Adding OpenWrt support for Xiaomi "Redmi Router AX6S"/"Xiaomi Router AX3200"

This hack looked easy but turned out to be very hard even for me, who had soldering and programmer experience.
I have purchased Chinese RB03 (1.0.13) version of router, purchased CH341A programmer (without 3.3v data-pins mod yet), soldered the wires and ... failed.

Right now I can read nand data but it contains data AND OOB chunks. OOB chunks make it impossible to calculate CRC-32.
Does anybody know how to disable OOB data in a dump made by Snander ?
I see @zfgeng had same problem and (probably) gave up haha.
I tried raw dump (-d), -I - nothing helps.
This looks like this -

I gave up on trying to be fancy with the imaging.

Just a big fat fit image with squashfs is so much leaner on the changes. 105mb for packages.

I succeeded,.. You should modify the crash partition and entery the factory mode. In the factory mode, telnet will be forced to be enable. Also you can login without password!

@zfgeng you have used method to make it without reading and modifying CRC-32, so you failed with that like me. I just want to clarify that snander-modify-crc32 instructions do not work at all. I tried to cut OOB data from the dump, but I failed with that too, OOB chunks locations are not consistent and I think it is programmer problem (or I just don't understand nand good enough).

You cannot delete the oob data directly. At the beginning, I did the same as you did. After flashing the nand, the data of the bdata partition could not be recognized. Later, I tried to dump the nvram partition data separately, delete the oob data, fill it with 0000, and calculate that the crc32 exactly matches the original data, so I set the parameters such as ssh and telnet, and recalculated the correct crc32 value. , and record it. I re-copied a copy of the original nvram partition data, directly modified the parameters and crc32 without deleting the oob data, and finally flash it! After the router reboot ,I modified wifi settings, the nvram partition crc32 is auto recalculated, and the data of telnet_en=1 and uart_en=1 are preserved.

@zfgeng thank you! Removing that nasty OOB chunks at the exact location helped calculating CRC-32. I got telnet and root, but this is not for the faint of heart :slight_smile:

Small guide to help newbies:

  1. dump first 0x200000 bytes of nand in raw mode:
    snander.exe -d -l 0x200000 -r dump.raw

  2. open hex editor and Find "ssh_en", there are multiple locations, look for the second one, it should be after 0x180000, in my case it was 0x195000. Locate start of this block (multiple of 0x22000). Let's suppose it starts at START

  3. Save block starting from START length 0x22000 into to two files - block.raw and fix.raw, yes, two copies
    3.1) Open block.raw and fill with zero everything starting from 0x200 length 0xffff to clear those nasty OOB chunks (OOB is internal nand error correction data, don't bother with it)

  4. Now you can calculate CRC-32 of a block starting from 0x4 and length 0xfffc, it should match to initial CRC-32 written at the beginning (look other guide up there if you don't understand)

  5. If CRC-32 matches you can continue (remember the order of bytes, it is reversed). Change telnet_en=0 to telnet_en=1

  6. recalculate CRC-32 checksum and remember it

  7. now open fix.raw, because you need those nasty OOB chunks again ...

  8. modify this fix.raw dump from telnet_en=0 to telnet_en=1 and write that new calculated CRC-32 checksum to the beginning (warning - order of bytes is reversed). Save file.

  9. use snander to write fix.raw into START location on your nand like this:
    erase block:
    snander.exe -e -d -a START -l 0x22000
    write new data:
    snander.exe -d -a START -l 0x22000 -w fix.raw

  10. start router, you got telnet

  11. use python script up there to calculate root password from serial

1 Like

I followed the instructions of the latest commit message to flash OpenWRT on my AX 3200 (RB01 with Telnet) using the .sysupgrade from Adding OpenWrt support for Xiaomi "Redmi Router AX6S"/"Xiaomi Router AX3200" - #134 by thorsten97

root@XiaoQiang:/tmp# nvram set flag_boot_success=1
root@XiaoQiang:/tmp# nvram set flag_try_sys1_failed=0
root@XiaoQiang:/tmp# nvram set flag_try_sys2_failed=0
root@XiaoQiang:/tmp# mtd -r write sysupgrade.bin firmware
Unlocking firmware ...

