RADIUSdesk

Flash Instructions for Xiaomi Routers

Introduction

  • In the past it was quite a mission to get OpenWrt flashed onto Xiaomi routers.
  • That changed drastically with the availability of OpenWRTInvasion.
  • The following instructions apply to the 4A Gigabit Edition, 4A 100M Edition and 4C models.
  • Since many older instructions are still floating around on the Internet, it can initially be confusing to find a working set.
  • The instructions on the OpenWrt Wiki for the 4C are the best and to the point.
  • The instructions on this page are based on them.

Overview

  • It is always good to understand what is actually happening when you do something, so that when things go wrong you are better placed to troubleshoot.
  • With the latest version of OpenWRTInvasion you will need to:
    • Connect the Xiaomi router to the Internet (using the WAN port).
    • Connect your computer (ours is running Ubuntu 20.04) to the LAN.
    • The Xiaomi router uses the subnet 192.168.31.x on the LAN by default.
    • The Xiaomi router listens on 192.168.31.1.
  • OpenWRTInvasion exploits the stock Xiaomi firmware and downloads a few utilities from the Internet onto the router itself.
  • This is why the router needs Internet access.
  • For the invasion to work you need a special key (the stok value) from the Xiaomi router. This is the session token the stock web UI issues after you log in at http://192.168.31.1; it appears in the browser URL as ;stok=<hex>. Treat it like the admin password: anyone holding it can administer the router for the life of that session.
  • Once the invasion is complete you will be able to ssh or telnet into the Xiaomi router.
  • You can then download and flash OpenWrt onto the router using the mtd command.
  • If things go wrong there is an easy way to reinstall the original Xiaomi firmware on the device and start from scratch.
  • This makes the devices very forgiving.

Invading the Router

  • We assume you are on a working installation of Ubuntu 20.04.
  • Make sure python3-pip and git are installed
sudo apt-get install python3-pip git 
  • Create a working directory where you can checkout OpenWRTInvasion
mkdir xiaomi_flash
cd xiaomi_flash/
git clone https://github.com/acecilia/OpenWRTInvasion.git
  • Install the requirements and run it. You will need root (sudo) rights to run the program, otherwise it will not work.
cd OpenWRTInvasion/
#Important to run as superuser
sudo pip3 install -r requirements.txt # Install requirements
sudo python3 remote_command_execution_vulnerability.py
  • This will start the program and ask two questions before it carries out the invasion:
Router IP address [press enter for using the default 192.168.31.1]: 
stok: c047480902024ca71370a39eace78b36
****************
router_ip_address: 192.168.31.1
stok: c047480902024ca71370a39eace78b36
****************
start uploading config file...
start exec command...
done! Now you can connect to the router using several options: (user: root, password: root)
* telnet 192.168.31.1
* ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null root@192.168.31.1
* ftp: using a program like cyberduck
  • The invasion is now complete and you should be able to access the router.
  • Note that it takes ~2-3 minutes for the invasion to complete.
  • The router is now running telnet, ftp and ssh on the LAN with the credentials root/root. The ssh line above has to enable the legacy diffie-hellman-group1-sha1 and 3des-cbc algorithms (and disables host-key checking) because the SSH server on the stock firmware is old. Do not leave the device in this state on a network you do not control; flash OpenWrt as soon as you have a shell.
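The following script is an added helper for the procedure above; it is not part of this page or of OpenWRTInvasion. It pulls the stok out of the post-login web UI URL, validates its format against the 32-character hex value shown in the sample run, checks before the run that the router's web UI is reachable on 192.168.31.1, and checks afterwards that the telnet/ssh/ftp services the tool opens are actually listening. It assumes nc (netcat) is installed on the Ubuntu box and that the stock web UI puts the token in the URL as ;stok=<hex> after login.

```shell
#!/bin/sh
# Added helper (not part of the RADIUSdesk page or of OpenWRTInvasion).
# Assumptions: the stock LAN address 192.168.31.1 from the page, nc (netcat)
# installed on the Ubuntu box, and a stok copied from the ";stok=<hex>" part
# of the web UI URL you land on after logging in to the router.

ROUTER_IP="${ROUTER_IP:-192.168.31.1}"

# Extract the stok from a post-login web UI URL such as
# http://192.168.31.1/cgi-bin/luci/;stok=c047480902024ca71370a39eace78b36/web/home
stok_from_url() {
    printf '%s\n' "$1" | sed -n 's/.*;stok=\([0-9a-f]*\).*/\1/p'
}

# The stok in the sample run on the page is 32 lowercase hex characters; anything
# else is usually a truncated or mangled copy/paste.
valid_stok() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{32}$'
}

# TCP connect test with a 3 second timeout (nc -z: connect only, send no data).
port_open() {
    nc -z -w 3 "$1" "$2" 2>/dev/null
}

# Run before remote_command_execution_vulnerability.py: check the token format,
# that the router's web UI is reachable from this LAN, and whether it has been
# invaded already (telnet on 23 is one of the services the tool opens).
preflight() {
    stok="$1"
    if ! valid_stok "$stok"; then
        echo "stok '$stok' is not a 32-character hex token" >&2
        return 1
    fi
    if ! port_open "$ROUTER_IP" 80; then
        echo "no web UI on $ROUTER_IP:80; check the LAN cable and that this PC is on 192.168.31.x" >&2
        return 1
    fi
    if port_open "$ROUTER_IP" 23; then
        echo "telnet is already open on $ROUTER_IP; the router looks invaded already" >&2
    fi
    echo "ok: run 'sudo python3 remote_command_execution_vulnerability.py' and answer <enter> then $stok"
}

# Run ~2-3 minutes after the tool reports "done!": the services it opens
# (telnet 23, ssh 22, ftp 21) should now answer. Returns non-zero if none do.
postcheck() {
    open_count=0
    for port in 23 22 21; do
        if port_open "$ROUTER_IP" "$port"; then
            echo "port $port open on $ROUTER_IP"
            open_count=$((open_count + 1))
        else
            echo "port $port closed on $ROUTER_IP"
        fi
    done
    [ "$open_count" -gt 0 ]
}

# Usage: ./xiaomi_check.sh stok '<url>'   |   ./xiaomi_check.sh pre <stok>   |   ./xiaomi_check.sh post
case "${1:-}" in
    stok) stok_from_url "$2" ;;
    pre)  preflight "$2" ;;
    post) postcheck ;;
esac
```

Run `pre` with the stok before starting the invasion, and `post` a few minutes after the tool prints "done!"; if `post` reports every port closed, the router most likely could not reach the Internet to fetch the utilities, which is the most common reason the invasion silently fails.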