Xiaomi AX3600 INT firmware

I have the AX3600 version from European distribution.

I went back to version 1.0.17 to enable ssh (I used the tutorial https://openwrt.org/inbox/toh/xiaomi/xiaomi_ax3600) then uploaded @ alllexx88 https://www112.zippyshare.com/v/9Z0MFiYm/file.html using https://github.com/geekman/xqrepack#usage.

Everything worked out, I have version 3.0.22 (in English) with working SSH access, I turned off dns in dnsmasq to use the better smartdns software - it worked

I have a problem with "Activate NAT reflection for this redirect - applicable to DNAT targets.", I have redirected ports for openmediavault. I can access the domain from the external network and only via wifi on the internal network, access from the equipment connected via the cable does not work.

Do you know how to fix it?

As I keep seeing the same posts all the time and I don't think anyone has explained it yet, I will.

To anyone wondering why they are having either 30 dBm or 14 dBm / 16 dBm / 23 dBm TX-power values set on their wlX interfaces regardless of the country that they set - you can only blame the Xiaomi developers because of their laziness.

There is a script /lib/wifi/qcawificfg80211.sh that manages all the configurations for the wireless interfaces. Most of the code in the script was written by Qualcomm, but some parts were added by Xiaomi.

One of the parts, especially important in this case, is this one:

# for miwifi
if [ "$bdmode" = "24G" ]; then
		max_power=30
		wifitool "$ifname" setUnitTestCmd 67 3 16 1 1
		iwpriv "$ifname" 11ngvhtintop 1
else
		max_power=30
fi
if [ "$bd_country_code" = "EU" ]; then
		if [ "$bdmode" = "24G" ]; then
				max_power=14
		else
				if [ "$channel" -ge 100 ]; then
						max_power=23
				else
						max_power=16
				fi
		fi
		if [ $ifname = "wl2" ]; then
				max_power=13
		fi
fi
#miwifi: reduce 3db for Brazil band1
if [ "$nv_country_code" = "BR" ]; then
		if [ "$bdmode" = "5G" -a "$channel" -le 48 ]; then
				max_power=13
		fi
fi
#miwifi: we use band1 txpower for wifi ap mode
netmode=`uci get xiaoqiang.common.NETMODE`
if [ -n "$netmode" -a "$netmode" = "wifiapmode" -a "$bdmode" = "5G" ]; then
		max_power=16
		if [ "$nv_country_code" = "BR" ]; then
				max_power=13
		fi
fi
config_get txpwr "$device" txpwr
if [ "$txpwr" = "mid" ]; then
		txpower=`expr $max_power - 1`
elif [ "$txpwr" = "min" ]; then
		txpower=`expr $max_power - 3`
else
		txpower="$max_power"
fi

txpower="${txpower:-$vif_txpower}"
[ -z "$txpower" ] || iwconfig "$ifname" txpower "${txpower%%.*}"

$bd_country_code is a variable retrieved from bdata get CountryCode command
$nv_country_code from nvram get CountryCode

From reading the code, we can assume that there are only two valid values for bdata's CountryCode, which are either CN or EU. Setting it to CN will always result with TX-power set to 30 dBm for both 2.4 and 5 GHz (unless you set your nvram's CountryCode to Brazil or modify 'Signal Strength' value in Web GUI).

nvram's CountryCode is probably the value that we set in the Web GUI during our initial configuration of the router and in case of TX-power its value is not affecting us in most cases - unless you are from Brazil, where the power for 5 GHz would be set to 13 dBm.

So now we have few options:

1. Modify the script and hard code your preferred values - but it cannot be done directly on the router because of the read-only SquashFS filesystem.
2. Set the values manually every time your router is restarted.
3. Create some script that will be executed at boot and will do that for you.
4. Configure the interfaces according to the script above to get the most out of it, so if you are from Europe ($bd_country_code = "EU"):
   • For 2.4 GHz (wl1) you cannot do much, it will be limited to 14 dBm.
   • For 5 GHz (wl0), setting channel to 100 and below will result with TX-power 16 dBm and greater than 100 23 dBm.
5. Keep the bdata's CountryCode set to CN and keep 30 dBm, which is most likely illegal in your country.

