It is easy. or you can follow my summary below. Please thanks @acecilia for his root access script. and flash command by @rogerpueyo
gain root using OpenWRTInvasion (mine running stock 2.28.132)
you can follow his guide (very clear) or
-download OpenWRTInvasion here
-install requirement (I use pi4 raspbian, python ready)
-open terminal and run "python3 remote_command_execution_vulnerability.py"
-put your mir4a ip
-put your mir4a stok (can be found in your router web url, just type router ip your browser)
the script will upload exploit to your router now you can access using telnet with login "root" without password
you can dump your firmware using a ch341a programmer but i didnt backup my original firmware and running openwrt now i dont need stock firmware anymore i'm enjoying openwrt thanks to @acecilia
I got a bunch of dumps right here, because I flashed 20+ devices this way. So it should be no problem, to send you one of them.
But the problem could be, that the mac-address of your device would change to that one in the dump.
Also I don´t know, if there is some kind of device-specific calibration data in the dump of if calibration processes are done while booting the device (I think I read something about calibration in the console while the device was booting...).
Can you upload a dump somewhere please? or even better, two or three dumps, so we can compare them and check what you are saying about the mac address.
The snapshot image is daily built from the latest code, so it is the newest out there. For a stable version you will need to wait for the next OpenWrt release
Very strange .... again.
It's not working for me.
Yes, I get root access
Yes, I can overwrite OS1
But: after rebooting, the router changed it's MAC address (only the last digit differs from the previous MAC)
I can ping, but there are no open ports (checked with nmap) and also there is no wifi.
I had to bootp and flash 2.28.62 image with chinese UI.
Fortunately I made a backup of OS1- and overlay-partitions, so I was able to restore it to 2.28.132 with english UI.
I tried several things, including factory reset before flashing openwrt, but always the same. The router comes up with a different MAC and not access at all.
Hello,
it is also possible to directly install the openwrt image to the flash image.
Readout the image from flash with:
ch341prog -r readout_image_from_mir3gv2.img
Install OpenWRT with dd on the image:
dd if=openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin of=readout_image_from_mir3gv2.img conv=notrunc bs=1 seek=1572864
Erase flash with:
ch341prog -e
And write the modified image back:
ch341prog -w readout_image_from_mir3gv2.img