Xiaomi AX3600 INT firmware

Looking at the code, it writes four bytes: A55A0000 (hex) to the beginning of /dev/mtd10, the crash partition, to unlock bdata, and restores the beginning to FFFFFFFF to lock it back. This unlocking is absolutely the same as writing the crash_unlock.img from https://oded.dev/2020/11/30/AX3600-1 tutorial (open it in the hex editor to see for yourself). So, from security perspective, there's no difference which method you use: we still don't know what these magic A55A0000 bytes mean.

A55A (hex) = 1010 0101 0101 1010 (bin)
this pattern is frequently used for memory tests, as 1 and 0 are alternating.

Thanks, it's interesting to know, however we still don't know what effects (if any), beyond making bdata writeable, writing this to crash partition, has.

Is this bug resolved? iwconfig shows the txpower properly but iw info shows txpower 42949607.96 dBm.

Pls reply what could be the issue

Thanks in Advance,


Since it seems like development on the OpenWRT firmware for the AX3600 has slowed - I've been hacking away to see if I could leverage the AIoT radio for other purposes (wl2 interface). It appears that I've made some headway. Thus far, I've managed to get the wl2 radio up with a custom SSID/pass as well as serving DHCP from the LAN. The trick here was that the /lib/wifi/qcawificfg80211.sh has an entry which disables wl2 during configuration of the raidos (thus making any changes to /etc/config/wireless on wl2 ineffective). As I'm using the geekman/xqrepack to push the INT firmware onto my CN AX3600 - I added a step in there to comment out the following from the /lib/wifi/qcawificfg80211.sh config script:

        if [ $ifname = "wl2" ]; then
               ifconfig $ifname down

Once I did this and flashed the new image - I was able to configure the wl2 interface with the following settings in the /etc/config/wireless file:

config wifi-device 'wifi2'
	option type 'qcawificfg80211'
	option channel 'auto'
	option hwmode '11ac'
	option macaddr 'xx:xx:xx:xx:xx:xx'
	option disabled '0'

config wifi-iface
	option device 'wifi2'
	option ifname 'wl2'
	option mode 'ap'
	option network 'lan'
	option ssid 'TestIoT'
	option key 'bbbbbbbbb'
	option encryption 'psk2+ccmp'
	option wpsdevicename 'XiaoMiRouter'
	option disabled '0'
	option hidden '0'

I haven't been running it for long and haven't put my various IoT things on it (tested with my iPhone 7 so far) but wanted to toss this up here in case others were looking for hacking the AIoT antenna for other purposes.


After some testing - I've managed to get my IoT-ish things operating on the AIoT radio. The bandwidth appears to max out around 6-10Mbps but this is more than sufficient for all the switches/etc. to run on. Below captures the changes (still need to edit the /lib/wifi/qcawificfg80211.sh as mentioned above):

config wifi-device 'wifi2'
        option type 'qcawificfg80211'
        option channel 'auto'
        option hwmode '11g'
        option htmode 'HT20'
        option txpwr '13'
        option macaddr 'xx:xx:xx:xx:xx:xx'
        option country 'CN'
        option disabled '0'

config wifi-iface
        option device 'wifi2'
        option ifname 'wl2'
        option mode 'ap'
        option network 'lan'
        option ssid 'TestIoT'
        option key 'bbbbbbbbb'
        option encryption 'psk2+ccmp'
        option disabled '0'
        option hidden '0'
1 Like

I've also created another 2.4 ghz wifi network for my iot devices with proper firewall setup (no internet access etc) but not on the wifi2 device. I'm not sure if there's much of a benefit in using the wifi2 device for that.

Yeah I'm not quite sure either at this point other than it's a totally separate radio and frees up the main 2.4 radio to talk to streaming devices/etc.

hey guys

this is my first post so please excuse me if I miss something.

I installed the EU firmware and changed CountryCode to CN as well as patched the bdata to be "CN" as well.

Now I can start Mi Wifi App login to my (german) mi account, change the region to CN and the router is found and I can login and the devices are shown however when I try to "do" anything with them it tells me it cant connect to the router, it also shows "offline" on the main screen.

How can I get my router back to work? I once havent "unpaired" it from my german account, might that be the issue? I checked my DNS and there isnt a block or sth to miui.

