Adding OpenWrt support for Xiaomi AX3600

LonGDikE,

Thanks for the tips that led to getting SSH. On the unit I just received and downgraded to 1.0.17, none of your commands as written worked. This appears to be because this firmware performs some auto-filtering of characters that could lead to escape. Specifically, ; & $ appear not to be permitted. After searching around a bit I came across this article:

In there it details that you can use newlines (%0A) [percent zero capital-A] instead of semicolons with some Xiaomi routers. With that, I was able to confirm escape via the following URL:

http://192.168.31.1/cgi-bin/luci/;stok=/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=%0Areboot%0A

Which, happily, rebooted the router. From there I was able to enable nvram SSH and then deleted the IF in /etc/init.d/dropbear by piping the dropbear contents to sed '135d' three times (which deleted the IF, the return 0, and the FI, to stop the init file from keeping SSH off). I then used your command to change the admin password; however, there is a password length requirement (8 characters seemed to do the trick).

I have confirmed that the %0Areboot%0A does not work on the 1.0.50 firmware (which is the latest as of this post).

Let me know if anyone would like more specifics or details. Happy to help to bring OpenWRT to this puppy.
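The post above makes a point worth seeing in code: a blocklist that strips `;`, `&` and `$` from a query parameter does nothing about a newline, which a POSIX shell treats as a command separator just like `;`. The example below is added here and is not code from the thread or from Xiaomi's firmware; the `uci set` command it builds is an assumption standing in for whatever the real CGI backend runs, and the query values are constructed test input. It contrasts the blocklist approach with an allowlist validator that passes the value as a single argv element, so no shell parses it at all.

```python
import re
from urllib.parse import unquote

# Constructed test input modelled on the URL in the post (not captured traffic).
CONSTRUCTED_SSIDS = {
    "normal": "HomeWiFi",
    "semicolon": ";reboot;",
    "newline": unquote("%0Areboot%0A"),   # decodes to "\nreboot\n"
}

# --- The weak approach: strip a few "dangerous" characters, then build a shell string ---
NAIVE_BLOCKLIST = set(";&$")

def naive_filter(value: str) -> str:
    """Drop blocklisted characters; newline is not on the list, so it survives."""
    return "".join(ch for ch in value if ch not in NAIVE_BLOCKLIST)

def build_legacy_command(ssid: str) -> str:
    """Hypothetical backend behaviour: interpolate the filtered value into a shell line."""
    return f"uci set wireless.iot.ssid={naive_filter(ssid)}"

def shell_command_lines(command_string: str) -> list:
    """Approximate how sh -c splits a string into separate commands:
    both ';' and '\\n' terminate a simple command."""
    return [part.strip() for part in re.split(r"[;\n]", command_string) if part.strip()]

# --- The hardened approach: allowlist the value and never hand it to a shell ---
SSID_RE = re.compile(r"^[A-Za-z0-9 _.-]{1,32}$")

def validate_ssid(ssid: str) -> bool:
    """Accept only printable allowlisted characters, 1-32 long. fullmatch never
    matches across a newline, so "\\nreboot\\n" is rejected outright."""
    return SSID_RE.fullmatch(ssid) is not None

def build_safe_argv(ssid: str) -> list:
    """Return an argv list for subprocess.run(...) without shell=True.
    The value is one argument; separators inside it have no meaning."""
    if not validate_ssid(ssid):
        raise ValueError("ssid rejected by allowlist")
    return ["uci", "set", f"wireless.iot.ssid={ssid}"]

if __name__ == "__main__":
    for name, ssid in CONSTRUCTED_SSIDS.items():
        lines = shell_command_lines(build_legacy_command(ssid))
        print(f"{name:9s} blocklist -> {len(lines)} command(s): {lines}")
        print(f"{name:9s} allowlist -> {'accepted' if validate_ssid(ssid) else 'rejected'}")
```

Running it shows the blocklist turning the newline payload into two commands while the semicolon payload collapses to one, and the allowlist rejecting both injected values. The lesson is the one the post demonstrates from the attacker's side: filtering individual characters is a losing game, whereas validating against what an SSID may contain and passing it as a single argument removes the shell from the path.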

You can take a look here: Xiaomi AX3600 DTS
Someone is already trying to gather the necessary information (slh and efsg).

I gave the AX3600 to zhiping, soon...

1 Like

esfg,

As you have serial port access, do you need anything from a persistent SSH perspective?

I do not know...
(MiWiFi/HiWiFi) Xiaomi can block at any time

Correct - the exploit I leveraged only works via downgrading to 1.0.17. As of 1.0.50 - it cannot be used as the method has been patched.

Yes, but we could still use 1.0.17 as a vector to get into the router and flash openwrt. Even as an install instruction it shouldn't be something difficult to do (as long as Xiaomi doesn't release firmwares that block downgrading to 1.0.17).

What we need now is an openwrt build for this device, right?

Hello, I'm new to openwrt. Because I've been following this router and see movement toward a possible future openwrt firmware, I bought one today!

Hope we can get this ax3600 router!!

we can win!

3 Likes

Alex - as has been mentioned before, it's risky as Xiaomi could patch to prevent downgrade (and then users would be stuck with having to wire up to the serial port). I think with the amount of product out there currently, we are likely safe for now. I've also seen some other research going on around decoding the Xiaomi FW update bins, which could lead to being able to craft a Xiaomi-compliant update bin.

From an exploit perspective, I think the next step would be to figure out how to modify the uboot config in order to enable RW access to all the partitions. At that point you would have similar access to what efsg has with his serial port access. It seems to me like you could potentially do a sysupgrade to patch the currently writable partitions to get OpenWRT on there (the ax3600 does a custom process, pulling various images out of the uploaded bin and then deploying directly to partitions). However, that would still require all the drivers to be in place and, from my reading, would only put you in a one-off, hack-jobbed OpenWRT.

1 Like

A big thank you to the people posting great information in this thread and the ax3600 DTS thread. I've ordered one and with the info posted here should get root access.

If any developers want to get one for less than 90 EUR, see https://www.aliexpress.com/item/4000869725283.html with coupon 20SS10.

Looking forward to an OpenWRT port, or at least an English-translated interface.

1 Like

Hm, for me 20SS10 is not working.
It's complaining about the order amount being below the limit.
The order needs to be 100 USD excluding shipping.

Just tested and it seems to be working for me.


Then it does not work for Croatia as I get:
The order amount (excluding shipping fee) is under the minimum spend of this promo code.

esfg - are you leveraging the work done on the 8074 reference kit? I stumbled across this pastebin showing the bootlog of an IPQ8074-HK01:
https://pastebin.com/j43AhxAh

But I can't seem to dig up the snapshot that is listed in the release further down in the pastebin:

    root@OpenWrt:/# cat /etc/openwrt_release
    DISTRIB_ID='OpenWrt'
    DISTRIB_RELEASE='SNAPSHOT'
    DISTRIB_REVISION='r11690-ca7ed17'
    DISTRIB_TARGET='ipq807x/ipq807x_64'
    DISTRIB_ARCH='aarch64_cortex-a53'
    DISTRIB_DESCRIPTION='OpenWrt SNAPSHOT r11690-ca7ed17'

I live in China, and maybe I can help to ship it for you, as you have a really good reputation. :laughing:

The text after rxxxxxx- is the shortened commit hash, so this is the latest commit of the snapshot version used:

Thanks for the offer, but the shipping prices are really high, so there would be no difference in the price.
I finally caved and ordered one for 98 EUR.

3 Likes

Oh, I checked online and it really costs a lot of money to ship it (even more than AliExpress).
:sob::sob::sob::sob:

Yeah, shipping prices are insane even for light things like routers