Installing OpenWrt on the Xiaomi 4A, 4C, 3Gv2, 4Q, miWifi 3C and debrick method


Update: I created a newer video with a more up-to-date guide that you can find by clicking here!

I bought the Xiaomi 4A router a while back because it is quite cheap for its specifications; it really is good value for money. The stock firmware performed acceptably, but I had a few concerns about how it behaves. Checking my Pi-hole, I could see the 4A polling home to a Xiaomi address every few seconds; with that polling alone it was one of the highest-traffic devices on my network. An app that lets me change settings from anywhere is convenient, but it also triggers my security worries: if I can reach the router and change its configuration from anywhere, so could someone else if the account were hacked or the credentials leaked. I prefer something I can fully trust and fully configure… Enter OpenWrt, open-source firmware for any router that will take it.

I had originally ordered a CH341A (a USB SPI flash programmer) to install OpenWrt, but while waiting for it to be delivered another method was found, named “OpenWrtInvasion”. It is a clever little exploit: it uploads a backup file crafted so that the router extracts it into a directory of the uploader’s choosing, replacing a speed-test script with one that removes the root password and starts a telnet server. That lets us log in, upload our own firmware image and flash it. OpenWrtInvasion doesn’t only work for the 4A; it also works for the 4C, 3Gv2, 4Q, miWifi 3C and no doubt other Xiaomi routers.

In the video I run the exploit from an Ubuntu VM; personally I find Linux more stable for this kind of thing, but I will do a Windows version eventually. It’s important to note that the STOK code is generated for whichever machine is logged in to the router. If I were to log in to the router from my Windows PC (the one running the VM), take the code and try to run the exploit in the Ubuntu VM, it wouldn’t work; I have to log in from Ubuntu and let it generate its own code. I noticed this when people were SSHing to Raspberry Pis remotely and failing to run the exploit. Also, if you reboot the router, a new STOK will need to be generated.

Some firmware images are better than others. Unfortunately, at the time of writing the most current version of OpenWrt isn’t working, but if you search the OpenWrt forum there are plenty of builds that work well. I’m currently using version DB260179, which works perfectly as far as I can tell. Some tweaking of the WiFi settings can be needed to get it almost as good as the stock firmware; these are my current settings for both 2.4 and 5GHz:

As part of the guide we also added a quick and easy way to debrick the router. Testing lots of new firmware images carries the risk of bricking the router; thankfully it’s trivial (TFTP pun!) to repair. If the router is booted with the reset button held, it starts in safe mode and looks for a firmware image named “test.bin” on a TFTP server; if it finds one, it installs it, overwriting whatever firmware is on the device. Unfortunately we can’t use this to install OpenWrt (the file header is checked), but we can reinstall the stock firmware and then reattempt the OpenWrt install. We have made a download page for the debrick tools that you can find here: it is a preconfigured TFTP server and DHCP server, and it already contains the 4A Gigabit firmware (and images for the other routers) in the folder, named test.bin. If you are using one of the other routers supported by this method, make sure you have the correct stock firmware image (other images can be found here; Google Translate is your friend!) and that you have put it in the folder and renamed it to test.bin before attempting to repair the router.
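To make the recovery mechanism concrete, here is a minimal read-only TFTP server in Python. It is an example written for this post, not the preconfigured debrick tool linked above and not part of OpenWrt. It serves only a file named test.bin from one directory (so a mistyped or hostile request can’t pull any other file off your PC), answers read requests per RFC 1350 with the default 512-byte blocks, and logs when the router has fetched the image. The bind address 192.168.31.100 is an assumption; set it to whatever address your model’s recovery loader expects the server on.

```python
#!/usr/bin/env python3
"""Minimal read-only TFTP server (RFC 1350) for the recovery procedure described above.
Example code written for this page; the debrick download linked above is a different, prebuilt tool."""
import os
import socket
import struct
import sys

BLOCK_SIZE = 512                    # RFC 1350 default; RFC 2347 options are ignored
OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
ALLOWED_FILES = {"test.bin"}        # the only name the router's recovery loader asks for
DEFAULT_BIND_IP = "192.168.31.100"  # assumed host address; confirm it for your model


def parse_rrq(pkt):
    """Return (filename, mode) for a read request, or None for any other packet."""
    if len(pkt) < 4 or struct.unpack("!H", pkt[:2])[0] != OP_RRQ:
        return None
    fields = pkt[2:].split(b"\0")
    if len(fields) < 3:             # filename, mode, and the empty field after the final NUL
        return None
    return (fields[0].decode("ascii", "replace"),
            fields[1].decode("ascii", "replace").lower())


def parse_ack(pkt):
    """Return the acknowledged block number, or None if this is not an ACK."""
    if len(pkt) != 4 or struct.unpack("!H", pkt[:2])[0] != OP_ACK:
        return None
    return struct.unpack("!H", pkt[2:])[0]


def data_packet(block, chunk):
    return struct.pack("!HH", OP_DATA, block & 0xFFFF) + chunk


def error_packet(code, message):
    return struct.pack("!HH", OP_ERROR, code) + message.encode("ascii") + b"\0"


def chunks(data):
    """Split into 512-byte blocks; a final short (possibly empty) block signals end of file."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    if not blocks or len(blocks[-1]) == BLOCK_SIZE:
        blocks.append(b"")
    return blocks


def safe_path(root, filename):
    """Map a requested name onto the serving directory; only exact allowed names are served."""
    if filename not in ALLOWED_FILES:   # exact match: no separators, so no traversal is possible
        return None
    path = os.path.join(root, filename)
    return path if os.path.isfile(path) else None


def send_file(sock, client, data, timeout=5.0, retries=5):
    """Stop-and-wait transfer: send each block, resend until the matching ACK arrives."""
    sock.settimeout(timeout)
    block_no = 0
    for block_no, chunk in enumerate(chunks(data), start=1):
        pkt = data_packet(block_no, chunk)
        for _ in range(retries):
            sock.sendto(pkt, client)
            try:
                reply, sender = sock.recvfrom(516)
            except socket.timeout:
                continue
            if sender == client and parse_ack(reply) == (block_no & 0xFFFF):
                break
        else:
            raise TimeoutError(f"no ACK for block {block_no}")
    return block_no


def serve(root, bind_ip=DEFAULT_BIND_IP, port=69):
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind((bind_ip, port))        # port 69 needs root privileges
    print(f"TFTP recovery server on {bind_ip}:{port}, serving {sorted(ALLOWED_FILES)} from {root}")
    while True:
        pkt, client = listener.recvfrom(516)
        req = parse_rrq(pkt)
        if req is None:
            continue                      # only read requests are answered
        filename, mode = req
        path = safe_path(root, filename)
        if path is None:
            listener.sendto(error_packet(1, "File not found"), client)
            continue
        if mode != "octet":
            listener.sendto(error_packet(0, "Only octet mode is supported"), client)
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        transfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        transfer.bind((bind_ip, 0))       # fresh transfer ID (port) per RFC 1350
        try:
            sent = send_file(transfer, client, data)
            print(f"sent {filename} ({len(data)} bytes, {sent} blocks) to {client[0]}")
        except TimeoutError as exc:
            print(f"transfer to {client[0]} failed: {exc}")
        finally:
            transfer.close()


if __name__ == "__main__":
    serve(sys.argv[1] if len(sys.argv) > 1 else ".")
```

Run it as root from the folder that holds test.bin (`sudo python3 tftp_recovery.py .`), with your PC’s address set statically and nothing else on the link, then power the router on with reset held. The “sent test.bin” line is the equivalent of the test.bin message in the debrick tool’s log.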

Troubleshooting

To use OpenWrtInvasion the router will need access to the internet via the WAN port.

The debrick tool sometimes takes a few attempts. Ensure you have nothing else connected, that you have set your IP address correctly, and that you leave it plenty of time to work; if you see something about test.bin in the log, it has done what it should.

If you can’t access the web interface, most likely the version you installed has no web interface (LuCI). Follow these steps to install it:

Log in via SSH (Command Prompt in Windows, or a terminal in Linux or macOS):

ssh root@192.168.1.1

# Change the IP if you’ve changed it from the default

Now we need to get the latest package information:

opkg update

If you have any issues with the previous step, ensure you have an internet connection and that it isn’t being firewalled. Next, we issue the upgrade command to install the newer versions, and then install LuCI:

opkg upgrade

opkg install luci

This may take a few minutes to complete; then reboot:

reboot

You should now be able to access the web interface.

The opkg tool used above can be really useful. Although you can install software from the Software tab in LuCI, you can use opkg to install software as well; it’s very much like apt on Ubuntu. To install a software package:

opkg install package-name

# Where package-name is the name of the software you wish to install. Don’t forget that pressing Tab can help auto-complete the name if you don’t know the full name of the package.
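Before running the opkg steps above blindly, it helps to see what is already installed and what an upgrade would change. The script below is an example written for this post (not part of OpenWrt or opkg): it parses the output of `opkg list-installed` and `opkg list-upgradable`, reports whether the LuCI packages are present, and treats a failed `opkg update` as the connectivity problem described above. The sample output is constructed, and both the LUCI_CORE package list and the “Failed to download” failure string are assumptions to check against your own build.

```python
#!/usr/bin/env python3
"""Check what opkg has installed and what an upgrade would touch before changing the router.
Example code written for this page, not part of OpenWrt or opkg."""
import shutil
import subprocess
import sys

# Packages `opkg install luci` pulls in (assumed); if any is missing there is no web interface.
LUCI_CORE = ("luci", "luci-base", "uhttpd")

# Constructed sample output, not copied from a real router.
SAMPLE_INSTALLED = """\
base-files - 212-r11063-85e04e9f46
dropbear - 2019.78-2
opkg - 2020-01-25-1
wpad-basic - 2019-08-08-1
"""
SAMPLE_UPGRADABLE = """\
dropbear - 2019.78-2 - 2019.78-3
wpad-basic - 2019-08-08-1 - 2019-08-08-2
"""


def parse_installed(text):
    """`opkg list-installed` prints one 'name - version' line per package."""
    pkgs = {}
    for line in text.splitlines():
        name, sep, version = line.strip().partition(" - ")
        if sep and name:
            pkgs[name] = version
    return pkgs


def parse_upgradable(text):
    """`opkg list-upgradable` prints 'name - installed - available' per package."""
    pkgs = {}
    for line in text.splitlines():
        parts = line.strip().split(" - ")
        if len(parts) == 3:
            pkgs[parts[0]] = (parts[1], parts[2])
    return pkgs


def missing_web_ui(installed):
    """Names from LUCI_CORE that are not installed (an empty list means LuCI is present)."""
    return [p for p in LUCI_CORE if p not in installed]


def update_failed(output):
    """True when `opkg update` could not fetch a feed (no WAN link, DNS or firewall problem).
    The matched strings are assumed from typical opkg output."""
    return "Failed to download" in output or "wget returned" in output


def run_opkg(*args):
    return subprocess.run(["opkg", *args], capture_output=True, text=True, check=False)


if __name__ == "__main__":
    if shutil.which("opkg") is None:
        sys.exit("opkg not found: run this on the router, or feed saved output to the parsers")
    update = run_opkg("update")
    if update.returncode != 0 or update_failed(update.stdout + update.stderr):
        sys.exit("opkg update failed: check the WAN link and that the feeds are not firewalled")
    installed = parse_installed(run_opkg("list-installed").stdout)
    upgradable = parse_upgradable(run_opkg("list-upgradable").stdout)
    missing = missing_web_ui(installed)
    print(f"{len(installed)} packages installed")
    print("web interface: " + ("present" if not missing else "missing " + ", ".join(missing)))
    for name, (old, new) in sorted(upgradable.items()):
        print(f"upgrade available: {name} {old} -> {new}")
```

OpenWrt does not ship Python by default, so either install python3-light on a router with enough flash, or save the command output on your PC (for example `ssh root@192.168.1.1 opkg list-installed > installed.txt`) and run the parser functions over the saved text. Knowing which packages an upgrade will replace matters on a device with little flash, and knowing LuCI is absent tells you the fix is the `opkg install luci` step above rather than a network problem.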

Let me know how you get on in the comments here or on YouTube!


18 responses to “Installing OpenWrt on the Xiaomi 4A, 4C, 3Gv2, 4Q, miWifi 3C and debrick method”

  1. Thanks for your guides Mr. Hoddys, I successfully installed OpenWrt on my Xiaomi 4A Gigabit; I’m new to OpenWrt.
    But I get some errors when activating 5G as AP (master) and client at the same time: client mode becomes inactive.
    If I turn off 5G ‘master’ mode, ‘client’ mode becomes active again.
    This error does not happen on 2.4G; I can activate both modes simultaneously.
    Can you help me with this problem? Thank you in advance.

    • I can’t say I’ve had this problem, but I’ve not used it in this mode before. I will test it on mine in a few hours and see if I can help you. Can I ask which firmware image you’re using? Is it the one from the description?

      • Yes, I’m using the firmware from the link above, build 19.07.3 by Zorro.
        OpenWrt 19.07.3 r11063-85e04e9f46 / LuCI openwrt-19.07 branch git-20.136.49537-fb2f363

        • I think I’m having the same issue as you. I’ve got a lot running on my network today so I can’t fully test it right now, but it seemed to drop the AP when trying to connect; I’m also on a slightly newer Zorro build. We’re still not 100% sure where the drivers in Zorro’s build come from; they may be proprietary, so that might be why. I think the best move is to system upgrade to the version by Byte (link here), something I’ve been meaning to do myself. Source is known for that version, so hopefully it will be more stable. Let me know if this helps!

          • I tried that version (by Byte) but I got the same errors: I can’t activate both modes simultaneously, and I have been unable to access LuCI from Firefox, but I can still access LuCI from Chrome.
            I want to thank you for taking the time to answer my questions. I am sure that you are busy, and so I greatly appreciate your personal response. Thank you again.

          • It’s no problem! Normally to fix the login issue you need to clear the cache in Firefox; usually pressing CTRL+F5 will do the trick, it’s just holding some data from the last version. Thinking about it, do you need to connect both 2.4 and 5GHz in client mode? If, for instance, you’re connecting to make a repeater, you would only need to connect one to have it function as a repeater; ideally that would be the 5GHz because it’s faster. So what I’m thinking is: have you tried setting the 2.4 as AP only, then setting the 5 as AP and client, and seeing if that works?

    • Sir, can you help me with installing OpenWrt on my Xiaomi 4A Gigabit device? We can use TeamViewer.

      • Hi Sillo100, unfortunately I’m not able to do that. Feel free to follow my guide and I will help if I can, but I can’t/won’t do it for you. From a security standpoint, you really shouldn’t offer people you don’t know access to your systems via TeamViewer, especially when installing something as powerful as OpenWrt; they could easily leave a backdoor when installing, so I’d really advise against this.

  2. My internet source is a WISP (2.4GHz & 5GHz); these days 2.4GHz is getting more and more crowded in my neighborhood. That’s the reason I bought a new 5GHz router. Unfortunately I can’t use my OpenWrt router as a 5GHz client and master simultaneously. I currently use 5GHz as client and 2.4GHz as master (AP). I hope one day I can use both modes in 5GHz. 🙂
    Thanks Hoddy.

    • Ok, I got it to work, but you have to enable it in a certain order (I have no idea why!). Set up your AP first, enable it and make sure it’s running. Now click the “scan” button on your 5GHz radio, search for your other AP and select it, input its password (I also set the channel to auto) and save it. Enable the client, give it a few seconds and hopefully you will have both working together! This is using the firmware version by Byte, but it may work on others.

      • Hi Hoddy,
        After trying Byte’s build, I decided to go back to using Zorro’s build.
        Zorro’s build doesn’t have any problems with HTTPS in Firefox, and I can use mwan3 on his build without the incompatible kernel error etc. It’s running well so far.

          • No Hoddy, it didn’t work.
            I’m still getting the same problem: I cannot activate 5GHz as AP and STA at the same time.
            I got some error messages in the system log, a wpad error or something.
            Just for information, I’m using WPA2-EAP encryption to connect to my WiFi ISP, so I replaced wpad-basic with wpad.

          • I managed to get it to work as both AP and client using the method I mentioned before, so I’m guessing it’s either Zorro’s build that’s causing you an issue or you have an issue with your WPA2-EAP setup; it might be worth testing with a hotspot on your mobile with standard WPA2-PSK and seeing if you can run both. If the only reason you’re not using Byte’s version is the login issue, it’s an easy fix by clearing your cache. I’m making it part of a later video, but I’ve uploaded a quick clip to show you how here.

          • Thanks for the videos.
            I didn’t use Byte’s build because of the incompatible kernel with mwan3.

            After doing some tests I think I found the problem. The problem is in the MAC address clone. I have to change the MAC address to connect to my ISP, so I changed it manually in the /etc/config/wireless file by adding the option macaddr ‘xx:xx:xx:xx’ because Interface/wwan/Override MAC address doesn’t work. Are there other ways to change it?
            On my other router, I changed the MAC address through the Breed web MAC address option, and that works fine.

          • Once you’ve made changes to that file you need to refresh the service; the easiest way is to reboot the router for it to take effect. Another option is to install the macchanger software and manually set it; I haven’t used that software for a long time and I think the change is temporary, so you might need to read up on it.
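The thread above ends with editing /etc/config/wireless by hand to add `option macaddr` to the client interface. The Python script below is an example written for this post (not part of OpenWrt, uci or LuCI): it parses the UCI file format, validates the MAC address (canonical form and the unicast bit, so a typo can’t leave the radio with a group address), sets it only on the STA interface attached to the named network, and prints the updated file. The sample config and the MAC value are constructed; on a real router you would run it against /etc/config/wireless with your own address.

```python
#!/usr/bin/env python3
"""Set `option macaddr` on the STA (client) wifi-iface bound to a network in a UCI wireless
config. Example code written for this page; not part of OpenWrt, LuCI or uci."""
import re
import shlex
import sys

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample in /etc/config/wireless format, not copied from any device.
SAMPLE_WIRELESS = """\
config wifi-device 'radio1'
\toption type 'mac80211'
\toption channel 'auto'

config wifi-iface 'wifinet1'
\toption device 'radio1'
\toption network 'wwan'
\toption mode 'sta'
\toption ssid 'My ISP'
\toption encryption 'psk2'
"""


def parse_uci(text):
    """Parse config/option/list lines into [{'type', 'name', 'options'}] in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # handles 'single' and "double" quoted values
        kw = tokens[0] if tokens else ""
        if kw == "config" and len(tokens) >= 2:
            name = tokens[2] if len(tokens) > 2 else None
            sections.append({"type": tokens[1], "name": name, "options": {}})
        elif kw in ("option", "list") and sections and len(tokens) == 3:
            opts = sections[-1]["options"]
            if kw == "option":
                opts[tokens[1]] = tokens[2]
            else:
                opts.setdefault(tokens[1], []).append(tokens[2])
        else:
            raise ValueError(f"unexpected UCI line: {raw!r}")
    return sections


def _quote(value):
    if "'" in value:
        raise ValueError("single quotes in UCI values are not supported here")
    return f"'{value}'"


def render_uci(sections):
    """Serialise back to the tab-indented, single-quoted layout uci itself writes."""
    blocks = []
    for s in sections:
        lines = [f"config {s['type']}" + (f" {_quote(s['name'])}" if s["name"] else "")]
        for key, val in s["options"].items():
            if isinstance(val, list):
                lines.extend(f"\tlist {key} {_quote(v)}" for v in val)
            else:
                lines.append(f"\toption {key} {_quote(val)}")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def normalise_mac(mac):
    """Canonical lower-case colon form; reject malformed or multicast (group-bit) addresses."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    if int(mac[:2], 16) & 0x01:
        raise ValueError("multicast bit set; a station MAC must be unicast")
    return mac


def set_sta_macaddr(sections, network, mac):
    """Write macaddr on the one sta wifi-iface attached to `network`; return that section's name."""
    mac = normalise_mac(mac)
    matches = [s for s in sections
               if s["type"] == "wifi-iface"
               and s["options"].get("mode") == "sta"
               and s["options"].get("network") == network]
    if len(matches) != 1:
        raise LookupError(f"expected one sta wifi-iface on {network!r}, found {len(matches)}")
    matches[0]["options"]["macaddr"] = mac
    return matches[0]["name"]


if __name__ == "__main__":
    # usage: uci_macaddr.py /etc/config/wireless 02:11:22:33:44:55 > wireless.new
    path = sys.argv[1] if len(sys.argv) > 1 else None
    mac = sys.argv[2] if len(sys.argv) > 2 else "02:11:22:33:44:55"   # constructed example value
    text = open(path, encoding="utf-8").read() if path else SAMPLE_WIRELESS
    sections = parse_uci(text)
    name = set_sta_macaddr(sections, "wwan", mac)
    sys.stderr.write(f"set macaddr on section {name}\n")
    sys.stdout.write(render_uci(sections))
```

Review the output, copy it over /etc/config/wireless, then reboot as the reply above says (or run `wifi` to reload the wireless configuration). On the router itself the same edit can be made without a parser using `uci set wireless.wifinet1.macaddr='02:11:22:33:44:55'` followed by `uci commit wireless`; the script’s value is the validation and the check that exactly one client interface is being changed.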
