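Unlocking the AX9000 is similar to unlocking the AX6 but differs in places. There are few AX9000 tutorials online, so after succeeding I wrote this post to share and archive the process.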

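Preparation

1. Devices and files

  • A computer with an Ethernet port, and several Ethernet cables
  • Helper router: a spare wireless-capable device already running OpenWrt (spare, because it will be reset to factory settings)
  • Xiaomi official firmware, version 1.0.108
  • AX9000 OpenWrt factory snapshot firmware [1]
  • The sysupgrade .bin firmware you actually intend to flash; a third-party-maintained build with NSS hardware acceleration is recommended [2]

2. Device preparation

2.1. Helper router

  1. Reset the spare OpenWrt device to factory settings, connect it to the computer with an Ethernet cable, and log in to the console directly over SSH
    ssh root@192.168.1.1
    
  2. Change to the /tmp directory and create the file run.sh
    cd /tmp
    vi run.sh
    
  3. Press i to enter insert mode, write the following content [3], press ESC to leave insert mode, and save with :wq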
    #!/bin/ash
    # SPDX-License-Identifier: GPL-3.0-only
    #
    # Copyright (C) 2021 Robert Marko <robimarko@gmail>
    # Copyright (C) 2021 Tianling Shen <cnsztl@immortalwrt>
    # Copyright (C) 2024 Fumiama Minamoto <fumiama@foxmail>
    #
    # Original thread: https://forum.openwrt/t/openwrt-support-for-xiaomi-ax9000/98908/34
    
    error_font="\033[31m[Error]\033[0m"
    info_font="\033[36m[Info]\033[0m"
    success_font="\033[32m[Success]\033[0m"
    warning_font="\033[33m[Warning]\033[0m"
    
    echo -e "${warning_font} Please make sure your router has wireless support!"
    echo -e "${warning_font} Please make sure your router is restored to factory settings (not configured)!"
    echo -e "${warning_font} Please make sure you've backed up the network and wireless settings!"
    echo -e "${warning_font} Please make sure you've connected the router via *wired ethernet*!"
    echo -e "${warning_font} Running this script will change your *network* settings!"
    read -p "Use Ctrl+C to exit or press enter key to continue..."
    
    echo -e ""
    echo -e "${info_font} Adding xqsystem controller..."
    cat > "/usr/lib/lua/luci/controller/admin/xqsystem.lua" <<EOF
    module("luci.controller.admin.xqsystem", package.seeall)
    
    function index()
        local page   = node("api")
        page.target  = firstchild()
        page.title   = ("")
        page.order   = 100
        page.index = true
        page   = node("api","xqsystem")
        page.target  = firstchild()
        page.title   = ("")
        page.order   = 100
        page.index = true
        entry({"api", "xqsystem", "token"}, call("getToken"), (""), 103, 0x08)
    end
    
    local LuciHttp = require("luci.http")
    
    function getToken()
        local result = {}
        result["code"] = 0
        result["token"] = "; nvram set ssh_en=1; nvram set uart_en=1; nvram set boot_wait=on; nvram commit; uci set wireless.@wifi-iface[0].key=\`mkxqimage -I\`; uci commit; sed -i 's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear; /etc/init.d/dropbear start;"
        LuciHttp.write_json(result)
    end
    EOF
    
    echo -e "${info_font} Changing network settings..."
    set -x
    uci set dhcp.lan.ignore='1'
    uci set network.lan.ipaddr='169.254.31.1'
    uci set wireless.@wifi-iface[0].ssid='MEDIATEK-ARM-IS-GREAT'
    uci set wireless.@wifi-iface[0].encryption='psk2+ccmp'
    uci set wireless.@wifi-iface[0].key='ARE-YOU-OK'
    uci set wireless.@wifi-iface[0].mode='ap'
    uci set wireless.@wifi-iface[0].network='LAN lan'
    uci -q commit
    set +x
    
    echo -e "${success_font} All settings are applied.\n"
    echo -e "${info_font} Please now disconnect from this router, and connect to your Xiaomi AX9000."
    echo -e "${info_font} Then open your browser, access the following URL:"
    echo -e "       http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/xqsystem/extendwifi_connect_inited_router?ssid=MEDIATEK-ARM-IS-GREAT&password=ARE-YOU-OK&encryption=WPA2PSK&enctype=CCMP&admin_username=root&admin_password=admin&admin_nonce=xxx"
    echo -e "${info_font} If the return code is 0, now you can connect to your AX9000 via SSH."
    echo -e "${info_font} SSH login password is 5GHz wireless connection password."
    echo -e ""
    echo -e "${success_font} Thanks for usage."
    echo -e "          Staff: Robert Marko, Tianling Shen"
    
    echo -e ""
    echo -e "${warning_font} Restarting network..."
    wifi reload >"/dev/null" 2>&1
    /etc/init.d/network restart >"/dev/null" 2>&1
    
  4. Make the file executable
    chmod +x run.sh
    

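2.2. Target router

Flash Xiaomi official firmware version 1.0.108 without keeping the configuration, and set any password.

Enable SSH

  1. Run on the helper device
    ./run.sh
    
    The SSH session will then drop by itself; ignore that. Keep the device powered on; the Ethernet cable can be unplugged.
  2. Log in to the web admin page of the router to be flashed and copy the <STOK> value (the hexadecimal string between ;stok= and /web in the address bar)
  3. In the same browser, open the link below, remembering to replace <STOK>
    http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/xqsystem/extendwifi_connect_inited_router?ssid=MEDIATEK-ARM-IS-GREAT&password=ARE-YOU-OK&encryption=WPA2PSK&enctype=CCMP&admin_username=root&admin_password=admin&admin_nonce=xxx
    
  4. On success a JSON string is returned whose code field is 0. SSH is now enabled and the 5G WiFi password has been changed to the SSH root user's password, which you can view in the admin page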

Flash the factory firmware

  1. Log in to the router to be flashed with the password obtained above
    ssh root@192.168.31.1
    
  2. Once login is confirmed, use scp to copy the factory snapshot firmware to the router's /tmp directory
    scp openwrt-qualcommax-ipq807x-xiaomi_ax9000-initramfs-factory.ubi root@192.168.31.1:/tmp
    
  3. Check which partition the current system is on: 0 means rootfs, 1 means rootfs_1
    nvram get flag_boot_rootfs
    
  4. Check which mtd device each partition maps to
    cat /proc/mtd
    
    Note: make sure mtd21 corresponds to rootfs and mtd22 corresponds to rootfs_1
  5. If step 3 returned 0, run
    ubiformat /dev/mtd22 -y -f /tmp/openwrt-qualcommax-ipq807x-xiaomi_ax9000-initramfs-factory.ubi -s 2048 -O 2048 && nvram set flag_boot_rootfs=1 && nvram set flag_last_success=1 && nvram commit
    
  6. If step 3 returned 1, run
    ubiformat /dev/mtd21 -y -f /tmp/openwrt-qualcommax-ipq807x-xiaomi_ax9000-initramfs-factory.ubi -s 2048 -O 2048 && nvram set flag_boot_rootfs=0 && nvram set flag_last_success=0 && nvram commit
    
  7. Reboot the router
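
An added example, not part of the original post: a POSIX shell helper for steps 3 to 6 that refuses to continue unless /proc/mtd shows mtd21 as rootfs and mtd22 as rootfs_1, then prints the inactive slot's device and the flag value to set. The function names (mtd_name, pick_slot, sample_mtd), the `live` argument and the sample table are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: choose the inactive rootfs slot for steps 3-6 and refuse to
# continue if /proc/mtd does not match the layout the guide assumes.

# mtd_name FILE DEV -> prints the partition name of DEV (e.g. mtd21) from a
# /proc/mtd-format file; prints nothing if DEV is absent.
mtd_name() {
    awk -v dev="$2:" '$1 == dev { gsub(/"/, "", $4); print $4 }' "$1"
}

# pick_slot FLAG MTD_FILE -> prints "<device> <new flag value>" for the
# inactive slot, or returns non-zero with a message on stderr.
pick_slot() {
    flag=$1 mtd_file=$2
    # The guide's precondition: mtd21 is rootfs and mtd22 is rootfs_1.
    if [ "$(mtd_name "$mtd_file" mtd21)" != "rootfs" ] ||
       [ "$(mtd_name "$mtd_file" mtd22)" != "rootfs_1" ]; then
        echo "mtd21/mtd22 are not rootfs/rootfs_1; do not flash" >&2
        return 1
    fi
    case "$flag" in
        0) echo "/dev/mtd22 1" ;;   # running from rootfs, write rootfs_1
        1) echo "/dev/mtd21 0" ;;   # running from rootfs_1, write rootfs
        *) echo "unexpected flag_boot_rootfs: '$flag'" >&2; return 1 ;;
    esac
}

# Constructed sample in /proc/mtd format (sizes are made up), for a dry run.
sample_mtd() {
    cat <<'EOF'
dev:    size   erasesize  name
mtd20: 00400000 00020000 "kernel"
mtd21: 023c0000 00020000 "rootfs"
mtd22: 023c0000 00020000 "rootfs_1"
EOF
}

# On the router itself, run: sh pick_slot.sh live
if [ "${1:-}" = "live" ]; then
    choice=$(pick_slot "$(nvram get flag_boot_rootfs)" /proc/mtd) || exit 1
    echo "target=${choice% *} new_flag=${choice#* }"
fi
```

The printed device goes into the ubiformat command, and the printed flag value is what both flag_boot_rootfs and flag_last_success are set to in steps 5 and 6.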

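Flash the final OpenWrt firmware

If the LuCI web page is directly reachable, flash from that page. If it is not, use scp to copy the corresponding sysupgrade.bin file to /tmp, flash it with the sysupgrade -n command, and then reboot.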


  1. [OpenWrt Wiki] Xiaomi Mi Router AX9000 - https://openwrt/toh/xiaomi/ax9000

  2. [OpenWrt Wiki] Xiaomi Mi AIoT Router AX3600 - https://openwrt/toh/xiaomi/ax3600

  3. [Zhihu] Installing an OpenWrt dual system on the Xiaomi AX9000 - https://zhuanlan.zhihu/p/427734325
