3847 字
19 分钟
从零开始!在红米AX6000路由器上刷入Openwrt
在我前两天搞定TPLINK后,近期跟我聊到路由器的同学买了个红米的AX6000,想自己刷,发现自己搞不定了求助于我,于是我们一起刷这台路由器,就有了这篇教程
准备工作
首先得把小米路由器的系统降级,这位同学拿过来的时候,他降级到了1.0.60,所以降级过程就没有什么教程啦,可以去网上找找旧版的包,然后直接通过路由器管理面板的升级部分刷就行了
打开Telnet(路由器的开发者模式)
我们降级好路由器后,先要打开telnet,才能打开SSH,打开telnet的过程不要联网!!!
{% note danger %}
实测联网会打不开telnet
{% endnote %}
首先我们要登录进路由器的管理面板,在管理面板的地址栏中有我们需要的stok,例如http://192.168.31.1/cgi-bin/luci/;stok=71871cc803318e6f85e9c73d2ed7736c,这个stok=后面的内容就是我们需要的stok,我们复制下来,替换掉下面链接中的{stok},并复制到浏览器访问(访问的结果统一会显示{code: 0},四次访问都是,不再赘述,我使用的是curl)
访问了以后路由器会重启,重启完了以后,我们再登录到路由器管理面板,此时stok会改变,我们复制新的stok,替换下面链接中的{stok},然后丢到浏览器访问
此链接跟第二条一样,都是重启用的
我们打开一个能够支持telnet连接的软件,用户名和密码都是空,就可以连接进去了
自动化脚本
于是我随手撸了一个脚本
import httpx
host = "http://192.168.31.1"
# First timestok = input("请输入第一次的stok: ")
BASE = host + "/cgi-bin/luci/;stok="
MTD_WRITE_ROUTE = "/api/misystem/set_sys_time?timezone=%20%27%20%3B%20zz%3D%24%28dd%20if%3D%2Fdev%2Fzero%20bs%3D1%20count%3D2%202%3E%2Fdev%2Fnull%29%20%3B%20printf%20%27%A5%5A%25c%25c%27%20%24zz%20%24zz%20%7C%20mtd%20write%20-%20crash%20%3B%20"REBOOT_ROUTE = "/api/misystem/set_sys_time?timezone=%20%27%20%3b%20reboot%20%3b%20"ENABLE_TALNET_ROUTE = "/api/misystem/set_sys_time?timezone=%20%27%20%3B%20bdata%20set%20telnet_en%3D1%20%3B%20bdata%20set%20ssh_en%3D1%20%3B%20bdata%20set%20uart_en%3D1%20%3B%20bdata%20commit%20%3B%20"
response = httpx.get(BASE + stok + MTD_WRITE_ROUTE)print(response.json())response = httpx.get(BASE + stok + REBOOT_ROUTE)print(response.json())
# Second timestok = input("请输入第二次的stok: ")response = httpx.get(BASE + stok + ENABLE_TALNET_ROUTE)print(response.json())response = httpx.get(BASE + stok + REBOOT_ROUTE)print(response.json())打开SSH
打开任意telnet客户端通过telnet连接后,我们需要打开SSH
设置root密码
通过下面的命令可以设置root的密码为admin
echo -e 'admin\nadmin' | passwd root
其实就是运行passwd root,然后输入了两次admin而已,你也可以自己改
打开SSH
接着我们运行下面的命令打开SSH
bdata set boot_wait=onbdata commitnvram set ssh_en=1nvram set telnet_en=1nvram set uart_en=1nvram set boot_wait=onnvram commitsed -i 's/channel=.*/channel="debug"/g' /etc/init.d/dropbear/etc/init.d/dropbear restart输入后是不会有任何输出的,此时SSH就已经打开了
设置SSH开机自动启动
接着我们要设置开机开启SSH,要不然重启一下就没了
mkdir -p /data/auto_ssh && cd /data/auto_ssh
cat <<EOF > auto_ssh.sh#!/bin/sh
auto_ssh_dir="/data/auto_ssh"host_key="/etc/dropbear/dropbear_rsa_host_key"host_key_bk="${auto_ssh_dir}/dropbear_rsa_host_key"
unlock() { # Restore the host key. [ -f \$host_key_bk ] && ln -sf \$host_key_bk \$host_key
