小米AX3600/红米AX6原厂固件解锁/刷机/挂载Overlay/硬改扩容1G

硬件参数

工具文件下载

AX6-AX3600

AX3600解锁SSH

• 降级1.0.17固件

• 登录192.168.31.1后台，复制STOK

• 构造第一个请求：

  http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B%20nvram%20set%20ssh_en%3D1%3B%20nvram%20commit%3B%20sed%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%5C%22debug%5C%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear%3B%20%2Fetc%2Finit.d%2Fdropbear%20start%3B
  

• 构造第二个请求：

  http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B%20echo%20-e%20'admin%5Cnadmin'%20%7C%20passwd%20root%3B
  

• 此时SSH已打开，用户名root密码admin

• 固化SSH和Telnet可使用以下工具：mitool_arm64

  mitool_arm64 unlock //解锁mtd
  mitool_arm64 hack  //修改mtd9，固化ssh和telnet
  

AX3600无损扩容

参考：Xiaomi AX3600 免拆机搞事 - OpenWrt开发者之家

AX6解锁SSH和Telnet

• 准备另一台Openwrt路由器

• 下载工具和脚本：https://github.com/shell-script/unlock-redmi-ax3000

• 上传wireless.sh至Openwrt路由器并执行，成功后可以搜到MEDIATEK-ARM-IS-GREAT 这个WiFi SSID

• 使用有线网线连接AX6，登录192.168.31.1 ，复制STOK值

• 替换STOK值，构造URL并执行：

  192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/extendwifi_connect?ssid=MEDIATEK-ARM-IS-GREAT&password=ARE-YOU-OK
  

• 构造第二个URL：

  192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/xqsystem/oneclick_get_remote_token?username=xxx&password=xxx&nonce=xxx
  

• 此时SSH已经打开，用户名root密码admin

• 固化SSH和Telnet需要上传fuckax3000和ax3000.sh到/etc目录，并执行

  sh /etc/ax3000.sh dump
  sh /etc/ax3000.sh unlock
  sh /etc/ax3000.sh hack
  

• 升级后丢失SSH，Telnet进入AX6后执行：

  sed -i 's/channel=.*/channel="debug"/g' /etc/init.d/dropbear
  /etc/init.d/dropbear start
  

AX6挂载OverlayFS

AX6硬件上搭载128MB NAND，可以直接挂载，无需像AX3600那样修改uboot：

sh /etc/ax3000.sh mount
sh /etc/ax3000.sh keep

⚠️注意：评论里有小伙伴反馈mount overlay之后可用空间只有20多M的问题，这是因为小米为了OTA采用AB分区的方式，且官方固件使用的空间较小，没有把整个NAND用起来，如果需要研究扩容分区表刷入更大的Openwrt或者QSDK固件，请参考：记一次红米AX6的解锁刷机扩容过程

AX3600 AX6硬改1G内存

• 颗粒类型：镁光D9STQ，单晶1G

• 工具：热风枪，助焊剂，镊子

• 方法：加一圈焊油，400度50%风速吹30s左右，轻轻取下原有512M内存，然后烙铁清理焊盘，加焊油，放上新的内存颗粒，再用热风枪吹至自动归位即可

开机后需要刷写cdt才可以识别1G内存，cdt刷写方法：

mtd write /tmp/cdt-AX6-AX3600-1G.bin /dev/mtd5

Misc

• ssh默认密码可从SN计算得到：ssh默认密码计算工具地址

• 小米官方系统基于Openwrt 18.06 SNAPSHOT版本构建，当前可用的opkg源：

  src/gz openwrt_base http://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/base 
  src/gz openwrt_luci http://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/luci 
  src/gz openwrt_packages http://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/packages 
  src/gz openwrt_routing http://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/routing
  

  或者

  src/gz openwrt_base http://downloads.openwrt.org/releases/18.06.9/packages/aarch64_cortex-a53/base
  src/gz openwrt_luci http://downloads.openwrt.org/releases/18.06.9/packages/aarch64_cortex-a53/luci/
  src/gz openwrt_packages http://downloads.openwrt.org/releases/18.06.9/packages/aarch64_cortex-a53/packages/
  src/gz openwrt_routing http://downloads.openwrt.org/releases/18.06.9/packages/aarch64_cortex-a53/routing/
  

  opkg update && opkg install xxxx
  

  常用软件包：tmux iperf3 zerotier tailscale

• shellclash 安装：

  export url='https://cdn.jsdelivr.net/gh/juewuy/ShellClash@master' && sh -c "$(curl -kfsSl $url/install.sh)" && source /etc/profile &> /dev/null
  或者
  export url='https://cdn.jsdelivr.net/gh/juewuy/ShellClash@master' && wget -q --no-check-certificate -O /tmp/install.sh $url/install.sh  && sh /tmp/install.sh && source /etc/profile &> /dev/null
  

• Lucky 安装：

  curl -o /tmp/install.sh   http://www.daji.it:6/files/golucky.sh  && sh /tmp/install.sh http://www.daji.it:6/files 2.5.2