banner
阿闷

备忘录

HomeArchives

Redmi AX6 Flashing

58
AI Translation
This post is translated from Chinese into English through AI.View Original

Preparation#

  • A computer that can access the internet normally, with the necessary software installed and required files downloaded.
  • A wireless router with OpenWrt system (I have the Phicomm K2, firmware link), with wireless functionality working properly. If you don't have a router with OpenWrt, you can install OpenWrt on a virtual machine.
  • Redmi AX6*N, I have 2 units, so I tested this tutorial twice to confirm it works.
  • An Ethernet cable.
  • PowerShell, preferably launched in Windows Terminal for easy copy-pasting.
  • Xshell, used to execute SSH commands.
  • Unlock Redmi AX3000 complete source code.
  • MiWiFi 1.0.18 official firmware: miwifi_ra69_firmware_45a77_1.0.18.bin.
  • OpenWrt firmware used for AX6.
  • Two files used for expansion.
  1. Ensure the AX6 firmware is 1.0.18 or below.
    Connect to the AX6 via Ethernet or WiFi; I used Ethernet for stability during firmware upload. Open a browser and go to 192.168.31.1, log in, and check the Xiaomi official firmware version number in the system information under common settings. Choose manual upgrade, select the firmware, upload the firmware, and downgrade without keeping the configuration. After a successful downgrade, connect to the AX6 and set a management page login password, something simple like 12345678 will do.

There may be two issues at this step:

  1. If the firmware upload is successful, the AX6 may get stuck with a solid orange light during the downgrade reboot process for several minutes. You might find people saying it has bricked, but it hasn't; just be patient for a few more minutes, then power off and power on again to access the downgraded AX6 management page.

  2. If the upload fails with a message like "XXX space is full," check your computer's network connection to ensure that Ethernet and WiFi are not simultaneously connected to multiple routers or optical modems, then try uploading the firmware again.

  3. Connect the K2 with an Ethernet cable to prepare the environment for unlocking the AX6.

Connect the K2 with the Ethernet cable, open Control Panel\All Control Panel Items\Network Connections, and check the connection status of the Ethernet. Once the network name is recognized, execute ipconfig in PowerShell to check the specific IPv4 IP of the Ethernet. Mine is 192.168.5.1, username: admin, password: password. Unzip the downloaded Unlock Redmi AX3000 complete source code, right-click the folder and open it with Windows Terminal, then enter the following command:
scp wireless.sh [email protected]:/root/wireless.sh

The first prompt indicates that the key has changed; type "yes" to ignore it. The second prompt asks for the connection password, here I enter the password: password. There will be no display for these two inputs; just press Enter after typing.

Use Xshell to connect to the K2's SSH, username: root, I forgot if a password is needed; if prompted for a password, use: password.

Directly execute the command:
sh /root/wireless.sh

I forgot to take a screenshot here, so I used an online image. When you see "Restarting networking" on the last line of the image, it means the script has finished executing. Remove the Ethernet cable from the K2 and keep it powered on to the side.

  1. Connect to the AX6 again.

Plug the Ethernet cable into the AX6, wait for the Ethernet to be recognized successfully, then open 192.168.31.1 and log in to the management page homepage. Copy the link from the browser's address bar:
http://192.168.31.1/cgi-bin/luci/;stok=316a516d2835ce8cd6713e9bc324bfea/web/home#router
The part marked in red in the link is the STOK, which changes with each login; after copying this tab, leave it open.

Only take the red-marked part of the link and replace the in the link below, do not forget the <>:
http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/extendwifi_connect?ssid=MEDIATEK-ARM-IS-GREAT&password=ARE-YOU-OK

ssid=MEDIATEK-ARM-IS-GREAT is the WiFi name automatically changed by wireless.sh for K2.
password=ARE-YOU-OK is the corresponding password, do not change either.
(If you're using a virtual machine setup, you might encounter issues at this step.)

After replacing the STOK, copy the entire link into the browser and wait about a minute; the browser will display the following, indicating success:

This indicates that the AX6 is now connected to the K2's WiFi: MEDIATEK-ARM-IS-GREAT. Replace the in the link below with the STOK, and do not modify anything else:
http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/xqsystem/oneclick_get_remote_token?username=xxx&password=xxx&nonce=xxx

The browser displays the following image, indicating that SSH has been successfully enabled:

Now refresh the AX6 management page: 192.168.31.1. Click the eye icon next to the 5GHz password, copy this WiFi password, and save it for later use. The task for the K2 is complete.

