Xiaomi Mi Router 4C

Warning 03/2022: OpenWrt will not work on units fitted with the Eon EN25QX128 16MB flash chip at this time (see the OpenWrt forum). The same issue affects some R4A Gigabit models.

Install OpenWrt (generic explanation)

As of the time of this edit (2019-06-19), some users have reported Wi-Fi to be unstable. Do not attempt to perform firmware updates via Wi-Fi in order to avoid damage to your device.

  1. Download or clone OpenWRTInvasion
  2. Install python3 and add it to PATH if not installed.
  3. Install requirements:
    pip3 install -r requirements.txt
  4. Log in to the web panel of your router and copy the stok URL parameter out of the address field of your browser.
  5. Execute the exploit:
    python3 remote_command_execution_vulnerability.py
  6. Enter the stok and the router's IP address on the command line when prompted.
  7. You now have telnet access.
  8. Log in to your router via telnet. (User: root - No password)
  9. Use this command to enter the tmp directory:
    cd /tmp
  10. Copy the OpenWrt download link.
  11. Download OpenWrt to the tmp directory, saving it as openwrt.bin (the file name used in the next step):
    wget -O openwrt.bin <Download Link>
  12. Install OpenWrt to OS1:
    mtd -r write /tmp/openwrt.bin OS1
  13. Flashing takes a couple of minutes, after which the router restarts into OpenWrt.

PCB

xiaomi-4c-pcb.jpg

PCB (Close Up)

xiaomi-4c-pcb-closeup.jpg

Flash layout on stock firmware (the install steps above write to OS1):

dev:    size   erasesize  name
mtd0: 01000000 00010000 "ALL"
mtd1: 00020000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 00010000 00010000 "crash"
mtd5: 00010000 00010000 "cfg_bak"
mtd6: 00100000 00010000 "overlay"
mtd7: 00c60000 00010000 "OS1"
mtd8: 00af0000 00010000 "rootfs"
mtd9: 00200000 00010000 "disk"

Flash layout under OpenWrt (the revert steps below write to firmware):

dev:    size   erasesize  name
mtd0: 00020000 00010000 "bootloader"
mtd1: 00010000 00010000 "config"
mtd2: 00010000 00010000 "factory"
mtd3: 00010000 00010000 "crash"
mtd4: 00010000 00010000 "cfg_bak"
mtd5: 00100000 00010000 "overlay"
mtd6: 00ea0000 00010000 "firmware"
mtd7: 002052ab 00010000 "kernel"
mtd8: 00c9ad55 00010000 "rootfs"
mtd9: 00a10000 00010000 "rootfs_data"
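
A pre-flash sanity check for the `mtd -r write` steps on this page, as an added example that is not part of the original page: it looks up the target partition in a /proc/mtd-format table and rejects an image larger than the partition, or a partition name that does not exist on the running firmware. The function names are hypothetical, and it assumes the device's BusyBox provides awk and wc.

```shell
#!/bin/sh
# Added example (not from the original page): check that an image fits the
# named MTD partition before running "mtd -r write".

# Sample input: the stock flash layout as listed on this page.
STOCK_MTD='dev:    size   erasesize  name
mtd0: 01000000 00010000 "ALL"
mtd1: 00020000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 00010000 00010000 "crash"
mtd5: 00010000 00010000 "cfg_bak"
mtd6: 00100000 00010000 "overlay"
mtd7: 00c60000 00010000 "OS1"
mtd8: 00af0000 00010000 "rootfs"
mtd9: 00200000 00010000 "disk"'

# part_size TABLE NAME: print the partition size in bytes; status 1 if absent.
part_size() {
    hex=$(printf '%s\n' "$1" | awk -v n="\"$2\"" '$4 == n { print $2; exit }')
    [ -n "$hex" ] || return 1
    printf '%d\n' "0x$hex"
}

# image_fits TABLE NAME BYTES: 0 = fits, 1 = empty or too large, 2 = no such partition.
image_fits() {
    size=$(part_size "$1" "$2") || return 2
    [ "$3" -gt 0 ] && [ "$3" -le "$size" ]
}

# On the device: sh fitcheck.sh OS1 /tmp/openwrt.bin
# (fitcheck.sh is a hypothetical file name for this script.)
if [ $# -eq 2 ]; then
    bytes=$(($(wc -c < "$2")))
    if image_fits "$(cat /proc/mtd)" "$1" "$bytes"; then
        echo "ok: $2 ($bytes bytes) fits $1"
    else
        echo "refusing: $2 does not fit $1, or $1 is missing" >&2
        exit 1
    fi
fi
```

Because partition names differ between the two layouts (OS1 on stock, firmware under OpenWrt), a missing-partition result usually means the command was taken from the wrong procedure for the firmware currently running.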

0. Consider an OpenWrt factory reset first

firstboot && reboot

1. Download STOCK firmware

2. Copy to router

scp "miwifi_r4cm_firmware 3.0.16_ENG.bin" root@192.168.1.1:/tmp/

3. Write to “firmware” block

mtd -r write "/tmp/miwifi_r4cm_firmware 3.0.16_ENG.bin" firmware

4. The router will reboot and, after a few minutes, boot into stock firmware with IP address 192.168.31.1

See the photos for a breakdown of where to solder. The picture shows all solder points for the required pins, with markings. You must also connect 15kOhm resistors from the D+ and D- lines to ground.

Software mod

The hardware mod alone does not enable USB: you must also enable OHCI and EHCI in the board description file and compile appropriate firmware. The board description file is located at

/{your openwrt source location}/openwrt/target/linux/ramips/dts/mt7628an_xiaomi_mi-router-4c.dts

In this file change:

&ehci {
	status = "disabled";
};
&ohci {
	status = "disabled";
};

to

&ehci {
	status = "okay";
};
&ohci {
	status = "okay";
};

Enable USB kernel module support in “make menuconfig”, compile the firmware file and flash it.

You can use the router's 5V power supply to power USB, but take care: it provides only 1A of current, so connecting a power-hungry USB peripheral will make the router unstable.

  • Last modified: 2024/02/12 11:13
  • by 127.0.0.1