OpenWrt support for Xiaomi AX3000T

Considering that Version 2 is now what's almost 100% available on the market, trying to 'cheat fate' is just an act of masochism. There are other, even higher-quality routers with better technical specs available for roughly the same price.

Not sure which market you're referring to, but in the EU it's like 99.9% the Global RD23 version everywhere.

I agree that ordering from China (like AliExpress, etc) doesn't really make much sense now, since RD03v2 seems to have replaced the initial RD03 in production. But since the Global RD23 version (the OpenWrt supported one) is still widely available - it's still a valid and reasonable choice w/o a risk.

Regarding alternatives, that's correct - there are other options, but that's another topic I believe, and the best choice greatly depends on your region and what's actually available on your local market.

In this scenario, the cost is higher, and the trade-offs are even more obvious. Still, I'm not here to talk anyone out of it. It’s your money, not mine.

@dsouza Thank you for your help one more time!

Sadly following the instructions on the wiki I was not able to get ssh access to this router. Here are my steps:

I opened the box (which probably voided the "change of mind free return" option with router's seller, but not warranty).
Connected my computer and one of the middle ports of the router with the included Ethernet cable.
Plugged the router into the power.
Opened http://192.168.31.1/ in the browser.
Went through the installation steps setting up the admin password of the stock firmware.
After the router has restarted I opened http://192.168.31.1/ again, logged in with this admin password and copied the value of GET variable stok from the browser's address bar.
Saved the content of she shell script into ~/router-ssh.sh and made it executable chmod +x ~/router-ssh.sh
Run the script with xqsystem|misystem (I've tried both and the result doesn't depend on this choice) and the value of stok as parameters:

~/router-ssh.sh xqsystem 48408a4d6d1900ffc5929e8b8b0517cc

As a result the script outputs the following HTML text repeated 5 times:

<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>

and if I try to access via ssh I get ssh: connect to host 192.168.31.1 port 22: Connection refused.

My guess: on the stock firmware main page I can see the text System version: MiWiFi Stable version 1.0.103 (SV1.3) while the latest stock firmware version mentioned in wiki is 1.0.98. Could it be that my firmware version is not exploitable for ssh access? But the wiki says "In most cases, downgrading stock firmware on the AX3000T to install OpenWrt isn't necessary, as most stock firmware versions are exploitable".

Should I try to downgrade the stock firmware?

You can find the exact same situation described in several posts above, see: OpenWrt support for Xiaomi AX3000T - #3858 by alemoh1234

It's exploitable by xqsystem/get_icon method. My suggestion to you is the same:

yeah, that's why it uses the words "most cases" and not "almost". The wiki lacks information about your 1.0.103 firmware only because it is new. Someone needs to either create instructions for xqsystem/get_icon method that can be added to the wiki, or at least confirm that the downgrading process works with this firmware, so the wiki can be updated accordingly.

Can you help with this?

• Please check whether downgrading from stock RD23 firmware version 1.0.103 (INT) to version 1.0.76 (INT) works smoothly (because no one has confirmed it yet, and no one knows whether it is safe to downgrade this firmware version without bricking the router), and whether you are able to successfully install OpenWrt afterward using the installation method described in the wiki. Thank you!

Yes, I can try downgrading… But what about first trying to reproduce the exploit? I would try it with a little bit of help from the community and if it will work I'll write about in the wiki.

Here is what I've done:

On the computer's shell:

echo -e '#!/bin/sh\necho "hello world"\nexit 0' > helloworld
python3 -m http.server --bind 0.0.0.0 8000

In the browser navigated to:
https://192.168.31.1/cgi-bin/luci/;stok=a857e59d4614ce0ab6390d1afe988c6b/api/xqsystem/get_icon?ip=192.168.31.187:8000&name=helloworld

where 192.168.31.187 is the computer's address assigned by router's DHCP.

After that in the console I can see:
192.168.31.1 - - [30/Mar/2026 00:16:43] "GET /xiaoqiang/web/img/icons/helloworld HTTP/1.1" 404 -

So I've moved the file to the location the router asks for:

mkdir -p xiaoqiang/web/img/icons/
mv helloworld xiaoqiang/web/img/icons/

Restarted the python http server and navigated to the same link. I got the page with the content of the file helloworld, i.e. the shell code.

