{"id":15032232,"url":"https://github.com/acecilia/openwrtinvasion","last_synced_at":"2025-10-07T03:29:47.871Z","repository":{"id":37395106,"uuid":"248380503","full_name":"acecilia/OpenWRTInvasion","owner":"acecilia","description":"Root shell exploit for several Xiaomi routers: 4A Gigabit, 4A 100M, 4, 4C, 3Gv2, 4Q, miWifi 3C...","archived":false,"fork":false,"pushed_at":"2023-12-10T23:27:41.000Z","size":68362,"stargazers_count":1635,"open_issues_count":29,"forks_count":286,"subscribers_count":32,"default_branch":"master","last_synced_at":"2025-05-22T16:07:23.092Z","etag":null,"topics":["4a-gigabit","firmware","miwifi-3c","openwrt","router","routers","xiaomi","xiaomi-routers"],"latest_commit_sha":null,"homepage":"","language":"Lua","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/acecilia.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-03-19T01:16:18.000Z","updated_at":"2025-05-21T06:03:29.000Z","dependencies_parsed_at":"2024-12-14T17:01:41.958Z","dependency_job_id":"4e5a6d83-359a-437d-a370-5652d529432d","html_url":"https://github.com/acecilia/OpenWRTInvasion","commit_stats":null,"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"purl":"pkg:github/acecilia/OpenWRTInvasion","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/acecilia%2FOpenWRTInvasion","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/acecilia%2FOpenWRTInvasion/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/acecilia%2FOpenWRTInvasion/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/acecilia%2FOpenWRTInvasion/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/acecilia","download_url":"https://codeload.github.com/acecilia/OpenWRTInvasion/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/acecilia%2FOpenWRTInvasion/sbom","scorecard":{"id":162559,"data":{"date":"2025-08-11","repo":{"name":"github.com/acecilia/OpenWRTInvasion","commit":"fcec03a49d78d700d62f7be82093bd8e349d9a55"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.2,"checks":[{"name":"Code-Review","score":4,"reason":"Found 13/30 approved changesets -- score normalized to 4","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":9,"reason":"binaries present in source code","details":["Warn: binary detected: script_tools/busybox-mipsel:1"],"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"License","score":0,"reason":"license file not detected","details":["Warn: project does not have a license file"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: containerImage not pinned by hash: Dockerfile:1: pin your Docker image by updating docker.io/library/python:3-alpine to docker.io/library/python:3-alpine@sha256:f196fd275fdad7287ccb4b0a85c2e402bb8c794d205cf6158909041c1ee9f38d","Warn: pipCommand not pinned by hash: Dockerfile:7","Info:   0 out of   1 containerImage dependencies pinned","Info:   0 out of   1 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Vulnerabilities","score":5,"reason":"5 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: PYSEC-2014-14 / GHSA-652x-xj99-gmcc","Warn: Project is vulnerable to: GHSA-9hjg-9r4m-mvj7","Warn: Project is vulnerable to: GHSA-9wx4-h78v-vm56","Warn: Project is vulnerable to: PYSEC-2014-13 / GHSA-cfj3-7x9c-4p3h","Warn: Project is vulnerable to: PYSEC-2018-28 / GHSA-x84v-xcm2-53pg"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 13 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-16T13:55:04.992Z","repository_id":37395106,"created_at":"2025-08-16T13:55:04.992Z","updated_at":"2025-08-16T13:55:04.992Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278715508,"owners_count":26033296,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-07T02:00:06.786Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["4a-gigabit","firmware","miwifi-3c","openwrt","router","routers","xiaomi","xiaomi-routers"],"created_at":"2024-09-24T20:17:47.982Z","updated_at":"2025-10-07T03:29:47.848Z","avatar_url":"https://github.com/acecilia.png","language":"Lua","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Root shell exploit for several Xiaomi routers: 4A Gigabit, 4A 100M, 4C, 3Gv2, 4Q, miWifi 3C...