# Root shell exploit for several Xiaomi routers: 4A Gigabit, 4A 100M, 4C, 3Gv2, 4Q, miWifi 3C...
## How to run
**NOTE: FROM VERSION `0.0.2` THE ROUTER NEEDS INTERNET ACCESS**. If you need to run the exploit without internet access, try version `0.0.1`. All versions are listed here: https://github.com/acecilia/OpenWRTInvasion/releases
### Using Docker (also works on Windows)
```console
$ docker build -t openwrtinvasion https://github.com/acecilia/OpenWRTInvasion.git
$ docker run --network host -it openwrtinvasion
```
### Using the command line
```shell
pip3 install -r requirements.txt # Install requirements
python3 remote_command_execution_vulnerability.py # Run the script
```
You will be asked for the router IP address and for the `stok`. You can grab the `stok` from the router URL after you log in to the admin interface:
![](readme/readme-001.png)
Note that [the script must be run from the same IP address you used when logging in to the router](https://github.com/acecilia/OpenWRTInvasion/issues/97).
After that, a telnet server will be up and running. You can connect to it by running:
```
telnet <router_ip_address>
```
* User: `root`
* Password: `root`
The script also starts an FTP server on port 21, so you can access the filesystem with a GUI client (for example [cyberduck](https://cyberduck.io)).
## Supported routers and firmware versions
* MiRouter 4A Gigabit: user [ksc91u](https://forum.openwrt.org/u/ksc91u) claims that this method also works on firmware versions `2.28.62`, `2.28.65` and `2.28.132`: [OpenWrt forum](https://forum.openwrt.org/t/xiaomi-mi-router-4a-gigabit-edition-r4ag-r4a-gigabit-fully-supported-but-requires-overwriting-spi-flash-with-programmer/36685/359). It also works on the latest `3.0.24` firmware: [OpenWrt forum](https://forum.openwrt.org/t/xiaomi-mi-router-4a-gigabit-edition-r4ag-r4a-gigabit-fully-supported-and-flashable-with-openwrtinvasion/36685/1135).
* MiRouter 4A 100M (non-gigabit): user [morhimi](https://forum.openwrt.org/u/morhimi) claims that this method works on firmware version `2.18.51`: [OpenWrt forum](https://forum.openwrt.org/t/xiaomi-mi-router-4a-gigabit-edition-r4ag-r4a-gigabit-fully-supported-but-requires-overwriting-spi-flash-with-programmer/36685/372). User [Jeffpeng](https://forum.openwrt.org/u/jeffpeng) claims that this method works on firmware version `2.18.58`: [OpenWrt forum](https://forum.openwrt.org/t/xiaomi-mi-router-4a-gigabit-edition-r4ag-r4a-gigabit-fully-supported-but-requires-overwriting-spi-flash-with-programmer/36685/373). Find a troubleshooting guide [here](https://github.com/acecilia/OpenWRTInvasion/issues/92).
* MiRouter 4C: user [Jeffpeng](https://forum.openwrt.org/u/jeffpeng) claims that this method works on firmware version `2.14.81`: [OpenWrt forum](https://forum.openwrt.org/t/support-for-xiaomi-mi-router-4c-r4cm/36418/31). User [AddaxSoft](https://github.com/acecilia/OpenWRTInvasion/issues/73) claims that exploit version `0.0.1` works on firmware version `2.14.87`. Find [here](https://github.com/acecilia/OpenWRTInvasion/issues/89) a troubleshooting guide for this router.
* Mi Router 3Gv2: user [Massimiliano Mangoni](massimiliano.mangoni@gmail.com) claims that this method also works on firmware version `2.28.8` (message posted in Slack).
* Mi Router 4Q (aka R4C): user cadaverous claims that this method also works on firmware version `2.28.48` (message posted in Slack), but because the router is mips architecture (not mipsel), he needed to use version `0.0.1` of the script (the other versions use a busybox binary built for the mipsel architecture to start the telnet server).
* MiWifi 3C: works on firmware versions `2.9.217`, `2.14.45` and `2.8.51_INT`: [OpenWrt forum](https://forum.openwrt.org/t/support-for-xiaomi-miwifi-3c/11643/23), [OpenWrt forum](https://forum.openwrt.org/t/support-for-xiaomi-miwifi-3c/11643/17).
* [Mi Router 4](https://www.mi.com/miwifi4): user [Firef0x](https://github.com/acecilia/OpenWRTInvasion/issues/21#issuecomment-748619870) claims that exploit version `0.0.1` works on firmware version `2.26.175`. User [AddaxSoft](https://github.com/acecilia/OpenWRTInvasion/issues/73) claims that exploit version `0.0.1` works on firmware version `2.18.62`.
* Xiaomi Mi R3P: user [lukasz1992](https://github.com/acecilia/OpenWRTInvasion/issues/58) claims that the exploit works with the Xiaomi Dev firmware.
* [Xiaomi 3Gv1](https://openwrt.org/toh/hwdata/xiaomi/xiaomi_miwifi_3g): user [krumelmonster](https://github.com/acecilia/OpenWRTInvasion/issues/68#issue-814768067) claims that exploit works with the stock firmware coming with the router.
* [AC2350 AIOT](https://www.mi.com/global/mi-aiot-router-ac2350/): user [dobosz23](https://github.com/acecilia/OpenWRTInvasion/issues/46#issuecomment-774784301) claims that exploit version `0.0.6` works on firmware version `1.3.8CN`.
## Xiaomi 4A Gigabit Global Edition
### Firmwares
This repository contains the following firmwares:
* Official Xiaomi - `2.28.62` - in Chinese. MD5: `a3db7f937d279cf38c2a3bec09772d65`
  * URL in this repository: https://github.com/acecilia/OpenWRTInvasion/raw/master/firmwares/stock/miwifi_r4a_firmware_72d65_2.28.62.bin
* Official Xiaomi - `3.0.24` - in English. MD5: `9c4a60addaad76dc13b6df6b4ac03233`
  * URL in this repository: https://github.com/acecilia/OpenWRTInvasion/raw/master/firmwares/stock/miwifi_r4a_all_03233_3.0.24_INT.bin
  * URL in the official Xiaomi site: http://cdn.awsde0-fusion.fds.api.mi-img.com/xiaoqiang/rom/r4a/miwifi_r4a_all_03233_3.0.24_INT.bin
If you have a pending update for your Xiaomi stock firmware, you can check its MD5 hash and download URL by navigating to:
```
http://192.168.31.1/cgi-bin/luci/;stok=<stok>/api/xqsystem/check_rom_update
```
### Install OpenWrt
When installing OpenWrt on the Xiaomi 4A Gigabit, there are several options. **Note that there isn't a stable release for it yet, which means that the firmware may be unstable**:
* One of the images listed in the [official OpenWrt wiki page](https://openwrt.org/inbox/toh/xiaomi/xiaomi_mi_router_4a_gigabit_edition)
* Build your own image with `imagebuilder`, using the latest source code on `master`:
```shell
docker pull openwrtorg/imagebuilder:ramips-mt7621-master
docker run --rm -v "$(pwd)"/bin/:/home/build/openwrt/bin -it openwrtorg/imagebuilder:ramips-mt7621-master
make PROFILE=xiaomi_mir3g-v2 image # Run inside the container shell opened by the previous command; the image lands in ./bin on the host
```
* Wait until there is a stable release of OpenWrt
If **after reading the text above** you still want to proceed, log in to the router through telnet and run the following commands:
```shell
cd /tmp
curl https://raw.githubusercontent.com/acecilia/OpenWRTInvasion/master/firmwares/OpenWrt/06-06-2020/openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin --output firmware.bin # Put here the URL you want to use to download the firmware
./busybox sha256sum firmware.bin # Verify the firmware checksum before flashing, very important to avoid bricking your device!
mtd -e OS1 -r write firmware.bin OS1 # Install OpenWrt
```
This will install the snapshot version of OpenWrt (without LuCI). You can now use SSH to connect to the router (and install LuCI if you prefer it).
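The three checks this page leans on (grabbing the `stok` from the admin URL, building the `check_rom_update` URL, and verifying a firmware digest before `mtd write`) fit in one small host-side script. The block below is an added example and is not part of the OpenWRTInvasion project; the admin URL shape it parses and the `deadbeef…` token are constructed. It does not parse the JSON returned by `check_rom_update`, since the field names are not given on this page. It also picks the hash algorithm from the digest length (32 hex characters is MD5, as Xiaomi publishes; 64 is SHA-256, as OpenWrt publishes), which is the check that catches a mislabelled hash, and it probes the telnet/FTP ports the exploit is supposed to bring up.

```python
"""Pre-flash and post-exploit checks for the OpenWRTInvasion workflow.

Added example, not project code. Assumptions: the admin URL contains ';stok=<hex>',
the router exposes telnet on 23 and FTP on 21 after the exploit, and published
digests are MD5 (32 hex chars) or SHA-256 (64 hex chars).
"""
import hashlib
import re
import socket

# Digest length identifies the algorithm: 128-bit MD5 -> 32 hex chars,
# 256-bit SHA-256 -> 64 hex chars. Anything else is not one of the two.
_DIGEST_BY_HEX_LEN = {32: "md5", 64: "sha256"}


def extract_stok(admin_url):
    """Return the stok from a logged-in MiWiFi admin URL such as
    http://192.168.31.1/cgi-bin/luci/;stok=<hex>/web/home (constructed form)."""
    match = re.search(r";stok=([0-9a-fA-F]+)", admin_url)
    if match is None:
        raise ValueError("no ';stok=' in URL: log in to the admin interface first")
    return match.group(1)


def rom_update_url(router_ip, stok):
    """Endpoint the README gives for the pending update's MD5 and download URL."""
    return f"http://{router_ip}/cgi-bin/luci/;stok={stok}/api/xqsystem/check_rom_update"


def digest_algorithm(expected_hex):
    """Map a hex digest to its hashlib name, or None if it is not MD5/SHA-256 sized."""
    if not re.fullmatch(r"[0-9a-fA-F]+", expected_hex):
        return None
    return _DIGEST_BY_HEX_LEN.get(len(expected_hex))


def matches_digest(data, expected_hex):
    """True if `data` hashes to `expected_hex` under the algorithm implied by its length."""
    algo = digest_algorithm(expected_hex)
    if algo is None:
        raise ValueError(f"digest {expected_hex!r} is neither MD5 (32 hex) nor SHA-256 (64 hex)")
    return hashlib.new(algo, data).hexdigest() == expected_hex.lower()


def verify_image(path, expected_hex):
    """Read a firmware image (these are <= 16 MiB) and compare it with the published digest.
    Only hand the file to `mtd write` when this returns True."""
    with open(path, "rb") as fh:
        return matches_digest(fh.read(), expected_hex)


def service_up(host, port, timeout=2.0):
    """TCP connect check; False on refusal, timeout or a sandbox with no networking."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def post_exploit_status(router_ip):
    """Which of the two services the exploit should have started are reachable."""
    return {"telnet": service_up(router_ip, 23), "ftp": service_up(router_ip, 21)}


if __name__ == "__main__":
    import sys

    if len(sys.argv) != 4:
        sys.exit("usage: checks.py <admin_url_with_stok> <firmware.bin> <expected_hex_digest>")
    admin_url, image, digest = sys.argv[1:]
    router_ip = re.match(r"https?://([^/]+)", admin_url).group(1)
    print("check_rom_update:", rom_update_url(router_ip, extract_stok(admin_url)))
    print("services:", post_exploit_status(router_ip))
    print("image digest OK" if verify_image(image, digest) else "DIGEST MISMATCH: do not flash")
```

Run it on the host after the exploit, with the URL you copied from the browser, the image you intend to flash, and the digest from the forum post or from `check_rom_update`; a mismatch means the download is the wrong file or was truncated, and `mtd -e OS1 -r write` on it is how devices get bricked.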
### Performance
Some users have reported worse Wi-Fi performance on OpenWrt than on the stock firmware. See the following links:
* [OpenWrt forum](https://forum.openwrt.org/t/xiaomi-mi-router-4a-gigabit-edition-r4ag-r4a-gigabit-fully-supported-but-requires-overwriting-spi-flash-with-programmer/36685/430)
* [OpenWrt forum](https://forum.openwrt.org/t/xiaomi-mi-router-4a-gigabit-edition-r4ag-r4a-gigabit-fully-supported-but-requires-overwriting-spi-flash-with-programmer/36685/431)
* [OpenWrt forum](https://forum.openwrt.org/t/xiaomi-mi-router-4a-gigabit-edition-r4ag-r4a-gigabit-fully-supported-but-requires-overwriting-spi-flash-with-programmer/36685/451)
## For more info and support go to:
* [OpenWrt forum thread](https://forum.openwrt.org/t/xiaomi-mi-router-4a-gigabit-edition-r4ag-r4a-gigabit-fully-supported-but-re
Xiaomi 4A 100M edition OpenWrt flashing tool, firmware, telnet executables and necessary backup files
Uploaded 2023-01-18 11:01:51 by skwovo; 190.72MB ZIP, 120 files (pyd: 18, bin: 12, txt: 10).
Contents: Python installation files, official firmware, OpenWrt firmware, telnet executables, factory backup files and some related operating instructions.
Package directory (120 files):
python37._pth 79B
2.start_write_uboot_R4AGE.bat 45B
5.start_download_openwrt.bat 45B
9.start_restore_backup.bat 43B
1.start_create_backup.bat 42B
4.start_add_english.bat 40B
start_ftp_server.bat 39B
5.start_write_OS.bat 37B
0.start_main.bat 33B
backup.bin 16MB
【Lean】2021-3-17openwrt-ramips-mt76x8-xiaomi_mir4a-100m-squashfs-sysupgrade.bin 14.5MB
miwifi_r4a_all_03233_3.0.24_INT.bin 14.14MB
miwifi_r4a_firmware_72d65_2.28.62.bin 12.75MB
EN.2.28.132.bin 12.56MB
miwifi_r4ac_firmware_e9eec_2.18.58.bin 10MB
openwrt-22.03.3-ramips-mt76x8-xiaomi_mi-router-4a-100m-intl-initramfs-kernel.bin 5.39MB
openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin 3.75MB
ubootR4AGE.bin 140KB
bootloader.bin 128KB
breed.bin 88KB
eeprom.bin 64KB
busybox-mipsel 1.55MB
dropbearStaticMipsel.tar.bz2 317KB
WinSCP.com.baiduyun.downloading.cfg 0B
license.txt.baiduyun.downloading.cfg 0B
WinSCP.ini.baiduyun.downloading.cfg 0B
WinSCP.chs.baiduyun.downloading.cfg 0B
WinSCP.exe.baiduyun.downloading.cfg 0B
WinSCP.chs 1.37MB
WinSCP.com 279KB
python37.dll 3.58MB
libcrypto-1_1.dll 3.23MB
sqlite3.dll 1.21MB
libssl-1_1.dll 670KB
python3.dll 58KB
Dockerfile 165B
.dockerignore 44B
WinSCP.exe.baiduyun.downloading 25.6MB
WinSCP.chs.baiduyun.downloading 1.37MB
WinSCP.com.baiduyun.downloading 279KB
license.txt.baiduyun.downloading 37KB
WinSCP.ini.baiduyun.downloading 18KB
python-3.6.2.exe 29.09MB
WinSCP.exe 25.6MB
python.exe 98KB
pythonw.exe 97KB
exploit-001.gif 1.1MB
exploit-002.gif 866KB
.gitignore 7B
main.tar.gz 96KB
payload.tar.gz 2KB
payload.tar.gz 617B
WinSCP.ini 18KB
profiles.json 558B
base.en.lmo 60KB
base.en.lmo 60KB
base.ko-kr.lmo 47KB
base.zh-hk.lmo 20KB
base.zh-tw.lmo 20KB
firewall.zh-hk.lmo 6KB
firewall.zh-cn.lmo 6KB
firewall.zh-tw.lmo 6KB
luci 781B
openwrt-ramips-mt7621-xiaomi_mir3g-v2-xiaomi_mir3g-v2.manifest 2KB
README.md 10KB
README.md 230B
README.md 159B
otapredownload 10KB
readme-001.png 108KB
remote_command_execution_vulnerability.py 3KB
main.py 2KB
writeOS.py 2KB
restorebackup.py 1KB
createbackup.py 1KB
addenglish.py 1016B
writeubootR4AGE.py 955B
set_english.py 838B
ftpserver.py 350B
downloadopenwrt.py 253B
unicodedata.pyd 1.02MB
_decimal.pyd 265KB
_lzma.pyd 249KB
_elementtree.pyd 203KB
pyexpat.pyd 198KB
_ctypes.pyd 130KB
_ssl.pyd 118KB
_bz2.pyd 93KB
_sqlite3.pyd 87KB
_socket.pyd 75KB
_asyncio.pyd 72KB
_overlapped.pyd 45KB
_msi.pyd 39KB
_hashlib.pyd 38KB
_multiprocessing.pyd 29KB
_queue.pyd 28KB
winsound.pyd 28KB
select.pyd 27KB
script.sh 3KB
flashos.sh 1KB
flashall.sh 1KB