About the blocked channels, it is also hard coded in the script:

config wifi-iface
        option device   wifi$devidx
        option ifname   'wl$radioidx'
        option network  '$network'
        option mode     '$mode'
        option ssid     '$ssid'
        option encryption none
        option wpsdevicename 'XiaoMiRouter'

EOF
        if [ $devidx = 0 ]; then
                cat <<EOF
        option channel_block_list '52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,144,165'
        option miwifi_mesh '1'
EOF

@perceival the performance issue with channel 165 may comes from the script setting htmode on channel 165 to HT20: it just hit me today that channel 165 has very narrow range, therefore only this mode is available and the performance won't be good https://en.wikipedia.org/wiki/List_of_WLAN_channels#5_GHz_or_5.9_GHz_(802.11a/h/j/n/ac/ax)

if [ "$channel" = 165 ]; then
		htmode=HT20
fi

iw reg set fix can be done earlier in the boot process by specifying ieee80211_regdom, when loading cfg80211 module:

cat /etc/modules.d/30-cfg80211-linux
cfg80211 ieee80211_regdom=GB

As mentioned by @pbaclawski , /lib/wifi/qcawificfg80211.sh screws up everything. I am also under impression, that hostapd has its own understanding of the regulatory domain which can be different from kernel. For example, it ignores the message below from the kernel log and allows to run 5GHz AP on prohibited channels, e.g. channel 64 below.

Kernel log:

daemon.notice procd: /etc/init.d/network: [52] [56] [60] [64] [100] [104] [108] [112] [116] [120] [124] [128] [132] [136] [140] [144] [165]

I was stuck with my Mac, complaining about mis-matching country code, advertised by AX3600 (manually configured illegal channel):

/System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport -s
                            SSID BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
                            A091 88:c3:97:xx:xx:xa -52  64      Y  -- WPA2(PSK,SAE/AES/AES) 
                            A091 88:c3:97:xx:xx:x9 -33  6       Y  -- WPA2(PSK,SAE/AES/AES)

Finally, I've managed to fix it:

/usr/sbin/hostapd_cli -i wl0 -p /var/run/hostapd-wifi0 -P /var/run/hostapd_cli-wl0.pid set country_code GB
/usr/sbin/hostapd_cli -i wl0 -p /var/run/hostapd-wifi0 -P /var/run/hostapd_cli-wl0.pid set ieee80211d 1
/usr/sbin/hostapd_cli -i wl0 -p /var/run/hostapd-wifi0 -P /var/run/hostapd_cli-wl0.pid reload

/usr/sbin/hostapd_cli -i wl1 -p /var/run/hostapd-wifi1 -P /var/run/hostapd_cli-wl1.pid set country_code GB
/usr/sbin/hostapd_cli -i wl1 -p /var/run/hostapd-wifi1 -P /var/run/hostapd_cli-wl1.pid set ieee80211d 1
/usr/sbin/hostapd_cli -i wl1 -p /var/run/hostapd-wifi1 -P /var/run/hostapd_cli-wl1.pid reload

Happy Mac (manually configured legal channel):

/System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport -s
                            SSID BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
                            A091 88:c3:97:xx:xx:xa -51  48      Y  GB WPA2(PSK,SAE/AES/AES) 
                            A091 88:c3:97:xx:xx:x9 -35  6       Y  GB WPA2(PSK,SAE/AES/AES)

For some reason, uci doesn't allow 802.11d to be activated via any combination of options. And no, the above code doesn't work from /etc/rc.local either, because AP isn't yet initialised, when it fires up.

One more thingy: the xqrepack crontab mod doesn't survive the factory reset, and needs an update.

crontab -e

#*/1 * * * * /usr/sbin/ap_mode.sh check_gw

xqrepack logic seems to be missing two more services to disable, at least in miwifi_r3600_all_6510e_3.0.22_INT.bin:

service xiaoqiang_sync stop
service xiaoqiang_sync disable

service wan_check stop
service wan_check disable

Mine is not stable with 5 GHz for many frequency bands in AC and AX mode, it does not connect with devices and I have to connect with 2.4GHz and go to menu to try the bands, sometime it works with a band but next time doesn't. I decided to return the router if possible, I brought it in all the hype but this router doesn't have many functions along with all the instability. Price is not low, it doesn't even come with power on/off button, usb port, VLAN, different firewall options, openvpn, can't run openwrt etc...long list.

My CounrtyCode is GB in bdata and nvram. txpower runs at 1,000 mW on both radios (illegally) - without any tweaking from my side. The artificial option channel_block_list seems to be ignored by qca-hostapd. In my reading of wikipedia's WLAN channels, option channel_block_list doesn't correspond to the list of prohibited 5 GHz channels either.

The higher the channel number, the higher the frequency. High frequency signal is more affected by the obstacles, such as walls and ceilings. Channel 100 seems to be the lowest to operate at 1,000 mW txpower here, in the UK.

I live in a densely populated area, radio frequency-wise. Out of 21 broadcasting devices nearby, I am responsible for eight. Virgin Media Hub 3 is over-heating, while serving a single client device. The rest of the wireless devices are connected via AirPort Time Capsule (PN5S). It shows signs of age, and, with ever increasing number of devices, it seems to be barely coping for now. AX3600 (A091) is a beauty, and it's reasonably priced. The connection is stable and fast, and it has some potential.

Check with the list of the neighbouring channels. Chances are your AX3600 is picking up a saturated channel. Monitor your airspace for some time and select a channel, less frequently taken by others.

It's also important to know are you iOS or Android, and whether any of your devices use Intel wireless chipset. Neither of the mods takes care of 802.11d which may affect older Apple devices.

Power on/off button is normally part of the power socket here, in the UK ;o). Your home automation needs Wi-Fi 24x7 anyways.

USB port is out of fashion. Everything is streaming via subscriptions these days.

Different firewall options and OpenVPN are all built-in. Switch from bridged to routed mode. VLAN is here.

An illustration of the saturated 2.4 GHz and 5 GHz channels:

<hidden ESSID>  7A:A2:22:xx:xx:xx 59%, -69 dBm, ch   1, 2412 MHz	53% chan	
A091			88:C3:97:xx:xx:xx 91%, -46 dBm, ch   1, 2412 MHz	ESS, Radio Measure	
BT-JCA6QG		04:A2:22:xx:xx:xx 49%, -76 dBm, ch   1, 2412 MHz	53% chan, Radio Measure	
BTWi-fi			7A:A2:22:xx:xx:xx 54%, -72 dBm, ch   1, 2412 MHz	53% chan	
PLUSNET-6QHX	64:66:24:xx:xx:xx 81%, -53 dBm, ch   1, 2412 MHz	ESS	
PN5S			60:33:4B:xx:xx:xx 64%, -65 dBm, ch   6, 2437 MHz	ESS, Radio Measure	
TALKTALK759F4F	5C:B1:3E:xx:xx:xx 41%, -81 dBm, ch   6, 2437 MHz	6 sta, 76% chan, Spectrum Mgmt
QAmMwGNF		20:91:48:xx:xx:xx 77%, -56 dBm, ch  11, 2462 MHz	ESS	
SKYIRVDE		04:81:9B:xx:xx:xx 46%, -78 dBm, ch  11, 2462 MHz	28% chan, Radio Measure	
Virgin Media	F6:57:40:xx:xx:xx 84%, -51 dBm, ch  11, 2462 MHz	ESS	
VM4236202		E4:57:40:xx:xx:xx 86%, -50 dBm, ch  11, 2462 MHz	ESS, Radio Measure	
SSE Broadband9  20:B0:01:xx:xx:xx 37%, -84 dBm, ch  11, 2462 MHz	78% chan, Radio Measure
<hidden ESSID>	72:A2:22:xx:xx:xx 24%, -93 dBm, ch  36, 5180 MHz	39% chan, Spectrum Mgmt	
BT-JCA6QG		04:A2:22:xx:xx:xx 24%, -93 dBm, ch  36, 5180 MHz	2 sta, 14% chan, Radio Measure, Spectrum Mgmt
BTWi-fi			72:A2:22:xx:xx:xx 26%, -92 dBm, ch  36, 5180 MHz	39% chan, Spectrum Mgmt	
BTWifi-X		72:A2:22:xx:xx:xx 24%, -93 dBm, ch  36, 5180 MHz	39% chan, Spectrum Mgmt	
TALKTALK759F-5G	5C:B1:3E:xx:xx:xx 27%, -91 dBm, ch  40, 5200 MHz	2 sta, 21% chan, Spectrum Mgmt
PN5S			60:33:4B:xx:xx:xx 69%, -62 dBm, ch  44, 5220 MHz	ESS, Radio Measure, Spectrum Mgmt
VM4236202		E4:57:40:xx:xx:xx 74%, -58 dBm, ch  44, 5220 MHz	ESS, Radio Measure, Spectrum Mgmt
PLUSNET-6Q_5GHz	64:66:24:xx:xx:xx 61%, -67 dBm, ch  48, 5240 MHz	ESS, Spectrum Mgmt	
A091			88:C3:97:xx:xx:xx 70%, -61 dBm, ch 100, 5500 MHz	ESS, Radio Measure, Spectrum Mgmt

