Xiaomi AX3000T
Announcement!
All known hardware variants of AX3000T are supported.
Warning! Don't brick your router!
To ensure compatibility with all existing AX3000T hardware types, OpenWrt version 24.10.0 is recommended.
→ Don’t try to flash other versions without checking your router hardware!: details.
The Xiaomi AX3000T router supports 2 802.11ax streams on both 2.4GHz @40MHz and 5GHz @160MHz for a combined 3000Mbps wireless speed. It is based on the MediaTek MT7981 SoC.
There are two versions of the Xiaomi AX3000T router:
- model RD03: Chinese version
- model RD23: International (Global) version.
Both versions have exactly the same hardware, and the only difference is the version of the stock firmware (which is region-locked).
Support Forums https://forum.openwrt.org/t/openwrt-support-for-xiaomi-ax3000t/180490
There are 2 known OpenWrt installation methods for the Xiaomi AX3000T:
- API RCE method: the method involves executing shell commands on the stock router firmware to enable SSH access by exploiting the API RCE, either in
xqsystem/start_binding
ormisystem/arn_switch
, depending on the firmware version. This method is suitable for both RD23 (International version) and RD03 (Chinese version) of the Xiaomi AX3000T router. For details, please refer to the Installation section below. - UART flash method: the method which requires opening the device, connecting a UART cable, and following a specific set of steps. This process is recommended only for advanced users and may soft brick your device. The instructions for this process are available in this post: link to owrt forum.
API RCE support status
Stock Firmware | Model | API to exploit | Stock Firmware URL |
---|---|---|---|
1.0.31 (INT) | RD23 | xqsystem/start_binding | not released to the public *¹ |
1.0.49 (INT) | RD23 | xqsystem/start_binding | miwifi_rd23_firmware_153e1_1.0.49_INT.bin |
1.0.90 (INT) | RD23 | none *² | miwifi_rd23_firmware_99b0f_1.0.90_INT.bin |
1.0.91 (INT) | RD23 | none *² | miwifi_rd23_firmware_8d757_1.0.91_INT.bin |
1.0.47 (CN) | RD03 | misystem/arn_switch | miwifi_rd03_firmware_ef0ee_1.0.47.bin |
1.0.64 (CN) | RD03 | xqsystem/start_binding | miwifi_rd03_firmware_14680_1.0.64.bin |
1.0.84 (CN) | RD03 | xqsystem/start_binding | miwifi_rd03_firmware_f85f9_1.0.84.bin |
1.0.90 (CN) | RD03 | xqsystem/start_binding | not released to the public |
1.0.91 (CN) | RD03 | xqsystem/start_binding | miwifi_rd03_firmware_7df60_1.0.91.bin |
- * note 1: 1.0.31 RD23 might fail to recover via TFTP, updating to 1.0.49 before installing OpenWrt could help (unconfirmed).
- * note 2: RD23 with MT7531AE switch can be downgraded to the exploitable 1.0.49 version (forum post). RD23 with AN8855 switch cannot be downgraded to 1.0.49 as this version does not contain drivers for AN8855 switch, until a new exploit is disclosed, UART flash method is required.
Hardware support status
NAND Flash | Support | OpenWrt Version | Pull Request |
---|---|---|---|
ESMT F50L1G41LB | Yes | 23.05.4 or newer | #14054 |
Winbond W25N01KV | Yes | 24.10.0-rc1 or newer | #16088 |
Foresee F35SQA001G | Yes | 24.10.0-rc3 or newer | #16915 |
Switch | Support | OpenWrt Version | Pull Request |
---|---|---|---|
MediaTek MT7531AE | Yes | 23.05.4 or newer | #14054 |
Airoha AN8855 | Yes | 24.10.0-rc7 or newer | #16709 |
- For guidance on detecting router hardware, please refer to the forum post.
