Redmi AX6S router: the whole process from custom OpenWrt compilation to flashing

This post describes the whole process in detail: custom-compiling OpenWrt, cracking the Redmi AX6S router, and finally flashing it with the self-compiled OpenWrt.

AX6S hardware configuration

CPU: MediaTek MT7622B, 2 cores, A53
Flash: 128MB NAND
RAM: 256MB
https://www.mi.com/global/product/xiaomi-router-ax3200/

OpenWrt custom compilation for AX6S

Install compilation dependencies

sudo apt update -y
sudo apt full-upgrade -y
sudo apt install -y ack antlr3 asciidoc autoconf automake autopoint binutils bison build-essential \
bzip2 ccache cmake cpio curl device-tree-compiler fastjar flex gawk gettext gcc-multilib g++-multilib \
git gperf haveged help2man intltool libc6-dev-i386 libelf-dev libglib2.0-dev libgmp3-dev libltdl-dev \
libmpc-dev libmpfr-dev libncurses5-dev libncursesw5-dev libreadline-dev libssl-dev libtool lrzsz \
mkisofs msmtp nano ninja-build p7zip p7zip-full patch pkgconf python2.7 python3 python3-pip libpython3-dev qemu-utils \
rsync scons squashfs-tools subversion swig texinfo uglifyjs upx-ucl unzip vim wget xmlto xxd zlib1g-dev

Download source code, update feeds and select configuration

git clone https://github.com/coolsnowwolf/lede
cd lede
./scripts/feeds update -a
./scripts/feeds install -a
make menuconfig
  1. Select Target Profile

  2. Select LuCI -> Applications ->

[ * ] means selected
[ ] not selected
< M > compiled as a module

Common applications

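| Name | Menu location | Description |
| --- | --- | --- |
| luci-app-adbyby-plus | Services -> Adbyby Plus+ | Lets every device on the same network benefit from ad blocking |
| luci-app-aliddns | Services -> AliDDNS | Alibaba DDNS resolution |
| luci-app-ddns | Services -> Dynamic DNS | Dynamic DNS; does not support AliDDNS |
| luci-app-autoreboot | System -> Scheduled Reboot | Lets you schedule reboots |
| luci-app-arpbind | Network -> IP/MAC Binding | Binds IP/MAC |
| luci-app-filetransfer | System -> File Transfer | Transfers files to the OpenWrt file system |
| luci-app-firewall | Network -> Firewall | Firewall |
| luci-app-frpc | Services -> Frp NAT traversal | Frp NAT traversal client |
| luci-app-frps | Services -> Frps | Frp NAT traversal server |
| luci-app-guest-wifi | Network -> Guest Network | WiFi guest network |
| luci-app-nlbwmon | Bandwidth Monitor | Includes everything under the Bandwidth Monitor menu |
| luci-app-qos | Network -> QoS | Quality of service; sets priorities for different classes of traffic |
| luci-app-ssr-plus | Services -> ShadowSocksR Plus+ | Proxy access for bypassing network restrictions; you can choose the plugins you need |
| luci-app-turboacc | Network -> Turbo ACC network acceleration settings | Network acceleration |
| luci-app-unblockmusic | No menu | Unlocks NetEase Cloud Music |
| luci-app-upnp | Services -> UPnP | Universal Plug and Play (UPnP) |
| luci-app-vlmcsd | Services -> KMS Server | Microsoft product activation server |
| luci-app-wireguard | Network -> Interfaces (configuration) | The connection status can be viewed under Status -> WireGuard Status |
| luci-app-wol | Services -> Wake on LAN | Wake on LAN |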

Select the required functions and save them. Exit after selecting all.

make download -j8
make V=s -j1

After compilation is completed successfully, the compiled firmware is located at: ~/lede/bin/targets/mediatek/mt7622/

For the first flash, use openwrt-mediatek-mt7622-xiaomi_redmi-router-ax6s-squashfs-factory.bin
To upgrade from within an OpenWrt system, use openwrt-mediatek-mt7622-xiaomi_redmi-router-ax6s-squashfs-sysupgrade.bin
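
A check worth running on the build host before the image is uploaded, given here as an added example that is not part of the original post: it confirms that the file chosen for the first flash is the factory image and that its SHA-256 digest matches the manifest. It assumes the build wrote a sha256sums file next to the images, as the OpenWrt build system does; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify a built image against the sha256sums manifest
# before uploading it to the router.
# Usage: sh <this script> <image directory> <image file name>

# expected_digest MANIFEST IMAGE_NAME -> prints the digest recorded for IMAGE_NAME
expected_digest() {
    # Manifest lines look like "<hex digest> *<file name>" (the "*" is optional).
    awk -v name="$2" '{ f = $2; sub(/^\*/, "", f)
                        if (f == name) { print $1; exit } }' "$1"
}

# verify_image DIR IMAGE_NAME -> 0 on match, 1 on mismatch, >1 on usage errors
verify_image() {
    dir=$1; name=$2
    case "$name" in
        *-squashfs-factory.bin) ;;   # the first flash uses the factory image
        *) echo "refusing: $name is not a factory image" >&2; return 2 ;;
    esac
    [ -f "$dir/$name" ] || { echo "missing image: $dir/$name" >&2; return 3; }
    [ -f "$dir/sha256sums" ] || { echo "missing manifest in $dir" >&2; return 3; }

    want=$(expected_digest "$dir/sha256sums" "$name")
    [ -n "$want" ] || { echo "no manifest entry for $name" >&2; return 4; }

    have=$(sha256sum "$dir/$name" | awk '{ print $1 }')
    if [ "$want" = "$have" ]; then
        echo "OK $have $name"
    else
        echo "MISMATCH want=$want have=$have" >&2
        return 1
    fi
}

# Run the check only when arguments are supplied on the command line.
[ $# -eq 0 ] || verify_image "$@"
```

The digest printed on success can be compared again after the upload, so that a truncated or altered copy in /tmp/ is caught before it is written to flash.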

Crack and flash AX6S

Flash the Redmi test firmware

You can connect to the AX6S through telnet for the subsequent operations only after flashing the test firmware. The test firmware is miwifi_rb03_firmware_stable_1.2.7.bin.

Calculate telnet password

The router's serial number (SN) is required to calculate the password. It can be found on the label on the back of the device, and also in the background management interface.
Many of the websites that calculated the password have expired. You can run the following Python program to calculate it yourself:

#!/usr/bin/env python3
import sys
import hashlib

if sys.version_info < (3,7):
    print("python version is not supported", file=sys.stderr)
    sys.exit(1)

# credit goes to zhoujiazhao:
# https://blog.csdn.net/zhoujiazhao/article/details/102578244

salt = {'r1d': 'A2E371B0-B34B-48A5-8C40-A7133F3B5D88',
        'others': 'd44fb0960aa0-a5e6-4a30-250f-6d2df50a'}


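def get_salt(sn):
    # Serial numbers without a "/" use the 'r1d' salt as-is.
    if "/" not in sn:
        return salt["r1d"]

    # All others: reverse the order of the dash-separated groups of the salt.
    return "-".join(reversed(salt["others"].split("-")))


def calc_passwd(sn):
    # Password = first 8 hex characters of MD5(serial number + salt).
    passwd = sn + get_salt(sn)
    m = hashlib.md5(passwd.encode())
    return m.hexdigest()[:8]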


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <S/N>")
        sys.exit(1)

    serial = sys.argv[1]
    print(calc_passwd(serial))
abc@openwrt-build:~$ python calc_ax6s_pwd.py SN
00d135eb

The output is the telnet password

Telnet to connect to AX6S

First determine the router's IP address so that you can connect to it. The router's LAN address can be viewed in the management interface of the network to which the router is connected. For example, my router's IP address is 192.168.0.121. Open a terminal and enter the following command:
telnet 192.168.0.121
Username: root. Password: the password you just calculated.

After successful login, execute:

nvram set ssh_en=1 && nvram set uart_en=1 && nvram set boot_wait=on && nvram set bootdelay=3 && nvram set flag_try_sys1_failed=0 && nvram set flag_try_sys2_failed=1
nvram set flag_boot_rootfs=0 && nvram set "boot_fw1=run boot_rd_img;bootm" && nvram set flag_boot_success=1 && nvram commit 
/etc/init.d/dropbear enable && /etc/init.d/dropbear start

After these commands succeed, the SSH service (dropbear) is running, so scp is available and is used to upload the firmware to the router.

Upload firmware

On Windows, use WinSCP to connect to the router, upload the file openwrt-mediatek-mt7622-xiaomi_redmi-router-ax6s-squashfs-factory.bin compiled in the steps above to the /tmp/ directory, and rename it to factory.bin.

Flash firmware

Use the following command in the telnet window to flash the firmware

mtd -r write /tmp/factory.bin firmware

After the flashing is completed, the router will restart. After the restart is completed, the default information is as follows:
IP address: 192.168.1.1
USER: root
Password: password

Recover after flashing problems
