Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revisionBoth sides next revision | ||
| inbox:toh:xiaomi:ax3000t [2024/09/11 21:47] – Added info block about new installation method alexq | inbox:toh:xiaomi:ax3000t [2024/12/13 04:37] – [LEDs] nachum37 | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Xiaomi AX3000T ====== | ====== Xiaomi AX3000T ====== | ||
| - | <WRAP center round important | + | <WRAP center round important |
| **Warning!** Don't brick your router! | **Warning!** Don't brick your router! | ||
| - | Some AX3000T | + | AX3000T |
| - | New AX3000T devices with stock firmware version 1.0.84 or newer have received [[https:// | + | </WRAP> |
| + | <WRAP center round important 70%> | ||
| + | New AX3000T devices with stock firmware version 1.0.84 or newer have received updated hardware ([[https:// | ||
| - | </ | ||
| - | |||
| - | <WRAP center round info 60%> | ||
| - | Both the International (RD23) and Chinese (RD03) versions of the router are supported, but OpenWrt installation is much simpler on the Chinese version. | ||
| </ | </ | ||
| Line 26: | Line 24: | ||
| **Support Forums** https:// | **Support Forums** https:// | ||
| - | <WRAP center round info 60%> | + | There are 2 known OpenWrt installation |
| - | New, much simpler | + | * **API RCE method**: the method involves executing shell commands on the stock router firmware to enable SSH access by exploiting the API RCE, either in '' |
| - | </ | + | * **UART flash method**: the method which requires opening the device, connecting a UART cable, and following a specific set of steps. This process is recommended only for advanced users and may soft brick your device. The instructions for this process are available in this post: [[https:// |
| - | The initial installation of OpenWrt | + | OpenWrt |
| + | ^ Stock Firmware ver. | ||
| + | | 1.0.31 (INT) | RD23 | '' | ||
| + | | 1.0.49 (INT) | RD23 | '' | ||
| + | | 1.0.47 (CN) | RD03 | '' | ||
| + | | 1.0.64 | ||
| + | | 1.0.84 (CN) | RD03 | '' | ||
| - | For the Xiaomi AX3000T | + | |
| - | <WRAP BOX> | + | |
| - | Some additional notes/ | + | |
| - | * [[https:// | + | |
| - | * It's possible to avoid opening the case, as the UART is accessible through holes in the router' | + | |
| - | * Make sure to add the following to / | + | |
| - | * OpenWrt U-Boot was also successfully installed on the international RD23 version | + | |
| - | </ | ||
| ===== Supported Versions ===== | ===== Supported Versions ===== | ||
| Line 65: | Line 62: | ||
| - | ===== Installation | + | ===== Installation===== |
| - | + | ||
| - | ==== Install Vulnerable Version ==== | + | |
| - | First, you'll need to grab a vulnerable software version. The table below shows known vulnerable versions. It is recommended to install version 1.0.47. | + | |
| - | ^ Firmware Version | + | |
| - | | 1.0.64 | + | |
| - | | 1.0.47 (recommended) | + | |
| - | + | ||
| - | **To downgrade**: | + | |
| ==== Flash instructions ==== | ==== Flash instructions ==== | ||
| + | <WRAP center round info 70%> | ||
| + | Besides the manual steps outlined below, there is the [[https:// | ||
| + | </ | ||
| - | 1. Get ssh access. | + | 1. Get ssh access. |
| - | + | #!/bin/sh | |
| - | #!/bin/bash | + | |
| | | ||
| - | if [ "$1" = "" | + | if [ $# -ne 2 ]; then |
| - | echo "Usage: $0 [stok]" | + | cat << |
| - | echo "e.g. $0 e6ea114ba2cddb0c70fbbc417bb2706c" | + | |
| - | echo "Copy the stok-string from a browser' | + | e.g. $0 xqsystem |
| - | exit 1 | + | Copy the stok-string from a browser' |
| + | EOF | ||
| + | | ||
| fi | fi | ||
| | | ||
| - | | + | |
| + | |||
| + | url=" | ||
| + | |||
| + | case " | ||
| + | misystem) | ||
| + | url=" | ||
| + | pre=" | ||
| + | suf="" | ||
