As I have mentioned in the review, the stock firmware on the Xiaomi AX3600 wireless router is extremely limiting. On top of that, the firmware is also locked to install only authorized updates from the manufacturer. If you have been following the blog, you will know that I like the flexibility that ASUSWRT provides for customizing my router.
While there is currently an on-going effort to try and port vanilla OpenWRT for this router, I suspect that might take some time. In this post, I describe how to workaround the lousy firmware and configure the router with the advanced features I need.
It is recommended to have UART access handy, in case something bad happens and you need to recover your router, or if you want access to U-Boot, the bootloader. This would require you to crack open your router, so you might only want to do this if necessary. Feel free to skip this section if you are not interested in the hardware, or don’t need low-level access.
You need to unscrew 5 screws, 4 of which are hidden under the rubber feet, and one under the center sticker label. In the disassembled top view photo here, you can see the screw holes at the corners, as well as a missing chunk in the center of the heatsink for the mating screw post, directly aligned with the AIoT antenna and indicator LEDs.
I recently bought the Xiaomi AIoT AX3600 wireless router to experience WiFi 6 (or 802.11ax). This WiFi 6 router has been touted as having very good hardware specs for under US$100. After checking out a few reviews, it looked like you could achieve close to Gigabit speeds over a wireless link, which was pretty exciting. It reminded me of the time I upgraded my home network to Gigabit and could finally copy large files over the network quickly. I decided to get my hands on one and evaluate it with some speed tests around the house.
I don’t have any compatible WiFi 6 devices yet, so I ordered an Intel AX200NGW wireless card to replace the one in my laptop. These cards typically go for US$15 on AliExpress or eBay.
It is easy to script analysis steps with IDAPython, but now we want to automate this analysis over, let’s say, 10,000 files. I did a quick Google and I couldn’t find a guide on how to perform batch binary analysis tasks by automating IDA Pro 7.x.
Unfamiliar with this, I was constantly guessing whether it was the command-line arguments, the script, or a combination of both that was not working. I’m sharing my experience here so you won’t have to be fumbling around like I was.
I will be using IDA Pro for Windows here, but it should be applicable to any of their supported platforms like Mac or Linux.
Simple Binary Analysis
Let’s write some simple IDAPython analysis script and run it within the IDA Pro console. This script loops through all functions in the executable and prints out its address and name:
print 'count %d' % len(list(idautils.Functions()))
for ea in idautils.Functions():
print hex(ea), idc.get_func_name(ea)
idautils module contains higher-level functionality like getting a list of functions, or finding code & data references to addresses. If you are familiar with IDC scripting, most of the functions by the same name can be found within the
idc module. This is not really meant to be an IDAPython or IDC scripting tutorial, so you will need to look elsewhere for that.
I’ve recently seen some shell script that tries to test for your OS architecture by running executables encoded within. There’s one for i386 (x86 platforms) and a few for ARM variants.
cat << EOF | $_base64 > /tmp/archtest && chmod a+x /tmp/archtest
. . .
/tmp/archtest > /dev/null 2>&1 && arch=i386
What is terrible (well, to me at least) is that these executables are huge:
$ ls -l *.bin
-rwxrwx--- 1 root root 4832 Jul 17 06:58 archtest-armv6.bin
-rwxrwx--- 1 root root 4820 Jul 17 06:59 archtest-armv7.bin
-rwxrwx--- 1 root root 4992 Jul 17 06:59 archtest-armv8.bin
-rwxrwx--- 1 root root 4824 Jul 17 06:57 archtest-x86.bin
For one, I’m not sure why inspecting
uname -a is not really sufficient for their needs. And also, why such large binaries are required.
After all, what you want to do is just to check that it executes successfully. Were they trying to test for the presence of a working libc? Nope, because the binaries are statically-linked:
$ file ./archtest-x86.bin
./archtest-x86.bin: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
I think this just adds unnecessary bloat.
There are ways to make smaller binaries.
Now, I am not talking about crazy techniques like using assembly language instead of C, or making a weird ELF that might load only on Linux, but just using normal C and the standard
Let’s get started.
collectd has always been able to grab interface traffic statistics from Linux. But what if we want to collect data about individual WiFi clients that connect to it? How much bandwidth is each of the clients using?
That information is already being recorded by the wireless driver; all we need to do is to query it. Turns out you can do that with the
wl utility. This is Broadcom’s proprietary tool to control and query the wireless interfaces.
To do this, first use
wl to get associated stations:
wl -i eth2 assoclist
Given a particular MAC address that is associated to the AP, query its info using
# wl -i eth2 sta_info d4:a3:00:aa:bb:cc
rateset [ 6 9 12 18 24 36 48 54 ]
idle 0 seconds
in network 16 seconds
state: AUTHENTICATED ASSOCIATED AUTHORIZED
flags 0x11e03b: BRCM WME N_CAP VHT_CAP AMPDU AMSDU
HT caps 0x6f: LDPC 40MHz SGI20 SGI40
VHT caps 0x43: LDPC SGI80 SU-BFE
tx data pkts: 663916
tx data bytes: 68730715
tx ucast pkts: 155
tx ucast bytes: 42699
tx mcast/bcast pkts: 663761
tx mcast/bcast bytes: 68688016
tx failures: 0
rx data pkts: 234
rx data bytes: 73557
rx ucast pkts: 192
rx ucast bytes: 62971
rx mcast/bcast pkts: 42
rx mcast/bcast bytes: 10586
rate of last tx pkt: 866667 kbps
rate of last rx pkt: 780000 kbps
rx decrypt succeeds: 195
rx decrypt failures: 1
tx data pkts retried: 19
tx data pkts retry exhausted: 0
per antenna rssi of last rx data frame: -61 -56 -59 0
per antenna average rssi of rx data frames: -61 -56 -57 0
per antenna noise floor: -104 -98 -98 0
The “easy way” is probably to write a shell script, invoked via the Exec plugin that calls
wl multiple times (once per interface, and once for each WiFi client) and uses
awk to get the information we need. This won’t be performant, of course.
wl itself does have quite a fair bit of overhead. It does some verification of the provided interface name. It checks for the Broadcom driver magic to ensure that the interface is a Broadcom device. It then needs to convert the MAC address from the argument string to binary, and vice-versa. Sure, that’s not really much “these days”, but we can definitely do better.
Instead, let’s short-circuit the process and write a plugin that directly collects the data, without going through
wl. This way, we avoid creating several new processes for every query.