Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit) -- fully supported and flashable with OpenWRTInvasion

Albertcp · April 3, 2020, 8:57am

I spoke with acecilia (many thanks for his contribution and help) in slack who recommended me to post this here:

It seems something went wrong during the flashing process and I have a bricked router
I followed the acecilia (https://openwrt-workspace.slack.com/team/U01057ALMK5) OpenWRTInvasion on my Mi Router 4A Gigabit (Global stock 2.28.132). I finally got access to the root but I had to use legacy version (netcat), I don't know if it's because my network setup was too complicated (I was connecting to it throw the 4a local port attached to my home network - router + switch).
Anyway y followed the steps:

cd /tmp/
wget http://downloads.openwrt.org/snapshots/targets/ramips/mt7621/openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin
mtd -e OS1 -r write openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin OS1

It showed me the message of Unloking OS1 and Erasing OS1 but never got any other message. I left it for a couple of hours in case it was a long process but didn't get any response. No power shortages/disconnections occurred.
Now the router looks like it's bricked: I tried to reboot it manually (unplug power) and using reset button with no luck. The power light in the router blinks at 2-3 seconds pace since you power it on and doesn't stop.
Ethernet pots looks also like they're not powered/work as my switch and computer doesn't detect any attached ethernet cable. I also can't ping the router or figure it's IP (though I don't think it has any since seems like ports are not working).
Any thoughts of what could went wrong or what could I do?

acecilia pointed me into this forum and to try to use TFTP to upload another image but I don't know how since I don't know how to connect to the router using the network (does it have any recovery mode, like pressing resent and powering up?).

My initial thoughts reading this thread is that I either try to connect using TTL/USB or try to dump/flash the chip using a flasher. Can you also point me in the right direction or link some information about this process if it's the one you recommend me? It would be my first time.

Thank you all

Zorro · April 3, 2020, 11:49am

you can download latest snapshot for mir3g v2 from here : (xiaomi_mir3g-v2-squashfs-sysupgrade.bin)
http://downloads.openwrt.org/snapshots/targets/ramips/mt7621/

then after download you can upload it to another upload centre like mediafire then flash it.

sha256 online checker :
https://emn178.github.io/online-tools/sha256_checksum.html

for the first time flash you need to use this method :

gain root using OpenWRTInvasion (mine running stock 2.28.132)
you can follow his guide (very clear) or
-download OpenWRTInvasion here
-install requirement (I use pi4 raspbian, python ready)
-open terminal and run "python3 remote_command_execution_vulnerability.py"
-put your mir4a ip
-put your mir4a stok (can be found in your router web url, just type router ip your browser)
the script will upload exploit to your router now you can access using telnet with login "root" without password
Flash openwrt (i used snapshots version of mir3g-v2)
-telnet using your router ip
-login with "root"
-cd /tmp/
-wget http://downloads.openwrt.org/snapshots/targets/ramips/mt7621/openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin
(it will download bin file to router tmp folder (wget not recognize https))
-mtd -e OS1 -r write openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin OS1
It will say:
Unlocking OS1 ...
Erasing OS1 ...

Writing from openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin to OS1 ...
Rebooting ...
-Done (it will reboot and come back with openwrt)

after flash you need to install luci via ssh(use putty) :
1.ssh root@192.168.1.1
2.opkg update && opkg install luci

after first flash you can update to latest openwrt snapshot from luci GUI.

and if luci is not accessible you can update via ssh :
1.cd /tmp/
2.wget http://downloads.openwrt.org/snapshots/targets/ramips/mt7621/openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin
3.mtd -r write /tmp/openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin firmware

freemyrouter · April 3, 2020, 2:20pm

Just flashed my Mi Router 4A Gigabit (fw ver. 2.28.132) with the latest snapshot using the exploit. Thanks so much @acecilia.

