[Solved] Need some help to unbrick my Xiaomi Mi Router 4A 100m international Model R4AC

Hello,

I bought a used Xiaomi Mi Router 4A 100m international Model R4AC, product date 12/2021, a few weeks ago. I wanted to have a backup device for my x86 opnsense powered router in case of maintenance. I need VLAN support, so that's why I needed OpenWRT.
I checked that the device worked, and it did, with a Xiaomi firmware version 3.xx, from memory.
I followed some tutorials without checking and flashed a stock Xiaomi 2.18.28.bin firmware in order to use the OpenWRTInvasion root shell. The flashing process was too long and the blue light didn't come on within 20 minutes, so I decided to shut down the device.
After connecting with the serial console I saw the bootloader in an infinite loop trying to boot, with a menu offering some boot options.
Disclaimer: I'm neither a developer nor a specialist of embedded devices, so I'm now walking in troubled waters. Maybe my actions are not the right or best ones.
The U-Boot bootloader complains about a bad JEDEC flash identifier:
flash manufacture id: 1c, device id 71 18
Warning: un-recognized chip ID, please update bootloader!
So when digging around I understood that the flash chip wasn't recognized by U-Boot. I don't know the consequences of this in terms of boot operation. I tried a lot of operations, but the most successful one was this:

  • modified the eon.c file to include the declaration of the en25qx128a chip that Ansuel pushed some days ago here: https://github.com/openwrt/openwrt/commit/9a30edd5697cd145856606fb6ce7e40ba9b659f8.
  • built the openwrt firmware for my router with this addition
  • uploaded the firmware via TFTP and loaded it with the initramfs firmware
  • checked with /proc/mtd that the partitions were found, and they were! The flash chip is now recognized under OpenWRT started on RAM
  • flashed the sysupgrade firmware with either the mtd or the sysupgrade command. There was no blocking error flashing the device; it takes 50 seconds to flash and then reboots. But the device stays in an infinite loop.

Here is the flash layout seen by OpenWRT:

dev:    size   erasesize  name
mtd0: 00020000 00010000 "bootloader"
mtd1: 00010000 00010000 "config"
mtd2: 00010000 00010000 "factory"
mtd3: 00010000 00010000 "crash"
mtd4: 00010000 00010000 "cfg_bak"
mtd5: 00200000 00010000 "overlay"
mtd6: 00da0000 00010000 "firmware"
mtd7: 00218153 00010000 "kernel"
mtd8: 00b87ead 00010000 "rootfs"
mtd9: 00800000 00010000 "rootfs_data"

Here is the log and the U-boot loop following :

root@OpenWrt:/# sysupgrade -v /tmp/openwrt-ramips-22.03-sysupgrade.bin
Cannot save config while running from ramdisk.
Sat Sep  3 02:58:23 UTC 2022 upgrade: Commencing upgrade. Closing all shell sessions.
Watchdog handover: fd=3
- watchdog -
Watchdog does not have CARDRESET support
Sat Sep  3 02:58:24 UTC 2022 upgrade: Sending TERM to remaining processes ...
Sat Sep  3 02:58:24 UTC 2022 upgrade: Sending signal TERM to ntpd (2107)
Sat Sep  3 02:58:24 UTC 2022 upgrade: Sending signal TERM to ntpd (2110)
Sat Sep  3 02:58:28 UTC 2022 upgrade: Sending KILL to remaining processes ...
[  194.762247] stage2 (3196): drop_caches: 3
Sat Sep  3 02:58:34 UTC 2022 upgrade: Switching to ramdisk...
Sat Sep  3 02:58:37 UTC 2022 upgrade: Performing system upgrade...
[  197.385781] do_stage2 (3196): drop_caches: 3
Unlocking firmware ...

Writing from <stdin> to firmware ...
Appending jffs2 data from /tmp/sysupgrade.tgz to firmware..
.File /tmp/sysupgrade.tgz does not exist
Sat Sep  3 02:59:08 UTC 2022 upgrade: Upgrade completed
Sat Sep  3 02:59:09 UTC 2022 upgrade: Rebooting system...
umount: can't unmount /dev: Resource busy
umount: can't unmount /tmp: Resource busy
[  230.103636] reboot: Restarting system

[03080D09][03080C0F][7F880000][28243F48][00282448]
DU Setting Cal Done


U-Boot 1.1.3 (Oct 23 2018 - 13:31:19)

Board: Ralink APSoC DRAM:  64 MB
Power on memory test. Memory size= 64 MB...OK!
relocate_code Pointer at: 83fb0000
RT2880_RSTSTAT_REG 0xc0030204
******************************
Software System Reset Occurred
******************************
flash manufacture id: 1c, device id 71 18
Warning: un-recognized chip ID, please update bootloader!
env is right!
***********************************
!!!flashing system accidental shutdown!!!
***********************************
============================================
Ralink UBoot Version: 4.3.0.0
--------------------------------------------
ASIC 7628_MP (Port5<->None)
DRAM component: 512 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 64 MBytes
Flash component: SPI Flash
Date:Oct 23 2018  Time:13:31:19
============================================
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768

 ##### The CPU freq = 575 MHZ ####
 estimate memory size =64 Mbytes
RESET MT7628 PHY!!!!!!
Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   9: Load Boot Loader code then write to Flash via TFTP.                                                                               0
   n3: System Boot system code via Flash.
Booting System 1
Erasing SPI Flash...
raspi_erase: offs:20000 len:10000
.
Writing to SPI Flash...
.
done
## Booting image at bc160000 ...
Bad Magic Number,85190320, try to reboot
Erasing SPI Flash...
raspi_erase: offs:20000 len:10000
.
Writing to SPI Flash...
.
done

[04010D09][04010D08][88890000][25254849][00252548]
DU Setting Cal Done


U-Boot 1.1.3 (Oct 23 2018 - 13:31:19)
...

Now I have 2 leads to follow:

  • The first one is to update the bootloader to have support for the en25qx128a. I downloaded the U-Boot source code, built it for a generic mt7628 device and modified the file ./drivers/mtd/spi/spi-nor-ids.c to gain support for the en25qx128a flash chip in the bootloader. My goal is to flash the bootloader from my initramfs openwrt image supporting the chip. This lead is a one-way ticket because I can brick my device. That's why I'm asking for the community's advice; maybe there are other leads.
  • The second one is about the boot address specified in U-Boot. We can see that it tries to boot at the address 0xbc160000. I don't know if this address is aligned with the flash chip or RAM, and I don't know how to verify that this address is aligned with the flash layout.

Am I wrong somewhere in my attempts to debrick my Xiaomi router?

Please try to go back to factory 2.18.28 first, check:

and

for the EN25QX128A chip, refer to my patch:
https://forum.openwrt.org/t/new-xiaomi-4c-cannot-install-openwrt-flash-chip-changed-to-en25qx128a/

I wonder why your R4AC has the old bootloader, which is not for the new chip.
Anyway, please do not try to destroy the original bootloader unless you have an SPI programmer and have backed up your bootloader.

Thanks a lot for your help!
I changed the eon.c with your patch, then according to your first link, I tried to install the non-international version. First I booted the initramfs image for the non-international version; the memory layout was different:

dev:    size   erasesize  name
mtd0: 00020000 00010000 "bootloader"
mtd1: 00010000 00010000 "config"
mtd2: 00010000 00010000 "factory"
mtd3: 00010000 00010000 "crash"
mtd4: 00010000 00010000 "cfg_bak"
mtd5: 00100000 00010000 "overlay"
mtd6: 00ea0000 00010000 "firmware"

Then I flashed the sysupgrade image and rebooted. The router is working now. It's not in an infinite loop. The flash memory layout was the good lead.

Please check the serial log of your R4AC now; is the bootloader still the same as above?
If yes, that means that even though the bootloader does not recognize the new IC, it can still boot OpenWrt with a correctly patched fw.

Yes, I have the same warning but it's booting:

U-Boot 1.1.3 (Oct 23 2018 - 13:31:19)

Board: Ralink APSoC DRAM:  64 MB
Power on memory test. Memory size= 64 MB...OK!
relocate_code Pointer at: 83fb0000
RT2880_RSTSTAT_REG 0xc0030000
***************************
Board power on Occurred
***************************
flash manufacture id: 1c, device id 71 18
Warning: un-recognized chip ID, please update bootloader!
env is right!
***********************************
!!!flashing system accidental shutdown!!!
***********************************
============================================
Ralink UBoot Version: 4.3.0.0
--------------------------------------------
ASIC 7628_MP (Port5<->None)
DRAM component: 512 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 64 MBytes
Flash component: SPI Flash
Date:Oct 23 2018  Time:13:31:19
============================================
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768

 ##### The CPU freq = 575 MHZ ####
 estimate memory size =64 Mbytes
RESET MT7628 PHY!!!!!!
Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   9: Load Boot Loader code then write to Flash via TFTP.                                                                              0
   n3: System Boot system code via Flash.
Booting System 1
Erasing SPI Flash...
raspi_erase: offs:20000 len:10000
.
Writing to SPI Flash...
.
done
## Booting image at bc160000 ...
   Image Name:   MIPS OpenWrt Linux-5.10.138
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
...

I understood before that the flash was usable by the bootloader despite this warning message. It was able to read and store some env data: when you select to download an image via TFTP, it stored a successful IP address configuration and a filename.

I think I have this bootloader version because when I first flashed back the firmware I downloaded an image with the firmware and the bootloader. It was a mistake; I didn't know exactly what I was doing at that moment. I will keep this bootloader, as it is able to boot a correct firmware image. I'm just not able to directly flash a firmware from the bootloader:

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   9: Load Boot Loader code then write to Flash via TFTP.                                                                              4
You choosed 2
                                                                                                                                       0


2: System Load Linux Kernel then write to Flash via TFTP.
 Warning!! Erase Linux in Flash then burn new one. Are you sure?(Y/N)
 Please Input new ones /or Ctrl-C to discard
        Input device IP (192.168.10.204) ==:192.168.10.204
        Input server IP (192.168.10.221) ==:192.168.10.190
        Input Linux Kernel filename (openwrt-ramips-22.03-3.bin) ==:openwrt-ramips-22.03-3.bin

 netboot_common, argc= 3

 NetTxPacket = 0x83FE6000

 KSEG1ADDR(NetTxPacket) = 0xA3FE6000

 NetLoop,call eth_halt !

 NetLoop,call eth_init !
Trying Eth0 (10/100-M)

 Waitting for RX_DMA_BUSY status Start... done


 ETH_STATE_ACTIVE!!
TFTP from server 192.168.10.190; our IP address is 192.168.10.204
Filename 'openwrt-ramips-22.03-3.bin'.

 TIMEOUT_COUNT=10,Load address: 0x80100000
Loading: Got ARP REPLY, set server/gtwy eth addr (00:15:5d:0a:80:04)
Got it
#################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         ##############Got ARP REQUEST, return our IP
###################################################
         #################################################################
         ###############################################################
done
Bytes transferred = 5643909 (561e85 hex)
NetBootFileXferSize= 00561e85
 Writing OS1 to 0x160000
raspi_erase_write: offs:160000, count:561e85
Abort: image size larger than 1835008!

I need to do it from an initramfs firmware with the correct memory layout

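The check this thread converges on, as an added example that is not part of the original posts or of OpenWrt: before flashing from an initramfs image, confirm that the `firmware` partition starts at the flash offset the bootloader boots from. `BOOT_OFFSET` is taken from the serial log above ("## Booting image at bc160000", "Writing OS1 to 0x160000"); the function names are hypothetical, and partitions are assumed to be laid out contiguously from offset 0 because /proc/mtd lists sizes only.

```shell
#!/bin/sh
# Flash offset U-Boot boots from, as shown in the thread's serial log.
BOOT_OFFSET=0x160000

# Print the start offset (hex) of partition $1 from /proc/mtd-style text on
# stdin. Assumption: every partition listed before it is contiguous from 0.
part_offset() {
    want=$1 off=0
    while read -r dev size erase name; do
        case $dev in mtd*) ;; *) continue ;; esac   # skip the header line
        if [ "$name" = "\"$want\"" ]; then
            printf '0x%x\n' "$off"
            return 0
        fi
        off=$((off + 0x$size))
    done
    return 1
}

# Succeed only if "firmware" starts where the bootloader expects its image.
check_layout() {
    fw=$(part_offset firmware) || { echo "no firmware partition"; return 2; }
    if [ $(($fw)) -eq $(($BOOT_OFFSET)) ]; then
        echo "OK: firmware at $fw matches boot offset $BOOT_OFFSET"
    else
        echo "MISMATCH: firmware at $fw, bootloader boots from $BOOT_OFFSET"
        return 1
    fi
}

# Constructed sample: the two /proc/mtd listings posted in the thread differ
# only in the overlay size ($1) and the firmware size ($2).
sample_mtd() { cat <<EOF
dev:    size   erasesize  name
mtd0: 00020000 00010000 "bootloader"
mtd1: 00010000 00010000 "config"
mtd2: 00010000 00010000 "factory"
mtd3: 00010000 00010000 "crash"
mtd4: 00010000 00010000 "cfg_bak"
mtd5: $1 00010000 "overlay"
mtd6: $2 00010000 "firmware"
EOF
}

sample_mtd 00200000 00da0000 | check_layout || true   # international image
sample_mtd 00100000 00ea0000 | check_layout           # non-international image
```

On the router itself the same check is `check_layout < /proc/mtd`, run from the initramfs image before `sysupgrade`. With the international layout, offset 0x160000 falls inside the `overlay` partition (0x60000 to 0x260000), so the bootloader does not find a kernel image header there.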

Thanks. You made me aware of the use of the initramfs.bin file.
