OpenWrt support for Xiaomi AX9000

Thank you so much. This very kind of you :smiley:

we are waiting. you are our hope :laughing:
Is it for AX9000? The firmware version 3.xx seems for AX3660 INT

It is for AX9000, created from global firmware dump by @Lenin9212. It's pretty similar to CN firmwares, except that from xqrepack complains about invalid kernel img (unexpected signature (first 4 bytes): 17000000 over expected d00dfeed). Looking closer at the "new" kernel image, I see additional 40 bytes chunk before the expected d00dfeed:

17 00 00 00 03 00 00 00 00 00 00 00 28 00 00 42
98 15 5E 00 98 FC 5D 00 C0 FC 5D 42 00 01 00 00
C0 FD 5D 42 00 18 00 00_D0 0D FE ED_00 5D FC 98

We should end this discussion here, as it's clearly off-topic. If somebody wants to carry this on, please create a separate topic.



I have a chinese version of AX9000.

How can I install the INT version and unlock some of the features written here?

I tried some files here but it fails to update.

Noob here! Sorry!


It looks like xiaomi is going to change the firmware image version from HDR1 to HDR2, so there are 2 versions of the script in the file, but create_exploit.js is suitable for most, and create_exploit_hdr2.js is still only for global ax9000 version 3.0.33. If similar firmware suddenly appears for other models (globalka on ax6000, for example), you will need to add support for that device to the script first, although you can try with ax9000 payload, but chances are slim.
Most likely, a router that is configured for the first version of images (HDR1) will not be able to display the image of the second version (HDR2) neither through the web nor with a tftp tool. In the opposite direction in the same way.
In general, if the first script doesn't work, we try to use the second one.

With respect to global 3.0.33 in ax9000
Use create_exploit_hdr2.js instead of create_exploit.js

  1. Make a backup of the configuration if necessary, because telnet will require a factory reset to activate.
  2. Go to the admin panel on the web muzzle ( or by IP address)
  3. Copy the content of the create_exploit.js file to the browser console and press enter.
  4. If everything is ok, a window will appear where you can change the bdata region or leave it at that.
  5. Wait 10-15 seconds for the patch file to be generated. Then it should download automatically, so if the browser has crashes on this, it is better to remove them.
  6. Unpack the contents of the downloaded file.
  7. After unpacking, there should be 3 files: 1.bin, 2.bin, 3.bin. In the same order, upload it to the webmord where the firmware for the update is manually uploaded. If everything is fine, after each load, the router should restart. If after the first filling you stop connecting via wifi, you need to connect via cable and continue (I never had this, but people write what happens).
  8. Factory reset.
  9. Go to the admin panel and run the script calc_passwd.js in the browser console to find out your password for telnet. (This step can be done once and at any time. The default password depends on the serial number and will not change if the serial number is not changed)
  10. Try to connect via telnet, if it says the password is wrong, You can also repeat from step 7 until it works. (In ax3600, there is often a glitch that after factory reset the default password is not accepted and the router needs to be reset again.)
  11. You can enable ssh:

Connect via telnet and enable ssh server:
sed -i 's / channel =. * / channel = \ "debug " / g' /etc/init.d/dropbear
/etc/init.d/dropbear start

sed -i 's/channel=.*/channel="debug"/g' /etc/init.d/dropbear
nvram set ssh_en=1
nvram commit
/etc/init.d/dropbear start

create_exploitPreformatted text


Thanks a lot @bruda !!!

I managed to make ssh working.

Is there a way to put everything in english?

There is a way to translate most of the web interface to English.
(taken from the global firmware)
Unzip, then scp base.en.lmo to /usr/lib/lua/luci/i18n/ on the router, and execute these:

uci set luci.languages.en='English'
uci set luci.main.lang='en'
uci commit

or similar with other languages (like for Russian etc.)

wow amazing thanks a lot!

I see talks about firmware 3.0.33 and mine is 1.0.108 .

Is it the same? Is there one better than the other?

Also what other things can I do with my AX9000 to unleash it's full power?

You should create a separate topic for this: this one is about OpenWrt on AX9000, not about unleashing stock firmware potential :wink:


Oh sorry! Is there a stable and safe way to run OpenWrt on my AX900 already?

Guys, stop spamming about the stock FW or the INT FW, or whatever hacked one is in the wild.
This is about vanilla OpenWrt on the AX9000, on every reply I think that something useful has happened.

@luisabreuf83 There is a safe way to have it running but its not stable.


@robimarko can you please post about your setup here? I have a device with SSH enabled now, so what's next? what branch are you using, and how do you boot the device with openwrt? (I guess with the bootloader with UART enabled, but is this correct?). I hope I'm not asking for something already posted here, I tried to look for it.
I'm not asking for something ready to use, I want to help get this device supported officially.

If you have SSH, then make sure to enable UART as per Wiki instructions.
If you want to run OpenWrt, check out my IPQ807x-5.10-backports branch, its the latest one.
But note that WLAN is broken fully on it as I am working on the QCN9024 support, I need to get the prober BDF for it now

1 Like

Hi Robimarko,

what about this bdf ?

