Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit) -- fully supported and flashable with OpenWRTInvasion

It works without problems (my own build), thank you for the instructions!

The holes for goldpins are covered with some strange mask - it is difficult to solder on my pcb.

1 Like

Strange, no idea what was causing this.
I managed to build my first own build and all works perfectly :smiley:

1 Like

5G:

~ # iperf3 -R -c 192.168.1.153
Connecting to host 192.168.1.153, port 5201
Reverse mode, remote host 192.168.1.153 is sending
[  4] local 192.168.1.163 port 56942 connected to 192.168.1.153 port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  58.9 MBytes   494 Mbits/sec                  
[  4]   1.00-2.00   sec  66.9 MBytes   561 Mbits/sec                  
[  4]   2.00-3.00   sec  66.0 MBytes   554 Mbits/sec                  
[  4]   3.00-4.00   sec  65.0 MBytes   545 Mbits/sec                  
[  4]   4.00-5.00   sec  57.5 MBytes   482 Mbits/sec                  
[  4]   5.00-6.00   sec  59.6 MBytes   500 Mbits/sec                  
[  4]   6.00-7.00   sec  64.6 MBytes   542 Mbits/sec                  
[  4]   7.00-8.00   sec  64.4 MBytes   540 Mbits/sec                  
[  4]   8.00-9.00   sec  58.8 MBytes   493 Mbits/sec                  
[  4]   9.00-10.00  sec  63.5 MBytes   532 Mbits/sec                  
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-10.00  sec   628 MBytes   527 Mbits/sec    4             sender
[  4]   0.00-10.00  sec   627 MBytes   526 Mbits/sec                  receiver

1 Like

Hi rysss, unfortunately I get the jffs2 error even with your build.

I compiled mine and no solution yet.

I'll rollback to the old firmware. :frowning:

1 Like

Here is my latest snapshot compile:

Sysupgrade & Initramfs

1 Like

Still no luck :frowning:

Below is the log.

Thanks

 ===================================================================
               MT7621   stage1 code done
                CPU=500000000 HZ BUS=166666666 HZ
===================================================================

U-Boot 1.1.3 (Jan 24 2019 - 07:46:43)

Board: Ralink APSoC DRAM:  128 MB
Power on memory test. Memory size= 128 MB...OK!
relocate_code Pointer at: 87fb0000

Config XHCI 40M PLL
RT2880_RSTSTAT_REG 0xc0030004
******************************
Software System Reset Occurred
******************************
flash manufacture id: c8, device id 40 18
find flash: GD25Q128C
============================================
Ralink UBoot Version: 5.0.0.0
--------------------------------------------
ASIC MT7621A DualCore (MAC to MT7530 Mode)
DRAM_CONF_FROM: Auto-Detection
DRAM_TYPE: DDR3
DRAM bus: 16 bit
Xtal Mode=3 OCP Ratio=1/3
Flash component: SPI Flash
Date:Jan 24 2019  Time:07:46:43
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:256, ways:4, linesz:32 ,total:32768

 ##### The CPU freq = 880 MHZ ####
 estimate memory size =128 Mbytes
#Reset_MT7530
set LAN/WAN LLLLW

restore_defaults:1

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.                                               0
   n3: System Boot system code via Flash.
Booting System 1
Erasing SPI Flash...
raspi_erase: offs:30000 len:10000
.
Writing to SPI Flash...
.
done
## Booting image at bc180000 ...
   Image Name:   MIPS OpenWrt Linux-4.14.172
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    2022798 Bytes =  1.9 MB
   Load Address: 80001000
   Entry Point:  80001000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
Erasing SPI Flash...
raspi_erase: offs:30000 len:10000
.
Writing to SPI Flash...
.
done
commandline uart_en=0 factory_mode=0 mem=128m root=/dev/mtdblock9
No initrd
## Transferring control to Linux (at address 80001000) ...
## Giving linux memsize in MB, 128

Starting kernel ...

