It doesn't have to be TinyPXE. It can be any TFTP server. Just make sure the IP address of the computer that runs TFTP Server is 192.168.1.100
TFTP Servers (Chose 1):
Solarwinds and TinyPXE have their own folder for serving files. Just make sure the openwrt-ipq807x-generic-xiaomi_ax9000-initramfs-uImage.itb is in that folder. TinyPXE has even a select for specific file.
TFTPd serves files from the same folder the TFTPd executable is ran.
@psevdo & @Xcat2008 => Uncheck the Filename if user-class=...
Might be easier to just setup Solarwinds TFTP Server instead. Here is the direct link for download.
Just make sure that:
Very important to set speed to 10MB Half-Duplex:
Double-check that the above settings are applied to the Ethernet card.
Start Solarwinds TFTP Server, go to File => Configure:
Set timeout to 20 (which is maximum) and retries to 6 and make sure it says "Started" under Status, then notice the server root directory (It's C:\TFTP-Root by default). This is where you need to place the file. You can even rename the file to something more easy like image.itb and put it there.
Now, in U-Boot, over UART, you need to set the vars (one line at a time and please type in manually instead of copy-paste since I had issues when doing copy-paste) and boot the image:
nvram set uart_en=1
nvram set atf=1
nvram set boot_wait=on
nvram commit
setenv ipaddr 192.168.1.1
setenv serverip 192.168.1.100
tftpboot 0x44000000 image.itb
bootm
This will boot into OpenWRT from RAM, so it's not yet installed. Once booted, you need to SSH in the router via Ethernet (ssh root@192.168.1.1 or use PuTTy).
Grab the latest sysupgrade file from here (xiaomi_ax9000-squashfs-sysupgrade.bin), use SCP or WinSCP to transfer it to the router on /tmp/ and use sysupgrade to flash OpenWRT on the router storage:
cd /tmp
sysupgrade -n openwrt-ipq807x-generic-xiaomi_ax9000-squashfs-sysupgrade.bin
If this fails, then you might need to do:
uci set system.@system[0].compat_version="1.0"
uci commit system
sysupgrade -n -p -F openwrt-ipq807x-generic-xiaomi_ax9000-squashfs-sysupgrade.bin
Router will reboot and you'll have OpenWRT installed on storage. Please note that this is a minimal installation, so it doesn't have LuCi installed and wireless is disabled by default. You will need to SSH into the router via Ethernet again after flashing and, while router is connected to the internet, do:
opkg update
opkg install luci
reboot
Once router is back, you should be able to access LuCi at 192.168.1.1 in the browser (through Ethernet). User is root with no password. After this you'll need to setup Wireless. Good luck!
I just made a mistake at the tftp stage) everything worked out! thanks for the help !
Thank you for your help, i'm stuck on the U-Boot... Just do not know what that is.. I even install Ubuntu on a VM and add the USB TTL there and nothing happends. I dont know do this 
I'm so sorry, but really not used to this sfuff. If you can show the the ligh i will be thankfull 
The rest of the step's looks strait forward 
Once again amazing job / explanation 
U-Boot is a special boot mode. You can reach it after you have applied the hack. Just connect to UART as serial connection and confirm if text appears on the terminal when router does something, like powering it on.
If text shows up, you should have about 3-5 seconds after you turn on the power to press any key and cancel booting (there is actually a message in the terminal). Pressing any keyboard button during that time (you need to have clicked inside the terminal to have it focused to receive keyboard input) will effectively give you a shell inside U-Boot where you type those commands. Please note that the commands must be typed manually and not copy-pasted. I had issues with copy paste and the U-Boot shell behaves like old Unix shell where deleting characters in the middle of the prompt won't shift the other text, but rather just clear the spot.
Hope this helps. Good luck.
What hack? I'm trying to follow everything correct, dunno what i'm missing So let's try explain, for my last attemp jezzz i'm 2 days around this So, first i have open my Web Browser to run the exploit's and get the 3 Bin's and SSH PW... OK, Flashed those 3 Bin's, 3 restarts and SSH enable, PW working. Now, ive setup this new app for the Server and store the file over there. Lan is setup as you show, i think everything is Ok until here. U-Boot is something i do not understand, what APP i need to use or terminal to get it working? I have this one called Tera Term, looks like connect's via UART to the router because when the RX blinks on the USB some letters/ caracter show on the console/screen.. Look here https://youtu.be/lL00Jb0vzKw
So i'm stuck on that part, U-Boot to set those commands and flash the OPenWrt. If you can show some kind of example i wil be thankfull, you have done a lot already and i will not ask anymore. Kinda tired and sad because i manage to not make it working The only thing i have is the lasttest firmware [Global 3.0.40].. Dunno if that can make the diference. Thanks mate.
