Xiaomi AX3000T

The Xiaomi AX3000T router is based on the MediaTek Filogic 820 SoC (MediaTek MT7981B). It supports two 802.11ax streams on both 2.4GHz @40MHz and 5GHz @160MHz for a combined 3000Mbps wireless speed.

There are three versions of the Xiaomi AX3000T router:

• model RD03: Chinese version
• model RD23: International (Global) version.

• model RD03v2: Version with a different architecture, unsupported.

Both RD03 and RD23 versions have exactly the same hardware, and the only difference is the version of the stock firmware (which is region-locked).

Support Forums https://forum.openwrt.org/t/openwrt-support-for-xiaomi-ax3000t/180490

There are 2 known OpenWrt installation methods for the Xiaomi AX3000T:

• API RCE method: the method involves executing shell commands on the stock router firmware to enable SSH access by exploiting the API RCE, either in xqsystem/start_binding, misystem/arn_switch or xqsystem/get_icon, depending on the firmware version. This method is suitable for both RD23 (International version) and RD03 (Chinese version) of the Xiaomi AX3000T router. For details, please refer to the Installation section below.
• UART flash method: the method which requires opening the device, connecting a UART cable, and following a specific set of steps. This process is recommended only for advanced users and may soft brick your device. The instructions for this process are available in this post: link to owrt forum.

• _{* note 1: although firmware downgrading is supported on the AX3000T, it is not required in most cases for OpenWrt installation, as all known stock versions are exploitable.}
• _{* note 2: the method is not described yet in the wiki. Please refer to the forum post.}

• _{For guidance on detecting router hardware, please refer to the forum post.}

1. Get ssh access.

#!/bin/sh

if [ $# -ne 2 ]; then
cat <<EOF
Usage: $0 [misystem | xqsystem] [stok]
e.g. $0 xqsystem e6ea114ba2cddb0c70fbbc417bb2706c
Copy the stok-string from a browser's URL-line, while logged to the router
EOF
exit 1
fi

[ -z "$2" ] && echo "error: bad stok" && exit 1

url="http://192.168.31.1/cgi-bin/luci/;stok=${2}/api"

case "$1" in
    misystem)
        url="$url/misystem/arn_switch"
        pre="open=1&model=1&level="
        suf=""
        ;;
    xqsystem)
        url="$url/xqsystem/start_binding"
        pre="uid=1234&key=1234'"
        suf="'"
        ;;
    *)
        echo "error: unknown api" && exit 1
        ;;
esac

curl -X POST "$url" -d "${pre}%0Anvram%20set%20ssh_en%3D1%0A${suf}"
sleep 1
curl -X POST "$url" -d "${pre}%0Anvram%20commit%0A${suf}"
sleep 1
curl -X POST "$url" -d "${pre}%0Ased%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%22debug%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear%0A${suf}"
sleep 1
curl -X POST "$url" -d "${pre}%0A%2Fetc%2Finit.d%2Fdropbear%20start%0A${suf}"
sleep 1
curl -X POST "$url" -d "${pre}%0Apasswd%20-d%20root%0A${suf}"

curl -X POST http://192.168.31.1/cgi-bin/luci/;stok=xxx/api/xqsystem/start_binding -d "uid=1234&key=1234'%0Anvram%20set%20ssh_en%3D1'"
curl -X POST http://192.168.31.1/cgi-bin/luci/;stok=xxx/api/xqsystem/start_binding -d "uid=1234&key=1234'%0Anvram%20commit'"
curl -X POST http://192.168.31.1/cgi-bin/luci/;stok=xxx/api/xqsystem/start_binding -d "uid=1234&key=1234'%0Ased%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%22debug%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear'"
curl -X POST http://192.168.31.1/cgi-bin/luci/;stok=xxx/api/xqsystem/start_binding -d "uid=1234&key=1234'%0A%2Fetc%2Finit.d%2Fdropbear%20start'"
curl -X POST http://192.168.31.1/cgi-bin/luci/;stok=xxx/api/xqsystem/start_binding -d "uid=1234&key=1234'%0Apasswd%20-d%20root%0A'"
ssh -o StrictHostKeyChecking=no -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa root@192.168.31.1

2. Backup stock partitions

ssh -o StrictHostKeyChecking=no -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa -v root@192.168.31.1
nanddump -f /tmp/BL2.bin /dev/mtd1
nanddump -f /tmp/Nvram.bin /dev/mtd2
nanddump -f /tmp/Bdata.bin /dev/mtd3
nanddump -f /tmp/Factory.bin /dev/mtd4
nanddump -f /tmp/FIP.bin /dev/mtd5
nanddump -f /tmp/ubi.bin /dev/mtd8
nanddump -f /tmp/KF.bin /dev/mtd12

Then transfer them to your computer in a safe place.

