Mi 4Q installation

I want to note down installing OpenWrt on a Mi 4Q for future reference, as online literature is sparse. The Mi 4Q comes in a garish blue case; however, it looks OK when placed next to a small Japanese banyan tree or an equally garish blue picture frame.

I tried OpenWRTinvasion. The reverse shell exploit works, but after writing the squashfs image file to the rootfs partition the router bricked. There is no OS1 partition to speak of. This left me with using the trusty UART interface to boot an initramfs image from memory.

  1. Crack open the case. There are 2 screws hidden under the label. Just feel for the screw holes with the tip of your screwdriver, poke through the sticker, unscrew the screws, then pry open the plastic cover, which is easy enough to do. The board is already labelled GND/TX/RX. Don't bother soldering the jumper posts. Just place the jumper posts into the UART cable first, then insert the posts into the holes on the board and use some tape to hold them in place. This makes it easy to remove after you have finished. If you tape the posts at an angle they will make a good, reliable connection with the board's traces.

  2. Download the 4Q initramfs and squashfs sysupgrade firmware. Copy the initramfs to the /home/user/tftp directory and rename it 4q.bin just to make it easier.

  3. Add an IP address to your Ethernet adapter in 192.168.31.x (anything will do except .1).
    Note down the IP address (in this case I used 192.168.31.99) and connect an Ethernet cable from port 1 of the router to your computer's Ethernet port.

  4. Run: sudo dnsmasq --port=0 --enable-tftp --tftp-root=/home/user/tftp --tftp-no-blocksize --user=root --group=root

  5. Execute minicom -s and set the baud to 115200 8N1 if not already set.

  6. Turn on the router and you should see garbage on your screen at first. This is because U-Boot is using 115200 7N1. Once U-Boot finishes you will then see the router's firmware boot legibly.

  7. Turn off the router, then press ctrl-a p to bring up the minicom settings. Set the bits to 7 and then turn on the router again. This time you can see the U-Boot output clearly. Wait for the message offering to interrupt the boot process and press enter. This will drop you into the prompt. Entering anything at the prompt will not work because your input gets garbled at 7 bits. Instead press ctrl-a p to bring up the minicom settings again and switch back to 8 bits. Now anything you type will not be garbled, but the echo to the screen is garbled, so you can't see what you are typing; just take care when you type.

  8. Blindly and carefully enter the following:

    setenv serverip 192.168.31.99
    tftpboot 0x81000000 4q.bin

    Wait a few seconds and you should see a stream of hashes ###### race across your screen. This is the firmware being downloaded. If you see a slow trail of TTTTT then it is failing to connect to your TFTP server.

    After the stream of hashes ###### ends, the initramfs firmware has been transferred. Enter the following:

    bootm 0x81000000

    Wait about 2 minutes for OpenWrt to boot in memory. OpenWrt is now running, but only from memory. Open LuCI by launching your web browser and going to 192.168.1.1, flash with the initramfs image first to create the partition layout, then reboot the router and reflash with the squashfs sysupgrade image to install a usable OpenWrt image.
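Since the U-Boot commands have to be typed blind, it pays to check everything on the host side before powering the router on. The following script is an added example, not part of the original notes: it checks that the host address is a usable one in the router's 192.168.31.0/24 subnet (anything but .1), verifies the initramfs image in the TFTP root against a sha256sums file before it is served, and prints the exact three lines to type at the U-Boot prompt. The sums-file format (the "<hex>  <filename>" lines that sha256sum produces) and the file names 4q.bin and sha256sums are assumptions; the memory address 0x81000000 and the IP layout come from the notes above.

```shell
#!/bin/sh
# Added example (not from the original notes): pre-flight checks for the
# tftpboot recovery procedure. Assumes GNU coreutils sha256sum and awk.

# valid_host_ip <ip>
# Return 0 if the address is 192.168.31.N with 2 <= N <= 254 (.1 is the
# router's own address, so the host must not take it).
valid_host_ip() {
    ip="$1"
    case "$ip" in
        192.168.31.*) ;;
        *) return 1 ;;
    esac
    last="${ip##*.}"
    case "$last" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$last" -ge 2 ] && [ "$last" -le 254 ]
}

# verify_image <tftp-root> <image-name> <sha256sums-file>
# Succeed only if the image exists in the TFTP root and its SHA-256 matches
# the entry for that file name in the sums file (assumed sha256sum format:
# "<hex>  <filename>" per line).
verify_image() {
    root="$1"; name="$2"; sums="$3"
    [ -f "$root/$name" ] || return 1
    [ -f "$sums" ] || return 1
    expected=$(awk -v f="$name" '$2 == f { print $1; exit }' "$sums")
    [ -n "$expected" ] || return 1
    actual=$(sha256sum "$root/$name" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# uboot_commands <serverip> <image-name>
# Emit the three lines to type blindly at the U-Boot prompt, in order.
uboot_commands() {
    printf 'setenv serverip %s\ntftpboot 0x81000000 %s\nbootm 0x81000000\n' "$1" "$2"
}

# main <host-ip> <tftp-root> <image-name>
# Run all checks; on success print the U-Boot lines, otherwise exit non-zero.
main() {
    host_ip="$1"; tftp_root="$2"; image="$3"
    valid_host_ip "$host_ip" || { echo "bad host IP: $host_ip (need 192.168.31.2-254)" >&2; return 1; }
    verify_image "$tftp_root" "$image" "$tftp_root/sha256sums" \
        || { echo "checksum mismatch or missing file for $tftp_root/$image" >&2; return 1; }
    echo "image verified; type these lines at the U-Boot prompt:"
    uboot_commands "$host_ip" "$image"
}

# Usage: sh preflight.sh 192.168.31.99 /home/user/tftp 4q.bin
if [ $# -eq 3 ]; then
    main "$@"
fi
```

Drop the sha256sums file published alongside the image into the same directory as 4q.bin and run the script before step 4; a failed check means the download is incomplete or altered and should not be served to the router.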