Ax3000 SSH / WIFI* Manual


image

image

STEP 1 (Create Bug) STEP 2 (FIRST INSTRUCTION) STEP 3 (SECOND INSTRUCTION) STEP 4 (THIRD INSTRUCTION) STEP 5 (FOURTH INSTRUCTION) STEP 6 (EXTRACT ROOT CODE) STEP 7 (AWAKEN TELNET) STEP 8 (INCREASE POWER)

MANUAL XIAOMI AX3000 root SSH / WIFI *

(Last edited on 12/06/2023)

Tutorial created by @Elchotovolador and edited by @JuanMa_89:


image

Product Information

image

Let's Get Started

  • You will need your Global AX3000 Router plus another Xiaomi router compatible with mesh (can be another Ax3000, AX3600, AX1800, AX3200 preferably with Global Rom). We will call the router that will be mesh "Xiaomi"
    You will also need 2 LAN cables and this tutorial MUST be done by cable since WIFI will not work when entering the commands.
  • Let's start, give a "button press or a factory reset to both routers"
  • Now once both are reset, we go to "Xiaomi" and configure it WITHOUT INTERNET from the mobile phone or from the PC (but without internet) with it we enter pressing the wifi and it will appear, it will tell us that there is no wan cable, we click under the big blue button and it will let us configure it with DHCP. Once the "Xiaomí" is configured.

    • image

    image

    image

    image

image

Step 1 (CREATE BUG)

!!!WARNING!!! EACH INSTRUCTION CHANGES THE STOCK

  • Factory reset the first AX3000(1) configure DHCP without connecting any cable to it and configure by wifi.
    - Reset the ax3000(1) without a cable to the PC is done by wifi

    image

    - Configure everything with the wifi until you do the dhcp (with no cable connected to anything)
  • Now connect the Lan 1 AX3000(1) to the Wan (blue button) of the AX3000(2), let them mesh and create the bug.
  • Connect the PC to Lan2 AX3000(1) and give it internet with the ONT or Router in bridge mode to the Wan (blue button) AX3000(1) so that the router breaks the protection of the ¨crash partition.
  • Enter the web 192.168.31.1 once you enter and log in, next step.
  • Reset the AX3000(2) and it will automatically perform the mesh.

image

Step 2 (FIRST INSTRUCTION)

  • A txt file with the instructions in plain format will be provided. http://192.168.31.1 search for {token} each instruction changes it.
    (Replace {token} with your stock number)
    - Warning, by entering this command the Router will lose wifi, you have been warned, this only works with a LAN cable.
    - ***verify netmode 4***
    - http://192.168.31.1/cgi-bin/luci/;stok={token}/api/xqnetwork/get_netmode
    - It would look like this with your STOCK:
    - http://192.168.31.1/cgi- bin/luci/;stok=7a92a180a3986a6d7fec16b555ebf09b/api/xqnetwork/get_netmode

    image

image

STEP 3 (SECOND INSTRUCTION)

  • DO NOT CHANGE {token} IN THIS INSTRUCTION. OPEN A NEW BROWSER TAB.
    - Be careful, after this command the Router will have no Wi-Fi, you are warned, this only works with a LAN cable.
    http://192.168.31.1/cgi-bin/luci/;stok={token}/api/misystem/set_sys_time?timezone=%20%27%20%3B%20zz%3D%24%28dd%20if%3D%2Fdev%2Fzero%20bs%3D1%20count%3D2%202%3E%2Fdev%2Fnull%29%20%3B%20#printf%20%27%A5Z%25c%25c%27%20%24zz%20%24zz%20%7C%20mtd%20write%20-%20crash%20%3B%20
    - It would look like this with your STOCK:
    http://192.168.31.1/cgi-bin/luci/;stok=7a92a180a3986a6d7fec16b555ebf09b/api/misystem/set_sys_time?timezone=%20%27%20%3B%20zz%3D%24%28dd%20if%3D%2Fdev%2Fzero%20bs%3D1%20count%3D2%202%3E%2Fdev%2Fnull%29%20%3B%20#printf%20%27%A5Z%25c%25c%27%20%24zz%20%24zz%20%7C%20mtd%20write%20-%20crash%20%3B%20
    - Wait 10 seconds, and from the Router's web interface RESTART THE ROUTER, closing the previous two windows.
    - Once it has restarted, one light will not work and there will be no functional Wi-Fi: Proceed to the next step.

image

STEP 4 (THIRD INSTRUCTION)