Here in a German city, both bands have many wifi running in my neighborhood. Interestingly, I have success on channel 40 where most of other hidden ssid wifis are located, strange. I did change from version 1.0.17 and using xqrepack upgraded to 1.0.67, it is not running MI process as xqrepack remove many of them as per their page, not sure if that is the issue though without upgrade I won't be getting 160Mhz band or other improvement as told by other. Version 1.0.17 seems stable to me though.

I've a laptop running AX200 wifi card and an android phone, the phone connect with 866 Mbps but PC connect with 1.7Gbps in AC mode though in other channel other than 40, it drops to 6Mbps and then comes up at 1.7 Mbps but never run with stability. Same in AX mode where PC connect with 2.4 Gbps.
Other device from other people in house, mostly latest iPhone. Not asked them if they have any problem yet. In this channel, it is working fine in our 60 sq m home. I did not change the country code yet to Germany which I honest not sure if I can do it without bricking it.

Yes, this has potential and I hope that OpenWRT will be ported to this router. I thought that with this memory, we can install many useful apps once OpenWRT is ported including OpenVPN or Wireguard..Maybe I am right, experts on the topic may tell us more if that will/may be the case.

I don't see any Firewall options in interface, there is just DMZ. No option to OpenVPN in web interface either. You may set it up with SSH but I have not seen any guide if that is possible or not with this router. I use NordVPN, I tried that with TP-Link which was running OpenWRT but process required setting a profile in gui and some tweak to network config file which I did not try with this router yet.

USB can be quite handy sometimes, I have an older printer with USB port and could connect that to TP-Link USB port, and can share files with other members of family.

Though if this router could run OpenWRT, I can forget USB or some other functions. Only advantage I can see so far, for me, I can get wifi working in some spots with full speed which were very weak with older router.

could you please post system logs with txpowerlist and wifi channels ?

You should test it with iperf3. I saw similar behavior a while back but still iperf was all the time running at Gigabit Ethernet wire speeds regardless what speed AX200 reported.

PS. Do not test it from kernel 5.9+. There are a lot of retries with AX200 firmware and newer kernels.

Dear.

I received today mi AX3600, downgrade, obtained ssh, patched bdata and upgraded to 3.0.22 int firmware (unpatched).

When I configure VLAN in /etc/config/network, every time i reboot the Xiaomi system overwrite the file, the section overried is:

config interface 'wan'
option proto 'pppoe'
option mtu '1480'
option special '1'
option ifname 'eth1.603'
Last line, is override every time i reboot with 'eth1' only.

I try putting the file as readonly, symbolic link, but all times was overwriten. The only way is manual change and restart /etc/network for get internet working.

