NOTE: FROM VERSION 0.0.2 THE ROUTER NEEDS INTERNET ACCESS. If you need to run the exploit without internet access, please try version 0.0.1. Find the versions here: https://github.com/acecilia/OpenWRTInvasion/releases
```shell
pip3 install -r requirements.txt # Install requirements
python3 remote_command_execution_vulnerability.py # Run the script
```
After that, a telnet server will be up and running on the router. You can connect to it by running:
```shell
telnet <router_ip_address>
```
- User: root
- Password: none (just hit enter)
The script also starts an FTP server on port 21, so you can access the filesystem using a GUI client (for example Cyberduck).
After logging in to the router through telnet, run:
```shell
cd /tmp
curl -O https://downloads.openwrt.org/snapshots/targets/ramips/mt7621/openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin # Download firmware
./busybox sha256sum openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin # Verify the firmware checksum before flashing, very important to avoid bricking your device!
mtd -e OS1 -r write openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin OS1 # Install OpenWrt
```
This will install the snapshot version of OpenWrt (without LuCI). You can now use ssh to connect to the router (and install LuCI if you prefer it).
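The checksum step above only prints a digest and leaves the comparison to the reader. The following script is an added example, not part of the original README or the project's code: it compares the image against a `sha256sums`-style manifest and returns non-zero on mismatch. It assumes a manifest in the `<digest> *<filename>` line format was downloaded alongside the image; `verify_firmware`, `expected_sum` and `demo` are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the OpenWRTInvasion project): check a firmware image
# against a "<sha256 digest> *<filename>" manifest before writing it to flash.
# verify_firmware, expected_sum and demo are hypothetical helper names.

# Hash command; on the router use SHA256_CMD="./busybox sha256sum".
SHA256_CMD="${SHA256_CMD:-sha256sum}"

# expected_sum MANIFEST FILENAME: print the digest listed for FILENAME, if any.
expected_sum() {
    while read -r sum name || [ -n "$sum" ]; do
        name="${name#\*}"                 # drop the binary-mode marker
        if [ "$name" = "$2" ]; then echo "$sum"; return 0; fi
    done < "$1"
    return 0
}

# verify_firmware IMAGE MANIFEST
# returns 0 on match, 1 on digest mismatch, 2 if unreadable or not listed.
verify_firmware() {
    image="$1"; manifest="$2"
    if [ ! -r "$image" ] || [ ! -r "$manifest" ]; then
        echo "cannot read image or manifest" >&2; return 2
    fi
    want=$(expected_sum "$manifest" "${image##*/}")
    if [ -z "$want" ]; then
        echo "no manifest entry for ${image##*/}" >&2; return 2
    fi
    got=$($SHA256_CMD "$image") || return 2
    got="${got%% *}"                      # keep only the digest field
    if [ "$got" != "$want" ]; then
        echo "MISMATCH ${image##*/}: expected $want, got $got" >&2; return 1
    fi
    echo "OK ${image##*/}"
}

# demo: constructed sample data, showing an accepted and a rejected image.
demo() {
    dir=$(mktemp -d) || return 2
    printf 'constructed firmware bytes\n' > "$dir/sample.bin"
    sum=$($SHA256_CMD "$dir/sample.bin"); sum="${sum%% *}"
    printf '%s *sample.bin\n' "$sum" > "$dir/sha256sums"
    verify_firmware "$dir/sample.bin" "$dir/sha256sums"
    printf 'truncated' > "$dir/sample.bin"          # simulate a bad download
    verify_firmware "$dir/sample.bin" "$dir/sha256sums" || echo "refusing to flash"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On the router, set `SHA256_CMD="./busybox sha256sum"` and run the `mtd` write only when `verify_firmware` returns 0.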
- MiRouter 4A Gigabit: user ksc91u claims that this method also works on firmware version 2.28.62: OpenWrt forum.
- MiRouter 4A 100M (non gigabit): user morhimi claims that this method works on firmware version 2.18.51: OpenWrt forum. User Jeffpeng claims that this method works on firmware version 2.18.58: OpenWrt forum.
- MiRouter 4C: user Jeffpeng claims that this method works on firmware version 2.14.81: OpenWrt forum.
- Mi Router 3Gv2: user Massimiliano Mangoni claims that this method also works on firmware version 2.28.8 (message posted in Slack).
User micky0867 has the solution you are looking for here: OpenWrt forum
- Original vulnerabilities and exploit: UltramanGaia
- Instructions to install OpenWrt after exploit execution: rogerpueyo
- Testing and detailed install instructions: hey07