Xiaomi Mi Router 4
(Do not confuse with Mi Router 4A 100m/Gigabit edition routers)
The Xiaomi Mi Router 4 is an indoor wireless router based on the MediaTek MT7621 SoC, with three 10/100/1000 Ethernet ports (2xLAN + 1xWAN), dual band 802.11bgn+ac (dual radio) WiFi, 128 MB of DDR3 RAM, 128 MB of SLC NAND storage and four external non-detachable antennae. It is intended for sale in the domestic Chinese market, so it is offered only with Chinese firmware.
OpenWrt support
There are the following methods to install OpenWrt:
- Using a firmware exploit (Does not require extra hardware): for instructions, follow the OpenWRTInvasion repository and the guide below. At the time of writing this article, it is guaranteed to work on firmware version 2.26.175. It might also work on other versions listed in the project readme, as they seem to be pretty much the same for all Xiaomi routers supported by the exploit. This method uses the same idea as the one for Mi Router 4A Gigabit Edition, but the flashing process is different, because Mi Router 4 has a different mtd partition layout. Warning: a snapshot build might break your router. Use a stable one.
- Using a chip programmer (Requires extra hardware): to be written. It is possible, because a person on the Russian technical forum 4pda did that, but he also changed the bootloader in the process, and I (the initial author of this article) used the firmware exploit method, so I'm not really competent here.
How to perform firmware exploit method
It is recommended to perform this method under Linux.
- Get the stok:
- Connect the router to the internet via the WAN port.
- Connect your PC to a LAN port with a cable.
- Enter 192.168.31.1 in your browser.
- Configure the device:
- Accept the terms.
- Firstly, enter the admin password.
- Next, enter the WiFi password.
- Go to 192.168.31.1 and enter the admin password.
- When you are in, the URL has changed and now contains a part similar to stok=3700b146c87e45fea51170f87f47d34c
- Copy the stok (the key that goes after the equal sign).
- Launch a terminal on your PC.
cd OpenWRTInvasion
git checkout 0.0.7
- Just in case check for exploit requirements and install them, if necessary:
pip3 install -r requirements.txt
- Run the script:
python3 remote_command_execution_vulnerability.py
- Enter the IP and your stok there, then wait for completion.
- Download your OpenWrt image. At this point, use kernel1 and rootfs0 images.
- Download and open FileZilla or any other suitable FTP client.
- Connect to the router using IP 192.168.31.1, user root and password root.
- Open the /tmp folder.
- Transfer the kernel1 and rootfs0 images there.
- You may close FTP client at this point.
- Similarly, open a telnet session with the default IP, user root and password root:
telnet 192.168.31.1
cd /tmp
- Check images checksums:
./busybox sha256sum name_of_your_kernel1_image_here.bin
./busybox sha256sum name_of_your_rootfs0_image_here.bin
- Compare the checksums with the ones on the hardware selector page, where you downloaded the OpenWrt images previously. They should be the same. If they are, we are ready for flashing. If not, download the images and transfer them to the router once again.
- Flash the images:
mtd write name_of_your_kernel1_image_here.bin kernel1
mtd write name_of_your_rootfs0_image_here.bin rootfs0
- Reboot the router:
reboot
- It might take a little bit longer than usual.
- After reboot, enter 192.168.1.1 in your browser. You should get to the LuCI page.
- Log in to LuCI and go to the System → Backup / Flash Firmware page.
- Download sysupgrade OpenWrt image.
- Click Flash image, upload sysupgrade image, check the checksum.
- Uncheck the Keep the settings checkbox. Thus, all presented checkboxes should be clear.
- Flash the image and set up OpenWrt as usual.
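The checksum comparison that precedes the mtd write step above can be scripted so that a truncated paste or a corrupted FTP transfer is caught mechanically rather than by eye. This is an added example, not part of the original guide or of the OpenWRTInvasion project; the script name verify_images.sh, the function names and the SHA256_CMD variable are assumptions of this example, and it also assumes tr is available in the shell.

```shell
#!/bin/sh
# Added example (not from the original guide): check image hashes before flashing.
# SHA256_CMD is this example's own knob: on the router's stock firmware set it to
# "./busybox sha256sum" as in the guide; on a PC the default "sha256sum" works.
SHA256_CMD="${SHA256_CMD:-sha256sum}"

# Print the hex SHA-256 of a file; status 2 if it is missing or unreadable.
image_sha256() {
    [ -r "$1" ] || return 2
    out=$($SHA256_CMD "$1") || return 2
    # Output format is "<hash>  <file>"; keep only the hash.
    printf '%s\n' "${out%% *}"
}

# verify_image FILE EXPECTED -> 0 match, 1 mismatch, 2 unusable input.
verify_image() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # A SHA-256 digest is exactly 64 hex characters; reject truncated pastes.
    case $expected in
        ''|*[!0-9a-f]*) echo "bad expected hash for $file" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected hash for $file is not 64 chars" >&2; return 2; }
    actual=$(image_sha256 "$file") || { echo "cannot hash $file" >&2; return 2; }
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file (got $actual)" >&2
    return 1
}

# verify_all FILE1 HASH1 FILE2 HASH2 ... -> 0 only if every pair matches.
verify_all() {
    rc=0
    [ $(( $# % 2 )) -eq 0 ] || { echo "arguments must be FILE HASH pairs" >&2; return 2; }
    while [ "$#" -ge 2 ]; do
        verify_image "$1" "$2" || rc=1
        shift 2
    done
    return "$rc"
}

# Command-line use: sh verify_images.sh FILE HASH [FILE HASH ...]
if [ "$#" -gt 0 ]; then
    verify_all "$@" || exit 1
fi
```

Run it in /tmp on the router with SHA256_CMD="./busybox sha256sum" and the two hashes copied from the download page, and continue to mtd write only if it exits with status 0.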
Installation
OpenWrt Factory Firmware: kernel, kernel1 and rootfs0 images. Use these files the first time you flash OpenWrt onto the router, i.e. with the above-mentioned exploit / install method.
OpenWrt Sysupgrade Firmware: Use this file to complete OpenWrt installation or upgrade an OpenWrt “system” to a newer version.
Hardware Highlights
Hardware
Info
Architecture | MIPS |
---|---|
Vendor | Mediatek |
bootloader | U-Boot |
System-On-Chip | Mediatek MT7621 |
CPU/Speed | mipsel_24kc @ 880MHz |
Flash size | 128 MB |
RAM | 128 MB |
Wireless 2.4 GHz | Mediatek MT7603, b/g/n |
Wireless 5 GHz | Mediatek MT7612, a/n/ac |
Ethernet | 3x 10/100/1000 BASE-TX Ethernet Interface (1x WAN, 2x LAN) |
Serial | Yes |
Opening the case
There is a screw on the bottom of the case covered by the product label; remove the edges of the label for access. There are also clips around the edge of the case that you will need to open, using, for example, a plastic card.