Xiaomi AX3600 INT firmware

Some Xiaomi service

Hi there
I'm trying to enable ssh on downgraded firmware, but keep getting {"msg":"Parameter error","code":1523} errors (google translated). Have xiaomi patched firmware on their site quietly or I'm missing something?
Here's the last URL I've tried:;stok=074fbfb27d30410800a386e6b98bf0ad/api/misystem/set_config_iotdev?bssid=gallifrey&user_id=doctor&ssid=-h nvram%20set%20ssh_en%3D1


Pretty much confirmed: I flashed someone's private firmware backup, and exploit worked


What is needed to root/flash openwrt to this ax3600 if the ssh access is prevented with latest firmwares?

Read the device page and this thread (and Adding OpenWrt support for Xiaomi AX3600), it's all in there.

1 Like

As slh said: Look at the device page. Here it is:

The guide is spot on.

There is one caveat:
In the section "Installation/Installing OpenWrt/SSH Access" before step 1 (flash older version) I would do the basic setup in the OEM firmware. The password is the only thing you really need for later.

The 1.0.17 version is Chinese only, and unless you read Mandarin it might be difficult to understand what data you need to put in each box.

After that DO NOT select the reset data option when you flash the old firmware. This way, the password you've set on the first setup will be preserved and after entering the password on the Mandarin interface (which even I could manage) you can use the same password and the new STOK value from the URL for the following steps (2+) in the instruction.

I've flashed two devices this way, it takes about 15min if you've done it before. The "Debricking/TFTP recovery" section in the guide also works, as I can tell from the experience of having messed up twice on the first device.
Side note: You can also flash back to the European OEM version this way. And no, AFAIK the TFTP flash doesn't take an OpenWRT (...factory.ubi or ...sysupgrade.bin) flash directly. And YES, I,ve tried.

1 Like

Thank you! I managed to enable both SSH and telnet on 1.0.17 (CN). Thank you for the tip to NOT reset/clear my working 3.0.22 (EN) config when downgrading (Manual updating) to 1.0.17 (CN).

Question to anyone: how do I now update to 3.0.22 (EN) (the latest EN firmware) WITHOUT losing SSH/telnet?

I'm not certain updating to OEM 3.0.22 without losing SSH (and telnet) is possible. Maybe somebody else can help you with this.

To be honest, seriously consider flashing OpenWRT. Its interface isn't as designer pretty as the OEM, but OpenWRT is much more powerful. It supports bridging, VLANs, QoS, multiple DHCP address ranges, firewalling is extremely sophisticated, and there's almost anything you could want from a networking perspective available and it's all pretty easy. If you don't need all this, the simple presets will do fine, the only thing to do is set a password.

The section "Flashing OpenWRT" in the guide works precisely as advertised, and it's here (deeplink):

At the time of writing, the most current image you need for flashing OpenWRT to the AX3600 is here:

Don't be discouraged by the massive amount of information available on OpenWRT. If you need the expert stuff you can read up on it. If you don't, it's just plug and play (after flashing, obviously) and you don't need to give it a second thought.

Once you've got the SSH running it's only
scp downloads/openwrt-ipq807x-generic-xiaomi_ax3600-squashfs-nand-factory.ubi root@
(obviously add you own path to the image and the router's current IP address or use WinSCP if you're on a Windows machine)
Then follow the instructions in the link provided above.

After rebooting OpenWRT's default IP address will be and all you need to do is set up a password and for good measure flash the fallback partition as outlined in step 6. SSH is enabled by default.

It's really this simple!


Wow thank you. The showstopper to me going OpenWRT was the apparent need to compile the firmware/image myself. With this provided I'll continue with the guide and your outlined steps.

BTW, this is to EVERYONE: Don't go bothering the providers of the image I linked with every little problem that crops up. It's an ALPHA that really happens to work well.

If you do (bother them), they might remove it from public faster than you can blink.

Wait for the official release to complain.

For now, there's one problem I'm aware of: Memory leak on wireless (ath11k) driver.

My current workaround is to reboot every 8 hours. That takes ~15 seconds. I reboot at 4, 12, and 20 hours locally, I'm asleep at 04:00, at lunch at 12:00 and at dinner at 20:00.

If you have high bandwidth wireless traffic occurring naturally, you probably won't need this, because high bandwidth traffic on a wireless interface seems to clean up the memory, about 100MB worth.

This is the second option I'm aware of: Keep "iperf3 --server" running on the router and do "iperf3 --client YourRoutersIp --time 10" on a WIRELESS client every couple of hours. It won't do anything on a wired client.

By the time the official release is published I'm sure this will be handled. Right now, this is my solution.

1 Like

Bye bye stock firmware, OpenWrt lives! I followed the steps in the device page (and applied common sense) and it all went well. Thanks again.

I'm also pretty sure I'm not the only one who hates setting (and updating) static DHCP leases :angry:

1 Like

Welcome to the better (if somewhat immodest) community!

I hope you like it as much as I do!

1 Like

Is it possible to have also the full chinese txpower with openwrt?

Yes, that is possible.

On the OpenWRT GUI there is a setting in
Network/Wireless/YourWirelessNetworkName/Edit/Device Configuration/Advanced Settings/Country Code

This setting is in the setup for each wireless network, but can only be configured once for each of the three radios (nac, nacax, bgnax). I you have multiple wireless networks on the same radio a change in any one of them will affect all others on the same radio.

Be sure to select the country you live in. If you exceed regulatory limits fines can be very high. Think new middle class car ranges.

Which ever country you are in, power limits, frequency ranges and bandwith limits will likely be much broader than the preselected value "driver default", which seems to be the lowest common denominator of all regulatory domains.

In my home setting I have observed that allmost all stations in the surrounding area seem to be bunched up on band 36 in the 5GHz spectrum. I guess nobody bothers set their country code no matter what device they use. Everything else is only very lightly used.

Without much interference from other devices, ranges and data rates and connection stablilty are very good in my location without going outside the legal limits.

1 Like

Can somebody help me how I can get back to stock int 3022 firmware from openwrt?

To get back to stock, you need to locate a stock image. There is a link a previous post by @itay:
Xiaomi AX3600 INT firmware - #100 by itay

Then follow the instructions in "TFTP recovery" on the device's Wiki:

Don't know what happend these days.. but the 2,4 GHz band is not working propertly, neither in stock nor in the Openwrt... its SSID appears for a second and disconnect for a very long time..

Did it happen to any of you?

A thing I saw in this router is the division between WAN and LAN, with two subnets.. I would like to join them in the same subnet "192.168.0.x" All the original router ethernet devices and Wifi clients. With the original firmware I couldn't even ping the devices separated by the two subnets

In Network/Interfaces, tab Interfaces, WAN -> Edit, tab "General Settings", Device: Set to "unspecified" = remove "eth0". Do the same with interface WAN6.

In Network/Interfaces, tab Devices, br-lan -> Configure, tab "General device options", "Bridge ports": Add device "eth0".

In Network/Wireless use button "Add" or "Edit" for existing devices, set up as appropriate and in "Interface Configuration", Network: Select "LAN". Do this for all wireless networks you have defined or want to define.

Network/Interfaces, tab Interfaces, LAN -> Edit, tab "General Settings" set Protocol to "static address" and then set the address to In the tab DHCP Server check to see it it is enabled (it is by default).

That should be it, all wired an wireless devices in one subnet.

Maybe you want to make a backup before doing this.

About the problems with the 2.4G radio: I have no idea what that could be, I have three AX3600 devices, all radios on these work fine.