acecilia / OpenWRTInvasion

Root shell exploit for several Xiaomi routers: 4A Gigabit, 4A 100M, 4, 4C, 3Gv2, 4Q, miWifi 3C...

[Success] Mi Router 4A 100M on firmware 3.0.12 (R4AC) #165

Closed SilentoA closed 1 year ago

SilentoA commented 1 year ago

Hello! I wanted to thank you very much for OpenWRTInvasion and report back on the success!

Device: MiRouter 4A 100M (non gigabit)
Software version: 3.0.12

The process of getting root:

------------------------------------------------------------------------------------------------------------------------------------------------------------------------
~/OpenWRTInvasion (master) » python3 remote_command_execution_vulnerability.py                                                                     130 ↵ liveuser@ctlos
Router IP address [press enter for using the default 'miwifi.com']: 192.168.31.1           
Enter router admin password: 0-)3LJIg|D=Pl=z2(WwI1{-9d
There two options to provide the files needed for invasion:
   1. Use a local TCP file server runing on random port to provide files in local directory `script_tools`.
   2. Download needed files from remote github repository. (choose this option only if github is accessable inside router device.)
Which option do you prefer? (default: 1)
****************
router_ip_address: 192.168.31.1
stok: c42bd637f2f363439c19af8b006d6f47
file provider: local file server
****************
start uploading config file...
start exec command...
local file server is runing on 0.0.0.0:47791. root='script_tools'
local file server is getting 'busybox-mipsel' for 192.168.31.1.
local file server is getting 'dropbearStaticMipsel.tar.bz2' for 192.168.31.1.
done! Now you can connect to the router using several options: (user: root, password: root)
* telnet 192.168.31.1
* ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa -c 3des-cbc -o UserKnownHostsFile=/dev/null root@192.168.31.1
* ftp: using a program like cyberduck
------------------------------------------------------------------------------------------------------------------------------------------------------------------------

OpenWrt installation process:

------------------------------------------------------------------------------------------------------------------------------------------------------------------------
~ » ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa -c 3des-cbc -o UserKnownHostsFile=/dev/null root@192.168.31.1           liveuser@ctlos
The authenticity of host '192.168.31.1 (192.168.31.1)' can't be established.
RSA key fingerprint is SHA256:cGn3yDg2gfyMoGIh1pKGxWDWZWiHK1vj6/S9iRlljlo.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.31.1' (RSA) to the list of known hosts.
root@192.168.31.1's password: 

BusyBox v1.19.4 (2020-12-22 12:08:23 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.

 -----------------------------------------------------
       Welcome to XiaoQiang!
 -----------------------------------------------------
  $$$$$$\  $$$$$$$\  $$$$$$$$\      $$\      $$\        $$$$$$\  $$\   $$\
 $$  __$$\ $$  __$$\ $$  _____|     $$ |     $$ |      $$  __$$\ $$ | $$  |
 $$ /  $$ |$$ |  $$ |$$ |           $$ |     $$ |      $$ /  $$ |$$ |$$  /
 $$$$$$$$ |$$$$$$$  |$$$$$\         $$ |     $$ |      $$ |  $$ |$$$$$  /
 $$  __$$ |$$  __$$< $$  __|        $$ |     $$ |      $$ |  $$ |$$  $$<
 $$ |  $$ |$$ |  $$ |$$ |           $$ |     $$ |      $$ |  $$ |$$ |\$$\
 $$ |  $$ |$$ |  $$ |$$$$$$$$\       $$$$$$$$$  |       $$$$$$  |$$ | \$$\
 \__|  \__|\__|  \__|\________|      \_________/        \______/ \__|  \__|

root@XiaoQiang:~# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 01000000 00010000 "ALL"
mtd1: 00020000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 00010000 00010000 "crash"
mtd5: 00010000 00010000 "cfg_bak"
mtd6: 00200000 00010000 "overlay"
mtd7: 00da0000 00010000 "OS1"
mtd8: 00c40000 00010000 "rootfs"
root@XiaoQiang:~# cd /tmp/
root@XiaoQiang:/tmp# curl --insecure https://downloads.openwrt.org/snapshots/targets/ramips/mt76x8/openwrt-ramips-mt76x8-xiaomi_mi-router-4a-100m-intl-squashfs-sysupgrade.bin --output openwrt.bin
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 5632k  100 5632k    0     0  1120k      0  0:00:05  0:00:05 --:--:-- 1728k
root@XiaoQiang:/tmp# ls -la
drwxrwxrwt   27 root     root          1420 Jan 26 07:07 .
drwxr-xr-x   19 root     root           279 Dec 22  2020 ..
-rwx------    1 root     root             5 Dec 22  2020 .switch2jffs
drwx------    2 root     root           140 Jan 26 06:14 .uci
-rw-r--r--    1 root     root             0 Dec 22  2020 3307.bootcheck.log
-rw-r--r--    1 root     root             6 Dec 22  2020 TZ
drwxr-xr-x    9 root     root           180 Jan 23 08:46 arrays
-rwxr-xr-x    1 root     root       1629080 Jan 26 06:13 busybox
drwxr-xr-x    3 root     root            60 Dec 22  2020 daemon
drwxr-xr-x    2 root     root            40 Jan 23 08:47 datalist
-rw-r--r--    1 root     root           199 Jan 26 07:03 dhcp.eth0.2.after_bound.log
-rw-r--r--    1 root     root           130 Jan 26 07:03 dhcp.eth0.2.befor_bound.log
-rw-r--r--    1 root     root           165 Jan 26 06:02 dhcp.leases
-rw-r--r--    1 root     root           108 Jan 26 07:02 diag_net_spd
drwxr-xr-x    2 root     root           220 Jan 26 06:13 dropbear
-rw-r--r--    1 root     root        324739 Jan 26 06:13 dropbear.tar.bz2
drwxr-xr-x    4 root     root           160 Jan 23 08:46 etc
lrwxrwxrwx    1 root     root             7 Jan 26 06:13 ftpd -> busybox
drwxr-xr-x    2 root     root           260 Dec 22  2020 hosts
drwxr-xr-x    2 root     root            40 Dec 22  2020 http_info
-rw-r--r--    1 root     root             0 Jan 26 06:53 ip6neighbor
drwxr-xr-x    2 root     root            80 Dec 22  2020 lock
drwxr-xr-x    2 root     root            80 Dec 22  2020 log
drwxr-xr-x    2 root     root            40 Dec 22  2020 logexec
-rw-------    1 root     root        147519 Jan 23 08:46 luci-indexcache
drwx------    2 root     root            80 Jan 26 06:07 luci-nonce
drwx------    2 root     root           100 Jan 26 07:02 luci-sessions
-rw-------    1 root     root          2195 Jan 26 07:03 messages
-rw-r--r--    1 root     root             4 Jan 26 07:03 mi_ip_conflict_pid
-rw-r--r--    1 root     root             0 Jan 26 06:14 miqos.lock
drwxr-xr-x    2 root     root            40 Dec 22  2020 mnt
-rw-r--r--    1 root     root           176 Dec 22  2020 mt76xx2.sh.log
-rw-r--r--    1 root     root           177 Dec 22  2020 mt76xx5.sh.log
-rw-r--r--    1 root     root           424 Jan 25 19:35 netdig_tmp
-rw-r--r--    1 root     root           231 Jan 26 07:03 network.env
-rw-r--r--    1 root     root           885 Jan 26 03:00 nginx_check.log
-rw-r--r--    1 root     root            18 Jan 23 08:46 ntp.status
-rw-r--r--    1 root     root       5767527 Jan 26 07:07 openwrt.bin
-rw-r--r--    1 root     root             5 Jan 26 05:10 ota_predownload_pid
-rw-rw-r--    1 1000     1000        195433 Feb 11  2019 oui
drwxr-xr-x    2 root     root            80 Jan 23 09:00 quark
-rw-r--r--    1 root     root            17 Jan 23 08:46 rc.done
-rw-r--r--    1 root     root          3024 Jan 23 08:46 rc.timing
-rw-r--r--    1 root     root            21 Dec 22  2020 resolv.conf
-rw-r--r--    1 root     root            59 Dec 22  2020 resolv.conf.auto
drwxr-xr-x    2 root     root            40 Dec 22  2020 root
-rw-r--r--    1 root     root             2 Jan 23 08:53 router_in_xiaomi
drwxr-xr-x    2 root     root            40 Dec 22  2020 rr
drwxr-xr-x    2 root     root           320 Jan 26 06:14 run
-rw-r--r--    1 1000     985           3352 Jan 26 06:09 script.sh
-rw-r--r--    1 root     root             2 Dec 22  2020 smart_force_wifi_down
-rw-r--r--    1 1000     985           1864 Jan 26 06:13 speedtest_urls.xml
drwxr-xr-x    3 root     root            60 Dec 22  2020 spool
-rw-r--r--    1 root     root             4 Jan 26 07:07 startscene_crontab.lua.PID
-rw-------    1 root     root          1152 Jan 26 06:57 stat_points_privacy.log
-rw-------    1 root     root           145 Jan 26 06:46 stat_points_rom.log
-rw-r--r--    1 root     root             0 Jan 26 06:38 stat_points_web.log
drwxr-xrwx    2 root     root           120 Jan 23 08:46 state
drwxrwxrwx   13 root     root           260 Dec 22  2020 sysapihttpd
drwxr-xr-x    3 root     root           360 Jan 26 03:00 sysapihttpdconf
drwxr-xr-x    2 root     root            80 Jan  1  1970 sysinfo
srwxr-xr-x    1 root     root             0 Dec 22  2020 syslog-ng.ctl
-rw-r--r--    1 root     root             4 Dec 22  2020 syslog-ng.pid
drwxr-xr-x    2 root     root            80 Dec 22  2020 taskmonitor
-rw-r--r--    1 root     root         19387 Dec 22  2020 uci2dat_mt7612.log
-rw-r--r--    1 root     root         20555 Dec 22  2020 uci2dat_mt7628.log
drwxrwxrwx    2 root     root            40 Jan 26 03:00 uploadfiles
-rw-r--r--    1 root     root             0 Jan 25 11:59 upnp.leases
-rw-r--r--    1 root     root             0 Jan 23 08:47 web_config_list
prw-------    1 root     root             0 Jan 26 06:12 web_filter_list
-rw-------    1 root     root         55153 Jan 26 06:01 wifi_analysis.log
root@XiaoQiang:/tmp# mtd -r write openwrt.bin OS1
Unlocking OS1 ...

Writing from openwrt.bin to OS1 ...     
Rebooting ...

The next step was to install luci:

ssh root@192.168.1.1
opkg update
opkg install luci

Then you can get into the web interface.


Please update information about supported firmware for MiRouter 4A 100M (non gigabit). Thanks again!
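A pre-flight check worth running before the `mtd -r write openwrt.bin OS1` step in the session above, added here as an example (it is not from this issue or from the OpenWRTInvasion project): it parses the `/proc/mtd` table quoted in the post and refuses an image that does not fit the target partition. The partition table and the 5767527-byte image size are the ones in this post; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the issue or of OpenWRTInvasion: check that a
# firmware image fits the MTD partition it is about to be written to. A size
# mismatch here is an easy way to brick the router, and mtd itself does not
# ask for confirmation.

# /proc/mtd as printed in the issue (R4AC, firmware 3.0.12), embedded so the
# checks run offline. On the device you would pass "$(cat /proc/mtd)" instead.
SAMPLE_MTD='dev:    size   erasesize  name
mtd0: 01000000 00010000 "ALL"
mtd1: 00020000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 00010000 00010000 "crash"
mtd5: 00010000 00010000 "cfg_bak"
mtd6: 00200000 00010000 "overlay"
mtd7: 00da0000 00010000 "OS1"
mtd8: 00c40000 00010000 "rootfs"'

# mtd_field TABLE NAME COLUMN: print column 2 (size) or 3 (erasesize) of the
# partition called NAME as a decimal byte count; fail if NAME is not listed.
mtd_field() {
    hex=$(printf '%s\n' "$1" | awk -v want="\"$2\"" -v col="$3" '$4 == want { print $col; exit }')
    [ -n "$hex" ] || return 1
    # /proc/mtd prints hex without a 0x prefix; shell arithmetic converts it.
    echo $((0x$hex))
}

# image_fits TABLE NAME BYTES: 0 if BYTES fit in partition NAME,
# 1 if the partition does not exist, 2 if the image is too large.
image_fits() {
    size=$(mtd_field "$1" "$2" 2) || { echo "no partition named $2" >&2; return 1; }
    if [ "$3" -gt "$size" ]; then
        echo "image ($3 bytes) exceeds $2 ($size bytes)" >&2
        return 2
    fi
    return 0
}

# preflight IMAGE PART: on-device wrapper around image_fits using the live
# /proc/mtd and the real file size.
preflight() {
    bytes=$(wc -c < "$1" | tr -d ' ') || return 1
    image_fits "$(cat /proc/mtd)" "$2" "$bytes"
}

# Demonstration with the numbers from the issue: openwrt.bin was 5767527 bytes.
image_fits "$SAMPLE_MTD" OS1 5767527 && echo "openwrt.bin fits OS1"
image_fits "$SAMPLE_MTD" Config 5767527 || echo "refused: Config is too small"
```

On the router itself, `preflight /tmp/openwrt.bin OS1` performs the same check against the live partition table.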

acecilia commented 1 year ago

Awesome thanks!

AsoTora commented 1 year ago

I had the exact input parameters: MiRouter 4A 100M (R4AC) International, Software version: 3.0.12, didn't work.

DanilBorchevkin commented 1 year ago

Environment:

  1. MiRouter 4A 100M (R4AC) International
  2. Firmware version: 3.0.12
  3. Windows 10

I tried to get things done using

  1. docker solution with different combinations of options (local files / remote files)
  2. python host solutions with different combinations (local files / remote files)

and it doesn't work.

Log

(base) PS C:\workspace\docker\OpenWRTInvasion> docker run --network host -it openwrtinvasion
Router IP address [press enter for using the default 'miwifi.com']: 192.168.31.1
Enter router admin password: myAwesomPassword
There two options to provide the files needed for invasion:
   1. Use a local TCP file server runing on random port to provide files in local directory `script_tools`.
   2. Download needed files from remote github repository. (choose this option only if github is accessable inside router device.)
Which option do you prefer? (default: 1)
****************
router_ip_address: 192.168.31.1
stok: 737fd60b3febe56cf92d2c52359763f4
file provider: local file server
****************
start uploading config file...
start exec command...
local file server is runing on 0.0.0.0:60383. root='script_tools'
Warning: the process has finished, but seems like ssh connection to the router is not working as expected.
* Maybe your firmware version is not supported, please have a look at https://github.com/acecilia/OpenWRTInvasion/blob/master/README.md#unsupported-routers-and-firmware-versions

I switched to the latest Fedora and all works as expected.

So the issue is only reproduced on Windows.

ghost commented 1 year ago

Thank you! Successfully flashed.

EndermanchFan2100 commented 1 year ago

Where can I get the global firmware?

ghost commented 1 year ago

Where can I get the global firmware?

By global, you mean international?

Here is a snapshot for R4AC >> https://openwrt.org/inbox/toh/xiaomi/r4ac

Here is the latest release (I haven't tested it) >> https://downloads.openwrt.org/releases/23.05.0/targets/ramips/mt76x8/

EndermanchFan2100 commented 1 year ago

Yeah, international, but I need stock that is in English, not Chinese.

ghost commented 1 year ago

Yeah, international, but I need stock that is in English, not Chinese.

Sorry, but could you specify what you need? Otherwise I don't quite understand you...

anupdebnath commented 1 year ago

Yeah, international, but I need stock that is in English, not Chinese.

Sorry, but could you specify what you need? Otherwise I don't quite understand you...

He is asking for stock firmware in English. 3.xx.xx

ghost commented 1 year ago

He is asking for stock firmware in English. 3.xx.xx

Now it's clear, thank you.

@EndermanchFan2100 I found 3.0.5 and 3.0.10 global. Be careful.

EndermanchFan2100 commented 1 year ago

He is asking for stock firmware in English. 3.xx.xx

Now it's clear, thank you.

@EndermanchFan2100 I found 3.0.5 and 3.0.10 global. Be careful.

I have also found both of those links but both of them are expired.

ghost commented 1 year ago

I have also found both of those links but both of them are expired.

I had to register to download the firmware for you from the second link. miwifi_r4ac_firmware_0942f_3.0.10_INT.zip

Also read this comment before you start converting the Chinese version into a global one. Good luck.

EndermanchFan2100 commented 1 year ago

I have also found both of those links but both of them are expired.

I had to register to download the firmware for you from the second link. miwifi_r4ac_firmware_0942f_3.0.10_INT.zip

Also read this comment before you start converting the Chinese version into a global one. Good luck.

Thank you.

gnssefa commented 11 months ago

I NEED A HELP PLEASE!

sepehr-72 commented 7 months ago

I have also found both of those links but both of them are expired.

I had to register to download the firmware for you from the second link. miwifi_r4ac_firmware_0942f_3.0.10_INT.zip

Also read this comment before you start converting the Chinese version into a global one. Good luck.

Hey sir, kind regards. I have an R4AC (non gigabit) DVB4230GL international on version 3.0.10. Can I install OpenWrt without breaking my device if I do everything step by step via a guide?

Just yes or no

anupdebnath commented 7 months ago

but the menu is English

yes, you can install OpenWrt.

sepehr-72 commented 7 months ago

but the menu is English

yes, you can install OpenWrt.

Thank you so much, I really appreciate it.

Is there any YouTube guide?

ankhanh56 commented 2 months ago

Is there a way to install with firmware R4AC 3.0.129?

testmanavr commented 2 months ago

Hello, I need help. I have a Xiaomi Mi Router 4A v2 (R4ACv2) as well. I first installed OpenWrt from Mi firmware version 3.0.129. I then installed OpenWrt for the 100M international (v1, I guess), then I found a compiled version for v2 and now it's blinking orange. Please help me recover it. Thanks a lot.

dharenkamp commented 2 months ago

Have successfully flashed an OpenWrt snapshot to R4ACv2. The device comes with fw version 3.0.129.

Invasion was successful:

(venv) xxxxxxxxx@xxxxxxxxxxxx:~/temp/penv/OpenWRTInvasion$ python3 remote_command_execution_vulnerability.py
Router IP address [press enter for using the default 'miwifi.com']:
Enter router admin password: 123456789
There two options to provide the files needed for invasion:
   1. Use a local TCP file server runing on random port to provide files in local directory `script_tools`.
   2. Download needed files from remote github repository. (choose this option only if github is accessable inside router device.)
Which option do you prefer? (default: 1)
****************
router_ip_address: miwifi.com
stok: 8991b8a2a300b366ebeef79ef4a035bf
file provider: local file server
****************
start uploading config file...
start exec command...
local file server is runing on 0.0.0.0:49509. root='script_tools'
local file server is getting 'busybox-mipsel' for 192.168.31.1.
local file server is getting 'dropbearStaticMipsel.tar.bz2' for 192.168.31.1.
done! Now you can connect to the router using several options: (user: root, password: root)
* telnet miwifi.com
* ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa -c 3des-cbc -o UserKnownHostsFile=/dev/null root@miwifi.com
* ftp: using a program like cyberduck

With the OpenWrt Firmware Selector https://firmware-selector.openwrt.org I got the snapshot image for the "Xiaomi Mi Router 4A 100M International Edition V2" device.

(venv) xxxxxxxxx@xxxxxxxxxxxx:~/temp/penv/OpenWRTInvasion$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa -c 3des-cbc -o UserKnownHostsFile=/dev/null root@miwifi.com
The authenticity of host 'miwifi.com (192.168.31.1)' can't be established.
RSA key fingerprint is SHA256:lyxLvDJy+Dqh6fEqgSj0xXIXWPbHUW35oJf5e4cUsuc.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'miwifi.com' (RSA) to the list of known hosts.
root@miwifi.com's password:

BusyBox v1.19.4 (2022-09-14 13:16:45 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.

       Welcome to XiaoQiang!

root@XiaoQiang:~# cd /tmp/
root@XiaoQiang:/tmp# mv openwrt-236a0ee5829b-ramips-mt76x8-xiaomi_mi-router-4a-100m-intl-v2-squashfs-sysupgrade.bin firmware.bin
root@XiaoQiang:/tmp# mtd -e OS1 -r write firmware.bin OS1
Unlocking OS1 ...
Erasing OS1 ...

Writing from firmware.bin to OS1 ...
Rebooting ...

So the OpenWrt install was successful.

ankhanh56 commented 2 months ago

My router currently has a yellow light on, then it turns off after a few seconds and keeps repeating this. I've tried searching for firmware version 3.0.129 but couldn't find any results, can anyone help me?

aymenmed0001 commented 2 months ago

You can get into the web interface for the Xiaomi 4A v2 with OpenWrt, and thank you @dharenkamp