Return to Windows Terminal and confirm that you are still in the Unlock Redmi AX3000 folder. Transfer the ax3000.sh and fuckax3000 files from the folder to the AX6 in two separate transfers:

scp ax3000.sh [email protected]:/etc/ax3000.sh

scp fuckax3000 [email protected]:/etc/fuckax3000

Return to Xshell, create a new SSH connection with the information: 192.168.31.1, root, and the 5GHz password you copied earlier as the SSH password. After logging in, execute the following command:
sh /etc/ax3000.sh dump

At the end of the image, it will prompt you to download the backup.

Open the link: http://192.168.31.1/backup/log/bdata_mtd9.img

After downloading, label it clearly (if you have multiple AX6 units) for safekeeping, just in case. I haven't fully understood its specific function yet.

  1. Retain SSH permissions.

If you've ever jailbroken iOS, you can think of this step in terms of the differences between imperfect and perfect jailbreaks. By default, when the router is reset to factory settings or upgraded, SSH permissions will be lost, so we need additional steps to retain them. Continue executing commands in Xshell:
sh /etc/ax3000.sh unlock

After this, the AX6 will automatically restart. Once the System light turns blue, reconnect to SSH and execute:
sh /etc/ax3000.sh hack

The device will automatically restart.

  1. Mount overlay space for easier installation of various software packages and desired functionalities.
    Reconnect to the AX6 via SSH and execute:
    sh /etc/ax3000.sh mount

The AX6 will automatically restart. After reconnecting via SSH, execute the command:
sh /etc/ax3000.sh keep

At this point, unlocking SSH and retaining permissions is complete. Now you can start flashing your preferred OpenWrt firmware.

========

Download the two essential files: xiaomimtd12.bin, a6minbib.bin.

  1. First, expand the partition (the principle behind this part is not yet clear).
    By default, the AX6's partition is about 30MB. If you want to install more plugins, considering the space required for various plugins, the available space becomes quite limited. Although expansion is not mandatory, it is recommended.

First, set the system environment env for nvram. If you're unfamiliar, execute the commands one by one:

nvram set flag_last_success=0
nvram set flag_boot_rootfs=0
nvram set flag_boot_success=1
nvram set flag_try_sys1_failed=0
nvram set flag_try_sys2_failed=0
nvram set boot_wait=on
nvram set uart_en=1
nvram set telnet_en=1
nvram set ssh_en=1
nvram commit

Return to Windows Terminal and transfer xiaomimtd12.bin to the AX6 to flash the QSDK transitional firmware.

Then go to Xshell, connect to the AX6, and execute the command:
mtd write /tmp/xiaomimtd12.bin rootfs

Then power off for a few seconds and power on to restart the AX6. After rebooting, the AX6 will not light up, but it is not broken; you can open 192.168.1.1 to confirm whether it has successfully booted. Username: root, no password, then ignore this management page. In WT, transfer a6minbib.bin to the AX6's /tmp directory:
scp a6minbib.bin [email protected]:/tmp

Note the IP has changed to 1.1. Return to Xshell to reconnect SSH and execute the command:
. /lib/upgrade/platform.sh
switch_layout boot; do_flash_failsafe_partition a6minbib "0:MIBIB"

Again, power off for a few seconds and power on to restart the AX6.

Skipping the reboot in the fifth step means no expansion will occur, leading to errors like "file too large."

This completes the expansion, and you can start flashing the firmware.

  1. Flash the OpenWrt firmware.

Download the firmware, noting the differences between the two files in the firmware:
openwrt-ipq807x-generic-redmi_ax6-squashfs-nand-factory.ubi
openwrt-ipq807x-generic-redmi_ax6-squashfs-nand-sysupgrade.bin
factory.ubi is used for command flashing of the firmware.
sysupgrade.bin is used in the OpenWrt settings, under: System → Backup/Upgrade. Whether to keep the configuration is up to personal preference.

In Windows Terminal, transfer the firmware package:
scp openwrt-ipq807x-generic-redmi_ax6-squashfs-nand-factory.ubi [email protected]:/tmp

In Xshell, execute the command to flash the system:
ubiformat /dev/mtd13 -y -f /tmp/openwrt-ipq807x-generic-redmi_ax6-squashfs-nand-factory.ubi
fw_setenv flag_last_success 1
fw_setenv flag_boot_rootfs 1
reboot

Finally, open 192.168.10.1 to set up the router, username: root, password: admin.

The entire process is complete!

Reference links, some steps were not captured in screenshots, image sources ↓:

Redmi AX3000 (AX6) Unlock SSH Tutorial

Xiaomi Redmi Router AX6 Flashing Third-Party OpenWrt Firmware

Redmi AX6 OpenWrt Firmware (Stable, No Reboots) and Flashing Experience

Some online firmware may reboot irregularly, reason.

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.