小米AX9000折腾记录

您所在的位置：网站首页 › ax9000刷固件死机 › 小米AX9000折腾记录

小米AX9000折腾记录

2024-01-07 10:55| 来源: 网络整理| 查看: 265

前言

小米AX9000折腾记录, 官方固件版本为AX9000 1.0.108.bin不是全量文章，整合流程，挑出部分重点，防止重复踩坑。

正文通过虚拟机开启AX9000的SSH123456789101112131415161718192021222324252627# 比较重点的一个脚本下面会用到# /usr/lib/lua/luci/controller/admin/xqsystem.luamodule("luci.controller.admin.xqsystem", package.seeall)function index() local page = node("api") page.target = firstchild() page.title = ("") page.order = 100 page.index = true page = node("api","xqsystem") page.target = firstchild() page.title = ("") page.order = 100 page.index = true entry({"api", "xqsystem", "token"}, call("getToken"), (""), 103, 0x08)endlocal LuciHttp = require("luci.http")function getToken() local result = {} result["code"] = 0 result["token"] = "; nvram set ssh_en=1; nvram set uart_en=1; nvram set boot_wait=on; nvram commit; uci set wireless.@wifi-iface[0].key=\`mkxqimage -I\`; uci commit; sed -i 's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear; /etc/init.d/dropbear start;" LuciHttp.write_json(result)end

重点是将OPENWRT路由器ip设置为169.254.31.1, 然后关闭DHCP。不然会出现各式报错。

AX9000和AX6000获取SSH的方法

重点是热点改成OpenWrt，密码12345678。以及热点网络适配器去掉ipv4的勾选项目。

0成本用Win10热点和openwrt的vm虚拟机开启AX6000和AX9000的ssh

重点是 wireless-ax9000.sh,也可以手动写入最上面的代码块。

小米 AX9000 解锁 SSH 安装 ShellClash 教程 123456# 注意URL的参数，按实际情况替换。# 05f18fc74244d28dea39a5b537765e92要替换成自己的# 如果ssid不是OpenWrt 或者密码不为12345678 也需要替换测试: http://192.168.1.1/cgi-bin/luci/api/xqsystem/token测试: http://192.168.31.1/cgi-bin/luci/;stok=05f18fc74244d28dea39a5b537765e92/api/xqsystem/tokenhttp://192.168.31.1/cgi-bin/luci/;stok=05f18fc74244d28dea39a5b537765e92/api/xqsystem/extendwifi_connect_inited_router?ssid=OpenWrt&password=12345678&encryption=WPA2PSKenctype=CCMP&channel=11&band=2g&admin_username=root&admin_password=admin&admin_nonce=xxx 虚拟机搭建OpenWrt 将OPENWRT路由器ip设置为169.254.31.1 关闭OpenWrt的DHCP 使用wireless-ax9000.sh 或者手动写入代码块 xqsystem.lua 成功后再次打开路由器后台查看 5G 频段 Wi-Fi 密码，这个 Wi-Fi 密码就是我们默认的 ssh 密码，

以上最好是都在2.4G频段进行。几个教程需要搭配使用，看重点，可以多阅读几遍。

永久获取SSH权限(固化SSH)

请注意有变砖风险，可以跳过这部分。

项目地址 paldier/ax3600_tool

12345678910111213141516# 提前备份(最好下载保存)$ nanddump -f /tmp/bdata_mtd9.img /dev/mtd9# 将项目文件传到/tmp目录给权限$ chmod +x /tmp/mitool*# 解锁分区锁$ /tmp/mitool.sh unlock# 自动重启并重新锁定分区锁$ /tmp/mitool.sh hack# 显示密码$ /tmp/mitool.sh password# 显示SN$ /tmp/mitool.sh sn# 如升级后ssh被禁用可以用telnet登录$ sed -i 's/channel=.*/channel="debug"/g' /etc/init.d/dropbear$ /etc/init.d/dropbear start# 至此基本可以保证机器长期拥有root权限

参考教程:小米ax3600/ax6000/ax9000/ax5/ax6获取root权限ax9000永久获取ssh权限

刷QSDK&&OpenWrt的方法1234567891011121314151617181920212223242526272829# 1.这一部是设置env保证小米固件在分区rootfs里，为下一部把qsdk刷到rootfs_1做准备$ nvram set flag_last_success=0$ nvram set flag_boot_rootfs=0$ nvram set flag_try_sys1_failed=0$ nvram set flag_try_sys2_failed=0$ nvram commit$ reboot# 2.小米原版固件下ssh命令写入qsdk固件，把固件上传到/tmp目录$ . /lib/upgrade/platform.sh$ switch_layout linux$ ubiformat /dev/mtd22 -y -f /tmp/openwrt-ipq807x-generic-xiaomi_ax9000-squashfs-nand-factory.bin$ nvram set flag_last_success=1$ nvram set flag_boot_rootfs=1$ nvram commit$ reboot# 这里刷固件就结束了，以下是切换分区。# 3.QSDK固件下恢复到原版固件$ fw_setenv flag_last_success 0$ fw_setenv flag_boot_rootfs 0$ reboot# 4.原版固件恢复到QSDK固件$ nvram set flag_last_success=1$ nvram set flag_boot_rootfs=1$ nvram commit$ reboot

这里刷完是两个分区，可以官方固件和openwrt来回切换。注意如果要重新刷，需要先执行3到原版固件，再执行2写入固件。

参考教程:

小米ax9000刷qsdk,openwrt的方法小米红米路由器AX6刷第三方openwrt固件第三方固件地址【Openwrt开发版每周五更新】新版AX6/AX3600/AX9000(QSDK),NSS,组网,jd,多播,小猫咪开发版 jingleijack/Openwrt_Beta 小米 AX9000 OpenWrt R21.7.1.10 最新源码、V兔出国海淘海淘、clash、打倒美帝、JD. AdGuardHome AdGuardHome去广告和DNS正确姿势 AdGuard Home设置指南 openwrt插件 AdGuardHome学习与分享 AdGuard Home正确使用姿势/去广告/防污/加速解析 121. AdGuardHome管理面板账号密码 root-admin 或者root-password2. 挂载U盘到/overlay

AX9000默认的分区大小不足以正常使用软件，所以需要挂载U盘扩容空间请注意要提前把U盘格式化成ext4

12345678910111213141516171819202122232425262728293031323334# 检测U盘是否插入$ cat /proc/scsi/usb-storage/0# 写入以下代码块$ vim /etc/init.d/miwifi_overlay # 这里使用AX6的一段代码来挂载overlay #!/bin/sh /etc/rc.commonSTART=00. /lib/functions/preinit.shstart() { [ -e /data/overlay ] || mkdir /data/overlay [ -e /data/overlay/upper ] || mkdir /data/overlay/upper [ -e /data/overlay/work ] || mkdir /data/overlay/work mount --bind /data/overlay /overlay fopivot /overlay/upper /overlay/work /rom 1 #Fixup miwifi misc, and DO NOT use /overlay/upper/etc instead, /etc/uci-defaults/* may be already removed /bin/mount -o noatime,move /rom/data /data 2>&- /bin/mount -o noatime,move /rom/etc /etc 2>&- /bin/mount -o noatime,move /rom/ini /ini 2>&- /bin/mount -o noatime,move /rom/userdisk /userdisk 2>&- return 0}# 给权限$ chmod 755 /etc/init.d/miwifi_overlay$ /etc/init.d/miwifi_overlay enable$ sync $ reboot

重启后浏览器登录luci界面，点击系统->挂载点。在挂载点的下方点击修改按钮。

挂载点选择作为外部overlay使用(/overlay)(不要选择其他选项)，点击保存，再点击保存&应用。

在命令行输入reboot执行路由器重启。重启后路由器可能会恢复出厂设置。重启后打开系统->软件包，可以看见空闲空间已经变大。

挂载完成，这里参考了OpenWrt挂载U盘OPENWRT | ESXI 下 OpenWrt扩容Overlay,增加安装插件空间

解决OpenWRT安装第三方包错误1234root@OpenWrt:~# opkg print-architecturearch all 1arch noarch 1arch aarch64_cortex-a53_neon-vfpv4 10

