OpenWrt support for Xiaomi AX9000

qca8081 port require some delay to permit full reset... so any device with qca8081 is affected. But again this is not a brick... just that port malfunction... all the other port function correctly.

2 Likes

I opened a bug about this here. I am literally getting the same thing.

Used this command for Enable SSH Service

sed -i 's/channel=.*/channel="debug"/g' /etc/init.d/dropbear
/etc/init.d/dropbear start

for used command VIA ssh and upload 2 Firmware files to AX9000 via SFTP from your computer

if your restart AX9000 SSH Service will not start automatic please login via telnet and type command to enable ssh again

1 Like

did someone use 6.1 kernel version with nss build?

Sorry if this has been solved elsewhere in the thread, I have searched but I couldn't find anything (other than regulatory stuff, which I've tried)...

I'm on latest (23.05.2) release and cannot get either of the 5ghz bands (radio1 or radio3) working @ 80mhz. I have set country to US and replaced board-2.bin and still devices fail to pick up the channels and connect.

I can successfully scan for other networks with those radios from luci (haven't tried joining though)

Does anybody have any suggestions as to where I could start looking to resolve the issue?

Might sound like a stupid question, but did you reboot the router after replacing the board-2.bin file?

Not sure about the 23.05.2 version but I'm on SNAPSHOT and this board file works. It's only for QCN9074 though and only radio3 antenna can be set to 160MHz, while radio1 can only run at 80MHz. Please see config from my router as reference:

/etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix ''
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr '10.0.0.1/24'
	list dns '1.1.1.2'
	list dns '1.0.0.2'
	list ip6class 'wan6'
	option ip6assign '64'
	option delegate '0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option hostname '*'
	option peerdns '0'
	list dns '1.1.1.2'
	list dns '1.0.0.2'
	option broadcast '1'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns '2606:4700:4700::1112'
	list dns '2606:4700:4700::1002'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'
	option mtu '1500'
	option macaddr '64:64:4A:A0:43:6C'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	list dns '1.1.1.3'
	list dns '1.0.0.3'
	list ipaddr '10.0.1.1/24'
	option auto '0'
	option ip6assign '64'
	list ip6class 'wan6'
	option delegate '0'

/etc/config/wireless:

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/10000000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
	option channel 'auto'
	option channels '100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 144'
	option band '5g'
	option htmode 'VHT80'
	option country 'US'
	option cell_density '3'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/c000000.wifi'
	option channel 'auto'
	option channels '165, 161, 157, 153, 149'
	option band '5g'
	option htmode 'HE80'
	option he_su_beamformee '1'
	option he_bss_color '11'
	option country 'US'
	option cell_density '3'
	option txpower '30'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/c000000.wifi+1'
	option channel 'auto'
	option channels '13, 11, 6, 1'
	option band '2g'
	option htmode 'HE20'
	option he_su_beamformee '1'
	option he_bss_color '22'
	option country 'US'
	option cell_density '3'
	option txpower '15'

config wifi-device 'radio3'
	option type 'mac80211'
	option path 'soc/20000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channels '165, 161, 157, 153, 149, 64, 60, 56, 52, 48, 44, 40, 36'
	option channel '36'
	option band '5g'
	option htmode 'HE160'
	option he_su_beamformee '1'
	option he_bss_color '33'
	option country 'US'
	option cell_density '3'
	option txpower '30'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'WiFi'
	option encryption 'sae-mixed'
	option isolate '1'
	option ifname 'radio1'
	option key 'password'
	option skip_inactivity_poll '1'
	option disassoc_low_ack '0'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'WiFi'
	option encryption 'sae-mixed'
	option isolate '1'
	option ifname 'radio2'
	option key 'password'
	option skip_inactivity_poll '1'
	option disassoc_low_ack '0'

config wifi-iface 'default_radio3'
	option device 'radio3'
	option network 'lan'
	option mode 'ap'
	option ssid 'WiFi-5G'
	option encryption 'sae-mixed'
	option ifname 'radio3'
	option key 'password'
	option skip_inactivity_poll '1'
	option disassoc_low_ack '0'

The above would give you 2 Wi-Fi APs, one named WiFi which will be 2.4GHz/5GHz and one named WiFi-5G for 5GHz and this one will also be on 160MHz bandwidth. The other antenna (radio1) can only do 80MHz.

This can be easily edited either through an SSH session with vim or using WinSCP to connect to the router (it has built-in text editor).

If you make changes to these files and replace the board-2.bin file, you will need to reboot your router else you can get errors instead.

One other thing is that it can take up to 10 minutes for the Wi-Fi network to show up (usually takes no more than 1 minute) due to the antennas needing to scan for DFS channels. Hope this helps.