[    0.000000] Linux version 4.14.172 (toor@toorbuild) (gcc version 8.3.0 (OpenWrt GCC 8.3.0 r12138-1e3bfbafd3)) #0 SMP Thu Mar 12 20:31:17 2020
[    0.000000] SoC Type: MediaTek MT7621 ver:1 eco:3
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 0001992f (MIPS 1004Kc)
[    0.000000] MIPS: machine is Xiaomi Mi Router 3G v2
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] VPE topology {2,2} total 4
[    0.000000] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.000000] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000]   HighMem  empty
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] random: get_random_bytes called from start_kernel+0x9c/0x4d8 with crng_init=0
[    0.000000] percpu: Embedded 14 pages/cpu s26064 r8192 d23088 u57344
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 32480
[    0.000000] Kernel command line: console=ttyS0,115200n8 rootfstype=squashfs,jffs2
[    0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Writing ErrCtl register=00002840
[    0.000000] Readback ErrCtl register=00002840
[    0.000000] Memory: 121872K/131072K available (4814K kernel code, 245K rwdata, 1052K rodata, 1236K init, 253K bss, 9200K reserved, 0K cma-reserved, 0K highmem)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[    0.000000] Hierarchical RCU implementation.
[    0.000000] NR_IRQS: 256
[    0.000000] CPU Clock: 880MHz
[    0.000000] clocksource: GIC: mask: 0xffffffffffffffff max_cycles: 0xcaf478abb4, max_idle_ns: 440795247997 ns
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 4343773742 ns
[    0.000008] sched_clock: 32 bits at 440MHz, resolution 2ns, wraps every 4880645118ns
[    0.007809] Calibrating delay loop... 586.13 BogoMIPS (lpj=2930688)
[    0.073982] pid_max: default: 32768 minimum: 301
[    0.078792] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.085301] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.094421] Hierarchical SRCU implementation.
[    0.099620] smp: Bringing up secondary CPUs ...
[    0.105780] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[    0.105789] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.105800] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[    0.105935] CPU1 revision is: 0001992f (MIPS 1004Kc)
[    0.164367] Synchronize counters for CPU 1: done.
[    0.205857] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[    0.205865] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.205873] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[    0.205950] CPU2 revision is: 0001992f (MIPS 1004Kc)
[    0.255543] Synchronize counters for CPU 2: done.
[    0.286930] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[    0.286938] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.286946] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[    0.287021] CPU3 revision is: 0001992f (MIPS 1004Kc)
[    0.340722] Synchronize counters for CPU 3: done.
[    0.370575] smp: Brought up 1 node, 4 CPUs
[    0.378881] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.388678] futex hash table entries: 1024 (order: 3, 32768 bytes)
[    0.395078] pinctrl core: initialized pinctrl subsystem
[    0.401694] NET: Registered protocol family 16
[    0.416110] pull PCIe RST: RALINK_RSTCTRL = 4000000
[    0.721349] release PCIe RST: RALINK_RSTCTRL = 7000000
[    0.726382] ***** Xtal 40MHz *****
[    0.729752] release PCIe RST: RALINK_RSTCTRL = 7000000
[    0.734865] Port 0 N_FTS = 1b105000
[    0.738304] Port 1 N_FTS = 1b105000
[    0.741764] Port 2 N_FTS = 1b102800
[    1.896982] PCIE2 no card, disable it(RST&CLK)
[    1.901328]  -> 21007f2
[    1.903747] PCIE0 enabled
[    1.906360] PCIE1 enabled
[    1.908940] PCI host bridge /pcie@1e140000 ranges:
[    1.913701]  MEM 0x0000000060000000..0x000000006fffffff
[    1.918886]   IO 0x000000001e160000..0x000000001e16ffff
[    1.924059] PCI coherence region base: 0xbfbf8000, mask/settings: 0x60000000
[    1.940202] mt7621_gpio 1e000600.gpio: registering 32 gpios
[    1.946022] mt7621_gpio 1e000600.gpio: registering 32 gpios
[    1.951749] mt7621_gpio 1e000600.gpio: registering 32 gpios
[    1.958877] PCI host bridge to bus 0000:00
[    1.962912] pci_bus 0000:00: root bus resource [mem 0x60000000-0x6fffffff]
[    1.969749] pci_bus 0000:00: root bus resource [io  0xffffffff]
[    1.975598] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0]
[    1.982350] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[    1.992109] pci 0000:00:00.0: BAR 0: no space for [mem size 0x80000000]
[    1.998643] pci 0000:00:00.0: BAR 0: failed to assign [mem size 0x80000000]
[    2.005541] pci 0000:00:01.0: BAR 0: no space for [mem size 0x80000000]
[    2.012114] pci 0000:00:01.0: BAR 0: failed to assign [mem size 0x80000000]
[    2.019015] pci 0000:00:00.0: BAR 8: assigned [mem 0x60000000-0x600fffff]
[    2.025771] pci 0000:00:00.0: BAR 9: assigned [mem 0x60100000-0x601fffff pref]
