Support for Xiaomi Router AC1200 (RB02)

There is a lack of information about the Xiaomi Router AC1200 (model: RB02), and there is no recommended OpenWrt firmware for it on the Internet.
So some information, guidelines and problems are shared here.

Spec and information

Name: Xiaomi Router AC1200
Model: RB02
SoC: MediaTek MT7621
CPU: 880 MHz
ROM: 16 MB
RAM: 128 MB DDR3
WLAN Hardware: MediaTek MT7603E, MediaTek MT7663
2.4GHz Wi-Fi: 2x2 (Supports IEEE 802.11n protocol, up to a maximum speed of 300Mbps)
5GHz Wi-Fi: 2x2 (Supports IEEE 802.11ac protocol, up to a maximum speed of 867Mbps)
Gbit ports: 3 (1x WAN, 2x LAN)
Protocol standards: IEEE 802.11a/b/g/n/ac, IEEE 802.3/3u/3ab
Modulation:
  11b: DSSS: DBPSK (1Mbps), DQPSK (2Mbps), CCK (5.5/11Mbps)
  11a/g: OFDM: BPSK (6/9Mbps), QPSK (12/18Mbps), 16QAM (24/36Mbps), 64QAM (48/54Mbps)
  11n: MIMO-OFDM: BPSK, QPSK, 16QAM, 64QAM. Rate set: MCS0-MCS15
  11ac: MIMO-OFDM: BPSK, QPSK, 16QAM, 64QAM, 256QAM. Rate set: MCS0 to MCS9 (supports 2 streams)
root@XiaoQiang:~# uname -a
Linux XiaoQiang 4.4.198.mt7621 #0 SMP Thu Nov 25 02:42:10 2021 mips GNU/Linux

root@XiaoQiang:~# cat /proc/version
Linux version 4.4.198.mt7621 (jenkins@aed0fefaa6c7) (gcc version 7.3.0 (OpenWrt GCC 7.3.0 unknown) ) #0 SMP Thu Nov 25 02:42:10 2021

root@XiaoQiang:~# bootinfo
ROM    ver: config core 'version'
        # ROM ver
        option ROM '3.2.49'
        # channel
        option CHANNEL 'release'
        # hardware platform R1AC or R1N etc.
        option HARDWARE 'RB02'
        # CFE ver
        option UBOOT '1.0.2'
        # Linux Kernel ver
        option LINUX '0.0.1'
        # RAMFS ver
        option RAMFS '0.0.1'
        # SQUASHFS ver
        option SQAFS '0.0.1'
        # ROOTFS ver
        option ROOTFS '0.0.1'
  #build time
  option BUILDTIME 'Thu, 25 Nov 2021 03:05:51 +0000'
  #build timestamp
  option BUILDTS '1637809551'
  #build git tag
   option GTAG 'commit cf5c1b3bbf3632215c47e03b8e541d03fa7dab35'
Hardware  : Ver. A
ROM    sum:
System    : Dual - 1
KERNEL    : console=ttyS0,115200 uart_en=0 factory_mode=0 mem=128m  rootfstype=squashfs,jffs2

MTD  table:
dev:    size   erasesize  name
mtd0: 01000000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Null"
mtd3: 00010000 00010000 "Bdata"
mtd4: 00010000 00010000 "Factory"
mtd5: 00010000 00010000 "crash"
mtd6: 00010000 00010000 "cfg_bak"
mtd7: 00100000 00010000 "overlay"
mtd8: 00e70000 00010000 "OS1"
mtd9: 001c0000 00010000 "kernel"
mtd10: 00cb0000 00010000 "rootfs"
mtd11: 00010000 00010000 "Config"

root@XiaoQiang:~# cat /etc/wireless/l1profile.dat
Default
INDEX0=MT7603
INDEX0_profile_path=/etc/Wireless/mt7603e/mt7603e.dat
INDEX0_init_script=/lib/wifi/mt7603e.lua
INDEX0_init_compatible=mt7603e
INDEX0_EEPROM_offset=0x0
INDEX0_EEPROM_size=0x200
INDEX0_EEPROM_name=e2p
INDEX0_main_ifname=wl1
INDEX0_ext_ifname=wl
INDEX0_wds_ifname=wds
INDEX0_apcli_ifname=apcli
INDEX0_mesh_ifname=mesh
INDEX0_nvram_zone=dev1
INDEX0_single_sku_path=/etc/Wireless/mt7603e/SingleSKU.dat
INDEX0_bf_sku_path=/etc/Wireless/mt7603e/mt7603e-sku-bf.dat
INDEX1=MT7663
INDEX1_profile_path=/etc/Wireless/mt7663/mt7663.dat
INDEX1_init_script=/lib/wifi/mt7663.lua
INDEX1_init_compatible=mt7663
INDEX1_EEPROM_offset=0x8000
INDEX1_EEPROM_size=0x600
INDEX1_EEPROM_name=e2p
INDEX1_main_ifname=rai0
INDEX1_ext_ifname=rai
INDEX1_wds_ifname=wdsi
INDEX1_apcli_ifname=apclii
INDEX1_mesh_ifname=meshi
INDEX1_nvram_zone=dev2
INDEX1_single_sku_path=/etc/Wireless/mt7663/SingleSKU.dat
INDEX1_bf_sku_path=/etc/wireless/mediatek/mt7663/mt7663-sku-bf.dat

Enable SSH login
Follow the method for the Redmi Router AC2100: edit the links below and open them in a browser:

http://<RouterIP>/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B%20nvram%20set%20ssh_en%3D1%3B%20nvram%20commit%3B%20sed%20-i%20%27s%2Fchannel%3D.*%2Fchannel%3D%5C%22debug%5C%22%2Fg%27%20%2Fetc%2Finit.d%2Fdropbear%3B%20%2Fetc%2Finit.d%2Fdropbear%20start%3B
http://<RouterIP>/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B%20echo%20-e%20%27admin%5Cnadmin%27%20%7C%20passwd%20root%3B

If both responses show "code: 0", you can log in with

ssh root@<RouterIP>

The password is admin.

Different from Xiaomi Router 4A Gigabit Edition
Although the design and hardware of the RB02 are similar to the Xiaomi Router 4A Gigabit Edition (R4A or R4AG), there are still differences:

  1. RB02 uses the MT7663 chip for 5 GHz Wi-Fi.
  2. RB02's ROM is different from the Xiaomi Router 4A Gigabit's; the message "Couldn't verify file" is shown after uploading via the WebUI. (Tested ROMs: miwifi_r4a_all_cddf4_2.28.69.bin and miwifi_r4a_all_03233_3.0.24_INT.bin)

Problem: Cannot find OEM ROM
I can't find the OEM ROM on the Internet. Does anyone know how to get it?
Can I extract the ROM from the device?

Problem: No OpenWrt Firmware
I'm not good at compiling an OpenWrt firmware. However, if more information reachable over SSH can help with development, please let me know.

1 Like

Seems weird that a firmware image with a 25/11/2021 build date would still have that vulnerability.

It's a different model; it would be a bigger problem if it did accept it.

The EU update servers don't have a firmware image for this device yet.

Nothing that you could use to flash, since they only use signed images.

All in all, should be fairly simple for someone to port, but it's risky since there's no stock image to restore to. Users would have to backup the stock firmware first.

Additionally, some Xiaomi units are shipping with some less-common SPI-NOR chips of late. Not much of an issue once identified, but can stop images from booting. Can we see a boot log?
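Two points in this thread ask for the same thing: whether the stock ROM can be extracted from the device, and backing up the stock firmware before flashing anything. The following is an added example, not code from this thread, that parses the RB02 MTD table from the bootinfo output above, checks that the partition layout is self-consistent, and lists read-only dump commands together with the byte count each dump file must have. It assumes the router exposes the standard Linux read-only devices /dev/mtdNro, and that kernel and rootfs are sub-partitions of OS1 (inferred from their sizes adding up to it).

```python
import re
from collections import namedtuple

# Constructed sample: the RB02 MTD table copied from the bootinfo output above.
SAMPLE_MTD = """\
dev:    size   erasesize  name
mtd0: 01000000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Null"
mtd3: 00010000 00010000 "Bdata"
mtd4: 00010000 00010000 "Factory"
mtd5: 00010000 00010000 "crash"
mtd6: 00010000 00010000 "cfg_bak"
mtd7: 00100000 00010000 "overlay"
mtd8: 00e70000 00010000 "OS1"
mtd9: 001c0000 00010000 "kernel"
mtd10: 00cb0000 00010000 "rootfs"
mtd11: 00010000 00010000 "Config"
"""

Partition = namedtuple("Partition", "dev size erasesize name")  # sizes in bytes
LINE_RE = re.compile(r'^(mtd\d+):\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s+"([^"]*)"$')

def parse_mtd(text):
    """Parse /proc/mtd-style lines; the header line does not match and is skipped."""
    return [Partition(m[1], int(m[2], 16), int(m[3], 16), m[4])
            for m in (LINE_RE.match(l.strip()) for l in text.splitlines()) if m]

def check_layout(parts, whole="ALL", container="OS1", children=("kernel", "rootfs")):
    """Top-level partitions must tile the whole chip and sub-partitions their container.
    Assumption: kernel and rootfs are nested inside OS1 (their sizes add up to it)."""
    by_name = {p.name: p for p in parts}
    top = [p for p in parts if p.name not in (whole, *children)]
    return {
        "flash_bytes": by_name[whole].size,
        "top_level_tiled": sum(p.size for p in top) == by_name[whole].size,
        "container_tiled": sum(by_name[c].size for c in children) == by_name[container].size,
        "erase_aligned": all(p.size % p.erasesize == 0 for p in parts),
    }

def backup_plan(parts, outdir="/tmp"):
    """Read-only dump command per partition (run on the router over SSH) and the exact
    byte count the file must have; /tmp is a 60 MB tmpfs here, so the 16 MB chip fits."""
    return [(f"dd if=/dev/{p.dev}ro of={outdir}/{p.name}.bin bs=64k", p.size)
            for p in parts]

def verify_dumps(parts, actual_sizes):
    """Partitions whose dump (sizes from ls -l on the host) has the wrong length:
    a short file was truncated and must not be used as a restore image."""
    return [p.name for p in parts if actual_sizes.get(p.name) != p.size]
```

Copy the dump files off the router (for example with scp) before rebooting, since /tmp does not survive a restart.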

Thanks for your reply.

Here is:
https://gist.githubusercontent.com/baconbao/11f8ffd7c21dfe0570b9186e6dbdee9f/raw/26533cbd51172c5468fcea7aa5f94c3ccdca6800/xaiomi-router-ac1200_rb02_bootlog.log
(The default MAC addresses have been replaced with 00:11:22:33:44:**)

Other info:

root@XiaoQiang:~# cat /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='18.06-SNAPSHOT'
DISTRIB_REVISION='unknown'
DISTRIB_TARGET='ramips/mt7621'
DISTRIB_ARCH='mipsel_24kc'
DISTRIB_DESCRIPTION='OpenWrt 18.06-SNAPSHOT unknown'
DISTRIB_TAINTS='no-all busybox'

root@XiaoQiang:~# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                12.5M     12.5M         0 100% /
devtmpfs                512.0K         0    512.0K   0% /dev
tmpfs                    60.5M         0     60.5M   0% /sys/fs/cgroup
tmpfs                    60.5M    648.0K     59.9M   1% /tmp
/dev/mtdblock7            1.0M    768.0K    256.0K  75% /data
/dev/mtdblock7            1.0M    768.0K    256.0K  75% /etc
tmpfs                   512.0K         0    512.0K   0% /dev
1 Like

RB02 = INT fw version (Global)
R4AV2 = CN fw version

For this router, they began to produce firmware in HDR2 format.
File xiaoqiang_version:

config core 'version'
	# ROM ver
	option ROM '2.30.20'
	# channel
	option CHANNEL 'release'
	# hardware platform R1AC or R1N etc.
	option HARDWARE 'R4AV2'
	# CFE ver
	option UBOOT '1.0.2'
	# Linux Kernel ver
	option LINUX '0.0.1'
	# RAMFS ver
	option RAMFS '0.0.1'
	# SQUASHFS ver
	option SQAFS '0.0.1'
	# ROOTFS ver
	option ROOTFS '0.0.1'
  #build time
  option BUILDTIME 'Tue, 22 Feb 2022 07:02:09 +0000'
  #build timestamp
  option BUILDTS '1645513329'
  #build git tag
   option GTAG 'commit a1bd4e74fb6a75ebeb039e33d8465bcbf2e9378d'

File openwrt.config:

CONFIG_TARGET_ramips_mt7621_R4AV2=y
CONFIG_TARGET_PROFILE="R4AV2"
CONFIG_R4AV2=y
CONFIG_SQUASHFS_XZ=y
CONFIG_XQVER=2
CONFIG_XQ_BOARD="R4AV2" 

Function setConfigIotDev not fixed!!!

1 Like

Are you sure that the RB02 firmware contains the dropbear utility?

It seems to work.

Hi, it seems that the Xiaomi 4A Gigabit V2 (R4AGV2) uses the same hardware as the RB02. I compiled a firmware for R4AGV2, and everything works fine except the LEDs.

3 Likes

Hello! I managed to get telnet access to the R4AV2 without a chip programmer (it lacks dropbear in the firmware).

Here's a link to my GitHub comment: https://github.com/acecilia/OpenWRTInvasion/issues/141#issuecomment-1296033775

I decided to post it here, as the Wiki page for Xiaomi 4A Gigabit v2 links to this thread.

2 Likes

@baconbao could you please upload stock firmware (or fulldump) for the rb02?

Could you share the firmware you used or instructions to compile this version and the exploit you used to flash it?

Try the patch from that repository:

1 Like

Thank you a lot! After some time learning everything, I was finally able to compile the image (which took much longer than I expected) and get the exploit working (it took some time before I realized I had to disable the Windows firewall, lol).

But the problem now is flashing. Is the final command still this?
mtd -e OS1 -r write firmware.bin OS1

When I run it, the router hangs with the power LED orange indefinitely (over 20 minutes at least). I even tried flashing the official 2.30.25 firmware, which I used to recover from a brick, with no success; it behaves the same way as when I flash a firmware I compiled.

I also tried flashing another pre-compiled version for this router I found ( https://github.com/acecilia/OpenWRTInvasion/pull/155#issuecomment-1313042473 ), and with this firmware the behavior is different, the orange light slowly blinks after some minutes.

What am I doing wrong? Could I have ended up with an even different router?

OK, after some more trying I successfully got it working. Thank you all!

1 Like

I have the same problem.
How did you fix it?

I eventually got a working firmware. I think it was this one (just uploaded), but I'm not sure. Got it by compiling myself, I guess.

1 Like

Do you have the source code for this firmware?

@Ser9ei posted the link:

Guys, here is my patch for r4av2/rb02

This patch includes the correct code for the LEDs

3 Likes

Hi guys, I just bought a router and want to use it only with OpenWrt. I find now that Xiaomi is providing a v2 which may or may not be supported, but there is no way I can tell what version it comes with. What is the status? How can I flash it if it comes with RB02 or R4AV2? I think you guys can tell me a proper answer. Thanks.


I have some time left for delivery, so I need urgent help. What is the status? I am in India right now; hopefully I get a global variant.

Need information ASAP.
I think the exploit has also been patched for v2: https://github.com/acecilia/OpenWRTInvasion/pull/155#issuecomment-1313042473
But I still have doubts about it.

I've used this patch with the latest version of WRT and some config file that I found, optimizing it for my preferences, and it works fine without any problems.
Even the LEDs are working fine.
Thank you very much!