OpenWrt/PandoraBox for International Users
Scroll down for download link
As much as I would prefer to have the stock OpenWrt on Xiaomi WiFi Mini, the wireless networking performance is much better with a Chinese fork of it named PandoraBox. Although most of the stuff under the hood is still OpenWrt, PandoraBox has a heavily customized interface in Chinese, and includes by default numerous packages of limited use, in particular to people outside China.
Using the filesystem unpacking method I posted about before, I patched the latest version of PandoraBox to bring it back to the stock OpenWrt look and feel, which I prefer, while also removing China-specific and other niché packages. On top of that, later I also made some other optimizations. I intended this to be for my own personal use but since there are people interested in it I'd like to share it with the community.
There are two versions, called Minimal and Optimal. The former is essentially reverting as much as possible to the original, vanilla OpenWrt state. The latter builds up on top of that with the changes and additions I made for my own use, excluding any specific configuration files only applicable to my router. The differences are described in more detail below, and for complete information you can have a look at the patch source, which I encourage you to do.
As close as possible and practical to stock OpenWrt installation. Generally without adding any files to the filesystem image:
Removed China-specific and other not widely-used packages, in particular: FTP server, Huawei modem drivers, tunnelling (incl. IPv6), traffic shaping, obsolete VPN technologies. See sources for full list.
Removed Chinese and other non-English translations as well as the LuciXEyE theme.
Kept the more widely-used pre-installed packages, in particular: IP filtering-related and other kernel modules, filesystem and USB-related software, SMB and UPnP support.
Removed PandoraBox branding in places such as login banner, default hostname and Wi-Fi ESSIDs and restored stock OpenWrt Barrier Breaker defaults where possible (in places such as the shell prompt), while retaining PandoraBox authors' text notices for parts they created or significantly modified.
Based on the Minimal Version above, with further optimizations that require changes beyond patching the filesystem image such as adding new packages or other files and replacing existing ones. In particular:
Add LUA module to uhttpd to bypass the CGI interface for improved speed.
Add SSL module to uhttpd and only allow Web administration over HTTPS for improved security.
Add Midnight Commander shell (mc) and GNU Screen (screen) for improved administration through SSH.
Include pre-generated HTTPS certificates since the utility to generate them at run-time is missing from PandoraBox. The CA certificate file, available as a separate download, can be added to your trusted store to switch off any certificate warnings.
Provide optimized configuration defaults for the firewall and network settings. Enable NAT hardware acceleration by default. Disable HTTP CGI and only allow HTTPS traffic. Provide better defaults for DHCP, SMB, SSH, UPnP.
Include an interface alias and a firewall rule to access the private interface of a modem. Default settings are for a modem at 192.168.1.1, if yours has a different address edit it in the file /etc/firewall.user. To use, go to http://modem/.
IP address on local interface changed from 192.168.1.1 to 10.0.0.1 to make the modem private interface accessible.
Remove CGI-specific files from HTTP server web root and change the index page to use the LUA module.
Remove HTML footer version string from Luci for a little more security by obscurity.
Customize the shell prompt, provide optimal default settings for Midnight Commander and GNU Screen.
Rename "hd_idle" to "Hard Disk Idle" in Luci configuration.
Trim the default banner in /etc/banner and include a ridiculous pre-login SSH banner in /etc/banner.ssh to fend off potential infiltrators.
Replace the Luci favicon.
Update 0 (2016-01-08)
Update 1 (2016-01-13)
[Fix] [All] Installation procedure simplified, no longer any need to check for possible JFFS2 issues. Images now include proper padding just like any standard OpenWrt distribution.
[Fix] [All] WPA options now showing correctly in Luci WiFi configuration, wifi.lua and wifi_add.lua restored to compiled PandoraBox version in /usr/lib/lua/luci/model/cbi/admin_network/. Thanks to joaomconde for spotting this bug.
[Fix] [All] Samba NetBIOS name no longer being reverted to "OPENWRT_XXXX" even when hostname was customized.
[Fix] [Opt] Remove unnecessary UCI defaults files as configuration files are already preloaded.
[Fix] [Opt] No longer necessary to manually copy over preloaded config files upon first boot.
[New] [Opt] HTTPS server's default LAN IP address (10.0.0.1) added to SSL certificate DNS names.
[New] [Opt] Another instance of HTTP server now listens on port 80 and redirects traffic to HTTPS.
[Meta] Scripted build environment for patched images. Much simpler to create your own images now for anyone that wishes to do so.
Update 2 (2016-01-16)
[Fix] [Opt] Prevent a likely JFFS2 initialization problem if flashed on top of a larger firmware image without erasing the partition that would prevent the /overlay partition from being mounted correctly. Thanks to FJorgeR for reporting this.
[Fix] [Opt] Prevent a boot loop if JFFS2 filesystem on /overlay not mounted properly on first boot. Thanks to FJorgeR for reporting this.
[Meta] Fix the generation of add_package_log.txt and rm_package_log.txt by patching scripts.
Update 3 (2016-01-19)
[New] [All] Updated PandoraBox base from release 1216 to release 1597 (2015-11-07). This bumps up the kernel version from 3.14.48 to 3.14.56. Still based on OpenWrt Barrier Breaker but apparently some parts were backported from newer branches. Some changes to the Wi-Fi setup suggest that performance might improve.
[New] [All] VFAT and exFAT kernel support modules were removed from the newer PandoraBox base, and they are accordingly not included in the patched versions. For Windows filesystem support through USB add the packages kmod-fs-vfat and kmod-fs-exfat from the repository.
[Fix] [All] Repository archive updated and changed from the original to remove unnecessary dependency of kmod-fs-vfat and kmod-fs-exfat on kmod-nls-cp936 (Simplified Chinese codepage).
