Index Fuckhack3600

METHOD TO UNLOCK SSH (AND POWER) TO A GLOBAL OR CHINESE AX3600

(Last edition on 06/02/2023)

(Method fuckax3600 V3.0). Tutorial conducted by PITXANEGRA and edited by @JuanMa_89 of forocoches: (Link)

IMPORTANT REQUIREMENTS:

You must have the VIRGIN router. Without any configuration. Therefore:
- You must have the router with the IP, the SSID that comes from the factory.
- You must have the router with the default administration password (root), unique for each router.
- The router MUST HAVE ACCESS TO THE INTERNET VIA ETHERNET TO APPLY THIS METHOD, that is, we must connect by cable the WAN port of the AX3600 with 1 LAN port of your operator's router.
It cannot be applied offline.

To do this, we reset it before starting (with the back button) and we will not make any configuration in it, except those necessary to be able to enter the configuration web environment.

These are the steps to follow, which will be explained in depth later:
- Locate the administration password (root) of our AX3600 router.
- Reset our AX3600 router to factory settings (rear button).
- Configure only what is necessary to be able to enter the router settings web environment. Flash and downgrade the router via the web to the vulnerable Chinese firmware 1.0.17.
- Configure again, only what is necessary to be able to enter the router settings web environment. Use the xiaohack.es pass as your administrator and wifi password.
- Get permanent SSH with the sucked 2.0 method (with CN in bdata, or without it. This is optional).
- Flash again, via the web, to the Chinese firmware 1.1.12, the global 3.0.22, or whatever you want (or wait for the OTA update).
- We will wake up SSH, which has fallen asleep when flashing with the new firmware.

TOOLS NEEDED:

• Root Password: through the web https://xiaohack.es
• Chinese Firmware 1.0.17 Hackable
• Putty
• WinSCP
• fuckax3600 script

You can download all the necessary Tools from here: https://xiaohack.es

STEP 1. (We are going to find out the root password of your router, and Flash/domwgrade via web.)

• We need the root password of your router, unknown and unique for each device. To find out which one corresponds to your router, visit the website: https://xiaohack.es

• Enter the SN (serial number) of your AX3600 to generate the root user password. Example: 266XX/E0P80XXXX

• Open NotePad or Notepad and save the password generated on the web

• With the AX3600 router turned on, press the back button for a few seconds, until the blue lights on the front disappear (hard-reset). With this we eliminate any strange configuration that may bother us later.

• After the reboot (it takes a couple of minutes), with the AX3600 turned on again, connect to the router's web environment via: http ://192.168.31.1, and configure the access password to the router configuration with the root password obtained on the website http://xiaohack.es

• Now it asks you to configure the Wi-Fi network. Do not change the SSID of the Wi-Fi network (leave them as default), and Wi-Fi password, return to the one from the website http://xiaohack .es

• Now, we are going to manually Downgrade to the Firmware, Version 1.0.17 Hackable that we have previously downloaded, and we have it safely on the hard drive of our PC.

  To do this, go to:

  Settings > Status > Activate manually

  Select the Firmware file, Version 1.0.17 that you have previously downloaded to your PC's hard drive.

  The process will take a few minutes and the router will reboot automatically. Do not turn off the power during the process.

  Once restarted, connect again to the router's web environment via: http://192.168.31.1, and you will see Now everything is in Chinese. Don't worry.

  Configure the access password to the router again with the password from the website http://xiaohack.es< /p>

  Now it asks you to configure the Wi-Fi network. Do not change the SSID of the Wi-Fi network (leave them as default), and Wi-Fi password, return to the one from the website http://xiaohack .es

  You should have the router working, but in Chinese, but with internet and wifi available.

STEP 2. (Get temporary SSH with a single command)

Important notes:

• The AX3600 router must have access to the internet to apply this method. Connect the WAN port of the AX3600 via network cable to any LAN port on your operator's router.

• Copy the text from the TEMPORARY SSH file WE HAVE PREVIOUSLY DOWNLOADED.

• Go to http://192.168.31.1 and log in.

• Press (F12) to open the console in the right window.

• Inside the console, press Ctrl + V to paste the copied text.

• Press Enter and a window will open to enter the root password obtained previously in Xiaohack.es.

