Adding OpenWrt support for Xiaomi "Redmi Router AX6S"/"Xiaomi Router AX3200"

gbenamy · January 27, 2022, 6:44pm

Now it is trying to push 1.0.71

Version 1.0.71 2022.1.19

Xiaomi Router AX3200

What's New

New supported languages for web management page: Czech, Greek, Polish, Serbian, Swedish, Hungarian, Romanian
Fixed the problem: after enabling WPA3 encryption, some devices could not be connected

gbenamy · January 27, 2022, 6:55pm

Need to order the Chinese version and sell this one

remittor · January 28, 2022, 4:43am

Why did you make it so complicated?
I suggested that you make one image that would contain the kernel and rootfs.
Did I offer a bad option?
My version simplifies everything and provides more NAND space for data.

PS. My variant: https://github.com/openwrt/openwrt/pull/4810#discussion_r771177210

quibo · January 28, 2022, 8:04pm

Until now I only flashed a redmi router over scp. Now I want to have an ax Router with OpenWRT, but I am little bit confused about the steps I have to do for flashing an AX6s router.

Therefore, I want to ask, if the following steps are correct:

Buy a China version of the AX6S Router
Buy a CH341A Programmer
Dump the firmware from the Router with the CH341A Programmer
Edit the dump with a HEX Editor to activate telnet, ssh, uart according to the description of cliobrando
Flash the edited file on the memory of the router
Connect a UART-USB Converter to the Router
Make a tftp boot with the file «openwrt-mediatek-mt7622-xiaomi_redmi-router-ax6s-initramfs-recovery.itb»
Connect to luci and install the image file «openwrt-mediatek-mt7622-xiaomi_redmi-router-ax6s-squashfs-factory»

Is that correct?

sumo · January 28, 2022, 8:26pm

You just need the right clip.

https://www.aliexpress.com/item/1005001633856995.html

Rongrong · January 29, 2022, 7:52am

OK, but, you still need to cut the VCC on the PCB. After that, re-connecting it still need some soldering (or use a silver conductive pen? I won't try).

PS: With a special solder tip, you can (de)solder the chip easily even if you don't have a heat gun.

PolynomialDivision · January 29, 2022, 12:47pm

Which Pin Version?

Rongrong · January 29, 2022, 1:18pm

WSON-8 (8*6mm)

sumo · January 29, 2022, 1:18pm

Disclaimer: I do not own an AX6S as of yet.

If I'm not mistaken it's an 8-pin 8x6mm WSON package. And whether or not it's VCC needs to be cut for this to work depends on various factors. That said, I know that such clips/needles work just fine on a bunch of other similar devices without the need of cutting/lifting any VCC. But then, yeah, on others it just won't...

blackzafiqz · February 1, 2022, 7:35pm

Hello, my device has telnet_en=1, so I tried to flash using telnet but it won't boot up. I already tried your build and also mine but still the same. Can you confirm my steps is correct?

connect to telnet
nvram set uart_en=1;nvram commit;reboot
mtd flash ???_factory.bin firmware
mtd flash ???_factory.bin firmware1
mtd flash ???_rootfs.??? rootfs
reboot

exponentialverteilt · February 8, 2022, 1:31pm

I'm also interested.

thorsten97 · February 11, 2022, 9:33am

Using this on my AX3200 (the international version of AX6S which comes with telnet enabled)

github.com/openwrt/openwrt

[WIP] mediatek: Add support for Xiaomi Redmi Router AX6S

openwrt:master ← namidairo:ax6s

opened 11:40AM - 01 Dec 21 UTC

namidairo

+406 -1

mediatek: Add support for Xiaomi Redmi Router AX6S Also known as the …"Xiaomi Router AX3200" in western markets. SoC: MediaTek MT7622B RAM: DDR3 256 MiB (ESMT M15T2G16128A) Flash: SPI-NAND 128 MiB (ESMT F50L1G41LB) WLAN: 2.4/5 GHz 4T4R 2.4 GHz: MediaTek MT7622B 5 GHz: MediaTek MT7915E Ethernet: 4x 10/100/1000 Mbps Switch: MediaTek MT7531B LEDs/Keys: 2/2 (Internet + System LED, Mesh button + Reset pin) UART: Marked J1 on board VCC RX GND TX, beginning from "1". 3.3v, 115200n8 Power: 12 VDC, 1.5 A Notes: Ethernet mac addresses exist in both u-boot-env and bdata Only u-boot-env is used here. Installation: 1. Complete initial device setup 2. Login to device and make requests to endpoint http://<PLACEHOLDER1><COMMAND> Replacing the <stok> with the session token from your login, and the <COMMAND> with the following commands to "unlock" the device. nvram set ssh_en=1 nvram set uart_en=1 nvram set boot_wait=on nvram commit sed -i '/flg_ssh.*release/ { :a; N; /fi/! ba };/return 0/d' /etc/init.d/dropbear (Replace <PASSWORD> below with desired password do not execute this line) echo -e “<PASSWORD>/n<PASSWORD>” | passwd root /etc/init.d/dropbear enable /etc/init.d/dropbear start 3. Login to the device over ssh with root and the password chosen 4. SCP the images over to /tmp 5. 'mtd write factory.bin firmware', 'mtd write factory.bin firmware1', 'mtd write -r rootfs overlay' Device should reboot at this point. Reverting to stock: Typical Xiaomi tftp that accepts their signed images. Triggered by holding reset pin on powerup. A simple implementation of this would be via dnsmasq's dhcp-boot option or using the vendor's (Windows only) recovery tool available on their website. Signed-off-by: Richard Huynh <voxlympha@gmail.com> TODO: - [x] Figure out why the ethernet macs aren't getting set - [ ] Installation testing - [x] Double check if I need to shorten ubi partition, it's complaining and getting truncated to 0x370000 - [ ] Add to luci-app-advanced-reboot for switching.

I was able to enable and start ssh and install OpenWrt!
Fantastic work, thanks a lot!

cenzor · February 11, 2022, 12:10pm

Can you share builds?

thorsten97 · February 11, 2022, 12:19pm

just building fresh ones with current master. Will share them later when they are ready.

Timbo · February 11, 2022, 5:23pm

I'm envious of all you guys that have that have the RB01/international version. I have the telnet disabled RB03 version. I really didn't care/pay attention when I ordered back in December, because at the time it was not apparent that RB01 had telnet enabled.

I've been combing through the files looking for obvious exploits, but I think I'll hop back over to some chinese forums to see what I can find.

I have a flasher so could reflash it, but I guess I'm in the mood for doing it the hard way.

cenzor · February 11, 2022, 5:53pm

Great work! Managed to flash without issues.
So far so good!

l4pa · February 11, 2022, 7:29pm

a quick, stupid question. did anyone check pppd for [CVE-2020-8597] exploit? would it be possible to attack the router this way and get a shell? version 2.4.7 is probably buggy?

Timbo · February 11, 2022, 9:50pm

It looks like that was fixed a couple of years ago in OpenWRT, and since Xiaomi uses a customized version of OpenWRT... It's been fixed.

namidairo · February 12, 2022, 2:11am

Fixed long before even the first firmware. I don't think it would work regardless, one of the models had ASLR on. I did have fun writing it up last year though.

If you're building off master, don't forget to add the switch irq.

As far as I can tell from the stock dts, it should be exactly the same.

cenzor · February 12, 2022, 8:07am

silly questionm
I wanted to install sqm but I can see


The installed version of package kernel is not compatible, require 5.10.96-1-a8d91634… while 5.10.96-1-6170da09… is installed.

does it mean I need to build myself everything to be able to install other packages from official repo?