\n\n## How to run\n\n**NOTE: FROM VERSION `0.0.2` THE ROUTER NEEDS INTERNET ACCESS**. If you require to run the exploit without internet access please try version `0.0.1`. Find the versions here: https://github.com/acecilia/OpenWRTInvasion/releases\n\n**NOTE: THERE ARE REPORTED ISSUES WITH ROUTER IN AP MODE**. If you're not able to succeed in the AP mode, try to switch to some other (WiFi Repeater or Gateway)\n\n**NOTE: THERE ARE COMPATIBILITY ISSUES REPORTED WHEN USING WINDOWS**. This script only runs on Mac or Linux. If you run from Windows, please use docker (explained below)\n\n### Using Docker (also works on Windows)\n\n```console\ndocker build -t openwrtinvasion https://github.com/acecilia/OpenWRTInvasion.git\ndocker run --network host -it openwrtinvasion\n```\n\n### Using the command line\n\n```shell\npip3 install -r requirements.txt # Install requirements\npython3 remote_command_execution_vulnerability.py # Run the script\n```\n\nYou will be asked for the router IP address and for the `stok`. You can grab the `stok` from the router URL after you log in to the admin interface:\n\n![](readme/readme-001.png)\n\nNote that [the script must be run from the same IP address used when login into the router](https://github.com/acecilia/OpenWRTInvasion/issues/97).\n\nAfter that, a telnet server will be up and running. You can connect to it by running:\n\n```\ntelnet \u003crouter_ip_address\u003e\n```\n\n* User: `root`\n* Password: `root`\n\nThe script also starts an ftp server at port 21, so you can get access to the filesystem using a GUI (for example [cyberduck](https://cyberduck.io)).\n\n## Supported routers and firmware versions\n\n* MiRouter 4A Gigabit: \n  * `2.28.62`: user [ksc91u](https://forum.openwrt.org/u/ksc91u) claims that this method works \n  * `2.28.65`: [OpenWrt forum](https://forum.openwrt.org/t/xiaomi-mi-router-4a-gigabit-edition-r4ag-r4a-gigabit-fully-supported-but-requires-overwriting-spi-flash-with-programmer/36685/359)\n  * `2.28.132`: [OpenWrt forum](https://forum.openwrt.org/t/xiaomi-mi-router-4a-gigabit-edition-r4ag-r4a-gigabit-fully-supported-but-requires-overwriting-spi-flash-with-programmer/36685/359)\n  * `3.0.10`: see [here](https://github.com/acecilia/OpenWRTInvasion/issues/145)\n  * `3.0.24`: [OpenWrt forum](https://forum.openwrt.org/t/xiaomi-mi-router-4a-gigabit-edition-r4ag-r4a-gigabit-fully-supported-and-flashable-with-openwrtinvasion/36685/1135)\n  * `3.0.27`: see [here](https://github.com/acecilia/OpenWRTInvasion/issues/156)\n  * `3.2.30`: see [here](https://github.com/acecilia/OpenWRTInvasion/issues/160)\n  * `3.10.18`: see [here](https://github.com/acecilia/OpenWRTInvasion/issues/150)\n* MiRouter 4A 100M (non gigabit): \n  * `2.18.51`: [OpenWrt forum](https://forum.openwrt.org/t/xiaomi-mi-router-4a-gigabit-edition-r4ag-r4a-gigabit-fully-supported-but-requires-overwriting-spi-flash-with-programmer/36685/372)\n  * `2.18.58`: [OpenWrt forum](https://forum.openwrt.org/t/xiaomi-mi-router-4a-gigabit-edition-r4ag-r4a-gigabit-fully-supported-but-requires-overwriting-spi-flash-with-programmer/36685/373)\n  * `3.0.12`: see [here](https://github.com/acecilia/OpenWRTInvasion/issues/165)\n  * Find a troubleshooting guide [here](https://github.com/acecilia/OpenWRTInvasion/issues/92)\n* MiRouter 4C: \n  * `2.14.81`: [OpenWrt forum](https://forum.openwrt.org/t/support-for-xiaomi-mi-router-4c-r4cm/36418/31)\n  * `2.14.87`: see [here](https://github.com/acecilia/OpenWRTInvasion/issues/73) \n  * `2.14.92`: see [here](https://github.com/acecilia/OpenWRTInvasion/issues/162) \n  * Find [here](https://github.com/acecilia/OpenWRTInvasion/issues/89) a troubleshooting guide for this router\n* Mi Router 3Gv2: \n  * `2.28.8`: user [Massimiliano Mangoni](massimiliano.mangoni@gmail.com) claims that this method works (message posted in Slack)\n* Mi Router 4Q (aka R4C): \n  * `2.28.48`: user cadaverous claims that this method works (message posted in Slack), but because the router is mips architecture (not mipsel), he needed to use version `0.0.1` of the script (the other versions use a busybox binary built for the mipsel architecture that is used to start a telnet sever)\n* MiWifi 3C:\n  * `2.8.51_INT`: [OpenWrt forum](https://forum.openwrt.org/t/support-for-xiaomi-miwifi-3c/11643/23), [OpenWrt forum](https://forum.openwrt.org/t/support-for-xiaomi-miwifi-3c/11643/17)\n  * `2.9.217`: [OpenWrt forum](https://forum.openwrt.org/t/support-for-xiaomi-miwifi-3c/11643/23), [OpenWrt forum](https://forum.openwrt.org/t/support-for-xiaomi-miwifi-3c/11643/17)\n  * `2.14.45`: [OpenWrt forum](https://forum.openwrt.org/t/support-for-xiaomi-miwifi-3c/11643/23), [OpenWrt forum](https://forum.openwrt.org/t/support-for-xiaomi-miwifi-3c/11643/17)\n* [Mi Router 4](https://www.mi.com/miwifi4):\n  * `2.18.62`: see [here](https://github.com/acecilia/OpenWRTInvasion/issues/73)\n  * `2.26.175`: see [here](https://github.com/acecilia/OpenWRTInvasion/issues/21#issuecomment-748619870) \n* Xiaomi Mi R3P: \n  * Xiaomi Dev firmware: see [here](https://github.com/acecilia/OpenWRTInvasion/issues/58)\n* [Xiaomi 3Gv1](https://openwrt.org/toh/hwdata/xiaomi/xiaomi_miwifi_3g): \n  * The stock firmware coming with the router: see [here](https://github.com/acecilia/OpenWRTInvasion/issues/68#issue-814768067)\n* [AC2350 AIOT](https://www.mi.com/global/mi-aiot-router-ac2350/): \n  * `1.3.8CN`: see [here](https://github.com/acecilia/OpenWRTInvasion/issues/46#issuecomment-774784301)\n\n## Unsupported routers and firmware versions\n\n* MiRouter 4A Gigabit:\n  * `2.30.20`: see details [here](https://github.com/acecilia/OpenWRTInvasion/issues/141)\n  * `3.2.26`: see details and alternatives [here](https://github.com/acecilia/OpenWRTInvasion/issues/140)\n* Mi Extender AC1200 (RA75): see [here](https://github.com/acecilia/OpenWRTInvasion/issues/159)\n\n## Xiaomi 4A Gigabit Global Edition\n\nFind [here](https://www.youtube.com/watch?v=a4fDwG3aEb8) a very complete introductory video to the router and the OpenWrt installation\n\n### Firmwares\n\nThis repository contains the following firmwares:\n\n* Official Xiaomi - `2.28.62` - in Chinese. SHA256: `a3db7f937d279cf38c2a3bec09772d65`\n  * URL in this repository: https://github.com/acecilia/OpenWRTInvasion/raw/master/firmwares/stock/miwifi_r4a_firmware_72d65_2.28.62.bin\n* Official Xiaomi - `3.0.24` - in English. MD5: `9c4a60addaad76dc13b6df6b4ac03233`\n  * URL in this repository: https://github.com/acecilia/OpenWRTInvasion/raw/master/firmwares/stock/miwifi_r4a_all_03233_3.0.24_INT.bin\n  * URL in the official Xiaomi site: http://cdn.awsde0-fusion.fds.api.mi-img.com/xiaoqiang/rom/r4a/miwifi_r4a_all_03233_3.0.24_INT.bin\n\nIf you have a pending update in your Xiaomi stock firmware, you can check its md5 hash and the download url by navigating to:\n\n```\nhttp://192.168.31.1/cgi-bin/luci/;stok=\u003cstok\u003e/api/xqsystem/check_rom_update\n```\n\n### Install