Add OpenWrt support for Xiaomi "Redmi AX6000"

My friend helped dump it; I don't really know the process.

He tried to rewrite bdata to enable telnet or UART, but it couldn't boot.

Is there any method to enable telnet or UART?

I actually got it cleaned up with a script I found online and slightly modified: gist Original source: pdf

The syntax to use it is python3 script.py original_dump.bin arbitrary_name_for_cleaned_dump.bin. It'll basically just remove 64 bytes after every 2048 bytes. You're left with a clean image afterwards, which can be extracted with ubireader_extract_images and unsquashfs. Anyways, here's the cleaned up bin.

1 Like
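The OOB stripping described in the post above, sketched as an added example (this is not the script from the linked gist). The 2048/64 geometry comes from the post; the 128 KiB erase block size, the `UBI#` header check and all function names are assumptions made here, and the sample dump is constructed.

```python
PAGE_SIZE = 2048            # data bytes per NAND page (from the post)
OOB_SIZE = 64               # spare/OOB bytes after each page (from the post)
ERASE_BLOCK = 128 * 1024    # assumption: 64 pages per erase block
UBI_EC_MAGIC = b"UBI#"      # magic that starts a UBI erase-counter header


def strip_oob(raw, page_size=PAGE_SIZE, oob_size=OOB_SIZE):
    """Split a raw NAND dump into separate (data, oob) byte streams."""
    stride = page_size + oob_size
    if len(raw) == 0 or len(raw) % stride:
        raise ValueError(
            f"dump length {len(raw)} is not a multiple of {stride}; "
            "wrong page geometry or OOB already stripped")
    data, oob = bytearray(), bytearray()
    for off in range(0, len(raw), stride):
        data += raw[off:off + page_size]
        oob += raw[off + page_size:off + stride]
    return bytes(data), bytes(oob)


def ubi_block_offsets(data, erase_block=ERASE_BLOCK):
    """Erase-block-aligned offsets that begin with a UBI EC header.

    In a correctly stripped image these headers sit on block boundaries;
    in a dump that still contains OOB bytes they drift off alignment.
    """
    return [off for off in range(0, len(data), erase_block)
            if data[off:off + 4] == UBI_EC_MAGIC]


def build_sample_dump(blocks=3):
    """Constructed raw dump: block 1 starts with a UBI header, OOB is 0xFF."""
    pages_per_block = ERASE_BLOCK // PAGE_SIZE
    raw = bytearray()
    for b in range(blocks):
        for p in range(pages_per_block):
            page = bytearray(PAGE_SIZE)
            if b == 1 and p == 0:
                page[:4] = UBI_EC_MAGIC
            raw += page + b"\xff" * OOB_SIZE
    return bytes(raw)


if __name__ == "__main__":
    raw = build_sample_dump()
    data, oob = strip_oob(raw)
    print(len(raw), len(data), len(oob), ubi_block_offsets(data))
```

The same 2112:2048 ratio accounts for the 132M raw and 128M cleaned image sizes mentioned later in the thread.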

This depends if secure boot is enabled. If it is, it probably won't boot when you make changes as it seems you've discovered. Anyways, there's a file in usr/share/xiaoqiang/xiaoqiang-defaults.txt. Here are the contents:

bootcmd=bootxq
ipaddr=192.168.31.1
serverip=192.168.31.100
netmask=255.255.255.0
uart_en=0
telnet_en=0
boot_wait=off
restore_defaults=0
wl0_ssid=Xiaomi_5G
wl1_ssid=Xiaomi
wl0_radio=1
wl1_radio=1
model=RB06
flag_boot_type=2
mode=Router
no_wifi_dev_times=0
arch=arm
baudrate=115200
boot_auto=bootxq
boot_fw0=run boot_rd_img;bootm
boot_fw1=run boot_rd_img2;bootm
boot_rd_img=nand read ${loadaddr} 0x2C0000 2000;image_blks 2048;nand read ${loadaddr} 0x2C0000 ${img_align_size}
boot_rd_img2=nand read ${loadaddr} 0x20C0000 2000;image_blks 2048;nand read ${loadaddr} 0x20C0000 ${img_align_size}
bootmenu_0=Startup system (Default)=mtkboardboot
bootmenu_1=Upgrade firmware=mtkupgrade fw
bootmenu_2=Upgrade ATF BL2=mtkupgrade bl2
bootmenu_3=Upgrade ATF FIP=mtkupgrade fip
bootmenu_4=Upgrade single image=mtkupgrade simg
bootmenu_5=Load image=mtkload
bootmenu_delay=5
bootdelay=2
ethaddr=00:0C:E7:11:22:33
fdt_high=0x6c000000
invaild_env=no
loadaddr=0x46000000
fdtcontroladdr=5ffc7600
stderr=serial@11002000
stdin=serial@11002000
stdout=serial@11002000

Perhaps if you could set uart_en to 1 or telnet_en to 1 you could get in (again if it boots).

Calling in @namidairo here...

Thank you, I will try it later.

1 Like

I have changed the bdata (set ssh_en=1 telnet_en=1 uart_en=1) and flashed it back. Secure boot passed and it boots normally, but unfortunately telnet and UART still stay disabled.

The same method works on earlier Xiaomi routers, such as Xiaomi AX9000, Xiaomi AX6000, Xiaomi AX3600 and Redmi AX3200.

But it doesn't work on the Redmi AX6000; perhaps Xiaomi has changed the firmware to keep users from hacking it.

1 Like

If I try to edit usr/share/xiaoqiang/xiaoqiang-defaults.txt, that means I need to unpack the dumped ROM, pack it back to 128M, then add the OOB data back (the file would be up to 132M), then flash it back.

But I don't really know how to do it.

Here is clean bin (bdata_edited 128M):
https://drive.google.com/file/d/1nJaRqWmatBSU7VPxUn0LBKVbXBsrBP7X/view?usp=sharing

Here is nand flash bin (bdata_edited 132M):
https://drive.google.com/file/d/1t7GtRLpuiKNQFHONU5xdFOhwDbsxXaQ8/view?usp=sharing

2 Likes

Did you check SSH after this? Also, it looks like there is a boot script that resets the bdata after boot -- that might be why it didn't work. See /lib/preinit/31_restore_nvram and preinit documentation for more info on that. Looks like that script runs right after the kernel loads.

If you look at /etc/init.d/dropbear at the start_service routine, you'll see it checks /usr/share/xiaoqiang/xiaoqiang_version for the channel (aka dev/beta/release) that the build is. If it is release, it will not enable ssh. Otherwise, it will (I believe in conjunction with bdata having it enabled? and hopefully nothing else) enable ssh.

1 Like

You can try to restore factory.

Thanks for the hard work, experts, looking forward to it~~~~

Looking forward to OpenWrt supporting the Redmi AX6000 as soon as possible :kissing_heart:

The preferred language in the OpenWrt forum is English.
When writing in your native language, please always provide an English translation.
This way other users all around the world can take part in the discussion and possibly benefit from the outcome, without having to use a translator.

Thanks! :slight_smile:

2 Likes

It seems he/she can’t wait to get OpenWrt adapted to that router.

If that happens, his/her message is not a big technical help anyway.

1 Like

I have the test version of the firmware here. Is it helpful? Version for 1.2.7.

It was found on a user test group in China.

Just upload it here, I think someone will be interested and it might be a breakthrough.

This is my first time using this forum. May I ask how to upload?

Upload to a netdrive (Google Drive, Mega, etc.) and send the link here, or Baidu Pan if you're from China. I will reupload it somewhere and hope this test firmware will help.

I am not good at soldering; my friend helped add a WSON chip holder to the router.

I will keep trying after I get the router from him.

He has already tried to restore it to factory, but it still didn't work.

1 Like

This is the latest official beta firmware
https://drive.google.com/file/d/1z16gO0sykEallne3MwRwlYXrQ3MAMgSA/view?usp=sharing