OpenWrt support for Xiaomi AX9000

Dear Robert, from my point of view, if there are two models, this thread makes no sense because the global version is different from the Chinese version. We need to know if it is possible to root or enable SSH in each version with the same steps, or enable Chinese firmware to enable full TX power.

Let's agree to disagree.
First of all I think we can trust robimarko - usually he knows what he is talking about

Second of all ... even if there are two different firmware (global and Chinese), but the underlying hardware is the same, this topic makes a lot of sense as it focuses on how OpenWRT, when ready, could replace both.
Yes, there might be some subtle differences on how to root them (enable telnet or ssh) or how to install OpenWRT on them.
But right now, we are not yet there - guys here are discussing problems they experience while developing OpenWRT support for this device (i.e. 2.5Mbit LAN is not working, or remoteproc changes are crashing WLAN firmware loading)
So unless someone has valuable information with proof that there are two different hardware versions, labelled as AX9000, could we please refrain from polluting this topic?


If there is a "global" version then it's new to me; even if it exists, it's just the translated FW on top.
In the worst case that the SSH exploit doesn't work you can flash the Chinese version using TFTP recovery.

But please, I don't care about Xiaomi reducing the power limit as it's illegal to run these devices at the power levels they offer in the EU (ETSI) and FCC countries.


I was trying that but when I reach the point of loading the 1.bin file it still says "couldn't verify file", same thing as when I try to load Chinese firmware. Really don't know what to do, many thanks anyway.

The exploit worked for me, but that was with the 1.0.108 version. Could you retry using the ip address, ie ?

Same thing if I use or I'm able to load the exploit on the browser console and download the 3 bin files, but as soon as I try to load the first one I receive the same message that I receive when I upload the 1.0.108 bin file: "couldn't verify file".

This 3.0.33 firmware appears to be very annoying.


Dear Robimarko,
It may or may not be so; there are devices, such as Huawei AX6 routers, that differ in hardware: the global version does not physically have the power amplifier chip on the motherboard that the China version has. Given the premise that mine are technical questions and I do not think like a newbie, has anyone verified and knows exactly if at the hardware level they are identical, China and global?
I honestly do not think so, since the whole issue has been raised now. If you could understand, in the first post at the top you should specify that the guide and thread is related to the Chinese version before buying a castrated version.
Regarding power, I would say that we are all aware that it is illegal, but I do not think that all the owners, even in this forum, live in China, or are doing root and SSH to be able to lower the power, do you agree with me?

Hello, since the SSH exploit did not work on 3.0.33 firmware I tried using the MiWiFi repair tool to flash 1.0.108 firmware following this method, however it did not work. It sends the firmware but nothing changes and 3.0.33 remains installed. Xiaomi ax3600 recovery

Any suggestion?

@Giudi I can't tell if they are the same, as before this one we didn't even know that there is a global version, but I would guess that they are the same, as AX3600 and others had the same HW and just shipped a slightly modified, translated FW.

@Lenin9212 No ideas really

It seems that the exploit was fixed in GL firmware, or if not it needs a new payload. So to be sure about that it would be nice to have a dump of the global firmware. Or you can try to brute force the payload.

Sorry for continuing off-topic, but if someone has a global version with firmware update pending, they can extract the upgrade url, as described here: Xiaomi AX3600 INT firmware

Could you check the model of your device ? Is it a RA70 or something else ?

yes it is exactly RA70

When you tried the exploit, did it ask for a country code ?
What happens if you click "OK" on the "Couldn't verify file" popup ?

Yes, it asked for a country code by hinting me "EU". I pressed OK and it gave me the 3 bin files, which as said I was not able to flash.

If I press "OK" at the "couldn't verify file" popup it goes back to the popup in which I can choose the update file and press "update now".

With the help of @458348 (a saint) we tried to flash 1.0.82 and 1.0.108 firmware again through webview interface, miwifirepairtool and tiny, but it appears only to load the firmware on the router, while it cannot flash. What I mean is that in all of these methods the loading works, but in the webview as said it gives me that damned popup "couldn't verify file", in the other two cases it loads, I wait 20-40 minutes and then I reboot, but the global firmware remains installed.

really don't know what is happening here, but many thanks to anyone who is trying to help

Would it be possible to see the output of strings 2.bin ?

Here you can find the 3 bin files and the router's log, need anything more?

The [123].bin files don't look malformed; either the loophole has been closed in this version or there are more checks of the downloaded files, but without the 3.0.33 image it is hard to know.
You can try the wifi exploit explained at the beginning of this thread, maybe you'll have more luck.

We indeed need an INT firmware to have a look at it. I adapted the script by @itay (Xiaomi AX3600 INT firmware - #100 by itay) to work with AX9000 (the commented out fields seem to make no difference):

```python
import requests
#import datetime
import base64
import hashlib

DEFAULT_TOKEN = "8007236f-a2d6-4847-ac83-c49395ad6d65"
LINK = ''  # update-check URL; empty as posted, set it before running


def md5_base64(data):
    # MD5 hex digest of the base64-encoded string
    b64_data = base64.b64encode(data.encode())
    return hashlib.md5(b64_data).hexdigest()


def calculate_s(params_to_hash):
    # Sort parameters by key, join them as k=v& and append the token
    params_sorted = {k: v for k, v in sorted(params_to_hash.items(), key=lambda item: item[0])}

    params_str = ''
    for k, v in params_sorted.items():
        params_str += f'{k}={v}&'
    params_str += DEFAULT_TOKEN
    result = md5_base64(params_str)
    return result


def main():
    #now =

    if not LINK:
        raise SystemExit("set LINK to the update-check URL first")

    params_to_hash = {
        "countryCode": 'EU',
        "rom": '3.0.31',
        #"serialNumber": 'your_sn',
        "rootfs": '0.0.1',
        "cfe": '1.0.2',
        #"deviceID": 'your_id', # `uci get messaging.deviceInfo.DEVICE_ID`
        #"ispCode": '',
        "linux": '4.4.16',
        "sqafs": '0.0.1',
        "hardware": 'RA70',
        #"locale": 'en_US',
        "ramfs": '0.0.1',
        "channel": 'release',
        #'time': now.strftime('%Y-%m-%d---%H:%M:%S')
    }

    # The signature is computed before the token is added as a parameter
    params_to_hash['s'] = calculate_s(params_to_hash)
    params_to_hash['token'] = DEFAULT_TOKEN

    response = requests.get(LINK, params=params_to_hash)
    if response.ok:
        print(response.text)
    else:
        print("invalid token")


if __name__ == '__main__':
    main()
```

It gives no matches: {"code":"0","data":{"needUpgrade":false,"changelogUrl":"","description":""}}
I verified it works with CN firmwares, by changing LINK to,
countryCode to CN and rom to 1.0.101 I get {"code":"0","data":{"needUpgrade":true,"size":39715780,"changelogUrl":"","toVersionName":"1.0.108","link":"","description":"","weight":"1","upgradeId":"46392","hash":"77f560ae1d170be928b25639d7ed96a4","toVersion":"1.0.108"}

It appears as if we will have to wait for an INT firmware update to be rolled out, to be able to fetch respective .bin, since 3.0.33 is the initial INT fw, not available as OTA.
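
Added example, not part of the original post or of the script above: reading the two update-check responses quoted in the post and checking a downloaded image against the advertised `size` and `hash` fields. It assumes the 32-hex-digit `hash` is the MD5 of the image; the function names are hypothetical.

```python
import hashlib
import json

# Responses quoted in the post (closing brace of the second one restored,
# the elided "link" value left empty as on the page).
NO_MATCH_RESPONSE = '{"code":"0","data":{"needUpgrade":false,"changelogUrl":"","description":""}}'
SAMPLE_RESPONSE = (
    '{"code":"0","data":{"needUpgrade":true,"size":39715780,"changelogUrl":"",'
    '"toVersionName":"1.0.108","link":"","description":"","weight":"1",'
    '"upgradeId":"46392","hash":"77f560ae1d170be928b25639d7ed96a4",'
    '"toVersion":"1.0.108"}}'
)


def parse_update(response_text):
    """Return the 'data' object if an upgrade is offered, else None."""
    body = json.loads(response_text)
    data = body.get("data") or {}
    if body.get("code") != "0" or not data.get("needUpgrade"):
        return None
    return data


def verify_image(stream, data, chunk_size=1 << 20):
    """Stream an image and compare it with the advertised size and hash.

    Assumption: "hash" is the MD5 of the image. MD5 only catches a corrupted
    or truncated transfer; it is not an authenticity check.
    Returns a list of mismatch descriptions; an empty list means both match.
    """
    md5 = hashlib.md5()
    size = 0
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        size += len(chunk)
    problems = []
    if size != int(data["size"]):
        problems.append(f"size {size} != {data['size']}")
    if md5.hexdigest() != str(data["hash"]).lower():
        problems.append(f"md5 {md5.hexdigest()} != {data['hash']}")
    return problems
```

Open the downloaded .bin in binary mode and pass the file object as `stream`.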

The AX9000 is now being sold in a blue colored box with English on the box; these are the ones coming with the new global firmware. If you got the older solid black ones from China they should still have the normal firmware. I asked a few people I know in China, who are resellers of these, to confirm this for me. I know the ones I have and installed for friends so far, even the one I just got last week in the black box, still have the China firmware on them. Might be something to watch for when you buy one of these, if you can check beforehand.