Replace XiaoMi Mini Router (R1CM) from stock firmware to OpenWrt

Most of my references are from:
1. https://wiki.openwrt.org/toh/xiaomi/mini
2. http://oxmini.blogspot.hk

I have summarized my steps below:

  1. Enable SSH
    1. By using the official Xiaomi method; OR
      1. Flash your router to the development version
        1. Go to http://miwifi.com/miwifi_download.html
        2. Click "ROM"
        3. Download "ROM for Mini 开发版" (the developer version).
        4. Copy the ROM onto your USB stick and rename the file to "miwifi.bin".
        5. Power off your router.  Insert the USB stick into your router.
        6. Press and hold the reset button (at the back of the router).  Power on your router.  Wait until the router LED turns yellow and then starts flashing.  Then you can release the reset button.
        7. The router will install the latest version and then reboot again.  The LED will turn yellow, then blue once booting has completed.
        8. If the LED turns red, there was a problem with patching.  Please remove the USB stick and reboot again.
        9. Then you can access your router again at the default IP: 192.168.31.1
      2. Register the router with your XiaoMi account
        1. Register a Xiaomi account (if you haven't).
        2. Download the Android mobile app from http://miwifi.com/miwifi_download.html.
        3. Open the app, set up the router and pair the router with your Xiaomi account.
      3. Enable SSH
        1. Log in to your Xiaomi account at https://d.miwifi.com/rom/ssh
        2. You will then see your Xiaomi router listed there with your SSH password.
        3. Download the SSH patch (next to the password).  Please note that the SSH patch is only applicable to the device you specify.
        4. Save the patch to your USB stick (you must first remove the firmware file we put on the stick earlier).  Please ensure the filename is miwifi_ssh.bin.
        5. Power off your router.  Insert your USB stick.  Then press and hold the reset button (at the back of the router).  Power on the router.  The LED will turn yellow, then flash yellow.  At this point you can release the reset button.
    2. By exploiting the Admin Screen Bug (reference: OpenWRT)
      1. The latest ROM has patched this bug, so you need to downgrade your firmware.  I have tested with "v2.7.11 developer version".  Some people say v2.11.20 is also OK.
      2. Log in to the admin screen at http://192.168.31.1
      3. Copy the stok value from the URL parameter (for instance: "9c2428de4d17e2db7e5a6a337e6f57a3")
      4. Insert your stok value after "stok=" in each of the URLs below, and paste each one in turn into your browser's address bar:
        http://192.168.31.1/cgi-bin/luci/;stok=/api/xqnetwork/set_wifi_ap?ssid=tianbao&encryption=NONE&enctype=NONE&channel=1%3Bnvram%20set%20ssh%5Fen%3D1%3B%20nvram%20commit

        http://192.168.31.1/cgi-bin/luci/;stok=/api/xqnetwork/set_wifi_ap?ssid=tianbao&encryption=NONE&enctype=NONE&channel=1%3Bsed%20%2Di%20%22%3Ax%3AN%3As%2Fif%20%5C%5B%2E%2A%5C%3B%20then%5Cn%2E%2Areturn%200%5Cn%2E%2Afi%2F%23tb%2F%3Bb%20x%22%20%2Fetc%2Finit.d%2Fdropbear

        http://192.168.31.1/cgi-bin/luci/;stok=/api/xqnetwork/set_wifi_ap?ssid=tianbao&encryption=NONE&enctype=NONE&channel=1%3B%2Fetc%2Finit.d%2Fdropbear%20start
      5. In the URL below, insert your stok value after "stok=", your existing router password after "oldPwd=" and a new password after "newPwd=":
        http://192.168.31.1/cgi-bin/luci/;stok=/api/xqsystem/set_name_password?oldPwd=&newPwd=
      6. Then you should be able to access your router via PuTTY
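
The three set_wifi_ap URLs above all append URL-encoded shell commands to the "channel" parameter after "%3B" (an encoded ";").  The following is an added example, not part of the original post or of any Xiaomi or OpenWrt code: it decodes such a request and flags a "channel" value that is not a plain number, which is the check to run over admin-interface request logs or to apply as input validation.  The names audit_request, ENDPOINT and SAMPLES and the token STOK are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/api/xqnetwork/set_wifi_ap"
# Characters that let a value escape into a shell command line.
SHELL_META = re.compile(r"[;&|`$<>\\\"'\n]")


def audit_request(url):
    """Return (param, decoded_value, reason) findings for one request URL."""
    parts = urlsplit(url)
    if not parts.path.endswith(ENDPOINT):
        return []
    findings = []
    # parse_qs percent-decodes each value, so %3B shows up as ';'.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if name == "channel" and not re.fullmatch(r"[0-9]{1,3}", value):
                findings.append((name, value, "channel is not a plain number"))
            elif name != "channel" and SHELL_META.search(value):
                findings.append((name, value, "shell metacharacter in value"))
    return findings


# Constructed sample requests.  STOK is a placeholder token; the second URL
# is the first URL from the step above with that placeholder inserted.
SAMPLES = [
    "http://192.168.31.1/cgi-bin/luci/;stok=STOK/api/xqnetwork/set_wifi_ap"
    "?ssid=home&encryption=NONE&enctype=NONE&channel=1",
    "http://192.168.31.1/cgi-bin/luci/;stok=STOK/api/xqnetwork/set_wifi_ap"
    "?ssid=tianbao&encryption=NONE&enctype=NONE"
    "&channel=1%3Bnvram%20set%20ssh%5Fen%3D1%3B%20nvram%20commit",
]

if __name__ == "__main__":
    for url in SAMPLES:
        for name, value, reason in audit_request(url):
            print(f"ALERT {name}={value!r}: {reason}")
```
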
  2. Download and copy OpenWRT firmware
    1. Download the OpenWrt firmware from http://downloads.openwrt.org/chaos_calmer/15.05/ramips/mt7620/openwrt-15.05-ramips-mt7620-xiaomi-miwifi-mini-squashfs-sysupgrade.bin and copy it onto your USB stick.
    2. Insert the USB stick into your router.  It should be mounted automatically.
    3. Log in to your router using SSH.  Your username is root and the password is what you see under your Xiaomi account.
    4. Then copy your firmware to /tmp:
      # cp /extdisks/sda1/openwrt-15.05-ramips-mt7620-xiaomi-miwifi-mini-squashfs-sysupgrade.bin /tmp
  3. Flash your router
    1. Double check your MTD status before flashing:
      root@XiaoQiang:~# cat /proc/mtd
      dev:    size   erasesize  name
      mtd0: 01000000 00010000 "ALL"
      mtd1: 00030000 00010000 "Bootloader"
      mtd2: 00010000 00010000 "Config"
      mtd3: 00010000 00010000 "Factory"
      mtd4: 00c80000 00010000 "OS1"
      mtd5: 00b11e68 00010000 "rootfs"
      mtd6: 00200000 00010000 "OS2"
      mtd7: 00100000 00010000 "overlay"
      mtd8: 00010000 00010000 "crash"
      mtd9: 00010000 00010000 "reserved"
      mtd10: 00010000 00010000 "Bdata"
      root@XiaoQiang:~# df -h
      Filesystem                Size      Used Available Use% Mounted on
      rootfs                   10.8M     10.8M         0 100% /
      /dev/root                10.8M     10.8M         0 100% /
      tmpfs                    60.9M      2.0M     59.0M   3% /tmp
      tmpfs                   512.0K         0    512.0K   0% /dev
      tmpfs                    60.9M      2.0M     59.0M   3% /extdisks
      /dev/mtdblock7            1.0M    724.0K    300.0K  71% /data
      /dev/mtdblock7            1.0M    724.0K    300.0K  71% /etc
      tmpfs                    60.9M      2.0M     59.0M   3% /userdisk/sysapihttpd
      /dev/root                 1.0M    724.0K    300.0K  71% /mnt
      /dev/mtdblock7            1.0M    724.0K    300.0K  71% /mnt
    2. Check if there is an MTD partition called "firmware".  In newer versions of the Xiaomi Mini there is no "firmware", so we will flash into OS1:
      root@XiaoQiang:/tmp# mtd -r write openwrt-15.05-ramips-mt7620-xiaomi-miwifi-mini-squashfs-sysupgrade.bin OS1
      Unlocking OS1 ...

      Writing from openwrt-15.05-ramips-mt7620-xiaomi-miwifi-mini-squashfs-sysupgrade.bin to OS1 ...
      Rebooting ...
    3. After reboot, the default IP is 192.168.1.1.  The default username is root, with no password.  You can access the router via http://192.168.1.1
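
A pre-flight check for the MTD steps above, as an added example that is not from the original post: it parses the output of "cat /proc/mtd", picks "firmware" if that partition exists and "OS1" otherwise, and refuses to continue when the image is larger than the target partition.  The function names and the image sizes used are assumptions; run it on a workstation against output pasted from the router.

```python
import re

# /proc/mtd output copied from the listing in the step above.
PROC_MTD = '''dev:    size   erasesize  name
mtd0: 01000000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 00c80000 00010000 "OS1"
mtd5: 00b11e68 00010000 "rootfs"
mtd6: 00200000 00010000 "OS2"
mtd7: 00100000 00010000 "overlay"
mtd8: 00010000 00010000 "crash"
mtd9: 00010000 00010000 "reserved"
mtd10: 00010000 00010000 "Bdata"
'''

MTD_LINE = re.compile(r'^(mtd\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]+)"$')


def parse_mtd(text):
    """Map partition name -> (device, size in bytes, erase size in bytes)."""
    table = {}
    for line in text.splitlines():
        match = MTD_LINE.match(line.strip())
        if match:  # the "dev: size erasesize name" header does not match
            dev, size, erase, name = match.groups()
            table[name] = (dev, int(size, 16), int(erase, 16))
    return table


def pick_target(mtd_text, image_size):
    """Return (name, device, size) of the partition to flash, or raise."""
    table = parse_mtd(mtd_text)
    for name in ("firmware", "OS1"):  # same preference order as the step above
        if name in table:
            dev, size, _ = table[name]
            if image_size > size:
                raise ValueError(f"image ({image_size} B) exceeds {name} ({size} B)")
            return name, dev, size
    raise LookupError('no "firmware" or "OS1" partition found; do not flash')


if __name__ == "__main__":
    # 4 MiB is a constructed image size; use the real size of your .bin file.
    print(pick_target(PROC_MTD, 4 * 1024 * 1024))
```
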
Common packages to be installed:
  • htop
  • tcpdump
  • iperf
  • ethtool


