May not work with firmware 3.2.26 #140

Closed
arihid opened this issue Aug 17, 2022 · 21 comments

arihid commented Aug 17, 2022

The log showed success, but I can't ssh/telnet/ftp to this.
Device details:
Xiaomi Mi Router 4A Gigabit Edition (Global)
Firmware: 3.2.26
Production date: 05/21

Here is the log:

Router IP address [press enter for using the default 'miwifi.com']: 192.168.31.1
Enter router admin password: 12345678
There two options to provide the files needed for invasion:
   1. Use a local TCP file server runing on random port to provide files in local directory `script_tools`.
   2. Download needed files from remote github repository. (choose this option only if github is accessable inside router device.)
Which option do you prefer? (default: 1)1
****************
router_ip_address: 192.168.31.1
stok: <cleaned>
file provider: local file server
****************
start uploading config file...
start exec command...
local file server is runing on 0.0.0.0:61653. root='script_tools'
done! Now you can connect to the router using several options: (user: root, password: root)
* telnet 192.168.31.1
* ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null root@192.168.31.1
* ftp: using a program like cyberduck

Owner

acecilia commented Sep 8, 2022

Version 3.0.10 is reported to work: #145

Author

arihid commented Sep 8, 2022

I tried to downgrade, but it won't accept a downgrade, unlike the AX6S, which accepts a downgrade to the internal beta.
I went with the flash programmer route and it succeeded, but I will leave this open for future reference.

Owner

acecilia commented Sep 8, 2022

Did you manage to make it work then?

Author

arihid commented Sep 8, 2022

Yes, it's running the current stable version of OpenWrt.

Owner

acecilia commented Sep 8, 2022

If you explain in detail how you did it, I can add it to the readme and close this issue (I do not know what "flash programmer" is)

Owner

acecilia commented Sep 8, 2022

Also, which operating system did you use?

Author

arihid commented Sep 9, 2022

This post here described how to read the firmware, edit the necessary value and flash it back using an SPI flash programmer, as first discovered and described in this post.
It is reported that reading the flash content in Windows tends to yield a corrupted image, so I used Ubuntu 22 in a VM and it worked.
The chip is supposed to be "GD25Q127C/GD25Q128C", not "GD25Q128C" for this particular device.


ElclarkKuhu commented Sep 9, 2022

Does anyone have the 3.2.26 firmware file? I had access to the shell but I accidentally flashed a corrupted file. I tried to flash Global 3.0.24 and Chinese 2.28.62; both fail using either MIWIFIRepairTool or PXE Server.

Owner

acecilia commented Sep 9, 2022

Added a mention to the readme, thanks!

acecilia closed this as completed Sep 9, 2022

@tangmingxing1988
Contributor

Sorry to bother you, should I use a TTL to USB adapter to interact with UART?

This is not listed in the post but in the referenced post.

Author

arihid commented Sep 17, 2022

> Sorry to bother you, should I use a TTL to USB adapter to interact with UART?
>
> This is not listed in the post but in the referenced post.

Yes, use USB to TTL to interact with UART.

> Does anyone have the 3.2.26 firmware file? I had access to the shell but I accidentally flashed a corrupted file. I tried to flash Global 3.0.24 and Chinese 2.28.62; both fail using either MIWIFIRepairTool or PXE Server.

I only have my dump, but I won't recommend using it.

Author

arihid commented Oct 11, 2022 via email

@yonkyunior

I only found out after I bought it that OpenWRTInvasion isn't able to open telnet,
but somehow the R3GV2 patches could open telnet. What I did was flash Padavan, and now I can't unbrick it to the original firmware again.


awannawa commented Dec 7, 2022

Hello Sir, do you still have a backup of the stock firmware 3.2.26? Can I get it?

Author

arihid commented Dec 8, 2022

For everyone who needs the 3.2.26 firmware dump: I will attach my dumped firmware. The following values have been purged, so you will need to edit the values prior to flashing. Flash this firmware with an SPI flash programmer after adjusting the values accordingly.
DO NOT FLASH THE FILE AS IS, YOUR DEVICE INFORMATION WILL BE OVERWRITTEN!!

Current modified NVRAM values:

bootdelay=0
ethaddr="00:AA:BB:CC:DD:10"
SN=12345/A1RQ01234
wl0_ssid=Xiaomi_AABB_CCDD_5G
wl1_ssid=Xiaomi_AABB_CCDD
nv_wifi_pwd=12345678
CountryCode=ID

bootdelay is the timer that delays the boot process, in seconds. 0 means it will not wait for user interaction. Change this value to >0.
I left normal_firmware_md5 and nv_sys_pwd as is. I guess the normal_firmware_md5 value would be required to verify the firmware, and nv_sys_pwd is the encrypted password string set upon setup (usually the same as the WiFi password). The WebUI password shall be 12345678. If you can't log in to the WebUI, try resetting the router once.

@ElclarkKuhu sorry if this took a long time. Back then I decided not to share my dumped firmware for reasons. Idk whether this might work or not on your device.

r4a.zip


awannawa commented Dec 8, 2022

Thank you for the dumped fw 3.2.26 sir, can I just flash this bin file with Tiny PXE Server 1.0.0.23?

Author

arihid commented Dec 8, 2022

> Thank you for the dumped fw 3.2.26 sir, can I just flash this bin file with Tiny PXE Server 1.0.0.23?

I don't know, can't recommend


awannawa commented Dec 8, 2022

> > Thank you for the dumped fw 3.2.26 sir, can I just flash this bin file with Tiny PXE Server 1.0.0.23?
>
> I don't know, can't recommend

Thank you sir for the fw dump...
Still finding the best solution without SPI hehehe

@yonathanarya

> This post here described how to read the firmware, edit the necessary value and flash it back using an SPI flash programmer, as first discovered and described in this post. It is reported that reading the flash content in Windows tends to yield a corrupted image, so I used Ubuntu 22 in a VM and it worked. The chip is supposed to be "GD25Q127C/GD25Q128C", not "GD25Q128C" for this particular device.

How did you manage to install OpenWRT on this firmware version? I got the same router, but still can't find how to install it. I already flashed the SPI chip and can control UART, but I can't flash it from there, either. Did I miss something?

@yonathanarya

Forget it, I managed to install OpenWRT successfully now. Since I can access the UART, I can also flash the file from there by downloading the binary using wget and flashing using mtd.

@NaufalF22

Just tried it myself and I can access telnet without flashing the SPI chip