• With this you will have TEMPORARY SSH.

STEP 3. (Permanent SSH)

Important notes:

• The AX3600 router must have access to the Internet to apply this method, connect the WAN of the AX3600 by network cable to any LAN port of your operator's router.
• With temporary SSH activated, we open Putty and log in to http://192.168.31.1 and it will ask us for login and password.
• We go to 192.168.31.1 and log in.
• Login: root
• Password: (the one from the website https://xiaohack.es)
• We make a backup copy of the bdata partition in case we screw up. To do this, with Putty, run the command:
  nanddump -f /tmp/bdata_mtd9.img /dev/mtd9
• We save the generated backup. To do this, we open the WinSCP application, connect to the router with the login and password written down (SCP Protocol, be careful) and save the generated Backup file to a folder on your PC. The file is located in the path:
  /tmp/bdata_mtd9.img
• From WinSCP, we upload the script-file "fuckax3600" (copy and paste) to the path:
  /tmp
• With Putty, we execute the previous script, with the following commands 1 at a time (this unprotects the bdata partition):
chmod +x /tmp/fuckax3600
/tmp/fuckax3600 unlock
• The router will reboot itself. Wait a few seconds.
• Once restarted, and from WinSCP, we upload the "fuckax3600" script again to the path:
  /tmp
• In PuTTY, we execute the previous script, with the following hack commands, execute 1 at a time:
chmod +x /tmp/fuckax3600
/tmp/fuckax3600 hack

(this does the automatic hacking of activating SSH, UART and TELNET)

ANNEX-1

VERY IMPORTANT: After running the previous fuckax3600 script, the Putty screen should return a few lines of text. The last line should say something like username: password: xxxxxx where the "xxxxxx" should be your password, the one from https://xiaohack.es

With the following command (lock), we leave bdata as it was, read-only, and recover wifi. To do this in Puty we execute the following commands:

/tmp/fuckax3600 lock

Once the last command is executed, it should say "Password OK".

The router will reboot itself. Wait a few seconds.

Once restarted, you're done! Wi-Fi will be restored. It is normal that there is no wifi in the bdata checkout process.

STEP 4.

• Flash to a modern firmware.

  If you have come this far and everything has gone well (you have Telnet), it is time to flash, via web, to the Chinese firmware 1.1.19 or global 3.0.22:

  Access the AX3600 via the web at the address http://192.168.31.1. p>

  Upgrade manually to the firmware you prefer (Global or Chinese).

STEP 5. (We will wake up SSH, which has fallen asleep when flashing or hard-resetting)

When performing the "upgrade" to the latest firmware (CN or GLOBAL) or if we have to do a hard-reset (back button press), we momentarily lose the "permanent SSH" (it really falls asleep).

IMPORTANT: Before waking up SSH with Putty and Telnet, we must configure the router with the password https:/ /xiaohack.es both for Wi-Fi and router administrator and do not touch anything else.

To wake it up, we open Putty and log in via Telnet (Login: root and Password the one on the website: xiaohack.es).

I insist. Session via TELNET, port 23. Not via SSH, which we have lost.

• Execute the following commands 1 at a time with Putty:

  sed -i 's/channel=.*/channel="debug"/g' /etc/init.d/dropbear
/etc/init.d/dropbear start

• Check that you can log in again via SSH with WinScp or Putty.

POSSIBLE SOLUTION FOR ROBE ROUTERS THAT DO NOT ACTIVATE TELNET AFTER THIS METHOD.

Some users continue to report that their AX3600, after doing the entire process described above, does not have Telnet available to carry out the process to wake up permanent SSH.

The first thing is to check if we have put the https://xiaohack.es key in the first configuration of the router when reboot for both Wi-Fi and router administration after a hard reset or firmware flash. See previous image. If so and telnet is not activated, then continue reading:

The script used (fuckAX3600) is a bit harsh and critical. If there is something you don't like... "casca".

But what many users report (that the above method does not work for them), seems to be something common, and that is that the root password that the fuckax3600 Script considers good, does not match the one on the https website: //xiaohack.es and that is when the process "crashes".

And therefore... telnet, SSH or anything is not activated.

We are going to try to solve the problem, and do a series of checks to see if you are a candidate for a rogue router.

