```shell
# Install requirements
pip3 install -r requirements.txt
# Run the script
python3 remote_command_execution_vulnerability.py
```
After that, a telnet server will be up and running on the router. You can connect to it by running:
```shell
telnet <router_ip_address>
```
- User: root
- Password: none (just hit enter)
The script also starts an FTP server on port 21, so you can access the filesystem using a GUI client (for example, Cyberduck).
After logging in to the router through telnet, run:
```shell
cd /tmp
# Download firmware
curl -O https://downloads.openwrt.org/snapshots/targets/ramips/mt7621/openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin
# Verify the firmware checksum before flashing, very important to avoid bricking your device!
./busybox sha256sum openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin
# Erase the OS1 partition, write the image to it, then reboot
mtd -e OS1 -r write openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin OS1
```
This will install the snapshot version of OpenWrt (without LuCI). You can now use ssh to connect to the router (and install LuCI if you prefer it).
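The checksum step above only prints a hash; it still has to be compared with a published value. The following helper is an added example, not part of the original script: it assumes you have also downloaded the `sha256sums` file that OpenWrt publishes in the same download directory as the image. The function name `verify_image` and the `SHA256SUM` override variable are hypothetical.

```shell
# Added example (not from the original project).
# verify_image SUMS_FILE IMAGE
#   0 = hash matches the entry for IMAGE's file name in SUMS_FILE
#   1 = hash mismatch, 2 = unreadable input, 3 = no entry for this file name
# Assumption: on the stock firmware set SHA256SUM="./busybox sha256sum".
verify_image() {
    sums_file=$1
    image=$2
    name=${image##*/}
    expected=

    [ -r "$sums_file" ] || { echo "cannot read $sums_file" >&2; return 2; }
    [ -s "$image" ] || { echo "missing or empty image: $image" >&2; return 2; }

    # Lines look like "<64 hex digits> *<file name>"; match the name exactly
    # so a similarly named image cannot satisfy the check.
    while read -r hash file; do
        if [ "${file#\*}" = "$name" ]; then
            expected=$hash
            break
        fi
    done < "$sums_file"
    [ -n "$expected" ] || { echo "no entry for $name in $sums_file" >&2; return 3; }

    actual=$(${SHA256SUM:-sha256sum} "$image")
    actual=${actual%% *}

    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (expected $expected, got $actual); do not flash" >&2
    return 1
}

# Usage on the router, before the mtd command:
#   SHA256SUM="./busybox sha256sum" verify_image sha256sums <image>.bin && mtd ...
```

Snapshot images are rebuilt regularly, so fetch `sha256sums` at the same time as the image; a stale sums file will report a mismatch for a good download.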
- OpenWrt forum thread
- Slack workspace
- User ksc91u claims that this method also works on firmware version `2.28.62`: OpenWrt forum.
- MiRouter 4A 100M (non gigabit): user morhimi claims that this method works on firmware version `2.18.51`: OpenWrt forum. User Jeffpeng claims that this method works on firmware version `2.18.58`: OpenWrt forum.
- MiRouter 4C: user Jeffpeng claims that this method works on firmware version `2.14.81`: OpenWrt forum.
- User Massimiliano Mangoni claims that this method also works on firmware version `2.28.8` for the router Mi Router 3G v2 (message posted in Slack).
- Original vulnerabilities and exploit: UltramanGaia
- Instructions to install OpenWrt after exploit execution: rogerpueyo
- Testing and detailed install instructions: hey07