Adding OpenWrt support for Xiaomi AX3600

They sanitise the values through cmdformat on the first available firmware image that I could find for the AX9000, so that's not going to work anymore. :slight_smile:

There's a fork of unluac on GitHub that'll handle these files just fine. Of course the .luac that Xiaomi have made are debug stripped, so the output is a little hard on the eyes. (But otherwise more than good enough for analysis.)

My understanding is that the AX6 method of connecting to another Xiaomi router using the extender API and injecting commands into the token in the JSON payload may still work. I don't think I saw any new sanitisation added into the methods that eventually feed into write_t_v in XQExtendWifi.lua.


Thanks, I'm gonna try that AX6 method at the weekend.

Xiaomi is also using i2c@78ba000 on the AX9000 for the fan controller:

i2c@78ba000 {
			compatible = "qcom,i2c-qup-v2.2.1";
			#address-cells = <0x01>;
			#size-cells = <0x00>;
			reg = <0x78ba000 0x600>;
			interrupts = <0x00 0x12c 0x04>;
			clocks = <0x0b 0x54 0x0b 0x5f>;
			clock-names = "iface\0core";
			clock-frequency = <0x61a80>;
			dmas = <0x0e 0x17 0x0e 0x16>;
			dma-names = "rx\0tx";
			pinctrl-0 = <0x59>;
			pinctrl-names = "default";
			status = "ok";

			emc2301@2E {
				compatible = "smsc,emc2301";
				reg = <0x2e>;
				#address-cells = <0x01>;
				#size-cells = <0x00>;
			};

			emc2305@2F {
				compatible = "smsc,emc2305";
				reg = <0x2f>;
				#address-cells = <0x01>;
				#size-cells = <0x00>;
			};

			emc2302@2C {
				compatible = "smsc,emc2302";
				reg = <0x2c>;
				#address-cells = <0x01>;
				#size-cells = <0x00>;
			};

			emc2303@2D {
				compatible = "smsc,emc2303";
				reg = <0x2d>;
				#address-cells = <0x01>;
				#size-cells = <0x00>;
			};

			emc2304@4C {
				compatible = "smsc,emc2304";
				reg = <0x4c>;
				#address-cells = <0x01>;
				#size-cells = <0x00>;
			};

			emc2306@4D {
				compatible = "smsc,emc2306";
				reg = <0x4d>;
				#address-cells = <0x01>;
				#size-cells = <0x00>;
			};
		};

Then we will simply add the node for it as well as it looks like a regular QUP I2C controller.
There should actually be 6 HW QUP I2C controllers inside of the SoC according to the docs, clocks, and pin controllers.
But QCA being QCA just added the ones they use on the reference boards.

I will finally have time to open the AX9000 up to solder the UART header today, but we gotta find a way to enable UART or SSH first.

btw
I think he should open a new thread for the AX9000


Sure, we can make a new thread.


Hello,

I built 'e9bc0586f1e782d56a785417881b7a09b3610aa6' version and have it working.
I'm wondering: is special configuration needed in order to have a working bridge between WLAN and LAN? Or is it supposed to work at the current stage of development?

WLAN is bridged to the LAN bridge by default.
That should have been working for a while now.

Ok, it seems I got it working. In case someone's interested, here are my stats:

root@OpenWrt:~# free
              total        used        free      shared  buff/cache   available
Mem:         375880      155248      186512         304       34120      178844
Swap:             0           0           0
root@OpenWrt:~# uptime
 16:02:39 up 1 day,  8:19,  load average: 0.00, 0.00, 0.00
root@OpenWrt:~#

P.S. The issue seems to be appearing when bridging LAN and WAN ports is enabled.

Who except dchard has mem issues? Is it maybe only the AX6?
Who is running OpenWrt for now on an AX3600?

@k1x0r What do you mean by bridging?

@rossini I have the leak as soon as AP is started, I am using the default WAN+3 LAN ports.


@robimarko I mean having LAN and WAN ports in the same 'bridge'. Such as:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'

Ok, but I have the leak without them all being bridged.
So, even with NAT it leaks.

I haven't changed anything in my build and set up my router as an access point.
In my configuration I disabled the 'firewall' service when I was struggling to get my router working.

This is a leak for sure. With disabled wifi, the leak is not there. And the AX6 is identical to the AX3600 both in terms of radios and memory. On my build, ath10k-ct firmware and ath10k drivers are also removed, as the AX6 has no IoT radio.

I bricked my AX3600 and wanted to do a TFTP recovery. I figured out that I had to rename the firmware file to "C0A80202.img" instead of "C0A80B0A.img" as stated in the Wiki. Just in case someone struggles to do the recovery....

Edit: System is still just giving the blinking blue. The firmware was uploaded according to Wireshark but I guess the router is still bricked :frowning:

Thank you for the hint, I am sure that knowing that filename will save quite a lot of headaches and going through captures (the wiki should be updated to give that hint).

Did you by any chance run one of the QSDK builds that were going around? (i.e., have you confirmed beforehand that you had the same partition layout as the stock firmware?)

Nope, I was on stock with enabled SSH, I played with xqrepack and at some point the router didn't start any longer ...

TFTP only copies the image to RAM. You have to write it to the flash after the transfer. You can use the initramfs version to TFTP it to the device, then use "bootm" to boot it. This does not write anything, and you can try if the device works or not. The initramfs image can be built from robimarko's source.

@robimarko

I found this file: board-2.bin at Kalle's repo. If you look at it, it contains a lot of board ids in that same file. I also found the one for AX3600/AX6. I wonder, is it possible that for those firmwares we need to compile a board file with the matching id from that file he published? I checked the content and it is slightly different compared to what we extracted from the devices.