NOTE: FROM VERSION
0.0.2
THE ROUTER NEEDS INTERNET ACCESS
. If you require to run the exploit without internet access please try version
0.0.1
. Find the versions here:
https://github.com/acecilia/OpenWRTInvasion/releases
NOTE: THERE ARE REPORTED ISSUES WITH ROUTER IN AP MODE . If you're not able to succeed in the AP mode, try to switch to some other (WiFi Repeater or Gateway)
NOTE: THERE ARE COMPATIBILITY ISSUES REPORTED WHEN USING WINDOWS . This script only runs on Mac or Linux. If you run from Windows, please use docker (explained below)
docker build -t openwrtinvasion https://github.com/acecilia/OpenWRTInvasion.git
docker run --network host -it openwrtinvasion
pip3 install -r requirements.txt # Install requirements
python3 remote_command_execution_vulnerability.py # Run the script
You will be asked for the router IP address and for the
stok
. You can grab the
stok
from the router URL after you log in to the admin interface:
Note that the script must be run from the same IP address used when login into the router .
After that, a telnet server will be up and running. You can connect to it by running:
telnet <router_ip_address>
User: root
Password: root
The script also starts an ftp server at port 21, so you can get access to the filesystem using a GUI (for example cyberduck).
MiRouter 4A Gigabit:
2.28.62: user ksc91u claims that this method works2.28.65: OpenWrt forum2.28.132: OpenWrt forum3.0.10: see here3.0.24: OpenWrt forum3.0.27: see here3.2.30: see here3.10.18: see hereMiRouter 4A 100M (non gigabit):
2.18.51: OpenWrt forum2.18.58: OpenWrt forum3.0.12: see hereFind a troubleshooting guide here
MiRouter 4C:
2.14.81: OpenWrt forum2.14.87: see here2.14.92: see hereFind here a troubleshooting guide for this router
Mi Router 3Gv2:
2.28.8: user Massimiliano Mangoni claims that this method works (message posted in Slack)Mi Router 4Q (aka R4C):
2.28.48: user cadaverous claims that this method works (message posted in Slack), but because the router is mips architecture (not mipsel), he needed to use version 0.0.1 of the script (the other versions use a busybox binary built for the mipsel architecture that is used to start a telnet sever)MiWifi 3C:
2.8.51_INT: OpenWrt forum, OpenWrt forum2.9.217: OpenWrt forum, OpenWrt forum2.14.45: OpenWrt forum, OpenWrt forumMi Router 4:
2.18.62: see here2.26.175: see hereXiaomi Mi R3P:
Xiaomi Dev firmware: see here
Xiaomi 3Gv1:
The stock firmware coming with the router: see here
AC2350 AIOT:
1.3.8CN: see hereMiRouter 4A Gigabit:
2.30.20: see details here3.2.26: see details and alternatives hereMi Extender AC1200 (RA75): see here
Find here a very complete introductory video to the router and the OpenWrt installation
This repository contains the following firmwares:
Official Xiaomi - 2.28.62 - in Chinese. SHA256: a3db7f937d279cf38c2a3bec09772d65
URL in this repository: https://github.com/acecilia/OpenWRTInvasion/raw/master/firmwares/stock/miwifi_r4a_firmware_72d65_2.28.62.bin
Official Xiaomi - 3.0.24 - in English. MD5: 9c4a60addaad76dc13b6df6b4ac03233
URL in this repository: https://github.com/acecilia/OpenWRTInvasion/raw/master/firmwares/stock/miwifi_r4a_all_03233_3.0.24_INT.bin
URL in the official Xiaomi site: http://cdn.awsde0-fusion.fds.api.mi-img.com/xiaoqiang/rom/r4a/miwifi_r4a_all_03233_3.0.24_INT.bin
If you have a pending update in your Xiaomi stock firmware, you can check its md5 hash and the download url by navigating to:
http://192.168.31.1/cgi-bin/luci/;stok=<stok>/api/xqsystem/check_rom_update
When installing OpenWrt on the Xiaomi 4A Gigabit, there are several options:
[PREFERRED OPTION]: use the latest supported stable release of OpenWrt. Find it in the official OpenWrt wiki page
Build your own image with imagebuilder, using the latest source code on master:
docker pull openwrtorg/imagebuilder:ramips-mt7621-master
docker run --rm -v "$(pwd)"/bin/:/home/build/openwrt/bin -it openwrtorg/imagebuilder:ramips-mt7621-master
make PROFILE=xiaomi_mir3g-v2 image
If after reading above text you still want to proceed, after login to the router through telnet run the following commands:
cd /tmp
curl https://raw.githubusercontent.com/acecilia/OpenWRTInvasion/master/firmwares/OpenWrt/06-06-2020/openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin --output firmware.bin # Put here the URL you want to use to download the firmware
./busybox sha256sum firmware.bin # Verify the firmware checksum before flashing, very important to avoid bricking your device!
mtd -e OS1 -r write firmware.bin OS1 # Install OpenWrt
This will install the snapshot version of OpenWrt (without Luci). You can now use ssh to connect to the router (and install Luci if you prefer it).
Please see here for a complete performance analysis
OpenWrt forum thread
You can find solutions in the following links:
User albertcp posted a very detailed guide: OpenWrt forum
User micky0867 has some more comments about the topic: OpenWrt forum
User hoddy created a video tutorial
Original vulnerabilities and exploit: UltramanGaia
Instructions to install OpenWrt after exploit execution: rogerpueyo
Testing and detailed install instructions: hey07
Checking the URL of pending updates: sicklesareterrible
Root shell exploit for several Xiaomi routers: 4A Gigabit, 4A 100M, 4, 4C, 3Gv2, 4Q, miWifi 3C...
Topics
router
firmware
openwrt
xiaomi
routers
4a-gigabit
xiaomi-routers
miwifi-3c