Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revisionBoth sides next revision | ||
| inbox:toh:xiaomi:ax3000t [2024/04/30 06:45] – RD23 warning added frollic | inbox:toh:xiaomi:ax3000t [2024/10/05 17:49] – [Table] vladshulakov | ||
|---|---|---|---|
| Line 2: | Line 2: | ||
| <WRAP center round important 60%> | <WRAP center round important 60%> | ||
| + | **Warning!** Don't brick your router! | ||
| - | Unsupported International RD23 version. | + | AX3000T routers come with either '' |
| + | |||
| + | </ | ||
| + | |||
| + | <WRAP center round important 60%> | ||
| + | New AX3000T devices with stock firmware version 1.0.84 or newer have received updated hardware ([[https:// | ||
| - | If you own a RD23 device, do not attempt to flash it. | ||
| </ | </ | ||
| The Xiaomi AX3000T router supports 2 802.11ax streams on both 2.4GHz @40MHz and 5GHz @160MHz for a combined 3000Mbps wireless speed. It is based on the MediaTek MT7981 SoC. | The Xiaomi AX3000T router supports 2 802.11ax streams on both 2.4GHz @40MHz and 5GHz @160MHz for a combined 3000Mbps wireless speed. It is based on the MediaTek MT7981 SoC. | ||
| + | |||
| + | There are two versions of the Xiaomi AX3000T router: | ||
| + | * model **RD03**: Chinese version | ||
| + | * model **RD23**: International (Global) version. | ||
| + | Both versions have exactly the same hardware, and the only difference is the version of the stock firmware (which is region-locked). | ||
| {{media: | {{media: | ||
| **Support Forums** https:// | **Support Forums** https:// | ||
| + | |||
| + | There are 2 known OpenWrt installation methods for the Xiaomi AX3000T: | ||
| + | * **API RCE method**: the method involves executing shell commands on the stock router firmware to enable SSH access by exploiting the API RCE, either in '' | ||
| + | * **UART flash method**: the method which requires opening the device, connecting a UART cable, and following a specific set of steps. This process is recommended only for advanced users and may soft brick your device. The instructions for this process are available in this post: [[https:// | ||
| + | |||
| + | OpenWrt Support Status: | ||
| + | ^ Stock Firmware ver. | ||
| + | | 1.0.31 (INT) | RD23 | '' | ||
| + | | 1.0.49 (INT) | RD23 | '' | ||
| + | | 1.0.47 (CN) | RD03 | '' | ||
| + | | 1.0.64 (CN) | RD03 | '' | ||
| + | | 1.0.84 (CN) | RD03 | '' | ||
| + | |||
| + | * *note: devices with the '' | ||
| + | |||
| ===== Supported Versions ===== | ===== Supported Versions ===== | ||
| Line 37: | Line 62: | ||
| - | ===== Installation ===== | + | ===== Installation===== |
| - | + | ||
| - | ==== Install Vulnerable Version ==== | + | |
| - | First, you'll need to grab a vulnerable software version. The table below shows known vulnerable versions. It is recommended to install version 1.0.47. | + | |
| - | ^ Firmware Version | + | |
| - | | 1.0.64 | + | |
| - | | 1.0.47 (recommended) | + | |
| - | + | ||
| - | **To downgrade**: | + | |
| ==== Flash instructions ==== | ==== Flash instructions ==== | ||
| + | <WRAP center round info 60%> | ||
| + | Besides the manual steps outlined below, there is the [[https:// | ||
| + | </ | ||
| - | 1. Get ssh access. | + | 1. Get ssh access. |
| - | + | #!/bin/sh | |
| - | #!/bin/bash | + | |
| | | ||
| - | if [ "$1" = "" | + | if [ $# -ne 2 ]; then |
| - | echo "Usage: $0 [stok]" | + | cat << |
| - | echo "e.g. $0 e6ea114ba2cddb0c70fbbc417bb2706c" | + | |
| - | echo "Copy the stok-string from a browser' | + | e.g. $0 misystem |
| - | exit 1 | + | Copy the stok-string from a browser' |
| + | EOF | ||
| + | | ||
| fi | fi | ||
| | | ||
| - | | + | |