[    2.032919] pci 0000:00:01.0: BAR 8: assigned [mem 0x60200000-0x602fffff]
[    2.039680] pci 0000:00:00.0: BAR 1: assigned [mem 0x60300000-0x6030ffff]
[    2.046412] pci 0000:00:01.0: BAR 1: assigned [mem 0x60310000-0x6031ffff]
[    2.053168] pci 0000:01:00.0: BAR 0: assigned [mem 0x60000000-0x600fffff 64bit]
[    2.060411] pci 0000:01:00.0: BAR 6: assigned [mem 0x60100000-0x6010ffff pref]
[    2.067586] pci 0000:00:00.0: PCI bridge to [bus 01]
[    2.072493] pci 0000:00:00.0:   bridge window [mem 0x60000000-0x600fffff]
[    2.079244] pci 0000:00:00.0:   bridge window [mem 0x60100000-0x601fffff pref]
[    2.086414] pci 0000:02:00.0: BAR 0: assigned [mem 0x60200000-0x602fffff]
[    2.093162] pci 0000:00:01.0: PCI bridge to [bus 02]
[    2.098069] pci 0000:00:01.0:   bridge window [mem 0x60200000-0x602fffff]
[    2.106170] clocksource: Switched to clocksource GIC
[    2.112673] NET: Registered protocol family 2
[    2.117725] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    2.124598] TCP bind hash table entries: 1024 (order: 1, 8192 bytes)
[    2.130963] TCP: Hash tables configured (established 1024 bind 1024)
[    2.137381] UDP hash table entries: 256 (order: 1, 8192 bytes)
[    2.143139] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[    2.149628] NET: Registered protocol family 1
[    2.386116] 4 CPUs re-calibrate udelay(lpj = 2924544)
[    2.392377] Crashlog allocated RAM at address 0x3f00000
[    2.398038] workingset: timestamp_bits=14 max_order=15 bucket_order=1
[    2.411906] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    2.417698] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    2.430795] io scheduler noop registered
[    2.434635] io scheduler deadline registered (default)
[    2.439872] random: fast init done
[    2.444027] Serial: 8250/16550 driver, 3 ports, IRQ sharing disabled
[    2.451545] console [ttyS0] disabled
[    2.455087] 1e000c00.uartlite: ttyS0 at MMIO 0x1e000c00 (irq = 19, base_baud = 3125000) is a 16550A
[    2.464130] console [ttyS0] enabled
[    2.464130] console [ttyS0] enabled
[    2.471066] bootconsole [early0] disabled
[    2.471066] bootconsole [early0] disabled
[    2.481033] MediaTek Nand driver init, version v2.1 Fix AHB virt2phys error
[    2.488415] spi-mt7621 1e000b00.spi: sys_freq: 220000000
[    2.496236] m25p80 spi0.0: gd25q128 (16384 Kbytes)
[    2.501087] 8 fixed-partitions partitions found on MTD device spi0.0
[    2.507446] Creating 8 MTD partitions on "spi0.0":
[    2.512223] 0x000000000000-0x000000030000 : "u-boot"
[    2.518182] 0x000000030000-0x000000040000 : "u-boot-env"
[    2.524357] 0x000000040000-0x000000050000 : "Bdata"
[    2.530177] 0x000000050000-0x000000060000 : "factory"
[    2.536230] 0x000000060000-0x000000070000 : "crash"
[    2.542030] 0x000000070000-0x000000080000 : "cfg_bak"
[    2.548031] 0x000000080000-0x000000180000 : "overlay"
[    2.553953] 0x000000180000-0x000001000000 : "firmware"
[    2.560189] 2 uimage-fw partitions found on MTD device firmware
[    2.566092] Creating 2 MTD partitions on "firmware":
[    2.571079] 0x000000000000-0x0000001eddce : "kernel"
[    2.577306] 0x0000001eddce-0x000000e80000 : "rootfs"
[    2.583318] mtd: device 9 (rootfs) set to be root filesystem
[    2.589068] 1 squashfs-split partitions found on MTD device rootfs
[    2.595231] 0x0000005f0000-0x000000e80000 : "rootfs_data"
[    2.602504] libphy: Fixed MDIO Bus: probed
[    2.678182] libphy: mdio: probed
[    4.083172] mtk_soc_eth 1e100000.ethernet: loaded mt7530 driver
[    4.089853] mtk_soc_eth 1e100000.ethernet eth0: mediatek frame engine at 0xbe100000, irq 21
[    4.101035] NET: Registered protocol family 10
[    4.107128] Segment Routing with IPv6
[    4.110869] NET: Registered protocol family 17
[    4.115360] 8021q: 802.1Q VLAN Support v1.8
[    4.122051] hctosys: unable to open rtc device (rtc0)
[    4.130266] VFS: Mounted root (squashfs filesystem) readonly on device 31:9.
[    4.141407] Freeing unused kernel memory: 1236K
[    4.145930] This architecture does not have kernel memory protection.
[    4.246829] SQUASHFS error: xz decompression failed, data probably corrupt
[    4.253694] SQUASHFS error: squashfs_read_data failed to read block 0x9665a
[    4.262408] SQUASHFS error: xz decompression failed, data probably corrupt
[    4.269269] SQUASHFS error: squashfs_read_data failed to read block 0x9665a
[    4.276355] Starting init: /sbin/init exists but couldn't execute it (error -5)
[    4.414386] SQUASHFS error: xz decompression failed, data probably corrupt
[    4.421306] SQUASHFS error: squashfs_read_data failed to read block 0x9665a
[    4.428396] Starting init: /bin/sh exists but couldn't execute it (error -5)
[    4.435415] Kernel panic - not syncing: No working init found.  Try passing init= option to kernel. See Linux Documentation/admin-guide/init.rst for guidance.
[    4.451365] Rebooting in 1 seconds..

