OpenWrt support for Xiaomi AX9000

Yes, the most probable explanation is that the AP mode has shortcomings. I'll try with an unused NUC, if it fails I'll have to buy a router. Do you know a cheap one, already tried and effective ?

I've used a Homehub 5, but the device was already modified to run vanilla Openwrt (serial access is quite difficult)

A cheap ath79 one will also do. https://openwrt.org/docs/techref/targets/ath79

For hardware recommendations please open a new topic in the Hardware Questions and Recommendations category of this forum.

Please see https://openwrt.org/faq/which_router_should_i_buy before asking for recommendations. This way you will get better recommendations and come to a quicker solution.

Xiomi AX9000 Firmware
:point_down::point_down:

Xiomi AX9000 Firmware:
AX9000 factory firmware package Mi router AX9000 (stable version)
Mi router AX9000 stable version:1.0.82

Mi router AX9000 (stable version)
Mi router AX9000 stable version:1.0.101

  1. Increase LAN port link aggregation function, bandwidth when NAS and switch support link aggregation function Double
  2. add firewall switch in IPv6 Native mode
  3. USB 3.0 newly supports extFAT format
  4. Fix the compatibility with some Mi TVs
  5. Other known problem fixes

Mi router AX9000 (stable version)
Mi router AX9000 stable version:1.0.108

  1. The upgrade supports simultaneous access of up to 1000 terminal devices. You can enter the WEB background-common settings-LAN settings for configuration
  2. The Mesh experience is further improved, and the initialization process, networking stability, configuration synchronization and other functions are optimized
  3. Fix other known issues and improve the overall stability of the firmware
1 Like

Thanks to all, got SSH access to AX6000 , for password used simplified https://github.com/odedlaz/ax3600-files/blob/master/scripts/calc_passwd.py script, where password need be entered from as parameter:

import sys
import hashlib

# credit goes to zhoujiazhao:
# https://blog.csdn.net/zhoujiazhao/article/details/102578244

salt = {'r1d': 'A2E371B0-B34B-48A5-8C40-A7133F3B5D88',
        'others': 'd44fb0960aa0-a5e6-4a30-250f-6d2df50a'}

def get_salt(sn):
    if "/" not in sn:
        return salt["r1d"]
    return "-".join(reversed(salt["others"].split("-")))

def calc_passwd(sn):
    passwd = sn + get_salt(sn)
    m = hashlib.md5(passwd.encode())
    return m.hexdigest()[:8]

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: python3 {sys.argv[0]} <SN>")
        sys.exit(1)
    sn = sys.argv[1]
    print("Given SN: "+ sn)
    print("Calculated root password: "+calc_passwd(sn))
2 Likes

taken out russian forum 4pda, works correctly on ax9000, others not tested

The bdata patch to receive telnet and ssh (so far it only added ax3600, ax6000, ax9000, ax6)

create_exploit_ax_xioami.zip

  1. Make a backup of the configuration if necessary, because telnet will require a factory reset to activate.
  2. Go to the admin panel on the web muzzle (miwifi.com or by IP address)
  3. Copy the content of the create_exploit.js file to the browser console and press Enter.
  4. If everything is ok, a window will appear where you can change the bdata region or leave it at that.
  5. Wait 10-15 seconds for the patch file to be generated. Then it should download automatically, so if the browser has crashes on this, it is better to remove them.
  6. Unpack the contents of the downloaded file.
  7. After unpacking, there should be 3 files: 1.bin, 2.bin, 3.bin. In the same order, upload it to the webmord where the firmware for the update is manually uploaded. If everything is fine, after each load, the router should restart. If after the first filling you stop connecting via wifi, you need to connect via cable and continue (I never had this, but people write what happens).
  8. Factory reset.
  9. Go to the admin panel and run the script calc_passwd.js in the browser console to find out your password for telnet. (This step can be done once and at any time. The default password depends on the serial number and will not change if the serial number is not changed)
  10. Try to connect via telnet, if it says the password is wrong, You can also repeat from step 7 until it works. (In ax3600, there is often a glitch that after factory reset the default password is not accepted and the router needs to be reset again.)
  11. You can enable ssh:

Connect via telnet and turn on the ssh server:

sed -i 's / channel =. * / channel = \ "debug \" / g' /etc/init.d/dropbear
/etc/init.d/dropbear start
4 Likes

Thank you, this worked for me. Had to set ssh_en=1 and nvram commit.
Perfect.