# Enable telnet, ssh, uart and boot_wait. [ "\$(nvram get telnet_en)" = 0 ] && nvram set telnet_en=1 && nvram commit [ "\$(nvram get ssh_en)" = 0 ] && nvram set ssh_en=1 && nvram commit [ "\$(nvram get uart_en)" = 0 ] && nvram set uart_en=1 && nvram commit [ "\$(nvram get boot_wait)" = "off" ] && nvram set boot_wait=on && nvram commit
[ "\$(uci -c /usr/share/xiaoqiang get xiaoqiang_version.version.CHANNEL)" != 'stable' ] && { uci -c /usr/share/xiaoqiang set xiaoqiang_version.version.CHANNEL='stable' uci -c /usr/share/xiaoqiang commit xiaoqiang_version.version 2>/dev/null }
channel=\$(/sbin/uci get /usr/share/xiaoqiang/xiaoqiang_version.version.CHANNEL) if [ "\$channel" = "release" ]; then sed -i 's/channel=.*/channel="debug"/g' /etc/init.d/dropbear fi
if [ -z "\$(pidof dropbear)" -o -z "\$(netstat -ntul | grep :22)" ]; then /etc/init.d/dropbear restart 2>/dev/null /etc/init.d/dropbear enable fi}
install() { # unlock SSH. unlock
# host key is empty, restart dropbear to generate the host key. [ -s \$host_key ] || /etc/init.d/dropbear restart 2>/dev/null
# Backup the host key. if [ ! -s \$host_key_bk ]; then i=0 while [ \$i -le 30 ] do if [ -s \$host_key ]; then cp -f \$host_key \$host_key_bk 2>/dev/null break fi let i++ sleep 1s done fi
# Add script to system autostart uci set firewall.auto_ssh=include uci set firewall.auto_ssh.type='script' uci set firewall.auto_ssh.path="\${auto_ssh_dir}/auto_ssh.sh" uci set firewall.auto_ssh.enabled='1' uci commit firewall echo -e "\033[32m SSH unlock complete. \033[0m"}
uninstall() { # Remove scripts from system autostart uci delete firewall.auto_ssh uci commit firewall echo -e "\033[33m SSH unlock has been removed. \033[0m"}
main() { [ -z "\$1" ] && unlock && return case "\$1" in install) install ;; uninstall) uninstall ;; *) echo -e "\033[31m Unknown parameter: \$1 \033[0m" return 1 ;; esac}
main "\$@"EOF
chmod +x auto_ssh.sh
# 设置自动启动uci set firewall.auto_ssh=includeuci set firewall.auto_ssh.type='script'uci set firewall.auto_ssh.path='/data/auto_ssh/auto_ssh.sh'uci set firewall.auto_ssh.enabled='1'uci commit firewall这个文件你也可以放在别的位置,自己修改上面脚本里面的文件位置就行,不过要注意重启是否会消失,有些路由器重启会自动清除文件的(例如我前阵子弄的WAR308)
设置时区
最后一步是设置时区,使用下面的命令设置时区
uci set system.@system[0].timezone='CST-8'uci set system.@system[0].webtimezone='CST-8'uci set system.@system[0].timezoneindex='2.84'uci commit关闭开发者模式
使用下面的命令关闭开发者模式
