SSH connection to Xiaomi router provides access to advanced settings that the manufacturer hides in the standard web interface, which allows you to optimize the network, install alternative software (for example, OpenWRT or Padavan), configure VLAN, disable forced updates or even overclock the processor. However, the process requires caution: one error in commands can turn the router into a βbrickβ.
In this article, we will discuss the unique method of activating SSH through a vulnerability in Xiaomi firmware 2023-2026, which works even on models with blocked Telnet (for example, Xiaomi Router 4A Gigabit or AX3600). You will learn how to circumvent the manufacturerβs limitations, what tools will be needed for Windows, macOS and Linux, and how to avoid typical errors when you first connect.
Why Xiaomi is blocking SSH and how to get around it
Manufacturer shuts down SSH-Access to most router models (e.g. Mi Router) 3G/4/4A/4C, AX1800/AX3000) two-way:
- π Security: Open security SSH-The port can become a loophole for hackers if the user does not change the standard password.
- π¦ Firmware control: Xiaomi forcibly updates routers to the latest versions, where βextraβ features are removed (for example, support for the router) IPv6 early-assembly).
- π οΈ Support: Technical Service is not responsible for problems caused by manual configuration editing.
Bypassing the lock is possible thanks to two methods:
- Through Telnet (works on old firmware until 2022).
- Through an exploit in the web interface (relevant for new models, for example, Xiaomi Router BE7000).
The second method is more general, but requires a Python or Bash script, and we'll go through both in detail, but first, preparation.
Preparation for connection: what will be needed
Before you start, make sure you have:
Xiaomi router with firmware is not newer than 2026 (check in Settings β Status β Software version)
Windows 10+/macOS/Linux computer (for terminal)
Ethernet cable (Wi-Fi can shut down during setup!)
PuTTY (for Windows) or built-in terminal (macOS/Linux)
Script for activating SSH (link below)
Backup copy of router settings (export to Settings β Additional β Backup)
-->
Download the script to unlock SSH from the official repository:
git clone https://github.com/acecilia/OpenWRTInvade.gitor archives at this link (unless git is installed).
For models AX3600 And the newer one will need an additional file. miwifi_ssh.bin, It's a script that's generated automatically. Don't download it from third-party sources, it could be a virus!
β οΈ Note: If your router has already been stitched with alternative software (e.g. Padavan), standard activation methods are available. SSH Use commands for your custom firmware.
Method 1: Activate SSH over Telnet (for older firmware)
This method works on Mi Router 3G/4/4A routers with firmware older than 2022. Current models (e.g. AX6000) require a different approach.
Steps for connection:
- Connect the router to your computer via Ethernet (LAN port).
- Open PuTTY (Windows) or the terminal (macOS/Linux) and type: telnet 192.168.31.1 (where 192.168.31.1 β IP-router's default address).
- Enter the login and password: Login: root Password: admin If not suitable, try the root + password combination from the sticker on the router.
- Run the command to turn on SSH: nvram set ssh_en=1 nvram set uart_en=1 nvram commit reboot
After restarting the router, the SSH will be available over the same IP. Connect via:
ssh root@192.168.31.1π‘
If Telnet doesn't respond, check if the Windows firewall or antivirus is blocking it. Turn them off while you set them up.
Method 2: Unlock SSH via exploit (for new models)
For AX3600, AX6000, BE7000 and others routers with firmware from 2023-2026, use OpenWRTInvade.It exploits a vulnerability in the web interface, allowing you to enable SSH without physically accessing the UART.
Instructions for Windows:
- Unpack the archive with the script in a folder C:\ssh_hack.
- Open the Command Prompt on behalf of the administrator and go to the folder: cd C:\ssh_hack
- Run the script for your model (example for AX3600): python exploit.py 192.168.31.1 RA67 (model codes: R3G - Mi Router 3G, R4A - 4A Gigabit, RA67 - AX3600).
- Wait for the file generation miwifi_ssh.bin and follow the script instructions.
For macOS/Linux, use similar commands in the terminal by pre-installing Python 3:
sudo apt install python3 python3-pip # For Debian/Ubuntu
pip3 install -r requirements.txt| Model router | Code for script | Supported firmware |
|---|---|---|
| Mi Router 4A Gigabit | R4A | up to 1.0.51 |
| Xiaomi AX3600 | RA67 | until 1.1.12. |
| Xiaomi AX6000 | RA69 | before 1.0.23 |
| Xiaomi BE7000 | RB03 | up to 1.0.8 |
β οΈ Note: If the script is producing a Connection refused error, check it out: π The router is connected to the computer by cable (Wi-Fi disconnect). π IP-Router address unchanged (by default 192.168.31.1). π Firewall or antivirus does not block ports 80 and 22.
First SSH connection: Basic commands
After successful unlocking, connect to the router:
ssh root@192.168.31.1The default password is admin (if not changed).
The main commands for diagnosis:
- π‘ Viewing system information: uname -a cat /proc/cpuinfo
- π Viewing the workload of the processor: top
- π Checking Connected Devices: Cat /proc/net/arp
- π¦ Packet management (if opkg is installed): opkg update opkg install nano
To change the SSH password (required!), do:
passwdand follow the instructions.
How to roll back changes if the router stops working?
Expanded Opportunities: What You Can Do With SSH
SSH-access:
- π Install alternative firmware (OpenWRT, Padavan) for advanced features (e.g. WireGuard) VPN AdGuard Home).
- π§ Disable Forced Updates: Nvram Set auto_upgrade=0 nvram commit
- πΆ Configure Wi-Fi power (increase range or reduce interference): iwpriv ra0 set TxPower=100 # Maximum power (cautionary!)
- π Blocking Advertising at Level DNS: uci set dhcp.@dnsmasq[0].address='/doubleclick.net/0.0.0.0' uci commit
To install OpenWRT, download the firmware for your model from the official website and download it via SCP:
scp openwrt-xiaomi-ax3600.squashfs root@192.168.31.1:/tmpThen run through the command:
mtd write /tmp/openwrt-xiaomi-ax3600.squashfs OS1π‘
Before running the alternative software, be sure to check the compatibility of the router model! Incorrect firmware can bring the device down.
Security: How to Protect Your Router After Unlocking SSH
Open-ended SSH-Port is a potential threat. Follow the rules:
- Change the standard password: passwd Use a combination of 12+ characters with numbers and special signs.
- Disable password access by setting the authorization key: ssh-keygen -t ed25519 # On your PC, ssh-copy-id root@192.168.31.1 Then edit. /etc/ssh/sshd_config, Installation: PasswordAuthentication No
- Change the SSH port (default 22): uci set dropbear.@dropbear[0].Port=222222 uci commit
- Limit access by IP (if you have a static address): iptables -A INPUT -p tcp --dport 2222 -s 192.168.1.100 -j ACCEPT iptables -A INPUT -p tcp --dport 2222 -j DROP
For complete isolation, turn off SSH after setting up:
nvram set ssh_en=0
nvram commit
rebootπ‘
Regularly update your firmware via SSH, even if you have disabled automatic updates. Check the current versions on the official Xiaomi website.