1 Like

Hi guys,

great work!

I'm still trying to trick the system without touching the HW.
Here's something maybe useful. This link leads you to a download link where you get lots of information from the running system.

http://routers-ip/luci/;stok=your-stokid/api/misystem/sys_log

Regards
Micky

1 Like

Hey guys, good news!

I got root access to the router (firmware version 2.28.132) using an existing vulnerability and tweaking the exploit a bit.
Find the exploit ready to run here (I am running it from MacOS): https://github.com/acecilia/OpenWRTInvasion

I tried to get an image of the current firmware (which is unreleased). My idea was that, if I get the router to report a low version of the firmware, the server would send me the .bin file. That was not the case: whatever the reported version, the server considers it updated and returns nothing. I will keep digging.

Meanwhile, maybe some of you manage to get other cool stuff done now that a root shell is available :slight_smile:

4 Likes

Well, if you get a root shell, it should be enough to do what it says here to get OpenWRT up and running: Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit): fully supported but requires overwriting SPI flash with programmer

Won't test it myself because I don't want to put the official firmware back on mine, but anyone with a new router can try :slight_smile:

2 Likes

@araujorm yes, I am aware. But I do not want to lose the stock firmware; so far it works very well for me. I would like to get the stock firmware .bin before flashing OpenWRT. The only available firmware for this router at the moment is in Chinese :confused:

1 Like

Not working here:

{"code":1629,"msg":"Unzip error, file is not intack"}

And... by the way...
Wouldn't it be easier to start /etc/init.d/telnet instead of a script with a remote pipe with a.....????

1 Like

@micky0867 If you do not provide more information I can't help much.

By the way... You can try to start telnet when you manage to get root. I tried and did not succeed.

1 Like

I'm using python3 on Linux.
Also tried to upload the file using curl, with the same error.

1 Like

@micky0867 Version of firmware? You can replace the content of the script_template.sh file with just reboot to see if you manage to get command execution.

Didn't try this on Linux, only MacOS.

1 Like

Firmware is stock, 2.28.132.
The problem occurs when uploading payload.tar.gz, so changes to script_template.sh may not help.

Maybe.....
Mine is running as a wired repeater...
When I start the bandwidth-test, reply is always

{"download":0,"bandwidth":0,"code":0}

1 Like

@micky0867 mine is running as a wifi extender, but I do not see why that would make a difference. I am out of ideas.

1 Like

If both of you (@micky0867 @acecilia) can capture the traffic using Wireshark (or tcpdump), we can try to compare the requests.

1 Like

@acecilia can you pls remove the comment from line #82 in your py-script and post the output?
Also: what are your attacker and router IPs, and the md5sum of your payload.tar.gz, so I can check if my payload.tar.gz has the same md5sum?
Since it's a binary file and it's not platform related, I think they should produce the same md5sum.

Using the url from above (.../api/misystem/sys_log), I was able to verify that my files at least got uploaded to /tmp.

1 Like

@micky0867 I just updated the repo with a payload.tar.gz example for you to use, hope it helps.

The payload.tar.gz is not a binary; it is a normal compressed file that you can compress/decompress easily.

Ah! I uncommented line #82 in my py-script and the output is the following:

{"code":1629,"msg":"Unzip error, file is not intack"}

Despite that, the files are getting copied to /tmp and I am getting the root shell correctly :slight_smile:

1 Like

@acecilia tar.gz is a binary format, because it's not human readable like a text file. It doesn't matter if the file is executable or not.
I've checked everything several times, but couldn't find anything wrong.
I also changed the attacker IP to some other system, where I was simply running tcpdump to check for connections on port 4444. No luck... nothing happens.

OK, what more?
Between "start exec command" and "done!" there are just a few seconds... I would assume that this should block if it's connected to my netcat.

One more thing:
Once the file is uploaded, what is the reply when you open the URL
http://router-ip/cgi-bin/luci/;stok=your-stok-id/api/xqnetdetect/netspeed
And do you also get root access when nc is listening on port 4444 meanwhile?

1 Like