AX6S hardware configuration

CPU MediaTek MT7622B 2 cores A53
Flash 128MB NAND
Ram 256MB
https://www.mi.com/global/product/xiaomi-router-ax3200/

Openwrt custom compilation for AX6S

First install the Linux system, Ubuntu LTS is recommended

Install compilation dependencies

1
2
3
4
5
6
7
8

sudo apt update -y
sudo apt full-upgrade -y
sudo apt install -y ack antlr3 asciidoc autoconf automake autopoint binutils bison build-essential \
bzip2 ccache cmake cpio curl device-tree-compiler fastjar flex gawk gettext gcc-multilib g++-multilib \
git gperf haveged help2man intltool libc6-dev-i386 libelf-dev libglib2.0-dev libgmp3-dev libltdl-dev \
libmpc-dev libmpfr-dev libncurses5-dev libncursesw5-dev libreadline-dev libssl-dev libtool lrzsz \
mkisofs msmtp nano ninja-build p7zip p7zip-full patch pkgconf python2.7 python3 python3-pip libpython3-dev qemu-utils \
rsync scons squashfs-tools subversion swig texinfo uglifyjs upx-ucl unzip vim wget xmlto xxd zlib1g-dev

Download source code, update feeds and select configuration

1
2
3
4
5

git clone https://github.com/coolsnowwolf/lede
cd lede
./scripts/feeds update -a
./scripts/feeds install -a
make menuconfig

1. Select Target Profile
   

2. Select LuCI -> Applications ->

Common applications

Select the required functions and save them. Exit after selecting all.

Download the dl library and compile the firmware (-j is followed by the number of threads. It is recommended to use single thread for the first compilation)

1
2

make download -j8
make V=s -j1

After compilation is completed successfully, the compiled firmware is located at: ~/lede/bin/targets/mediatek/mt7622/

Crack and flash AX6S

Flash the Redmi test firmware

Only after flashing the test firmware can you connect to AX6S through telnet for subsequent operations. The test firmware miwifi_rb03_firmware_stable_1.2.7.bin

Calculate telnet password

The SN number of the router is required to calculate the number, which can be found on the label on the back of the machine. You can also find the background management interface
Many websites that calculate numbers have expired. You can run the following python program to calculate by yourself:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

#!/usr/bin/env python3
import sys
import hashlib

if sys.version_info < (3,7):
    print("python version is not supported", file=sys.stderr)
    sys.exit(1)

# credit goes to zhoujiazhao:
# https://blog.csdn.net/zhoujiazhao/article/details/102578244

salt = {'r1d': 'A2E371B0-B34B-48A5-8C40-A7133F3B5D88',
        'others': 'd44fb0960aa0-a5e6-4a30-250f-6d2df50a'}


def get_salt(sn):
    if "/" not in sn:
        return salt["r1d"]

    return "-".join(reversed(salt["others"].split("-")))


def calc_passwd(sn):
    passwd = sn + get_salt(sn)
    m = hashlib.md5(passwd.encode())
    return m.hexdigest()[:8]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <S/N>")
        sys.exit(1)

    serial = sys.argv[1]
    print(calc_passwd(serial))

1
2

abc@openwrt-build:~$ python calc_ax6s_pwd.py SN
00d135eb

The output is the telnet password

Telnet to connect to AX6S

First determine the IP address of the router before you can connect to the router. The router’s LAN address can be viewed through the management interface of the network to which the router is connected. For example, my router’s IP address is: 192.168.0.121. Open a terminal and enter the following command.
telnet 192.168.0.121
Username: root Password: The password you just calculated

After successful login, execute:

1
2
3

nvram set ssh_en=1 && nvram set uart_en=1 && nvram set boot_wait=on && nvram set bootdelay=3 && nvram set flag_try_sys1_failed=0 && nvram set flag_try_sys2_failed=1
nvram set flag_boot_rootfs=0 && nvram set "boot_fw1=run boot_rd_img;bootm" && nvram set flag_boot_success=1 && nvram commit 
/etc/init.d/dropbear enable && /etc/init.d/dropbear start

After successful execution, the scp service will be opened, and the scp service will be used to upload the firmware to the router.

Upload firmware

Windows uses winscp software to connect to the router, upload the file openwrt-mediatek-mt7622-xiaomi_redmi-router-ax6s-squashfs-factory.bin compiled in the above steps to the /tmp/ directory, and rename it to the factory.bin file

Flash firmware

Use the following command in the telnet window to flash the firmware

1

mtd -r write /tmp/factory.bin firmware

After the flashing is completed, the router will restart. After the restart is completed, the default information is as follows:
IP address: 192.168.1.1
USER: root
Password: password

Recover after flashing problems

• Download Xiaomi Router Repair Tool
  https://bigota.miwifi.com/xiaoqiang/tools/MIWIFIRepairTool.x86.zip

• How to use
  There is no ax6s among the supported models, but it is available for personal testing. The PC-side repair tool requires system permissions to change the network card configuration, and the anti-virus application must be closed before it can be used.
  https://web.vip.miui.com/page/info/mio/mio/detail?postId=19134127&app_version=dev.20051