OpenWrt support for Xiaomi AX9000

Let's move the Xiaomi AX9000 related discussion to a new thread to reduce off-topics in the AX3600 one.

@kirdes @sumo


UART

From left to right:

RX, GND, TX (I guess ;-), VCC

Did you have to remove the board in order to solder the header?

I did that; it's better to solder the header from the other side.
But it should also be possible to solder wires from the top side, I think.

Ok, I had to remove the board on AX3600 as well to properly solder.
Yeah, you could probably solder it from above, but to me it's like asking for the pads to get ripped off if the header has some pressure on it later.

Was it hard to remove the board?

No, it's actually not that hard.

I've removed the fan and the screws from the heatsink (but not the heatsink itself) and the 4 screws from the board itself.
And you have to remove all the antenna pigtails of course; don't forget the one for the IoT radio.

And to lift the board, press the power button to get it out of the bottom shell.


I did not, but also used just wires, even though I am usually a big fan of a proper header.

Before:

After:

that's cursed :frowning:

Anyway, can someone post some images of how big it is?

The base is like 28 x 28 cm (with the antennas attached) and the antennas are 20 cm high.

For the rest I recommend watching the teardown video.

The problem is that with a white background I can't really understand the real size of the product :frowning:

Finally got the damn thing opened and UART soldered. I hate when they have such small pads around the hole.
Then I have to be extra careful to make sure it's soldered, and I am not that good at soldering.

BTW, I have a crazy idea to try and connect a USB keyboard.
Nah, they don't have the USB HID driver packed.

I am looking at the AX6 SSH method; it's documented only in Chinese.


Ahh, they are using old Samba but the one vulnerability I can try and exploit using metasploit is not working.

This is gonna be a painful experience as I don't usually do pen testing.

They have Samba with anonymous credentials running; it's sharing /tmp over it.
Nothing useful unfortunately.

Can anybody explain the AX6 SSH method?

@kirdes Have you tried anything?

Unfortunately I don't have access to my AX9000 until Sunday.

The ax6 method is also described here:

Basically it's using the extend_wifi API on the AX6. As far as I understand, you set up a second Wi-Fi router with a special xqsystem.lua file (including the nvram commands), then connect to that router via Wi-Fi, and the AX6 reads that file during the Wi-Fi connect.

And those extendwifi APIs are also there in the AX9000 firmware. So I think it's worth a shot.

This is the URL to connect to the other router's Wi-Fi (from the AX6 or AX9000):

http://192.168.31.1/cgi-bin/luci/;stok={STOK}/api/misystem/extendwifi_connect?ssid={WIFI_NAME}&password={PASSWORD}

:slight_smile: I also had that USB keyboard idea.

Looks really cool for a router. Good luck guys!
ulpian

@robimarko how much did you get yours for again?

As soon as I know that UART tx/rx can be enabled I'll probably get one.

If you try to abuse the connect-via-mesh-router path, there's already some development with some code that "allows bypassing the Singapore region select to create mesh Wi-Fi", and it uses the Xiaomi API.

@Apache14 It was around 200 EUR with shipping.
It should probably be cheaper a bit now.

UART RX works; TX needs to be enabled via nvram (in reality it's just the U-Boot env).

@adamhnat That looks like a potential route

@kirdes Hm, looks like the extend page is missing.

No page is registered at '/api/misystem/extendwifi_connect'.
If this url belongs to an extension, make sure it is properly installed.
If the extension was recently installed, try removing the /tmp/luci-indexcache file.

I have been poking for way too many hours now, and I just don't see an obvious vulnerability.
I just hate when I have to hope for our Chinese friends to find a vulnerability in order to run code on my HW.


Yes it's frustrating, especially 'cause Xiaomi doesn't respect the GPL at all.

But I think time is on our side; sooner or later we or someone else will find a usable vulnerability.

What firmware version does your device have?

Mine has 1.0.82.

I only found the version 1.0.101 last time I checked (now they updated to .108).

So I'm looking in the .101 lua files, maybe they added that extendwifi_connect function at first in version .101?

I know it's just a lucky guess.

If I remember correctly, you wrote that you downloaded the firmware as well.
What version is that?