OpenWrt support for Xiaomi AX9000

Matezon · January 17, 2023, 2:08pm

The script provided above worked, thank you @a7ypically!

Now I hope the exploit still works, because I'm on 3.0.40 FW, the stock was 3.0.33 I think, but that can not be found online.

btw. sorry for off topic.

robimarko · January 17, 2023, 2:18pm

What is the model ID for the international version?

Matezon · January 17, 2023, 2:28pm

It's RA70 on the sticker

robimarko · January 17, 2023, 2:28pm

Well, that is the same for the Chinese one, but on the API endpoint they only publicly list CN FW

Matezon · January 17, 2023, 4:17pm

Its still not good..

Got OpenWRT working but when I try to flash the new partition layout initramfs image it fails to boot:

IPQ807x# tftpboot openwrt-ipq807x-generic-xiaomi_ax9000-initramfs-uImage.itb
ipq807x_eth_halt: done
eth0 PHY0 Down Speed :10 Half duplex
eth0 PHY1 Down Speed :10 Half duplex
eth0 PHY2 Down Speed :10 Half duplex
eth0 PHY3 up Speed :1000 Full duplex
eth0 PHY4 up Speed :1000 Full duplex
eth0 PHY5 Down Speed :10 Half duplex
ipq807x_eth_init: done
Using eth0 device
TFTP from server 192.168.1.100; our IP address is 192.168.1.1
Filename 'openwrt-ipq807x-generic-xiaomi_ax9000-initramfs-uImage.itb'.
Load address: 0x42000000
Loading: *
Got TFTP_OACK: TFTP remote port: changes from 69 to 64374
#################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #############################################
         5 MiB/s
done
Bytes transferred = 12098548 (b89bf4 hex)
ipq807x_eth_halt: done
IPQ807x# bootm
## Loading kernel from FIT Image at 42000000 ...
   Using 'config@hk14' configuration
   Trying 'kernel-1' kernel subimage
     Description:  ARM64 OpenWrt Linux-5.15.87
     Type:         Kernel Image
     Compression:  gzip compressed
     Data Start:   0x420000e8
     Data Size:    12051294 Bytes = 11.5 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x41000000
     Entry Point:  0x41000000
     Hash algo:    crc32
     Hash value:   fe2bd010
     Hash algo:    sha1
     Hash value:   2b2f8646feda2b95d32c6db02fa3eb8151998cac
   Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading fdt from FIT Image at 42000000 ...
   Using 'config@hk14' configuration
   Trying 'fdt-1' fdt subimage
     Description:  ARM64 OpenWrt xiaomi_ax9000 device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x42b7e588
     Data Size:    45349 Bytes = 44.3 KiB
     Architecture: AArch64
     Hash algo:    crc32
     Hash value:   002971e3
     Hash algo:    sha1
     Hash value:   f60a148d35ee1e95275bc3df963c22ac076ca05c
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Booting using the fdt blob at 0x42b7e588
   Uncompressing Kernel Image ... OK
ERROR: new format image overwritten - must RESET the board to recover
resetting ...

Tried flashing the initramfs-factory.ubi but i get the same error, i can only switch back to the other rootfs to get it working again with my older 2 rootfs build..

What am I doing wrong?

robimarko · January 17, 2023, 4:57pm

Is this prebuilt or?

What is the size of image?

Matezon · January 17, 2023, 5:05pm

This is the image: https://feed.robimarko.eu/openwrt-ipq807x-generic-xiaomi_ax9000-initramfs-factory.ubi 12.25 MB and tried the other one with tftpboot https://feed.robimarko.eu/openwrt-ipq807x-generic-xiaomi_ax9000-initramfs-uImage.itb 11,53 MB

The image I built from openwrt master is 36 MB, that one resets without any error message (its too big?)

robimarko · January 17, 2023, 5:10pm

Yeah, you can only boot images to around 16MB in size because of the stupid bootloader, but the default works for me.

I hope they didn't mess with the bootloader completely.

Can you test one thing, your TFTP load address is way too low so I suspect there isn't enough space to unpack the image and boot it.

Can you tftpboot to 0x44000000 instead?

