Almost supported: Xiaomi RA75 aka MiWifi Range Extender AC1200

Hi, I'm new to the group. I have a Xiaomi extender RC04. Can someone please help me with some instructions on how to install OpenWrt firmware?
A video would be so amazing, or if someone can find a YouTube video with this specific device.
I'm asking a lot, I know, but it's because I don't want to make a mistake and brick my device in a bootloop.

Hi Comi7,

Your device is an RC04, the same as my device.
We need:

  1. Photos of the UART/serial pin labels
  2. A CH341A to dump and flash the firmware with a modified boot_wait (Almost supported: Xiaomi RA75 aka MiWifi Range Extender AC1200 - #111 by tinamore)
  3. And a USB-to-TTL device to access UART and upload the OpenWrt firmware

But we still need more detail on how to flash properly with the CH341A.

Finally I got my CH341A. I modded my CH341A from 5 V to a fixed 3.3 V.

Here are my steps trying to flash OpenWrt:

I use this https://github.com/bigbigmdm/IMSProg
on my Void Linux OS.

  1. Dump the stock firmware from the RC04
  2. Mod boot_wait
  3. Erase
  4. Flash the modded firmware from step two
  5. Verify

All steps were done without any issues.

But when I plug my RC04 into the wall socket, the blue light doesn't come on at all, so I thought it looked like I had made the IC die.

Which step is wrong? Please help me.
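The dump/mod/erase/flash/verify sequence above has two places where a silent mistake ends in a dead-looking device: a bad read (blank or all-zero image written back) and an edit that touched more than the boot_wait setting. The following is an added example, not code from the thread or from IMSProg, showing the checks a cautious person would run on the dump files before pressing "flash". It assumes a 16 MiB chip (the W25Q128JV size), that the chip is read twice so the two reads can be compared, and that boot_wait is stored as an ASCII `boot_wait=<value>` string in a U-Boot-style environment block; the three-sector toy image and the modified value `on` are constructed for the demonstration.

```python
"""Sanity checks for a SPI-NOR flash dump before it is written back.

Added example, not code from the thread or from IMSProg. Assumptions:
a 16 MiB chip like the W25Q128JV mentioned in the thread, two independent
reads of the chip, and a U-Boot-style ASCII "boot_wait=<value>" variable
stored somewhere in the image. The toy image below is constructed.
"""
import hashlib
import re

SECTOR = 4096                       # typical SPI-NOR erase sector
W25Q128_SIZE = 16 * 1024 * 1024     # 128 Mbit = 16 MiB (assumed chip size)


def check_dump(dump: bytes, expected_size: int = W25Q128_SIZE) -> list:
    """Return a list of problems; an empty list means the dump looks plausible."""
    problems = []
    if len(dump) != expected_size:
        problems.append(f"size {len(dump)} != expected {expected_size}")
    if not dump or dump.count(0xFF) == len(dump):
        problems.append("image is blank (all 0xFF): read failed or chip already erased")
    elif dump.count(0x00) == len(dump):
        problems.append("image is all 0x00: programmer is not talking to the chip")
    return problems


def dumps_match(first: bytes, second: bytes) -> bool:
    """Two back-to-back reads must hash identically; otherwise the wiring is flaky."""
    return hashlib.sha256(first).digest() == hashlib.sha256(second).digest()


def find_boot_wait(dump: bytes) -> list:
    """Locate every ASCII 'boot_wait=<value>' string as (offset, value) pairs."""
    return [(m.start(), m.group(1).decode("ascii", "replace"))
            for m in re.finditer(rb"boot_wait=([^\x00]*)\x00", dump)]


def diff_regions(before: bytes, after: bytes, granularity: int = SECTOR) -> list:
    """Sector indices that differ between two same-sized images.

    After editing only boot_wait, exactly one sector (the env block) should
    change; anything more means the editor touched something it should not have.
    """
    if len(before) != len(after):
        raise ValueError("images differ in size")
    return [i // granularity for i in range(0, len(before), granularity)
            if before[i:i + granularity] != after[i:i + granularity]]


def make_sample(boot_wait: bytes) -> bytes:
    """Constructed three-sector toy image: fake loader, env sector, erased sector."""
    env = b"bootdelay=1\x00boot_wait=" + boot_wait + b"\x00"
    sector0 = b"\xAA" * SECTOR
    sector1 = env + b"\x00" * (SECTOR - len(env))
    sector2 = b"\xFF" * SECTOR
    return sector0 + sector1 + sector2


if __name__ == "__main__":
    stock = make_sample(b"0")       # the thread says stock boot_wait is 0
    modded = make_sample(b"on")     # "on" is a constructed target value
    print("problems:", check_dump(stock, expected_size=len(stock)))
    print("boot_wait:", find_boot_wait(stock), "->", find_boot_wait(modded))
    print("sectors changed by the mod:", diff_regions(stock, modded))
```

Run it against real files by reading the two dumps and the edited image with `open(path, "rb").read()`: refuse to flash if `check_dump` reports anything, if the two reads do not match, or if `diff_regions` lists more than the single sector you meant to edit.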

New update:

The EEPROM IC is dead; I don't know what made the IC die.
I changed it for a Winbond W25Q128JV,
flashed ra75-fullbackup.bin,
and followed the serial steps to flash the OpenWrt firmware.

If anyone needs more detail on my steps, I can share it.

Hi ndrancs, I saw you replied to my post. Because we have the same device I thought I would try to flash OpenWrt, but I have no idea how to do it. I was hoping there would be a tutorial for our device, but it seems like you tried to flash the new firmware and had troubles. If you successfully did it, can you make a tutorial for me? I know I'm asking too much.
If you can contact me it would be so amazing; we could speak on Telegram, @whoiscomi.

Hi!
Please help me figure out why the firmware is not uploading. The subject is an RA75. I use an ESP32 as a serial interface with USB-TTL. The chip on the ESP32 board is a CP2101. I can see the boot on the serial console, and I can choose option 1 or 2. If I choose option 1 I can flash the initramfs kernel. I can log into LuCI, but it warns me that this system is initramfs. From LuCI I've tried the system upgrade, but after that the original system always boots.
If I choose option 2, the original system always boots.

Flash the sysupgrade file, not the kernel.

From left to right in the photo (left is up when plugged in):
3.3V VCC, RX, GND, TX
It's the same as the RA75, just unmarked.
I had much more trouble getting some solder to stick.

(corrected: VCC voltage)

Got an RC04 for analysis. Some notes:

The RC04 is a newer variant of the RA75. It seems to have replaced it in 2023.
From the outside, they are identical. The model number is listed on the device sticker.
The change is a newer 5 GHz Wi-Fi chipset; the rest is basically the same.

Unfortunately, flashing these devices is even harder. The timeout for selecting a boot via TFTP (boot_wait) is set to 0, which prevents booting from TFTP.
The only known way to flash OpenWrt on these devices is to change the boot config via an SPI flasher. This is similar to other OpenWrt devices; there is a lot about this in the forum (not tried personally, so I cannot write a HOWTO right now).
Then it's the same as for the RA75, but you will have to add a different module for the WLAN hardware, taking away some memory. This could be fixed with a special build, if there is enough interest, but this probably only makes sense if an easier exploit is found. The 5 people using it otherwise could just compile it themselves.

Find an exploit:

On other Xiaomi devices, some weaknesses have been detected that allow a break-in (OpenWrtInvasion). None of these methods seem to work on the RA75/RC04.
The reason is that it only communicates with an app via UDP on port 54321 using the "Xiaomi MiHome Binary protocol". The protocol is shared with a lot of other Xiaomi devices, like cameras, light bulbs and vacuum robots. This protocol has been partly reverse engineered, and it's possible to get a valid token and call arbitrary commands. This could in theory be used to find an exploit in one of the commands. Not sure if the backend of the router is also written in Lua, but it's plausible. Thus, it probably can be decompiled the same way this is done on other routers.

So the current status on the RC04 is:

  • Flashing to OpenWrt is possible, but hard (needs some additional but cheap hardware, and a lot of fiddling). In most cases, buying a slightly more expensive router would be far easier and cheaper. If you have the hardware and feel confident about the process: please do, and if possible contribute a HOWTO. The high voltage in the device is completely shielded, which makes it quite safe to experiment.
  • There is no exploit currently known to me that would allow flashing without manipulating the hardware from the inside. It is likely that such an exploit exists and can be found; it is less likely that somebody is motivated and skilled enough to make it happen.
    I can contribute a sysimage for the device with the right WLAN hardware, if there is some interest.
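The post above explains that the RA75/RC04 talks to its app only over UDP port 54321 using the shared MiHome binary protocol, which is why the OpenWrtInvasion-style methods do not apply. For anyone who wants to recognise that traffic on their own LAN (for an inventory, a capture summary or an IDS-style rule), the following is an added example, not code from the thread or from any Xiaomi project. It decodes only the fixed 32-byte header, whose layout is the publicly documented miIO format (magic 0x2131, total length, four reserved bytes, device id, stamp, 16-byte MD5 checksum, then the encrypted payload); the sample datagrams, device id and stamp values are constructed, and no token handling or command sending is implemented.

```python
"""Recognise Xiaomi miIO ("MiHome Binary protocol") datagrams on UDP 54321.

Added example, not code from the thread. The header layout follows the
publicly documented miIO format (as used by python-miio): magic 0x2131,
total length, 4 reserved bytes, device id, stamp, 16-byte MD5 checksum,
then the AES-encrypted payload. Only the header is decoded; the sample
datagrams below are constructed, and the device id/stamp values are made up.
"""
import struct
from dataclasses import dataclass

MIIO_PORT = 54321
MIIO_MAGIC = 0x2131
HEADER = struct.Struct("!HHIII16s")     # 32-byte fixed header, big-endian


@dataclass
class MiioPacket:
    length: int
    reserved: int
    device_id: int
    stamp: int
    checksum: bytes
    payload: bytes

    @property
    def is_hello(self) -> bool:
        """A discovery request is a bare header with every field after length set to 0xFF."""
        return self.length == HEADER.size and self.device_id == 0xFFFFFFFF


def parse_miio(datagram: bytes) -> MiioPacket:
    """Decode the fixed header; raise ValueError for anything that is not miIO."""
    if len(datagram) < HEADER.size:
        raise ValueError("too short for a miIO header")
    magic, length, reserved, device_id, stamp, checksum = HEADER.unpack_from(datagram)
    if magic != MIIO_MAGIC:
        raise ValueError(f"bad magic 0x{magic:04x}")
    if length != len(datagram):
        raise ValueError(f"length field {length} != datagram size {len(datagram)}")
    return MiioPacket(length, reserved, device_id, stamp, checksum, datagram[HEADER.size:])


def classify(datagram: bytes) -> str:
    """Label a datagram for a capture summary or an IDS-style rule."""
    try:
        pkt = parse_miio(datagram)
    except ValueError:
        return "not-miio"
    if pkt.is_hello:
        return "hello-request"
    if not pkt.payload:
        return "hello-reply"        # device answers with its id and uptime stamp
    return "encrypted-message"      # token-keyed command/response traffic


def build_packet(device_id: int, stamp: int, checksum: bytes, payload: bytes = b"") -> bytes:
    """Assemble a datagram for the constructed samples (no encryption involved)."""
    return HEADER.pack(MIIO_MAGIC, HEADER.size + len(payload), 0,
                       device_id, stamp, checksum) + payload


# Constructed samples: the well-known hello probe, a fake reply, a fake message.
HELLO_REQUEST = b"\x21\x31\x00\x20" + b"\xff" * 28
SAMPLE_REPLY = build_packet(0x0A1B2C3D, 1234, b"\x11" * 16)
SAMPLE_MESSAGE = build_packet(0x0A1B2C3D, 1235, b"\x22" * 16, payload=b"\x00" * 16)


if __name__ == "__main__":
    for name, data in [("hello", HELLO_REQUEST), ("reply", SAMPLE_REPLY), ("msg", SAMPLE_MESSAGE)]:
        pkt = parse_miio(data)
        print(f"{name}: {classify(data)} id=0x{pkt.device_id:08x} stamp={pkt.stamp} ({len(data)} bytes)")
```

Feed `classify` the UDP payload of each datagram to or from port 54321 (for example from a pcap via a library of your choice); a burst of `hello-request` datagrams followed by `hello-reply` answers is the app discovering devices, and a steady stream of `encrypted-message` traffic is a paired app talking to the extender.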