Looks like i had some bad connection on the wires.. Fixed.. Now it show's some text, but pressing any key on the key board anything happends Any tips guys? Please 
You need to enable the serial, instructions in serial section in wiki.
Assuming the baudrate and other settings are correct, you could try using a wired keyboard.
I had similar issues with wireless keyboard not responding fast enough to stop uboot, the issue was resolved by using a laptop with built in keyboard.
I still never use a wireless keyboard with putty until this day.
Anyone has by any chance the Firmware 3.0.33 ( The router is at 3.0.40) ? Not sure, but maybe is the firmware?! Decided to start over, and now i cannot even enable SSH.. Always a error on putty about the command to enable SSH.. jezz i'm going crazy.. The U-Boot was "working", but at some point the Terminal/console stop showing stuff.... We got like 5 seconds to press anykey correct? After that, no input.. nothing happends, cannot write any commands because looks like it freezes...
EDIT!!!! I was unable to enable SSH because i was following WIKI! Some commands missing on WIKI! First command will give error, but will work in the same with those all:
//
Connect via telnet and enable ssh server:
sed -i 's / channel =. * / channel = \ "debug " / g' /etc/init.d/dropbear
/etc/init.d/dropbear start
sed -i 's/channel=.*/channel="debug"/g' /etc/init.d/dropbear
nvram set ssh_en=1
nvram commit
/etc/init.d/dropbear start
Working again after input all those.
EDIT2: Same thing.. Connect UART, turn on Router freeze the "terminal", show some text and stops at "random places"... Dunno what do more.. Only can be the firmware! I think i have everything ok, only can be the firmware
3.0.33 is not available in wild a.f.a.i.k. 3.0.40 works just fine. Check the connections, keep your calm
Most likely not fw version, UART should be fw agnostic, provided that you have enabled UART.
Are your baudrate, parity, etc... correctly set in accordance with the screenshot below, what about RX->TX, TX->RX cross connection, sure you have it right?
Can you share a screenshot of the text printed when the router starts up.
If using wireless keyboard, it may not be fast enough to stop uboot.
Hopefully you've never connected the router to 3.3/5v UART adapter? but you could try a different 1.8V USB UART adapter to eliminate the possible of a damaged UART adapter
Hello mate, i got the same USB TTL someone purchase or post on this thread. I had the caution of mesure the output pin's and it's 1.8V. The problem is the when we turn on the router, sometimes post the entire boot porcess, sometimes not. Using putty with those exacly settings. The router is working 100%, i was able to see the message of Press anykey to stop boot like 2 or 3 times, now i'm getting hard time to even see the beginning of the boot lol I even soldder a thik wire directly on the router and USB TTL to dispite bad connections. I have no problems about soldering. About the Keyboard, i got a secondary PC, i'm using the PC only for this, it's a usb keyboard and works on the terminal. The problems is looks like the terminal is not working properly, maybe is the USB TTL damage?! Dunno. I'm gonna record a video, so you can see better. I dont know what do more honestly.
Hi, I am currently on 3.0.40. And I tried the hdr2 version, it does the work. After I connect to telnet, it shows me "XiaoQiang login". I try to use username root and password from calc_passwd.js. It always show me Login incorrect. I had tried reset factory many times. seems not really helpful. Do you have any idea about the problem?
I have been like 2 days around my router lol Still nothing from UART.. purchase a new USB TTL for second try and last try.. For the Login and Password work over telnet, you need at start select your contry and be on the Admin Page... After restoring default's will not work, at least for me never worked... restored many many times, and got into that conclusion.. will not work after restore defaults, only after select COuntry and continue with the setup on the web page.
I had a similar issue, solved by first accessing the admin GUI @192.168.31.1 and performing the initial setup until it is possible to login into the GUI.
After that, do telnet using password from calc_passwd stage. It should work, except something else has gone wrong.
This is what happends.. I can mount the Image to RAM, SSH to install image from WinSCP.. After that, router reboots and nothings happends.. I mean, router is on Boot Loop.. Anyone has an idea to fix?! Follow everything what @Soromeister said.. I'm out of ideias Even if is possible, someone tell me to flash again the original Firmware please? Looks like openwrt will not work here! Video, from me mounting and installing the image.. And still boot loop.. https://youtu.be/p8T3KTe0-Ug
@3:49 it shows "Kernel image authentication failed".
Can you double check you've (successfully) set atf=1
in u-boot
printenv atf
should show it set to 1
Hey thank you for the reply.. Those commands over UART / U-Boot does not work:
nvram set uart_en=1
nvram set atf=1
nvram set boot_wait=on
nvram commit
After you reply, ive tested a lot of combinations, and yes it work only if i tipe like this : set atf 1
Typing NVRAM or set atf**=**1 will give an error, syntax or something. After typing set atf 1 follow by printenv atf will show 1.
But still no luck, even with atf 1 boot loop