OpenWrt support for Xiaomi AX9000

For Developers
1119

Unfortunately, this does not work, please see below:

IPQ807x# printenv
CountryCode=HU
Router_unconfigured=0
SN=34289/F1S604517
atf=1
boot_wait=on
bootargs=ubi.mtd=rootfs_1 root=mtd:ubi_rootfs rootfstype=squashfs rootwait
bootcmd=tftp
bootdelay=5
color=100
eth1addr=64:64:4a:a0:5a:3c
eth2addr=64:64:4a:a0:5a:3c
eth3addr=64:64:4a:a0:5a:3c
eth4addr=64:64:4a:59:53:7c
eth5addr=64:64:4a:59:53:7c
ethact=eth0
ethaddr=64:64:4a:a0:5a:3c
fdt_high=0x4A400000
fdtcontroladdr=4a977f90
flag_boot_rootfs=1
flag_boot_success=1
flag_boot_type=2
flag_last_success=1
flag_ota_reboot=0
flag_try_sys1_failed=0
flag_try_sys2_failed=0
flash_type=2
fsbootargs=ubi.mtd=rootfs_1 root=mtd:ubi_rootfs rootfstype=squashfs
ipaddr=192.168.31.1
load_addr=44000000
machid=8010012
miot_did=444662168
miot_key=HdqqJZrwI8RxXHSQ
mode=Router
model=RA70
mtddevname=fs
mtddevnum=0
mtdids=nand0=nand0
mtdparts=mtdparts=nand0:0x3800000@0x4980000(fs),
no_wifi_dev_times=0
nv_sys_pwd=a671b7ae34ff1ad9bc001f572e0648ef47fe6e0a
nv_wan_type=dhcp
nv_wifi_enc=psk2
nv_wifi_enc1=psk2
nv_wifi_pwd=12345678
nv_wifi_pwd1=12345678
nv_wifi_ssid=Xiaomi_537C
nv_wifi_ssid1=Xiaomi_537C_5G_Game
partition=nand0,0
restore_defaults=0
serverip=192.168.31.100
soc_hw_version=200d0200
soc_version_major=2
soc_version_minor=0
ssh_en=1
stderr=serial@78B3000
stdin=serial@78B3000
stdout=serial@78B3000
telnet_en=1
uart_en=1
wl0_radio=1
wl0_ssid=xiaomi-router-ra70_miap537c_5G
wl1_radio=1
wl1_ssid=xiaomi-router-ra70_miap537c
wl2_ssid=xiaomi-router-ra70_537c_Game

Environment size: 1554/65532 bytes
IPQ807x# reset
resetting ...

