Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Success] Mi 4a Gigabit firmware 3.10.18 #150

Closed
menubboi opened this issue Sep 29, 2022 · 8 comments
Closed

[Success] Mi 4a Gigabit firmware 3.10.18 #150

menubboi opened this issue Sep 29, 2022 · 8 comments

Comments

@menubboi
Copy link

menubboi commented Sep 29, 2022
edited
Loading

Indian unit, used docker for exploit. But ftp connection was rejected by the router, Used Docker solution in windows for this.
@acecilia
Copy link
Owner

Added to the readme, thanks!

@firefoxOnFire
Copy link

Indian unit, used docker for exploit. But ftp connection was rejected by the router, Used Docker solution in windows for this.

Hey from where did you buy? can i know the version before buying?

@varkey
Copy link

varkey commented May 17, 2023
edited
Loading

@firefoxOnFire I can probably add to this, I purchased the Mi Router 4A Gigabit from Flipkart and received the unit yesterday. The manufacturing date printed on the box was 10/2021 and came with firmware 3.10.18 same as @menubboi.

I initially setup the device and tested if everything is working. I then ran the exploit script from a Ubuntu WSL terminal from Windows. The below is the script output.

varkey@mjolnir:~/OpenWRTInvasion$ python3 remote_command_execution_vulnerability.py
Router IP address [press enter for using the default 'miwifi.com']: 192.168.31.1
Enter router admin password: <password>
There two options to provide the files needed for invasion:
   1. Use a local TCP file server runing on random port to provide files in local directory `script_tools`.
   2. Download needed files from remote github repository. (choose this option only if github is accessable inside router device.)
Which option do you prefer? (default: 1)1
******
router_ip_address: 192.168.31.1
stok: <stok>
file provider: local file server
******
start uploading config file...
start exec command...
local file server is runing on 0.0.0.0:52081. root='script_tools'
Warning: the process has finished, but seems like ssh connection to the router is not working as expected.
* Maybe your firmware version is not supported, please have a look at https://github.com/acecilia/OpenWRTInvasion/blob/master/README.md#unsupported-routers-and-firmware-versions
* Anyway you can try it with: telnet 192.168.31.1

I just had to provide the IP address and admin password. The stok was retrieved automatically. I chose the use local TCP file server option, but only later it occurred to me that the local server running on Ubuntu WSL may not be reachable from the Mi router. Which is probably why SSH didn't work.

Anyway, I was able to telnet into the router, however FTP did not work (similar to @menubboi). I ended up directly downloading the OpenWRT firmware using wget. Note that HTTPS is not supported so you need to use an HTTP link which doesn't auto redirect to HTTPS, I used one of the OpenWRT mirrors.

After that ran the command to write the firmware, which took a few minutes to complete and the device rebooted.

root@XiaoQiang:/tmp# wget http://mirror.0x.sg/openwrt/releases/22.03.5/targets/ramips/mt7621/openwrt-22.03.5-ramips-mt7621-xiaomi_mi-router-4a-gigabit-squashfs-sysupgrade.bin
wget http://mirror.0x.sg/openwrt/releases/22.03.5/targets/r
amips/mt7621/openwrt-22.03.5-ramips-mt7621-xiaomi_mi-router-4a-gigabit-squashfs-
sysupgrade.bin
Connecting to mirror.0x.sg (118.189.187.101:80)
openwrt-22.03.5-rami 100% |*******************************|  6400k  0:00:00 ETA
root@XiaoQiang:/tmp# ls -l openwrt.bin
ls -l openwrt.bin
-rw-r--r--    1 root     root       6554224 May 17 11:47 openwrt.bin
root@XiaoQiang:/tmp# busybox sha256sum openwrt.bin
busybox sha256sum openwrt.bin
sha256sum: applet not found
root@XiaoQiang:/tmp# md5sum openwrt.bin
md5sum openwrt.bin
5c931d7c5dab8911da8416c5b142fbdf  openwrt.bin
root@XiaoQiang:/tmp# mtd -e OS1 -r write openwrt.bin OS1
mtd -e OS1 -r write openwrt.bin OS1
Unlocking OS1 ...
Erasing OS1 ...

Writing from openwrt.bin to OS1 ...
Rebooting ...

The busybox command to check the sha256sum did not work, so I ended up verifying the md5sum as a last resort. This is also probably because I ran the script from WSL Ubuntu and nothing could be fetched from the local file server.

@firefoxOnFire
Copy link

@firefoxOnFire I can probably add to this, I purchased the Mi Router 4A Gigabit from Flipkart and received the unit yesterday. The manufacturing date printed on the box was 10/2021 and came with firmware 3.10.18 same as @menubboi.

