Adding OpenWrt support for Xiaomi AX3600 (Part 1)

It would probably be easier to reflash the NAND with an adaptor than use JTAG

Yes, I saw those adapters for ~30+ EUR. But then I would need also a programmer for like 70+ EUR. On top I have the risk I could fail.
A used unit I can get for ~60 EUR on ebay.

Or sth. like NandLite for ~40 EUR and desoldering the chip. I can solder but not like a god ... More like a butcher. :smiley:

BTW.: How this was happen. For interested and reference.

I've made a new build and used sysupgrade via OpenWrt GUI accidently (did that in the past already ... no big deal I've thought). So I've setup TFTP for recovery. But something went wrong or was wrong already. I have no clue what. The unit was just dead (Bootloader has gone).


I built custom image, based on latest snapshot, that has caused kernel panic.

Jumping to AARCH64 kernel via monitor
[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034]
[    0.000000] Linux version 5.15.68 (mint@Mint) (aarch64-openwrt-linux-musl-gcc (OpenWrt GCC 11.3.0 r0-5512efe) 11.3.0, GNU ld (GNU Binutils) 2.37) #0 SMP Sun Sep 18 20:45:49 2022
[    0.000000] Machine model: Dynalink DL-WRX36
[    0.000000] Zone ranges:
[    0.000000]   DMA      [mem 0x0000000040000000-0x000000007fffffff]
[    0.000000]   DMA32    empty
[    0.000000]   Normal   empty
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000040000000-0x0000000040ffffff]
[    0.000000]   node   0: [mem 0x0000000041000000-0x000000004a3fffff]
[    0.000000]   node   0: [mem 0x000000004a400000-0x00000000510fffff]
[    0.000000]   node   0: [mem 0x0000000051100000-0x000000007fffffff]
[    9.153356] ath11k c000000.wifi: qmi ignore invalid mem req type 3
[    9.158357] ath11k c000000.wifi: chip_id 0x0 chip_family 0x0 board_id 0xff soc_id 0xffffffff
[    9.163814] ath11k c000000.wifi: fw_version 0x250a04a5 fw_build_timestamp 2021-12-20 07:09 fw_build_id WLAN.HK.
[    9.172866] kmodloader: done loading kernel modules from /etc/modules.d/*
[   11.208204] br-lan: port 1(eth1) entered blocking state
[   11.208242] br-lan: port 1(eth1) entered disabled state
[   11.212535] device eth1 entered promiscuous mode
[   11.236808] br-lan: port 2(eth2) entered blocking state
[   11.236852] br-lan: port 2(eth2) entered disabled state
[   11.241170] device eth2 entered promiscuous mode
[   11.252824] br-lan: port 3(eth3) entered blocking state
[   11.252867] br-lan: port 3(eth3) entered disabled state
[   11.257591] device eth3 entered promiscuous mode
[   11.269059] br-lan: port 4(eth4) entered blocking state
[   11.269103] br-lan: port 4(eth4) entered disabled state
[   11.273499] device eth4 entered promiscuous mode
[   12.043403] br-lan: port 5(wlan0) entered blocking state
[   12.043447] br-lan: port 5(wlan0) entered disabled state
[   12.048170] device wlan0 entered promiscuous mode
[   12.053150] br-lan: port 5(wlan0) entered blocking state
[   12.057701] br-lan: port 5(wlan0) entered forwarding state
[   12.063383] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
[   12.069036] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan.12: link becomes ready
[   12.075069] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan.13: link becomes ready
[   12.093230] br-lan: port 6(wlan1) entered blocking state
[   12.093278] br-lan: port 6(wlan1) entered disabled state
[   12.097918] device wlan1 entered promiscuous mode
[   12.103030] br-lan: port 6(wlan1) entered blocking state
[   12.107562] br-lan: port 6(wlan1) entered forwarding state
[   12.206129] br-lan: port 5(wlan0) entered disabled state
[   12.206473] br-lan: port 6(wlan1) entered disabled state
[   12.315398] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[   12.315640] br-lan: port 6(wlan1) entered blocking state
[   12.320918] br-lan: port 6(wlan1) entered forwarding state
[   12.480404] br-lan: port 7(wlan1-1) entered blocking state
[   12.480448] br-lan: port 7(wlan1-1) entered disabled state
[   12.485000] device wlan1-1 entered promiscuous mode
[   12.492095] br-lan: port 7(wlan1-1) entered blocking state
[   12.495043] br-lan: port 7(wlan1-1) entered forwarding state
[   12.542016] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1-1: link becomes ready
[   13.227563] Unable to handle kernel paging request at virtual address ffff000000010018
[   13.227608] Mem abort info:
[   13.234367]   ESR = 0x96000004
[   13.237160]   EC = 0x25: DABT (current EL), IL = 32 bits
[   13.240191]   SET = 0, FnV = 0
