I bought a used Xiaomi Mi Router 4A 100m international Model R4AC Product date 12/2021 a few weeks ago. I wanted to have a backup device for my x86 opnsense powered router in case of maintenance. I need VLAN support so that's why I needed OpenWRT.
I checked that the device worked, and it did, with a Xiaomi firmware version 3.xx as far as I remember.
I followed some tutorials without checking and flashed a stock Xiaomi 2.18.28.bin firmware in order to use the OpenWRTInvasion root shell. The flashing process was too long and the blue light didn't come on within 20 minutes so I decided to shut down the device.
After connecting with the serial console I saw the bootloader in infinite loop trying to boot with a menu offering some boot options.
Disclaimer: I'm neither a developer nor a specialist in embedded devices, so I'm now walking in troubled waters. Maybe my actions are not the right or best ones.
The bootloader U-Boot complains about a bad JEDEC flash identifier:
flash manufacture id: 1c, device id 71 18
Warning: un-recognized chip ID, please update bootloader!
So when digging around I understood that the flash chip wasn't recognized by U-Boot. I don't know the consequences of this in terms of boot operation. I tried a lot of operations but the most successful operation was this one:
built the openwrt firmware for my router with this addition
uploaded the firmware via TFTP and loaded it with the initramfs firmware
checked with /proc/mtd that the partitions were found, and they were! The flash chip is now recognized under OpenWRT started from RAM
flashed the sysupgrade firmware either with mtd or the sysupgrade command. There were no blocking errors flashing the device; it takes 50 seconds to flash and then reboots. But the device stays in an infinite loop.
root@OpenWrt:/# sysupgrade -v /tmp/openwrt-ramips-22.03-sysupgrade.bin
Cannot save config while running from ramdisk.
Sat Sep 3 02:58:23 UTC 2022 upgrade: Commencing upgrade. Closing all shell sessions.
Watchdog handover: fd=3
- watchdog -
Watchdog does not have CARDRESET support
Sat Sep 3 02:58:24 UTC 2022 upgrade: Sending TERM to remaining processes ...
Sat Sep 3 02:58:24 UTC 2022 upgrade: Sending signal TERM to ntpd (2107)
Sat Sep 3 02:58:24 UTC 2022 upgrade: Sending signal TERM to ntpd (2110)
Sat Sep 3 02:58:28 UTC 2022 upgrade: Sending KILL to remaining processes ...
[ 194.762247] stage2 (3196): drop_caches: 3
Sat Sep 3 02:58:34 UTC 2022 upgrade: Switching to ramdisk...
Sat Sep 3 02:58:37 UTC 2022 upgrade: Performing system upgrade...
[ 197.385781] do_stage2 (3196): drop_caches: 3
Unlocking firmware ...
Writing from <stdin> to firmware ...
Appending jffs2 data from /tmp/sysupgrade.tgz to firmware..
.File /tmp/sysupgrade.tgz does not exist
Sat Sep 3 02:59:08 UTC 2022 upgrade: Upgrade completed
Sat Sep 3 02:59:09 UTC 2022 upgrade: Rebooting system...
umount: can't unmount /dev: Resource busy
umount: can't unmount /tmp: Resource busy
[ 230.103636] reboot: Restarting system
[03080D09][03080C0F][7F880000][28243F48][00282448]
DU Setting Cal Done
U-Boot 1.1.3 (Oct 23 2018 - 13:31:19)
Board: Ralink APSoC DRAM: 64 MB
Power on memory test. Memory size= 64 MB...OK!
relocate_code Pointer at: 83fb0000
RT2880_RSTSTAT_REG 0xc0030204
******************************
Software System Reset Occurred
******************************
flash manufacture id: 1c, device id 71 18
Warning: un-recognized chip ID, please update bootloader!
env is right!
***********************************
!!!flashing system accidental shutdown!!!
***********************************
============================================
Ralink UBoot Version: 4.3.0.0
--------------------------------------------
ASIC 7628_MP (Port5<->None)
DRAM component: 512 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 64 MBytes
Flash component: SPI Flash
Date:Oct 23 2018 Time:13:31:19
============================================
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768
##### The CPU freq = 575 MHZ ####
estimate memory size =64 Mbytes
RESET MT7628 PHY!!!!!!
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
9: Load Boot Loader code then write to Flash via TFTP. 0
n3: System Boot system code via Flash.
Booting System 1
Erasing SPI Flash...
raspi_erase: offs:20000 len:10000
.
Writing to SPI Flash...
.
done
## Booting image at bc160000 ...
Bad Magic Number,85190320, try to reboot
Erasing SPI Flash...
raspi_erase: offs:20000 len:10000
.
Writing to SPI Flash...
.
done
[04010D09][04010D08][88890000][25254849][00252548]
DU Setting Cal Done
U-Boot 1.1.3 (Oct 23 2018 - 13:31:19)
...
Now I have 2 leads to follow:
The first one is to update the bootloader to have the support of en25qx128a. I downloaded the U-Boot source code, built it for a generic mt7628 device and modified the file ./drivers/mtd/spi/spi-nor-ids.c to gain support for the en25qx128a flash chip from the bootloader. My goal is to flash the bootloader from my initramfs openwrt image supporting the chip. This lead is a one-way ticket because I can brick my device. And that's why I'm asking for the community's advice; maybe there are other leads.
The second one is about the boot address specified in U-Boot. We can see that it tries to boot at the address 0xbc160000. I don't know if this address is aligned with the flash chip or RAM and I don't know how to verify that this address is aligned with the flash layout.
Am I wrong somewhere in my attempts to debrick my Xiaomi router?
I wonder why your R4AC has the old bootloader which is not for the new chip.
Anyway, please do not try to destroy the original bootloader unless you have an SPI programmer and have backed up your bootloader.
Thanks a lot for your help!
I changed the eon.c with your patch, then according to your first link, I tried to install the non-international version. First I booted the initramfs image for the non-international version; the memory layout was different:
Please check the serial log of your R4AC now, is the bootloader still the same as above?
If yes, that means that even though the bootloader does not recognize the new IC, it can still boot OpenWrt with a correctly patched fw.
U-Boot 1.1.3 (Oct 23 2018 - 13:31:19)
Board: Ralink APSoC DRAM: 64 MB
Power on memory test. Memory size= 64 MB...OK!
relocate_code Pointer at: 83fb0000
RT2880_RSTSTAT_REG 0xc0030000
***************************
Board power on Occurred
***************************
flash manufacture id: 1c, device id 71 18
Warning: un-recognized chip ID, please update bootloader!
env is right!
***********************************
!!!flashing system accidental shutdown!!!
***********************************
============================================
Ralink UBoot Version: 4.3.0.0
--------------------------------------------
ASIC 7628_MP (Port5<->None)
DRAM component: 512 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 64 MBytes
Flash component: SPI Flash
Date:Oct 23 2018 Time:13:31:19
============================================
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768
##### The CPU freq = 575 MHZ ####
estimate memory size =64 Mbytes
RESET MT7628 PHY!!!!!!
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
9: Load Boot Loader code then write to Flash via TFTP. 0
n3: System Boot system code via Flash.
Booting System 1
Erasing SPI Flash...
raspi_erase: offs:20000 len:10000
.
Writing to SPI Flash...
.
done
## Booting image at bc160000 ...
Image Name: MIPS OpenWrt Linux-5.10.138
Image Type: MIPS Linux Kernel Image (lzma compressed)
...
I understood before that the flash was usable by the bootloader despite this warning message. It was able to read and store some env data: when you select to download an image via TFTP, it stored a successful IP address configuration and a filename.
I think I have this bootloader version because when I first flashed back the firmware I downloaded an image with the firmware and the bootloader. It was a mistake, I didn't know exactly what I was doing at that moment. I will keep this bootloader, it is able to boot a correct firmware image. I'm just not able to directly flash a firmware from the bootloader:
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
9: Load Boot Loader code then write to Flash via TFTP. 4
You choosed 2
0
2: System Load Linux Kernel then write to Flash via TFTP.
Warning!! Erase Linux in Flash then burn new one. Are you sure?(Y/N)
Please Input new ones /or Ctrl-C to discard
Input device IP (192.168.10.204) ==:192.168.10.204
Input server IP (192.168.10.221) ==:192.168.10.190
Input Linux Kernel filename (openwrt-ramips-22.03-3.bin) ==:openwrt-ramips-22.03-3.bin
netboot_common, argc= 3
NetTxPacket = 0x83FE6000
KSEG1ADDR(NetTxPacket) = 0xA3FE6000
NetLoop,call eth_halt !
NetLoop,call eth_init !
Trying Eth0 (10/100-M)
Waitting for RX_DMA_BUSY status Start... done
ETH_STATE_ACTIVE!!
TFTP from server 192.168.10.190; our IP address is 192.168.10.204
Filename 'openwrt-ramips-22.03-3.bin'.
TIMEOUT_COUNT=10,Load address: 0x80100000
Loading: Got ARP REPLY, set server/gtwy eth addr (00:15:5d:0a:80:04)
Got it
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
##############Got ARP REQUEST, return our IP
###################################################
#################################################################
###############################################################
done
Bytes transferred = 5643909 (561e85 hex)
NetBootFileXferSize= 00561e85
Writing OS1 to 0x160000
raspi_erase_write: offs:160000, count:561e85
Abort: image size larger than 1835008!
I need to do it from an initramfs firmware with the correct memory layout
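
An added example, not code from any post in this thread, for the first post's question of whether 0xbc160000 lines up with the flash layout: it converts the address to a flash offset, names the value printed as "Bad Magic Number", and scans a flash dump for valid uImage kernel headers on erase-block boundaries. The 0xBC000000 flash base is an assumption inferred from the log lines "Booting image at bc160000" and "Writing OS1 to 0x160000"; the sample dump and its 0x180000 kernel offset are constructed, and all function names are hypothetical.

```python
import struct
import zlib

FLASH_BASE = 0xBC000000    # assumption: inferred from "bc160000" vs "Writing OS1 to 0x160000"
ERASE_BLOCK = 0x10000      # from "raspi_erase: offs:20000 len:10000"
UIMAGE_MAGIC = 0x27051956  # legacy U-Boot image header magic
UIMAGE_HDR = struct.Struct(">7I4B32s")  # 64-byte big-endian header

def flash_offset(boot_addr):
    """Translate the address U-Boot prints into an offset inside the SPI flash."""
    return boot_addr - FLASH_BASE

def classify_magic(word):
    """Name the 32-bit value U-Boot read (big-endian) at the boot address."""
    if word == UIMAGE_MAGIC:
        return "uImage"
    if word >> 16 == 0x8519:   # JFFS2 magic 0x1985 as stored little-endian
        return "jffs2"
    return "erased" if word == 0xFFFFFFFF else "unknown"

def parse_uimage(dump, off):
    """Return (name, data_size) if a header with a valid CRC sits at off, else None."""
    raw = dump[off:off + UIMAGE_HDR.size]
    if len(raw) < UIMAGE_HDR.size or int.from_bytes(raw[:4], "big") != UIMAGE_MAGIC:
        return None
    f = UIMAGE_HDR.unpack(raw)
    zeroed = raw[:4] + b"\0\0\0\0" + raw[8:]  # header CRC covers the header with its own field zeroed
    if zlib.crc32(zeroed) & 0xFFFFFFFF != f[1]:
        return None
    return f[11].rstrip(b"\0").decode("ascii", "replace"), f[3]

def find_kernels(dump):
    """Scan erase-block boundaries for valid uImage headers."""
    hits = []
    for off in range(0, len(dump), ERASE_BLOCK):
        info = parse_uimage(dump, off)
        if info:
            hits.append((off, *info))
    return hits

def make_sample():
    """Constructed 2 MiB dump: JFFS2 marker at 0x160000, kernel header at 0x180000."""
    dump = bytearray(b"\xff" * 0x200000)
    dump[0x160000:0x160004] = bytes.fromhex("85190320")
    hdr = bytearray(UIMAGE_HDR.pack(UIMAGE_MAGIC, 0, 0, 0x1000, 0x80000000, 0x80000000,
                                    0, 5, 5, 2, 3, b"MIPS OpenWrt Linux-5.10.138"))
    hdr[4:8] = struct.pack(">I", zlib.crc32(bytes(hdr)) & 0xFFFFFFFF)
    dump[0x180000:0x180040] = hdr
    return bytes(dump)
```

If `find_kernels` reports a header at an offset other than the one `flash_offset` gives for the bootloader's boot address, the flashed image was built for a different partition layout than the bootloader expects.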