**Note**
- Uncheck "Verify" in the programmer settings before flashing. Unprotect the EEPROM before flashing.
- These are dangerous and irreversible actions: set only the options you actually need (if the flash fails you may have to buy a new chip and solder it onto the board).
- If the programmer fails to read the EEPROM sectors, open the SREG (Status Register), uncheck every checked bit (set every 1 to 0), then click "Write Register".
Available firmwares: Stock Firmware, OpenWrt, X-WRT, Keenetic, PCWRT, ImmortalWrt, Padavan.
- Download CH341PAR.EXE and CH341SER.EXE and install them.
- Connect the CH341A clip to the Xiaomi 4C router EEPROM and open AsProgrammer. Click "Detect" and select the specific router IC model, click "Read IC" and save a backup, then erase the IC, load the 16 MB firmware into it (stock, OpenWrt, Padavan, Keenetic, ImmortalWrt) and click "Write IC". Click Yes and wait until it finishes. Finally connect the router to your PC and open 192.168.1.1 (3rd-party firmware) or 192.168.31.1 (stock).
- The red wire must be connected to pin #1 (the dot) on the chip.
Install the CH341A driver on Linux (the script runs as root, so review it before piping it to `sudo sh`):

```sh
sudo apt update && wget -qO- https://raw.githubusercontent.com/xiv3r/Xiaomi-Mi-Router-4C-CH341A-Flasher/refs/heads/main/driver.sh | sudo sh
```

- Check the existing drivers (`lsusb` shows the adapter line, `lsmod | grep ch341` the module lines):

```sh
lsmod | grep ch341
```

```
Bus 001 Device 002: ID 1a86:5512 QinHeng Electronics HL-340 USB-Serial adapter
ch341 20480 0
usbserial 45056 1 ch341
```
**Note**
- If the programmer cannot read the EEPROM, go to IMSProg Settings -> Chip Info -> Read Status Register, replace every 1 with 0, click "Write", then begin flashing the firmware.
Download and install IMSProg:

```sh
sudo apt update && sudo apt install imsprog -y
```

- Dependencies:

```sh
sudo apt install bc build-essential gcc cmake make linux-headers-$(uname -r) g++ libusb-1.0-0-dev qtbase5-dev qttools5-dev pkgconf systemd-dev udev zenity wget -y
```

- Install from the repo package (optional):

```sh
wget https://launchpad.net/~bigmdm/+archive/ubuntu/imsprog/+files/imsprog_1.4.4-4_amd64.deb -O imsprog.deb && sudo dpkg -i imsprog.deb && sudo apt --fix-broken install -y && sudo dpkg --configure -a
```

- Build from source (optional):

```sh
git clone https://github.com/bigbigmdm/IMSProg.git && cd IMSProg
cd IMSProg_programmer
mkdir build && cd build
cmake ..
make -j"$(nproc)"
sudo make install
```

- Select IMSProg from the application menu.
Install flashrom:

```sh
sudo apt update ; sudo apt install flashrom -y
```

**Note**
- The chip type depends on the EEPROM that flashrom detects, e.g. GD25B128B/GD25Q128B or GD25Q127C/GD25Q128C; pass it with the -c flag before backing up or flashing.
- To detect the flash chip, execute the command below:

```sh
flashrom -VV -p ch341a_spi -r backup.bin
```

- Back up (dump) the current firmware:

```sh
flashrom -VV -p ch341a_spi -c GD25B128B/GD25Q128B -r MIR4C-dump.bin
```

- Flash the new dump firmware (`-w` erases the blocks it needs and verifies the write by itself; `-E` and `-v` are separate operations and flashrom aborts with "More than one operation specified" if they are combined with `-w`):

```sh
flashrom -VV -p ch341a_spi -c GD25B128B/GD25Q128B -w /home/user/Downloads/MIR4C-dump.bin
```
- Access point router/CPE (wired bridge) (required) if an "ALL" partition exists in the MTD partition table
- CH341A programmer (optional) if there is no "ALL" partition in the MTD partition table
- Termux
  - Dependencies:

```sh
apt update && apt upgrade -y && apt install git wget curl python3 python-pip inetutils -y
```
**Note**
- To check the MTD partitions:

```sh
cat /proc/mtd
```

- If the MTD "ALL" partition is found you can flash it easily; otherwise flash the EEPROM with the CH341A programmer.
- The MTD "ALL" partition can take any 16 MB dump firmware from the download section.
- The Keenetic Breed programmer firmware can flash any 16 MB dump firmware from the download section.
- All 16 MB firmware dumps are stable for transitioning.
- You can use wget, scp or an HTTP file server to import the firmware into the /tmp directory and then flash it.

Option 1 (scp from Termux):

```sh
cd storage/downloads && scp 16mb_firmware.bin root@192.168.1.1:/tmp
```

Option 2 (HTTP server in Termux, then fetch from the router using the DHCP-assigned IP of the phone on port 8000):

```sh
cd storage/downloads && python3 -m http.server
```

On the router, e.g.:

```sh
wget 192.168.1.111:8000/16mb_firmware.bin
```

Option 3 (download directly on the router):

```sh
cd /tmp && wget https://github.com/xiv3r/Xiaomi-Mi-Router-4C-CH341A-Flasher/releases/download/V1/Full-KeeneticOS_4.1.7_MOD.bin
```

Then flash:

```sh
mtd -e ALL -r write /tmp/16mb_firmware.bin ALL
```
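Before the `mtd -e ALL -r write ... ALL` step it is worth confirming, from the `/proc/mtd` output, that an "ALL" partition exists and that the image is exactly the partition's size (a truncated or wrong-size download written to ALL leaves a router that only the CH341A can recover). The POSIX sh helpers below are an added example, not code from this repository; the `/proc/mtd` table is a constructed sample and its partition names and sizes are assumed.

```sh
#!/bin/sh
# Added example (not part of the xiv3r repository): sanity checks to run before
# "mtd -e ALL -r write image.bin ALL". SAMPLE_MTD is a constructed /proc/mtd
# table; the partition names and sizes are assumed, replace it with the real
# output of "cat /proc/mtd" on the router.
SAMPLE_MTD='dev:    size   erasesize  name
mtd0: 01000000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 00fb0000 00010000 "firmware"'

# mtd_part_size NAME TABLE: print the size in bytes of partition NAME from a
# /proc/mtd table (sizes there are hex), fail if no such partition exists.
mtd_part_size() {
  name=$1; table=$2
  hex=$(printf '%s\n' "$table" | awk -v n="\"$name\"" '$4 == n { print $2; exit }')
  [ -n "$hex" ] || return 1
  echo $((0x$hex))
}

# image_fits NAME IMAGE TABLE: succeed only when IMAGE is exactly the size of
# partition NAME (a full 16 MB dump for ALL), so an incomplete download is
# caught before anything is erased.
image_fits() {
  want=$(mtd_part_size "$1" "$3") || { echo "no partition named $1" >&2; return 1; }
  [ -f "$2" ] || { echo "missing image $2" >&2; return 1; }
  have=$(wc -c < "$2")
  if [ "$have" -eq "$want" ]; then
    echo "$2 is $have bytes, matches partition $1"
  else
    echo "$2 is $have bytes but $1 is $want bytes, refusing to flash" >&2
    return 1
  fi
}

# On the router: image_fits ALL /tmp/keenetic.bin "$(cat /proc/mtd)" && mtd -e ALL -r write /tmp/keenetic.bin ALL
```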
- Using my modified version of openwrt-invasion:

```sh
termux-setup-storage && pkg update && pkg upgrade && pkg install curl && curl https://raw.githubusercontent.com/xiv3r/termux-openwrt-invasion/refs/heads/main/openwrt-invasion.sh | sh && cd openwrt-invasion
```

- Reset the Xiaomi 4C router and configure it with a password of 12345678, then run:

```sh
python3 remote_command_execution_vulnerability.py
```
- Getting root access via Telnet:

```sh
telnet 192.168.31.1
```

  - login: root
  - password: root
- Download the firmware from Here!
- e.g. (the file name is case-sensitive, so the download and the write must use the same name):

```sh
cd /tmp && wget -O keenetic.bin https://github.com/xiv3r/Xiaomi-Mi-Router-4C-CH341A-Flasher/releases/download/V1/Full-KeeneticOS_4.1.7_MOD.bin
mtd -e ALL -r write /tmp/keenetic.bin ALL
```

- Wait for about 15 minutes until the reboot is prompted.
- Go to 192.168.1.1.
- Import the Xiaomi_4C_Router_Breed.bin:

```sh
telnet 192.168.1.1
```

  - user: root
  - pass: your admin password
- Bootloader Breed installation:

```sh
opkg update && opkg install kmod-mtd-rw && insmod mtd-rw i_want_a_brick=1
# "?raw=true" makes GitHub serve the binary instead of the HTML page for a /blob/ URL
cd /tmp && wget -O breed.bin "https://github.com/xiv3r/Xiaomi-Mi-Router-4C-CH341A-Flasher/blob/main/Xiaomi_4C_Router_Breed_Env_Variables.bin?raw=true"
mtd -r write /tmp/breed.bin bootloader
```
- The router will reboot.
- Go to 192.168.1.1 > upgrade > Programmer firmware > import the Keenetic 16 MB dump from the download section
- Uncheck "skip bootloader"
- Uncheck "skip eeprom"
- Upload
OpenWrt WiFi tx power mod to 30 dBm:

```sh
wget -qO- https://raw.githubusercontent.com/xiv3r/20dBm-30dBm-Xiaomi-Mi-4C-Router-Mod/refs/heads/main/mtd2-mod.sh | sh
```

- Hold the reset button for 5 seconds while powering on the router
- Go to 192.168.1.1 > upgrade > programmer firmware > import the OpenWrt 16 MB dump from the download section
- Uncheck "skip bootloader"
- Uncheck "skip eeprom"
- Apply
```sh
telnet 192.168.1.1
```

and log in with your credentials.
- Import the 16 MB dump firmware .bin into /tmp and flash it, e.g.:

```sh
cd /tmp && wget -O keenetic.bin https://github.com/xiv3r/Xiaomi-Mi-Router-4C-CH341A-Flasher/releases/download/V1/Full-KeeneticOS_4.1.7_MOD.bin
mtd -e ALL -r write /tmp/keenetic.bin ALL
```