把返回的回显复制到opkg的设置里倒数第二行加一行，修改后如下

12345root@OpenWrt:~# opkg print-architecturearch all 1arch noarch 1arch aarch64_cortex-a53 8arch aarch64_cortex-a53_neon-vfpv4 10

但是因为ipq807x并没有适配，所以一些包最好是手动下载安装，手动安装依赖。

换国内源123456# 注意 19.07-SNAPSHOThttps://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/19.07-SNAPSHOT/packages/# 注意 ipq807xhttps://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/19.07-SNAPSHOT/targets/ipq807x/# 注意 aarch64_cortex-a53https://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/19.07-SNAPSHOT/packages/aarch64_cortex-a53/ 额外的插件解锁网易云灰色歌曲 UnblockNeteaseMusic luci-app-unblockmusic（二次修改） UnblockNeteaseMusic(在用) sirpdboy-package 安装额外软件 Python3 1234567# 软件包界面手动安装或者命令# Python$ opkg install python3$ opkg install python3-pip# gcc$ opkg install gcc automake autoconf libtool make Nodejs 别名12# 或者写入/etc/profile$ alias pq3='pip3 install -i https://pypi.tuna.tsinghua.edu.cn/simple $1' 额外命令123456789# 安装用户相关$ opkg install shadow-groupadd shadow-groupdel shadow-useradd shadow-userdel shadow-usermod# 添加普通用户并且设置密码$ echo "testuser:*:1000:65534:testuser:/tmp:/bin/ash" >> /etc/passwd$ passwd testuser# 删除用户$ userdel -r testuser 安装libcap*

安装libcap libcap-bin, 因为新版本变成了libcap-ng libcap-ng-bin

12345678910# 手动https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/base/libcap_2.51-1_aarch64_cortex-a53.ipkhttps://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/base/libcap-bin_2.51-1_aarch64_cortex-a53.ipk# 修改下快照源，替换自己架构$ src/gz snapshots https://downloads.openwrt.org/snapshots/packages/{architecture}/base# $ opkg update$ opkg install libcap libcap-bin --force-depends AX9000(开发版)1.0.140 挂载/overlay

给U盘分区，ext4格式。分两个或者多个以上，第一个分区要大，给Docker用的 ,第二个分区给/overlay。

注意要关闭docker

1234567# 查看挂载的U盘分区$ df -h/dev/sda1 55.0G 4.7G 47.5G 9% /extdisks/sda1/dev/sda1 55.0G 4.7G 47.5G 9% /mnt/docker_disk/dev/sda2 2.5G 43.6M 2.3G 2% /extdisks/sda2/dev/sda1 55.0G 4.7G 47.5G 9% /mnt/docker_disk/mi_docker/lib/docker

把分区好挂载到mount /sda3

1234# 如果报错不存在文件夹可能需要手动创建/mnt/sda2$ mount /dev/sda2 /mnt/sda2# 如果上面报错使用这个$ mount -o rw /dev/sda2 /mnt/sda2

挂载检测是否完成

1$ ls /mnt/sda2

迁移Overly

123$ cd /overlay$ cp -r /overlay/* /mnt/sda2$ ls /mnt/sda2

设置开机自动挂载123456# /etc/rc.localecho 1 > /sys/fs/cgroup/memory/memory.use_hierarchy#添加以下这句挂载命令mount /dev/sda2 /overlay exit 0

AX9000(开发版)1.0.140 Docker创建macvlan(这个版本暂时不支持)12345678# 开启网卡混杂模式$ ip link set br-lan promisc on$ docker network create -d macvlan \ --subnet=192.168.31.0/24 --gateway=192.168.31.1 \ -o parent=br-lan \ -o macvlan_mode=bridge \ macnet AX9000(开发版)1.0.140 Docker安装使用AdGuard Home

