OpenWrt support for Xiaomi AX9000

thank you for the reply

regarding telnet - do you mean you just entered root with an empty password ?

noticed you mentioned a link to init URL / reinitialise everything - do you have it at hand ?

thx again

I mean I just entered: telnet 192.168.31.1 and that's all.

The working URL I found to initialize the router was: http://192.168.31.1/cgi-bin/luci/;stok={STOCK}/web/init/guide

1 Like

well the /web/init/guide worked thank you so ... not the telnet though but at least I am not stuck anymore thank you again 🙂

My bad, telnet password is disabled because ssh is enabled. Based on the original post, you should try to factory reset again if the password doesn't work. For me it worked on the first try.

1 Like

yes I think I need to rerun the steps as now I have ssh enabled (following the steps on the openwrt ax9000 wifi) but still the S/N based password is not working.

Any progress in flashing the router directly to openwrt without going through these steps? I think going forward (from my experience so far after two days) it is of most importance to prioritise migrating seamlessly to openwrt instead of these steps... as my experience with wrt3200acm tells me

before this though I want to try the xiaomi firmware as it seems much more solid than comments back when this thread started..

Xiaomi has long fixed all the simple vulnerabilities.
But user namidairo found a new (simple in his words) vulnerability. We are all waiting for it to be published in topic Adding OpenWrt support for Xiaomi "Redmi Router AX6S"/"Xiaomi Router AX3200" - #24 by namidairo

There is also an automatic version of obtaining SSH access through a vulnerability in mkxqimage (Xiaomi is already starting to fix this vulnerability).
Here are scripts that can be adapted to any Xiaomi device: https://github.com/openwrt-xiaomi/xmir-patcher

1 Like

yes I know that one .... the point is that we probably need to get xiaomi onboard of what we are trying to do here and that is (presumptuous of me) not to hack their product but instead have an opensource version of their kit with an immediate value of being able to merchandise their product as a truly opensource product to worldwide? is this a good pitch? 😉

truly good hardware with tremendous value at half the cost ... just need sponsorship from xiaomi to make it truly opensource... and this has been the con of my experience with marvell + linksys which was made much better with the strength of this community

Yes. There is a possibility.
Since all Xiaomi routers have a bug in the mkxqimage module (except for RB01 and RB03), we can make a custom HDR1 image that will contain the kernel and rootfs from OpenWrt.
I plan to make such images for R3G and R3D.

2 Likes

just a last update on my progress to obtain ssh access

I changed /usr/lib/lua/luci/controller/admin/xqsystem.lua to include at the end of the command "result["token"]" the following ";passwd -d root" this way I don't need to run the calc passwd which is not working for me anyway

so I am 🙂 thank you so much for everyone's reply

There must be some networking security justification for newer kernels, right? I suppose important security fixes have been backported, but that doesn't mean the other various improvements are there. Also the networking efficiency improvements in recent kernels...

What justification is needed?

I don't know... The devs would have to answer. I realize they might not want to make the trade-off and break hardware, but I think there should be a way to run a more recent kernel via the pkg manager or similar. It would help them test to let a group of us be on a more cutting edge / rolling release.

It's not a matter of breaking HW, the next stable will be on 5.10 and 5.15 will be merged after that is branched.

You can't do kernel updates via opkg in OpenWrt, there is no way that it could cover all of the methods of booting that are supported.
These are embedded devices that are meant to only do image based updates, unlike desktop/server distributions that all utilize the same bootloader and booting process.

2 Likes

so after a few noob errors (I am sure) I now connected via uart/serial to the ax9000

it is loading on u-boot ... I mtd wrote the mtd22 partition with the openwrt-ipq807x-generic-xiaomi_ax9000-squashfs-nand-factory and set the router to start from rootfs_1

printenv shows
bootargs=ubi.mtd=rootfs_1 root=mtd:ubi_rootfs rootfstype=squashfs rootwait

however it doesn't carry on

... I tried to change the bootargs to mtd21 and rootfs (instead of rootfs_1) and no luck

any hints on how to get from this ?

I also tried to tftpboot the original firmware but can't boot it either

here is what I get at the start

U-Boot 2016.01 (May 08 2021 - 02:53:50 +0000), Build: jenkins-common_router_openwrt_ota_publish-1177

DRAM:  smem ram ptable found: ver: 1 len: 4
1 GiB
NAND:  Could not find nand_gpio in dts, using defaults
ONFI device found
ID = 1590aaef
Vendor = ef
Device = aa
SF: Unsupported flash IDs: manuf ff, jedec ffff, ext_jedec ffff
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
256 MiB
MMC:   sdhci: Node Not found, skipping initialization

PCI Link Intialized
PCI Link Intialized
In:    serial@78B3000
Out:   serial@78B3000
Err:   serial@78B3000
machid: 8010012
MMC Device 0 not found
bootwait is on, bootdelay=5
Hit any key to stop autoboot:  0

so I was able to restore the ax9000 by placing the xiaomi firmware on a usb stick with partition formatted with fat32, renaming the bin file to xiaomi.bin and then on the uboot command line typing in usbboot addr 0:1

1 Like

question to the forum - would the usbboot method work to boot the openwrt "openwrt-ipq807x-generic-xiaomi_ax9000-squashfs-nand-factory.ubi" ? happy to have a go ... but don't want to brick the router again 😉

Seems like a Xiaomi custom command to me which we would need to assess what exactly it does. E.g. whether it just loads and executes stuff from USB or also does some kind of flashing. It might also perform some kind of validation on those bin files, who knows?

this is a standard uboot command

Yes, you are right. Funny I never noticed this one before. However, given we do not have any sources from Xiaomi at all, we still do not know whether they might not do anything special.