Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit) -- fully supported and flashable with OpenWRTInvasion

@Singman33, may we see the pics? :slight_smile:

Xiaomi Mi WiFi Router 3G [1] looks very similar to Xiaomi Mi Router 4A Gigabit Edition [2]

Would they share the same procedure to install openwrt? [3]

[1] https://www.aliexpress.com/item/32923946559.html
[2] https://www.aliexpress.com/item/33001460205.html
[3] https://openwrt.org/toh/xiaomi/mir3g#installation

Please look at the specs. They differ in the type of memory they use (MiR3G has NAND flash, Mi4A GbE has SPI flash).

No, so far. None of the methods for the former can be applied to the latter:

  • There is no such "development" image with SSH enabled for the Mi4A GbE
  • The Mi4A GbE has no USB
  • The UART is read-only on the Mi4A GbE
1 Like

Hi. I have a new router with global firmware (English language). (example https://ru.aliexpress.com/item/33043866005.html)
How can I copy the global firmware to the Chinese version of the router?

Would it be possible to use this approach: https://d13ht01.tk/engineering/20190601/hacking-mi-router-4/
Seems like the router allows access to the U-Boot console on the first boot (after reset to factory settings). Then U-Boot can be flashed and we should be ready to install OpenWrt. My Mi4A router is on the way, so no possibility to test at the moment.

1 Like

I've tried that approach but had no success. Pressed the reset button and watched the boot process connected with UART adapter but no chance to interact. Still I might have missed something, would be great if others could confirm.

Unfortunately I also wasn't able to interrupt the boot process. Maybe nothing new: holding the reset button during power-on lets the router obtain an IP and search for a boot image (see log below). Could that help?

U-Boot 1.1.3 (Jan 24 2019 - 07:46:43)

Board: Ralink APSoC DRAM:  128 MB
Power on memory test. Memory size= 128 MB...OK!
relocate_code Pointer at: 87fb0000

Config XHCI 40M PLL
RT2880_RSTSTAT_REG 0xXXXXXXX
***************************
Board power on Occurred
***************************
flash manufacture id: XX, device id XX XX
find flash: GD25Q128C
============================================
Ralink UBoot Version: 5.0.0.0
--------------------------------------------
ASIC MT7621A DualCore (MAC to MT7530 Mode)
DRAM_CONF_FROM: Auto-Detection
DRAM_TYPE: DDR3
DRAM bus: 16 bit
Xtal Mode=3 OCP Ratio=1/3
Flash component: SPI Flash
Date:Jan 24 2019  Time:07:46:43
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:256, ways:4, linesz:32 ,total:32768

 ##### The CPU freq = 880 MHZ ####
 estimate memory size =128 Mbytes
#Reset_MT7530
set LAN/WAN LLLLW

restore_defaults:0


 NetTxPacket = 0xXXXXXXX

 KSEG1ADDR(NetTxPacket) = 0xXXXXXXX

 NetLoop,call eth_halt !

 NetLoop,call eth_init !
Trying Eth0 (10/100-M)

 Waitting for RX_DMA_BUSY status Start... done


 ETH_STATE_ACTIVE!!
BOOTP broadcast 1
DHCPHandler: got packet: (src=XXXXX, dst=XXXX, len=174) state: 3
Filtering pkt = -1

 NetOurIP
....

Ctrl-C will interrupt the process. So interaction works, but no possibility to interact further or during boot. Pretty sad...

Yes, pretty much what Roger described. That process is to flash an official firmware image, that must be in a proprietary format and RSA signed with a private key that only Xiaomi has. I confirm you can use it to downgrade the firmware, but not to a custom one like openwrt. So it's basically useless for us at the moment.

I'm waiting for a SPI flasher to arrive to use Roger's method, but may still take some weeks until I can say if I'm successful installing openwrt on mine. On the positive side, these flashers are pretty cheap... unless I bought the wrong one... let's see later.

I'll also try to write directly to the SPI flash. Just ordered a programmer. But here my experience ends. Wouldn't it be possible to write a complete basic image with the right U-Boot and OpenWrt with the SPI programmer? Would be really great to have that with the right instructions.
Even with a dumped original image, shouldn't it be possible to 'debrick' the router in case of problems?
I think I'm missing that the MAC address is stored in flash. Could that be a problem?

I believe that with the original dump one will always be able to debrick if needed, but this will be my first experiment with a flasher.

Anyway, once you "unlock" the bootloader, by setting it to be possible to interact, from then on you won't need to flash it again using the hardware flasher. From then on, you'll only flash the system partition where your custom ROM (e.g. openwrt) will be. So, unless something unlikely happens to the bootloader, all you'll need to debrick will be to connect to the console via TTL UART and have a TFTP server with your openwrt image at hand. That's trivial if you're comfortable with Linux and have it on your PC (a VM will also do).

And for normal sysupgrades, after the first openwrt install, you'll be able to do it from the web interface.

And just for the record, I was able to connect to the TTL UART without soldering anything. Just place 3 dupont 2.5mm connectors on the little holes (for TX, GND and RX), and as long as they make contact, it does the trick.

Thanks for the trick. I used something similar: taking a three-pin header and bending the central pin a little. The header then clamps itself in the holes. Makes a relatively safe contact. On the pins you can use whatever you want.

Use Roger's repo/branch, and instead of "Default Profile", select "Xiaomi Mi Router 4A Gigabit Edition". Be mindful that the official repo does not have that option (yet). The link to Roger's repo/branch is above on this thread.

The rest of the defaults should be enough for starters, but until I'm able to unlock my router, I can't advise much more.

After building, there should be a sysupgrade image somewhere inside the "bin" subfolder.

Good luck :slight_smile:

Thanks a lot for the quick reply. In the first attempt I didn't download the right version, so there were no menu items for the xiaomi R4A. After downloading the right version everything is ok (therefore deleted the post).
I'm able to generate the image, so far it looks good. Now just waiting for the flash writer.... It will arrive in 4 weeks...

Flashing OpenWrt from the stock firmware's CLI

I rebased my xiaomi-mi-router-4a-1000m-gigabit-edition_wip branch with the current master (as of 24th July 2019), you may want to give it a try. Still I haven't found any way to access the router other than modifying the bootloader and overwriting the SPI flash, though.

Anyway, once you can enter the router using the UART port, on the CLI, this is the simplest way I found to flash OpenWrt:

root@XiaoQiang:/# cd /tmp/
root@XiaoQiang:/tmp# wget http://your_server_address/openwrt-ramips-mt7621-xiaomi_mir4a-gigabit-squashfs-sysupgrade.bin
root@XiaoQiang:/tmp# mtd -e OS1 -r write openwrt-ramips-mt7621-xiaomi_mir4a-gigabit-squashfs-sysupgrade.bin OS1
Unlocking OS1 ...
Erasing OS1 ...

Writing from openwrt-ramips-mt7621-xiaomi_mir4a-gigabit-squashfs-sysupgrade.bin to OS1 ...     
Rebooting ...

and you are good to go. But, yes, still you have to unlock the serial login by overwriting the bootloader. :man_shrugging:

5 Likes
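As an added example (not code from the thread or from the OpenWrt project), a POSIX shell pre-flight script for the mtd step above: before running `mtd -e OS1 -r write <image> OS1` it confirms the target partition exists, that the image fits inside it, and that the image's SHA-256 matches the checksum from your build output. The partition table and the checksum are constructed sample values, not the router's real layout.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-flight checks before writing a
# sysupgrade image to a partition with mtd. The /proc/mtd text at the
# bottom is CONSTRUCTED for illustration, not the real R4AG layout.

# Print the size in bytes of partition $2 from /proc/mtd-style text $1.
# Returns 1 if the partition name is not present.
mtd_part_size() {
    hex=$(printf '%s\n' "$1" | awk -v n="\"$2\"" '$4 == n { print $2; exit }')
    [ -n "$hex" ] || return 1
    echo $((0x$hex))
}

# Return 0 if file $1 is non-empty and no larger than $2 bytes.
image_fits() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -gt 0 ] && [ "$size" -le "$2" ]
}

# Return 0 if the SHA-256 of file $1 equals $2 (lower-case hex).
# Falls back to openssl where sha256sum is not installed.
sha256_matches() {
    actual=$( (sha256sum "$1" 2>/dev/null || openssl dgst -sha256 -r "$1") | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Combined check: $1 = image path, $2 = expected sha256, $3 = partition
# name, $4 = /proc/mtd text (defaults to the live /proc/mtd on the router).
preflight() {
    mtd_text=${4:-$(cat /proc/mtd)}
    part_bytes=$(mtd_part_size "$mtd_text" "$3") || { echo "no partition $3"; return 1; }
    image_fits "$1" "$part_bytes" || { echo "image does not fit in $3"; return 1; }
    sha256_matches "$1" "$2"      || { echo "checksum mismatch";      return 1; }
    echo "ok: $1 -> $3 ($part_bytes bytes available)"
}

# Constructed sample layout (NOT the router's real partition table).
SAMPLE_MTD='dev:    size   erasesize  name
mtd0: 00030000 00010000 "Bootloader"
mtd1: 00010000 00010000 "Config"
mtd2: 00f80000 00010000 "OS1"'

# On the router you would run, with the real checksum from your build:
#   preflight openwrt-...-sysupgrade.bin <sha256-from-build> OS1 && mtd -e OS1 -r write openwrt-...-sysupgrade.bin OS1
```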

This is a complete shot in the dark, but on the Philips Hue bridge we shorted the NOR enable pin to ground, disabling it while U-Boot was still booting. This halted U-Boot, and we were able to change the bootdelay and just saveenv. Maybe this trick would work here? (For reference: https://blog.andreibanaru.ro/2018/03/27/philips-hue-2-1-enabling-wifi/ )

That's an interesting idea. But we should know which pins we should use. Some more background can be found here:
https://carvesystems.com/news/pin2pwn-how-to-root-an-embedded-linux-box-with-a-sewing-needle/
So we need to interrupt U-Boot from loading the final image (by disabling the flash after U-Boot loads). Advice for serial flash devices from the page linked above:

  • Short between pins 1 (chip select) and 2 (data out)

Since the pins of the flash chip seem to be accessible it would be worth a try. But not this evening for me. Maybe one should check whether those are the right pins, so as not to brick the device completely.

I dug it out for you, bridge Data Out and GND (source: https://forum.archive.openwrt.org/viewtopic.php?id=66346 4th post by Pepe2k)

You mean pins 2 and 4? Or am I mistaken?

We're playing with generating a hardware failure to force U-Boot to fall back to the console (if it really does?). This in general can cause other hardware failures.
Be careful. The pins stated in that post were not mentioned in the original post. Always be careful when connecting pins, not to draw too much current and damage a chip.
In general putting a communication pin of the flash to ground should do it. Maybe with a resistor to limit current, but it has to be small enough to pull down the signal at the pin.

I think I'll wait for my flasher to arrive, I won't take the chance to damage the flash chip...