Root shell exploit for several Xiaomi routers: 4A Gigabit, 4A 100M, 4, 4C, 3Gv2, 4Q, miWifi 3C...

acecilia/OpenWRTInvasion

Root shell exploit for the router Xiaomi 4A Gigabit Global Edition, firmware version 2.28.132

How to run

NOTE: FROM VERSION 0.0.2 THE ROUTER NEEDS INTERNET ACCESS. If you need to run the exploit without internet access, please try version 0.0.1. Find the versions here: https://github.com/acecilia/OpenWRTInvasion/releases

pip3 install -r requirements.txt # Install requirements
python3 remote_command_execution_vulnerability.py # Run the script

After that, a telnet server will be up and running on the router. You can connect to it by running:

telnet <router_ip_address>
  • User: root
  • Password: none (just hit enter)

The script also starts an FTP server on port 21, so you can access the filesystem with a GUI client (for example Cyberduck).

Install OpenWrt

After logging in to the router through telnet, run:

cd /tmp
curl -O https://downloads.openwrt.org/snapshots/targets/ramips/mt7621/openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin # Download firmware
./busybox sha256sum openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin # Verify the firmware checksum before flashing, very important to avoid bricking your device!
mtd -e OS1 -r write openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin OS1 # Install OpenWrt

This will install the snapshot version of OpenWrt (without LuCI). You can now use ssh to connect to the router (and install LuCI if you prefer it).
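The checksum line in the steps above computes the hash but does not say what to compare it with: OpenWrt publishes a sha256sums file in the same directory as the image. The script below is an added example and not code from the OpenWRTInvasion repository; it looks up the expected hash in that file, verifies the downloaded image, and only then runs the mtd write from the steps above. It assumes the ./busybox binary in /tmp that the instructions use, falling back to the system sha256sum elsewhere.

```sh
# Added example, not part of the OpenWRTInvasion repository: verify the OpenWrt
# sysupgrade image against the published sha256sums file before flashing.
IMAGE_URL="https://downloads.openwrt.org/snapshots/targets/ramips/mt7621/openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin"
SUMS_URL="https://downloads.openwrt.org/snapshots/targets/ramips/mt7621/sha256sums"

# The stock firmware's shell has no sha256sum; the instructions run the one in the
# ./busybox binary placed in /tmp (assumption: it is present when run on the router).
sha256_of() {
    if [ -x ./busybox ]; then
        ./busybox sha256sum "$1" | cut -d' ' -f1
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Print the published hash for a file name. sha256sums lines look like
# "<hex> *<filename>"; '*' is the binary-mode marker, so strip it and require an
# exact name match (a substring grep could pick a different image).
expected_sha256() {
    while read -r hash name || [ -n "$hash" ]; do
        name=${name#\*}
        if [ "$name" = "$2" ]; then
            printf '%s\n' "$hash"
            return 0
        fi
    done < "$1"
    return 1
}

# Return 0 only when the local file's hash equals the published one.
verify_firmware() {
    image=$1; sums=$2; base=$(basename "$image")
    want=$(expected_sha256 "$sums" "$base") || { echo "no entry for $base in $sums" >&2; return 2; }
    have=$(sha256_of "$image")
    if [ "$have" = "$want" ]; then
        echo "checksum OK: $have"
        return 0
    fi
    echo "CHECKSUM MISMATCH for $base: have $have, want $want; not flashing" >&2
    return 1
}

# The install steps from above, gated on the check; run from the telnet shell.
# Nothing is written to flash if verification fails.
flash_openwrt() {
    cd /tmp || return 1
    curl -O "$IMAGE_URL" && curl -O "$SUMS_URL" || return 1
    verify_firmware "$(basename "$IMAGE_URL")" sha256sums || return 1
    mtd -e OS1 -r write "$(basename "$IMAGE_URL")" OS1
}
```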

Other supported routers or firmware versions

  • MiRouter 4A Gigabit: user ksc91u claims that this method also works on firmware version 2.28.62: OpenWrt forum.
  • MiRouter 4A 100M (non gigabit): user morhimi claims that this method works on firmware version 2.18.51: OpenWrt forum. User Jeffpeng claims that this method works on firmware version 2.18.58: OpenWrt forum.
  • MiRouter 4C: user Jeffpeng claims that this method works on firmware version 2.14.81: OpenWrt forum.
  • Mi Router 3Gv2: user Massimiliano Mangoni claims that this method also works on firmware version 2.28.8 (message posted in Slack).

For more info and support go to:

If you brick your device

User micky0867 has the solution you are looking for here: OpenWrt forum

Acknowledgments

  • Original vulnerabilities and exploit: UltramanGaia
  • Instructions to install OpenWrt after exploit execution: rogerpueyo
  • Testing and detailed install instructions: hey07

Demo

Version 0.0.2 and higher: telnet


Version 0.0.1: netcat (legacy)
