SSH-Connecting to Xiaomi router: unlock, setup and security

SSH connection to Xiaomi router provides access to advanced settings that the manufacturer hides in the standard web interface, which allows you to optimize the network, install alternative software (for example, OpenWRT or Padavan), configure VLAN, disable forced updates or even overclock the processor. However, the process requires caution: one error in commands can turn the router into a β€œbrick”.

In this article, we will discuss the unique method of activating SSH through a vulnerability in Xiaomi firmware 2023-2026, which works even on models with blocked Telnet (for example, Xiaomi Router 4A Gigabit or AX3600). You will learn how to circumvent the manufacturer’s limitations, what tools will be needed for Windows, macOS and Linux, and how to avoid typical errors when you first connect.

Why Xiaomi is blocking SSH and how to get around it

Manufacturer shuts down SSH-Access to most router models (e.g. Mi Router) 3G/4/4A/4C, AX1800/AX3000) two-way:

  • πŸ”’ Security: Open security SSH-The port can become a loophole for hackers if the user does not change the standard password.
  • πŸ“¦ Firmware control: Xiaomi forcibly updates routers to the latest versions, where β€œextra” features are removed (for example, support for the router) IPv6 early-assembly).
  • πŸ› οΈ Support: Technical Service is not responsible for problems caused by manual configuration editing.

Bypassing the lock is possible thanks to two methods:

  1. Through Telnet (works on old firmware until 2022).
  2. Through an exploit in the web interface (relevant for new models, for example, Xiaomi Router BE7000).

The second method is more general, but requires a Python or Bash script, and we'll go through both in detail, but first, preparation.

πŸ“Š What kind of Xiaomi router do you have?
Mi Router 4A
AX3600
AX6000
BE7000
Another model

Preparation for connection: what will be needed

Before you start, make sure you have:

Xiaomi router with firmware is not newer than 2026 (check in Settings β†’ Status β†’ Software version)

Windows 10+/macOS/Linux computer (for terminal)

Ethernet cable (Wi-Fi can shut down during setup!)

PuTTY (for Windows) or built-in terminal (macOS/Linux)

Script for activating SSH (link below)

Backup copy of router settings (export to Settings β†’ Additional β†’ Backup)

-->

Download the script to unlock SSH from the official repository:

git clone https://github.com/acecilia/OpenWRTInvade.git

or archives at this link (unless git is installed).

For models AX3600 And the newer one will need an additional file. miwifi_ssh.bin, It's a script that's generated automatically. Don't download it from third-party sources, it could be a virus!

⚠️ Note: If your router has already been stitched with alternative software (e.g. Padavan), standard activation methods are available. SSH Use commands for your custom firmware.

Method 1: Activate SSH over Telnet (for older firmware)

This method works on Mi Router 3G/4/4A routers with firmware older than 2022. Current models (e.g. AX6000) require a different approach.

Steps for connection:

  1. Connect the router to your computer via Ethernet (LAN port).
  2. Open PuTTY (Windows) or the terminal (macOS/Linux) and type: telnet 192.168.31.1 (where 192.168.31.1 β€” IP-router's default address).
  3. Enter the login and password: Login: root Password: admin If not suitable, try the root + password combination from the sticker on the router.
  4. Run the command to turn on SSH: nvram set ssh_en=1 nvram set uart_en=1 nvram commit reboot

After restarting the router, the SSH will be available over the same IP. Connect via:

ssh root@192.168.31.1

πŸ’‘

If Telnet doesn't respond, check if the Windows firewall or antivirus is blocking it. Turn them off while you set them up.

Method 2: Unlock SSH via exploit (for new models)

For AX3600, AX6000, BE7000 and others routers with firmware from 2023-2026, use OpenWRTInvade.It exploits a vulnerability in the web interface, allowing you to enable SSH without physically accessing the UART.

Instructions for Windows:

  1. Unpack the archive with the script in a folder C:\ssh_hack.
  2. Open the Command Prompt on behalf of the administrator and go to the folder: cd C:\ssh_hack
  3. Run the script for your model (example for AX3600): python exploit.py 192.168.31.1 RA67 (model codes: R3G - Mi Router 3G, R4A - 4A Gigabit, RA67 - AX3600).
  4. Wait for the file generation miwifi_ssh.bin and follow the script instructions.

For macOS/Linux, use similar commands in the terminal by pre-installing Python 3:

sudo apt install python3 python3-pip # For Debian/Ubuntu


pip3 install -r requirements.txt

Model routerCode for scriptSupported firmware
Mi Router 4A GigabitR4Aup to 1.0.51
Xiaomi AX3600RA67until 1.1.12.
Xiaomi AX6000RA69before 1.0.23
Xiaomi BE7000RB03up to 1.0.8

⚠️ Note: If the script is producing a Connection refused error, check it out: πŸ”Œ The router is connected to the computer by cable (Wi-Fi disconnect). 🌐 IP-Router address unchanged (by default 192.168.31.1). πŸ”’ Firewall or antivirus does not block ports 80 and 22.

First SSH connection: Basic commands

After successful unlocking, connect to the router:

ssh root@192.168.31.1

The default password is admin (if not changed).