Writing from sysupgrade.bin to firmware ...
Rebooting ...
Connection to closed by remote host.
Connection to closed.

However, now just the orange LED lights up. I can only get the Ethernet interface working when I hold down "RESET" at power on. Do you have any suggestion how to proceed? eg. what image for recovery via TFTP?

Would be glad if you could give me a hint.

I think you forgot to rebase before building your fork.

here it says that you need a t least this one commit from master, but I just rebased when building.

@thorsten97 build is made so you have to flash both firmware, firmware1 and overlay. It's not the build using a single partition. You need to step back and write all 3 partitions in order for it to work

1 Like

Hi, I have a ax3200 router with telnet enable. I get telnet password from with SN of my router. Then, I enable SSH as describe in
I download de firmware of @thorsten97. On the first try, I bricked the router and had to recover it via tftp.
I can see three files. I upload factory.bin and rootfs.ubi to router and I have executed the following commands:

mtd write factory.bin firmware
mtd write factory.bin firmware1
mtd write -r rootfs.ubi overlay
File sysupgrade.bin not used. 
With this, the router stay on orange light and no boot up. How do I have to do it to make it work?

Hey @jupesag,
what image have you used to unbrick the router? Are you using the xiaomi recovery tool? Was telnet still activated after recovery?

Strange, Iā€™m my case it worked ā€¦
I can try to build new images tomorrow and test them before.

Yeah I used your image on a fresh router just yesterday and it worked. We did had to sysupgrade from cli after the reboot tho.

Makes sense,
I just attached a serial console. to see what's going on:

[PART] load "lk" from 0x00000000000C0200 (dev) to 0x41E00000 (mem) [SUCCESS]
[PART] load speed: 16581KB/s, 356560 bytes, 21ms
load lk (ret=0)
[PART] Image with part header
[PART] name : atf
[PART] addr : FFFFFFFFh mode : -1
[PART] size : 57936
[PART] magic: 58881688h

[PART] load "tee1" from 0x0000000000080200 (dev) to 0x43000DC0 (mem) [SUCCESS]
Erasing NAND...
[mtk_nand_erase_hw] mtk_nand_erase_hw @4249, ret:0x40. page:0x280
Erasing at 0x140000 -- 100% complete.
Writing to NAND... OK
Booting System 0

NAND read: device 0 offset 0x2c0000, size 0x2000
 8192 bytes read: OK
[do_read_image_blks] Image format error,neither FIT image nor old image.
Bad Magic Number.

NAND read: device 0 offset 0x2c0000, size 0x0
 0 bytes read: OK
bootm flag=0, states=70f
Wrong Image Format for bootm command
ERROR: can't get kernel image!

Unfortunately, the second option of the bootloader (boot firmware 1) also doesn't work, so I cannot reflash the remaining necessary partitions. So from what I've read, the next convenient option would be to recover a firmware via TFTP. Does anyone have a suggestion what FW to use with TFTP to recover without locking myself out from installing OpenWRT (telnet blocked, etc.)?

Those instructions are only for the single firmware partition builds...

You have serial console attached, go to the u-boot console and use tftpboot with an initramfs image.

1 Like

Success! I built the images myself and was able to install the image via the commands provided in your commit message. Thank you for the support.

you can re-generate the ecc data with mtk NAND_ECC_TOOL, which can be found in mtk-sdk:

for example:
make nvram.bin without ecc data, pad nvram.bin to 256K(2 blocks), then use sbch tool to generate ecc data:

# pad nvram.bin to 256K(2 blocks)
./sbch h 1Gb_2K_64 nvram.bin nvram.pad 0 0 2

# page size 2K, oob size 64b, for ESMT F50L1G41LB
./sbch e 1Gb_2K_64 nvram.pad nvram.ecc 0 0 0

# page size 2K, oob size 128b, for GD5F1GQ5UEYIG
./sbch e 1Gb_2K_128 nvram.pad nvram.ecc 0 0 0
1 Like

Did you build a new sysupgrade? thanks

Hi, the image that I used is this
You must set the ip address on your pc, and you can use Xiaomi Recovery Tool.
If you use other tftp software, you need rename the firmware by C0A81F02.img and setup dhcp server with

1 Like

also bricked mine :rofl: give me some time ...