Accessing a locked down u-boot

I'm struggling with a Trendnet TEW-827DRU V2 (mt7621). My serial output shows u-boot going directly to option 3. No delay or response to repeated presses of "2".

Apparently, there are exploits and flash edits that others have used. See Xiaomi 4a thread:
https://forum.openwrt.org/t/xiaomi-mi-router-4a-gigabit-edition-r4ag-r4a-gigabit-fully-supported-and-flashable-with-openwrtinvasion/36685/1045

Outside of shooting blindly, is there any way to discern a safe approach? Ideally, I would like to arrive at the point where I can test initramfs images.

The screwdriver method works quite often, as long as you consider that a "safe approach" :sweat_smile:

Just carefully scratch along the SPI flash data pins a few seconds after power on (i.e. shorting them to neighbouring pins), this will corrupt the image checksum in RAM and make many bootloaders enter some sort of failsafe / recovery mode.

The exact timing may require a little trial and error though...

Thanks. Quick questions; screwdriver to which side? dot/pin 1 or opposite side? This will not permanently alter the flash content?

I'd prefer left side, e.g. shorting DO to CS (assuming the flash chip would allow for less gpio drive current than the SoC), but that's not scientifically proven; just try what works best for you :grinning:

(I haven't seen any real damage yet from doing this...)