Skip to content

Root shell exploit for several Xiaomi routers: 4A Gigabit, 4A 100M, 4, 4C, 3Gv2, 4Q, miWifi 3C...

Notifications You must be signed in to change notification settings

acecilia/OpenWRTInvasion

Repository files navigation

Root shell exploit for several Xiaomi routers: 4A Gigabit, 4A 100M, 4C, 3Gv2, 4Q, miWifi 3C...

How to run

NOTE: FROM VERSION 0.0.2 THE ROUTER NEEDS INTERNET ACCESS. If you require to run the exploit without internet access please try version 0.0.1. Find the versions here: https://github.com/acecilia/OpenWRTInvasion/releases

NOTE: THERE ARE REPORTED ISSUES WITH ROUTER IN AP MODE. If you're not able to succeed in the AP mode, try to switch to some other (WiFi Repeater or Gateway)

NOTE: THERE ARE COMPATIBILITY ISSUES REPORTED WHEN USING WINDOWS. This script only runs on Mac or Linux. If you run from Windows, please use docker (explained below)

Using Docker (also works on Windows)

docker build -t openwrtinvasion https://github.com/acecilia/OpenWRTInvasion.git
docker run --network host -it openwrtinvasion

Using the command line

pip3 install -r requirements.txt # Install requirements
python3 remote_command_execution_vulnerability.py # Run the script

You will be asked for the router IP address and for the stok. You can grab the stok from the router URL after you log in to the admin interface:

Note that the script must be run from the same IP address used when login into the router.

After that, a telnet server will be up and running. You can connect to it by running:

telnet <router_ip_address>
  • User: root
  • Password: root

The script also starts an ftp server at port 21, so you can get access to the filesystem using a GUI (for example cyberduck).

Supported routers and firmware versions

Unsupported routers and firmware versions

  • MiRouter 4A Gigabit:
    • 2.30.20: see details here
    • 3.2.26: see details and alternatives here
  • Mi Extender AC1200 (RA75): see here

Xiaomi 4A Gigabit Global Edition

Find here a very complete introductory video to the router and the OpenWrt installation

Firmwares

This repository contains the following firmwares:

If you have a pending update in your Xiaomi stock firmware, you can check its md5 hash and the download url by navigating to:

http://192.168.31.1/cgi-bin/luci/;stok=<stok>/api/xqsystem/check_rom_update

Install OpenWrt

When installing OpenWrt on the Xiaomi 4A Gigabit, there are several options:

  • [PREFERRED OPTION]: use the latest supported stable release of OpenWrt. Find it in the official OpenWrt wiki page

  • Build your own image with imagebuilder, using the latest source code on master:

    docker pull openwrtorg/imagebuilder:ramips-mt7621-master
    docker run --rm -v "$(pwd)"/bin/:/home/build/openwrt/bin -it openwrtorg/imagebuilder:ramips-mt7621-master
    make PROFILE=xiaomi_mir3g-v2 image
    

If after reading above text you still want to proceed, after login to the router through telnet run the following commands:

cd /tmp
curl https://raw.githubusercontent.com/acecilia/OpenWRTInvasion/master/firmwares/OpenWrt/06-06-2020/openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin --output firmware.bin # Put here the URL you want to use to download the firmware
./busybox sha256sum firmware.bin # Verify the firmware checksum before flashing, very important to avoid bricking your device!
mtd -e OS1 -r write firmware.bin OS1 # Install OpenWrt

This will install the snapshot version of OpenWrt (without Luci). You can now use ssh to connect to the router (and install Luci if you prefer it).

Performance:

Please see here for a complete performance analysis

For more info and support go to:

If you brick your device

You can find solutions in the following links:

Acknowledgments

  • Original vulnerabilities and exploit: UltramanGaia
  • Instructions to install OpenWrt after exploit execution: rogerpueyo
  • Testing and detailed install instructions: hey07
  • Checking the URL of pending updates: sicklesareterrible

Demo

Version 0.0.2 and higher: telnet

Alt Text

Version 0.0.1: netcat (legacy)

Alt Text