Xiaomi Mi Router 4C
Warning (03/2022): OpenWrt will not work on units fitted with the Eon EN25QX128 16MB flash chip at this time. See the OpenWrt forum thread. The same issue affects some R4A Gigabit models.
Supported Versions
Hardware Highlights
Installation
→ Install OpenWrt (generic explanation)
As of the time of this edit (2019-06-19), some users have reported Wi-Fi to be unstable. Do not attempt to perform firmware updates via Wi-Fi in order to avoid damage to your device.
- Download or clone OpenWRTInvasion
- Install python3 and add it to PATH if not already installed.
- Install requirements:
pip3 install -r requirements.txt
- Log in to the web panel of your router and copy the stok URL parameter out of the address field of your browser.
- Execute the exploit:
python3 remote_command_execution_vulnerability.py
- Enter the stok and the router's IP address at the command line when prompted.
- Now you have access to telnet.
- Log in to your router via telnet. (User: root - No password)
- Use this command to enter the /tmp directory:
cd /tmp
- Copy the OpenWrt download link.
- Download OpenWrt to the /tmp directory, saving it as openwrt.bin so the name matches the next step:
wget -O /tmp/openwrt.bin <Download Link>
- Install OpenWrt to OS1:
mtd -r write /tmp/openwrt.bin OS1
- This takes a couple of minutes, after which the router restarts into OpenWrt.
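A pre-flash check for the `mtd -r write` step above, as an added example that is not part of the original page or of OpenWrt: it confirms that the image fits the target partition listed in /proc/mtd and that it matches a SHA-256 checksum you obtained from the download page. The function names and the MTD_TABLE override are hypothetical, and it assumes `awk`, `wc` and `sha256sum` are available in the router's shell.

```shell
#!/bin/sh
# Added example (hypothetical helper names): pre-flash checks for `mtd write`.
# MTD_TABLE defaults to the live table; override it to test offline.
MTD_TABLE="${MTD_TABLE:-/proc/mtd}"

# Print the size in bytes of the named MTD partition; fail if it is absent.
mtd_part_size() {
    hex=$(awk -v want="\"$1\"" '$4 == want { print $2; exit }' "$MTD_TABLE")
    [ -n "$hex" ] || return 1
    echo $((0x$hex))
}

# Succeed only if the image exists, is non-empty and fits the partition.
image_fits() {
    img=$1; part=$2
    [ -s "$img" ] || { echo "missing or empty image: $img" >&2; return 1; }
    psize=$(mtd_part_size "$part") ||
        { echo "no such partition: $part" >&2; return 1; }
    isize=$(($(wc -c < "$img")))
    [ "$isize" -le "$psize" ] ||
        { echo "image ($isize B) exceeds $part ($psize B)" >&2; return 1; }
}

# Succeed only if the image's SHA-256 equals the expected checksum.
image_hash_ok() {
    got=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$got" = "$2" ]
}

# Run both checks; flash only if this returns success.
preflash_check() {
    image_fits "$1" "$2" && image_hash_ok "$1" "$3" &&
        echo "OK: $1 verified and fits $2"
}

# Script usage: preflash.sh <image> <partition> <expected-sha256>
if [ "$#" -eq 3 ]; then
    preflash_check "$@" || exit 1
fi
```

Run it as `preflash_check /tmp/openwrt.bin OS1 <expected sha256>` and call `mtd -r write` only when it succeeds; the same check applies to the "firmware" partition when returning to stock.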
Hardware
Info
Photos
Flash layout
Stock /proc/mtd
dev: size erasesize name
mtd0: 01000000 00010000 "ALL"
mtd1: 00020000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 00010000 00010000 "crash"
mtd5: 00010000 00010000 "cfg_bak"
mtd6: 00100000 00010000 "overlay"
mtd7: 00c60000 00010000 "OS1"
mtd8: 00af0000 00010000 "rootfs"
mtd9: 00200000 00010000 "disk"
OpenWrt snapshot /proc/mtd
dev: size erasesize name
mtd0: 00020000 00010000 "bootloader"
mtd1: 00010000 00010000 "config"
mtd2: 00010000 00010000 "factory"
mtd3: 00010000 00010000 "crash"
mtd4: 00010000 00010000 "cfg_bak"
mtd5: 00100000 00010000 "overlay"
mtd6: 00ea0000 00010000 "firmware"
mtd7: 002052ab 00010000 "kernel"
mtd8: 00c9ad55 00010000 "rootfs"
mtd9: 00a10000 00010000 "rootfs_data"
OpenWrt back to STOCK
0. Consider OpenWrt factory reset first
firstboot && reboot
1. Download STOCK firmware
2. Copy to router
scp "miwifi_r4cm_firmware 3.0.16_ENG.bin" root@192.168.1.1:/tmp/
3. Write to “firmware” block
mtd -r write "/tmp/miwifi_r4cm_firmware 3.0.16_ENG.bin" firmware
4. The router will reboot and, after a few minutes, boot into the stock firmware with IP address 192.168.31.1
Debricking
Using Mi Wifi Repair tool:
Mi Wifi download
PDF guide (written for R4A gigabit edition)
Numerous antivirus tools identify the Mi Wifi Repair Tool (files date-stamped January 2019) as a 'Potentially Unwanted App'. It is unclear whether there is a genuine threat or whether this is a 'false positive'.
Hardware Mod - USB Port
See the photos for a breakdown of where to solder. The picture shows all solder points for the required pins, with markings. You must also connect 15 kOhm resistors from the D+ and D- lines to ground.
Software mod
The hardware mod alone does not enable USB; you must also enable EHCI and OHCI in the board description file and compile appropriate firmware. The board description file is located at:
/{your openwrt source location}/openwrt/target/linux/ramips/dts/mt7628an_xiaomi_mi-router-4c.dts
In this file change:
&ehci {
	status = "disabled";
};

&ohci {
	status = "disabled";
};
to
&ehci {
	status = "okay";
};

&ohci {
	status = "okay";
};
Enable USB kernel module support in “make menuconfig”, compile the firmware file and flash it.
You can use the router's 5V power supply to power the USB port, but take care: it provides only 1A of current, so connecting a power-hungry USB peripheral will make the router unstable.