[Success] Mi Router 4A 100M on firmware 3.0.12 (R4AC)
SilentoA opened this issue · 17 comments
Hello! I wanted to thank you very much for OpenWRTInvasion and report back on the success!
Device: MiRouter 4A 100M (non gigabit)
Software version: 3.0.12
The process of getting root:
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
~/OpenWRTInvasion (master) » python3 remote_command_execution_vulnerability.py 130 ↵ liveuser@ctlos
Router IP address [press enter for using the default 'miwifi.com']: 192.168.31.1
Enter router admin password: 0-)3LJIg|D=Pl=z2(WwI1{-9d
There two options to provide the files needed for invasion:
1. Use a local TCP file server runing on random port to provide files in local directory `script_tools`.
2. Download needed files from remote github repository. (choose this option only if github is accessable inside router device.)
Which option do you prefer? (default: 1)
****************
router_ip_address: 192.168.31.1
stok: c42bd637f2f363439c19af8b006d6f47
file provider: local file server
****************
start uploading config file...
start exec command...
local file server is runing on 0.0.0.0:47791. root='script_tools'
local file server is getting 'busybox-mipsel' for 192.168.31.1.
local file server is getting 'dropbearStaticMipsel.tar.bz2' for 192.168.31.1.
done! Now you can connect to the router using several options: (user: root, password: root)
* telnet 192.168.31.1
* ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa -c 3des-cbc -o UserKnownHostsFile=/dev/null root@192.168.31.1
* ftp: using a program like cyberduck
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
OpenWrt installation process:
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
~ » ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa -c 3des-cbc -o UserKnownHostsFile=/dev/null root@192.168.31.1 liveuser@ctlos
The authenticity of host '192.168.31.1 (192.168.31.1)' can't be established.
RSA key fingerprint is SHA256:cGn3yDg2gfyMoGIh1pKGxWDWZWiHK1vj6/S9iRlljlo.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.31.1' (RSA) to the list of known hosts.
root@192.168.31.1's password:
BusyBox v1.19.4 (2020-12-22 12:08:23 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.
-----------------------------------------------------
Welcome to XiaoQiang!
-----------------------------------------------------
$$$$$$\ $$$$$$$\ $$$$$$$$\ $$\ $$\ $$$$$$\ $$\ $$\
$$ __$$\ $$ __$$\ $$ _____| $$ | $$ | $$ __$$\ $$ | $$ |
$$ / $$ |$$ | $$ |$$ | $$ | $$ | $$ / $$ |$$ |$$ /
$$$$$$$$ |$$$$$$$ |$$$$$\ $$ | $$ | $$ | $$ |$$$$$ /
$$ __$$ |$$ __$$< $$ __| $$ | $$ | $$ | $$ |$$ $$<
$$ | $$ |$$ | $$ |$$ | $$ | $$ | $$ | $$ |$$ |\$$\
$$ | $$ |$$ | $$ |$$$$$$$$\ $$$$$$$$$ | $$$$$$ |$$ | \$$\
\__| \__|\__| \__|\________| \_________/ \______/ \__| \__|
root@XiaoQiang:~# cat /proc/mtd
dev: size erasesize name
mtd0: 01000000 00010000 "ALL"
mtd1: 00020000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 00010000 00010000 "crash"
mtd5: 00010000 00010000 "cfg_bak"
mtd6: 00200000 00010000 "overlay"
mtd7: 00da0000 00010000 "OS1"
mtd8: 00c40000 00010000 "rootfs"
root@XiaoQiang:~# cd /tmp/
root@XiaoQiang:/tmp# curl --insecure https://downloads.openwrt.org/snapshots/targets/ramips/mt76x8/openwrt-ramips-mt76x8-xiaomi_mi-router-4a-100m-intl-squashfs-sysupgrade.bin --output openwrt.bin
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5632k 100 5632k 0 0 1120k 0 0:00:05 0:00:05 --:--:-- 1728k
root@XiaoQiang:/tmp# ls -la
drwxrwxrwt 27 root root 1420 Jan 26 07:07 .
drwxr-xr-x 19 root root 279 Dec 22 2020 ..
-rwx------ 1 root root 5 Dec 22 2020 .switch2jffs
drwx------ 2 root root 140 Jan 26 06:14 .uci
-rw-r--r-- 1 root root 0 Dec 22 2020 3307.bootcheck.log
-rw-r--r-- 1 root root 6 Dec 22 2020 TZ
drwxr-xr-x 9 root root 180 Jan 23 08:46 arrays
-rwxr-xr-x 1 root root 1629080 Jan 26 06:13 busybox
drwxr-xr-x 3 root root 60 Dec 22 2020 daemon
drwxr-xr-x 2 root root 40 Jan 23 08:47 datalist
-rw-r--r-- 1 root root 199 Jan 26 07:03 dhcp.eth0.2.after_bound.log
-rw-r--r-- 1 root root 130 Jan 26 07:03 dhcp.eth0.2.befor_bound.log
-rw-r--r-- 1 root root 165 Jan 26 06:02 dhcp.leases
-rw-r--r-- 1 root root 108 Jan 26 07:02 diag_net_spd
drwxr-xr-x 2 root root 220 Jan 26 06:13 dropbear
-rw-r--r-- 1 root root 324739 Jan 26 06:13 dropbear.tar.bz2
drwxr-xr-x 4 root root 160 Jan 23 08:46 etc
lrwxrwxrwx 1 root root 7 Jan 26 06:13 ftpd -> busybox
drwxr-xr-x 2 root root 260 Dec 22 2020 hosts
drwxr-xr-x 2 root root 40 Dec 22 2020 http_info
-rw-r--r-- 1 root root 0 Jan 26 06:53 ip6neighbor
drwxr-xr-x 2 root root 80 Dec 22 2020 lock
drwxr-xr-x 2 root root 80 Dec 22 2020 log
drwxr-xr-x 2 root root 40 Dec 22 2020 logexec
-rw------- 1 root root 147519 Jan 23 08:46 luci-indexcache
drwx------ 2 root root 80 Jan 26 06:07 luci-nonce
drwx------ 2 root root 100 Jan 26 07:02 luci-sessions
-rw------- 1 root root 2195 Jan 26 07:03 messages
-rw-r--r-- 1 root root 4 Jan 26 07:03 mi_ip_conflict_pid
-rw-r--r-- 1 root root 0 Jan 26 06:14 miqos.lock
drwxr-xr-x 2 root root 40 Dec 22 2020 mnt
-rw-r--r-- 1 root root 176 Dec 22 2020 mt76xx2.sh.log
-rw-r--r-- 1 root root 177 Dec 22 2020 mt76xx5.sh.log
-rw-r--r-- 1 root root 424 Jan 25 19:35 netdig_tmp
-rw-r--r-- 1 root root 231 Jan 26 07:03 network.env
-rw-r--r-- 1 root root 885 Jan 26 03:00 nginx_check.log
-rw-r--r-- 1 root root 18 Jan 23 08:46 ntp.status
-rw-r--r-- 1 root root 5767527 Jan 26 07:07 openwrt.bin
-rw-r--r-- 1 root root 5 Jan 26 05:10 ota_predownload_pid
-rw-rw-r-- 1 1000 1000 195433 Feb 11 2019 oui
drwxr-xr-x 2 root root 80 Jan 23 09:00 quark
-rw-r--r-- 1 root root 17 Jan 23 08:46 rc.done
-rw-r--r-- 1 root root 3024 Jan 23 08:46 rc.timing
-rw-r--r-- 1 root root 21 Dec 22 2020 resolv.conf
-rw-r--r-- 1 root root 59 Dec 22 2020 resolv.conf.auto
drwxr-xr-x 2 root root 40 Dec 22 2020 root
-rw-r--r-- 1 root root 2 Jan 23 08:53 router_in_xiaomi
drwxr-xr-x 2 root root 40 Dec 22 2020 rr
drwxr-xr-x 2 root root 320 Jan 26 06:14 run
-rw-r--r-- 1 1000 985 3352 Jan 26 06:09 script.sh
-rw-r--r-- 1 root root 2 Dec 22 2020 smart_force_wifi_down
-rw-r--r-- 1 1000 985 1864 Jan 26 06:13 speedtest_urls.xml
drwxr-xr-x 3 root root 60 Dec 22 2020 spool
-rw-r--r-- 1 root root 4 Jan 26 07:07 startscene_crontab.lua.PID
-rw------- 1 root root 1152 Jan 26 06:57 stat_points_privacy.log
-rw------- 1 root root 145 Jan 26 06:46 stat_points_rom.log
-rw-r--r-- 1 root root 0 Jan 26 06:38 stat_points_web.log
drwxr-xrwx 2 root root 120 Jan 23 08:46 state
drwxrwxrwx 13 root root 260 Dec 22 2020 sysapihttpd
drwxr-xr-x 3 root root 360 Jan 26 03:00 sysapihttpdconf
drwxr-xr-x 2 root root 80 Jan 1 1970 sysinfo
srwxr-xr-x 1 root root 0 Dec 22 2020 syslog-ng.ctl
-rw-r--r-- 1 root root 4 Dec 22 2020 syslog-ng.pid
drwxr-xr-x 2 root root 80 Dec 22 2020 taskmonitor
-rw-r--r-- 1 root root 19387 Dec 22 2020 uci2dat_mt7612.log
-rw-r--r-- 1 root root 20555 Dec 22 2020 uci2dat_mt7628.log
drwxrwxrwx 2 root root 40 Jan 26 03:00 uploadfiles
-rw-r--r-- 1 root root 0 Jan 25 11:59 upnp.leases
-rw-r--r-- 1 root root 0 Jan 23 08:47 web_config_list
prw------- 1 root root 0 Jan 26 06:12 web_filter_list
-rw------- 1 root root 55153 Jan 26 06:01 wifi_analysis.log
root@XiaoQiang:/tmp# mtd -r write openwrt.bin OS1
Unlocking OS1 ...
Writing from openwrt.bin to OS1 ...
Rebooting ...
The next step was to install luci:
ssh root@192.168.1.1
opkg update
opkg install luci
Then you can get into the web interface.
Please update information about supported firmware for MiRouter 4A 100M (non gigabit). Thanks again!
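The transcript above downloads the image with `curl --insecure`, which skips TLS certificate verification, so nothing authenticates `openwrt.bin` before `mtd -r write openwrt.bin OS1`. The following is an added example, not part of the original post or of OpenWRTInvasion: a pre-flash gate that compares the image's SHA-256 with an expected digest and checks that the image fits the target partition listed in `/proc/mtd`. It assumes `sha256sum` is available where it runs and that the expected digest comes from the `sha256sums` file OpenWrt publishes next to each image, fetched over a verified connection; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the post): checks to run before `mtd -r write`.

# Print the byte size of MTD partition NAME from a /proc/mtd-style file.
mtd_size_bytes() {  # usage: mtd_size_bytes NAME [MTD_FILE]
    hex=$(awk -v n="\"$1\"" '$4 == n { print $2 }' "${2:-/proc/mtd}")
    [ -n "$hex" ] || return 1          # unknown partition name
    echo $((0x$hex))                   # size column is hex without a prefix
}

# Succeed only if IMAGE is no larger than partition NAME.
image_fits() {  # usage: image_fits IMAGE NAME [MTD_FILE]
    part=$(mtd_size_bytes "$2" "${3:-/proc/mtd}") || return 1
    img=$(($(wc -c < "$1")))
    [ "$img" -le "$part" ]
}

# Succeed only if the SHA-256 of IMAGE equals EXPECTED (64 hex chars, any case).
sha256_matches() {  # usage: sha256_matches IMAGE EXPECTED_HEX
    got=$(sha256sum "$1" | awk '{ print $1 }')
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "${#want}" -eq 64 ] && [ "$got" = "$want" ]
}

# Gate for the flash step: prints a verdict, returns non-zero on any failure.
preflight() {  # usage: preflight IMAGE EXPECTED_HEX NAME [MTD_FILE]
    sha256_matches "$1" "$2" || { echo "REFUSE: checksum mismatch"; return 1; }
    image_fits "$1" "$3" "${4:-/proc/mtd}" || { echo "REFUSE: image larger than $3"; return 1; }
    echo "OK: $1 verified and fits $3"
}

# Demo on constructed input: the Config and OS1 rows from the /proc/mtd output
# in the post, and a 3-byte stand-in image whose SHA-256 is the digest of "abc".
demo() {
    d=$(mktemp -d) || return 1
    printf 'dev: size erasesize name\nmtd2: 00010000 00010000 "Config"\nmtd7: 00da0000 00010000 "OS1"\n' > "$d/mtd"
    printf 'abc' > "$d/openwrt.bin"
    preflight "$d/openwrt.bin" \
        ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad OS1 "$d/mtd"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo
```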
Awesome thanks!
I had the exact input parameters: MiRouter 4A 100M (R4AC) International, Software version: 3.0.12, but it didn't work.
Environment:
- MiRouter 4A 100M (R4AC) International
- Firmware version: 3.0.12
- Windows 10
I tried to get things done using
- docker solution with different combinations of options (local files / remote files)
- python host solutions with different combinations (local files / remote files)
and it doesn't work
Log
(base) PS C:\workspace\docker\OpenWRTInvasion> docker run --network host -it openwrtinvasion
Router IP address [press enter for using the default 'miwifi.com']: 192.168.31.1
Enter router admin password: myAwesomPassword
There two options to provide the files needed for invasion:
1. Use a local TCP file server runing on random port to provide files in local directory `script_tools`.
2. Download needed files from remote github repository. (choose this option only if github is accessable inside router device.)
Which option do you prefer? (default: 1)
****************
router_ip_address: 192.168.31.1
stok: 737fd60b3febe56cf92d2c52359763f4
file provider: local file server
****************
start uploading config file...
start exec command...
local file server is runing on 0.0.0.0:60383. root='script_tools'
Warning: the process has finished, but seems like ssh connection to the router is not working as expected.
* Maybe your firmware version is not supported, please have a look at https://github.com/acecilia/OpenWRTInvasion/blob/master/README.md#unsupported-routers-and-firmware-versions
I switched to the latest Fedora and everything works as expected.
So the issue is only reproduced on Windows.
Thank you! Successfully flashed.
Where can I get the global firmware?
By global, you mean international?
Here is a snapshot for R4AC >> https://openwrt.org/inbox/toh/xiaomi/r4ac
Here is the latest release (I haven't tested it) >> https://downloads.openwrt.org/releases/23.05.0/targets/ramips/mt76x8/
Yeah, international, but I need stock that is in English, not Chinese.
Sorry, but you couldn’t specify what you need, otherwise I don’t quite understand you...
He is asking for stock firmware in English. 3.xx.xx
Now it's clear, thank you.
@EndermanchFan2100 I found 3.0.5 and 3.0.10 global. Be careful.
I have also found both of those links but both of them are expired.
I had to register to download the firmware for you from the second link.
miwifi_r4ac_firmware_0942f_3.0.10_INT.zip
Also read this comment before you start converting the Chinese version into a global one. Good luck.
Thank you.
Hey sir, kind regards. I have an R4AC (non gigabit) DVB4230GL international on version 3.0.10. Can I install OpenWrt without breaking my device if I do everything step by step via a guide?
Just yes or no
but the menu is English
yes, you can install OpenWrt.
Thank you so much, I really appreciate it.
Is there any YouTube guide?