I initially setup the device and tested if everything is working. I then ran the exploit script from a Ubuntu WSL terminal from Windows. The below is the script output.

varkey@mjolnir:~/OpenWRTInvasion$ python3 remote_command_execution_vulnerability.py
Router IP address [press enter for using the default 'miwifi.com']: 192.168.31.1
Enter router admin password: <password>
There two options to provide the files needed for invasion:
   1. Use a local TCP file server runing on random port to provide files in local directory `script_tools`.
   2. Download needed files from remote github repository. (choose this option only if github is accessable inside router device.)
Which option do you prefer? (default: 1)1
******
router_ip_address: 192.168.31.1
stok: <stok>
file provider: local file server
******
start uploading config file...
start exec command...
local file server is runing on 0.0.0.0:52081. root='script_tools'
Warning: the process has finished, but seems like ssh connection to the router is not working as expected.
* Maybe your firmware version is not supported, please have a look at https://github.com/acecilia/OpenWRTInvasion/blob/master/README.md#unsupported-routers-and-firmware-versions
* Anyway you can try it with: telnet 192.168.31.1

I just had to provide the IP address and admin password. The stok was retrieved automatically. I chose the use local TCP file server option, but only later it occurred to me that the local server running on Ubuntu WSL may not be reachable from the Mi router. Which is probably why SSH didn't work.

Anyway, I was able to telnet into the router, however FTP did not work (similar to @menubboi). I ended up directly downloading the OpenWRT firmware using wget. Note that HTTPS is not supported so you need to use an HTTP link which doesn't auto redirect to HTTPS, I used one of the OpenWRT mirrors.

After that ran the command to write the firmware, which took a few minutes to complete and the device rebooted.

root@XiaoQiang:/tmp# wget http://mirror.0x.sg/openwrt/releases/22.03.5/targets/ramips/mt7621/openwrt-22.03.5-ramips-mt7621-xiaomi_mi-router-4a-gigabit-squashfs-sysupgrade.bin
wget http://mirror.0x.sg/openwrt/releases/22.03.5/targets/r
amips/mt7621/openwrt-22.03.5-ramips-mt7621-xiaomi_mi-router-4a-gigabit-squashfs-
sysupgrade.bin
Connecting to mirror.0x.sg (118.189.187.101:80)
openwrt-22.03.5-rami 100% |*******************************|  6400k  0:00:00 ETA
root@XiaoQiang:/tmp# ls -l openwrt.bin
ls -l openwrt.bin
-rw-r--r--    1 root     root       6554224 May 17 11:47 openwrt.bin
root@XiaoQiang:/tmp# busybox sha256sum openwrt.bin
busybox sha256sum openwrt.bin
sha256sum: applet not found
root@XiaoQiang:/tmp# md5sum openwrt.bin
md5sum openwrt.bin
5c931d7c5dab8911da8416c5b142fbdf  openwrt.bin
root@XiaoQiang:/tmp# mtd -e OS1 -r write openwrt.bin OS1
mtd -e OS1 -r write openwrt.bin OS1
Unlocking OS1 ...
Erasing OS1 ...

Writing from openwrt.bin to OS1 ...
Rebooting ...

The busybox command to check the sha256sum did not work, so I ended up verifying the md5sum as a last resort. This is also probably because I ran the script from WSL Ubuntu and nothing could be fetched from the local file server.

Finally booted to openwrt?? what is the space left after installing openwrt??

@varkey
Copy link

varkey commented May 17, 2023

@firefoxOnFire Yep, after that it booted into OpenWRT. Space left is 8MiB.

Screenshot 2023-05-17 at 1 22 28 PM

@varkey varkey mentioned this issue May 17, 2023
Open
@firefoxOnFire
Copy link

@firefoxOnFire Yep, after that it booted into OpenWRT. Space left is 8MiB.
Screenshot 2023-05-17 at 1 22 28 PM

Space left is 8MiB.

Thanks.

@iqs99
Copy link

iqs99 commented Oct 14, 2023

Can someone help me! I'm using the same 3.10.18 firmware. I want to connect my router with WISP. I tried connecting it through Wireless repeater mode but DHCP server is disabled and their is no setting provided to enable DHCP server in the router, while using it in Wireless repeater mode. My WISP requires router's DHCP server should be set Enable to use the service. Let me know if someone have solution. Thanks

@Zaratussstra
Copy link

It turned out to flash openwrt-23.05.4. First, I installed firmware 3.0.24 using TinyPXE, then flashed scripts with https://4pda.to/forum/index.php?showtopic=905966&view=findpost&p=95240419.
It was not possible to download the firmware via telnet, as it says here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@varkey @acecilia @iqs99 @Zaratussstra @menubboi @firefoxOnFire