First of all, we start at the beginning, Reset button, and get the "TEMPORARY SSH" again with the vulnerable Chinese firmware.

Secondly, we change the password "password" again (which the previous "temporary SSH" method changes for us), to that of the https://xiaohack.es website

Thirdly, we are going to check that the "serial number" of both partitions of your router is correct, and corresponds to the one on the box (and obviously with the one we have used on the https:// website xiaohack.es to calculate our password.

• To do this, we execute the following commands with Putty, separately (first one, and then the other):

  nvram get SN
bdata get SN
  

  By running these two commands, we should get the same "serial number" in the format XXXXX/AXXX123XXX.

  Check that this serial number corresponds with the one on the box, and with the one you used on the http:// xiaohack.es

  If not... you already know where the shots are going, and why the method described has not worked for you.

  If the serial numbers do not match, or even the serial number of the bdata appears "blank", we will have to put these numbers "by hand".

  And since bdata is a locked partition, we need to unlock it again by following the method described above.

• Once bdata is unlocked, we will write the serial number correctly with the following commands:

  bdata set SN=$(nvram get SN)
bdata commit
  

  And since we are here, with bdata unlocked, we are going to activate all the necessary parameters in bdata, since, in some tests, the fuckax3600 script has continued to give problems.

• And to do this, we enter these commands, one by one (with putty, obviously):

  bdata set ssh_en=1
bdata set telnet_en=1
bdata set uart_en=1
bdata commit
  

• Finally, we run the "fuckax3600" hack script again that we previously copied to the /tmp folder with WinSCP:

  chmod +x /tmp/fuckax3600
/tmp/fuckax3600 hack
  

  now it should correctly give us the password for http://xiaohack.es, and keep Telnet open.

• Then we must lock the script with the following command:

  /tmp/fuckax3600 lock
  

INCREASE POWER OF THE AX3600 GLOBAL

• Once we have SSH enabled (temporary or permanent) you mess with WinSCP in the following path:

  /etc/rc.local

• You open the rc.local file and before the last line (exit 0) you insert this line, as is (copy and paste as it is here):

  (sleep 60;iwconfig wl0 txpower 30;iwconfig wl1 txpower 30)&

  Save, restart the router, and you now have all the power of the Chinese 30db version, but with a Christian firmware.

  The best thing is that even if you restart the router, it is not lost.

  To see how powerful you are transmitting, and to see that the previous method really works, enter these commands, one by one, with Putty:

• For the 5Ghz band:

  iwlist wl0 txpower

• and then, for the 2.4 Ghz band:

  iwlist wl1 txpower

Putty will tell you the power in dBm with which you are transmitting. In theory, it should give you 30 dBm on both bands.

You can adjust the power to taste, because for many users, 30db is too much. There is no reason to stay at 30dbm (1W).

EXAMPLE:

• If we want to go down to 26dbm (400mW) we would have to insert the following line (as in the previous explanation, in the penultimate line, before "exit 0"):

  (sleep 60;iwconfig wl0 txpower 26;iwconfig wl1 txpower 26)&
  

  The power will automatically adjust to 26dbm every time we start the router.

• If we change the "30" of that line (or the "26") for another value, the router will broadcast with the power according to this conversion table:
• 0 dBm (1 mW)
• 6 dBm (3 mW)
• 10 dBm (10 mW)
• 14 dBm (25 mW)
• 18 dBm (63 mW)
• 22 dBm (158 mW)
• 26 dBm (398 mW)
• 30 dBm (1000 mW)

Add:

• As you see, on that line, there is a wl0 (which corresponds to the 5 Ghz band) and a wl1 (which corresponds to the 2.4 Ghz band)

  The value in wl0 and wl1, by default, is the same in both bands, but they can be different, that is, you can set wl0 to 30 and wl1 to 26, and in this way we would emit with different powers depending on what band (2.4 or 5 Ghz)

  Example:

  Suppose we want to broadcast in 5Ghz at 30 dBm (1W) and in 2.4 Ghz at 26 dBm (400mW). We would insert this line:

  (sleep 60;iwconfig wl0 txpower 30;iwconfig wl1 txpower 26)&

  In this way we would have the router emitting with 30dBm in 5Ghz and with 26dBm in 2.4 Ghz