小米路由器 4C 烧录 OpenWRT 方法及变砖问题的解决

2022-12-22 update
添加修改后生成的bin文件 https://github.com/chou-o-ning/mi_router_4c/

注意！！！请先看完这篇文字的所有文字后再操作，否则 4C 可能会变砖！！！

我是按照 OpenWRT 的官方教程给小米路由器 4C 进行烧录的。地址在这里：https://openwrt.org/toh/xiaomi/xiaomi_mi_router_4c。
具体的操作方式是：
先安装 python3 环境，下载 OpenWRTInvasion 软件

git clone https://github.com/acecilia/OpenWRTInvasion
cd OpenWRTInvasion

运行 python 脚本
按照提示操作（需要输入路由器的ip地址和管理密码）

MBP:OpenWRTInvasion ning$ python3 remote_command_execution_vulnerability.py 
Router IP address [press enter for using the default 'miwifi.com']: 192.168.31.1 (路由器的ip地址)
Enter router admin password: XXXXXXXX (管理员密码)

接下来会需要将一些脚本上传到路由器上，我用方法2（家中有支持梯子的路由器）

There two options to provide the files needed for invasion:
   1. Use a local TCP file server runing on random port to provide files in local directory `script_tools`.
   2. Download needed files from remote github repository. (choose this option only if github is accessable inside router device.)
Which option do you prefer? (default: 1)2
****************
router_ip_address: 192.168.31.1
stok: 347d98137cc0b94228151f1915367363
file provider: remote github repository
****************
start uploading config file...
start exec command...
done! Now you can connect to the router using several options: (user: root, password: root)
* telnet 192.168.31.1
* ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null root@192.168.31.1
* ftp: using a program like cyberduck

ssh 登陆进路由器

MBP:OpenWRTInvasion ning$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null root@192.168.31.1
The authenticity of host '192.168.31.1 (192.168.31.1)' can't be established.
RSA key fingerprint is SHA256:sPMvHhnmAdF0l4gui46gyp3Gzd3Fzaz8WjnvgTrbocM.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.31.1' (RSA) to the list of known hosts.
root@192.168.31.1's password: 


BusyBox v1.19.4 (2019-04-23 07:12:12 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.

 -----------------------------------------------------
       Welcome to XiaoQiang!
 -----------------------------------------------------
  $$$$$$\  $$$$$$$\  $$$$$$$$\      $$\      $$\        $$$$$$\  $$\   $$\
 $$  __$$\ $$  __$$\ $$  _____|     $$ |     $$ |      $$  __$$\ $$ | $$  |
 $$ /  $$ |$$ |  $$ |$$ |           $$ |     $$ |      $$ /  $$ |$$ |$$  /
 $$$$$$$$ |$$$$$$$  |$$$$$\         $$ |     $$ |      $$ |  $$ |$$$$$  /
 $$  __$$ |$$  __$$< $$  __|        $$ |     $$ |      $$ |  $$ |$$  $$<
 $$ |  $$ |$$ |  $$ |$$ |           $$ |     $$ |      $$ |  $$ |$$ |\$$\
 $$ |  $$ |$$ |  $$ |$$$$$$$$\       $$$$$$$$$  |       $$$$$$  |$$ | \$$\
 \__|  \__|\__|  \__|\________|      \_________/        \______/ \__|  \__|


root@XiaoQiang:~# 

另外再开一个ftp的窗口，上载 OpenWRT 的 firmware。（注意要上载到tmp目录）

MBP:Downloads ning$ ftp 192.168.31.1
Connected to 192.168.31.1.
220 Operation successful
Name (192.168.31.1:ning): root
331 Specify password
Password: 
230 Operation successful
ftp> cd tmp
250 Operation successful
ftp> bin
200 Operation successful
ftp> put openwrt-ramips-mt76x8-xiaomi_mi-router-4c-squashfs-sysupgrade.bin 
200 Operation successful
150 Ok to send data
226 Operation successful
5243691 bytes sent in 0.429 seconds (11.6 Mbytes/s)
ftp> bye
221 Operation successful

烧录之

root@XiaoQiang:/tmp# mtd -r write openwrt-ramips-mt76x8-xiaomi_mi-router-4c-squashfs-sysupgrade.bin OS1
Unlocking OS1 ...

