Support for Xiaomi Router AC1200 (RB02)

It seems to work.

Hi, it seems that the Xiaomi 4A Gigabit V2 (R4AGV2) uses the same hardware with RB02. I compiled a firmware for R4AGV2, and everything works fine except the leds.

3 Likes

Hello! I managed to get telnet access to R4AV2 without a chip programmer (it lacks dropbear in the firmware).

Here's a link to my GitHub comment: https://github.com/acecilia/OpenWRTInvasion/issues/141#issuecomment-1296033775

I decided to post it here, as the Wiki page for Xiaomi 4A Gigabit v2 links to this thread.

2 Likes

@baconbao could you please upload stock firmware (or fulldump) for the rb02?

Could you share the firmware you used or instructions to compile this version and the exploit you used to flash it?

Try patch from that repository:

1 Like

Thank you a lot! After some time learning everything, I was finally able to compile the image (which took much longer than I expected) and get the exploit working (it took some time before I realized I had to disable the Windows firewall, lol).

But the problem now is flashing. Is the final command still this?
mtd -e OS1 -r write firmware.bin OS1

When I run it, the router hangs with the power led orange indefinitely (over 20 minutes at least). I even tried flashing the official 2.30.25 firmware, which I used to recover from brick, with no success, it behaves the same way as when I flash a firmware I compiled.

I also tried flashing another pre-compiled version for this router I found ( https://github.com/acecilia/OpenWRTInvasion/pull/155#issuecomment-1313042473 ), and with this firmware the behavior is different, the orange light slowly blinks after some minutes.

What am I doing wrong? Could I have ended up with an even different router?

OK, after some more trying I successfully got it working. Thank you all!

1 Like

I have the same problem.
How did you fix it?

I eventually got a working firmware. I think it was this one (just uploaded), but I'm not sure. Got it by compiling myself, I guess.

1 Like

You have the source code of this firmware?

@Ser9ei posted the link:

Guys, there is my patch for r4av2/rb02

This patch includes correct code for the LEDs.

3 Likes

Hi guys, I just bought a router and want to use it only with OpenWrt. I find now that Xiaomi is providing a V2, which may or may not be supported, but there is no way I can tell what version it comes with. What is the status? How can I flash it if it comes with RB02 or R4AV2? I think you guys can tell me a proper answer. Thanks.

I have some time left for delivery, so I need urgent help. What is the status? I am in India right now; hopefully I get a global variant.

Need information ASAP.
I think the exploit has also been patched for V2: https://github.com/acecilia/OpenWRTInvasion/pull/155#issuecomment-1313042473
But I still have doubts about it.

I've used this patch in the latest version of OpenWrt with some config file that I found, optimizing it for my preferences, and it works fine without any problems.
Even the LEDs are working fine.
Thank you very much!

Hi. I'm hoping someone can help me with this. I spent almost an entire day reading and learning about this. Finally got Docker going and then ssh fails. I then realised I had V2 and found this page.

I have the OpenWrt bin file from TaiKe's page. I have completed the step to enable SSH, but when I go the Docker route it is still failing to connect.

Any advice or maybe baby steps to do this? Or should I be learning Ubuntu on VM instead of trying Docker? Thank you

The latest ROMs are available here:

The vendor version can be found by following the link at https://www1.miwifi.com/wap_download.html
https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r4av2/miwifi_r4av2_firmware_6bdd4_2.30.500.bin
2.30.500, dated May 28 2023

Telnet login can be enabled using the Invasion script available here:

If you use the standard R4A image, WiFi and WAN don't work.

In fact, LAN is on the WAN port.

1 Like

Finally everything seems to work, including LEDs, with the snapshot version:
https://downloads.openwrt.org/snapshots/targets/ramips/mt7621/openwrt-ramips-mt7621-xiaomi_mi-router-4a-gigabit-v2-squashfs-sysupgrade.bin

You can then install LuCI:
opkg update
opkg install luci
reboot

and voila

R4A-V2 version:

root@OpenWrt:~# lsmod | grep ^mt
mt76                   51477  4 mt7615e,mt7615_common,mt7603e,mt76_connac_lib
mt76_connac_lib        40978  2 mt7615e,mt7615_common
mt7603e                40252  0 
mt7615_common          70108  1 mt7615e
mt7615e                10277  0

R4A-V1 version:

lsmod | grep ^mt
mt76                   45120  4 mt76x2e,mt76x2_common,mt76x02_lib,mt7603e
mt7603e                38560  0 
mt76x02_lib            40640  2 mt76x2e,mt76x2_common
mt76x2_common          11744  1 mt76x2e
mt76x2e                10208  0

The router was delivered with firmware 2.30.28.
I unbricked using 2.30.500.

1 Like
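The two lsmod listings above are the quickest way to tell which hardware revision an OpenWrt image is actually running on. As an added example (not code from the thread or from OpenWrt), this POSIX shell function reads lsmod output and classifies the board from the WiFi driver modules, using the module names shown in the listings: mt7615e marks the V2, mt76x2e marks the V1.

```shell
#!/bin/sh
# Classify a Mi Router 4A Gigabit revision from `lsmod` output on stdin.
# Module names taken from the two listings posted in the thread:
# V2 loads mt7615e (MT7615 radio), V1 loads mt76x2e (MT76x2 radio).
# Prints R4A-V1, R4A-V2 or UNKNOWN; exit status is 0 only on a clean match.
classify_r4a() {
    v1=0
    v2=0
    # Each lsmod line starts with the module name; ignore size/usage columns.
    while read -r mod _rest; do
        case "$mod" in
            mt7615e) v2=1 ;;
            mt76x2e) v1=1 ;;
        esac
    done
    if [ "$v1" = 1 ] && [ "$v2" = 1 ]; then
        echo UNKNOWN   # both radios listed: not a known R4A build
        return 2
    fi
    if [ "$v2" = 1 ]; then echo R4A-V2; return 0; fi
    if [ "$v1" = 1 ]; then echo R4A-V1; return 0; fi
    echo UNKNOWN       # neither radio driver loaded
    return 1
}

# Constructed sample inputs, copied from the listings in the thread.
V2_LSMOD='mt76                   51477  4 mt7615e,mt7615_common,mt7603e,mt76_connac_lib
mt76_connac_lib        40978  2 mt7615e,mt7615_common
mt7603e                40252  0
mt7615_common          70108  1 mt7615e
mt7615e                10277  0'
V1_LSMOD='mt76                   45120  4 mt76x2e,mt76x2_common,mt76x02_lib,mt7603e
mt7603e                38560  0
mt76x02_lib            40640  2 mt76x2e,mt76x2_common
mt76x2_common          11744  1 mt76x2e
mt76x2e                10208  0'

# Stand-alone run: on the router itself use `lsmod | classify_r4a` instead.
printf '%s\n' "$V2_LSMOD" | classify_r4a
printf '%s\n' "$V1_LSMOD" | classify_r4a
```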

Hey, can you give me details on how you got telnet access? Mine is always denied. FW 2.30.500.

Hello,

First you need to set up a password for the router interface (this requires an internet connection).

I checked out LordPinhead/OpenWRTInvasion from GitHub.
I launched:
python3 remote_command_execution_vulnerability.py

It asks for the server IP and local IP, then the password you set in the interface.

It happens that I had to close the open browser and sometimes (often) launch the hack twice.
You should then be able to telnet to the router and enter the login and password (user: root, password: root).
For SSH you need some options like this:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa -o UserKnownHostsFile=/dev/null root@192.168.31.1

Only tested this on Linux.

Hope this helps, let me know :wink:

2 Likes