I’m very fond of Xiaomi products. They sell pleasing design at an affordable price. One example is their Xiaomi Router 4C. It’s a 2.4 GHz, 100 Mbps-only router that costs only around P500.00.
While I like the hardware, I don’t feel secure using the default firmware. Fortunately, OpenWRT supports this router. It’s an open-source, community-driven firmware.
My use case for this router is a dedicated access point for our IP cameras. I discovered that putting the cameras on the same access point as our main network causes bottlenecks for other devices. With 6 cameras, each pushing 2 MB/s of data, the airwaves get congested quickly.
Why OpenWRT?
It’s open and highly flexible. One feature I use is the ability to assign an SSID to a VLAN that has no internet access. This limits access of IP Cameras to local-only.
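As an added example (not the author's own configuration), here is the OpenWRT UCI config for such a camera-only SSID. It implements the isolation with a separate network interface and firewall zone rather than a tagged switch VLAN; the interface name `cams`, the subnet 192.168.50.0/24 and `radio0` are assumptions, and the LAN is allowed to open connections to the cameras while the cameras themselves can reach neither the WAN, the LAN nor each other.

```uci
# /etc/config/network -- a separate subnet for the cameras, no relation to lan
config interface 'cams'
    option proto 'static'
    option ipaddr '192.168.50.1'
    option netmask '255.255.255.0'

# /etc/config/dhcp -- hand the cameras addresses on that subnet
config dhcp 'cams'
    option interface 'cams'
    option start '100'
    option limit '50'
    option leasetime '12h'

# /etc/config/wireless -- a second SSID on the single 2.4 GHz radio, bound to 'cams'
config wifi-iface 'cams_ap'
    option device 'radio0'
    option mode 'ap'
    option network 'cams'
    option ssid 'cams'
    option encryption 'psk2'
    option key 'CHANGE-ME-long-random-passphrase'   # placeholder, replace before use
    option isolate '1'      # AP isolation: cameras cannot talk to each other over the air

# /etc/config/firewall -- the zone that makes the cameras "local-only"
config zone
    option name 'cams'
    option network 'cams'
    option input 'REJECT'   # cameras may not reach router services (except DHCP, below)
    option output 'ACCEPT'
    option forward 'REJECT'
    # deliberately no 'forwarding' section with src 'cams': no path to wan or lan

config forwarding
    option src 'lan'
    option dest 'cams'      # the LAN (NVR, phones) opens the streams; replies return via conntrack

config rule
    option name 'cams-dhcp'
    option src 'cams'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'
```

After editing the files, `/etc/init.d/network restart` and `/etc/init.d/firewall restart` apply the change; a camera joined to the `cams` SSID should obtain a 192.168.50.x lease and fail to reach any address outside that subnet.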
How to flash OpenWRT?
The stock firmware does not allow uploading unsigned firmware images. Flashing OpenWRT therefore looks like this:
- Downgrade to a vulnerable firmware
- Exploit vulnerability to gain root access
- Once we have root access, flash the firmware
Steps
Downgrading to a vulnerable firmware
Download the exploitable firmware (China 2.14.80) from the Mi Router 4C firmware download page: MIWIFI R4CM ROM (miuirom.org)
Flash that firmware through the router’s admin page at http://192.168.31.1
To confirm a successful flash, the admin page must now be in Chinese.
Gain root access
Download or clone OpenWRTInvasion
Install Python 3
Open a terminal, change directory to where OpenWRTInvasion is, then run pip3 install -r requirements.txt
Run the exploit: python3 remote_command_execution_vulnerability.py
If successful, the router will be accessible via SSH.
Download the latest OpenWRT firmware for the 4C.
At this stage, my router still doesn’t have internet access. I need to upload the OpenWRT firmware to the device, which I did using FTP.
# On the PC: upload the image to the router's RAM-backed /tmp over the FTP
# service that OpenWRTInvasion started
ftp 192.168.31.1
cd /tmp
put C:\path\to\firmware.bin
# On the router, in the SSH session: write the image to the NAND (OS1
# partition) and reboot into it (-r)
mtd -r write /tmp/firmware.bin OS1
After a few minutes, check whether OpenWRT is booting up.
Resources:
- https://openwrt.org/toh/xiaomi/xiaomi_mi_router_4c