Adding OpenWrt support for Xiaomi AX3600 (Part 1)

Don't know where beagleboys bought it but in aliexpress the price is about 105€ with free shipping:

Here, in Spain, is quite rare to pay the VAT because the customs office does not inspect the parcels.

I got one. it is indeed running openwrt already, although heavily modified (called MiWiFi). UI seems based on LuCI. But it's all in Chinese and configuration options are minimal. So I'd really like an actual stock openwrt running there.

So when do we see a serial boot log?

When someone figure out how to edit boot parameters I guess.
Currently the console is disabled.

If someone is desperate enough they might be able to dump/flash the nand with a teensy or something.

Does it have SPI-NOR or only NAND?

Because if it has a SPI-NOR they U-boot and its env will be there and the env can be easily edited.

NAND on the other hand is much more complex to dump

It's NAND only.
No idea if there's a SPI header unpopulated.

Well, without UART or root shell its pretty much no go for development.
Does the PPP vulnerability for reverse shell maybe work?

Apparently not.
It also seems to have more advanced security features enabled, like ASLR.

Not very sure about these though.

Can anyone make some high res pics of the mainboard?

Highest I can find
There appears to be an SPI header after all. Whether usable or not, no idea.


Yeah, that unpopulated 8 pin header above NAND suspiciously looks like a traditional place for SPI-NOR.
I would bet that its fully connected since they most likely developed the SW with it in place and have not bothered to respin the board.

But, even if its connected we would still need to find the bootstrap resistors to force SPI as boot media instead.
Having a summary datasheet would really help here.

Maybe it's marked somewhere on the board hah

Well, it would not be the first time.
Usually there is a lot of development time stuff left on the boards

Do previous QC SoCs also use a resistor for boot device selection?

Well, they dont use resistors directly.
All they care about is whether there is a 0 or 1 at power on.
So you would use resistors to pull the pins high or low.
They have been doing it like that forever maybe refer this? but you still only get GPIOxx is for bootstrapping

Yeah, at least summary datasheet is needed

well, vendor is claiming that firmware is OpenWRT based

Intelligent router operating system MiWiFi ROM based on OpenWRT deep customization

Well, of of QCA products run their QSDK which is an old fork of 15.05.1, that has not so much resemblance of OpenWrt

1 Like