Likewise... I can attempt it later on today, in a few hours.
3 Likes
I flashed @namidairo 's single image. Well, not his image, rather I compiled one from his ax6s branch directly, and flashed the sysupgrade.bin to firmware on a fresh router and it works.
I'm building a rich image now if you guys want I'll link it.
During the next days I'll try to upgrade from the old way to the new one.
I'll keep you posted.
So I've recovered my AX3200 from brick using TFTP (Xiaomi recovery tool) and I've used 1.0.50 fw for that (1.0.71 factory FW) and whenever I was trying to flash any openwrt image it was coming back to stock after a restart...
Then I decided to flash my original FW 1.0.71, restored to factory settings, did the initial setup once again and then whenever I tried flashing openwrt - it worked ¯_(ツ)_/¯ ...
I've already tested my image and it's working, so I will rebuild it with luci and I will let you know when it's ready.
1 Like
I've just bricked my router 
I use macbook, so I can't use xiaomi repair tool. I've connected via uart and i'm trying to use tftpboot but there is some issue
Bytes transferred = 17957820 (11203bc hex)
get filesize 0x11203bc
Automatic boot of image at addr 0x4007FF28 ...
bootm flag=0, states=70f
Wrong Image Format for tftpboot command
ERROR: can't get kernel image!
Update: looks like it worked with openwrt firmware instead of stock
1 Like
Nice! Which image did you use?
I still trying to make it work. I can boot namidairo's initramfs-kernel via tftpboot.
I used mikeeq repo and his guide.
root@OpenWrt:~# cat /proc/mtd
dev: size erasesize name
mtd0: 00080000 00020000 "Preloader"
mtd1: 00040000 00020000 "ATF"
mtd2: 00080000 00020000 "u-boot"
mtd3: 00040000 00020000 "u-boot-env"
mtd4: 00040000 00020000 "bdata"
mtd5: 00080000 00020000 "factory"
mtd6: 00040000 00020000 "crash"
mtd7: 00040000 00020000 "crash_log"
mtd8: 07300000 00020000 "firmware"
How can I flash openwrt the right way now?
Some logs at boot
[ 3.932802] mt7530 mdio-bus:00: Link is Up - 2.5Gbps/Full - flow control rx/tx
[ 3.936307] mtk-snand 1100d000.snfi: ECC: Uncorrectable bitflips in page 32128 sect 0
[ 3.950617] mtk-snand 1100d000.snfi: ECC: Uncorrectable bitflips in page 32128 sect 1
[ 3.958453] mtk-snand 1100d000.snfi: ECC: Uncorrectable bitflips in page 32128 sect 2
[ 3.966285] mtk-snand 1100d000.snfi: ECC: Uncorrectable bitflips in page 32128 sect 3
[ 3.974109] UBI error: unable to read from mtd10
[ 3.979459] /dev/root: Can't open blockdev
[ 3.983549] VFS: Cannot open root device "(null)" or unknown-block(0,0): error -6
[ 3.991029] Please append a correct "root=" boot option; here are the available partitions:
[ 3.999383] 1f00 512 mtdblock0
[ 3.999385] (driver?)
[ 4.005912] 1f02 256 mtdblock1
[ 4.005914] (driver?)
[ 4.012437] 1f04 512 mtdblock2
[ 4.012439] (driver?)
[ 4.018971] 1f06 256 mtdblock3
[ 4.018972] (driver?)
[ 4.025499] 1f08 256 mtdblock4
[ 4.025501] (driver?)
[ 4.032024] 1f0a 512 mtdblock5
[ 4.032026] (driver?)
[ 4.038552] 1f0c 256 mtdblock6
[ 4.038554] (driver?)
[ 4.045080] 1f0e 256 mtdblock7
[ 4.045081] (driver?)
[ 4.051604] 1f10 30720 mtdblock8
[ 4.051606] (driver?)
[ 4.058132] 1f12 30720 mtdblock9
[ 4.058134] (driver?)
[ 4.064660] 1f14 56320 mtdblock10
[ 4.064662] (driver?)
[ 4.071270] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
[ 4.079524] SMP: stopping secondary CPUs
[ 4.083441] Kernel Offset: disabled
[ 4.086920] CPU features: 0x0000002,04002004
[ 4.091179] Memory Limit: none
[ 4.102862] Rebooting in 1 seconds..
mtd -r write sysupgrade.bin firmware
Should work just fine. I've already started a build with Luci backed-in, so it should be available in the releases section in 40mins 
Doesn't work, same boot log. Tried your sysupgrade and namidairo's
I have rb03
I've been following this thread for a while and just received my ax6s from aliexpress just this morning so the timing here couldn't have been better for me. I can confirm that telnet came disabled with the out of box 1.0.35 firmware. I have flashed to the image provided by @YangWang and I am able to telnet into the router now using the above provided root password generation tools.
