How to turn on SSH on Xiaomi router: a complete guide with security teams and tips

Inclusion SSH-Xiaomi routers offer a wide range of opportunities for fine-tuning the network, installing alternative firmware or automating tasks. However, by default, the manufacturer blocks this protocol for security reasons - and for good reason. SSH This can cause a complete loss of functionality, especially if you are trying to change system files or kernel configurations. SSH on popular models (Mi Router) 4A, 4C, AX3000, AX6000 And others, and also tell you how to minimize the risks when working with the console.

It’s important to understand that Xiaomi doesn’t provide official documentation for unlocking SSH, so you do all the manipulations at your own risk. However, the enthusiastic community has long developed reliable methods that work on most devices with firmware based on OpenWRT or modified MiWiFi ROM. If you’re a beginner, we recommend that you first learn the basics of working with the Linux command line – this will save you hours to restore the router after unsuccessful experiments.

Why Xiaomi is blocking SSH by default?

The manufacturer disables SSH (Secure Shell) on its routers not out of a desire to complicate the lives of users, but for several objective reasons:

  • πŸ”’ Security: Open security SSH-A port (usually 22) is a target for botnets that scan networks for vulnerable devices.
  • πŸ› οΈ Support: Xiaomi does not want to be responsible for the consequences of unqualified actions of users who SSH Can break the router or violate license agreements.
  • πŸ“¦ Firmware: Many models run on closed versions of OpenWRT, where access to system files is limited to prevent piracy (for example, bypassing regional locks).

However, for power users, SSH is an indispensable tool, and you can use it to:

  • πŸ”§ Configure iptables for advanced firewall.
  • πŸ“‘ Optimize Wi-Fi settings (e.g., change txpower to increase range).
  • πŸ–₯️ Install additional packages (e.g. AdGuard Home or WireGuard).
  • πŸ”„ Automate tasks through cron.

⚠️ Attention: Activation SSH Some models may lose warranty. 4A Gigabit Edition) have hardware protection, and an attempt to unlock can block the bootloader.

Preparing for SSH: What to Do in advance

Before proceeding to unlock, follow the mandatory preparatory steps:

  1. Check the router model. The ways SSH activation is different for devices on the MT7628 (Mi Router 4A/4C) and Qualcomm IPQ6000 (AX6000).
  2. Update your firmware. Outdated versions of the software may contain vulnerabilities or may not support current unlock methods. Go to Settings β†’ General β†’ Update firmware.
  3. Back up your settings. In the web interface (192.168.31.1), export the configuration through Settings β†’ Additional β†’ Backup.
  4. Prepare the PC. You're gonna need it: πŸ–₯️ Windows computer 10/11 Linux. πŸ”Œ Ethernet cable (Wi-Fi may be turned off during the procedure). πŸ› οΈ Utility: PuTTY (for Windows) or built-in terminal (for Windows) Linux/macOS).

If you are using the Mi Router AX6000 or the new MiWiFi ROM 3.x firmware, you may need to pre-activate Telnet through a vulnerability in the web interface, which we will discuss in the next section.

πŸ“Š What model of Xiaomi router you use?
Mi Router 4A
Mi Router 4C
Mi Router AX3000
Mi Router AX6000
Another model

Method 1: Enabling SSH via web interface (for firmware until 2023)

On older versions of the software (MiWiFi ROM 2.x), you can turn on SSH without complicated manipulations, which works for Mi Router 4A, 3G/3C and some Mi Router 4C revisions:

  1. Connect to the router via cable or Wi-Fi.
  2. Open your browser and go to http://192.168.31.1 (or miwifi.com).
  3. Sign in under the administrator account.
  4. Go to Settings β†’ Additional β†’ Developer (on some firmware, the path may differ: Settings β†’ System β†’ For developers).
  5. Activate the SSH switch and save the settings.

3. Open the terminal at 57600 bp and turn on the router. In the boot logs, find the Hit any key to stop autoboot line β€” press any key to stop autoboot.

4. Enter commands to download to UBoot:

setenv bootargs "console=ttyS0,57600n8 root=/dev/mtdblock6 init=/bin/sh"


bootm 0x9f020000

5. After loading the shell, we mount the file system and edit the config:

mount -t jffs2 /dev/mtdblock6 /mnt


vi /mnt/etc/dropbear/dropbear.conf

Find a line. DROPBEAR_OPTIONS="-p 22" Save the changes (:wq in vi).

