mir3c router firmware

Disassembled source code for the Xiaomi Router 3C

binwalk details

672           0x2A0           uImage header, header size: 64 bytes, header CRC: 0x7916E8DD, created: 2017-05-11 09:08:16, image size: 1410980 bytes, Data Address: 0x80000000, Entry Point: 0x80000000, data CRC: 0xCC31F951, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS OpenWrt Linux-3.10.14"
736           0x2E0           LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 4083808 bytes
1442464       0x1602A0        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 6125436 bytes, 1832 inodes, blocksize: 262144 bytes, created: 2017-05-11 09:08:13

Note that the device runs OpenWrt, albeit a modified build.

Things to try

  • Download the firmware from the device via the serial headers
  • Diff the various firmware versions from the Mi website
  • Upgrade the firmware on the device
  • See if the SSH password on the device can be reset
  • Figure out how to turn on SSH on the device
  • Get the /data/ directory (it has the AES encryption key for backups)
  • See if the firmware upgrade process can be hacked to upload OpenWrt