[Fix] [All] No longer including plain-text replacement for *.lua files due to potential errors this may introduce, except /usr/lib/lua/luci/controller/admin/status.lua, which is necessary to remove the ip-bandwidth menu entry.
[Fix] [All] Workaround Samba fatal error due to confusion caused by the overlay filesystem over the file /etc/samba/secrets.tdb. Replaced this file with a symbolic link to /tmp/secrets.tdb. If you want it to persist between reboots, it also works when stored directly under /overlay.
[Fix] [Opt] Resolved the issue of double slashes appearing in self-referring URLs by patching /usr/lib/lua/luci/view/themes/bootstrap/header.htm. There was a similar issue in OpenWrt trunk but the file from trunk could not be ported as it breaks per-interface real-time graphs.
[Fix] [Opt] Additional restart after first boot no longer necessary to apply preloaded configuration settings. As a result, the time from flashing to login readiness is shortened for the Optimal version. Note though that on first boot server keys need to be generated before you can login through SSH, so if your connection is refused initially it's due to this.
[Fix] [Opt] Fixed Midnight Commander "Cannot load codepage list" warning message upon startup.
[New] [Opt] Separately including the certificate files (HTTPS and CA) that can be added to your local trusted store to make any SSL warnings disappear when connecting to OpenWrt. The private key for this certification authority has been deleted, which means no further certificates can be signed with it, so it's safe to add it (if you trust my word on this one).
[Meta] Significant changes to patch source scripts.
Update 4 (2016-01-27)
[New] [All] Since PandoraBox keeps evolving to include more and more packages, as an experiment I have adjusted my approach this time and decided to keep most of them, only removing those that are China-specific, as well as non-English translations (because they were incomplete anyway), and also the MWAN functionality and FTP server.
[New] [All] This means that the current version now includes in particular: Aria2 Downloader, ARP Bind, CPU Limit, IP Bandwidth (traffic accounting), NGrok Client, SQM, Transmission BitTorrent Client, Wake-on-LAN, as well as all the kernel modules that were originally provided, except the Simplified Chinese codepage. Hopefully this change is in line with what (at least the most vocal) people wanted.
[New] [All] Original PandoraBox version also adds the Material theme and defaults to it. I have kept it and made it the default in the Optimal version too. You can still switch back to the default Bootstrap theme if you want to.
[Fix] [All] Fixed double slashes in self-generated URLs in the Material theme; while there, also removed the "Loading..." label, keeping only the animated circle, which is already self-explanatory.
[Fix] [All] Disable NAT hardware acceleration by default, identified as a potential source of problems.
[Fix] [Opt] Changed "aria2" to "Aria2 Downloader", "cpulimit" to "CPU Limit" and "ipbandwidth" to "IP Bandwidth" in the Web interface menu.
[Fix] [Opt] Improved the descriptive text on the "IP Bandwidth" page in the Web interface menu.
[New] [Opt] Since PandoraBox now includes OpenSSL command-line tools, include the OpenSSL configuration file I previously posted separately as the default /etc/ssl/openssl.cnf.
[Meta] Changed the name of edit and patch source script archives to Custom-Edit and Custom-Patch respectively for better clarity.
[Meta] Case adjustments to filenames in the downloads folder.
Before downloading, please make sure you understand that all this comes with no warranty whatsoever. While it works for me, I will not be responsible for any damage caused or assumed to be caused by whatever you decide to do with those files. If anything goes wrong you are on your own to fix it. Please make sure you are comfortable with this before proceeding. Thank you.
<Version> is either "Minimal" or "Optimal"
Un is an update identifier, where n is a number that increases with every update.
rnnnn is the PandoraBox release identifier, which points to the version of the binary image this patch is based on.
Firmware image. This is the flashable file you most likely want.
Filesystem image. Use with the script below to make your own custom version based on this firmware.
Use this to make any changes you want to the filesystem, and rebuild it into a flashable firmware. More information.
Full sources to re-create all the patched files, starting from the original PandoraBox firmware. More information.
Complete mirror of PandoraBox package repository in case it ever goes offline.
Mirror of a great bootloader for Xiaomi MiWiFi Mini. More information.
Makes it easier to generate SSL certificates with OpenSSL for use with OpenWrt. More information.
Server (HTTPS) and CA certificates that can be added on your system to make the certificate warning go away. With Chrome or IE on Windows, properly installing the second one should be enough.
Use the information from this file to verify if the other files that you downloaded are intact.
The downloads are currently hosted at Mega.NZ. If you have a better idea where to put those files, feel free to let me know.
Flash from within any existing OpenWrt or PandoraBox installation through the Web interface or from the shell:
sysupgrade -n <filename>.bin
Or flash directly from the original Xiaomi firmware:
mtd -r write <filename>.bin OS1
Or use Breed bootloader.
Connect to Wifi network OpenWrt-2.4GHz-XXXX or OpenWrt-5.0GHz-XXXX.
SSH to hostname openwrt or point your browser to http://openwrt/.
(You will be redirected to https://openwrt/ in the Optimal version.)
Log in with username root and the default password admin.
For easy navigation around the filesystem over SSH, after logging in type mc and press Enter (Optimal version only).
When flashing the Optimal version your settings will not be retained. Please back them up manually if you wish to keep them.
Recent PandoraBox versions include Wi-Fi client separation by default. If you want to enable communication between clients on the same interface, please add the following two lines to /etc/rc.local:
iwpriv ra0 set NoForwarding=0
iwpriv rai0 set NoForwarding=0
(Last edited by StrangeOrange on 26 Jan 2016, 18:38)