mtd erase crash最后是重启,直接打reboot就行了
通过SSH刷入uboot
当我们通过SSH连接进路由器后,我们需要保证路由器可以联网,然后运行下面的命令
cd /tmp && curl --silent -O https://fastly.jsdelivr.net/gh/miaoermua/unlock-redmi-ax6000@main/uboot.sh && chmod +x uboot.sh && ./uboot.sh运行了以后,脚本会帮你备份你的分区文件,记得把它们弄出来,要不然没办法恢复原厂系统,分别是/tmp/mtd5_FIP.bin和/tmp/mtd4_Factory.bin
拿出来以后,再运行下面的命令来刷入uboot,最后会弹出一行success,就说明完成了
mtd erase FIPmtd write /tmp/mt7986_redmi_ax6000-fip-fixed-parts.bin FIPmtd verify /tmp/mt7986_redmi_ax6000-fip-fixed-parts.bin FIP进入uboot,刷入openwrt系统
进入uboot模式
先拔掉电源,然后用牙签/卡针之类的尖锐的东西,戳着reset键,然后插上电源等待15秒以上,就可以松开了,这个就可以用电脑访问uboot了
uboot模式下,路由器的灯不会亮
电脑访问uboot
在进入uboot之前,请先把自己的电脑的ip地址修改一下,因为uboot模式下没有DHCP
然后访问http://192.168.31.1进入uboot,界面应该是像下面这样的
我们尝试了下面的两个系统~~(因为我这个同学记错路由器的空间大小以为CatWrt的分区大小给小了于是刷了ImmortalWrt)~~
{% note info %}
- CatWrt:https://github.com/miaoermua/CatWrt/releases/tag/v23.2-Wireless-mt7986a
- 来自恩山论坛的闭源ImmortalWrt:https://www.right.com.cn/forum/thread-8261104-1-1.html
{% endnote %}
刷入系统
下载好你需要的系统包后,直接在uboot里面上传,上传后会读条,这个时候路由器在校验系统包和计算md5,直接点击update就可以了
第一次刷可能会出现下图这样的fail提示,我们返回重新上传刷一次就行了
刷好了访问系统包对应的ip地址就可以进入openwrt了
其他
进入openwrt后,发现这个机子的存储应该是256MB(图片是CatWrt的终端)
内存为512MB左右
END
怎么说呢,这次应该是我第一次真正去刷品牌路由器成功的,我以前刷过小米的AX3000T但是刷炸了;讲真,品牌路由器的内存和存储还是给得太小了
当然这次成功也离不开下面这些参考文档(注:里面有些链接是过期的,所以为什么我会综合起来写一篇文,就是避免其他人做到一半发现链接404不知道怎么做了)
ALL IN ALL,刷路由器还是很好玩的
Ref:
https://docs.qq.com/doc/DS1RlUVhUYXp3YnhL
https://www.right.com.cn/forum/thread-8261104-1-1.html
https://blog.csdn.net/sxf1061700625/article/details/130328437
真正的END
因为我发现我们学校会BAN我的MAC地址,于是我顺带放出我写的MAC地址更换脚本(可以设置计划任务)
MAC备份还原脚本
避免你需要还原你路由器真正的mac的时候找不到mac,建议你用这个先备份一下你路由器的mac
{% note danger %}
如果你的网口不是eth0,请先更换一下网口!!!
{% endnote %}
#!/bin/sh
MAC_FILE="/root/mac"
# 获取当前MAC地址并保存到文件save_mac() { CURRENT_MAC=$(ip link show eth0 | grep ether | awk '{print $2}') echo "当前的MAC地址是: $CURRENT_MAC" echo "$CURRENT_MAC" > "$MAC_FILE" echo "已保存当前MAC地址到 $MAC_FILE"}
# 从文件中恢复MAC地址restore_mac() { if [ -f "$MAC_FILE" ]; then SAVED_MAC=$(cat "$MAC_FILE") echo "从文件恢复MAC地址: $SAVED_MAC" ip link set dev eth0 down ip link set dev eth0 address "$SAVED_MAC" ip link set dev eth0 up echo "已恢复MAC地址到eth0" else echo "MAC文件不存在,无法恢复MAC地址" fi}
# 检查参数并执行对应的操作if [ "$1" = "save" ]; then save_macelif [ "$1" = "restore" ]; then restore_macelse echo "用法: $0 {save|restore}" echo "save: 保存当前的MAC地址" echo "restore: 恢复之前保存的MAC地址"fiMac生成替换脚本
我这里设置了固定的前缀,是因为我路由器的MAC地址带了这三个,建议改成自己的
{% note danger %}
如果你的网口不是eth0,请先更换一下网口!!!
