Adding OpenWrt support for ZTE MF286 3g/4g wifi router

I find that everything is working quite peachy otherwise, but, for me, enabling signal statistics sometimes causes the modem to stop working. I forget what the exact error message was, but something about a command not being cancelable. Perhaps a 30 seconds refresh-rate for signal statistics is too often, I don't know -- I haven't used any LTE-stuff with OpenWRT before.

This is great news, thank you! I haven't had a chance to give it a try yet, I'm sorry about that..

Works fine in last snapshot except(or i messed around official firmware layout) we need two options set
" Either way, if there is a partition named rootfs and MTD_ROOTFS_ROOT_DEV kernel config option is set to yes, this partition is automatically used for the root filesystem.

After that, if MTD_ROOTFS_SPLIT is enabled, the kernel adjusts the rootfs partition size to the minimum required by the particular SquashFS image and automatically adds rootfs_data to the list of the available mtd partitions setting its beginning to the first appropriate address after the SquashFS end and size to the remainder of the original rootfs partition. The resulting list is stored in RAM only, so no partition table of any kind gets actually modified."

Could you explain why do you think all that is needed? I haven't had any issue with the layout as-is, I haven't had to enable any extra kernel settings.

@sunnydrake, this should not be needed. UBI is used for rootfs_data on this family of devices, and is stored on the ubiconcat thing, with label "ubi" causing userspace to mount overlay there automatically.

i wiped my factory layout accidently and sysupgrade does not create squashfs or ubi filesystem correctly
so at boot time i get

[ 0.544346] spi-nand spi0.1: Winbond SPI NAND was found.
[ 0.549848] spi-nand spi0.1: 128 MiB, block size: 128 KiB, page size: 2048, OOB size: 64
[ 0.560702] 4 fixed-partitions partitions found on MTD device spi0.1
[ 0.567310] Creating 4 MTD partitions on "spi0.1":
[ 0.572268] 0x000000000000-0x000000080000 : "art"
[ 0.578465] 0x000000080000-0x000000100000 : "mac"
[ 0.585456] 0x000002000000-0x000008000000 : "rootfs"
[ 0.672227] mtd: device 2 (rootfs) set to be root filesystem
[ 0.679886] mtdsplit: no squashfs found in "rootfs"
[ 0.685031] 0x000001800000-0x000002000000 : "nand_kernel"
[ 0.703411] spi-nor spi0.0: mx25l1606e (2048 Kbytes)
[ 0.708632] 2 fixed-partitions partitions found on MTD device spi0.0
[ 0.715214] Creating 2 MTD partitions on "spi0.0":
[ 0.720169] 0x000000000000-0x0000000a0000 : "u-boot"
[ 0.726925] 0x0000000a0000-0x0000000c0000 : "u-boot-env"

so when i enter firstboot -y i usually get no rootfs_data device and that's it .. im stuck with tmpfs
check... looks like MTD_ROOTFS_SPLIT and MTD_ROOTFS_ROOT_DEV kicked out of kernel config somehow... So i found another cultprit it is missing uvol mounter and not mounting at all .. investigating
@Leo-PL thanks for suggestion

@sunnydrake this is 286, not R nor A version, right?
For me, it looks like this:

[    0.387340] spi-nand spi0.1: GigaDevice SPI NAND was found.
[    0.393112] spi-nand spi0.1: 128 MiB, block size: 128 KiB, page size: 2048, OOB size: 128
[    0.403941] 6 fixed-partitions partitions found on MTD device (null)
[    0.410558] Creating 6 MTD partitions on "(null)":
[    0.415522] 0x000000000000-0x000000140000 : "fota-flag"
[    0.423651] 0x000000140000-0x000000280000 : "caldata"
[    0.432375] 0x000000280000-0x0000003c0000 : "mac"
[    0.440788] 0x0000003c0000-0x000001300000 : "ubiconcat0"
[    0.468951] 0x000001300000-0x000001700000 : "kernel"
[    0.481348] 0x000001700000-0x000008000000 : "ubiconcat1"
[    0.638013] spi-nor spi0.0: mx25l1606e (2048 Kbytes)
[    0.643193] 2 fixed-partitions partitions found on MTD device spi0.0
[    0.649811] Creating 2 MTD partitions on "spi0.0":
[    0.654761] 0x000000000000-0x000000080000 : "u-boot"
[    0.661810] 0x000000080000-0x0000000a0000 : "u-boot-env"
[    0.669211] Concatenating MTD devices:
[    0.673098] (0): "ubiconcat0"
[    0.676159] (1): "ubiconcat1"
[    0.679285] into device "ubi-concat"
[    0.683011] 1 fixed-partitions partitions found on MTD device ubi-concat
[    0.689945] Creating 1 MTD partitions on "ubi-concat":
[    0.695252] 0x000000000000-0x000007840000 : "ubi"

I see that your flash layout is totally different from upstream one.

In upstream, rootfs partition is in UBI as well, as typical for NAND devices. Maybe you're missing the right Kconfig for mtd-concat or UBI, or the right label?

