23 / 12 / 20

小米AX3600/红米AX6原厂固件解锁/刷机/挂载Overlay/硬改扩容1G

硬件参数

工具文件下载

AX6-AX3600

AX3600解锁SSH

  • 降级1.0.17固件

  • 登录192.168.31.1后台,复制STOK

  • 构造第一个请求:

    http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B%20nvram%20set%20ssh_en%3D1%3B%20nvram%20commit%3B%20sed%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%5C%22debug%5C%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear%3B%20%2Fetc%2Finit.d%2Fdropbear%20start%3B

  • 构造第二个请求:

    http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B%20echo%20-e%20'admin%5Cnadmin'%20%7C%20passwd%20root%3B

  • 此时SSH已打开,用户名root密码admin

  • 固化SSH和Telnet可使用以下工具:mitool_arm64 

    mitool_arm64 unlock //解锁mtd
mitool_arm64 hack  //修改mtd9,固化ssh和telnet

AX3600无损扩容

参考:Xiaomi AX3600 免拆机搞事 - OpenWrt开发者之家

AX6解锁SSH和Telnet

  • 准备另一台Openwrt路由器

  • 下载工具和脚本:https://github.com/shell-script/unlock-redmi-ax3000

  • 上传wireless.sh至Openwrt路由器并执行,成功后可以搜到MEDIATEK-ARM-IS-GREAT 这个WiFi SSID

  • 使用有线网线连接AX6,登录192.168.31.1 ,复制STOK

  • 替换STOK值,构造URL并执行:

    192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/extendwifi_connect?ssid=MEDIATEK-ARM-IS-GREAT&password=ARE-YOU-OK

  • 构造第二个URL:

    192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/xqsystem/oneclick_get_remote_token?username=xxx&password=xxx&nonce=xxx

  • 此时SSH已经打开,用户名root密码admin

  • 固化SSH和Telnet需要上传fuckax3000ax3000.sh到/etc目录,并执行

    sh /etc/ax3000.sh dump
sh /etc/ax3000.sh unlock
sh /etc/ax3000.sh hack

  • 升级后丢失SSH,Telnet进入AX6后执行:

    sed -i 's/channel=.*/channel="debug"/g' /etc/init.d/dropbear
/etc/init.d/dropbear start

AX6挂载OverlayFS

AX6硬件上搭载128MB NAND,可以直接挂载,无需像AX3600那样修改uboot:

sh /etc/ax3000.sh mount
sh /etc/ax3000.sh keep

⚠️注意:评论里有小伙伴反馈mount overlay之后可用空间只有20多M的问题,这是因为小米为了OTA采用AB分区的方式,且官方固件使用的空间较小,没有把整个NAND用起来,如果需要研究扩容分区表刷入更大的Openwrt或者QSDK固件,请参考:记一次红米AX6的解锁刷机扩容过程

AX3600 AX6硬改1G内存

  • 颗粒类型:镁光D9STQ,单晶1G

  • 工具:热风枪,助焊剂,镊子

  • 方法:加一圈焊油,400度50%风速吹30s左右,轻轻取下原有512M内存,然后烙铁清理焊盘,加焊油,放上新的内存颗粒,再用热风枪吹至自动归位即可

开机后需要刷写cdt才可以识别1G内存,cdt刷写方法:

mtd write /tmp/cdt-AX6-AX3600-1G.bin /dev/mtd5

Misc

  • ssh默认密码可从SN计算得到:ssh默认密码计算工具地址

  • 小米官方系统基于Openwrt 18.06 SNAPSHOT版本构建,当前可用的opkg源:

    src/gz openwrt_base http://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/base 
src/gz openwrt_luci http://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/luci 
src/gz openwrt_packages http://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/packages 
src/gz openwrt_routing http://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/routing

    或者

    src/gz openwrt_base http://downloads.openwrt.org/releases/18.06.9/packages/aarch64_cortex-a53/base
src/gz openwrt_luci http://downloads.openwrt.org/releases/18.06.9/packages/aarch64_cortex-a53/luci/
src/gz openwrt_packages http://downloads.openwrt.org/releases/18.06.9/packages/aarch64_cortex-a53/packages/
src/gz openwrt_routing http://downloads.openwrt.org/releases/18.06.9/packages/aarch64_cortex-a53/routing/

    opkg update && opkg install xxxx

    常用软件包:tmux iperf3 zerotier tailscale

  • shellclash 安装:

    export url='https://cdn.jsdelivr.net/gh/juewuy/ShellClash@master' && sh -c "$(curl -kfsSl $url/install.sh)" && source /etc/profile &> /dev/null
或者
export url='https://cdn.jsdelivr.net/gh/juewuy/ShellClash@master' && wget -q --no-check-certificate -O /tmp/install.sh $url/install.sh  && sh /tmp/install.sh && source /etc/profile &> /dev/null

  • Lucky 安装:

    curl -o /tmp/install.sh   http://www.daji.it:6/files/golucky.sh  && sh /tmp/install.sh http://www.daji.it:6/files 2.5.2
技术记录
Powered by Gridea