Adding OpenWrt support for Xiaomi "Redmi Router AX6S"/"Xiaomi Router AX3200"

For Developers
1096

Hey, at first this is my very first Post in this Forum :slight_smile:

Today i receive two AX3200 (RB01) with the “netmode: 4” method i was able to enable telnet. So far so good. My Problem is now that i cant log in via Telnet, "Login incorrect"

i dont know what the Problem is, in this step: "python3 unlock_pwd.py <S/N>" i also tried the SN with the "/" and without the "/"

any Ideas?? thanks for helping :slight_smile:

1 Like
1097

Try "XMiR patcher" utility

1098

Without the <>, right?

1 Like
1099

glad to see confirmation that this method works, and really allow enable telnet for the devices with telnet disabled from factory :+1:

as mentioned above, you don't need to use <> characters. It should be like this python3 unlock_pwd.py 8585955754

1100

I was able to get root access with uart method RB01 FW 1.0.71.
Not sure how this was enabled, I was playing with different variables

but basically with

set uart_en 1
env save

Then I can see in logs

[    0.000000] Kernel command line: console=ttyS0,115200n1 loglevel=8 swiotlb=512 rootfstype=squashfs firmware=1 uart_en=1

Instead of sysupgrade openwrt I've just boot machine and hit enter and gain root access on serial console. :slight_smile:

Not sure, but I think on my machine sysupgrade leads to bricking so I will be trying to use factory.bin instead of sysupgrade method.

1101

at first, i dont type the <> characters.. i try the netmode method again and now it works..

but only with one device at the time, for the second device i have to reset with the button, after that telnet is disabled again on the first device. But i want of course enable telnet on both devices..

1102

if you will be able to enable telnet for both devices using “netmode: 4” method, please share the details that would be useful to add/update in the ax3200 wiki page.

1103

I tried to dump the same partition from original firmware and from OpenWrt and got interesting results.

Original:

00000000: 2276 0200 8cde f9bf affa 0000 0000 0000  "v..............
00000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000030: 0000 0000 4400 0020 0000 0000 1000 2000  ....D.. ...... .
00000040: 0000 4400 0400 0000 0000 0000 0000 0000  ..D.............
00000050: 2000 00b3 40b6 c3c3 2600 0082 41c4 26c1   ...@...&...A.&.
00000060: c100 41c4 26c1 0000 c0c5 2600 8182 0000  ..A.&.....&.....
00000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000b0: 0000 0000 0000 0000 0000 0000 0000 c4c4  ................
000000c0: c3c3 c2c1 00c3 00c3 0082 8282 85c2 c2c2  ................
000000d0: 8282 8282 0000 0000 0000 0000 0000 0000  ................
000000e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000f0: 8600 2e00 a000 cb87 8b00 0000 0000 0000  ................
00000100: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000110: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000120: 0b00 0009 0000 0000 0000 0000 0000 0000  ................
00000130: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000140: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000150: 0000 0000 0000 0000 0000 0000 0000 7707  ..............w.
00000160: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000170: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000180: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000190: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000200: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000210: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000220: fa00 fc9d fa00 fd9c fb00 fd9d fa00 fc9d  ................
00000230: 885f 386f 5532 a971 4200 0000 0000 0000  ._8oU2.qB.......
00000240: 0000 0000 0000 0000 0000 0000 0000 0000  ................
...

OpenWrt 22.03.2/kernel 5.10.146:

00000000: 2276 2276 0200 8cde f9bf affa 0000 0000  "v"v............
00000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000030: 0000 0000 0000 4400 0020 0000 0000 1000  ......D.. ......
00000040: 2000 0000 4400 0400 0000 0000 0000 0000   ...D...........
00000050: 0000 2000 00b3 40b6 c3c3 2600 0082 41c4  .. ...@...&...A.
00000060: 26c1 c100 41c4 26c1 0000 c0c5 2600 8182  &...A.&.....&...
00000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000c0: c4c4 c3c3 c2c1 00c3 00c3 0082 8282 85c2  ................
000000d0: c2c2 8282 8282 0000 0000 0000 0000 0000  ................
000000e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000f0: 0000 8600 2e00 a000 cb87 8b00 0000 0000  ................
00000100: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000110: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000120: 0000 0b00 0009 0000 0000 0000 0000 0000  ................
00000130: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000140: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000150: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000160: 7707 0000 0000 0000 0000 0000 0000 0000  w...............
00000170: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000180: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000190: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000200: f8ff 0000 0000 0000 0000 0000 0000 0000  ................
00000210: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000220: 0000 fa00 fc9d fa00 fd9c fb00 fd9d fa00  ................
00000230: fc9d 885f 386f 5532 a971 4200 0000 0000  ..._8oU2.qB.....
00000240: 0000 0000 0000 0000 0000 0000 0000 0000  ................