[   13.245653]   EA = 0, S1PTW = 0
[   13.248562]   FSC = 0x04: level 0 translation fault
[   13.251560] Data abort info:
[   13.256435]   ISV = 0, ISS = 0x00000004
[   13.259544]   CM = 0, WnR = 0
[   13.263103] [ffff000000010018] address between user and kernel address ranges
[   13.266266] Internal error: Oops: 96000004 [#1] SMP
[   13.273351] Modules linked in: pppoe ppp_async nft_fib_inet nf_flow_table_ipv6 nf_flow_table_ipv4 nf_flow_table_inet ath11k_ahb ath11k wireguard pppox ppp_generic nft_reject_ipv6 nft_reject_ipv4 nft_reject_inet nft_reject_bridge nft_reject nft_redir nft_quota nft_objref nft_numgen nft_nat nft_meta_bridge nft_masq nft_log nft_limit nft_hash nft_fwd_netdev nft_flow_offload nft_fib_ipv6 nft_fib_ipv4 nft_fib nft_dup_netdev nft_ct nft_counter nft_compat nft_chain_nat nf_tables mac80211 libchacha20poly1305 iptable_raw iptable_nat iptable_mangle iptable_filter ipt_REJECT ipt_ECN ip_tables chacha_neon cfg80211 xt_time xt_tcpudp xt_tcpmss xt_statistic xt_state xt_recent xt_nat xt_multiport xt_mark xt_mac xt_limit xt_length xt_hl xt_helper xt_ecn xt_dscp xt_conntrack xt_connmark xt_connlimit xt_connbytes xt_comment xt_TCPMSS xt_REDIRECT xt_MASQUERADE xt_LOG xt_HL xt_DSCP xt_CT xt_CLASSIFY x_tables ts_fsm ts_bm slhc sch_cake qrtr_smd qrtr qmi_helpers poly1305_neon ns nfnetlink nf_reject_ipv6
[   13.273487]  nf_reject_ipv4 nf_nat_tftp nf_nat_snmp_basic nf_nat_sip nf_nat_pptp nf_nat_irc nf_nat_h323 nf_nat_ftp nf_nat_amanda nf_nat nf_log_syslog nf_flow_table nf_dup_netdev nf_conntrack_tftp nf_conntrack_snmp nf_conntrack_sip nf_conntrack_pptp nf_conntrack_irc nf_conntrack_h323 nf_conntrack_ftp nf_conntrack_broadcast nf_conntrack_bridge ts_kmp nf_conntrack_amanda nf_conncount netatop libcurve25519_generic libchacha hwmon crc_ccitt compat asn1_decoder sch_teql sch_sfq sch_multiq sch_gred sch_fq sch_dsmark sch_codel em_text em_nbyte em_meta em_cmp act_simple act_pedit act_csum libcrc32c act_connmark nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 sch_tbf sch_ingress sch_htb sch_hfsc em_u32 cls_u32 cls_tcindex cls_route cls_matchall cls_fw cls_flow cls_basic act_skbedit act_mirred act_gact ifb ip6_udp_tunnel udp_tunnel autofs4 seqiv jitterentropy_rng drbg michael_mic hmac cmac leds_gpio xhci_plat_hcd xhci_pci xhci_hcd dwc3 dwc3_qcom qca_nss_dp qca_ssdk gpio_button_hotplug crc32c_generic
[   13.429761] CPU: 2 PID: 3733 Comm: modprobe Not tainted 5.15.68 #0
[   13.451997] Hardware name: Dynalink DL-WRX36 (DT)
[   13.458158] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   13.462935] pc : string+0x54/0x104
[   13.469698] lr : vsnprintf+0x180/0x780
[   13.473171] sp : ffffffc00eaebaf0
[   13.476904] x29: ffffffc00eaebaf0 x28: 0000000000000d8b x27: 00000000ffffffd8
[   13.480296] x26: ffffffc008814078 x25: ffffffc00eaebc30 x24: ffffff800332f275
[   13.487413] x23: ffffff8003330000 x22: ffffffc00894d44a x21: 0000000000000002
[   13.494531] x20: ffffff800332f275 x19: ffffffc00894d44a x18: 0000000000000020
[   13.501650] x17: 0000000000000000 x16: 0000000000000000 x15: ffffff8003330000
[   13.508769] x14: 0000000000000000 x13: ffffffc00eaebc30 x12: ffffffc00eaebc30
[   13.515887] x11: 00000000ffffffd0 x10: ffffffc00eaebc00 x9 : ffffffc00eaebc30
[   13.523005] x8 : 00000000ffffffff x7 : 0000000000000064 x6 : ffffff8003330000
[   13.530123] x5 : ffffffffffffffff x4 : 0000000000000000 x3 : ffff0a00ffffff04
[   13.537240] x2 : ffff000000010018 x1 : 0000000000000000 x0 : ffffff800332f275
[   13.544360] Call trace:
[   13.551468]  string+0x54/0x104
[   13.553724]  vsnprintf+0x180/0x780
[   13.556850]  seq_printf+0x94/0xc0
[   13.560236]  m_show+0xa4/0x220
[   13.563621]  seq_read_iter+0x3a0/0x4a0
[   13.566575]  seq_read+0xc4/0x100
[   13.570306]  proc_reg_read+0x30/0x100
[   13.573692]  vfs_read+0x90/0x1ac
[   13.577249]  ksys_read+0x58/0xe0
[   13.580548]  __arm64_sys_read+0x1c/0x30
[   13.583761]  invoke_syscall.constprop.0+0x5c/0x104
[   13.587323]  do_el0_svc+0x74/0x16c
[   13.592181]  el0_svc+0x18/0x54
[   13.595566]  el0t_64_sync_handler+0xa4/0x130
[   13.598606]  el0t_64_sync+0x184/0x188
[   13.603035] Code: 91000400 110004e1 eb08009f 540000c0 (38646845)
[   13.606598] ---[ end trace ef18441dc2e14cf3 ]---
[   13.612671] Kernel panic - not syncing: Oops: Fatal exception
[   13.617359] SMP: stopping secondary CPUs
[   13.623004] Kernel Offset: disabled
[   13.626990] CPU features: 0x00000000,00000802
[   13.630205] Memory Limit: none
[   13.634717] Rebooting in 3 seconds..

