Adding OpenWrt support for Xiaomi "Redmi Router AX6S"/"Xiaomi Router AX3200"

Yeah, about that... I'm changing the layout YET AGAAAAAAIN. :partying_face:

So don't sysupgrade from new images you build, if you're following my branch.

I really need to stop waffling between partition layouts. If you're on an older image built after I push yet another indecisive partition/image change (4mb kernel and a ubifs straight after), you'll probably have to mtd write the factory.bin in order not to soft-brick. Or better yet just go back to stock and start from the beginning.

The problem being that depending on that old beta image is a bit :thinking: , since Xiaomi could in theory go around waving the takedowns, in true hypocritical manner.

Bit of an oopsie for that image to leak though. They probably shouldn't have signed it with the same key, but then they wouldn't be able to upgrade their test users to full version.

Feels bad for the AX3200 buyers though. I don't think anyone would be looking too hard for a way in on their images anymore.

Anyway, how do we feel about these installation instructions for the AX6S? I avoided linking directly to the whole password calculator and leaked image though, as it would be pretty hard to guarantee keeping those both up somewhere.

I did however do a run-through from the stock image with these instructions and it worked, so it should be the last time... Probably...

Installation:
    1. Flash stock Xiaomi "closed beta" image labelled
    'miwifi_rb03_firmware_stable_1.2.7_closedbeta.bin'.
    (MD5: 5eedf1632ac97bb5a6bb072c08603ed7)
    
    2. Calculate telnet password from serial number and login
    
    3. Execute commands to prepare device
    nvram set ssh_en=1
    nvram set uart_en=1
    nvram set boot_wait=on
    nvram set flag_boot_success=1
    nvram set flag_try_sys1_failed=0
    nvram set flag_try_sys2_failed=0
    nvram commit
    
    4. Download and flash image
    On computer:
    python -m http.server
    On router:
    cd /tmp
    wget http://<IP>:8000/factory.bin
    mtd -r write factory.bin firmware
    
    Device should reboot at this point.

It's probably a bit presumptive with only putting the python3 http.server in there, but on the other hand it is 2022...

2 Likes
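A check that fits before the `mtd -r write` in step 4 of the instructions above, since the image travels over plain HTTP. This is an added example, not part of the original post or of OpenWrt. The helper name `verify_image` and the SHA-256 placeholder are assumptions, and `md5sum`/`sha256sum` are assumed to be available on both machines.

```shell
#!/bin/sh
# Added example (not from the thread): refuse to flash an image whose digest
# does not match. verify_image is a hypothetical helper name.
# Assumes md5sum and sha256sum exist (coreutils or busybox applets).
# Returns 0 on match, 1 on mismatch, 2 on bad arguments.
verify_image() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "verify_image: no such file: $file" >&2
        return 2
    fi
    case $expected in
        ''|*[!0-9a-f]*) echo "verify_image: digest is not hex" >&2; return 2 ;;
    esac
    # Pick the tool from the digest length: 32 hex chars = MD5, 64 = SHA-256.
    case ${#expected} in
        32) tool=md5sum ;;
        64) tool=sha256sum ;;
        *)  echo "verify_image: unsupported digest length" >&2; return 2 ;;
    esac
    # Read via stdin so odd file names cannot change the output format.
    actual=$("$tool" < "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK ($tool): $file"
        return 0
    fi
    echo "MISMATCH ($tool): $file is $actual, expected $expected" >&2
    return 1
}

# On the computer, before step 1 (MD5 as given in the instructions; MD5 only
# catches a wrong or corrupted file, it is not collision resistant):
#   verify_image miwifi_rb03_firmware_stable_1.2.7_closedbeta.bin \
#       5eedf1632ac97bb5a6bb072c08603ed7
# On the router, in step 4 (digest placeholder: run sha256sum on the build host):
#   verify_image /tmp/factory.bin <SHA256_FROM_BUILD_HOST> &&
#       mtd -r write /tmp/factory.bin firmware

# Constructed demo input: an empty file, whose MD5 is the well-known d41d8...
demo=$(mktemp)
: > "$demo"
verify_image "$demo" d41d8cd98f00b204e9800998ecf8427e
rm -f "$demo"
```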

Will mtd write work for routers flashed with the old images (single or 2 image)?

Just one thought


Most other device instructions that I’ve seen, after enabling ssh use SCP to copy the files over.

Would including the “setting ssh password” and then SCPing be better I wonder if only for consistency?

---
The last update because I noticed the main OpenWRT commit has old instructions in first post vs PR branch.

Amazing result.

Which client was used? How many streams?

Thanks @panton...

You can set it via nvram set "boot_fw1=run boot_rd_img;bootm" && nvram commit
or via uboot

That was the piece I was concerned about, the ability to set it from OpenWRT. I didn't want to get into a situation where I needed to crack the case and go back to UART to change something in uboot.

Feels bad for the AX3200 buyers though. I don't think anyone would be looking too hard for a way in on their images anymore.

It makes me wonder if the availability of the test was deliberate. Keeping people from looking too hard sounds like a great way to keep known issues from being found. I'm thinking of the ~2013 backdoor debacle with Cisco Linksys D-Link + + +.

Should nvram set "boot_fw1=run boot_rd_img;bootm" be in those instructions for RB03 users?

1 Like

Hmm. I've just flashed latest @namidairo ax6s branch (mtd factory.bin via previous OpenWRT firmware).
It looks like configuration is persistent now, I did several config changes and reboots.

upd: eth mac address is also correct now

1 Like

Yes, I have an RB03, and need to do this.

Could you describe the patch in detail? So others can easily write and apply a similar patch on some third party sources like lede for extra plugins needed.
Respect. :smiley:

As written: AX200. Can you point me to some documentation where I can find out how many streams, etc?

ax200 is 2x2, so 2 streams. https://www.intel.com/content/www/us/en/products/sku/189347/intel-wifi-6-ax200-gig/specifications.html check the RX/TX spec.

The router is 4x4.

1 Like

That means the Wifi speed is limited by the 1 Gbits uplink. Probably it won't help to aggregate multiple links since the internal switch is 1 Gbits only, right?

As I understand, the internal switch is 2.5Gbits. If anyone cares to correct me, by all means...

Built a new image with the latest partition changes and flashed it with

    mtd -r write factory.bin firmware

on a router that had the previous single image setup on it.

Works and it keeps the settings this time around.
Great job @namidairo

I need to switch this router for the one I have with 2 images and test it out as well.

For anyone needing a rich openwrt image with SQM, PPPOE, Adblock, kernel modules etc, you can get the images here:

https://drive.google.com/drive/folders/1fp9PLvn5__fD0Nn_99y-PaIOI66q-r43

I still have the 2 images version. I would like to know if writing single image will corrupt my router.
Also, what is the procedure to flash stock firmware?

Has anyone tried to do sysupgrade on the image built with the latest @namidairo changes?

It's failing for me, but the router safely restarts to the OpenWRT.

    root@OpenWrt:/tmp/xiaomi_openwrt_images# sysupgrade -u -n sysupgrade.bin
    Invalid sysupgrade file.
    Sun Mar 6 15:51:18 UTC 2022 upgrade: Commencing upgrade. Closing all shell sessions.
    Command failed: Connection failed
    root@OpenWrt:/tmp/xiaomi_openwrt_images# Connection to 192.168.1.1 closed by remote host.

mtd -r write factory.bin firmware executed on the OpenWRT version with the previous partition layout worked like a charm :wink:

Is this after the initial mtd write of the new image?

@mikeeq, it did not work for me. I thought it was just me because I've been all over the map with images and builds in the past 24 hours.

I went back to using @panton GD5F1GQ5xExxG-sysupgrade image.

@cenzor, I have the 2 image RB03. After a lot of exploration & attempts trying different images, sequences, partitions, and recovery to stock, I would say it is very hard to permanently corrupt your router by following the most common instructions floating around. Recovery always seems possible but there is no such thing as zero risk. That being said, I would say UART access is a must. A change is required to boot from the first image, not the second (which is default). Recovery does not appear to change this back when reverting to stock. (Meaning if your first image/openwrt is bad, recovery will still not work as it will never boot into the recovered xiaomi image.) Having UART access solves this by allowing you to boot the right image and/or change the boot settings back to original.

I think I found the culprit. I'll update soon.