Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit) -- fully supported and flashable with OpenWRTInvasion

Please put reboot in the script and see if the rooter reboots. If it happens as you say and the data is uploaded to the router (as I expect), the router will reboot indicating that the exploit succeeded, and thus the problem is in the connection. Problem in the connection can be due to your network configuration, firewall or others.

The other info you asked for:

ROM    ver: config core 'version'
	# ROM ver
	option ROM '2.28.132'
	# channel
	option CHANNEL 'release'
	# hardware platform R1AC or R1N etc.
	option HARDWARE 'R4A'
	# CFE ver
	option UBOOT '1.0.2'
	# Linux Kernel ver
	option LINUX '0.0.1'
	# RAMFS ver
	option RAMFS '0.0.1'
	# SQUASHFS ver
	option SQAFS '0.0.1'
	# ROOTFS ver
	option ROOTFS '0.0.1'
	#build time
	option BUILDTIME 'Wed, 08 May 2019 07:39:09 +0000'
	#build timestamp
	option BUILDTS '1557301149'
	#build git tag
	option GTAG 'commit 4a0ee0932fbf9b6555ec1a170de7763693d4135e'
Hardware  : Ver. A
ROM    sum: 
System    : Dual - 1
KERNEL    : console=ttyS1,115200n8 uart_en=0 factory_mode=0 mem=128m root=/dev/mtdblock9
1 Like

@acecilia I've already tried to reboot the router. Upload is working, I can see all the files in /tmp when extracting sys_log.
But it looks like nothing is executed.
I found the lua-script, which runs the speedtest in an other rom from some other Xiaomi router and extracted the commands, which execute the wget that leads to root-access. I can confirm, that when lua executes a string like that, one can inject a shell command.
Cann you please report the size, or even better download, this script from your router?
/usr/bin/download_speedtest

From the logs I was even able to see, that the script was executed.
In the file data/usr/log/messages from sys_log you'll find a string like that:

2020-03-20T17:48:12+01:00 mt7621 speedtest[10152]: download using /tmp/speedtest_urls.xml...
2020-03-20T17:48:12+01:00 mt7621 speedtest[10152]: download using nr: 200  nc: 15

But....
I changed the IPs in the xml file, so that every access goes to a not used IP in my network. This should lead to a timeout in wget, so that the execution time of the speedtest should be muuuuuuch longer.
But that doesn't happen. After some secods the script terminates.. Same like before.

1 Like

So, putting reboot on the script does not reboot the router, so the command is not running. No idea..

Try to reset the router maybe.

I added a gif showing it running in the README of the repo, so it is more clear.

1 Like

I tried the above method and it does work for me. I can get access to the shell.
Before jumping the ship to try to install openwrt, is there any possibility to backup the system and restore in case I mess this up?

1 Like

I'm eager to try but limit in knowledge. Can someone writes a dummy guide to install it?

1 Like

@acecilia got it running!
what I changed, was to disable the pihole dns server in my network.
don't understand why this could be the problem, but now it works.

you said that you've tried to emulate a lower firmware version to find a way to download the current version. how did you do that?
I've seen the router checking for a newer rom using a request like
http://eu.api.miwifi.com/rs/grayupgrade?countryCode=EU&rom=2.28.132&serialNumber=...
but unfortunately, the request contains some sort of checksum. changing parts of the request make the request invalid.

2 Likes

@rrg @micky0867 Im glad you managed. @hey07 check https://github.com/acecilia/OpenWRTInvasion and Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit): fully supported but requires overwriting SPI flash with programmer

Let's stop spamming the forum, I think we need a more continuous communication. I created a slack workspace, join here and use the channel #mirouter-4a-gigabit : https://join.slack.com/t/openwrt-workspace/shared_invite/zt-cz2m5uf4-Q8wbP_LKggOy9B7IQyaqfA

1 Like

@micky0867 please send me a message when you join, I would like to know how you got that url for downloading the firmware :slight_smile:

1 Like

@acecilia when monitoring the traffic between the router and eu.api.miwifi.com, you can see a request like
http://eu.api.miwifi.com/rs/grayupgrade?countryCode=EU&rom=2.28.132&serialNumber=...
and the answer is:
{"code":"0","data":{"needUpgrade":false,"changelogUrl":"","description":""}}
Maybe, when we could pretend a lower rom version, the answer would point to a downloadlink.
But the request seems to contain a checksum and can't be easily manipulated.
Now I'm searching the rom for the program that initiates the request.

2 Likes

@micky0867 can you post the checksum if you can see that in the request

1 Like

Here is the modified url (sorry, I'm not allowed to post a functional link here:
http://#ip-of-eu.api.miwifi.com#/rs/grayupgrade?countryCode=EU&rom=2.28.132&serialNumber=12345%2C20009910&rootfs=0.0.1&cfe=1.0.2&deviceID=53662a45-0fa5-3278-637b-4575a6eb2b31&ispCode=&linux=0.0.1&sqafs=0.0.1&hardware=R4A&locale=en_US&ramfs=0.0.1&channel=release&s=0b6118b2342546d44f2ccbb65cebd796&time=2020-03-14--18:24:08&token=8001233f-a1d6-4827-ac81-449395ad6a65

deviceID and serialNumber have been modified!
It contains my deviceid and a timestamp.
The field s= seems to contain a md5sum.
When I've changed any parameter (except the token), the request was answered with HTTP-401

1 Like

@micky0867 can you please join slack to stop spamming the forum

1 Like

Why do you consider this as spamming? This is the purpose of the forum and especially this thread to discuss what's needed in order to support OpenWrt on this router

1 Like

It is very slow to help people here with the script because developing requires a more fluent conversation. For example, all issues in the last 10-15 messages could have been resolved in 10 to 15 minutes in a fluent conversation in Slack.

Because of that, it is very common during development in many open source projects to have a Slack/IRC channel for developers. You can see OpenWrt already has IRC channels for such purpose: https://openwrt.org/contact#irc_channels. IRC channels do not keep a history of the conversation, that is why I prefer Slack.

I am not proposing anything new.

2 Likes

Understandable. Still, the conversation was being interesting :slight_smile: (speak for myself). Don't forget to announce here if anything new comes from your research please, and if you're stuck don't hesitate to ask here. Good job guys.

3 Likes

@rogerpueyo : I would like to update to openwrt.
Do you think that simply using "mtd write xy.bin OS1" should do the trick?
Which image should I use?
Thanks for your support!

1 Like

I have not been following the discussion in this thread since I don't have access to the device anymore. The whole OpenWrt flashing process I followed is described in the first posts.

I don't know if your command will work. 10 days ago, user Double-G kindly wrote this:

1 Like

Guys, I got openwrt install and work properly (without SPI flashing) using OnperWRTInvasion by @acecilia to gain root access; and flash snapshots version of mir3g-v2-squashfs-sysupgrade.bin using @rogerpueyo method found here. after auto reboot, openwrt.

9 Likes

thank you , please make a youtube video Tutorial how you flash openwrt on mi4a gigabit edition ,special thanks to all ppl made this happen great news.

That's super good news, @hey07!

Could you tell us what was the stock firmware version you performed OpenWRTInvasion successfully on? 2.28.132? Was it the one that came with the device, or did you download it from somewhere else?

I'll be adding it to the ToH in the wiki (or, please, feel free to do it).

2 Likes