OpenWrt support for Xiaomi AX9000

When you tried the exploit, did it ask for a country code?
What happens if you click "OK" on the "Couldn't verify file" popup?

Yes, it asked for a country code, hinting "EU". I pressed OK and it gave me the 3 bin files, which, as said, I was not able to flash.

If I press "OK" at the "couldn't verify file" popup, it goes back to the popup in which I can choose the update file and press "update now".

With the help of @458348 (a saint) we tried to flash the 1.0.82 and 1.0.108 firmware again through the web interface, miwifirepairtool and tiny, but it appears only to load the firmware onto the router, while it cannot flash. What I mean is that in all of these methods the loading works, but in the web interface, as said, it gives me that damned "couldn't verify file" popup; in the other two cases it loads, I wait 20-40 minutes and then I reboot, but the global firmware remains installed.

I really don't know what is happening here, but many thanks to anyone who is trying to help.

Would it be possible to see the output of strings 2.bin?

https://bit.ly/2VwJxKA Here you can find the 3 bin files and the router's log. Need anything more?

The [123].bin files don't look malformed; either the loophole has been closed in this version or there are more checks on the downloaded files, but without the 3.0.33 image it is hard to know.
You can try the wifi exploit explained at the beginning of this thread, maybe you'll have more luck.

We indeed need an INT firmware to have a look at it. I adapted the script by @itay (Xiaomi AX3600 INT firmware - #100 by itay) to work with the AX9000 (the commented-out fields seem to make no difference):

import requests
#import datetime
import base64
import hashlib


# Shared token and regional endpoint used by the stock firmware's OTA check
DEFAULT_TOKEN = "8007236f-a2d6-4847-ac83-c49395ad6d65"
LINK = 'http://eu.api.miwifi.com/rs/grayupgrade'


def md5_base64(data):
    # The request signature is md5(base64(query string + token))
    b64_data = base64.b64encode(data.encode())
    return hashlib.md5(b64_data).hexdigest()


def calculate_s(params_to_hash):
    # Parameters are concatenated as "k=v&" in sorted key order,
    # then the shared token is appended before hashing
    params_str = ''
    for k, v in sorted(params_to_hash.items()):
        params_str += f'{k}={v}&'

    params_str += DEFAULT_TOKEN

    result = md5_base64(params_str)
    print(result)
    return result


def main():
    #now = datetime.datetime.now()

    # Device description as the stock firmware reports it to the update server
    params_to_hash = {
        "countryCode": 'EU',
        "rom": '3.0.31',
        #"serialNumber": 'your_sn',
        "rootfs": '0.0.1',
        "cfe": '1.0.2',
        #"deviceID": 'your_id', # `uci get messaging.deviceInfo.DEVICE_ID`
        #"ispCode": '',
        "linux": '4.4.16',
        "sqafs": '0.0.1',
        "hardware": 'RA70',
        #"locale": 'en_US',
        "ramfs": '0.0.1',
        "channel": 'release',
        #'time': now.strftime('%Y-%m-%d---%H:%M:%S')
    }

    # Sign the query first, then send the signature and the token as extra parameters
    params_to_hash['s'] = calculate_s(params_to_hash)
    params_to_hash['token'] = DEFAULT_TOKEN

    response = requests.get(LINK, params=params_to_hash)
    if response.ok:
        print(response.text)
    else:
        print("request failed:", response.status_code)


if __name__ == '__main__':
    main()

It gives no matches: {"code":"0","data":{"needUpgrade":false,"changelogUrl":"","description":""}}
I verified it works with CN firmwares: by changing LINK to http://api.miwifi.com/rs/grayupgrade,
countryCode to CN and rom to 1.0.101 I get {"code":"0","data":{"needUpgrade":true,"size":39715780,"changelogUrl":"https://cdn.cnbj1.fds.api.mi-img.com/miwifi/6787ba0e-fd22-4bb1-81ec-1b60c4727b83.html","toVersionName":"1.0.108","link":"http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/ra70/miwifi_ra70_firmware_d96a4_1.0.108.bin","description":"","weight":"1","upgradeId":"46392","hash":"77f560ae1d170be928b25639d7ed96a4","toVersion":"1.0.108"}}

It appears that we will have to wait for an INT firmware update to be rolled out to be able to fetch the respective .bin, since 3.0.33 is the initial INT firmware and is not available via OTA.
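A check to run on whatever the grayupgrade reply points at, once an INT update does appear: the reply above carries the download size and a 32-hex-digit hash, and the CDN filename (miwifi_ra70_firmware_d96a4_1.0.108.bin) embeds the last five hex digits of that hash. The snippet below is an added example, not the poster's script or Xiaomi's code. It assumes the hash field is the MD5 of the .bin (the length matches; the API does not say), copies the CN reply from the post above as CN_REPLY, and uses a constructed byte string as the stand-in download.

```python
import hashlib
import posixpath
from urllib.parse import urlparse

# Reply quoted in the post above (CN endpoint, rom 1.0.101), trimmed to the fields we check
CN_REPLY = {
    "code": "0",
    "data": {
        "needUpgrade": True,
        "size": 39715780,
        "toVersion": "1.0.108",
        "hash": "77f560ae1d170be928b25639d7ed96a4",
        "link": "http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/ra70/miwifi_ra70_firmware_d96a4_1.0.108.bin",
    },
}

# Constructed stand-in for a downloaded .bin; not a real Xiaomi image
SAMPLE_BLOB = b"HDR1" + bytes(range(256)) * 4


def fake_reply(blob, version="1.0.108"):
    """Build a reply in the same shape as the real one, describing `blob` (constructed data)."""
    digest = hashlib.md5(blob).hexdigest()
    return {
        "code": "0",
        "data": {
            "needUpgrade": True,
            "size": len(blob),
            "toVersion": version,
            "hash": digest,
            "link": f"http://cdn.example.invalid/xiaoqiang/rom/ra70/miwifi_ra70_firmware_{digest[-5:]}_{version}.bin",
        },
    }


def filename_consistent(link, digest, version):
    """CDN name pattern seen in the reply: miwifi_<hw>_firmware_<last 5 hex of hash>_<version>.bin"""
    name = posixpath.basename(urlparse(link).path)
    parts = name.split("_")
    return (
        len(parts) == 5
        and parts[0] == "miwifi"
        and parts[2] == "firmware"
        and parts[3] == digest.lower()[-5:]
        and parts[4] == f"{version}.bin"
    )


def check_download(blob, reply):
    """Compare a downloaded .bin with the grayupgrade reply; an empty list means it matches."""
    if reply.get("code") != "0":
        return [f"api code {reply.get('code')!r}"]
    data = reply["data"]
    if not data.get("needUpgrade"):
        return ["server offered no upgrade"]

    problems = []
    if len(blob) != int(data["size"]):
        problems.append(f"size {len(blob)} != {data['size']}")
    digest = hashlib.md5(blob).hexdigest()  # assumption: 32 hex chars in the reply means MD5
    if digest != data["hash"].lower():
        problems.append(f"md5 {digest} != {data['hash']}")
    if not filename_consistent(data["link"], data["hash"], data["toVersion"]):
        problems.append(f"link {data['link']} inconsistent with hash/version")
    return problems


if __name__ == "__main__":
    print(filename_consistent(CN_REPLY["data"]["link"], CN_REPLY["data"]["hash"], CN_REPLY["data"]["toVersion"]))
    print(check_download(SAMPLE_BLOB, fake_reply(SAMPLE_BLOB)))
```

The hash and the link come from the same server, so this only catches a truncated or mismatched download, not a malicious one; it is the same integrity level the stock updater gets. It also does nothing about the router-side "couldn't verify file" check described earlier in the thread, which inspects the image itself.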

The AX9000 is now being sold in a blue coloured box with English on it; these are the ones coming with the new global firmware. If you got the older solid black ones from China, they should still have the normal firmware. I asked a few people I know in China who are resellers of these to confirm this for me. I know the ones I have and installed for friends so far, even the one I just got last week in the black box, still have the China firmware on them. Might be something to watch for when you buy one of these, if you can check beforehand.

Could you elaborate on how to turn up the txpower? I have sshed into the router.

Could somebody download these files and share them with me?
https://4pda.to/forum/index.php?s=&showtopic=1021385&view=findpost&p=109244229

Which one? There are a bunch of files...

Dear all,
I managed to get the AX9000 with Chinese firmware. Is there any chance of being able to set the "vlan bridge: id vlan 1036 priority 0" settings with this firmware for a direct internet connection?

Hi Giudi,
I am sorry for sounding like a broken record.
But how could this off-topic question regarding Chinese firmware help with adding OpenWRT for the AX9000?


To implement this functionality in the firmware, or to enable it if hidden.

Your questions are fully off topic here!!! This thread is about OpenWRT on the AX9000!!!


I found https://github.com/jingleijack/Openwrt_Beta and I gained SSH access; not sure how you'd flash these. Sorry if I'm not supposed to post these.

If possible, may I have all of them? Or just this one: https://4pda.to/forum/dl/post/23747659/miwifi_ra70_firmware_d96a4_1.0.108%2BSSH%2BMI%2Btxpwr.zip

I assume the instructions are similar to the ones for the AX3600:

(except that it's /dev/mtd21 and /dev/mtd22 instead of /dev/mtd12 and /dev/mtd13, respectively; run cat /proc/mtd | grep rootfs to see for yourself)


SSH on global firmware 3.0.33 works with a second OpenWrt router

So, with the help of the great @458348 and after quite some time and struggles, we were able to set up a second OpenWrt router and gain SSH on the damned global firmware, as explained here: https://openwrt.org/inbox/toh/xiaomi/ax9000 (thanks to @robimarko).

At this link https://bit.ly/3CzuUpA you can download the global 3.0.33 firmware images we dumped, shared so that anyone who wants to understand the differences from the Chinese firmware can do so. For example, they are based on a different image format (HDR2).

Many thanks to everyone, and sorry for the possible spam; this matter appears to be solved.


https://mega.nz/file/eOxW2azZ#g3p0iWx6W8KB4yMtirC_hLYDGj-ORSOXaIS5AXtfs3c

Here they all are :wink: Just Firefox screams that it contains a virus :roll_eyes: :rofl:

Thanks for sharing and well done!
We can now have a (mostly) translated interface on CN firmwares thanks to /usr/lib/lua/luci/i18n/base.*.lmo from your rootfs :slight_smile:
I also applied the xqrepack+txpwr patches; they applied cleanly. However, the kernel signature (ubinize.sh from xqrepack verifies it) changed from d00dfeed to 17000000. Not sure what it means, but I'm hesitant to try this on my CN router.
For anyone interested (and brave), here are the images:
https://drive.google.com/drive/folders/1zaqAmhPJkou5Y9Fxd1pI6gOlkkHs5bcN?usp=sharing

Sorry for off-topic :wink:

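An added note on the post above, as example code that is neither the poster's nor xqrepack's: d00dfeed is the big-endian magic number of a flattened device tree, and a FIT image is a device tree, so a kernel blob that starts with d00dfeed is a FIT image and one that does not has either been wrapped in something else or is being read from the wrong offset. The snippet identifies the container formats that come up in this thread (FIT, uImage, UBI/UBIFS, squashfs, Xiaomi HDR1/HDR2) by their leading bytes and applies two header checks one would make before writing a repacked kernel to mtd. The magic table is mine; the sample blobs are constructed, and ODD_HEADER is just the four bytes the post reports, padded with zeros.

```python
import struct

# Leading bytes of the containers discussed in this thread, all at offset 0 of the blob.
# Compiled by hand for this example; not taken from ubinize.sh.
MAGICS = [
    (b"\xd0\x0d\xfe\xed", "FDT / FIT image (0xd00dfeed big-endian)"),
    (b"\x27\x05\x19\x56", "legacy U-Boot uImage (0x27051956)"),
    (b"UBI#", "UBI erase-counter header"),
    (b"\x31\x18\x10\x06", "UBIFS node (0x06101831 little-endian)"),
    (b"hsqs", "squashfs superblock (little-endian)"),
    (b"HDR1", "Xiaomi miwifi HDR1 container"),
    (b"HDR2", "Xiaomi miwifi HDR2 container"),
]


def identify(blob):
    """Name the container by its first four bytes, or report those bytes as unknown."""
    head = bytes(blob[:4])
    for magic, name in MAGICS:
        if head == magic:
            return name
    return f"unknown magic {head.hex()}"


def fit_totalsize(blob):
    """Return the FDT header's totalsize (bytes 4..8, big-endian) for a FIT image, else None."""
    if bytes(blob[:4]) != b"\xd0\x0d\xfe\xed" or len(blob) < 8:
        return None
    return struct.unpack(">I", blob[4:8])[0]


def check_kernel_image(blob):
    """Header checks before repacking a kernel: FIT magic present, totalsize within the blob."""
    problems = []
    kind = identify(blob)
    if not kind.startswith("FDT / FIT"):
        problems.append(f"kernel does not start with d00dfeed: {kind}")
        return problems
    total = fit_totalsize(blob)
    if total > len(blob):
        problems.append(f"FDT totalsize {total} exceeds image length {len(blob)}")
    return problems


# Constructed samples: a well-formed 64-byte FDT header, one whose totalsize points
# past the end of the data, and the four bytes reported in the post, zero-padded.
GOOD_FIT = b"\xd0\x0d\xfe\xed" + struct.pack(">I", 64) + bytes(56)
SHORT_FIT = b"\xd0\x0d\xfe\xed" + struct.pack(">I", 4096) + bytes(56)
ODD_HEADER = b"\x17\x00\x00\x00" + bytes(60)

if __name__ == "__main__":
    for label, blob in [("good", GOOD_FIT), ("short", SHORT_FIT), ("odd", ODD_HEADER)]:
        print(label, identify(blob), check_kernel_image(blob))
```

Run against the first bytes of a dumped kernel partition (the /dev/mtd numbers mentioned earlier in the thread) this tells you whether you are looking at a FIT image at all before a signature check is even meaningful; 17000000 is not a magic in the table, so the function reports it as unknown rather than guessing.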