Winse Blog

走走停停都是风景, 熙熙攘攘都向最好, 忙忙碌碌都为明朝, 何畏之.

Xiaomi R4a Install Padavan

最近换了个小米的路由,想着登录ssh,能在路由上跑一些小的定时任务。但是无奈,绑定不通过,那就直接刷机了。

一开始是按照csdn上的文章刷opewrt的,但是都不成功,最后换成 老毛子Padavan 了。

参考

步骤描述

获取root权限

使用 WSL Ubuntu 进行访问,python3已经安装了。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62

winse@LAPTOP-I9ECVAQ4:OpenWRTInvasion-master$ python3 --version
Python 3.8.5

# https://github.com/acecilia/OpenWRTInvasion
winse@LAPTOP-I9ECVAQ4:OpenWRTInvasion-master$ ls
Dockerfile  readme                                     requirements.txt  set_english.py
extras      README.md                                  script.sh         speedtest_urls_template.xml
firmwares   remote_command_execution_vulnerability.py  script_tools      tcp_file_server.py

winse@LAPTOP-I9ECVAQ4:OpenWRTInvasion-master$ sudo apt install python3-pip

winse@LAPTOP-I9ECVAQ4:OpenWRTInvasion-master$ pip3 install -r requirements.txt
Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (2.22.0)

# stok获取:登录web访问后,浏览器的地址上就有stok的参数。
# 详情可查看参考的文章
winse@LAPTOP-I9ECVAQ4:OpenWRTInvasion-master$ python3 remote_command_execution_vulnerability.py
Router IP address [press enter for using the default 'miwifi.com']:
Enter router admin password: __xxx__
There two options to provide the files needed for invasion:
   1. Use a local TCP file server runing on random port to provide files in local directory `script_tools`.
   2. Download needed files from remote github repository. (choose this option only if github is accessable inside router device.)
Which option do you prefer? (default: 1)
****************
router_ip_address: miwifi.com
stok: __xxx__
file provider: local file server
****************
start uploading config file...
start exec command...
local file server is runing on 0.0.0.0:1135. root='script_tools'
local file server is getting 'busybox-mipsel' for 192.168.31.1.
local file server is getting 'dropbearStaticMipsel.tar.bz2' for 192.168.31.1.
done! Now you can connect to the router using several options: (user: root, password: root)
* telnet miwifi.com
* ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null root@miwifi.com
* ftp: using a program like cyberduck

winse@LAPTOP-I9ECVAQ4:OpenWRTInvasion-master$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null root@miwifi.com
The authenticity of host 'miwifi.com (192.168.31.1)' can't be established.
RSA key fingerprint is SHA256:AT91yqVuqPnmOO5wmke6V0Hl67GKXdkb48W/FU3WfEM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'miwifi.com,192.168.31.1' (RSA) to the list of known hosts.
root@miwifi.com's password:

BusyBox v1.19.4 (2021-09-30 03:16:53 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.

 -----------------------------------------------------
       Welcome to XiaoQiang!
 -----------------------------------------------------
  $$$$$$\  $$$$$$$\  $$$$$$$$\      $$\      $$\        $$$$$$\  $$\   $$\
 $$  __$$\ $$  __$$\ $$  _____|     $$ |     $$ |      $$  __$$\ $$ | $$  |
 $$ /  $$ |$$ |  $$ |$$ |           $$ |     $$ |      $$ /  $$ |$$ |$$  /
 $$$$$$$$ |$$$$$$$  |$$$$$\         $$ |     $$ |      $$ |  $$ |$$$$$  /
 $$  __$$ |$$  __$$< $$  __|        $$ |     $$ |      $$ |  $$ |$$  $$<
 $$ |  $$ |$$ |  $$ |$$ |           $$ |     $$ |      $$ |  $$ |$$ |\$$\
 $$ |  $$ |$$ |  $$ |$$$$$$$$\       $$$$$$$$$  |       $$$$$$  |$$ | \$$\
 \__|  \__|\__|  \__|\________|      \_________/        \______/ \__|  \__|


root@XiaoQiang:~#

安装breed

用WinSCP登入路由,使用 ftp协议 ,ip地址 miwifi.com ,账号 root,把 breed-mt7621-pbr-m1.bin 文件上传到tmp文件夹内,之后执行如下命令:

1
2
3
4
5
6
7
8
9

root@XiaoQiang:~# cd /tmp
root@XiaoQiang:/tmp# ls breed-mt7621-pbr-*
breed-mt7621-pbr-m1.bin

root@XiaoQiang:/tmp# mtd -r write breed-mt7621-pbr-m1.bin Bootloader
Unlocking Bootloader ...

Writing from breed-mt7621-pbr-m1.bin to Bootloader ...
Rebooting ...

接上网线,再等一阵子(1,2分钟),然后访问 http://192.168.1.1/

刷padavan

下载r4a版本的padavan: https://opt.cn2qq.com/padavan/

1

MI-R4A_3.4.3.9-099.trx

访问 192.168.1.1 ,备份eeprom和固件(重要),然后勾选固件,然后将小米4A的trx固件文件进行上传,然后完成固件更新流程。

更新过程请不要切断路由电源!更新完成后, 页面并不会自动刷新, 自己尝试能否进入路由配置页面。。

刷完后,这里需要多等待一点时间,耐心一点。

访问

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

http://192.168.123.1/
admin/admin

在 [系统管理 - 服务] 页签开启ssh公钥登录。

[MI-R4A /home/root]# uname -a
Linux MI-R4A 3.4.113 #3 SMP Sun Apr 3 14:26:03 CST 2022 mips GNU/Linux
[MI-R4A /home/root]# uname -r
3.4.113
[MI-R4A /home/root]# uname -m
mips

#CPU/Memory information
$ cat /proc/cpuinfo

#Version
$ cat /proc/version

#SCSI/Sata devices
$ cat /proc/scsi/scsi

#Partitions
$ cat /proc/partitions

#安装 okpg , 进入 Shell 后,在根目录安装,输入如下:
[MI-R4A /home/root]# opkg.sh

# 升级:
[MI-R4A /home/root]# opkg update
Downloading http://bin.entware.net/mipselsf-k3.4/Packages.gz
Updated list of available packages in /opt/var/opkg-lists/entware

[MI-R4A /home/root]# opkg install jq
Installing jq (1.6-2) to root...
Downloading http://bin.entware.net/mipselsf-k3.4/jq_1.6-2_mipsel-3.4.ipk
Configuring jq.

# opkg list

–END

Comments