Xiaomi Mi Router 4

Under Construction!
This page is currently under construction. You can edit the article to help completing it.

Xiaomi Mi Router 4

(Do not confuse with Mi Router 4A 100m/Gigabit edition routers)

The Xiaomi Mi Router 4 is an indoor wireless router based on the MediaTek MT7621 SoC, with three 10/100/1000 Ethernet ports (2xLAN + 1xWAN), dual band 802.11bgn+ac (dual radio) WiFi, 128 MB of DDR3 RAM, 128 MB of SLC NAND storage and four external non-detachable antennae. It is intended for sale in domestic China market, so offered only with Chinese firmware.

For installing OpenWrt there are the following methods:

  • Using a firmware exploit (Does not require extra hardware): for instructions follow the OpenWRTInvasion repository and the guide below. At the time of writing this article guaranteed to work on firmware version 2.26.175. Might also work on other versions listed in the project readme, as they seem to be pretty much the same for all Xiaomi routers supported by the exploit. This method uses the same idea as the one for Mi Router 4A Gigabit Edition, but the flashing process is different, because Mi Router 4 has a different mtd partition layout. Warning: snapshot build might break your router. Use a stable one.
  • Using a chip programmer (Requires extra hardware): to be written. It is possible, because a person on the russian technical forum 4pda did that, but he also changed bootloader in process, and I (the initial author of this article) used firmware exploit method, so I'm not really competent here.

It is recommended to perform this method under Linux.

  • Get the stok:
    • Connect the router to the internet via the WAN port.
    • Connect your PC using cable in the LAN port.
    • Enter 192.168.31.1.
    • Configure the device:
      • Accept the terms.
      • Firstly, enter the admin password.
      • Next, enter the WiFi password.
      • Go to 192.168.31.1 and enter the admin password.
    • When you are in, your link changed and now it have a part with something similar to stok=3700b146c87e45fea51170f87f47d34c
    • Copy the stok (the key that goes after the equal sign).
    • Launch a terminal on your PC.
    • cd OpenWRTInvasion
    • Just in case check for exploit requirements and install them, if necessary: pip3 install -r requirements.txt
    • Run the script: python3 remote_command_execution_vulnerability.py
    • Put there the IP and your stok, wait for completion.
  • Download your OpenWrt image. At this point, use kernel1 and rootfs0 images.
  • Download and open FileZilla or any other suitable FTP client. Open it.
  • Connect to the router using IP 192.168.31.1, user root and password root.
  • Open /tmp folder.
  • Transfer there kernel1 and rootfs0 images.
  • You may close FTP client at this point.
  • Similarly, telnet session with the default IP, user root and password root
    • telnet 192.168.31.1
    • cd /tmp
    • Check for images checksums:
      • ./busybox sha256sum name_of_your_kernel1_image_here.bin
      • ./busybox sha256sum name_of_your_rootfs0_image_here.bin
      • Compare checksums with ones on the hardware selector page, where you have downloaded OpenWrt images previosly. They should be the same. If they are, we are ready for flashing. If not, download and transfer them on the router once again.
    • mtd write name_of_your_kernel1_image_here.bin kernel1
    • mtd write name_of_your_rootfs0_image_here.bin rootfs0
    • Reboot the router: reboot. It might take a little bit longer than usual.
    • After reboot, enter 192.168.1.1 in your browser. You should get to the LuCI page.
    • Log in LuCI, go into SystemBackup / Flash Firmware page.
    • Download sysupgrade OpenWrt image.
    • Click Flash image, upload sysupgrade image, check the checksum.
    • Remove the Keep the settings checkbox. Thus, all presented checkboxes should be clear.
    • Flash the image and set up OpenWrt as usual.
ModelVersionSoCCPU MHzCPU CoresFlash MBRAM MBWLAN HardwareWLAN2.4WLAN5.0100M portsGbit portsModemUSB
MiWiFi R4v1MediaTek MT7621A8802128NAND128MediaTek MT7603EN, MediaTek MT7612ENb/g/na/n/ac-3--
Architecture MIPS
Vendor Mediatek
bootloader U-Boot
System-On-Chip Mediatek MT7621
CPU/Speed mipsel_24kc @ 880MHz
Flash size 128 MB
RAM 128 MB
Wireless 2.4 GHz Mediatek MT7603, b/g/n
Wireless 5 GHz Mediatek MT7612, a/n/ac
Ethernet 3x 10/100/1000 BASE-TX Ethernet Interface (1x WAN, 2x LAN)
Serial Yes

There is a screw on the bottom of the case covered by the product label, remove the edges for access. There are also clips around the edge of the case you will need to prize open, using, for example, a plastic card.

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2022/07/17 07:51
  • by tmomas