{% endnote %}
#!/bin/sh
# 生成一个随机的MAC地址generate_mac() { PREFIX="c6:1f:d8" # 使用 /dev/urandom 获取随机数 HEX1=$(hexdump -n 1 -e '1/1 "%02X"' /dev/urandom) HEX2=$(hexdump -n 1 -e '1/1 "%02X"' /dev/urandom) HEX3=$(hexdump -n 1 -e '1/1 "%02X"' /dev/urandom) echo "$PREFIX:$HEX1:$HEX2:$HEX3"}
# 获取新的MAC地址NEW_MAC=$(generate_mac)echo "生成的新MAC地址为: $NEW_MAC"
# 使用新的MAC地址修改eth0的MAC地址ip link set dev eth0 downip link set dev eth0 address $NEW_MACip link set dev eth0 up
# 验证修改是否成功ip link show eth0 | grep etherOpenwrt备份备份恢复脚本
{% note danger %}
注意修改前两行
# 定义备份目录BACKUP_DIR="/mnt/usb1-1"
# 定义 OpenWrt 系统路径OPENWRT_MMC="/dev/mmcblk0"{% endnote %}
#!/bin/ash
# OpenWrt 备份与恢复管理脚本# 支持命令行参数快速备份:--owrt-backup --config-backup --iptables-backup --firewall-backup --all-backup
# 定义备份目录BACKUP_DIR="/mnt/usb1-1"
# 系统参数OPENWRT_MMC="/dev/mmcblk0"FIREWALL_CONFIG="/etc/config/firewall"
# 备份子目录OPENWRT_BACKUP_DIR="$BACKUP_DIR/openwrt-backup"OPENWRT_CONFIG_BACKUP_DIR="$BACKUP_DIR/openwrt-config-backup"IPTABLES_BACKUP_DIR="$BACKUP_DIR/iptables-backup"FIREWALL_BACKUP_DIR="$BACKUP_DIR/firewall-backup"
# 初始化目录mkdir -p $OPENWRT_BACKUP_DIR $OPENWRT_CONFIG_BACKUP_DIR $IPTABLES_BACKUP_DIR $FIREWALL_BACKUP_DIR
# 获取当前日期CURRENT_DATE=$(date +%Y%m%d)
# 定义颜色代码RED='\033[31m'GREEN='\033[32m'YELLOW='\033[33m'BLUE='\033[34m'RESET='\033[0m'
######################################## 核心备份功能函数#######################################
backup_full_image() { echo -e "${BLUE}[1/4] 开始备份系统镜像...${RESET}" local temp_bin="$OPENWRT_BACKUP_DIR/temp_${CURRENT_DATE}.bin" local backup_file="$OPENWRT_BACKUP_DIR/openwrt-backup-${CURRENT_DATE}.tar.gz"
# 创建磁盘镜像 if ! dd if="$OPENWRT_MMC" of="$temp_bin" bs=1M; then echo -e "${RED}错误:磁盘镜像创建失败!${RESET}" return 1 fi
# 压缩备份 if tar -czf "$backup_file" -C "$OPENWRT_BACKUP_DIR" $(basename $temp_bin); then md5sum $backup_file > ${backup_file}.md5 echo -e "${GREEN}系统镜像备份成功:${backup_file}${RESET}" else echo -e "${RED}错误:压缩备份失败!${RESET}" fi rm -f $temp_bin}
restore_full_image() { echo -e "${BLUE}[系统恢复] 请选择备份文件:${RESET}" ls -lh $OPENWRT_BACKUP_DIR/openwrt-backup-*.tar.gz 2>/dev/null || { echo -e "${RED}未找到备份文件!${RESET}"; return; }
read -p "请输入要恢复的文件名: " backup_file local full_path="$OPENWRT_BACKUP_DIR/$backup_file"
# 验证文件 [ ! -f "$full_path" ] && echo -e "${RED}文件不存在!${RESET}" && return [ ! -f "${full_path}.md5" ] && echo -e "${YELLOW}警告:未找到MD5校验文件${RESET}" || (md5sum -c "${full_path}.md5" || { echo -e "${RED}MD5校验失败!${RESET}"; return; })
# 确认操作 read -p "确定要恢复系统镜像吗?此操作不可逆![y/N]: " confirm [[ "$confirm" != "y" && "$confirm" != "Y" ]] && return
# 解压并恢复 echo -e "${BLUE}正在解压镜像文件...${RESET}" local temp_bin="${full_path%.tar.gz}.bin" tar -xzf "$full_path" -C "$OPENWRT_BACKUP_DIR" || { echo -e "${RED}解压失败!${RESET}"; return; }
echo -e "${BLUE}正在写入系统镜像...${RESET}" if dd if="$temp_bin" of="$OPENWRT_MMC" bs=1M; then echo -e "${GREEN}系统恢复成功,请重启设备!${RESET}" else echo -e "${RED}镜像写入失败!${RESET}" fi rm -f $temp_bin}