I just want to add that you can also try to: 1) Download the openwrt images from https using /usr/bin/curl and 2) check the SHA 256 checksum of your downloaded openwrt image by using the below command:

root@XiaoQiang:/tmp# ./busybox sha256sum openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin 
8a34191730fe1b81e10f13d446b77b18bc0981e7cf7ad062c458bc6c4086056b  openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin

Just to be on the safe side .

acecilia · April 3, 2020, 2:43pm

I use it as a repeater. I am using the 5ghz band only, and I am happy with it (stock firmware).

acecilia · April 3, 2020, 2:48pm

Thanks @freemyrouter, I updated the readme of https://github.com/acecilia/OpenWRTInvasion to reflect the changes you proposed

micky0867 · April 3, 2020, 5:38pm

If you have bricked your 4A Gigabit, here's how to get at least a chinese image running.

Connect your PC and your router with ethernet cable. Use port on the right sid (view from backside), not the WAN port!
Disconnect from power, press and hold reset, connect powersocket, still keep pressing.
When the light on the router starts flashing orange, it runs a bootp-request in which you can present one of the official firmware images (unfortunately, they all seem to be chinese).

Easiest way is to use a Linux PC with bootp in foreground mode and a tftp-server for this procedure.
During my tests the router changed it's MAC several times! I don't have any clue, how and why that happened. But that's the reason you should run bootp in foreground, so you can see, which MAC is asking for bootp. During my several retries I saw 5 different MAC addresses in bootpd!

Once the chinese image is running, you can again use acecilia's exploit to gain root access.
I was able to restore 2.28.132 english version, because I made a backup of OS1 and overlay partitions using dd before I bricked my router. So I only had to dd them back.

Unfortunately I was not able to install openwrt without bricking that thing. It always ended with all TCP ports closed. No ssh, no telnet, no http, no whatever access at all.

Zorro · April 3, 2020, 6:10pm

if the lan ports does not work then how to debrick the router?

micky0867 · April 3, 2020, 6:20pm

I bricked my router several times.
I was always able to debrick it using the described procedure.
One time it took several attempts.

Best way is to to connect every single port to a PC running tcpdump and to use the press-reset-and-power-on technique like described before.

micky0867 · April 3, 2020, 6:23pm

hi albert, check out my post #391 (Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit): fully supported but requires overwriting SPI flash with programmer)

Zorro · April 3, 2020, 6:29pm

your mac address is changed ? how to bring back original mac address? If we don't have a backup

micky0867 · April 3, 2020, 6:55pm

The WAN port, that one next to the reset button, has "only" 2 different adresses, at least in my case.
They differ only in the last digit. Every time after I tried to flash openwrt, it came up with the "second" address. In "normal" mode it was always what I call the "first" address.

I found the other addresses on the, let's say bootp-port on the right side, and only during bootp/startup.

arthurrmp · April 4, 2020, 2:16am

Hello micky0867.
Thanks for your post.
I am new with OpenWRT and unfortunately screwed my router flashing the wrong firmware.
I am searching for some hours but still can’t find how to do this proceeds, im stuck on making bootp in foreground mode and a tftp-server

I’m trying to start with something like this but can’t progress any longer. https://www.yumpu.com/en/document/read/49788031/how-to-update-firmware-on-thomson-routers

What I have to write on /etc/bootptab?

Here's my tcpdump output when I turn on the router holding the reset button with a cable on LAN Port 2.

