AX9000破解过程与
AX6相似但有不同,网上有关AX9000的教程不多,因此在成功后写一篇文章分享存档。
准备
1. 设备和文件
- 带网口的电脑一台,网线若干
- 辅助路由器:闲置的带无线功能的已刷 OpenWrt 的设备(因为要恢复出厂设置)
- 小米官方固件 1.0.108 版本
- AX9000 OpenWrt 工厂快照固件
- 实际要刷入的系统升级
.bin固件,推荐第三方维护的 NSS 硬件加速版本
2. 设备预处理
2.1. 辅助路由器
- 将闲置的 OpenWrt 设备恢复出厂设置后用网线与电脑连接,直接用 SSH 登入控制台
ssh [email protected] - 切换到
/tmp目录下,新建文件run.sh``````cd /tmpvi run.sh - 按
i编辑,写入如下内容,ESC退出,:wq保存#!/bin/ash# SPDX-License-Identifier: GPL-3.0-only## Copyright (C) 2021 Robert Marko <[email protected]># Copyright (C) 2021 Tianling Shen <[email protected]># Copyright (C) 2024 Fumiama Minamoto <[email protected]>## Original thread: https://forum.openwrt.org/t/openwrt-support-for-xiaomi-ax9000/98908/34error_font="\033[31m[Error]\033[0m"info_font="\033[36m[Info]\033[0m"success_font="\033[32m[Success]\033[0m"warning_font="\033[33m[Warning]\033[0m"echo-e"${warning_font} Please make sure your router has wireless support!"echo-e"${warning_font} Please make sure your router is restored to factory settings (not configured)!"echo-e"${warning_font} Please make sure you've backed up the network and wireless settings!"echo-e"${warning_font} Please make sure you've connected the router via *wired ethernet*!"echo-e"${warning_font} Running this script will change your *network* settings!"read-p"Use Ctrl+C to exit or press enter key to continue..."echo-e""echo-e"${info_font} Adding xqsystem controller..."cat>"/usr/lib/lua/luci/controller/admin/xqsystem.lua"<<EOFmodule("luci.controller.admin.xqsystem", package.seeall)function index() local page = node("api") page.target = firstchild() page.title = ("") page.order = 100 page.index = true page = node("api","xqsystem") page.target = firstchild() page.title = ("") page.order = 100 page.index = true entry({"api", "xqsystem", "token"}, call("getToken"), (""), 103, 0x08)endlocal LuciHttp = require("luci.http")function getToken() local result = {} result["code"] = 0 result["token"] = "; nvram set ssh_en=1; nvram set uart_en=1; nvram set boot_wait=on; nvram commit; uci set wireless.@wifi-iface[0].key=\`mkxqimage -I\`; uci commit; sed -i 's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear; /etc/init.d/dropbear start;" LuciHttp.write_json(result)endEOFecho-e"${info_font} Changing network settings..."set-xuci setdhcp.lan.ignore='1'uci setnetwork.lan.ipaddr='169.254.31.1'uci set wireless.@wifi-iface[0].ssid='MEDIATEK-ARM-IS-GREAT'uci set wireless.@wifi-iface[0].encryption='psk2+ccmp'uci set wireless.@wifi-iface[0].key='ARE-YOU-OK'uci set wireless.@wifi-iface[0].mode='ap'uci set wireless.@wifi-iface[0].network='LAN lan'uci -q commitset +xecho-e"${success_font} All settings are applied.\n"echo-e"${info_font} Please now disconnect from this router, and connect to your Xiaomi AX9000."echo-e"${info_font} Then open your browser, access the following URL:"echo-e" http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/xqsystem/extendwifi_connect_inited_router?ssid=MEDIATEK-ARM-IS-GREAT&password=ARE-YOU-OK&encryption=WPA2PSKenctype=CCMP&admin_username=root&admin_password=admin&admin_nonce=xxx"echo-e"${info_font} If the return code is 0, now you can connect to your AX9000 via SSH."echo-e"${info_font} SSH login password is 5GHz wireless connection password."echo-e""echo-e"${success_font} Thanks for usage."echo-e" Staff: Robert Marko, Tianling Shen"echo-e""echo-e"${warning_font} Restarting network..."wifi reload >"/dev/null"2>&1/etc/init.d/network restart >"/dev/null"2>&1 - 为文件添加可执行权限
chmod +x run.sh
2.2. 目标路由器
不保留配置刷入小米官方 1.0.108 版本固件,随意设置一个密码。
开启 SSH
- 在辅助设备上运行
./run.sh此后 SSH 自行断开,不用理会,保持该设备通电,网线可以拔出。 - 登录待刷写设备网页管理,复制
<STOK>码(网址栏;stok=与/web之间的十六进制码) - 同浏览器访问下面的链接,记得替换
<STOK>``````http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/xqsystem/extendwifi_connect_inited_router?ssid=MEDIATEK-ARM-IS-GREAT&password=ARE-YOU-OK&encryption=WPA2PSKenctype=CCMP&admin_username=root&admin_password=admin&admin_nonce=xxx - 成功会返回一个
JSON字符串,其中code字段为0。此时SSH已打开且5G WiFi密码已被更改为SSH的root用户密码,可进入管理页查看
刷入工厂固件
- 使用上面获得的密码登入待刷写路由器
ssh [email protected] - 确认可以登入后,使用
scp拷贝工厂快照固件到路由器/tmp目录scp openwrt-qualcommax-ipq807x-xiaomi_ax9000-initramfs-factory.ubi [email protected]:/tmp - 查看当前系统所在分区,
0代表rootfs,1代表rootfs_1``````nvram get flag_boot_rootfs - 查看分区对应
mtd文件cat /proc/mtd注意:请确保mtd21对应rootfs,mtd22对应rootfs_1 - 如果第三步返回
0,执行ubiformat /dev/mtd22 -y-f /tmp/openwrt-qualcommax-ipq807x-xiaomi_ax9000-initramfs-factory.ubi -s2048-O2048&& nvram setflag_boot_rootfs=1&& nvram setflag_last_success=1&& nvram commit - 如果第三步返回
1,执行ubiformat /dev/mtd21 -y-f /tmp/openwrt-qualcommax-ipq807x-xiaomi_ax3600-initramfs-factory.ubi -s2048-O2048&& nvram setflag_boot_rootfs=0&& nvram setflag_last_success=0&& nvram commit - 重启路由器
刷入正式 OpenWrt 固件
如可以直接访问
luci
网页,在页面刷入即可。如无法访问,则还需要用
scp
拷贝对应
sysupgrade.bin
文件到
/tmp
,再用
sysupgrade -n
命令刷入后重启。
本文转载自: https://blog.csdn.net/u011570312/article/details/141259096
版权归原作者 源文雨 所有, 如有侵权,请联系我们删除。
版权归原作者 源文雨 所有, 如有侵权,请联系我们删除。