Thank you so much, it now appears to be working. The changes I had to make to /etc/config/wireless is below.

config wifi-device 'radio1'
	option channel 'auto'
	option band '5g'
	option he_su_beamformee '1'
	option he_bss_color '11'
	option cell_density '3'
	option txpower '30'


config wifi-device 'radio3'
	option channel 'auto'
	option band '5g'
	option he_su_beamformee '1'
	option he_bss_color '33'
	option cell_density '3'
	option txpower '30'

Having troubles trying to flash my second unit, wondering if I'm just being thick or something else is afoot.

I have followed the Wiki, everything runs as expected up to ubiformat /dev/mtd22 -y -f /tmp/openwrt-23.05.1-ipq807x-generic-xiaomi_ax9000-initramfs-factory.ubi && nvram set flag_boot_rootfs=1 && nvram set flag_last_success=1 && nvram commit and rebooting.

On reboot though it loads into stock firmware and none of my changes persist (even SSH access). Root Telnet access remains and I can confirm nvram get flag_boot_rootfs still returns 0.

What can I provide to diagnose the issue?

Hi

I just bought AX9000 in hope to use OpenWrt.
I have been running tomato forks for years.
Devices getting faster but firmware doesn't support old features like VLANs.

So I have a problem, my router is running on version 3.0.48, i tried downgrading but it failed (for "security" reasons)
I tried the exploit thing, but the router cannot verity the 1,2,3 files.

I ordered 1.8V UART, (I have some 3.3V/5V for ESP32), but if the RX pin is disabled, that wouldn't help.

To help others disassemble the device, the screws are under feet and sticker, and top part is hold by clips also, but the clips don't fight too much, take top part slowly, not to break LED connector wires, they are ridiculously thin.

So what can I do, how do I make OpenWrt on my AX9000?
I think I have international version, but I have no idea how to tell :slight_smile:

The generic rules of thumb are:

  • if you have Web User Interface in Chinese only, you probably have a Chinese version of the firmware,
  • If you have other languages available, then you probably have an international version of the firmware.

As far as I am aware, this has to be considered when upgrading/downgrading your Xiaomi firmware (so if you have Xiaomi 3.0.48 International firmware, you should upgrade to other International firmware).
The exploit approach with generating and uploading the "1,2,3 files" seems to be blocked on the international firmware ... for which the one-off UART flashing is needed.

thanks for this board file Any changes for led lights cant seem to disable them anymore in latest snapshot

Thanks for your answer.
So I have international firmware.
It doesn't allow me to downgrade it to 3.0.40, should I try to other version?
update_failure

And the exploit generates zip file with 1,2,3 files, but the zip file have 3KB, the size seems too small.

try XMiR-Patcher

1 Like

@remittor thanks, that's awesome
I have now SSH enabled, and I see the ridicules "ARE U OK" MOTD.

I set uart_en, didn't set boot_wait since I think it waits for uart to carry on?
Can I use this tool to flash the device without UART?
I see the options

 5 - Install EN/RU languages
 6 - Install Breed bootloader
 7 - Install firmware (from directory "firmware")

So if I put the openWRT firmware into the directory, will it work?, and do I need the Breed bootloader? And the languages, is it for Chinese versions, because I'm not sure why I would do that?

ok got leds out some options has changed apparently (better now) :grin:

I managed to flash my cylon looking AX9000 (even the name sounds like cylon model :P) with help of OpenWrt support for Xiaomi AX9000 - #1443 by rdlvm
I managed to brick it first with XMiR-Patcher, by pushing firmware that resulted boot loop... however I had UART enabled with XMiR-Patcher help, so I recovered.
But I may push wrong file, I see that there is:

  • ax9000-initramfs-factory.ubi
  • ax9000-initramfs-uImage.itb
  • ax9000-squashfs-factory.ubi
  • ax9000-squashfs-sysupgrade.bin

What exactly that means I don't know, I know you typically need kernel, kernel boot modules and OS. squashfs implies OS, initramfs implies kernel boot modules and scripts, I'm curious, can anyone explain the options?

I went into this in expectation that not everything works, but it seems that different things work than the OpenWrt website explains.
Take a look at this:


I see that IPQ8074, QCN6024/9024/9074 doesn't get up, I'm confused what should work, and what doesn't, the website mentions that this router has (QCN9024, QCN5024, QCN9024, QCA9889), none of those numbers match.

And how do you choose the channel number for WIFI in OpenWRT?, it seems to be automatic to me in LuCi.

I'm learning OpenWRT (transition from Tomato shibby or FreshTomato), And I'm starting to like it. As in all networking firmware, I struggle with making it acts in a way I want it too.

So to summarize, I would be grateful if someone could tell me/explain:

  • Flash images option explanation
  • Whether my WIFI works as they should, or can I add a driver?
  • How can I (or can I) choose the WIFI channel in LuCi?
  • What exactly IoT radio means, and which one is it, it seems to me from qualcom chip description of QCA9889, that it's normal WIFI?