I found the following script:

/usr/sbin/ap_mode.sh

The interesting section is:

bridgeap_close_r3600_default() {
echo "#######################bridgeap_close_r3600_default###############"
uci -q batch <<-EOF >/dev/null
delete network
set network.@switch[0]=switch
set network.@switch[0].name='switch0'
set network.loopback=interface
set network.loopback.ifname='lo'
set network.loopback.proto='static'
set network.loopback.ipaddr='127.0.0.1'
set network.loopback.netmask='255.0.0.0'
set network.lan=interface
set network.lan.type='bridge'
set network.lan.ifname='eth2 eth3 eth4'
set network.lan.proto='static'
set network.lan.ipaddr='192.168.31.1'
set network.lan.netmask='255.255.255.0'
set network.eth1=interface
set network.eth1.ifname='eth1'
set network.eth1.keepup='1'
set network.wan='interface'
set network.wan.proto='dhcp'
set network.wan.ifname='eth1'
commit network

delete dhcp.lan.ignore;                                                   
commit dhcp                                                

EOF

I tried the comment the section set network.eth1.ifname='eth1' but system is read only.

What is the correct way to make my changes persistent?

I don't recall seeing much on txpower and channels on the logs .

My setup (miwifi_r3600_all_6510e_3.0.22_INT with mods from my first post):

root@XiaoQiang:~# uci show wireless|grep -e country
wireless.wifi0.country='GB'
wireless.wifi1.country='GB'
wireless.wifi2.country='GB'
root@XiaoQiang:~# nvram show| grep -i country
CountryCode=GB
root@XiaoQiang:~# bdata show| grep -i country
CountryCode=GB

Power (oops! I need to do something about it):
root@XiaoQiang:~# iwlist wl0 txpower

wl0       8 available transmit-powers :
          0 dBm         (1 mW)
          6 dBm         (3 mW)
          10 dBm        (10 mW)
          14 dBm        (25 mW)
          18 dBm        (63 mW)
          22 dBm        (158 mW)
          26 dBm        (398 mW)
          30 dBm        (1000 mW)
          Current Tx-Power=30 dBm       (1000 mW)

root@XiaoQiang:~# iwlist wl1 txpower
wl1       8 available transmit-powers :
          0 dBm         (1 mW)
          6 dBm         (3 mW)
          10 dBm        (10 mW)
          14 dBm        (25 mW)
          18 dBm        (63 mW)
          22 dBm        (158 mW)
          26 dBm        (398 mW)
          30 dBm        (1000 mW)
          Current Tx-Power=30 dBm       (1000 mW)

root@XiaoQiang:~# iwlist wl2 txpower
wl2       8 available transmit-powers :
          0 dBm         (1 mW)
          7 dBm         (5 mW)
          11 dBm        (12 mW)
          15 dBm        (31 mW)
          19 dBm        (79 mW)
          23 dBm        (199 mW)
          27 dBm        (501 mW)
          31 dBm        (1258 mW)
          Current Tx-Power=31 dBm       (1258 mW)

Frequencies:

root@XiaoQiang:~# iwlist wl0 freq
wl0       258 channels in total; available frequencies :
          Channel 36 : 5.18 GHz
          Channel 40 : 5.2 GHz
          Channel 44 : 5.22 GHz
          Channel 48 : 5.24 GHz
          Channel 52 : 5.26 GHz
          Channel 56 : 5.28 GHz
          Channel 60 : 5.3 GHz
          Channel 64 : 5.32 GHz
          Channel 100 : 5.5 GHz
          Channel 104 : 5.52 GHz
          Channel 108 : 5.54 GHz
          Channel 112 : 5.56 GHz
          Channel 116 : 5.58 GHz
          Channel 120 : 5.6 GHz
          Channel 124 : 5.62 GHz
          Channel 128 : 5.64 GHz
          Channel 132 : 5.66 GHz
          Channel 136 : 5.68 GHz
          Channel 140 : 5.7 GHz
          Current Frequency:5.5 GHz (Channel 100)