Supported Versions
Hardware Highlights
Installation
Flash instructions
Besides the manual steps outlined below, there is the XMiR-Patcher tool that can automate the entire process, making the first-time router flashing much simpler with just a few clicks. As always, know what you're doing when executing scripts from the internet!
1. Get ssh access.
#!/bin/sh if [ $# -ne 2 ]; then cat <<EOF Usage: $0 [misystem | xqsystem] [stok] e.g. $0 xqsystem e6ea114ba2cddb0c70fbbc417bb2706c Copy the stok-string from a browser's URL-line, while logged to the router EOF exit 1 fi [ -z "$2" ] && echo "error: bad stok" && exit 1 url="http://192.168.31.1/cgi-bin/luci/;stok=${2}/api" case "$1" in misystem) url="$url/misystem/arn_switch" pre="open=1&model=1&level=" suf="" ;; xqsystem) url="$url/xqsystem/start_binding" pre="uid=1234&key=1234'" suf="'" ;; *) echo "error: unknown api" && exit 1 ;; esac curl -X POST "$url" -d "${pre}%0Anvram%20set%20ssh_en%3D1%0A${suf}" sleep 1 curl -X POST "$url" -d "${pre}%0Anvram%20commit%0A${suf}" sleep 1 curl -X POST "$url" -d "${pre}%0Ased%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%22debug%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear%0A${suf}" sleep 1 curl -X POST "$url" -d "${pre}%0A%2Fetc%2Finit.d%2Fdropbear%20start%0A${suf}" sleep 1 curl -X POST "$url" -d "${pre}%0Apasswd%20-d%20root%0A${suf}"
2. Backup stock partitions
ssh -o StrictHostKeyChecking=no -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa -v root@192.168.31.1 nanddump -f /tmp/BL2.bin /dev/mtd1 nanddump -f /tmp/Nvram.bin /dev/mtd2 nanddump -f /tmp/Bdata.bin /dev/mtd3 nanddump -f /tmp/Factory.bin /dev/mtd4 nanddump -f /tmp/FIP.bin /dev/mtd5 nanddump -f /tmp/ubi.bin /dev/mtd8 nanddump -f /tmp/KF.bin /dev/mtd12
Then transfer them to your computer in a safe place.
To copy you can run netcat on your computer:
$ netcat -lp 1234 | tar xvf -
And send the data from the router:
root@XiaoQiang:~# cd /tmp/ root@XiaoQiang:~# tar cf - *.bin | nc 192.168.31.<computer-IP> 1234
3. Get firmware information: cat /proc/cmdline
4. Copy openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi to /tmp and flash
- If firmware=0
ubiformat /dev/mtd9 -y -f /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi nvram set boot_wait=on nvram set uart_en=1 nvram set flag_boot_rootfs=1 nvram set flag_last_success=1 nvram set flag_boot_success=1 nvram set flag_try_sys1_failed=0 nvram set flag_try_sys2_failed=0 nvram commit reboot
- If firmware=1
ubiformat /dev/mtd8 -y -f /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi nvram set boot_wait=on nvram set uart_en=1 nvram set flag_boot_rootfs=0 nvram set flag_last_success=0 nvram set flag_boot_success=1 nvram set flag_try_sys1_failed=0 nvram set flag_try_sys2_failed=0 nvram commit reboot
Once the router is rebooted, it should boot to the OpenWrt initramfs system now. To be sure to use one of OpenWrt's LAN ports (not WAN port), plug the ethernet cable into one of the middle ports, if the cable is not already plugged there (original FW dynamically assigns LAN/WAN).
Note that you should configure the computer's network to use DHCP. You can use wireshark if things don't work.
This command will connect you to the OpenWrt system:
ssh root@192.168.1.1
5. Copy openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin to /tmp and flash:
sysupgrade -n /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin
Once the router is rebooted after sysupgrade, proceed with a Basic configuration.
