Xiaomi ax3600 bricked

For Developers
107

hi thank you for reply

is this the first part upon hold and power on?

BOOTP broadcast 1
DHCP client bound to address 192.168.31.2 (19 ms)
*** Warning: no boot file name; using 'C0A81F02.img'
Using eth0 device
TFTP from server 192.168.31.100; our IP address is 192.168.31.2
Filename 'C0A81F02.img'.

mine only continous BootP broadcast 1- 99 nothing happens

what could be wrong?

108

You shouldn't have to configure the connection manually as the tool does it automagically and also don't set connection speed either. I've recovery mine many times without a serial connection.

Hold reset and then plug in power and keep holding it for about 30 seconds, then open up the MI tool.

You also have to use the official AX3600 Xiaomi firmware.

109

Also connect the computer directly to the AX3600 and use LAN port #1.

I use tftpd64 (with TFTP+DHCP) and not MI tool, it works for me in LAN1:
https://openwrt.org/toh/xiaomi/ax3600#tftp_recovery

110

ok so i try to leave it auto on all settings?

hold reset and plug power gives me bootp display and never ending count

this is the file im using miwifi_r3600_firmware_5da25_1.0.17.bin

111

if i leave it to auto

the ip i get is 192.254.33.0
255.255.0.0

112

Here my notes on TFTP recovery xiaomi factory FW:
(That I had wrote for someone else, following the wiki steps https://openwrt.org/toh/xiaomi/ax3600#tftp_recovery, maybe it helps):

Now with TFTP Server running:
(Note: you'll see a msg. in the app when the FW file is downloaded by the router)

  • Keep reset button pressed and power on your ax3600
    Keep it pressed until you see the system led blinking orange
  • If the led is blinking blue led it means the device was flashed (wait some time).
  • After xiaomi firmware is flashed, I think we need to power off and on again (can't remember), then the led will be solid orange for a few minutes (can't remember how long) while the xiaomi FW loads, when it is loaded it will blue, try connecting to it's web page.
  • Notes: bellow are the copied led instructions from the wiki, I don't remember how the lights went on mine:
    When the device finished loading the firmware, the led starts blink.
    Wait for until blue led get solid!
    It Might take some time for the Led go get to solid blue.
    If the recovery doesn't accept the downloaded file the led switches to solid white - if this is the case, restart the recovery process with other file.
    If the led is blinking blue led it means the device was flashed successfully and can be restarted.

I have serial/uart interface so I can see and access u-boot (I didn't use the terminal keyboard).
I used router LAN1 port, didn't try others.
I renamed the C0A81F02.img file to something else, so It would not load in this test bellow.

Power on the router while pressing reset, until orange led starts flashing, then release reset button.

Here the log part with the process:

BOOTP broadcast 1
DHCP client bound to address 192.168.31.2 (19 ms)
*** Warning: no boot file name; using 'C0A81F02.img'
Using eth0 device
TFTP from server 192.168.31.100; our IP address is 192.168.31.2
Filename 'C0A81F02.img'.
Load address: 0x44000000
Loading: *
TFTP error: 'File not found' (1)
Not retrying...
ipq807x_eth_halt: done
ipq807x_eth_halt: done

Here the logs from tftpd (I deleted the MACs):

image
image775×201 61.6 KB

image
image728×137 29.6 KB

3 Likes
113

If you bind it to an interface you need to have the permission (run as administrator) and the port has to be free (e. g. 2nd instance still running as zombie in background). Look into the log for errors like: "error socket ... " or "error bind ...". Be sure the firewall is open for port 69 or disabled at all.

115

hi firewall is off and only lan1 to laptop lan is connected, i don get any log on tftp64
i do get bootp broadcast while viewing putty
on wireshark what do i need to check? i can see source 192.168.31.100 then destination 192.168.31.255
on broadcast arp who has 192.168.31.100? arp probe

on the mi tool repair
i do get complex dns request ignored

what could be wrong here?

