Flash Instructions for Xiaomi Routers
Introduction
In the past it used to be quite a mission to get OpenWrt flashed onto Xiaomi Routers.
Things have, however, changed drastically with the recent availability of OpenWRTInvasion.
The following instructions can be applied to the 4A Gigabit Edition, 4A 100M Edition and 4C models.
Since there are still many older instructions floating around on the Internet it can be confusing initially to find a working set of instructions.
The instructions on the OpenWrt Wiki for the 4C are the best and to the point.
The instructions on this page will be based on them.
Overview
It's always good to understand what is actually happening when you do something, so that when things do go wrong you are better able to troubleshoot.
With the latest version of OpenWRTInvasion you need to
OpenWRTInvasion invades the standard Xiaomi router and installs a few utilities from the Internet onto the router itself.
This is why the router needs to have Internet access.
For this invasion to happen you need to get a special key (called the stok value) from the Xiaomi router.
Once the invasion is complete you will be able to ssh or telnet into the Xiaomi router.
You can then download OpenWRT and flash it onto the router using the mtd command.
If things go wrong there is an easy way to install the original Xiaomi firmware again onto the device and start from scratch.
This makes the devices very robust.
Finding the stok code on the router
This section will show a couple of screenshots from the Xiaomi 4C router to get to the stok code needed when using OpenWRTInvasion.
These routers are easy to source in most countries. I got one from a local online store in South Africa for ~5USD delivered to my door.
I connected the WAN port to my TLE router and connected my laptop to the LAN side of the 4C.
The very first screen you are met with can be a bit confusing, since your natural reaction is to hit the Try it now button.
You however have to first select the country. So click the Click to select link to select the country first.
Invading the Router
sudo apt-get install python3-pip git
mkdir xiaomi_flash
cd xiaomi_flash/
git clone https://github.com/acecilia/OpenWRTInvasion.git
cd OpenWRTInvasion/
#Important to run as superuser
sudo pip3 install -r requirements.txt # Install requirements
sudo python3 remote_command_execution_vulnerability.py
Router IP address [press enter for using the default 192.168.31.1]:
stok: c047480902024ca71370a39eace78b36
****************
router_ip_address: 192.168.31.1
stok: c047480902024ca71370a39eace78b36
****************
start uploading config file...
start exec command...
done! Now you can connect to the router using several options: (user: root, password: root)
* telnet 192.168.31.1
* ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null root@192.168.31.1
* ftp: using a program like cyberduck
Flashing the new firmware
Please note that the router is fairly robust and things have to go South very badly for the router to be hard bricked.
So don't be too nervous when flashing the router, as you can always restore it again.
We will
To download the firmware image we use wget.
Unfortunately, this version of wget cannot download from HTTPS websites.
For this reason we also installed NGINX on the Ubuntu machine where we installed OpenWRTInvasion. (Not in these instructions, but easy to get elsewhere)
We will then copy the firmware files to the webroot directory where NGINX serves its content from to fetch it locally.
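Because the image travels over plain HTTP and is then written straight to flash, it is worth checking its SHA-256 against the sha256sums file published alongside OpenWrt release images before running mtd. The following is an added example, not part of the original instructions: the function names are hypothetical, and it assumes a sha256sum binary is available where it runs (not confirmed for the stock Xiaomi BusyBox, so run it at least on the Ubuntu machine before copying the file to the webroot).

```shell
#!/bin/sh
# Added example: verify a firmware image against a sha256sums manifest
# before flashing. Assumes the manifest uses the "<hex digest> *<file name>"
# layout produced by sha256sum, and that sha256sum exists on this machine.

# expected_digest MANIFEST NAME -> prints the digest listed for NAME, if any.
expected_digest() {
    # Match the exact file name, with or without the binary-mode '*' prefix.
    awk -v name="$2" '$2 == name || $2 == ("*" name) { print $1; exit }' "$1"
}

# verify_image MANIFEST IMAGE [NAME]
# NAME is the file name as listed in the manifest. It defaults to the
# basename of IMAGE, so pass it explicitly once the file has been renamed
# (for example to openwrt.bin, as in the session below).
# Returns 0 on match, 1 on mismatch, 2 on missing entry or unreadable input.
verify_image() {
    manifest=$1
    image=$2
    name=${3:-$(basename "$image")}

    [ -r "$manifest" ] && [ -r "$image" ] || {
        echo "cannot read manifest or image" >&2
        return 2
    }

    want=$(expected_digest "$manifest" "$name")
    [ -n "$want" ] || {
        echo "no entry for $name in $manifest" >&2
        return 2
    }

    have=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$have" = "$want" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (expected $want, got $have)" >&2
    return 1
}
```

Only proceed to the mtd write when verify_image returns 0; a return of 1 means the file differs from the published image and should be downloaded again.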
system@one:~/Documents/xiaomi_flash/OpenWRTInvasion$ telnet 192.168.31.1
Trying 192.168.31.1...
Connected to 192.168.31.1.
Escape character is '^]'.
XiaoQiang login: root
Password:
BusyBox v1.19.4 (2019-06-28 10:13:42 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.
-----------------------------------------------------
Welcome to XiaoQiang!
-----------------------------------------------------
$$$$$$\ $$$$$$$\ $$$$$$$$\ $$\ $$\ $$$$$$\ $$\ $$\
$$ __$$\ $$ __$$\ $$ _____| $$ | $$ | $$ __$$\ $$ | $$ |
$$ / $$ |$$ | $$ |$$ | $$ | $$ | $$ / $$ |$$ |$$ /
$$$$$$$$ |$$$$$$$ |$$$$$\ $$ | $$ | $$ | $$ |$$$$$ /
$$ __$$ |$$ __$$< $$ __| $$ | $$ | $$ | $$ |$$ $$<
$$ | $$ |$$ | $$ |$$ | $$ | $$ | $$ | $$ |$$ |\$$\
$$ | $$ |$$ | $$ |$$$$$$$$\ $$$$$$$$$ | $$$$$$ |$$ | \$$\
\__| \__|\__| \__|\________| \_________/ \______/ \__| \__|
root@XiaoQiang:~# cd /tmp
root@XiaoQiang:/tmp# wget http://192.168.31.152/openwrt-ramips-mt7621-xiaomi_mi-router-4a-gigabit-squashfs-sysupgrade.bin
Connecting to 192.168.31.152 (192.168.31.152:80)
openwrt-ramips-mt762 100% |*********************************************************************************************************************************************************************************| 7425k 0:00:00 ETA
root@XiaoQiang:/tmp# mv openwrt-ramips-mt7621-xiaomi_mi-router-4a-gigabit-squashfs-sysupgrade.bin openwrt.bin
root@XiaoQiang:/tmp# mtd -e OS1 -r write openwrt.bin OS1
Unlocking OS1 ...
Erasing OS1 ...
If all goes well the device will reboot.
Keep an eye on the orange LED: if it flashes you're in business, since it is related to OpenWRT.
While it flashes, OpenWRT is busy creating its working filesystem on the flash chip.
Remember that devices with 128M flash will take longer to settle down.
Once everything settles down you should have two blue LEDs.
Now you can try out your new firmware.
If, however, things did not work according to plan, the next section is for you.