Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit) -- fully supported and flashable with OpenWRTInvasion

Hello,
it is also possible to directly install the OpenWrt image into the flash image.

Read out the image from flash with:
ch341prog -r readout_image_from_mir3gv2.img

Install OpenWRT with dd on the image:
dd if=openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin of=readout_image_from_mir3gv2.img conv=notrunc bs=1 seek=1572864

Erase flash with:
ch341prog -e

And write the modified image back:
ch341prog -w readout_image_from_mir3gv2.img


That sounds great to me!!!
So I could save a lot of time, because until now I was dumping with flashrom, enabling bootmenu-delay within the dump, reflashed the patched dump, tftp-booted OpenWrt and then did the sysupgrade.

Could you tell me how you found out the right start-position (seek=1572864)?


I analysed the binary with binwalk:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
97696         0x17DA0         U-Boot version string, "U-Boot 1.1.3 (Feb 22 2019 - 06:43:39)"
98248         0x17FC8         CRC32 polynomial table, little endian
524288        0x80000         JFFS2 filesystem, little endian
1572864       0x180000        uImage header, header size: 64 bytes, header CRC: 0x6056EBF4, created: 2019-02-22 06:51:44, image size: 1856070 bytes, Data Address: 0x81001000, Entry Point: 0x813ECCE0, data CRC: 0x1522C879, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS OpenWrt Linux-3.10.14"
1572928       0x180040        LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 5458688 bytes
2705694       0x29491E        COBALT boot rom data (Flat boot rom or file system)
3473408       0x350000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 11349156 bytes, 2236 inodes, blocksize: 262144 bytes, created: 2019-02-22 06:51:40
15204352      0xE80000        JFFS2 filesystem, little endian

Just tried it out now, and it seems to work well :slight_smile:

I wrote a shell script. I use flashrom instead of ch341prog, but I think it's easy to modify for those who want to use ch341prog.

#!/bin/bash
# Needs bash (not sh): the script uses the "function" keyword and BASH_LINENO.
timestamp=$(date "+%Y%m%d_%H%M%S")
start=$(date +%s) # for calculating runtime
dir=$(pwd)

function show_runtime () {
	end=$(date +%s)
	runtime=$((end-start))
	printf "\nruntime: %s seconds\n\n" "${runtime}"
}

function exit_error () {
	printf "Error @ line:\t%i\n" "${BASH_LINENO[-2]}"
	# removing the files of this run
	cd "${dir}" && rm -r "bkps/${timestamp}"
	show_runtime
	exit 1
}

function check_error () {
	# The return value of the previous command is stored in $?. 0 indicates success, anything else indicates an error.
	if [ "$?" -ne 0 ]; then
		exit_error
	fi
}

#create folders
	mkdir -p "bkps/${timestamp}" && cd "bkps/${timestamp}"
	check_error
	file="${timestamp}_dev-dump"

#create dumps
	printf "\n\n\n ***** +++++ ***** creating dump-files ***** +++++ *****\n"
	flashrom -p ch341a_spi -c GD25Q127C/GD25Q128C -V -r "${file}Nr01.bin"
	check_error
	#2nd dump-file
	gpio write 2 0; sleep 2; gpio write 2 1; sleep 1 #Powering ON SPI_header-VCC
	flashrom -p ch341a_spi -c GD25Q127C/GD25Q128C -V -r "${file}Nr02.bin"
	check_error

#compare dumps: two identical reads mean the dump can be trusted
	hash1=$(md5sum "${file}Nr01.bin" | cut -f1 -d" ") # only get the hash value
	hash2=$(md5sum "${file}Nr02.bin" | cut -f1 -d" ")
	if [ "${hash1}" = "${hash2}" ]; then
		printf "hashes are identical - continue\n"
	else
		printf "hashes are different - please retry reading the flash.\n"
		exit_error
	fi

#patch file
	#enable bootdelay in the U-Boot environment
		sed 's/\x62\x6F\x6F\x74\x64\x65\x6C\x61\x79\x00\x00\x00\x6F\x66\x66/\x62\x6F\x6F\x74\x64\x65\x6C\x61\x79\x00\x00\x00\x00\x00\x35/g' "${file}Nr01.bin" > "${file}Nr01.bin.patched"
		check_error
	#write OpenWrt into the dump file at the kernel partition offset (0x180000, found with binwalk)
		sysupgrade_file="openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin"
		wget "https://downloads.openwrt.org/snapshots/targets/ramips/mt7621/${sysupgrade_file}"
		check_error
		dd if="${sysupgrade_file}" of="${file}Nr01.bin.patched" conv=notrunc bs=1 seek=1572864 status=progress
		check_error
		rm "${sysupgrade_file}"

#flash file
	printf "\n\n\n ***** +++++ ***** flashing patched file ... ***** +++++ ***** \n"
	flashrom --noverify -p ch341a_spi -c GD25Q127C/GD25Q128C -V -w "${file}Nr01.bin.patched"
	check_error
	printf "\n\n\n ***** +++++ ***** device successfully patched! ***** +++++ *****\n"

#print runtime
	show_runtime

I could put the script in the wiki, if you think it could be useful?

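An added check for the dd step discussed in the binwalk answer and the script above (example code, not from the thread or the script's author): it locates the uImage kernel header in a dump the way binwalk does, verifies the header CRC so a stray magic is not mistaken for the kernel, and refuses to write an image that would spill past the firmware partition into the JFFS2 overlay. The partition bounds 0x180000 and 0xE80000 come from the binwalk listing; the dump and image are constructed test data.

```python
import struct
import zlib
UIMAGE_MAGIC, HEADER_LEN = 0x27051956, 64  # U-Boot legacy image magic and header size
# From the binwalk listing above: kernel uImage at 0x180000, next JFFS2 partition at 0xE80000.
FIRMWARE_START, FIRMWARE_END = 0x180000, 0xE80000

def parse_uimage_header(blob):
    """Header fields, or None when the magic or the header CRC (ih_hcrc) is wrong."""
    if len(blob) < HEADER_LEN or blob[:4] != struct.pack(">I", UIMAGE_MAGIC):
        return None
    hcrc, _time, size, load, ep, dcrc = struct.unpack(">6I", blob[4:28])
    # ih_hcrc covers the whole 64-byte header with the CRC field itself zeroed.
    if zlib.crc32(blob[:4] + b"\0\0\0\0" + blob[8:HEADER_LEN]) != hcrc:
        return None
    name = blob[32:HEADER_LEN].split(b"\0", 1)[0].decode("ascii", "replace")
    return {"size": size, "load": load, "entry": ep, "dcrc": dcrc, "name": name}

def find_uimage_headers(dump):
    """Offsets whose magic *and* CRC check out; a stray magic alone is ignored."""
    needle, found, pos = struct.pack(">I", UIMAGE_MAGIC), [], 0
    while (pos := dump.find(needle, pos)) != -1:
        hdr = parse_uimage_header(dump[pos:pos + HEADER_LEN])
        if hdr:
            found.append((pos, hdr))
        pos += 1
    return found

def fits_in_firmware(image_len, start=FIRMWARE_START, end=FIRMWARE_END):
    return start + image_len <= end

def patch_dump(dump, image, start=FIRMWARE_START, end=FIRMWARE_END):
    """Like dd conv=notrunc seek=start, but refuses to spill into the next partition."""
    if not fits_in_firmware(len(image), start, end):
        raise ValueError("image would overrun the firmware partition")
    out = bytearray(dump)
    out[start:start + len(image)] = image
    return bytes(out)

def make_uimage(payload, name=b"MIPS OpenWrt Linux-3.10.14"):
    """Constructed test image: OS=Linux(5), arch=MIPS(5), type=kernel(2), comp=lzma(3)."""
    hdr = struct.pack(">7I4B", UIMAGE_MAGIC, 0, 0, len(payload), 0x81001000,
                      0x813ECCE0, zlib.crc32(payload), 5, 5, 2, 3) + name.ljust(32, b"\0")
    return hdr[:4] + struct.pack(">I", zlib.crc32(hdr)) + hdr[8:] + payload

def make_sample_dump():
    """Constructed 16 MiB dump: erased flash, a stray magic at 0x80000, a real uImage at 0x180000."""
    dump = bytearray(b"\xff" * (16 << 20))
    dump[0x80000:0x80004] = struct.pack(">I", UIMAGE_MAGIC)  # magic with no valid header behind it
    img = make_uimage(b"kernel" * 1000)
    dump[FIRMWARE_START:FIRMWARE_START + len(img)] = img
    return bytes(dump)
```

Running find_uimage_headers over a real dump should report exactly one valid header at 0x180000 (1572864); any other offset means the layout differs from this thread's device and the seek value must not be reused blindly.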

@acecilia Thanks for the exploit.
I successfully managed to install OpenWrt on 2 new Mi router 4A 100 (Non gigabit version) running firmware 2.18.51


@acecilia Thanks again for the exploit.
Successfully installed on Xiaomi Router 4A 100M (R4AC) running firmware 2.18.58


@acecilia
Also successfully installed on Xiaomi Router 4A Gigabit Edition Gigabit (R4A) running firmware 2.28.62


Hi everyone

I successfully installed OpenWrt as well on the Xiaomi Router 4A Gigabit Edition, but I encounter an issue while installing luci:

root@OpenWrt:~# opkg install luci
Installing luci (git-20.089.25318-f89efcf-1) to root...
Downloading http://downloads.openwrt.org/snapshots/packages/mipsel_24kc/luci/luci_git-20.089.25318-f89efcf-1_all.ipk
Collected errors:
 * satisfy_dependencies_for: Cannot satisfy the following dependencies for luci:
 * 	libiwinfo20181126
 * opkg_install_cmd: Cannot install package luci.

Any suggestions?

Thx

Gr

I have the same error.

I connect with putty, the system is not responding,
network does not work,
USB does not work.
I connect putty with serial USB, but u-boot (coolterm) is not receiving commands.
Please help me.
model: mi router3 (mir3)

Latest daily build fixed the issue! Luci up and running


I screwed my router. I flashed the wrong build, not for v2, and now my Router4A Gigabit is dead. I get a connection with my computer only if I press the reset button for a few seconds, but there is no packet transferring between computer and router. I tried setting my PC's IP address to 192.168.1.10 and tried pinging 192.168.1.1, but no data exchange. Is there anything that can be done, or can I throw it away?

I suggest: grab yourself a flasher (see previous posts, 3 to 5 bucks on AliExpress), dump your flash contents, make a backup of it to another file (in case something goes wrong in the next steps), then use the method a few posts above (dd to the correct offset, use binwalk to find it out) to modify its contents with the correct openwrt version for your router, then finally flash it back. Should get your problem solved.


I have the same problem. Seems like the server is down or not stable. It works now.

Hello.
Could anyone share some info on real world performance of OpenWrt on this router?
I'm particularly interested in stability and throughput in the 2.4 GHz band, since I would like to buy and use it in dumb AP configuration for streaming and serving files in a big-walled house.
Thanks

I spoke with acecilia (many thanks for his contribution and help) in slack who recommended me to post this here:

It seems something went wrong during the flashing process and I have a bricked router :frowning:
I followed the acecilia (https://openwrt-workspace.slack.com/team/U01057ALMK5) OpenWRTInvasion on my Mi Router 4A Gigabit (Global stock 2.28.132). I finally got access to the root but I had to use the legacy version (netcat), I don't know if it's because my network setup was too complicated (I was connecting to it through the 4a local port attached to my home network - router + switch).
Anyway, I followed the steps:

It showed me the message of Unlocking OS1 and Erasing OS1 but never got any other message. I left it for a couple of hours in case it was a long process but didn't get any response. No power shortages/disconnections occurred.
Now the router looks like it's bricked: I tried to reboot it manually (unplug power) and using the reset button with no luck. The power light in the router blinks at a 2-3 second pace from the moment you power it on and doesn't stop.
Ethernet ports also look like they're not powered/working, as my switch and computer don't detect any attached ethernet cable. I also can't ping the router or figure out its IP (though I don't think it has any since it seems like the ports are not working).
Any thoughts on what could have gone wrong or what I could do?

acecilia pointed me to this forum and to try to use TFTP to upload another image, but I don't know how, since I don't know how to connect to the router using the network (does it have any recovery mode, like pressing reset and powering up?).

My initial thoughts reading this thread is that I either try to connect using TTL/USB or try to dump/flash the chip using a flasher. Can you also point me in the right direction or link some information about this process if it's the one you recommend me? It would be my first time.

Thank you all

you can download latest snapshot for mir3g v2 from here : (xiaomi_mir3g-v2-squashfs-sysupgrade.bin)
http://downloads.openwrt.org/snapshots/targets/ramips/mt7621/

then after download you can upload it to another upload centre like mediafire then flash it.

sha256 online checker :
https://emn178.github.io/online-tools/sha256_checksum.html

for the first time flash you need to use this method:

1. gain root using OpenWRTInvasion (mine running stock 2.28.132)
   you can follow his guide (very clear) or
   - download OpenWRTInvasion here
   - install the requirements (I use pi4 raspbian, python ready)
   - open a terminal and run "python3 remote_command_execution_vulnerability.py"
   - put your mir4a ip
   - put your mir4a stok (can be found in your router web url, just type the router ip in your browser)
   the script will upload the exploit to your router; now you can access it using telnet with login "root" without password
2. Flash openwrt (I used the snapshots version of mir3g-v2)
   - telnet using your router ip
   - login with "root"
   - cd /tmp/
   - wget http://downloads.openwrt.org/snapshots/targets/ramips/mt7621/openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin
     (it will download the bin file to the router tmp folder (wget does not recognize https))
   - mtd -e OS1 -r write openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin OS1
     It will say:
     Unlocking OS1 ...
     Erasing OS1 ...
     Writing from openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin to OS1 ...
     Rebooting ...
   - Done (it will reboot and come back with openwrt)

after flash you need to install luci via ssh (use putty):
1.ssh root@192.168.1.1
2.opkg update && opkg install luci

after first flash you can update to latest openwrt snapshot from luci GUI.

and if luci is not accessible you can update via ssh :
1.cd /tmp/
2.wget http://downloads.openwrt.org/snapshots/targets/ramips/mt7621/openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin
3.mtd -r write /tmp/openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin firmware

Just flashed my Mi Router 4A Gigabit (fw ver. 2.28.132) with the latest snapshot using the exploit. Thanks so much @acecilia.

I just want to add that you can also try to: 1) Download the openwrt images from https using /usr/bin/curl and 2) check the SHA 256 checksum of your downloaded openwrt image by using the below command:

root@XiaoQiang:/tmp# ./busybox sha256sum openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin 
8a34191730fe1b81e10f13d446b77b18bc0981e7cf7ad062c458bc6c4086056b  openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin

Just to be on the safe side :slightly_smiling_face:.


I use it as a repeater. I am using the 5ghz band only, and I am happy with it (stock firmware).


Thanks @freemyrouter, I updated the readme of https://github.com/acecilia/OpenWRTInvasion to reflect the changes you proposed :rocket:
