@robimarko would you mind sharing your OpenWrt .config + the kernel .config? thx
Sure, here is my .config:
Kernel config is the default one from the target
Any progress on this?
Not really, I was traveling for the last couple of days, and before that I couldn't figure out why SSDK isn't registering the clocks correctly and calling enable on them, as it's the SSDK that sets up clock parenting so they get enabled together.
Is there any hope for fixing the issues and restoring support for ax9000 soon with kernel 5.15 ?
Even in a partial form - i.e. without PCIe QCN?
It's hard to tell really, I have spent numerous hours on it and I don't really have a clue.
It's something to do with SSDK from what I can tell, it's not setting up clocks properly.
My free time is quite limited and there is nobody who would like this thing to just finally work more than me, but I cannot really tell you when.
Yes, you did spend a lot of time...
I wish I could help more, but I don't have enough knowledge to even check if clocks are set up correctly not to mention tweaking Qualcomm's SSDK
Maybe there is someone here who could give you a hand with that who has enough knowledge and a bit of free time?
It would be awesome if there was another person willing to do some development
Hi Everyone
So I got the ax9000 and ran create_exploit_hdr2.js, which worked; however, after doing the factory reset, at the init.html webpage after setting up the country and submitting, I now get a 500 HTTP code when trying to set the location:
http://192.168.31.1/cgi-bin/luci/;stok=4f71985d0f0dda22ade42241ea9c62fe/api/misystem/set_location
Has anyone got this error?
also, telnet is now enabled but the root password given by calc_passwd.js is wrong or doesn't work ...
any help appreciated thank you
Yes, I had the same issue, see #429.
The key point is that the password works with ssh and I was able to login through telnet without any password at all.
thank you for the reply
regarding telnet - do you mean you just entered root with an empty password ?
noticed you mentioned a link to init URL / reinitialise everything - do you have it at hand ?
thx again
I mean I just entered: telnet 192.168.31.1
and that's all.
The working URL I found to initialize the router was: http://192.168.31.1/cgi-bin/luci/;stok={STOCK}/web/init/guide
well the /web/init/guide worked thank you so ... not the telnet though but at least I am not stuck anymore thank you again
My bad, telnet password is disabled because ssh is enabled. Based on the original post, you should try to factory reset again if the password doesn't work. For me it worked on the first try.
yes I think I need to rerun the steps as now I have ssh enabled (following the steps on the openwrt ax9000 wifi) but still the S/N based password is not working.
Any progress in flashing the router directly to OpenWrt without going through these steps? I think going forward (from my experience so far after two days) it is of most importance to prioritise migrating seamlessly to OpenWrt instead of these steps... as my experience with wrt3200acm tells me
before this though I want to try the Xiaomi firmware as it seems much more solid than comments back when this thread started..
Xiaomi has long fixed all the simple vulnerabilities.
But user namidairo found a new (simple in his words) vulnerability. We are all waiting for it to be published in topic Adding OpenWrt support for Xiaomi "Redmi Router AX6S"/"Xiaomi Router AX3200" - #24 by namidairo
There is also an automatic version of obtaining SSH access through a vulnerability in mkxqimage
(Xiaomi is already starting to fix this vulnerability).
Here are scripts that can be adapted to any Xiaomi device: https://github.com/openwrt-xiaomi/xmir-patcher
Yes, I know that one... the point is that we probably need to get Xiaomi onboard with what we are trying to do here, and that is (presumptuous of me) not to hack their product but instead have an open-source version of their kit, with an immediate value of being able to merchandise their product as a truly open-source product worldwide? Is this a good pitch?
Truly good hardware with tremendous value at half the cost... just need sponsorship from Xiaomi to make it truly open source... and this has been the con of my experience with Marvell + Linksys, which was made much better with the strength of this community
Yes. There is a possibility.
Since all Xiaomi routers have a bug in the mkxqimage module (except for RB01 and RB03), we can make a custom HDR1 image that will contain the kernel and rootfs from OpenWrt.
I plan to make such images for R3G and R3D.
just a last update on my progress to obtain ssh access
I changed /usr/lib/lua/luci/controller/admin/xqsystem.lua to include at the end of the command "result["token"]" the following ";passwd -d root" this way I don't need to run the calc passwd which is not working for me anyway
so I am thank you so much for everyone's reply