OpenWrt support for Xiaomi AX9000

Gained Telnet/SSH access with the exploit, then:

Achieved the goal of flashing OpenWrt without opening the AX9000 International device with version 3.4.48.

3 sewing needles, Arduino cables to UART:

Incorrect UART

Correct UART

Commands to disable secure boot:

setenv atf 1
saveenv

And the following process shared above:

Might be easier to just set up SolarWinds TFTP Server instead. Here is the direct link for download.

Just make sure that:

  • Ethernet cable is connected to the LAN1 port of the router. This is adjacent to the WAN port;
  • Windows Defender is disabled (and any other active security software you might have);
  • Windows Firewall is disabled (and any other firewall software you might have);
  • Your Ethernet adapter is set like this (only IPv4 checked):

It is very important to set the speed to 10MB Half-Duplex:

Double-check that the above settings are applied to the Ethernet card.

Start SolarWinds TFTP Server, go to File => Configure:

Set the timeout to 20 (which is the maximum) and retries to 6, make sure it says "Started" under Status, then note the server root directory (it's C:\TFTP-Root by default). This is where you need to place the file. You can even rename the file to something easier, like image.itb, and put it there.

Now, in U-Boot, over UART, you need to set the variables (one line at a time, and please type them in manually instead of copy-pasting, since I had issues when copy-pasting) and boot the image:

nvram set uart_en=1
nvram set atf=1
nvram set boot_wait=on
nvram commit
setenv ipaddr 192.168.1.1
setenv serverip 192.168.1.100
tftpboot 0x44000000 image.itb
bootm

This will boot into OpenWrt from RAM, so it's not yet installed. Once booted, you need to SSH into the router via Ethernet (ssh root@192.168.1.1 or use PuTTY).

Grab the latest sysupgrade file from here (xiaomi_ax9000-squashfs-sysupgrade.bin), use SCP or WinSCP to transfer it to /tmp/ on the router, and use sysupgrade to flash OpenWrt onto the router's storage:

cd /tmp
sysupgrade -n openwrt-ipq807x-generic-xiaomi_ax9000-squashfs-sysupgrade.bin

If this fails, then you might need to do:

uci set system.@system[0].compat_version="1.0"
uci commit system
sysupgrade -n -p -F openwrt-ipq807x-generic-xiaomi_ax9000-squashfs-sysupgrade.bin

The router will reboot and you'll have OpenWrt installed on storage. Please note that this is a minimal installation, so it doesn't have LuCI installed and wireless is disabled by default. You will need to SSH into the router via Ethernet again after flashing and, while the router is connected to the internet, do:

opkg update
opkg install luci
reboot

Once the router is back, you should be able to access LuCI at 192.168.1.1 in the browser (through Ethernet). The user is root with no password. After this you'll need to set up wireless. Good luck!

The expected result.

I hope that, even if it is very basic, someone can use it, so as not to lose the warranty.

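The sysupgrade step in the post above writes whatever is in /tmp straight to the router's storage, so it is worth checking the image before running it. The following is an added example (not part of the original post or of OpenWrt) for the router's BusyBox shell: it assumes the image and the sha256sums file published beside it on the OpenWrt download page (lines of the form `<hash> *<filename>`) have both been copied to /tmp, and it refuses to flash unless the name says AX9000 sysupgrade and the hash matches.

```shell
#!/bin/sh
# Pre-flash checks for the AX9000 sysupgrade step. Added example, assumes
# sha256sum (BusyBox or coreutils) and that image + sha256sums sit in /tmp.
set -u

# Print the published hash for image basename $2 from sums file $1,
# or nothing if the file is not listed (handles the "hash *name" form).
expected_sha256() {
    awk -v f="$2" '{ n = $2; sub(/^\*/, "", n); if (n == f) print $1 }' "$1"
}

# Return 0 when the real hash of image $1 matches its entry in sums file $2.
verify_image() {
    want=$(expected_sha256 "$2" "$(basename "$1")")
    if [ -z "$want" ]; then
        echo "no entry for $(basename "$1") in $2" >&2
        return 1
    fi
    have=$(sha256sum "$1" | awk '{ print $1 }')
    if [ "$have" != "$want" ]; then
        echo "hash mismatch: have $have, want $want" >&2
        return 1
    fi
    return 0
}

# Return 0 only for a name that identifies an AX9000 sysupgrade image
# (an initramfs .itb or another model's image must not reach sysupgrade).
is_ax9000_sysupgrade() {
    case "$1" in
        *xiaomi_ax9000*sysupgrade.bin) return 0 ;;
        *) return 1 ;;
    esac
}

# Flash exactly as in the post (-n drops the old config) only after both
# checks pass; the compat_version / -F fallback stays a manual decision.
flash_if_verified() {
    if ! is_ax9000_sysupgrade "$(basename "$1")"; then
        echo "refusing: $1 is not an AX9000 sysupgrade image" >&2
        return 1
    fi
    verify_image "$1" "$2" || return 1
    sysupgrade -n "$1"
}
```

On the router, after copying both files, run `flash_if_verified /tmp/openwrt-ipq807x-generic-xiaomi_ax9000-squashfs-sysupgrade.bin /tmp/sha256sums`; a mismatch or a wrong file name stops before anything is written.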