Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit) -- fully supported and flashable with OpenWRTInvasion

It is easy, or you can follow my summary below. Please thank @acecilia for his root access script, and @rogerpueyo for the flash command.

  1. Gain root using OpenWRTInvasion (mine was running stock 2.28.132)
    You can follow his guide (very clear), or:
    -download OpenWRTInvasion here
    -install the requirements (I use a Pi 4 with Raspbian, Python ready)
    -open a terminal and run "python3 remote_command_execution_vulnerability.py"
    -enter your mir4a IP
    -enter your mir4a stok (can be found in your router web URL; just type the router IP in your browser)
    The script will upload the exploit to your router; now you can access it using telnet with login "root" without a password.

  2. Flash OpenWrt (I used the snapshot version of mir3g-v2)
    -telnet to your router IP
    -login with "root"
    -cd /tmp/
    -wget http://downloads.openwrt.org/snapshots/targets/ramips/mt7621/openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin
    (it will download the bin file to the router's tmp folder; wget does not recognize https)
    -mtd -e OS1 -r write openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin OS1
    It will say:
    Unlocking OS1 ...
    Erasing OS1 ...
    Writing from openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin to OS1 ...
    Rebooting ...
    -Done (it will reboot and come back with OpenWrt)

6 Likes

Thank you. I flashed OpenWrt, but after the reboot I can't access the router GUI. What should I do?

Edit: I can confirm it works on my router with firmware 2.28.132.

But when I connect to the 2.4G WiFi it shows me "no internet connection"!!

Edit: after flashing it again, the 2.4 GHz WiFi works.

2 Likes

Hello, does anyone have the original firmware for the 4A Gigabit global ROM (2.28.132) to share? PLEASE PLEASE.

1 Like

Not that I know of; the firmware has not been released.

1 Like

You can dump your firmware using a CH341A programmer, but I didn't back up my original firmware and I'm running OpenWrt now. I don't need the stock firmware anymore; I'm enjoying OpenWrt thanks to @acecilia.

1 Like

I got a bunch of dumps right here, because I flashed 20+ devices this way. So it should be no problem to send you one of them.

But the problem could be that the MAC address of your device would change to the one in the dump.
Also, I don't know if there is some kind of device-specific calibration data in the dump, or if calibration processes are done while booting the device (I think I read something about calibration in the console while the device was booting...).

2 Likes

Can you upload a dump somewhere please? Or even better, two or three dumps, so we can compare them and check what you are saying about the MAC address.

1 Like

Of course. Any suggestions for a hoster to choose?

1 Like

MEGA
MediaFire

Ok ... just used that one... I think it should not matter.

https://anonfile.com/n8P8Tajfo2/R4AG_R4A_spi-flsh_dumps_zip

It includes 10 dumps; as I said, I got some more if you need them. (Could not access them right now.)

4 Likes

I can run the exploit on firmware 2.28.26 (sorry, it is 2.28.62).

https://pastebin.com/kgLUpKPn

After flashing OpenWrt, WiFi is not activated.

Connect to a LAN port, ssh to the machine, opkg install luci, and done.

2 Likes

Firmware 2.28.26 is the only one officially released by Xiaomi, right? The one that is in Chinese?

EDIT: also I see in your log that the version you are running is 2.28.62, not 2.28.26.

3 Likes

Thank you. Mirror link to your file:

http://www.mediafire.com/file/ueyz7zd7q6ys1ex/R4AG%26R4A_spi-flsh_dumps.zip/file

2 Likes

I am realising now that the exploit may be useful to install OpenWrt on other Xiaomi routers and firmware versions.

3 Likes

yes yes yes and Y E S !!!!!

Thanks @acecilia and your team

Question: Is there any newer/stable version that we can use ?

3 Likes

The snapshot image is built daily from the latest code, so it is the newest out there. For a stable version you will need to wait for the next OpenWrt release.

1 Like

I added a mention to the new method in the wiki, in https://openwrt.org/toh/xiaomi/mir3g#xiaomi_mi_wifi_r3g_mi_wifi_router_3gmir3gmi3gr4a_gigabit/

I also added it in https://openwrt.org/inbox/toh/xiaomi/xiaomi_mi_router_4a_gigabit_edition.

I am a bit confused about why the information for this router is spread around two different wiki pages.

Thanks all for your help!

4 Likes

Very strange .... again.
It's not working for me.
Yes, I get root access.
Yes, I can overwrite OS1.

But: after rebooting, the router changed its MAC address (only the last digit differs from the previous MAC).
I can ping, but there are no open ports (checked with nmap), and also there is no WiFi.
I had to bootp and flash the 2.28.62 image with the Chinese UI.
Fortunately I made a backup of the OS1 and overlay partitions, so I was able to restore it to 2.28.132 with the English UI.
I tried several things, including a factory reset before flashing OpenWrt, but always the same. The router comes up with a different MAC and no access at all.

Any ideas?

1 Like

Download the latest snapshot for mir3g-v2 from here (xiaomi_mir3g-v2-squashfs-sysupgrade.bin):

http://downloads.openwrt.org/snapshots/targets/ramips/mt7621/

After flashing OpenWrt you need to ssh to the router and install LuCI, then enable WiFi from the settings.

1. ssh root@192.168.1.1
2. opkg update
3. opkg install luci

1 Like

Hello,
it is also possible to directly install the OpenWrt image into the flash image.

Read out the image from flash with:
ch341prog -r readout_image_from_mir3gv2.img

Install OpenWrt with dd into the image:
dd if=openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin of=readout_image_from_mir3gv2.img conv=notrunc bs=1 seek=1572864

Erase the flash with:
ch341prog -e

And write the modified image back:
ch341prog -w readout_image_from_mir3gv2.img

5 Likes
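An added example (not from any poster in this thread) covering two things discussed above: the offline flashing step, where the dd command overwrites the OS1 region of an SPI-flash dump at byte offset 1572864 (0x180000) without truncating it, and the earlier question of comparing several dumps to see where they differ (for instance the MAC address). The dump and image bytes below are constructed, not real flash contents.

```python
"""Patch an OpenWrt sysupgrade image into an SPI-flash dump at the OS1
offset used in the thread (1572864 = 0x180000), and diff two dumps to
find the byte ranges that differ. Added example, not the forum posters'
tooling; the sample dump and image are constructed, not real flash data."""
import hashlib

OS1_OFFSET = 1572864  # from the thread's dd command: seek=1572864 (0x180000)


def patch_dump(dump: bytes, image: bytes, offset: int = OS1_OFFSET) -> bytes:
    """Equivalent of `dd conv=notrunc bs=1 seek=offset`: overwrite in place,
    keep the dump length, and refuse an image that would run past the end."""
    if offset + len(image) > len(dump):
        raise ValueError("image does not fit in the dump at that offset")
    patched = dump[:offset] + image + dump[offset + len(image):]
    assert len(patched) == len(dump)                      # notrunc: same size
    assert patched[offset:offset + len(image)] == image   # read-back check
    return patched


def diff_ranges(a: bytes, b: bytes):
    """Return half-open [(start, end)] ranges where two same-size dumps differ;
    useful for spotting per-device fields (MAC, calibration) across dumps."""
    if len(a) != len(b):
        raise ValueError("dumps have different sizes")
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def sha256_hex(data: bytes) -> str:
    """Digest to record before `ch341prog -w` so the write can be verified."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: a 2 MiB erased-flash "dump" (all 0xFF) and a tiny
# fake "image" (arbitrary header bytes plus zero padding).
SAMPLE_DUMP = b"\xff" * (2 * 1024 * 1024)
SAMPLE_IMAGE = b"\x27\x05\x19\x56" + b"\x00" * 60

if __name__ == "__main__":
    out = patch_dump(SAMPLE_DUMP, SAMPLE_IMAGE)
    print("patched sha256:", sha256_hex(out))
    print("differs from original at:", diff_ranges(SAMPLE_DUMP, out))
```

Run it against real files by reading `readout_image_from_mir3gv2.img` and the sysupgrade .bin into `bytes`; the diff helper applied to two different devices' dumps narrows down where the per-device data lives before you reuse someone else's dump.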