RADIUSdesk

Trace:

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
2021:xiaomi_flash [2021/07/31 17:28] – [Invading the Router] admin2021:xiaomi_flash [2021/11/03 15:43] (current) – [Flashing the new firmware] admin
Line 11: Line 11:
 ==== Overview ==== ==== Overview ====
   * Its always good to understand actually what is happening when you do something so that when things do go wrong you will have a better ability to do troubleshooting.   * Its always good to understand actually what is happening when you do something so that when things do go wrong you will have a better ability to do troubleshooting.
-  * With the latest version of OpenWRTInvasion you need will need to+  * With the latest version of OpenWRTInvasion you need to
         *  Connect the Xiaomi router to the Internet (Using the WAN port)         *  Connect the Xiaomi router to the Internet (Using the WAN port)
         * Connect your computer (ours is running Ubuntu 20.04) to the LAN.         * Connect your computer (ours is running Ubuntu 20.04) to the LAN.
Line 23: Line 23:
   * If things go wrong there is an easy way to install the original Xiaomi firmware again onto the device and start from scratch.   * If things go wrong there is an easy way to install the original Xiaomi firmware again onto the device and start from scratch.
   * This makes the devices very robust.   * This makes the devices very robust.
 +
 +===== Finding the stok code on the router =====
 +  * This section will show a couple of screenshots from the Xiaomi 4C router to get to the **stok** code needed when using **OpenWRTInvasion**.
 +  * These routers are easy to source in most countries. I got one from a local online store in South Africa for ~15USD delivered to my door.
 +  * I connected the WAN port to my TLE router and connected my laptop to the LAN side of the 4C.
 +
 +{{ :2021:xiaomi_w1.png?nolink |}}
 +
 +  * The very first screen you are met with can be a bit confusing, since your natural reaction is to hit the **Try it now** button.
 +  * You however have to first select the country. So click the **Click to select** link to select the country first.
 +
 +{{ :2021:xiaomi_w2.png?nolink |}}
 +
 +  * Not all countries are listed in the select, so I choose **United Kingdom**
 +
 +{{ :2021:xiaomi_w3.png?nolink |}}
 +
 +  * Once it is selected you can hit the **Try it now** button again.
 +
 +{{ :2021:xiaomi_w4.png?nolink |}}
 +
 +  * On the **Internet guide** screen you can leave the default and click it through
 +
 +{{ :2021:xiaomi_w5.png?nolink |}}
 +
 +  * Provide a password for the router and Wireless and click next.
 +
 +{{ :2021:xiaomi_w6.png?nolink |}}
 +
 +  * Setup is now complete and you can log in using the password you just provided.
 +
 +{{ :2021:xiaomi_w7.png?nolink |}}
 +
 +  * Here we are logged in.
 +  * As you can see in the URL Address bar there is a query string with an item called **stok** which you will use with **OpenWRTInvasion**
 +  * Note that this value changes with each session so if you rebooted the router or logged out and then log in again the value will be different.
 +  * Only the most recent value will work with **OpenWRTInvasion**
 +
  
  
 ===== Invading the Router ===== ===== Invading the Router =====
-  * We assume you are on a working installation of Ubuntu 20.04.+  * We assume you have an installation of Ubuntu 20.04.
   * Make sure python3-pip and git is installed   * Make sure python3-pip and git is installed
 <code bash> <code bash>
Line 37: Line 75:
 git clone https://github.com/acecilia/OpenWRTInvasion.git git clone https://github.com/acecilia/OpenWRTInvasion.git
 </code> </code>
-  * Install the requirements and run it. You will need Admin rights to run the program else if will not work.+  * Install the requirements and run it. You will need Admin rights to run the program else it will not work.
 <code bash> <code bash>
 cd OpenWRTInvasion/ cd OpenWRTInvasion/
Line 45: Line 83:
 </code> </code>
   * This will start the program and ask two questions for it to complete the invasion   * This will start the program and ask two questions for it to complete the invasion
-        * Router IP address. The default as stated and specified will be 192.168.31.1. +        * **Router IP address**. The default as stated and specified will be 192.168.31.1. 
-        * Stok value. This is the value shown after you went through the initial setup wizard of the router.+        * **Stok value**. This is the value shown after you went through the initial setup wizard of the router.
         * Mine was http://192.168.31.1/cgi-bin/luci/;stok=c047480902024ca71370a39eace78b36/web/home#router.         * Mine was http://192.168.31.1/cgi-bin/luci/;stok=c047480902024ca71370a39eace78b36/web/home#router.
         * Note that this value is generated on the fly and changes next time the router boots again.         * Note that this value is generated on the fly and changes next time the router boots again.
- 
  
 <code bash> <code bash>
Line 70: Line 107:
 ===== Flashing the new firmware ===== ===== Flashing the new firmware =====
  
