They sanitise the values through cmdformat on the first available firmware image that I could find for the AX9000, so that's not going to work anymore.
There's a fork of unluac on GitHub that'll handle these files just fine. Of course the .luac that Xiaomi have made are debug stripped, so the output is a little hard on the eyes. (But otherwise more than good enough for analysis.)
My understanding is that the AX6 method of connecting to another Xiaomi router using the extender API and injecting commands into the token in the JSON payload may still work. I don't think I saw any new sanitisation added into the methods that eventually feed into write_t_v in XQExtendWifi.lua.
Then we will simply add the node for it as well as it looks like a regular QUP I2C controller.
There should actually be 6 HW QUP I2C controllers inside of the SoC according to the docs, clocks, and pin controllers.
But QCA being QCA just added the ones they use on the reference boards.
I will finally have time to open the AX9000 up to solder the UART header today, but we gotta find a way to enable UART or SSH first.
I built 'e9bc0586f1e782d56a785417881b7a09b3610aa6' version and have it working.
I'm wondering: is special configuration needed in order to have a working bridge between WLAN and LAN? Or is it supposed to work at the current stage of development?
I haven't changed anything in my build and set up my router as an access point.
In my configuration I disabled the 'firewall' service when I was struggling to have my router working.
This is a leak for sure. With disabled wifi, the leak is not there. And the AX6 is identical to the AX3600 both in terms of radios and memory. On my build, ath10k-ct firmware and ath10k drivers are also removed, as the AX6 has no IoT radio.
I bricked my AX3600 and wanted to do a TFTP recovery. I figured out that I had to rename the firmware file to "C0A80202.img" instead of "C0A80B0A.img" as stated in the Wiki. Just in case someone struggles to do the recovery...
Edit: System is still just giving the blinking blue. The firmware was uploaded according to Wireshark but I guess the router is still bricked.
Thank you for the hint, I am sure that knowing that filename will save quite a lot of headaches and going through captures (the wiki should be updated to give that hint).
Did you by any chance run one of the QSDK builds that were going around? (i.e., have you confirmed beforehand that you had the same partition layout as the stock firmware?)
TFTP only copies the image to RAM. You have to write it to the flash after the transfer. You can use the initramfs version to TFTP it to the device, then use "bootm" to boot it. This does not write anything, and you can try if the device works or not. The initramfs image can be built from robimarko's source.
I found this file: board-2.bin at Kalle's repo. If you look at it, it contains a lot of board ids in that same file. I also found the one for AX3600/AX6. I wonder, is it possible that for those firmwares we need to compile a board file with the matching id from that file he published? I checked the content and it is slightly different compared to what we extracted from the devices.