Change to OpenWrt U-Boot
Default available router space is 60Mb. It's possible to increase this size by replacing stock bootloader with the OpenWrt U-Boot bootloader. Please understand the benefits and risks involved. OpenWrt U-Boot provides faster boot loading and more space: 75Mb (with recovery) or 85Mb (without recovery).
Warning! AN8855, Winbond and Foresee are compatible with OpenWrt U-Boot loader BL2 and FIP only in Snapshot build. Meanwhile ubootmod sysupgrade is fully compatible with AN8855, Winbond and Foresee starting from 24.10.0 version. You can use together Snapshot U-Boot loader with 24.10.0 ubootmod version.
1. Flash openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-factory.ubi
ubiformat /dev/mtd8 -y -f /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-factory.ubi
reboot
2. Install kmod-mtd-rw
opkg update && opkg install kmod-mtd-rw
insmod mtd-rw i_want_a_brick=1
3. Format ubi and create new ubootenv volume
ubidetach -p /dev/mtd8; ubiformat /dev/mtd8 -y; ubiattach -p /dev/mtd8 ubimkvol /dev/ubi0 -n 0 -N ubootenv -s 128KiB ubimkvol /dev/ubi0 -n 1 -N ubootenv2 -s 128KiB
4. *(Optional -10Mb free space) Add recovery boot feature.*
ubimkvol /dev/ubi0 -n 2 -N recovery -s 10MiB ubiupdatevol /dev/ubi0_2 /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-recovery.itb
5. Flash Openwrt U-Boot
mtd write /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-preloader.bin BL2 mtd write /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-bl31-uboot.fip FIP
6. Flash openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-squashfs-sysupgrade.itb
sysupgrade -n /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-squashfs-sysupgrade.itb
Go Back to stock from Openwrt U-Boot
1. Force flash openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-recovery.itb
sysupgrade -F -n /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-recovery.itb
2. Format ubi and Nvram
ubidetach -p /dev/mtd8; ubiformat /dev/mtd8 -y; ubiattach -p /dev/mtd8 mtd erase Nvram
3. Install kmod-mtd-rw
opkg update && opkg install kmod-mtd-rw
insmod mtd-rw i_want_a_brick=1
4. Flash stock images from backup
mtd write /tmp/BL2.bin BL2 mtd write /tmp/FIP.bin FIP mtd write /tmp/ubi.bin ubi
Then reboot your router, waiting it finished rollback in minutes.
Go Back to stock firmware from stock bootloader
ubiformat /dev/mtd8 -y -f /tmp/ubi.bin
Then reboot your router, waiting it finished rollback in minutes.
OEM installation using the TFTP method
Specific values needed for tftp
Enter values for “FILL-IN” below
Bootloader tftp server IPv4 address | FILL-IN |
---|---|
Bootloader MAC address (special) | FILL-IN |
Firmware tftp image | Latest OpenWrt release (NOTE: Name must contain “tftp”) |
TFTP transfer window | FILL-IN seconds |
TFTP window start | approximately FILL-IN seconds after power on |
TFTP client required IP address | FILL-IN |
Upgrading OpenWrt
LuCI Web Upgrade Process
- Browse to
http://192.168.1.1/cgi-bin/luci/admin/system/flash
LuCI Upgrade URL - Upload image file for sysupgrade to LuCI
- Wait for reboot
Terminal Upgrade Process
If you don't have a GUI (LuCI) available, you can alternatively upgrade via the command line. There are two command line methods for upgrading:
sysupgrade
mtd
Note: It is important that you put the firmware image into the ramdisk (/tmp) before you start flashing.
sysupgrade
- Login as root via SSH on 192.168.1.1, then enter the following commands:
cd /tmp wget https://downloads.openwrt.org/snapshots/targets/mediatek/filogic/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin sysupgrade /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin
mtd
If sysupgrade
does not support this router, use mtd
.
