Adding OpenWrt support for Xiaomi AX6000

yeah , sadly this stoping me to buy tree of them :frowning: but i'm crossing my fingers .

Just wanted to mention the devices not longer advertise itself as WiFi 6E as it does not support 6Ghz. So all reference of WiFi 6E has been stripped and is now replaced with WiFi 6 "Enhanced".

Good,
It seems the thing has cooled down .. and I need it ..

1 Like

I just got this router and I'm very disappointed with Ethernet ports on it. Seems like all 1Gb/s ports together max. at 1Gb/s!

For example, I had 2 NAS devices connected to 1Gb/s ports on AX6000. By Wi-Fi AX I was getting the maximum speed of ~980Mb/s while copying files from both NAS at the same time. When I changed one of the NAS to use the 2.5Gb/s I magically got 1.8Gb/s speed over Wi-Fi AX. I was repeating the tests with the WAN port set to use 2.5Gb/s port and got the same results. All devices connected to 1Gb/s ports have the shared speed...

EDIT: Oh God... Found more info: https://diypc.org/the-real-test-xiaomi-ax6000-2-5gbe-network-port-is-a-problem.html

1 Like

All of the gigabit ports are connected to the same switch which is connected just via a single gigabit port to the CPU, hence the Gigabit throughput.
It was just copy/paste from IPQ40xx.

1 Like

Just to add to the topic, the method posted in the AX9000 to get SSH access works with the AX6000.
https://forum.openwrt.org/t/openwrt-support-for-xiaomi-ax9000/

I have an AX6000 and you be really happy to see OpenWrt running in it, but I have zero experience in coding and porting a device, unfortunatelly. If a developer is interested in trying to add support for the AX6000, I can send any info from the device (I have ssh access) as well as build and test the firmware.
Thank you!

Its completely different SoC than AX3600 and AX9000 so its not easy.
Not to mention that IPQ5018 has no upstream support

1 Like

I understand, my mistake, I thought IPQ5018 had upstream support already.

Noticed news that there is now development board with the same CPU IPQ5018 aka DR5018 from Wallys Communication.
There is mentioned QSDK 11.4 for that board.
And I see AX3600 have used same QSDK and have updated 11.5 even.
It should speedup development of OpenWRT for AX6000 but where to start ?
I do have AX6000 , plan to disassemble it to connect serial cable and may be get SSH access.
Also noticed there is place for additional flash chip on AX6000 on opposit side of existing one, could try to solder it later.

1 Like

Most likely one can not just boot off any such as that would require changing SoC fuses or at least boot strapping which may or may not be easy or even possible.

Hi to all,
Need help to obtain SSH / Serial access for AX6000 , I tried follow AX9000 instruction but no success.
I do connect serial cable and see boot output and when trying execute exploit/hack link getting some messages on serial console, but nothing on webpage = timeout of web page loading.
So unclear things:

  • Do second / OpenWRT router is password protected (not WiFi but web/ssh) or not, and if yes does it affect exploit line ?
  • http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/xqsystem/extendwifi_connect_inited_router?ssid=<SSID>&password=<PASSWORD>&encryption=<ENCRYPTION>enctype=<ENCTYPE>&channel=<CHANNEL>&band=<BAND>&admin_username=root&admin_password=admin&admin_nonce=xxx and yes, <...> are replaced with correct values.
    -- encryption=<ENCRYPTION>enctype=<ENCTYPE> - is it correct that there is no ampersand (&) in between ?
    -- admin_username=root&admin_password=admin&admin_nonce=xxx - is it same for all routers or is it Xiaomi router credentials or second OpenWRT router credentials or ?
  • Does it metter how Xiaomi is connected (LAN/WiFi 2.4G/WiFi 5G) and logged in for exploit line ?
  • ̶ ̶I̶s̶ ̶i̶t̶ ̶p̶o̶s̶s̶i̶b̶l̶e̶ ̶t̶o̶ ̶c̶h̶e̶c̶k̶ ̶s̶e̶c̶o̶n̶d̶ ̶O̶p̶e̶n̶W̶R̶T̶ ̶r̶o̶u̶t̶e̶r̶ ̶f̶r̶o̶m̶ ̶P̶C̶ ̶s̶i̶d̶e̶ ̶s̶o̶ ̶t̶o̶ ̶b̶e̶ ̶s̶u̶r̶e̶ ̶i̶t̶ ̶p̶r̶o̶v̶i̶d̶e̶ ̶L̶U̶A̶ ̶s̶c̶r̶i̶p̶t̶ ̶?̶ ̶(̶W̶i̶F̶i̶ ̶c̶h̶e̶c̶k̶e̶d̶ ̶a̶l̶r̶e̶a̶d̶y̶,̶ ̶i̶t̶ ̶w̶o̶r̶k̶s̶)̶ found ix AX9000 thread http://169.254.31.1/cgi-bin/luci/api/xqsystem/token and it work
  • Which version of AX6000 firmware you used with exploit.

@Sanzium , could you help? You obtain SSH access successfully I saw.

Thanks to all, got SSH access to AX6000 . for password used simplified https://github.com/odedlaz/ax3600-files/blob/master/scripts/calc_passwd.py script, where password need be entered as parameter (will place at end) .

Answers to my questions:

  • Password on second OpenWPN router does not meter
  • Exploit line should be like in instruction.
  • Connection to Xiaomi I used LAN (could be that any)
  • To check second OpenWRT router used: http://169.254.31.1/cgi-bin/luci/api/xqsystem/token
  • AX6000 fw verison - forgot, will report later :slight_smile:
  • Used FireFox

Simplified script:

import sys
import hashlib

# credit goes to zhoujiazhao:
# https://blog.csdn.net/zhoujiazhao/article/details/102578244

salt = {'r1d': 'A2E371B0-B34B-48A5-8C40-A7133F3B5D88',
        'others': 'd44fb0960aa0-a5e6-4a30-250f-6d2df50a'}

def get_salt(sn):
    if "/" not in sn:
        return salt["r1d"]
    return "-".join(reversed(salt["others"].split("-")))

def calc_passwd(sn):
    passwd = sn + get_salt(sn)
    m = hashlib.md5(passwd.encode())
    return m.hexdigest()[:8]

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: python3 {sys.argv[0]} <SN>")
        sys.exit(1)
    sn = sys.argv[1]
    print("Given SN: "+ sn)
    print("Calculated root password: "+calc_passwd(sn))

You forgot to mention that one, not?

1 Like

Update : AX6000 FW version at exploit time 1.0.53

How is the status of this work, does openwrt support Xiaomi ax6000 already?

I have 3 Xiaomi AX6000, I really want that firmware on my routers. Any update ?

any updates on support?

There is no one working on ipq50xx so far, don't expect any progress to happen.

I got AX6000 running using QCN SDK and copying multiple files from the original xiaomi rom. Unfortunatley now I need to finish my university so I will not have time to publish that. If anyone would like to try the there are two ways:

  1. adjust xiaomi rom wiping most of the userspace and putting original openwrt. This works quite well except it leaves you with potential backdoors inside the xiaomi kernel.
  2. use qcn-sdk and copy firmware dts files for xiaomi rom - this takes quite some time but it's most safe way to do it.

I plan to publish mine by the end of december.

6 Likes