Writing from openwrt-ramips-mt76x8-xiaomi_mi-router-4c-squashfs-sysupgrade.bin to OS1 ...     
Rebooting ...

然后，路由器就开始不断重启，变砖了。
其实官网页面上有 Warning 的，我没有仔细看。（这个问题 OpenWRT 官方估计会很快解决）。
变砖的原因是，新版的 4C 用了 EON的 Flash 芯片，而该 OpenWRT 的 Linux 内核还不支持该芯片。我把路由器拆开拍了张照，见下图，红框中的就是 EON 的 Flash 芯片。

EON Flash 芯片
小米提供了解决变砖的方法的网址http://www1.miwifi.com/miwifi_download.html，下载小米路由器修复工具即可，原理是 bootloader 通过 tftp 下载 firmware 重新烧录恢复，具体操作这里就不再阐述。

解决这个不断重启的问题，需要修改代码，在 Linux 内核中添加新芯片的驱动，过程如下（这里我选取的是 openWRT v21.02.3 版本）：

git clone https://github.com/openwrt/openwrt
cd openwrt
git checkout v21.02.3
./scripts/feeds update -a
./scripts/feeds install -a
make menuconfig 

选择：
Target System: MediaTek Ralink MIPS
Subtarget: MT76x8 based boards
Target Profile: Xiaomi Mi Router 4C
另外添加 luci （否则会没有 Web UI）
编译

make V=99

编译完成后，在 build_dir 中查找 spi-nor.c

ning@bay:~/project/github/openwrt$ cd build_dir/
ning@bay:~/project/github/openwrt/build_dir$ find . -name spi-nor.c
./target-mipsel_24kc_musl/linux-ramips_mt76x8/linux-5.4.188/drivers/mtd/spi-nor/spi-nor.c
./toolchain-mipsel_24kc_gcc-8.4.0_musl/linux-5.4.188/drivers/mtd/spi-nor/spi-nor.c

在2236行添加 EON 的新芯片（下面的黑体字）
/* EON -- en25xxx */
{ "en25f32", INFO(0x1c3116, 0, 64 * 1024, 64, SECT_4K) },
{ "en25p32", INFO(0x1c2016, 0, 64 * 1024, 64, 0) },
{ "en25q32b", INFO(0x1c3016, 0, 64 * 1024, 64, 0) },
{ "en25p64", INFO(0x1c2017, 0, 64 * 1024, 128, 0) },
{ "en25q64", INFO(0x1c3017, 0, 64 * 1024, 128, SECT_4K) },
{ "en25q128", INFO(0x1c3018, 0, 64 * 1024, 256, SECT_4K) },
{ "en25q80a", INFO(0x1c3014, 0, 64 * 1024, 16,
SECT_4K | SPI_NOR_DUAL_READ) },
{ "en25qh32", INFO(0x1c7016, 0, 64 * 1024, 64, 0) },
{ "en25qh64", INFO(0x1c7017, 0, 64 * 1024, 128,
SECT_4K | SPI_NOR_DUAL_READ) },
{ "en25q128", INFO(0x1c3018, 0, 64 * 1024, 256, SECT_4K) },
{ "en25qx128a", INFO(0x1c7118, 0, 64 * 1024, 256, SECT_4K) },
{ "en25qh128", INFO(0x1c7018, 0, 64 * 1024, 256, 0) },
{ "en25qh256", INFO(0x1c7019, 0, 64 * 1024, 512, 0) },
{ "en25s64", INFO(0x1c3817, 0, 64 * 1024, 128, SECT_4K) },
重新编译并烧录即可

make V=99