OpenWrt support for Xiaomi AX3000T

@alexq thank you very much for helping me.
I followed the wiki, then I bricked it... then I found your post on the forum and unbricked it with UART. Now I have a problem reproducing the steps from the wiki, because when I do cat /proc/cmdline I get

console=ttyS0,115200n8 console_msg_format=syslog root=/dev/fit0 rootwait

when I try to detach mtd8 and install on that partition I get:

ubiformat: error!: please, first detach mtd8 (/dev/mtd8) from ubi0
root@OpenWrt:~# ubidetach -p /dev/mtd8
ubidetach: error!: cannot detach "/dev/mtd8"
           error 16 (Resource busy)
root@OpenWrt:~#

when I try it on mtd9 I get:

root@OpenWrt:~# ubiformat /dev/mtd9 -y -f /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi
libmtd: error!: cannot get information about "/dev/mtd9"
        error 2 (No such file or directory)
ubiformat: error!: cannot get information about "/dev/mtd9"
           error 2 (No such file or directory)

my partition table looks like this:

root@OpenWrt:~# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00100000 00020000 "BL2"
mtd1: 00040000 00020000 "Nvram"
mtd2: 00040000 00020000 "Bdata"
mtd3: 00200000 00020000 "Factory"
mtd4: 00200000 00020000 "FIP"
mtd5: 00040000 00020000 "crash"
mtd6: 00040000 00020000 "crash_log"
mtd7: 00040000 00020000 "KF"
mtd8: 07000000 00020000 "ubi"
root@OpenWrt:~#

and to answer the other member, I even switched U-Boot to the OpenWrt U-Boot because it is clearer to understand....
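The two errors in the post above come from two different conditions: mtd9 does not exist in the listed layout (only mtd0..mtd8), and mtd8 is still attached to a UBI device, which stays busy as long as anything (such as a running root filesystem) uses it. The script below is an added example, not code from the thread or from OpenWrt: it looks partitions up by name or index in a /proc/mtd listing and checks the sysfs UBI tree before anything touches flash. The /proc/mtd sample is the listing posted above; the sysfs path is a parameter so the lookup can be exercised against a constructed tree.

```sh
#!/bin/sh
# Added example, not code from the thread or from OpenWrt: look an MTD partition
# up by name or index in a /proc/mtd listing and check via sysfs whether it is
# attached to a UBI device, so a script can explain ubiformat's ENOENT (no such
# mtdN) and EBUSY (still attached) errors before touching flash.

# mtd_index_by_name TABLE NAME -> index of the partition NAME, empty if absent.
mtd_index_by_name() {
    printf '%s\n' "$1" | awk -v want="\"$2\"" '
        $1 ~ /^mtd[0-9]+:$/ && $4 == want {
            sub(/^mtd/, "", $1); sub(/:$/, "", $1); print $1; exit
        }'
}

# mtd_name_by_index TABLE INDEX -> name (without quotes) of mtdINDEX, empty if absent.
mtd_name_by_index() {
    printf '%s\n' "$1" | awk -v dev="mtd$2:" '
        $1 == dev { gsub(/"/, "", $4); print $4; exit }'
}

# ubi_device_for_mtd SYSFS INDEX -> "ubiN" if mtdINDEX is attached, else empty.
# SYSFS is normally /sys; a test can pass a constructed tree instead.
ubi_device_for_mtd() {
    for d in "$1"/class/ubi/ubi[0-9]*; do
        case "$d" in *_*) continue ;; esac          # ubiN_M entries are volumes, skip
        [ -f "$d/mtd_num" ] || continue
        if [ "$(cat "$d/mtd_num")" = "$2" ]; then
            basename "$d"
            return 0
        fi
    done
    return 0
}

# ubiformat_plan TABLE SYSFS INDEX -> prints what ubiformat /dev/mtdINDEX would
# need; exit status mirrors the errno it would hit: 2 = ENOENT, 16 = EBUSY.
ubiformat_plan() {
    table=$1; sysfs=$2; idx=$3
    name=$(mtd_name_by_index "$table" "$idx")
    if [ -z "$name" ]; then
        echo "mtd$idx: no such partition in /proc/mtd (ubiformat fails with ENOENT)"
        return 2
    fi
    ubi=$(ubi_device_for_mtd "$sysfs" "$idx")
    if [ -n "$ubi" ]; then
        echo "mtd$idx (\"$name\") is attached as $ubi: detach it first (ubidetach -d ${ubi#ubi}), EBUSY until then"
        return 16
    fi
    echo "mtd$idx (\"$name\") is free: ubiformat -y /dev/mtd$idx -f <image>"
    return 0
}

# Constructed input: the /proc/mtd listing posted above, copied verbatim.
SAMPLE_MTD='dev:    size   erasesize  name
mtd0: 00100000 00020000 "BL2"
mtd1: 00040000 00020000 "Nvram"
mtd2: 00040000 00020000 "Bdata"
mtd3: 00200000 00020000 "Factory"
mtd4: 00200000 00020000 "FIP"
mtd5: 00040000 00020000 "crash"
mtd6: 00040000 00020000 "crash_log"
mtd7: 00040000 00020000 "KF"
mtd8: 07000000 00020000 "ubi"'

# Demo: the two commands from the post, checked against this machine's /sys.
ubiformat_plan "$SAMPLE_MTD" /sys "$(mtd_index_by_name "$SAMPLE_MTD" ubi)" || :
ubiformat_plan "$SAMPLE_MTD" /sys 9 || :
```

Looking partitions up by name rather than by a number copied from the wiki matters here because the number of partitions differs between bootloader layouts, so a command written for one layout can point at a partition that does not exist in another. The script only reports; it never detaches or formats anything itself.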

Try the immortal u-boot is all I can say. The only thing that worked for me.

These steps you're following are for flashing from stock/a different bootloader.
You're not following them correctly, so I suggest you just use the stock bootloader with OpenWrt and forget about it.

Just follow the easy method on the first post. Note that snapshot initramfs doesn't have LuCI, so replace this:

Using LuCI flash sysupgrade image openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin

With:

  1. Build your firmware here: https://firmware-selector.openwrt.org/?version=SNAPSHOT&target=mediatek%2Ffilogic&id=xiaomi_mi-router-ax3000t
  2. Log in via SSH as root@192.168.1.1
  3. cd /tmp; wget "sysupgrade file from firmware selector"
  4. sysupgrade -n -v "sysupgrade file from firmware selector"

If you've actually flashed OpenWrt U-Boot, build the firmware from https://firmware-selector.openwrt.org/?version=SNAPSHOT&target=mediatek%2Ffilogic&id=xiaomi_mi-router-ax3000t-ubootmod instead.
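The four steps above fetch the image over the network and hand it straight to sysupgrade. A practitioner would add one step in between: check the image against the build's sha256sums before flashing, so a truncated or tampered download is refused rather than written to flash. The script below is an added example, not code from the thread or from OpenWrt; the base URL, the image file name and the assumption that a sha256sums file sits next to the image are all placeholders to be replaced with what the firmware selector actually serves for your build.

```sh
#!/bin/sh
# Added example, not from the thread or from OpenWrt: download the sysupgrade
# image built by the firmware selector, verify it against the build's
# sha256sums file, and only then call sysupgrade. The URL, the sha256sums file
# name and the image name are assumptions about what the selector serves.

# sha256_of FILE -> hex digest of FILE.
sha256_of() {
    sha256sum "$1" | awk '{ print $1 }'
}

# expected_sha256 SUMS_FILE NAME -> digest recorded for NAME in a sha256sum-style
# listing ("<hex>  <name>" or "<hex> *<name>"), empty if NAME has no entry.
expected_sha256() {
    awk -v f="$2" '$2 == f || $2 == "*" f { print $1; exit }' "$1"
}

# verify_image SUMS_FILE IMAGE -> 0 if IMAGE matches its recorded digest,
# 1 on mismatch or when no digest is recorded (unknown is treated as bad).
verify_image() {
    want=$(expected_sha256 "$1" "$(basename "$2")")
    if [ -z "$want" ]; then
        echo "no sha256 entry for $(basename "$2") in $1" >&2
        return 1
    fi
    got=$(sha256_of "$2")
    if [ "$got" != "$want" ]; then
        echo "sha256 mismatch for $2: got $got, expected $want" >&2
        return 1
    fi
    return 0
}

# flash_from_selector BASE_URL IMAGE_NAME -> fetch IMAGE_NAME and sha256sums
# from BASE_URL into /tmp (RAM, as in the post) and run sysupgrade only after
# verify_image passes. -n drops the old config, -v is verbose, as in the post.
flash_from_selector() {
    base=$1; img=$2
    cd /tmp || return 1
    wget -O "$img" "$base/$img" || return 1
    wget -O sha256sums "$base/sha256sums" || return 1
    verify_image sha256sums "$img" || return 1
    sysupgrade -n -v "$img"
}

# Usage on the router (assumed URL; take the real one from the selector's
# download link for the sysupgrade image):
#   flash_from_selector "https://example.invalid/build" \
#       openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin
```

A missing checksum entry is treated the same as a mismatch: if the verifier cannot confirm the image, nothing is flashed. sysupgrade itself still performs its own image checks, so this is a gate in front of it, not a replacement for it.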

where is everyone buying the global version of the AX3000T from? Pretty much all of the aliexpress ones are china version RD03 running firmware 1.0.47. Wouldn't it be easier to return the global one you got and get one of the RD03 models?

I just got a RD03 with firmware 1.0.47. Unsure which chip it has come with, but I will be checking that next.

I am confused after reading *note: this method is not supported by stock firmware version 1.0.47 (CN). under SSH Exploit Method. That is because under Firmware downgrade method it says 1.0.47 is the one that's vulnerable. Is this a documentation error?

Also, given my device info (RD03, 1.0.47), what are my options to install OpenWRT if my device has Winbond chips, and what would differ if it is ESMT?

Does this mean I have Winbond?

root@XiaoQiang:~# dmesg | grep nand
[    0.074432] spi-nand spi0.0: GigaDevice SPI NAND was found.
[    0.074445] spi-nand spi0.0: 128 MiB, block size: 128 KiB, page size: 2048, OOB size: 64
[    0.102764] nmbm nmbm_spim_nand: Signature found at block 1023 [0x07fe0000]
[    0.103637] nmbm nmbm_spim_nand: First info table with writecount 0 found in block 960
[    0.106198] nmbm nmbm_spim_nand: Second info table with writecount 0 found in block 963
[    0.106211] nmbm nmbm_spim_nand: NMBM has been successfully attached
[    0.106389] 12 fixed-partitions partitions found on MTD device nmbm_spim_nand
[    0.106395] Creating 12 MTD partitions on "nmbm_spim_nand":

That's a GigaDevice chip. You are going to have to check which model it is and whether Linux supports it:

And yes, someone edited the wiki recently and added the incorrect info that 1.0.47 is not vulnerable to the SSH exploit.

Are you sure this isn't the AX3000 instead of AX3000T? I am pretty sure the AX3000 is the one that comes with a GigaDevice NAND.

It is definitely AX3000T, sticker at the bottom of the router says that too, and the same label has RD03 mentioned on it - also the Web UI is in chinese language. And I looked through the holes at the bottom, and can see "ESMT" written on the small black chip. So decided to go with the stable release (fingers crossed).

Thank you for your response! :slight_smile:

Does dmesg | grep -i esmt print anything?

https://lore.kernel.org/lkml/20240125200108.24374-2-ezra@easyb.ch/T/
Could be this ID clash bug.


Local e-shops sell global Xiaomi gadgets in Europe. EU models, to be precise. I have multiple Xiaomi gadgets that state to be EU variants.

If it doesn't load you can always recover back to Xiaomi firmware and flash again with the snapshot.

It's very easy to recover if you stuff up the flash. Just don't flash the uboot if it's a winbond nand

I didn't check with -i esmt, but I just successfully flashed the latest release of OpenWRT, without any issues - so it must be ESMT (as I saw through the bottom of the router) :slight_smile:

Everything seems to have gone well! :slight_smile:

Now I will need to learn how exactly to configure OpenWrt for best and safe use. Feel free to share pointers / links for a newbie to this!

https://openwrt.org/docs/guide-user/services/dns/doh_dnsmasq_https-dns-proxy
https://openwrt.org/docs/guide-user/network/traffic-shaping/sqm

Build your own firmware images with the packages you need integrated. Using opkg to update things is more or less not recommended.
https://firmware-selector.openwrt.org/

it worked!!! THANK YOU very much...

The Wiki doesn't say "not vulnerable". It states: "this method is not supported". This is because the commands to exploit the start_binding, used for both rd03 and rd23, are not supported by rd03 ver. 1.0.47:

For the rd03 1.0.47, there is a separate section in the Wiki ("Firmware downgrade method") with other commands to exploit the arn_switch.

Does it make sense? Do you see how Wiki can be updated to be more clear about this, please?

This is interesting. So, actually you have ESMT NAND chip, but in the console, it returns the GigaDevice NAND chip...

Since you already have OpenWrt installed, could you please run dmesg | grep nand again to reconfirm the results from OpenWrt?

The wiki entry is very poorly worded about this, neither of these are SSH exploits, they are exploits targeting two different APIs that are not related to SSH. Once exploited, RCE is used to start dropbear.


Could you please update this in the Wiki to be more clear, and to prevent confusion for others? (If you don't have access, please share your suggested text here, and someone who has access will assist in moving it to the Wiki.).

Thank you for your contribution!