Almost supported: Xiaomi RA75 aka MiWifi Range Extender AC1200

For Developers
1

Hi.

I have a xiaomi RA75 device, sold as "MiWifi Range Extender AC1200".
See https://fccid.io/2AFZZRA75 for hardware description and photos
These devices are rather cheap for a dual band device. I also like the form factor.

It is similar enough that it runs fine with the MIR4A_100M Firmware, 21.02.3 and 22.03.0-rc6 tested.

Differences, as far as I can see:

  • Only one LAN (maps to WAN-port)
  • Form factor (wall wart)

But the stock firmware is different so there is not easy way to install:

There is a nginx webserver on the device, but no HTML UI. The device needs to be configured by an app. This is annoying. Especially since OpenWRTInvasion does not work, because you can't find a stok, and the rest is also unlikely to work.
I have already put in the time of soldering an UART port, and from there the TFTP install method works (use the chinese, not the international version)
For me, this is good enough. The device won't be very popular until somebody finds a way for a solderless install.
But I am willing to document the hardware and maybe provide a patch to better support it.

Should this even be its own model? Seems a waste of resources to build its own image. The differences from R4A would only be the description and the switch config.

Jo

1 Like
2

I believe so. Additionally, this appears to have a large WPS button on the front that would require to be added to the dts as well.

3

I tried, but I have some problems overwriting led definitions from the base dtsi.

4

Also started the ToH-Page for this

5

I have connected with Putty but i cant wanser, becouse terminal wont stop to get option 2! Any help pls

6

Hi friends,
I have it now also, but the communication over the serial port is not ok.
If I set the 115200,8,N,1, then the first part of the data is not ok (U-Boot), only from the
The part "Linux started".
If I changed tto 115200,7,n,1, the is everything ok. The full protocol, but it's not possible to do anything with the keybord.

7

Hi,

I have tried to flash via TFTP method, I believe I ended up with a bootloop..

Here is my terminal output: https://pastebin.com/WeMzgMS8

What shall I do, do you have any recommendation? I tried initramfs and sys-upgrade images too, no success.

Did I do something wrong?

Thank you!

8

Which version exactly did you try ?
'checksum bad' sounds bad, but I have to check if I see this, too.

1 Like
9

Tried again (with openwrt-22.03.0-ramips-mt76x8-xiaomi_mi-router-4a-100m-squashfs-sysupgrade.bin) and a factory fresh unit. Was able to flash without a problem.
Maybe there are different versions on the market? Where did you buy yours?

1 Like
10

Hi Johannes,

Thank you for trying to help. I bought it from a Hungarian webshop. Once home, I will try to flash again with the file you have mentioned.

I am able to access the bootloader and flash via tftp.. Also, I managed to access the failsafe, so I believe I will be able to recover..

My mistake can be, that I had it configured earlier and did not reset the factory fw settings before flashing..

Any idea I can try in failsafe?

Thanks!

11

I don't recall from the top of my head all the versions, I tried the latest for sure and some older versions too..

Sysupgrade and initramfs as well..

12

On the end I managed to flash and boot the image. The reason I could not in the beginning, is that I did not use the power source of the device, I powered it through the UART.

After connecting the main power source and the GND, RX, TX (Vcc disconnected), I was able to boot openwrt.

Thanks for your help!

Peter

13

Greetings.

i have been able to install the openwrt on the RA75
using the KERNEL and SYSUPDATE image form the technical data page.
but i'm not able to acces it.
via the LAN i got a nginx 403 for luci
and a rejected connection via ssh

i know the device share the firmware with the MIR4A_100M as described
but no coonnection is posible

is there something am i missing to get acces to it?

it has a dhcp server running on wireless and the ethernet port
Wireless 192.168.41.0/24
Ethernet Port 192.168.51.0/24

i tried seting up a 192.168.1.0/24 address on the devices so see if there is a way to acces it via this address pool but no luck, either connecting a wan cable to it will not get an ip or give me internet access.

i am trying to build a new image form source for this devices using the MIR4A_100M profile i'll share any progress,
if u can help me with any config for the build or the problems i'm having please let me know

Thanks

14

Hi,
In the config from the 100m, the only ethernet port is the WAN port, and this is firewalled
You have to change this from the serial console.
Either

  • Disable firewall and connect to the DHCP'ed address
  • Switch the eth Ports in /etc/config/network and access via 192.168.1.1

This is one of the things that should be better in the release version.
If you want to test, please try my patch https://github.com/jdeisenh/openwrt/tree/xiaomi-ra75

Jo

1 Like
15

Hi,
FYI - it is actually possible to get stok. However seems none of currently known exploits work.

Just open that in your browser, and you get stok straight away:

http://192.168.1.241/cgi-bin/luci/api/xqsystem/login?username=admin&password=admin

And you are in:

http://192.168.1.241/cgi-bin/luci/;stok=82dc743947aef975c48d4646c5e12de5/api/misystem
{"hardware":{"channel":"release","sn":"xxx","mac":"xxx","platform":"RA75","version":"1.0.94"},"code":0,"upTime":"4277.62","mem":{"type":"DDR2","usage":0.37,"hz":"800MHz","total":"64MB"},"temperature":0,"cpu":{"load":0,"hz":"580MHz","core":1},"count":{"online":0,"all":0},"dev":,"wan":{"upspeed":"0","devname":"","maxuploadspeed":"0","upload":"0","maxdownloadspeed":"0","download":"0","downspeed":"0"}}

Hopefully there is a chance for non intrusive method some day.

3 Likes
16

I can confirm that using @mindakas instructions: I can get stok, but openwrtinvasion fails to do anything.

Extender IP/cgi-bin/luci/api/xqsystem/login?username=admin&password=admin

{"url":"/cgi-bin/luci/;stok=62c4cc81e1389c0f15142d55cf231f39/web/home","code":0,"token":"62c4cc81e1389c0f15142d55cf231f39"}

Extender IP/cgi-bin/luci/;stok=62c4cc81e1389c0f15142d55cf231f39/api/misystem

{"hardware":{"channel":"release","sn":"x","mac":"x","platform":"RA75","version":"1.0.81"},"code":0,"upTime":"287.85","mem":{"type":"DDR2","usage":0.37,"hz":"800MHz","total":"64MB"},"temperature":0,"cpu":{"load":0,"hz":"580MHz","core":1},"count":{"online":0,"all":0},"dev":[],"wan":{"devname":"","upspeed":"0","maxuploadspeed":"0","upload":"0","maxdownloadspeed":"0","download":"0","downspeed":"0"}}

It's curious that I have a lower firmware version.

1 Like
17

If you see garbage in uboot or you can't select 2 in u boot menu It's bad USB to ttl. I had the same problem with ch340g. I tried an old rs232 to ttl and worked instantly.

18

I guess the owners of RA75 most common use case is as a range extender or dumb AP.

I was trying to configure it after flashing via console to disable firewall and switch ports but didn't succeed.

Is it possible to make a firmware with your patch, that has it initially configured as AP and build it with https://github.com/P3TERX/Actions-OpenWrt ? This will make it a lot easier

19

Hi,
I am optimistic to get my patches merged soon. I'd rather put my effort on this route, but the link looks interesting, I'll keep that in mind.
(BTW: Log in via console and disable the firewall should get you started)

Jo

20

I can only see log when I connect via serial and cannot get the console itself