Problem: ssh won't connect (xiaomi AX3000T)

ynovka · November 16, 2025, 9:24am

I am trying to install openwrt on my xiaomi AX3000T.
Version 1.0.97
Bar 702479
SKU: DVB4441GL
Model RD23

The steps I followed:
curl -X POST cgi-bin/luci /;stok=xxx/api/xqsystem/start_binding -d "uid=1234&key=1234'%0Anvram%20set%20ssh_en%3D1'"
curl -X POST /cgi-bin/luci /;stok=xxx/api/xqsystem/start_binding -d "uid=1234&key=1234'%0Anvram%20commit'"
curl -X POST /cgi-bin/luci /;stok=xxx/api/xqsystem/start_binding -d "uid=1234&key=1234'%0Ased%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%22debug%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear'"
curl -X POST /cgi-bin/luci/;stok=xxx/api/xqsystem/start_binding -d "uid=1234&key=1234'%0A%2Fetc%2Finit.d%2Fdropbear%20start'"
curl -X POST /cgi-bin/luci/;stok=xxx/api/xqsystem/start_binding -d "uid=1234&key=1234'%0Apasswd%20-d%20root%0A'"
ssh -o StrictHostKeyChecking=no -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa root@192.168.31.1

ssh -o StrictHostKeyChecking=no -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa -v root@192.168.31.1
nanddump -f /tmp/BL2.bin /dev/mtd1
nanddump -f /tmp/Nvram.bin /dev/mtd2
nanddump -f /tmp/Bdata.bin /dev/mtd3
nanddump -f /tmp/Factory.bin /dev/mtd4
nanddump -f /tmp/FIP.bin /dev/mtd5
nanddump -f /tmp/ubi.bin /dev/mtd8
nanddump -f /tmp/KF.bin /dev/mtd12

mkdir C:\AX3000T_backup
scp -O -o HostKeyAlgorithms=+ssh-rsa -o StrictHostKeyChecking=no root@192.168.31.1:/tmp/*.bin C:/AX3000T_Backup/
ssh -o StrictHostKeyChecking=no -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa root@192.168.31.1

ubiformat /dev/mtd9 -y -f /tmp/openwrt-23.05.5-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi
nvram set boot_wait=on
nvram set uart_en=1
nvram set flag_boot_rootfs=1
nvram set flag_last_success=1
nvram set flag_boot_success=1
nvram set flag_try_sys1_failed=0
nvram set flag_try_sys2_failed=0
nvram commit
reboot

after that, I tried to connect via ssh, but it didn't work.

ssh root@192.168.1.1

What did I do wrong? Sorry, I'm new to this business.

frollic · November 16, 2025, 9:46am

Was firmware=0 ?

ynovka · November 16, 2025, 9:48am

Yes
cat /proc/cmdline
firmware=0

Wallbanger · November 16, 2025, 11:13am

pls use codetags, thx

brada4 · November 16, 2025, 1:24pm

You did not check it in your transcript. Please start from the beginning.

alexq · November 16, 2025, 2:17pm

Unfortunately, the xqsystem/xqsystem RCE method is not suitable for the 1.0.97 stock firmware on the RD23 (Xiaomi has fixed RCE for this method after 1.0.76 version). See https://openwrt.org/inbox/toh/xiaomi/ax3000t#api_rce_support_status :

note 2: the method is not described yet in the wiki. Please refer to the forum post.

So, the simplest option for you is:

Downgrade your RD23 to the 1.0.76 stock firmware version and try the xqsystem/xqsystem method again.
Or use a 3rd-party tool that has the RCE method xqsystem/get_icon implemented.

ynovka · November 16, 2025, 6:25pm

Well, it turns out that I was trying to install an old version of openwrt. I restored via TFTP and tried again with the new version, and it worked.

system · November 26, 2025, 6:25pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.