Inclusion SSH-Xiaomi routers offer a wide range of opportunities for fine-tuning the network, installing alternative firmware or automating tasks. However, by default, the manufacturer blocks this protocol for security reasons - and for good reason. SSH This can cause a complete loss of functionality, especially if you are trying to change system files or kernel configurations. SSH on popular models (Mi Router) 4A, 4C, AX3000, AX6000 And others, and also tell you how to minimize the risks when working with the console.
Itβs important to understand that Xiaomi doesnβt provide official documentation for unlocking SSH, so you do all the manipulations at your own risk. However, the enthusiastic community has long developed reliable methods that work on most devices with firmware based on OpenWRT or modified MiWiFi ROM. If youβre a beginner, we recommend that you first learn the basics of working with the Linux command line β this will save you hours to restore the router after unsuccessful experiments.
Why Xiaomi is blocking SSH by default?
The manufacturer disables SSH (Secure Shell) on its routers not out of a desire to complicate the lives of users, but for several objective reasons:
- π Security: Open security SSH-A port (usually 22) is a target for botnets that scan networks for vulnerable devices.
- π οΈ Support: Xiaomi does not want to be responsible for the consequences of unqualified actions of users who SSH Can break the router or violate license agreements.
- π¦ Firmware: Many models run on closed versions of OpenWRT, where access to system files is limited to prevent piracy (for example, bypassing regional locks).
However, for power users, SSH is an indispensable tool, and you can use it to:
- π§ Configure iptables for advanced firewall.
- π‘ Optimize Wi-Fi settings (e.g., change txpower to increase range).
- π₯οΈ Install additional packages (e.g. AdGuard Home or WireGuard).
- π Automate tasks through cron.
β οΈ Attention: Activation SSH Some models may lose warranty. 4A Gigabit Edition) have hardware protection, and an attempt to unlock can block the bootloader.
Preparing for SSH: What to Do in advance
Before proceeding to unlock, follow the mandatory preparatory steps:
- Check the router model. The ways SSH activation is different for devices on the MT7628 (Mi Router 4A/4C) and Qualcomm IPQ6000 (AX6000).
- Update your firmware. Outdated versions of the software may contain vulnerabilities or may not support current unlock methods. Go to Settings β General β Update firmware.
- Back up your settings. In the web interface (192.168.31.1), export the configuration through Settings β Additional β Backup.
- Prepare the PC. You're gonna need it: π₯οΈ Windows computer 10/11 Linux. π Ethernet cable (Wi-Fi may be turned off during the procedure). π οΈ Utility: PuTTY (for Windows) or built-in terminal (for Windows) Linux/macOS).
If you are using the Mi Router AX6000 or the new MiWiFi ROM 3.x firmware, you may need to pre-activate Telnet through a vulnerability in the web interface, which we will discuss in the next section.
Method 1: Enabling SSH via web interface (for firmware until 2023)
On older versions of the software (MiWiFi ROM 2.x), you can turn on SSH without complicated manipulations, which works for Mi Router 4A, 3G/3C and some Mi Router 4C revisions:
- Connect to the router via cable or Wi-Fi.
- Open your browser and go to http://192.168.31.1 (or miwifi.com).
- Sign in under the administrator account.
- Go to Settings β Additional β Developer (on some firmware, the path may differ: Settings β System β For developers).
- Activate the SSH switch and save the settings.
3. Open the terminal at 57600 bp and turn on the router. In the boot logs, find the Hit any key to stop autoboot line β press any key to stop autoboot.
4. Enter commands to download to UBoot:
setenv bootargs "console=ttyS0,57600n8 root=/dev/mtdblock6 init=/bin/sh"
bootm 0x9f0200005. After loading the shell, we mount the file system and edit the config:
mount -t jffs2 /dev/mtdblock6 /mnt
vi /mnt/etc/dropbear/dropbear.confFind a line. DROPBEAR_OPTIONS="-p 22" Save the changes (:wq in vi).
6.Reboot the router:
rebootOnce you reboot, SSH will be available. This method resets the root password on the empty one, so set the new password with the command immediately after you connect:
passwd| Model router | Chipset | Supported method | Notes |
|---|---|---|---|
| Mi Router 4A | MT7628 | Exploit via UART | Requires disassembly of the hull |
| Mi Router 4C | MT7628 | Telnet β SSH | Works on firmware up to 3.0.21 |
| Mi Router AX3000 | Qualcomm IPQ6000 | JSON-exploit | You need to get a stok token. |
| Mi Router AX6000 | Qualcomm IPQ8072 | Telnet + crontab | SSH resets after rebooting |
π‘
If after unlocking SSH router stopped accessing the Internet, check the settings of the firewall with the iptables team -L. The rules may have been reset and you need to manually add the permissive rules to the WAN-interface.
Security settings after SSH is enabled
Open-ended SSH-A port is a potential security hole in your network. To minimize the risks, follow these steps:
- Change the standard port. Edit the file. /etc/dropbear/dropbear.conf and change the line. DROPBEAR_PORT=22 to a non-standard port (e.g, 2222). Then restart the service:
- Turn off the password. Generate. SSH-Keys on your PC and add a public key to your PC /etc/dropbear/authorized_keys. Then install it in dropbear.conf. DROPBEAR_PASSWORD_AUTH=off.
- Restrict access by IP. In the file /etc/firewall.user Add a rule that allows connection only from your local IP:
- Set up fail2ban. Install a package to block brute force attacks:
We also recommend:
- π Regularly update your firmware (even if you use customized software).
- π‘ Shut down. SSH, when he's not needed.
- π Use complex passwords (at least 12 characters with numbers and special characters).
β οΈ Note: If you are planning to open SSH From the Internet (for example, for remote administration), be sure to set up WireGuard or OpenVPN for an encrypted tunnel. Connecting directly through port 22 is a surefire way to fall victim to an attack.
π‘
Even if you change the SSH port, botnet scanners will find it within hours. Always use authentication keys instead of passwords!
Common mistakes and their solutions
When unlocking SSH, users often face typical problems, and here are the most common ones and ways to fix them:
| Mistake. | Possible cause | Decision |
|---|---|---|
| Connection refused at port 22 | SSH not started or blocked by firewall | Check the status of the service: ps | grep dropbear. If not started, run /etc/init.d/dropbear start. |
| Permission denied (publickey) | Incorrect key rights or password-enabled login | Check it out. /etc/dropbear/authorized_keys and settings dropbear.conf. |
| Router not responding after reboot | Damage to configuration or firmware | Restore the firmware via TFTP or UART (disassembly required). |
| Invalid stok token when activating Telnet | Obsolete or incorrect token | Update the token: log in to the web interface and copy the new stok from cookies. |
If the router starts to brake or overheat after switching on SSH, check the CPU load with the top command. Perhaps the system runs unnecessary processes (for example, cron tasks from previous experiments).
crontab -eAnd delete all unnecessary lines.
Another common problem is resetting your settings after updating your firmware, so to avoid this, save the configuration before the update:
tar -czvf /tmp/backup.tar.gz /etcAnd after the update, restore it:
tar -xzvf /tmp/backup.tar.gz -C /