Xiaomi AX1800 (AX5/RA67)

Under Construction!
This page is currently under construction. You can edit the article to help complete it.

Xiaomi AX1800 - AX5 (RA67)

Not supported.

Describe if there are any ongoing activities that might lead to OpenWrt support.

CPU Qualcomm Atheros IPQ6000 quad-core A53 @ 1.2 GHz
RAM 256 MiB
Flash 128 MiB
WLAN 2.4 GHz b/g/n
WLAN 5.0 GHz an/ac/ax
Architecture ARMv8
Vendor Qualcomm
Bootloader U-Boot (R3600)
System-On-Chip Qualcomm IPQ8071A
CPU/Speed firmware up to 1.4GHz
Flash-Chip W29N02GZSIBA
Flash size 256 MiB
RAM 512 MiB
Wireless QCN5024 2.4GHz 802.11bgn
Ethernet 10/100/1000 Mbit/s w/ vlan support
Switch Qualcomm Atheros IPQ8075
Serial Yes

Flash layout in Original FW:

root@XiaoQiang:~# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00100000 00020000 "0:SBL1"
mtd1: 00100000 00020000 "0:MIBIB"
mtd2: 00300000 00020000 "0:QSEE"
mtd3: 00080000 00020000 "0:DEVCFG"
mtd4: 00080000 00020000 "0:RPM"
mtd5: 00080000 00020000 "0:CDT"
mtd6: 00080000 00020000 "0:APPSBLENV"
mtd7: 00100000 00020000 "0:APPSBL"
mtd8: 00080000 00020000 "0:ART"
mtd9: 00080000 00020000 "bdata"
mtd10: 00080000 00020000 "crash"
mtd11: 00080000 00020000 "crash_syslog"
mtd12: 023c0000 00020000 "rootfs"
mtd13: 023c0000 00020000 "rootfs_1"
mtd14: 01ec0000 00020000 "overlay"
mtd15: 00080000 00020000 "rsvd0"
mtd16: 0041e000 0001f000 "kernel"
mtd17: 0160a000 0001f000 "ubi_rootfs"
mtd18: 01876000 0001f000 "data"

Flash layout in QSDK FW:

root@OpenWrt:~# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00100000 00020000 "0:SBL1"
mtd1: 00100000 00020000 "0:MIBIB"
mtd2: 00300000 00020000 "0:QSEE"
mtd3: 00080000 00020000 "0:DEVCFG"
mtd4: 00080000 00020000 "0:RPM"
mtd5: 00080000 00020000 "0:CDT"
mtd6: 00080000 00020000 "0:APPSBLENV"
mtd7: 00100000 00020000 "0:APPSBL"
mtd8: 00080000 00020000 "0:ART"
mtd9: 00080000 00020000 "bdata"
mtd10: 00080000 00020000 "crash"
mtd11: 00080000 00020000 "crash_syslog"
mtd12: 023c0000 00020000 "rootfs"
mtd13: 08000000 00020000 "rootfs_1"
mtd14: 01ec0000 00020000 "overlay"
mtd15: 00080000 00020000 "rsvd0"
mtd16: 00900000 00020000 "0:WIFIFW"
mtd17: 00554000 0001f000 "kernel"
mtd18: 019cb000 0001f000 "ubi_rootfs"
mtd19: 0578d000 0001f000 "rootfs_data"
mtd20: 0022e000 0001f000 "wifi_fw"
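
To see at a glance which partitions differ between two firmware images, the two `/proc/mtd` dumps can be compared by partition name. This is an added example, not part of the original page; the function names are made up for illustration and the embedded listings are excerpts of the dumps above.

```shell
# Sample input: excerpts of the stock and QSDK /proc/mtd dumps shown above.
stock_mtd() { cat <<'EOF'
dev:    size   erasesize  name
mtd12: 023c0000 00020000 "rootfs"
mtd13: 023c0000 00020000 "rootfs_1"
mtd16: 0041e000 0001f000 "kernel"
mtd18: 01876000 0001f000 "data"
EOF
}
qsdk_mtd() { cat <<'EOF'
dev:    size   erasesize  name
mtd12: 023c0000 00020000 "rootfs"
mtd13: 08000000 00020000 "rootfs_1"
mtd16: 00900000 00020000 "0:WIFIFW"
mtd17: 00554000 0001f000 "kernel"
EOF
}

# mtd_diff OLD_FILE NEW_FILE: print partitions added, removed or resized.
mtd_diff() {
    awk '
    function hex2num(s,   i, v) {          # /proc/mtd sizes are hex without 0x
        s = toupper(s); v = 0
        for (i = 1; i <= length(s); i++)
            v = v * 16 + index("0123456789ABCDEF", substr(s, i, 1)) - 1
        return v
    }
    /^mtd[0-9]+:/ {
        name = $4; gsub(/"/, "", name); kib = hex2num($2) / 1024
        if (FILENAME == ARGV[1]) { old[name] = kib; next }
        seen[name] = 1
        if (!(name in old))         printf "added %s %d KiB\n", name, kib
        else if (old[name] != kib)  printf "resized %s %d -> %d KiB\n", name, old[name], kib
    }
    END { for (n in old) if (!(n in seen)) printf "removed %s %d KiB\n", n, old[n] }
    ' "$1" "$2"
}

# Run the comparison on the embedded excerpts.
mtd_diff_sample() {
    tmp=$(mktemp -d) || return 1
    stock_mtd > "$tmp/stock"; qsdk_mtd > "$tmp/qsdk"
    mtd_diff "$tmp/stock" "$tmp/qsdk"
    rm -rf "$tmp"
}

mtd_diff_sample
```

On a live device, save `cat /proc/mtd` from each firmware to a file and pass the two files to `mtd_diff`.
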
  1. Set up the router admin password (the quick way is to use the mobile setup app)
  2. Log in to the router web interface with the password set in the app and get the value of "stok=" from the URL
  3. Think of a password for SSH logins (8+ chars long, no special chars)

Now use the following URLs to enable SSH access, after substituting your own values. Each shell command is shown first, followed by the URL that runs it:

  • Replace <STOK> with the stok value obtained above
  • Replace <PASSWORD> with the password chosen above

nvram set ssh_en=1; nvram commit;

http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3Bnvram%20set%20ssh%5Fen%3D1%3B%20nvram%20commit%3B

sed -i 's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear;

http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3Bsed%20-i%20%27s/channel=.*/channel=%5C"debug%5C"/g%27%20/etc/init.d/dropbear%3B

/etc/init.d/dropbear start

http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B/etc/init.d/dropbear%20start%3B

/etc/init.d/dropbear enable

http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B/etc/init.d/dropbear%20enable%3B

echo -e "<PASSWORD>\n<PASSWORD>" | passwd root

http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=ssid=-h%0Aecho%20-e%20%27<PASSWORD>%5Cn<PASSWORD>%27%20%7C%20passwd%20root%0A

Now you should be able to log in with ssh root@192.168.31.1 using the password above.

Here is a bash script helper:

rawurlencode() {
  local string="${1}"
  local strlen=${#string}
  local encoded=""
  local pos c o

  for (( pos=0 ; pos<strlen ; pos++ )); do
     c=${string:$pos:1}
     case "$c" in
        [-_.~a-zA-Z0-9] ) o="${c}" ;;
        * )               printf -v o '%%%02x' "'$c"
     esac
     encoded+="${o}"
  done
  echo "${encoded}"    # You can either set a return variable (FASTER) 
  REPLY="${encoded}"   #+or echo the result (EASIER)... or both... :p
}

# Send one shell command to the router through the ssid parameter.
xiaomiCmd() {
    local parsed url
    parsed=$(rawurlencode "$1")
    url="http://192.168.31.1/cgi-bin/luci/;stok=$stok/api/misystem/set_config_iotdev?bssid=redmi&user_id=doctor&ssid=-h%0A$parsed%0A"
    echo "$url"
    curl "$url"
    echo
}

enableSsh() {
    xiaomiCmd "nvram set ssh_en=1;nvram commit"
    xiaomiCmd "sed -i '/flg_ssh.*release/ { :a; N; /fi/! ba };/return 0/d' /etc/init.d/dropbear"
    xiaomiCmd "echo -e '$password\n$password' | passwd root"
    xiaomiCmd "/etc/init.d/dropbear enable;/etc/init.d/dropbear start"
}
echo "You have to set the stok and password variables before running enableSsh:"
echo 'stok=<STOK>'
echo 'password=<PASSWORD>'
echo enableSsh

Here is JavaScript that does the same thing; run it in the browser console (press F12):

function getSTOK() {
    let match = location.href.match(/;stok=(.*?)\//);
    if (!match) {
        return null;
    }
    return match[1];
}

function execute(stok, command) {
    command = encodeURIComponent(command);
    let path = `/cgi-bin/luci/;stok=${stok}/api/misystem/set_config_iotdev?bssid=SteelyWing&user_id=SteelyWing&ssid=-h%0A${command}%0A`;
    console.log(path);
    return fetch(new Request(location.origin + path));
}

function enableSSH() {
    const stok = getSTOK();
    if (!stok) {
        console.error('stok not found in URL');
        return;
    }
    console.log(`stok = "${stok}"`);

    const password = prompt('Input new SSH password');
    if (!password) {
        console.error('You must input password');
        return;
    }

    execute(stok, 
`
nvram set ssh_en=1
nvram commit
sed -i 's/channel=.*/channel=\\"debug\\"/g' /etc/init.d/dropbear
/etc/init.d/dropbear start
`
    )
        .then((response) => response.text())
        .then((text) => console.log(text));
    console.log('New SSH password: ' + password);
    execute(stok, `echo -e "${password}\\n${password}" | passwd root`)
        .then((response) => response.text())
        .then((text) => console.log(text));
}

enableSSH();
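
For monitoring, requests like the ones above can be recognised by decoding the `ssid` parameter of `set_config_iotdev` calls and checking it for shell separators. This is an added example, not part of the original page; it assumes HTTP requests to the router are logged somewhere with the request line in double quotes, and the log lines and the function names are constructed for illustration.

```shell
# Constructed sample log: one plain ssid, one URL from this page, one unrelated request.
sample_log() { cat <<'EOF'
192.168.31.50 "GET /cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=HomeIoT HTTP/1.1" 200
192.168.31.50 "GET /cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3Bnvram%20set%20ssh%5Fen%3D1%3B%20nvram%20commit%3B HTTP/1.1" 200
192.168.31.50 "GET /cgi-bin/luci/;stok=<STOK>/web/home HTTP/1.1" 200
EOF
}

# scan_iotdev_log: read log lines on stdin, print one line per suspicious request.
scan_iotdev_log() {
    awk '
    function hexval(c) { return index("0123456789ABCDEF", toupper(c)) - 1 }
    function urldecode(s,   out, code) {
        out = ""
        while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
            code = hexval(substr(s, RSTART + 1, 1)) * 16 + hexval(substr(s, RSTART + 2, 1))
            out = out substr(s, 1, RSTART - 1) sprintf("%c", code)
            s = substr(s, RSTART + 3)
        }
        return out s
    }
    /\/api\/misystem\/set_config_iotdev\?/ {
        q = $0
        sub(/^.*set_config_iotdev\?/, "", q)   # keep only the query string
        sub(/[ "].*$/, "", q)                  # cut at the end of the URL
        n = split(q, kv, "&")
        for (i = 1; i <= n; i++) {
            if (kv[i] !~ /^ssid=/) continue
            v = urldecode(substr(kv[i], 6))
            # newline, shell separators and substitution characters; review hits by hand
            if (index(v, "\n") || v ~ /[;|&`$]/) {
                gsub(/\n/, "<LF>", v)
                printf "line %d: suspicious ssid: %s\n", NR, v
            }
        }
    }'
}

sample_log | scan_iotdev_log
```
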

COPY HERE THE BOOTLOG


COPY HERE THE BOOTLOG ONCE OPENWRT IS INSTALLED AND RUNNING


Secure boot is not enabled, but UART TX is locked. To unlock it, run the following in a shell (get SSH access first):

nvram set uart_en=1
nvram set boot_wait=on
nvram commit

Now, autoboot stop is available and TX is available!

Write the bytes a5 5a 00 00 into the crash partition to enter factory mode.

- Download tftpd64 https://bitbucket.org/phjounin/tftpd64/downloads/tftpd64.464.zip and firmware http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r3600/miwifi_r3600_firmware_5da25_1.0.17.bin

- set a fixed IP on your PC (I used 192.168.11.1)

- rename the firmware to C0A80B0A.img and put it in the tftpd64 folder

- enable tftpd and the DHCP server in tftpd64 on your interface

- keep the reset button pressed and power on your ax3600

- when tftpd64 has finished loading the firmware file, release the reset button and wait for a long time until the blue LED turns solid

- put your interface back to DHCP and start again with breaking your device

  • Last modified: 2021/05/27 16:59
  • by mohalisad