OpenWrt support for Xiaomi AX9000

ssh on global firmware 3.0.33 works with second openwrt router

So, with the help of the great @458348, and after quite some time and struggles, we were able to set up a second OpenWrt router and gain ssh on the damned global firmware as explained here https://openwrt.org/inbox/toh/xiaomi/ax9000 (thanks to @robimarko).

At this link https://bit.ly/3CzuUpA you can download the global images of the 3.0.33 firmware we dumped; we share them so that anyone who wants to understand the differences from the Chinese firmware can do so. For example, they are based on a different image format (HDR2).

Many thanks to everyone, sorry for the possible spam, this matter appears to be solved.

3 Likes

https://mega.nz/file/eOxW2azZ#g3p0iWx6W8KB4yMtirC_hLYDGj-ORSOXaIS5AXtfs3c

Here they all are :wink: Just Firefox screams about it containing a virus :roll_eyes: :rofl:

Thanks for sharing and well done!
We can now have (mostly) translated interface on CN firmwares thanks to /usr/lib/lua/luci/i18n/base.*.lmo from your rootfs :slight_smile:
I also applied the xqrepack+txpwr patches, and they applied cleanly; however, the kernel signature (ubinize.sh from xqrepack verifies it) changed from d00dfeed to 17000000. Not sure what it means, but I'm hesitant to try this on my CN router.
For anyone interested (and brave), here are the images:
https://drive.google.com/drive/folders/1zaqAmhPJkou5Y9Fxd1pI6gOlkkHs5bcN?usp=sharing

Sorry for off-topic :wink:

1 Like

Thank you so much. This is very kind of you :smiley:

We are waiting. You are our hope :laughing:
Is it for AX9000? The firmware version 3.xx seems to be for the AX3660 INT.

It is for AX9000, created from the global firmware dump by @Lenin9212. It's pretty similar to the CN firmwares, except that ubinize.sh from xqrepack complains about an invalid kernel img (unexpected signature (first 4 bytes): 17000000 over expected d00dfeed). Looking closer at the "new" kernel image, I see an additional 40-byte chunk before the expected d00dfeed:

17 00 00 00 03 00 00 00 00 00 00 00 28 00 00 42
98 15 5E 00 98 FC 5D 00 C0 FC 5D 42 00 01 00 00
C0 FD 5D 42 00 18 00 00_D0 0D FE ED_00 5D FC 98
...

We should end this discussion here, as it's clearly off-topic. If somebody wants to carry this on, please create a separate topic.

3 Likes
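To make the observation in the hex dump above checkable, here is a small inspector, added as an example and not taken from xqrepack or the thread: it locates the d00dfeed FIT magic, reports the prefix length and the "signature" value that ubinize.sh compares, and reads the FIT header's totalsize. The 40 prefix bytes are copied from the post; the FIT header that follows them is constructed, and reading the prefix as little-endian words is an assumption made only for display.

```python
import struct
from typing import Optional

FDT_MAGIC = b"\xd0\x0d\xfe\xed"   # "d00dfeed", start of a FIT / flattened device tree
FDT_HEADER = ">10I"               # the FIT (fdt) header: 10 big-endian u32 fields, 40 bytes

def inspect_kernel_image(blob: bytes) -> Optional[dict]:
    """Find where the FIT image starts and describe what precedes it.

    Returns None when no FIT magic is present; otherwise the first four bytes
    (the 'signature' ubinize.sh checks against d00dfeed), the prefix length and
    the FIT header's totalsize/version, plus a size-consistency flag.
    """
    magic_off = blob.find(FDT_MAGIC)
    if magic_off < 0 or len(blob) < magic_off + struct.calcsize(FDT_HEADER):
        return None
    fields = struct.unpack_from(FDT_HEADER, blob, magic_off)
    totalsize, version = fields[1], fields[5]
    prefix = blob[:magic_off]
    # Assumption: show the prefix as little-endian u32 words; the thread does not
    # document their meaning, so this is for inspection only.
    usable = prefix[: len(prefix) // 4 * 4]
    prefix_words = [w for (w,) in struct.iter_unpack("<I", usable)]
    return {
        "signature": blob[:4].hex(),          # "d00dfeed" for a plain FIT, "17000000" here
        "prefix_len": magic_off,
        "prefix_words": prefix_words,
        "fdt_totalsize": totalsize,
        "fdt_version": version,
        # True when the prefix plus the FIT's own totalsize covers the whole blob
        "size_consistent": magic_off + totalsize == len(blob),
    }

# Constructed sample: the 40 prefix bytes quoted in the post, followed by a
# minimal 40-byte FIT header (totalsize 40, version 17) standing in for a kernel.
PREFIX_FROM_POST = bytes.fromhex(
    "17000000030000000000000028000042"
    "98155E0098FC5D00C0FC5D4200010000"
    "C0FD5D4200180000"
)
MINIMAL_FIT = struct.pack(FDT_HEADER, 0xD00DFEED, 40, 40, 40, 40, 17, 16, 0, 0, 0)
HDR2_STYLE_IMAGE = PREFIX_FROM_POST + MINIMAL_FIT
PLAIN_IMAGE = MINIMAL_FIT

if __name__ == "__main__":
    for name, img in (("plain", PLAIN_IMAGE), ("prefixed", HDR2_STYLE_IMAGE)):
        print(name, inspect_kernel_image(img))
```

Run it against a real dumped kernel partition to see the same 40-byte prefix reported, or a prefix of 0 for a CN (HDR1) image.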

Hello, I'm from China. How do I flash this 3.xx firmware onto the ax9000? My ax9000 already has ssh. Thanks!

I have a Chinese version of the AX9000.

How can I install the INT version and unlock some of the features written here?

I tried some files here but it fails to update.

Noob here! Sorry!

FOR THE INTERNATIONAL VERSION 3.0.33 in ax9000

It looks like Xiaomi is going to change the firmware image version from HDR1 to HDR2, so there are 2 versions of the script in the file: create_exploit.js is suitable for most, and create_exploit_hdr2.js is still only for the global ax9000 version 3.0.33. If similar firmware suddenly appears for other models (globalka on ax6000, for example), you will need to add support for that device to the script first; you can try with the ax9000 payload, but the chances are slim.
Most likely, a router that is configured for the first version of images (HDR1) will not be able to display the image of the second version (HDR2), neither through the web nor with a tftp tool. The same applies in the opposite direction.
In general, if the first script doesn't work, we try to use the second one.

With respect to global 3.0.33 in ax9000
Use create_exploit_hdr2.js instead of create_exploit.js

  1. Make a backup of the configuration if necessary, because telnet will require a factory reset to activate.
  2. Go to the admin panel on the web interface (miwifi.com or by IP address).
  3. Copy the content of the create_exploit.js file to the browser console and press enter.
  4. If everything is ok, a window will appear where you can change the bdata region or leave it as it is.
  5. Wait 10-15 seconds for the patch file to be generated. Then it should download automatically, so if the browser has crashes on this, it is better to remove them.
  6. Unpack the contents of the downloaded file.
  7. After unpacking, there should be 3 files: 1.bin, 2.bin, 3.bin. In the same order, upload them to the web interface where the firmware for the update is manually uploaded. If everything is fine, after each upload the router should restart. If after the first upload you can no longer connect via wifi, you need to connect via cable and continue (I never had this, but people write that it happens).
  8. Factory reset.
  9. Go to the admin panel and run the script calc_passwd.js in the browser console to find out your password for telnet. (This step can be done once and at any time. The default password depends on the serial number and will not change if the serial number is not changed.)
  10. Try to connect via telnet; if it says the password is wrong, you can also repeat from step 7 until it works. (In ax3600, there is often a glitch that after a factory reset the default password is not accepted and the router needs to be reset again.)
  11. You can enable ssh:

Connect via telnet and enable the ssh server (the sed line must be typed without the extra spaces the forum inserts):

sed -i 's/channel=.*/channel="debug"/g' /etc/init.d/dropbear
nvram set ssh_en=1
nvram commit
/etc/init.d/dropbear start


7 Likes

Thanks a lot @bruda !!!

I managed to get ssh working.

Is there a way to put everything in English?

There is a way to translate most of the web interface to English.
(taken from the global firmware)
https://drive.google.com/drive/folders/1uMazm0AWGY8BQ76jTOfIgBCU2OBnHQqf?usp=sharing
Unzip base-int.zip, then scp base.en.lmo to /usr/lib/lua/luci/i18n/ on the router, and execute these:

uci set luci.languages.en='English'
uci set luci.main.lang='en'
uci commit

or similarly for other languages (like base.ru.lmo for Russian, etc.)

1 Like

Wow, amazing, thanks a lot!

I see talk about firmware 3.0.33, and mine is 1.0.108.

Is it the same? Is there one better than the other?

Also, what other things can I do with my AX9000 to unleash its full power?

You should create a separate topic for this: this one is about OpenWrt on AX9000, not about unleashing stock firmware potential :wink:

2 Likes

Oh sorry! Is there a stable and safe way to run OpenWrt on my AX9000 already?

Guys, stop spamming about the stock FW or the INT FW, or whatever hacked one is in the wild.
This is about vanilla OpenWrt on the AX9000; on every reply I think that something useful has happened.

@luisabreuf83 There is a safe way to have it running, but it's not stable.

8 Likes

@robimarko can you please post about your setup here? I have a device with SSH enabled now, so what's next? What branch are you using, and how do you boot the device with OpenWrt? (I guess with the bootloader with UART enabled, but is this correct?) I hope I'm not asking for something already posted here; I tried to look for it.
I'm not asking for something ready to use, I want to help get this device supported officially.

If you have SSH, then make sure to enable UART as per the Wiki instructions.
If you want to run OpenWrt, check out my IPQ807x-5.10-backports branch; it's the latest one.
But note that WLAN is fully broken on it as I am working on the QCN9024 support; I need to get the proper BDF for it now.

1 Like

Hi Robimarko,

What about this BDF?

https://source.codeaurora.org/quic/qsdk/oss/ath11k-bdf/tree/QCN9074/hw1.0/WLAN.HK.2.5.0.1/WLAN.HK.2.5.0.1-01192-QCAHKSWPL_SILICONZ-1/board-2.bin?h=NHSS.QSDK.11.4.0.5&id=0bc83743aab26006c084963760fa7dd7232ef123

It's the same board_id (160) that Xiaomi is using in the dts for the qcn9000.

I was using that one as a hack to get it working, but it's not correct, as it allows all of the channels, which is incorrect.
Also, ath11k has no way of defining the board-id for PCI devices, and most vendors did not put it in the caldata at all.
I didn't really have time today, so I only packaged the stock BDF, and ath11k is not liking that one: it will init the device but then error out on not receiving regulatory data/reply from the card.
So, it's gonna take some experimentation.

2 Likes

@kirdes Finally got around to booting again.
Here is the error:

[   11.156676] ath11k_pci 0000:01:00.0: chip_id 0x0 chip_family 0x0 board_id 0xff soc_id 0xffffffff
[   11.156715] ath11k_pci 0000:01:00.0: fw_version 0x2506844c fw_build_timestamp 2021-07-13 10:24 fw_build_id 
[   11.587059] ath11k_pci 0000:01:00.0: No regulatory rules available in the event info
[   11.587093] ath11k_pci 0000:01:00.0: failed to extract regulatory info from received event
[   11.593968] ------------[ cut here ]------------
[   11.601948] WARNING: CPU: 0 PID: 1975 at ath11k_hal_rx_reo_ent_buf_paddr_get+0x3238/0x431c [ath11k]
[   11.606714] Modules linked in: pppoe ppp_async iptable_nat ath11k_pci ath11k_ahb ath11k ath10k_pci ath10k_core ath xt_state xt_nat xt_conntrack xt_REDIRECT xt_MASQUERADE xt_FLOWOFFLOAD pppox ppp_generic nf_nat nf_flow_table nf_conntrack mac80211 ipt_REJECT cfg80211 xt_time xt_tcpudp xt_multiport xt_mark xt_mac xtg
[   11.656785] CPU: 0 PID: 1975 Comm: dropbearkey Tainted: G        W         5.10.72 #0
[   11.679021] Hardware name: Xiaomi AX9000 (DT)
[   11.686915] pstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--)
[   11.691261] pc : ath11k_hal_rx_reo_ent_buf_paddr_get+0x3238/0x431c [ath11k]
[   11.697338] lr : ath11k_hal_rx_reo_ent_buf_paddr_get+0x3238/0x431c [ath11k]
[   11.704019] sp : ffffffc01138bbe0
[   11.710957] x29: ffffffc01138bc10 x28: ffffffc008c37f24 
[   11.714433] x27: ffffff8004cd4740 x26: ffffffc008aecec4 
[   11.719816] x25: 0000000000000000 x24: ffffff8006d80000 
[   11.725111] x23: ffffff8006d81d78 x22: 000000000003a001 
[   11.730406] x21: ffffff800559a880 x20: ffffff8006d80000 
[   11.735700] x19: ffffff8004c75100 x18: 0000000000000165 
[   11.740996] x17: 0000000000000000 x16: 0000000000000000 
[   11.746291] x15: ffffffc011277cc8 x14: 000000000000042f 
[   11.751585] x13: 0000000000000165 x12: ffffffc01138b7d8 
[   11.756881] x11: ffffffc0112cfcc8 x10: 00000000fffff000 
[   11.762175] x9 : ffffffc0112cfcc8 x8 : 0000000000000000 
[   11.767471] x7 : ffffffc011277cc8 x6 : 0000000000000001 
[   11.772766] x5 : 0000000000000000 x4 : 0000000000000000 
[   11.778061] x3 : 0000000000000000 x2 : 0000000000000000 
[   11.783357] x1 : ffffff8005bf5c00 x0 : 000000000000004e 
[   11.788652] Call trace:
[   11.793947]  ath11k_hal_rx_reo_ent_buf_paddr_get+0x3238/0x431c [ath11k]
[   11.796124]  ath11k_htc_rx_completion_handler+0x4c8/0x690 [ath11k]
[   11.802720]  ath11k_ce_per_engine_service+0x304/0x424 [ath11k]
[   11.808966]  ath11k_mhi_resume+0x5a4/0xc94 [ath11k_pci]
[   11.814785]  tasklet_action_common.constprop.0+0x15c/0x194
[   11.819903]  tasklet_action+0x2c/0x3c
[   11.825455]  _stext+0x124/0x290
[   11.829186]  irq_exit+0x70/0xa0
[   11.832140]  __handle_domain_irq+0x84/0xe0
[   11.835266]  gic_handle_irq+0x7c/0xa4
[   11.839431]  el0_irq_naked+0x4c/0x54
[   11.843162] ---[ end trace 033bd3e52faeb04c ]---
[   11.848101] ath11k_pci 0000:01:00.0: failed to receive default regd during init

No idea how the hell a BDF does this.