Differences
This shows you the differences between two versions of the page.
| inbox:toh:xiaomi:ax3000t [2024/09/27 21:40] – Firmware support clarification for Winbond and ESMT alexq | inbox:toh:xiaomi:ax3000t [2024/10/05 17:49] – [Table] vladshulakov | ||
|---|---|---|---|
| Line 24: | Line 24: | ||
| **Support Forums** https:// | **Support Forums** https:// | ||
| - | There are 3 known OpenWrt installation methods for the Xiaomi AX3000T: | + | There are 2 known OpenWrt installation methods for the Xiaomi AX3000T: |
| - | * **SSH exploit | + | * **API RCE method**: the method involves executing |
| - | * note: //this method is not supported by stock firmware version 1.0.47 (CN).// | + | |
| * **UART flash method**: the method which requires opening the device, connecting a UART cable, and following a specific set of steps. This process is recommended only for advanced users and may soft brick your device. The instructions for this process are available in this post: [[https:// | * **UART flash method**: the method which requires opening the device, connecting a UART cable, and following a specific set of steps. This process is recommended only for advanced users and may soft brick your device. The instructions for this process are available in this post: [[https:// | ||
| - | * **Firmware downgrade method** (legacy): the method requires installing a vulnerable version of the stock firmware, which allows to proceed with commands to enable SSH access in a way similar to the "SSH exploit method" | ||
| - | Stock firmware compatibility and OpenWrt | + | OpenWrt |
| - | ^ Stock Firmware ver. | + | ^ Stock Firmware ver. |
| - | | 1.0.31 (INT) | RD23 | SSH exploit | + | | 1.0.31 (INT) | RD23 | '' |
| - | | 1.0.49 (INT) | RD23 | SSH exploit | + | | 1.0.49 (INT) | RD23 | '' |
| - | | 1.0.47 (CN) | RD03 | Firmware downgrade | + | | 1.0.47 (CN) | RD03 | '' |
| - | | 1.0.64 (CN) | RD03 | Any | + | | 1.0.64 (CN) | RD03 | '' |
| - | | 1.0.84 (CN) | RD03 |SSH exploit | + | | 1.0.84 (CN) | RD03 | '' |
| * *note: devices with the '' | * *note: devices with the '' | ||
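Review bot: the compatibility table now puts a monospace value in the third column of every firmware row, but the method list above it only defines "API RCE method" and "UART flash method", so a reader cannot map a table cell to a bullet. Name the table values in the "API RCE method" bullet, or give the column a header that explains them. The dropped caveat for stock 1.0.47 (CN) also needs a word: the old text said the SSH method did not work on that version and the old row said "Firmware downgrade", so state what was verified there.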
| Line 67: | Line 65: | ||
| ==== Flash instructions ==== | ==== Flash instructions ==== | ||
| + | <WRAP center round info 60%> | ||
| + | Besides the manual steps outlined below, there is the [[https:// | ||
| + | </ | ||
| 1. Get ssh access. | 1. Get ssh access. | ||
| - | + | | |
| - | | + | |
| | | ||
| - | if [ "$1" = "" | + | if [ $# -ne 2 ]; then |
| - | echo "Usage: $0 [stok]" | + | cat << |
| - | echo "e.g. $0 e6ea114ba2cddb0c70fbbc417bb2706c" | + | |
| - | echo "Copy the stok-string from a browser' | + | e.g. $0 misystem |
| - | exit 1 | + | Copy the stok-string from a browser' |
| + | EOF | ||
| + | | ||
| fi | fi | ||
| | | ||
| - | | + | |
| + | |||
| + | url=" | ||
| + | |||
| + | case " | ||
| + | misystem) | ||
| + | url=" | ||
| + | pre=" | ||
| + | suf="" | ||
| + | ;; | ||
| + | xqsystem) | ||
| + | url=" | ||
| + | pre=" | ||
| + | suf="'" | ||
| + | ;; | ||
| + | *) | ||
| + | echo " | ||
| + | ;; | ||
| + | esac | ||
| + | |||
| + | curl -X POST " | ||
| sleep 1 | sleep 1 | ||
| - | curl -X POST "http:// | + | curl -X POST "$url" -d "${pre}%0Anvram%20commit%0A${suf}" |
| sleep 1 | sleep 1 | ||
| - | curl -X POST "http:// | + | curl -X POST "$url" -d "${pre}%0Ased%20-i%20' |
| sleep 1 | sleep 1 | ||
| - | curl -X POST "http:// | + | curl -X POST "$url" -d "${pre}%0A%2Fetc%2Finit.d%2Fdropbear%20start%0A${suf}" |
| sleep 1 | sleep 1 | ||
| - | curl -X POST "http:// | + | curl -X POST "$url" -d "${pre}%0Apasswd%20-d%20root%0A${suf}" |
| 2. Backup stock partitions | 2. Backup stock partitions | ||
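Review bot: none of the five curl calls checks for failure, so a rejected request produces no error and the user moves on to step 2 without SSH. Add curl's --fail option and stop on the first non-zero exit status, or print the response body. The default branch of the case statement should also exit non-zero after its echo if it does not already. Since the last two requests start dropbear and run passwd -d root, the step should say that root has no password from this point and that the router should stay off untrusted networks until flashing is finished.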
| Line 111: | Line 133: | ||
| - | 3. Get firmware information | + | 3. Get firmware information: '' |
| 4. Copy openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi to **/tmp** and flash | 4. Copy openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi to **/tmp** and flash | ||
| - | If **firmware=0** | + | * If **firmware=0** |
| ubiformat /dev/mtd9 -y -f / | ubiformat /dev/mtd9 -y -f / | ||
| nvram set boot_wait=on | nvram set boot_wait=on | ||
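Review bot: step 3 now carries the command inline but still does not say what output to expect, while step 4 branches on firmware=0 versus firmware=1 and then runs ubiformat with -y, which answers yes to every prompt. Show the expected output next to the command in step 3 and say to stop if neither value is printed, so nobody formats /dev/mtd9 or /dev/mtd8 on a guess.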
| Line 127: | Line 150: | ||
| reboot | reboot | ||
| - | If **firmware=1** | + | * If **firmware=1** |
| ubiformat /dev/mtd8 -y -f / | ubiformat /dev/mtd8 -y -f / | ||
| nvram set boot_wait=on | nvram set boot_wait=on | ||
| Line 139: | Line 163: | ||
| reboot | reboot | ||
| - | Then reboot your router, it should boot to the OpenWrt initramfs system now. To be sure to use one of OpenWrt' | + | Once the router |
| Note that you should configure the computer' | Note that you should configure the computer' | ||
| Line 150: | Line 174: | ||
| sysupgrade -n / | sysupgrade -n / | ||
| - | 6. Run command to modify / | ||
| - | sed -i '/exit 0/i sleep 5\nfw_setenv flag_try_sys1_failed 0' / | ||
| ==== Change to OpenWrt U-Boot ==== | ==== Change to OpenWrt U-Boot ==== | ||
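Review bot: removing step 6 from the numbered flash procedure means someone who follows the steps in order never sees the flag_try_sys1_failed fix. The command reappears as a note under the basic configuration text in a later hunk, so leave a one-line pointer to it here after the sysupgrade step.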
| Line 166: | Line 188: | ||
| opkg update && opkg install kmod-mtd-rw | opkg update && opkg install kmod-mtd-rw | ||
| - | insmod | + | insmod mtd-rw i_want_a_brick=1 |
| 3. Format ubi and create new ubootenv volume | 3. Format ubi and create new ubootenv volume | ||
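Review bot: the step gives "insmod mtd-rw i_want_a_brick=1" with no explanation of the parameter. Add a sentence saying which partitions the following steps write to, and that the backup from "Backup stock partitions" must exist and be copied off the router before loading the module. The identical line in the "Line 218" hunk needs the same sentence.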
| Line 196: | Line 218: | ||
| opkg update && opkg install kmod-mtd-rw | opkg update && opkg install kmod-mtd-rw | ||
| - | insmod | + | insmod mtd-rw i_want_a_brick=1 |
| 4. Flash stock images from backup | 4. Flash stock images from backup | ||
| Line 205: | Line 227: | ||
| Then reboot your router, waiting it finished rollback in minutes. | Then reboot your router, waiting it finished rollback in minutes. | ||
| - | ==== Go Back to stock from default layout Openwrt | + | ==== Go Back to stock firmware |
| ubiformat /dev/mtd8 -y -f / | ubiformat /dev/mtd8 -y -f / | ||
| Line 272: | Line 294: | ||
| ===== Downgrading stock firmware ===== | ===== Downgrading stock firmware ===== | ||
| - | <WRAP center round important 60%> | + | This section |
| - | This is a legacy | + | |
| - | </ | + | |
| - | + | ||
| - | 1. Install Vulnerable Version: | + | |
| - | + | ||
| - | First, you'll need to grab a vulnerable software version. The table below shows known vulnerable versions. It is recommended to install | + | |
| - | ^ Firmware Version | + | |
| - | | 1.0.64 | + | |
| - | | 1.0.47 (recommended) | + | |
| - | + | ||
| - | **To downgrade**: | + | |
| - | + | ||
| - | 2. Get ssh access (supported only stock firmware **1.0.47**): | + | |
| - | + | ||
| - | # | + | |
| - | + | ||
| - | if [ " | + | |
| - | echo " | + | |
| - | echo "e.g. $0 e6ea114ba2cddb0c70fbbc417bb2706c" | + | |
| - | echo "Copy the stok-string from a browser' | + | |
| - | exit 1 | + | |
| - | fi | + | |
| - | + | ||
| - | curl -X POST " | + | |
| - | sleep 1 | + | |
| - | curl -X POST " | + | |
| - | sleep 1 | + | |
| - | curl -X POST " | + | |
| - | sleep 1 | + | |
| - | curl -X POST " | + | |
| - | sleep 1 | + | |
| - | curl -X POST " | + | |
| - | After that, proceed from step 2 in the main [[: | + | **To downgrade** a firmware version on your router, navigate to the upload firmware page and select the appropriate software version. It will complain about the downgrade. Edit the url and change the < |
| ===== Debricking ===== | ===== Debricking ===== | ||
| -> [[docs: | -> [[docs: | ||
| - | Assume that you have installed OpenWrt with stock layout, with original u-boot: | + | Assume that you have installed OpenWrt with stock bootloader, with original u-boot: |
| * Connect to router via UART | * Connect to router via UART | ||
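Review bot: the rewritten paragraph says to "select the appropriate software version", but this hunk deletes the table that listed 1.0.64 and 1.0.47 (recommended), so the section no longer says which version is appropriate or why one would downgrade. Keep a short version table or link to the compatibility table near the top of the page. The method list earlier in this diff also no longer mentions downgrading, so state here when this section still applies.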
| Line 330: | Line 320: | ||
| Details explained in [[https:// | Details explained in [[https:// | ||
| - | ==== TFTP instructions for the stock layout | + | ==== TFTP instructions for the stock bootloader |
| AX3000T can be recovered from a soft-brick with TFTP. The flow is: | AX3000T can be recovered from a soft-brick with TFTP. The flow is: | ||
| * The router boots and asks for an IP address on the LAN ports via DHCP | * The router boots and asks for an IP address on the LAN ports via DHCP | ||
| Line 373: | Line 363: | ||
| -> [[docs: | -> [[docs: | ||
| Set up your Internet connection, configure wireless, configure USB port, etc. | Set up your Internet connection, configure wireless, configure USB port, etc. | ||
| + | |||
| + | * note: configuration reset issue after 6 reboots sometimes occurs on the AX3000T and is [[https:// | ||
| + | |||
| + | sed -i '/exit 0/i sleep 5\nfw_setenv flag_try_sys1_failed 0' / | ||
| + | |||
| + | **Don' | ||
| ===== Specific Configuration ===== | ===== Specific Configuration ===== | ||
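Review bot: the sed one-liner in the new note is not idempotent and fails silently. Running it twice inserts the "sleep 5" and "fw_setenv flag_try_sys1_failed 0" lines twice, and if the target file has no "exit 0" line nothing is inserted and no error is shown. Suggest a guard such as grep -q flag_try_sys1_failed on the file before the sed, and tell the reader to confirm afterwards that both lines are present.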
| Line 451: | Line 447: | ||
| How to connect to the Serial Port of this specific device:\\ | How to connect to the Serial Port of this specific device:\\ | ||
| {{: | {{: | ||
| - | ^ Serial connection parameters\\ for Xiaomi AX3000T | 115200, 8N1, 3.3V | | + | ^ Serial connection. parameters\\ for Xiaomi AX3000T |
| ==== JTAG ==== | ==== JTAG ==== | ||
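Review bot: the new header cell reads "Serial connection. parameters", which adds a stray period; the old "Serial connection parameters" was correct. The value cell on the new side is not visible here, so check that "115200, 8N1, 3.3V" is still in the row.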