能測試

為了進行我們的測試,我重做了兩個測試,第一個是 iw 的指令支援。這個測試也就是用 opkg 安裝 iw,若有缺少任何功能,就會有提示出現。但在最後執行時,卻出現了錯誤,如下所示:

root@XiaoQiang:~# iw list
nl80211 not found.

根據查詢之後,這是由於驅動程式不支援 iw 的功能。錯誤訊息中的nl80211是無線網卡的驅動程式,但是,MTK的方案並不支援此驅動程式。

第二個測試則是加入監聽模式的無線網路介面,以下為所編輯的/etc/config/wireless檔案。

config wifi-device 'mt7612'
        option type 'mt7612'
        option vendor 'ralink'
        option channel '0'
        option bw '0'
        option autoch '2'
        option radio '1'
        option hwband '5G'
        option hwmode '11ac'
        option disabled '0'
        option txpwr 'max'

config wifi-iface
        option device 'mt7612'
        option ifname 'wl0'
        option network 'lan'
        option mode 'ap'
        option ssid 'Xiaomi_2F1C_5G'
        option encryption 'mixed-psk'
        option key 'aabb1122'

config wifi-iface 'monitor5G'
        option device 'mt7612'
        option ifname 'wl0-1'
        option mode 'monitor'

config wifi-device 'mt7620'
        option type 'mt7620'
        option vendor 'ralink'
        option channel '0'
        option bw '0'
        option autoch '2'
        option radio '1'
        option hwband '2_4G'
        option hwmode '11ng'
        option disabled '0'
        option txpwr 'max'

config wifi-iface
        option device 'mt7620'
        option ifname 'wl1'
        option network 'lan'
        option mode 'ap'
        option ssid 'Xiaomi_2F1C'
        option encryption 'mixed-psk'
        option key 'aabb1122'

config wifi-iface 'monitor2G'
        option device 'mt7620'
        option ifname 'wl1-1'
        option mode 'monitor'

輸入 wifi 重啟網路後,我們有以下的結果:

root@XiaoQiang:~# wifi
/sbin/wifi: CALLER: -ash
/sbin/wifi: ==========device=mt7612========
/sbin/wifi: ...mt7612.type=mt7612...
/sbin/wifi: run1 eval type enable_mt7612
/sbin/wifi: run2 eval enable_mt7612 'mt7612'
Interface doesn't accept private ioctl...
set (8BE2): Network is down
wl0-1     no private ioctls.

ifconfig: SIOCGIFFLAGS: No such device
/sbin/wifi: ==========device=mt7620========
/sbin/wifi: ...mt7620.type=mt7620...
/sbin/wifi: run1 eval type enable_mt7620
/sbin/wifi: run2 eval enable_mt7620 'mt7620'
Interface doesn't accept private ioctl...
set (8BE2): Network is down
wl1-1     no private ioctls.

ifconfig: SIOCGIFFLAGS: No such device
/sbin/wifi: eval: line 1: rk_start.sh: not found
Waiting for Wireless Events from interfaces...
/sbin/wifi: mt7620(mt7620): enable failed
root@XiaoQiang:~# IWEVBSD: Error event param: Success
IWEVBSD: Error event param: Resource temporarily unavailable
IWEVBSD: Error event param: Resource temporarily unavailable

OpenWRT 論壇上也有類似的問題: https://forum.archive.openwrt.org/viewtopic.php?id=51608,可能是因為 MTK 網卡不支援 monitor 模式 (mt7620 drivers from mtk/ralink does not support monitor mode.)

Previous測試硬體與功能列表NextOPKG Package Manager

Last updated