Xiaomi AX3600 INT firmware

I'm not talking about the Smart QOS bandwidth limit. It is on the same page, and either you have to do a speed test in the router page itself (as with Chinese stock firmware) or you have to manually give those values. If you feed in wrong values (lower than what your internet provider is giving), then the router speed will be throttled to those values.

I bought the ax3600 from European distribution. Due to the relatively poor range, I want to change CountryCode to CN or SG and stay with the Global software. As per the forum instructions, I downgraded to 1.0.17 to access SSH and changed CountryCode using the command:

nvram set CountryCode=XX
nvram commit

As a result, the transmission power increased to 30 dBm. Then I installed the Global software in the latest version. Poor coverage returned with the update. However, the CN / SG region was still in the settings. I also tried resetting the router to factory settings and setting the country via the GUI.

After reinstalling 1.0.17 and checking in SSH with the command below

nvram get CountryCode

CountryCode was showing EU.

Could you please give me step-by-step instructions on how to change CountryCode in bdata to CN / SG permanently? So I would be able to use Global software and keep the 30 dBm.


There are a lot of instructions around, but basically they are just few, but posted on different sources. Use search, Google etc :wink: I guess there was link to in this thread. And follow instructions very strictly and carefully!!! Otherwise you will run back and wiii... why it doesn't work or even will brick your router.

I bought the ax3600 as well. I'm sorry to spam the thread a little bit, but I tried to use Uncle Google (as Aivarss suggested), however I couldn't find any step-by-step guide regarding the CN or SG region code. Have you found any useful link with a step-by-step guide? Thanks in advance.

I actually tried every available instruction that you can find via Google. Like this one:

None of them worked. CountryCode was switching back to EU every time I was installing Global firmware. I tried a few times - no luck. I guess there is no way to change region to SG, use Global and the Mi WiFi app. I'll try to gain permanent SSH and change CountryCode in Global, but I guess this is gonna crash the Mi WiFi app. The best way is to buy a Chinese one.

https://forum.openwrt.org/t/xiaomi-ax3600-ssh-guide/65438
On this forum as well :-/

Thank you, but the guide which you linked is a step-by-step instruction on how to gain SSH access and change CountryCode in early Chinese firmware. Definitely, it's not an instruction we are looking for.


https://4pda.ru/forum/index.php?showtopic=983152&st=3440
Here is a very active thread, but in Russian. Use Google :wink: If there was any tweak or hack around for AX3600, it is discussed there. But all of that is mentioned on this forum as well.
mjuter, as I said, looks like you do something wrong. People around got all permanent, even after reset.

I managed to change EU to CN using @odedlaz tutorial:

https://oded.dev/2020/11/30/AX3600-1

It's clear and describes everything step-by-step. It's finally working as it should, taking into account that I'm not the "Terminal" guy. Now I'm able to use Global firmware and make use of the AX3600's full performance.

If you are on macOS, remember to add python3 before executing any script. Wasted a lot of time on this - I need to read the log carefully next time. To get telnet access you will need Homebrew app, since macOS no longer supports this protocol.

I found ax3600_tool fairly straightforward and easy to use. From a security point of view, it's better to review the original code and compile it, rather than trust unverified crash partition downloads. AX3600 is already sending a lot of stuff back to China.

Once mt9 partition is unlocked, CountryCode can be changed from the command line:

bdata set CountryCode=CN
bdata commit

Don't forget to lock mt9 partition afterwards and reboot, otherwise Wi-Fi will disappear. When this happens, the only way to access the router will be the Ethernet port at the back.


Looking at the code, it writes four bytes: A55A0000 (hex) to the beginning of /dev/mtd10, the crash partition, to unlock bdata, and restores the beginning to FFFFFFFF to lock it back. This unlocking is absolutely the same as writing the crash_unlock.img from the https://oded.dev/2020/11/30/AX3600-1 tutorial (open it in a hex editor to see for yourself). So, from a security perspective, there's no difference which method you use: we still don't know what these magic A55A0000 bytes mean.
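
For the two posts above (reviewing what you flash rather than trusting a downloaded crash image, and the A55A0000 / FFFFFFFF header), an added example that is not from the thread or from ax3600_tool: a workstation-side check of a crash-partition image or dump. The function names are made up here, the sample images are constructed, and treating "magic followed only by erased 0xFF bytes" as the expected layout is an assumption of this check.

```shell
#!/bin/sh
# Added example: inspect a crash-partition image/dump before writing it.
# Header values A55A0000 (unlock) and FFFFFFFF (lock) are the ones quoted in the post.
export LC_ALL=C   # force byte-wise behaviour in tr/od

# Print "unlocked", "locked" or "unknown:<hex>" for the file in $1.
crash_header_state() {
    hdr=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$hdr" in
        a55a0000) echo unlocked ;;
        ffffffff) echo locked ;;
        *)        echo "unknown:$hdr" ;;
    esac
}

# Print how many bytes after the 4-byte header are not 0xFF (erased flash).
# Anything above 0 means the image carries more than the magic value.
crash_extra_bytes() {
    tail -c +5 "$1" | tr -d '\377' | wc -c | tr -d ' '
}

# Succeed only for "unlock magic + nothing but 0xFF" (assumed policy, see lead-in).
audit_crash_image() {
    state=$(crash_header_state "$1")
    extra=$(crash_extra_bytes "$1")
    echo "$1: header=$state non_ff_after_header=$extra"
    [ "$state" = unlocked ] && [ "$extra" -eq 0 ]
}

# Constructed sample images (NOT the real crash_unlock.img).
demo=$(mktemp -d)
printf '\245\132\000\000\377\377\377\377' > "$demo/clean.img"
printf '\245\132\000\000\377\377BAD!'     > "$demo/extra.img"
printf '\377\377\377\377\377\377\377\377' > "$demo/locked.img"
for f in clean extra locked; do
    audit_crash_image "$demo/$f.img" && echo "  magic only" || echo "  look closer"
done
rm -rf "$demo"
```
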

A55A (hex) = 1010 0101 0101 1010 (bin)
this pattern is frequently used for memory tests, as 1 and 0 are alternating.

Thanks, it's interesting to know, however we still don't know what effects (if any) writing this to the crash partition has, beyond making bdata writeable.

Hi,
Is this bug resolved? iwconfig shows the txpower properly but iw info shows txpower 42949607.96 dBm.

Pls reply what could be the issue

Thanks in Advance,

All,

Since it seems like development on the OpenWRT firmware for the AX3600 has slowed - I've been hacking away to see if I could leverage the AIoT radio for other purposes (wl2 interface). It appears that I've made some headway. Thus far, I've managed to get the wl2 radio up with a custom SSID/pass as well as serving DHCP from the LAN. The trick here was that the /lib/wifi/qcawificfg80211.sh has an entry which disables wl2 during configuration of the radios (thus making any changes to /etc/config/wireless on wl2 ineffective). As I'm using the geekman/xqrepack to push the INT firmware onto my CN AX3600 - I added a step in there to comment out the following from the /lib/wifi/qcawificfg80211.sh config script:

        if [ $ifname = "wl2" ]; then
               ifconfig $ifname down
        fi

Once I did this and flashed the new image - I was able to configure the wl2 interface with the following settings in the /etc/config/wireless file:

config wifi-device 'wifi2'
	option type 'qcawificfg80211'
	option channel 'auto'
	option hwmode '11ac'
	option macaddr 'xx:xx:xx:xx:xx:xx'
	option disabled '0'

config wifi-iface
	option device 'wifi2'
	option ifname 'wl2'
	option mode 'ap'
	option network 'lan'
	option ssid 'TestIoT'
	option key 'bbbbbbbbb'
	option encryption 'psk2+ccmp'
	option wpsdevicename 'XiaoMiRouter'
	option disabled '0'
	option hidden '0'

I haven't been running it for long and haven't put my various IoT things on it (tested with my iPhone 7 so far) but wanted to toss this up here in case others were looking for hacking the AIoT antenna for other purposes.

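
One way to script the "comment out" step described in the post above, as an added example (the poster's actual xqrepack change is not shown in the thread). `disable_wl2_shutdown` is a hypothetical helper; the caller passes the path of qcawificfg80211.sh inside the unpacked root filesystem, and the sample file is a constructed fragment.

```shell
#!/bin/sh
# Added example: comment out the wl2 "ifconfig down" block quoted in the post.
# Usage: disable_wl2_shutdown <path to qcawificfg80211.sh in the unpacked rootfs>
disable_wl2_shutdown() {
    f=$1
    tmp=$(mktemp) || return 1
    # Range starts at an *uncommented* wl2 test and ends at a line holding only "fi".
    # A bare /fi/ end pattern would stop one line early: "ifconfig" contains "fi".
    sed '/^[[:space:]]*if \[ \$ifname = "wl2" ]; then/,/^[[:space:]]*fi[[:space:]]*$/ s/^/#/' \
        "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$f"     # overwrite in place, keeping the file's mode and owner
    rm -f "$tmp"
    # Succeed only if the commented-out test is present, so a firmware version
    # where the block looks different is reported instead of silently skipped.
    grep -q '^#[[:space:]]*if \[ \$ifname = "wl2" ]' "$f"
}

# Constructed fragment (not the real script) to show the effect.
demo=$(mktemp)
cat > "$demo" <<'EOF'
        if [ $ifname = "wl2" ]; then
               ifconfig $ifname down
        fi
        ifconfig $ifname up
EOF
disable_wl2_shutdown "$demo" && cat "$demo"
rm -f "$demo"
```

Running it a second time on the same file changes nothing, because already commented lines no longer match the start of the range.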

After some testing - I've managed to get my IoT-ish things operating on the AIoT radio. The bandwidth appears to max out around 6-10Mbps but this is more than sufficient for all the switches/etc. to run on. Below captures the changes (still need to edit the /lib/wifi/qcawificfg80211.sh as mentioned above):

config wifi-device 'wifi2'
        option type 'qcawificfg80211'
        option channel 'auto'
        option hwmode '11g'
        option htmode 'HT20'
        option txpwr '13'
        option macaddr 'xx:xx:xx:xx:xx:xx'
        option country 'CN'
        option disabled '0'

config wifi-iface
        option device 'wifi2'
        option ifname 'wl2'
        option mode 'ap'
        option network 'lan'
        option ssid 'TestIoT'
        option key 'bbbbbbbbb'
        option encryption 'psk2+ccmp'
        option disabled '0'
        option hidden '0'

I've also created another 2.4 GHz wifi network for my IoT devices with proper firewall setup (no internet access etc) but not on the wifi2 device. I'm not sure if there's much of a benefit in using the wifi2 device for that.

Yeah I'm not quite sure either at this point other than it's a totally separate radio and frees up the main 2.4 radio to talk to streaming devices/etc.

hey guys

this is my first post so please excuse me if I miss something.

I installed the EU firmware and changed CountryCode to CN as well as patched the bdata to be "CN" as well.

Now I can start the Mi Wifi App, log in to my (German) Mi account, change the region to CN and the router is found and I can log in and the devices are shown, however when I try to "do" anything with them it tells me it can't connect to the router, it also shows "offline" on the main screen.

How can I get my router back to work? I once haven't "unpaired" it from my German account, might that be the issue? I checked my DNS and there isn't a block or sth to miui.

Thanks :slight_smile:
Rob

Hello, can you give me the lines to add to repack-squashfs.sh to use this IoT antenna? I want to create an IoT antenna visible on my network and then add a relay. Thank you