ramoxy@ramoxy-PC:~$ sudo tcpdump -i enp34s0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp34s0, link-type EN10MB (Ethernet), capture size 262144 bytes
01:19:24.583010 IP ramoxy-PC > 224.0.0.22: igmp v3 report, 1 group record(s)
01:19:24.583036 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
01:19:24.674584 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [2q] PTR (QM)? _ipps._tcp.local. PTR (QM)? _ipp._tcp.local. (45)
01:19:24.687944 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [3q] [4n] ANY (QM)? d.7.5.0.7.9.8.5.7.5.9.f.a.d.e.9.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. ANY (QM)? ramoxy-PC.local. ANY (QM)? 10.1.168.192.in-addr.arpa. (210)
01:19:24.903035 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
01:19:24.938067 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [3q] [4n] ANY (QM)? d.7.5.0.7.9.8.5.7.5.9.f.a.d.e.9.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. ANY (QM)? ramoxy-PC.local. ANY (QM)? 10.1.168.192.in-addr.arpa. (210)
01:19:25.189043 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [3q] [4n] ANY (QM)? d.7.5.0.7.9.8.5.7.5.9.f.a.d.e.9.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. ANY (QM)? ramoxy-PC.local. ANY (QM)? 10.1.168.192.in-addr.arpa. (210)
01:19:25.383469 IP ramoxy-PC > 224.0.0.22: igmp v3 report, 1 group record(s)
01:19:25.383498 IP6 :: > ff02::1:ff97:57d: ICMP6, neighbor solicitation, who has ramoxy-PC, length 32
01:19:25.389411 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0*- [0q] 4/0/0 (Cache flush) PTR ramoxy-PC.local., (Cache flush) A 192.168.1.10, (Cache flush) PTR ramoxy-PC.local., (Cache flush) AAAA fe80::9eda:f957:5897:57d (192)
01:19:25.675647 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [2q] PTR (QM)? _ipps._tcp.local. PTR (QM)? _ipp._tcp.local. (45)
01:19:26.407607 IP6 ramoxy-PC > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
01:19:26.423018 IP6 ramoxy-PC > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
01:19:26.452472 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0*- [0q] 4/0/0 (Cache flush) PTR ramoxy-PC.local., (Cache flush) A 192.168.1.10, (Cache flush) PTR ramoxy-PC.local., (Cache flush) AAAA fe80::9eda:f957:5897:57d (192)
01:19:26.452557 IP6 ramoxy-PC.mdns > ff02::fb.mdns: 0*- [0q] 2/0/0 (Cache flush) PTR ramoxy-PC.local., (Cache flush) AAAA fe80::9eda:f957:5897:57d (141)
01:19:26.491014 IP6 ramoxy-PC > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
01:19:26.919481 IP6 ramoxy-PC > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
01:19:27.035820 IP6 ramoxy-PC > ip6-allrouters: ICMP6, router solicitation, length 8
01:19:27.675623 IP6 ramoxy-PC.mdns > ff02::fb.mdns: 0 [2q] PTR (QM)? _ipps._tcp.local. PTR (QM)? _ipp._tcp.local. (45)
01:19:27.675693 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [2q] PTR (QM)? _ipps._tcp.local. PTR (QM)? _ipp._tcp.local. (45)

micky0867 · April 4, 2020, 9:24am

Thats just 3 seconds of traffic....how long did you keep pressing reset?

bootpd -s -d 5
Starts bootp-server in debugging and foreground mode.

I'm using package bootp on ubuntu
root@sz:~# dpkg -s bootp
Package: bootp
Status: install ok installed
Priority: extra
Section: net
Installed-Size: 189
Maintainer: Ubuntu Developers ubuntu-devel-discuss@lists.ubuntu.com
Architecture: amd64
Version: 2.4.3-18build1
Depends: libc6 (>= 2.15), netbase, update-inetd

arthurrmp · April 4, 2020, 11:40am

Thanks again for helping.
This is the output of keeping pressing reset for more time:

ramoxy@ramoxy-PC:~$ sudo tcpdump -i enp34s0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp34s0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:35:55.938661 IP ramoxy-PC > 224.0.0.22: igmp v3 report, 1 group record(s)
08:35:55.938680 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
08:35:56.014664 IP ramoxy-PC > 224.0.0.22: igmp v3 report, 1 group record(s)
08:35:56.029294 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [10q] PTR (QM)? _pgpkey-hkp._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _ftp._tcp.local. PTR (QM)? _webdav._tcp.local. PTR (QM)? _webdavs._tcp.local. PTR (QM)? _sftp-ssh._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _nfs._tcp.local. (159)
08:35:56.043658 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [3q] [4n] ANY (QM)? d.7.5.0.7.9.8.5.7.5.9.f.a.d.e.9.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. ANY (QM)? ramoxy-PC.local. ANY (QM)? 10.0.168.192.in-addr.arpa. (210)
08:35:56.082686 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
08:35:56.293590 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [3q] [4n] ANY (QM)? d.7.5.0.7.9.8.5.7.5.9.f.a.d.e.9.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. ANY (QM)? ramoxy-PC.local. ANY (QM)? 10.0.168.192.in-addr.arpa. (210)
08:35:56.544445 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [3q] [4n] ANY (QM)? d.7.5.0.7.9.8.5.7.5.9.f.a.d.e.9.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. ANY (QM)? ramoxy-PC.local. ANY (QM)? 10.0.168.192.in-addr.arpa. (210)
08:35:56.745259 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0*- [0q] 2/0/0 (Cache flush) PTR ramoxy-PC.local., (Cache flush) AAAA fe80::9eda:f957:5897:57d (141)
08:35:56.745407 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0*- [0q] 2/0/0 (Cache flush) PTR ramoxy-PC.local., (Cache flush) A 192.168.0.10 (82)
08:35:56.818782 IP6 :: > ff02::1:ff97:57d: ICMP6, neighbor solicitation, who has ramoxy-PC, length 32
08:35:57.029336 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [10q] PTR (QM)? _pgpkey-hkp._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _ftp._tcp.local. PTR (QM)? _webdav._tcp.local. PTR (QM)? _webdavs._tcp.local. PTR (QM)? _sftp-ssh._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _nfs._tcp.local. (159)
08:35:57.811450 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0*- [0q] 4/0/0 (Cache flush) PTR ramoxy-PC.local., (Cache flush) A 192.168.0.10, (Cache flush) PTR ramoxy-PC.local., (Cache flush) AAAA fe80::9eda:f957:5897:57d (192)
08:35:57.842751 IP6 ramoxy-PC > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
08:35:57.854820 IP6 ramoxy-PC > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
08:35:57.986659 IP6 ramoxy-PC > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
08:35:58.035358 IP6 ramoxy-PC > ip6-allrouters: ICMP6, router solicitation, length 8
08:35:58.273611 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:00:aa:bb:cc:dd (oui Unknown), length 301
08:35:58.611077 IP6 ramoxy-PC > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
08:35:59.029874 IP6 ramoxy-PC.mdns > ff02::fb.mdns: 0 [10q] PTR (QM)? _pgpkey-hkp._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _ftp._tcp.local. PTR (QM)? _webdav._tcp.local. PTR (QM)? _webdavs._tcp.local. PTR (QM)? _sftp-ssh._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _nfs._tcp.local. (159)
08:35:59.029957 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [10q] PTR (QM)? _pgpkey-hkp._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _ftp._tcp.local. PTR (QM)? _webdav._tcp.local. PTR (QM)? _webdavs._tcp.local. PTR (QM)? _sftp-ssh._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _nfs._tcp.local. (159)
08:35:59.877810 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0*- [0q] 4/0/0 (Cache flush) PTR ramoxy-PC.local., (Cache flush) A 192.168.0.10, (Cache flush) PTR ramoxy-PC.local., (Cache flush) AAAA fe80::9eda:f957:5897:57d (192)