I find it interesting that both http://192.168.31.1/cgi-bin/luci/api/xqsystem/bdata and http://192.168.31.1/cgi-bin/luci/api/xqsystem/fac_info list telnet as not enabled.
3 Likes
I think I did something wrong by this cmd...
mtd write -r rootfs.ubi overlay
Indeed flashing that 1.2.7 firmware enables telnet on my RB03! Nice!
I didn't have time to do anything beyond checking if telnet was enabled, but I'm sure the login and the rest will be just fine.
3 Likes
Yup, just adding a third confirmation here. Flashing 1.2.7 from @YangWang's github site enabled telnet just fine.
3 Likes
That is good news!
Only issue now is for RB01 (global) units that comes with telnet disabled.
I hope we find an internal test firmware from Xiaomi that does the same for RB01. Much easier than using a flash programmer or try to find an exploit.
I'm having good vibes about this device, this can potentially be one of the most common OpenWRT AX device (behind RT3200/EA8450).
1 Like
And just to follow up on this, I was able to use telnet to successfully enable ssh, uart, etc. based on @namidairo's guide and then I was also able to build an image based on his PR and flash it onto my device successfully. It is now running OpenWRT 
3 Likes
Updated Readme and a build with Luci preinstalled is released.
Thanks everyone!
EDIT: Does anyone else has an issue when using namidairo's latest build from google drive that whenever you save the settings, i.e. wireless and do the reboot, the settings are not restored after the device restart? (only shadow/passwd files seems to be properly saved/restored after a restart, as I can still use my previously set root password, but all modifications made in files in /etc/config/ seem to disappear)
root@OpenWrt:~# logread | grep -i jffs
Wed Feb 16 02:32:52 2022 kern.info kernel: [ 0.039456] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
Wed Feb 16 02:32:59 2022 daemon.err mount_root: no jffs2 marker found
Wed Feb 16 02:33:00 2022 kern.notice kernel: [ 20.293433] jffs2: notice: (3135) jffs2_build_xattr_subsystem: complete building xattr subsystem, 8 of xdatum (0 unchecked, 1 orphan) and 9 of xref (1 dead, 0 orphan) found.
Wed Feb 16 02:33:00 2022 daemon.err mount_root: failed to sync jffs2 overlay
I've tried to reset the jffs2 by executing umount /overlay && jffs2reset && reboot now but after the reboot the issue persists.
1 Like
Yea, i've been hitting my head with that for the past 3 hours, just found the issue. If you do mtd write from openwrt, you need to do a sysupgrade -u after reboot with the same bin file After that, it'll work.
1 Like
@mikeeq, the latest readme doesn't appear to work on my RB03. Possibly the same issue as @panton.
After the "mtd -r write sysupgrade.bin firmware" reboot, it is still xiaomi.
I will troubleshoot/try different things later today, but wanted to give a heads-up.
So, I've successfully used dev firmware to get telnet on my RB03 (GD5F1GQ5UEYIG flash)
My first try was: older @mikeeq guide with mtd write -r rootfs.ubi overlay command.
Firmwares:
- New (v20220303) @mikeeq guide and firmware.
- @namidairo firmware from Google Drive (afaik)
- My own build from @namidairo ax6s branch
Tried to flash them using:
- Dev firmware
- initramfs loaded (tftpboot)
It kinda works after sysupgrade -u, but I only have 2.4G radio available and I need to manually choose firmware to boot via UART
firmware0 boot after flash via dev firmware:
NFI, flag byte: ff NFI, flag byte: ff NFI, This page is empty!
[mtk_nand_exec_read_page]mtk_snand_check_bch_error() FAIL!!!
[mtk_snand_check_bch_error] ECC-U, PA=2532, S=0
[mtk_snand_check_bch_error] ECC-U, PA=2532, S=1
[mtk_snand_check_bch_error] ECC-U, PA=2532, S=2
[mtk_snand_check_bch_error] ECC-U, PA=2532, S=3
OpenWRT initramfs bootlog
https://pastebin.com/FnkVMmCU
You probably haven't selected the right driver for the 5G radios.
@namidairo any chance you have a non release firmware for RB01 to share with us?