Add OpenWrt support for Xiaomi "Redmi AX6000"

On sale on April 6, Value 499 RMB.

Chinese Teardown review: https://www.acwifi.net/19676.html

Chinese purchase and introduction page: https://www.mi.com/buy/detail?product_id=15820
(Not sure if there will be a global version)

First firmware: https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/rb06/miwifi_rb06_firmware_847e9_1.0.48.bin

Specifications:

  • SoC : MediaTek MT7986A
  • RAM : DDR4 512MiB (K4A4G165WF-BCWE)
  • Flash : SPI-NAND 128 MiB (ESMT F50L1G41LB)
  • WLAN :
    • 2.4G : MediaTek MT7976GN (FEM : RTC66266)
    • 5G : MediaTek MT7976AN (FEM : RTC66568)
  • Ethernet :
    • Switch : MediaTek MT7531A
  • Power : 12 VDC, 2 A

I'm not quite used to the usage of the editor of the openwrt forum, so I'm probably very bad at writing, please forgive me

12 Likes

A few observations that I made earlier when I was looking at this firmware image earlier today (I probably won't end up getting one though, for those reading)

  • Wowee Mediatek, is that a 5.4 kernel in the vendor sdk? That's probably the newest kernel version I've seen in a shipping product... (They still use swconfig though. Probably don't have the time or desire to port their acceleration modules to DSA)
  • Oooooh, they're building the Arm Trusted Firmware (ATF) in their build system too...
  • I have no idea if this uses secure boot. The secboot upgrade script has return 0 hardcoded as usual, so there might not be any. On the other hand, I see an efuse node in the dtb.
  • Uses the new mediatek bad block management thing nmbm. OpenWrt master already has support.
  • There's no support for this in the current testing kernel we have at the moment. You would have to backport a few things.
  • Hooray a MTK platform with AX on both bands without having to stick in a MT7915D...
  • Xiaomi casually leaking the existence of a MT7981 in their kernel config. (Although there are references on the internet to the demo board + MT7976C anyway)

RB04 I think was the AX5400 gaming edition, RB08 is an unannounced (I think) one called HomeWiFi (I'm guessing a mesh by the name), soooo I guess that leaves... RB05 and RB07? They have too many 11ax models, it makes my head hurt.

Partitions from dtb:

partition@0 {
        label = "BL2";
        reg = <0x00 0x100000>;
        read-only;
};

partition@100000 {
        label = "Nvram";
        reg = <0x100000 0x40000>;
};

partition@140000 {
        label = "Bdata";
        reg = <0x140000 0x40000>;
};

partition@180000 {
        label = "Factory";
        reg = <0x180000 0x200000>;
        phandle = <0x15>;
};

partition@380000 {
        label = "FIP";
        reg = <0x380000 0x200000>;
};

partition@580000 {
        label = "crash";
        reg = <0x580000 0x40000>;
};

partition@5c0000 {
        label = "crash_log";
        reg = <0x5c0000 0x40000>;
};

partition@600000 {
        label = "ubi";
        reg = <0x600000 0x1e00000>;
};

partition@2400000 {
        label = "ubi1";
        reg = <0x2400000 0x1e00000>;
};

partition@4200000 {
        label = "overlay";
        reg = <0x4200000 0x3200000>;
};

FIP is u-boot I believe. The image header seems to suggest it's forked from 2022.01-rc1 from December.

The lack of 2.5G port(s) is a bit of a letdown, all things considered. Just one would have been nice. Not sure if this chipset had the dual HSGMII that would have made it viable.

1 Like

According to a speculation in the review of the disassembly site, it is very likely to sell products that are "still available", and if the 2.5G network port is added, those products may lag.
According to my guess, this is actually a counterpart to the XDR6020, which debuted at 499RMB.
But if added, the competitor is not yet on sale XDR6088, then the price may also have to be much more.

Then I am more concerned that mt7986 was not added until 5.17 kernel, I wonder if it can be added as a bunch of patches and then added to openwrt for 5.10/5.15 kernel?

https://lore.kernel.org/lkml/?q=mt7986

It looks like it's still in progress, but it may have to wait until the next linux kernel with LTS or even later?

So cool. How did you crack the image of Redmi AX6000?

You can use ubireader to decompress the image.
After that you can use extract-dtb to get the dtb, and then use dtc to convert the dtb to dts and/or decompress the rootfs with unsquashfs.

1 Like

so, how feasible is support for this and how is availability in europe?

Finally! A true Wi-Fi 6 MediaTek-based device! Hoping we can get more info on support sooner than later.

1 Like

FWIW, I've ordered one of these. Should be here in ~1 month. Never ported OpenWrt to a new device but am willing to learn and help if anyone is interested. I've got sufficient knowledge that it won't be too difficult.

2 Likes

I also bought Redmi AX6000, looking forward to your adaptation

1 Like

For best experience FPS gaming should use wired (and not wireless) connection.

With that said, and using a wired connection, any modern router (dual core CPU or better) will (should) not impact your internet latency. Your route between your ISP and the game server will likely have a bigger impact on latency than your router.

On the other hand you may be experiencing increased latency due to buffer bloat. If this is the case, research buffer bloat and configure SQM in your router to minimize this issue.

I don't think any vendor does any offload for cake, so that kind of applies to basically... everything. (Minus the platforms where you can just throw CPU at the problem like X86 and many of the SBC platforms with Cortex A72 or better)

This will probably top out at around 600mbit like the MT7622, which is a respectable amount. You may squeeze a little more out of fq_codel. Some on gigabit connections won't even bother with the downstream shaper at all.

The manner in which they're delivered matters not, since we have source for both. For any critical ethernet/wifi bug you'd just end up flashing a new image and kernel anyway. (Both mt76 and the mt753x switch driver are open source. While the wireless chipsets do use firmware blobs loaded by the driver, fixes to those would come from mediatek anyway, since they're not terrible people and send things upstream regularly)

Probably just stay on wired where humanly possible, while AQL should smooth things over in wireless, it remains shared medium.

2 Likes

Sorry if I missed something, but how did you get to install OpenWrt on the Redmi AX6000?

You can’t yet and reading above, support likely won’t even be available until the master branch moves up to kernel 5.20. Glad to see it’s gaining traction though.

My device should be in in a couple days. Wondering where/how you found the link for this firmware. I'd like to be able to grab them in the future. I don't speak Chinese to find it easily.

Here's the full dts. https://gist.github.com/soxrok2212/f922c93ec8a09738cb8bd64d6eb0cb3f

For those wondering, my process was something like the following:

  1. Download the firmware from OP's link
  2. Binwalk it and look for where the ubifs header is (680)

$ binwalk miwifi_rb06_firmware_847e9_1.0.48.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
680           0x2A8           UBI erase count header, version: 1, EC: 0x0, VID header offset: 0x800, data offset: 0x1000

  3. Use ubireader to dump ubifs.

$ ubireader_extract_images -s 680 miwifi_rb06_firmware_847e9_1.0.48.bin

You'll be greeted with two images, one is the kernel and one is the rootfs.

$ ls ubifs-root/miwifi_rb06_firmware_847e9_1.0.48.bin/
img-548035754_vol-kernel.ubifs  img-548035754_vol-rootfs.ubifs

  4. Use extract-dtb to pull out dtb file.

$ extract-dtb img-548035754_vol-kernel.ubifs
Dumped 00_kernel, start=0 end=0
Dumped 01_dtbdump_\bC:=.dtb, start=0 end=3160028
Dumped 02_dtbdump_mediatek,mt7986a-spim-snand-rfb.dtb, start=3160028 end=3301376
Extracted 2 appended dtbs + kernel to dtb

  5. Convert dtb to dts

$ dtc -I dtb -O dts dtb/02_dtbdump_mediatek,mt7986a-spim-snand-rfb.dtb -o dtb/02_dtbdump_mediatek,mt7986a-spim-snand-rfb.dts
...
snip bunch of warnings
...

And their OpenWrt config: https://gist.github.com/soxrok2212/14bddacbf3d08232da755af41ccc031c

1 Like
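
Added example (not code from the thread, nor from binwalk, ubireader or extract-dtb): the offset-finding steps in the post above, written out in Python, locating the UBI erase-count header by magic plus header CRC and appended device trees by FDT magic plus header sanity checks, so that a stray magic match is rejected. The sample input is constructed; its field values are copied from the binwalk line and the image file names above, and the function names are hypothetical.

```python
import struct
import zlib

UBI_EC_MAGIC = b"UBI#"            # UBI erase-count (EC) header magic
FDT_MAGIC = b"\xd0\x0d\xfe\xed"   # flattened device tree magic
EC_HDR = struct.Struct(">4sB3xQIII32xI")  # 64-byte big-endian struct ubi_ec_hdr

def ubi_crc(data: bytes) -> int:
    # UBI's CRC-32 is seeded with 0xFFFFFFFF and has no final inversion.
    return zlib.crc32(data) ^ 0xFFFFFFFF

def find_ubi_start(blob: bytes):
    """Return (offset, fields) for the first EC header whose CRC verifies."""
    pos = blob.find(UBI_EC_MAGIC)
    while pos != -1:
        raw = blob[pos:pos + EC_HDR.size]
        if len(raw) == EC_HDR.size:
            _, ver, ec, vid_off, data_off, seq, crc = EC_HDR.unpack(raw)
            if crc == ubi_crc(raw[:-4]):
                return pos, {"version": ver, "ec": ec, "vid_hdr_offset": vid_off,
                             "data_offset": data_off, "image_seq": seq}
        pos = blob.find(UBI_EC_MAGIC, pos + 1)
    return None

def find_dtbs(blob: bytes):
    """Return (start, end) for each FDT header that passes sanity checks."""
    hits, pos = [], blob.find(FDT_MAGIC)
    while pos != -1:
        hdr = blob[pos + 4:pos + 28]
        if len(hdr) == 24:
            total, o_struct, o_strings, _, ver, compat = struct.unpack(">6I", hdr)
            if (ver >= 16 and compat <= ver and 40 <= total <= len(blob) - pos
                    and max(o_struct, o_strings) < total):
                hits.append((pos, pos + total))
                pos += total - 1   # resume the search after this tree
        pos = blob.find(FDT_MAGIC, pos + 1)
    return hits

def constructed_sample() -> bytes:
    """Constructed input: 680 bytes with a stray magic, then a valid EC header."""
    body = struct.pack(">4sB3xQIII32x", UBI_EC_MAGIC, 1, 0, 0x800, 0x1000, 548035754)
    return b"xxxxUBI#".ljust(680, b"\x00") + body + struct.pack(">I", ubi_crc(body))

if __name__ == "__main__":
    print(find_ubi_start(constructed_sample()))
```

On a real image, pass the file's bytes to `find_ubi_start` and give the returned offset to `ubireader_extract_images -s`.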

Xiaomi has its feedback QQ group, you can get the firmware under test from there.

You can also try using deepl to translate what you want to say.

Due to the previous redmi ax6s internal test firmware leak, now the group owner can only feedback without any greater access.

2 Likes

The firmware goes up on the update servers a little while before showing up on the miwifi site.

It's a release channel image anyway, so usual restrictions apply.

You can still get uart access without beta images, so not too big a deal.

I'm not entirely sure what exactly causes a bungled recovery flash to get U-Boot menu working, probably a combination of them saving boot_wait=on before flash, in addition to bootdelay=3 in inbuilt defaults without specifying boot_wait=off as well. I just wonder if the same bug is present in this U-Boot version. (I don't have a dump of that since it wasn't in the image, and I only remember seeing it included in AX9000 developer images.)


And no, I don't believe they build with CONFIG_IP_DEFRAG on either, for those who read the writeup of CVE-2022-30790 :frowning: As fun as it would have been to use to patch instructions directly.

But it has 12 snaps, disassembly may permanently damage the snaps