Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Next revisionBoth sides next revision
inbox:toh:xiaomi:ax3000t [2024/02/04 18:17] – [Change to OpenWrt U-Boot] command like a code volenskiinbox:toh:xiaomi:ax3000t [2024/10/05 17:49] – [Table] vladshulakov
Line 1: Line 1:
 ====== Xiaomi AX3000T ====== ====== Xiaomi AX3000T ======
 +
 +<WRAP center round important 60%>
 +**Warning!** Don't brick your router!
 +
 +AX3000T routers come with either ''Winbond'' or ''ESMT'' NAND flash chip. Devices with the ''Winbond'' NAND chip are supported **only** by [[:releases:snapshot|Snapshot]] version, while the ''ESMT'' NAND chip is supported by both the official stable OpenWrt [[:releases:23.05:notes-23.05.5|23.05.5]] image and Snapshot. **Don´t try to flash router without checking your chip!**: [[https://forum.openwrt.org/t/openwrt-support-for-xiaomi-ax3000t/180490/1424?u=alexq|details]]. 
 +
 +</WRAP>
 +
 +<WRAP center round important 60%>
 +New AX3000T devices with stock firmware version 1.0.84 or newer have received updated hardware ([[https://forum.openwrt.org/t/openwrt-support-for-xiaomi-ax3000t/180490/1176|AN8855 switch]]) that is temporarily incompatible with the OpenWrt image until support is added. There is no possibility to install OpenWrt on RD03 for such devices, see [[https://forum.openwrt.org/t/openwrt-support-for-xiaomi-ax3000t/180490/1143?|link]].
 +
 +</WRAP>
  
 The Xiaomi AX3000T router supports 2 802.11ax streams on both 2.4GHz @40MHz and 5GHz @160MHz for a combined 3000Mbps wireless speed. It is based on the MediaTek MT7981 SoC. The Xiaomi AX3000T router supports 2 802.11ax streams on both 2.4GHz @40MHz and 5GHz @160MHz for a combined 3000Mbps wireless speed. It is based on the MediaTek MT7981 SoC.
 +
 +There are two versions of the Xiaomi AX3000T router:
 +  * model **RD03**: Chinese version
 +  * model **RD23**: International (Global) version.
 +Both versions have exactly the same hardware, and the only difference is the version of the stock firmware (which is region-locked).
  
 {{media:xiaomi:xiaomi_ax3000t.jpg|AX3000T}} {{media:xiaomi:xiaomi_ax3000t.jpg|AX3000T}}
Line 7: Line 24:
 **Support Forums** https://forum.openwrt.org/t/openwrt-support-for-xiaomi-ax3000t/180490 **Support Forums** https://forum.openwrt.org/t/openwrt-support-for-xiaomi-ax3000t/180490
  
-===== Supported Versions =====+There are 2 known OpenWrt installation methods for the Xiaomi AX3000T: 
 +  * **API RCE method**: the method involves executing shell commands on the stock router firmware to enable SSH access by exploiting the API RCE, either in ''xqsystem/start_binding'' or ''misystem/arn_switch'', depending on the firmware version. This method is suitable for both **RD23** (International version) and **RD03** (Chinese version) of the Xiaomi AX3000T router. For details, please refer to the [[:inbox:toh:xiaomi:ax3000t#installation|Installation]] section below.  
 +  * **UART flash method**: the method which requires opening the device, connecting a UART cable, and following a specific set of steps. This process is recommended only for advanced users and may soft brick your device. The instructions for this process are available in this post: [[https://forum.openwrt.org/t/openwrt-support-for-xiaomi-ax3000t/180490/420?u=alexq|link to owrt forum]].
  