So looks like the exploit works. At least the router downloads the file from the python web server and it to the browser.

In the next step I supposed to write the file to /etc/diag_info/stat/firewall/ and execute it using xqsystem/upload_log. I don't know how to do this. I can't see any way to control where the file is saved on the router.

If I navigate to xqsystem/upload_log with the browser I get:
{"msg":"Couldn't upload file to server","code":1512}

I don't understand how to pass the name of the file I want to be exectuted to xqsystem/upload_log?

After all what file I should upload and execute on the router to get ssh access?

Nice progress!
It would be great if you could get it working and create a simple guide for the xqsystem/get_icon method for the wiki, so firmware downgrading wouldn't be needed anymore.

Unfortunately, I can't really help much with your questions, but I'd probably suggest feeding your progress into a Claude-like ai to help move forward.

I ordered two RD23 routers with firmware version 1.0.103.
Here are my flashing instructions:

1. Connect the WAN port of your RD23 to your old router.
2. Connect the LAN1 port of your RD23 to your PC/laptop.
3. Open the page 192.168.31.1, select your language and country, click Next, and then set a router password.
4. Set a WEP password.
5. Launch XMiR-Patcher and then enter your router password.

Everything worked without any problems for me.

@tot-to You don't have to make it so complicated.

Hi everyone, My Xiaomi AX3000T (RD23) with Winbond W25N01KV NAND is bricked after a failed ubootmod BL2 write. BROM is alive and responding via UART/mtkclient but I need a valid BL2 preloader from a working unit with the same Winbond W25N01KV chip to use as --preloader with mtkclient. If you have AX3000T with Winbond W25N01KV running OpenWrt or stock firmware, please run: dd if=/dev/mtd0 of=/tmp/BL2.bin and share the file. Thank you

Everything you need is at https://firmware-selector.openwrt.org/?version=SNAPSHOT&target=mediatek%2Ffilogic&id=xiaomi_mi-router-ax3000t-ubootmod ?

Hello,

I am a beginner, so sorry in advance if I am missing something obvious.

I need help recovering a Xiaomi AX3000T.

Hardware

• Xiaomi AX3000T
• SoC: MT7981
• Flash: ESMT F50L1G41LB
• RAM: 256 MB

Current situation

• UART works
• mtk_uartboot works
• I can boot OpenWrt initramfs and access SSH/LuCI
• The running system identifies as:
  xiaomi,mi-router-ax3000t-ubootmod
• LuCI shows:
  Xiaomi Mi AX3000T (layout OpenWrt U-Boot)

Main problem

I can boot the temporary system, but after reboot the router always ends in:

System halt! 

What I already did

Loaded temporary bootloader with:

• bl2-mt7981-bga-ddr3-ram.bin
• openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-bl31-uboot.fip

Booted initramfs recovery successfully

Tried:
sysupgrade -n /root/fw/openwrt-24.10.0-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-squashfs-sysupgrade.itb

and also with -F

The upgrade reports success, for example:
sysupgrade successful
reboot: Restarting system

but after reboot it still goes to:
System halt!

MTD layout

dev: size erasesize name
mtd0: 00100000 00020000 "BL2"
mtd1: 00040000 00020000 "Nvram"
mtd2: 00040000 00020000 "Bdata"
mtd3: 00200000 00020000 "Factory"
mtd4: 00200000 00020000 "FIP"
mtd5: 00040000 00020000 "crash"
mtd6: 00040000 00020000 "crash_log"
mtd7: 00040000 00020000 "KF"
mtd8: 07000000 00020000 "ubi"

UBI volumes

ubootenv
ubootenv2
fit
rootfs_data

Bootloader files available

• openwrt-24.10.0-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-preloader.bin

• openwrt-24.10.0-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-bl31-uboot.fip

Problem writing BL2

When I try:
mtd write /root/fw/openwrt-24.10.0-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-preloader.bin BL2

I get:
Could not open mtd device: BL2 Can't open device for writing!

Package issue

I tried to install kmod-mtd-rw, but:

• apk is not available
• opkg update fails with:
  Failed to send request: Operation not permitted

Questions

• What is the correct next step from here?

• Do I need kmod-mtd-rw before writing BL2 and FIP?

