Adding OpenWrt support for Xiaomi AX3600 (Part 1)

hugomon · June 9, 2021, 12:11pm

Yes, it was working with the shady, shitty, f**king QSDK chinese version.

robimarko · June 9, 2021, 12:14pm

My guess is that you messed up the partition table and now it cant find the overlay partition.
But without UART its just a guess

hugomon · June 9, 2021, 12:19pm

It's a very likely possibility, I just ordered the TTL a while ago so when it arrives I can dig around.

In the meantime ye olde netgear R7000 will have to take over.

robimarko · June 9, 2021, 1:29pm

@Apache14 I got really annoyed and frustrated with ath11k so I tried getting the NSS crypto engine working.
Got the DTS node added, nss-crypto package with the patches required, enabled NSS-DRV crypto stuff and added a heper package to install the EIP FW.

Unfortunately, when I try to benchmark it with the benchmark kernel module that comes with nss-crypto it will cause the NSS FW to crash.
Only good thing out of that was that I fixed NSS-DRV to actually print the coredump and not crash the kernel with NULL pointer exceptions.

So, I pushed everything to nss-crypto branch of nss-packages.

Could be NSS firmware version mishmatch issues

felipejfc1 · June 9, 2021, 1:32pm

@hugomon and @1715173329 I actually ended up bricking mine once as well after flashing the Chinese QSDK and then flashing the stock firmware with MiRepairTool. The router bootlooped, I managed to fix it with serial access. I think it had to do with uboot not finding a valid kernel to load. I fixed it by using uboot's memory write command to write a original firmware packaged as a .ubi to rootfs

And btw you did mess up the partition table if you used the chinese firmware... It does change the layout.

Ansuel · June 9, 2021, 1:40pm

why use the uboot memory write when you can simply load a initramfs image and fix from there? (that should actually be the advised method to install the image with serial access)
also a brick is when you need advanced tool... A simple serial should fix the problem (if you enabled serial access with the vulnerability)

Apache14 · June 9, 2021, 1:42pm

This is a must for anyone wanting to test this device out I wouldn't do anything without validating you have TTY TX & RX until things are more stable

Apache14 · June 9, 2021, 1:45pm

You used 11.4 branches along with the 11.4 FW ?

Im having a rest from ath11k for a day or so, its too much to read and understand Still think we are missing some responses from WMI so free doesnt get called. I was looking at the copy engine pipe clear down tasklet, so that may be where we see the clean up under load.

Ansuel · June 9, 2021, 1:47pm

You know that the solution will be rework the code and convert it to a tasklet logic with some timeout so that after some time if the wmi response will be freed anyway if the firmware never actually respond ?
just telling you how messy it will be at the end... for now that is the only way practical way to fix this

Considering every command will have their own cleanup process, we can drop the cleanup part on the copyengine

Apache14 · June 9, 2021, 1:49pm

Yeah i was looking at wait_for_completion_timeout, issue is you dont 100% know what WMI responses your looking for

Ansuel · June 9, 2021, 1:50pm

but i honestly think that we should really track what wmi response are failing and actually add the logic only for them... (or the other way... add a list of wmi that are always handled) but again putting a cleanup function in the copyengine that are triggered on load seems fundamentally wrong... can't understand why they designed it that way

again would love to work on that but NO TIME hope next week i will have some so i can have some fun with many ath11k kernel panic

felipejfc1 · June 9, 2021, 1:53pm

Because when I tried the initramfs image approach I had 2 problems, 1 there wasn't sufficient disk space for me to scp the image I wanted to flash and 2 I then scp'ed it to /tmp but the router would reboot as soon as the transfer ended for some reason... This was before we started with the "reboot" branches, so the images were not nearly as usable as they're now

Apache14 · June 9, 2021, 1:55pm

github.com

torvalds/linux/blob/9d31d2338950293ec19d9b095fbaa9030899dcb4/drivers/net/wireless/ath/ath11k/ahb.c#L406

    
      
          	for (i = 0; i < ab->hw_params.ce_count; i++) {
          		if (ath11k_ce_get_attr_flags(ab, i) & CE_ATTR_DIS_INTR)
          			continue;
          		irq_idx = ATH11K_IRQ_CE0_OFFSET + i;
          		free_irq(ab->irq_num[irq_idx], &ab->ce.ce_pipe[i]);
          	}
          
          
	ath11k_ahb_free_ext_irq(ab);
          }
          
          
static void ath11k_ahb_ce_tasklet(struct tasklet_struct *t)
          {
          	struct ath11k_ce_pipe *ce_pipe = from_tasklet(ce_pipe, t, intr_tq);
          
          
	ath11k_ce_per_engine_service(ce_pipe->ab, ce_pipe->pipe_num);
          
          
	ath11k_ahb_ce_irq_enable(ce_pipe->ab, ce_pipe->pipe_num);
          }
          
          
static irqreturn_t ath11k_ahb_ce_interrupt_handler(int irq, void *arg)
          {

This is what im looking at now, the ath11k_ce_per_engine_service looks to clear down things on send callback

robimarko · June 9, 2021, 2:08pm

@Apache14 Yeah, I tried 11.4 FW as well, unfortunatelly core 1 which is the crypto one will panic anyway.

Ansuel · June 9, 2021, 2:10pm

just to make sure, the nss core have the required flags enabled correct?

robimarko · June 9, 2021, 2:12pm

Yes, I enabled the crypto feature as without it, nss-crypto cant be compiled at all.

@quarky Was CFI also required for this?

vit0r · June 9, 2021, 2:12pm

@hugomon @1715173329 Did that brick happen after flashing one of the *.ubi files (as expected) or did you attempt to revert to stock using the regular *.bin from Xiaomi? (you have both types in this folder)

I am currently running one of those QSDK builds (with surprisingly nice wireless performance), but I am eagerly awaiting the day I can run OpenWRT. It's not so nice to know that I may face an imminent brick the day I try to move out of that QSDK build.

hugomon · June 9, 2021, 2:41pm

My guess is that it was when I try to revert it to the original Xiaomi firmware with MiRepairTool; this happened also to @felipejfc1 as he wrote on Adding OpenWrt support for Xiaomi AX3600 - #3450 by felipejfc1, and it seems the same case.

Right now I can only wait for the arrival of a 1.8v TTL.

felipejfc1 · June 9, 2021, 4:18pm

It wont break if you ubiformat mtd12 or 13 with openwrt image if you're running the QSDK version already. You will be just fine. Still, I won't do it (for now) without serial access, just in case.

But it will break for sure if you use MiRepairTool after using QSDK version, so don't do it!

McGiverGim · June 9, 2021, 4:35pm

I don't know if I have the correct partition, but I simply booted into the Xiaomi partition, updated the firmware from UI to latest version, this replaced the QSDK partition and booted ok. After that I upgraded from the UI again, in theory this updated the Xiaomi partition to latest version too.
As I say I don't know if all is ok, but I'm on official without problem.