Add OpenWrt support for Xiaomi "Redmi AX6000"

This is the latest official beta firmware, from the official test group chat: Redmi AX6000 1.2.8
https://drive.google.com/file/d/1z16gO0sykEallne3MwRwlYXrQ3MAMgSA/view?usp=sharing

1 Like

I checked a few places in the FW, looks like SSH/UART still disabled but I'll install tonight/this week and test on a real system to verify.

As far as I know, the Redmi AX6000 firmware released by Xiaomi will not enable SSH, even the internal version. Therefore, the only way will be to crack it.

I checked the files you dumped. What you modified was the nvram, not the bdata. You can try to mod the raw bin at 0x5AC000 as A5 5A 00 00. Check whether the factory mode is turned on! In the factory mode ssh, telnet and uart are forced enabled. Finally, hope for success!

I have already got telnet and ssh enabled now!

Here is the whole process:
1. Dump the flash with CH341A (128mb)

2. Edit "telnet_en=0 ssh_en=0 uart_en=0" to "telnet_en=1 ssh_en=1 uart_en=1" at 140690-140691

3. Then select 140004-14FFFF, make CRC32 verify, I get verify code 3A353E50

4. Edit 140000 - 140003 with 50 3E 35 3A (reverse order of the CRC32 verify code)

5. Flash it back with CH341A; if it boots normally, restore the system to factory.

6. You would get TELNET after restarting; type this with telnet to enable SSH:
sed -i 's/channel=.*/channel="debug"/g' /etc/init.d/dropbear
/etc/init.d/dropbear start

11 Likes
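The checksum layout from the steps above, as an added example that is not part of the original posts: it checks the CRC32 stored at 0x140000 against the bytes at 0x140004-0x14FFFF of a dump and reports the three flags, a useful check before an edited image is written back. It assumes a standard (zlib) CRC-32 and NUL-separated `key=value` entries as in a U-Boot environment; `seal`, `audit_bdata` and `sample_dump` are hypothetical names and the sample dump is constructed.

```python
import struct
import zlib

# Assumed: zlib CRC-32 and NUL-separated key=value entries (U-Boot env style).
BDATA_OFFSET = 0x140000  # block start, from the post
BDATA_SIZE = 0x10000     # 0x140000-0x14FFFF
FLAGS = ("telnet_en", "ssh_en", "uart_en")


def seal(payload: bytes) -> bytes:
    """Prefix payload with its CRC32, low byte first (steps 3 and 4)."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF) + payload


def audit_bdata(dump: bytes) -> dict:
    """Check the stored checksum and report the debug flags in a flash dump."""
    block = dump[BDATA_OFFSET:BDATA_OFFSET + BDATA_SIZE]
    if len(block) != BDATA_SIZE:
        raise ValueError("dump is too short to contain the bdata block")
    stored = struct.unpack_from("<I", block)[0]
    computed = zlib.crc32(block[4:]) & 0xFFFFFFFF
    env = {}
    for entry in block[4:].split(b"\x00"):
        if not entry:  # an empty entry marks the end of the variables
            break
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode("ascii", "replace")] = value.decode("ascii", "replace")
    return {"crc_ok": stored == computed,
            "stored": f"{stored:08X}", "computed": f"{computed:08X}",
            "flags": {name: env.get(name) for name in FLAGS}}


def sample_dump(value: str) -> bytearray:
    """Constructed dump: 0xFF filler plus a small bdata block (not real data)."""
    env = b"".join(f"{n}={value}".encode() + b"\x00" for n in FLAGS) + b"\x00"
    payload = env.ljust(BDATA_SIZE - 4, b"\x00")
    return bytearray(b"\xff" * BDATA_OFFSET + seal(payload))


if __name__ == "__main__":
    dump = sample_dump("0")
    print(audit_bdata(bytes(dump)))
    # One flag changed without touching the checksum: the block stops verifying.
    pos = dump.find(b"ssh_en=0") + len(b"ssh_en=")
    dump[pos] = ord("1")
    print(audit_bdata(bytes(dump)))
    # The CRC is unkeyed, so recomputing it over 0x140004-0x14FFFF verifies again.
    dump[BDATA_OFFSET:] = seal(bytes(dump[BDATA_OFFSET + 4:]))
    print(audit_bdata(bytes(dump)))
```
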

Awesome!! I guess this means that secure boot is not enabled. Now we need to see about getting a build for this.

Are you capable of getting the full UART logs?

Secure boot is enabled, it would check the CRC32 code at the first 4 digits of bdata

Here are the full UART logs:
https://drive.google.com/file/d/1A6HaJcQ3blJGNQlNaT2rx3FtcQcZ6s7p/view?usp=sharing

2 Likes

If we get ssh, we could use the nvram command to set boot order

We could boot openwrt directly if we flash it to the backup rootfs, then set boot order to the backup one

Redmi AX3200 (AX6S) could boot openwrt with this method

2 Likes

If we get ssh, we could use the nvram command to set boot order

Are you saying this in the context of a stock device without having to write back the flash chip? Otherwise seems like you already have it.

I'm not super familiar with secure boot, but AFAIK CRC32 != secure boot. CRC32 is to make sure the data is not corrupted. Secure boot validates an image based on a signature/hash. If the signature can't be validated, it won't boot.

Will also likely need to wait until next LTS kernel is brought over. 22.03 release candidates are on 5.10. Most MT7986 work is on 5.17+ https://lore.kernel.org/lkml/?q=mt7986

Probably wouldn't be worth backporting everything...

1 Like

MT7896 is supported by this source code:

Maybe you could give it a try!

Actually SSH is already enough for me, for Xiaomi's firmware is based on OpenWrt

2 Likes

My CH341A just came in the other day, I'll try to carve out some time this week!

Looks like MT7986 was actually backported! https://github.com/openwrt/openwrt/commit/a96382c1bb204698cd43e82193877c10e4b63027

I've started prepping some changes locally to hopefully test soon. I also caved and ordered a WSON-8 clip as the Fly-By-Wire board isn't working too great. Hopefully it works.

Do not use this yet. Looking for feedback from those with experience here.

I was able to produce an image from this, would need to prep a few more things and shake test it.

2 Likes

That's just the uboot checksum. It exists basically everywhere there's a env partition.

You appear to have defined DEVICE_ALT0_VENDOR and DEVICE_ALT0_MODEL. Those are just to spit out images with different model name when you have multiple models that are basically identical in implementation and just need a model rename. Since I believe they don't make any other similar hardware, this shouldn't be needed.

I haven't looked too closely at the rest of it + the dts, so there's probably things you need to iron out once you get uboot tftp boot working in order to test images.

I also vaguely remember there being an RGB light bar or similar. That'll most likely need some looking at later.

2 Likes

Thanks for the feedback!

I'll remove the ALT defines.

Working on the dts now based on your AX6S commit, the bpi-r3 commit and what I can find online. Will need to debug GPIO when I can unlock mine (and may need some assistance with that).

Yep, there's an RGB bar on the top of it. I've only ever seen it be 2 colors: blue or amber. Think I got those right now. Will push my changes in a bit.

2 Likes

There are a few different colours defined in the stock dts. I'm not entirely sure if those were just presets or it's just a bar with a select few colours. It's on the SPI bus so, I have little experience there. Either dig out the oscilloscope or reverse engineer whatever driver they have for it in the stock image.

2 Likes

Will likely have to be the latter, don't have an o-scope atm.

Here's a question for you though, the AX6S uses snfi: https://github.com/openwrt/openwrt/blob/a96382c1bb204698cd43e82193877c10e4b63027/target/linux/mediatek/dts/mt7622-xiaomi-redmi-router-ax6s.dts#L218-L315

Whereas the AX6000 uses spim: https://github.com/soxrok2212/openwrt/blob/master/target/linux/mediatek/dts/mt7986a-xiaomi-redmi-router-ax6000.dts#L872-L936

How would one go about that? As simple as

&spim {
 ...
};

?

Not too many references online, only in MT7986 docs but there's also no other dts to reference.

2 Likes

I found the ZyXEL NWA50AX which appears to also use NMBM. The node used there is just &nand with a few options. I'm not sure which exactly to set.

Otherwise, I began creating the flash layout based on the OEM layout from @lostinfever's bootlog.

I based this on the AX6S OEM Flash Layout and did similar things like squashing down ubi and overlay partitions (like so on the AX6S).

Not sure if this is even right, but also wondering where the Nvram partition goes to if it's replaced by u-boot-env.

They don't make this part easy! (and I don't expect it to be). Looking for more feedback from experienced members again!

1 Like

I have a Redmi AX5400. How can I contribute? I really want to install openwrt on it.

Right now it’s a matter of building a device tree source for it. MT7986a looks to be supported in OpenWrt master. I have a colleague teaching me a little about that.

Best step someone could tackle would be trying to find a way that doesn’t involve overwriting flash to unlock UART.

FYI this is for the Redmi AX6000. Not the same as a 5400