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.3.1-00163
S - IMAGE_VARIANT_STRING=HAACANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x000002e5
B -       201 - PBL, Start
B -      2734 - bootable_media_detect_entry, Start
B -      3439 - bootable_media_detect_success, Start
B -      3444 - elf_loader_entry, Start
B -      6105 - auth_hash_seg_entry, Start
B -     43638 - auth_hash_seg_exit, Start
B -    105464 - elf_segs_hash_verify_entry, Start
B -    168320 - PBL, End
B -    266631 - SBL1, Start
B -    343613 - GCC [RstStat:0x10, RstDbg:0x600000] WDog Stat : 0x4
B -    353220 - pm_device_init, Start
B -    530578 - PM_SET_VAL:Skip
D -    175527 - pm_device_init, Delta
B -    532987 - pm_driver_init, Start
D -      5337 - pm_driver_init, Delta
B -    539301 - clock_init, Start
D -      2104 - clock_init, Delta
B -    543327 - boot_flash_init, Start
D -     12505 - boot_flash_init, Delta
B -    559614 - boot_config_data_table_init, Start
D -      3080 - boot_config_data_table_init, Delta - (575 Bytes)
B -    567086 - Boot Setting :  0x00000600
B -    571021 - CDT version:2,Platform ID:8,Major ID:1,Minor ID:0,Subtype:18
B -    578036 - sbl1_ddr_set_params, Start
B -    581757 - CPR configuration: 0x300
B -    585234 - cpr_init, Start
B -    588101 - Rail:0 Mode: 5 Voltage: 816000
B -    593194 - CL CPR settled at 768000mV
B -    596092 - Rail:1 Mode: 5 Voltage: 880000
B -    600270 - Rail:1 Mode: 7 Voltage: 912000
D -     16500 - cpr_init, Delta
B -    607163 - Pre_DDR_clock_init, Start
B -    611159 - Pre_DDR_clock_init, End
B -    614544 - DDR Type : PCDDR3
B -    620187 - do ddr sanity test, Start
D -      1067 - do ddr sanity test, Delta
B -    625036 - DDR: Start of HAL DDR Boot Training
B -    629672 - DDR: End of HAL DDR Boot Training
B -    635467 - DDR: Checksum to be stored on flash is -314266808
B -    645776 - Image Load, Start
D -    507063 - QSEE Image Loaded, Delta - (1381328 Bytes)
B -   1152930 - Image Load, Start
D -        61 - SEC Image Loaded, Delta - (0 Bytes)
B -   1160616 - Image Load, Start
D -    293776 - DEVCFG Image Loaded, Delta - (32548 Bytes)
B -   1454453 - Image Load, Start
D -    305031 - RPM Image Loaded, Delta - (93060 Bytes)
B -   1759545 - Image Load, Start
D -    376949 - APPSBL Image Loaded, Delta - (583214 Bytes)
B -   2136616 - QSEE Execution, Start
D -        61 - QSEE Execution, Delta
B -   2142411 - USB D+ check, Start
D -         0 - USB D+ check, Delta
B -   2148816 - SBL1, End
D -   1884473 - SBL1, Delta
S - Flash Throughput, 6726 KB/s  (2091397 Bytes,  310940 us)
S - DDR Frequency, 466 MHz
S - Core 0 Frequency, 1651 MHz


U-Boot 2016.01 (May 08 2021 - 02:53:50 +0000), Build: jenkins-common_router_openwrt_ota_publish-1177

DRAM:  smem ram ptable found: ver: 1 len: 4
1 GiB
NAND:  Could not find nand_gpio in dts, using defaults
ONFI device found
ID = 1590aaef
Vendor = ef
Device = aa
SF: Unsupported flash IDs: manuf ff, jedec ffff, ext_jedec ffff
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
256 MiB
MMC:   sdhci: Node Not found, skipping initialization

PCI Link Intialized
PCI Link Intialized
In:    serial@78B3000
Out:   serial@78B3000
Err:   serial@78B3000
machid: 8010012
MMC Device 0 not found
bootwait is on, bootdelay=5
Hit any key to stop autoboot:  0
 trigger button release!
secure boot fuse is enabled
boot from rootfs 1
  miwifi: check crash in rmem !
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=0", size 56 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 448, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 1, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 4/2, WL threshold: 4096, image sequence number: 1048937200
ubi0: available PEBs: 313, total reserved PEBs: 135, PEBs reserved for bad PEB handling: 40
Read 0 bytes from volume kernel to 42000000
No size specified -> Using max size (11554816)
## Loading kernel from FIT Image at 42000000 ...
   Using 'config@hk14' configuration
   Trying 'kernel-1' kernel subimage
     Description:  ARM64 OpenWrt Linux-5.15.90
     Type:         Kernel Image
     Compression:  gzip compressed
     Data Start:   0x420000e8
     Data Size:    11495888 Bytes = 11 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x41000000
     Entry Point:  0x41000000
     Hash algo:    crc32
     Hash value:   870e77c0
     Hash algo:    sha1
     Hash value:   4103154b8920222bfbb2623e7ad4fedf556d0061
   Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading fdt from FIT Image at 42000000 ...
   Using 'config@hk14' configuration
   Trying 'fdt-1' fdt subimage
     Description:  ARM64 OpenWrt xiaomi_ax9000 device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x42af6bf8
     Data Size:    45349 Bytes = 44.3 KiB
     Architecture: AArch64
     Hash algo:    crc32
     Hash value:   002971e3
     Hash algo:    sha1
     Hash value:   f60a148d35ee1e95275bc3df963c22ac076ca05c
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Booting using the fdt blob at 0x42af6bf8
   Uncompressing Kernel Image ... OK
ERROR: new format image overwritten - must RESET the board to recover
resetting ...

