Based on my previous longer post here is a short step-by-step flashing instruction for those who want to try flashing a BR01 model.
- Setup a UART console with RX and TX working (115200 Baud 8N1)
- Setup a BOOTP and TFTP server
2.1 I used bootp tftpd-hpa under Debian
2.2 Use the official 1.0.71 BR01 firmware image
2.3 The client mac address is set in step 4 - Start the router while pressing the RESET button for at least 5 seconds
- When the console shows that BOOTP broadcasts are sent, discover the MAC of the router in recovery mode using a tool like wireshark (this MAC is different to the one on the bottom of the device)
- Ensure by looking at the output on the UART console, that the the flashing process only touches one partition, otherwise if you cut the power while the bootloader is updated you need a NAND programmer (and an image of the right U-Boot image
)
5.1 If two partitions were flashed in the first run the second run should result in only one partition being flashed (my router from 11/2021 went from FW 1.0.35 --> 1.0.71) - Cut the power right after the erasing messages appear on the serial console
- Change the BOOTP/TFTP server to serve the
xiaomi_redmi-router-ax6s-initramfs-recovery.itbimage
7.1 I used the one from 22.03-SNAPSHOTS - Boot up the router without pressing the reset button and you should end up with a console like this
MT7622>where you can enterMT7622>tftpboot - Once you are in OpenWRT use scp to copy over the image
xiaomi_redmi-router-ax6s-squashfs-sysupgrade.binand executesysupgrade image.bin - The router should automatically reboot into a persistent OpenWRT
.
Remarks:
- The BOOTP server can potentially be committed if using the official recovery tool from Xiaomi in step 2 and specifying the TFTP IP and location in step 8 explicitly.
- Most important is step 5 where you check that only the firmware (kernel+ramfs+rootfs) partition and not the bootloader partition is touched during the recovery flashing