OpenWrt

Model: Xiaomi Mi Router 4A (Gigabit Edition, per the image name used below)


Approach

  1. Crack the router so that you can log in to it over SSH
  2. Flash the OpenWrt image

Download

C:\Users\Zhonghui\Desktop>set https_proxy=127.0.0.1:7890

# The project used is this one on GitHub
C:\Users\Zhonghui\Desktop>git clone https://github.com/acecilia/OpenWRTInvasion --depth 1
Cloning into 'OpenWRTInvasion'...
remote: Enumerating objects: 51, done.
remote: Counting objects: 100% (51/51), done.
remote: Compressing objects: 100% (42/42), done.
remote: Total 51 (delta 2), reused 44 (delta 2), pack-reused 0
Receiving objects: 100% (51/51), 60.90 MiB | 2.15 MiB/s, done.
Resolving deltas: 100% (2/2), done.

# Python is required; install Python and set up the environment first
(Daily39) C:\Users\Zhonghui\Desktop\OpenWRTInvasion>pip3 install -r requirements.txt
Requirement already satisfied: requests in c:\python\envs\daily39\lib\site-packages (from -r requirements.txt (line 1)) (2.28.1)
Requirement already satisfied: idna<4,>=2.5 in c:\python\envs\daily39\lib\site-packages (from requests->-r requirements.txt (line 1)) (3.3)
Requirement already satisfied: urllib3<1.27,>=1.21.1 in c:\python\envs\daily39\lib\site-packages (from requests->-r requirements.txt (line 1)) (1.26.12)
Requirement already satisfied: certifi>=2017.4.17 in c:\python\envs\daily39\lib\site-packages (from requests->-r requirements.txt (line 1)) (2022.6.15)
Requirement already satisfied: charset-normalizer<3,>=2 in c:\python\envs\daily39\lib\site-packages (from requests->-r requirements.txt (line 1)) (2.1.1)

Cracking

# Notes:
# The cracking step needs certain files; the project offers 2 ways to transfer them to the router
# Transfer via a TCP server started locally: tested, failed
# Download from GitHub: this requires the router to be able to reach GitHub, or change the download URL in the code to a direct link on your own server
# If the stok value is needed, open the router's web page in a browser; the stok value can be found in the address bar
(Daily39) C:\Users\Zhonghui\Desktop\OpenWRTInvasion>python remote_command_execution_vulnerability.py
Router IP address [press enter for using the default 'miwifi.com']: 192.168.31.1
Enter router admin password: # redacted by hand
There two options to provide the files needed for invasion:
   1. Use a local TCP file server runing on random port to provide files in local directory `script_tools`.
   2. Download needed files from remote github repository. (choose this option only if github is accessable inside router device.)
Which option do you prefer? (default: 1)2
****************
router_ip_address: 192.168.31.1
stok: # redacted by hand
file provider: remote github repository
****************
start uploading config file...
start exec command...
done! Now you can connect to the router using several options: (user: root, password: root)
* telnet 192.168.31.1
* ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null root@192.168.31.1
* ftp: using a program like cyberduck

Flashing

# You can now log in to the router over SSH; the default username and password are both root
BusyBox v1.19.4 (2021-09-30 03:16:53 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.
 
 -----------------------------------------------------
       Welcome to XiaoQiang!
 -----------------------------------------------------
  $$$$$$\  $$$$$$$\  $$$$$$$$\      $$\      $$\        $$$$$$\  $$\   $$\
 $$  __$$\ $$  __$$\ $$  _____|     $$ |     $$ |      $$  __$$\ $$ | $$  |
 $$ /  $$ |$$ |  $$ |$$ |           $$ |     $$ |      $$ /  $$ |$$ |$$  /
 $$$$$$$$ |$$$$$$$  |$$$$$\         $$ |     $$ |      $$ |  $$ |$$$$$  /
 $$  __$$ |$$  __$$< $$  __|        $$ |     $$ |      $$ |  $$ |$$  $$<
 $$ |  $$ |$$ |  $$ |$$ |           $$ |     $$ |      $$ |  $$ |$$ |\$$\
 $$ |  $$ |$$ |  $$ |$$$$$$$$\       $$$$$$$$$  |       $$$$$$  |$$ | \$$\
 \__|  \__|\__|  \__|\________|      \_________/        \______/ \__|  \__|
 
 
root@XiaoQiang:~# cd /tmp/
root@XiaoQiang:/tmp# wget -O firmware.bin http://mirror.nju.edu.cn/openwrt/releases/21.02.0/targets/ramips/mt7621/openwrt-21.02.0-ramips-mt7621-xiaomi_mi-router-4a-gigabit-squashfs-sysupgrade.bin # download the official image
Connecting to mirror.nju.edu.cn (210.28.130.3:80)
firmware.bin         100% |***********************************************************************|  5632k  0:00:00 ETA
root@XiaoQiang:/tmp# mtd -e OS1 -r write firmware.bin OS1 # flash it
Unlocking OS1 ...
Erasing OS1 ...
 
Writing from firmware.bin to OS1 ...
Rebooting ...
client_loop: send disconnect: Connection reset
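The image above is fetched over plain HTTP and written straight to flash. OpenWrt publishes a sha256sums file in the same release directory as every image (here releases/21.02.0/targets/ramips/mt7621/), so the download can be checked before the mtd write. The following is an added example, not part of the original notes or of the OpenWRTInvasion project. It assumes the image and the sha256sums file are both already on the router under /tmp; because the page renames the download to firmware.bin with wget -O, the name the image has inside sha256sums is passed as a separate argument. It only uses sha256sum and awk, which the stock BusyBox provides.

```shell
#!/bin/sh
# Added example: verify a downloaded OpenWrt image against OpenWrt's sha256sums
# file before handing it to mtd.
#
# verify_image IMAGE NAME SUMSFILE
#   IMAGE    local path of the downloaded file (e.g. /tmp/firmware.bin)
#   NAME     file name as listed in sha256sums (needed because wget -O renamed it)
#   SUMSFILE local path of the sha256sums file for the same target directory
# Returns 0 on match, 1 on mismatch, 2 if NAME is not listed in SUMSFILE.
verify_image() {
    image="$1"
    name="$2"
    sums="$3"
    # sha256sums lines look like "<hex> *<filename>"; match the name exactly,
    # stripping the leading '*' that marks binary mode.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $image matches $name"
        return 0
    fi
    echo "MISMATCH: $image" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}

# Intended use on the router (assumed paths); the flash only happens if the check passes:
#   verify_image /tmp/firmware.bin \
#     openwrt-21.02.0-ramips-mt7621-xiaomi_mi-router-4a-gigabit-squashfs-sysupgrade.bin \
#     /tmp/sha256sums && mtd -e OS1 -r write /tmp/firmware.bin OS1
```

The sums file should come from a source you trust rather than the same plain-HTTP mirror as the image; for example download it on the PC from downloads.openwrt.org over HTTPS and copy it to the router with the ftp access the tool opens. Checking the image against a sums file fetched over the same unauthenticated channel only detects a corrupted download, not a substituted one.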

Switching the package mirror

Use the Nanjing University mirror: log in to the router and edit the /etc/opkg/distfeeds.conf file, replacing downloads.openwrt.org in it with mirror.nju.edu.cn/openwrt. The package manager OpenWrt uses is opkg.
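The same edit done with sed, as an added example that is not part of the original notes: it keeps a backup of the feed file, escapes the dots in the old host name so they match literally, and prints how many feed lines reference the mirror afterwards. The distfeeds.conf lines used in the test are constructed in the shape OpenWrt 21.02 writes them for this target; the file path, old host and mirror path default to the values from the notes and can all be overridden.

```shell
#!/bin/sh
# Added example: rewrite /etc/opkg/distfeeds.conf to use a mirror, keeping a backup.
#
# switch_feed_mirror [CONF] [OLD_HOST] [NEW_HOST_PATH]
#   CONF           feed file, default /etc/opkg/distfeeds.conf
#   OLD_HOST       text to replace, default downloads.openwrt.org
#   NEW_HOST_PATH  replacement, default mirror.nju.edu.cn/openwrt
# Writes CONF.bak first, then prints the number of lines that reference the mirror;
# returns nonzero if the file is missing or no line references the mirror afterwards.
switch_feed_mirror() {
    conf="${1:-/etc/opkg/distfeeds.conf}"
    old="${2:-downloads.openwrt.org}"
    new="${3:-mirror.nju.edu.cn/openwrt}"
    [ -f "$conf" ] || { echo "$conf not found" >&2; return 1; }
    cp "$conf" "$conf.bak" || return 1
    # Escape regex metacharacters in the old host so '.' matches a literal dot.
    old_re=$(printf '%s' "$old" | sed 's/[.[\*^$]/\\&/g')
    # '|' is used as the sed delimiter because the replacement contains '/'.
    # Reading from the backup and writing the original keeps this portable
    # across GNU and BusyBox sed (no reliance on sed -i).
    sed "s|${old_re}|${new}|g" "$conf.bak" > "$conf" || return 1
    grep -c "$new" "$conf"
}

# Intended use on the router, after which the package lists are refreshed:
#   switch_feed_mirror && opkg update
```

Changing the feed host does not weaken package verification: opkg still checks the signature of the Packages index it downloads (controlled by `option check_signature` in /etc/opkg.conf, with the release keys in /etc/opkg/keys), and the mirror serves the same signed index as downloads.openwrt.org, so a tampered feed is rejected with a signature error rather than installed.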

Summary (see the comments above)