Not working R4A (Xiaomi 4a Gigabit) 2.30.20 #141
Comments
Seems your machine cannot connect to the router. I can't help much, as this depends on your network setup. My suggestion would be that you try to simplify your setup as much as possible.

This is not the issue, because I have no problem connecting to the router with DHCP or a manual IP (192.168.31.2). The network is also working perfectly with the modem connected to WAN. I also tried power cycling the router several times and running the script immediately upon bootup, no difference. I also tried in Windows 10 with Docker, no difference. My 4a Gigabit was manufactured 07/2022. Is there something I can check for you on the router itself?

Not really :( I do not have access to a router to test it out, I do not think I can help.

Same situation, all works well until connecting to the router with telnet or ssh, any solution? Thx.

Same situation, I tried to invade with several versions of this tool, but none of them could allow me to connect through telnet. I spent hours trying different versions; other guys, don't waste time on it, it won't work. I think I would get a refund on the router I bought, it disappointed me.

Version 3.0.10 is reported to work: #145

Added information to readme, thanks!
Maybe the security issue has been fixed officially. I uncommented the result of the upload code, and got the following error: it means "Couldn't unzip, the file is corrupt".

I've dumped the chip and will reverse engineer the differences and look for the reason and maybe a way to hack it again. The cgi-bin/upload file is the same, now I have to look at which file will be executed for the c_upload API endpoint. The hack is pretty simple, as long as we get a few files on the router.

Any update?

I am afraid it's not about c_upload; maybe testing net speed will not evaluate the command in the URL anymore, so it will be hard, or even impossible. Anyway, it's my opinion, good luck.

I will see what happens. If everything fails, we have to program the chip the hardcore way and downgrade it to a vulnerable firmware or OpenWRT directly.
So, I looked up what the vulnerable script was. It's /usr/bin/upload_speedtest, or was. The upload saved a file in /tmp/ named speedtest_urls.xml with the script, and /usr/bin/speedtest would execute the wget command, and that loaded the script. Sadly, the code changed. 2.28.69:

```lua
local filename = ""
```

To the new 2.30.20:

```lua
local filename = ""
```

And that's the reason the attack is not working anymore. (For non-coders: they did not load the /tmp file, they use the internal file that is in the firmware, and we can't change that.) I upload the bin dump of 2.30.20, and we could look for another bug, but atm our best solution would be downgrading the router to a vulnerable version or directly installing OpenWRT with a programmer.

Extracted dump with Binwalk (on Linux, you need root or sudo -s)

Direct bin dump from the chip

I also tried to activate the serial console, but it refused the new parameters, here is the serial console output

Changed uboot code:
Thanks for your efforts, and I can't make it work for the serial console, so the boot delay won't let you download a file from tftp?

Sadly no. First:

```
U-Boot 2018.09 (Feb 22 2022 - 03:57:56 +0000), Build: jenkins-common_router_openwrt_bash_ota_publish-73
CPU: MediaTek MT7621AT ver 1, eco 3
In: uartlite0@1e000c00
restore_defaults:
```

You see the "Warning - bad crc", this happens when I modify the bin dump and flash it onto the router and it boots. I've tried to downgrade the firmware to various versions; every time, the router downloads the img from my PC and then says "nope, magic hex number wrong" and stops there. I did not try a squash or root fs of OpenWRT though, but I guess it's the same issue. ATM, I'm searching for some bugs. I found something about the config backup: it's encrypted with AES, but the key in /squash-fs/etc/config/cfgbackup is just a hint, I need the cipher and whether a key or a salt is somewhere. The LUA files may have it, but I didn't find anything there yet. My hope is I can inject code via the upload of a config. But this will take some time. I'm unhappy myself, it's the second router in 2 weeks I can't get running with OpenWRT :(
I almost come here every day to see if there is any update. Waiting for your progress, my friend 👍

Me too

To anyone who is interested, here is my last thought about this, and maybe it's wrong, just for advice: the problem is not only about hacking into the system, but the 5g chip has changed (now mt7613ben), so the Openwrt firmware is not suitable anymore. We not only need the new hacking way, but also new firmware.

That would suck tbh, if the chip is not supported by the Linux kernel. We could ask in the OpenWrt forum for it, but so far I found no way around it. But I have more projects running, I can't put that much time into this. Making a 21.x image with the kernel driver would be something V3 needs. But that's maybe the reason why downgrading the firmware did not work.
Where can I download the 2.30.20 factory firmware?

So far, I didn't find a binary of it anywhere. I dumped my chip and that's it. But with the hardware changes, I guess you can't flash it back onto your chip.

Then 2.30.20 cannot downgrade to 2.28.69?

I guess not, because I couldn't do it with any method I found. I tried the tftp debricking version too. The box loads the image, but then stops and says "the magic number is wrong". Changing the binary image is not working btw, I tried and it recovered the default config. The bootloader is the problem here.

Then, could we re-flash the bootloader from a serial connection?

I don't know. I have a chip programmer to do it; you can also test my dump on your chip, or you can put a chip dump somewhere for me and I'll try it.
I just flashed my 4AG from openwrt back to the factory image via TFTP server; it failed on v3.0.24 (File too large! / Header check error!) but succeeded on v2.28.69, then I used OpenWRTInvasion OK!

This Breed broke your LEDs, so that it's always a faint blue light, but do not worry, just try 192.168.1.1 to enter the Breed GUI.

@mark4z @fengjiaqi927 R4AGv2 working openwrt bin file (except LED lights). @fengjiaqi927, mark4z is right, the BREED GUI is at 192.168.1.1, the Openwrt GUI is at 192.168.31.1. You are confusing the addresses.

The Xiaomi R4AGv2 router seems to be working with the Openwrt bin, but the LED lights are not working properly. Always faint blue lights turned on. Anyone know how to fix this issue?
Thanks! @MrTaiKe and @mark4z. You saved my life!!!! The gateway changed from 192.168.31.1 to 192.168.1.1! By the way, the password of the new image openwrt-ramips-mt7621-xiaomi_mi-router-4a-gigabit-v2-squashfs-sysupgrade.bin is

I want to download uci-app-bypass for the .bin you provided, but the kernel version is mismatched; can you build one for me if this problem is easy for you? I did not know how to build...... @MrTaiKe

```
Installing luci-app-bypass (git-23.303.44828-ba42a9a) to root...
```

The kernel information of the firmware is shown below:
@fengjiaqi927, the world should be better when people can help each other! 👍 I am new to Openwrt and I spent a lot of time trying to figure things out. That is painful. It's no big deal for a Taiwanese guy to help out a little 😊. Best luck to you!

@fengjiaqi927 I compiled a minimal version with luci-app-bypass. It took almost 3 hours. I am not sure why there is no sysupgrade bin, but there is also an ipk of luci-app-bypass. Perhaps you still can find it useful for now. Give it a try and let me know. https://github.com/MrTaiKe/Action_OpenWrt_Xiaomi_R4AGv2/actions/runs/3435975079 Hope it helps! (NOTE: I guess that I loaded too many themes, causing the image to be too big to produce sysupgrade.bin)
I opened Internet Information Services on my Windows 10 and put the packages you provided in the wwwroot dir.
Then I use

(The mirror source does not have this file, but it seems to have no effect, ignore the error.) Then I use

I searched the dependency packages in the local source you provided; the kernel version is 5.4.223, which is mismatched with the needed kernel version 5.10.153. I have no idea how to solve this error. I will try to build a firmware myself. Could you teach me how to build a R4AGv2 with passwall.ipk?
@fengjiaqi927

It seems that I still have a long way to go. And the video tends to teach how to install software on openwrt. But I want to learn how to build the ipk for the specified kernel and platform from the source code, or learn how to build a new sysupgrade.bin for the Xiaomi 4AGv2 with the specified kernel (then I can use the bypass with kernel 5.10.146-1-1 https://op.supes.top/packages/mipsel_24kc/kiddin9/luci-app-bypass_git-23.303.44828-ba42a9a_all.ipk)

@fengjiaqi927 Meanwhile, check this out, there are ipk files for passwall1, passwall2, bypass, built with kernel version 5.4.216. I also built a minimal version of kernel 5.4.216, which contains a sysupgrade.bin that you can flash onto your router. You probably could try something out from these two builds. Perhaps first flash sysupgrade.bin from 3447034491, and manually add ipks from 3449151089. Probably have to watch out for the ROM space limitation.... You probably can not have all ipks installed, or you will have to buy a device with larger ROM. BEST LUCK to you

@MrTaiKe It seems that the supported protocols are limited due to space constraints, e.g. v2ray. Anyway, let's put an end to this for now ~ I can use an SSR node alternatively

@fengjiaqi927

I rebooted my 4AGv2 and flashed the 3447034491.bin at first. Then I downloaded the packages in 3449151089 and tried to install by following these steps. A simple tutorial for installing packages locally:
Hello! Can you please also build ipk openvpn (openvpn-openssl and luci-app-openvpn) for kernel version 5.4.216?

@ivan-semkin-gismart, I tried to build one for you for kernel 5.4.216, but failed a few times. I was able to build one with 5.4.224; you can browse the folder "Luci" to find ipks etc... Hope that this could help you anyway.

@fengjiaqi927, 👍 Great!! Glad it all worked out smoothly!

@MrTaiKe I don't think that it will work due to kernel version mismatch. Can you maybe try to build wireguard-tools then? And luci-app-wireguard

@ivan-semkin-gismart, did you look into the zip file? It also has the sysupgrade.bin. It was a base system built ONLY with openvpn-openssl and luci-app-openvpn, a very slim bin (image). Perhaps you could use this bin to start with other ipk(s). Btw, I also wonder if you still could install them onto any kernel version with 5.4.xx? What do you think? If none of them works, let me know. I will try

@MrTaiKe thank you for the help, I was able to get openvpn working

@ivan-semkin-gismart, I am glad to hear it works. Here is also a link for wireguard ipk(s) with kernel 5.4.224

@MrTaiKe I was able to install it on 5.4.xx, I guess only kernel modules are completely incompatible (kmod-*)
I launched telnet up, using your way.. Nice Russian guy! 👍👍👍 But telnet login fails.. this is the telnet output copy

so what is your telnet root password, the words I wanna

I've broken 3 routers with the script without problem, so please try it and give me feedback. Maybe I have the time to reimplement the script a bit better, include the old attack, make it a bit more modular if they patch the backdoor one day and we have to use another approach.

Thanks, I have passed. Now I can "drive car" everywhere

tks

thx
Script appears to work, but ftp/ssh/telnet can not connect.
However, it gets stok automatically.
This is Ubuntu 20.04.3, completely stock.
I also tried option 2 to download the needed files from the remote github repository, no difference.
*Please note the Docker would not build correctly with either docker or sudo docker, so I git cloned OpenWRTInvasion and put my OpenWRT firmware in there.
Then I try

```
telnet 192.168.31.1
```

But I get

```
telnet: connect to address 192.168.31.1: Connection refused
```

Same with ssh and ftp.
I assume this person had success with this version 2.30.20, but their advice isn't clear.
#135 (comment)
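A small diagnostic that separates the two readings of this symptom in the thread ("your machine cannot connect to the router" versus "the router is reachable but the script never started the services"): a "Connection refused" is a TCP RST from a reachable host with nothing listening, while an unreachable router times out instead. This is an added example, not part of the issue or the OpenWRTInvasion project; the router address is the one from the post above and the ftp/ssh/telnet ports are the standard ones, both of them assumptions you may need to change.

```python
import socket
from typing import Dict

# Assumed targets: the router address used in the post above and the
# standard ports of the services OpenWRTInvasion is expected to start.
ROUTER_IP = "192.168.31.1"
SERVICES = {"ftp": 21, "ssh": 22, "telnet": 23}


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP connect attempt.

    "open"    - something accepted the handshake: a service is listening
    "refused" - the host answered with RST: reachable, but nothing listens
    "timeout" - no answer at all: wrong subnet, host down, or filtered
    "error"   - any other socket failure (no route, bad interface, ...)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "timeout"
        except OSError:
            return "error"


def diagnose(host: str = ROUTER_IP, services: Dict[str, int] = SERVICES) -> Dict[str, str]:
    """Probe every expected service once and return name -> state."""
    return {name: probe(host, port) for name, port in services.items()}


def interpret(results: Dict[str, str]) -> str:
    """Turn the per-port states into the conclusion that matters."""
    states = set(results.values())
    if "open" in states:
        return "reachable: at least one service is listening"
    if states == {"refused"}:
        return "reachable, but no service listens: the script did not start them"
    return "not reachable (timeout/error): check IP, interface and subnet first"


if __name__ == "__main__":
    result = diagnose()
    for name, state in result.items():
        print(f"{name:6s} {state}")
    print(interpret(result))
```

Run it from the machine that ran the script; an all-"refused" result means the network side is fine and the problem is on the router.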