Adding OpenWrt support for ZTE MF282 aka 3 HuiTube

I received a couple of 3 HuiTube devices that are ZTE MF282 LTE routers. They have a QCA9563 SoC, 128MiB RAM and 128MiB NAND. The integrated LTE modem is in QMI mode.

Basically, this is a combination of MF281 and MF286, both already supported. The modem is the same as in the MF283+.

I don't know how much interest there is, but I've got initial support for it working. For now, I only tested UART installation, but with a root exploit it should work without disassembly.

Since the device is very compact, it can also be used as a simple, cheap WiFi AP.

PR: https://github.com/openwrt/openwrt/pull/12405

Hello, I don't know if this is the best place to post my question about the MF282. If not, I apologize.

My current situation:
I compiled OpenWrt 23.05.0-rc2 with LuCI.

Everything works except for the LTE modem that causes problems.

I am not sure if it is due to a carrier lock or if different LTE modules have been installed.

I tried a carrier unlock according to the instructions on this page, "https://www.lteforum.at/mobilfunk/dreineo-huitube-openwrt-und-carrier-unlock.21497/", with qcommand, but I'm not sure if it worked, since the program responds in Russian.

When I communicate with AT commands, I also have problems: e.g. when I enter ATI, information comes up, but when I enter a command with AT+..., only confused stuff comes back. (I have also tried AT^... and AT%... and much more.)

Here is a small excerpt from my log file:

Thu Aug 10 09:48:24 2023 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Thu Aug 10 09:48:25 2023 daemon.info [2175]: <info>  [base-manager] couldn't check support for device '/sys/devices/pci0000:00/0000:00:00.0': not supported by any plugin
Thu Aug 10 09:48:26 2023 daemon.info [2175]: <info>  [base-manager] couldn't check support for device '/sys/devices/platform/ahb/18100000.wmac': not supported by any plugin
Thu Aug 10 09:48:26 2023 daemon.notice netifd: 4G (2586): SIM not initialized
Thu Aug 10 09:48:27 2023 daemon.notice netifd: 4G (3611): Stopping network 4G
Thu Aug 10 09:48:27 2023 daemon.notice netifd: 4G (3611): Command failed: ubus call network.interface notify_proto { "action": 0, "link-up": false, "keep": false, "interface": "4G" } (Permission denied)
Thu Aug 10 09:48:27 2023 daemon.notice netifd: Interface '4G' is now down
Thu Aug 10 09:48:28 2023 daemon.warn odhcpd[1917]: No default route present, overriding ra_lifetime!
Thu Aug 10 09:48:28 2023 daemon.warn odhcpd[1917]: No default route present, overriding ra_lifetime!
Thu Aug 10 09:48:29 2023 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Thu Aug 10 09:48:29 2023 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 4 names
Thu Aug 10 09:48:29 2023 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Thu Aug 10 09:48:38 2023 daemon.warn [2175]: <warn>  [ttyUSB0/probe] failed to parse QCDM version info command result: -7
Thu Aug 10 09:48:38 2023 daemon.warn [2175]: <warn>  [ttyUSB0/probe] failed to parse QCDM version info command result: -7
Thu Aug 10 09:48:38 2023 daemon.info [2175]: <info>  [device /sys/devices/platform/ahb/1b000000.usb/usb1/1-1] creating modem with plugin 'zte' and '5' ports
Thu Aug 10 09:48:38 2023 daemon.warn [2175]: <warn>  [plugin/zte] could not grab port ttyUSB0: Cannot add port 'tty/ttyUSB0', unhandled port type
Thu Aug 10 09:48:38 2023 daemon.info [2175]: <info>  [base-manager] modem for device '/sys/devices/platform/ahb/1b000000.usb/usb1/1-1' successfully created
Thu Aug 10 09:48:38 2023 kern.err kernel: [   74.459717] qmi_wwan 1-1:1.3 wwan0: Cannot change a running device
Thu Aug 10 09:48:39 2023 daemon.warn [2175]: <warn>  [modem0] unhandled QMI radio interface '9'
Thu Aug 10 09:48:39 2023 daemon.warn [2175]: <warn>  [modem0] couldn't load power state: Unhandled power state: 'factory-test' (2)
Thu Aug 10 09:48:39 2023 daemon.warn [2175]: <warn>  [modem0] unhandled QMI radio interface '9'
Thu Aug 10 09:48:39 2023 daemon.warn [2175]: <warn>  [modem0] couldn't query SIM slots: QMI SIM slot switch operation not supported
Thu Aug 10 09:48:44 2023 daemon.warn odhcpd[1917]: No default route present, overriding ra_lifetime!

The command
cat /sys/kernel/debug/usb/devices
returns (excerpt):

T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=480  MxCh= 0
D:  Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=19d2 ProdID=1275 Rev=51.42
S:  Manufacturer=ZTE,Incorporated
S:  Product=ZTE Technologies MSM
S:  SerialNumber=P685M510ZTED0000CP&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&0
C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
E:  Ad=87(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

Now I'm at the end of my skills. Please help.

Let's get AT commands working first: Please disable or delete the WWAN interface, so that uqmi doesn't interfere with us and reboot.

Which tool do you use for sending AT commands? Usually, I use screen.

After unlocking, my modem wouldn't register on the network, I had to change that with AT commands.

You can check if unlocking was successful with AT+ZNET?

For the AT commands, I go to the router with SSH or via the serial interface and then enter socat - /dev/ttyUSB2,crnl.
I have also tried USB1 and USB3.

root@OpenWrt:~# socat - /dev/ttyUSB2,crnl
ati

Manufacturer: ZTE CORPORATION
Model: ZM8630
Revision: BD_H3GATZM8630V1.0.0B08
IMEI: 868328020183261
+GCAP: +CGSM

OK
AT+ZNET?

ERROR

Is it possible that the problem is related to these lines?

Fri Aug 11 12:26:39 2023 daemon.info [2164]: <info>  [device /sys/devices/platform/ahb/1b000000.usb/usb1/1-1] creating modem with plugin 'zte' and '5' ports
Fri Aug 11 12:26:40 2023 daemon.warn [2164]: <warn>  [plugin/zte] could not grab port ttyUSB0: Cannot add port 'tty/ttyUSB0', unhandled port type
Fri Aug 11 12:26:40 2023 daemon.info [2164]: <info>  [base-manager] modem for device '/sys/devices/platform/ahb/1b000000.usb/usb1/1-1' successfully created
Fri Aug 11 12:26:40 2023 kern.err kernel: [   74.489430] qmi_wwan 1-1:1.3 wwan0: Cannot change a running device

I will check on mine, but this takes a week until I have access to such a device.

OK, thanks for your efforts.

Hello, I'm relatively sure that something didn't work with qcommand and the carrier lock is still inside.

I unpacked the qcommand_mips.zip with 7zip and then copied the .bin file with ftp into the /tmp folder, then did

chmod +x qcommand

and then started the console with

./qcommand .bin

I did all that in OpenWrt.

Is that correct, or have I overlooked something?

The console? The instructions state two commands without using the console and without SIM card. In your case, that would be:

/tmp/qcommand.bin -e -c "c 27 40 1f 46 30 41 41"
/tmp/qcommand.bin -e -c "c 29 02 00"

To check with qcommand if it worked, please provide the output of the following command:

/tmp/qcommand.bin -e -c "c 26 40 1f"

And regarding AT+ZNET: My bad, it's AT+ZSEC? that gives the unlocking status.

This really got me a step further; I've been running qcommand incorrectly so far. (I ran the .bin file with ./qcommand.bin.)

root@OpenWrt:/tmp# /tmp/qcommand.dat -e -c "c 27 40 1f 46 30 41 41"


 ---- ответ ---
00000000: 27 40 1f 46 30 41 41 00 00 00 00 00 00 00 00 00  *'@.F0AA.........*
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  *................*
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  *................*
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  *................*
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  *................*
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  *................*
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  *................*
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  *................*
00000080: 00 00 00 00 00 7e 49 7e                          *.....~I~        *

root@OpenWrt:/tmp# /tmp/qcommand.bin -e -c "c 29 02 00"
-ash: /tmp/qcommand.bin: not found
root@OpenWrt:/tmp# /tmp/qcommand.dat -e -c "c 29 02 00"


 ---- ответ ---
00000000: 29 02 00 59 6a 7e                                *)..Yj~          *

root@OpenWrt:/tmp# /tmp/qcommand.dat -e -c "c 26 40 1f"


 ---- ответ ---
00000000: 26 40 1f 46 30 41 41 00 00 00 00 00 00 00 00 00  *&@.F0AA.........*
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  *................*
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  *................*
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  *................*
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  *................*
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  *................*
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  *................*
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  *................*
00000080: 00 00 00 00 00 6b 79 7e                          *.....ky~        *

root@OpenWrt:/tmp#

AT+ZSEC?

+ZSEC: 3,0

OK

Now the whole thing looks different: the "LTE LEDs" now also light up blue and no longer red.

Unfortunately, for some reason, the modem still does not connect. In LuCI / Network, no information is given as to why the connection is not established, only Protocol: QMI Cellular
RX: 0 B (0 pts)
TX: 0 B (0 pts).

The log says:

Fri Aug 11 20:41:43 2023 daemon.warn [2173]: <warn>  [modem0] port cdc-wdm0 timed out 4 consecutive times
Fri Aug 11 20:41:43 2023 daemon.warn [2173]: <warn>  [modem0/sim0] couldn't load IMSI: QMI operation failed: Transaction timed out
Fri Aug 11 20:41:43 2023 daemon.warn [2173]: <warn>  [modem0/sim0] couldn't load list of emergency numbers: Failed to parse CRSM query result '+CRSM: 105,129,""'
Fri Aug 11 20:41:44 2023 daemon.warn [2173]: <warn>  [modem0/sim0] couldn't load GID1: Couldn't read data from UIM: QMI protocol error (16): 'NotProvisioned'
Fri Aug 11 20:41:44 2023 daemon.warn [2173]: <warn>  [modem0/sim0] couldn't load GID2: Couldn't read data from UIM: QMI protocol error (16): 'NotProvisioned'
Fri Aug 11 20:41:44 2023 daemon.warn [2173]: <warn>  [modem0] couldn't load list of own numbers: Couldn't get MSISDN: QMI protocol error (16): 'NotProvisioned'
Fri Aug 11 20:41:44 2023 daemon.warn [2173]: <warn>  [modem0] couldn't load IMEI: Device doesn't report a valid IMEI
Fri Aug 11 20:41:49 2023 daemon.err uhttpd[2038]: [info] luci: accepted login on /admin/network/network for root from 192.168.1.241
Fri Aug 11 20:42:04 2023 daemon.warn [2173]: <warn>  [modem0] port cdc-wdm0 timed out 2 consecutive times
Fri Aug 11 20:42:04 2023 daemon.warn [2173]: <warn>  [modem0] couldn't load SUPL server: QMI operation failed: Transaction timed out
Fri Aug 11 20:42:14 2023 daemon.warn [2173]: <warn>  [modem0] port cdc-wdm0 timed out 3 consecutive times
Fri Aug 11 20:42:14 2023 daemon.warn [2173]: <warn>  [modem0] couldn't load supported assistance data types: QMI operation failed: Transaction timed out
Fri Aug 11 20:42:19 2023 daemon.warn [2173]: <warn>  [modem0] port cdc-wdm0 timed out 4 consecutive times
Fri Aug 11 20:42:19 2023 daemon.info [2173]: <info>  [modem0] state changed (unknown -> disabled)

AT+COPS? returns:

root@OpenWrt:/etc/config# socat - /dev/ttyUSB2,crnl
at+cops?

+cops: 0,0,"bob",0

OK

Can you try with ModemManager instead of uqmi? See the wiki for details.

I've already tried that and that's the result. I deleted the interface in LuCI, but that didn't change anything.

root@OpenWrt:~# uqmi -d /dev/cdc-wdm0
root@OpenWrt:~# uqmi -d /dev/cdc-wdm0
root@OpenWrt:~# uqmi -d /dev/cdc-wdm0 --network-scan
^C"Failed to connect to service"
root@OpenWrt:~# uqmi -d /dev/cdc-wdm0 --list-messages
^C"Failed to connect to service"
root@OpenWrt:~# uqmi -d /dev/cdc-wdm0 --set-network-roaming any
^C"Failed to connect to service"
root@OpenWrt:~# uqmi -d /dev/cdc-wdm0 --get-versions
^C"Unknown error"

I've also tried a lot of other things.


root@OpenWrt:~# ls -l /dev/cdc-wdm0
crw-------    1 root     root      180, 176 Aug 11 23:49 /dev/cdc-wdm0
root@OpenWrt:~#

I've now invested five full days and have absolutely no plan what else I could do.

You might want to try a 23.05-RC2 build from https://downloads.openwrt.org/releases/23.05.0-rc2/targets/ath79/nand/ instead of your own build.

This is the log from my MF287+ using ModemManager; as mentioned, it's going to take a few more days until I have access to the MF282 again:

Aug 11 21:22:03 OpenWrt [30159]: <warn>  [ttyUSB0/probe] failed to parse QCDM version info command result: -7
Aug 11 21:22:03 OpenWrt [30159]: <info>  [device /sys/devices/platform/soc/8af8800.usb3/8a00000.dwc3/xhci-hcd.0.auto/usb2/2-1] creating modem with plugin 'zte' and '5' ports
Aug 11 21:22:03 OpenWrt [30159]: <info>  [base-manager] modem for device '/sys/devices/platform/soc/8af8800.usb3/8a00000.dwc3/xhci-hcd.0.auto/usb2/2-1' successfully created
Aug 11 21:22:04 OpenWrt ModemManager[30128]: hotplug: modem not detected at sysfs path
Aug 11 21:22:06 OpenWrt [30159]: <warn>  [modem0/sim1] couldn't load list of emergency numbers: Failed to parse CRSM query result '+CRSM: 148,8,""'
Aug 11 21:22:06 OpenWrt [30159]: <warn>  [modem0] couldn't load facility locks: QMI message Get Configuration failed: QMI protocol error (94): 'NotSupported'
Aug 11 21:22:07 OpenWrt [30159]: <info>  [modem0] state changed (unknown -> disabled)
Aug 11 21:22:09 OpenWrt ModemManager[30128]: hotplug: modem exported successfully at /sys/devices/platform/soc/8af8800.usb3/8a00000.dwc3/xhci-hcd.0.auto/usb2/2-1
Aug 11 21:22:09 OpenWrt ModemManager[30128]: hotplug: setting interface 'wwan' as available
Aug 11 21:22:09 OpenWrt netifd: Interface 'wwan' is setting up now
Aug 11 21:22:10 OpenWrt netifd: wwan (30755): modem available at /org/freedesktop/ModemManager1/Modem/0
Aug 11 21:22:10 OpenWrt netifd: wwan (30755): starting connection with apn 'webipaut'...
Aug 11 21:22:10 OpenWrt [30159]: <info>  [modem0] simple connect started...
Aug 11 21:22:10 OpenWrt [30159]: <info>  [modem0] simple connect state (3/10): enable
Aug 11 21:22:10 OpenWrt [30159]: <info>  [modem0] state changed (disabled -> enabling)
Aug 11 21:22:10 OpenWrt [30159]: <info>  [modem0] power state updated: on
Aug 11 21:22:12 OpenWrt [30159]: <info>  [modem0] simple connect state (4/10): wait to get fully enabled
Aug 11 21:22:12 OpenWrt [30159]: <info>  [modem0] state changed (enabling -> enabled)
Aug 11 21:22:12 OpenWrt [30159]: <info>  [modem0] simple connect state (5/10): wait after enabled
Aug 11 21:22:12 OpenWrt [30159]: <info>  [modem0] 3GPP registration state changed (unknown -> registering)
Aug 11 21:22:12 OpenWrt [30159]: <info>  [modem0] simple connect state (6/10): register
Aug 11 21:22:12 OpenWrt [30159]: <info>  [modem0] 3GPP registration state changed (registering -> home)
Aug 11 21:22:12 OpenWrt [30159]: <info>  [modem0] state changed (enabled -> registered)
Aug 11 21:22:12 OpenWrt [30159]: <info>  [modem0] simple connect state (7/10): wait to get packet service state attached
Aug 11 21:22:12 OpenWrt [30159]: <info>  [modem0] simple connect state (8/10): bearer
Aug 11 21:22:12 OpenWrt [30159]: <info>  [modem0] simple connect state (9/10): connect
Aug 11 21:22:12 OpenWrt [30159]: <info>  [modem0] state changed (registered -> connecting)
Aug 11 21:22:13 OpenWrt [30159]: <info>  [modem0/bearer1] QMI IPv4 Settings:
Aug 11 21:22:13 OpenWrt [30159]: <info>  [modem0/bearer1]     address: xx.xx.xx.xx
Aug 11 21:22:13 OpenWrt [30159]: <info>  [modem0/bearer1]     gateway: xx.xx.xx.xx
Aug 11 21:22:13 OpenWrt [30159]: <info>  [modem0/bearer1]     DNS #1: 213.162.70.25
Aug 11 21:22:13 OpenWrt [30159]: <info>  [modem0/bearer1]     DNS #2: 213.162.70.9
Aug 11 21:22:13 OpenWrt [30159]: <info>  [modem0/bearer1]        MTU: 1500
Aug 11 21:22:13 OpenWrt [30159]: <info>  [modem0/bearer1] reloading stats is supported by the device
Aug 11 21:22:13 OpenWrt [30159]: <info>  [modem0] state changed (connecting -> connected)
Aug 11 21:22:13 OpenWrt [30159]: <info>  [modem0] simple connect state (10/10): all done
Aug 11 21:22:13 OpenWrt netifd: wwan (30755): successfully connected the modem
Aug 11 21:22:13 OpenWrt netifd: wwan (30755): signal refresh rate is not set
Aug 11 21:22:13 OpenWrt netifd: wwan (30755): network operator name: 3-AT
Aug 11 21:22:13 OpenWrt netifd: wwan (30755): network operator MCCMNC: 23203
Aug 11 21:22:13 OpenWrt netifd: wwan (30755): registration type: home
Aug 11 21:22:14 OpenWrt netifd: wwan (30755): access technology: lte
Aug 11 21:22:14 OpenWrt netifd: wwan (30755): signal quality: 70%
Aug 11 21:22:14 OpenWrt netifd: wwan (30755): IPv4 connection setup required in interface wwan: static
Aug 11 21:22:14 OpenWrt netifd: wwan (30755): adding IPv4 address xx.xx.xx.xx, netmask 255.255.255.252
Aug 11 21:22:14 OpenWrt netifd: wwan (30755): adding default IPv4 route via xx.xx.xx.xx
Aug 11 21:22:14 OpenWrt netifd: wwan (30755): adding primary DNS at 213.162.70.25
Aug 11 21:22:14 OpenWrt netifd: wwan (30755): adding secondary DNS at 213.162.70.9
Aug 11 21:22:14 OpenWrt netifd: Interface 'wwan' is now up
Aug 11 21:22:14 OpenWrt netifd: Network device 'wwan0' link is up
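
As an added example (not part of any post in this thread): a small shell/awk helper that reduces ModemManager log output to the modem state, the registration state, the furthest simple-connect step and the QMI timeouts, which is where the MF282 log and the MF287+ log above differ. The function names `mm_summary` and `mm_field` are hypothetical, and the embedded sample lines are abridged from the logs posted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: condense ModemManager syslog output
# into the few facts that separate the failing and the working log.

# Abridged from the failing MF282 log posted in this thread.
sample_failing() {
cat <<'EOF'
Fri Aug 11 20:41:43 2023 daemon.warn [2173]: <warn>  [modem0] port cdc-wdm0 timed out 4 consecutive times
Fri Aug 11 20:41:43 2023 daemon.warn [2173]: <warn>  [modem0/sim0] couldn't load IMSI: QMI operation failed: Transaction timed out
Fri Aug 11 20:42:04 2023 daemon.warn [2173]: <warn>  [modem0] port cdc-wdm0 timed out 2 consecutive times
Fri Aug 11 20:42:04 2023 daemon.warn [2173]: <warn>  [modem0] couldn't load SUPL server: QMI operation failed: Transaction timed out
Fri Aug 11 20:42:19 2023 daemon.info [2173]: <info>  [modem0] state changed (unknown -> disabled)
EOF
}

# Abridged from the working MF287+ log posted in this thread.
sample_working() {
cat <<'EOF'
Aug 11 21:22:07 OpenWrt [30159]: <info>  [modem0] state changed (unknown -> disabled)
Aug 11 21:22:10 OpenWrt [30159]: <info>  [modem0] simple connect state (3/10): enable
Aug 11 21:22:10 OpenWrt [30159]: <info>  [modem0] state changed (disabled -> enabling)
Aug 11 21:22:12 OpenWrt [30159]: <info>  [modem0] state changed (enabling -> enabled)
Aug 11 21:22:12 OpenWrt [30159]: <info>  [modem0] 3GPP registration state changed (unknown -> registering)
Aug 11 21:22:12 OpenWrt [30159]: <info>  [modem0] 3GPP registration state changed (registering -> home)
Aug 11 21:22:12 OpenWrt [30159]: <info>  [modem0] state changed (enabled -> registered)
Aug 11 21:22:12 OpenWrt [30159]: <info>  [modem0] state changed (registered -> connecting)
Aug 11 21:22:13 OpenWrt [30159]: <info>  [modem0] state changed (connecting -> connected)
Aug 11 21:22:13 OpenWrt [30159]: <info>  [modem0] simple connect state (10/10): all done
EOF
}

# mm_summary (hypothetical helper): read log text on stdin, print key=value lines.
mm_summary() {
    awk '
    BEGIN { state = "unknown"; reg = "unknown"; step = 0
            port_to = 0; max_to = 0; txn_to = 0 }

    # Modem state machine: "[modem0] state changed (enabled -> registered)"
    /\] state changed \(/ {
        s = $0
        sub(/.*state changed \(/, "", s); sub(/\).*/, "", s)
        if (split(s, p, " -> ") == 2) state = p[2]
    }
    # Network registration: "3GPP registration state changed (registering -> home)"
    /registration state changed \(/ {
        s = $0
        sub(/.*state changed \(/, "", s); sub(/\).*/, "", s)
        if (split(s, p, " -> ") == 2) reg = p[2]
    }
    # Furthest connect step reached: "simple connect state (6/10): register"
    /simple connect state \(/ {
        s = $0
        sub(/.*simple connect state \(/, "", s); sub(/\/.*/, "", s)
        if (s + 0 > step) step = s + 0
    }
    # Control port stalls: "port cdc-wdm0 timed out 4 consecutive times"
    /timed out [0-9]+ consecutive times/ {
        port_to++
        s = $0
        sub(/.*timed out /, "", s); sub(/ consecutive.*/, "", s)
        if (s + 0 > max_to) max_to = s + 0
    }
    # Individual QMI requests that got no answer
    /Transaction timed out/ { txn_to++ }

    END {
        if (state == "connected")            v = "connected"
        else if (port_to > 0 || txn_to > 0)  v = "control-port-unresponsive"
        else if (step == 0)                  v = "connect-not-attempted"
        else                                 v = "connect-stalled-at-step-" step
        print "modem_state=" state
        print "registration=" reg
        print "connect_step=" step
        print "port_timeouts=" port_to
        print "max_consecutive_timeouts=" max_to
        print "qmi_transaction_timeouts=" txn_to
        print "verdict=" v
    }'
}

# mm_field (hypothetical helper): pick one value out of mm_summary output.
mm_field() { sed -n "s/^$1=//p"; }

echo "--- failing log ---"; sample_failing | mm_summary
echo "--- working log ---"; sample_working | mm_summary
```

On the router, `logread | mm_summary` runs the live system log through the same summary.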

I suspect something is wrong with the communication between qmi (uqmi) and the LTE modem.

With the AT feedback, it looks as if it would be connected to the provider if I interpret it correctly.

AT+CREG=?
+CREG: (0-2)

AT+COPS?
+COPS: 0,0,"bob",2

AT+CEREG?
+CEREG: 0,4

I can also make a phone call to the router (when I do that, even a phone icon flashes on the router) :slight_smile:

What else I noticed: cat ./dev/cdc-wdm0 is always empty. I don't think it's supposed to be like that?

I also noticed that the status LEDs (blue ring) already change color from red to blue while the router is still booting; it will certainly take another 30 seconds for the LEDs on the RJ45 socket to start flashing.

Unfortunately, I don't quite understand how the communication between the modem and Linux works (data traffic, modem commands, and much more?).

Therefore, troubleshooting is not the yellow of the egg :slight_smile:

Hello,

Thank you for your effort! Unfortunately, that doesn't work for me as planned. The router always restarts when the LAN cable is plugged in or is connected.

Construction:
1.) Router disassembled and serial interface soldered. Rectangular pad is 3.3V, next to it RX, TX and Ground. End of the cable to a USB converter.
2.) I use Linux, USB recognized under /dev/ttyUSB0 by means of screen and 115200 connection established (LAN cable direct connection to PC, manual address I set to 192.168.1.100 and tftp-hpa is also installed and openwrt.bin is located in /srv/tftp).
3.) That works fine until it asks me to press a button, otherwise the thing just starts again (I think that's normal).
4.) Entering the commands:
setenv serverip 192.168.1.100
setenv ipaddr 192.168.1.1
tftpboot 0x82000000 openwrt.bin
bootm 0x82000000

So far so good, now the following 2 scenes.
A) Before I type bootm, I remove the LAN cable. Then the router starts and, when I press very quickly when prompted, I get to OpenWrt (root@openwrt). As soon as I plug in the LAN cable, it reboots.
B) I leave the LAN cable plugged in, and the router doesn't boot OpenWrt at all but goes back to the starting position (where you have to press a key so that it doesn't restart over and over again).

I searched for errors and can find two:

1.) Flash: 8MB
*** Warning - bad CRC, using default environment

2.) Net: ath_gmac_enet_initialize...
No valid address in Flash. Using fixed address

Now I've tried 81000000 instead of 82000000 and other numbers but nothing works.

Now my question: how do you get to the 82000000? Maybe these are different numbers? Can you imagine what else it could be?

Thanks in advance for your answer,
Martin

Here is the procedure for plugging in the LAN cable:

BusyBox v1.36.1 (2023-06-26 11:20:39 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 23.05.0-rc2, r23228-cd17d8df2a
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:/# [   35.768823] br-lan: port 1(eth0) entered blocking state
[   35.774244] br-lan: port 1(eth0) entered disabled state
[   35.779954] device eth0 entered promiscuous mode

root@OpenWrt:/# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel master br-lan state DOWN qlen 1000
    link/ether d0:5b:a8:7c:02:4c brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether d0:5b:a8:7c:02:4c brd ff:ff:ff:ff:ff:ff
4: br-lan: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN qlen 1000
    link/ether d0:5b:a8:7c:02:4c brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fdd0:4f13:21a7::1/60 scope global tentative noprefixroute
       valid_lft forever preferred_lft forever
root@OpenWrt:/# [   88.819838] eth0: link up (1000Mbps/Full duplex)
[   88.824658] br-lan: port 1(eth0) entered blocking state
[   88.830103] br-lan: port 1(eth0) entered forwarding state
�

U-Boot 1.1.4 (Sep  2 2015 - 10:08:50)

ap152_ar8033 - Dragonfly 1.0DRAM: 
sri
ath_ddr_initial_config(278): (ddr2 init)
ath_sys_frequency: cpu 775 ddr 650 ahb 258
Tap values = (0xe, 0xe, 0xe, 0xe)
128 MB
Top of RAM usable for U-Boot at: 88000000
Reserving 413k for U-Boot at: 87f98000
Reserving 192k for malloc() at: 87f68000
Reserving 44 Bytes for Board Info at: 87f67fd4
Reserving 36 Bytes for Global Data at: 87f67fb0
Reserving 128k for boot params() at: 87f47fb0
Stack Pointer at: 87f47f98
Now running in RAM - U-Boot at: 87f98000
Flash Manuf Id 0xc2, DeviceId0 0x20, DeviceId1 0x15
flash size 8MB, sector count = 128
Flash:  8 MB
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ath_gmac_enet_initialize...
No valid address in Flash. Using fixed address
ath_gmac_enet_initialize: reset mask:c02200
athr_mgmt_init (MDC/MDIO config)::done
Dragonfly ---->8033 PHY*
AR8033 PHY init
athrs_ar8033_reg_init: Done 8111 (phyid: 0)
athr_gmac_sgmii_setup SGMII done
: cfg1 0x80000000 cfg2 0x7114
eth0: 00:03:7f:ff:ff:ff
ath_gmac_phy_setup
eth0 up
eth0
Qualcomm Atheros SPI NAND Driver, Version 0.1 (c) 2014  Qualcomm Atheros Inc.
ath_spi_nand_ecc: furture feat = 0x10
ath_spi_nand_ecc: middle feat = 0x10
ath_parse_read_id: SPI NAND M.Id: 0xc8 D.Id: 0xd1
====== NAND Parameters ======
sc addr = 0x87ff8000 page(write size) = 0x800 (erase size) block = 0x20000
Setting 0x181162c0 to 0x4b962100
Uaztemain: enter into !
zte_getHandOffState: read data=0x20 from 0x0
Uaztemain: no need to update ''
Hit any key to stop autoboot:  0
ath>

Here is the firmware I tried:

-rw-r--r-- 1 emka81 users  5795701 13. Aug 22:03 openwrt-23.05.0-rc1-ath79-nand-zte_mf282-initramfs-kernel.bin
-rw-r--r-- 1 emka81 users  6635810 13. Aug 22:03 openwrt-23.05.0-rc1-ath79-nand-zte_mf282-squashfs-sysupgrade.bin
-rw-r--r-- 1 emka81 users  5795051 14. Aug 10:14 openwrt-23.05.0-rc2-ath79-nand-zte_mf281-initramfs-kernel.bin
-rw-r--r-- 1 emka81 users 11141120 14. Aug 10:14 openwrt-23.05.0-rc2-ath79-nand-zte_mf281-squashfs-factory.bin
-rw-r--r-- 1 emka81 users  6932770 14. Aug 10:14 openwrt-23.05.0-rc2-ath79-nand-zte_mf281-squashfs-sysupgrade.bin
-rw-r--r-- 1 emka81 users  5794957 13. Aug 22:03 openwrt-23.05.0-rc2-ath79-nand-zte_mf282-initramfs-kernel.bin
-rw-r--r-- 1 emka81 users  6635810 13. Aug 22:03 openwrt-23.05.0-rc2-ath79-nand-zte_mf282-squashfs-sysupgrade.bin
-rw-r--r-- 1 emka81 users  5795041 14. Aug 10:14 openwrt-23.05.0-rc2-ath79-nand-zte_mf286-initramfs-kernel.bin
-rw-r--r-- 1 emka81 users  7096610 14. Aug 10:14 openwrt-23.05.0-rc2-ath79-nand-zte_mf286-squashfs-sysupgrade.bin
-rw-r--r-- 1 emka81 users  4905143 14. Aug 10:26 openwrt-23.05.0-rc2-ramips-rt305x-zte_mf283plus-initramfs-kernel.bin
-rw-r--r-- 1 emka81 users  5112113 14. Aug 10:26 openwrt-23.05.0-rc2-ramips-rt305x-zte_mf283plus-squashfs-sysupgrade.bin
-rw-r--r-- 1 emka81 users  5702948 14. Aug 00:11 openwrt-ath79-nand-zte_mf282-initramfs-kernel2.bin
-rw-r--r-- 1 emka81 users  9754567 14. Aug 00:10 openwrt-ath79-nand-zte_mf282-initramfs-kernel.bin
-rw-r--r-- 1 emka81 users  6512927 14. Aug 00:12 openwrt-ath79-nand-zte_mf282-squashfs-sysupgrade.bin

And the start of the serial console with screen:

Loading from device 0: ath-spi-nand (offset 0x1300000)
   Image Name:   Linux Kernel Image
   Created:      2016-12-09   1:01:15 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1279682 Bytes =  1.2 MB
   Load Address: 80002000
   Entry Point:  802929b0
ath_spi_nand_page_read :status=0x10

## Booting image at 81000000 ...
   Image Name:   Linux Kernel Image
   Created:      2016-12-09   1:01:15 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1279682 Bytes =  1.2 MB
   Load Address: 80002000
   Entry Point:  802929b0
   Verifying Checksum at 0x81000040 ...OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 802929b0) ...
## Giving linux memsize in bytes, 134217728

Starting kernel ...

Booting QCA956x
Linux version 2.6.31 (fanxy@SCL_XA241_154) (gcc version 4.3.3 (GCC) ) #1 Mon Dec 5 14:53:18 CST 2016
flash_size passed from bootloader = 8
arg 1: console=ttyS0,115200
arg 2: root=31:9
arg 3: rootfstype=cramfs
arg 4: init=/sbin/init
arg 5: mtdparts=ath-nor0:512k(uboot),128k(uboot-env);ath-spi-nand:1280k(fota-flag),1280k(caldata),1280k(mac),6m(cfg-param),1280k(oops),8m(web),3m(kernel),31m(rootfs),25m(data),50m(fota)
arg 6: mem=128M
CPU revision is: 00019750 (MIPS 74Kc)
ath_sys_frequency: cpu 775 ddr 650 ahb 258
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
User-defined physical RAM map:
 memory: 08000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00000000 -> 0x00008000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00008000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
Kernel command line: console=ttyS0,115200 root=31:9 rootfstype=cramfs init=/sbin/init mtdparts=ath-nor0:512k(uboot),128k(uboot-env);ath-spi-nand:1280k(fota-flag),1280k(caldata),1280k(mac),6m(cfg-param),1280k(oops),8m(web),3m(kernel),31m(rootfs),25m(data),50m(fota) mem=128M
PID hash table entries: 512 (order: 9, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
Memory: 111544k/131072k available (2660k kernel code, 19356k reserved, 893k data, 172k init, 0k highmem)
NR_IRQS:128
plat_time_init: plat time init done
r4k_clockevent_init: Ignoring int_usable failure
Console: colour dummy device 80x25
Calibrating delay loop... 387.07 BogoMIPS (lpj=774144)
Mount-cache hash table entries: 512

****************ALLOC***********************
 Packet mem: 803c14c0 (0xe00000 bytes)
********************************************

NET: Registered protocol family 16
qca956x_gpio_init() done: GPIO_BASE = 0xB8040000
ath_pcibios_init: bus 0

   
====== NAND Parameters ======
sc = 0x87962200 page = 0x800 block = 0x20000 oobsize=0x80,oobavail=0x30

lan_ip: 192.168.0.1, lan_netmask: 255.255.255.0..........
SIOCGIFFLAGS: Noathr_gmac_ring_alloc Allocated 2048 at 0x8718a000
 such device
sram_desc_cnt 1536,mac Unit 0,Tx r->ring_desc 0xbd000000
athr_gmac_ring_alloc Allocated 3584 at 0x87249000
sram_desc_cnt 4224,mac Unit 0,Rx r->ring_desc 0xbd000600
956x_GMAC: eth0 in SGMII MODE
Dragonfly -----> 8033 PHY
athrs_ar8033_reg_init
athrs_ar8033_reg_init: close 802.3az by write register for fix packet loss issue 20150826
read reg vale: [4007], [0], [1000]
athrs_ar8033_reg_init: Done
955x_SGMIIMax resets limit reached exiting...
955x_SGMII::athr_gmac_sgmii_setup  Done
Setting Drop CRC Errors, Pause Frames and Length Error frames
read reg value on function qca956x_gmac_hw_setup(): [0]
Setting PHY...
ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved
ADDRCONF(NETDEV_UP): eth0: link is not ready
brctl: iface eth1: No such devicdevice eth0 entered promiscuous mode
e
brctl: iface ath0: No such device
opms_wan_ifname=usb0
opms_wan_ifname=usb0
LanIfName=br0
killall: udhcpd: no process killed
killall: dnsmasq: no process killed
the mac_ip_list is null
the mac_ip_list is null
Password for 'admin' changed
ath_ahb: 10.2.r2-00013-4 (Atheros/multi-bss)
__ath_attach: Set global_scn[0]
Enterprise mode: 0x03bda000
Reading Flash for Calibraton data from 0x1000 and partition name is caldata
ar9300:Find mac MTD, MTD type = 4
Read mtd device successful,length = 0x6
ar9300_get_mac_address,ah_bustype is AHB.Green-AP : Green-AP : Attached

ar9300:Find mac MTD, MTD type = 4
Read mtd device successful,length = 0x6
ar9300_get_mac_address,ah_bustype is AHB.ath_get_caps[6166] rx chainmask mismatch actual 3 sc_chainmak 0
ath_get_caps[6141] tx chainmask mismatch actual 3 sc_chainmak 0
ath_attach_dfs[12593] dfsdomain 1
####zte debug:zte_dfs_netlink_init zte_dfs_netlink_init success
SC Callback Registration for wifi0
wifi0: Atheros 956X: mem=0xb8100000, irq=2
ath_pci: 10.2.r2-00013-4 (Atheros/multi-bss)
ath_pci_probe
PCI device id is 003c :003c
ath_pci 0000:00:00.0: ath DEBUG: sc=0x861f5400

 ol_ath_pci_configure : num_desired MSI set to 0


ol_ath_attach() Download FW.
ol_ath_attach() HT Create .
ol_ath_attach() HIF Claim.
ol_ath_attach() BMI Done.
ol_ath_attach() WMI attached. wmi_handle 86970000
+HWT
SOC_RESET_CONTROL_ADDRESS : 800
CPU_INTR_ADDRESS = [0]
SOC_GLOBAL_RESET_ADDRESS = [0]
Rx_Filter : [0]
CE_per_engine_handler_adjust, base=861f5400 offset=57400
CE_per_engine_handler_adjust, base=861f5400 offset=57800
CE_per_engine_handler_adjust, base=861f5400 offset=57c00
CE_per_engine_handler_adjust, base=861f5400 offset=58000
CE_per_engine_handler_adjust, base=861f5400 offset=58400
CE_per_engine_handler_adjust, base=861f5400 offset=58800
CE_recv_buf_enqueue 653 Populate last entry 512 for CE 5
CE_recv_buf_enqueue 662 CE 5 wi 511 dest_ptr 0x86fce0 nbytes 0 recv_ctxt 0x869c94c0
-HWT
normal mode!
starting pid 1654, tty '/dev/ttyS0': '/bin/sh'


BusyBox v1.15.0 (2016-12-09 09:00:36 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # /etc_ro/rc.d/rcS: line 165: zte_tcm: not found
HTC Service:0x0300 ep:1 TX flow control disabled
CE_pkt_dl_len_set CE 4 Pkt download length 64
ol_txrx_pdev_attach: 1424 tx desc's allocated ; range starts from 86b50000
HTC Service:0x0100 ep:2 TX flow control disabled
wmi_service_ready_event_rx:  WMI UNIFIED SERVICE READY event
num_rf_chain : 00000002
ht_cap_info: : 0000085b
vht_cap_info : 338001b2
vht_supp_mcs : 0000fffa
LARGE_AP enabled. num_peers 144, num_vdevs 16, num_tids 256
idx 0 req 1  num_units 0 num_unit_info 2 unit size 444 actual units 145
chunk 0 len 64380 requested ,ptr  0x6b70000
Sat Jan  ��

U-Boot 1.1.4 (Sep  2 2015 - 10:08:50)

ap152_ar8033 - Dragonfly 1.0DRAM: 
sri
ath_ddr_initial_config(278): (ddr2 init)
ath_sys_frequency: cpu 775 ddr 650 ahb 258
Tap values = (0x10, 0x10, 0x10, 0x10)
128 MB
Top of RAM usable for U-Boot at: 88000000
Reserving 413k for U-Boot at: 87f98000
Reserving 192k for malloc() at: 87f68000
Reserving 44 Bytes for Board Info at: 87f67fd4
Reserving 36 Bytes for Global Data at: 87f67fb0
Reserving 128k for boot params() at: 87f47fb0
Stack Pointer at: 87f47f98
Now running in RAM - U-Boot at: 87f98000
Flash Manuf Id 0xc2, DeviceId0 0x20, DeviceId1 0x15
flash size 8MB, sector count = 128
Flash:  8 MB
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ath_gmac_enet_initialize...
No valid address in Flash. Using fixed address
ath_gmac_enet_initialize: reset mask:c02200
athr_mgmt_init (MDC/MDIO config)::done
Dragonfly ---->8033 PHY*
AR8033 PHY init
athrs_ar8033_reg_init: Done 8111 (phyid: 0)
athr_gmac_sgmii_setup SGMII done
: cfg1 0x80000000 cfg2 0x7114
eth0: 00:03:7f:ff:ff:ff
ath_gmac_phy_setup
eth0 up
eth0
Qualcomm Atheros SPI NAND Driver, Version 0.1 (c) 2014  Qualcomm Atheros Inc.
ath_spi_nand_ecc: furture feat = 0x10
ath_spi_nand_ecc: middle feat = 0x10
ath_parse_read_id: SPI NAND M.Id: 0xc8 D.Id: 0xd1
====== NAND Parameters ======
sc addr = 0x87ff8000 page(write size) = 0x800 (erase size) block = 0x20000
Setting 0x181162c0 to 0x4b962100
Uaztemain: enter into !
zte_getHandOffState: read data=0x20 from 0x0
Uaztemain: no need to update ''
Hit any key to stop autoboot:  0
ath>

Please do not cross-post in other forums. I'll reply here and add a similar comment to https://www.lteforum.at/mobilfunk/dreineo-huitube-openwrt-und-carrier-unlock.21497/

Do you have another USB-TTL adapter? Since your stock firmware exhibits the same behavior (judging from your last log, it rebooted right after startup), my bet is on this cable.

So let's get the pinout and the connections right first: 3.3V is never connected, only Rx, Tx and GND. On my device, Rx and Tx are swapped, but since you get output on serial, it's connected correctly.

I have an FTDI FT232 converter which completely prevents booting on one particular device (not tested on this one). I have to connect the TTL converter only after power is applied, then it starts working. Similar reports can be found in the ZyXEL WSM20 thread for yet another cheap converter.

Starts again as in "it continues booting the stock firmware" or as in "it reboots"? If it reboots, something is wrong.

This is harmless on this device and also happens on mine.

That looks related to the MAC address and the laziness of ZTE to fix it for U-Boot.

This is the memory address the image is loaded to via TFTP. RAM starts at 0x80000000 and ends at 0x88000000. In this case, the last few MB are occupied by U-Boot (you can see this in your U-Boot log) and we must not overwrite this area. Then, however, the Linux kernel is decompressed to 0x80000000 so we need some space for the Linux kernel - this is the area 0x80000000 to 0x82000000. Via TFTP, it should work with 0x81000000 as well if the image is not too big.

Only the -initramfs-kernel.bin images for the MF282 can be booted via TFTP. The sysupgrade image for the MF282 will be flashed once the boot via TFTP has succeeded.

As mentioned in my previous post to @mucke1985, I don't have access to the device at the moment. I will test the current RC images on my device in a few days.

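The memory-layout reasoning in the post above, as an added example that is not part of the original thread: a check that a TFTP load address keeps the image below U-Boot's reserved top-of-RAM region (read from the U-Boot log earlier on this page) and above the kernel decompressed at 0x80000000. The function names, the 64 KiB stack margin and the image sizes used with it are assumptions.

```python
import re

RAM_BASE = 0x80000000  # from the post: RAM starts here, kernel is decompressed here
RAM_END = 0x88000000   # from the post: end of the 128 MiB of RAM

# Reservation lines copied from the U-Boot log earlier on this page.
UBOOT_LOG = """\
Top of RAM usable for U-Boot at: 88000000
Reserving 413k for U-Boot at: 87f98000
Reserving 192k for malloc() at: 87f68000
Reserving 44 Bytes for Board Info at: 87f67fd4
Reserving 36 Bytes for Global Data at: 87f67fb0
Reserving 128k for boot params() at: 87f47fb0
Stack Pointer at: 87f47f98
"""


def uboot_floor(log):
    """Lowest RAM address U-Boot reports as in use (reservations and stack)."""
    addrs = [int(a, 16) for a in re.findall(r"at: ([0-9a-fA-F]{8})\s*$", log, re.M)]
    in_ram = [a for a in addrs if RAM_BASE <= a < RAM_END]
    if not in_ram:
        raise ValueError("no U-Boot reservation lines found in log")
    return min(in_ram)


def check_load(load_addr, image_size, unpacked_size, log=UBOOT_LOG,
               stack_margin=0x10000):
    """Return a list of problems; an empty list means the address is usable.

    image_size    -- bytes transferred via TFTP (the -initramfs-kernel.bin file)
    unpacked_size -- bytes the kernel occupies once decompressed at RAM_BASE
    stack_margin  -- assumed headroom, since the U-Boot stack grows downwards
    """
    problems = []
    ceiling = uboot_floor(log) - stack_margin
    if not RAM_BASE <= load_addr < RAM_END:
        problems.append("load address outside RAM")
    if load_addr + image_size > ceiling:
        problems.append("image overlaps U-Boot region")
    if RAM_BASE + unpacked_size > load_addr:
        problems.append("decompressed kernel overwrites image")
    return problems


MiB = 1 << 20
# Constructed sizes: 8 MiB image, 24 MiB once unpacked.
print(check_load(0x82000000, 8 * MiB, 24 * MiB))
print(check_load(0x81000000, 8 * MiB, 24 * MiB))
```
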

I would be interested to know if you always use a 3 SIM card.
Have you ever used BOB or something else where roaming is necessary?

My other LTE router is from Huawei (without branding) so I only have to activate Auto APN and the connection to bob works.
But if I set the APN and authentication as announced by the provider, nothing works.

It could be that the problem lies here. Unfortunately there is no Auto APN setting in QMI cellular.

You might want to try a 23.05-RC2 build from https://downloads.openwrt.org/releases/23.05.0-rc2/targets/ath79/nand/ instead of your own build.

Oh, I've only just noticed that the link goes to a finished sysupgrade for the MF282, which I'll test today.

I've now tried the release. The modem behaves identically to my build.

THANK you!

Now nearly everything works (turning off the blue LED light is not working)!!!

The only mistake I made was to connect the 3.3V!!

screen /dev/ttyUSB0 115200 was not working for me (I touched keys but it didn't stop like before), but instead picocom -b 115200 /dev/ttyUSB0 did the job. Then via ssh I copied the sysupgrade to the router's tmp directory and voila, all finished.

I didn't try the qcommand because I don't need to insert a SIM; for me it's only an access point.

Thank you for your help and the right tip with the 3.3V!

Greets Martin


I only use HoT, that's why I had to find a way for unlocking it. I can check tomorrow.

Ok, I've done a few more tests.

I was busy with the AT+ commands and was able to register the modem in the LTE network, but I had to disconnect it from the LTE network first because it always registers itself. But no matter what I run with the AT commands, QMI Cellular doesn't register at all.

Which is also very strange: even if I set it in QMI Cellular not to start the modem when booting, it does it anyway, and at the same time the status LED switches from red to blue (indicates that the modem is registered in the network). The system still needs 30-40 seconds until eth0 starts to work.

It is interesting that the modem takes over the settings from QMI Cellular (APN/password/username, otherwise it would not register itself in the network), but after that it is as if it would no longer be able to communicate.

Here is a link to a really clear list of AT commands