• Should I manually write:
  preloader.bin -> BL2
bl31-uboot.fip -> FIP
  and only then retry sysupgrade?

• Is there anything special about ESMT F50L1G41LB in this ubootmod migration path?

Thank you very much, and sorry again if I am overlooking something basic.

APK is available if you're on 25.12.
The opkg issue is related to your network config, router can't reach internet.

Hi @frollic,

Thank you for your previous reply and for the clarification about apk on 25.12 and the likely WAN/network configuration issue behind the opkg error. I appreciate your help.

I would like to ask for further guidance on a different, but possibly related, issue with my Xiaomi AX3000T.

Device / current state

• Model: Xiaomi AX3000T
• SoC: MT7981
• Flash: ESMT F50L1G41LB
• Layout: OpenWrt U-Boot layout / ubootmod

I had previously recovered the router via UART + mtk_uartboot after boot issues, including a System halt! condition.
That part is now solved:

• BL2 and FIP were written successfully
• the router now boots persistently on its own
• boot chain appears stable

Main problem now

The router boots correctly, but Wi-Fi does not come up.

On both:

• OpenWrt 24.10.0
• OpenWrt 25.12.2 initramfs-recovery (booted in RAM via tftpboot + bootm)

I get essentially the same Wi-Fi error:

mt798x-wmac 18000000.wifi: eeprom load fail, use default bin
mt798x-wmac 18000000.wifi: Direct firmware load for mediatek/mt7981_eeprom_mt7976_dbdc.bin failed with error -2
mt798x-wmac 18000000.wifi: Falling back to sysfs fallback for: mediatek/mt7981_eeprom_mt7976_dbdc.bin
mt798x-wmac: probe with driver mt798x-wmac failed with error -12

Also:

• iw dev shows nothing
• no wlan / phy interfaces appear
• wifi config creates logical wireless config, but radios do not actually probe successfully

What I already tested

I tried to be careful and systematic before posting:

1. Recovered the device boot path via UART / mtk_uartboot

2. Confirmed persistent boot is stable

3. Compared current Factory partition with my original backup

4. Restored the original Factory backup to NAND successfully via U-Boot:

   • nand write 0x46000000 0x180000 0x200000

5. Booted again after restoring Factory

6. Tested official 25.12.2 initramfs in RAM (without permanently flashing it)

Result: same Wi-Fi failure

So at this point it seems the issue is not just:

• corrupted Factory
• old 24.10.0 image
• wireless config / country code
• bootloader instability

My current understanding

It looks like the driver is expecting an external EEPROM blob:

mediatek/mt7981_eeprom_mt7976_dbdc.bin

and is not successfully obtaining valid calibration / EEPROM data from the normal flow.

My questions

1. For AX3000T ubootmod, is it expected that the system needs an external
   mt7981_eeprom_mt7976_dbdc.bin file?

2. Should this EEPROM/caldata be derived from the Factory partition somehow?

3. Is there any known patch, DTS difference, or special handling for this exact model/layout that explains this behavior?

4. Does this suggest that my unit is missing a required calibration blob, or that the current OpenWrt support path for this specific setup is not matching the board data correctly?

If useful, I can also provide:

• full boot log
• /proc/mtd
• board name / model output
• hashes / comparison details of old vs restored Factory backup

Thanks again for your help.

Probably related GL.iNet GL-X3000/ Spitz AX support - #30 by dohseven.

See this post or this one.

If you have a backup of your router, simply restore the Factory.bin partition.

Thanks, this is very helpful.

From your explanation and the GL-X3000 PR, I now suspect my AX3000T ubootmod issue is not just a missing file in /lib/firmware, but rather that the WiFi driver may not be getting the EEPROM from the Factory partition through the correct DTS/nvmem binding.

In my case, I already restored my own original Factory partition from backup, but the error still remains exactly the same, so restoring Factory alone was not enough.

Would it make sense that AX3000T ubootmod needs something similar to the GL-X3000 approach, where &wifi points to an EEPROM cell inside the Factory partition (for example offset 0x0, size 0x1000)?

did the wifi work while running stock ?

Hi just ask before i upgrade to openwrt, can my ax3000t use simple way upgrade to openwrt?

below the detail from the factory firmware, model RD03

if can which version i can use

image1111×272 10.8 KB

thanks

thanks

done with no issue

image658×445 13 KB