Recently we bought a few units for the 2025 project in AUCOOP. We did a short workshop for the new students and documented the entire process here for future reference.
This is a summary of the workshop btw :)
Device: Xiaomi Mi Router 4C (Model: R4CM) Production Date: 03/2024 CPU: MediaTek MT7628DA RAM: 64MB
Get Root Access#
We first need to gain root access in the router with the xiaomi firmware. We use the OpenWRTInvasion tool. We used the Docker method to avoid Python dependency issues on the host machine.
- Clone & Build:
docker build -t openwrtinvasion https://github.com/acecilia/OpenWRTInvasion.git
docker run --network host -it openwrtinvasion
- Run Exploit:
docker run --network host -it openwrtinvasion
- IP:
192.168.31.1(default Xiaomi router IP) - Stok: Log in to the router web interface, look at the URL
http://192.168.31.1/cgi-bin/luci/;stok=<THIS_STRING>/...(note that this might be detected automatically by the tool, so this step might not be necessary to be done manually) - Password:
root.
Make Backups!#
Do not skip this. 2024 units have unique calibration data. If you lose mtd3, your WiFi signal will be weak/dead.
- SSH into Router:
- Note: We must use legacy encryption flags because the stock SSH server is old.
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa [email protected]
- Create Dumps (Run inside Router):
dd if=/dev/mtd0 of=/tmp/ALL_backup.bin
dd if=/dev/mtd1 of=/tmp/Bootloader_backup.bin
dd if=/dev/mtd3 of=/tmp/Factory_eeprom.bin
- Download to PC (Run on PC):
# Run from your local terminal
scp -O -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-rsa [email protected]:/tmp/*_backup.bin .
scp -O -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-rsa [email protected]:/tmp/Factory_eeprom.bin .
Install OpenWrt#
We decided to use version 23.05.5 because the 4C has only 64MB RAM. Newer versions (24.x) are heavier. So just in case, we are using OpenWrt 23.05.5. This might be unnecessary, but I don’t know, better safe than sorry.
- Download Firmware:
- Target:
ramips/mt76x8 - File:
openwrt-23.05.5-ramips-mt76x8-xiaomi_mi-router-4c-squashfs-sysupgrade.bin
Search for tt
- Upload to Router (Run on PC):
scp -O -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-rsa openwrt-23.05.5-ramips-mt76x8-xiaomi_mi-router-4c-squashfs-sysupgrade.bin [email protected]:/tmp/firmware.bin
- Flash (Run inside Router):
# Verify partition name is OS1 (usually mtd7)
cat /proc/mtd
# Write firmware
mtd -r write /tmp/firmware.bin OS1
Post-Install#
The router will reboot. The LED will start in orange color. If eventually changes to blue, that means OpenWrt is running. If after a few minutes it is still orange, that means the firmware flash failed. You have a bricked router now…
Now you can access with your PC to OpenWrt at http://192.168.1.1.
Next Step#
Since you have successfully flashed the device, you should now **store those backup files (ALL_backup.bin, Factory_eeprom.bin). If you ever mistakenly erase the router’s calibration data in the future, those files are the only way to restore your WiFi signal strength.