Add OpenWrt support for Xiaomi "Redmi AX6000"

Bootlooped again. Here's what I see once out of ATF:

Init_DRAM:2480: init PCDDR4 dram End
EMI: complex real chip dram calibration
Verify pattern 1 (0x00~0xff)...
EMI: mem8_base[0] = pattern8 = 0x0
Verify pattern 2 (0x00~0xffff)...
EMI: mem16_base[0] = pattern16 = 0x0
Verify pattern 3 (0x00~0xffffffff)...
detect button reset released!
Reading from 0x0 to 0x5f7fdd8c, size 0x4 ... OK
Boot failure detected on both systems
Reading from 0x0 to 0x5f7fdd8c, size 0x4 ... OK
Saving Environment to MTD... Erasing on MTD device 'nmbm0'... OK
Writing to MTD device 'nmbm0'... OK
OK
Booting System 1
resetting ...

Lemme reset a few more things

setenv boot_fw1 run boot_rd_img\;bootm
and
setenv boot_rd_img2 nand read \$\{loadaddr\} 0x2C0000 2000\;image_blks 2048\;nand read \$\{loadaddr\} 0x2C0000 \$\{img_align_size\}

reset counters:
setenv flag_try_sys1_failed 0
setenv flag_try_sys2_failed 0

Dunno if this will hold though, because setting boot_fw1 and boot_rd_img2 as above didn't kick it out of boot loop. U-boot replacement might be a better option.

1 Like
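The reset commands above act on the same dual-system failure counters the bootloader log reports on ("Boot failure detected on both systems"). The following is an added example, not code from the thread or from OpenWrt: it reads a `fw_printenv`-style KEY=VALUE dump (u-boot-envtools), classifies the dual-boot state from `flag_try_sys1_failed` / `flag_try_sys2_failed`, and lists the `fw_setenv` calls that would zero the counters, as a dry run. The threshold `MAX_TRIES` is a hypothetical value, not the bootloader's real one, and the sample dump is constructed.

```python
"""Inspect the Xiaomi dual-system failure counters from OpenWrt userspace.

Added example, not from the thread. Assumptions: the environment is read
with `fw_printenv` (u-boot-envtools) as KEY=VALUE lines, and a system
counts as exhausted once its counter reaches MAX_TRIES. MAX_TRIES is
hypothetical; the real bootloader threshold is not stated on the page.
"""
import subprocess

MAX_TRIES = 3  # hypothetical threshold, not taken from the bootloader

# Constructed sample of `fw_printenv` output for offline use.
SAMPLE_ENV = """\
flag_try_sys1_failed=3
flag_try_sys2_failed=3
boot_fw1=run boot_rd_img;bootm
"""


def parse_env(text):
    """Parse KEY=VALUE lines into a dict; skip blanks and malformed lines."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def counter(env, name):
    """Return an env counter as int; missing or non-numeric counts as 0."""
    try:
        return int(env.get(name, "0"), 0)
    except ValueError:
        return 0


def boot_state(env, max_tries=MAX_TRIES):
    """Classify the dual-boot state from the two failure counters.

    Returns "ok", "sys1_failed", "sys2_failed" or "both_failed"; the last
    corresponds to the console message "Boot failure detected on both
    systems" quoted in the thread.
    """
    s1_bad = counter(env, "flag_try_sys1_failed") >= max_tries
    s2_bad = counter(env, "flag_try_sys2_failed") >= max_tries
    if s1_bad and s2_bad:
        return "both_failed"
    if s1_bad:
        return "sys1_failed"
    if s2_bad:
        return "sys2_failed"
    return "ok"


def reset_commands(env):
    """Return the fw_setenv invocations that would zero non-zero counters.

    Nothing is executed here; the caller decides whether to run them.
    """
    cmds = []
    for name in ("flag_try_sys1_failed", "flag_try_sys2_failed"):
        if counter(env, name) != 0:
            cmds.append(["fw_setenv", name, "0"])
    return cmds


def read_live_env():
    """Read the real environment via fw_printenv (needs /etc/fw_env.config)."""
    out = subprocess.run(["fw_printenv"], check=True,
                         capture_output=True, text=True)
    return parse_env(out.stdout)


if __name__ == "__main__":
    env = parse_env(SAMPLE_ENV)  # swap for read_live_env() on the router
    print("state:", boot_state(env))
    for cmd in reset_commands(env):
        print(" ".join(cmd))
```

On the device, replace `parse_env(SAMPLE_ENV)` with `read_live_env()`; the script only prints the reset commands so the operator can confirm the counters are really the cause before writing to the environment.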

This vulnerability is very useful: it can be exploited and SSH is enabled. Thanks for this constructive discovery.

1 Like

Look at this: https://pastebin.com/xzRXCbzU (Xiaomi RB03 bootloader boot algo)

1 Like

Getting a kernel panic running aiamadeus branch.

[   19.242444] ------------[ cut here ]------------                             
[   19.247061] WARNING: CPU: 0 PID: 352 at airtime_link_metric_get+0xd0/0x720 []
[   19.254914] Modules linked in: pppoe ppp_async nft_fib_inet nf_flow_table_ipc
[   19.255046]  em_u32 cls_u32 cls_tcindex cls_route cls_matchall cls_fw cls_flg
[   19.361160] CPU: 0 PID: 352 Comm: kworker/u8:4 Not tainted 5.15.67 #0        
[   19.367581] Hardware name: Xiaomi Redmi Router AX6000 (DT)                   
[   19.373046] Workqueue: phy1 ieee80211_ibss_leave [mac80211]                  
[   19.378617] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)  
[   19.385557] pc : airtime_link_metric_get+0xd0/0x720 [mac80211]               
[   19.391385] lr : airtime_link_metric_get+0x3c/0x720 [mac80211]               
[   19.397212] sp : ffffffc009853990                                            
[   19.400509] x29: ffffffc009853990 x28: 0000000000000000 x27: ffffff80028e4842
[   19.407625] x26: 000000000000008c x25: 0000000000000000 x24: ffffffc000b15d60
[   19.414740] x23: ffffff8001e21080 x22: ffffff80028e4838 x21: ffffff800395e8c0
[   19.421855] x20: 0000000000000000 x19: ffffff8000b15000 x18: ffffffc008db5450
[   19.428970] x17: 00000000ffffffff x16: 000000000000000c x15: 0000b03c9b486ad0
[   19.436085] x14: 0000000000000000 x13: 0000000000000020 x12: 0101010101010101
[   19.443201] x11: 7f7f7f7f7f7f7f7f x10: fefefefefefefeff x9 : 0000000000000000
[   19.450315] x8 : ffffffc009853cf8 x7 : 0000000000000000 x6 : 0000000000000000
[   19.457430] x5 : 000000000000000c x4 : ffffff80028e4842 x3 : 0000000000000000
[   19.464544] x2 : ffffff8001e21080 x1 : 0000000000000000 x0 : 0000000000000000
[   19.471660] Call trace:                                                      
[   19.474092]  airtime_link_metric_get+0xd0/0x720 [mac80211]                   
[   19.479572]  airtime_link_metric_get+0x134/0x720 [mac80211]                  
[   19.485140]  mesh_rx_path_sel_frame+0xf0/0xb30 [mac80211]                    
[   19.490534]  ieee80211_mesh_rx_queued_mgmt+0xec/0x110 [mac80211]             
[   19.496535]  ieee80211_ibss_leave+0xcf8/0x1aa4 [mac80211]                    
[   19.501929]  process_one_work+0x200/0x3b4                                    
[   19.505924]  worker_thread+0x17c/0x4dc                                       
[   19.509656]  kthread+0x11c/0x130                                             
[   19.512871]  ret_from_fork+0x10/0x20                                         
[   19.516433] ---[ end trace c0b320743ed897fe ]---                             
[   19.521450] ------------[ cut here ]------------                             
[   19.524516] mt7530 mdio-bus:1f lan1: Link is Up - 1Gbps/Full - flow control x
[   19.526054] WARNING: CPU: 2 PID: 352 at airtime_link_metric_get+0xd0/0x720 []
[   19.533538] br-lan: port 1(lan1) entered blocking state                      
[   19.541312] Modules linked in: pppoe ppp_async nft_fib_inet nf_flow_table_ipc
[   19.546527] br-lan: port 1(lan1) entered forwarding state                    
[   19.546528]  nft_reject_ipv6 nft_reject_ipv4 nft_reject_inet nft_reject_bridb
[   19.564096]  sha1_generic seqiv md5 des_generic libdes authencesn authenc leg
[   19.659619] CPU: 2 PID: 352 Comm: kworker/u8:4 Tainted: G        W         50
[   19.667427] Hardware name: Xiaomi Redmi Router AX6000 (DT)                   
[   19.672893] Workqueue: phy1 ieee80211_ibss_leave [mac80211]                  
[   19.678475] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)  
[   19.685416] pc : airtime_link_metric_get+0xd0/0x720 [mac80211]               
[   19.691244] lr : airtime_link_metric_get+0x3c/0x720 [mac80211]               
[   19.697071] sp : ffffffc009853990                                            
[   19.700369] x29: ffffffc009853990 x28: 0000000000000000 x27: ffffff80028e1842
[   19.707485] x26: 000000000000008c x25: 0000000000000000 x24: ffffffc000b15d60
[   19.714600] x23: ffffff8001e21080 x22: ffffff80028e1838 x21: ffffff800395e8c0
[   19.721714] x20: 0000000000000001 x19: ffffff8000b15000 x18: 0000000000000000
[   19.728830] x17: 0000000000000000 x16: 0000000000000002 x15: ffffffc008837660
[   19.735945] x14: 0000000000000000 x13: 0000000000000020 x12: 0101010101010101
[   19.743061] x11: 7f7f7f7f7f7f7f7f x10: 0000000000000001 x9 : 0000000000000000
[   19.750176] x8 : ffffffc009853cf8 x7 : 0000000000000000 x6 : 0000000000000000
[   19.757291] x5 : 000000000000000c x4 : ffffff80028e1842 x3 : 0000000000000000
[   19.764406] x2 : ffffff8001e21080 x1 : 0000000000000000 x0 : 0000000000000000
[   19.771522] Call trace:                                                      
[   19.773954]  airtime_link_metric_get+0xd0/0x720 [mac80211]                   
[   19.779436]  airtime_link_metric_get+0x134/0x720 [mac80211]                  
[   19.785004]  mesh_rx_path_sel_frame+0xf0/0xb30 [mac80211]                    
[   19.790398]  ieee80211_mesh_rx_queued_mgmt+0xec/0x110 [mac80211]             
[   19.796398]  ieee80211_ibss_leave+0xcf8/0x1aa4 [mac80211]                    
[   19.801792]  process_one_work+0x200/0x3b4                                    
[   19.805789]  worker_thread+0x17c/0x4dc                                       
[   19.809522]  kthread+0x11c/0x130                                             
[   19.812737]  ret_from_fork+0x10/0x20                                         
[   19.816298] ---[ end trace c0b320743ed897ff ]---

I have this as a mesh node.

1 Like
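The trace above repeats the same `airtime_link_metric_get` warning twice with the second one interleaved with unrelated switch-port messages, which is the typical shape of a serial log worth triaging mechanically. The following is an added example, not code from the thread: it parses WARNING blocks (location, module, CPU, taint, call-trace frames, trace id) out of a dmesg excerpt and counts distinct traces by their frame signature, so the reporter can say "one warning site, two occurrences" rather than paste both. The sample log is constructed from the trace in the post, with truncated fields filled in consistently.

```python
"""Summarise repeated kernel WARNING traces from a serial log.

Added example, not from the thread. It groups WARNING...end-trace blocks by
(location, call-trace frames) so repeated occurrences are counted, not
re-read. The sample log is constructed from the trace quoted in the post.
"""
import re
from collections import Counter

# Constructed excerpt modelled on the trace quoted above.
SAMPLE_LOG = """\
[   19.242444] ------------[ cut here ]------------
[   19.247061] WARNING: CPU: 0 PID: 352 at airtime_link_metric_get+0xd0/0x720 [mac80211]
[   19.361160] CPU: 0 PID: 352 Comm: kworker/u8:4 Not tainted 5.15.67 #0
[   19.367581] Hardware name: Xiaomi Redmi Router AX6000 (DT)
[   19.471660] Call trace:
[   19.474092]  airtime_link_metric_get+0xd0/0x720 [mac80211]
[   19.479572]  airtime_link_metric_get+0x134/0x720 [mac80211]
[   19.485140]  mesh_rx_path_sel_frame+0xf0/0xb30 [mac80211]
[   19.490534]  ieee80211_mesh_rx_queued_mgmt+0xec/0x110 [mac80211]
[   19.501929]  process_one_work+0x200/0x3b4
[   19.516433] ---[ end trace c0b320743ed897fe ]---
[   19.521450] ------------[ cut here ]------------
[   19.524516] mt7530 mdio-bus:1f lan1: Link is Up - 1Gbps/Full
[   19.526054] WARNING: CPU: 2 PID: 352 at airtime_link_metric_get+0xd0/0x720 [mac80211]
[   19.533538] br-lan: port 1(lan1) entered blocking state
[   19.659619] CPU: 2 PID: 352 Comm: kworker/u8:4 Tainted: G        W         5.15.67 #0
[   19.771522] Call trace:
[   19.773954]  airtime_link_metric_get+0xd0/0x720 [mac80211]
[   19.779436]  airtime_link_metric_get+0x134/0x720 [mac80211]
[   19.785004]  mesh_rx_path_sel_frame+0xf0/0xb30 [mac80211]
[   19.790398]  ieee80211_mesh_rx_queued_mgmt+0xec/0x110 [mac80211]
[   19.801792]  process_one_work+0x200/0x3b4
[   19.816298] ---[ end trace c0b320743ed897ff ]---
"""

TS = r"^\[\s*(?P<ts>\d+\.\d+)\]\s*"
WARN_RE = re.compile(TS + r"WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at "
                     r"(?P<loc>\S+)(?: \[(?P<mod>\w+)\])?")
TAINT_RE = re.compile(TS + r"CPU: \d+ PID: \d+ Comm: (?P<comm>\S+) "
                      r"(?P<taint>Not tainted|Tainted: \S+)")
CALL_RE = re.compile(TS + r"Call trace:")
FRAME_RE = re.compile(TS + r"(?P<sym>[A-Za-z_][\w.]*\+0x[0-9a-f]+/0x[0-9a-f]+)"
                      r"(?: \[(?P<mod>\w+)\])?\s*$")
END_RE = re.compile(TS + r"---\[ end trace (?P<id>[0-9a-f]+) \]---")


def parse_warnings(text):
    """Return one dict per WARNING ... end trace block found in the log."""
    events, cur, in_trace = [], None, False
    for line in text.splitlines():
        m = WARN_RE.match(line)
        if m:  # a new block starts; unrelated lines before it are ignored
            cur = {"ts": float(m["ts"]), "cpu": int(m["cpu"]),
                   "pid": int(m["pid"]), "location": m["loc"],
                   "module": m["mod"], "comm": None, "tainted": None,
                   "frames": [], "trace_id": None}
            in_trace = False
            continue
        if cur is None:
            continue
        m = TAINT_RE.match(line)
        if m:
            cur["comm"] = m["comm"]
            cur["tainted"] = not m["taint"].startswith("Not tainted")
            continue
        if CALL_RE.match(line):
            in_trace = True
            continue
        m = END_RE.match(line)
        if m:
            cur["trace_id"] = m["id"]
            events.append(cur)
            cur, in_trace = None, False
            continue
        if in_trace:  # interleaved non-frame lines are simply skipped
            m = FRAME_RE.match(line)
            if m:
                cur["frames"].append(m["sym"])
    return events


def signature(ev):
    """Key that identifies the same warning regardless of CPU or timestamp."""
    return (ev["location"], tuple(ev["frames"]))


def summarise(text):
    """Parse the log and count occurrences per distinct warning signature."""
    events = parse_warnings(text)
    return events, Counter(signature(ev) for ev in events)


if __name__ == "__main__":
    events, counts = summarise(SAMPLE_LOG)
    for (loc, frames), n in counts.items():
        print(f"{n}x WARNING at {loc}")
        for sym in frames:
            print("    ", sym)
```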

Looks like a mac80211 or mt76 issue.

Hi, can I ask a question? If it works with OpenWrt at last, can this router have two WAN ports?

Most likely yes, as this is usually not really hardware-specific.

1 Like

Hello, everyone. Have you all gone to the festival? Why is nobody discussing this project?

There’s preliminary support in a pull request up on OpenWrt GitHub. I think anyone who is willing to build it themselves and test it is simply still testing it.

I myself have been testing it and have found a few issues that don’t have a perfect solution yet, but it’s being worked on. Some of the discussion is in the PR.

1 Like

OK, you did great.

Okay seems like this is working perfectly now. Just pending approval to get merged in. Awesome job @remittor finding that bug and everyone else involved!

3 Likes

This sounds great, thanks everyone for their hard work on this. By "working perfectly" do you mean to say that OpenWrt is working with all features (subject to the usual disclaimers regarding the very bleeding-edge nature and limited testing of the current builds, of course), or just that the basics are working well, but there are still additional known issues/features that will need to be fixed before OpenWrt is running well on this router?

I ask because I need to order a new router quite soon and am now very tempted by this one, assuming there doesn't appear to be any big/obvious hurdles preventing a release OpenWrt build from appearing in the next few months or so. I came close to ordering an AX3200 but was put off by the slow AX performance as well as the longstanding squashfs bug.

Note that I'm new to OpenWrt but am a software dev with reverse engineering experience, so I'm not afraid to get my hands dirty with gaining SSH, compiling test/beta builds, and I appreciate there are still likely to be bugs etc.

Yes, the only issues I'm aware of are:

  1. LED on top doesn't work, just stays solid blue as there's no driver for it.
  2. 802.11ax performance on Apple (maybe more generally Broadcom devices) still sucks, but I don't think it's specific to MT76. See 802.11ax worse than 802.11ac with mt76 driver? - #110 by soxrok2212
    For reference, I did an iperf3 test between my Q-Hora 301w and a Redmi AX6000 connected via WDS and achieved just over 1 Gbit/s. I did also send Apple a bug report but it's not likely they're going to do anything about it.

Otherwise, yes, outside of its bleeding-edge nature all appears to work well.

1 Like

Brilliant, that was about what I thought, thanks for confirming. I'll go ahead and order one then :grinning:

1 Like

Be sure to follow the flash instructions here very precisely: https://github.com/openwrt/openwrt/pull/10690

I haven't tried the SSH flashing method, only UART/tftpboot, but the U-Boot env options are very important so U-Boot doesn't randomly break itself and require you to open up the case.

Some change may come later on to move the partitions around and keep the Xiaomi scheme for easy reverting, but I don't plan on going back to a firmware that calls back home, so I reclaimed all that space for myself. :wink:

Thanks, will do, I'm keeping an eye on that pull request already quite closely. I'm ordering from AliExpress to the UK, so by the time it finally arrives the install process no doubt will have changed a bit anyway :laughing: Like you, I'm unlikely to want to revert to stock firmware.

Which chip controls the LEDs?

For the second point, I have seen a similar low-performance problem with the updated firmware of the TP-Link 6088 with the same chip, but it has finally been solved (not sure, I do not have the machine).

Updated firmware as in proprietary MediaTek drivers?