Xiaomi AX3000T

The Xiaomi AX3000T router supports 2 802.11ax streams on both 2.4GHz @40MHz and 5GHz @160MHz for a combined 3000Mbps wireless speed. It is based on the MediaTek MT7981 SoC.

There are two versions of the Xiaomi AX3000T router:

• model RD03: Chinese version
• model RD23: International (Global) version.

Both versions have exactly the same hardware, and the only difference is the version of the stock firmware (which is region-locked).

Support Forums https://forum.openwrt.org/t/openwrt-support-for-xiaomi-ax3000t/180490

There are 2 known OpenWrt installation methods for the Xiaomi AX3000T:

• API RCE method: the method involves executing shell commands on the stock router firmware to enable SSH access by exploiting the API RCE, either in xqsystem/start_binding or misystem/arn_switch, depending on the firmware version. This method is suitable for both RD23 (International version) and RD03 (Chinese version) of the Xiaomi AX3000T router. For details, please refer to the Installation section below.
• UART flash method: the method which requires opening the device, connecting a UART cable, and following a specific set of steps. This process is recommended only for advanced users and may soft brick your device. The instructions for this process are available in this post: link to owrt forum.

OpenWrt Support Status:

• *note: devices with the Winbond NAND chip are supported by Snapshot version only.

1. Get ssh access.

#!/bin/sh

if [ $# -ne 2 ]; then
cat <<EOF
Usage: $0 [misystem | xqsystem] [stok]
e.g. $0 misystem e6ea114ba2cddb0c70fbbc417bb2706c
Copy the stok-string from a browser's URL-line, while logged to the router
EOF
exit 1
fi

[ -z "$2" ] && echo "error: bad stok" && exit 1

url="http://192.168.31.1/cgi-bin/luci/;stok=${2}/api"

case "$1" in
    misystem)
        url="$url/misystem/arn_switch"
        pre="open=1&model=1&level="
        suf=""
        ;;
    xqsystem)
        url="$url/xqsystem/start_binding"
        pre="uid=1234&key=1234'"
        suf="'"
        ;;
    *)
        echo "error: unknown api" && exit 1
        ;;
esac

curl -X POST "$url" -d "${pre}%0Anvram%20set%20ssh_en%3D1%0A${suf}"
sleep 1
curl -X POST "$url" -d "${pre}%0Anvram%20commit%0A${suf}"
sleep 1
curl -X POST "$url" -d "${pre}%0Ased%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%22debug%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear%0A${suf}"
sleep 1
curl -X POST "$url" -d "${pre}%0A%2Fetc%2Finit.d%2Fdropbear%20start%0A${suf}"
sleep 1
curl -X POST "$url" -d "${pre}%0Apasswd%20-d%20root%0A${suf}"

2. Backup stock partitions

ssh -o StrictHostKeyChecking=no -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa -v root@192.168.31.1
nanddump -f /tmp/BL2.bin /dev/mtd1
nanddump -f /tmp/Nvram.bin /dev/mtd2
nanddump -f /tmp/Bdata.bin /dev/mtd3
nanddump -f /tmp/Factory.bin /dev/mtd4
nanddump -f /tmp/FIP.bin /dev/mtd5
nanddump -f /tmp/ubi.bin /dev/mtd8
nanddump -f /tmp/KF.bin /dev/mtd12

Then transfer them to your computer in a safe place.

To copy you can run netcat on your computer (in this case the computer's IP is 192.168.31.55):

$ netcat -l 1234 | tar xvf -

And send the data from the router:

root@XiaoQiang:~# tar cf - /tmp/*.bin | nc 192.168.31.55 1234

3. Get firmware information: cat /proc/cmdline

4. Copy openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi to /tmp and flash

• If firmware=0

ubiformat /dev/mtd9 -y -f /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi
nvram set boot_wait=on
nvram set uart_en=1
nvram set flag_boot_rootfs=1
nvram set flag_last_success=1
nvram set flag_boot_success=1
nvram set flag_try_sys1_failed=0
nvram set flag_try_sys2_failed=0
nvram commit
reboot

• If firmware=1

ubiformat /dev/mtd8 -y -f /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi
nvram set boot_wait=on
nvram set uart_en=1
nvram set flag_boot_rootfs=0
nvram set flag_last_success=0
nvram set flag_boot_success=1
nvram set flag_try_sys1_failed=0
nvram set flag_try_sys2_failed=0
nvram commit
reboot

Once the router is rebooted, it should boot to the OpenWrt initramfs system now. To be sure to use one of OpenWrt's LAN ports (not WAN port), plug the ethernet cable into one of the middle ports, if the cable is not already plugged there (original FW dynamically assigns LAN/WAN).