| + | |||
| + | url=" | ||
| + | |||
| + | case " | ||
| + | misystem) | ||
| + | url=" | ||
| + | pre=" | ||
| + | suf="" | ||
| + | ;; | ||
| + | xqsystem) | ||
| + | url=" | ||
| + | pre=" | ||
| + | suf="'" | ||
| + | ;; | ||
| + | *) | ||
| + | echo " | ||
| + | ;; | ||
| + | esac | ||
| + | |||
| + | curl -X POST " | ||
| sleep 1 | sleep 1 | ||
| - | curl -X POST "http:// | + | curl -X POST "$url" -d "${pre}%0Anvram%20commit%0A${suf}" |
| sleep 1 | sleep 1 | ||
| - | curl -X POST "http:// | + | curl -X POST "$url" -d "${pre}%0Ased%20-i%20' |
| sleep 1 | sleep 1 | ||
| - | curl -X POST "http:// | + | curl -X POST "$url" -d "${pre}%0A%2Fetc%2Finit.d%2Fdropbear%20start%0A${suf}" |
| sleep 1 | sleep 1 | ||
| - | curl -X POST "http:// | + | curl -X POST "$url" -d "${pre}%0Apasswd%20-d%20root%0A${suf}" |
| 2. Backup stock partitions | 2. Backup stock partitions | ||
| + | |||
| + | ssh -o StrictHostKeyChecking=no -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa -v root@192.168.31.1 | ||
| nanddump -f / | nanddump -f / | ||
| nanddump -f / | nanddump -f / | ||
| Line 81: | Line 124: | ||
| Then transfer them to your computer in a safe place. | Then transfer them to your computer in a safe place. | ||
| - | 3. Get firmware information | + | To copy you can run netcat on your computer (in this case the computer' |
| + | |||
| + | $ netcat -l 1234 | tar xvf - | ||
| + | |||
| + | And send the data from the router: | ||
| + | |||
| + | root@XiaoQiang: | ||
| + | |||
| + | |||
| + | 3. Get firmware information: '' | ||
| 4. Copy openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi to **/tmp** and flash | 4. Copy openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi to **/tmp** and flash | ||
| - | If **firmware=0** | + | * If **firmware=0** |
| ubiformat /dev/mtd9 -y -f / | ubiformat /dev/mtd9 -y -f / | ||
| nvram set boot_wait=on | nvram set boot_wait=on | ||
| Line 97: | Line 150: | ||
| reboot | reboot | ||
| - | If **firmware=1** | + | * If **firmware=1** |
| ubiformat /dev/mtd8 -y -f / | ubiformat /dev/mtd8 -y -f / | ||
| nvram set boot_wait=on | nvram set boot_wait=on | ||
| Line 109: | Line 163: | ||
| reboot | reboot | ||
| - | Then reboot your router, it should boot to the OpenWrt initramfs system now. To be sure to use one of OpenWrt' | + | Once the router |
| - | 5. Flash openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin | + | Note that you should configure the computer' |
| + | This command will connect you to the OpenWrt system: | ||
| + | |||
| + | ssh root@192.168.1.1 | ||
| + | |||
| + | |||
| + | 5. Copy openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin | ||
| sysupgrade -n / | sysupgrade -n / | ||
| - | <WRAP info> Default available space is **60Mb**. | ||
| - | OpenWrt U-Boot provide faster boot loading and more space: **75Mb** (with recovery) or **85Mb** (without recovery). | ||
| - | </ | ||
| ==== Change to OpenWrt U-Boot ==== | ==== Change to OpenWrt U-Boot ==== | ||
| + | <WRAP info> Default available router space is **60Mb**. It's possible to increase this size by replacing stock bootloader with the OpenWrt U-Boot bootloader. Please [[https:// | ||
| + | OpenWrt U-Boot provides faster boot loading and more space: **75Mb** (with recovery) or **85Mb** (without recovery). | ||
| + | </ | ||
| 1. Flash openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-factory.ubi | 1. Flash openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-factory.ubi | ||
| Line 128: | Line 188: | ||
| opkg update && opkg install kmod-mtd-rw | opkg update && opkg install kmod-mtd-rw | ||
