Adding OpenWrt support for Xiaomi AX6000

Update : AX6000 FW version at exploit time 1.0.53

What is the status of this work? Does OpenWrt support the Xiaomi AX6000 already?

I have 3 Xiaomi AX6000, I really want that firmware on my routers. Any update?

any updates on support?

There is no one working on ipq50xx so far, don't expect any progress to happen.

I got AX6000 running using QCN SDK and copying multiple files from the original xiaomi rom. Unfortunately now I need to finish my university so I will not have time to publish that. If anyone would like to try, there are two ways:

  1. adjust xiaomi rom wiping most of the userspace and putting original openwrt. This works quite well except it leaves you with potential backdoors inside the xiaomi kernel.
  2. use qcn-sdk and copy firmware dts files for xiaomi rom - this takes quite some time but it's the safest way to do it.

I plan to publish mine by the end of december.

Thank you. I hope it works out for you.

Hi,
Is anyone working on OpenWrt support for the Xiaomi AX6000?
I have been reading many threads but did not understand whether there is support or not.
Appreciate any help.

The short answer is no.

ipq50xx and ipq60xx depend on the basic infrastructure work being done for ipq807x first (but still require quite some unique efforts on top). There won't be much movement before ipq807x is merged and working. Also keep an eye on the system specifications of these devices, 512 MB RAM will be a hard minimum for devices with ath11k.

If you want something fully functional now, look at mt7622+mt7915 - if you're interested in QCA hardware, prefer ipq807x (ax3600, ax9000) which is at least somewhat in sight and being worked on (but far from ready as well).

As you are mentioning mt7622/7915 do you have a recommendation of an easily available device? All I can find is mt7621.

My ax3600 is currently collecting dust...

fully working:

early work in progress:

Thanks for your quick reply.
Unfortunately there is no source available here. Maybe have to research if there is an ac only mt7622 version available here.

Hi @ss7pro, Happy new year :) I wish you finish university with success.

Do you have any update for us? I would like to try something.
I like the idea of a simple solution like replacing the user space part with the original OpenWRT part and living with a possible kernel hack.
But I am ready to try the QCN-SDK solution also.
Do you have information on where to obtain QCN-SDK?
Maybe any other guides?

I believe the tool he mentioned is this:

https://www.qualcomm.com/support/software-tools/qualcomm-product-support-tool/fa2ec607-5c22-4d92-a4ed-ce3c96346225/overview

OR

any news let me know please.

I'm out of time right now, but I'll try something soon too.

work in progress ... beware! note was able to boot qsdk previously ...

here's the ax6000 (chinese version) with firmware miwifi_ra72_firmware_d52f7_1.0.88.bin

pic of the board (no need to solder)

boot log

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.3.1.1-378851
S - IMAGE_VARIANT_STRING=MAACANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x000002c5
B - 128 - PBL, Start
B - 1566 - bootable_media_detect_entry, Start
B - 3827 - bootable_media_detect_success, Start
B - 3830 - elf_loader_entry, Start
B - 9242 - auth_hash_seg_entry, Start
B - 9602 - auth_hash_seg_exit, Start
B - 103191 - elf_segs_hash_verify_entry, Start
B - 170774 - PBL, End
B - 140605 - SBL1, Start
B - 202154 - GCC [RstStat:0x0, RstDbg:0x600000] WDog Stat : 0x4
B - 210084 - clock_init, Start
D - 7442 - clock_init, Delta
B - 217709 - boot_flash_init, Start
D - 18910 - boot_flash_init, Delta
B - 236680 - boot_config_data_table_init, Start
D - 5551 - boot_config_data_table_init, Delta - (575 Bytes)
B - 245311 - Boot Setting : 0x00000618
B - 251503 - CDT version:2,Platform ID:8,Major ID:4,Minor ID:0,Subtype:1
B - 258426 - sbl1_ddr_set_params, Start
B - 260012 - Pre_DDR_clock_init, Start
B - 265685 - Pre_DDR_clock_init, End
B - 809073 - do ddr sanity test, Start
D - 30 - do ddr sanity test, Delta
B - 813740 - Image Load, Start
D - 244884 - QSEE Image Loaded, Delta - (523680 Bytes)
B - 1059478 - Image Load, Start
D - 15586 - DEVCFG Image Loaded, Delta - (13592 Bytes)
B - 1075094 - Image Load, Start
D - 197610 - APPSBL Image Loaded, Delta - (426832 Bytes)
B - 1272795 - QSEE Execution, Start
D - 30 - QSEE Execution, Delta
B - 1279261 - SBL1, End
D - 1141127 - SBL1, Delta
S - Flash Throughput, 2188 KB/s (965351 Bytes, 441146 us)
S - DDR Frequency, 800 MHz
S - Core 0 Frequency, 800 MHz

U-Boot 2016.01 (Apr 15 2021 - 06:03:31 +0000), Build: jenkins-common_router_openwrt_ota_publish-1078

DRAM: smem ram ptable found: ver: 1 len: 4
512 MiB
NAND: QPIC controller support serial NAND
ID = c1c8c1c8
Vendor = c8
Device = c1
Serial Nand Device Found With ID : 0xc8 0xc1
Serial NAND device Manufature:GD5F1GQ4RE9IG
Device Size:128 MiB, Page size:2048, Spare Size:128, ECC:8-bit
qpic_nand: changing oobsize to 80 from 128 bytes
SF: Unsupported flash IDs: manuf 00, jedec 0000, ext_jedec 0000
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
128 MiB
MMC: sdhci: Node Not found, skipping initialization

PCI Link Intialized
PCI Link Intialized
In: serial@78AF000
Out: serial@78AF000
Err: serial@78AF000
machid: 8040001
bootwait is on, bootdelay=5

main_loop: bootcmd="bootmiwifi"

Hit any key to stop autoboot: 0
trigger button release!
boot from rootfs 0
miwifi: check crash in rmem !
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=0", size 36 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 288, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 2, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 1/0, WL threshold: 4096, image sequence number: 1283499581
ubi0: available PEBs: 58, total reserved PEBs: 230, PEBs reserved for bad PEB handling: 20
Read 0 bytes from volume kernel to 44000000
No size specified -> Using max size (3809280)

Loading kernel from FIT Image at 44000000 ...

Using 'config@mp03.1' configuration
Trying 'kernel@1' kernel subimage
Description: ARM64 OpenWrt Linux-4.4.60
Type: Kernel Image
Compression: lzma compressed
Data Start: 0x440000e8
Data Size: 2678561 Bytes = 2.6 MiB
Architecture: AArch64
OS: Linux
Load Address: 0x41080000
Entry Point: 0x41080000
Hash algo: crc32
Hash value: 7f1b7101
Hash algo: sha1
Hash value: 71c106afa3fb4378bafe3154b13e406583b92454
Verifying Hash Integrity ... crc32+ sha1+ OK

Loading fdt from FIT Image at 44000000 ...

Using 'config@mp03.1' configuration
Trying 'fdt@mp03.1' fdt subimage
Description: ARM64 OpenWrt qcom-ipq50xx-mpxx device tree blob
Type: Flat Device Tree
Compression: uncompressed
Data Start: 0x443930c4
Data Size: 56368 Bytes = 55 KiB
Architecture: AArch64
Hash algo: crc32
Hash value: f3f203c6
Hash algo: sha1
Hash value: aaf8ca7cc762ecd94d2b6308cd8387d733d084cc
Verifying Hash Integrity ... crc32+ sha1+ OK
Booting using the fdt blob at 0x443930c4
Uncompressing Kernel Image ... OK
Loading Device Tree to 4a3ef000, end 4a3ffc2f ... OK
Using machid 0x8040001 from environment

etc ...

compiled robi's ax9000 branch after a few mods; most are related to IPQ5018 not yet being in the kernel, therefore I copied the necessary code from qsdk to the kernel image on openwrt

not working yet -- boot log below

tftpb openwrt-ipq50xx-generic-xiaomi_ax6000-initramfs-fit-uImage.itb

IPQ5018# tftpb openwrt-ipq50xx-generic-xiaomi_ax6000-initramfs-fit-uImage.itb
Port1 Up Speed :1000M Full duplex
Port4 Up Speed :1000M Full duplex
eth0 up Speed :1000 Full duplex
Using eth0 device
TFTP from server 192.168.31.100; our IP address is 192.168.31.1
Filename 'openwrt-ipq50xx-generic-xiaomi_ax6000-initramfs-fit-uImage.itb'.
Load address: 0x44000000
Loading: *
Got TFTP_OACK: TFTP remote port: changes from 69 to 60772
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
##############################################
8.3 MiB/s
done
Bytes transferred = 9251464 (8d2a88 hex)
IPQ5018# bootm

Loading kernel from FIT Image at 44000000 ...

Using 'config@hk14' configuration
Trying 'kernel-1' kernel subimage
Description: ARM64 OpenWrt Linux-5.15.19
Type: Kernel Image
Compression: gzip compressed
Data Start: 0x440000e8
Data Size: 9207312 Bytes = 8.8 MiB
Architecture: AArch64
OS: Linux
Load Address: 0x41000000
Entry Point: 0x41000000
Hash algo: crc32
Hash value: 93386828
Hash algo: sha1
Hash value: 020f8f3b0ee29f02a7428c8566e37bdabcb1a7b4
Verifying Hash Integrity ... crc32+ sha1+ OK

Loading fdt from FIT Image at 44000000 ...

Using 'config@hk14' configuration
Trying 'fdt-1' fdt subimage
Description: ARM64 OpenWrt xiaomi_ax6000 device tree blob
Type: Flat Device Tree
Compression: uncompressed
Data Start: 0x448c8038
Data Size: 42249 Bytes = 41.3 KiB
Architecture: AArch64
Hash algo: crc32
Hash value: ea6f2f1e
Hash algo: sha1
Hash value: 2fca2832656203e3d240988d8ff013e2ed78c707
Verifying Hash Integrity ... crc32+ sha1+ OK
Booting using the fdt blob at 0x448c8038
Uncompressing Kernel Image ... OK
Loading Device Tree to 4a3f2000, end 4a3ff508 ... OK
Using machid 0x8040001 from environment

Starting kernel ...

Jumping to AARCH64 kernel via monitor

it gets stuck on the above ... will look at the "vanilla boot"; I'm assuming it is still getting the ax9000 parameters...

for those that want to look at qsdk (quickly) there is a good repo - https://github.com/Leo357449107/qsdk_cmiot-ax6 use the qsdk_12 branch ... just change the profile to ipq5018 & compile

however no wifi nor ethernet at the start

what can be the issue with the start of the kernel being stuck?

it loads the kernel from fit & fdt with the same parameters as qsdk and xiaomi? how to debug

There could be anything:

  • is serial port correct one?
  • did you use original .dts / .dtb extracted from firmware?
  • memory configuration and speed?
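
An added example, not part of any post in this thread: a small Python parser that compares the FIT parameters U-Boot printed in the stock boot log with those of the TFTP-booted build, so differences in configuration name, load address and device tree are visible at a glance. The log excerpts are copied from the two boot logs posted above; the function names are hypothetical.

```python
import re

# Excerpts from the two boot logs posted above (stock firmware, then the TFTP-booted build).
STOCK = """\
Loading kernel from FIT Image at 44000000 ...
Using 'config@mp03.1' configuration
Description: ARM64 OpenWrt Linux-4.4.60
Compression: lzma compressed
Load Address: 0x41080000
Loading fdt from FIT Image at 44000000 ...
Using 'config@mp03.1' configuration
Description: ARM64 OpenWrt qcom-ipq50xx-mpxx device tree blob
"""
CUSTOM = """\
Loading kernel from FIT Image at 44000000 ...
Using 'config@hk14' configuration
Description: ARM64 OpenWrt Linux-5.15.19
Compression: gzip compressed
Load Address: 0x41000000
Loading fdt from FIT Image at 44000000 ...
Using 'config@hk14' configuration
Description: ARM64 OpenWrt xiaomi_ax6000 device tree blob
"""

def parse_fit(log):
    """Return {'kernel': {...}, 'fdt': {...}} with the fields U-Boot printed per subimage."""
    out, cur = {}, None
    for line in log.splitlines():
        line = line.strip()
        m = re.match(r"Loading (\w+) from FIT Image", line)
        if m:
            cur = out.setdefault(m.group(1), {})
        elif cur is not None:
            m = re.match(r"Using '([^']+)' configuration", line)
            if m:
                cur["Configuration"] = m.group(1)
            elif ": " in line:
                key, val = line.split(": ", 1)
                cur[key] = val
    return out

def fit_diff(a, b):
    """List (subimage, field, value_a, value_b) for every field that differs between two boots."""
    pa, pb = parse_fit(a), parse_fit(b)
    return [(s, k, pa[s].get(k), pb[s].get(k))
            for s in pa if s in pb
            for k in sorted(set(pa[s]) | set(pb[s]))
            if pa[s].get(k) != pb[s].get(k)]
```

Calling `fit_diff` on full serial captures works the same way; lines before the first "Loading ... from FIT Image" marker are ignored.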

I understand that this router and CPU are not the priority right now, as stated by slh

However I would like to know if it's likely this router will eventually be supported in the next few years

This information can be crucial to people buying this router
I myself bought two routers running on IPQ5018 without thinking too much and now I am considering selling them and buying AX3600 that very likely is going to have official support

Thanks

I wouldn't bet on it, the device simply doesn't make any sense. The ipq8071a based ax3600 and the ipq8072a based ax9000 just steal its limelight from both directions; not to mention the already supported mt7622bv+mt7915 based ax3200. It doesn't help that barely any devices apart from this one are using the ipq50xx SOC, even support for the cheaper/more common ipq601x SOCs is probably quite a bit away (and financially ipq8071a is its fiercest competitor for those as well).