I have booted an initramfs image on an AX9000, compiled from the AX3600-5.10-restart branch. The uplink doesn't appear to work, the green led blinks every second on the 2.5G port but nothing comes back in.
The switch at the other end of the link reports only bad packets received, one for each DHCP request. I have checked the speed/duplex/... status at both ends they are the same.
May I have missed something in the configuration of the image ?

I know, after the last kernel update it happens to me as well but no time to debug it though.

FYI, with AX6 it works fine, so it is likely limited to the 2.5gig eth.

Haha thank you for the tip. I have forced the port to 100M/Full on the switch side and it works! At 1G it doesn't.

Interesting finding flebourse :slight_smile:
How do you find this router? (WiFi speed/range, memory leaks, etc.)
Please do share your observations :slight_smile:

I haven't much to say for the moment, I have used it very little. I have observed the same memory leak everyone is writing about. The wifi signal gives a very long range compared to the other devices I have.

Is there any unstable/betas you guys have made yet? I'm very interested in trying this out. As the stock firmware is extremely lacking. :crossed_fingers: I've used Openwrt on previous routers so it wouldn't be my first just usually stable builds

Got my AX9000 today. I tried the wiki method to obtain SSH, using AX3600 with QSDK-based Chinese "OpenWRT" with luci. Got a similar issue to the one @flebourse experienced. Finally, I gave up and attempted exploit OpenWrt support for Xiaomi AX9000 - #179 by bruda, and it worked like a charm.

I discovered we can use xqrepack to patch rootfs, we just need to append --data argument to ./ubinize.sh, just as described in the README.md for RM1800:

for RM1800:

 ./ubinize.sh ubifs-root/miwifi_rm1800_firmware.../...kernel.ubifs \
              ubifs-root/miwifi_rm1800_firmware.../...ubi_rootfs.ubifs.new \
              --data

xqflash also works fine (I didn't attempt a manual upgrade, just scp'ed xqflash along with the patched image to router's /tmp).

Maybe this will be useful for someone :slight_smile:

2 Likes

Thanks for sharing!
Could you share your observations how this device is behaving - range, stability, performance, etc... More details the merrier :slight_smile:
I am seriously considering purchasing it, and your feedback could help me making a decision

You're welcome :slight_smile:
AX9000 performance with Xiaomi FW is actually off-topic here: the thread is about adding OpenWRT support for the device. That being said, I can't tell you much, since I'm using the router as a wired AP, until proper OpenWRT support. As for wifi performance, it's really good, but I haven't tested it at max power, I patched the firmware and manually set txpower to 26db. I only need it to cover one room properly, other rooms have their own wired APs (actually AX3600) connected to the main router.

Ok, so I finally had some time to rebase this mess onto master.
The 2.5G port is still not working in 1G mode, 100M works fine.

I quite literary have no idea what broke it.

1 Like

From ethtool eth4, 100M works fine but it is in half duplex the switch at the other end is set to 100Full but reports 100MF and link down! Go figure ...
Just after "bootm" the serial line says "Starting kernel ... Jumping to AARCH64 kernel via monitor" then nothing during ~25 seconds followed by the normal boot messages.
This 25 seconds delay doesn't occur when booting the xiaoqiang firmware. Is there something specific to set in the kernel serial parameters ? I suspect many boot messages to be missing.

Hmm, now it magically worked at 1G.

Something is seriously broken if you are seeing that delay, for me, UART works immediately.
You shouldn't need to set anything as the UART port is set as default in the DTS itself.