Thanks :slight_smile:

Hello, Can you give me the lines to add to repack-squashfs.sh to use this IoT antenna. I want to create an Iot antenna visible on my network and then add a relay. Thank you

The lines are in my first post above on this matter. You will have to add them yourself or put a pause in the repack script so you can manually edit as I havenโ€™t built it in.

However, esfg has posted a custom Qualcomm build of the ax3600 which might be the better solution to all of this in another thread.

Is there any way to get permanent changes made by SSH in this firmware? I need to modify /etc/config/network in AX3600 but after rebooting a tagged port (wan) losses the tag in the configuration file.

A line like

	option ifname 'eth1.6'

is changed to

	option ifname 'eth1'

Many thanks in advance

1 Like

Hey folks,

I'm not sure if I understood right, but the stock Global firmware doesn't run at the device's maximum power over wifi, is that right?
I've noticed that my cellphone has a terrible time maintaining connection when it's on my lap, under the table. With my old TP-Link Archer AC1750 I had no issues on that regard.

I've read a couple of stuff regarding enabling SSH and editing a couple of files, but I couldn't figure if those actually made a difference, or if it's just tinkering.
Is there currently a way to use the chinese firmware in English, or use the global firmware with the chinese "unlocks"?

Hey, care to explain how you managed to use Global firmware and have AX3600 full performance?

I've looked at the link you listed, but I found it a bit confusing at times. Sometimes it seems he's instructing how to do something, other times it seems he's just proving that something is indeed what it is. Then he says to run stuff like if were as easy as turning on a light switch... I got lost quite a bit, and I consider myself pretty tech knowledgeable lol

Could you do a simple explanation about what's needed to be done?

I just ordered a second ax3600 to do mesh. I got the latest xiaomi1.1.12.ubi from right.com.cn. Could I create the mesh with this ?

I see that you are several to click on the link of "right-com-cn" I give you the complete link. To recover the files I used this . The link for download tuto download baidu without login. The baidu account link should be formatted this way with Chinese characters ้“พๆŽฅ: https://xxxxx.xx/s/xxxx ๆๅ–็ : xxxx

@efsg I have successfully completed the switch to QSDK.

  1. How to activate the IoT antenna?
  2. Do you have a xiaomi.3.0.22.ubi in stock?
  3. Last thing how to add a mesh node?

I'm also interested in that. Because as soon as I switch to INT firmware my max txpower is 16dBm, no matter what country I set up in nvram / wifi / iw reg set XX (tried multiple countries from CN, to DE). So on INT firmware following iwinfo wl0 txpowerlist always list max 16dBm, and as soon as I'm on China firmware (currently on latest 1.1.15) same command gives me max 30dBm for both 5GHz and 2.4GHz and signal is much stronger.

Likely, they actually do the right thing as that device most possibly never ever got any kind of FCC approval or anything. Well likely it didn't even get any Chinese approval either but those folks just don't care...

Yes, but it's strange because 1000 mW (30 dBm) should be allowed in EU on channels >100 and there isn't a way to achieve that with global firmware, at least I didn't find a way so for now I'm stuck with China version.

I have managed to fix that! I forgot to post back.

I followed this russian tutorial:

You can easily use google translate and follow the commands there.
I used a Ubuntu live-CD on a virtual machine to run the commands, because I felt more comfortable there, but you can run everything from Windows if you want.

Basically you will:

  • Connect through cable
  • Get SSH through the 1.1.17 firmware
  • Extract your bdata
  • Generate your stock root password
  • Change your extracted bdata country (I've used DE instead of CN, as it seems more powerful)
  • Flash the crash partition in order to allow modifications on the router's bdata partition
  • Flash the modified bdata partition to your router, reboot
  • Clear the crash partition in order to have wi-fi back
  • Reset the settings through the UI
  • Enable SSH access again through Telnet
  • Change SSH password for something you remember

Then, after that:

  • Update to Global
  • Select a country that allows high power (I'm using DE, as it's more powerful than CN)

I'm running that and I have powerful 5GHz wifi everywhere I go in my home, whereas previously, I'd lose 5GHz connectivity after two rooms, or even if I lowered my phone under the table a wall away from the router. It was shamefully weak.

If you need help following this tutorial I linked above, feel free to ask your questions.

1 Like