  • Once it has restarted, one light will not work (the Wi-Fi light) and there will be no functional Wi-Fi:
    - Log in again at http://192.168.31.1 and wait for the bug to take effect.
    - Return with the {token} again as it will have changed.
    http://192.168.31.1/cgi-bin/luci/;stok={token}/api/misystem/set_sys_time?timezone=%20%27%20%3b%20mtd%20erase%20crash%20%3b%20
    - It would look like this with your STOCK:
    http://192.168.31.1/cgi-bin/luci/;stok=a1dd179f2807ee9d7940058017f088c8/api/misystem/set_sys_time?timezone=%20%27%20%3B%20mtd%20erase%20crash%20%3B%20
    - Now open a third tab in the browser without anything and put this instruction:
    http://192.168.31.1/cgi-bin/luci/;stok={token}/api/misystem/set_sys_time?timezone=%20%27%20%3b%20mtd%20erase%20crash%20%3b%20
    - It would look like this with your STOCK:
    http://192.168.31.1/cgi-bin/luci/;stok=a1dd179f2807ee9d7940058017f088c8/api/misystem/set_sys_time?timezone=%20%27%20%3b%20mtd%20erase%20crash%20%3b%20
    - You will have 3 windows open, 1 the router's and two with code 0 (if all goes well)
    - Count to 20 and restart the router from the web with the 3 windows open and then you can close them.

image

STEP 5 (FOURTH INSTRUCTION)

  • THIS ONE GOES WITHOUT {token}
    - Log in again at http://192.168.31.1
    - Enter the following command, which is the most important as it will tell us that we have root access on the AX3000:
    http://192.168.31.1/cgi-bin/luci/api/xqsystem/bdata
    - WRONG - CORRECT - If you see lines in the browser "ssh_en":"1"..."telnet_en":"1"..."uart_en":"1"…
    - Everything went well, now you need to reset the Router and you can wake up SSH via telnet.
    - YOU NOW HAVE ACCESS VIA TELNET.-

image

STEP 6 (GET ROOT CODE)

image

STEP 7 (WAKE UP TELNET)

  • Open PuTTY to wake up Telnet.
    - Username: root Password: rootcode
    - Now from Telnet to wake up SSH
    sed -i 's/channel=.*/channel="debug"/g' /etc/init.d/dropbear
    /etc/init.d/dropbear start
    - If SSH does not start but Telnet does, you will have to wake it up with these lines in Telnet
    sed -i 's/channel=.*/channel="debug"/g' /etc/init.d/dropbear nvram set ssh_en=1
    nvram commit
    /etc/init.d/dropbear start
    - Username: root Password: root code
    - *******NOW IT'S TIME TO CONFIGURE IT FOR EACH HOME************* Now, RESET (be aware, you will have to reconfigure the router from scratch)

image

STEP 8 (INCREASE POWER)

  • *** CHANGE WIFI ANTENNAS POWER AX3000 ****
    - Parameters to know the power with PuTTY as standard
    iwinfo wl0 txpowerlist
    iwinfo wl1 txpowerlist

    - FACTORY POWER IN AX3000 ANTENNAS
  • CHANGING PARAMETERS TO INCREASE POWER IN AX3000
    - Open SSH -PuTTY
    uci set wireless.wifi0.country=EU
    uci set wireless.wifi1.country=EU
    uci commit wireless
     - Open WinSCP and modify the file with notepad *path- /etc/rc.local
    - Path WinSCP
    - /etc/rc.local rc.local
    - Modify rc.local (without country) as shown in the image:
    (sleep 60;iwconfig wl0 txpower 26;iwconfig wl1 txpower 28;uci commit wireless)&
    *******************YOU NEED TO RESTART WITH PUTTY BY SSH ***********************
  • METHOD:
    - Then, save the line and restart the router by typing the command Reboot
    (not a hard reset, nor a rear button reset)
    - After a couple of minutes, the system light turns white and you can enter the router with PuTTY.
    - Check if the power change of the WIFI antennas has been made from PuTTY.
    - Then, type the following commands, one by one, to verify that indeed, the powers are correct:
    iwlist wl0 txpower
    iwlist wl1 txpower
    - At this point, you should see 23 and 28 dBm respectively, which means our AX3000 is emitting at full power.
  • IMPORTANT NOTE:
    - This method withstands reboots and power outages (if your house's power goes out). If you flash, update the firmware, make a factory reset, or press the rear button, you will have to repeat the process.

image

image


Xiaohack Chatbot Asistente XiaoHack

Xiaohack V 3.2 | © Copyright 2023 | Musk Logo