RADIUSdesk



Flash Instructions for Xiaomi Routers

Introduction

  • In the past it used to be quite a mission to get OpenWrt flashed onto Xiaomi Routers.
  • Things have changed drastically recently, however, with the availability of OpenWRTInvasion.
  • The following instructions can be applied to the 4A Gigabit Edition, 4A 100M Edition and 4C models.
  • Since there are still many older instructions floating around on the Internet it can be confusing initially to find a working set of instructions.
  • The instructions on the OpenWrt Wiki for the 4C are the best and to the point.
  • The instructions on this page will be based on them.

Overview

  • It's always good to understand what is actually happening when you do something, so that when things do go wrong you are better placed to troubleshoot.
  • With the latest version of OpenWRTInvasion you need to
    • Connect the Xiaomi router to the Internet (Using the WAN port)
    • Connect your computer (ours is running Ubuntu 20.04) to the LAN.
    • The Xiaomi router uses the 192.168.31.x subnet on the LAN by default.
    • The Xiaomi router will listen on 192.168.31.1.
  • OpenWRTInvasion breaks into the stock Xiaomi firmware and installs a few utilities, downloaded from the Internet, onto the router itself.
  • This is why the router needs to have Internet access.
  • For this invasion to happen you need to get a special key (called the stok value) from the Xiaomi router.
  • Once the invasion is complete you will be able to ssh or telnet into the Xiaomi router.
  • Then you can download and flash OpenWRT onto the router using the mtd command.
  • If things go wrong there is an easy way to install the original Xiaomi firmware again onto the device and start from scratch.
  • This makes the devices very robust.

Finding the stok code on the router

  • This section shows a couple of screenshots from the Xiaomi 4C router, showing how to get to the stok code needed by OpenWRTInvasion.
  • These routers are easy to source in most countries. I got one from a local online store in South Africa for ~5USD delivered to my door.
  • I connected the WAN port to my LTE router and connected my laptop to the LAN side of the 4C.

  • The very first screen you are met with can be a bit confusing, since your natural reaction is to hit the Try it now button.
  • You however have to first select the country. So click the Click to select link to select the country first.

  • Not all countries are listed in the select, so I chose United Kingdom.

  • Once it is selected you can hit the Try it now button again.

  • On the Internet guide screen you can leave the defaults and click through.

  • Provide a password for the router and Wireless and click next.

  • Setup is now complete and you can log in using the password you just provided.

  • Here we are logged in. As you can see in the URL address bar, the query string has an item called stok, which you will use with OpenWRTInvasion.
  • Note that this value changes with each session, so if you reboot the router or log out and log in again the value will be different.
  • Only the most recent value will work with OpenWRTInvasion.

Invading the Router

  • We assume you are on a working installation of Ubuntu 20.04.
  • Make sure python3-pip and git are installed
sudo apt-get install python3-pip git
  • Create a working directory where you can check out OpenWRTInvasion
mkdir xiaomi_flash
cd xiaomi_flash/
git clone https://github.com/acecilia/OpenWRTInvasion.git
  • Install the requirements and run it. You will need root (sudo) rights to run the program, otherwise it will not work.
cd OpenWRTInvasion/
#Important to run as superuser
sudo pip3 install -r requirements.txt # Install requirements
sudo python3 remote_command_execution_vulnerability.py
  • This will start the program and ask two questions, after which it completes the invasion:
Router IP address [press enter for using the default 192.168.31.1]: 
stok: c047480902024ca71370a39eace78b36
****************
router_ip_address: 192.168.31.1
stok: c047480902024ca71370a39eace78b36
****************
start uploading config file...
start exec command...
done! Now you can connect to the router using several options: (user: root, password: root)
* telnet 192.168.31.1
* ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null root@192.168.31.1
* ftp: using a program like cyberduck
  • The invasion is now complete and you should be able to access the router.
  • Note that it takes ~2-3 minutes for the invasion to complete.

Flashing the new firmware

  • Please note that the router is fairly robust and things have to go south very badly for it to be hard bricked.
  • So don't be too nervous when flashing the router, as you can always restore it again.
  • We will
    • Telnet into the router
    • Download the firmware image we want to install
    • Write it to the OS1 flash partition.
  • To download the firmware image we use wget.
  • Unfortunately the version of wget on the router cannot download from HTTPS websites.
  • For this reason we also installed NGINX on the Ubuntu machine where we installed OpenWRTInvasion. (Not covered in these instructions, but easy to find elsewhere.)
  • We then copy the firmware file to the webroot directory that NGINX serves its content from, so the router can fetch it locally over plain HTTP.
system@one:~/Documents/xiaomi_flash/OpenWRTInvasion$ telnet 192.168.31.1
Trying 192.168.31.1...
Connected to 192.168.31.1.
Escape character is '^]'.
 
XiaoQiang login: root
Password: 
 
 
BusyBox v1.19.4 (2019-06-28 10:13:42 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.
 
 -----------------------------------------------------
       Welcome to XiaoQiang!
 -----------------------------------------------------
  $$$$$$\  $$$$$$$\  $$$$$$$$\      $$\      $$\        $$$$$$\  $$\   $$\
 $$  __$$\ $$  __$$\ $$  _____|     $$ |     $$ |      $$  __$$\ $$ | $$  |
 $$ /  $$ |$$ |  $$ |$$ |           $$ |     $$ |      $$ /  $$ |$$ |$$  /
 $$$$$$$$ |$$$$$$$  |$$$$$\         $$ |     $$ |      $$ |  $$ |$$$$$  /
 $$  __$$ |$$  __$$< $$  __|        $$ |     $$ |      $$ |  $$ |$$  $$<
 $$ |  $$ |$$ |  $$ |$$ |           $$ |     $$ |      $$ |  $$ |$$ |\$$\
 $$ |  $$ |$$ |  $$ |$$$$$$$$\       $$$$$$$$$  |       $$$$$$  |$$ | \$$\
 \__|  \__|\__|  \__|\________|      \_________/        \______/ \__|  \__|
 
 
root@XiaoQiang:~# cd /tmp
root@XiaoQiang:/tmp# wget http://192.168.31.152/openwrt-ramips-mt7621-xiaomi_mi-router-4a-gigabit-squashfs-sysupgrade.bin
Connecting to 192.168.31.152 (192.168.31.152:80)
openwrt-ramips-mt762 100% |*********************************************************************************************************************************************************************************|  7425k  0:00:00 ETA
root@XiaoQiang:/tmp# mv openwrt-ramips-mt7621-xiaomi_mi-router-4a-gigabit-squashfs-sysupgrade.bin openwrt.bin
root@XiaoQiang:/tmp# mtd -e OS1 -r write openwrt.bin OS1
Unlocking OS1 ...
Erasing OS1 ...
  • If all goes well the device will reboot.
  • Keep an eye on the orange LED: if it flashes you're in business, since it is driven by OpenWRT.
  • While it flashes, OpenWRT is busy creating its working filesystem on the flash chip.
  • Remember that devices with 128M flash will take longer to settle down.
  • Once everything settles down you should have two blue LEDs.
  • Now you can try out your new firmware.
  • If things however did not work according to plan, the next section is for you.
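Because the image is fetched over plain HTTP, nothing on this path checks its integrity before it is written to flash. The following helper is an added example (not from the original page or from OpenWRTInvasion) that compares the downloaded file's SHA-256 against the value from the sha256sums file OpenWrt publishes next to each image, and only then issues the same mtd command used above. It assumes the router's BusyBox provides sha256sum; the function names verify_image and flash_if_verified are hypothetical.

```shell
#!/bin/sh
# Added example: verify an OpenWrt sysupgrade image before handing it to mtd.
# Run on the router after telnet/ssh, with the image already in /tmp.
# Assumptions: the expected SHA-256 is copied from the sha256sums file next to
# the image on downloads.openwrt.org, and BusyBox on the router has sha256sum.

# verify_image FILE EXPECTED_SHA256
# Returns 0 when FILE exists, is non-empty and hashes to EXPECTED_SHA256
# (compared case-insensitively); returns 1 and explains why otherwise.
verify_image() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -s "$file" ]; then
        echo "missing or empty image: $file" >&2
        return 1
    fi
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# flash_if_verified FILE EXPECTED_SHA256
# Writes FILE to the OS1 partition with the same mtd invocation the page uses,
# but only after verify_image succeeds. With DRY_RUN=1 the mtd command is
# printed instead of executed, so the check can be rehearsed safely.
flash_if_verified() {
    image=$1
    expected=$2
    verify_image "$image" "$expected" || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "would run: mtd -e OS1 -r write $image OS1"
        return 0
    fi
    mtd -e OS1 -r write "$image" OS1
}

# Usage on the router (expected hash taken from OpenWrt's sha256sums file):
#   flash_if_verified /tmp/openwrt.bin <sha256 from sha256sums>
```

A mismatch leaves the flash untouched, which is the outcome you want when a download was truncated or the wrong image was copied into the webroot.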