Firmware Change from Tower to Global



METHOD TO CHANGE THE FIRMWARE OF A CHINESE AX1800 (MORDOR TOWER) TO MAKE IT LIKE THE GLOBAL AX1800, WITH PERMANENT SSH AND UNLOCKED POWER

(Last edited on 02/06/2023)

(Xrepack Ax1800 method). Tutorial made by Zemerek and edited by @JuanMa_89:


IMPORTANT REQUIREMENTS:

The router must be VIRGIN, without any configuration. Therefore:
- The router must have the factory-default IP and SSID.
- The router must have the default administrative password (root), unique for each router.
- The router MUST HAVE INTERNET ACCESS VIA ETHERNET TO APPLY THIS METHOD; that is, we must connect the WAN port of the AX1800 with an Ethernet cable to a LAN port of your operator's router. It cannot be applied offline.

For this, reset it before starting (with the rear button) and do not configure anything on it, except what is necessary to enter the web environment for configuration.

These are the steps to follow, which will be explained in depth later:
- Locate the administrative password (root) of our AX1800 router.
- Reset our AX1800 router to factory settings (rear button press).
- Configure only what is necessary to enter the web environment for router settings.
- Flash and downgrade via the router's web interface to the vulnerable Chinese firmware 1.0.328.
- Flash again, via SSH, to the global1.bin firmware.


NECESSARY TOOLS:

  • Root Password: through the website https://xiaohack.es
  • Hackable Chinese firmware 1.0.328
  • Xrepack Global1.bin firmware
  • Putty
  • WinSCP
  • Temporary SSH Script

All necessary tools can be downloaded from here: https://xiaohack.es


STEP 1. (Let's find out your router's root password, and Flash/downgrade via web.)

  • We need your router's unknown and unique root password. To find out the one corresponding to your router, visit the website: https://xiaohack.es

  • Enter the SN (serial number) of your AX1800 to generate the root user password. Example: 266XX/E0P80XXXX

  • Open Notepad (Bloc de notas) and save the password generated on the website.

  • With the AX1800 router turned on, press the rear button for a few seconds, until the blue lights on the front disappear (hard-reset). This will eliminate any strange configurations that could cause issues later.

  • After the restart (it takes a couple of minutes), with the AX1800 turned on again, connect to the router's web environment via: http://192.168.31.1, and set the password to access the router's configuration with the root password obtained from http://xiaohack.es

  • Now it asks you to configure the Wi-Fi network. Do not change the SSID of the Wi-Fi network (leave it at the default), and for the Wi-Fi password, again use the one from the website http://xiaohack.es

  • Now we are going to manually downgrade to the hackable firmware, version 1.0.328, that we previously downloaded and saved on our PC's hard drive.

    To do this, go to:

    Settings > Status > Manually update

    Select the Firmware file, Version 1.0.328 that you previously downloaded to your PC's hard drive.

    The process will take a few minutes and the router will automatically restart. Do not disconnect the power during the process.

    Once restarted, reconnect to the router's web environment via: http://192.168.31.1, and you will see that everything is now in Chinese. Don't worry.

    Reconfigure the access password to the router again with the password from the website http://xiaohack.es

    Now it asks you to configure the Wi-Fi network. Do not change the SSID of the Wi-Fi network (leave it at the default), and for the Wi-Fi password, again use the one from the website http://xiaohack.es

    The router should now be working, in Chinese, with internet and Wi-Fi available.


STEP 2. (Achieve Temporary SSH with a Single Command)

Important notes:

  • The AX1800 router must have internet access to apply this method. Connect the WAN port of the AX1800 with an Ethernet cable to any LAN port of your operator's router.

  • Copy the text from the TEMPORARY SSH FILE THAT WE HAVE PREVIOUSLY DOWNLOADED.

  • Go to http://192.168.31.1 and log in.

  • Press F12 to open the browser console (it opens in the panel on the right).

  • Inside the console, press Ctrl + V to paste the copied text.

  • Press Enter and a window will open to enter the root password previously obtained on Xiaohack.es.

  • With this, you will have TEMPORARY SSH.


---Information---

  • REPACK AX1800 global 3.0.34 WITH ACTIVATED SSH AND MAX POWER
  • Updating ath drivers to the same version as 1.0.49
  • I did this using the scripts of the AX3600 repacks as a source, having to edit a lot of lines because they included junk code and the router became 'Paquito'.
  • It's intended for those who have a Chinese firmware with temporary SSH and are afraid to do the 'Permanent SSH' with hexadecimal.

STEP 3. (FLASHING)

  • Download the file:
    On Xiaohack.es it's in / files / Ax1800
  • Log in via SSH and execute the following command to see which partition the router is running from:

    nvram get flag_boot_rootfs

  • If it says 0, skip the next step. We want to start in partition 0.
  • If it says 1, enter the following commands so that it starts in partition 0.

    nvram set flag_last_success=0
    nvram set flag_boot_rootfs=0
    nvram commit
    reboot

  • Now, running from partition 0, open WinSCP and copy the file "global1.bin" to the /tmp folder.

  • Once it's copied, READ THIS:
    For safety, we run the cleaning command (given below) twice to clean the partition and avoid this error:

    ubiformat: 99 eraseblocks are supposedly empty
    ubiformat: warning!: only 189 of 288 eraseblocks have valid erase counter


    If we answer 'Y' and flash despite that error, we might need to resort to 'unbricking' to recover the router.
    That's why we format twice, so that the partition is 100% clean.
  • CLEANING/FORMATTING:

    - Check that "rootfs_1" is really mtd13. If it is on a different number, change mtd13 in the commands of the following steps to the number it is on.

    cat /proc/mtd

    - Continue with the cleaning (run it twice, as explained above).

    ubiformat /dev/mtd13 -y

  • FLASHING:

    ubiformat /dev/mtd13 -f /tmp/global1.bin -s 2048 -O 2048

  • Once it has finished, enter these commands to boot from partition 1:

    nvram set flag_last_success=1
    nvram set flag_boot_rootfs=1
    nvram commit
    reboot


  • Now we need to erase the overlay, a partition where Xiaomi stores our configuration and which will cause errors with the new ROM. So, after installing and rebooting into the repack partition, wait 1 or 2 minutes for it to start, then press the "reset" button on the router and this partition will be deleted.
  • SSH is ACTIVATED, THERE IS NO NEED TO ENABLE ANYTHING VIA TELNET. The password will be the one provided by the website Xiaohack.es when entering our serial number.

  • Open Putty and connect directly via SSH:
    - host: 192.168.31.1
    - user: root
    - password: (the one from Xiaohack)


    !!!ATTENTION!!!


    - SSH can get scrambled during the reset... if not, it wouldn't be the original firmware. IF THE XIAOHACK PASSWORD DOESN'T WORK, THE PASSWORD IS: password
    - Web link to settings: 192.168.31.1. Be careful if you connect it to another Xiaomi via DHCP, as it may automatically end up as 192.168.28.1 or 29.1 etc. (You can see the router's IP in your network gateway settings.)
    - Now you have 2 partitions: 0 with the vulnerable firmware that gave you SSH access, and 1 with the GLOBAL firmware of Xiaomi with active SSH.
    Important: Coming from open, we have seen that the firmware tends to make a mirror backup after days, hours, etc. (at least on the AX3600). Disable automatic updates on both partitions.
    - Here, nothing has been deactivated; it behaves like a "virgin Xiaomi firmware", only with SSH turned on. I haven't deactivated anything.
    - Test: LAN OK, WAN: OK, WIFI OK, MESH: OK, APP MiWifi: OK
    - If we have reached this far, we have completed the firmware, permanent SSH, and max power. Enjoy and tinker.
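
The partition checks in Step 3 (confirming with cat /proc/mtd that "rootfs_1" is really mtd13, and that we are running from partition 0) can be scripted instead of read by eye. The shell functions below are an added example, not part of the original tutorial: the function names are hypothetical and the partition table is constructed sample data. They resolve rootfs_1 by name, refuse to continue unless the router booted from partition 0, and detect the erase-counter warning quoted in Step 3.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Function names are
# hypothetical; the partition table below is constructed sample data.

# Read /proc/mtd-format text on stdin; print the mtd number of the
# partition named $1. Returns non-zero if no such partition exists.
mtd_index() {
    awk -v want="\"$1\"" '
        $NF == want { n = $1; gsub(/[^0-9]/, "", n); print n; found = 1 }
        END { exit !found }'
}

# $1 = output of `nvram get flag_boot_rootfs`; partition table on stdin.
# Prints the device to hand to ubiformat, or fails with a reason.
flash_target() {
    if [ "$1" != "0" ]; then
        echo "booted from partition '$1': switch to partition 0 first" >&2
        return 1
    fi
    idx=$(mtd_index rootfs_1) || { echo "rootfs_1 not found" >&2; return 1; }
    echo "/dev/mtd$idx"
}

# Read ubiformat output on stdin; succeed only if it does not contain the
# erase-counter warning quoted in the tutorial.
format_is_clean() {
    ! grep -q 'eraseblocks have valid erase counter'
}

# Constructed sample: a unit where rootfs_1 is NOT on mtd13.
SAMPLE_MTD='dev:    size   erasesize  name
mtd12: 023c0000 00020000 "rootfs"
mtd14: 023c0000 00020000 "rootfs_1"
mtd15: 01000000 00020000 "overlay"'

printf '%s\n' "$SAMPLE_MTD" | flash_target 0    # prints /dev/mtd14

# On the router, over the SSH session from Step 2:
#   dev=$(flash_target "$(nvram get flag_boot_rootfs)" < /proc/mtd) || exit 1
#   ubiformat "$dev" -y; ubiformat "$dev" -y 2>&1 | tee /tmp/fmt.log
#   format_is_clean < /tmp/fmt.log || exit 1   # stop before flashing
```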