Thanks for this thread, I was trying https://openwrt.org/toh/zte/mf286r with Step 1 - Method 3 and there were slight differences (I'm on MF286R, as I found out later it's using busybox 1.19.4 without telnetd support).
With the information on the above OpenWrt site and the information here I found a way to get in via telnet:
Maybe it helps someone. So far I didn't get to step 2, too late here for now.
Set up a telnet client (on Windows, for example, it can be enabled as a feature)
Note: The article recommends version 1.21.1, but since my router is likely version 1.19.4, that did not work for me. I was able to use version 1.16.1, and later 1.19.0 as well.
For example, in the TFTP base directory: wget https://busybox.net/downloads/binaries/1.16.1/busybox-mips -O telnetd
Set the connected PC to a fixed IP address of 192.168.0.22/24 and bind the TFTP server to it. Restart TFTP if necessary.
Advanced settings -> Firewall -> URL filtering
Note: There may be rules here that prevent adding a filter on the client side. These can be removed using DevTools in the browser, the following must be executed in the console: jQuery("#addURLFilter").rules("remove")
Now add the following filter: http://aa&zte_debug.sh 192.168.0.22 telnetd
You need to start the TFTP server if not already running! Restart the router and then open the router interface again in the browser. Now Telnetd will be loaded and started from the TFTP server.
Connect to 192.168.0.1 using telnet from the PC and enter admin/admin when asked. You should now be logged in the router interface via telnet.
That's correct, I've discovered that after the support got merged as well. Would be a good addition to the wiki. Busybox 1.16.1 is the latest not requiring the missing MIPS in-kernel FPU emulation, which caused the newer versions to fail.
Finally the 1.19.0 worked for me too (since busybox on my router is 1.19.4), but at least 1.21.1 didn't work and the wiki entry is misleading. I think I'll have a look into this.
Log in to telnet while still having the original image on your router
cat /proc/filesystems delivers filesystems the kernel of the router supports (shortened): nodev usbfs ntfs
Format a USB stick with the appropriate format (in my case ext3/ext4 was not possible, only fat/ntfs)
cat /proc/mtd should display the following (see wiki)
Plug in the USB stick
It should now be mounted under /var/usb_disk (verify with mount-command)
Execute the following command (partition 16 can also be skipped - firmware = kernel + rootfs and is therefore redundant): for i in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16; do cat /dev/mtd$i > /var/usb_disk/mtd$i; done
umount /var/usb_disk; sync
Then remove the USB stick and store it securely/save the content somewhere else.
What was different to the wiki article was that I needed to format with ntfs/fat (I chose fat), the wiki article states fat or ext4, but ext4 isn't supported (at least on my device).
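A size check for the dumps produced by the backup loop above, as an added example that is not part of the original posts: each mtdN file should be exactly as large as the partition size listed in /proc/mtd, and a truncated file means a failed read or a full stick. It assumes the output of cat /proc/mtd was saved to a text file next to the dumps; the file name proc_mtd.txt, the partition names and the sizes in make_sample are constructed.

```shell
#!/bin/sh
# Added example: compare MTD dump sizes with the sizes in a saved /proc/mtd.
# Usage: verify_mtd_dumps <saved_proc_mtd> <dump_dir>
# Prints one line per partition; returns 0 only if every dump is complete.
verify_mtd_dumps() {
    table=$1; dir=$2; bad=0
    # /proc/mtd lines look like: mtd3: 00080000 00020000 "name"
    while read -r dev size _erase name; do
        case $dev in mtd[0-9]*:) ;; *) continue ;; esac   # skip header line
        dev=${dev%:}
        want=$((0x$size))                  # size column is hexadecimal
        file=$dir/$dev
        if [ ! -f "$file" ]; then
            echo "MISSING $dev $name"; bad=1; continue
        fi
        have=$(wc -c < "$file" | tr -d ' ')
        if [ "$have" -eq "$want" ]; then
            echo "OK $dev $name ($have bytes)"
        else
            echo "MISMATCH $dev $name ($have of $want bytes)"; bad=1
        fi
    done < "$table"
    return $bad
}

# Constructed sample (not from a real MF286R): a 3-partition table plus dumps
# written into directory $1, with mtd2 deliberately truncated.
make_sample() {
    cat > "$1/proc_mtd.txt" <<'EOF'
dev:    size   erasesize  name
mtd0: 00000800 00000400 "u-boot"
mtd1: 00000400 00000400 "u-boot-env"
mtd2: 00001000 00000400 "firmware"
EOF
    head -c 2048 /dev/zero > "$1/mtd0"
    head -c 1024 /dev/zero > "$1/mtd1"
    head -c 1000 /dev/zero > "$1/mtd2"    # short: 4096 bytes expected
}

# Run directly as: sh verify.sh proc_mtd.txt /path/to/dumps
if [ "$#" -eq 2 ]; then verify_mtd_dumps "$1" "$2"; fi
```

Run it on the PC against the copied stick contents before flashing anything, so a short dump is noticed while the original firmware is still readable.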
Writing data to block 0 at offset 0x0
libmtd: error!: cannot write 2048 bytes to mtd16 (eraseblock 0, offset 0)
error 1 (Operation not permitted)
nandwrite: error!: /dev/mtd16: MTD write failure
error 1 (Operation not permitted)
Data was only partially written due to error
Any idea how I can get around this? Has this written anything? I was uncertain because of "partially written", so I did nandwrite -p /dev/mtd16 /var/usb_disk/original_firmware/mtd16.
At least I could reboot my router and original firmware starts and looks ok. Is there an alternative? I've seen sometimes people write with "mtd write ..." (haven't tried this yet)
I will edit the wiki, thanks, but didn't quite understand what changes to do on the step 1.3, I need to look a bit further. Thanks for additions, stuff doesn't work the same with every firmware obviously.
The installation steps on the wiki specifically were taken straight from the git pull request written by the LeoPL himself here. The way I installed is to get a serial adapter and not deal with ZTE's software bullshit. I will do my best to update them when I have some time from university stuff.
I think that stock FW does lock the firmware MTD in software - this is probably done by the firmware update service. Try disabling it and rebooting. Otherwise, try to use the TFTP recovery method.
Well, my case seems to be full of clamps and screws. I've read the description, it's a little bit different for my version. It seems doable for me, but I hoped to get it done without disassembling.
It is perhaps doable, and for me it was way easier to install with the adapter since I couldn't do it without it (perhaps that's why the problems in the steps on the wiki weren't obvious to me).
We should still provide the method for installing OpenWrt without buying extra equipment, don't get me wrong, but I'm just telling my experience.
It can be done from the web settings panel of stock firmware, however this just disables some behaviour. It's unlikely that you can just disable this via init system, the stock firmware runs on a bunch of scripts cobbled together, with no real control over services.
Ok turned that setting off in web-UI, but no change.
If I do a cat /sys/class/mtd/mtd16/flags it gives back 0x400, which seems to mean the device is writeable: https://codebrowser.dev/linux/linux/include/uapi/mtd/mtd-abi.h.html (search for 0x400). So there must be something different preventing this, maybe another part in the background I can't turn off.
Is there a difference to mtd (https://openwrt.org/docs/techref/mtd)?
Just thought if I could use mtd instead of nandwrite, don't know if it changes something, but it would be worth a try (if it can be used here)
So it seems to be dependent on vendor firmware. You still can trigger TFTP recovery by erasing kernel partition, or access the serial console and boot initramfs from there, then perform the installation as usual.
@Leo-PL I've decompiled update_control and found the following line: echo 102 > /sys/devices/platform/ath79-spi/spi_master/spi0/spi0.1/change_speed
I don't know if it was by accident, but executing this writing seemed to work.
Unfortunately somehow I lost the connection and after reboot the router didn't start.
In the meantime I managed to open the router, but somehow I don't get in with a CP2102 based connector. Maybe I do something wrong: In the wiki it says "Serial connection parameters for ZTE MF286R -> 115200, ..." - Do I need some sort of flow control enabled? (hardware/software?)
I'm uncertain about the wiring too, it says Vcc, Tx, Rx, GND. I know I don't need the first wire (VCC), 4th (GND) is ok too. But do I need to connect the 2nd wire (TX) to TX on the adapter or to RX (cross over)? The same applies for the 3rd wire.