Hi everyone, yesterday I flashed OpenWrt on my Mi Router 3G according to https://openwrt.org/toh/xiaomi/mir3g
I sent the exploit to root the device, which worked perfectly fine, and continued over an SSH connection.
Copied kernel and rootfs data to the /tmp folder on the router and wrote them with the following commands:
mtd write openwrt-18.06.2-ramips-mt7621-mir3g-squashfs-kernel1.bin kernel1
mtd write openwrt-18.06.2-ramips-mt7621-mir3g-squashfs-rootfs0.bin rootfs0
nvram set flag_try_sys1_failed=1
nvram commit
reboot
Unfortunately, after a reboot the LED on the router went from orange to blinking red. I wasn't able to connect to the router via SSH anymore. Tried to rescue it with the USB port and with an original firmware named "miwifi.bin", which didn't load. It always ended with the orange LED followed by the red blinking one.
So I soldered a USB-to-TTL adapter to the serial port of the router. rx - tx and tx - rx, also ground to ground.
Reading logs was possible. In the uboot menu I selected option two for flashing (Load system code then write to Flash via TFTP) and loaded the kernel0.bin data and flashed it. After this the router got stuck on status:
Starting kernel ...
After 5 minutes I restarted the router. I see it loading up over serial, but after 5 seconds it gets stuck again on status "Starting kernel ...".
The LED this time stays orange all the time. The LAN ports get uplink but I can't connect via SSH or telnet. I also can't interrupt the boot process. Is there any way left I could unbrick my router? I guess my failure was to use a kernel0.bin of a wrong router (used this one https://drive.google.com/drive/folders/0B1VOQQ-_EIXKVTFmVWZHcFM4NGc)
Here is the whole log after starting it up:
OK!
relocate_code Pointer at: 8ffac000
Config XHCI 40M PLL
Allocate 16 byte aligned buffer: 8ffe0030
Enable NFI Clock
# MTK NAND # : Use HW ECC
NAND ID [C8 D1 80 95 42]
Device found in MTK table, ID: c8d1, EXT_ID: 809542
Support this Device in MTK table! c8d1
select_chip
[NAND]select ecc bit:4, sparesize :64 spare_per_sector=16
Signature matched and data read!
load_fact_bbt success 1023
load fact bbt success
[mtk_nand] probe successfully!
mtd->writesize=2048 mtd->oobsize=64, mtd->erasesize=131072 devinfo.iowidth=8
..============================================
Ralink UBoot Version: 5.0.0.0
--------------------------------------------
ASIC MT7621A DualCore (MAC to MT7530 Mode)
DRAM_CONF_FROM: Auto-Detection
DRAM_TYPE: DDR3
DRAM bus: 16 bit
Xtal Mode=5 OCP Ratio=1/4
Flash component: NAND Flash
Date:Sep 25 2018 Time:12:07:27
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:256, ways:4, linesz:32 ,total:32768
##### The CPU freq = 880 MHZ ####
estimate memory size =256 Mbytes
#Reset_MT7530
set LAN/WAN LWLLL
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
7: Load Boot Loader code then write to Flash via Serial.
9: Load Boot Loader code then write to Flash via TFTP.
You choosed 3
0
Boot failure detected on both systems
Verifying kernel1 uImage CRC, addr: 0xbc200000
Image Name: MIPS OpenWrt Linux-2.6.36
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 2192675 Bytes = 2.1 MB
Load Address: 80000000
Entry Point: 80000000
.................................. Verifying Checksum ... OK
Booting System 1
..ranand_erase: start:80000, len:20000
..Done!
done
3: System Boot system code via Flash.
## Booting image at bc200000 ...
Image Name: MIPS OpenWrt Linux-2.6.36
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 2192675 Bytes = 2.1 MB
Load Address: 80000000
Entry Point: 80000000
.................................. Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
commandline uart_en=0 factory_mode=0 usb_u3=0
No initrd
## Transferring control to Linux (at address 80000000) ...
## Giving linux memsize in MB, 256
Starting kernel ...