Note that you should configure the computer's network to use DHCP. You can use wireshark if things don't work. This command will connect you to the OpenWrt system:

ssh root@192.168.1.1

5. Copy openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin to /tmp and flash:

sysupgrade -n /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin

1. Flash openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-factory.ubi

ubiformat /dev/mtd8 -y -f /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-factory.ubi

reboot

2. Install kmod-mtd-rw

opkg update && opkg install kmod-mtd-rw

insmod mtd-rw i_want_a_brick=1

3. Format ubi and create new ubootenv volume

ubidetach -p /dev/mtd8; ubiformat /dev/mtd8 -y; ubiattach -p /dev/mtd8
ubimkvol /dev/ubi0 -n 0 -N ubootenv -s 128KiB
ubimkvol /dev/ubi0 -n 1 -N ubootenv2 -s 128KiB

4. *(Optional -10Mb free space) Add recovery boot feature.*

ubimkvol /dev/ubi0 -n 2 -N recovery -s 10MiB
ubiupdatevol /dev/ubi0_2 /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-recovery.itb

5. Flash Openwrt U-Boot

mtd write /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-preloader.bin BL2
mtd write /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-bl31-uboot.fip FIP

6. Flash openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-squashfs-sysupgrade.itb

sysupgrade -n /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-squashfs-sysupgrade.itb

1. Force flash openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-recovery.itb

sysupgrade -F -n /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-recovery.itb

2. Format ubi and Nvram

ubidetach -p /dev/mtd8; ubiformat /dev/mtd8 -y; ubiattach -p /dev/mtd8
mtd erase Nvram

3. Install kmod-mtd-rw

opkg update && opkg install kmod-mtd-rw

insmod mtd-rw i_want_a_brick=1

4. Flash stock images from backup

mtd write /tmp/BL2.bin BL2
mtd write /tmp/FIP.bin FIP
mtd write /tmp/ubi.bin ubi

Then reboot your router, waiting it finished rollback in minutes.

ubiformat /dev/mtd8 -y -f /tmp/ubi.bin

Then reboot your router, waiting it finished rollback in minutes.

→ generic.flashing.tftp

→ generic.sysupgrade

• Browse to http://192.168.1.1/cgi-bin/luci/admin/system/flash LuCI Upgrade URL
• Upload image file for sysupgrade to LuCI
• Wait for reboot

If you don't have a GUI (LuCI) available, you can alternatively upgrade via the command line. There are two command line methods for upgrading:

• sysupgrade
• mtd

Note: It is important that you put the firmware image into the ramdisk (/tmp) before you start flashing.

• Login as root via SSH on 192.168.1.1, then enter the following commands:

cd /tmp
wget https://downloads.openwrt.org/snapshots/targets/mediatek/filogic/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin
sysupgrade /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin

If sysupgrade does not support this router, use mtd.

• Login as root via SSH on 192.168.1.1, then enter the following commands:

cd /tmp
wget http://downloads.openwrt.org/snapshots/trunk/XXX/xxx.abc
mtd write /tmp/xxx.abc linux && reboot

This section is kept only for historical reference, as it relates to the deprecated OpenWrt installation method that was applicable only to the RD03 (Chinese version) with stock firmware version 1.0.47. Please note that none of the current installation methods require a firmware downgrade to flash OpenWrt.

To downgrade a firmware version on your router, navigate to the upload firmware page and select the appropriate software version. It will complain about the downgrade. Edit the url and change the <html>0</html> at the end to a <html>1</html> and press enter. Or change to <html>2</html> if there is already <html>1</html> (seen on v1.0.64). The downgrade will proceed.

→ generic.debrick

Assume that you have installed OpenWrt with stock bootloader, with original u-boot:

• Connect to router via UART
• Select Load Image in the u-boot
• Set start address to 0x48000000, then set TFTP parameters to load the initramfs-kernel.bin.
• Start the loaded kernel, then perform sysupgrade on OpenWrt.

If you have installed OpenWrt with u-boot mode layout, you can still use above UART recovery procedure, but u-boot will also look for a file called openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-recovery.itb in a tftp server at IP address 192.168.1.254

If you provide that file in a tftp server, it'll be automatically loaded and run, so system can be recovered without using a UART connection.