08:35:59.877895 IP6 ramoxy-PC.mdns > ff02::fb.mdns: 0*- [0q] 2/0/0 (Cache flush) PTR ramoxy-PC.local., (Cache flush) AAAA fe80::9eda:f957:5897:57d (141)
08:36:02.035785 IP6 ramoxy-PC > ip6-allrouters: ICMP6, router solicitation, length 8
08:36:03.033324 IP6 ramoxy-PC.mdns > ff02::fb.mdns: 0 [10q] PTR (QM)? _pgpkey-hkp._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _ftp._tcp.local. PTR (QM)? _webdav._tcp.local. PTR (QM)? _webdavs._tcp.local. PTR (QM)? _sftp-ssh._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _nfs._tcp.local. (159)
08:36:03.033411 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [10q] PTR (QM)? _pgpkey-hkp._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _ftp._tcp.local. PTR (QM)? _webdav._tcp.local. PTR (QM)? _webdavs._tcp.local. PTR (QM)? _sftp-ssh._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _nfs._tcp.local. (159)
08:36:06.038042 IP6 ramoxy-PC > ip6-allrouters: ICMP6, router solicitation, length 8
08:36:06.156176 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:00:aa:bb:cc:dd (oui Unknown), length 301
08:36:11.038842 IP6 ramoxy-PC.mdns > ff02::fb.mdns: 0 [10q] PTR (QM)? _pgpkey-hkp._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _ftp._tcp.local. PTR (QM)? _webdav._tcp.local. PTR (QM)? _webdavs._tcp.local. PTR (QM)? _sftp-ssh._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _nfs._tcp.local. (159)
08:36:11.038939 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [10q] PTR (QM)? _pgpkey-hkp._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _ftp._tcp.local. PTR (QM)? _webdav._tcp.local. PTR (QM)? _webdavs._tcp.local. PTR (QM)? _sftp-ssh._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _nfs._tcp.local. (159)
08:36:14.039183 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:00:aa:bb:cc:dd (oui Unknown), length 301
08:36:21.921368 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:00:aa:bb:cc:dd (oui Unknown), length 301
08:36:27.055253 IP6 ramoxy-PC.mdns > ff02::fb.mdns: 0 [10q] PTR (QM)? _pgpkey-hkp._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _ftp._tcp.local. PTR (QM)? _webdav._tcp.local. PTR (QM)? _webdavs._tcp.local. PTR (QM)? _sftp-ssh._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _nfs._tcp.local. (159)
08:36:27.055353 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [10q] PTR (QM)? _pgpkey-hkp._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _ftp._tcp.local. PTR (QM)? _webdav._tcp.local. PTR (QM)? _webdavs._tcp.local. PTR (QM)? _sftp-ssh._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _nfs._tcp.local. (159)
08:36:29.803953 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:00:aa:bb:cc:dd (oui Unknown), length 301
08:36:37.928692 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:00:aa:bb:cc:dd (oui Unknown), length 301
08:36:45.811291 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:00:aa:bb:cc:dd (oui Unknown), length 301
08:36:53.693908 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:00:aa:bb:cc:dd (oui Unknown), length 301
08:36:59.066330 IP6 ramoxy-PC.mdns > ff02::fb.mdns: 0 [10q] PTR (QM)? _pgpkey-hkp._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _ftp._tcp.local. PTR (QM)? _webdav._tcp.local. PTR (QM)? _webdavs._tcp.local. PTR (QM)? _sftp-ssh._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _nfs._tcp.local. (159)
08:36:59.066435 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [10q] PTR (QM)? _pgpkey-hkp._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _ftp._tcp.local. PTR (QM)? _webdav._tcp.local. PTR (QM)? _webdavs._tcp.local. PTR (QM)? _sftp-ssh._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _nfs._tcp.local. (159)
08:37:01.576523 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:00:aa:bb:cc:dd (oui Unknown), length 301

