Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit) -- fully supported and flashable with OpenWRTInvasion

Just reading the code, and I've not tested this at all but:

" # In the attacking machine (macos), run the following before executing this script: /usr/bin/nc -l 4444"

Might very well be an alternative to telnet, if you run netcat (nc) and leave it waiting and repeatedly hit the exploit until it gets a successful connection? Might be worth a try; that seems to be how it works, but I'd need to look a little deeper to make sure it would work.

1 Like

Hey man, I appreciate all your efforts for our device, but would you consider making your custom fork for R4AG public?
I want to try and add proprietary MTK wifi drivers to the package using this repo,
or if you could do it yourself it would be great.

Hi all,

First I would like to thank you all for the work you do on that device. Really appreciated. Thanks all.

Is there any chance that support that release? Reading the change log, I don't think so.
It is not a problem of course but do we have any idea about an approximate release date for 20.x.x.x?

Thank you all

My mistake, this is for an older version. However, if you wanted to reimplement it you could add nc to script.sh, if that makes it easier for people to batch attack?

If you're still having issues it might be worth changing to firmware versions 2.18.51 or 2.18.58. I just noticed these are the only two confirmed versions on your router (my bad, you did ask). If not, let the forum know that you got it working on your version too.

Thanks to @morhimi and @hoddy I found the solution.
Activating the "print" in the script showed me that there was a "token error" while the script was saying it worked.
The stok is linked to the browser or even the session. Reloading the page only asks you to log in, and the stok will be different each time.

While I was retrieving the stok with my Windows computer, I was using an rpi to hack the router. The stok is not the same and was refused!

Installing a desktop OS on the rpi allowed me to retrieve the stok for the rpi and thus hack the router.

Now I need to check the flashing worked

Thank you for your help


I think I've bricked my 4A 100M :cry:

I'm trying the unbrick found at the end in this video, but it doesn't work for me.
I've followed all the steps (configure wired network on laptop as and and no gateway, connect the eth cable to first right port (no WAN) looking from behind, press reset and the power cord until yellow flashes).

Since I have 4A non-gigabit I've downloaded the firmware from miwifi and placed in the same folder as Tiny PXE Server and selected before pressing online.

After some time the yellow flashing light turned blue and flashed faster.
I left the router for more than 10 minutes, but afterwards, when reconnecting normally, the yellow light flashes very slowly and the router is not seen from the computer (I've removed the fixed IP, but tried also with it).

What else can I do?


Did you rename the firmware "test.bin"?

Chinese Xiaomi Mi Router 4A (R4AC)
2.28 ----> 2.58 or 2.18.51 ----> 2.18.58
Revision for China> DVB4222CN

Global version Xiaomi Mi Router 4A (R4AC) 100m
2.18.215 to ----> 3.0.5 Revision for global> DVB4230GL

1 Like

I've tried both ways: renaming to test.bin (first two or three times) and leaving the same name.

Mine had global fw exactly 2.18.215, but since I was unable to find it, I tried with the Chinese one, 2.18.58.

Where can I find the global one to download?


1 Like

From here:
You will probably need Google translate to help you, click the ROM tab at the top and then select your router

1 Like

Correct, that is the page where I've downloaded and used as test.bin

I thought this was the Chinese version, not global, since it is 2.18.58

1 Like

Well, if you have the R4AC global version the story is different. Try this method:

1-download MIWIFIRepairTool from xiaomi:
2-download chinese firmware 2.18.28:
3-set static ip to your computer
4-Run MIWIFIRepairTool.x86.exe

hold down the Reset button and power on the router then release it after 8 sec and wait for the router to flash the firmware.

After that you can update to 2.18.58 via web interface.


Thanks @Zorro

Just doing this procedure.

Should I wait some specific times after what I see in last image or wait for something after blue fast led flashing?

1 Like

What about Padavan? I found this Russian forum: https://4pda.ru/forum/index.php?showtopic=988197&st=0
It's quite easy to flash using Zorro's method but all the download links are error 404. It would be nice if anyone could extract those files out of there and upload them in a different directory. Thanks to everyone for their efforts.

1 Like

If you see the blue light flashing fast, it's done. Power off your router, then power it on. Did this method work for you?

1 Like


You made my day, @Zorro

Recovered the router with original fw, upgraded manually to 2.18.58 via web UI

Tried again the OpenWRTInvasion to get telnet access and now it works.

Now, what is the correct fw to upload to the 4A 100M?

Is this the correct page where to download?
The snapshot or the other one?

And then

cd /tmp
curl http://downloads.openwrt.org/releases/19.07.2/targets/ramips/mt76x8/openwrt-19.07.2-ramips-mt76x8-xiaomi_mir4a-100m-squashfs-sysupgrade.bin --output firmware.bin # Is this the correct fw??
./busybox sha256sum firmware.bin # Verify the firmware checksum before flashing, very important to avoid bricking your device!
mtd -e OS1 -r write firmware.bin OS1 # Install OpenWrt

After flashing should I do this?

After flashing openwrt FW you need to ssh to router and install luci then enable wifi from settings.

1.ssh root@
2.opkg update
3.opkg install luci

Thanks again!!

1 Like
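The checksum step in the post above prints a hash but does not compare it with anything. As an added example (not part of the thread or of OpenWRTInvasion), the sketch below refuses to continue unless the downloaded image matches its entry in a `sha256sums` file; the function names are hypothetical, and it assumes the sums file was fetched from a source you trust and that `awk` is available in the shell you run it from.

```shell
#!/bin/sh
# Added example: compare a downloaded image against a published sha256sums entry
# before flashing. Function names are hypothetical, not from the thread.

# sha256_of FILE -> prints the hex digest. Uses sha256sum from PATH, falling back
# to the ./busybox binary the thread uses on stock firmware (assumption).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        ./busybox sha256sum "$1" | cut -d' ' -f1
    fi
}

# expected_hash SUMS_FILE PUBLISHED_NAME -> prints the digest listed for that name.
# Entries look like "<hex>  name" or "<hex> *name" (binary-mode marker).
expected_hash() {
    awk -v n="$2" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$1"
}

# verify_image IMAGE SUMS_FILE PUBLISHED_NAME
# The image is saved locally as firmware.bin, so the published file name is passed
# separately. Returns 0 on match, 1 on mismatch, 2 if the name is not listed.
verify_image() {
    want=$(expected_hash "$2" "$3")
    [ -n "$want" ] || { echo "no entry for $3 in $2" >&2; return 2; }
    got=$(sha256_of "$1")
    if [ "$got" = "$want" ]; then
        echo "OK $got"
        return 0
    fi
    echo "MISMATCH: got $got, expected $want" >&2
    return 1
}

# Usage on the router, with sha256sums saved next to the image in /tmp:
#   verify_image firmware.bin sha256sums \
#     openwrt-19.07.2-ramips-mt76x8-xiaomi_mir4a-100m-squashfs-sysupgrade.bin \
#     && mtd -e OS1 -r write firmware.bin OS1
```

Chaining the `mtd` write with `&&` means a truncated or wrong-model download stops before the flash is touched.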

There are stable and snapshot release for R4AC 100M:




Do you suggest stable?

While you were replying I added something to my previous message, so

After flashing should I do this?

After flashing openwrt FW you need to ssh to router and install luci then enable wifi from settings.

1.ssh root@
2.opkg update
3.opkg install luci

I imagine I have to reboot before doing SSH


If you are using snapshot you need to install luci and enable wifi from settings. Do you suggest stable? I don't know, it depends on you.

1 Like