It looks like OpenWrt's kernel reads all data with 2-byte offset and also duplicates the first pair of bytes.

Dump of another partition from OpenWrt confirms the duplication:

00000000: 424f 424f 4f54 4c4f 4144 4552 2100 5630  BOBOOTLOADER!.V0
00000010: 3036 4e46 4949 4e46 4f00 0000 0008 0500  06NFIINFO.......
00000020: 4000 4000 0008 1000 1600 0000 0000 0000  @.@.............
00000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000060: 0000 0000 0000 b111 3964 db22 23de c524  ........9d."#..$
00000070: e5fe 2c7f bad0 2aba e5b2 2e08 0141 f124  ..,...*......A.$
00000080: 0000 424f 4f54 4c4f 4144 4552 2100 5630  ..BOOTLOADER!.V0
00000090: 3036 4e46 4949 4e46 4f00 0000 0008 0500  06NFIINFO.......
000000a0: 4000 4000 0008 1000 1600 0000 0000 0000  @.@.............
...

Any ideas on what may cause this and how to fix this?

1105

Try snapshot with kernel 5.15: https://downloads.openwrt.org/snapshots/targets/mediatek/mt7622/

1106

dmesg contents are different with 5.15, but it still fails:

...
[    0.717858] mtk-ecc 1100e000.ecc: probed
[    0.722698] spi-nand spi0.0: ESMT SPI NAND was found.
[    0.727792] spi-nand spi0.0: 128 MiB, block size: 128 KiB, page size: 2048, OOB size: 64
[    0.735902] mtk-snand 1100d000.spi: ECC strength: 4 bits per 512 bytes
[    0.845161] nand: found bad block 0x1
[    0.849236] nand: found bad block 0x4
[    0.853165] nand: found bad block 0x6
[    0.856959] nand: found bad block 0x7
...

Full log: https://gist.github.com/im-0/16bebce2976b421755dd577a80c1cd15

1107

hi,@remittor , i'm trying to help a friend to flash the device, with your exploit, but he get this error:
ERROR: It is necessary to reorganize the device into "whc_cap" mode!
not sure what that means?
he only have one device, will this work?

1108

You need a second Xiaomi router (with Mesh) to switch to whc_cap mode.

1 Like
1109

thanks, so i ll flash it with uart

1110

MTK wifi drivers for 22.03.2 https://mega.nz/folder/eYFzkCLZ#iVPXwKfTDVCv1HirtduzAg

6 Likes
1111

i noted that 2.4 ghz radio does not scan from web interface, mabie we need fix that in luci-app-mtkwifi?

1112

thanks for sharing, used 22.03.2, I see some errors in logs:

  254.561587] wb_sys 18000000.wmac: Direct firmware load for mt7622_patch_e2_hdr.bin failed with error -2
[  254.576471] wb_sys 18000000.wmac: Falling back to sysfs fallback for: mt7622_patch_e2_hdr.bin

Are these error critical?
Any special configuration is needed after install file with opkg, because I see wifi on the list, but can't connect and receive ip.

1113

Greetings to all.
Since kernel version 5.15.72 don't work the monitor mode in WiFi drivers.
(iw phy phy0 interface add mon0 type monitor)
The last working kernel is 5.15.71. Does anyone know what the reason is?
Thanks.

1 Like
1114

i'm trying to improve this device,and i 'm on the right way, i have made luci app mtkwifi way better, now mt7622 is able to scan and find other networks, also now we have a the list of connected station and the level/signal . but i'm tired to open the case every time i make a little mistake to flash back openwrt. does anybody know a way to tftp openwrt when the device is softbricked?
the reason of my softbrick is that sometime i need touch the dts

1115

Greetings,

Just flashed 22.03.2 using the UART flash method from https://github.com/mikeeq/xiaomi_ax3200_openwrt
Use 4 x 10cm Breadboard Jumper Cables with the plastic tip removed - work a charm as I did not have to open the case.
image

image
image1920×2541 424 KB

Used Tiny PXE Server on Win 10 to do the flashing.

All good so far.
Thanks everyone.

1 Like
1116

I think uboot would need to be modified to be able to achive that.