2022-12-22 update
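Added the bin file generated after the modification: https://github.com/chou-o-ning/mi_router_4c/
Note!!! Please read this entire post before doing anything, otherwise the 4C may be bricked!!!
I flashed the Xiaomi Mi Router 4C by following the official OpenWRT guide, which is here: https://openwrt.org/toh/xiaomi/xiaomi_mi_router_4c
The steps are:
First install a python3 environment and download the OpenWRTInvasion software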
git clone https://github.com/acecilia/OpenWRTInvasion
cd OpenWRTInvasion
Run the python script
Follow the prompts (you need to enter the router's IP address and admin password)
MBP:OpenWRTInvasion ning$ python3 remote_command_execution_vulnerability.py
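Router IP address [press enter for using the default 'miwifi.com']: 192.168.31.1 (the router's IP address)
Enter router admin password: XXXXXXXX (the admin password)
Next, some scripts need to be uploaded to the router; I used option 2 (I have a router at home with proxy support)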
There two options to provide the files needed for invasion:
1. Use a local TCP file server runing on random port to provide files in local directory `script_tools`.
2. Download needed files from remote github repository. (choose this option only if github is accessable inside router device.)
Which option do you prefer? (default: 1)2
****************
router_ip_address: 192.168.31.1
stok: 347d98137cc0b94228151f1915367363
file provider: remote github repository
****************
start uploading config file...
start exec command...
done! Now you can connect to the router using several options: (user: root, password: root)
* telnet 192.168.31.1
* ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null root@192.168.31.1
* ftp: using a program like cyberduck
Log in to the router over ssh
MBP:OpenWRTInvasion ning$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null root@192.168.31.1
The authenticity of host '192.168.31.1 (192.168.31.1)' can't be established.
RSA key fingerprint is SHA256:sPMvHhnmAdF0l4gui46gyp3Gzd3Fzaz8WjnvgTrbocM.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.31.1' (RSA) to the list of known hosts.
root@192.168.31.1's password:
BusyBox v1.19.4 (2019-04-23 07:12:12 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.
-----------------------------------------------------
Welcome to XiaoQiang!
-----------------------------------------------------
$$$$$$\ $$$$$$$\ $$$$$$$$\ $$\ $$\ $$$$$$\ $$\ $$\
$$ __$$\ $$ __$$\ $$ _____| $$ | $$ | $$ __$$\ $$ | $$ |
$$ / $$ |$$ | $$ |$$ | $$ | $$ | $$ / $$ |$$ |$$ /
$$$$$$$$ |$$$$$$$ |$$$$$\ $$ | $$ | $$ | $$ |$$$$$ /
$$ __$$ |$$ __$$< $$ __| $$ | $$ | $$ | $$ |$$ $$<
$$ | $$ |$$ | $$ |$$ | $$ | $$ | $$ | $$ |$$ |\$$\
$$ | $$ |$$ | $$ |$$$$$$$$\ $$$$$$$$$ | $$$$$$ |$$ | \$$\
\__| \__|\__| \__|\________| \_________/ \______/ \__| \__|
root@XiaoQiang:~#
Open another window for ftp and upload the OpenWRT firmware. (Note: it must be uploaded to the tmp directory)
MBP:Downloads ning$ ftp 192.168.31.1
Connected to 192.168.31.1.
220 Operation successful
Name (192.168.31.1:ning): root
331 Specify password
Password:
230 Operation successful
ftp> cd tmp
250 Operation successful
ftp> bin
200 Operation successful
ftp> put openwrt-ramips-mt76x8-xiaomi_mi-router-4c-squashfs-sysupgrade.bin
200 Operation successful
150 Ok to send data
226 Operation successful
5243691 bytes sent in 0.429 seconds (11.6 Mbytes/s)
ftp> bye
221 Operation successful
Flash it
root@XiaoQiang:/tmp# mtd -r write openwrt-ramips-mt76x8-xiaomi_mi-router-4c-squashfs-sysupgrade.bin OS1
Unlocking OS1 ...
Writing from openwrt-ramips-mt76x8-xiaomi_mi-router-4c-squashfs-sysupgrade.bin to OS1 ...
Rebooting ...
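After that, the router kept rebooting over and over: it was bricked.
There is actually a Warning on the official page, but I did not read it carefully. (OpenWRT will probably fix this problem soon.)
The cause of the brick is that the newer 4C uses an EON flash chip, and the Linux kernel in this OpenWRT does not support that chip yet. I opened the router and took a photo, see the picture below; the part in the red box is the EON flash chip.
Xiaomi provides a way to recover from the brick at http://www1.miwifi.com/miwifi_download.html; just download the Xiaomi router repair tool. It works by having the bootloader download the firmware over tftp and re-flash it to recover. I will not go into the detailed steps here.
To fix the endless reboot problem, the code has to be modified to add a driver for the new chip to the Linux kernel. The process is as follows (here I chose OpenWRT v21.02.3):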
git clone https://github.com/openwrt/openwrt
cd openwrt
git checkout v21.02.3
./scripts/feeds update -a
./scripts/feeds install -a
make menuconfig
Select:
Target System: MediaTek Ralink MIPS
Subtarget: MT76x8 based boards
Target Profile: Xiaomi Mi Router 4C
Also add luci (otherwise there will be no Web UI)
Build
make V=99
After the build finishes, look for spi-nor.c in build_dir
ning@bay:~/project/github/openwrt$ cd build_dir/
ning@bay:~/project/github/openwrt/build_dir$ find . -name spi-nor.c
./target-mipsel_24kc_musl/linux-ramips_mt76x8/linux-5.4.188/drivers/mtd/spi-nor/spi-nor.c
./toolchain-mipsel_24kc_gcc-8.4.0_musl/linux-5.4.188/drivers/mtd/spi-nor/spi-nor.c
Add the new EON chip at line 2236 (the bold text below)
	/* EON -- en25xxx */
	{ "en25f32", INFO(0x1c3116, 0, 64 * 1024, 64, SECT_4K) },
	{ "en25p32", INFO(0x1c2016, 0, 64 * 1024, 64, 0) },
	{ "en25q32b", INFO(0x1c3016, 0, 64 * 1024, 64, 0) },
	{ "en25p64", INFO(0x1c2017, 0, 64 * 1024, 128, 0) },
	{ "en25q64", INFO(0x1c3017, 0, 64 * 1024, 128, SECT_4K) },
	{ "en25q128", INFO(0x1c3018, 0, 64 * 1024, 256, SECT_4K) },
	{ "en25q80a", INFO(0x1c3014, 0, 64 * 1024, 16,
			SECT_4K | SPI_NOR_DUAL_READ) },
	{ "en25qh32", INFO(0x1c7016, 0, 64 * 1024, 64, 0) },
	{ "en25qh64", INFO(0x1c7017, 0, 64 * 1024, 128,
			SECT_4K | SPI_NOR_DUAL_READ) },
	{ "en25q128", INFO(0x1c3018, 0, 64 * 1024, 256, SECT_4K) },
	{ "en25qx128a", INFO(0x1c7118, 0, 64 * 1024, 256, SECT_4K) },
	{ "en25qh128", INFO(0x1c7018, 0, 64 * 1024, 256, 0) },
	{ "en25qh256", INFO(0x1c7019, 0, 64 * 1024, 512, 0) },
	{ "en25s64", INFO(0x1c3817, 0, 64 * 1024, 128, SECT_4K) },
Rebuild and flash again
make V=99
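An added example (not part of the original post or of the OpenWRT tree): a pre-flash check that parses the EON rows exactly as listed above and reports whether a given JEDEC ID is present in the table, the capacity that row declares, and any ID listed twice. The function names are made up for this example, and 0x1c7118 is used as the sample query only because it is one of the rows in the listing.

```python
import re

# EON rows copied from the spi-nor.c listing on this page (linux-5.4.188).
EON_ROWS = '''
{ "en25f32", INFO(0x1c3116, 0, 64 * 1024, 64, SECT_4K) },
{ "en25p32", INFO(0x1c2016, 0, 64 * 1024, 64, 0) },
{ "en25q32b", INFO(0x1c3016, 0, 64 * 1024, 64, 0) },
{ "en25p64", INFO(0x1c2017, 0, 64 * 1024, 128, 0) },
{ "en25q64", INFO(0x1c3017, 0, 64 * 1024, 128, SECT_4K) },
{ "en25q128", INFO(0x1c3018, 0, 64 * 1024, 256, SECT_4K) },
{ "en25q80a", INFO(0x1c3014, 0, 64 * 1024, 16,
SECT_4K | SPI_NOR_DUAL_READ) },
{ "en25qh32", INFO(0x1c7016, 0, 64 * 1024, 64, 0) },
{ "en25qh64", INFO(0x1c7017, 0, 64 * 1024, 128,
SECT_4K | SPI_NOR_DUAL_READ) },
{ "en25q128", INFO(0x1c3018, 0, 64 * 1024, 256, SECT_4K) },
{ "en25qx128a", INFO(0x1c7118, 0, 64 * 1024, 256, SECT_4K) },
{ "en25qh128", INFO(0x1c7018, 0, 64 * 1024, 256, 0) },
{ "en25qh256", INFO(0x1c7019, 0, 64 * 1024, 512, 0) },
{ "en25s64", INFO(0x1c3817, 0, 64 * 1024, 128, SECT_4K) },
'''

# One row: { "name", INFO(jedec_id, ext_id, sector_size, n_sectors, flags) }
ROW = re.compile(r'\{\s*"([^"]+)"\s*,\s*INFO\(\s*(0x[0-9a-fA-F]+)\s*,\s*\w+\s*,'
                 r'\s*([^,]+?)\s*,\s*(\d+)\s*,\s*([^)]*)\)')

def parse_rows(text):
    """Return one dict per INFO() row: name, JEDEC ID, size in bytes, flags."""
    rows = []
    for name, jedec, sect, count, flags in ROW.findall(text):
        sector = 1
        for factor in sect.split('*'):  # "64 * 1024" -> 65536
            sector *= int(factor)
        flag_list = [f.strip() for f in flags.split('|') if f.strip() not in ('', '0')]
        rows.append({"name": name, "jedec": int(jedec, 16),
                     "size": sector * int(count), "flags": flag_list})
    return rows

def lookup(rows, jedec):
    """First row with this JEDEC ID, or None if the chip is not in the table."""
    return next((r for r in rows if r["jedec"] == jedec), None)

def duplicate_ids(rows):
    """JEDEC IDs that appear in more than one row."""
    ids = [r["jedec"] for r in rows]
    return sorted({i for i in ids if ids.count(i) > 1})

if __name__ == "__main__":
    rows = parse_rows(EON_ROWS)
    print(lookup(rows, 0x1C7118), [hex(i) for i in duplicate_ids(rows)])
```

Run against the real spi-nor.c by passing its contents to parse_rows(); a lookup that returns None for the chip fitted to the board means this table has no row for it.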