----- datatable ---- +OpenWrt Support Status: 
-cols    : Brand, Model, Versions, Supported Current Rel, OEM device homepage URL_url, Forum Search_search-forums, Device Techdata_pageid +^ Stock Firmware ver.             ^Model  ^ API to exploit     ^ OpenWrt Supported     ^ Stock Firmware URL  ^ 
-headers Brand, Model, Version, Current Release, OEM Info, Forum Search, Technical Data +| 1.0.31 (INT)         | RD23 | ''xqsystem/start_binding''              |   YES*                                                      | 
-align   : c,c,c,c,c,c,c +| 1.0.49 (INT)         | RD23 | ''xqsystem/start_binding''              |   YES*             | [[https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/rd23/miwifi_rd23_firmware_153e1_1.0.49_INT.bin|miwifi_rd23_firmware_153e1_1.0.49_INT.bin]] | 
-filter  : Brand=Xiaomi +| 1.0.47 (CN)          | RD03 | ''misystem/arn_switch''         YES*              | [[https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/rd03/miwifi_rd03_firmware_ef0ee_1.0.47.bin|miwifi_rd03_firmware_ef0ee_1.0.47.bin]] |  
-filter  Model=AX3000T +| 1.0.64 (CN)          | RD03 | ''xqsystem/start_binding''                      |   YES*             | [[https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/rd03/miwifi_rd03_firmware_14680_1.0.64.bin|miwifi_rd03_firmware_14680_1.0.64.bin]]   
-----+| 1.0.84 (CN)          | RD03 | ''xqsystem/start_binding''              |   **Not yet** (''AN8855'' hardware) | [[https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/rd03/miwifi_rd03_firmware_f85f9_1.0.84.bin|miwifi_rd03_firmware_f85f9_1.0.84.bin]]| 
  
 +  * *note: devices with the ''Winbond'' NAND chip are supported by [[:releases:snapshot|Snapshot]] version only.
  
-===== Hardware Highlights ===== 
----- datatable ---- 
-cols    : Model, Versions, CPU, CPU MHz, CPU Cores_numcores, Flash MB_mbflashs, RAM MB_mbram, WLAN Hardware, WLAN 2.4GHz, WLAN 5.0GHz, Ethernet 100M ports_, Ethernet 1Gbit ports_, Modem, USB ports_ 
-header  : Model, Version,SoC,CPU MHz,CPU Cores,Flash MB,RAM MB,WLAN Hardware,WLAN2.4,WLAN5.0,100M ports,1Gbit ports,Modem,USB 
-align   : c,c,c,c,c,c,c,c,c,c,c,c,c 
-filter  : Brand=Xiaomi 
-filter  : Model=AX3000T 
----- 
  
 +===== Supported Versions =====
  
-===== Installation =====+<!-- ToH: { 
 +  "source": "json", 
 +  "dom": "t", 
 +  "paging": false, 
 +  "rotate": true, 
 +  "shownColumns": ["brand", "model", "version", "supportedcurrentrel", "oemdevicehomepageurl", "forumsearch", "deviceid"], 
 +  "filterColumns": {"brand": "^Xiaomi$", "model": "^AX3000T$"
 +} -->
  
-==== Install Vulnerable Version ==== 
-First, you'll need to grab a vulnerable software version. The table below shows known vulnerable versions. It is recommended to install version 1.0.47. 
-^ Firmware Version      ^ Vulnerable?  ^ Download                                                                                       ^ 
-| 1.0.64                | NO          | https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/rd03/miwifi_rd03_firmware_14680_1.0.64.bin  | 
-| 1.0.47 (recommended)  | YES          | https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/rd03/miwifi_rd03_firmware_ef0ee_1.0.47.bin  | 
  
-**To downgrade**navigate to the upload firmware page and select the appropriate software version. It will complain about the downgrade. Edit the url and change the <html>0</html> at the end to a <html>1</html> and press enter. Or change to <html>2</html> if there is already <html>1</html(seen on v1.0.64). The downgrade will proceed.+===== Hardware Highlights ===== 
 +<!-- ToH
 +  "source": "json", 
 +  "dom": "t", 
 +  "paging": false, 
 +  "rotate": true, 
 +  "shownColumns": ["model", "version", "cpu", "cpumhz", "cpucores", "flashmb", "rammb", "wlanhardware", "wlan24ghz", "wlan50ghz", "ethernet100mports", "ethernet1gports", "modem", "usbports"], 
 +  "filterColumns": {"brand": "^Xiaomi$", "model": "^AX3000T$"
 +} --> 
 + 
 + 
 +===== Installation=====
  
 ==== Flash instructions ==== ==== Flash instructions ====
 +<WRAP center round info 60%>
 +Besides the manual steps outlined below, there is the [[https://github.com/openwrt-xiaomi/xmir-patcher|XMiR-Patcher]] tool that can automate the entire process, making the first-time router flashing much simpler with just a few clicks. As always, know what you're doing when executing scripts from the internet!
 +</WRAP>
  