116

hi firewall is off and only lan1 to laptop lan is connected, i don get any log on tftp64
i do get bootp broadcast while viewing putty
on wireshark what do i need to check? i can see source 192.168.31.100 then destination 192.168.31.255
on broadcast arp who has 192.168.31.100? arp probe

117

@sqrwv has written very detailed how it has to be done.

You have to get something in the logs from tftp64. Look at the second to last picture from @sqrwv description. And forget wireshark we/you have to be sure about if the setup is correct first.

What is the output of the two command lines (open a windows shell (cmd/powershell):

Netsh Advfirewall show allprofiles

and

Ipconfig /all

Then show the setup of tft64 here for tftp tab and dhcp tab. Include the log log tab also if you tried again already.

118

here are the results logs or dhcp server of tftp only give if i set to auto dhcp
if i set the lan ip manual tftp does not give any ip and on putty there is no request of tftp

AX 3600 RESULT
AX 3600 RESULT1384×5444 602 KB

119

The 192.168.31.2 IP needs to be given from the DHCP server (tftpd) to the router. So the PC needs to have a fixed IP.

Note:I don't remember why I configured DHCP option - Def. router, opt3 and opt1, probably it didn't work without them.

Looks like your router LAN1 port is not communicating?
Can you check on PC the ethernet connection speed detected? Is it the max. speed between both ports?
In the router and PC the LAN ethernet port lights are on?

Maybe try another ethernet cable?
How your router got bricked? Maybe it affected the ethernet ports.

120

pc lan is ok gigabit if other router connected
but on this bricked ax3600 speed is only 10mbps regarldless of cable i use
after reading a few pages back someone said plying the speed duplex to full/half 10mbps solve their tftp but in my case it does not

router got bricked after new update then suddenly next day steady orange

im checking how would the tx be accepted as this router on the putty i cannot stop the auto reboot loop

it does not boot loop if under bootp status but all lan ports 10mbps

121

Y, this looks wired to me. But that's the only I can see.

The message: "Presviously allocated address ... acked ..." is there. But it does not request the file or comming through for request.

This application might stop listening on the local UDP port at the very moment that you need it, i.e. when the router at the other end of the network connection restarts. To work around this issue, do one of the following:

netsh interface ipv4 set global dhcpmediasense=disabled
netsh interface ipv6 set global dhcpmediasense=disabled
  • Use a switch between the TFTP host and the client router so that the network link of the Windows machine remains up while the router is rebooting.

EDIT:
If this does not help I would try the Linux approach.

122

already placed a hub in between and disable media sensing

still no reply log on tftp if i manual set ip
if auto dhcp it gives out ip but does not say tftp req
also i notice the lan gets up around BootP broadcast count 15-17

--

i dont know how to linux, is ubuntu easy or other way to linux approach?

123

Well, I'm not the Windows guy. But I will try to write it up for Linux. Give me bit time. I will edit in parts.

1.) Download an Ubuntu ISO and put it onto a USB stick and boot into it.

a) Ubuntu ISO: https://ubuntu.com/download/desktop/thank-you?version=22.10&architecture=amd64
b) Tool for writing ISO to USB e. g.: https://www.balena.io/etcher/
c) Reboot your PC into Ubuntu.

2.) Connect your system to the internet (if its not the case already).

3.) Open a terminal with: "CRTL + ATL + T" or by pressing the Windows key typing in "terminal" (without quotes " ")

4.) Install dnsmasq with the following command:

sudo apt update & sudo apt -y install dnsmasq

5.) Download firmware:

mkdir /tmp/tftp
chown -R ubuntu:ubuntu /tmp/tftp
cd /tmp/tftp
wget https://cdn.awsde0-fusion.fds.api.mi-img.com/xiaoqiang/rom/r3600/miwifi_r3600_all_6510e_3.0.22_INT.bin
mv miwifi_r3600_all_6510e_3.0.22_INT.bin C0A81F02.img

6.) Disconnect your PC from internet and connect it into the first lan port of your bricked router. Do not use any other port like wan or lan port 2, 3. Do not power up the unit yet.

