Mi Router 4A Gigabit Edition stuck in initramfs mode

If you have previously modified the bootloader to have a bootdelay, then recovery by serial is possible.

It can't be modified now since the OpenWrt that is loaded can't access the flash chip at all.

As shipped from Xiaomi, the serial bootloader menu is inaccessible since bootdelay is set to zero. The only way to recover that is by writing directly to the flash chip with an SPI programmer.

Arriving tomorrow ... That should do the trick, right?


Yup! :+1:

Read the flash multiple times, do checksums and continue if they are the same!
Then take a copy of it and copy the sysupgrade.bin into it, skipping the first 0x00180000 bytes, e.g. with dd:

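```
cp full16MBdump.bin full16MBdump-copy01.bin
# seek=1 skips the first 1536k (0x00180000 bytes) of the output file;
# conv=notrunc keeps the rest of the dump instead of truncating it
dd if=openwrt-22.03.3-sysupgrade.bin bs=1536k seek=1 conv=notrunc of=full16MBdump-copy01.bin
```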
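
The read, checksum and patch steps from the post above as a shell sketch. This is an added example, not code from any poster in this thread; the function names `dumps_match` and `patch_dump` are assumptions, and it expects `sha256sum`, `head -c` and `dd` from a typical Linux userland.

```shell
#!/bin/sh
# Added example. The offset comes from the post above; function names are assumed.
FW_OFFSET=1572864   # 0x00180000 bytes = 1536 KiB, where the firmware starts in the dump

# Succeeds only if at least two dumps are given and all have the same SHA-256.
# Returns 1 on a mismatch, 2 on a missing/empty file or too few arguments.
dumps_match() {
    [ "$#" -ge 2 ] || return 2
    ref=""
    for f in "$@"; do
        [ -s "$f" ] || return 2
        sum=$(sha256sum < "$f" | cut -d' ' -f1)
        [ -n "$ref" ] || ref=$sum
        [ "$sum" = "$ref" ] || return 1
    done
}

# patch_dump DUMP SYSUPGRADE OUT
# Copies DUMP to OUT and writes SYSUPGRADE into OUT at FW_OFFSET.
# Returns 2 on I/O problems, 3 if the image would not fit, 4 if the
# post-write check fails.
patch_dump() {
    dump=$1; fw=$2; out=$3
    [ -s "$dump" ] && [ -s "$fw" ] || return 2
    dump_size=$(wc -c < "$dump"); fw_size=$(wc -c < "$fw")
    # Refuse an image that would run past the end of the flash dump.
    [ $((FW_OFFSET + fw_size)) -le $((dump_size)) ] || return 3
    cp "$dump" "$out" || return 2
    # seek= moves the write position in the OUTPUT file. skip= would drop
    # input data instead and write at offset 0, over the bootloader.
    dd if="$fw" of="$out" bs="$FW_OFFSET" seek=1 conv=notrunc 2>/dev/null || return 2
    # Everything below FW_OFFSET must be byte-identical to the original dump,
    # and the total length must not have changed.
    a=$(head -c "$FW_OFFSET" "$dump" | sha256sum)
    b=$(head -c "$FW_OFFSET" "$out" | sha256sum)
    [ "$a" = "$b" ] && [ "$(wc -c < "$out")" -eq $((dump_size)) ] || return 4
}

# Typical use (file names as in the post above):
#   dumps_match read1.bin read2.bin read3.bin &&
#   patch_dump read1.bin openwrt-22.03.3-sysupgrade.bin full16MBdump-copy01.bin
```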

Oh ha ... the adventure continues and even more to learn here. :slight_smile: I will definitely need help on this because this is the first time for me to practise things like that. I'm more familiar with programming ESP32s and stuff, so new territory here ... Anyway, I will let you all know as soon as I have the SPI. This thread could be helpful for many users btw.

Okay, Jeff B. has delivered. :slight_smile: Connected after watching numerous yt-videos. First, second and third readout are all identical files. Everything done under Windows 10. Now trying to insert sysupgrade.bin (22.03.3) with HxD. Stay tuned ...


IT WORKED GUYS IT WORKED!!! I'm not stuck anymore. Good job everybody, for coaching me through all this. What a journey. Looking back it was easy, but some sidenotes here:

  • Windows 10: no driver necessary for the CH341A SPI programmer, just plug it in. First I tried to detect the chip without connecting to it, just to see what NeoProgrammer will tell me. At this point I got the message: CH341A not detected, so I thought maybe I need a driver? But as soon as I put the clamp on it found a chip, so obviously no driver needed.

  • As you can see on my picture above the chip is labeled QX128A but NeoProgrammer detected a QF128 chip. Then I read out the chip using different settings (F or N whatever) but the result was always an identical file so it obviously doesn't make a big difference there, or the X is just a placeholder for any letter you find on your chip, idk.

  • HxD under Windows did a fantastic job inserting (Paste insert) the sysupgrade.bin. Just open it, select all, copy it and then in the file I got from the SPI programmer insert it at the hex position @xabolcs mentioned above (0x00180000), overwriting whatever there was.

  • I saved the new file and tried to write it back, but forgot to erase the chip first. Yeah, you have to do that, then a verify and I was done.

Again, thanks everybody for all the help. So, what else could I flash now? :slight_smile:


You do this in the OpenWRTInvasion shell, the part where you initially cracked it with the exploit. You will have to use the 0.1 version and not the latest!