- Login as root via SSH on 192.168.1.1, then enter the following commands:
cd /tmp wget http://downloads.openwrt.org/snapshots/trunk/XXX/xxx.abc mtd write /tmp/xxx.abc linux && reboot
Downgrading stock firmware
This section is kept only for historical reference, as it relates to the deprecated OpenWrt installation method that was applicable only to the RD03 (Chinese version) with stock firmware version 1.0.47. Please note that none of the current installation methods require a firmware downgrade to flash OpenWrt.
To downgrade a firmware version on your router, navigate to the upload firmware page and select the appropriate software version. It will complain about the downgrade. Edit the url and change the <html>0</html> at the end to a <html>1</html> and press enter. Or change to <html>2</html> if there is already <html>1</html> (seen on v1.0.64). The downgrade will proceed.
Debricking
Assume that you have installed OpenWrt with stock bootloader, with original u-boot:
- Connect to router via UART
- Select Load Image in the u-boot
- Set start address to 0x48000000, then set TFTP parameters to load the initramfs-kernel.bin.
- Start the loaded kernel, then perform sysupgrade on OpenWrt.
If you have installed OpenWrt with u-boot mode layout, you can still use above UART recovery procedure, but u-boot will also look for a file called openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-recovery.itb
in a tftp server at IP address 192.168.1.254
If you provide that file in a tftp server, it'll be automatically loaded and run, so system can be recovered without using a UART connection.
Recover bricked bootloader
If your bootloader is bricked you can use the Mediateks ability to load a bootloader directly over UART with a tool called mtk_uartboot.
Details explained in this forum post
TFTP instructions for the stock bootloader
AX3000T can be recovered from a soft-brick with TFTP. The flow is:
- The router boots and asks for an IP address on the LAN ports via DHCP
- The TFTP server assigns an IP address to the router
- The router then connects to the TFTP server (where your DHCP server listen, e.g.: 192.168.31.100) and tries to download a file named with the IP address given by the DHCP server converted to hexadecimal.
Because of this quirk we will have to configure the tftp server to assign only one IP and we will set the file name to the only IP address it can receive.
For Windows you can use tftpd64 and on Linux you can use dnsmasq. These are the steps to do it for Linux (this can be adapted to the tftpd64's graphical interface very easily):
- Create a folder somewhere to place your firmware for the tftp server and download the OEM firmware (the file name is a very important part; depending on the previously installed Xiaomi firmware version, you may need to adjust the name of the .img file to a different one. The router will be looking for a specific file name on the tftp server – if the requested file in the terminal does not match the one you have in the tmp folder, rename it accordingly and proceed again):
mkdir -p /tmp/tftp wget https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/rd03/miwifi_rd03_firmware_ef0ee_1.0.47.bin -O /tmp/tftp/C0A81F02.img
- To ensure that the TFTP server has access to the firmware, set the privileges:
sudo chmod -R 755 /tmp/tftp sudo chown -R nobody:nogroup /tmp/tftp
- Obtain the name of the ethernet adapter (to be used in further steps):
ip link
- The result will loke something like (in this case, the name of the ethernet adapter is enp2s0):
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000 link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff 3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000 link/ether yy:yy:yy:yy:yy:yy brd ff:ff:ff:ff:ff:ff
- Set a static address on your PC to serve the firmware from:
sudo ip address flush dev <adapter name> sudo ip address add 192.168.31.100/24 dev <adapter name>
- Run the server with the following command:
sudo dnsmasq --no-daemon --listen-address=192.168.31.100 --bind-interfaces --dhcp-range=192.168.31.2,192.168.31.254 --enable-tftp --tftp-root=/tmp/tftp --log-dhcp --log-facility=-
- Unplug the power, press and hold the reset button, plug the power back while still holding the button.
- Hold the reset button until the router's LED starts flashing orange.
- then it goes solid orange again, release the button.
- If in the terminal, you see that the router requests a different firmware file (different name), rename the .img file in the tmp folder accordingly and repeat the procedures from the IP flush again.