dpkg -s bootp
Package: bootp
Status: install ok installed
Priority: extra
Section: net
Installed-Size: 211
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: amd64
Version: 2.4.3-18build2
Depends: libc6 (>= 2.15), netbase, update-inetd

EDIT:

Got responses on the sudo bootpd -s -d 5

ramoxy@ramoxy-PC:~$ bootpd: info(6):   recvd pkt from IP addr 0.0.0.0
bootpd: info(6):   bootptab mtime: Sat Apr  4 09:20:33 2020
bootpd: info(6):   request from Ethernet address 00:00:AA:BB:CC:DD
bootpd: info(6):   found 192.168.0.1 (boot3)
bootpd: info(6):   bootfile="/tmp/miwifi_r4a_firmware_72d65_2.28.62.bin"
bootpd: info(6):   vendor magic field is 99.130.83.99
bootpd: info(6):   request message length=301
bootpd: info(6):   request has DHCP msglen=576
bootpd: info(6):   extended reply, length=576, options=340
bootpd: info(6):   Received: DHCPDISCOVER
bootpd: info(6):   Sent: DHCPOFFER
bootpd: info(6):   sending reply (with RFC1048 options)
bootpd: info(6):   setarp 192.168.0.1 - 00:00:AA:BB:CC:DD
bootpd: info(6):   recvd pkt from IP addr 192.168.0.1
bootpd: info(6):   bootptab mtime: Sat Apr  4 09:20:33 2020
bootpd: info(6):   request from Ethernet address 00:00:AA:BB:CC:DD
bootpd: info(6):   found 192.168.0.1 (boot3)
bootpd: info(6):   bootfile="/tmp/miwifi_r4a_firmware_72d65_2.28.62.bin"
bootpd: info(6):   vendor magic field is 99.130.83.99
bootpd: info(6):   request message length=301
bootpd: info(6):   request has DHCP msglen=576
bootpd: info(6):   extended reply, length=576, options=340
bootpd: info(6):   Received: DHCPREQUEST
bootpd: info(6):   Sent: DHCPACK
bootpd: info(6):   sending reply (with RFC1048 options)
bootpd: info(6):   setarp 192.168.0.1 - 00:00:AA:BB:CC:DD

but it doesn't seem to do nothing on my router. Here's how my /etc/bootptab is:

boot3:ha=0000aabbccdd:ip=192.168.0.1:sm=255.255.255.255:bf=/tmp/miwifi_r4a_firmware_72d65_2.28.62.bin

EDIT2:

I did it! My router is unbricked!
Thanks for your help micky0867.

I will stay here, if anyone needs any help.

Zorro · April 4, 2020, 7:45pm

why i can't add new interface in network==>interfaces?

for some strange reason i can't create new interface . it works before but suddenly this issue apears. i re-flash openwrt and did factory reset several times but still have problem.

please help me what should i do?

Zorro · April 5, 2020, 2:22pm

i bricked my router when i try go back to stock firmware please help me to debrick it. i need step by step tutorial thank you

Albertcp · April 5, 2020, 8:17pm

Hello,

Following the advices and steps that @micky0867 (Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit): fully supported but requires overwriting SPI flash with programmer), @acecilia and Arthur Machado said, I’ve managed to unbrick the router and installed the openwrt firmware. Thank you for your help.

I thought of writing a more detailed step by step of what’s been pointed out to make it simpler for beginner like to rescue a bricked router.

I’ve carried out the following steps on windows but I guess it would be easy to adapt it to linux or mac.

Generally speaking I’ve followed the micky0867 procedure of using bootp and tftp-server.

Requirements:

Bootp/dhcp server: https://bootp-dhcp-server.software.informer.com/2.3/ (used to assign an IP to the router)
Tftdp32: http://tftpd32.jounin.net/tftpd32_download.html (used to transfer the new image to flash)
The official firmware image (unfortunately only in Chinese): http://miwifi.com/miwifi_download.html (select the “ROM” category and choose your router model, in case of xiaomi 4a gigabite, here’s the link http://bigota.miwifi.com/xiaoqiang/rom/r4a/miwifi_r4a_firmware_72d65_2.28.62.bin). At the time of writing this, the available version is Chinese 2.28.62. It might be a good idea to save this image so if in future firmware updates they patch the acecilia exploit you could downgrade it and install easily openwrt.

***IMPORTANT EDIT: In my original post I linked a wrong firmware. It was for the 4A, not for the 4A Gigabit. I corrected it but please, before download any firmware version, double check it's the right one for your router. Thank you @acecilia for warning me.

