Adding OpenWrt support for Xiaomi AX3600 (Part 1)

It's not exploitable on the AX3600 to the extent of RCE. Or if it is, it's beyond my level.

You'll probably have to do some horrible NAND reprogramming, and that's assuming the IPQ8071A does not possess some form of verified boot chain enabled.

I doubt that secure boot is enabled; last time I checked, the QCA U-Boot fork did not have support for it at all.
Yeah, since there is no SPI-NOR onboard, it's a pain, since if U-Boot UART is disabled then you are only left with the parallel NAND.

I would love to get one of these to start on IPQ807x support, but they are not available in Europe and there is no GPL

Do you think it'll be possible to use the separate IoT antenna of this router in a way the stock firmware does? As in using it to span a second wifi network for IoT devices?

Guess it would work if it's exposed as 2 additional radios for 2.4 and 5 GHz.

Yes, since "IOT" is just a QCA9889 as the third radio.

Are you sure it's just exposed as one radio? Asking because it's a dual band chip.

By radio I meant physical radio; if it's configured for concurrent dual band then it will be exposed as 2 interfaces.

So.. Is there any possible way to get the ssh on this router now?

I'm just curious what functionality (services) you use from OpenWrt to have an external 'router' (OrangePi)
instead of just using such a powerful CPU in this Xiaomi?

Uhm it's mostly for some split-tunneling VPN service. The stock Xiaomi firmware does support VPN, but no extended functionality (such as changing server or using shadowsocks).


Got one on order!

Here is the instruction set for this SoC:

If it's helpful, this is the marketing material for the SoC from Qualcomm:

And this leads us to the question: if and when can OpenWrt support the Qualcomm IPQ8071A?

That mostly depends on getting boards to work on as there is upstream support for a decent amount of the IPQ807x series including the wireless driver.

But, as long as boards cost 300+ EUR nobody is gonna be buying those.
And this Xiaomi board is unavailable anywhere else than China.

Anywhere else than known Chinese portals. True, it is more expensive, but you can get one for about 120$.

Yeah, it's 120 USD + 20-30 USD for shipping, then it's at best a couple of weeks of waiting.
And then I have to pay 25% VAT on it because it's over 22 EUR, so in the end it's more like 185 USD.


Still the cheapest AX3600 router on the planet! :smiley:


I'm very tempted to buy this. However the uncertainty of BL lock status is really holding me back, if it's locked then that would greatly reduce its usefulness.
There isn't much progress getting 3rd party firmware on it, it seems.

Actually bought with shipping to Europe for a total of 100 EUR.

I found some internal pictures on a Chinese blog:

The pin header on the left side could be a serial port; the quality of the photos is not very good.

Can you share where from?
That's about the limit I can pay.

Interesting they are using an ath10k radio in addition to the ath11k targets.

I've reached the same conclusion with my rt-ax89x; best to have a separate .ac only device mopping up old n and ac devices rather than put them onto the ax radio.