6.Reboot the router:

reboot

Once you reboot, SSH will be available. This method resets the root password on the empty one, so set the new password with the command immediately after you connect:

passwd
Model routerChipsetSupported methodNotes
Mi Router 4AMT7628Exploit via UARTRequires disassembly of the hull
Mi Router 4CMT7628Telnet β†’ SSHWorks on firmware up to 3.0.21
Mi Router AX3000Qualcomm IPQ6000JSON-exploitYou need to get a stok token.
Mi Router AX6000Qualcomm IPQ8072Telnet + crontabSSH resets after rebooting

πŸ’‘

If after unlocking SSH router stopped accessing the Internet, check the settings of the firewall with the iptables team -L. The rules may have been reset and you need to manually add the permissive rules to the WAN-interface.

Security settings after SSH is enabled

Open-ended SSH-A port is a potential security hole in your network. To minimize the risks, follow these steps:

  1. Change the standard port. Edit the file. /etc/dropbear/dropbear.conf and change the line. DROPBEAR_PORT=22 to a non-standard port (e.g, 2222). Then restart the service:
  2. Turn off the password. Generate. SSH-Keys on your PC and add a public key to your PC /etc/dropbear/authorized_keys. Then install it in dropbear.conf. DROPBEAR_PASSWORD_AUTH=off.
  3. Restrict access by IP. In the file /etc/firewall.user Add a rule that allows connection only from your local IP:
  4. Set up fail2ban. Install a package to block brute force attacks:

We also recommend:

  • πŸ”„ Regularly update your firmware (even if you use customized software).
  • πŸ“‘ Shut down. SSH, when he's not needed.
  • πŸ” Use complex passwords (at least 12 characters with numbers and special characters).

⚠️ Note: If you are planning to open SSH From the Internet (for example, for remote administration), be sure to set up WireGuard or OpenVPN for an encrypted tunnel. Connecting directly through port 22 is a surefire way to fall victim to an attack.

πŸ’‘

Even if you change the SSH port, botnet scanners will find it within hours. Always use authentication keys instead of passwords!

Common mistakes and their solutions

When unlocking SSH, users often face typical problems, and here are the most common ones and ways to fix them:

Mistake.Possible causeDecision
Connection refused at port 22SSH not started or blocked by firewallCheck the status of the service: ps | grep dropbear. If not started, run /etc/init.d/dropbear start.
Permission denied (publickey)Incorrect key rights or password-enabled loginCheck it out. /etc/dropbear/authorized_keys and settings dropbear.conf.
Router not responding after rebootDamage to configuration or firmwareRestore the firmware via TFTP or UART (disassembly required).
Invalid stok token when activating TelnetObsolete or incorrect tokenUpdate the token: log in to the web interface and copy the new stok from cookies.

If the router starts to brake or overheat after switching on SSH, check the CPU load with the top command. Perhaps the system runs unnecessary processes (for example, cron tasks from previous experiments).

crontab -e

And delete all unnecessary lines.

Another common problem is resetting your settings after updating your firmware, so to avoid this, save the configuration before the update:

tar -czvf /tmp/backup.tar.gz /etc

And after the update, restore it:

tar -xzvf /tmp/backup.tar.gz -C /

FAQ: Frequent questions about SSH on Xiaomi routers

Can I turn on SSH on the Xiaomi router without disassembling the case?
Yes, on most models (Mi Router 4A/4C/AX3000), SSH is enabled via a web interface or exploit from Telnet. Disassembly is only required for devices with a locked bootloader or on custom firmware where standard methods do not work.
What is the default password for SSH after unlocking?
On most firmware, the username/password matches the data from the web interface. If you used exploit over UART, the password may be empty – immediately after you connect, set a new one through the passwd command.
Why does SSH shut down again after the reboot?
This is a feature of the MiWiFi ROM 3.x firmware. To save SSH after a reboot, add /etc/init.d/dropbear start to autoload via crontab -e or edit the /etc/rc.local script.
Can I turn on SSH on a Xiaomi router connected to the provider via PPPoE?
Yes, unlocking methods don’t depend on the type of Internet connection, but if the provider blocks outbound connections to port 22, you’ll have to use a non-standard port or VPN.
How to turn off SSH if it is no longer needed?
Follow the commands: uci set dropbear.@dropbear[0].enable='0' uci commit /etc/init.d/dropbear stop Or disable the service via the web interface (if the option is available).