小米 AX9000 破解 SSH 刷 OpenWrt 系统教程

标签：admin AX9000 echo SSH 033 font OpenWrt

AX9000破解过程与AX6相似但有不同，网上有关AX9000的教程不多，因此在成功后写一篇文章分享存档。

准备

1. 设备和文件

带网口的电脑一台，网线若干
辅助路由器：闲置的带无线功能的已刷 OpenWrt 的设备（因为要恢复出厂设置）
小米官方固件 1.0.108 版本
AX9000 OpenWrt 工厂快照固件¹
实际要刷入的系统升级.bin固件，推荐第三方维护的 NSS 硬件加速版本²

2. 设备预处理

2.1. 辅助路由器

将闲置的 OpenWrt 设备恢复出厂设置后用网线与电脑连接，直接用 SSH 登入控制台
```
ssh [email protected]
```
切换到/tmp目录下，新建文件run.sh
```
cd /tmp
vi run.sh
```

按i编辑，写入如下内容³，ESC退出，:wq保存

#!/bin/ash
# SPDX-License-Identifier: GPL-3.0-only
#
# Copyright (C) 2021 Robert Marko <[email protected]>
# Copyright (C) 2021 Tianling Shen <[email protected]>
# Copyright (C) 2024 Fumiama Minamoto <[email protected]>
#
# Original thread: https://forum.openwrt.org/t/openwrt-support-for-xiaomi-ax9000/98908/34

error_font="\033[31m[Error]\033[0m"
info_font="\033[36m[Info]\033[0m"
success_font="\033[32m[Success]\033[0m"
warning_font="\033[33m[Warning]\033[0m"

echo -e "${warning_font} Please make sure your router has wireless support!"
echo -e "${warning_font} Please make sure your router is restored to factory settings (not configured)!"
echo -e "${warning_font} Please make sure you've backed up the network and wireless settings!"
echo -e "${warning_font} Please make sure you've connected the router via *wired ethernet*!"
echo -e "${warning_font} Running this script will change your *network* settings!"
read -p "Use Ctrl+C to exit or press enter key to continue..."

echo -e ""
echo -e "${info_font} Adding xqsystem controller..."
cat > "/usr/lib/lua/luci/controller/admin/xqsystem.lua" <<EOF
module("luci.controller.admin.xqsystem", package.seeall)

function index()
    local page   = node("api")
    page.target  = firstchild()
    page.title   = ("")
    page.order   = 100
    page.index = true
    page   = node("api","xqsystem")
    page.target  = firstchild()
    page.title   = ("")
    page.order   = 100
    page.index = true
    entry({"api", "xqsystem", "token"}, call("getToken"), (""), 103, 0x08)
end

local LuciHttp = require("luci.http")

function getToken()
    local result = {}
    result["code"] = 0
    result["token"] = "; nvram set ssh_en=1; nvram set uart_en=1; nvram set boot_wait=on; nvram commit; uci set wireless.@wifi-iface[0].key=\`mkxqimage -I\`; uci commit; sed -i 's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear; /etc/init.d/dropbear start;"
    LuciHttp.write_json(result)
end
EOF

echo -e "${info_font} Changing network settings..."
set -x
uci set dhcp.lan.ignore='1'
uci set network.lan.ipaddr='169.254.31.1'
uci set wireless.@wifi-iface[0].ssid='MEDIATEK-ARM-IS-GREAT'
uci set wireless.@wifi-iface[0].encryption='psk2+ccmp'
uci set wireless.@wifi-iface[0].key='ARE-YOU-OK'
uci set wireless.@wifi-iface[0].mode='ap'
uci set wireless.@wifi-iface[0].network='LAN lan'
uci -q commit
set +x

echo -e "${success_font} All settings are applied.\n"
echo -e "${info_font} Please now disconnect from this router, and connect to your Xiaomi AX9000."
echo -e "${info_font} Then open your browser, access the following URL:"
echo -e "       http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/xqsystem/extendwifi_connect_inited_router?ssid=MEDIATEK-ARM-IS-GREAT&password=ARE-YOU-OK&encryption=WPA2PSKenctype=CCMP&admin_username=root&admin_password=admin&admin_nonce=xxx"
echo -e "${info_font} If the return code is 0, now you can connect to your AX9000 via SSH."
echo -e "${info_font} SSH login password is 5GHz wireless connection password."
echo -e ""
echo -e "${success_font} Thanks for usage."
echo -e "          Staff: Robert Marko, Tianling Shen"

echo -e ""
echo -e "${warning_font} Restarting network..."
wifi reload >"/dev/null" 2>&1
/etc/init.d/network restart >"/dev/null" 2>&1

为文件添加可执行权限
```
chmod +x run.sh
```

2.2. 目标路由器

不保留配置刷入小米官方 1.0.108 版本固件，随意设置一个密码。

开启 SSH

在辅助设备上运行
```
./run.sh
```
此后 SSH 自行断开，不用理会，保持该设备通电，网线可以拔出。
登录待刷写设备网页管理，复制<STOK>码（网址栏;stok=与/web之间的十六进制码）

同浏览器访问下面的链接，记得替换<STOK>

http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/xqsystem/extendwifi_connect_inited_router?ssid=MEDIATEK-ARM-IS-GREAT&password=ARE-YOU-OK&encryption=WPA2PSKenctype=CCMP&admin_username=root&admin_password=admin&admin_nonce=xxx

成功会返回一个JSON字符串，其中code字段为0。此时SSH已打开且5G WiFi密码已被更改为SSH的root用户密码，可进入管理页查看

刷入工厂固件

使用上面获得的密码登入待刷写路由器
```
ssh [email protected]
```

确认可以登入后，使用scp拷贝工厂快照固件到路由器/tmp目录

scp openwrt-qualcommax-ipq807x-xiaomi_ax9000-initramfs-factory.ubi [email protected]:/tmp

查看当前系统所在分区，0代表rootfs，1代表rootfs_1
```
nvram get flag_boot_rootfs
```
查看分区对应mtd文件
```
cat /proc/mtd
```
注意：请确保mtd21对应rootfs，mtd22对应rootfs_1

如果第三步返回0，执行

ubiformat /dev/mtd22 -y -f /tmp/openwrt-qualcommax-ipq807x-xiaomi_ax9000-initramfs-factory.ubi -s 2048 -O 2048 && nvram set flag_boot_rootfs=1 && nvram set flag_last_success=1 && nvram commit

如果第三步返回1，执行

ubiformat /dev/mtd21 -y -f /tmp/openwrt-qualcommax-ipq807x-xiaomi_ax3600-initramfs-factory.ubi -s 2048 -O 2048 && nvram set flag_boot_rootfs=0 && nvram set flag_last_success=0 && nvram commit

重启路由器

刷入正式 OpenWrt 固件

如可以直接访问luci网页，在页面刷入即可。如无法访问，则还需要用scp拷贝对应sysupgrade.bin文件到/tmp，再用sysupgrade -n命令刷入后重启。

[OpenWrt WiKi] Xiaomi Mi Router AX9000 - https://openwrt.org/toh/xiaomi/ax9000 ↩︎
[OpenWrt WiKi] Xiaomi Mi AIoT Router AX3600 - https://openwrt.org/toh/xiaomi/ax3600 ↩︎
[知乎] 小米AX9000 安装OpenWrt双系统 - https://zhuanlan.zhihu.com/p/427734325 ↩︎

标签：admin,AX9000,echo,SSH,033,font,OpenWrt
From： https://blog.csdn.net/u011570312/article/details/141259096