RADIUSdesk

Trace:

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
2021:xiaomi_flash [2021/10/20 09:24] – [Finding the stok code on the router] admin2021:xiaomi_flash [2021/11/03 15:43] (current) – [Flashing the new firmware] admin
Line 26: Line 26:
 ===== Finding the stok code on the router ===== ===== Finding the stok code on the router =====
   * This section will show a couple of screenshots from the Xiaomi 4C router to get to the **stok** code needed when using **OpenWRTInvasion**.   * This section will show a couple of screenshots from the Xiaomi 4C router to get to the **stok** code needed when using **OpenWRTInvasion**.
-  * These routers are easy to source in most countries. I got one from a local online store in South Africa for ~5USD delivered to my door.+  * These routers are easy to source in most countries. I got one from a local online store in South Africa for ~15USD delivered to my door.
   * I connected the WAN port to my TLE router and connected my laptop to the LAN side of the 4C.   * I connected the WAN port to my TLE router and connected my laptop to the LAN side of the 4C.
  
Line 40: Line 40:
 {{ :2021:xiaomi_w3.png?nolink |}} {{ :2021:xiaomi_w3.png?nolink |}}
  
-  * Once it is selected you can hit the **Try in now** button again.+  * Once it is selected you can hit the **Try it now** button again.
  
 {{ :2021:xiaomi_w4.png?nolink |}} {{ :2021:xiaomi_w4.png?nolink |}}
Line 56: Line 56:
 {{ :2021:xiaomi_w7.png?nolink |}} {{ :2021:xiaomi_w7.png?nolink |}}
  
-  * Here we are logged in. As you can see in the URL Address bar the query string has an item called **stok** which you will use with **OpenWRTInvasion** +  * Here we are logged in. 
-  * Note that this value changes with each session so if you rebooted the router or logged out and then log in agin the value will be different.+  * As you can see in the URL Address bar there is a query string with an item called **stok** which you will use with **OpenWRTInvasion** 
 +  * Note that this value changes with each session so if you rebooted the router or logged out and then log in again the value will be different.
   * Only the most recent value will work with **OpenWRTInvasion**   * Only the most recent value will work with **OpenWRTInvasion**
  
Line 63: Line 64:
  
 ===== Invading the Router ===== ===== Invading the Router =====
-  * We assume you are on a working installation of Ubuntu 20.04.+  * We assume you have an installation of Ubuntu 20.04.
   * Make sure python3-pip and git is installed   * Make sure python3-pip and git is installed
 <code bash> <code bash>
Line 74: Line 75:
 git clone https://github.com/acecilia/OpenWRTInvasion.git git clone https://github.com/acecilia/OpenWRTInvasion.git
 </code> </code>
-  * Install the requirements and run it. You will need Admin rights to run the program else if will not work.+  * Install the requirements and run it. You will need Admin rights to run the program else it will not work.
 <code bash> <code bash>
 cd OpenWRTInvasion/ cd OpenWRTInvasion/
Line 82: Line 83:
 </code> </code>
   * This will start the program and ask two questions for it to complete the invasion   * This will start the program and ask two questions for it to complete the invasion
-        * Router IP address. The default as stated and specified will be 192.168.31.1. +        * **Router IP address**. The default as stated and specified will be 192.168.31.1. 
-        * Stok value. This is the value shown after you went through the initial setup wizard of the router.+        * **Stok value**. This is the value shown after you went through the initial setup wizard of the router.
         * Mine was http://192.168.31.1/cgi-bin/luci/;stok=c047480902024ca71370a39eace78b36/web/home#router.         * Mine was http://192.168.31.1/cgi-bin/luci/;stok=c047480902024ca71370a39eace78b36/web/home#router.
         * Note that this value is generated on the fly and changes next time the router boots again.         * Note that this value is generated on the fly and changes next time the router boots again.
- 
  