| + | ;; | ||
| + | xqsystem) | ||
| + | url=" | ||
| + | pre=" | ||
| + | suf="'" | ||
| + | ;; | ||
| + | *) | ||
| + | echo " | ||
| + | ;; | ||
| + | esac | ||
| + | |||
| + | curl -X POST " | ||
| sleep 1 | sleep 1 | ||
| - | curl -X POST "http:// | + | curl -X POST "$url" -d "${pre}%0Anvram%20commit%0A${suf}" |
| sleep 1 | sleep 1 | ||
| - | curl -X POST "http:// | + | curl -X POST "$url" -d "${pre}%0Ased%20-i%20' |
| sleep 1 | sleep 1 | ||
| - | curl -X POST "http:// | + | curl -X POST "$url" -d "${pre}%0A%2Fetc%2Finit.d%2Fdropbear%20start%0A${suf}" |
| sleep 1 | sleep 1 | ||
| - | curl -X POST "http:// | + | curl -X POST "$url" -d "${pre}%0Apasswd%20-d%20root%0A${suf}" |
| 2. Backup stock partitions | 2. Backup stock partitions | ||
| Line 111: | Line 124: | ||
| Then transfer them to your computer in a safe place. | Then transfer them to your computer in a safe place. | ||
| - | To copy you can run netcat on your computer | + | To copy you can run netcat on your computer: |
| $ netcat -l 1234 | tar xvf - | $ netcat -l 1234 | tar xvf - | ||
| Line 117: | Line 130: | ||
| And send the data from the router: | And send the data from the router: | ||
| - | root@XiaoQiang: | + | root@XiaoQiang: |
| + | root@XiaoQiang: | ||
| - | 3. Get firmware information | + | 3. Get firmware information: '' |
| 4. Copy openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi to **/tmp** and flash | 4. Copy openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi to **/tmp** and flash | ||
| - | If **firmware=0** | + | * If **firmware=0** |
| ubiformat /dev/mtd9 -y -f / | ubiformat /dev/mtd9 -y -f / | ||
| nvram set boot_wait=on | nvram set boot_wait=on | ||
| Line 136: | Line 151: | ||
| reboot | reboot | ||
| - | If **firmware=1** | + | * If **firmware=1** |
| ubiformat /dev/mtd8 -y -f / | ubiformat /dev/mtd8 -y -f / | ||
| nvram set boot_wait=on | nvram set boot_wait=on | ||
| Line 148: | Line 164: | ||
| reboot | reboot | ||
| - | Then reboot your router, it should boot to the OpenWrt initramfs system now. To be sure to use one of OpenWrt' | + | {{ : |
| + | Once the router | ||
| Note that you should configure the computer' | Note that you should configure the computer' | ||
| + | |||
| This command will connect you to the OpenWrt system: | This command will connect you to the OpenWrt system: | ||
| Line 156: | Line 173: | ||
| - | 5. Flash openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin | + | 5. Copy openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin |
| sysupgrade -n / | sysupgrade -n / | ||
| + | |||
| ==== Change to OpenWrt U-Boot ==== | ==== Change to OpenWrt U-Boot ==== | ||
| - | <WRAP info> Default available router space is **60Mb**. It's possible to increase this size by replacing | + | <WRAP info> Default available router space is **60Mb**. It's possible to increase this size by replacing |
| - | OpenWrt U-Boot | + | OpenWrt U-Boot |
| </ | </ | ||
| Line 172: | Line 190: | ||
| opkg update && opkg install kmod-mtd-rw | opkg update && opkg install kmod-mtd-rw | ||
| - | insmod | + | insmod mtd-rw i_want_a_brick=1 |
| 3. Format ubi and create new ubootenv volume | 3. Format ubi and create new ubootenv volume | ||
| Line 202: | Line 220: | ||
| opkg update && opkg install kmod-mtd-rw | opkg update && opkg install kmod-mtd-rw | ||
| - | insmod | + | insmod mtd-rw i_want_a_brick=1 |
| 4. Flash stock images from backup | 4. Flash stock images from backup | ||
| Line 211: | Line 229: | ||
| Then reboot your router, waiting it finished rollback in minutes. | Then reboot your router, waiting it finished rollback in minutes. | ||
| - | ==== Go Back to stock from default layout Openwrt | + | ==== Go Back to stock firmware |