Procedure:

Download the Chinese firmware in a directory.
Install Bootp/dhcp server and Tftdp32.
Connect the Ethernet cable from your pc to the local lan Ethernet port of the router (the one on the right side if you look the router from behind)
Power off/unplug the power cord from the router.
Set your IP network card parameters of your computer to static. Choose any IP (192.168.1.XXX), set 255.255.255.0 submask and leave gateway blank.
Open Bootp/dchp server. If you have multiple network cards select the one configured previously. It will ask for network configuration. Just set the submask net to 255.255.255.0. Leave the rest to default.
Press the reset button of your router and plug the power cord while you keep pressing the reset button. Hold it for 5 seconds or so, until yellow light starts to blink fast (once every second). This means that router is trying to load the image. If that doesn’t happen, try again.
After a few seconds a new MAC entry should appear in the list. It should say “bootp” in the type column. Double click it and add an IP address in the “192.168.1.XXX” range. And click OK.
A new item should appear in the bottom list, select it and Click on Disable Bootp/DHCP. This sets the IP of the router. You may receive a warning or error messages but the address should be setted fine. You may want to press the button and wait a couple of times since It may or may not succeed in telling the router to set the IP (there’s no return message that inform that the operation was successful).
Open Tftdp32 server and select the network interface we are working with. Then select “Log viewer” tab. You should see the router repeatedly trying to get a file. The name of that file is specified in the log. In my case was “test.bin”.
Rename de downloaded firmware to the name of the file router is looking for (“test.bin” in my case). Click on the “browse” button and select the directory that contains the renamed image.
You should see in the log that router successfully finds the file it is looking for and loads it up. Now be patient, the router is flashing the new image. It might take a while. It think that when it has finished a blue light will blink, but I’m not entirely sure that this light means itis done.
Set the IP to dynamic / DHCP.
Reboot the router (unplug/plug). You should have the router working again. Probably the whole UI will be in Chinese, have google translator at hand
You may now try to flash it again using acecilia described method. If you do, download the image again and be sure to check for the integrity of the new downloaded openwrt image (I think he added a checksum step verification in his git guide, don’t miss that step) and that the version you’re using is suitable for you router model.

Further references:

In case you may need further details of the procedure it may be useful these two youtube links that shows how to work with:

Bootp/dhcp server: https://www.youtube.com/watch?v=wf1yySl9ZfQ (relevant info can be found between 0:00 and 4:50 minutes).
Tftdp32: https://www.youtube.com/watch?v=ZW5fpOWpI0I (relevant info can be found between 11:00 and 20:30 minutes).

Thank you everyone in this forum. You’ve helped me a lot.

Arianismmm · April 5, 2020, 9:30pm

Thank you so much.
i have 2 problems with this method:

when i connect ethernet cable to my pc and then unplug my router, and then open Bootp/dhcp server, it says no valid ip found or somthing like that. but i did changed my ipv4 of network card in settings of my pc to static.
and then i when i turn on my router, it will appear in Bootp/dhcp server app but type is not BOOTP, it's DHCP.
i continued your method and uplodaded test.bin to my router and blue light is on but i can't still use my router still no wifi and even my pc shows an ip address which is weird:
something like 167.254.172.49
which part i'm doing wrong?

Zorro · April 5, 2020, 10:58pm

thank you very much i have same problem like @Arianismmm said what should we do ?

Arianismmm · April 6, 2020, 12:50am

i've found what was our problem.
after selecting test.bin file, wait for transfer to be completed. then, wait another 5-10 minutes. the image is installing it takes a while. after that it's totaly fine.
thank you

Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit) -- fully supported and flashable with OpenWRTInvasion

after flash you need to install luci via ssh(use putty) : 1.ssh root@192.168.1.1 2.opkg update && opkg install luci

after flash you need to install luci via ssh(use putty) :
1.ssh root@192.168.1.1
2.opkg update && opkg install luci