$ netcat -lp 1234 | tar xvf -

root@XiaoQiang:~# cd /tmp/
root@XiaoQiang:~# tar cf - *.bin | nc 192.168.31.<computer-IP> 1234

mkdir C:\AX3000T_backup
scp -O -o HostKeyAlgorithms=+ssh-rsa -o StrictHostKeyChecking=no root@192.168.31.1:/tmp/*.bin C:/AX3000T_Backup/
ssh -o StrictHostKeyChecking=no -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa root@192.168.31.1

3. Get firmware information: cat /proc/cmdline

4. Copy openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi to /tmp and flash

• If firmware=0

ubiformat /dev/mtd9 -y -f /tmp/*mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi
nvram set boot_wait=on
nvram set uart_en=1
nvram set flag_boot_rootfs=1
nvram set flag_last_success=1
nvram set flag_boot_success=1
nvram set flag_try_sys1_failed=0
nvram set flag_try_sys2_failed=0
nvram commit
reboot

• If firmware=1

ubiformat /dev/mtd8 -y -f /tmp/*mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi
nvram set boot_wait=on
nvram set uart_en=1
nvram set flag_boot_rootfs=0
nvram set flag_last_success=0
nvram set flag_boot_success=1
nvram set flag_try_sys1_failed=0
nvram set flag_try_sys2_failed=0
nvram commit
reboot

Once the router is rebooted, it should boot to the OpenWrt initramfs system now. To be sure to use one of OpenWrt's LAN ports (not WAN port), plug the ethernet cable into one of the middle ports, if the cable is not already plugged there (original FW dynamically assigns LAN/WAN). Note that you should configure the computer's network to use DHCP. You can use wireshark if things don't work.

This command will connect you to the OpenWrt system:

ssh root@192.168.1.1

5. Copy openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin to /tmp and flash:

sysupgrade -n /tmp/*mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin

Once the router is rebooted after sysupgrade, proceed with a Basic configuration.

1. Flash openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-factory.ubi

ubiformat /dev/mtd8 -y -f /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-factory.ubi

reboot

2. Install kmod-mtd-rw

opkg update && opkg install kmod-mtd-rw

insmod mtd-rw i_want_a_brick=1

3. Format ubi and create new ubootenv volume

ubidetach -p /dev/mtd8; ubiformat /dev/mtd8 -y; ubiattach -p /dev/mtd8
ubimkvol /dev/ubi0 -n 0 -N ubootenv -s 128KiB
ubimkvol /dev/ubi0 -n 1 -N ubootenv2 -s 128KiB

4. *(Optional -10Mb free space) Add recovery boot feature.*

ubimkvol /dev/ubi0 -n 2 -N recovery -s 10MiB
ubiupdatevol /dev/ubi0_2 /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-recovery.itb

5. Flash Openwrt U-Boot

mtd write /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-preloader.bin BL2
mtd write /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-bl31-uboot.fip FIP

6. Flash openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-squashfs-sysupgrade.itb

sysupgrade -n /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-squashfs-sysupgrade.itb

1. Force flash openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-recovery.itb

sysupgrade -F -n /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-recovery.itb

2. Format ubi and Nvram

ubidetach -p /dev/mtd8; ubiformat /dev/mtd8 -y; ubiattach -p /dev/mtd8
mtd erase Nvram

3. Install kmod-mtd-rw

opkg update && opkg install kmod-mtd-rw

insmod mtd-rw i_want_a_brick=1

4. Flash stock images from backup

mtd write /tmp/BL2.bin BL2
mtd write /tmp/FIP.bin FIP
mtd write /tmp/ubi.bin ubi

Then reboot your router, waiting it finished rollback in minutes.

ubiformat /dev/mtd8 -y -f /tmp/ubi.bin

Then reboot your router, waiting it finished rollback in minutes.

→ generic.flashing.tftp

→ generic.sysupgrade

• Browse to http://192.168.1.1/cgi-bin/luci/admin/system/flash LuCI Upgrade URL
• Upload image file for sysupgrade to LuCI
• Wait for reboot

If you don't have a GUI (LuCI) available, you can alternatively upgrade via the command line. There are two command line methods for upgrading:

• sysupgrade
• mtd

Note: It is important that you put the firmware image into the ramdisk (/tmp) before you start flashing.

