FOR THE INTERNATIONAL VERSION 3.0.33 in ax9000
It looks like Xiaomi is going to change the firmware image format from HDR1 to HDR2, so there are two versions of the script in the archive: create_exploit.js suits most firmware, while create_exploit_hdr2.js is, for now, only for the global AX9000 version 3.0.33. If similar firmware suddenly appears for other models (a global build for the AX6000, for example), support for that device will first have to be added to the script; you can try it with the AX9000 payload, but the chances are slim.
Most likely a router that expects the first image format (HDR1) will not accept an image of the second format (HDR2), neither through the web interface nor with a tftp tool, and the same applies in the opposite direction.
In general, if the first script doesn't work, try the second one.
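A quick way to tell which script an image set belongs to before uploading anything is to look at the image header. The script below is an added example and is not part of the original post or of the exploit scripts; it assumes that MiWiFi images start with the 4-byte ASCII magic HDR1 or HDR2, and maps those to create_exploit.js and create_exploit_hdr2.js as the post describes. The sample bytes in the usage are constructed.

```python
"""Report the header format (HDR1/HDR2) of a set of MiWiFi firmware files.

Added example, not code from the original post or from the exploit scripts.
Assumption: a MiWiFi image begins with the ASCII magic b"HDR1" or b"HDR2".
"""
import sys
from typing import Dict, Optional

# Mapping follows the post: HDR1 images -> create_exploit.js,
# HDR2 images -> create_exploit_hdr2.js (global AX9000 3.0.33 for now).
MAGIC_TO_SCRIPT = {
    b"HDR1": "create_exploit.js",
    b"HDR2": "create_exploit_hdr2.js",
}


def image_format(data: bytes) -> Optional[str]:
    """Return 'HDR1', 'HDR2', or None when the magic is unknown or missing."""
    magic = data[:4]
    return magic.decode("ascii") if magic in MAGIC_TO_SCRIPT else None


def check_set(images: Dict[str, bytes], expected: Optional[str] = None) -> dict:
    """Validate a set of images (e.g. 1.bin, 2.bin, 3.bin) as one batch.

    All files must share one known header format; if `expected` is given
    (the format the router currently runs), a mismatch is reported too,
    since the post notes the router will not accept the other format.
    """
    formats = {name: image_format(data) for name, data in images.items()}
    problems = [
        f"{name}: unknown header {images[name][:4]!r}"
        for name, fmt in formats.items() if fmt is None
    ]
    known = {fmt for fmt in formats.values() if fmt is not None}
    if len(known) > 1:
        problems.append(
            "mixed header formats: "
            + ", ".join(f"{n}={f}" for n, f in formats.items())
        )
    fmt = known.pop() if len(known) == 1 and not problems else None
    if fmt is not None and expected is not None and fmt != expected:
        problems.append(f"router expects {expected} images but files are {fmt}")
    script = MAGIC_TO_SCRIPT.get(fmt.encode("ascii")) if fmt else None
    return {"format": fmt, "script": script, "problems": problems}


def check_files(paths, expected: Optional[str] = None) -> dict:
    """Read only the first 4 bytes of each file; large images stay on disk."""
    images = {}
    for path in paths:
        with open(path, "rb") as fh:
            images[path] = fh.read(4)
    return check_set(images, expected)


if __name__ == "__main__":
    # Usage: python check_hdr.py 1.bin 2.bin 3.bin  (optionally: --expect HDR1)
    args = sys.argv[1:]
    expected = None
    if "--expect" in args:
        i = args.index("--expect")
        expected = args[i + 1]
        del args[i:i + 2]
    result = check_files(args, expected)
    print(result)
```

Run it against the three unpacked files; an empty `problems` list and the reported script name tell you which create_exploit variant produced them and whether they match what the router currently accepts.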
For global 3.0.33 on the AX9000, use create_exploit_hdr2.js instead of create_exploit.js.
- Make a backup of the configuration if necessary, because activating telnet requires a factory reset.
- Open the admin panel in the web interface (miwifi.com or by IP address).
- Paste the contents of the create_exploit.js file into the browser console and press Enter.
- If everything is OK, a dialog appears where you can change the bdata region or leave it as is.
- Wait 10-15 seconds for the patch file to be generated. It should then download automatically, so if the browser blocks the download, it is better to lift that restriction.
- Unpack the downloaded file.
- After unpacking there should be three files: 1.bin, 2.bin, 3.bin. Upload them in that order through the web interface page where firmware for a manual update is uploaded. If all is well, the router should reboot after each upload. If after the first upload you can no longer connect via Wi-Fi, connect by cable and continue (I have never had this happen, but people write that it does).
- Factory reset.
- Open the admin panel and run the calc_passwd.js script in the browser console to find out your telnet password. (This step can be done once, at any time: the default password depends on the serial number and will not change unless the serial number changes.)
- Try to connect via telnet. If it says the password is wrong, repeat from the factory reset step until it works. (On the AX3600 there is often a glitch where the default password is not accepted after a factory reset and the router has to be reset again.)
- You can enable ssh: connect via telnet and enable the ssh server:
# the dropbear init script gates on the "channel" value; set it to debug
sed -i 's/channel=.*/channel="debug"/g' /etc/init.d/dropbear
# persist the ssh-enable flag in nvram so it survives a reboot
nvram set ssh_en=1
nvram commit
# start the ssh server now
/etc/init.d/dropbear start
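For the password step above, here is an offline derivation you can run on a PC, as an added example that is not the post's calc_passwd.js. It assumes the widely published MiWiFi scheme, in which the default root password is the first 8 hex characters of MD5 over the serial number concatenated with a fixed salt; the salt constant is an assumption and some models use a different one, so compare the result with what calc_passwd.js prints before relying on it. The serial number in the usage is constructed.

```python
"""Derive the MiWiFi default telnet/ssh password from the router serial number.

Added example, not the post's calc_passwd.js. Assumption: the classic
MiWiFi scheme, password = MD5(serial + salt)[:8]. The salt below is the
one commonly published for this scheme; treat it as an assumption and
check against calc_passwd.js for your model.
"""
import hashlib
import sys

# Assumed salt for the classic MiWiFi default-password derivation.
MIWIFI_SALT = "A2E371B0-B34B-48A5-8C40-A7133F3B5D88"


def derive_password(serial: str, salt: str = MIWIFI_SALT, length: int = 8) -> str:
    """Return the first `length` hex chars of MD5(serial + salt).

    The serial is used exactly as printed on the label (including any '/'),
    so do not strip or reformat it beyond trimming surrounding whitespace.
    """
    serial = serial.strip()
    digest = hashlib.md5((serial + salt).encode("ascii")).hexdigest()
    return digest[:length]


def is_plausible(password: str) -> bool:
    """Sanity check: 8 lowercase hex chars, the shape calc_passwd.js prints."""
    return len(password) == 8 and all(c in "0123456789abcdef" for c in password)


if __name__ == "__main__":
    # Usage: python miwifi_passwd.py 12345/00000001   (constructed serial)
    sn = sys.argv[1] if len(sys.argv) > 1 else "12345/00000001"
    pw = derive_password(sn)
    print(f"serial {sn!r} -> default password {pw}")
```

Because the password is a pure function of the serial number, the value stays the same across factory resets, which is why the post says the calc step only needs to be done once.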