 <code bash> <code bash>
Line 107: Line 107:
 ===== Flashing the new firmware ===== ===== Flashing the new firmware =====
  
-  * Please note that the router is fairly robust and things have to go South very badly for the router to be hard bricked+  * As you can see from the snippet above there are a couple ways of reaching the invaded router. 
-  * So don't be to nervous when flashing the router as you always restore it again.+  * Please note that the router is fairly robust making it almost impossible hard brick the router. 
 +  * //Don't be to nervous when flashing the router as you always restore it again.//
   * We will    * We will 
-        * Telnet into the router +        * SCP the firmware image onto the router 
-        * Download the firmware image we want to install +        * SSH into the router 
-        * write it to the OS1 flash partition+        * Write the firmware to the OS1 flash partition using the **mtd** program
-  * To download the firmware image we use **wget**.  +  * Copy the firmware file to the router.  
-  * Unfortunately this version of wget can not download from HTTPS websites+ 
-  For this reason we also installed **NGINX** on the Ubuntu machine where we installed OpenWRTInvasion. (Not in these instructions, but easy to get elsewhere) + 
-  * We will then copy the firmware files to the webroot directory where **NGINX** serves its content from to fetch it locally.+<wrap em>**!! Please change the name of the firmware file to match yours !!**</wrap> 
 <code bash> <code bash>
-system@one:~/Documents/xiaomi_flash/OpenWRTInvasion$ telnet 192.168.31.1 +scp -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null openwrt-ramips-mt7621-xiaomi_mi-router-4a-gigabit-squashfs-sysupgrade.bin  root@192.168.31.1:/tmp 
-Trying 192.168.31.1... +</code> 
-Connected to 192.168.31.1. +  * SSH into the device 
-Escape character is '^]'.+
  
-XiaoQiang login: root +<wrap em>**!! Here also change the name of the firmware file to match yours !!**</wrap>
-Password: +
  
 +<code bash>
 +ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null root@192.168.31.1
  
 BusyBox v1.19.4 (2019-06-28 10:13:42 UTC) built-in shell (ash) BusyBox v1.19.4 (2019-06-28 10:13:42 UTC) built-in shell (ash)
Line 144: Line 146:
  
 root@XiaoQiang:~# cd /tmp root@XiaoQiang:~# cd /tmp
-root@XiaoQiang:/tmp# wget http://192.168.31.152/openwrt-ramips-mt7621-xiaomi_mi-router-4a-gigabit-squashfs-sysupgrade.bin 
-Connecting to 192.168.31.152 (192.168.31.152:80) 
-openwrt-ramips-mt762 100% |*********************************************************************************************************************************************************************************|  7425k  0:00:00 ETA 
 root@XiaoQiang:/tmp# mv openwrt-ramips-mt7621-xiaomi_mi-router-4a-gigabit-squashfs-sysupgrade.bin openwrt.bin root@XiaoQiang:/tmp# mv openwrt-ramips-mt7621-xiaomi_mi-router-4a-gigabit-squashfs-sysupgrade.bin openwrt.bin
 root@XiaoQiang:/tmp# mtd -e OS1 -r write openwrt.bin OS1 root@XiaoQiang:/tmp# mtd -e OS1 -r write openwrt.bin OS1
Line 159: Line 158:
   * Now you can try out your new firmware.   * Now you can try out your new firmware.
   * If things however did now work according to plan the next section is for you.   * If things however did now work according to plan the next section is for you.
 +
 +===== De-Bricking The Xiaomi Router =====
 +  * There is an awesome write-up with some YouTube videos on how to de-brick and restore the router's original firmware.
 +  * https://hoddysguides.com/xiaomi-debrick-tools-all/
 +  * One point if interest is if you run a Linux environment you can simply install **Wine** and run the **pxesrv.exe** program as root.
 +<code bash>
 +sudo wine pxesrv.exe
 +</code>
 +
  
  
Last modified: 2021/10/20 09:24