Interestingly, the load_addr=44000000 was there from the beginning.

1120

Thanx. I built my own image with the change suggested. I tftpbooted the itb file and sysupgraded. It worked.

Now I can use the standard images for sysupgrade.

1121

Ok, so we could probably add the international model as a separate with only difference being the load address

1122

Which address did you put instead of 0x41000000 ?

Thanks.

1123

Confirming here, TFTPBOOT method works, I am on latest snapshot also with ax9000 international. With this, you dont even need to build your own image.

What I did, based on @Matezon's description:

Setup TinyPXE server at 192.168.1.100 (desktop), serving the openwrt-ipq807x-generic-xiaomi_ax9000-initramfs-uImage.itb (latest from Robi's repo)

UART connected, boot into u-boot

setenv ipaddr 192.168.1.1
setenv serverip 192.168.1.100
tftpboot 0x44000000 openwrt-ipq807x-generic-xiaomi_ax9000-initramfs-uImage.itb
bootm

Once Openwrt booted, SCP the sysupgrade package

sysupgrade -n /tmp/openwrt-ipq807x-generic-xiaomi_ax9000-squashfs-sysupgrade.bin

Now we should have openwrt booted with sysupgrade compat v 1.1

uci set system.@system[0].compat_version="1.0"
uci commit system

Sysupgrade to openwrt snapshot via LUCI

SSH or telnet again to install LUCI

opkg update
opkg install luci

This can be a good workaround untill the "international" version of packages are not built :slight_smile:

4 Likes
1124

I used 0x44000000, that was how I understood Robi's instructions :wink:

1125

Thanks, I wonder why the load address is set in the code to 0x41000000 for the CN version if its load address is 0x42000000?

And just to make sure we only need the address change for the first itb flash and then we can use the regular snapshots ?

1126

You are mixing the bootloaders load adress with the kernel load address, they are not the same.
Bootloaders load address is a place where it will load any image, while kernel load address is the address that bootloader will start the kernel from.

1127

I've recently got my hands on a CN AX9000, and have the same issues with flashing recent (post rootfs merge) releases: router unresponisve, status LED stuck on orange, WAN LED lights up permanently after a while. The 2023-01-03-1333 release works fine.

Tried to build openwrt with KERNEL_LOADADDR = 0x44000000, but that just boot loops.

Anything else I could try before getting in with UART?

The openwrt build process was strange too: it failed multiple times on qca-ssdk with errors like this:

make[5]: *** No rule to make target '/home/bulkin/src/remote/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/qca-ssdk-2022-09-12-628b22bc/build/linux/KSLIB/api_access.d', needed by 'api_access.o'.  Stop.

as if the *.d files got generated after make tried compiling object files. This happened even with -j1.

1 Like
1128

same i also have CN AX9000 and i flashed the latest openwrt release by robimarko and its stuck on orange led.
and also did build openwrt with KERNEL_LOADADDR = 0x44000000 and it just bootloops.

1129

Thaks Robi, I understand that but still not sure what is the correct kernel load address for international. For CN the bootloader is 0x42000000 and you set the kernel load address to 0x41000000.
You said that the international bootloader is at 0x44000000 so shouldn't we set the kernel to load at 0x43000000?

And can you please confirm that this change only applies to flashing the initial itb file (which updates uboot?) and the first sysupgrade can use the same image as the CN version?
Thanks!

1 Like
1130

Turns out it was a stupid mistake on my part: I was flashing the *squashfs* variant instead of *initramfs* for the initial rootfs merge. Also, you should get the release from https://downloads.openwrt.org/snapshots/targets/ipq807x/generic/, the feed with kmods for the releases on github is down.

