Comi7
126
Hi, I'm new to the group. I have a Xiaomi extender RC04. Can someone please help me with some instructions on how to install an OpenWrt firmware?
A video would be so amazing, or if someone can find a YouTube video with this specific device.
I'm asking a lot, I know, but it's because I don't want to make a mistake and brick my device into a bootloop.
Hi Comi7,
Your device is RC04, the same as my device.
We need:
- Photos of the UART/serial pin labels
- A CH341A to dump and flash the firmware with modified boot_wait (Almost supported: Xiaomi RA75 aka MiWifi Range Extender AC1200 - #111 by tinamore)
- And a USB-to-TTL device to access UART and upload the OpenWrt firmware
But we still need more detail on how to flash properly with the CH341A.
Finally I got my CH341A. I modded my CH341A from 5 V to a fixed 3.3 V.
Here are my steps trying to flash OpenWrt:
I use this https://github.com/bigbigmdm/IMSProg
on my Void Linux OS.
- Dump the stock firmware from the RC04
- Mod boot_wait
- Erase
- Flash the modded firmware from step two
- Verify
All steps completed without any issues.
But when I plug my RC04 into the wall socket, the blue light doesn't come on at all, so I thought it looked like I had killed the IC.
Which step is wrong? Please help me.
New update:
The EEPROM IC is dead; I don't know what made the IC die.
I replaced it with a Winbond W25Q128JV,
flashed ra75-fullbackup.bin,
and followed the serial steps to flash the OpenWrt firmware.
If anyone needs more detail on my steps, I can share it.
Comi7
131
Hi ndrancs, I saw you replied to my post. Because we have the same device, I thought I'd try to flash OpenWrt, but I have no idea how to do it. I was hoping there would be a tutorial for our device, but it seems like you tried to flash the new firmware and had troubles. If you successfully did it, can you make a tutorial for me? I know I'm asking too much.
If you could contact me, it would be so amazing if we could speak on Telegram: @whoiscomi.
Hi!
Please help me figure out why the firmware is not uploading. The subject is an RA75. I use an ESP32 as a serial interface with USB-TTL. The chip on the ESP32 board is a CP2101. I can see the boot on the serial; I can choose option 1 or 2. If I choose option 1, I can flash the initramfs-kernel. I can log into LuCI, but it warns me that this system is initramfs. From LuCI I've tried the system upgrade, but after that the original system always boots.
If I choose option 2, the original system always boots.
Flash the sysupgrade file, not the kernel.
From left to right in the photo (left is up when plugged in):
3.3V VCC, RX, GND, TX
It's the same as the RA75, just unmarked.
I had much more trouble getting some solder to stick.

(corrected: VCC voltage)
Got an RC04 for analysis. Some notes:
The RC04 is a newer variant of the RA75. It seems to have replaced it in 2023.
From the outside, they are identical. The model number is listed on the device sticker.
The changes are a newer 5GHz WiFi chipset; the rest is basically the same.
Unfortunately, flashing these devices is even harder. The timeout for selecting a boot via TFTP (boot_wait) is set to 0, disallowing booting from TFTP.
The only known way to flash OpenWrt on these devices is to change the boot config via a SPI flasher. This is similar to other OpenWrt devices; there is a lot about this in the forum (not tried personally, so I cannot write a HOWTO right now).
Then it's the same as for the RA75, but you will have to add a different module for the WLAN hardware, taking away some memory. This could be fixed with a special build, if there is enough interest, but this probably only makes sense if an easier exploit is found. The 5 people using it otherwise could just compile it themselves.
Find an exploit:
On other Xiaomi devices, some weaknesses have been detected that allow a break-in (OpenWrtInvasion). None of these methods seem to work on the RA75/RC04.
The reason is that it only communicates with an app via UDP on port 54321 via the "Xiaomi MiHome Binary protocol". The protocol is shared with a lot of other Xiaomi devices, like cameras, lightbulbs and vacuum robots. This protocol has been partly reverse engineered, and it's possible to get a valid token and call arbitrary commands. This could in theory be used to find an exploit in one of the commands. Not sure if the backend of the router is also written in Lua, but it's plausible. Thus, it can probably be decompiled the same way this is done on other routers.
So the current status on RC04 is:
- Flashing to OpenWrt is possible, but hard (needs some additional but cheap hardware, and a lot of fiddling). In most cases, buying a slightly more expensive router would be far easier and cheaper. If you have the hardware and feel confident about the process: please do, and if possible contribute a HOWTO. The high voltage in the device is completely shielded, which makes it quite safe to experiment.
- There is no exploit currently known to me that would allow flashing without manipulating the hardware from the inside. It is likely that such an exploit exists and can be found; it is less likely that somebody is motivated and skilled enough to make it happen.
I can contribute a sysimage for the device with the right WLAN hardware, if there is some interest.
2 Likes
Got the ROM extracted. No luck with using the test clip; had to get the flash chip off the board.
binwalk extracted it fine. The Lua code is JIT compiled, but https://luadec.metaworm.site/ converts it into something quite readable. Not complex; forks a lot of system utilities.
Unfortunately, my RC04 seems not to have survived, so I am kind of stuck here.
OK, it's only my CH341A that was broken. The LDO is not made to backpower the router for longer.
The WiFi chip on the RC04 is the MT7663, replacing the MT7662. It needs additional driver modules:
kmod-mt7615e
kmod-mt7663-firmware-ap (or -sta)
This gives you a perfectly usable router. If only installing would be easier. I could use some help finding an exploit. Please contact me if you have some experience with that.
Full process for RC04 was:
- Opening the device
- Soldering a header for the serial port
- Unsolder the flash rom (if test clip does not work)
- Change the boot variable as described by tinamore above
- Resolder the Flash
- Boot via serial console, choose 2
- Feed it the sysupgrade file for RA75 via tftp
- Log in after install and reboot
- Install two additional kernel modules
It can only get easier from here.
2 Likes
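The "Change the boot variable" step above (and ndrancs' "Mod boot_wait" step earlier in the thread) is done on the SPI flash dump. In the classic U-Boot environment layout, the variables sit behind a 4-byte CRC32 header; a plain hex edit that changes a value without refreshing that CRC makes stock U-Boot reject the whole block at boot and fall back to its built-in defaults. The script below is an added example, not code from the thread or from the OpenWrt project: it finds such an env block in a dump, patches one variable and recomputes the CRC, and shows that a naive byte edit fails the check. The layout (non-redundant env, 4 KiB block on a sector boundary), the sample image, and the variable values are constructed assumptions; nobody in the thread has confirmed that the RC04 bootloader stores boot_wait this way, so inspect a real dump (binwalk, strings) before relying on it.

```python
"""Locate, verify and patch a classic U-Boot environment block in a SPI
flash dump, refreshing the CRC32 header so the bootloader accepts it.

Constructed example. Assumed layout (mainline U-Boot, non-redundant env):
  4-byte little-endian CRC32 over the data area, then NUL-separated
  key=value strings, terminated by an empty string. Whether the RC04's
  bootloader uses this layout is an assumption, not established here.
"""
import struct
import zlib

ENV_SIZE = 0x1000   # assumed environment size (4 KiB)
SECTOR = 0x1000     # SPI-NOR erase-sector step used when scanning a dump


def build_env(pairs, env_size=ENV_SIZE):
    """Serialise key=value pairs into a CRC-protected env block."""
    body = b"".join(f"{k}={v}".encode() + b"\x00" for k, v in pairs) + b"\x00"
    if len(body) > env_size - 4:
        raise ValueError("environment does not fit in the block")
    body = body.ljust(env_size - 4, b"\x00")
    crc = zlib.crc32(body) & 0xFFFFFFFF
    return struct.pack("<I", crc) + body


def parse_env(block):
    """Return ({key: value}, crc_ok) for one env block."""
    stored = struct.unpack_from("<I", block, 0)[0]
    body = block[4:]
    crc_ok = (zlib.crc32(body) & 0xFFFFFFFF) == stored
    env = {}
    for item in body.split(b"\x00"):
        if not item:            # an empty string terminates the environment
            break
        key, _, value = item.partition(b"=")
        env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env, crc_ok


def find_env(image, env_size=ENV_SIZE, step=SECTOR):
    """Scan sector-aligned offsets for a block whose stored CRC verifies."""
    hits = []
    for off in range(0, len(image) - env_size + 1, step):
        env, ok = parse_env(image[off:off + env_size])
        if ok and env:
            hits.append((off, env))
    return hits


def patch_env_var(image, offset, key, value, env_size=ENV_SIZE):
    """Return a copy of image with key=value set in the env block at offset."""
    env, ok = parse_env(image[offset:offset + env_size])
    if not ok:
        raise ValueError("refusing to patch a block whose CRC is already bad")
    env[key] = value            # dict preserves order, so the layout stays stable
    return image[:offset] + build_env(env.items(), env_size) + image[offset + env_size:]


def naive_byte_edit(image, old, new):
    """What a hex editor does: swap bytes in place, CRC header untouched."""
    if len(old) != len(new):
        raise ValueError("in-place edit must keep the length")
    return image.replace(old, new, 1)


def make_sample_image():
    """Constructed 64 KiB dump: erased flash (0xFF) with an env block at 0x3000."""
    env = build_env([
        ("bootcmd", "tftp"),
        ("boot_wait", "0"),               # constructed: TFTP menu disabled
        ("serverip", "192.168.41.100"),   # constructed: address U-Boot would fetch from
        ("ipaddr", "192.168.41.1"),
    ])
    image = bytearray(b"\xff" * 0x10000)
    image[0x3000:0x3000 + ENV_SIZE] = env
    return bytes(image)


if __name__ == "__main__":
    img = make_sample_image()
    (off, env), = find_env(img)
    print(f"env at 0x{off:x}: boot_wait={env['boot_wait']} serverip={env['serverip']}")
    good = patch_env_var(img, off, "boot_wait", "5")
    print("patched, CRC ok:", parse_env(good[off:off + ENV_SIZE])[1])
    bad = naive_byte_edit(img, b"boot_wait=0", b"boot_wait=5")
    print("hex-edit only, CRC ok:", parse_env(bad[off:off + ENV_SIZE])[1])
```

Run it against a real dump by replacing `make_sample_image()` with `open("dump.bin", "rb").read()` and checking that `find_env` reports exactly one plausible block before patching. The same block also shows where the "TFTP from server ..." address discussed later in the thread comes from on stock U-Boot: it is the `serverip` variable, which a `dhcp` command in the boot script can overwrite.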
Jane1
138
I'm super new to this, but I really want to know how to install OpenWrt on this Xiaomi Mi WiFi Range Extender AC1200.
I have the UART USB, and I already soldered the wires and installed the driver for Windows.
Now how do I flash it? I know there is a video with the Xiaomi Router 3, because it's almost the same, but I watched that and I don't understand anything in it.
So Please Im really noob on this
I want a clear and easy to understand explanation
First things first: check whether your Mi extender is an RA75 or an RC04. If it is an RA75, you can flash it super easily: connect UART to the board, use PuTTY to control the board, and load the factory firmware through a TFTP server.
About the RC04, I'm not very sure what he said, but you need more electronics skill to flash the firmware to the board.
Comi7
140
I installed the 'rc75.bin' firmware on my device, which I obtained from here; someone shared it with a Drive link. However, my device is actually an 'rc04'. I did this in order to access U-Boot, because after backing up the device memory
and editing the 'boot_wait' parameter with ImHex Editor and reflashing it, I couldn't access U-Boot.
Now that I'm in U-Boot, I'm encountering a 'checksum bad' error. I've also tried redownloading the firmware from the OpenWrt website, but I keep encountering this error. Does anyone know of a solution for this?
Don't worry about the "checksum bad".
You seem to have a problem when fetching the firmware from your TFTP server 192.168.41.100.
Not started/firewalled/wrong IP?
Comi7
142
I've attempted to use both the TFTPD64 server IP (192.168.31.100) and the router IP (192.168.31.1), but I'm consistently encountering a checksum error message. My Windows system is running a light version without Defender or firewall enabled. Since I'm still receiving this error, could this issue possibly be specific to TFTPD64? Or should I consider trying this software on a fresh Windows installation?
Please look again at the output you posted.
"TFTP from server 192.168.41.100".
It tries to fetch TFTP from 192.168.41.100, not 192.168.31.100. Typo in the DHCP config? That wrong IP address must come from somewhere...
Comi7
144
Hi
I have an RC04 device, and I recently erased and flashed it with the RC75 firmware that was posted above in this forum post. Before flashing, I couldn't access the ramdisk U-Boot because the timeout was set to 0. I installed the RC75 firmware, which had a default timeout of 5 seconds compared to the RC04's 0 seconds.
After flashing the RC75 firmware, every time I attempt to enter U-Boot, the timeout is still set to 0.
Is there a way to fix this issue, or do I need to change the bootloader? Does the RC75 firmware come with its own bootloader, or should I take additional steps?
If someone has their firmware.bin backup, can you share it via a link?
Any help would be greatly appreciated!
Hi,
Are you sure that flashing worked? Full flash with a clip or something else?
RC75 should always give you the countdown. What exactly did you flash?
Comi7
146
Hi Joannes,
I downloaded the firmware from @xabolcs using the following link:
Firmware Download
After using the raw firmware I still had a countdown of 0.
So after editing the firmware to set boot_delay to 5, I'm still encountering issues. The countdown in PuTTY remains at 0.
Edited Firmware
Here is the edited firmware:
Edited Firmware
Edit Details
I’ve also uploaded a photo of the part I edited:
Edit Photo
PuTTY Output
For reference, here are the PuTTY outputs:
Previous Attempts
Previously, I managed to set the countdown to 5 with firmware from @tinamore, who had the same device. Unfortunately, his firmware has been removed from Google Drive, and I had to reinstall the stock firmware out of frustration over the checksum error I got back then because I didn't disable the Defender firewall.
When I tried selecting "Load the system code to SDRAM via TFTP" during the countdown, I encountered a checksum error because I only disabled Windows Defender’s antivirus, not the firewall. This caused communication issues between Tftpd64 and PuTTY.
Here is the old checksum error I encountered:
Checksum Error
If you have a firmware for the RC75 or RC04 with the countdown set to 5 by default, could you please share it with me? I’d like to give flashing OpenWrt another try.
I apologize if I’ve been bothering you with my questions about this issue. Thank you very much for your help and for your patience in responding.