Adding OpenWrt support for Xiaomi AX6000

Xiaomi just released their sucessor to the AX3600, the AX6000. With the main difference being WiFi 6e support and 2.5 Gbit WAN-port.

https://www.mi.com/r6000/specs

Specs seems to be:

Qualcomm IPQ5018
1.0GHz NPU
512MB

Any hope on getting OpenWRT support for this unit?

1 Like

Looks like the firmware is availaible: https://github.com/kvalo/ath11k-firmware

Took a quick look and it looks like their support to WiFi 6e is just for the high MCS (1024 QAM for 4x4, 4096QAM for 2x2).

I don't see any reference to 6GHz

IPQ5018

That thing is so spanking brand new it hasn't even landed in mainline yet. However, an initial patch got posted:

So it might be a little while...

2 Likes

6ghz spectrum might not be approved in China yet.

AX3600 is already going as high as 5.8 GHz in some of the band, I think this is just market hype as both router going around 6 GHz.

yeah , sadly this stoping me to buy tree of them :frowning: but i'm crossing my fingers .

Just wanted to mention the devices not longer advertise itself as WiFi 6E as it does not support 6Ghz. So all reference of WiFi 6E has been stripped and is now replaced with WiFi 6 "Enhanced".

Good,
It seems the thing has cooled down .. and I need it ..

1 Like

I just got this router and I'm very disappointed with Ethernet ports on it. Seems like all 1Gb/s ports together max. at 1Gb/s!

For example, I had 2 NAS devices connected to 1Gb/s ports on AX6000. By Wi-Fi AX I was getting the maximum speed of ~980Mb/s while copying files from both NAS at the same time. When I changed one of the NAS to use the 2.5Gb/s I magically got 1.8Gb/s speed over Wi-Fi AX. I was repeating the tests with the WAN port set to use 2.5Gb/s port and got the same results. All devices connected to 1Gb/s ports have the shared speed...

EDIT: Oh God... Found more info: https://diypc.org/the-real-test-xiaomi-ax6000-2-5gbe-network-port-is-a-problem.html

1 Like

All of the gigabit ports are connected to the same switch which is connected just via a single gigabit port to the CPU, hence the Gigabit throughput.
It was just copy/paste from IPQ40xx.

Just to add to the topic, the method posted in the AX9000 to get SSH access works with the AX6000.
https://forum.openwrt.org/t/openwrt-support-for-xiaomi-ax9000/

I have an AX6000 and you be really happy to see OpenWrt running in it, but I have zero experience in coding and porting a device, unfortunatelly. If a developer is interested in trying to add support for the AX6000, I can send any info from the device (I have ssh access) as well as build and test the firmware.
Thank you!

Its completely different SoC than AX3600 and AX9000 so its not easy.
Not to mention that IPQ5018 has no upstream support

1 Like

I understand, my mistake, I thought IPQ5018 had upstream support already.

Noticed news that there is now development board with the same CPU IPQ5018 aka DR5018 from Wallys Communication.
There is mentioned QSDK 11.4 for that board.
And I see AX3600 have used same QSDK and have updated 11.5 even.
It should speedup development of OpenWRT for AX6000 but where to start ?
I do have AX6000 , plan to disassemble it to connect serial cable and may be get SSH access.
Also noticed there is place for additional flash chip on AX6000 on opposit side of existing one, could try to solder it later.

1 Like

Most likely one can not just boot off any such as that would require changing SoC fuses or at least boot strapping which may or may not be easy or even possible.

Hi to all,
Need help to obtain SSH / Serial access for AX6000 , I tried follow AX9000 instruction but no success.
I do connect serial cable and see boot output and when trying execute exploit/hack link getting some messages on serial console, but nothing on webpage = timeout of web page loading.
So unclear things:

  • Do second / OpenWRT router is password protected (not WiFi but web/ssh) or not, and if yes does it affect exploit line ?
  • http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/xqsystem/extendwifi_connect_inited_router?ssid=<SSID>&password=<PASSWORD>&encryption=<ENCRYPTION>enctype=<ENCTYPE>&channel=<CHANNEL>&band=<BAND>&admin_username=root&admin_password=admin&admin_nonce=xxx and yes, <...> are replaced with correct values.
    -- encryption=<ENCRYPTION>enctype=<ENCTYPE> - is it correct that there is no ampersand (&) in between ?
    -- admin_username=root&admin_password=admin&admin_nonce=xxx - is it same for all routers or is it Xiaomi router credentials or second OpenWRT router credentials or ?
  • Does it metter how Xiaomi is connected (LAN/WiFi 2.4G/WiFi 5G) and logged in for exploit line ?
  • ̶ ̶I̶s̶ ̶i̶t̶ ̶p̶o̶s̶s̶i̶b̶l̶e̶ ̶t̶o̶ ̶c̶h̶e̶c̶k̶ ̶s̶e̶c̶o̶n̶d̶ ̶O̶p̶e̶n̶W̶R̶T̶ ̶r̶o̶u̶t̶e̶r̶ ̶f̶r̶o̶m̶ ̶P̶C̶ ̶s̶i̶d̶e̶ ̶s̶o̶ ̶t̶o̶ ̶b̶e̶ ̶s̶u̶r̶e̶ ̶i̶t̶ ̶p̶r̶o̶v̶i̶d̶e̶ ̶L̶U̶A̶ ̶s̶c̶r̶i̶p̶t̶ ̶?̶ ̶(̶W̶i̶F̶i̶ ̶c̶h̶e̶c̶k̶e̶d̶ ̶a̶l̶r̶e̶a̶d̶y̶,̶ ̶i̶t̶ ̶w̶o̶r̶k̶s̶)̶ found ix AX9000 thread http://169.254.31.1/cgi-bin/luci/api/xqsystem/token and it work
  • Which version of AX6000 firmware you used with exploit.

@Sanzium , could you help? You obtain SSH access successfully I saw.

Thanks to all, got SSH access to AX6000 . for password used simplified https://github.com/odedlaz/ax3600-files/blob/master/scripts/calc_passwd.py script, where password need be entered as parameter (will place at end) .

Answers to my questions:

  • Password on second OpenWPN router does not meter
  • Exploit line should be like in instruction.
  • Connection to Xiaomi I used LAN (could be that any)
  • To check second OpenWRT router used: http://169.254.31.1/cgi-bin/luci/api/xqsystem/token
  • AX6000 fw verison - forgot, will report later :slight_smile:
  • Used FireFox

Simplified script:

import sys
import hashlib

# credit goes to zhoujiazhao:
# https://blog.csdn.net/zhoujiazhao/article/details/102578244

salt = {'r1d': 'A2E371B0-B34B-48A5-8C40-A7133F3B5D88',
        'others': 'd44fb0960aa0-a5e6-4a30-250f-6d2df50a'}

def get_salt(sn):
    if "/" not in sn:
        return salt["r1d"]
    return "-".join(reversed(salt["others"].split("-")))

def calc_passwd(sn):
    passwd = sn + get_salt(sn)
    m = hashlib.md5(passwd.encode())
    return m.hexdigest()[:8]

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: python3 {sys.argv[0]} <SN>")
        sys.exit(1)
    sn = sys.argv[1]
    print("Given SN: "+ sn)
    print("Calculated root password: "+calc_passwd(sn))

You forgot to mention that one, not?

1 Like