-  * Please note that the router is fairly robust and things have to go South very badly for the router to be hard bricked+  * As you can see from the snippet above there are a couple ways of reaching the invaded router. 
-  * So don't be to nervous when flashing the router as you always restore it again.+  * Please note that the router is fairly robust making it almost impossible hard brick the router. 
 +  * //Don't be to nervous when flashing the router as you always restore it again.//
   * We will    * We will 
-        * Telnet into the router +        * SCP the firmware image onto the router 
-        * Download the firmware image we want to install +        * SSH into the router 
-        * write it to the OS1 flash partition+        * Write the firmware to the OS1 flash partition using the **mtd** program
-  * To download the firmware image we use **wget**.  +  * Copy the firmware file to the router.  
-  * Unfortunately this version of wget can not download from HTTPS websites+ 
-  For this reason we also installed **NGINX** on the Ubuntu machine where we installed OpenWRTInvasion. (Not in these instructions, but easy to get elsewhere) + 
-  * We will then copy the firmware files to the webroot directory where **NGINX** serves its content from to fetch it locally.+<wrap em>**!! Please change the name of the firmware file to match yours !!**</wrap> 
 <code bash> <code bash>
-sudo python3 remote_command_execution_vulnerability.py +scp -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null openwrt-ramips-mt7621-xiaomi_mi-router-4a-gigabit-squashfs-sysupgrade.bin  root@192.168.31.1:/tmp 
-Router IP address [press enter for using the default 192.168.31.1]:  +</code> 
-stok: c047480902024ca71370a39eace78b36 +  * SSH into the device 
-**************** +
-router_ip_address: 192.168.31.1 +
-stok: c047480902024ca71370a39eace78b36 +
-**************** +
-start uploading config file... +
-start exec command... +
-done! Now you can connect to the router using several options: (user: root, password: root) +
-* telnet 192.168.31.1 +
-* ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null root@192.168.31.1 +
-* ftpusing a program like cyberduck +
-system@system-Lenovo-IdeaPad-Y510P:~/Documents/xiaomi_flash/OpenWRTInvasion$ telnet 192.168.31.1 +
-Trying 192.168.31.1... +
-Connected to 192.168.31.1. +
-Escape character is '^]'.+
  
-XiaoQiang login: root +<wrap em>**!! Here also change the name of the firmware file to match yours !!**</wrap>
-Password: +
  
 +<code bash>
 +ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null root@192.168.31.1
  
 BusyBox v1.19.4 (2019-06-28 10:13:42 UTC) built-in shell (ash) BusyBox v1.19.4 (2019-06-28 10:13:42 UTC) built-in shell (ash)
Line 120: Line 146:
  
 root@XiaoQiang:~# cd /tmp root@XiaoQiang:~# cd /tmp
-root@XiaoQiang:/tmp# wget http://192.168.31.152/openwrt-ramips-mt7621-xiaomi_mi-router-4a-gigabit-squashfs-sysupgrade.bin 
-Connecting to 192.168.31.152 (192.168.31.152:80) 
-openwrt-ramips-mt762 100% |*********************************************************************************************************************************************************************************|  7425k  0:00:00 ETA 
 root@XiaoQiang:/tmp# mv openwrt-ramips-mt7621-xiaomi_mi-router-4a-gigabit-squashfs-sysupgrade.bin openwrt.bin root@XiaoQiang:/tmp# mv openwrt-ramips-mt7621-xiaomi_mi-router-4a-gigabit-squashfs-sysupgrade.bin openwrt.bin
 root@XiaoQiang:/tmp# mtd -e OS1 -r write openwrt.bin OS1 root@XiaoQiang:/tmp# mtd -e OS1 -r write openwrt.bin OS1
 Unlocking OS1 ... Unlocking OS1 ...
 Erasing OS1 ... Erasing OS1 ...
 +</code> 
 +  * If all goes well the device will reboot.
 +  * Keep an eye on the orange LED if it flashes you're in business since it is related to OpenWRT.
 +  * While it flashes it means OpenWRT is busy creating its working filesystem on the flash chip.
 +  * Remember that devices with 128M flash will take longer to settle down eventually.
 +  * Once everything settles down you should have two blue LEDs.
 +  * Now you can try out your new firmware.
 +  * If things however did now work according to plan the next section is for you.
 +
 +===== De-Bricking The Xiaomi Router =====
 +  * There is an awesome write-up with some YouTube videos on how to de-brick and restore the router's original firmware.
 +  * https://hoddysguides.com/xiaomi-debrick-tools-all/
 +  * One point if interest is if you run a Linux environment you can simply install **Wine** and run the **pxesrv.exe** program as root.
 +<code bash>
 +sudo wine pxesrv.exe
 </code> </code>
 +
  
  
Last modified: 2021/07/31 17:28