Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit) -- fully supported and flashable with OpenWRTInvasion

Please put reboot in the script and see if the router reboots. If it happens as you say and the data is uploaded to the router (as I expect), the router will reboot, indicating that the exploit succeeded, and thus the problem is in the connection. A problem in the connection can be due to your network configuration, firewall or others.

The other info you asked for:

ROM    ver: config core 'version'
	# ROM ver
	option ROM '2.28.132'
	# channel
	option CHANNEL 'release'
	# hardware platform R1AC or R1N etc.
	option HARDWARE 'R4A'
	# CFE ver
	option UBOOT '1.0.2'
	# Linux Kernel ver
	option LINUX '0.0.1'
	# RAMFS ver
	option RAMFS '0.0.1'
	# SQUASHFS ver
	option SQAFS '0.0.1'
	# ROOTFS ver
	option ROOTFS '0.0.1'
	#build time
	option BUILDTIME 'Wed, 08 May 2019 07:39:09 +0000'
	#build timestamp
	option BUILDTS '1557301149'
	#build git tag
	option GTAG 'commit 4a0ee0932fbf9b6555ec1a170de7763693d4135e'
Hardware  : Ver. A
ROM    sum: 
System    : Dual - 1
KERNEL    : console=ttyS1,115200n8 uart_en=0 factory_mode=0 mem=128m root=/dev/mtdblock9
1 Like

@acecilia I've already tried to reboot the router. Upload is working, I can see all the files in /tmp when extracting sys_log.
But it looks like nothing is executed.
I found the Lua script which runs the speedtest in another ROM from some other Xiaomi router and extracted the commands which execute the wget that leads to root access. I can confirm that when Lua executes a string like that, one can inject a shell command.
Can you please report the size of, or even better download, this script from your router?
/usr/bin/download_speedtest

From the logs I was even able to see that the script was executed.
In the file data/usr/log/messages from sys_log you'll find a string like this:

2020-03-20T17:48:12+01:00 mt7621 speedtest[10152]: download using /tmp/speedtest_urls.xml...
2020-03-20T17:48:12+01:00 mt7621 speedtest[10152]: download using nr: 200  nc: 15

But....
I changed the IPs in the XML file so that every access goes to an unused IP in my network. This should lead to a timeout in wget, so that the execution time of the speedtest should be muuuuuuch longer.
But that doesn't happen. After some seconds the script terminates, same as before.

1 Like
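The injection pattern described above (a URL read from the uploaded speedtest_urls.xml is spliced into a shell command string that the Lua speedtest script executes), as an added Python illustration. This is not code from the page, from the router firmware or from OpenWRTInvasion: the `<url>` element layout of the XML, the sample addresses and the exact `wget` command line are assumptions, since the real script is not shown here. The block builds the command the way the thread says the script does, shows how a POSIX shell would tokenise it (the `;` ends the `wget` command and starts a second one, which is why a `reboot` inside the URL is a usable success indicator), and puts a hardened builder beside it that validates the URL and returns an argv list instead of a shell string. Nothing is executed.

```python
import re
import shlex
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample in the shape the thread implies (a list of download
# URLs). The real speedtest_urls.xml layout is not shown on the page; the
# <urls><url>...</url></urls> structure is an assumption for this example.
SAMPLE_XML = """<?xml version="1.0"?>
<urls>
  <url>http://192.168.31.250/1mb.bin</url>
  <url>http://192.168.31.250/x;reboot</url>
</urls>
"""

# Conservative allowlist for URL characters: letters, digits and the
# punctuation a plain http(s) URL needs, but no shell metacharacters
# (';', '|', '$', '`', quotes, whitespace).
_URL_CHARS = re.compile(r"[A-Za-z0-9._~:/?=&%+-]+")


def parse_urls(xml_text):
    """Return the URL strings from the (assumed) <url> elements."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter("url") if el.text]


def vulnerable_command(url):
    """The pattern the thread describes: the attacker-controlled URL is
    concatenated into a command string that is later handed to a shell.
    The command line itself is an assumption; nothing is run here."""
    return "wget -O /dev/null " + url


def shell_words(command):
    """Tokenise the command the way a POSIX shell would, so that the
    command separator injected through the URL becomes visible."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def hardened_argv(url):
    """Validate the URL and return an argv list. The URL is one argument
    for execve and is never parsed by a shell, so metacharacters in it
    cannot start a second command; the allowlist is defence in depth."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) URL: %r" % url)
    if not _URL_CHARS.fullmatch(url):
        raise ValueError("URL contains disallowed characters: %r" % url)
    return ["wget", "-O", "/dev/null", url]


def is_accepted(url):
    """True if the hardened builder accepts the URL."""
    try:
        hardened_argv(url)
        return True
    except ValueError:
        return False


def triage(xml_text):
    """For each URL in the list: the command the vulnerable pattern would
    build, and whether the hardened builder would accept the URL."""
    return [(u, vulnerable_command(u), is_accepted(u)) for u in parse_urls(xml_text)]


if __name__ == "__main__":
    for url, cmd, ok in triage(SAMPLE_XML):
        print("url:", url)
        print("  shell sees:", shell_words(cmd))
        print("  hardened builder accepts:", ok)
```

The second sample URL tokenises to `wget -O /dev/null http://192.168.31.250/x`, then `;`, then `reboot`: the same shape as the reboot test suggested earlier in the thread, where a successful upload that does not reboot the router means the string was never executed rather than that the upload failed.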

So, putting reboot on the script does not reboot the router, so the command is not running. No idea..

Try to reset the router maybe.

I added a gif showing it running in the README of the repo, so it is more clear.

1 Like

I tried the above method and it does work for me. I can get access to the shell.
Before jumping ship to try to install OpenWrt, is there any possibility to back up the system and restore it in case I mess this up?

1 Like

I'm eager to try but limited in knowledge. Can someone write a dummy guide to install it?

1 Like

@acecilia got it running!
What I changed was to disable the Pi-hole DNS server in my network.
I don't understand why this could be the problem, but now it works.

You said that you've tried to emulate a lower firmware version to find a way to download the current version. How did you do that?
I've seen the router checking for a newer ROM using a request like
http://eu.api.miwifi.com/rs/grayupgrade?countryCode=EU&rom=2.28.132&serialNumber=...
but unfortunately the request contains some sort of checksum. Changing parts of the request makes the request invalid.

2 Likes

@rrg @micky0867 I'm glad you managed. @hey07 check https://github.com/acecilia/OpenWRTInvasion and Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit): fully supported but requires overwriting SPI flash with programmer

Let's stop spamming the forum, I think we need a more continuous communication. I created a slack workspace, join here and use the channel #mirouter-4a-gigabit : https://join.slack.com/t/openwrt-workspace/shared_invite/zt-cz2m5uf4-Q8wbP_LKggOy9B7IQyaqfA

1 Like

@micky0867 please send me a message when you join, I would like to know how you got that url for downloading the firmware :)

1 Like

@acecilia when monitoring the traffic between the router and eu.api.miwifi.com, you can see a request like
http://eu.api.miwifi.com/rs/grayupgrade?countryCode=EU&rom=2.28.132&serialNumber=...
and the answer is:
{"code":"0","data":{"needUpgrade":false,"changelogUrl":"","description":""}}
Maybe, if we could pretend a lower ROM version, the answer would point to a download link.
But the request seems to contain a checksum and can't be easily manipulated.
Now I'm searching the rom for the program that initiates the request.

2 Likes

@micky0867 can you post the checksum if you can see that in the request

1 Like

Here is the modified url (sorry, I'm not allowed to post a functional link here):
http://#ip-of-eu.api.miwifi.com#/rs/grayupgrade?countryCode=EU&rom=2.28.132&serialNumber=12345%2C20009910&rootfs=0.0.1&cfe=1.0.2&deviceID=53662a45-0fa5-3278-637b-4575a6eb2b31&ispCode=&linux=0.0.1&sqafs=0.0.1&hardware=R4A&locale=en_US&ramfs=0.0.1&channel=release&s=0b6118b2342546d44f2ccbb65cebd796&time=2020-03-14--18:24:08&token=8001233f-a1d6-4827-ac81-449395ad6a65

deviceID and serialNumber have been modified!
It contains my deviceid and a timestamp.
The field s= seems to contain an MD5 sum.
When I changed any parameter (except the token), the request was answered with HTTP 401.

1 Like
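The two posts above describe the grayupgrade request: a query string carrying the ROM version fields, a time value and an `s=` value that looks like an MD5 sum, where changing any parameter except `token` produces HTTP 401. The Python below is an added example of how one would test hypotheses about how `s` is derived; it is not code from the page, from the router firmware or from OpenWRTInvasion, and none of the candidate schemes in it is Xiaomi's actual algorithm. The canonicalisation variants and the toy secret are assumptions; the observed `s` from the post cannot be reproduced in any case, because the poster modified deviceID and serialNumber before posting. To show the method working end to end, the block re-signs the posted query with one of the candidate schemes and a constructed secret, then checks that tampering with a signed field breaks the match while changing `token` does not, mirroring the poster's observation.

```python
import hashlib
from urllib.parse import parse_qsl, urlencode

# Query string exactly as posted in the thread (deviceID and serialNumber
# were already altered by the poster, so the real server would reject it).
OBSERVED_QUERY = (
    "countryCode=EU&rom=2.28.132&serialNumber=12345%2C20009910&rootfs=0.0.1"
    "&cfe=1.0.2&deviceID=53662a45-0fa5-3278-637b-4575a6eb2b31&ispCode="
    "&linux=0.0.1&sqafs=0.0.1&hardware=R4A&locale=en_US&ramfs=0.0.1"
    "&channel=release&s=0b6118b2342546d44f2ccbb65cebd796"
    "&time=2020-03-14--18:24:08&token=8001233f-a1d6-4827-ac81-449395ad6a65"
)

# Candidate signing schemes. These are hypotheses for probing, not the
# vendor's algorithm: which fields are covered, whether they are sorted,
# and where a server-side secret (unknown) would be concatenated.
SCHEMES = {
    "sorted_no_token": dict(exclude={"s", "token"}, keep_order=False, secret_first=False),
    "sorted_with_token": dict(exclude={"s"}, keep_order=False, secret_first=False),
    "ordered_no_token": dict(exclude={"s", "token"}, keep_order=True, secret_first=False),
    "sorted_no_token_secret_first": dict(exclude={"s", "token"}, keep_order=False, secret_first=True),
}


def parse_query(query):
    """Ordered (key, value) pairs; blank values such as ispCode= are kept."""
    return list(parse_qsl(query, keep_blank_values=True))


def canonical(params, exclude, keep_order):
    """Join the covered fields as k=v&k=v, optionally sorted by key."""
    items = [(k, v) for k, v in params if k not in exclude]
    if not keep_order:
        items.sort()
    return "&".join("%s=%s" % (k, v) for k, v in items)


def sign(params, scheme, secret):
    """MD5 over the canonical string plus the (assumed) secret."""
    spec = SCHEMES[scheme]
    body = canonical(params, spec["exclude"], spec["keep_order"])
    data = secret + body if spec["secret_first"] else body + secret
    return hashlib.md5(data.encode()).hexdigest()


def find_matching_scheme(params, secret):
    """Name of the first candidate scheme whose signature equals the
    request's own s= value, or None if no candidate matches."""
    observed = dict(params).get("s")
    for name in SCHEMES:
        if sign(params, name, secret) == observed:
            return name
    return None


def set_param(params, key, value):
    """Copy of params with one field changed (simulates tampering)."""
    return [(k, value if k == key else v) for k, v in params]


def build_signed_query(params, scheme, secret):
    """Re-sign a request under a chosen scheme and secret (used here only
    to construct a known-good case for testing the probe)."""
    unsigned = [(k, v) for k, v in params if k != "s"]
    return urlencode(unsigned + [("s", sign(unsigned, scheme, secret))])


if __name__ == "__main__":
    posted = parse_query(OBSERVED_QUERY)
    # Against the posted request nothing can match: the secret is unknown
    # and the identifying fields were altered before posting.
    print("posted request, empty secret:", find_matching_scheme(posted, ""))
    # Constructed case with a toy secret, to show what a match looks like.
    signed = parse_query(build_signed_query(posted, "sorted_no_token", "toy-secret"))
    print("constructed request:", find_matching_scheme(signed, "toy-secret"))
    print("rom tampered:", find_matching_scheme(set_param(signed, "rom", "2.28.131"), "toy-secret"))
    print("token changed:", find_matching_scheme(set_param(signed, "token", "x"), "toy-secret"))
```

In practice the probe is only useful once the signing routine (and any embedded secret) has been located in the firmware, which is what the thread moves on to; against a captured request alone it can only rule candidate schemes out, never confirm one.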

@micky0867 can you please join slack to stop spamming the forum

1 Like

Why do you consider this as spamming? This is the purpose of the forum and especially this thread to discuss what's needed in order to support OpenWrt on this router

1 Like

It is very slow to help people here with the script because developing requires a more fluent conversation. For example, all issues in the last 10-15 messages could have been resolved in 10 to 15 minutes in a fluent conversation in Slack.

Because of that, it is very common during development in many open source projects to have a Slack/IRC channel for developers. You can see OpenWrt already has IRC channels for such purpose: https://openwrt.org/contact#irc_channels. IRC channels do not keep a history of the conversation, that is why I prefer Slack.

I am not proposing anything new.

3 Likes

Understandable. Still, the conversation was interesting :) (speaking for myself). Don't forget to announce here if anything new comes from your research please, and if you're stuck don't hesitate to ask here. Good job guys.

3 Likes

@rogerpueyo : I would like to update to openwrt.
Do you think that simply using "mtd write xy.bin OS1" should do the trick?
Which image should I use?
Thanks for your support!

1 Like

I have not been following the discussion in this thread since I don't have access to the device anymore. The whole OpenWrt flashing process I followed is described in the first posts.

I don't know if your command will work. 10 days ago, user Double-G kindly wrote this:

1 Like

Guys, I got OpenWrt installed and working properly (without SPI flashing) using OpenWRTInvasion by @acecilia to gain root access, and flashed the snapshot version of mir3g-v2-squashfs-sysupgrade.bin using @rogerpueyo's method found here. After the auto reboot, OpenWrt.

7 Likes

Thank you, please make a YouTube video tutorial on how you flashed OpenWrt on the Mi 4A Gigabit Edition. Special thanks to all the people who made this happen, great news.

That's super good news, @hey07!

Could you tell us what was the stock firmware version you performed OpenWRTInvasion successfully on? 2.28.132? Was it the one that came with the device, or did you download it from somewhere else?

I'll be adding it to the ToH in the wiki (or, please, feel free to do it).

2 Likes