| - | insmod | + | insmod mtd-rw i_want_a_brick=1 |
| 3. Format ubi and create new ubootenv volume | 3. Format ubi and create new ubootenv volume | ||
| Line 158: | Line 218: | ||
| opkg update && opkg install kmod-mtd-rw | opkg update && opkg install kmod-mtd-rw | ||
| - | insmod | + | insmod mtd-rw i_want_a_brick=1 |
| 4. Flash stock images from backup | 4. Flash stock images from backup | ||
| Line 167: | Line 227: | ||
| Then reboot your router, waiting it finished rollback in minutes. | Then reboot your router, waiting it finished rollback in minutes. | ||
| - | ==== Go Back to stock from default layout Openwrt | + | ==== Go Back to stock firmware |
| ubiformat /dev/mtd8 -y -f / | ubiformat /dev/mtd8 -y -f / | ||
| Line 197: | Line 257: | ||
| ==== LuCI Web Upgrade Process ==== | ==== LuCI Web Upgrade Process ==== | ||
| - | * Browse to ''< | + | * Browse to ''< |
| * Upload image file for sysupgrade to LuCI | * Upload image file for sysupgrade to LuCI | ||
| * Wait for reboot | * Wait for reboot | ||
| Line 232: | Line 292: | ||
| mtd write / | mtd write / | ||
| </ | </ | ||
| + | |||
| + | ===== Downgrading stock firmware ===== | ||
| + | This section is kept only for historical reference, as it relates to the deprecated OpenWrt installation method that was applicable only to the RD03 (Chinese version) with stock firmware version 1.0.47. Please note that none of the current installation methods require a firmware downgrade to flash OpenWrt. | ||
| + | |||
| + | **To downgrade** a firmware version on your router, navigate to the upload firmware page and select the appropriate software version. It will complain about the downgrade. Edit the url and change the < | ||
| + | |||
| ===== Debricking ===== | ===== Debricking ===== | ||
| -> [[docs: | -> [[docs: | ||
| - | Assume that you have installed OpenWrt with stock layout, with original u-boot: | + | Assume that you have installed OpenWrt with stock bootloader, with original u-boot: |
| * Connect to router via UART | * Connect to router via UART | ||
| Line 247: | Line 313: | ||
| - | ==== TFTP instructions for the stock layout | + | |
| + | ==== Recover bricked bootloader ==== | ||
| + | |||
| + | If your bootloader is bricked you can use the Mediateks ability to load a bootloader directly over UART with a tool called mtk_uartboot. | ||
| + | |||
| + | Details explained in [[https:// | ||
| + | |||
| + | ==== TFTP instructions for the stock bootloader | ||
| AX3000T can be recovered from a soft-brick with TFTP. The flow is: | AX3000T can be recovered from a soft-brick with TFTP. The flow is: | ||
| * The router boots and asks for an IP address on the LAN ports via DHCP | * The router boots and asks for an IP address on the LAN ports via DHCP | ||
| Line 290: | Line 363: | ||
| -> [[docs: | -> [[docs: | ||
| Set up your Internet connection, configure wireless, configure USB port, etc. | Set up your Internet connection, configure wireless, configure USB port, etc. | ||
| + | |||
| + | * note: configuration reset issue after 6 reboots sometimes occurs on the AX3000T and is [[https:// | ||
| + | |||
| + | sed -i '/exit 0/i sleep 5\nfw_setenv flag_try_sys1_failed 0' / | ||
| + | |||
| + | **Don' | ||
| ===== Specific Configuration ===== | ===== Specific Configuration ===== | ||
| Line 368: | Line 447: | ||
| How to connect to the Serial Port of this specific device:\\ | How to connect to the Serial Port of this specific device:\\ | ||
| {{: | {{: | ||
| - | ^ Serial connection parameters\\ for Xiaomi AX3000T | 115200, 8N1, 3.3V | | + | ^ Serial connection. parameters\\ for Xiaomi AX3000T |
| ==== JTAG ==== | ==== JTAG ==== | ||