MT7986 router bricked, secure boot stops uartboot, need help


Hello everyone,
I tried flashing my own bl2 via uart uboot on a MediaTek MT7986 router (uses Winbond W25N02KVZEIR SPI NAND). After flash, board shows "System halt" on serial output.

Then tried using mtk_uartboot to reflash original bl2 + fip (from same router backup), but it stops with “secure boot enabled” panic.

mtk_uartboot detects hw code 0x7986 fine, but still blocks.

Any way to force into brom? Maybe disable nand? I heard removing or lifting CE# might force brom. Just want to write back bl2 if possible.

Attached screenshots and output of uart and mtk_uartboot tool here:

  • uart showing halt:
F0: 102B 0000  
FA: 1040 0000  
FA: 1040 0000 [0200]  
F9: 3903 0041  
F3: 1001 0000  
F3: 1001 0000 [0200]  
F5: 1026 0000  
F5: 1026 0000  
00: 1005 0000  
FA: 1040 0000  
F9: 3903 0041  
F3: 1001 0000 [0200]  
F3: 1001 0000  
F6: 102C 0001  
01: 102A 0001  
02: 1005 0000  
BP: 2000 02C0 [0001]  
EC: 0000 0000 [1000]  
TO: 0000 00AE [000F]  
System halt!
  • mtk_uartboot secure boot panic:
    Secure boot enabled
    thread 'main' panicked at src/main.rs:56:9

Please suggest if anyone faced this or knows if pulling nand helps. Trying to recover without spi programmer for now. Thanks.

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.
Please edit your post accordingly. Thank you! :slight_smile:

I'm in the exact same position. Trying to recover from a brick I caused. I didn't have access to the correct bootloader but I just tried with the closest I could find:

unitywifi:mtk_uartboot-v0.1.1-x86_64-apple-darwin root#
unitywifi:mtk_uartboot-v0.1.1-x86_64-apple-darwin root# ./mtk_uartboot -s /dev/tty.usbserial-0001 --aarch64 -p mt7986-ram-ddr4-bl2.bin -f openwrt-23.05.5-mediatek-filogic-xiaomi_redmi-router-ax6000-ubootmod-bl31-uboot.fip
mtk_uartboot - 0.1.1
Using serial port: /dev/tty.usbserial-0001
Handshake...
hw code: 0x7986
hw sub code: 0x8a00
hw ver: 0xca01
sw ver: 0x1
thread 'main' panicked at src/main.rs:56:9:
Secure boot enabled.
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Abort trap: 6
unitywifi:mtk_uartboot-v0.1.1-x86_64-apple-darwin root#

Did you ever find a way to get around secure boot?

Unfortunately, there is no way to bypass secure boot, but you have to reflash the NAND chip with some working programmer like CH341A with the correct dump of the firmware.