AX9000 Docker介绍

以下大部分bash命令需要在ssh里操作

Docker国内镜像源名称路径网易 http://hub-mirror.c.163.com 中国官方镜像 https://registry.docker-cn.com 中国科技大学 https://docker.mirrors.ustc.edu.cn 阿里云镜像 https://[xxx].mirror.aliyuncs.com 拉取镜像12345# Portainer UI界面搜索并拉取adguard/adguardhome# 命令行$ docker pull adguard/adguardhome 部署镜像 Name, 随意 Image, adguard/adguardhome Always pull the image, 可以关掉 Volumes, 设置挂载目录持久化(可选) e.g /root/workspace/adguard/workdir:/opt/adguardhome/work /root/workspace/adguard/confdir:/opt/adguardhome/conf Publish all exposed network ports to random host ports, (随机暴露端口)打开 Manual network port publishing, 手动添加 5553:53 tcp|5553:53 udp|3000:3000 tcp Network, bridge Restart policy, Always

等待部署完成, 设置地址访问192.168.31.1:3000, 根据需求设置(可百度设置教程)。

汉化Portainer1234567$ cd /tmp$ curl -sL https://ghproxy.com/https://github.com/eysp/public/archive/public.tar.gz | tar xz$ rm -rf public$ mv public-public public$ docker stop portainer$ docker cp public portainer:/$ docker start portainer

刷新页面即可

Dnsmasq转发到AdgHome1234567# vim /etc/dnsmasq.conf 最后添加# port=53server=127.0.0.1#5553 server=192.168.31.1#5553no-resolv dns-forward-max=100000

重启后即可使用AdgHome，注意这里使用的是转发，所以Adg里的客户端显示的都是本地地址。不要尝试使用Adg的53端口来替换dnsmasq的53，会有大问题。也不要尝试再DCHP里设置DNS，会有大问题。

