Jtag recovery Xiaomi ax3000t

Hi
I have a new Xiaomi ax3000t that had its bootloader erased without any recovery. Now the UART only shows a kernel halt message. The bootloader is erased, so the firmware cannot be programmed or rewritten.
I am wondering if anyone knows whether this particular router has a JTAG port that I can use to recover it by flashing the bootloader onto the NAND flash chip.

There should usually be some way to mass-program them. Usually in manufacturing, the NAND flash would NOT have been programmed and then soldered.

I assume you mean 3000t, not 300t?

Yes...this is 3000t

https://openwrt.org/inbox/toh/xiaomi/ax3000t

I speculate the recovery process would be something along the lines of...

For which you'll need the correct BL2 payload with the uart download option enabled...

(Likely candidate being bl2-mt7981-bga-ddr3-ram.bin)

And then the u-boot image from snapshot...

(openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-bl31-uboot.fip)

From which I suppose you would then tftpboot the initramfs recovery image and then proceed to make backups + vaguely follow the installation process?

Thanks for the reply. I went through the link and I understand what you are saying. I did not know Mediatek processors have that function. I thought JTAG or NAND removal and reflashing was the only option.

I am trying to find more information about this. I just do not know if anything needs to be done on the router side for this to work, as there is very little documentation about it.

Have you ever recovered this way?

```
mtk_uartboot --payload bl2.bin --fip uboot.fip
```

```
mtk_uartboot - 0.1.1
Using serial port: COM3
Handshake...
hw code: 0x7981
hw sub code: 0x8a00
hw ver: 0xca00
sw ver: 0x1
Baud rate set to 460800
sending payload to 0x201000...
Checksum: 0x8f29
Setting baudrate back to 115200
Jumping to 0x201000 in aarch32...
Waiting for BL2. Message below:
==================================
==================================
Timeout waiting for specified message.
```

While trying to run this, I am getting this message. I might be wrong, but maybe the CPU is asking for a different address than 0x201000.

This is automatically done by either the script or the CPU itself, but after this there is no activity, and when I restart the router I get the same "SYSTEM HALT" message:


```
F0: 102B 0000
FA: 1040 0000
FA: 1040 0000 [0200]
F9: 3903 0041
F3: 1001 0000 [0200]
F3: 1001 0000
F6: 102C 0000
F5: 480A 0031
00: 1005 0000
FA: 1040 0000
FA: 1040 0000 [0200]
F9: 3903 0041
F3: 1001 0000 [0200]
F3: 1001 0000
F6: 102C 0000
01: 102A 0001
02: 1005 0000
BP: 2000 00C0 [0001]
EC: 0000 0000 [1000]
T0: 0000 00ED [010F]
System halt!
```



Would you think of anything else on this?

You missed the --aarch64 option, which tells the utility to execute BL2 in armv8, not armv7.

Thank you... That did help make progress. I moved one step forward.

This is the new output, which means the BL2 is getting flashed OR loaded in RAM. The front light comes on for a second, then goes off. If I unplug the router and load the UART again, I receive the same System Halt message.
I am lost as to what the next step would be after this.

```
mtk_uartboot - 0.1.1
Using serial port: COM3
Handshake...
hw code: 0x7981
hw sub code: 0x8a00
hw ver: 0xca00
sw ver: 0x1
Baud rate set to 460800
sending payload to 0x201000...
Checksum: 0x8f29
Setting baudrate back to 115200
Jumping to 0x201000 in aarch64...
Waiting for BL2. Message below:
==================================
NOTICE:  BL2: v2.10.0   (release):v2.10.0-mtk
NOTICE:  BL2: Built : 13:17:06, Mar  1 2024
NOTICE:  WDT: Cold boot
NOTICE:  WDT: disabled
NOTICE:  EMI: Using DDR3 settings
NOTICE:  EMI: Detected DRAM size: 256MB
NOTICE:  EMI: complex R/W mem test passed
NOTICE:  CPU: MT7981 (1300MHz)
NOTICE:  Starting UART download handshake ...
==================================
BL2 UART DL version: 0x10
Baudrate set to: 921600
FIP sent.
==================================
NOTICE:  Received FIP 0xba609 @ 0x40400000 ...
==================================
```

I was able to recover the router. The above solution works to load the bootloader temporarily in RAM and lets you recover or flash the bootloader and system through the tftp recovery process.
However, I am unable to see the Wifi interfaces. Looking at the logs, it is complaining about a missing EEPROM. Gotta do more searching.

Thanks everyone !!
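A pre-flight check for the FIP before it goes over UART, added here as an example and not code from the thread, from OpenWrt or from mtk_uartboot: it walks the Trusted Firmware-A FIP table of contents (magic 0xAA640001, 16-byte header, 40-byte entries ended by an all-zero UUID) so you can confirm the file is a well-formed FIP and compare its declared size with the "Received FIP 0x..." line BL2 prints after the download. The sample FIP is constructed in code; image UUIDs are not decoded to names.

```python
import struct

FIP_MAGIC = 0xAA640001        # "name" field of a Trusted Firmware-A FIP ToC header
HEADER_FMT = "<IIQ"           # name, serial_number, flags (16 bytes)
ENTRY_FMT = "<16sQQQ"         # uuid, offset_address, size, flags (40 bytes)
HEADER_LEN = struct.calcsize(HEADER_FMT)
ENTRY_LEN = struct.calcsize(ENTRY_FMT)


def parse_fip(data):
    """Walk the FIP table of contents.

    Returns (entries, declared_size): entries is a list of (uuid_hex, offset, size)
    per image; declared_size is the offset stored in the all-zero terminator entry,
    which fiptool sets to the end of the last image (i.e. the file size).
    Raises ValueError when the blob is not a well-formed FIP.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than a FIP header")
    name, _serial, _flags = struct.unpack_from(HEADER_FMT, data, 0)
    if name != FIP_MAGIC:
        raise ValueError("bad FIP magic 0x%08x" % name)
    entries = []
    pos = HEADER_LEN
    while True:
        if pos + ENTRY_LEN > len(data):
            raise ValueError("ToC not terminated before end of file")
        raw_uuid, offset, size, _eflags = struct.unpack_from(ENTRY_FMT, data, pos)
        pos += ENTRY_LEN
        if raw_uuid == bytes(16):
            return entries, offset      # null UUID ends the ToC
        if offset + size > len(data):
            raise ValueError("image %s runs past end of file" % raw_uuid.hex())
        entries.append((raw_uuid.hex(), offset, size))


def build_fip(images):
    """Constructed helper for testing: pack (uuid_bytes, payload) pairs into a FIP."""
    toc_len = HEADER_LEN + ENTRY_LEN * (len(images) + 1)
    toc = struct.pack(HEADER_FMT, FIP_MAGIC, 0x12345678, 0)
    body = b""
    for img_uuid, payload in images:
        toc += struct.pack(ENTRY_FMT, img_uuid, toc_len + len(body), len(payload), 0)
        body += payload
    toc += struct.pack(ENTRY_FMT, bytes(16), toc_len + len(body), 0, 0)
    return toc + body


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        blob = f.read()
    entries, declared = parse_fip(blob)
    for uuid_hex, offset, size in entries:
        print("%s  offset=0x%x  size=0x%x" % (uuid_hex, offset, size))
    print("declared size 0x%x, file size 0x%x" % (declared, len(blob)))
```

Run it as `python fipcheck.py openwrt-...-ubootmod-bl31-uboot.fip`; a declared size that differs from the file size, or a ValueError, means the file is not the FIP you think it is and is worth re-downloading before another UART attempt.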

@jessydm, how does this story end? Did you recover it completely?

I was able to recover the router; however, I am still not able to restore the wifi ART partition fully yet. I was able to get wifi working, but somehow I feel it is not working 100%. I was able to get an original dump from another router of the same model and am figuring out a way to restore it. I know this because I tried to flash the Xiaomi firmware and it cannot see the SN information either.

But the router is alive.