EDIT: I had made to many changes to figure out what triggered it so I reverted back, successfully, to image built using robimarko's basic .config.

EDIT2: is it possible to expand rootfs on Dynalink WRX36 as it's done on AX3600/AX6 with @Ansuel patch?

FYI, just another data point, I have tried to sysupgrade through luci many times (unsuccessfully) w/o messing up anything (Dynalink WRX-36).

I applied single partition via UART. Is it sure it's applied correctly?
Why remain mtd13:rootfs_1?

OpenWrt SNAPSHOT, r20752-19d9c887b9

root@OpenWrt:~# cat /proc/mtd
dev: size erasesize name
mtd0: 00100000 00020000 "0:sbl1"
mtd1: 00100000 00020000 "0:mibib"
mtd2: 00300000 00020000 "0:qsee"
mtd3: 00080000 00020000 "0:devcfg"
mtd4: 00080000 00020000 "0:rpm"
mtd5: 00080000 00020000 "0:cdt"
mtd6: 00080000 00020000 "0:appsblenv"
mtd7: 00100000 00020000 "0:appsbl"
mtd8: 00080000 00020000 "0:art"
mtd9: 00080000 00020000 "bdata"
mtd10: 00080000 00020000 "crash"
mtd11: 00080000 00020000 "crash_syslog"
mtd12: 023c0000 00020000 "rootfs"
mtd13: 023c0000 00020000 "rootfs_1"
mtd14: 01ec0000 00020000 "overlay"
mtd15: 00080000 00020000 "rsvd0"

I'm curious where everyone got the board-2.bin to compile the latest for AX3600? I poked around and found a couple that I tried and with both the router appeared to boot all the way into openwrt but was completely inaccessible via all network mechanisms. I had to boot into failsafe mode and delete it to get the device to be accessible, but then the ath11k doesn't work.

As the BDF is only needed for WIFI, so even with an incorrect or missing BDF your wired connectivity should work. You can even upload it later if it is missing or incorrect, or you just want to try other BDFs (for whatever reason).