备份AdGuardHome.yaml

仅供参考

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292bind_host: 0.0.0.0bind_port: 3000beta_bind_port: 0users: - name: root password: $2y$10$FfeQavihMUiXCuJhHuQwy.6EOXDvkXb/S50qI5fXizqarNT/ShhQmauth_attempts: 5block_auth_min: 15http_proxy: ""language: ""rlimit_nofile: 0debug_pprof: falseweb_session_ttl: 720dns: bind_hosts: - 0.0.0.0 port: 5553 statistics_interval: 7 querylog_enabled: true querylog_file_enabled: true querylog_interval: 1 querylog_size_memory: 1000 anonymize_client_ip: false protection_enabled: true blocking_mode: nxdomain blocking_ipv4: "" blocking_ipv6: "" blocked_response_ttl: 10 parental_block_host: family-block.dns.adguard.com safebrowsing_block_host: standard-block.dns.adguard.com ratelimit: 0 ratelimit_whitelist: [ ] refuse_any: false upstream_dns: - 221.7.92.98 - 221.5.203.98 - 114.114.114.114 - 223.5.5.5 - 114.114.115.115 - 119.29.29.29 - 8.8.8.8 - 1.1.1.1 - 2408:8663::2 - 2408:8662::2 - https://dns.alidns.com/dns-query - https://doh.pub/dns-query - https://doh.360.cn/dns-query - https://doh.pub/dns-query - https://dns.google/dns-query - https://dns.adguard.com/dns-query - https://dns.quad9.net/dns-query upstream_dns_file: "" bootstrap_dns: - 221.7.92.98 - 221.5.203.98 - 2408:8663::2 - 2408:8662::2 - 114.114.114.114 - 223.5.5.5 - 119.29.29.29 - 1.1.1.1 - 8.8.8.8 all_servers: true fastest_addr: false allowed_clients: [ ] disallowed_clients: [ ] blocked_hosts: - version.bind - id.server - hostname.bind cache_size: 4194304 cache_ttl_min: 0 cache_ttl_max: 0 bogus_nxdomain: [ ] aaaa_disabled: false enable_dnssec: false edns_client_subnet: false max_goroutines: 300 ipset: [ ] filtering_enabled: true filters_update_interval: 24 parental_enabled: false safesearch_enabled: false safebrowsing_enabled: false safebrowsing_cache_size: 1048576 safesearch_cache_size: 1048576 parental_cache_size: 1048576 cache_time: 30 rewrites: [ ] blocked_services: [ ] local_domain_name: lan resolve_clients: true local_ptr_upstreams: [ ]tls: enabled: false server_name: "" force_https: false port_https: 443 port_dns_over_tls: 853 port_dns_over_quic: 784 port_dnscrypt: 0 dnscrypt_config_file: "" allow_unencrypted_doh: false strict_sni_check: false certificate_chain: "" private_key: "" certificate_path: "" private_key_path: ""filters: - enabled: true url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt name: AdGuard Simplified Domain Names filter id: 1 - enabled: false url: https://adaway.org/hosts.txt name: AdAway id: 2 - enabled: false url: https://hosts-file.net/ad_servers.txt name: hpHosts - Ad and Tracking servers only id: 3 - enabled: false url: https://www.malwaredomainlist.com/hostslist/hosts.txt name: MalwareDomainList.com Hosts List id: 4 - enabled: false url: https://raw.githubusercontent.com/vokins/yhosts/master/data/tvbox.txt name: tvbox id: 1575018007 - enabled: false url: https://cdn.jsdelivr.net/gh/neoFelhz/neohosts@gh-pages/full/hosts.txt name: neoHosts full id: 1575618240 - enabled: false url: https://hosts.nfz.moe/basic/hosts name: neoHosts basic id: 1575618241 - enabled: false url: http://sbc.io/hosts/hosts name: StevenBlack host basic id: 1575618242 - enabled: false url: http://sbc.io/hosts/alternates/fakenews-gambling-porn-social/hosts name: StevenBlack host+fakenews + gambling + porn + social id: 1575618243 - enabled: true url: https://anti-ad.net/easylist.txt name: anti-AD 命中率高、兼容性强 id: 1632419612 - enabled: true url: https://gitee.com/halflife/list/raw/master/ad.txt name: halflife合并乘风 id: 1632419613 - enabled: true url: https://banbendalao.coding.net/p/adgk/d/ADgk/git/raw/master/ADgk.txt name: adgk手机去广告规则 id: 1632419619 - enabled: true url: https://cdn.jsdelivr.net/gh/zsakvo/AdGuard-Custom-Rule@master/rule/zhihu.txt name: Zhihu App 广告屏蔽 id: 1632824652 - enabled: true url: https://www.i-dont-care-about-cookies.eu/abp