OpenWrt support for Xiaomi AX9000

The mtd15 can be downloaded here:

@ReDaLeRt sent me the dumps. What we have is as follows:

  • 0:SBL1 is XBLLoader from QcomPkg. It does look like it authenticates U-Boot (given that Xiaomi configured it correctly, which is quite likely, this should be the case). U-Boot is loaded either from 0:APPSBL or from 0:APPSBL_1.
  • 0:APPSBL and 0:APPSBL_1 (contain same binaries) from the disassembly look like pretty much the same U-Boot 2016.01 from QCA QSDK and use a hardcoded bootipq command to load images.

I do not see a way to control this U-Boot from any writable and unsigned source tbh. There is a confusing part with ubootcmd being present in mtd14, but I do not think it is read by U-Boot. I will probably have a deeper look, but so far it feels like a dead end.

Actually board_init code in AX9000 is not different from the original QCA U-Boot and they apparently have:


In this case, if SMEM reports that NAND is in use (which I have doubts, but that is a chance), 0:APPSBLENV will be loaded as U-Boot environment. If true, one should be able to add atf=1 to 0:APPSBLENV, and U-Boot will use normal unsigned kernel loading (do_boot_unsignedimg).

1 Like

That is something that can be done from the stock FW to see if it works as Xiaomi does manipulate U-boot env from there

1 Like

Is there any certain way I should be doing a sysupgrade? Last time I did it. My router wouldn't start back up. Maybe I didn't wait long enough after flashing. I've used other routers with OpenWrt but not sure if something is different on this router. Seems when I flash through LuCI it says flashing and reboots but it doesn't actually update

To add atf=1 to the 0:APPSBLENV, just needs a nvram command from SSH?

Probably nvram from the OEM firmware, fw_setenv ftom OpenWrt.

I think that will work on IPQ50xx only, its guarded in the source

What would you suggest for this SoC?

Hard to tell, as Xiaomi probably modified the bootloader a bit and we dont have sources.
I can only refer to the generic QCA bootloader they all use

I was not able to confirm it is actually guarded despite the comments so far. Would you mind showing the lines which you believe protect this?

You are correct, it could actually work as they then think that its ATF that is gonna validate it

	|| if atf is enable in env ,do_boot_signedimg is skip.
	|| Note: This features currently support in ipq50XX.
	if (ret == 0 && buf == 1 && !getenv("atf")) {
		ret = do_boot_signedimg(cmdtp, flag, argc, argv);
	} else if (ret == 0 || ret == -EOPNOTSUPP) {
		ret = do_boot_unsignedimg(cmdtp, flag, argc, argv);

Yes, atf stands for ARM Trusted Firmware, but it does not seem to be implemented for this SoC.

1 Like

Yes, I know what ATF is, they only have it for IPQ50xx so far as they implement PSCI and stuff that ATF usually provides in QSEE which is QCA-s TrustZone implementation


IT WORKS! :smiley: :smiley: :smiley:

After enabling the SSH on the OEM firmware, the setup followed:

nvram set atf="1"
nvram set flag_last_success=1
nvram set flag_boot_rootfs=1
nvram commit
ubiformat /dev/mtd22 -y	-f /tmp/openwrt-ipq807x-generic-xiaomi_ax9000-squashfs-nand-factory.ubi


Well, that is then the universal way to just avoid secure boot like it did not exist at all.

Perfect for all of the boards currently booting by manual bootcmd avoiding all of that

1 Like

Thanks for all the effort and help given!

The Wiki is now updated for the procedure:

1 Like

I am wondering if the documentation on the is up to date?
With robi's patch to the ath11k driver, both 5G ax bands should now be able to run simultaneously (built-in QCN5054 + PCIe-based QCN9024)
Could anyone confirm, and if so, maybe we should add this to that device's toh section?

Could you also update the wiki with this way of rooting? It feels much simpler.

1 Like

It's up to date because is following the first post on this thread, as the experimental firmware is currently on the @robimarko 's github repo.

I'm open to any given contributions for the wiki. If the info is not correct or updated, please, would you point the info source too?