Well I have not really a clue. Every time I made a sysupgrade through LuCI GUI the router didn't came up again. I had to use TFTP recovery every single time. You would imply that this was/is not normal? I just thought it is not implemented yet and didn't investigate further. But that was not an issue at all. TFTP was working every time reliable and I'm sure I didn't something wrong with this "oneliner".

EDIT: Well, now I understand why I had to use TFTP recovery every time.

Is telling:

  • Use ubiformat to flash the UBI image:
    ubiformat /dev/mtd12 -y -f /tmp/openwrt-ipq807x-generic-xiaomi_ax3600-squashfs-nand-factory.ubi
    ubiformat /dev/mtd13 -y -f /tmp/openwrt-ipq807x-generic-xiaomi_ax3600-squashfs-nand-factory.ubi

Please confirm that mtd12 and mtd13 are the correct indexes.

  • reboot

After that regular sysupgrade can be used.

Well, I've missed that part. :confused:

My best guess for the current situation is that I had a power issue during TFTP recovery. The wires in this house are old and I didn't pay attention after pressing reset button (left the room for some coffee :smiley: ). Anyway ... the device is dead. I don't want to waste more time on this.

I have taken some pictures. In case someone want them to add to the wiki. Due to link limitations in posting ... Just quoted ...

Kind regards.












1 Like

Hi there,

I'm hoping somebody can help me here.
I installed a modified original firmware on ax3600 a year ago or so. It's been modified to have persistent ssh.
Now I want to install openwrt but sadly I forgot my ssh password, and because of persistent patch factory reset doesn't reset it.
Does someone knows how I can reset/recover ssh access to flash openwrt?

Have you tried the method to gain ssh access again to see if it changes the password? Or the tftp recovery? Both methods are in the wiki.


You also could just flash the original firmware and exploit ssh again. Remember it has to be fw v1.0.17 to exploit ssh.

If you have used xqrepack/geekman and you didn't modify the script just reset your device. root password is: "password" (without quotes).


I installed on one partition. However, when I did sysupgrade, the router bricked. below link openwrt.

Is it possible sysupgrade?

never done that since there are 2 partitions - one for kernel, second for roots. I've upgraded (in my case) both partitions by:

ubiformat /dev/mtd11 -f /tmp/openwrt-ipq807x-generic-xiaomi_ax3600-squashfs-nand-factory-kernel.ubi
ubiformat /dev/mtd12 -f /tmp/openwrt-ipq807x-generic-xiaomi_ax3600-squashfs-nand-factory-rootfs.ubi
1 Like

Downgrading and enabling ssh again did the trick, thanks!

Applied Ansuel's single rootfs several months ago and sysupgrading every week based on robimarko repo but you need to apply Ansuel´s patch on top of it. You cannot just do single rootfs and then sysupgrade to others repo's without patch to enlarge rootfs. You will softbrick device.


thank you for your rply.

then, it is impossible using other's repo.

Ansuel's build not include kmod-tune, I can't install openvpn and wireguard vpn.

thank you for reply.

I had been applied new partition.
Is it other patch?
I had been applied ipq807x-2022-09-05-1907.

 OpenWrt SNAPSHOT, r0-86c0161
root@OpenWrt:~# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00100000 00020000 "0:sbl1"
mtd1: 00100000 00020000 "0:mibib"
mtd2: 00300000 00020000 "0:qsee"
mtd3: 00080000 00020000 "0:devcfg"
mtd4: 00080000 00020000 "0:rpm"
mtd5: 00080000 00020000 "0:cdt"
mtd6: 00080000 00020000 "0:appsblenv"
mtd7: 00100000 00020000 "0:appsbl"
mtd8: 00080000 00020000 "0:art"
mtd9: 00080000 00020000 "bdata"
mtd10: 00100000 00020000 "pstore"
mtd11: 023c0000 00020000 "kernel"
mtd12: 0d220000 00020000 "rootfs"

root@OpenWrt:~# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                 6.8M      6.8M         0 100% /rom
tmpfs                   203.7M      1.1M    202.6M   1% /tmp
/dev/ubi0_1             175.1M    660.0K    169.7M   0% /overlay
overlayfs:/overlay      175.1M    660.0K    169.7M   0% /
tmpfs                   512.0K         0    512.0K   0% /dev

Is there no way to get back to the factory partition? My ax3600 is currently single-partitioned by Ansuel. because softbrick, single partition can't sysupgrade.

1 Like