Adding OpenWrt support for Xiaomi AX3600 (Part 1)

teardown
complete ttl contact
connect
copy boot log

1 Like

secure boot fuse is not enabled :laughing:

5 Likes

Perhaps a dumb question, but I'm in the market for a new router/ap. I don't trust Xiaomi enough to make it my main device if I can't put OpenWRT on it. I am however, willing to run it temporarily behind my current router and block all traffic in their direction, until I can actually do so.

Does this finding mean that an OpenWRT build has a good chance of happening in the next 6-12 months?

Thanks!

It is way too early to answer this question, a lot can still go wrong and I haven't seen anyone even start working on a port for it. While chances aren't too bad, you won't know until someone at least submits a first approach as a pull request (even that won't give you any guarantees, until the patch set has actually been merged, but it would at least show you what would be possible - right now, it's still a va banque game).

1 Like

LonGDikE,

Thanks for the tips to lead to getting SSH. On the unit I just received and downgraded to 1.0.17 - none of your commands as written worked. This appears to be due to the fact that this firmware performs some auto-filtering of characters that could lead to escape. Specifically ; & $ appear to not be permitted. After searching around a bit I came across this article:

In there it details that you can use newlines (%0A) [percent zero capital-A] instead of semicolons with some Xiaomi routers. With that, I was able to confirm escape via the following URL:

http://192.168.31.1/cgi-bin/luci/;stok=/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=%0Areboot%0A

Which, happily, rebooted the router. From there I was able to enable nvram SSH and then deleted the IF in /etc/init.d/dropbear by piping the dropbear contents to sed '135d' three times (which deleted the IF, the return 0, and the FI to stop the init file from keeping SSH off). I then used your command to change admin password, however, there is a password length requirement (8 characters seemed to do the trick).

I have confirmed that the %0Areboot%0A does not work on the 1.0.50 firmware (which is the latest as of this post).

Let me know if anyone would like more specifics or details. Happy to help to bring OpenWRT to this puppy.
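The bypass described in the post above boils down to a blocklist that knows about `;`, `&` and `$` but not about the newline that the shell also treats as a command separator. The following is an added illustration, not code from the firmware or from anyone in this thread: `naive_filter`, the `echo`-based command line and the handler structure are assumptions standing in for the router's real CGI handler, which is not shown here, and the payload is constructed (a harmless `echo` takes the place of `reboot`).

```python
"""Toy model of the %0A filter bypass (added example; the real handler is not
public here, so the filter and the command shape below are assumptions)."""
import shlex
import subprocess
from urllib.parse import unquote

# Characters the post observed being rejected on the 1.0.17 firmware.
# Assumption: the filter is a plain blocklist of exactly these three.
BLOCKED = frozenset(";&$")


def naive_filter(value: str) -> bool:
    """Return True if the value passes a blocklist that only knows ; & $."""
    return not (BLOCKED & set(value))


def run_sh(cmdline: str) -> str:
    """Run a command line through sh, as a CGI that shells out would."""
    return subprocess.run(["sh", "-c", cmdline],
                          capture_output=True, text=True).stdout


def vulnerable_handler(raw_ssid: str) -> str:
    """Hypothetical handler: URL-decode ssid, apply the blocklist, then
    interpolate the value into a shell command line without quoting.
    A newline in the value starts a second command."""
    ssid = unquote(raw_ssid)
    if not naive_filter(ssid):
        return "rejected"
    return run_sh(f"echo configuring ssid {ssid}")  # stand-in for the real command


def hardened_handler(raw_ssid: str) -> str:
    """Same flow, but the value is single-quoted with shlex.quote, so a
    newline (or any metacharacter the blocklist forgot) stays inside one
    argument instead of terminating the command."""
    ssid = unquote(raw_ssid)
    if not naive_filter(ssid):
        return "rejected"
    return run_sh(f"echo configuring ssid {shlex.quote(ssid)}")


# Constructed payload in the shape the post used: newline-delimited commands
# instead of semicolons, with echo standing in for reboot.
PAYLOAD = "%0Aecho%20INJECTED%0A"

if __name__ == "__main__":
    print("vulnerable:", vulnerable_handler(PAYLOAD).splitlines())
    print("hardened:  ", hardened_handler(PAYLOAD).splitlines())
    print("semicolon: ", vulnerable_handler("x%3Breboot"))
```

With the vulnerable handler, `INJECTED` comes out as the output of a second command; with the quoted version the same bytes are echoed back as literal text. Quoting is the minimal fix; the better one is to never hand user input to a shell at all (pass an argv list without `shell`) and to allowlist the characters an SSID may contain, since a three-character blocklist will always miss something (newline, backtick, pipe, ...).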

You can take a look here: Xiaomi AX3600 DTS
Someone is already trying to gather the necessary information (slh and efsg).

I gave the AX3600 to zhiping, soon...

1 Like

esfg,

As you have serial port access, do you need anything from a persistent SSH perspective?

I do not know...
(MiWiFi/HiWiFi) Xiaomi can block it at any time.

Correct - the exploit I leveraged only works via downgrading to 1.0.17. As of 1.0.50 - it cannot be used as the method has been patched.

Yes, but we could still use 1.0.17 as a vector to get into the router and flash OpenWrt. Even as an install instruction it shouldn't be something difficult to do (as long as Xiaomi doesn't release firmwares that block downgrading to 1.0.17).

What we need now is an OpenWrt build for this device, right?

Hello, I'm new to OpenWrt. I've been following this router, and as I see movement toward a possible future OpenWrt firmware, I bought one today!

Hope we can get this AX3600 router!!

we can win!

3 Likes

Alex - as has been mentioned before, it's risky as Xiaomi could patch to prevent downgrades (and then users would be stuck with having to wire up to the serial port). I think with the amount of product out there currently, we are likely safe for now. I've also seen some other research going on around decoding the Xiaomi FW update bins, which could lead to being able to craft a Xiaomi-compliant update bin.

From an exploit perspective, I think the next step would be to figure out how to modify the U-Boot config in order to enable RW access to all the partitions. At that point you would have similar access to what efsg has with his serial port access. It seems to me like you could potentially do a sysupgrade to patch the currently writable partitions to get OpenWRT on there (the AX3600 does a custom process, pulling various images out of the uploaded bin and then deploying them directly to partitions). However, that would still require all the drivers to be in place, and from my reading it would only put you in a one-off, hack-jobbed OpenWRT.

1 Like

A big thank you to the people posting great information in this thread and the ax3600 DTS thread. I've ordered one and with the info posted here should get root access.

If any developers want to get one for less than 90 EUR, see https://www.aliexpress.com/item/4000869725283.html with coupon 20SS10.

Looking forward to an OpenWRT port, or at least an English-translated interface.

1 Like

Hm, for me 20SS10 is not working.
It's complaining about the order amount being below the limit.
The order needs to be 100 USD excluding shipping.

Just tested and it seems to be working for me.


Then it does not work for Croatia as I get:
The order amount (excluding shipping fee) is under the minimum spend of this promo code.

esfg - are you leveraging the work done on the 8074 reference kit? I stumbled across this pastebin showing the boot log of an IPQ8074-HK01:
https://pastebin.com/j43AhxAh

But I can't seem to dig up the snapshot that is listed in the release further down in the pastebin:

  root@OpenWrt:/# cat /etc/openwrt_release
  DISTRIB_ID='OpenWrt'
  DISTRIB_RELEASE='SNAPSHOT'
  DISTRIB_REVISION='r11690-ca7ed17'
  DISTRIB_TARGET='ipq807x/ipq807x_64'
  DISTRIB_ARCH='aarch64_cortex-a53'
  DISTRIB_DESCRIPTION='OpenWrt SNAPSHOT r11690-ca7ed17'

I live in China, and maybe I can help to ship it for you, as you have a really good reputation. :laughing: