Please make sure you are running a Chinese model of the AX9000 router.
This can be determined by checking under the advanced system settings.
Your router's homepage is generally located at 192.168.31.1.
If your version starts with "1.", your router is suitable for this tutorial.
It may sound simple, yet it is often overlooked: while working on your internet connection, you will lose it in between steps. So have all files prepared and ready in advance.
In order to gain access to the router, first do a factory reset to avoid any conflicts. Afterwards, perform the setup while the router is disconnected from the WAN.
Now visit the manual firmware upgrade page and downgrade to the provided firmware file. Make sure the options are set so that all current data is overwritten. This step may not work on the first attempt; if so, try again after reloading the page and logging in again.
If you have successfully started the downgrade, the router will start to pulse red. Do not disturb the router during this process. After completion, it will turn back to solid red or solid orange.
Visit 192.168.31.1 again, log in, and execute exploits/create_exploit.js from your browser's console.
When asked for a region, leave it as CN or type CN if no value is given.
This exploit does not work on international models, so typing US, for example, won't work.
It will start a download of exploit_images.zip - save this folder and unpack it into any desired location.
Now refresh the page and paste exploit/calc_password.js into your browser's console.
It will ask for a serial number - input your full serial number including symbols like /.
The serial number is printed on the bottom of your device.
When done, the script will fire an alert box containing your root password.
Store the password in a moderately secure place - you will need it later.
Now go back to the firmware upgrade page.
Upload 1.bin from exploit_images.zip - this step may fail, or create an error.
If the error is anything BUT "invalid token" you are free to proceed.
Wait 1 minute between uploads, as the router will restart each time.
Now refresh the page and upload 2.bin, and again, wait 1 more minute.
In most cases, an error message like "disk is full" will appear - do not mind those.
Now refresh again and upload 3.bin.
Wait one more minute. After this, your device has been modified to the first stage: Telnet is activated.
Having completed all prior steps, you can now connect to your router using PuTTY. Connect to 192.168.31.1 using TELNET mode and the default port. The username is "root" and the password is our previously generated password. Et voila - you're in :)
Now we will enable SSH:
nvram set ssh_en=1
sed -i 's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear
/etc/init.d/dropbear start
And again - you have now rooted your router and made it your slave - congrats. From now on, SSH is available at 192.168.31.1 using the same credentials.
If you desire to do so, you can now install OpenWRT with or without LuCI.
cd /tmp
curl -k -O https://downloads.openwrt.org/snapshots/targets/qualcommax/ipq807x/openwrt-qualcommax-ipq807x-xiaomi_ax9000-initramfs-factory.ubi
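The -k flag above makes curl skip TLS certificate verification, so nothing guarantees that the downloaded file is the image OpenWrt published. The following check is an added example, not part of the original instructions: it compares the image against a sha256sums file before you flash it. It assumes you fetched the sha256sums file from the same download directory on a machine that verifies TLS and copied it to /tmp; the function name verify_image is made up for this example.

```shell
#!/bin/sh
# Added example: verify a downloaded image against an OpenWrt-style sha256sums file.
# Assumption: the sha256sums file was obtained over a verified TLS connection.
# Usage: verify_image <sha256sums file> <image file>
# Returns 0 on match, 1 on mismatch, 2 if inputs are missing or the image is not listed.
verify_image() {
    sums=$1
    image=$2
    [ -r "$sums" ] && [ -r "$image" ] || return 2

    name=$(basename "$image")
    # Lines look like "<64 hex digits> *<filename>"; the "*" marks binary mode.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }' "$sums")
    [ -n "$expected" ] || return 2

    # Refuse a malformed entry instead of comparing against garbage.
    case $expected in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2

    actual=$(sha256sum "$image" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# When saved as a script and called with two arguments, run the check:
#   sh verify.sh /tmp/sha256sums /tmp/<image file>
if [ "$#" -eq 2 ]; then
    if verify_image "$1" "$2"; then
        echo "OK: checksum matches"
    else
        echo "FAILED (status $?): do not flash this file" >&2
    fi
fi
```

Only continue with the flashing steps if the check prints OK; on a mismatch, delete the file and download it again.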
Proceed by following the steps in the official wiki: https://openwrt.org/toh/xiaomi/ax9000#for_the_chinese_oem_firmware_model_only
Parts of the information here were provided by the sources below:
https://blog.kevingu.net/xiaomi-ax9000-router-ssh-shellclash
https://forum.openwrt.org/t/openwrt-support-for-xiaomi-ax9000/98908/1646
https://openwrt.org/toh/xiaomi/ax9000#for_the_chinese_oem_firmware_model_only