backup_config() { echo -e "${BLUE}[2/4] 备份系统配置...${RESET}" local backup_file="$OPENWRT_CONFIG_BACKUP_DIR/openwrt-config-backup-${CURRENT_DATE}.bak" if sysupgrade -b $backup_file; then md5sum $backup_file > ${backup_file}.md5 echo -e "${GREEN}系统配置备份成功:${backup_file}${RESET}" else echo -e "${RED}错误:配置备份失败!${RESET}" fi}
restore_config() { echo -e "${BLUE}[配置恢复] 请选择备份文件:${RESET}" ls -lh $OPENWRT_CONFIG_BACKUP_DIR/openwrt-config-backup-*.bak 2>/dev/null || { echo -e "${RED}未找到备份文件!${RESET}"; return; }
read -p "请输入要恢复的文件名: " backup_file local full_path="$OPENWRT_CONFIG_BACKUP_DIR/$backup_file"
# 验证文件 [ ! -f "$full_path" ] && echo -e "${RED}文件不存在!${RESET}" && return [ ! -f "${full_path}.md5" ] && echo -e "${YELLOW}警告:未找到MD5校验文件${RESET}" || (md5sum -c "${full_path}.md5" || { echo -e "${RED}MD5校验失败!${RESET}"; return; })
# 确认操作 read -p "确定要恢复系统配置吗?[y/N]: " confirm [[ "$confirm" != "y" && "$confirm" != "Y" ]] && return
# 创建临时备份 local current_backup="$OPENWRT_CONFIG_BACKUP_DIR/current_config_$(date +%H%M%S).bak" sysupgrade -b $current_backup || { echo -e "${RED}当前配置备份失败,已中止恢复!${RESET}"; return; }
# 执行恢复 if sysupgrade -r $full_path; then echo -e "${GREEN}配置恢复成功,正在重启网络服务...${RESET}" /etc/init.d/network restart else echo -e "${RED}配置恢复失败!${RESET}" fi}
backup_iptables() { echo -e "${BLUE}[3/4] 备份iptables规则...${RESET}" local backup_file="$IPTABLES_BACKUP_DIR/iptables-backup-${CURRENT_DATE}.bak" if iptables-save > $backup_file; then md5sum $backup_file > ${backup_file}.md5 echo -e "${GREEN}iptables备份成功:${backup_file}${RESET}" else echo -e "${RED}错误:iptables备份失败!${RESET}" fi}
restore_iptables() { echo -e "${BLUE}[iptables恢复] 请选择备份文件:${RESET}" ls -lh $IPTABLES_BACKUP_DIR/iptables-backup-*.bak 2>/dev/null || { echo -e "${RED}未找到备份文件!${RESET}"; return; }
read -p "请输入要恢复的文件名: " backup_file local full_path="$IPTABLES_BACKUP_DIR/$backup_file"
# 验证文件 [ ! -f "$full_path" ] && echo -e "${RED}文件不存在!${RESET}" && return [ ! -f "${full_path}.md5" ] && echo -e "${YELLOW}警告:未找到MD5校验文件${RESET}" || (md5sum -c "${full_path}.md5" || { echo -e "${RED}MD5校验失败!${RESET}"; return; })
# 确认操作 read -p "确定要恢复iptables规则吗?[y/N]: " confirm [[ "$confirm" != "y" && "$confirm" != "Y" ]] && return
if iptables-restore < $full_path; then echo -e "${GREEN}iptables规则恢复成功!${RESET}" else echo -e "${RED}规则恢复失败,请检查文件格式!${RESET}" fi}
backup_firewall() { echo -e "${BLUE}[4/4] 备份防火墙配置...${RESET}" local backup_file="$FIREWALL_BACKUP_DIR/firewall-backup-${CURRENT_DATE}.bak" if cp $FIREWALL_CONFIG $backup_file; then md5sum $backup_file > ${backup_file}.md5 echo -e "${GREEN}防火墙配置备份成功:${backup_file}${RESET}" else echo -e "${RED}错误:防火墙配置备份失败!${RESET}" fi}
restore_firewall() { echo -e "${BLUE}[防火墙恢复] 请选择备份文件:${RESET}" ls -lh $FIREWALL_BACKUP_DIR/firewall-backup-*.bak 2>/dev/null || { echo -e "${RED}未找到备份文件!${RESET}"; return; }
read -p "请输入要恢复的文件名: " backup_file local full_path="$FIREWALL_BACKUP_DIR/$backup_file"