- When the device finished loading the firmware, the led starts flashing with orange (amber) light. Wait for until blue led to goes solid!
- It might take some time for the led to go solid blue
- If the recovery doesn't accept the downloaded file the led switches to solid white - if this is the case, restart the recovery process with other file
- If the led is blinking blue led it means the device was flashed successfully and can be restarted
- Put your interface back to DHCP mode and start again with breaking your device
Failsafe mode
Basic configuration
→ Basic configuration After flashing, proceed with this.
Set up your Internet connection, configure wireless, configure network settings, etc.
→ note: configuration reset issue after 6 reboots, caused by the stock Xiaomi bootloader logic, has been addressed since 24.10.0 release.
- Don't run the
sed -i '/exit 0/i sleep 5\nfw_setenv flag_try_sys1_failed 0' /etc/rc.local
command if you're running version 24.10.0 or newer, or if the issue doesn't affect you and your router keeps its settings after 6 reboots!
Specific Configuration
Network interfaces
The default network configuration is:
Interface Name | Description | Default configuration |
---|---|---|
br-lan | LAN & WiFi | 192.168.1.1/24 |
lanX (eth0) | LAN ports (2 to 4) | None |
wan (eth0) | WAN port | DHCP |
phy0-ap0 | WiFi 2.4G | Disabled |
phy1-ap0 | WiFi 5G | Disabled |
Switch Ports (for VLANs)
Numbers 2-4 are Ports 1-3 as labeled on the unit, number 4 is the Internet (WAN) on the unit, 0 is the internal connection to the router itself.
Port | Switch port |
---|---|
Internet (WAN) | 1 |
LAN 2 | 2 |
LAN 3 | 3 |
LAN 4 | 4 |
Buttons
→ hardware.button on howto use and configure the hardware button(s). Here, we merely name the buttons, so we can use them in the above Howto.
The Xiaomi AX3000T has the following buttons:
BUTTON | Event |
---|---|
Reset | reset |
Mesh | BTN_9 |
LEDs
The Xiaomi AX3000T features a front LED strip that can light up in yellow (actually orange), blue, and white.
The default OpenWRT configuration is as follows:
LED | Behavior |
---|---|
Yellow | Blinks during boot |
Blue | Solid after boot |
White | Not in use |
The white LED can be activated by turning on both the yellow and blue LEDs simultaneously.
For example, the following configuration will set the white LED to be solid when the PPPoE connection is established. If the connection is lost, the color will revert to blue.
This can be configured through Luci → System → LED Configuration.
config led option sysfs 'yellow:status' option trigger 'netdev' option dev 'pppoe-wan' list mode 'link' config led option sysfs 'blue:status' option trigger 'netdev' option dev 'pppoe-wan' list mode 'link' config led option sysfs 'blue:status' option trigger 'default-on'
Hardware
Info
Photos
Front:
Insert photo of front of the casing
Back:
Insert photo of back of the casing
Backside label:
Insert photo of backside label
Opening the case
Note: This will void your warranty!
- Remove 4 rubber feet on the bottom of the device
- Use a Phillips screwdriver to remove the 4 screws
- A tiny flathead or plastic pry tool can be wedged in between the bottom case by the antennas. Gently push and slide it along the groove and it will pop open.
Main PCB:
Insert photo of PCB
Serial
→ port.serial general information about the serial port, serial port cable, etc.
How to connect to the Serial Port of this specific device:
Serial connection parameters for Xiaomi AX3000T | 115200, 8N1, 3.3V |
---|
JTAG
→ port.jtag general information about the JTAG port, JTAG cable, etc.
How to connect to the JTAG Port of this specific device:
Insert photo of PCB with markings for JTAG port
Bootloader mods
Hardware mods
Bootlogs
Notes
- DC power barrel plug dimensions 4.0mm x 1.7mm.