The main commands for diagnosis:

  • πŸ“‘ Viewing system information: uname -a cat /proc/cpuinfo
  • πŸ“Š Viewing the workload of the processor: top
  • πŸ”Œ Checking Connected Devices: Cat /proc/net/arp
  • πŸ“¦ Packet management (if opkg is installed): opkg update opkg install nano

To change the SSH password (required!), do:

passwd

and follow the instructions.

How to roll back changes if the router stops working?
If the router does not load after adjusting configurations, try resetting: 1. Press the Reset button for 10 seconds (until the indicator flashes). 2. Connect via Telnet (if SSH does not respond) and execute: firstboot reboot 3. If it does not help, swipe the original firmware through TFTP (instructions in the FAQ below).

Expanded Opportunities: What You Can Do With SSH

SSH-access:

  • πŸš€ Install alternative firmware (OpenWRT, Padavan) for advanced features (e.g. WireGuard) VPN AdGuard Home).
  • πŸ”§ Disable Forced Updates: Nvram Set auto_upgrade=0 nvram commit
  • πŸ“Ά Configure Wi-Fi power (increase range or reduce interference): iwpriv ra0 set TxPower=100 # Maximum power (cautionary!)
  • πŸ”’ Blocking Advertising at Level DNS: uci set dhcp.@dnsmasq[0].address='/doubleclick.net/0.0.0.0' uci commit

To install OpenWRT, download the firmware for your model from the official website and download it via SCP:

scp openwrt-xiaomi-ax3600.squashfs root@192.168.31.1:/tmp

Then run through the command:

mtd write /tmp/openwrt-xiaomi-ax3600.squashfs OS1

πŸ’‘

Before running the alternative software, be sure to check the compatibility of the router model! Incorrect firmware can bring the device down.

Security: How to Protect Your Router After Unlocking SSH

Open-ended SSH-Port is a potential threat. Follow the rules:

  1. Change the standard password: passwd Use a combination of 12+ characters with numbers and special signs.
  2. Disable password access by setting the authorization key: ssh-keygen -t ed25519 # On your PC, ssh-copy-id root@192.168.31.1 Then edit. /etc/ssh/sshd_config, Installation: PasswordAuthentication No
  3. Change the SSH port (default 22): uci set dropbear.@dropbear[0].Port=222222 uci commit
  4. Limit access by IP (if you have a static address): iptables -A INPUT -p tcp --dport 2222 -s 192.168.1.100 -j ACCEPT iptables -A INPUT -p tcp --dport 2222 -j DROP

For complete isolation, turn off SSH after setting up:

nvram set ssh_en=0


nvram commit




reboot

πŸ’‘

Regularly update your firmware via SSH, even if you have disabled automatic updates. Check the current versions on the official Xiaomi website.

FAQ: Frequent Questions and Problem Solutions

❓ SSH It's connected, but when you enter the password, it says "Permission denied?
The problem could be: Wrong password (try admin or sticker password) disabled SSH on the router (check through nvram get) ssh_en β€” must have 1). Blocking the port 22 Firewall router (open in the /etc/config/firewall). If nothing helps, reset the router to factory settings and repeat the unlocking procedure.
❓ Can I connect to the SSH Wi-Fi, not cable?
Technically yes, but: Make sure to use the cable when you first set up - Wi-Fi can shut down after you restart. If SSH is already activated, connect to the router's network and use its local IP (e.g. 192.168.31.1).
❓ The router turned into a brick after the firmware?
If the router doesn’t turn on or flashes orange, try: Emergency reset: pinch Reset on 30 (until the indicator flashes quickly) Firmware through TFTP: Connect the router to the PC with a cable. Set it up on the PC with a static one. IP 192.168.31.2/24. Launch it. TFTP-server, tftpd64) And put the original firmware (.bin file) in its folder. Turn on the router with the Reset button pressed, and it automatically downloads the firmware. UART-Connection (for advanced users): a soldering iron and USB-TTL If it doesn't work, contact Xiaomi Service Center with a check to buy it.
❓ How to roll back alternative firmware to stock?
To return to the original firmware Xiaomi: Download the stock firmware for your model from the official website. SSH and do: cd /tmp wget http://bigota.miwifi.com/xiaoqiuang/rom/miwifi_r4a_firmware_XXXX_2.XX.X.bin # Replace the current link with mtd write miwifi_r4a_firmware_XXXX_2.XX.X.bin OS1 Wait for the reboot (5–10 If the router does not load after firmware, use the recovery method through TFTP (see above).
❓ Can I include? SSH on Xiaomi routers with firmware newer than 2026?
At the moment (2026) for models with firmware newer than 1.1.15 (for example, AX3600 version 1.1.16+) No official exploits. Possible options: πŸ•’ Wait for the OpenWRTInvade script update (watch the repository). πŸ”§ Use it. UART-connection (requires dismantling of router and soldering iron). πŸ“¦ Buy a router with support for alternative firmware (for example, Xiaomi Router) 4A Don't use unofficial patches from questionable forums - they may contain malicious code.