If your bootloader is bricked you can use the Mediateks ability to load a bootloader directly over UART with a tool called mtk_uartboot.

Details explained in this forum post

AX3000T can be recovered from a soft-brick with TFTP. The flow is:

• The router boots and asks for an IP address on the LAN ports via DHCP
• The TFTP server assigns an IP address to the router
• The router then connects to the TFTP server (where your DHCP server listen, e.g.: 192.168.31.100) and tries to download a file named with the IP address given by the DHCP server converted to hexadecimal.

Because of this quirk we will have to configure the tftp server to assign only one IP and we will set the file name to the only IP address it can receive.

For Windows you can use tftpd64 and on Linux you can use dnsmasq. These are the steps to do it for Linux (this can be adapted to the tftpd64's graphical interface very easily):

• Create a folder somewhere to place your firmware for the tftp server and download the OEM firmware (the file name is a very important part; depending on the previously installed Xiaomi firmware version, you may need to adjust the name of the .img file to a different one. The router will be looking for a specific file name on the tftp server – if the requested file in the terminal does not match the one you have in the tmp folder, rename it accordingly and proceed again):

  mkdir -p /tmp/tftp
  wget https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/rd03/miwifi_rd03_firmware_ef0ee_1.0.47.bin -O /tmp/tftp/C0A81F02.img

• To ensure that the TFTP server has access to the firmware, set the privileges:

  sudo chmod -R 755 /tmp/tftp
  sudo chown -R nobody:nogroup /tmp/tftp

• Obtain the name of the ethernet adapter (to be used in further steps):

  ip link

• The result will loke something like (in this case, the name of the ethernet adapter is enp2s0):

  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
  2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
      link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
  3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
      link/ether yy:yy:yy:yy:yy:yy brd ff:ff:ff:ff:ff:ff

• Set a static address on your PC to serve the firmware from:

  sudo ip address flush dev <adapter name>
  sudo ip address add 192.168.31.100/24 dev <adapter name>

• Run the server with the following command:

  sudo dnsmasq --no-daemon --listen-address=192.168.31.100 --bind-interfaces --dhcp-range=192.168.31.2,192.168.31.254 --enable-tftp --tftp-root=/tmp/tftp --log-dhcp --log-facility=-

• Unplug the power, press and hold the reset button, plug the power back while still holding the button.

  • Hold the reset button until the router's LED starts flashing orange.
  • then it goes solid orange again, release the button.
  • If in the terminal, you see that the router requests a different firmware file (different name), rename the .img file in the tmp folder accordingly and repeat the procedures from the IP flush again.
• When the device finished loading the firmware, the led starts flashing with orange (amber) light. Wait for until blue led to goes solid!

  • It might take some time for the led to go solid blue
  • If the recovery doesn't accept the downloaded file the led switches to solid white - if this is the case, restart the recovery process with other file
  • If the led is blinking blue led it means the device was flashed successfully and can be restarted
• Put your interface back to DHCP mode and start again with breaking your device

→ failsafe_and_factory_reset

→ Basic configuration After flashing, proceed with this.
Set up your Internet connection, configure wireless, configure USB port, etc.

• note: configuration reset issue after 6 reboots sometimes occurs on the AX3000T and is caused by the stock Xiaomi bootloader logic. To address this, run the command to modify the /etc/rc.local file with nvram settings:

sed -i '/exit 0/i sleep 5\nfw_setenv flag_try_sys1_failed 0' /etc/rc.local

Don't run this command if the issue doesn't affect you, and your router keeps its settings after 6 reboots!

The default network configuration is:

Numbers 2-4 are Ports 1-3 as labeled on the unit, number 4 is the Internet (WAN) on the unit, 0 is the internal connection to the router itself.

→ hardware.button on howto use and configure the hardware button(s). Here, we merely name the buttons, so we can use them in the above Howto.

The Xiaomi AX3000T has the following buttons:

Front:
Insert photo of front of the casing

Back:
Insert photo of back of the casing

Backside label:
Insert photo of backside label

Note: This will void your warranty!

Main PCB:
Insert photo of PCB

→ port.serial general information about the serial port, serial port cable, etc.

How to connect to the Serial Port of this specific device:

→ port.jtag general information about the JTAG port, JTAG cable, etc.

How to connect to the JTAG Port of this specific device:
Insert photo of PCB with markings for JTAG port

→ bootloader

• DC power barrel plug dimensions 4.0mm x 1.7mm.