name: I don't care about cookies id: 1636012831 - enabled: true url: https://cdn.jsdelivr.net/gh/Goooler/1024_hosts@master/hosts name: 1024_hosts id: 1636012832 - enabled: true url: https://cdn.jsdelivr.net/gh/jdlingyu/ad-wars@master/hosts name: 大圣净化 id: 1636012833 - enabled: true url: https://cdn.jsdelivr.net/gh/cjx82630/cjxlist@master/cjx-annoyance.txt name: CJX's Annoyance List id: 1636012834 - enabled: true url: https://cdn.jsdelivr.net/gh/Moexin/AdGuardHome/AdGuardHome.list name: AdGuardHome.list id: 1636012836 - enabled: true url: https://cdn.jsdelivr.net/gh/Moexin/AdGuardHome/Neo-Dev-Host.list name: Neo-Dev-Host.list id: 1636012837whitelist_filters: [ ]user_rules: - '||active.tc.skysrt.com^' - '||ad.3.cn^' - '||admaster.com.cn^' - '||alog.umeng.com^' - '||amdcopen.m.taobao.com^' - '||api.app.skysrt.com^' - '||api.device.skysrt.com^' - '||api.hoisin.hw.coocaatv.com^' - '||api.home.skysrt.com^' - '||api.skyworthiot.com^' - '||api.upgrade.skysrt.com^' - '||api-app.coocaa.ottcn.com^' - '||api-home.coocaa.ottcn.com^' - '||api-home.skysrt.com^' - '||api-upgrade.coocaa.ottcn.com^' - '||app.snm0516.aisee.tv^' - '||btrace.play.t002.ottcn.com^' - '||business.video.tc.skysrt.com^' - '||cl-dl.cc0808.com^' - '||clog.skysrt.com^' - '||conf-darwin.xycdn.com^' - '||connect.play.aiseet.atianqi.com^' - '||data-dl.skysrt.com^' - '||data-hoisin.coocaa.com^' - '||dl.skysrt.com^' - '||dp3.play.t002.ottcn.com^' - '||gs.getui.com^' - '||hoisin.coocaa.com^' - '||hoisin.coocaatv.com^' - '||irs01.com^' - '||kaola.com^' - '||livep.l.t002.ottcn.com^' - '||log.skysrt.com^' - '||mdp-at.geely.com^' - '||member.coocaa.com^' - '||miaozhen.com^' - '||mtrace.play.t002.ottcn.com^' - '||ocsp.int-x3.letsencrypt.org^' - '||p.tencentmind.com^' - '||play.t002.ottcn.com^' - '||push.tc.skysrt.com^' - '||push.tvos.skysrt.com^' - '||puui.qpic.cn^' - '||qr.coocaa.com^' - '||res.hoisin.coocaatv.com^' - '||rpc-tc.skysrt.com^' - '||rpt-gdt.play.t002.ottcn.com^' - '||s.jpush.cn^' - '||sdk1xyajs.data.p2cdn.com^' - '||sis.jpush.io^' - '||sky.tvos.skysrt.com^' - '||skyworthdigital.com^' - '||skyworthiot.com^' - '||stats.jpush.cn^' - '||status.tvos.skysrt.com^' - '||status2.tvos.skysrt.com^' - '||sv.video.qq.com^' - '||taps.net^' - '||tq.skysrt.com^' - '||tracker.appadhoc.com^' - '||tvapp.hpplay.cn^' - '||tvos.skysrt.com^' - '||tx.ctrmi.cn^' - '||umengacs.m.taobao.com^' - '||uop.umeng.com^' - '||update01.skyworth-cloud.com.wswebpic.com^' - '||update01.skyworth-cloud.com^' - '||vqq.admaster.com.cn^' - '||webapp.skysrt.com^' - '||bak.bajintech.com^$important^' - '||iwd.skysrt.com^$important^' - '||ipv4only.arpa^$important^' - '||api.bajintech.com^$important^' - '||wifimodule.doubimeizhi.com^$important^' - '||msy59wz.mqtt.iot.gz.baidubce.com^$important^' - '||i.ytimg.com^$important^' - '# 百家号' - '||baijiahao.baidu.com^' - '@@||apisoft.df0535.com^' - ""dhcp: enabled: false interface_name: "" dhcpv4: gateway_ip: "" subnet_mask: "" range_start: "" range_end: "" lease_duration: 86400 icmp_timeout_msec: 1000 options: [ ] dhcpv6: range_start: "" lease_duration: 86400 ra_slaac_only: false ra_allow_slaac: falseclients: [ ]log_compress: falselog_localtime: falselog_max_backups: 0log_max_size: 100log_max_age: 3log_file: ""verbose: falseschema_version: 10 OpenWrt关闭LED灯(暂未测试)1$ vim /etc/rc.d/S99turnoffled 1234567#!/bin/ashfor i in ` ls /sys/class/leds `docd /sys/class/ledscd $iecho 0 > brightnessdone 安装lsusb命令12$ opkg update$ opkg install usbutils OpenWrt关闭OPKG检查签名1$ vi /etc/opkg.conf 12# 注释掉这一行#option check_signature 注意事项只有QSDK固件里面有CPU调速软件 QSDK网络好，OpenWrt插件多信道36~48，149~161 … 相关项目

除了文章中引用的项目，还有以下可能会用到的关联:

AX9000和AX6000已经可以获取SSH了使用虚拟机解锁红米ax6-ssh并刷入qsdk固件 OpenWrt support for Xiaomi AX9000 Xiaomi router AX9000 OpenWrt_Build openwrt-autobuild 小米路由器修复工具 7.8.9.

END.

【本文地址】

公司简介

联系我们