Xiaomi AX3600 INT firmware

Had enabled IPv6 and noticed that IPv6 LAN devices are accessible from the internet. AX3600 is not filtering and accepting all the IPv6 connections Internet to LAN, exposing all the IPv6 LAN devices to the Internet.

Traced and found the 'zone_wan_dest_REJECT' chain has a rule resulting in all forwards from WAN (before the reject rule). This rule is not in the vanilla OpenWRT and it exposes LAN to the Internet. It is added when IPv6 is enabled and the mode is not NAT (/etc/config/firewall include 'ipv6_masq' ->'/lib/firewall.sysapi.loader ipv6_masq' -> '/usr/sbin/sysapi.firewall ipv6_masq').

root@XiaoQiang:~# ip6tables -L zone_wan_dest_REJECT -n -v
Chain zone_wan_dest_REJECT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all      eth1   *       ::/0                 ::/0                
    0     0 reject     all      *      eth1    ::/0                 ::/0                 /* !fw3 */

As a workaround to prevent LAN from being accessible, I had disabled the ipv6_masq and included firewall.user to delete the rule and restart odhcpd.

# Disable ipv6_masq (optional)
uci set firewall.ipv6_masq.enabled='0'

# include custom /etc/firewall.user rules
uci set firewall.firewall_user=include
uci set firewall.firewall_user.path='/etc/firewall.user'
uci commit

cat  << "EOF" >> /etc/firewall.user
### Delete the ip6tables rule which forwards WAN -> LAN. It will expose LAN to the global (internet)
ip6tables -D zone_wan_dest_REJECT -i eth1 -j ACCEPT
# need to restart odhcpd for IPv6 to work
/etc/init.d/odhcpd restart
EOF
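
A check for the condition described in the post above, as an added example that is not part of the original post or of the Xiaomi firmware: it reads `ip6tables -S` output and reports any rule that accepts everything arriving on the WAN interface ahead of the reject rule. The function name `shadowing_accepts` and both sample chains are constructed for illustration; the rule spec is taken from the `ip6tables -D` line in the workaround.

```shell
#!/bin/sh
# Added example: audit a fw3 chain for an unconditional WAN-side ACCEPT.
# Usage on the router: ip6tables -S zone_wan_dest_REJECT | shadowing_accepts eth1

# Prints each rule that accepts everything arriving on WAN_IF ($1) with no
# protocol, address, state or other match, and that sits ahead of the first
# reject/REJECT/DROP rule. Exit status 0 = such a rule exists, 1 = none.
# Assumption: rules use plain flag/value pairs (no "!" negation, no spaces in comments).
shadowing_accepts() {
    awk -v wan="$1" '
        $1 != "-A" { next }                     # skip -N / -P lines
        {
            inif = ""; target = ""; extra = 0
            for (i = 3; i <= NF; i += 2) {      # field 2 is the chain name
                if ($i == "-i")      inif = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
                else                 extra = 1  # any other match narrows the rule
            }
            if (target == "reject" || target == "REJECT" || target == "DROP") exit
            if (target == "ACCEPT" && inif == wan && !extra) { print; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample: the chain listed in the post, rewritten in `ip6tables -S` form.
sample_exposed() {
    cat <<'EOF'
-N zone_wan_dest_REJECT
-A zone_wan_dest_REJECT -i eth1 -j ACCEPT
-A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
EOF
}

# Constructed sample: the same chain after the workaround has deleted the rule.
sample_fixed() {
    cat <<'EOF'
-N zone_wan_dest_REJECT
-A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
EOF
}

if sample_exposed | shadowing_accepts eth1 >/dev/null; then
    echo "exposed: unconditional ACCEPT on eth1 precedes the reject rule"
fi
sample_fixed | shadowing_accepts eth1 >/dev/null || echo "fixed: no shadowing ACCEPT"
```

Running the check after every firewall reload (for example at the end of /etc/firewall.user) confirms that the vendor script has not re-added the rule.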

Could anyone please share a patched 3.0.22 INT firmware with telnet/SSH/UART access?

thank you

Anyway @otem @kokesan I opened a PayPal moneybox. Don't know if it's right. (If it's not, I will remove the link and refund any money ASAP.)

If someone wants to donate so I can help for the support of this router.
Me and @slh are still searching for a good and quick option to buy the router... If anyone can help us (Italy seems to be problematic for shipping)


Donated :slight_smile:


7 day delivery to Italy from Spain for € 96,07 + € 6,58 shipping: https://www.aliexpress.com/item/4000955508260.html
There's only 2 left!
It might be € 87,33 + € 6,58 shipping on the 11th November, but there probably won't be any left by then.

(one of the reasons I didn't post that offer here ahahha)



But still you have to install 1.0.17 first, get SSH access, after that update manually to this one.

Upd: new link. now it should not ask permission.
Upd2: forgot about the disclaimer :slight_smile: At your own risk and bla-bla-bla....
Upd3: The default root password is password.


In case anyone needs Mi stock functionality:
The same as miwifi_r3600_all_6510e_3.0.22_INT+SSH.zip above, geekman xqrepack scripts used here as well, but with this "cleaning" part commented out in the patching script:

# dont start crap services
for SVC in stat_points statisticsservice \
		datacenter \
		smartcontroller \
		plugincenter plugin_start_script.sh cp_preinstall_plugins.sh; do
	rm -f $FSDIR/etc/rc.d/[SK]*$SVC
done

# prevent stats phone home & auto-update
for f in StatPoints mtd_crash_log logupload.lua otapredownload wanip_check.sh; do > $FSDIR/usr/sbin/$f; done

rm -f $FSDIR/etc/hotplug.d/iface/*wanip_check

sed -i '/start_service(/a return 0' $FSDIR/etc/init.d/messagingagent.sh

# cron jobs are mostly non-OpenWRT stuff
for f in $FSDIR/etc/crontabs/*; do
	sed -i 's/^/#/' $f
done

# as a last-ditch effort, change the *.miwifi.com hostnames to localhost
sed -i 's@\w\+.miwifi.com@localhost@g' $FSDIR/etc/config/miwifi

P.S. I myself can't test it since my router is still in the process of shipping.
P.P.S. Use at your own risk as usual :slight_smile:

Donated too


I ordered mine from here and arrived in 4 days, it seems to ship to Italy too. Give it a try!

On another note, I have an international version, is there any way to get SSH? I've been reading all AX3600 topics from the beginning and I believe you have nothing, right?


it's the European version

Isn't that better since you live in Europe?
Or you need the Chinese version because it's now unlocked?

Since I need to unlock it... I need the Chinese version. Can't understand if the INT version can be rooted.

Looks like the only difference between EU and CN is firmware and CountryCode stored within mtd9. Hence you can freely move from one to another.

So the idea is to flash the Chinese firmware and unlock? Can someone confirm this?

I believe @itay tried that too

Got the international version with firmware 3.0.16, flashed Chinese 1.0.17 to get SSH and "unlock" it.
It worked without problems.


Anyway, for now the best price is 125€ shipped to Italy 13 Nov. Will wait tomorrow if I'm lucky for more offers and I will buy it.


Did you check the TX power before changing the firmware to the INT version?

The original INT firmware was okay, at least I did not feel that the TX was weak. The China firmware is also good. But the 3.0.22 INT firmware definitely had some problems with the max 16 dBm, which caused problems with my phone. Tried to work around it with a different regdomain country and nvram country, no success. Flashed back the latest Chinese one, this one works the best for me.
I did not wipe the device config or reset the device between flashes.