root@XiaoQiang:~# iwlist wl1 freq
wl1       88 channels in total; available frequencies :
          Channel 01 : 2.412 GHz
          Channel 02 : 2.417 GHz
          Channel 03 : 2.422 GHz
          Channel 04 : 2.427 GHz
          Channel 05 : 2.432 GHz
          Channel 06 : 2.437 GHz
          Channel 07 : 2.442 GHz
          Channel 08 : 2.447 GHz
          Channel 09 : 2.452 GHz
          Channel 10 : 2.457 GHz
          Channel 11 : 2.462 GHz
          Channel 12 : 2.467 GHz
          Channel 13 : 2.472 GHz
          Current Frequency:2.412 GHz (Channel 1)

root@XiaoQiang:~# iwlist wl2 freq
wl2       166 channels in total; available frequencies :
          Channel 01 : 2.412 GHz
          Channel 02 : 2.417 GHz
          Channel 03 : 2.422 GHz
          Channel 04 : 2.427 GHz
          Channel 05 : 2.432 GHz
          Channel 06 : 2.437 GHz
          Channel 07 : 2.442 GHz
          Channel 08 : 2.447 GHz
          Channel 09 : 2.452 GHz
          Channel 10 : 2.457 GHz
          Channel 11 : 2.462 GHz
          Channel 12 : 2.467 GHz
          Channel 13 : 2.472 GHz
          Channel 36 : 5.18 GHz
          Channel 40 : 5.2 GHz
          Channel 44 : 5.22 GHz
          Channel 48 : 5.24 GHz
          Channel 52 : 5.26 GHz
          Channel 56 : 5.28 GHz
          Channel 60 : 5.3 GHz
          Channel 64 : 5.32 GHz
          Channel 100 : 5.5 GHz
          Channel 104 : 5.52 GHz
          Channel 108 : 5.54 GHz
          Channel 112 : 5.56 GHz
          Channel 116 : 5.58 GHz
          Channel 120 : 5.6 GHz
          Channel 124 : 5.62 GHz
          Channel 128 : 5.64 GHz
          Channel 132 : 5.66 GHz
          Channel 136 : 5.68 GHz
          Channel 140 : 5.7 GHz
          Current Frequency:2.412 GHz (Channel 1)

@acubino, check with xqrepack author's post. He is describing VLAN tweaks to much extent, including MTU tuning.

And yes, root filesystem (including /usr) is read-only. There should be a very rare need to modify it

Hi,

I'm looking for an AX3600 and I'd like it to be in English. The simplest would be to find a global version but otherwise, I can buy any chinese version on AliExpress and flash the latest international firmware, correct? Will I be able to set language to English and use the full dBm, regardless of the country it's in?

Has there been a version with EU plug or will I need an adapter in every case?

yes to both of your questions

Thank you!

Any advice on a version with the EU plug that would be available on AliExpress?
(I have a coupon to use)

And for the max dBm, I should state during the first start that I live in China/The Philipine or something like that, right?

I got Chinese version with EU adapter 2 week ago delivered from France to Germany.

If it's Chinese variant, it will run with max dB no matter which version it is running or what version you update to. You need to patch it to reduce it power as running at Chinese dB limit may not be legal in your country.

tt2g shared a workaround in a previous post by updating /etc/rc.local:

uci set network.wan.ifname='eth1.7'
uci commit
/etc/init.d/network reload
exit 0

Care to share the Aliexpress listing?
(You had to flash it to get the english interface, right?)

Almost in my case, the rc.local is in /etc

I don't know why, but i need to change the reload of network to restart. With reload dont have connectivity, but this fix works like a charm.

/etc/rc.local

uci set network.wan.ifname='eth1.7'
uci commit
/etc/init.d/network reload
exit 0

Finally VLAN working, i remove my fibber operator router.

Search for the shop called Xiaomi TookFun Tech Store. They have delivery from Poland, France and Spain in the EU. If page doesn't show these countries active, that means it is out of stock from these locations and you have to wait for few days for the restock. Keep checking and once available, order without wait. That what happened to me too, luckily the item was restocked within 3 days.

Yes, you have to reflash it with INT version. If you want ssh then you have to use xqrepack method plus many have uploaded the rom in the forum, you can use that too though you will need ssh so you have to first flash 1.0.17 version and follow other steps to get ssh.