OpenWrt support for Xiaomi AX9000

to implement this functionality on the firmware, or to enable it if hidden

Your questions are fully off topic here!!! Thread are about OpenWRT on AX9000!!!


I found and I gained SSH access not sure how you'd flash these. Sorry if I'm not supposed to post these/this

If possible. May I have all? Or just this one

I assume the instructions are similar to the ones for AX3600:

(except that it's /dev/mtd21 and /dev/mtd22 instead of /dev/mtd12 and /dev/mtd13, respectively: do cat /proc/mtd|grep rootfs to see for yourself)

1 Like

ssh on global firmware 3.0.33 works with second openwrt router

So, with the help of great @458348 and after quite some time and struggles we were able to setup a second openwrt router and gain ssh on the damned global firmware as explained here (thanks to @robimarko).

At this link you can download the global images of 3.0.33 firmare we dumped to share them with you so that anyone who wants to understand the differences with chinese firmware can do it. For example, they are based on a different image format (HDR2).

Many thanks to everyone, sorry for the possible spam, this matter appears to be solved.


Here are all :wink: Just Firefox scream about it contain virus :roll_eyes: :rofl:

Thanks for sharing and well done!
We can now have (mostly) translated interface on CN firmwares thanks to /usr/lib/lua/luci/i18n/base.*.lmo from your rootfs :slight_smile:
I also applied xqrepack+txpwr patches, they applied cleanly; however, kernel signature ( from xqrepack verifies it) changed from d00dfeed to 17000000. Not sure what it means, but I'm hesitant to try this on my CN router.
For anyone interested (and brave), here're the images:

Sorry for off-topic :wink:

1 Like

Thank you so much. This very kind of you :smiley:

we are waiting. you are our hope :laughing:
Is it for AX9000? The firmware version 3.xx seems for AX3660 INT

It is for AX9000, created from global firmware dump by @Lenin9212. It's pretty similar to CN firmwares, except that from xqrepack complains about invalid kernel img (unexpected signature (first 4 bytes): 17000000 over expected d00dfeed). Looking closer at the "new" kernel image, I see additional 40 bytes chunk before the expected d00dfeed:

17 00 00 00 03 00 00 00 00 00 00 00 28 00 00 42
98 15 5E 00 98 FC 5D 00 C0 FC 5D 42 00 01 00 00
C0 FD 5D 42 00 18 00 00_D0 0D FE ED_00 5D FC 98

We should end this discussion here, as it's clearly off-topic. If somebody wants to carry this on, please create a separate topic.



I have a chinese version of AX9000.

How can I install the INT version and unlock some of the features written here?

I tried some files here but it fails to update.

Noob here! Sorry!


It looks like xiaomi is going to change the firmware image version from HDR1 to HDR2, so there are 2 versions of the script in the file, but create_exploit.js is suitable for most, and create_exploit_hdr2.js is still only for global ax9000 version 3.0.33. If similar firmware suddenly appears for other models (globalka on ax6000, for example), you will need to add support for that device to the script first, although you can try with ax9000 payload, but chances are slim.
Most likely, a router that is configured for the first version of images (HDR1) will not be able to display the image of the second version (HDR2) neither through the web nor with a tftp tool. In the opposite direction in the same way.
In general, if the first script doesn't work, we try to use the second one.

With respect to global 3.0.33 in ax9000
Use create_exploit_hdr2.js instead of create_exploit.js

  1. Make a backup of the configuration if necessary, because telnet will require a factory reset to activate.
  2. Go to the admin panel on the web muzzle ( or by IP address)
  3. Copy the content of the create_exploit.js file to the browser console and press enter.
  4. If everything is ok, a window will appear where you can change the bdata region or leave it at that.
  5. Wait 10-15 seconds for the patch file to be generated. Then it should download automatically, so if the browser has crashes on this, it is better to remove them.
  6. Unpack the contents of the downloaded file.
  7. After unpacking, there should be 3 files: 1.bin, 2.bin, 3.bin. In the same order, upload it to the webmord where the firmware for the update is manually uploaded. If everything is fine, after each load, the router should restart. If after the first filling you stop connecting via wifi, you need to connect via cable and continue (I never had this, but people write what happens).
  8. Factory reset.
  9. Go to the admin panel and run the script calc_passwd.js in the browser console to find out your password for telnet. (This step can be done once and at any time. The default password depends on the serial number and will not change if the serial number is not changed)
  10. Try to connect via telnet, if it says the password is wrong, You can also repeat from step 7 until it works. (In ax3600, there is often a glitch that after factory reset the default password is not accepted and the router needs to be reset again.)
  11. You can enable ssh:

Connect via telnet and enable ssh server:
sed -i 's / channel =. * / channel = \ "debug " / g' /etc/init.d/dropbear
/etc/init.d/dropbear start

sed -i 's/channel=.*/channel="debug"/g' /etc/init.d/dropbear
nvram set ssh_en=1
nvram commit
/etc/init.d/dropbear start

create_exploitPreformatted text


Thanks a lot @bruda !!!

I managed to make ssh working.

Is there a way to put everything in english?

There is a way to translate most of the web interface to English.
(taken from the global firmware)
Unzip, then scp base.en.lmo to /usr/lib/lua/luci/i18n/ on the router, and execute these:

uci set luci.languages.en='English'
uci set luci.main.lang='en'
uci commit

or similar with other languages (like for Russian etc.)

wow amazing thanks a lot!

I see talks about firmware 3.0.33 and mine is 1.0.108 .

Is it the same? Is there one better than the other?

Also what other things can I do with my AX9000 to unleash it's full power?

You should create a separate topic for this: this one is about OpenWrt on AX9000, not about unleashing stock firmware potential :wink:


Oh sorry! Is there a stable and safe way to run OpenWrt on my AX900 already?

Guys, stop spamming about the stock FW or the INT FW, or whatever hacked one is in the wild.
This is about vanilla OpenWrt on the AX9000, on every reply I think that something useful has happened.

@luisabreuf83 There is a safe way to have it running but its not stable.