# 验证文件 [ ! -f "$full_path" ] && echo -e "${RED}文件不存在!${RESET}" && return [ ! -f "${full_path}.md5" ] && echo -e "${YELLOW}警告:未找到MD5校验文件${RESET}" || (md5sum -c "${full_path}.md5" || { echo -e "${RED}MD5校验失败!${RESET}"; return; })
# 确认操作 read -p "确定要恢复防火墙配置吗?[y/N]: " confirm [[ "$confirm" != "y" && "$confirm" != "Y" ]] && return
# 备份当前配置 local current_backup="$FIREWALL_BACKUP_DIR/current_firewall_$(date +%H%M%S).bak" cp $FIREWALL_CONFIG $current_backup || { echo -e "${RED}当前配置备份失败,已中止恢复!${RESET}"; return; }
if cp $full_path $FIREWALL_CONFIG; then echo -e "${GREEN}防火墙配置恢复成功,正在重启服务...${RESET}" /etc/init.d/firewall restart else echo -e "${RED}配置恢复失败!${RESET}" fi}
######################################## 命令行参数处理#######################################
print_banner() { echo -e "${YELLOW}" echo " _ _ _ _ _" echo " _____ ___ __| |_ _ _| |_(_) | ___| |__" echo " / _ \ \ /\ / / '__| __|____| | | | __| | | / __| '_ \\" echo "| (_) \ V V /| | | ||_____| |_| | |_| | |_\__ \ | | |" echo " \___/ \_/\_/ |_| \__| \__,_|\__|_|_(_)___/_| |_|" echo -e "${RESET}" echo -e "${BLUE} —— OpenWrt备份工具 @GamerNoTitle${RESET}" echo -e "${BLUE} https://bili33.top${RESET}\n"}
if [ $# -gt 0 ]; then print_banner echo -e "${GREEN}检测到命令行参数,进入快速备份模式...${RESET}"
# 处理多个参数 for param in "$@"; do case $param in --owrt-backup) backup_full_image ;; --config-backup) backup_config ;; --iptables-backup) backup_iptables ;; --firewall-backup) backup_firewall ;; --all-backup) backup_full_image backup_config backup_iptables backup_firewall ;; *) echo -e "${RED}错误:未知参数 $param${RESET}"; exit 1 ;; esac done exit 0fi
######################################## 交互式菜单系统#######################################
show_menu() { clear print_banner echo -e "${YELLOW}======================= owrt-util.sh ========================${RESET}" echo -e "${YELLOW} OpenWrt 备份与恢复管理脚本 ${RESET}" echo -e "${YELLOW} https://bili33.top ${RESET}" echo -e "${YELLOW}=============================================================${RESET}" echo "1. 完整系统备份 (磁盘镜像)" echo "2. 系统配置备份" echo "3. iptables规则备份" echo "4. 防火墙配置备份" echo "5. 一键全量备份" echo -e "${YELLOW}-------------------------------------------------------------${RESET}" echo "6. 恢复系统镜像" echo "7. 恢复系统配置" echo "8. 恢复iptables规则" echo "9. 恢复防火墙配置" echo -e "${YELLOW}-------------------------------------------------------------${RESET}" echo "0. 退出" echo -e "${YELLOW}=============================================================${RESET}" echo -n "请输入选择: "}
while true; do show_menu read choice case $choice in 1) backup_full_image ;; 2) backup_config ;; 3) backup_iptables ;; 4) backup_firewall ;; 5) backup_full_image backup_config backup_iptables backup_firewall ;; 6) restore_full_image ;; 7) restore_config ;; 8) restore_iptables ;; 9) restore_firewall ;; 0) exit 0 ;; *) echo -e "${RED}无效输入,请重新选择!${RESET}" ;; esac echo -e "\n${BLUE}按回车返回菜单...${RESET}" readdone 从零开始!在红米AX6000路由器上刷入Openwrt
https://bili33.top/posts/flashing-openwrt-on-redmi-ax6000/