-1. Get ssh access. Supported stock firmware **1.0.47** +1. Get ssh access.  
-  curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=*******/api/misystem/arn_switch" -d "open=1&model=1&level=%0Anvram%20set%20ssh_en%3D1%0A" +  #!/bin/sh 
-  curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=*******/api/misystem/arn_switch" -d "open=1&model=1&level=%0Anvram%20commit%0A" +   
-  curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=*******/api/misystem/arn_switch" -d "open=1&model=1&level=%0Ased%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%22debug%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear%0A" +  if [ $# -ne 2 ]; then 
-  curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=*******/api/misystem/arn_switch" -d "open=1&model=1&level=%0A%2Fetc%2Finit.d%2Fdropbear%20start%0A" +  cat <<EOF 
-  curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=********/api/misystem/arn_switch" -d "open=1&model=1&level=%0Apasswd%20-d%20root%0A"+  Usage: $[misystem | xqsystem] [stok] 
 +  e.g. $0 misystem e6ea114ba2cddb0c70fbbc417bb2706c 
 +  Copy the stok-string from a browser's URL-line, while logged to the router 
 +  EOF 
 +  exit 1 
 +  fi 
 +   
 +  [ -z "$2" ] && echo "error: bad stok" && exit 1 
 +   
 +  url="http://192.168.31.1/cgi-bin/luci/;stok=${2}/api
 +   
 +  case "$1" in 
 +      misystem) 
 +          url="$url/misystem/arn_switch" 
 +          pre="open=1&model=1&level=
 +          suf="" 
 +          ;; 
 +      xqsystem) 
 +          url="$url/xqsystem/start_binding" 
 +          pre="uid=1234&key=1234'" 
 +          suf="'" 
 +          ;; 
 +      *) 
 +          echo "error: unknown api" && exit 1 
 +          ;; 
 +  esac 
 +   
 +  curl -X POST "$url" -d "${pre}%0Anvram%20set%20ssh_en%3D1%0A${suf}" 
 +  sleep 1 
 +  curl -X POST "$url" -d "${pre}%0Anvram%20commit%0A${suf}" 
 +  sleep 1 
 +  curl -X POST "$url" -d "${pre}%0Ased%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%22debug%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear%0A${suf}" 
 +  sleep 1 
 +  curl -X POST "$url" -d "${pre}%0A%2Fetc%2Finit.d%2Fdropbear%20start%0A${suf}" 
 +  sleep 1 
 +  curl -X POST "$url" -d "${pre}%0Apasswd%20-d%20root%0A${suf}"
  
 2. Backup stock partitions 2. Backup stock partitions
 +
 +  ssh -o StrictHostKeyChecking=no -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa -v root@192.168.31.1
   nanddump -f /tmp/BL2.bin /dev/mtd1   nanddump -f /tmp/BL2.bin /dev/mtd1
   nanddump -f /tmp/Nvram.bin /dev/mtd2   nanddump -f /tmp/Nvram.bin /dev/mtd2
Line 58: Line 124:
 Then transfer them to your computer in a safe place. Then transfer them to your computer in a safe place.
  
-3. Get firmware information `cat /proc/cmdline`+To copy you can run netcat on your computer (in this case the computer's IP is 192.168.31.55): 
 + 
 +  $ netcat -l 1234 | tar xvf - 
 + 
 +And send the data from the router: 
 + 
 +  root@XiaoQiang:~# tar cf - /tmp/*.bin | nc 192.168.31.55 1234 
 + 
 + 
 +3. Get firmware information: ''cat /proc/cmdline''
  
 4. Copy openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi to **/tmp** and flash 4. Copy openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi to **/tmp** and flash
  
-If **firmware=0**+  * If **firmware=0** 
   ubiformat /dev/mtd9 -y -f /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi   ubiformat /dev/mtd9 -y -f /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi
   nvram set boot_wait=on   nvram set boot_wait=on
Line 74: Line 150:
   reboot   reboot
  
-If **firmware=1**+  * If **firmware=1** 
   ubiformat /dev/mtd8 -y -f /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi   ubiformat /dev/mtd8 -y -f /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi
   nvram set boot_wait=on   nvram set boot_wait=on
Line 86: Line 163:
   reboot   reboot
  
-Then reboot your router, it should boot to the OpenWrt initramfs system now.+Once the router is rebooted, it should boot to the OpenWrt initramfs system now. To be sure to use one of OpenWrt's LAN ports (not WAN port), plug the ethernet cable into one of the middle ports, if the cable is not already plugged there (original FW dynamically assigns LAN/WAN).
  
