I was able to gain SSH access using the exploit on #251 (global version). Use #179 if you have the Chinese version.
IPQ807x-5.10-backports
Hi @trourance
I can return a favour :)
The situation with branches is a bit complicated ... IPQ807x-5.10-backports is kind of working for most of the things, and kernel 5.10.x is used for this branch with wifi drivers only backported from kernel 5.15.
But with the things that didn't work, robimarko hit a kind of dead-end and started his work afresh with a newer kernel 5.15.
So while branch IPQ807x-5.10-backports is ahead at the moment (so today's recommendation from Gingernut is correct for today), I think the situation will change in favour of ipq807x-5.15 soon ...
Is the main 5GHz radio working yet? Only thing stopping me from using OpenWrt. I miss it lol
Nope, ath11k is a pain that just keeps on giving.
It's got a stupid bug in which the PCI card works if you don't load the AHB module
Do you think kernel 5.15.x has this bug fixed?
It's an ath11k bug
Hmmm, that's not promising when it comes to supporting AX9000
Is kvalo aware?
I am sure that QCA is aware, and they will fix it as soon as some of their users require it.
Otherwise, good luck
I finally used that exploit to free my early Chinese model. Only thing I needed was a translator for their Chinese-only UI. Otherwise, it worked without requiring anything else. Not even an Internet connection was required.
Dang, that doesn't sound good. Hopefully it's fixed sometime. The router isn't very good without the main 5GHz radio. Please let us know when it's working/fixed
Hi!
I tested the 5.15 branch on a ax9000 and have several problems.
- Network does not respond, somehow I get a loop!?
- SOC wireless does not initialize as before with 5.10-restart.
Here are some logs:
tcpdump on eth0 shows an incoming packet multiple times.
01:38:56.274796 9c:9d:7e:b5:ba:94 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.15 tell 10.0.0.240, length 28
01:38:56.274804 9c:9d:7e:b5:ba:94 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.15 tell 10.0.0.240, length 28
01:38:56.274809 9c:9d:7e:b5:ba:94 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.15 tell 10.0.0.240, length 28
01:38:56.274812 9c:9d:7e:b5:ba:94 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.15 tell 10.0.0.240, length 28
01:38:56.274816 9c:9d:7e:b5:ba:94 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.15 tell 10.0.0.240, length 28
01:38:56.274820 9c:9d:7e:b5:ba:94 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.15 tell 10.0.0.240, length 28
01:38:56.274824 9c:9d:7e:b5:ba:94 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.15 tell 10.0.0.240, length 28
01:38:56.274828 9c:9d:7e:b5:ba:94 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.15 tell 10.0.0.240, length 28
01:38:56.274832 9c:9d:7e:b5:ba:94 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.15 tell 10.0.0.240, length 28
After some time:
[ 181.995776] WARN: src_info_type:0x0. Drop skb:ffffff8004e25700
[ 182.001659] WARN: src_info_type:0xc0. Drop skb:ffffff800742d200
[ 182.007577] WARN: src_info_type:0x30. Drop skb:ffffff8006255400
[ 182.013717] WARN: src_info_type:0x0. Drop skb:ffffff8011c46f00
[ 182.019302] WARN: src_info_type:0x0. Drop skb:ffffff8009a04500
[ 182.025230] WARN: src_info_type:0x80. Drop skb:ffffff8006256f00
[ 182.030999] WARN: src_info_type:0x0. Drop skb:ffffff8006256100
[ 182.036822] WARN: src_info_type:0x0. Drop skb:ffffff801176d300
[ 182.042731] WARN: src_info_type:0x80. Drop skb:ffffff800504f400
[ 182.048599] WARN: src_info_type:0x30. Drop skb:ffffff8012ffcc00
[ 182.054542] WARN: src_info_type:0x0. Drop skb:ffffff8009cd7d00
[ 182.060623] WARN: src_info_type:0xe0. Drop skb:ffffff8012c83000
[ 182.066199] WARN: src_info_type:0x0. Drop skb:ffffff8006255400
[ 182.071982] WARN: src_info_type:0x80. Drop skb:ffffff800742d200
[ 182.077881] WARN: src_info_type:0x0. Drop skb:ffffff8004e25700
[ 182.083690] WARN: src_info_type:0x0. Drop skb:ffffff8009a1e800
[ 182.089630] WARN: src_info_type:0x0. Drop skb:ffffff8009ce3f00
[ 182.095428] WARN: src_info_type:0x80. Drop skb:ffffff8005117700
[ 182.101248] WARN: src_info_type:0xc0. Drop skb:ffffff8005112a00
I could not get ping working. I checked link speeds 1GB and 2.5G.
SOC 5g wifi does not initialize:
[ 11.800334] ath10k 5.15 driver, optimized for CT firmware, probing pci device: 0x50.
[ 11.800742] ath10k_pci 0001:01:00.0: enabling device (0000 -> 0002)
[ 11.807637] ath10k_pci 0001:01:00.0: pci irq msi oper_irq_mode 2 irq_mode 0 reset_mode 0
[ 12.279763] ath10k_pci 0001:01:00.0: qca9887 hw1.0 target 0x4100016d chip_id 0x004000ff sub 0000:0000
[ 12.279812] ath10k_pci 0001:01:00.0: kconfig debug 0 debugfs 1 tracing 0 dfs 1 testmode 0
[ 12.288081] ath10k_pci 0001:01:00.0: firmware ver 10.1-ct-87-__fH-022-ecad3248 api 2 features wmi-10.x,mfp,txstatus-noack,wmi-10.x-CT,ratemask-CT,txrate-CT,get-temp-CT,tx-rc-CT,cust-stats-CT,retry-gt2-CT,txrate2-CT,beacon-cb-CT,wmi-block-ack-CT crc32 c0004f11
[ 12.322187] ath10k_pci 0001:01:00.0: board_file api 2 bmi_id N/A crc32 dfee0d28
[ 13.187658] ath10k_pci 0001:01:00.0: 10.1 wmi init: vdevs: 16 peers: 127 tid: 256
[ 13.194642] ath10k_pci 0001:01:00.0: wmi print 'P 128 V 8 T 410'
[ 13.194684] ath10k_pci 0001:01:00.0: wmi print 'msdu-desc: 1424 sw-crypt: 0 ct-sta: 0'
[ 13.200413] ath10k_pci 0001:01:00.0: wmi print 'alloc rem: 25576 iram: 25068'
[ 13.248264] ath10k_pci 0001:01:00.0: htt-ver 2.2 wmi-op 2 htt-op 2 cal file max-sta 128 raw 0 hwcrypto 1
[ 13.248678] ath10k_pci 0001:01:00.0: NOTE: Firmware DBGLOG output disabled in debug_mask: 0x10000000
[ 13.387614] ath: EEPROM regdomain sanitized
[ 13.387626] ath: EEPROM regdomain: 0x64
[ 13.387632] ath: EEPROM indicates we should expect a direct regpair map
[ 13.387638] ath: Country alpha2 being used: 00
[ 13.387642] ath: Regpair used: 0x64
[ 13.396462] ath11k c000000.wifi: ipq8074 hw2.0
[ 13.396700] remoteproc remoteproc0: powering up cd00000.q6v5_wcss
[ 13.399939] remoteproc remoteproc0: Booting fw image IPQ8074/q6_fw.mdt, size 668
[ 14.676791] remoteproc remoteproc0: remote processor cd00000.q6v5_wcss is now up
[ 14.678268] ath11k c000000.wifi: qmi ignore invalid mem req type 3
[ 14.683800] ath11k c000000.wifi: chip_id 0x0 chip_family 0x0 board_id 0x294 soc_id 0xffffffff
[ 14.689282] ath11k c000000.wifi: fw_version 0x250584a5 fw_build_timestamp 2021-10-11 21:05 fw_build_id QC_IMAGE_VERSION_STRING=WLAN.HK.2.5.0.1-01201-QCAHKSWPL_SILICONZ-1
[ 14.689689] kmodloader: done loading kernel modules from /etc/modules.d/*
[ 17.335767] nss-dp 3a001800.dp5 eth0: nss_dp_edma: Registering netdev eth0(qcom-id:5) with EDMA
hostapd gives me this error in dmesg later:
[ 20.257327] ------------[ cut here ]------------
[ 20.257364] WARNING: CPU: 0 PID: 1601 at ath11k_reg_update_chan_list+0x24c/0x294 [ath11k]
[ 20.261019] Modules linked in: iptable_nat ath11k_ahb ath11k ath10k_pci ath10k_core ath xt_state xt_nat xt_conntrack xt_REDIRECT xt_MASQUERADE xt_CT nf_nat nf_conntrack mac80211 iptable_mangle iptable_filter ipt_REJECT ip_tables cfg80211 xt_time xt_tcpudp xt_multiport xt_mark xg
[ 20.308137] CPU: 0 PID: 1601 Comm: hostapd Not tainted 5.15.10 #0
[ 20.330371] Hardware name: Xiaomi AX9000 (DT)
[ 20.336358] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 20.340703] pc : ath11k_reg_update_chan_list+0x24c/0x294 [ath11k]
[ 20.347473] lr : ath11k_wmi_scan_prob_req_oui+0x28e0/0x3570 [ath11k]
[ 20.353724] sp : ffffffc0151bb9c0
[ 20.360140] x29: ffffffc0151bb9c0 x28: ffffff8003fd9800 x27: 0000000000000000
[ 20.363360] x26: 0000000000001003 x25: 0000000000000000 x24: ffffff80066827e0
[ 20.370477] x23: ffffff80066844a0 x22: ffffff8006680c60 x21: ffffff8006680c38
[ 20.377596] x20: 0000000000000000 x19: ffffff80066827e0 x18: 0000000000000014
[ 20.384714] x17: 0000000000000004 x16: ffffff80066834c0 x15: 000000000000000d
[ 20.391831] x14: ffffff8004e6859c x13: 0000000000000067 x12: ffffff8004e685e8
[ 20.398950] x11: 0000000000000018 x10: 0000000000000066 x9 : 0000000000000007
[ 20.406068] x8 : 0000000000000004 x7 : ffffff80066834e0 x6 : 00000000ffffffff
[ 20.413186] x5 : 000000000000000c x4 : 0000000000000040 x3 : ffffff8006680c60
[ 20.420304] x2 : ffffff80043b4ecc x1 : 0000000000000031 x0 : 0000000000000000
[ 20.427422] Call trace:
[ 20.434531] ath11k_reg_update_chan_list+0x24c/0x294 [ath11k]
[ 20.436795] ath11k_wmi_scan_prob_req_oui+0x28e0/0x3570 [ath11k]
[ 20.442697] drv_start+0x34/0x60 [mac80211]
[ 20.448770] ieee80211_do_open+0x258/0x854 [mac80211]
[ 20.452679] ieee80211_do_open+0x810/0x854 [mac80211]
[ 20.457887] __dev_open+0xf4/0x17c
[ 20.462918] __dev_change_flags+0x13c/0x190
[ 20.466217] dev_change_flags+0x24/0x64
[ 20.470296] devinet_ioctl+0x638/0x6d0
[ 20.474116] inet_ioctl+0x24c/0x260
[ 20.477936] sock_ioctl+0x230/0x4bc
[ 20.481320] __arm64_sys_ioctl+0x5c8/0x1180
[ 20.484795] invoke_syscall.constprop.0+0x5c/0x104
[ 20.488962] do_el0_svc+0x6c/0x15c
[ 20.493820] el0_svc+0x18/0x54
[ 20.497206] el0t_64_sync_handler+0xb0/0xb4
[ 20.500246] el0t_64_sync+0x184/0x188
[ 20.504326] ---[ end trace 229a32490f43ec74 ]---
It may be that the SoC wifi caldata has been borked by the JavaScript root method.
Does somebody have caldata for a test?
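The tcpdump symptom reported in the post above (one ARP request captured many times within microseconds) can be quantified from saved `tcpdump -e` text. This is an added example, not part of the original thread; the sample lines, MAC and IP addresses, window and threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -e` text format, modelled on the capture in the
# post; the MAC and IP addresses are made-up documentation values.
SAMPLE = """\
01:38:56.274796 02:00:00:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.15 tell 192.0.2.240, length 28
01:38:56.274804 02:00:00:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.15 tell 192.0.2.240, length 28
01:38:56.274809 02:00:00:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.15 tell 192.0.2.240, length 28
01:38:56.274812 02:00:00:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.15 tell 192.0.2.240, length 28
01:38:56.274816 02:00:00:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.15 tell 192.0.2.240, length 28
01:38:56.900000 02:00:00:00:00:02 > 02:00:00:00:00:01, ethertype ARP (0x0806), length 42: Reply 192.0.2.15 is-at 02:00:00:00:00:02, length 28
01:38:57.300000 02:00:00:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.15 tell 192.0.2.240, length 28
"""

LINE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\.(\d{6}) (.+)$")

def parse(line):
    """Split one line into (timestamp in microseconds, frame summary)."""
    m = LINE.match(line.strip())
    if not m:
        return None
    h, mi, s, us = (int(x) for x in m.groups()[:4])
    return ((h * 60 + mi) * 60 + s) * 1_000_000 + us, m.group(5)

def duplicate_bursts(text, window_us=1000, min_copies=3):
    """Return (frame, copies, span_us) for every run of identical frames in
    which each copy follows the previous one within window_us."""
    seen = defaultdict(list)
    for line in text.splitlines():
        parsed = parse(line)
        if parsed:
            seen[parsed[1]].append(parsed[0])
    bursts = []
    for frame, stamps in seen.items():
        stamps.sort()
        run = [stamps[0]]
        for ts in stamps[1:] + [None]:   # None flushes the final run
            if ts is not None and ts - run[-1] <= window_us:
                run.append(ts)
                continue
            if len(run) >= min_copies:
                bursts.append((frame, len(run), run[-1] - run[0]))
            run = [ts]
    return bursts

if __name__ == "__main__":
    for frame, copies, span in duplicate_bursts(SAMPLE):
        print(f"{copies} copies within {span} us: {frame}")
```

The ordinary ARP retry one second later is not counted, so only the microsecond-spaced copies are reported.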
The 5.15 branch is pretty much WIP. There is a problem with firewall3, and on the AX9000 ath11k has a problem if ath11k_ahb and ath11k_pci are loaded at the same time.
That's why wifi isn't working.
If you just want to use the ax9000, it's better to use the backports-5.10 branch.
Hi!
I tried that 5.10-restart hours before but I get a similar error with wireless there. That's why I wanted to give 5.15 a try. I think my caldata is broken somehow. Could you give me yours for a try?
I doubt it's the caldata, this warning should only happen when doing regulatory things.
But it seems I'm the only one with this problem. And I can remember that the JavaScript unlock method wanted a country code and changed things on the flash, including radio. Perhaps something went wrong.
Am I correct that the caldata is the only "radio" information stored on the flash?
Thanks!
I kind of doubt it as even if you changed the regulatory domain in the caldata that is ignored completely.
The rest of regulatory is inside of the FW and BDF.
Can you try just changing the regulatory domain with iw reg set ALPHA2?
Obviously replace ALPHA2 with your country's 2-letter code.
iw reg set DE makes no problems. BTW, a wifi config gives this result:
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/10000000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/c000000.wifi'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/c000000.wifi+1'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option disabled '1'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
So by default it is somehow wrongly configured.
Even if I begin with no wifi config, then iw reg set DE, configure default wifi, it starts and then gives me that again:
[ 217.199927] WARNING: CPU: 3 PID: 1599 at ath11k_reg_update_chan_list+0x24c/0x294 [ath11k]
[ 217.203584] Modules linked in: iptable_nat ath11k_ahb ath11k ath10k_pci ath10k_core ath xt_state xt_nat xt_conntrack xt_REDIRECT xt_MASQUERADE xt_CT nf_nat nf_conntrack mac80211 iptable_mangle iptable_filter ipt_REJECT ip_tables cfg80211 xt_time xt_tcpudp xt_multiport xt_mark xg
[ 217.250701] CPU: 3 PID: 1599 Comm: hostapd Tainted: G W 5.15.10 #0
[ 217.272937] Hardware name: Xiaomi AX9000 (DT)
[ 217.280311] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 217.284655] pc : ath11k_reg_update_chan_list+0x24c/0x294 [ath11k]
[ 217.291425] lr : ath11k_wmi_scan_prob_req_oui+0x28e0/0x3570 [ath11k]
[ 217.297676] sp : ffffffc01549b9c0
[ 217.304093] x29: ffffffc01549b9c0 x28: ffffff801305d600 x27: 0000000000000000
[ 217.307311] x26: 0000000000001003 x25: 0000000000000000 x24: ffffff80065aa7e0
[ 217.314429] x23: ffffff80065ac4a0 x22: ffffff80065a8c60 x21: ffffff80065a8c38
[ 217.321548] x20: 0000000000000000 x19: ffffff80065aa7e0 x18: 0000000000000014
[ 217.328666] x17: 0000000000000004 x16: ffffff80065ab4c0 x15: 000000000000000d
[ 217.335784] x14: ffffff800512859c x13: 0000000000000067 x12: ffffff80051285e8
[ 217.342901] x11: 0000000000000018 x10: 0000000000000066 x9 : 0000000000000007
[ 217.350019] x8 : 0000000000000004 x7 : ffffff80065ab4e0 x6 : 00000000ffffffff
[ 217.357137] x5 : 000000000000000c x4 : 0000000000000040 x3 : ffffff80065a8c60
[ 217.364256] x2 : ffffff8004b5aecc x1 : 0000000000000031 x0 : 0000000000000000
[ 217.371374] Call trace:
[ 217.378484] ath11k_reg_update_chan_list+0x24c/0x294 [ath11k]
Mon Jan 3 01:56:37 2022 daemon.notice netifd: bridge 'br-lan' link is up
Mon Jan 3 01:56:37 2022 daemon.notice netifd: Interface 'lan' has link connectivity
Mon Jan 3 01:56:37 2022 daemon.notice hostapd: Frequency 5180 (primary) not allowed for AP mode, flags: 0x10851
Mon Jan 3 01:56:37 2022 daemon.err hostapd: Primary frequency not allowed
Mon Jan 3 01:56:37 2022 daemon.warn hostapd: wlan1: IEEE 802.11 Configured channel (36) or frequency (5180) (secondary_channel=0) not found from the channel list of the current mode (2) IEEE 802.11a
Mon Jan 3 01:56:37 2022 daemon.warn hostapd: wlan1: IEEE 802.11 Hardware does not support configured channel
Mon Jan 3 01:56:37 2022 daemon.err hostapd: Could not select hw_mode and channel. (-3)
Mon Jan 3 01:56:37 2022 daemon.notice hostapd: wlan1: interface state UNINITIALIZED->DISABLED
What else could I try?
Perhaps try another BDF?
This makes no sense, the default config is sane