It's the same board_id (160) that xiaomi is using in the dts for the qcn9000

I was using that one as a hack to get it working but its not correct as it allows all of the channels which is incorrect.
Also, ath11k has no way of defining the board-id for PCI devices and most vendors did not put it in the caldata at all.
I didn't really have time today so I only packaged the stock BDF and ath11k is not liking that one, it will init the device but then error out on not receiving regulatory data/reply from the card.
So, its gonna take some experimentation


@kirdes Finally got around to booting gain.
Here is the error:

[   11.156676] ath11k_pci 0000:01:00.0: chip_id 0x0 chip_family 0x0 board_id 0xff soc_id 0xffffffff
[   11.156715] ath11k_pci 0000:01:00.0: fw_version 0x2506844c fw_build_timestamp 2021-07-13 10:24 fw_build_id 
[   11.587059] ath11k_pci 0000:01:00.0: No regulatory rules available in the event info
[   11.587093] ath11k_pci 0000:01:00.0: failed to extract regulatory info from received event
[   11.593968] ------------[ cut here ]------------
[   11.601948] WARNING: CPU: 0 PID: 1975 at ath11k_hal_rx_reo_ent_buf_paddr_get+0x3238/0x431c [ath11k]
[   11.606714] Modules linked in: pppoe ppp_async iptable_nat ath11k_pci ath11k_ahb ath11k ath10k_pci ath10k_core ath xt_state xt_nat xt_conntrack xt_REDIRECT xt_MASQUERADE xt_FLOWOFFLOAD pppox ppp_generic nf_nat nf_flow_table nf_conntrack mac80211 ipt_REJECT cfg80211 xt_time xt_tcpudp xt_multiport xt_mark xt_mac xtg
[   11.656785] CPU: 0 PID: 1975 Comm: dropbearkey Tainted: G        W         5.10.72 #0
[   11.679021] Hardware name: Xiaomi AX9000 (DT)
[   11.686915] pstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--)
[   11.691261] pc : ath11k_hal_rx_reo_ent_buf_paddr_get+0x3238/0x431c [ath11k]
[   11.697338] lr : ath11k_hal_rx_reo_ent_buf_paddr_get+0x3238/0x431c [ath11k]
[   11.704019] sp : ffffffc01138bbe0
[   11.710957] x29: ffffffc01138bc10 x28: ffffffc008c37f24 
[   11.714433] x27: ffffff8004cd4740 x26: ffffffc008aecec4 
[   11.719816] x25: 0000000000000000 x24: ffffff8006d80000 
[   11.725111] x23: ffffff8006d81d78 x22: 000000000003a001 
[   11.730406] x21: ffffff800559a880 x20: ffffff8006d80000 
[   11.735700] x19: ffffff8004c75100 x18: 0000000000000165 
[   11.740996] x17: 0000000000000000 x16: 0000000000000000 
[   11.746291] x15: ffffffc011277cc8 x14: 000000000000042f 
[   11.751585] x13: 0000000000000165 x12: ffffffc01138b7d8 
[   11.756881] x11: ffffffc0112cfcc8 x10: 00000000fffff000 
[   11.762175] x9 : ffffffc0112cfcc8 x8 : 0000000000000000 
[   11.767471] x7 : ffffffc011277cc8 x6 : 0000000000000001 
[   11.772766] x5 : 0000000000000000 x4 : 0000000000000000 
[   11.778061] x3 : 0000000000000000 x2 : 0000000000000000 
[   11.783357] x1 : ffffff8005bf5c00 x0 : 000000000000004e 
[   11.788652] Call trace:
[   11.793947]  ath11k_hal_rx_reo_ent_buf_paddr_get+0x3238/0x431c [ath11k]
[   11.796124]  ath11k_htc_rx_completion_handler+0x4c8/0x690 [ath11k]
[   11.802720]  ath11k_ce_per_engine_service+0x304/0x424 [ath11k]
[   11.808966]  ath11k_mhi_resume+0x5a4/0xc94 [ath11k_pci]
[   11.814785]  tasklet_action_common.constprop.0+0x15c/0x194
[   11.819903]  tasklet_action+0x2c/0x3c
[   11.825455]  _stext+0x124/0x290
[   11.829186]  irq_exit+0x70/0xa0
[   11.832140]  __handle_domain_irq+0x84/0xe0
[   11.835266]  gic_handle_irq+0x7c/0xa4
[   11.839431]  el0_irq_naked+0x4c/0x54
[   11.843162] ---[ end trace 033bd3e52faeb04c ]---
[   11.848101] ath11k_pci 0000:01:00.0: failed to receive default regd during init

No idea how the hell does a BDF do this

Can anybody provide a full bootlog with latest stock FW?
I think I used the wrong BDF, probably for 2G band and I don't have a stock bootlog anymore.

It is here:

Thanks for the bootlog, no luck with it as it doesn't print which one it loads.
I checked some docs and bdwlan.ba0 should be the one, it's the one to use for 4x4 in 5GHz mode, it's also the same as bdwlan.bin so that should be it but it fails with the regulatory message.
Unless Xiaomi is doing some crazy regulatory runtime patching which I cannot find.

Even if you put it as the plain board.bin it complains, so its gotta be a really outdated format or something as the BDF format and features get updated with each release.