-5. Flash openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin+Note that you should configure the computer's network to use DHCP. You can use wireshark if things don't work. 
 +This command will connect you to the OpenWrt system: 
 + 
 +  ssh root@192.168.1.1 
 + 
 + 
 +5. Copy openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin to **/tmp** and flash:
   sysupgrade -n /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin   sysupgrade -n /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin
  
-<WRAP info> Default available space is **60Mb**.  
-OpenWrt U-Boot provide faster boot loading and more space: **75Mb** (with recovery) or **85Mb** (without recovery). 
-</WRAP> 
  
 ==== Change to OpenWrt U-Boot ==== ==== Change to OpenWrt U-Boot ====
 +<WRAP info> Default available router space is **60Mb**. It's possible to increase this size by replacing stock bootloader with the OpenWrt U-Boot bootloader. Please [[https://forum.openwrt.org/t/openwrt-support-for-xiaomi-ax3000t/180490/721|understand]] the benefits and risks involved. 
 +OpenWrt U-Boot provides faster boot loading and more space: **75Mb** (with recovery) or **85Mb** (without recovery).
 +</WRAP>
  
 1. Flash openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-factory.ubi 1. Flash openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-factory.ubi
Line 105: Line 188:
   opkg update && opkg install kmod-mtd-rw   opkg update && opkg install kmod-mtd-rw
  
-  insmod /lib/modules/$(uname -r)/mtd-rw.ko i_want_a_brick=1+  insmod mtd-rw i_want_a_brick=1
  
 3. Format ubi and create new ubootenv volume 3. Format ubi and create new ubootenv volume
Line 135: Line 218:
   opkg update && opkg install kmod-mtd-rw   opkg update && opkg install kmod-mtd-rw
  
-  insmod /lib/modules/$(uname -r)/mtd-rw.ko i_want_a_brick=1+  insmod mtd-rw i_want_a_brick=1
  
 4. Flash stock images from backup 4. Flash stock images from backup
Line 144: Line 227:
 Then reboot your router, waiting it finished rollback in minutes. Then reboot your router, waiting it finished rollback in minutes.
  
-====  Go Back to stock from default layout Openwrt ====  +====  Go Back to stock firmware from stock bootloader ====  
-  ubiformat /dev/mtd7 -y -f /tmp/ubi.bin+  ubiformat /dev/mtd8 -y -f /tmp/ubi.bin
  
 Then reboot your router, waiting it finished rollback in minutes. Then reboot your router, waiting it finished rollback in minutes.
Line 174: Line 257:
 ==== LuCI Web Upgrade Process ==== ==== LuCI Web Upgrade Process ====
  
-  * Browse to ''<nowiki>http://192.168.1.1/cgi-bin/luci/mini/system/upgrade/</nowiki>'' LuCI Upgrade URL+  * Browse to ''<nowiki>http://192.168.1.1/cgi-bin/luci/admin/system/flash</nowiki>'' LuCI Upgrade URL
   * Upload image file for sysupgrade to LuCI   * Upload image file for sysupgrade to LuCI
   * Wait for reboot   * Wait for reboot
Line 209: Line 292:
 mtd write /tmp/xxx.abc linux && reboot mtd write /tmp/xxx.abc linux && reboot
 </code> </code>
 +
 +===== Downgrading stock firmware =====
 +This section is kept only for historical reference, as it relates to the deprecated OpenWrt installation method that was applicable only to the RD03 (Chinese version) with stock firmware version 1.0.47. Please note that none of the current installation methods require a firmware downgrade to flash OpenWrt.
 +
 +**To downgrade** a firmware version on your router, navigate to the upload firmware page and select the appropriate software version. It will complain about the downgrade. Edit the url and change the <html>0</html> at the end to a <html>1</html> and press enter. Or change to <html>2</html> if there is already <html>1</html> (seen on v1.0.64). The downgrade will proceed.
 +
 ===== Debricking ===== ===== Debricking =====
 -> [[docs:guide-user:troubleshooting:generic.debrick]] -> [[docs:guide-user:troubleshooting:generic.debrick]]
  
-Assume that you have installed OpenWrt with stock layout, with original u-boot:+Assume that you have installed OpenWrt with stock bootloader, with original u-boot:
  
   * Connect to router via UART   * Connect to router via UART
Line 224: Line 313:
  
