The official firmware of Xiaomi routers uses a custom format, and its RSA signature is verified when flashing, so flashing modified firmware is almost impossible.
Through analysis of the firmware tool mkxqimage, the packaging and unpacking process of the firmware has been largely worked out. If the firmware is packaged with your own RSA private key, and /usr/share/xiaoqiang/public.pem on the router is replaced with the matching public key, then self-made firmware can be flashed through the web interface.
I. Unpack Firmware
The firmware tool mkxqimage performs the unpacking. Before unpacking, it checks that the checksum is correct, then uses the RSA public key /usr/share/xiaoqiang/public.pem to verify the RSA signature. Once both checks pass, it splits the firmware according to the firmware type at [0x0C] and the four offsets at [0x10], [0x14], [0x18] and [0x1C]. Items that may be contained in the firmware include:
brcm4709_fac_update_nor.bin brcm4709_nor.bin fac_mode.bin nvram_fac.bin ramfsz root.ext4.lzma root.squashfs upsetting.sh upsetting_fac1.sh upsetting_fac2.sh upsetting_fac3.sh vmlinuz.trx
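As an added illustration (my own code, not mkxqimage or any Xiaomi tool), a minimal Python splitter that reads the type field at [0x0C] and the four offsets at [0x10]..[0x1C] mentioned above and cuts an image into its items; it skips the checksum and RSA steps and assumes 32-bit little-endian fields, offsets measured from the start of the file, a 0x20-byte header and a zero offset meaning an empty slot. The sample image it builds is constructed for the demo and is not a real Xiaomi firmware.

```python
import struct

HEADER_LEN = 0x20          # ASSUMPTION: items never start inside the first 0x20 bytes
NOR_IMAGE_SIZE = 16646144  # required size of brcm4709_nor.bin, as stated in the text


def parse_xq_header(image: bytes) -> dict:
    """Read the firmware type at [0x0C] and the four item offsets at [0x10]..[0x1C].

    ASSUMPTION: all five fields are 32-bit little-endian, offsets are measured
    from byte 0 of the file and an offset of 0 means "no item in this slot".
    Checksum and RSA signature verification (done by mkxqimage) are not modeled.
    """
    if len(image) < HEADER_LEN:
        raise ValueError("image too short to hold the header")
    fw_type = struct.unpack_from("<I", image, 0x0C)[0]
    offsets = struct.unpack_from("<4I", image, 0x10)
    return {"type": fw_type, "offsets": list(offsets)}


def split_xq_image(image: bytes) -> list[bytes]:
    """Cut the image into items; each item runs to the next higher offset or to EOF."""
    offsets = sorted(o for o in parse_xq_header(image)["offsets"] if o != 0)
    for o in offsets:
        # Reject offsets that point into the header or past the end of the file
        if o < HEADER_LEN or o >= len(image):
            raise ValueError(f"offset {o:#x} outside payload range")
    if len(set(offsets)) != len(offsets):
        raise ValueError("duplicate item offsets")
    items = []
    for i, start in enumerate(offsets):
        end = offsets[i + 1] if i + 1 < len(offsets) else len(image)
        items.append(image[start:end])
    return items


def nor_size_ok(item: bytes) -> bool:
    """The text requires brcm4709_nor.bin to be exactly 16646144 bytes."""
    return len(item) == NOR_IMAGE_SIZE


def build_sample_image() -> bytes:
    """Constructed demo image with two items (not a real Xiaomi firmware)."""
    item_a = b"ITEM-A" * 4   # 24 bytes
    item_b = b"ITEM-B" * 3   # 18 bytes
    hdr = bytearray(HEADER_LEN)
    struct.pack_into("<I", hdr, 0x0C, 3)                     # placeholder type value
    struct.pack_into("<4I", hdr, 0x10, HEADER_LEN, HEADER_LEN + len(item_a), 0, 0)
    return bytes(hdr) + item_a + item_b
```

Running split_xq_image(build_sample_image()) returns the two constructed items; an offset past the end of the file raises ValueError instead of yielding a truncated item.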
II. Firmware Packaging
First, generate an RSA key pair (private key and public key).
The following uses stable version 0.4.85 as an example to show how to modify and package the firmware.
- Unpack the firmware
This yields 2 files:
- Firmware modification
- for EXT4 img:
mount -o loop -t ext4 root.ext4 /mnt
- for Squashfs:
- for EXT4 img:
Next, replace the RSA public key, then enable SSH
Restore some disabled web interfaces
Make your own modifications…
Write the above modifications back to the filesystem image file:
- Firmware packaging
Compress the modified filesystem image:
./lzma e -a0 root.ext4 root.ext4.lzma
mksquashfs path/to/squashfs_rootfs_folder ... newrootfs.squashfs
III. Upgrade Preparation
- Public key replacement
Before upgrading to the self-made firmware generated in the previous step, the router's current RSA public key must be replaced. The specific method is as follows:
- Homemade firmware test
Test with the following command:
If no error message appears while the firmware is decompressed, and 2 files are listed at the end, the self-made firmware was packaged without any problem.
Note: The brcm4709_nor.bin file must be exactly 16646144 bytes.
Verify that root.ext4.lzma is correct:
After the above command runs, you should see output like the following (the time information will differ):
- Back up the homemade firmware
In Windows Explorer on the computer, enter: \\192.168.31.1\XiaoMi\xqimage . You will see brcm4709_hdr_00000_0.4.85 in the directory listing; copy the self-made firmware to the computer.
IV. Upgrade Homemade Firmware
Log in to the Xiaomi router management page, go to Routing Settings - Advanced Features - Manual Router Upgrade, select brcm4709_hdr_00000_0.4.85, click the Upload and Install Firmware button, and wait a few minutes.
After the firmware is installed, SSH may not start. This is because the nvram item ssh_en is reset to 0 during the firmware upgrade, and the defaults step that sets ssh_en back to 1 at first boot runs only after dropbear has already started. Simply restart the router and you will be able to log in over SSH.
- Special reminder
Because the router's RSA public key has been replaced, official firmware can no longer be flashed. To restore the official firmware, just put the original public key back. The method is as follows: