2nd step

3d step

Thanks a lot for all the work and effort to this amazing community. I just discovered recently and I love it.

Somehow solved. After a few factory resets and following the same procedure... :confused:

https://www.oxygen7.cn/miwifi/ sometimes cannot be accessed, so I made a mirror: https://kopijahe.my.id/miwifi


Thanks for that.

There is also a python script that works https://github.com/YangWang92/AX6S-unlock/raw/master/unlock_pwd.py

FWIW lua has been removed from latest snapshot builds so the xqsystem.lua script won't work.
At the moment latest stable builds are still valid.

Most frustrating problem appreciate help:

• I set up B router, step 4 bullet 3 get {"msg":"connect succces!","code":0}
• Then point 4 bullet 4;stok=f939229610bc973d27ba82c216df279a/api/xqsystem/oneclick_get_remote_token?username=xxx&password=xxx&nonce=xxx

I get message in chinses, the translation is {"msg":"Failed to request the peer interface during one-key switch","code":1643}

I tried with or without a password.
Any ideas about what is going wrong?

I somehow managed to get over error 1643 by resetting and redoing everything.

Now another challenge: I generate a password based on the serial number in two different ways and go the same one.
Nonetheless, when I log in as <[root@]> and type the password, permission is continuously denied.

Any hits?

Interestingly, using the site (typed in SN) and python script (directly looking up SN from bdata) both calculate the same password for my AX3600, but telnet doesn’t accept it in my case either.

Unfortunate as it would make life easier (wouldn’t have to go through setup with internet connected etc) to get token and then use the JS exploit),

Would also love to hear if anyone else has experienced that / if there’s an updated algorithm to calculate the password.

Thanks Eric, so what is the solution you found? Does the exploit work without having the root password?
On the AX6, Telnet is disabled in the first place, SSH could create connection but no password could go through.

I don’t have an AX6. The AX3600 has a browser exploit outlined in the wiki. You may try that to see if it works on AX6 as well.
With that exploit the SSH password is set via the JS.

1 Like

I had success gaining access to a AX6 using the Python script https://raw.githubusercontent.com/YangWang92/AX6S-unlock/master/unlock_pwd.py to calculate the root password.


This works sometimes but the wikipage has lots of problems in it and so does the script in OP
you can change every router's password by having a proper script, a simple addition is having the line:

    result["token"] = "; nvram set ssh_en=1; nvram commit; sed -i 's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear; /etc/init.d/dropbear start;"


    result["token"] = "; nvram set ssh_en=1; nvram commit; echo -e 'password\npassword' | passwd root ; sed -i 's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear; /etc/init.d/dropbear start;"

instead.. but there are several other nvram things that should just be added into it instead.
Internet access & the app aren't really needed for this and the second router isn't if you have internet access can run the script directly off of github or any other webserver

The website was remade months ago, googling the old website for the pass generation shows the new one but these generated passwords aren't even correct some of the time (here's the new site) https://miwifi.dev/

they have a github and several other things dedicated to these. but as I said above, you can just change the password and anything else you want via the "xqsystem" script you add in the first place. Not doing this makes no sense and just adds more steps / breaks the possibility for other people.
Also you can enable dropbear on it by default by adding

echo "/etc/init.d/dropbear" >> /etc/sysupgrade.conf

to it too
This is a good idea since the wiki is wrong and tells you to do some boot flag that resets your nvram and will make people reboot 200 times before they find this thread that doesn't have that wrong command so your firmware actually sticks.

1 Like

I plan to upgrade my AX6 to OpenWrt. I wish to be sure on some issues before starting:

a) Is this good as daily driver for home use?
b) I read the "limitation list" and don't realy understand the meaning. should it have a real effect on near default settings use?
c) The install process is talking about the files openwrt-ipq807x-generic-xiaomi_ax6-initramfs-nand-factory.ubi & openwrt-ipq807x-generic-redmi_ax6-squashfs-sysupgrade.bin
where do I get them?
in https://downloads.openwrt.org/snapshots/targets/ipq807x/generic/ I found files with similar names, but not the same.
d) Any other stuff I beter know before starting?


i already use from jun22, no big issue for daily home use.
i just follow the guide work well.

@wthubhub, do you remember if you took the two needed fies from the download link I wrote (it's the one showing in the main page for the routher)?

U can follow this guide

I don't know file from your link. Just follow the guide and done.

1 Like

Just Curious what is max wifi speed throughput using AX6 official vs openwrt, as I know NSS is not support yet in openwrt. Anybody in here already do this test?

Pure wireless/ AP performance should be mostly the same - (wired networking and-) routing is what profits from NSS (most). In practical terms, the wired ethernet backhaul will limit you to 1 GBit/s (~940 MBit/s at most) anyways, but HE80 with 2x2 clients (the most common type) will get you 750-800 MBit/s in the same room, that's the maximum you will see with 'any' 802.11ax device (more is only possible with more rx/tx chains (3x3, 4x4, 8x8, ..., but that's rarely found in 'common' clients) or using HE160 (which opens yet another can of worms)).

1 Like

Hi i did the official guide at the wiki but I can't acsses to gui, I tray to back to mi official ver but I didn't seaside to.
The rater give me ip address and I have acsses by ssh.
Someone can help?