  
-==== TFTP instructions for the stock layout ====+ 
 +==== Recover bricked bootloader ==== 
 + 
 +If your bootloader is bricked you can use the Mediateks ability to load a bootloader directly over UART with a tool called mtk_uartboot. 
 + 
 +Details explained in [[https://forum.openwrt.org/t/openwrt-support-for-xiaomi-ax3000t/180490/860|this forum post]] 
 + 
 +==== TFTP instructions for the stock bootloader ====
 AX3000T can be recovered from a soft-brick with TFTP. The flow is: AX3000T can be recovered from a soft-brick with TFTP. The flow is:
   * The router boots and asks for an IP address on the LAN ports via DHCP   * The router boots and asks for an IP address on the LAN ports via DHCP
Line 267: Line 363:
 -> [[docs:guide-user:base-system:start|Basic configuration]] After flashing, proceed with this.\\ -> [[docs:guide-user:base-system:start|Basic configuration]] After flashing, proceed with this.\\
 Set up your Internet connection, configure wireless, configure USB port, etc. Set up your Internet connection, configure wireless, configure USB port, etc.
 +
 +  * note: configuration reset issue after 6 reboots sometimes occurs on the AX3000T and is [[https://forum.openwrt.org/t/openwrt-support-for-xiaomi-ax3000t/180490/452?u=alexq|caused]] by the stock Xiaomi bootloader logic. To address this, run the command to modify the /etc/rc.local file with nvram settings:
 +
 +  sed -i '/exit 0/i sleep 5\nfw_setenv flag_try_sys1_failed 0' /etc/rc.local
 +
 +**Don't run** this command if the issue doesn't affect you, and your router keeps its settings after 6 reboots! 
  
 ===== Specific Configuration ===== ===== Specific Configuration =====
Line 303: Line 405:
  
  
----- datatemplatelist dttpllist ---- +<!-- ToH: { 
-templatemeta:template_datatemplatelist +  "source""json", 
-cols    BrandModelVersionsDevice TypeAvailabilitySupported Since Commit_gitSupported since RelSupported current RelUnsupportedBootloaderCPUTargetCPU MHzFlash MBsRAM MBSwitchEthernet 100M ports_Ethernet Gbit ports_Comments network ports_ModemVLANWLAN 2.4GHzWLAN 5.0GHzWLAN HardwaresWLAN Comments_Detachable Antennas_USB ports_SATA ports_Comments USB SATA ports_SerialJTAGLED countButton countPower supplyDevice Techdata_pageidForum topic URL_urlwikidevi URL_urlOEM Device Homepage URL_urlFirmware OEM Stock URL_urlFirmware OpenWrt Install URL_urlFirmware OpenWrt Upgrade URL_urlComments_ +  "dom""t", 
-filter  : Brand=Xiaomi +  "paging"false, 
-filter  Model=AX3000T +  "rotate": true, 
-----+  "shownColumns": ["brand""model""version""devicetype""availability""supportedsincecommit""supportedsincerel""supportedcurrentrel""unsupported_functions""bootloader""cpu""target""cpumhz""flashmb""rammb""switch""ethernet100mports""ethernet1gports""commentsnetworkports""modem""vlan""wlan24ghz""wlan50ghz""wlanhardware""wlancomments""detachableantennas""usbports""sataports""commentsusbsataports""serial""jtag""ledcount""buttoncount""powersupply""deviceid""owrt_forum_topic_url""wikideviurl""oemdevicehomepageurl""firmwareoemstockurl", "firmwareopenwrtinstallurl", "firmwareopenwrtupgradeurl", "comments"]
 +  "filterColumns": {"brand""^Xiaomi$", "model""^AX3000T$"} 
 +-->
  
 ==== Photos ==== ==== Photos ====
Line 343: Line 447:
 How to connect to the Serial Port of this specific device:\\ How to connect to the Serial Port of this specific device:\\
 {{:media:xiaomi:xiaomi_ax3000t_uart.jpg?direct&600|}} {{:media:xiaomi:xiaomi_ax3000t_uart.jpg?direct&600|}}
-^ Serial connection parameters\\ for Xiaomi AX3000T | 115200, 8N1, 3.3V |+^ Serial connectionparameters\\ for Xiaomi AX3000T  | 115200, 8N1, 3.3V  |
  
 ==== JTAG ==== ==== JTAG ====
Line 362: Line 466:
  
 ===== Notes ===== ===== Notes =====
 +
 +  * DC power barrel plug dimensions 4.0mm x 1.7mm.
  
  
  • Last modified: 2024/12/19 08:57
  • by lessload