Custom Firmware for the Xiaomi AX3600 Wireless Router

As I have mentioned in the review, the stock firmware on the Xiaomi AX3600 wireless router is extremely limiting. On top of that, the firmware is also locked to install only authorized updates from the manufacturer. If you have been following the blog, you will know that I like the flexibility that ASUSWRT provides for customizing my router.

While there is currently an ongoing effort to try and port vanilla OpenWRT for this router, I suspect that might take some time. In this post, I describe how to work around the lousy firmware and configure the router with the advanced features I need.

Router Disassembly

It is recommended to have UART access handy, in case something bad happens and you need to recover your router, or if you want access to U-Boot, the bootloader. This would require you to crack open your router, so you might only want to do this if necessary. Feel free to skip this section if you are not interested in the hardware, or don’t need low-level access.

[Photo: router top view, with cover opened]

You need to unscrew 5 screws, 4 of which are hidden under the rubber feet, and one under the center sticker label. In the disassembled top view photo here, you can see the screw holes at the corners, as well as a missing chunk in the center of the heatsink for the mating screw post, directly aligned with the AIoT antenna and indicator LEDs.



Apple’s RAOP is Cracked

For a long time now, apps have been able to stream high-quality audio to an Airport Express or an Apple TV using the RAOP protocol. However, the reverse cannot be done because the protocol uses asymmetric encryption, which means the private key is baked into the firmware of the Apple (or Apple-licensed) device.

Finally, someone has done something about it. James Laird dumped the ROM of his Airport Express and extracted the private key. He posted the private key to the vlc-devel mailing list.

And now, the site on which he hosts his implementation called shairport is returning HTTP 500.

Update 13-Apr-2011: The link to shairport and his site is back up.

Reverse-engineering the Clicker

A few semesters back, our school started trial runs to use these “clickers” as well. At that time I was thinking of cracking it open to see what makes it tick, as well as evil plans like trying to impersonate other clickers or sniffing what other people’s responses were.

I only managed to peel back a bit of the plastic in front, but since the clicker was brand-new and I had to return it in good condition, I didn’t dare to proceed any further than that.

[Photo stolen from Travis Goodspeed]

Last night I came across this blog entry on reverse-engineering it. Since all the hard work has been done, it looks quite feasible to just buy one of these Nordic RF chips and attempt to listen in on the responses.

At our institution, each of the venues has been allocated a particular channel and the signage is displayed prominently at the front or side of the lecture theatre or classroom. It’s not hard to find a session to sit in and start sniffing.