1131

Anyone able to help/advise?
My SOC wifi is stuck in a disabled state and I have no idea what to change in configs to bring it back to life :slight_smile:
Kernel's log:

[110355.614375] ------------[ cut here ]------------
[110355.614420] WARNING: CPU: 0 PID: 2047 at ath11k_reg_update_chan_list+0x26c/0x2a0 [ath11k]
[110355.618076] Modules linked in: pppoe ppp_async nft_fib_inet nf_flow_table_ipv6 nf_flow_table_ipv4 nf_flow_table_inet ath11k_pci ath11k_ahb ath11k ath10k_pci ath10k_core ath pppox ppp_generic nft_reject_ipv6 nft_reject_ipv4 nft_reject_inet nft_reject nft_redir nft_quota nft_objref nft_numgen nft_nat nft_masq nft_log nft_limit nft_hash nft_flow_offload nft_fib_ipv6 nft_fib_ipv4 nft_fib nft_ct nft_counter nft_chain_nat nf_tables nf_nat nf_flow_table nf_conntrack mac80211 cfg80211 slhc qrtr_smd qrtr_mhi qrtr qmi_helpers ns nfnetlink nf_reject_ipv6 nf_reject_ipv4 nf_log_syslog nf_defrag_ipv6 nf_defrag_ipv4 mhi libcrc32c hwmon crc_ccitt compat seqiv jitterentropy_rng drbg michael_mic hmac cmac leds_gpio xhci_plat_hcd xhci_pci xhci_hcd dwc3 dwc3_qcom qca_nss_dp qca_ssdk gpio_button_hotplug crc32c_generic
[110355.674741] CPU: 0 PID: 2047 Comm: hostapd Tainted: G        W         5.15.90 #0
[110355.696978] Hardware name: Xiaomi AX9000 (DT)
[110355.704439] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[110355.708870] pc : ath11k_reg_update_chan_list+0x26c/0x2a0 [ath11k]
[110355.716072] lr : ath11k_wmi_sta_keepalive+0x3094/0x4210 [ath11k]
[110355.722062] sp : ffffffc00fd539c0
[110355.728219] x29: ffffffc00fd539c0 x28: ffffff801b66dc00 x27: ffffff800647d020
[110355.731526] x26: 0000000000001003 x25: 0000000000000000 x24: 0000000000000001
[110355.738732] x23: ffffff800647a020 x22: ffffff8006478508 x21: ffffff80064784d8
[110355.745935] x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000004
[110355.753141] x17: ffffff8004e8874c x16: ffffff8004e8874c x15: 0000000000000067
[110355.760346] x14: 000000000000000d x13: ffffff800647b138 x12: ffffff8004e88798
[110355.767550] x11: 0000000000000018 x10: 0000000000000066 x9 : 0000000000000007
[110355.774754] x8 : 0000000000000004 x7 : ffffff800647b158 x6 : 00000000ffffffff
[110355.781960] x5 : 000000000000000c x4 : 0000000000000040 x3 : ffffff8006478508
[110355.789164] x2 : ffffff8004054ecc x1 : 0000000000000031 x0 : 0000000000000000
[110355.796371] Call trace:
[110355.803567]  ath11k_reg_update_chan_list+0x26c/0x2a0 [ath11k]
[110355.806262]  ath11k_wmi_sta_keepalive+0x3094/0x4210 [ath11k]
[110355.811906]  drv_start+0x34/0x60 [mac80211]
[110355.817718]  ieee80211_do_open+0x228/0x6e0 [mac80211]
[110355.822059]  ieee80211_do_open+0x6b0/0x6e0 [mac80211]
[110355.827007]  __dev_open+0x110/0x1b0
[110355.832127]  __dev_change_flags+0x140/0x194
[110355.835861]  dev_change_flags+0x24/0x6c
[110355.840114]  devinet_ioctl+0x398/0x69c
[110355.844019]  inet_ioctl+0x250/0x260
[110355.847579]  sock_ioctl+0x240/0x49c
[110355.851398]  __arm64_sys_ioctl+0x598/0x108c
[110355.854958]  invoke_syscall.constprop.0+0x5c/0x104
[110355.859213]  do_el0_svc+0x6c/0x15c
[110355.863811]  el0_svc+0x18/0x54
[110355.867282]  el0t_64_sync_handler+0xe8/0x114
[110355.870409]  el0t_64_sync+0x184/0x188
[110355.874922] ---[ end trace 178df93dc1731d95 ]---
[110355.882010] br-lan: port 8(phy1-ap0) entered blocking state
[110355.883353] br-lan: port 8(phy1-ap0) entered disabled state
[110355.889441] device phy1-ap0 entered promiscuous mode
[110355.896008] device phy1-ap0 left promiscuous mode
[110355.899984] br-lan: port 8(phy1-ap0) entered disabled state
1132

