[Tutorial] MiWIFI Firmware Modification

Xiaomi's official router firmware uses a custom image format, and the flasher verifies an RSA signature over the image before writing it, so a modified image is normally rejected and cannot be flashed.

Analysis of the firmware tool mkxqimage has largely clarified how images are packed and unpacked. Because the verifier trusts whatever key sits in /usr/share/xiaoqiang/public.pem on the router's root filesystem, the check can be redirected rather than bypassed: sign the image with your own RSA private key, replace /usr/share/xiaoqiang/public.pem with the matching public key, and the web interface will accept the self-made firmware.

I. Unpack Firmware

The firmware tool mkxqimage performs the unpacking. Before splitting an image it first checks that the checksum is correct and then verifies the RSA signature with the public key /usr/share/xiaoqiang/public.pem. Only after both steps pass does it split the image according to the firmware type at [0x0C] and the four item offsets at [0x10], [0x14], [0x18] and [0x1C]. Items that may be included in a firmware image include:

brcm4709_fac_update_nor.bin
brcm4709_nor.bin
fac_mode.bin
nvram_fac.bin
ramfsz
root.ext4.lzma
root.squashfs
upsetting.sh
upsetting_fac1.sh
upsetting_fac2.sh
upsetting_fac3.sh
vmlinuz.trx
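The header fields named above can be read with nothing more than od and tail, which is handy when you want to look inside an image without the router's tool. The script below is an added example written for this page; it is not part of the original post and not mkxqimage's own code. It assumes that the fields are 32-bit little-endian, that the offsets are absolute (counted from byte 0 of the file), that an offset of 0 means an unused slot, and that an item runs to the next higher non-zero offset or to the end of the file. The page states none of these, and it does not give the position of the checksum or the signature, so the script deliberately checks neither: it is a splitter, not a verifier.

```shell
#!/bin/sh
# Added example, not code from the original post or from mkxqimage: read the
# header fields the tutorial names (firmware type at 0x0C, item offsets at
# 0x10/0x14/0x18/0x1C) and carve each item out of an image with POSIX tools.
# Assumptions not stated on the page: 32-bit little-endian fields, absolute
# offsets, 0 = unused slot, an item extends to the next higher non-zero offset
# or to the end of the file. Checksum and RSA signature are NOT checked here.

# xq_u32le FILE OFFSET : print the unsigned 32-bit little-endian value at OFFSET
xq_u32le() {
    f=$1; off=$2
    # od prints the four bytes as hex, lowest address first; reverse them
    set -- $(od -An -v -tx1 -j "$off" -N 4 "$f")
    echo $((0x$4$3$2$1))
}

# xq_split IMAGE OUTDIR : write OUTDIR/item1.bin .. item4.bin for every used slot
xq_split() {
    img=$1; out=$2
    mkdir -p "$out"
    size=$(wc -c < "$img")
    echo "firmware type: $(xq_u32le "$img" 12)"
    offs="$(xq_u32le "$img" 16) $(xq_u32le "$img" 20) $(xq_u32le "$img" 24) $(xq_u32le "$img" 28)"
    n=0
    for start in $offs; do
        n=$((n + 1))
        if [ "$start" -eq 0 ]; then continue; fi
        # the item ends where the next higher offset begins, else at EOF
        end=$size
        for o in $offs; do
            if [ "$o" -gt "$start" ] && [ "$o" -lt "$end" ]; then end=$o; fi
        done
        # tail -c +N is 1-based, so start at $start+1 to skip $start bytes
        tail -c +$((start + 1)) "$img" | head -c $((end - start)) > "$out/item$n.bin"
        echo "item$n: offset=$start size=$((end - start))"
    done
    return 0
}

# usage (stock image name taken from the tutorial):
# xq_split brcm4709_hdr_039ef_0.4.85.bin parts
```

Run it against a stock image and compare the item sizes with what mkxqimage -x produces; if they differ, one of the assumptions above (most likely the offset base or the field width) is wrong for that image.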

II. Firmware Packaging

First, create an RSA key pair: a private key for signing and the matching public key to place in the image.
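The page does not show how the pair is made, so here is one way to do it with OpenSSL, plus two checks worth running before anything is flashed: that the two files really belong together, and that a signature made with the private key verifies with the public key. This is an added example for this page, not code from the original post. It assumes a 2048-bit key (the stock public.pem listed later in the tutorial is 451 bytes, which is exactly the PEM size of a 2048-bit SPKI public key) and uses SHA-256 for the round trip; the page does not say which digest mkxqimage uses, so the round trip proves only that the keys work together, not that it reproduces mkxqimage's signature.

```shell
#!/bin/sh
# Added example, not from the original post: generate the key pair the
# tutorial asks for, confirm the two halves match, and do a sign/verify round
# trip. Assumptions: 2048-bit RSA (matches the 451-byte stock public.pem) and
# SHA-256 for the round trip (the page does not state mkxqimage's digest).

# xq_make_keys DIR : write DIR/private.pem and DIR/public.pem
xq_make_keys() {
    mkdir -p "$1"
    openssl genrsa -out "$1/private.pem" 2048 2>/dev/null
    openssl rsa -in "$1/private.pem" -pubout -out "$1/public.pem" 2>/dev/null
    # the private key is now the only thing standing between anyone and a
    # router that accepts their firmware; keep it off the router
    chmod 600 "$1/private.pem"
}

# xq_keys_match PRIVATE PUBLIC : 0 if both files carry the same modulus
xq_keys_match() {
    a=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    b=$(openssl rsa -pubin -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# xq_sign_verify PRIVATE PUBLIC FILE : sign FILE with PRIVATE, verify with PUBLIC
xq_sign_verify() {
    sig=$(mktemp)
    if openssl dgst -sha256 -sign "$1" -out "$sig" "$3" 2>/dev/null &&
       openssl dgst -sha256 -verify "$2" -signature "$sig" "$3" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$sig"
    return $rc
}

# usage (directory taken from the tutorial; public.pem is what gets copied
# into the image, private.pem is what mkxqimage -p signs with):
# xq_make_keys /userdisk/data/xqimage
# xq_keys_match /userdisk/data/xqimage/private.pem /userdisk/data/xqimage/public.pem && echo "pair ok"
```

OpenSSL 3 writes the private key in PKCS#8 form ("BEGIN PRIVATE KEY") by default, older versions in the traditional "BEGIN RSA PRIVATE KEY" form; if mkxqimage refuses one of them, convert with openssl rsa before packaging. Whichever form you use, treat private.pem like a root credential: after the public key is installed on the router, anyone holding this file can build firmware the router will accept.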

The following uses stable version 0.4.85 as an example of modifying and repackaging the firmware.

  • Unpack the firmware

cd /userdisk/data
mkdir xqimage
cd xqimage
mkxqimage -x brcm4709_hdr_039ef_0.4.85.bin

This yields two files:

ls -l
-rw-r--r-- 1 root root 16646144 May 30 08:14 brcm4709_nor.bin
-rw-r--r-- 1 root root 34853955 May 30 08:14 root.ext4.lzma

  • Firmware modification
    • for an EXT4 image: unlzma root.ext4.lzma, then mount -o loop -t ext4 root.ext4 /mnt
    • for SquashFS: unsquashfs root.squashfs

Next, replace the RSA public key inside the mounted image with the public key generated earlier (copied to /userdisk/data/xqimage), then enable SSH in the defaults file:

cd /mnt/usr/share/xiaoqiang
mv public.pem public.pem.orig
cp /userdisk/data/xqimage/public.pem public.pem.new
ln -s public.pem.new public.pem
sed -i 's/ssh_en=0/ssh_en=1/g' xiaoqiang-defaults.txt

Re-enable some web interface entries that were disabled by commenting them out (Lua comments start with "--"):

cd /mnt/usr/lib/lua/luci/controller/web
sed -i 's/--entry/entry/g' index.lua

Make any further modifications you want.

Write the changes back into the disk image file:

cd /userdisk/data/xqimage
umount /mnt
sleep 30
# Be sure to wait a while before compressing the image
  • Firmware packaging

Compress the modified disk image:

EXT4 image: ./lzma e -a0 root.ext4 root.ext4.lzma
SquashFS: mksquashfs path/to/squashfs_rootfs_folder ... newrootfs.squashfs

Then sign and pack the image with your private key (-p); each -f adds one item, in the same order as in the stock image:

./mkxqimage -o brcm4709_hdr_00000_0.4.85.bin -p ./private.pem -t 5 -f brcm4709_nor.bin -f root.ext4.lzma

III. Upgrade Preparation

  • Public key replacement

Before upgrading to the self-made firmware generated in the previous step, the RSA public key on the currently running router must be replaced, otherwise the upgrader will reject the new signature. The root filesystem is mounted read-only, so remount it first:

mount -o rw,remount /
cd /usr/share/xiaoqiang
mv public.pem public.pem.orig
cp /userdisk/data/xqimage/public.pem public.pem.new
ln -s public.pem.new public.pem
mount -o ro,remount /
  • Homemade firmware test

Test with the following commands:

cd /userdisk/data/xqimage
mkdir test
cd test
mkxqimage -x ../brcm4709_hdr_00000_0.4.85.bin
ls -l

If mkxqimage prints no error while unpacking (this exercises the checksum and signature checks against the newly installed public key) and two files are listed at the end, the self-made firmware was packaged correctly:

-rw-r--r-- 1 root root 16646144 Jun 1 12:00 brcm4709_nor.bin
-rw-r--r-- 1 root root 33188560 Jun 1 12:00 root.ext4.lzma

Note: brcm4709_nor.bin must be exactly 16646144 bytes.

Verify that root.ext4.lzma contains the modifications:

cd /userdisk/data/xqimage/test
unlzma root.ext4.lzma
mount -o loop -t ext4 root.ext4 /mnt
ls -l /mnt/usr/share/xiaoqiang/public.pem*
grep ssh_en /mnt/usr/share/xiaoqiang/xiaoqiang-defaults.txt
umount /mnt

The output should look like this (timestamps will differ):

lrwxrwxrwx 1 root root  14 Jun  1 11:30 /mnt/usr/share/xiaoqiang/public.pem -> public.pem.new
-rw-r--r-- 1 root root 451 Jun  1 11:30 /mnt/usr/share/xiaoqiang/public.pem.new
-rwxr-xr-x 1 root root 451 May 27 11:33 /mnt/usr/share/xiaoqiang/public.pem.orig

ssh_en=1
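The manual checks above (item size, symlink target, ssh_en value) can be scripted so they run the same way every time before a flash. The functions below are an added example for this page, not code from the original post. The 16646144-byte size rule and the expected file layout under usr/share/xiaoqiang come from the tutorial; the optional PUBKEY argument, which confirms that the key inside the image is the same file you generated (and therefore the one whose private half signed the image), is this example's own addition.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flash sanity checks for a
# repacked image. xq_check_nor tests the size rule stated in the tutorial;
# xq_check_rootfs inspects a mounted ext4 image or an unsquashfs output
# directory for the public-key swap and the ssh_en default. The constant
# 16646144 comes from the tutorial; the optional PUBKEY comparison is an
# addition of this example.

XQ_NOR_SIZE=16646144

# xq_check_nor FILE : 0 if FILE exists and has exactly the expected size
xq_check_nor() {
    [ -f "$1" ] && [ "$(wc -c < "$1")" -eq "$XQ_NOR_SIZE" ]
}

# xq_check_rootfs ROOT [PUBKEY] : 0 only if every check passes; prints the
# failing checks otherwise. ROOT is e.g. /mnt after the loop mount.
xq_check_rootfs() {
    root=$1; pub=$2; rc=0
    d="$root/usr/share/xiaoqiang"
    # public.pem must be a symlink pointing at public.pem.new
    if [ ! -L "$d/public.pem" ] || [ "$(readlink "$d/public.pem")" != "public.pem.new" ]; then
        echo "FAIL: public.pem is not a symlink to public.pem.new"; rc=1
    fi
    [ -f "$d/public.pem.new" ] || { echo "FAIL: public.pem.new missing"; rc=1; }
    # keep the stock key around: it is what restores official updates later
    [ -f "$d/public.pem.orig" ] || { echo "FAIL: public.pem.orig missing"; rc=1; }
    # the key in the image must be the one you generated, byte for byte
    if [ -n "$pub" ] && ! cmp -s "$pub" "$d/public.pem.new"; then
        echo "FAIL: public.pem.new differs from $pub"; rc=1
    fi
    grep -qx 'ssh_en=1' "$d/xiaoqiang-defaults.txt" 2>/dev/null \
        || { echo "FAIL: ssh_en is not set to 1 in xiaoqiang-defaults.txt"; rc=1; }
    return $rc
}

# usage (paths from the tutorial's test step):
# xq_check_nor /userdisk/data/xqimage/test/brcm4709_nor.bin && echo "nor size ok"
# xq_check_rootfs /mnt /userdisk/data/xqimage/public.pem && echo "rootfs ok"
```

Run xq_check_rootfs while the test image is still mounted on /mnt; a non-zero exit means the image should not be uploaded.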

  • Back up the homemade firmware

In Windows Explorer, open \\192.168.31.1\XiaoMi\xqimage; brcm4709_hdr_00000_0.4.85.bin appears in the directory listing. Copy the self-made firmware to your computer.

IV. Upgrade Homemade Firmware

Log in to the Xiaomi router management page, go to Routing Settings - Advanced Features - Manual Router Upgrade, select brcm4709_hdr_00000_0.4.85.bin, click the Upload and Install Firmware button and wait a few minutes.

After the firmware is installed, SSH may not come up. The upgrade clears the nvram item ssh_en to 0, and on the first boot the defaults file sets ssh_en back to 1 only after dropbear has already started. Simply reboot the router once more and SSH login will work.

  • Special reminder

Because the router's RSA public key has been replaced, official firmware can no longer be installed through the upgrader. To go back to official firmware, just restore the original public key:

mount -o rw,remount /
cd /usr/share/xiaoqiang
cp public.pem.orig public.pem
mount -o ro,remount /

Source: https://www.openwrt.pro/post-415.html

Author

Nghia Phan

For any comments or questions, feel free to contact me through the social media channels below. THANK YOU FOR READING and HAVE A NICE DAY 😉.