An idea struck me, that it would indeed be possible to use uImage split, to combine kernel and rootfs dynamically on single MTD, but then there is no equivalent of "squashfs-split" parser used on NOR devices, for UBI, so we would probably lose more space than just allocating 4MB for kernel itself statically.

as i see layout was changed from my version to different in qca9563_zte_mf286.dts

&system_flash {
        partitions {
                partition@0 {
                        label = "fota-flag";
                        reg = <0x000000 0x140000>;

                partition@140000 {
                        label = "caldata";
                        reg = <0x140000 0x140000>;

                        compatible = "nvmem-cells";
                        #address-cells = <1>;
                        #size-cells = <1>;

                        cal_caldata_1000: cal@1000 {
                                reg = <0x1000 0x440>;

                        cal_caldata_5000: cal@5000 {
                                reg = <0x5000 0x844>;

                partition@280000 {
                        label = "mac";
                        reg = <0x280000 0x140000>;

                        compatible = "nvmem-cells";
                        #address-cells = <1>;
                        #size-cells = <1>;

                        macaddr_mac_0: macaddr@0 {
                                reg = <0x0 0x6>;

                /* This encompasses stock cfg-param, oops, web partitions,
                 * which can be overwritten safely
                ubiconcat0: partition@3c0000 {
                        label = "ubiconcat0";
                        reg = <0x3c0000 0xf40000>;

                /* Kernel MTD size is increased to 4MB from stock 3MB */
                partition@1300000 {
                        label = "kernel";
                        reg = <0x1300000 0x400000>;

                /* This encompasses stock rootfs, data, fota partitions,
                 * which can be overwritten safely
                ubiconcat1: partition@1600000 {
                        label = "ubiconcat1";
                        reg = <0x1700000 0x6900000>;

problem is openwrt sysupdate does not create new partitions :frowning:

OMG used erase command from uboot now flash is empty device is brick... need to reprogramm flash somehow

Erased NOR flash as well? If that's only NAND, U-boot will attempt TFTP recovery by itself, as detailed in the commit message:
If not, you can find it here: - in the CPE_boot_file subdirectory.
BTW, I don't see the reason for fiddling with flash layout and not using upstream one, it makes the most space available to the user already.

please i need help on getting SSH access on zte mf 286c router .
i tried adding "http://hostname/&&telnetd&&" to the url filter then attempted SSH/telnet access with putty but i am still getting " Fatal error connection refused" response.
@Leo-PL @faloyeh


Try the method 2 from this commit:
Your router is more similar to MF286A/R than plain MF286, however I didn't have a chance to get one yet.

This works if busybox does not have telnetd compiled in. Notably, this
is the case in firmware.
If this does not work, try method 3.

- Set IP of your computer to (or appropriate subnet if
- Have a TFTP server running at that address
- Download MIPS build of busybox including telnetd, for example from:
  and put it in it's root directory. Rename it as "telnetd".
- As previously, login to router's web UI and navigate to "URL
- Using "Inspect" feature, extend "maxlength" property of the input
  field named "addURLFilter", so it looks like this:
  <input type="text" name="addURLFilter" id="addURLFilter" maxlength="332"
    class="required form-control">
- Stay on the page - do not navigate anywhere
- Enter "http://aa& telnetd" as a filter.
- Save the settings. This will download the telnetd binary over tftp and
  execute it. You should be able to log in at port 23, using
  "admin/admin" as credentials.

I changed the URL to busybox, because 1.21.1 wasn't working on MF286A I had on hand, and 1.16.1 did.
If it does not work, there is a chance that this exploit was fixed - it for sure was fixed in MF286D.

If you manage to get in, please post contents of /proc/mtd, /sys/kernel/debug/gpio and the kernel log.

Any support for the version U?

Thanks for the assistance.
sorry i have been trying to carry out the method 2, however after setting up the tftp and copying the file i am unable to carry out the part above. Attach is my web ui interface. No "inspect"

i dont know if this will be helpful...
I found from the UI that my model uses busybox-1.15.0 and the open source file provided has this link

Huh, so it seems, that they modified Javascript as well, as they did in MF286D, which has additional validation of the field. You can try to execute this in your javascript console - the next tab to "Inspector":


in your Javascript console of that page. Or, to avoid reactivation, set the timer:

setInterval(() => {$('#addURLFilter').rules('remove')}, 200)

However this doesn't guarantee the success, in MF286D the underlying bug in NVRAM implementation was patched as well.

I'll take a quick look into MF286C opensource code, maybe it is similar enough to 286A/R.

Edit: this code bundle is byte-by-byte the same as for MF286A and MF286R. And I could not dig out anything meaningful from it w.r.t. the hardware configuration, the same as previously for both 286A and 286R.

@mf286c once you get in, could you get kernel log using 'dmesg, contents of /proc/mtd` and /sys/kernel/debug/gpio? I'd greatly appreciate full flash dump as well.

My nose is telling me that MF286A initramfs will run on this device just fine. Do not venture with installation just yet, though. The board is different and we have yet to figure it out.

The timer code was executed however the first code for removing the rules failed to execute, it gave this error

" Uncaught TypeError: jQuery(...).rules is not a function
debugger eval code:2"

i want to keep playing with the different options around there ....may be i will be lucky.

As I don't have access to the device, I'm afraid I can't help with web interface, so you'll have to proceed with the serial console. According to pictures here: - the console port location matches previous devices.

i finally got the cp2102, however i was unable to get proper console access, it is requesting for
" OpenWrt user" and "password"

i have tried the combinations below but no success
admin admin,
root admin,
root root ,
superuser admin,
superuser superuser
empty space admin

kindly suggest other options.

Is there any other way i can reset the user and password or override that default OpenWrt password?

That is quite a surprise! Have you tried using your actual web admin password, or one printed on the device label? On MF286D, that one was working for Telnet access, however on serial console, there was no login prompt, just an instant shell.

even those ones failed.
It seems they have activated "extreme difficulty/ wickedness mode" on the mf286c model :thinking:

do you think i should try this via the failsafe soft reset mentioned here?

i noticed these during the booting , i dont know if any of them
can be utilised

Please choose the operation:
3: Boot system code via Flash (default).
4: Entr boot command line interface.
7: Load Boot Loader code then write to Flash via Serial.
9: Load Boot Loader code then write to Flash via TFTP.