Xiaomi Mi Router 4

(Do not confuse with Mi Router 4A 100m/Gigabit edition routers)

The Xiaomi Mi Router 4 is an indoor wireless router based on the MediaTek MT7621 SoC, with three 10/100/1000 Ethernet ports (2xLAN + 1xWAN), dual band 802.11bgn+ac (dual radio) WiFi, 128 MB of DDR3 RAM, 128 MB of SLC NAND storage and four external non-detachable antennae. It is intended for sale in domestic China market, so offered only with Chinese firmware.

There are the following methods to install OpenWrt:

• Using a firmware exploit (Does not require extra hardware): for instructions follow the OpenWRTInvasion repository and the guide below. At the time of writing this article guaranteed to work on firmware version 2.26.175. Might also work on other versions listed in the project readme, as they seem to be pretty much the same for all Xiaomi routers supported by the exploit. This method uses the same idea as the one for Mi Router 4A Gigabit Edition, but the flashing process is different, because Mi Router 4 has a different mtd partition layout. Warning: snapshot build might break your router. Use a stable one.

• Using a chip programmer (Requires extra hardware): to be written. It is possible, because a person on the russian technical forum 4pda did that, but he also changed bootloader in process, and I (the initial author of this article) used firmware exploit method, so I'm not really competent here.

It is recommended to perform this method under Linux.

• Get the stok:
  • Connect the router to the internet via the WAN port.
  • Connect your PC using cable in the LAN port.
  • Enter 192.168.31.1.
  • Configure the device:
    • Accept the terms.
    • Firstly, enter the admin password.
    • Next, enter the WiFi password.
    • Go to 192.168.31.1 and enter the admin password.
  • When you are in, your link has changed and now it has a part with something similar to stok=3700b146c87e45fea51170f87f47d34c
  • Copy the stok (the key that goes after the equal sign).
  • Launch a terminal on your PC.
  • git clone https://github.com/acecilia/OpenWRTInvasion
  • cd OpenWRTInvasion
  • git checkout 0.0.7
  • Just in case check for exploit requirements and install them, if necessary: pip3 install -r requirements.txt
  • Run the script: python3 remote_command_execution_vulnerability.py
  • Put there the IP and your stok, wait for completion.
• Download your OpenWrt image. At this point, use kernel1 and rootfs0 images.
• Download and open FileZilla or any other suitable FTP client. Open it.
• Connect to the router using IP 192.168.31.1, user root and password root.
• Open /tmp folder.
• Transfer there kernel1 and rootfs0 images.
• You may close FTP client at this point.
• Similarly, telnet session with the default IP, user root and password root
  • telnet 192.168.31.1
  • cd /tmp
  • Check images checksums:
    • ./busybox sha256sum name_of_your_kernel1_image_here.bin
    • ./busybox sha256sum name_of_your_rootfs0_image_here.bin
    • Compare checksums with the ones on the hardware selector page, where you have downloaded OpenWrt images previously. They should be the same. If they are, we are ready for flashing. If not, download and transfer them on the router once again.
  • mtd write name_of_your_kernel1_image_here.bin kernel1
  • mtd write name_of_your_rootfs0_image_here.bin rootfs0
  • Reboot the router: reboot. It might take a little bit longer than usual.
  • After reboot, enter 192.168.1.1 in your browser. You should get to the LuCI page.
  • Log in LuCI, go into System → Backup / Flash Firmware page.
  • Download sysupgrade OpenWrt image.
  • Click Flash image, upload sysupgrade image, check the checksum.
  • Remove the Keep the settings checkbox. Thus, all presented checkboxes should be clear.
  • Flash the image and set up OpenWrt as usual.

OpenWrt Factory Firmware: kernel, kernel1 and rootfs0 images. Use this files the first time you flash OpenWrt onto the router - i.e. use with the above mentioned exploit / install method.
OpenWrt Sysupgrade Firmware: Use this file to complete OpenWrt installation or upgrade an OpenWrt “system” to a newer version.

There is a screw on the bottom of the case covered by the product label, remove the edges for access. There are also clips around the edge of the case you will need to open, using, for example, a plastic card.

How to add tags