Xiaomi ax3600 ssh guide

Gustavo · February 27, 2021, 10:37am

@odedlaz thank you for tutorial. But how can I import and run your postman_collection script?

odedlaz/ax3600-files/blob/master/scripts/AX3600.postman_collection.json

{
	"info": {
		"_postman_id": "fda2354c-c7fd-46bb-8db2-9a61b8023f34",
		"name": "AX3600",
		"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
	},
	"item": [
		{
			"name": "check_rom_update",
			"request": {
				"method": "GET",
				"header": [],
				"url": {
					"raw": "http://{{gateway_ip}}/cgi-bin/luci/;stok={{stok}}/api/xqsystem/check_rom_update",
					"protocol": "http",
					"host": [
						"{{gateway_ip}}"
					],
					"path": [
						"cgi-bin",

This file has been truncated. show original

Paspas · March 27, 2021, 8:13pm

Hi! I’ve tried to get permanent ssh on my router Ax3600, once I get ssh, I modify the file data_mtd9.img with the script fuckax3600, when I run “/tmp/fuckax3600 lock” the router resets and I still have ssh, but if I update the firmware I can’t or I don’t know how to proceed since I can’t connect via telnet, the connection is rejected. I’ve done it more than 5 times, but to no avail. Will you please tell me what am I doing wrong? Thanx in advance.

slh · March 27, 2021, 8:43pm

The checksum for bdata needs to be correct, or the ax3600 will ignore it.

After factory resets (or potentially also version upgrades), the ax3600 will forget your manually set password and do enable ssh (dropbear), but telnet will be on and accept the default password calculated from the serial number of your device.

Paspas · March 27, 2021, 9:22pm

I made all the process with the password generated with the sn, but the main problem is that I don’t get access either telnet nor ssh. Thanx for you soon reply.

Double-G · March 27, 2021, 9:38pm

Hat the same Problem.
Hard reboot. If it doesn't help, factory reset and start over. It worked the second time in my case.

Paspas · March 27, 2021, 9:56pm

I did it every time I started again, but nothing, again after updating the firmware, no connection via telnet nor ssh. Just in case it helps, every time I upgrade, the device name changes to Xiaomi_0, I change it back to the one in the label of the router.

juppin · March 28, 2021, 9:28pm

This looks like your bdata is invalid. Most probably the checksum wasn't updated on your modification.

barnamacko · March 29, 2021, 9:19am

Hi,

Are you used all the required switch in order as described here: XiaoMi AX3600 Hack SSH & Telnet forever (lowyat.net)?

Paspas · March 29, 2021, 6:23pm

Yes, I've followed all the steps, actually, having a look to the bdata_mtd9.img, I can see that all the necessary items to be changed are already changed, we need telnet_en=1, ssh_en=1, uart_en=1 Sin título2
If you see there is no change between get and set. I think the problem is on Telnet, because I could never connect via telnet with this router, it refuses the connection.
I have also tried telnet in MacOS
I just wanted to have mesh with my AX6 but I need to have a Vlan to change my ISP router, so I need international firm in the AX3600 to have the Vlan and change the country code to CN to have mesh with the Xiaomi AX6.
I think everything is fine but I can’t use telnet, even before uploading the latest firm, still having ssh access, I can’t connect via telnet.

Paspas · March 31, 2021, 10:40pm

I could happily get access via telnet, I tried many times repeating the same steps but, obviously the same happened, so I started different ways to get permanent ssh access, so I can’t really say what was what made the difference. I remember that I tried these lines:
nvram set flag_last_success=0
nvram set flag_boot_rootfs=0
nvram set telnet_en=1
nvram set boot_wait=on
nvram commit
Then I tried to follow the same steps but trying telnet almost after every step, and before locking bdata with fuckax3600, I could connect via telnet, so I left it open, I upgraded to the global firm, but I didn’t have wifi, so I got ssh again change country code and lock bdata to recover wifi. I happily have it as desired and with everything working as I wanted.
Thanks everybody for trying to help me.
Edit: if I restore to factory default, I must start form the beginning since I don’t have telnet access. I have also noticed that when I downgrade to 1.0.17 and after having telnet access, the web info of the router says I’ve got 3.0.22 not having uploaded it.

imyelmo · April 30, 2021, 10:57am

Is there any way to get permanent changes made by SSH? I need to modify /etc/config/network in AX3600 but after rebooting a tagged port (wan) losses the tag in the configuration file.

A line like

	option ifname 'eth1.6'

is changed to

	option ifname 'eth1'

Many thanks in advance

Paspas · May 7, 2021, 7:04pm

I downloaded a firmware already patched, and I upgraded via ssh, I work with vlans too and it’s working fine since I did it. If you don’t find the firm, let me know and I will tell you where to find it.

humza820 · July 19, 2021, 9:40pm

Hi I bought a global version AX3600 with 3.0.22 firmware. I just installed chinese firmware 1.1.15 latest one on my global version router. My signal coverage is increased very significantly and now I have decided to keep the chinese firmware. But a little problem I am facing. now I can only access my router through web interface and on my miwifi app it got paired in germany region of the app but showing "Router is offline". please guide?

Ejak · January 22, 2022, 7:53am

i wrote mtd9 modified, now i get telnet and ssh .
but wifi is bricked, wifi is not visible.
the only way to access is via ethernet
What is wrong?
What should I do now?
Please help me!

Gingernut · January 22, 2022, 12:31pm

Yeah sorry, mtd erase crash was the one.

Don't erase the bdata.

Edrikk · January 22, 2022, 3:20pm

Do NOT erase bdata; and don’t go around doing random things…. That’s how you get a device you can’t recover from.

Follow these instructions. They are extremely well written and is all you need.

https://oded.dev/2020/11/30/AX3600-1/

ariehmar · December 29, 2022, 3:49pm

I have received a new Redmi AX3000
Tried to follow the instructions starting with downgrading FW.
Problem is that the FW downgrade fails with a 'file verification failed'.

I am trying to downgrade using the miwifi_r3600_firmware_5da25_1.0.17.bin image.

Is there something that can be done to gain ssh access ?

andywob · April 14, 2023, 9:57am

Hi folks,
tried to get SSH access as described. Downgrade to the chinese firmware went well. But I'm not able to set a root/admin password, while the device is:

in a chinese language set
could not access the menue for admin, because the router is not connect to a WAN Inteface so far
So, not a technical issue, more a language problem. So my question;
How could I reach the menue where I can set the admin password to get the stock-value??
thanks and best
Andreas