7.) Copy and paste the following commands into the shell (block by block):

sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.bak
sudo mv /etc/dnsmasq.d/ /etc/dnsmasq.d.bak/
sudo systemctl stop dnsmasq

sudo systemctl stop systemd-resolved
sudo systemctl stop systemd-networkd
sudo systemctl stop NetworkManager
sudo sed -i d /etc/resolv.conf
echo 'nameserver 127.0.0.1' | sudo tee -a /etc/resolv.conf

IPT4="/usr/sbin/iptables"
netdevname=$(ls /sys/class/net | grep enp)

sudo ${IPT4} -I INPUT 1 -m conntrack --ctstate NEW,ESTABLISHED -p tcp --dport 69 -j ACCEPT
sudo ${IPT4} -I INPUT 2 -m conntrack --ctstate NEW,ESTABLISHED -p udp --dport 69 -j ACCEPT
sudo ${IPT4} -I INPUT 3 -m conntrack --ctstate NEW,ESTABLISHED -p udp -m multiport --dport 67:68 -j ACCEPT

sudo ip address flush dev ${netdevname}
sudo ip address add 192.168.31.100/24 dev ${netdevname}
sudo ip link set ${netdevname} up

sudo dnsmasq --no-daemon --listen-address=192.168.31.100 --bind-interfaces --dhcp-range=192.168.31.2,192.168.31.2 --enable-tftp --tftp-root=/tmp/tftp

8.) Follow the usual procedure:

Hold the reset button pressed and plug in the power cable. Keep the reset button pressed until the orange system light starts blinking. You can release the reset button after blinking has started.

Output should look like:

sudo dnsmasq --no-daemon --listen-address=192.168.31.100 --bind-interfaces --dhcp-range=192.168.31.2,192.168.31.2 --enable-tftp --tftp-root=/tmp/tftp
dnsmasq: gestartet, Version 2.87, Zwischenspeichergröße 150
dnsmasq: Optionen bei Übersetzung: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC loop-detect inotify dumpfile
dnsmasq-dhcp: DHCP, IP-Bereich 192.168.31.2 -- 192.168.31.2, Leasezeit 1h
dnsmasq-tftp: TFTP Wurzel ist /tmp/tftp
dnsmasq: lese /etc/resolv.conf
dnsmasq: Benutze Namensserver 127.0.0.1#53
dnsmasq: /etc/hosts gelesen - 10 Adressen
dnsmasq-dhcp: DHCPDISCOVER(eth0) 02:68:b3:29:da:98
dnsmasq-dhcp: DHCPOFFER(eth0) 192.168.31.2 02:68:b3:29:da:98
dnsmasq-dhcp: DHCPREQUEST(eth0) 192.168.31.2 02:68:b3:29:da:98
dnsmasq-dhcp: DHCPACK(eth0) 192.168.31.2 02:68:b3:29:da:98
dnsmasq-tftp: /tmp/atftp/C0A81F02.img an 192.168.31.2 verschickt

9.) Wait until the system light starts blinking blue. Now you can remove the power plug and restart the router.

EDIT: Reorganized. Now final.

1 Like
124

thank you for the guide this is a long shot to try ill keep you posted on the result, awhile ago i lredy installed ubuntu on usb for live, do i got straight to 3? install dnsmasq? and so on?

125

I've finished it now. I think I've covered all.

Sure. If you have a live system handy already.

126

hi there are some errors, should i see something on the screen? i think not doing something bec lan light not blinking

mv cannot stat /etc/dnsmasq.conf no such file or directory

127

This is ok. Was not sure if it exist at all. But if it would have existed it would have interfered.

You should see dhcp request on screen and a message about the file is sent.

Well as it turns out I've forgot the part with the ethernet device naming.

For this part:

sudo ip address flush dev eth0
sudo ip address add 192.168.31.100/24 dev eth0
sudo ip link set eth0 up

You have to replace the "eth0" with your interface name.
You can get it with:

nmcli dev status | grep ethernet | awk '{print $1}'
or
ls /sys/class/net | grep enp