I managed to launch 3 out of 4 wifis by playing with settings
And figured out the channel change, now it's available in edit, but was not when I created the SSIDs, weird.

I noticed that when I try to launch Qualcomm Atheros IPQ8074 802.11ac/ax/n, something is crashy crashy

Crash of a module ath11k
[   66.565649] WARNING: CPU: 2 PID: 2535 at 0xffffffc000ea4754 [ath11k@0000000037d79594+0x6c000]
[   66.569303] Modules linked in: xt_connlimit pppoe ppp_async nf_conncount ath11k_pci ath11k_ahb ath11k ath10k_pci ath10k_core ath xt_state xt_helper xtt
[   66.569517]  ip_set_list_set ip_set_hash_netportnet ip_set_hash_netport ip_set_hash_netnet ip_set_hash_netiface ip_set_hash_net ip_set_hash_mac ip_setc
[   66.700709] CPU: 2 PID: 2535 Comm: hostapd Not tainted 5.15.137 #0
[   66.722944] Hardware name: Xiaomi AX9000 (DT)
[   66.729191] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   66.733622] pc : 0xffffffc000ea4754 [ath11k@0000000037d79594+0x6c000]
[   66.740391] lr : 0xffffffc000e99708 [ath11k@0000000037d79594+0x6c000]
[   66.746989] sp : ffffffc00fbd39c0
[   66.753406] x29: ffffffc00fbd39c0 x28: ffffff8018187400 x27: ffffff80064f5020
[   66.756713] x26: 0000000000001003 x25: 0000000000000000 x24: ffffff80064f2020
[   66.763830] x23: ffffff80064f0508 x22: ffffff8004e20000 x21: ffffff80064f04d8
[   66.770949] x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000007
[   66.778067] x17: 0000000000000004 x16: 0000000000000031 x15: ffffff80064f3158
[   66.785185] x14: 0000000000000001 x13: ffffff8004e28794 x12: ffffff8004e287a0
[   66.792303] x11: 0000000000000002 x10: 000000000000000d x9 : ffffff80064f3138
[   66.799421] x8 : ffffff80064f5020 x7 : 0000000000000003 x6 : 00000000ffffffff
[   66.806539] x5 : 000000000000000c x4 : 0000000000000048 x3 : ffffff80064f0508
[   66.813659] x2 : ffffff8001dd3fec x1 : 0000000000080031 x0 : 0000000000000000
[   66.820777] Call trace:
[   66.827884]  0xffffffc000ea4754 [ath11k@0000000037d79594+0x6c000]
[   66.830148]  0xffffffc000e99708 [ath11k@0000000037d79594+0x6c000]
[   66.836397]  0xffffffc000cd6b84 [mac80211@000000005c69fe9f+0x85000]
[   66.842475]  0xffffffc000cedd7c [mac80211@000000005c69fe9f+0x85000]
[   66.848550]  0xffffffc000cee210 [mac80211@000000005c69fe9f+0x85000]
[   66.854800]  0xffffffc0085cc9c0
[   66.861044]  0xffffffc0085ccdc0
[   66.864169]  0xffffffc0085cce38
[   66.867294]  0xffffffc0086aa39c
[   66.870419]  0xffffffc0086ae084
[   66.873544]  0xffffffc00859cdc4
[   66.876669]  0xffffffc0081c60cc
[   66.879795]  0xffffffc008022f6c
[   66.882920]  0xffffffc008023080
[   66.886044]  0xffffffc008792c18
[   66.889170]  0xffffffc008793a38
[   66.892295]  0xffffffc0080115f4
[   66.895419] ---[ end trace 1af90947bff21263 ]---

Not likely to be helpful without the symbols

There are some limitations with ath10k (IoT/ac Wifi) and ath11k (2.4G Wifi/ax, lower band 5G/ax, upper band 5G band/ax) drivers.
I was only able to make them run if all radios were configured with the use of the US country code.
Any other country code for all wifi radios, or different county code for some radios and I saw similar kernel/ath1x crashes...

Thanks, setting everything to USA seems to boot all radios.
There are some differences with channel numbers with my country PL.
And US allows 1W of power for 2.4G, in PL is .1W.
But this can be adjusted in menu.

But for 5G the channel numbers rarely match with PL, I wounder if it matters for devices, will they connect regardless if the radio channel matches their radio channels, do you know?

What surprised me the most, is that I can switch Qualcomm Atheros QCA9887 802.11ac/b/g/n to 2.4G/5G

1 Like

If I remember correctly, the problem was with the IoT radio + ath11k PCI radio...
With them disabled, setting the country code to PL should work for the remaining two radios.

I am not in the US either; I have a lot of devices connected across all four radios and haven't had any problems with the connectivity.