| ubiformat /dev/mtd8 -y -f / | ubiformat /dev/mtd8 -y -f / | ||
| Line 276: | Line 294: | ||
| mtd write / | mtd write / | ||
| </ | </ | ||
| + | |||
| + | ===== Downgrading stock firmware ===== | ||
| + | This section is kept only for historical reference, as it relates to the deprecated OpenWrt installation method that was applicable only to the RD03 (Chinese version) with stock firmware version 1.0.47. Please note that none of the current installation methods require a firmware downgrade to flash OpenWrt. | ||
| + | |||
| + | **To downgrade** a firmware version on your router, navigate to the upload firmware page and select the appropriate software version. It will complain about the downgrade. Edit the url and change the < | ||
| + | |||
| ===== Debricking ===== | ===== Debricking ===== | ||
| -> [[docs: | -> [[docs: | ||
| - | Assume that you have installed OpenWrt with stock layout, with original u-boot: | + | Assume that you have installed OpenWrt with stock bootloader, with original u-boot: |
| * Connect to router via UART | * Connect to router via UART | ||
| Line 298: | Line 322: | ||
| Details explained in [[https:// | Details explained in [[https:// | ||
| - | ==== TFTP instructions for the stock layout | + | ==== TFTP instructions for the stock bootloader |
| AX3000T can be recovered from a soft-brick with TFTP. The flow is: | AX3000T can be recovered from a soft-brick with TFTP. The flow is: | ||
| * The router boots and asks for an IP address on the LAN ports via DHCP | * The router boots and asks for an IP address on the LAN ports via DHCP | ||
| Line 340: | Line 364: | ||
| ===== Basic configuration ===== | ===== Basic configuration ===== | ||
| -> [[docs: | -> [[docs: | ||
| - | Set up your Internet connection, configure wireless, configure | + | Set up your Internet connection, configure wireless, configure |
| + | |||
| + | * note: configuration reset issue after 6 reboots sometimes occurs on the AX3000T and is [[https:// | ||
| + | |||
| + | sed -i '/exit 0/i sleep 5\nfw_setenv flag_try_sys1_failed 0' / | ||
| + | |||
| + | **Don' | ||
| ===== Specific Configuration ===== | ===== Specific Configuration ===== | ||
| Line 371: | Line 401: | ||
| | Reset | | Reset | ||
| | Mesh | BTN_9 | | | Mesh | BTN_9 | | ||
| + | |||
| + | ==== LEDs ==== | ||
| + | The Xiaomi AX3000T features a front LED strip that can light up in yellow (actually orange), blue, and white. | ||
| + | |||
| + | The default OpenWRT configuration is as follows: | ||
| + | |||
| + | ^ LED ^ Behavior | ||
| + | | Yellow | ||
| + | | Blue | Solid after boot | | ||
| + | | White | Not in use | | ||
| + | |||
| + | The white LED can be activated by turning on both the yellow and blue LEDs simultaneously. | ||
| + | |||
| + | For example, the following configuration will set the white LED to be solid when the PPPoE connection is established. If the connection is lost, the color will revert to blue. | ||
| + | |||
| + | This can be configured through Luci -> System -> LED Configuration. | ||
| + | |||
| + | config led | ||
| + | option sysfs ' | ||
| + | option trigger ' | ||
| + | option dev ' | ||
| + | list mode ' | ||
| + | | ||
| + | config led | ||
| + | option sysfs ' | ||
| + | option trigger ' | ||
| + | option dev ' | ||
| + | list mode ' | ||
| + | | ||
| + | config led | ||
| + | option sysfs ' | ||
| + | option trigger ' | ||
| + | |||
| + | |||
| Line 419: | Line 483: | ||
| How to connect to the Serial Port of this specific device:\\ | How to connect to the Serial Port of this specific device:\\ | ||
| {{: | {{: | ||
| - | ^ Serial connection parameters\\ for Xiaomi AX3000T | 115200, 8N1, 3.3V | | + | ^ Serial connection parameters\\ for Xiaomi AX3000T |
| ==== JTAG ==== | ==== JTAG ==== | ||