This was a quick video; I just wanted to show everyone what I had learned about the Netgear GS110TP and how you can get to its command-line interface (CLI) even though it's an unadvertised, hidden feature. As I say in the video, I stumbled upon the port while conducting a routine port scan of my network and wanted to learn more. I found a blog post that gave me all the info I needed to access the CLI, so I decided to make this quick video to show the steps involved. Enjoy!
This guide comes off the back of the Xiaomi OpenWrt Guide. A few people asked me to create a Windows version of that guide and I tried: I spent about 4 hours getting the exploit to work on Windows, and when I finally managed it I had no idea how many steps would be needed to reproduce what I'd done. Either way, it's still a lot simpler to do on Linux (Ubuntu in this case). So instead of dragging people through a 4-hour video that I'm not confident in, I decided to make a quick, simple guide to setting up a VM (Virtual Machine) in Windows, giving users all the advantages of Linux without having to deal with dual booting and the slightly more complicated side of Linux (by the way, all these things have got a lot easier in the last few years!).
I wrote the guide for the latest LTS (Long Term Support) release of Ubuntu, 20.04; however, you could follow this guide for almost any Linux flavour (except Arch, but if you were using Arch you would have told us already!).
I use VirtualBox in this example; it works perfectly well for what most people need and, best of all, it's free! All we need then is an Ubuntu image, which is also free to download. A lot of Linux flavours provide VM images that you can import straight into VirtualBox; however, I looked quickly and couldn't find one for Ubuntu, and even if I had, I normally install it myself using the process outlined here, so that you have your own usernames and passwords from the start. The main disadvantage is that the prebuilt images sometimes come with additional software installed that gives a little more integration with the host, for instance being able to share a clipboard between Windows and Linux. To get this yourself, simply click the Devices tab > Insert Guest Additions CD Image… and follow the instructions to install the additional software.
If, after the initial install and reboot, you find yourself back in the Ubuntu installer, you may need to remove the virtual disc by right-clicking the CD icon in the lower corner and deselecting Ubuntu.iso.
In most of our other guides you will see us use the terminal. You can find it by clicking the boxes icon in the lower-left corner and typing "terminal", or, quicker, by pressing Ctrl + Alt + T. Some other beginner tips: if you need to run a command as administrator you start the command with sudo (short for superuser do). You will need to type your password to do this, and something that catches a lot of people out is that your password isn't displayed as you type it in the terminal (for obvious reasons!).
Some simple commands to get you started on Linux are:
sudo apt update
sudo apt upgrade
These two commands will install the latest updates for your OS.
Although I’ve mentioned the terminal, most people could use Ubuntu without ever needing to open the terminal, my wife for instance has been using it for 10 years and never needed it once!
I bought the Xiaomi 4A router a while back because it's quite cheap considering its specifications; it really is good value for money. Though the performance of the stock firmware was OK, I personally had a few concerns about how it runs. For instance, checking my Pi-hole I could see the 4A polls home to a Xiaomi address every few seconds; in fact, it was one of the highest-traffic devices on my network from this polling alone. Also, although having an app that lets me change settings from anywhere is convenient, it triggers my internal security worries: if I can access this and make changes from anywhere, so could someone else if the account were hacked or leaked. I prefer something I can fully trust and fully configure… Enter OpenWrt, open-source firmware for any router that will take it.
I had originally ordered a CH341A to install OpenWrt, but while waiting for it to be delivered I found that another method had been discovered, named "OpenWrtInvasion": a clever little exploit that works by uploading a backup file that can be tricked into being extracted to any directory. With that, it replaces a speed-test script with its own, which removes the root password and starts a telnet server, allowing us to log in, upload our own firmware and flash it. OpenWrtInvasion doesn't only work for the 4A; it also works for the 4C, 3Gv2, 4Q, miWifi 3C and no doubt other Xiaomi routers.
In the video I run the exploit from an Ubuntu VM; personally I find Linux more stable for these kinds of things, but I will do a Windows version eventually. It's important to note that the STOK code is generated for whichever machine logged in, so if I were to log in to the router from my Windows PC (running the VM), take the code and try to run the exploit in the Ubuntu VM, it wouldn't work; I have to log in from Ubuntu and have it generate its own code for this to work. I noticed this when people were SSHing to Raspberry Pis remotely and failing to run the exploit. Also, if you reboot the router a new STOK will need to be generated.
Some firmware images are better than others. Unfortunately, at the time of writing, the most current version of OpenWrt isn't working, but if you search the OpenWrt forum there are plenty of builds that are working well. Currently I'm using version DB260179, which works perfectly as far as I can tell. Some tweaking of the WiFi settings can be needed to make it almost as good as the stock firmware; these are my current settings for both 2.4 and 5GHz:
As part of the guide we also added a quick and easy way to debrick the router. With the testing of lots of new firmware images comes the risk of bricking the router; thankfully it's trivial (TFTP pun!) to repair it. If the router is booted with the reset button pushed it starts in safe mode, which looks for a firmware image named "test.bin" on a TFTP server; if it finds one it will install it and overwrite any other firmware on the device. Unfortunately we can't use this to install OpenWrt (because the header of the file is checked), but we can reinstall the stock firmware and then reattempt the OpenWrt install. We have made a download page for the debrick tools that you can find here; it's a preconfigured TFTP server and DHCP server and already has the 4A Gigabit firmware (and that of other routers) in the folder, named test.bin. If you are using one of the other routers supported by this method, make sure you have the correct stock firmware image (other images can be found here; Google Translate is your friend!), put it in the folder and rename it to test.bin before attempting to repair the router.
To use OpenWrtInvasion the router will need access to the internet via the WAN port.
The debrick tool sometimes takes a few attempts. Ensure you have nothing else connected, that you have set your IP correctly and that you leave it plenty of time to work; if you see something about test.bin in the log it has done what it should.
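To show what the preconfigured TFTP server in the debrick tool is doing on the wire, here is an added minimal TFTP read server in Python (my own illustration, not the tool from the download page): it answers a single request for test.bin and refuses every other filename. The listening port, the retry count and the sample request packet are my assumptions.

```python
import socket
import struct

RRQ, DATA, ACK, ERROR = 1, 3, 4, 5  # TFTP opcodes (RFC 1350)
BLOCK_SIZE = 512  # a final block shorter than this tells the client the file is complete
SAMPLE_RRQ = b"\x00\x01test.bin\x00octet\x00"  # constructed: an RRQ for test.bin in octet mode


def parse_rrq(packet):
    """Return (filename, mode) from a read request, or None if the packet is not a valid RRQ."""
    if len(packet) < 4 or struct.unpack("!H", packet[:2])[0] != RRQ:
        return None
    fields = packet[2:].split(b"\0")
    if len(fields) < 3:  # filename, mode and the empty field after the final NUL
        return None
    return fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()


def build_data(block, payload):
    # DATA packet: opcode 3, 16-bit block number (wraps after 65535), then up to 512 bytes
    return struct.pack("!HH", DATA, block & 0xFFFF) + payload


def split_blocks(image):
    """Cut the firmware into 512-byte blocks, adding an empty block if the last one is full."""
    blocks = [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]
    if not blocks or len(blocks[-1]) == BLOCK_SIZE:
        blocks.append(b"")
    return blocks


def serve_once(image, port=69, allowed="test.bin", timeout=5.0, retries=5):
    """Answer one RRQ for `allowed` with `image`; any other filename gets a File-not-found error."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("", port))  # port 69 needs root; the router's safe mode uses the standard port
        request, client = listener.recvfrom(1024)
        req = parse_rrq(request)
        if req is None or req[0] != allowed:
            listener.sendto(struct.pack("!HH", ERROR, 1) + b"File not found\0", client)
            return False
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as xfer:  # new port = our transfer ID
        xfer.settimeout(timeout)
        for block, payload in enumerate(split_blocks(image), start=1):
            for _ in range(retries):  # resend the block until the matching ACK arrives
                xfer.sendto(build_data(block, payload), client)
                try:
                    reply, _ = xfer.recvfrom(1024)
                except socket.timeout:
                    continue
                if len(reply) >= 4 and struct.unpack("!HH", reply[:4]) == (ACK, block & 0xFFFF):
                    break
            else:
                return False  # the router never acknowledged this block
    return True
```

Call serve_once with the bytes of your stock firmware file, as root on the PC wired to the router, and then power the router on with reset held; the return value tells you whether the whole image was acknowledged.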
If you can't access the web interface, most likely the version you installed has no web interface (LuCI). Follow these steps to install it:
Log in via SSH (command line in Windows, or terminal in Linux or Mac):
Now we need to get the latest information on our installed software:
If you have any issues with the previous step, ensure you have an internet connection and that it's not being firewalled. Next, we issue the command that installs LuCI:
opkg install luci
This may take a few minutes to complete; then reboot:
You should now be able to access the web interface.
The opkg tool used above can be really useful. Although you can achieve this in LuCI from the Software tab, you can also use opkg to install software; it's very much like apt for Ubuntu. To install a software package:
opkg install package-name
Where package-name is the name of the software you wish to install. Don't forget pressing Tab can help to auto-complete the name if you don't know the full name of the package.
Let me know how you get on in the comments here or on YouTube!