OpenWrt support for Xiaomi AX9000

Yes, they are all DWC based.

Any progress on this? The AX9000 would be so much better with OpenWRT! Hoping it's something that'll happen.

Not really, been really busy at work.
I am on vacation till August and after that I will start again.
Biggest issue is lack of QCN9074 support.


I am trying to perform the exploit above without success. The second router is a PI3 running OpenWrt I have tried using either the native wifi interface or an Alpha USB adapter the pi doesn't even see incoming attempts, the AX9000 http request always ends in timeout. Is there something subtle required in the radio parameters or this is hopeless and I need a "true" router ? If so which one could be usable ?

Hm, Pi3 should work just fine as long as there is LuCI installed.
Have you tried connecting to the URL via another device to see what gets returned?

Yes, with a phone for example. Frames are exchanged up to the CONNECTED state. With the AX9000 I can only see probe request/probe response/ack on the wifi sniffer. As if the device didn't switch to AP mode and didn't try to connect.

I don't really have an idea what could be wrong.
Only thing could be that the config passed in the URL is incorrect

Last one, tried both with and without an & beteween WPA2PSK and enctype.;stok=23eb8f7a6481360bcb93ffa6d0cd9bd4/api/xqsystem/extendwifi_connect_inited_router?ssid=pi3owrt&password=azerty12&band=2g&channel=1&encryption=WPA2PSK&enctype=CCMP&admin_username=root&admin_password=admin&admin_nonce=xxx

What Luci is installed on the PI?
Just Luci or Luci SSL?

Luci. I was aware of the Luci-SSL issue.
From the wifi sniffer, I see the AX broadcasting probe requests every 100ms it never tries to switch to sta mode and reply to the pi3 probes. I have tried a disable all wifi, downgraded to 1.0.82 same result. The firmware is the Chinese version not the international one. May this be the root cause / origin ? returns {"token":"; nvram set ssh_en=1; nvram set uart_en=1; nvram set boot_wait=on; nvram commit; sed -i 's/channel=.*/channel="debug"/g' /etc/init.d/dropbear; /etc/init.d/dropbear start;","code":0}
So the issue is not luci itself but either an arcane wifi option on the Pi3 side is missing or this AX model/version doesn't go in sta mode as I suspect because it doesn't stop broadcasting probe requests with its own SSID. Using channel 11 doesn't give better results.

The extender API is using WDS which needs hardware compatibility?

Good point. Neither "option wds '1'" nor "option mode 'wds'" work, no authentication performed.

It was working for me with the chinese firmware.

Do you have any other Wifi-Router you can try?

I'd assume an issue with the AP-Mode on the PI.

Yes, the most probable explanation is that the AP mode has shortcomings. I'll try with an unused NUC, if it fails I'll have to buy a router. Do you know a cheap one, already tried and effective ?

I've used a Homehub 5, but the device was already modified to run vanilla Openwrt (serial access is quite difficult)

A cheap ath79 one will also do.

For hardware recommendations please open a new topic in the Hardware Questions and Recommendations category of this forum.

Please see before asking for recommendations. This way you will get better recommendations and come to a quicker solution.

Xiomi AX9000 Firmware

Xiomi AX9000 Firmware:
AX9000 factory firmware package Mi router AX9000 (stable version)
Mi router AX9000 stable version:1.0.82

Mi router AX9000 (stable version)
Mi router AX9000 stable version:1.0.101

  1. Increase LAN port link aggregation function, bandwidth when NAS and switch support link aggregation function Double
  2. add firewall switch in IPv6 Native mode
  3. USB 3.0 newly supports extFAT format
  4. Fix the compatibility with some Mi TVs
  5. Other known problem fixes

Mi router AX9000 (stable version)
Mi router AX9000 stable version:1.0.108

  1. The upgrade supports simultaneous access of up to 1000 terminal devices. You can enter the WEB background-common settings-LAN settings for configuration
  2. The Mesh experience is further improved, and the initialization process, networking stability, configuration synchronization and other functions are optimized
  3. Fix other known issues and improve the overall stability of the firmware
1 Like

Thanks to all, got SSH access to AX6000 , for password used simplified script, where password need be entered from as parameter:

import sys
import hashlib

# credit goes to zhoujiazhao:

salt = {'r1d': 'A2E371B0-B34B-48A5-8C40-A7133F3B5D88',
        'others': 'd44fb0960aa0-a5e6-4a30-250f-6d2df50a'}

def get_salt(sn):
    if "/" not in sn:
        return salt["r1d"]
    return "-".join(reversed(salt["others"].split("-")))

def calc_passwd(sn):
    passwd = sn + get_salt(sn)
    m = hashlib.md5(passwd.encode())
    return m.hexdigest()[:8]

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: python3 {sys.argv[0]} <SN>")
    sn = sys.argv[1]
    print("Given SN: "+ sn)
    print("Calculated root password: "+calc_passwd(sn))

taken out russian forum 4pda, works correctly on ax9000, others not tested

The bdata patch to receive telnet and ssh (so far it only added ax3600, ax6000, ax9000, ax6)

  1. Make a backup of the configuration if necessary, because telnet will require a factory reset to activate.
  2. Go to the admin panel on the web muzzle ( or by IP address)
  3. Copy the content of the create_exploit.js file to the browser console and press Enter.
  4. If everything is ok, a window will appear where you can change the bdata region or leave it at that.
  5. Wait 10-15 seconds for the patch file to be generated. Then it should download automatically, so if the browser has crashes on this, it is better to remove them.
  6. Unpack the contents of the downloaded file.
  7. After unpacking, there should be 3 files: 1.bin, 2.bin, 3.bin. In the same order, upload it to the webmord where the firmware for the update is manually uploaded. If everything is fine, after each load, the router should restart. If after the first filling you stop connecting via wifi, you need to connect via cable and continue (I never had this, but people write what happens).
  8. Factory reset.
  9. Go to the admin panel and run the script calc_passwd.js in the browser console to find out your password for telnet. (This step can be done once and at any time. The default password depends on the serial number and will not change if the serial number is not changed)
  10. Try to connect via telnet, if it says the password is wrong, You can also repeat from step 7 until it works. (In ax3600, there is often a glitch that after factory reset the default password is not accepted and the router needs to be reset again.)
  11. You can enable ssh:

Connect via telnet and turn on the ssh server:

sed -i 's / channel =. * / channel = \ "debug \" / g' /etc/init.d/dropbear
/etc/init.d/dropbear start

Thank you, this worked for me. Had to set ssh_en=1 and nvram commit.