Xiaomi AX3600 INT firmware

After installing the international firmware and doing a factory reset (obviously you can only do this safely after modifying bdata to make telnet/UART access persistent), you can configure the region - this covers UI language, allowed channels and the mi-wifi app region.

The Chinese firmware is exclusively Chinese.

Sorry for a potentially dumb question, but how do you calculate this "serial number derived root password"? Couldn't figure out from the link you posted.

Hehe, I had exactly the same problem and had to search quite a while. There are two scripts (one in PHP, the other in Python) somewhere in ax3600-labelled repos on GitHub (sorry, I'm currently not at home and don't have the links on my phone); alternatively there is https://www.oxygen7.cn/miwifi/


Thanks a lot! Looks like here's the python script:

And here's the php script:


Could you please also share 'AX3600 permanently open teleent-ssh.zip' from the article, which contains crash_unlock.img? Spent last hour+ trying to get myself a Baidu account without a Chinese cell phone in order to download it :unamused:

Xiaomi ax3600 ssh guide There is an alternative location on dropbox.


Thanks again! And silly me, this file is also available on the same github repo with the calc_passwd.py script:

UPD: I followed the procedure, and was able to get in after web reset with the calculated password :+1:

Hey, I'm planning to follow this guide and enable telnet permanently. Why do we need to calculate the password? Is there no default password?

Default password (the one it's reset to during web reset) is calculated based on your router serial number (stored in bdata partition). I assume it's done this way for security's sake. Hence you need to derive it once for each router you have.

Okay, and how do I run that Python script? I'm giving the bdata.img path as an argument and it doesn't work.

There's a simple mistake in the Python script. I issued a PR with a fix: https://github.com/odedlaz/ax3600-files/pull/1

Thanks. That worked, and I also found this URL which does the calculation: https://www.oxygen7.cn/miwifi/

And it was present in this URL referred to in the script: https://www.wutaijie.cn/?p=254

I followed the guide and did everything, but now I have lost SSH/Telnet access. What could be the reason? Wi-Fi is working and I'm on the international version.

Hey, I followed the guide. After the reset on the INT firmware I lost both SSH and Telnet. Not sure what went wrong. Will the permanent thing work only for the Chinese version?

No, it works fine with both.

Okay. I thought of starting it again, but after going to v17 and dumping bdata I see it's the one I modified. So yes, it's permanent. Now I'm updating to the INT version over the UI; once done I will use PuTTY and connect using telnet to execute the 3 steps, right? To restore SSH?

Sorry, I guess I'm doing something wrong. After updating to the INT firmware in the UI I'm losing telnet and SSH. I never used the calculated password anywhere. Feels strange.

Do the basic configuration over the web interface first, before trying to connect with telnet. This bdata procedure survives firmware upgrades and complete factory resets, it's permanent - but you do have to re-enable (and restart) ssh access, by editing /etc/init.d/dropbear (change release to something else, e.g. release2 in the corresponding if clause of that initscript) over telnet (and restart it afterwards).

Thanks. Even now, when I dump bdata by going back to 17v and running those URLs to get access to SSH, the bdata data is already modified.

Yes, I did the web interface setup first, and then with PuTTY telnet and port 22/23 I'm getting connection refused. I'm not able to execute those 3 commands without telnet. Is it some other port?

Is it some other port?

No, just standard ports. Could you possibly have gotten the CRC32 checksum wrong when patching bdata? Like a typo when reversing the byte order? It worked fine for me, and I did lose wifi signal after the web reset, which was fixed after erasing crash and rebooting.
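
The CRC32 concern raised in the last reply can be checked offline before a patched image is written back. The Python below is an added example, not code from the thread or the linked repositories; it assumes the image uses the common U-Boot environment layout (a 4-byte little-endian CRC32 header computed over the rest of the image, followed by NUL-separated key=value entries), which the thread does not state, and its sample image and variable names are constructed.

```python
import struct
import zlib

def payload_crc(image: bytes) -> int:
    """CRC32 over everything after the 4-byte header (assumed layout)."""
    return zlib.crc32(image[4:]) & 0xFFFFFFFF

def check_image(image: bytes) -> str:
    """Classify the header as 'ok', 'byte-swapped' or 'mismatch'."""
    want = payload_crc(image)
    if struct.unpack_from("<I", image)[0] == want:
        return "ok"
    if struct.unpack_from(">I", image)[0] == want:
        return "byte-swapped"  # correct digits, typed in without reversing
    return "mismatch"          # payload edited but header not recomputed

def fix_crc(image: bytes) -> bytes:
    """Return a copy whose header matches the payload (little-endian)."""
    return struct.pack("<I", payload_crc(image)) + image[4:]

def parse_vars(image: bytes) -> dict:
    """Read NUL-separated key=value entries up to the first empty entry."""
    out = {}
    for entry in image[4:].split(b"\0"):
        if not entry:
            break
        key, _, value = entry.partition(b"=")
        out[key.decode()] = value.decode()
    return out

def build_sample(size: int = 0x100) -> bytes:
    """Constructed sample, not a real dump; names and size are made up."""
    body = b"demo_serial=CONSTRUCTED-0001\0demo_flag=0\0\0"
    return fix_crc(b"\0" * 4 + body.ljust(size - 4, b"\0"))

if __name__ == "__main__":
    good = build_sample()
    edited = good.replace(b"demo_flag=0", b"demo_flag=1")
    print(check_image(good), check_image(edited), check_image(fix_crc(edited)))
    print(parse_vars(edited))
```

Running `check_image` on the patched file and comparing `parse_vars` output against the original dump shows whether only the intended entries changed and whether the header was stored in the right byte order.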