• Login as root via SSH on 192.168.1.1, then enter the following commands:

cd /tmp
wget https://downloads.openwrt.org/snapshots/targets/mediatek/filogic/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin
sysupgrade /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin

If sysupgrade does not support this router, use mtd.

• Login as root via SSH on 192.168.1.1, then enter the following commands:

cd /tmp
wget http://downloads.openwrt.org/snapshots/trunk/XXX/xxx.abc
mtd write /tmp/xxx.abc linux && reboot

In most cases, downgrading stock firmware on the AX3000T to install OpenWrt isn't necessary, as most stock firmware versions are exploitable (see the API RCE support status table for details).

To downgrade a stock firmware version on a router, use either the TFTP method or the Xiaomi MiWiFi Repair Tool (simple instructions with screenshots from another Xiaomi router for using the MiWiFi Repair Tool can be found here).

→ generic.debrick

Assume that you have installed OpenWrt with stock bootloader, with original u-boot:

• Connect to router via UART
• Select Load Image in the u-boot
• Set start address to 0x48000000, then set TFTP parameters to load the initramfs-kernel.bin.
• Start the loaded kernel, then perform sysupgrade on OpenWrt.

If you have installed OpenWrt with u-boot mode layout, you can still use above UART recovery procedure, but u-boot will also look for a file called openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-recovery.itb in a tftp server at IP address 192.168.1.254

If you provide that file in a tftp server, it'll be automatically loaded and run, so system can be recovered without using a UART connection.

If your bootloader is bricked you can use the Mediateks ability to load a bootloader directly over UART with a tool called mtk_uartboot.

Details explained in this forum post

AX3000T can be recovered from a soft-brick with TFTP. The flow is:

• The router boots and asks for an IP address on the LAN ports via DHCP
• The TFTP server assigns an IP address to the router
• The router then connects to the TFTP server (where your DHCP server listen, e.g.: 192.168.31.100) and tries to download a file named with the IP address given by the DHCP server converted to hexadecimal (for example, 192.168.31.2 = C0.A8.1F.02, so the router will ask for a file named C0A81F02.img).

Because of this quirk we will have to configure the tftp server to assign only one IP and we will set the file name to the only IP address it can receive.

For Windows you can use tftpd64 and on Linux you can use dnsmasq.

• Power off the router if you haven't done so already.
• Press and hold the reset button, then power on the router while still holding the button.
• Keep holding the reset button until the router's LED starts flashing orange.
• Then release the reset button.
• The device will start loading the firmware after several seconds.

  • If in the terminal, you see that the router requests a different firmware file (different name), rename the .img file in the tmp folder accordingly and repeat the procedures from the IP flush again.
• When the device finished loading the firmware, the led starts flashing with orange (amber) light. → Wait until the blue led starts flashing!
• Then unplug the router's power, wait a moment, and plug it back in to restart.

  • It might take some time for the led to go blue flashing.
  • If the recovery doesn't accept the downloaded file the led switches to solid white - if this is the case, restart the recovery process with other file.
  • If the led is blinking blue led it means the device was flashed successfully and can be restarted.
• Put your interface back to DHCP mode and start again with breaking your device

Restoring stock partitions on the AX3000T to their initial factory state is possible only if a backup of stock partitions was made before the router was bricked.

In order to recover router by restoring stock partitions from backup, connect a UART adapter to the router and use the mtk_uartboot tool to perform recovery.

The following instructions are intended for Windows users, but can be easily adapted for Linux or Mac users:

1. Perform steps 1 to 6 from the UART flash method.
2. Press Esc (or Ctrl+C) in PuTTY to stop the system from trying to retrieve the *.itb file. At the U-Boot console, the command prompt should appear: MT7981>
3. Download Kernel *initramfs-kernel.bin file.
4. Place downloaded *initramfs-kernel.bin file and the router's backup files in the folder with unzipped 'tftpd64.exe' (TFTP server).
5. Set static IP 192.168.1.254 on your PC.
6. Start TFTP server, and select Server Interface 192.168.1.254 (see step7 from the UART flash method).
7. At the MT7981> prompt console, prepare the tftp environment:

   setenv ipaddr 192.168.1.1
   setenv serverip 192.168.1.254

8. Test tftp setup/network by attempting to load BL2.bin file into RAM (dry-run). Note: you should see something like Bytes transferred = xxxxxx (xxxxxx hex). If this fails, double‑check your PC's IP, the TFTP server interface, and firewall settings. Proceed to the next steps only after this succeeds:

   tftpboot 0x46000000 BL2.bin

9. At the MT7981> prompt console, execute each command one by one (separately), paying attention to the terminal output after each execution:

