Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit) -- fully supported and flashable with OpenWRTInvasion

If you have bricked your 4A Gigabit, here's how to get at least a Chinese image running.

Connect your PC and your router with an Ethernet cable. Use the port on the right side (viewed from the back side), not the WAN port!
Disconnect from power, press and hold reset, connect the power socket, and keep pressing.
When the light on the router starts flashing orange, it runs a bootp request in which you can present one of the official firmware images (unfortunately, they all seem to be Chinese).

Easiest way is to use a Linux PC with bootp in foreground mode and a tftp-server for this procedure.
During my tests the router changed its MAC several times! I don't have any clue how and why that happened. But that's the reason you should run bootp in foreground, so you can see which MAC is asking for bootp. During my several retries I saw 5 different MAC addresses in bootpd!

Once the Chinese image is running, you can again use acecilia's exploit to gain root access.
I was able to restore the 2.28.132 English version, because I made a backup of the OS1 and overlay partitions using dd before I bricked my router. So I only had to dd them back.

Unfortunately I was not able to install openwrt without bricking that thing. It always ended with all TCP ports closed. No ssh, no telnet, no http, no whatever access at all.

4 Likes

If the LAN ports do not work, then how to debrick the router?

I bricked my router several times.
I was always able to debrick it using the described procedure.
One time it took several attempts.

Best way is to connect every single port to a PC running tcpdump and to use the press-reset-and-power-on technique as described before.

2 Likes

hi albert, check out my post #391 (Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit): fully supported but requires overwriting SPI flash with programmer)

1 Like

Your MAC address is changed? How to bring back the original MAC address if we don't have a backup?

The WAN port, the one next to the reset button, has "only" 2 different addresses, at least in my case.
They differ only in the last digit. Every time after I tried to flash openwrt, it came up with the "second" address. In "normal" mode it was always what I call the "first" address.

I found the other addresses on the, let's say bootp-port on the right side, and only during bootp/startup.

2 Likes

Hello micky0867.
Thanks for your post.
I am new to OpenWRT and unfortunately screwed up my router by flashing the wrong firmware.
I have been searching for some hours but still can’t find how to do this procedure; I'm stuck on making bootp in foreground mode and a tftp-server.

I’m trying to start with something like this but can’t progress any longer. https://www.yumpu.com/en/document/read/49788031/how-to-update-firmware-on-thomson-routers

What do I have to write in /etc/bootptab?

Here's my tcpdump output when I turn on the router holding the reset button with a cable on LAN Port 2.

ramoxy@ramoxy-PC:~$ sudo tcpdump -i enp34s0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp34s0, link-type EN10MB (Ethernet), capture size 262144 bytes
01:19:24.583010 IP ramoxy-PC > 224.0.0.22: igmp v3 report, 1 group record(s)
01:19:24.583036 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
01:19:24.674584 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [2q] PTR (QM)? _ipps._tcp.local. PTR (QM)? _ipp._tcp.local. (45)
01:19:24.687944 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [3q] [4n] ANY (QM)? d.7.5.0.7.9.8.5.7.5.9.f.a.d.e.9.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. ANY (QM)? ramoxy-PC.local. ANY (QM)? 10.1.168.192.in-addr.arpa. (210)
01:19:24.903035 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
01:19:24.938067 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [3q] [4n] ANY (QM)? d.7.5.0.7.9.8.5.7.5.9.f.a.d.e.9.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. ANY (QM)? ramoxy-PC.local. ANY (QM)? 10.1.168.192.in-addr.arpa. (210)
01:19:25.189043 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [3q] [4n] ANY (QM)? d.7.5.0.7.9.8.5.7.5.9.f.a.d.e.9.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. ANY (QM)? ramoxy-PC.local. ANY (QM)? 10.1.168.192.in-addr.arpa. (210)
01:19:25.383469 IP ramoxy-PC > 224.0.0.22: igmp v3 report, 1 group record(s)
01:19:25.383498 IP6 :: > ff02::1:ff97:57d: ICMP6, neighbor solicitation, who has ramoxy-PC, length 32
01:19:25.389411 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0*- [0q] 4/0/0 (Cache flush) PTR ramoxy-PC.local., (Cache flush) A 192.168.1.10, (Cache flush) PTR ramoxy-PC.local., (Cache flush) AAAA fe80::9eda:f957:5897:57d (192)
01:19:25.675647 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [2q] PTR (QM)? _ipps._tcp.local. PTR (QM)? _ipp._tcp.local. (45)
01:19:26.407607 IP6 ramoxy-PC > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
01:19:26.423018 IP6 ramoxy-PC > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
01:19:26.452472 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0*- [0q] 4/0/0 (Cache flush) PTR ramoxy-PC.local., (Cache flush) A 192.168.1.10, (Cache flush) PTR ramoxy-PC.local., (Cache flush) AAAA fe80::9eda:f957:5897:57d (192)
01:19:26.452557 IP6 ramoxy-PC.mdns > ff02::fb.mdns: 0*- [0q] 2/0/0 (Cache flush) PTR ramoxy-PC.local., (Cache flush) AAAA fe80::9eda:f957:5897:57d (141)
01:19:26.491014 IP6 ramoxy-PC > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
01:19:26.919481 IP6 ramoxy-PC > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
01:19:27.035820 IP6 ramoxy-PC > ip6-allrouters: ICMP6, router solicitation, length 8
01:19:27.675623 IP6 ramoxy-PC.mdns > ff02::fb.mdns: 0 [2q] PTR (QM)? _ipps._tcp.local. PTR (QM)? _ipp._tcp.local. (45)
01:19:27.675693 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [2q] PTR (QM)? _ipps._tcp.local. PTR (QM)? _ipp._tcp.local. (45)

1 Like

That's just 3 seconds of traffic... How long did you keep pressing reset?

bootpd -s -d 5
Starts bootp-server in debugging and foreground mode.

I'm using package bootp on Ubuntu
root@sz:~# dpkg -s bootp
Package: bootp
Status: install ok installed
Priority: extra
Section: net
Installed-Size: 189
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: amd64
Version: 2.4.3-18build1
Depends: libc6 (>= 2.15), netbase, update-inetd

3 Likes

Thanks again for helping.
This is the output when I keep pressing reset for a longer time:

ramoxy@ramoxy-PC:~$ sudo tcpdump -i enp34s0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp34s0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:35:55.938661 IP ramoxy-PC > 224.0.0.22: igmp v3 report, 1 group record(s)
08:35:55.938680 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
08:35:56.014664 IP ramoxy-PC > 224.0.0.22: igmp v3 report, 1 group record(s)
08:35:56.029294 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [10q] PTR (QM)? _pgpkey-hkp._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _ftp._tcp.local. PTR (QM)? _webdav._tcp.local. PTR (QM)? _webdavs._tcp.local. PTR (QM)? _sftp-ssh._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _nfs._tcp.local. (159)
08:35:56.043658 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [3q] [4n] ANY (QM)? d.7.5.0.7.9.8.5.7.5.9.f.a.d.e.9.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. ANY (QM)? ramoxy-PC.local. ANY (QM)? 10.0.168.192.in-addr.arpa. (210)
08:35:56.082686 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
08:35:56.293590 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [3q] [4n] ANY (QM)? d.7.5.0.7.9.8.5.7.5.9.f.a.d.e.9.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. ANY (QM)? ramoxy-PC.local. ANY (QM)? 10.0.168.192.in-addr.arpa. (210)
08:35:56.544445 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [3q] [4n] ANY (QM)? d.7.5.0.7.9.8.5.7.5.9.f.a.d.e.9.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. ANY (QM)? ramoxy-PC.local. ANY (QM)? 10.0.168.192.in-addr.arpa. (210)
08:35:56.745259 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0*- [0q] 2/0/0 (Cache flush) PTR ramoxy-PC.local., (Cache flush) AAAA fe80::9eda:f957:5897:57d (141)
08:35:56.745407 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0*- [0q] 2/0/0 (Cache flush) PTR ramoxy-PC.local., (Cache flush) A 192.168.0.10 (82)
08:35:56.818782 IP6 :: > ff02::1:ff97:57d: ICMP6, neighbor solicitation, who has ramoxy-PC, length 32
08:35:57.029336 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [10q] PTR (QM)? _pgpkey-hkp._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _ftp._tcp.local. PTR (QM)? _webdav._tcp.local. PTR (QM)? _webdavs._tcp.local. PTR (QM)? _sftp-ssh._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _nfs._tcp.local. (159)
08:35:57.811450 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0*- [0q] 4/0/0 (Cache flush) PTR ramoxy-PC.local., (Cache flush) A 192.168.0.10, (Cache flush) PTR ramoxy-PC.local., (Cache flush) AAAA fe80::9eda:f957:5897:57d (192)
08:35:57.842751 IP6 ramoxy-PC > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
08:35:57.854820 IP6 ramoxy-PC > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
08:35:57.986659 IP6 ramoxy-PC > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
08:35:58.035358 IP6 ramoxy-PC > ip6-allrouters: ICMP6, router solicitation, length 8
08:35:58.273611 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:00:aa:bb:cc:dd (oui Unknown), length 301
08:35:58.611077 IP6 ramoxy-PC > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
08:35:59.029874 IP6 ramoxy-PC.mdns > ff02::fb.mdns: 0 [10q] PTR (QM)? _pgpkey-hkp._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _ftp._tcp.local. PTR (QM)? _webdav._tcp.local. PTR (QM)? _webdavs._tcp.local. PTR (QM)? _sftp-ssh._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _nfs._tcp.local. (159)
08:35:59.029957 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [10q] PTR (QM)? _pgpkey-hkp._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _ftp._tcp.local. PTR (QM)? _webdav._tcp.local. PTR (QM)? _webdavs._tcp.local. PTR (QM)? _sftp-ssh._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _nfs._tcp.local. (159)
08:35:59.877810 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0*- [0q] 4/0/0 (Cache flush) PTR ramoxy-PC.local., (Cache flush) A 192.168.0.10, (Cache flush) PTR ramoxy-PC.local., (Cache flush) AAAA fe80::9eda:f957:5897:57d (192)
08:35:59.877895 IP6 ramoxy-PC.mdns > ff02::fb.mdns: 0*- [0q] 2/0/0 (Cache flush) PTR ramoxy-PC.local., (Cache flush) AAAA fe80::9eda:f957:5897:57d (141)
08:36:02.035785 IP6 ramoxy-PC > ip6-allrouters: ICMP6, router solicitation, length 8
08:36:03.033324 IP6 ramoxy-PC.mdns > ff02::fb.mdns: 0 [10q] PTR (QM)? _pgpkey-hkp._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _ftp._tcp.local. PTR (QM)? _webdav._tcp.local. PTR (QM)? _webdavs._tcp.local. PTR (QM)? _sftp-ssh._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _nfs._tcp.local. (159)
08:36:03.033411 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [10q] PTR (QM)? _pgpkey-hkp._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _ftp._tcp.local. PTR (QM)? _webdav._tcp.local. PTR (QM)? _webdavs._tcp.local. PTR (QM)? _sftp-ssh._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _nfs._tcp.local. (159)
08:36:06.038042 IP6 ramoxy-PC > ip6-allrouters: ICMP6, router solicitation, length 8
08:36:06.156176 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:00:aa:bb:cc:dd (oui Unknown), length 301
08:36:11.038842 IP6 ramoxy-PC.mdns > ff02::fb.mdns: 0 [10q] PTR (QM)? _pgpkey-hkp._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _ftp._tcp.local. PTR (QM)? _webdav._tcp.local. PTR (QM)? _webdavs._tcp.local. PTR (QM)? _sftp-ssh._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _nfs._tcp.local. (159)
08:36:11.038939 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [10q] PTR (QM)? _pgpkey-hkp._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _ftp._tcp.local. PTR (QM)? _webdav._tcp.local. PTR (QM)? _webdavs._tcp.local. PTR (QM)? _sftp-ssh._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _nfs._tcp.local. (159)
08:36:14.039183 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:00:aa:bb:cc:dd (oui Unknown), length 301
08:36:21.921368 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:00:aa:bb:cc:dd (oui Unknown), length 301
08:36:27.055253 IP6 ramoxy-PC.mdns > ff02::fb.mdns: 0 [10q] PTR (QM)? _pgpkey-hkp._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _ftp._tcp.local. PTR (QM)? _webdav._tcp.local. PTR (QM)? _webdavs._tcp.local. PTR (QM)? _sftp-ssh._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _nfs._tcp.local. (159)
08:36:27.055353 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [10q] PTR (QM)? _pgpkey-hkp._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _ftp._tcp.local. PTR (QM)? _webdav._tcp.local. PTR (QM)? _webdavs._tcp.local. PTR (QM)? _sftp-ssh._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _nfs._tcp.local. (159)
08:36:29.803953 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:00:aa:bb:cc:dd (oui Unknown), length 301
08:36:37.928692 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:00:aa:bb:cc:dd (oui Unknown), length 301
08:36:45.811291 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:00:aa:bb:cc:dd (oui Unknown), length 301
08:36:53.693908 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:00:aa:bb:cc:dd (oui Unknown), length 301
08:36:59.066330 IP6 ramoxy-PC.mdns > ff02::fb.mdns: 0 [10q] PTR (QM)? _pgpkey-hkp._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _ftp._tcp.local. PTR (QM)? _webdav._tcp.local. PTR (QM)? _webdavs._tcp.local. PTR (QM)? _sftp-ssh._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _nfs._tcp.local. (159)
08:36:59.066435 IP ramoxy-PC.mdns > 224.0.0.251.mdns: 0 [10q] PTR (QM)? _pgpkey-hkp._tcp.local. PTR (QM)? _ipp._tcp.local. PTR (QM)? _ipps._tcp.local. PTR (QM)? _ftp._tcp.local. PTR (QM)? _webdav._tcp.local. PTR (QM)? _webdavs._tcp.local. PTR (QM)? _sftp-ssh._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _nfs._tcp.local. (159)
08:37:01.576523 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:00:aa:bb:cc:dd (oui Unknown), length 301

dpkg -s bootp
Package: bootp
Status: install ok installed
Priority: extra
Section: net
Installed-Size: 211
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: amd64
Version: 2.4.3-18build2
Depends: libc6 (>= 2.15), netbase, update-inetd

EDIT:

Got responses on the sudo bootpd -s -d 5

ramoxy@ramoxy-PC:~$ bootpd: info(6):   recvd pkt from IP addr 0.0.0.0
bootpd: info(6):   bootptab mtime: Sat Apr  4 09:20:33 2020
bootpd: info(6):   request from Ethernet address 00:00:AA:BB:CC:DD
bootpd: info(6):   found 192.168.0.1 (boot3)
bootpd: info(6):   bootfile="/tmp/miwifi_r4a_firmware_72d65_2.28.62.bin"
bootpd: info(6):   vendor magic field is 99.130.83.99
bootpd: info(6):   request message length=301
bootpd: info(6):   request has DHCP msglen=576
bootpd: info(6):   extended reply, length=576, options=340
bootpd: info(6):   Received: DHCPDISCOVER
bootpd: info(6):   Sent: DHCPOFFER
bootpd: info(6):   sending reply (with RFC1048 options)
bootpd: info(6):   setarp 192.168.0.1 - 00:00:AA:BB:CC:DD
bootpd: info(6):   recvd pkt from IP addr 192.168.0.1
bootpd: info(6):   bootptab mtime: Sat Apr  4 09:20:33 2020
bootpd: info(6):   request from Ethernet address 00:00:AA:BB:CC:DD
bootpd: info(6):   found 192.168.0.1 (boot3)
bootpd: info(6):   bootfile="/tmp/miwifi_r4a_firmware_72d65_2.28.62.bin"
bootpd: info(6):   vendor magic field is 99.130.83.99
bootpd: info(6):   request message length=301
bootpd: info(6):   request has DHCP msglen=576
bootpd: info(6):   extended reply, length=576, options=340
bootpd: info(6):   Received: DHCPREQUEST
bootpd: info(6):   Sent: DHCPACK
bootpd: info(6):   sending reply (with RFC1048 options)
bootpd: info(6):   setarp 192.168.0.1 - 00:00:AA:BB:CC:DD

But it doesn't seem to do anything on my router. Here's what my /etc/bootptab looks like:

boot3:ha=0000aabbccdd:ip=192.168.0.1:sm=255.255.255.255:bf=/tmp/miwifi_r4a_firmware_72d65_2.28.62.bin

EDIT2:

I did it! My router is unbricked! :smile:
Thanks for your help micky0867.

I will stay here, if anyone needs any help.

4 Likes
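
Added example, not part of any post in this thread: the posts above note that the router may ask for BOOTP under several different MAC addresses, so this sketch pulls every requesting MAC out of a saved tcpdump text capture and prints one `/etc/bootptab` entry per MAC in the tag layout shown above (`ha`, `ip`, `sm`, `bf`). The function names, the `rescueN` entry names, the /24 mask and the second MAC in the sample are assumptions made for the example.

```shell
#!/bin/sh
# Added example: turn BOOTP requests seen by tcpdump into bootptab entries.

# Constructed sample capture, modelled on the lines quoted in the thread.
# The second MAC (…:de) is made up to cover the "MAC changed" case.
sample_capture() {
cat <<'EOF'
08:35:58.035358 IP6 ramoxy-PC > ip6-allrouters: ICMP6, router solicitation, length 8
08:35:58.273611 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:00:aa:bb:cc:dd (oui Unknown), length 301
08:36:06.156176 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:00:aa:bb:cc:dd (oui Unknown), length 301
08:36:14.039183 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:00:AA:BB:CC:DE (oui Unknown), length 301
08:36:15.000000 IP 192.168.0.10.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300
EOF
}

# bootp_macs: read tcpdump text on stdin and print "<mac> <request count>"
# for each distinct requesting MAC, lowercased, in order of first appearance.
bootp_macs() {
    awk '
    function valid_mac(m,    p, j) {
        if (split(m, p, ":") != 6) return 0
        for (j = 1; j <= 6; j++)
            if (p[j] !~ /^[0-9a-f][0-9a-f]$/) return 0
        return 1
    }
    /BOOTP\/DHCP, Request from / {
        for (i = 2; i < NF; i++) {
            if ($(i - 1) == "Request" && $i == "from") {
                mac = tolower($(i + 1))
                sub(/,$/, "", mac)
                if (!valid_mac(mac)) break      # ignore malformed fields
                if (!(mac in count)) order[++n] = mac
                count[mac]++
                break
            }
        }
    }
    END { for (k = 1; k <= n; k++) print order[k], count[order[k]] }
    '
}

# bootptab_entries PREFIX FIRST_HOST NETMASK BOOTFILE
# Read bootp_macs output on stdin and print one bootptab line per MAC.
# Each MAC gets its own host address so no two entries share an IP.
bootptab_entries() {
    prefix=$1 first=$2 mask=$3 bootfile=$4
    case $first in
        ''|*[!0-9]*) echo "first host must be a number" >&2; return 1 ;;
    esac
    case $bootfile in
        *:*) echo "bootfile must not contain ':' (bootptab separator)" >&2; return 1 ;;
        /*)  ;;
        *)   echo "bootfile must be an absolute path" >&2; return 1 ;;
    esac
    awk -v prefix="$prefix" -v first="$first" -v mask="$mask" -v bf="$bootfile" '
    {
        ha = $1
        gsub(/:/, "", ha)                        # bootptab wants bare hex
        host = first + NR - 1
        if (host > 254) { print "ran out of host addresses" > "/dev/stderr"; exit 1 }
        printf "rescue%d:ha=%s:ip=%s.%d:sm=%s:bf=%s\n", NR, ha, prefix, host, mask, bf
    }'
}

# Demo on the constructed capture; for a real run, feed saved tcpdump text instead.
sample_capture | bootp_macs |
    bootptab_entries 192.168.0 1 255.255.255.0 /tmp/miwifi_r4a_firmware_72d65_2.28.62.bin
```

Review the printed entries before appending them to `/etc/bootptab`, and restart `bootpd -s -d 5` afterwards so the debug output shows which entry the router matched.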

Why can't I add a new interface in Network ==> Interfaces?

For some strange reason I can't create a new interface. It worked before but suddenly this issue appears. I re-flashed OpenWrt and did a factory reset several times but still have the problem.

Please help me, what should I do?

I bricked my router when I tried to go back to stock firmware. Please help me to debrick it. I need a step-by-step tutorial. Thank you.

Hello,

Following the advice and steps that @micky0867 (Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit): fully supported but requires overwriting SPI flash with programmer), @acecilia and Arthur Machado gave, I’ve managed to unbrick the router and install the OpenWrt firmware. Thank you for your help.

I thought of writing a more detailed step-by-step of what’s been pointed out to make it simpler for a beginner to rescue a bricked router.

I’ve carried out the following steps on Windows but I guess it would be easy to adapt them to Linux or Mac.

Generally speaking I’ve followed the micky0867 procedure of using bootp and tftp-server.

Requirements:

***IMPORTANT EDIT: In my original post I linked a wrong firmware. It was for the 4A, not for the 4A Gigabit. I corrected it but please, before downloading any firmware version, double check it's the right one for your router. Thank you @acecilia for warning me.

Procedure:

  • Download the Chinese firmware in a directory.
  • Install Bootp/dhcp server and Tftpd32.
  • Connect the Ethernet cable from your PC to the local LAN Ethernet port of the router (the one on the right side if you look at the router from behind).
  • Power off/unplug the power cord from the router.
  • Set the IP parameters of your computer's network card to static. Choose any IP (192.168.1.XXX), set the subnet mask to 255.255.255.0 and leave the gateway blank.
  • Open Bootp/dhcp server. If you have multiple network cards select the one configured previously. It will ask for network configuration. Just set the subnet mask to 255.255.255.0. Leave the rest at default.
  • Press the reset button of your router and plug in the power cord while you keep pressing the reset button. Hold it for 5 seconds or so, until the yellow light starts to blink fast (once every second). This means that the router is trying to load the image. If that doesn’t happen, try again.
  • After a few seconds a new MAC entry should appear in the list. It should say “bootp” in the type column. Double click it and add an IP address in the “192.168.1.XXX” range. And click OK.
  • A new item should appear in the bottom list; select it and click on Disable Bootp/DHCP. This sets the IP of the router. You may receive warning or error messages but the address should be set fine. You may want to press the button and wait a couple of times since it may or may not succeed in telling the router to set the IP (there’s no return message that informs you that the operation was successful).
  • Open the Tftpd32 server and select the network interface we are working with. Then select the “Log viewer” tab. You should see the router repeatedly trying to get a file. The name of that file is specified in the log. In my case it was “test.bin”.
  • Rename the downloaded firmware to the name of the file the router is looking for (“test.bin” in my case). Click on the “browse” button and select the directory that contains the renamed image.
  • You should see in the log that the router successfully finds the file it is looking for and loads it up. Now be patient, the router is flashing the new image. It might take a while. I think that when it has finished a blue light will blink, but I’m not entirely sure that this light means it is done.
  • Set the IP to dynamic / DHCP.
  • Reboot the router (unplug/plug). You should have the router working again. Probably the whole UI will be in Chinese, have Google Translate at hand :wink:
  • You may now try to flash it again using the method acecilia described. If you do, download the image again and be sure to check the integrity of the newly downloaded OpenWrt image (I think he added a checksum verification step in his git guide, don’t miss that step) and that the version you’re using is suitable for your router model.

Further references:

In case you may need further details of the procedure it may be useful these two youtube links that shows how to work with:

Thank you everyone in this forum. You’ve helped me a lot.

12 Likes

Thank you so much.
I have 2 problems with this method:

  1. When I connect the Ethernet cable to my PC, then unplug my router and open Bootp/dhcp server, it says no valid IP found or something like that. But I did change the IPv4 of my network card in the settings of my PC to static.
  2. Then, when I turn on my router, it appears in the Bootp/dhcp server app, but the type is not BOOTP, it's DHCP.
    I continued with your method and uploaded test.bin to my router and the blue light is on, but I still can't use my router, still no Wi-Fi, and my PC even shows an IP address which is weird:
    something like 167.254.172.49
    Which part am I doing wrong?
1 Like

Thank you very much. I have the same problem as @Arianismmm described. What should we do?

I've found what our problem was.
After selecting the test.bin file, wait for the transfer to be completed. Then wait another 5-10 minutes; the image is installing and it takes a while. After that it's totally fine.
Thank you

1 Like

Thank you very much everyone, I finally debricked my router using your guides.

1 Like

@Arianismmm, @Zorro, can you please confirm to me that you've successfully unbricked your routers?

Did you manage to do it following the steps I posted or did you have to do anything different? What happened with the errors you were experiencing and the DHCP protocol type (instead of Bootp) you were getting?

I don't know if it happened to just me, but I only managed to launch "bootp/dhcp server" once per session (if I closed it and opened it again I got an error message and I just had to restart my computer). My guess would be that some service wasn't properly terminated, but I didn't dig into it much and just went the easy way and restarted my PC.

2 Likes

Yes, I can confirm it works without any problem, but some steps need to be changed!

When you press the reset button and the yellow light starts blinking fast, open Bootp/dhcp server. After a few seconds a new MAC entry should appear in the list. It should say “bootp” (in my case dhcp) in the type column. Double click it and add an IP address in the “192.168.1.XXX” range. And click OK.
A new item should appear in the bottom list; select it and click on Disable Bootp/DHCP (if it shows you a failed message, don't worry, just continue to the next step).
Open tftpd32, then give it the path where you stored the test.bin file, and a transfer message will appear. After that don't touch anything. After 5-10 minutes the blue light will blink and you have recovered your router successfully.

I debricked my router several times using this method and every time it works like a charm. Thanks very much everyone.

Here is the PuTTY log:

BOOTP broadcast 1
DHCPHandler: got packet: (src=67, dst=68, len=358) state: 3
Filtering pkt = 0
DHCPHandler: got DHCP packet: (src=67, dst=68, len=358) state: 3
DHCP: state=SELECTING bp_file: ""
TRANSITIONING TO REQUESTING STATE
Bootfile:
DhcpSendRequestPkt: Sending DHCPREQUEST
Transmitting DHCPREQUEST packet: len = 343
DHCPHandler: got packet: (src=67, dst=68, len=358) state: 4
Filtering pkt = 0
DHCPHandler: got DHCP packet: (src=67, dst=68, len=358) state: 4
DHCP State: REQUESTING
Bootfile:
DHCP client bound to address 192.168.1.10
*** Warning: no boot file name; using 'test.bin'
TFTP from server 192.168.1.9; our IP address is 192.168.1.10
Filename 'test.bin'.

 TIMEOUT_COUNT=10,Load address: 0x82000000
Loading: Got ARP REPLY, set server/gtwy eth addr (90:2b:34:a0:a0:ad)
Got it
#################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         ############
done
Bytes transferred = 13370296 (cc03b8 hex)
LoadAddr=82000000 NetBootFileXferSize= 00cc03b8
CRC verify success!
RSA signature verify success!
Erasing SPI Flash...
raspi_erase: offs:30000 len:10000
.
Writing to SPI Flash...
.
done
Offset[0]: Invalid flash address, skip upgrade...
Upgrade firmware.bin...
Start=0x180000, Len=0xcc0004...
raspi_erase_write: offs:180000, count:cc0004
raspi_erase: offs:180000 len:cc0000
............................................................................................................................................................................................................
............................................................................................................................................................................................................
raspi_erase: offs:e40000 len:10000
.
.
Done!
Erasing SPI Flash...
raspi_erase: offs:30000 len:10000
.
Writing to SPI Flash...
.
done
========Upgrade success!========
Erasing SPI Flash...
raspi_erase: offs:30000 len:10000
.
Writing to SPI Flash...
.
done

The latest OpenWrt snapshot does not work for me (Mon Apr 6 01:57:19 2020); it will brick my router. I tried several times using @acecilia's method but no success, the router won't boot. Does anyone have an older version compilation (kernel 4.14.172) with the openvpn-wireguard-sqm qos package included? Thanks

1 Like

Hello community, I wanted to ask you if there is anything I could do to manage installing OpenWrt. I succeed in uploading the image but the router bricks each time when I do:

Untitled

I can unbrick it each time so I can try the process all over again with @acecilia's method, but it seems something somewhere errors out. Would somebody have an idea what else I could try?

I reverted to ROM 2.28.62 Chinese language version

1 Like