acecilia/OpenWRTInvasion

May not work with firmware 3.2.26

arihid opened this issue · 21 comments

Log showed success, but I can't ssh/telnet/ftp to this.
Device details:
Xiaomi Mi Router 4A Gigabit Edition (Global)
Firmware: 3.2.26
Production date: 05/21

Here is the log:

Router IP address [press enter for using the default 'miwifi.com']: 192.168.31.1
Enter router admin password: 12345678
There two options to provide the files needed for invasion:
   1. Use a local TCP file server runing on random port to provide files in local directory `script_tools`.
   2. Download needed files from remote github repository. (choose this option only if github is accessable inside router device.)
Which option do you prefer? (default: 1)1
****************
router_ip_address: 192.168.31.1
stok: <cleaned>
file provider: local file server
****************
start uploading config file...
start exec command...
local file server is runing on 0.0.0.0:61653. root='script_tools'
done! Now you can connect to the router using several options: (user: root, password: root)
* telnet 192.168.31.1
* ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null root@192.168.31.1
* ftp: using a program like cyberduck

Version 3.0.10 is reported to work: #145

I tried to downgrade, but it won't accept a downgrade, unlike the AX6S, which accepts a downgrade to the internal beta.
I went with the flash programmer route and it succeeded, but I will leave this open for future reference.

Did you manage to make it work then?

Yes, it's running the current stable version of OpenWrt.

If you explain in detail how you did it, I can add it to the readme and close this issue (I do not know what "flash programmer" is)

Also, which operating system did you use?

This post here described how to read the firmware, edit the necessary value and flash it back using an SPI flash programmer, as first discovered and described in this post.
It is reported that reading the flash content in Windows tends to yield a corrupted image, so I used Ubuntu 22 on a VM and it worked.
The chip is supposed to be "GD25Q127C/GD25Q128C", not "GD25Q128C", for this particular device.

Anyone have the 3.2.26 firmware file? I had access to the shell but I accidentally flashed a corrupted file, and I tried to flash with Global 3.0.24 and Chinese 2.28.62; both fail using either MIWIFIRepairTool or PXE Server.

Added a mention to the readme, thanks!

Sorry to bother you, should I use a TTL to USB adapter to interact with UART?

This is not listed in the post but in the referenced post.

Yes, use a USB to TTL adapter to interact with UART.

I only have my dump, but I won't recommend using it.

I only found out after I bought it that OpenWRTInvasion isn't able to open telnet,
but somehow the R3GV2 patches could open telnet, and what I did was flash to Padavan, and I can't unbrick it back to the original firmware.

Hello sir, do you still have the backup stock firmware 3.2.26? Can I get it?

For everyone who needs the 3.2.26 firmware dump, I will attach my dumped firmware. The following values have been purged, so you will need to edit them prior to flashing. Flash this firmware with an SPI flash programmer after adjusting the values accordingly.
DO NOT FLASH THE FILE AS IS, YOUR DEVICE INFORMATION WILL BE OVERWRITTEN!!

Current modified NVRAM values:

bootdelay=0
ethaddr="00:AA:BB:CC:DD:10"
SN=12345/A1RQ01234
wl0_ssid=Xiaomi_AABB_CCDD_5G
wl1_ssid=Xiaomi_AABB_CCDD
nv_wifi_pwd=12345678
CountryCode=ID

bootdelay is the timer that delays the boot process, in seconds. 0 means it will not wait for user interaction. Change this value to >0.
I left normal_firmware_md5 and nv_sys_pwd as is. I guess the normal_firmware_md5 value would be required to verify the firmware, and nv_sys_pwd is the encrypted password string set upon setup (usually the same as the WiFi password). The WebUI password shall be 12345678. If you can't log in to the WebUI, try resetting the router once.

@ElclarkKuhu sorry this took a long time. Back then I decided not to share my dumped firmware for reasons. I don't know whether this will work or not on your device.

r4a.zip
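The post above warns that the dump still carries placeholder identity values that must be edited before flashing. As an added example (not code from the thread, the repository, or the dump's author), here is a small Python checker/patcher for a NUL-separated `key=value` block, which is an assumed layout standing in for the purged NVRAM region; `patch_env` refuses a non-MAC `ethaddr`, a `bootdelay` of 0, or an output larger than the original region, and `placeholders_left` tells you whether the file is still "as is". If the real config partition carries a checksum header (the thread does not say), that would additionally need recomputing.

```python
import re

# Placeholder values the dump's author says were purged (taken from the post);
# a dump that still carries them must not be flashed.
PLACEHOLDERS = {
    "ethaddr": '"00:AA:BB:CC:DD:10"',
    "SN": "12345/A1RQ01234",
    "wl0_ssid": "Xiaomi_AABB_CCDD_5G",
    "wl1_ssid": "Xiaomi_AABB_CCDD",
    "nv_wifi_pwd": "12345678",
}

MAC_RE = re.compile(r'"?([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"?')


def parse_env(blob: bytes) -> dict:
    """Parse NUL-separated key=value entries (assumed, U-Boot-style layout)."""
    env = {}
    for entry in blob.split(b"\0"):
        if b"=" in entry:
            k, v = entry.split(b"=", 1)
            env[k.decode()] = v.decode(errors="replace")
    return env


def placeholders_left(blob: bytes) -> list:
    """Keys whose value is still the author's placeholder: flashing is unsafe."""
    env = parse_env(blob)
    return sorted(k for k, v in PLACEHOLDERS.items() if env.get(k) == v)


def patch_env(blob: bytes, new_values: dict) -> bytes:
    """Replace entries, keep the others, pad with NUL to the original size."""
    env = parse_env(blob)
    for k, v in new_values.items():
        if k == "ethaddr" and not MAC_RE.fullmatch(v):
            raise ValueError(f"ethaddr is not a MAC address: {v}")
        if k == "bootdelay" and int(v) <= 0:
            raise ValueError("bootdelay must be > 0 to get a UART prompt")
        env[k] = v
    out = b"".join(f"{k}={v}".encode() + b"\0" for k, v in env.items())
    if len(out) > len(blob):
        raise ValueError("patched env is larger than the original region")
    return out.ljust(len(blob), b"\0")


# Constructed 256-byte sample region mirroring the values listed in the post.
SAMPLE = (b"bootdelay=0\0ethaddr=\"00:AA:BB:CC:DD:10\"\0SN=12345/A1RQ01234\0"
          b"wl0_ssid=Xiaomi_AABB_CCDD_5G\0wl1_ssid=Xiaomi_AABB_CCDD\0"
          b"nv_wifi_pwd=12345678\0CountryCode=ID\0").ljust(256, b"\0")
```

Run `placeholders_left` on the region you extracted from your own dump; an empty list is the minimum bar before the SPI programmer comes out.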

Thank you for the dumped fw 3.2.26, sir. Can I just flash this bin file with Tiny PXE Server 1.0.0.23?

I don't know, can't recommend it.

Thank you sir for the fw dump...
Still finding the best solution without SPI hehehe

How did you manage to install OpenWRT on this firmware version? I got the same router, but still can't find how to install it. I already flashed the SPI chip and can control UART, but I can't flash it from there either. Did I miss something?

Forget it, I managed to install OpenWRT successfully now. Since I can access the UART, I can also flash the file from there by downloading the binary using wget and flashing it using mtd.

Just tried myself and I can access telnet without flashing the SPI chip.