• erase NAND flash chip completely

  nand erase.force 0x0 0x8000000

• load backup for BL2 and write it to NAND:

  tftpboot 0x46000000 BL2.bin
  nand write 0x46000000 0x0 0x100000

• load backup for FIP and write it to NAND:

  tftpboot 0x46000000 FIP.bin
  nand write 0x46000000 0x380000 0x200000

• load backup for Nvram and write it to NAND:

  tftpboot 0x46000000 Nvram.bin
  nand write 0x46000000 0x100000 0x40000

• load backup for Bdata and write it to NAND:

  tftpboot 0x46000000 Bdata.bin
  nand write 0x46000000 0x140000 0x40000

• load backup for Factory and write it to NAND:

  tftpboot 0x46000000 Factory.bin
  nand write 0x46000000 0x180000 0x200000

• upload OpenWrt *initramfs-kernel.bin to the router's RAM:

  tftpboot 0x46000000 openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-kernel.bin

• run OpenWrt in the initramfs system mode:

  bootm 0x46000000

Now, log in to 192.168.1.1 and flash Sysupgrade *sysupgrade.bin file either from command console or via LuCI.

→ failsafe_and_factory_reset

→ Basic configuration After flashing, proceed with this.
Set up your Internet connection, configure wireless, configure network settings, etc.

note: configuration reset issue after 6 reboots, caused by the stock Xiaomi bootloader logic, has been addressed since 24.10.0 release.

To enable correct operation of Wi-Fi radios, choose the country code corresponding to your country prior to setting up and enabling SSIDs.

• see country code for Wi-Fi operation.

Beamforming and BSS Coloring are already enabled by default on the AX3000T running OpenWrt as per this commit.

• Beamforming (explicit beamforming is part of the 802.11ac standard) improves data rates and extends range by directing signals toward specific clients instead of broadcasting in every direction at once.
• Basic Service Set (BSS) Coloring marks shared frequencies to allow 802.11ax access points to determine whether simultaneous use of spectrum is permissible, reducing interference and improving service in high-density environment.

WED is not yet available in LuCI and might be manually enabled on the AX3000T running OpenWrt (if needed).

• Wireless Ethernet Dispatch (WED) is an extension of hardware flow offloading which can reduce CPU loads/increase routing throughput when wireless clients are active. To enable it, proceed with the following:

1. Edit: /etc/modules.conf
2. Append: options mt7915e wed_enable=Y
3. Save and reboot

→ note: to use WED on a dumb access point, the bridger package is required.

To check whether WED is enabled, run the following command that will return either Y (yes) or N (no): cat /sys/module/mt7915e/parameters/wed_enable

The default network configuration is:

Numbers 2-4 are Ports 1-3 as labeled on the unit, number 4 is the Internet (WAN) on the unit, 0 is the internal connection to the router itself.

→ hardware.button on howto use and configure the hardware button(s). Here, we merely name the buttons, so we can use them in the above Howto.

The Xiaomi AX3000T has the following buttons:

The Xiaomi AX3000T features a front LED strip that can light up in yellow (actually orange), blue, and white.

The default OpenWRT configuration is as follows:

For example, the following configuration will set the white LED to be solid when the PPPoE connection is established. If the connection is lost, the color will revert to blue.

This can be configured through Luci → System → LED Configuration.

config led
option sysfs 'yellow:status'
option trigger 'netdev'
option dev 'pppoe-wan'
list mode 'link'

config led
option sysfs 'blue:status'
option trigger 'netdev'
option dev 'pppoe-wan'
list mode 'link'

config led
option sysfs 'blue:status'
option trigger 'default-on'

Front:
Insert photo of front of the casing

Back:
Insert photo of back of the casing

Backside label:
Insert photo of backside label

→ Warranty

Main PCB:
Insert photo of PCB

→ port.serial general information about the serial port, serial port cable, etc.

How to connect to the Serial Port of this specific device:

→ port.jtag general information about the JTAG port, JTAG cable, etc.

How to connect to the JTAG Port of this specific device:
Insert photo of PCB with markings for JTAG port

→ bootloader

See also information on custom bootloader bl-mt798x

• DC power barrel plug dimensions 4.0mm x 1.7mm.