Same here. " iw phy phy1 info " shows that all the frequences are disabled...

 Frequencies:
                        * 5180 MHz [36] (disabled)
                        * 5200 MHz [40] (disabled)
                        * 5220 MHz [44] (disabled)
                        * 5240 MHz [48] (disabled)
                        * 5260 MHz [52] (disabled)
                        * 5280 MHz [56] (disabled)
                        * 5300 MHz [60] (disabled)
                        * 5320 MHz [64] (disabled)
                        * 5500 MHz [100] (disabled)
                        * 5520 MHz [104] (disabled)
                        * 5540 MHz [108] (disabled)
                        * 5560 MHz [112] (disabled)
                        * 5580 MHz [116] (disabled)
                        * 5600 MHz [120] (disabled)
                        * 5620 MHz [124] (disabled)
                        * 5640 MHz [128] (disabled)
                        * 5660 MHz [132] (disabled)
                        * 5680 MHz [136] (disabled)
                        * 5700 MHz [140] (disabled)
                        * 5720 MHz [144] (disabled)
                        * 5745 MHz [149] (disabled)
                        * 5765 MHz [153] (disabled)
                        * 5785 MHz [157] (disabled)
                        * 5805 MHz [161] (disabled)
                        * 5825 MHz [165] (disabled)
                        * 5845 MHz [169] (disabled)
                        * 5865 MHz [173] (disabled)
type or paste code here
1133

Yes - I also have them disabled
What's even more strange is:

image
image1978×679 86.4 KB

It worked previously, but after upgrade to the SNAPSHOT r21965-6f89a0ca20 this happened.

1134

This is a known bug of current master: https://github.com/openwrt/openwrt/issues/11902

2 Likes
1135

Soft debrick works with the same method as AX3600:
TFTP recover with C0A81F02.img (miwifi_ra70_firmware_d96a4_1.0.108.bin)
tested with
https://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/ra70/miwifi_ra70_firmware_d96a4_1.0.108.bin

If any of you takes care of the wiki please add it - I was unable to edit https://openwrt.org/inbox/toh/xiaomi/ax9000

1 Like
1136

I'm updating my snapshot to the latest version and I'm getting this error. I'm currently running OpenWrt SNAPSHOT r21885-f86658e269 but I did restore my configurations from before so maybe that's why? Is it safe to force upgrade?

Mon Feb 6 11:39:26 EST 2023 upgrade: The device is supported, but this image is incompatible for sysupgrade based on the image version (2.0->1.0). Image check failed.
The uploaded image file does not contain a supported format. Make sure that you choose the generic image format for your platform.

1137

I was not caught by the 2.0/1.0 issue so I can't advise.
I do remember this was being discussed on the AX3600 support page though (i.e. General OpenWrt support for Xiaomi AX3600 (Part 2) - #165 by marcin-admin)
Maybe you get answers there?

On that note (just in case you aren't aware) - with the most recent snapshots we have a regression with SOC 5 GHz radio ... not working at all due to potential problems with the txpower.

I think Ansuel is getting very close to finding a good way out of this problem...
The same bug seems to affect the ax3600 devices

1138

My upper 5ghz is showing the 255dBm issue on SNAPSHOT r21885 but it's working correctly. Is that the issue you're referring to? I'm assuming the 2.0/1.0 issue is because I restored files from Robi's build. Just hoping to not brick my router again lol