Xiaomi AX3000T

Warning! Don't brick your router!

Some AX3000T devices come with a new NAND flash chip: Winbond 25n01kvzeir. This chip is incompatible with the official stable OpenWrt 23.05.4 image and U-Boot! Don't try to flash it without checking your chip! However, the SNAPSHOT build is fully compatible and tested with both flash chips since Aug. 13 (see the referenced commit).

New AX3000T devices with stock firmware version 1.0.84 or newer have received updated hardware that is temporarily incompatible with the OpenWrt image until support is added. There is currently no way to install OpenWrt on such RD03 devices (see the linked discussion).

The Xiaomi AX3000T router supports two 802.11ax streams on both 2.4GHz @40MHz and 5GHz @160MHz, for a combined 3000Mbps wireless speed. It is based on the MediaTek MT7981 SoC.

There are two versions of the Xiaomi AX3000T router:

  • model RD03: Chinese version
  • model RD23: International (Global) version.

Both versions have exactly the same hardware, and the only difference is the version of the stock firmware (which is region-locked).

AX3000T

Support Forums https://forum.openwrt.org/t/openwrt-support-for-xiaomi-ax3000t/180490

As of September 2024, there are 3 known OpenWrt installation methods for the Xiaomi AX3000T:

  • SSH exploit method: the method involves executing cURL commands on the stock router firmware to get SSH access, thus making OpenWrt installation possible. This method is suitable for both RD23 (International version) and RD03 (Chinese version) of the Xiaomi AX3000T router. For details, please refer to the Installation section below.
    • note: this method is not supported by stock firmware version 1.0.47 (CN).
  • UART flash method: this method requires opening the device, connecting a UART cable, and following a specific set of steps. It is recommended only for advanced users and may soft-brick your device. The instructions for this process are available in this post (link to the OpenWrt forum).
  • Firmware downgrade method (legacy): this method requires installing a vulnerable version of the stock firmware, which allows proceeding with commands to enable SSH access in a way similar to the “SSH exploit method”. It is applicable only to RD03 (Chinese version). For details, please refer to the Downgrading stock firmware section.

Firmware Compatibility and Installation Methods:

Firmware      Installation method   OpenWrt supported
1.0.31 (INT)  SSH exploit           YES
1.0.47 (CN)   Firmware downgrade    YES
1.0.64 (CN)   Any                   YES* (Snapshot only for Winbond chip)
1.0.84+ (CN)  SSH exploit           Not yet (AN8855 hardware)

Installation

1. Get SSH access.

#!/bin/bash

if [ "$1" = "" ]; then
  echo "Usage: $0 [stok]"
  echo "e.g. $0 e6ea114ba2cddb0c70fbbc417bb2706c"
  echo "Copy the stok-string from a browser's URL-line, while being logged in to the router"
  exit 1
fi

# All requests go to the same stock API endpoint; the short sleeps give the
# router time to process one request before the next one arrives.
# 1. Enable SSH in nvram (ssh_en=1)
curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=${1}/api/xqsystem/start_binding" -d "uid=1234&key=1234'%0Anvram%20set%20ssh_en%3D1'"
sleep 1
# 2. Commit the nvram change
curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=${1}/api/xqsystem/start_binding" -d "uid=1234&key=1234'%0Anvram%20commit'"
sleep 1
# 3. Set channel="debug" in the dropbear init script
curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=${1}/api/xqsystem/start_binding" -d "uid=1234&key=1234'%0Ased%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%22debug%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear'"
sleep 1
# 4. Start dropbear (the SSH server)
curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=${1}/api/xqsystem/start_binding" -d "uid=1234&key=1234'%0A%2Fetc%2Finit.d%2Fdropbear%20start'"
sleep 1
# 5. Remove the root password
curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=${1}/api/xqsystem/start_binding" -d "uid=1234&key=1234'%0Apasswd%20-d%20root%0A'"

2. Back up the stock partitions

ssh -o StrictHostKeyChecking=no -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa -v root@192.168.31.1
nanddump -f /tmp/BL2.bin /dev/mtd1
nanddump -f /tmp/Nvram.bin /dev/mtd2
nanddump -f /tmp/Bdata.bin /dev/mtd3
nanddump -f /tmp/Factory.bin /dev/mtd4
nanddump -f /tmp/FIP.bin /dev/mtd5
nanddump -f /tmp/ubi.bin /dev/mtd8
nanddump -f /tmp/KF.bin /dev/mtd12

Then transfer them to a safe place on your computer.

To copy you can run netcat on your computer (in this case the computer's IP is 192.168.31.55):

$ netcat -l 1234 | tar xvf -

And send the data from the router:

root@XiaoQiang:~# tar cf - /tmp/*.bin | nc 192.168.31.55 1234
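The tar-over-netcat transfer has no integrity check of its own, so a truncated or corrupted dump would only be noticed when it is needed for a rollback. The script below is an added example (not part of this wiki page or of OpenWrt) showing one way to close that gap: write a sha256 manifest next to the dumps before sending them, and verify every expected file against it on the computer after extraction. It uses only sha256sum and tar; the demo data it creates is constructed and stands in for real nanddump output.

```shell
#!/bin/sh
# Added example (not from the OpenWrt wiki): integrity check for the stock
# partition dumps. Make the manifest on the router before the tar | nc step,
# verify it on the computer after extraction.

# Dumps the page takes, in mtd order. A missing file fails verification.
EXPECTED="BL2.bin Nvram.bin Bdata.bin Factory.bin FIP.bin ubi.bin KF.bin"

# On the router:  make_manifest /tmp  -> /tmp/backup.sha256 (send it along in the tar)
make_manifest() {
    ( cd "$1" && sha256sum $EXPECTED > backup.sha256 )
}

# On the computer: verify_backup <dir>  -> exit 0 only if every expected dump
# is present, non-empty and matches the manifest.
verify_backup() {
    dir=$1
    [ -f "$dir/backup.sha256" ] || { echo "manifest missing in $dir" >&2; return 1; }
    for f in $EXPECTED; do
        [ -s "$dir/$f" ] || { echo "missing or empty dump: $f" >&2; return 1; }
        grep -q " $f\$" "$dir/backup.sha256" || { echo "$f not in manifest" >&2; return 1; }
    done
    ( cd "$dir" && sha256sum -c backup.sha256 >/dev/null 2>&1 ) \
        || { echo "checksum mismatch: transfer the dumps again" >&2; return 1; }
}

# Constructed demo: fake dumps in a temp dir stand in for real nanddump output.
demo() {
    tmp=$(mktemp -d)
    for f in $EXPECTED; do printf 'constructed %s\n' "$f" > "$tmp/$f"; done
    make_manifest "$tmp"
    verify_backup "$tmp" && echo "backup intact"
    printf 'x' >> "$tmp/FIP.bin"      # simulate a damaged transfer
    verify_backup "$tmp" || echo "damaged dump detected"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

On the router, run make_manifest /tmp right after the nanddump commands and include /tmp/backup.sha256 in the tar (the `tar cf - /tmp/*` glob above would need to cover it, or list it explicitly); on the computer, run verify_backup on the extracted directory before going any further. Run the script with --demo to see both the passing and the failing case on constructed data.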

3. Get the firmware slot information with `cat /proc/cmdline` (look for firmware=0 or firmware=1)

4. Copy openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi to /tmp and flash it to the partition matching the firmware value:

If firmware=0

ubiformat /dev/mtd9 -y -f /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi
nvram set boot_wait=on
nvram set uart_en=1
nvram set flag_boot_rootfs=1
nvram set flag_last_success=1
nvram set flag_boot_success=1
nvram set flag_try_sys1_failed=0
nvram set flag_try_sys2_failed=0
nvram commit
reboot

If firmware=1

ubiformat /dev/mtd8 -y -f /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi
nvram set boot_wait=on
nvram set uart_en=1
nvram set flag_boot_rootfs=0
nvram set flag_last_success=0
nvram set flag_boot_success=1
nvram set flag_try_sys1_failed=0
nvram set flag_try_sys2_failed=0
nvram commit
reboot
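Because choosing the wrong branch here writes over the running system, it is worth deriving the target from /proc/cmdline programmatically rather than by eye. The following script is an added example (not part of this wiki page or of OpenWrt): it reads the firmware= value, prints the command sequence from the two lists above for that case, and refuses to produce a plan when the value is missing. The /proc/cmdline strings mentioned in its comments are constructed samples; the mtd numbers and nvram flags are exactly those given above. Nothing in it touches the flash; it only prints.

```shell
#!/bin/sh
# Added example (not from the OpenWrt wiki): choose the flash target from the
# kernel command line instead of reading "firmware=" by eye, and print the
# matching command list from the page so it can be checked before use.
#
# Constructed sample cmdline values used for testing:
#   "console=ttyS0,115200n8 firmware=0"
#   "console=ttyS0,115200n8 firmware=1"

# select_slot "<cmdline>" -> "<mtd device> <flag_boot_rootfs> <flag_last_success>"
# Fails (exit 1) when the cmdline carries no firmware= value at all.
select_slot() {
    slot=""
    for word in $1; do
        case $word in
            firmware=*) slot=${word#firmware=} ;;
        esac
    done
    case $slot in
        0) echo "/dev/mtd9 1 1" ;;   # running from firmware 0: write the other one
        1) echo "/dev/mtd8 0 0" ;;   # running from firmware 1: write the other one
        *) echo "unexpected firmware value: '$slot'" >&2; return 1 ;;
    esac
}

# flash_plan <image> "<cmdline>" -> the exact commands from the page for this case
flash_plan() {
    image=$1
    plan=$(select_slot "$2") || return 1
    set -- $plan
    cat <<EOF
ubiformat $1 -y -f $image
nvram set boot_wait=on
nvram set uart_en=1
nvram set flag_boot_rootfs=$2
nvram set flag_last_success=$3
nvram set flag_boot_success=1
nvram set flag_try_sys1_failed=0
nvram set flag_try_sys2_failed=0
nvram commit
reboot
EOF
}

# Stand-alone use on the router:
#   sh /tmp/plan.sh /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi
if [ $# -eq 1 ]; then
    flash_plan "$1" "$(cat /proc/cmdline)"
fi
```

Copy it to the router, run it with the image path as its only argument, compare the printed commands with the two lists above, and only then paste them into the shell.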

Then reboot your router; it should now boot into the OpenWrt initramfs system. To be sure you are using one of OpenWrt's LAN ports (not the WAN port), plug the Ethernet cable into one of the middle ports if it is not already there (the original firmware assigns LAN/WAN dynamically).

Note that you should configure the computer's network to use DHCP. You can use Wireshark if things don't work. This command connects you to the OpenWrt system:

ssh root@192.168.1.1

5. Flash openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin

sysupgrade -n /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin

Default available router space is 60Mb. It is possible to increase this by replacing the default bootloader with the OpenWrt U-Boot bootloader; please understand the benefits and risks involved. OpenWrt U-Boot provides faster boot loading and more space: 75Mb (with recovery) or 85Mb (without recovery).

1. Flash openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-factory.ubi

ubiformat /dev/mtd8 -y -f /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-factory.ubi
reboot

2. Install kmod-mtd-rw

opkg update && opkg install kmod-mtd-rw
insmod /lib/modules/$(uname -r)/mtd-rw.ko i_want_a_brick=1

3. Format ubi and create new ubootenv volume

ubidetach -p /dev/mtd8; ubiformat /dev/mtd8 -y; ubiattach -p /dev/mtd8
ubimkvol /dev/ubi0 -n 0 -N ubootenv -s 128KiB
ubimkvol /dev/ubi0 -n 1 -N ubootenv2 -s 128KiB

4. (Optional, uses 10Mb of the free space) Add the recovery boot feature.

ubimkvol /dev/ubi0 -n 2 -N recovery -s 10MiB
ubiupdatevol /dev/ubi0_2 /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-recovery.itb

5. Flash OpenWrt U-Boot

mtd write /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-preloader.bin BL2
mtd write /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-bl31-uboot.fip FIP

6. Flash openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-squashfs-sysupgrade.itb

sysupgrade -n /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-squashfs-sysupgrade.itb

Reverting to stock firmware

1. Force flash openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-recovery.itb

sysupgrade -F -n /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-recovery.itb

2. Format ubi and Nvram

ubidetach -p /dev/mtd8; ubiformat /dev/mtd8 -y; ubiattach -p /dev/mtd8
mtd erase Nvram

3. Install kmod-mtd-rw

opkg update && opkg install kmod-mtd-rw
insmod /lib/modules/$(uname -r)/mtd-rw.ko i_want_a_brick=1

4. Flash stock images from backup

mtd write /tmp/BL2.bin BL2
mtd write /tmp/FIP.bin FIP
mtd write /tmp/ubi.bin ubi

Then reboot your router and wait a few minutes for the rollback to finish.

Alternatively, the ubi partition can be restored with ubiformat:

ubiformat /dev/mtd8 -y -f /tmp/ubi.bin

Then reboot your router and wait a few minutes for the rollback to finish.

Specific values needed for tftp

FIXME Enter values for “FILL-IN” below

Bootloader tftp server IPv4 address FILL-IN
Bootloader MAC address (special) FILL-IN
Firmware tftp image Latest OpenWrt release (NOTE: Name must contain “tftp”)
TFTP transfer window FILL-IN seconds
TFTP window start approximately FILL-IN seconds after power on
TFTP client required IP address FILL-IN
  • Browse to http://192.168.1.1/cgi-bin/luci/admin/system/flash LuCI Upgrade URL
  • Upload image file for sysupgrade to LuCI
  • Wait for reboot

If you don't have a GUI (LuCI) available, you can alternatively upgrade via the command line. There are two command line methods for upgrading:

  • sysupgrade
  • mtd

Note: It is important that you put the firmware image into the ramdisk (/tmp) before you start flashing.

sysupgrade

  • Login as root via SSH on 192.168.1.1, then enter the following commands:
cd /tmp
wget https://downloads.openwrt.org/snapshots/targets/mediatek/filogic/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin
sysupgrade /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin

mtd

If sysupgrade does not support this router, use mtd.

  • Login as root via SSH on 192.168.1.1, then enter the following commands:
cd /tmp
wget http://downloads.openwrt.org/snapshots/trunk/XXX/xxx.abc
mtd write /tmp/xxx.abc linux && reboot

Downgrading stock firmware

This is a legacy OpenWrt installation method, applicable only to the RD03 (Chinese version), and is required only for installing OpenWrt via the “Firmware downgrade method”.

1. Install a vulnerable version:

First, you'll need to grab a vulnerable software version. The table below shows known vulnerable versions. It is recommended to install version 1.0.47.

To downgrade: navigate to the upload firmware page and select the appropriate software version. It will complain about the downgrade. Edit the URL and change the 0 at the end to a 1 and press enter. Or change it to 2 if there is already a 1 (seen on v1.0.64). The downgrade will proceed.

2. Get SSH access (supported only on stock firmware 1.0.47):

#!/bin/bash

if [ "$1" = "" ]; then
  echo "Usage: $0 [stok]"
  echo "e.g. $0 e6ea114ba2cddb0c70fbbc417bb2706c"
  echo "Copy the stok-string from a browser's URL-line, while being logged in to the router"
  exit 1
fi

# Same five steps as the SSH exploit method, through the arn_switch endpoint
# of the 1.0.47 stock firmware.
# 1. Enable SSH in nvram (ssh_en=1)
curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=${1}/api/misystem/arn_switch" -d "open=1&model=1&level=%0Anvram%20set%20ssh_en%3D1%0A"
sleep 1
# 2. Commit the nvram change
curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=${1}/api/misystem/arn_switch" -d "open=1&model=1&level=%0Anvram%20commit%0A"
sleep 1
# 3. Set channel="debug" in the dropbear init script
curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=${1}/api/misystem/arn_switch" -d "open=1&model=1&level=%0Ased%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%22debug%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear%0A"
sleep 1
# 4. Start dropbear (the SSH server)
curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=${1}/api/misystem/arn_switch" -d "open=1&model=1&level=%0A%2Fetc%2Finit.d%2Fdropbear%20start%0A"
sleep 1
# 5. Remove the root password
curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=${1}/api/misystem/arn_switch" -d "open=1&model=1&level=%0Apasswd%20-d%20root%0A"

After that, proceed from step 2 in the main Installation section.

Debricking

Assume that you have installed OpenWrt with stock layout, with original u-boot:

  • Connect to router via UART
  • Select Load Image in the u-boot
  • Set start address to 0x48000000, then set TFTP parameters to load the initramfs-kernel.bin.
  • Start the loaded kernel, then perform sysupgrade on OpenWrt.

If you have installed OpenWrt with the U-Boot mod layout, you can still use the UART recovery procedure above, but U-Boot will also look for a file called openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-recovery.itb on a TFTP server at IP address 192.168.1.254.

If you provide that file in a tftp server, it'll be automatically loaded and run, so system can be recovered without using a UART connection.

If your bootloader is bricked, you can use MediaTek's ability to load a bootloader directly over UART with a tool called mtk_uartboot.

Details are explained in this forum post.

AX3000T can be recovered from a soft-brick with TFTP. The flow is:

  • The router boots and asks for an IP address on the LAN ports via DHCP
  • The TFTP server assigns an IP address to the router
  • The router then connects to the TFTP server (where your DHCP server listens, e.g. 192.168.31.100) and tries to download a file named after the IP address given by the DHCP server, converted to hexadecimal.

Because of this quirk, we have to configure the TFTP server to hand out only one IP address, and we name the file after the only address the router can receive.
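The file name the loader asks for is just the DHCP-assigned address written as eight upper-case hex digits (192.168.31.2 becomes C0A81F02.img). The script below is an added example (not part of this wiki page or of OpenWrt) that does this conversion both ways, pulls the requested name out of a dnsmasq log line, and prints the rename command when the image in the TFTP root does not match what the router asked for. The dnsmasq log lines it is tested with are constructed samples whose exact wording is assumed.

```shell
#!/bin/sh
# Added example (not from the OpenWrt wiki): derive the recovery image name
# from the DHCP-assigned address and check the TFTP root against what the
# router actually requested. The dnsmasq log line format is assumed; the
# sample lines used for testing are constructed.

# 192.168.31.2 -> C0A81F02.img : each octet as two upper-case hex digits.
ip_to_filename() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    printf '%02X%02X%02X%02X.img\n' "$1" "$2" "$3" "$4"
}

# C0A81F02.img (optionally with a path) -> 192.168.31.2, for reading the log.
filename_to_ip() {
    hex=${1%.img}
    hex=${hex##*/}
    [ ${#hex} -eq 8 ] || return 1
    a=$(printf '%s' "$hex" | cut -c1-2)
    b=$(printf '%s' "$hex" | cut -c3-4)
    c=$(printf '%s' "$hex" | cut -c5-6)
    d=$(printf '%s' "$hex" | cut -c7-8)
    printf '%d.%d.%d.%d\n' $((0x$a)) $((0x$b)) $((0x$c)) $((0x$d))
}

# Pull "XXXXXXXX.img" out of a dnsmasq TFTP log line (prints nothing if absent).
requested_file() {
    printf '%s\n' "$1" | sed -n 's/.*[^0-9A-Fa-f]\([0-9A-Fa-f]\{8\}\.img\).*/\1/p'
}

# Compare the request with the TFTP root: prints "ok: <path>" when the file
# is there, otherwise the mv command that renames the image you have.
rename_hint() {
    root=$1; line=$2
    want=$(requested_file "$line")
    [ -n "$want" ] || { echo "no image request found in: $line" >&2; return 1; }
    if [ -f "$root/$want" ]; then
        echo "ok: $root/$want"
        return 0
    fi
    have=$(ls "$root"/*.img 2>/dev/null | head -n 1)
    [ -n "$have" ] || { echo "no .img file in $root" >&2; return 1; }
    echo "mv $have $root/$want   # router at $(filename_to_ip "$want") asked for $want"
}

# Stand-alone use: sh tftpname.sh 192.168.31.2  -> C0A81F02.img
if [ $# -eq 1 ]; then
    ip_to_filename "$1"
fi
```

With the dhcp-range used in the dnsmasq command below, the first lease handed out is 192.168.31.2, which is why the download step names the file C0A81F02.img; if the log shows a different request, rename_hint prints the mv to run before repeating the procedure.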

For Windows you can use tftpd64 and on Linux you can use dnsmasq. These are the steps to do it for Linux (this can be adapted to the tftpd64's graphical interface very easily):

  • Create a folder somewhere to hold the firmware for the TFTP server and download the OEM firmware. The file name is a very important part: depending on the previously installed Xiaomi firmware version, you may need to give the .img file a different name. The router will be looking for a specific file name on the TFTP server; if the file requested in the terminal does not match the one in the tmp folder, rename it accordingly and proceed again:
    mkdir -p /tmp/tftp
    wget https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/rd03/miwifi_rd03_firmware_ef0ee_1.0.47.bin -O /tmp/tftp/C0A81F02.img
  • To ensure that the TFTP server has access to the firmware, set the privileges:
    sudo chmod -R 755 /tmp/tftp
    sudo chown -R nobody:nogroup /tmp/tftp
  • Obtain the name of the ethernet adapter (to be used in further steps):
    ip link
  • The result will look something like this (in this case, the name of the ethernet adapter is enp2s0):
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
        link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
        link/ether yy:yy:yy:yy:yy:yy brd ff:ff:ff:ff:ff:ff
  • Set a static address on your PC to serve the firmware from:
    sudo ip address flush dev <adapter name>
    sudo ip address add 192.168.31.100/24 dev <adapter name>
  • Run the server with the following command:
    sudo dnsmasq --no-daemon --listen-address=192.168.31.100 --bind-interfaces --dhcp-range=192.168.31.2,192.168.31.254 --enable-tftp --tftp-root=/tmp/tftp --log-dhcp --log-facility=-
  • Unplug the power, press and hold the reset button, plug the power back while still holding the button.
    • Hold the reset button until the router's LED starts flashing orange.
    • then it goes solid orange again, release the button.
    • If in the terminal, you see that the router requests a different firmware file (different name), rename the .img file in the tmp folder accordingly and repeat the procedures from the IP flush again.
  • When the device has finished loading the firmware, the LED starts flashing orange (amber). Wait until the blue LED goes solid!
    • It might take some time for the LED to go solid blue.
    • If the recovery doesn't accept the downloaded file, the LED switches to solid white; in that case, restart the recovery process with another file.
    • If the LED is blinking blue, the device was flashed successfully and can be restarted.
  • Put your interface back to DHCP mode and start again with breaking your device.

Basic configuration

After flashing, proceed with this: set up your Internet connection, configure wireless, configure the USB port, etc.

The default network configuration is:

Interface Name   Description         Default configuration
br-lan           LAN & WiFi          192.168.1.1/24
lanX (eth0)      LAN ports (2 to 4)  None
wan (eth0)       WAN port            DHCP
phy0-ap0         WiFi 2.4G           Disabled
phy1-ap0         WiFi 5G             Disabled

Numbers 2-4 are Ports 1-3 as labeled on the unit, number 4 is the Internet (WAN) on the unit, 0 is the internal connection to the router itself.

Port            Switch port
Internet (WAN)  1
LAN 2           2
LAN 3           3
LAN 4           4

See hardware.button for how to use and configure the hardware button(s). Here we merely name the buttons, so that we can use them in the above howto.

The Xiaomi AX3000T has the following buttons:

BUTTON Event
Reset reset
Mesh BTN_9

Front:
Insert photo of front of the casing

Back:
Insert photo of back of the casing

Backside label:
Insert photo of backside label

Note: This will void your warranty!

  1. Remove 4 rubber feet on the bottom of the device
  2. Use a Phillips screwdriver to remove the 4 screws
  3. A tiny flathead or plastic pry tool can be wedged in between the bottom case by the antennas. Gently push and slide it along the groove and it will pop open.

Main PCB:
Insert photo of PCB

See port.serial for general information about the serial port, serial port cable, etc.

How to connect to the Serial Port of this specific device:

Serial connection parameters
for Xiaomi AX3000T
115200, 8N1, 3.3V

See port.jtag for general information about the JTAG port, JTAG cable, etc.

How to connect to the JTAG Port of this specific device:
Insert photo of PCB with markings for JTAG port

  • DC power barrel plug dimensions 4.0mm x 1.7mm.
  • Last modified: 2024/09/13 20:02
  • by alexq