Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit) -- fully supported and flashable with OpenWRTInvasion

Here is my latest snapshot compile:

Sysupgrade & Initramfs

1 Like

Still no luck :frowning:

Below the log

Thanks

 ===================================================================
               MT7621   stage1 code done
                CPU=500000000 HZ BUS=166666666 HZ
===================================================================

U-Boot 1.1.3 (Jan 24 2019 - 07:46:43)

Board: Ralink APSoC DRAM:  128 MB
Power on memory test. Memory size= 128 MB...OK!
relocate_code Pointer at: 87fb0000

Config XHCI 40M PLL
RT2880_RSTSTAT_REG 0xc0030004
******************************
Software System Reset Occurred
******************************
flash manufacture id: c8, device id 40 18
find flash: GD25Q128C
============================================
Ralink UBoot Version: 5.0.0.0
--------------------------------------------
ASIC MT7621A DualCore (MAC to MT7530 Mode)
DRAM_CONF_FROM: Auto-Detection
DRAM_TYPE: DDR3
DRAM bus: 16 bit
Xtal Mode=3 OCP Ratio=1/3
Flash component: SPI Flash
Date:Jan 24 2019  Time:07:46:43
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:256, ways:4, linesz:32 ,total:32768

 ##### The CPU freq = 880 MHZ ####
 estimate memory size =128 Mbytes
#Reset_MT7530
set LAN/WAN LLLLW

restore_defaults:1

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.
   3: System Boot system code via Flash.
Booting System 1
Erasing SPI Flash...
raspi_erase: offs:30000 len:10000
.
Writing to SPI Flash...
.
done
## Booting image at bc180000 ...
   Image Name:   MIPS OpenWrt Linux-4.14.172
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    2022798 Bytes =  1.9 MB
   Load Address: 80001000
   Entry Point:  80001000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
Erasing SPI Flash...
raspi_erase: offs:30000 len:10000
.
Writing to SPI Flash...
.
done
commandline uart_en=0 factory_mode=0 mem=128m root=/dev/mtdblock9
No initrd
## Transferring control to Linux (at address 80001000) ...
## Giving linux memsize in MB, 128

Starting kernel ...

[    0.000000] Linux version 4.14.172 (toor@toorbuild) (gcc version 8.3.0 (OpenWrt GCC 8.3.0 r12138-1e3bfbafd3)) #0 SMP Thu Mar 12 20:31:17 2020
[    0.000000] SoC Type: MediaTek MT7621 ver:1 eco:3
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 0001992f (MIPS 1004Kc)
[    0.000000] MIPS: machine is Xiaomi Mi Router 3G v2
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] VPE topology {2,2} total 4
[    0.000000] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.000000] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000]   HighMem  empty
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] random: get_random_bytes called from start_kernel+0x9c/0x4d8 with crng_init=0
[    0.000000] percpu: Embedded 14 pages/cpu s26064 r8192 d23088 u57344
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 32480
[    0.000000] Kernel command line: console=ttyS0,115200n8 rootfstype=squashfs,jffs2
[    0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Writing ErrCtl register=00002840
[    0.000000] Readback ErrCtl register=00002840
[    0.000000] Memory: 121872K/131072K available (4814K kernel code, 245K rwdata, 1052K rodata, 1236K init, 253K bss, 9200K reserved, 0K cma-reserved, 0K highmem)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[    0.000000] Hierarchical RCU implementation.
[    0.000000] NR_IRQS: 256
[    0.000000] CPU Clock: 880MHz
[    0.000000] clocksource: GIC: mask: 0xffffffffffffffff max_cycles: 0xcaf478abb4, max_idle_ns: 440795247997 ns
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 4343773742 ns
[    0.000008] sched_clock: 32 bits at 440MHz, resolution 2ns, wraps every 4880645118ns
[    0.007809] Calibrating delay loop... 586.13 BogoMIPS (lpj=2930688)
[    0.073982] pid_max: default: 32768 minimum: 301
[    0.078792] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.085301] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.094421] Hierarchical SRCU implementation.
[    0.099620] smp: Bringing up secondary CPUs ...
[    0.105780] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[    0.105789] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.105800] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[    0.105935] CPU1 revision is: 0001992f (MIPS 1004Kc)
[    0.164367] Synchronize counters for CPU 1: done.
[    0.205857] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[    0.205865] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.205873] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[    0.205950] CPU2 revision is: 0001992f (MIPS 1004Kc)
[    0.255543] Synchronize counters for CPU 2: done.
[    0.286930] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[    0.286938] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.286946] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[    0.287021] CPU3 revision is: 0001992f (MIPS 1004Kc)
[    0.340722] Synchronize counters for CPU 3: done.
[    0.370575] smp: Brought up 1 node, 4 CPUs
[    0.378881] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.388678] futex hash table entries: 1024 (order: 3, 32768 bytes)
[    0.395078] pinctrl core: initialized pinctrl subsystem
[    0.401694] NET: Registered protocol family 16
[    0.416110] pull PCIe RST: RALINK_RSTCTRL = 4000000
[    0.721349] release PCIe RST: RALINK_RSTCTRL = 7000000
[    0.726382] ***** Xtal 40MHz *****
[    0.729752] release PCIe RST: RALINK_RSTCTRL = 7000000
[    0.734865] Port 0 N_FTS = 1b105000
[    0.738304] Port 1 N_FTS = 1b105000
[    0.741764] Port 2 N_FTS = 1b102800
[    1.896982] PCIE2 no card, disable it(RST&CLK)
[    1.901328]  -> 21007f2
[    1.903747] PCIE0 enabled
[    1.906360] PCIE1 enabled
[    1.908940] PCI host bridge /pcie@1e140000 ranges:
[    1.913701]  MEM 0x0000000060000000..0x000000006fffffff
[    1.918886]   IO 0x000000001e160000..0x000000001e16ffff
[    1.924059] PCI coherence region base: 0xbfbf8000, mask/settings: 0x60000000
[    1.940202] mt7621_gpio 1e000600.gpio: registering 32 gpios
[    1.946022] mt7621_gpio 1e000600.gpio: registering 32 gpios
[    1.951749] mt7621_gpio 1e000600.gpio: registering 32 gpios
[    1.958877] PCI host bridge to bus 0000:00
[    1.962912] pci_bus 0000:00: root bus resource [mem 0x60000000-0x6fffffff]
[    1.969749] pci_bus 0000:00: root bus resource [io  0xffffffff]
[    1.975598] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0]
[    1.982350] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[    1.992109] pci 0000:00:00.0: BAR 0: no space for [mem size 0x80000000]
[    1.998643] pci 0000:00:00.0: BAR 0: failed to assign [mem size 0x80000000]
[    2.005541] pci 0000:00:01.0: BAR 0: no space for [mem size 0x80000000]
[    2.012114] pci 0000:00:01.0: BAR 0: failed to assign [mem size 0x80000000]
[    2.019015] pci 0000:00:00.0: BAR 8: assigned [mem 0x60000000-0x600fffff]
[    2.025771] pci 0000:00:00.0: BAR 9: assigned [mem 0x60100000-0x601fffff pref]
[    2.032919] pci 0000:00:01.0: BAR 8: assigned [mem 0x60200000-0x602fffff]
[    2.039680] pci 0000:00:00.0: BAR 1: assigned [mem 0x60300000-0x6030ffff]
[    2.046412] pci 0000:00:01.0: BAR 1: assigned [mem 0x60310000-0x6031ffff]
[    2.053168] pci 0000:01:00.0: BAR 0: assigned [mem 0x60000000-0x600fffff 64bit]
[    2.060411] pci 0000:01:00.0: BAR 6: assigned [mem 0x60100000-0x6010ffff pref]
[    2.067586] pci 0000:00:00.0: PCI bridge to [bus 01]
[    2.072493] pci 0000:00:00.0:   bridge window [mem 0x60000000-0x600fffff]
[    2.079244] pci 0000:00:00.0:   bridge window [mem 0x60100000-0x601fffff pref]
[    2.086414] pci 0000:02:00.0: BAR 0: assigned [mem 0x60200000-0x602fffff]
[    2.093162] pci 0000:00:01.0: PCI bridge to [bus 02]
[    2.098069] pci 0000:00:01.0:   bridge window [mem 0x60200000-0x602fffff]
[    2.106170] clocksource: Switched to clocksource GIC
[    2.112673] NET: Registered protocol family 2
[    2.117725] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    2.124598] TCP bind hash table entries: 1024 (order: 1, 8192 bytes)
[    2.130963] TCP: Hash tables configured (established 1024 bind 1024)
[    2.137381] UDP hash table entries: 256 (order: 1, 8192 bytes)
[    2.143139] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[    2.149628] NET: Registered protocol family 1
[    2.386116] 4 CPUs re-calibrate udelay(lpj = 2924544)
[    2.392377] Crashlog allocated RAM at address 0x3f00000
[    2.398038] workingset: timestamp_bits=14 max_order=15 bucket_order=1
[    2.411906] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    2.417698] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    2.430795] io scheduler noop registered
[    2.434635] io scheduler deadline registered (default)
[    2.439872] random: fast init done
[    2.444027] Serial: 8250/16550 driver, 3 ports, IRQ sharing disabled
[    2.451545] console [ttyS0] disabled
[    2.455087] 1e000c00.uartlite: ttyS0 at MMIO 0x1e000c00 (irq = 19, base_baud = 3125000) is a 16550A
[    2.464130] console [ttyS0] enabled
[    2.464130] console [ttyS0] enabled
[    2.471066] bootconsole [early0] disabled
[    2.471066] bootconsole [early0] disabled
[    2.481033] MediaTek Nand driver init, version v2.1 Fix AHB virt2phys error
[    2.488415] spi-mt7621 1e000b00.spi: sys_freq: 220000000
[    2.496236] m25p80 spi0.0: gd25q128 (16384 Kbytes)
[    2.501087] 8 fixed-partitions partitions found on MTD device spi0.0
[    2.507446] Creating 8 MTD partitions on "spi0.0":
[    2.512223] 0x000000000000-0x000000030000 : "u-boot"
[    2.518182] 0x000000030000-0x000000040000 : "u-boot-env"
[    2.524357] 0x000000040000-0x000000050000 : "Bdata"
[    2.530177] 0x000000050000-0x000000060000 : "factory"
[    2.536230] 0x000000060000-0x000000070000 : "crash"
[    2.542030] 0x000000070000-0x000000080000 : "cfg_bak"
[    2.548031] 0x000000080000-0x000000180000 : "overlay"
[    2.553953] 0x000000180000-0x000001000000 : "firmware"
[    2.560189] 2 uimage-fw partitions found on MTD device firmware
[    2.566092] Creating 2 MTD partitions on "firmware":
[    2.571079] 0x000000000000-0x0000001eddce : "kernel"
[    2.577306] 0x0000001eddce-0x000000e80000 : "rootfs"
[    2.583318] mtd: device 9 (rootfs) set to be root filesystem
[    2.589068] 1 squashfs-split partitions found on MTD device rootfs
[    2.595231] 0x0000005f0000-0x000000e80000 : "rootfs_data"
[    2.602504] libphy: Fixed MDIO Bus: probed
[    2.678182] libphy: mdio: probed
[    4.083172] mtk_soc_eth 1e100000.ethernet: loaded mt7530 driver
[    4.089853] mtk_soc_eth 1e100000.ethernet eth0: mediatek frame engine at 0xbe100000, irq 21
[    4.101035] NET: Registered protocol family 10
[    4.107128] Segment Routing with IPv6
[    4.110869] NET: Registered protocol family 17
[    4.115360] 8021q: 802.1Q VLAN Support v1.8
[    4.122051] hctosys: unable to open rtc device (rtc0)
[    4.130266] VFS: Mounted root (squashfs filesystem) readonly on device 31:9.
[    4.141407] Freeing unused kernel memory: 1236K
[    4.145930] This architecture does not have kernel memory protection.
[    4.246829] SQUASHFS error: xz decompression failed, data probably corrupt
[    4.253694] SQUASHFS error: squashfs_read_data failed to read block 0x9665a
[    4.262408] SQUASHFS error: xz decompression failed, data probably corrupt
[    4.269269] SQUASHFS error: squashfs_read_data failed to read block 0x9665a
[    4.276355] Starting init: /sbin/init exists but couldn't execute it (error -5)
[    4.414386] SQUASHFS error: xz decompression failed, data probably corrupt
[    4.421306] SQUASHFS error: squashfs_read_data failed to read block 0x9665a
[    4.428396] Starting init: /bin/sh exists but couldn't execute it (error -5)
[    4.435415] Kernel panic - not syncing: No working init found.  Try passing init= option to kernel. See Linux Documentation/admin-guide/init.rst for guidance.
[    4.451365] Rebooting in 1 seconds..
1 Like
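One detail worth reading out of the log above: U-Boot reports "Verifying Checksum ... OK" and the kernel decompresses fine, yet the boot dies on "SQUASHFS error: xz decompression failed". The uImage header and data CRCs only cover the kernel payload; the squashfs rootfs that follows it is not covered by any checksum the bootloader checks, so a damaged rootfs only surfaces when the kernel tries to run /sbin/init. The script below is an added example (not code from this thread or from the OpenWrt project) that parses the legacy 64-byte uImage header of a firmware file, recomputes both CRC-32s, and checks that a squashfs superblock sits exactly where OpenWrt's uimage-fw splitter will start the rootfs partition, i.e. right after the kernel data. For the log above that arithmetic is 0x40 + 2022798 = 0x1eddce, matching the "kernel"/"rootfs" boundary the kernel printed. The build_uimage helper and the sample bytes exist only to construct an offline test image; field layout follows U-Boot's legacy image header.

```python
"""Pre-flash sanity check for a legacy uImage + squashfs firmware blob.

Added example; not code from the thread or from the OpenWrt project.
U-Boot's legacy uImage header is 64 bytes, big-endian, with a CRC-32 over the
header (hcrc field zeroed) and a CRC-32 over the payload. zlib.crc32 uses the
same polynomial, so no extra dependency is needed.
"""
import struct
import sys
import zlib

IH_MAGIC = 0x27051956            # legacy uImage magic
IH_HEADER_LEN = 64
IH_NAME_LEN = 32
SQUASHFS_MAGIC = b"hsqs"         # little-endian squashfs superblock magic
# magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name
_HDR_FMT = ">IIIIIIIBBBB32s"


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def rootfs_offset(kernel_data_size):
    """Where the uimage-fw splitter starts the rootfs: directly after the kernel data.

    For the log in the thread: 0x40 + 2022798 == 0x1eddce, the kernel/rootfs boundary.
    """
    return IH_HEADER_LEN + kernel_data_size


def build_uimage(name, data, load=0x80001000, ep=0x80001000):
    """Build a legacy uImage: os=5 (Linux), arch=5 (MIPS), type=2 (kernel), comp=3 (lzma).

    Only used here to construct a sample; real images come from mkimage in the build.
    """
    name_b = name.encode()[:IH_NAME_LEN].ljust(IH_NAME_LEN, b"\0")
    hdr = struct.pack(_HDR_FMT, IH_MAGIC, 0, 0, len(data), load, ep,
                      crc32(data), 5, 5, 2, 3, name_b)
    # header CRC is computed with the hcrc field set to zero, then patched in
    hdr = hdr[:4] + struct.pack(">I", crc32(hdr)) + hdr[8:]
    return hdr + data


def check_firmware(blob):
    """Parse the uImage header, recompute both CRCs and look for the squashfs superblock."""
    if len(blob) < IH_HEADER_LEN:
        raise ValueError("blob is shorter than a uImage header")
    hdr = blob[:IH_HEADER_LEN]
    (magic, hcrc, _ts, size, load, ep, dcrc,
     _os, _arch, _type, comp, name) = struct.unpack(_HDR_FMT, hdr)
    if magic != IH_MAGIC:
        raise ValueError("not a legacy uImage: magic 0x%08x" % magic)
    header_crc_ok = crc32(hdr[:4] + b"\0\0\0\0" + hdr[8:]) == hcrc
    data = blob[IH_HEADER_LEN:IH_HEADER_LEN + size]
    data_crc_ok = len(data) == size and crc32(data) == dcrc   # a truncated image fails here
    off = rootfs_offset(size)
    rootfs_magic_ok = blob[off:off + 4] == SQUASHFS_MAGIC
    return {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "data_size": size,
        "load_addr": load,
        "entry_point": ep,
        "compression": comp,
        "header_crc_ok": header_crc_ok,
        "data_crc_ok": data_crc_ok,
        "rootfs_offset": off,
        "rootfs_magic_ok": rootfs_magic_ok,
    }


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as f:
            blob = f.read()
    else:
        # constructed sample: a fake kernel payload followed by a bare squashfs magic
        blob = (build_uimage("MIPS OpenWrt Linux-4.14.172", bytes(range(256)) * 8)
                + SQUASHFS_MAGIC + b"\0" * 60)
    r = check_firmware(blob)
    for k, v in r.items():
        shown = hex(v) if isinstance(v, int) and not isinstance(v, bool) else v
        print("%-16s %s" % (k, shown))
    return 0 if (r["header_crc_ok"] and r["data_crc_ok"] and r["rootfs_magic_ok"]) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_fw.py openwrt-sysupgrade.bin` before flashing. It only proves the file on disk is well-formed; it cannot tell you that the bytes actually written to SPI flash match the file, which is what the xz errors above suggest went wrong.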

Hi guys,

great work!

I'm still trying to trick the system without touching the HW.
Here's something maybe useful. This link leads you to a download link where you get lots of information from the running system.

http://routers-ip/luci/;stok=your-stokid/api/misystem/sys_log

Regards
Micky

1 Like

Hey guys, good news!

I got root access to the router (firmware version 2.28.132) using an existing vulnerability, and tweaking the exploit a bit.
Find the exploit ready to run here (I am running it from MacOS): https://github.com/acecilia/OpenWRTInvasion

I tried to get an image of the current firmware (which is unreleased). My idea was that, if I get the router to report a low version of the firmware, the server would send me the .bin file. That was not the case: whatever the reported version, the server considers it updated and returns nothing. I will keep digging.

Meanwhile, maybe some of you manage to get other cool stuff done now that root shell is available :slight_smile:

4 Likes

Well, if you get a root shell, it should be enough to do what is said here to get OpenWRT up and running: Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit): fully supported but requires overwriting SPI flash with programmer

Won't test it myself because I don't want to put the official firmware back on mine, but anyone with a new router can try :slight_smile:

2 Likes

@araujorm yes, I am aware. But I do not want to lose the stock firmware; so far it works very well for me. I would like to get the stock firmware .bin before flashing OpenWRT. The only available firmware for this router at the moment is in Chinese :confused:

1 Like

Not working here:

{"code":1629,"msg":"Unzip error, file is not intack"}

and...by the way...
wouldn't it be easier to start /etc/init.d/telnet instead of a script with a remote pipe with a.....????

1 Like

@micky0867 If you do not provide more information I can't help much.

By the way... You can try to start telnet when you manage to get root. I tried and did not succeed.

1 Like

I'm using python3 on Linux.
Also tried to upload the file using curl, with the same error.

1 Like

@micky0867 Version of firmware? You can replace the content of the script_template.sh file for just reboot to see if you manage to get command execution.

Didn't try this on linux, only MacOS.

1 Like

Firmware is stock, 2.28.132
The problem occurs when uploading payload.tar.gz, so changes to script_template.sh may not help.

Maybe.....
Mine is running as a wired repeater...
When I start the bandwidth-test, reply is always

{"download":0,"bandwidth":0,"code":0}
1 Like

@micky0867 mine is running as a wifi extender, but I do not see why that would make a difference. I am out of ideas

1 Like

If both of you (@micky0867 @acecilia) can capture the traffic using Wireshark (or tcpdump) we can try to compare the requests

1 Like

@acecilia can you please remove the comment from line #82 in your py-script and post the output?
Also: what are your attacker and router IPs, and what is the md5sum of your payload.tar.gz, so I can check whether my payload.tar.gz has the same md5sum?
Since it's a binary file and it's not platform related, I think they should produce the same md5sum.

Using the url from above (.../api/misystem/sys_log), I was able to verify that my files at least got uploaded to /tmp.

1 Like

@micky0867 I just updated the repo with a payload.tar.gz example for you to use, hope it helps.

The payload.tar.gz is not a binary; it is a normal compressed file that you can compress/decompress easily.

Ah! I uncommented line #82 in my py-script and the output is the following:

{"code":1629,"msg":"Unzip error, file is not intack"}

Despite that, the files are getting copied to /tmp and I am getting the root shell correctly :slight_smile:

1 Like

@acecilia tar.gz is a binary format, because it's not human readable like a text file. It doesn't matter whether the file is executable or not.
I've checked everything several times, but couldn't find anything wrong.
I also changed the attacker IP to some other system, where I was simply running tcpdump to check for connections on port 4444. No luck... nothing happens.

ok, what more?
between "start exec command" and "done!" there are just a few seconds...I would assume that this should block if it's connected to my netcat.

one more thing:
once the file is uploaded, what is the reply, when you open the url
http://router-ip/cgi-bin/luci/;stok=your-stok-id/api/xqnetdetect/netspeed
and do you also get root access when nc is listening on port 4444 meanwhile?

1 Like

Between "start exec command" and "done!" my terminal gets blocked for around 20sec, then it prints "done!". The opened shell appears after half a second of the command being executed, and is alive after "done!" is printed (until you close it).

The reply for the request you asked is {"download":0,"bandwidth":0,"code":0}, after the exploit is executed.

You have to execute /usr/bin/nc -l 4444 before python3 remote_command_execution_vulnerability.py.

1 Like

@micky0867 besides what has been said, can you confirm you don't have your system firewall (e.g. firewalld) blocking port 4444 on your linux machine? If in doubt, try doing this first on your linux machine:

iptables -I INPUT -s <your_routers_ip> -p tcp --dport 4444 -j ACCEPT

(assuming your machine's firewall uses iptables and not nftables)

1 Like

IIRC: Even if my firewall was up, tcpdump should show the incoming packet, before it's blocked.

But just to be sure:

root@sz:~# iptables --list -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
root@sz:~#
1 Like
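The exchange above is trying to tell two failures apart: the router never reaching port 4444 at all (nothing in tcpdump) versus it connecting and dropping the shell before anything is visible. A plain `nc -l 4444` does not distinguish those and waits forever. Below is an added example, not code from this thread or from OpenWRTInvasion, of a listener that stands in for netcat during troubleshooting: it accepts one connection, records the peer address and the first bytes received, flags a peer other than the expected router address, and returns after a timeout. Port 4444 is the thread's value; the CallbackListener class, the result dictionary layout, and the fake_client helper (used only for the offline self-test) are this example's own.

```python
"""Connect-back listener with a timeout, for the "nc -l 4444 sees nothing" case.

Added example; not code from the thread or from OpenWRTInvasion. It records
whether a client connected, from where, and what it sent first, and gives up
after a timeout instead of blocking forever.
"""
import socket
import threading
import time


class CallbackListener:
    def __init__(self, bind_addr="0.0.0.0", port=4444, expected_peer=None):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((bind_addr, port))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]   # the real port, useful when port=0
        self.expected_peer = expected_peer       # router IP, if you want a mismatch flagged

    def wait(self, timeout=30.0, banner_timeout=2.0):
        """Block for one connection (or the timeout) and describe what happened."""
        self.sock.settimeout(timeout)
        t0 = time.monotonic()
        result = {"connected": False, "peer": None, "first_bytes": b"",
                  "unexpected_peer": False, "elapsed": 0.0}
        try:
            conn, peer = self.sock.accept()
        except socket.timeout:
            result["elapsed"] = time.monotonic() - t0
            return result
        result["connected"] = True
        result["peer"] = peer
        if self.expected_peer is not None and peer[0] != self.expected_peer:
            result["unexpected_peer"] = True     # something other than the router got here
        with conn:
            conn.settimeout(banner_timeout)
            try:
                result["first_bytes"] = conn.recv(256)   # b"" if the client hung up at once
            except socket.timeout:
                pass
        result["elapsed"] = time.monotonic() - t0
        return result

    def close(self):
        self.sock.close()


def describe(result):
    """Turn a wait() result into the one-line diagnosis you actually want."""
    if not result["connected"]:
        return ("no connection within %.1fs: the router never reached this host"
                % result["elapsed"])
    who = "%s:%d" % result["peer"]
    if result["unexpected_peer"]:
        return "connection from unexpected host %s" % who
    if not result["first_bytes"]:
        return "connection from %s but no data: the connect-back died immediately" % who
    return "connection from %s, first bytes %r" % (who, result["first_bytes"])


def fake_client(port, payload=b"", host="127.0.0.1"):
    """Connect from a background thread; only used for the offline self-test."""
    def run():
        with socket.create_connection((host, port), timeout=5) as c:
            if payload:
                c.sendall(payload)
    t = threading.Thread(target=run, daemon=True)
    t.start()
    return t


if __name__ == "__main__":
    # Real use: run this instead of `nc -l 4444`, then launch the script from the thread.
    listener = CallbackListener(port=4444)
    print(describe(listener.wait(timeout=60.0)))
    listener.close()
```

It only answers "did anything arrive and from whom"; once that is confirmed, switch back to netcat for the interactive shell, since this listener closes the connection after reading the first bytes.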

@acecilia can you please go to the URL .../api/misystem/sys_log (see above) and download the logfile?
Inside the logfile you'll find a file called tmp/xiaoqiang.log, which contains information about the rom.
Here's my info:

ROM    ver: config core 'version'
        # ROM ver
        option ROM '2.28.132'
        # channel
        option CHANNEL 'release'
        # hardware platform R1AC or R1N etc.
        option HARDWARE 'R4A'
        # CFE ver
        option UBOOT '1.0.2'
        # Linux Kernel ver
        option LINUX '0.0.1'
        # RAMFS ver
        option RAMFS '0.0.1'
        # SQUASHFS ver
        option SQAFS '0.0.1'
        # ROOTFS ver
        option ROOTFS '0.0.1'
        #build time
        option BUILDTIME 'Wed, 08 May 2019 07:39:09 +0000'
        #build timestamp
        option BUILDTS '1557301149'
        #build git tag
        option GTAG 'commit 4a0ee0932fbf9b6555ec1a170de7763693d4135e'
Hardware  : Ver. A
ROM    sum:
System    : Dual - 1
KERNEL    : console=ttyS1,115200n8 uart_en=0 factory_mode=0 mem=128m root=/dev/mtdblock9
1 Like