Differences
This shows you the differences between two versions of the page.
| inbox:toh:xiaomi:ax3000t [2024/09/16 17:33] – step 6 from Flash instructions has been hidden due to reported router brick alexq | inbox:toh:xiaomi:ax3000t [2024/12/13 04:37] – [LEDs] nachum37 | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Xiaomi AX3000T ====== | ====== Xiaomi AX3000T ====== | ||
| - | <WRAP center round important | + | <WRAP center round important |
| **Warning!** Don't brick your router! | **Warning!** Don't brick your router! | ||
| - | Some AX3000T | + | AX3000T |
| - | New AX3000T devices with stock firmware version 1.0.84 or newer have received [[https:// | + | </WRAP> |
| + | <WRAP center round important 70%> | ||
| + | New AX3000T devices with stock firmware version 1.0.84 or newer have received updated hardware ([[https:// | ||
| </ | </ | ||
| Line 22: | Line 24: | ||
| **Support Forums** https:// | **Support Forums** https:// | ||
| - | As of September 2024, there are 3 known OpenWrt installation methods for the Xiaomi AX3000T: | + | There are 2 known OpenWrt installation methods for the Xiaomi AX3000T: |
| - | * **SSH exploit | + | * **API RCE method**: the method involves executing |
| - | * note: //this method is not supported by stock firmware version 1.0.47 (CN).// | + | |
| * **UART flash method**: the method which requires opening the device, connecting a UART cable, and following a specific set of steps. This process is recommended only for advanced users and may soft brick your device. The instructions for this process are available in this post: [[https:// | * **UART flash method**: the method which requires opening the device, connecting a UART cable, and following a specific set of steps. This process is recommended only for advanced users and may soft brick your device. The instructions for this process are available in this post: [[https:// | ||
| - | * **Firmware downgrade method** (legacy): the method requires installing a vulnerable version of the stock firmware, which allows to proceed with commands to enable SSH access in a way similar to the "SSH exploit method" | ||
| - | Firmware Compatibility and Installation Methods: | + | OpenWrt Support Status: |
| - | ^ Firmware | + | ^ Stock Firmware |
| - | | 1.0.31 (INT) | SSH exploit | + | | 1.0.31 (INT) |
| - | | 1.0.47 (CN) | + | | 1.0.49 (INT) |
| - | | 1.0.64 (CN) | + | | 1.0.47 (CN) | RD03 | '' |
| - | | 1.0.84+ (CN) | SSH exploit | + | | 1.0.64 |
| + | | 1.0.84 (CN) | RD03 | '' | ||
| + | * *note: devices with the '' | ||
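Review bot: The new intro line drops the "As of September 2024" qualifier and the bullet saying the exploit method is not supported by stock firmware version 1.0.47 (CN), so that limitation now has to be readable from the 1.0.47 (CN) row of the new table; please confirm the row states it. The added note also starts with `* *note:`, which has a stray asterisk compared with the `* note:` form used in the Basic configuration section of this revision.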
| Line 63: | Line 65: | ||
| ==== Flash instructions ==== | ==== Flash instructions ==== | ||
| + | <WRAP center round info 70%> | ||
| + | Besides the manual steps outlined below, there is the [[https:// | ||
| + | </ | ||
| 1. Get ssh access. | 1. Get ssh access. | ||
| - | + | | |
| - | | + | |
| | | ||
| - | if [ "$1" = "" | + | if [ $# -ne 2 ]; then |
| - | echo "Usage: $0 [stok]" | + | cat << |
| - | echo "e.g. $0 e6ea114ba2cddb0c70fbbc417bb2706c" | + | |
| - | echo "Copy the stok-string from a browser' | + | e.g. $0 xqsystem |
| - | exit 1 | + | Copy the stok-string from a browser' |
| + | EOF | ||
| + | | ||
| fi | fi | ||
| | | ||
| - | | + | |
| + | |||
| + | url=" | ||
| + | |||
| + | case " | ||
| + | misystem) | ||
| + | url=" | ||
| + | pre=" | ||
| + | suf="" | ||
| + | ;; | ||
| + | xqsystem) | ||
| + | url=" | ||
| + | pre=" | ||
| + | suf="'" | ||
| + | ;; | ||
| + | *) | ||
| + | echo " | ||
| + | ;; | ||
| + | esac | ||
| + | |||
| + | curl -X POST " | ||
| sleep 1 | sleep 1 | ||
| - | curl -X POST "http:// | + | curl -X POST "$url" -d "${pre}%0Anvram%20commit%0A${suf}" |
| sleep 1 | sleep 1 | ||
| - | curl -X POST "http:// | + | curl -X POST "$url" -d "${pre}%0Ased%20-i%20' |
| sleep 1 | sleep 1 | ||
| - | curl -X POST "http:// | + | curl -X POST "$url" -d "${pre}%0A%2Fetc%2Finit.d%2Fdropbear%20start%0A${suf}" |
| sleep 1 | sleep 1 | ||
| - | curl -X POST "http:// | + | curl -X POST "$url" -d "${pre}%0Apasswd%20-d%20root%0A${suf}" |
| 2. Backup stock partitions | 2. Backup stock partitions | ||
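Review bot: In the new `case` block, the `*)` branch shows only an `echo` before `;;`, so with an unrecognized first argument the script appears to continue to the `curl` calls with `pre` and `suf` unset; end that branch with `exit 1`. The final request still runs `passwd -d root` right after dropbear is started, which leaves root SSH reachable with no password on the stock firmware, so step 1 should say to do this on an isolated LAN and to continue with the flash steps without leaving the router in that state.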
| Line 98: | Line 124: | ||
| Then transfer them to your computer in a safe place. | Then transfer them to your computer in a safe place. | ||
| - | To copy you can run netcat on your computer | + | To copy you can run netcat on your computer: |
| $ netcat -l 1234 | tar xvf - | $ netcat -l 1234 | tar xvf - | ||
| Line 104: | Line 130: | ||
| And send the data from the router: | And send the data from the router: | ||
| - | root@XiaoQiang: | + | root@XiaoQiang: |
| + | root@XiaoQiang: | ||
| - | 3. Get firmware information | + | 3. Get firmware information: '' |
| 4. Copy openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi to **/tmp** and flash | 4. Copy openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi to **/tmp** and flash | ||
| - | If **firmware=0** | + | * If **firmware=0** |
| ubiformat /dev/mtd9 -y -f / | ubiformat /dev/mtd9 -y -f / | ||
| nvram set boot_wait=on | nvram set boot_wait=on | ||
| Line 123: | Line 151: | ||
| reboot | reboot | ||
| - | If **firmware=1** | + | * If **firmware=1** |
| ubiformat /dev/mtd8 -y -f / | ubiformat /dev/mtd8 -y -f / | ||
| nvram set boot_wait=on | nvram set boot_wait=on | ||
| Line 135: | Line 164: | ||
| reboot | reboot | ||
| - | Then reboot your router, it should boot to the OpenWrt initramfs system now. To be sure to use one of OpenWrt' | + | {{ : |
| + | Once the router | ||
| Note that you should configure the computer' | Note that you should configure the computer' | ||
| + | |||
| This command will connect you to the OpenWrt system: | This command will connect you to the OpenWrt system: | ||
| Line 146: | Line 176: | ||
| sysupgrade -n / | sysupgrade -n / | ||
| - | < | ||
| - | |||
| - | 6. Add nvram settings into / | ||
| - | sed -i '/exit 0/i fw_setenv flag_boot_rootfs 0\nfw_setenv flag_last_success 0\nfw_setenv flag_boot_success 1\nfw_setenv flag_try_sys1_failed 0\nfw_setenv flag_try_sys2_failed 0' / | ||
| - | </ | ||
| ==== Change to OpenWrt U-Boot ==== | ==== Change to OpenWrt U-Boot ==== | ||
| - | <WRAP info> Default available router space is **60Mb**. It's possible to increase this size by replacing | + | <WRAP info> Default available router space is **60Mb**. It's possible to increase this size by replacing |
| - | OpenWrt U-Boot | + | OpenWrt U-Boot |
| </ | </ | ||
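Review bot: Step 6 and its `sed` line inserting five `fw_setenv` flag settings are removed here with no pointer left in the flash steps, while a different `sed` line that sets only `flag_try_sys1_failed` is added under Basic configuration later in this revision. Leave a one-line cross-reference after the `sysupgrade -n` step so readers who followed the older instructions can see that the step was withdrawn and where its replacement is described.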
| Line 165: | Line 190: | ||
| opkg update && opkg install kmod-mtd-rw | opkg update && opkg install kmod-mtd-rw | ||
| - | insmod | + | insmod mtd-rw i_want_a_brick=1 |
| 3. Format ubi and create new ubootenv volume | 3. Format ubi and create new ubootenv volume | ||
| Line 195: | Line 220: | ||
| opkg update && opkg install kmod-mtd-rw | opkg update && opkg install kmod-mtd-rw | ||
| - | insmod | + | insmod mtd-rw i_want_a_brick=1 |
| 4. Flash stock images from backup | 4. Flash stock images from backup | ||
| Line 204: | Line 229: | ||
| Then reboot your router, waiting it finished rollback in minutes. | Then reboot your router, waiting it finished rollback in minutes. | ||
| - | ==== Go Back to stock from default layout Openwrt | + | ==== Go Back to stock firmware |
| ubiformat /dev/mtd8 -y -f / | ubiformat /dev/mtd8 -y -f / | ||
| Line 271: | Line 296: | ||
| ===== Downgrading stock firmware ===== | ===== Downgrading stock firmware ===== | ||
| - | <WRAP center round important 60%> | + | This section |
| - | This is a legacy | + | |
| - | </ | + | |
| - | + | ||
| - | 1. Install Vulnerable Version: | + | |
| - | + | ||
| - | First, you'll need to grab a vulnerable software version. The table below shows known vulnerable versions. It is recommended to install | + | |
| - | ^ Firmware Version | + | |
| - | | 1.0.64 | + | |
| - | | 1.0.47 (recommended) | + | |
| - | + | ||
| - | **To downgrade**: | + | |
| - | + | ||
| - | 2. Get ssh access (supported only stock firmware **1.0.47**): | + | |
| - | + | ||
| - | # | + | |
| - | + | ||
| - | if [ " | + | |
| - | echo " | + | |
| - | echo "e.g. $0 e6ea114ba2cddb0c70fbbc417bb2706c" | + | |
| - | echo "Copy the stok-string from a browser' | + | |
| - | exit 1 | + | |
| - | fi | + | |
| - | + | ||
| - | curl -X POST " | + | |
| - | sleep 1 | + | |
| - | curl -X POST " | + | |
| - | sleep 1 | + | |
| - | curl -X POST " | + | |
| - | sleep 1 | + | |
| - | curl -X POST " | + | |
| - | sleep 1 | + | |
| - | curl -X POST " | + | |
| - | After that, proceed from step 2 in the main [[: | + | **To downgrade** a firmware version on your router, navigate to the upload firmware page and select the appropriate software version. It will complain about the downgrade. Edit the url and change the < |
| ===== Debricking ===== | ===== Debricking ===== | ||
| -> [[docs: | -> [[docs: | ||
| - | Assume that you have installed OpenWrt with stock layout, with original u-boot: | + | Assume that you have installed OpenWrt with stock bootloader, with original u-boot: |
| * Connect to router via UART | * Connect to router via UART | ||
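Review bot: In the Debricking intro, replacing "stock layout" with "stock bootloader" produces "with stock bootloader, with original u-boot", which now says the same thing twice; drop one of the two phrases. In the Downgrading section, the removed block carried a `<WRAP center round important 60%>` notice and the table of firmware versions, and the replacement is a plain paragraph, so consider keeping the caution in a WRAP box like the other warnings on the page.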
| Line 329: | Line 322: | ||
| Details explained in [[https:// | Details explained in [[https:// | ||
| - | ==== TFTP instructions for the stock layout | + | ==== TFTP instructions for the stock bootloader |
| AX3000T can be recovered from a soft-brick with TFTP. The flow is: | AX3000T can be recovered from a soft-brick with TFTP. The flow is: | ||
| * The router boots and asks for an IP address on the LAN ports via DHCP | * The router boots and asks for an IP address on the LAN ports via DHCP | ||
| Line 371: | Line 364: | ||
| ===== Basic configuration ===== | ===== Basic configuration ===== | ||
| -> [[docs: | -> [[docs: | ||
| - | Set up your Internet connection, configure wireless, configure | + | Set up your Internet connection, configure wireless, configure |
| + | |||
| + | * note: configuration reset issue after 6 reboots sometimes occurs on the AX3000T and is [[https:// | ||
| + | |||
| + | sed -i '/exit 0/i sleep 5\nfw_setenv flag_try_sys1_failed 0' / | ||
| + | |||
| + | **Don' | ||
| ===== Specific Configuration ===== | ===== Specific Configuration ===== | ||
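Review bot: The added `sed -i '/exit 0/i ...'` line is not idempotent: each run inserts `sleep 5` and `fw_setenv flag_try_sys1_failed 0` before every line matching `exit 0`, so a reader who repeats the step ends up with duplicate entries. Say to run it once, or to check the target file for an existing `fw_setenv flag_try_sys1_failed` line first.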
| Line 402: | Line 401: | ||
| | Reset | | Reset | ||
| | Mesh | BTN_9 | | | Mesh | BTN_9 | | ||
| + | |||
| + | ==== LEDs ==== | ||
| + | The Xiaomi AX3000T features a front LED strip that can light up in yellow (actually orange), blue, and white. | ||
| + | |||
| + | The default OpenWRT configuration is as follows: | ||
| + | |||
| + | ^ LED ^ Behavior | ||
| + | | Yellow | ||
| + | | Blue | Solid after boot | | ||
| + | | White | Not in use | | ||
| + | |||
| + | The white LED can be activated by turning on both the yellow and blue LEDs simultaneously. | ||
| + | |||
| + | For example, the following configuration will set the white LED to be solid when the PPPoE connection is established. If the connection is lost, the color will revert to blue. | ||
| + | |||
| + | This can be configured through Luci -> System -> LED Configuration. | ||
| + | |||
| + | config led | ||
| + | option sysfs ' | ||
| + | option trigger ' | ||
| + | option dev ' | ||
| + | list mode ' | ||
| + | | ||
| + | config led | ||
| + | option sysfs ' | ||
| + | option trigger ' | ||
| + | option dev ' | ||
| + | list mode ' | ||
| + | | ||
| + | config led | ||
| + | option sysfs ' | ||
| + | option trigger ' | ||
| + | |||
| + | |||
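Review bot: The LEDs text writes "OpenWRT" and "Luci" while the rest of the page uses "OpenWrt"; use "OpenWrt" and "LuCI" for consistency. The third `config led` stanza in the example shows only `sysfs` and `trigger` options, unlike the first two, which also set `dev` and `mode`; a sentence saying which stanza drives which colour would make the white-from-yellow-plus-blue example easier to follow.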
| Line 450: | Line 483: | ||
| How to connect to the Serial Port of this specific device:\\ | How to connect to the Serial Port of this specific device:\\ | ||
| {{: | {{: | ||
| - | ^ Serial connection parameters\\ for Xiaomi AX3000T | 115200, 8N1, 3.3V | | + | ^ Serial connection parameters\\ for Xiaomi AX3000T |
| ==== JTAG ==== | ==== JTAG ==== | ||