MI Router 4A (Gigabytes) Version 2.30.500 is not supported #178

Open
LinYKen opened this issue Jun 19, 2023 · 6 comments


LinYKen commented Jun 19, 2023

```
OpenWRTInvasion % python3 remote_command_execution_vulnerability.py
/Users/xxx/Library/Python/3.9/lib/python/site-packages/urllib3/__init__.py:34: NotOpenSSLWarning: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with 'LibreSSL 2.8.3'. See: urllib3/urllib3#3020
warnings.warn(
Router IP address [press enter for using the default 'miwifi.com']:
Enter router admin password: xxxxxxxxx
There two options to provide the files needed for invasion:

  1. Use a local TCP file server runing on random port to provide files in local directory script_tools.
  2. Download needed files from remote github repository. (choose this option only if github is accessable inside router device.)
    Which option do you prefer? (default: 1)1

router_ip_address: miwifi.com
stok: xxxxxxxxxxxxxxxxxxxxxxxxx
file provider: local file server


start uploading config file...
start exec command...
local file server is runing on 0.0.0.0:57270. root='script_tools'
Warning: the process has finished, but seems like ssh connection to the router is not working as expected.
```


pvtmp commented Dec 10, 2023

Same issue here ;( did you fix it??

@Mike-Wei

You can check out #141. Follow the guide on how to use nc to get a busybox with telnetd support to the system. Then you can open telnetd to access the shell.

Basically, the problem with the stock firmware is that it has dropbear removed. Though the stock busybox has telnetd packaged in, it is difficult to get it to run (at least in my case). So the solution is to get a newer version of busybox with telnetd properly set up already.

A few tips and caveats:

  1. The device with 2.30.x is r4av2. Differentiate it from the 2.28.x version.
  2. The ISA is mips32r2. The busybox in "Not working R4A (Xiaomi 4a Gigabit) 2.30.20" (#141) doesn't work for me. I had to compile my own busybox, after several rounds of trial and error.
  3. You can always use wget or curl to download things, instead of having to split busybox and using nc.


webysther commented Apr 8, 2024

Works, please go to: #155 (comment)

Change the DHCP to use a lower port, or just restore the settings using this backup:

2024-04-09--06_02_14.tar.gz

@Earls1996

Same issue, r4ag v2 Chinese edition, updated to 2.3.500 from 2.30.28, but the script won't work on Ubuntu (booted on a separate PC). Tried URL execution https://github.com/acecilia/OpenWRTInvasion/issues/141#issuecomment-1465561959, but the busybox presented in the post won't seem to start after executing `chmod a+x /tmp/split/$$/tmp/split telnetd`, because telnet won't accept the connection.

@DmitryBLKV

Issue: SSH connection not working after script execution

Hi,

I’m experiencing issues when trying to run the OpenWRT Invasion script on my Xiaomi Mi Router 4A Gigabit Edition (Firmware version 2.30.500).

After executing the script, I receive the following message:

```
dmitrybelyakov@dmitry-5 OpenWRTInvasion % python3 remote_command_execution_vulnerability.py
/Users/dmitrybelyakov/Library/Python/3.9/lib/python/site-packages/urllib3/__init__.py:35: NotOpenSSLWarning: urllib3 v2 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with 'LibreSSL 2.8.3'. See: urllib3/urllib3#3020
warnings.warn(
Router IP address [press enter for using the default 'miwifi.com']:
Enter router admin password:
There two options to provide the files needed for invasion:

  1. Use a local TCP file server runing on random port to provide files in local directory script_tools.
  2. Download needed files from remote github repository. (choose this option only if github is accessable inside router device.)
    Which option do you prefer? (default: 1)

router_ip_address: miwifi.com
stok: 58c52d49be63014309e89ba7c3104bb4
file provider: local file server


start uploading config file...
start exec command...
local file server is runing on 0.0.0.0:61529. root='script_tools'
Warning: the process has finished, but seems like ssh connection to the router is not working as expected.
```

I've tried using Telnet, but I'm getting "Connection refused".

Does anyone have any advice on how to resolve this, or is there something specific I should check with my router's firmware version?

Thanks for your help!



licryle commented Sep 3, 2024

@DmitryBLKV the router firmware version can be found at the bottom of the admin once logged in, it's in the form of 2.30.XX indicating it's a RAGv2.

Once you've hit that stage of the exploit, you need some more extra steps.
I just went through the steps in the mentioned thread but found them too complicated.

So I created a much easier shell script for 2.30.28 and documented the commands to send; check out #141 (comment).

I also completed the openWRT installation after and updated the post above, though it totally is a simpler rewrite of https://github.com/MrTaiKe/Action_OpenWrt_Xiaomi_R4AGv2