Matezon · January 17, 2023, 5:18pm

It worked!

Should I flash openwrt-ipq807x-generic-xiaomi_ax9000-squashfs-factory.ubi now?

robimarko · January 17, 2023, 5:19pm

If you have initramfs booted then simply sysupgrade using the sysupgrade image, and please can you run fw_printenv before sysupgrade as well as capture the whole log.

Matezon · January 17, 2023, 5:52pm

Okay, it worked!

fw_printenv before:

root@OpenWrt:/# fw_printenv
CountryCode=HU
Router_unconfigured=0
SN=<hidden>
atf=1
boot_wait=on
bootargs=ubi.mtd=rootfs root=mtd:ubi_rootfs rootfstype=squashfs rootwait
bootcmd=tftp
bootdelay=1
color=100
eth1addr=<hidden>
eth2addr=<hidden>
eth3addr=<hidden>
eth4addr=<hidden>
eth5addr=<hidden>
ethact=eth0
ethaddr=<hidden>
fdt_high=0x4A400000
fdtcontroladdr=4a977f90
flag_boot_success=1
flag_boot_type=2
flag_ota_reboot=0
flag_try_sys1_failed=0
flag_try_sys2_failed=0
flash_type=2
fsbootargs=ubi.mtd=rootfs root=mtd:ubi_rootfs rootfstype=squashfs
ipaddr=192.168.31.1
machid=8010012
miot_did=<hidden>
miot_key=<hidden>
mode=Router
model=RA70
mtddevname=fs
mtddevnum=0
mtdids=nand0=nand0
mtdparts=mtdparts=nand0:0x3800000@0x1180000(fs),
no_wifi_dev_times=0
nv_sys_pwd=<hidden>
nv_wan_type=dhcp
nv_wifi_enc=psk2
nv_wifi_enc1=psk2
nv_wifi_ssid=Xiaomi_<hidden>
nv_wifi_ssid1=Xiaomi_<hidden>_5G_Game
partition=nand0,0
restore_defaults=0
serverip=192.168.31.100
soc_hw_version=200d0200
soc_version_major=2
soc_version_minor=0
ssh_en=1
stderr=serial@78B3000
stdin=serial@78B3000
stdout=serial@78B3000
telnet_en=1
uart_en=1
wl0_radio=1
wl0_ssid=xiaomi-router-ra70_miap<hidden>_5G
wl1_radio=1
wl1_ssid=xiaomi-router-ra70_miap<hidden>
wl2_ssid=xiaomi-router-ra70_<hidden>_Game
flag_boot_rootfs=0
flag_last_success=0
root@OpenWrt:/#

Sysupgrade log

Is the int. version this tricky, or I did something wrong?

Thank you for helping!

Thehobit · January 21, 2023, 12:04pm

I'm on AX6, Router A is able to connect to Router B.
I followed the instruction but still getting error code 1643, appreciate additional idea.

robimarko · January 21, 2023, 12:04pm

You can just use the JS exploit scripts instead of that original trick

mattimat · January 22, 2023, 1:32pm

Is there anything on going to enable to flash International version to a singe partition without uart ? I have got the impression that tftboot is the only option at the moment. I'm still waiting my uart adapter.

robimarko · January 22, 2023, 2:06pm

It should work the same as non international, only difference being the atf env variable.
If that doesn't work, then somebody has to catch what is going on

clark · January 22, 2023, 6:46pm

my ax9000..i bricked so many times..flashed fw img with so many versions as long as i can remember..now officially support by openwrt..there's no need to use uart..flash using file initramfs-factory.ubi then sysupgrade should work just fine..here my img overview and internet speed using immortalwrt(needed autocore)

mgibbons51 · January 22, 2023, 7:42pm

I see this router is showing on the official snapshot list now. Does the BDF file still require replacement?
Edit: BDF still needs to be replaced. I just flashed and checked.

mattimat · January 23, 2023, 1:25pm

You have also International version ?

clark · January 23, 2023, 2:08pm

my friend have

RobertP · January 23, 2023, 5:37pm

I must have missed the messages - could you remind us what's the benefit of replacing BDF and where to take them from?