OpenWrt\n\nWhen installing OpenWrt on the Xiaomi 4A Gigabit, there are several options:\n\n* **[PREFERRED OPTION]**: use the latest supported stable release of OpenWrt. Find it in the [official OpenWrt wiki page](https://openwrt.org/inbox/toh/xiaomi/xiaomi_mi_router_4a_gigabit_edition)\n\n* Build your own image with `imagebuilder`, using the latest source code on `master`:\n\n  ```\n  docker pull openwrtorg/imagebuilder:ramips-mt7621-master\n  docker run --rm -v \"$(pwd)\"/bin/:/home/build/openwrt/bin -it openwrtorg/imagebuilder:ramips-mt7621-master\n  make PROFILE=xiaomi_mir3g-v2 image\n  ```\n\nIf **after reading above text** you still want to proceed, after login to the router through telnet run the following commands:\n\n```shell\ncd /tmp\ncurl https://raw.githubusercontent.com/acecilia/OpenWRTInvasion/master/firmwares/OpenWrt/06-06-2020/openwrt-ramips-mt7621-xiaomi_mir3g-v2-squashfs-sysupgrade.bin --output firmware.bin # Put here the URL you want to use to download the firmware\n./busybox sha256sum firmware.bin # Verify the firmware checksum before flashing, very important to avoid bricking your device!\nmtd -e OS1 -r write firmware.bin OS1 # Install OpenWrt\n```\n\nThis will install the snapshot version of OpenWrt (without Luci). You can now use ssh to connect to the router (and install Luci if you prefer it).\n\n### Performance:\n\nPlease see [here](https://www.youtube.com/watch?v=a4fDwG3aEb8) for a complete performance analysis\n\n## For more info and support go to:\n\n* [OpenWrt forum thread](https://forum.openwrt.org/t/xiaomi-mi-router-4a-gigabit-edition-r4ag-r4a-gigabit-fully-supported-but-requires-overwriting-spi-flash-with-programmer/36685)\n\n## If you brick your device\n\nYou can find solutions in the following links:\n\n* User [albertcp](https://forum.openwrt.org/u/albertcp) posted a very detailed guide: [OpenWrt forum](https://forum.openwrt.org/t/xiaomi-mi-router-4a-gigabit-edition-r4ag-r4a-gigabit-fully-supported-but-requires-overwriting-spi-flash-with-programmer/36685/402)\n* User [micky0867](https://forum.openwrt.org/u/micky0867) has some more comments about the topic: [OpenWrt forum](https://forum.openwrt.org/t/xiaomi-mi-router-4a-gigabit-edition-r4ag-r4a-gigabit-fully-supported-but-requires-overwriting-spi-flash-with-programmer/36685/391)\n* User [hoddy](https://forum.openwrt.org/u/hoddy) created a [video tutorial](https://youtu.be/SLbkce-M2nE)\n\n## Acknowledgments\n\n* Original vulnerabilities and exploit: [UltramanGaia](https://github.com/UltramanGaia/Xiaomi_Mi_WiFi_R3G_Vulnerability_POC)\n* Instructions to install OpenWrt after exploit execution: [rogerpueyo](https://forum.openwrt.org/t/xiaomi-mi-router-4a-gigabit-edition-r4ag-r4a-gigabit-fully-supported-but-requires-overwriting-spi-flash-with-programmer/36685/21)\n* Testing and detailed install instructions: [hey07](https://forum.openwrt.org/t/xiaomi-mi-router-4a-gigabit-edition-r4ag-r4a-gigabit-fully-supported-but-requires-overwriting-spi-flash-with-programmer/36685/349)\n* Checking the URL of pending updates: [sicklesareterrible](https://forum.openwrt.org/t/xiaomi-mi-router-4a-gigabit-edition-r4ag-r4a-gigabit-fully-supported-and-flashable-with-openwrtinvasion/36685/1114?u=acecilia)\n\n## Demo\n\n### Version 0.0.2 and higher: telnet\n\n![Alt Text](readme/exploit-002.gif)\n\n### Version 0.0.1: netcat (legacy)\n\n![Alt Text](readme/exploit-001.gif)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Facecilia%2Fopenwrtinvasion","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Facecilia%2Fopenwrtinvasion","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Facecilia%2Fopenwrtinvasion/lists"}