Hello, I'm not a developer, just an ordinary user, but I would like to know: wouldn't it be possible to use a fake DNS server to redirect the official OTA server to a local server with an official image? Then during the flash you can turn off the router and see if this recovery mode is activated.
Also, for you who have already linked the router to an Mi account, have you tried to enter the website below and see if it is possible to get a development firmware and a binary to activate ssh? At least this is how to officially unlock the Mi Router 3G v1.
https://d.miwifi.com/rom/ssh
PS: every time the site fails to connect, put https:// at the beginning of the URL and hit enter.
Till today there is no development firmware available for our router.
Hey guys, is this an indication that the NAND is broken or do you think I can still use it with my hopefully soon arriving NAND flasher?
Is there any way to boot this device without uboot?
Maybe you can use percy's dump in this post
I've looked at what they've done to Lua, and I can see they've:
- Changed the header magic
- Changed the types enum (Add 3)
- Xor'd the strings by doing i ^= strlen * 0x0D + 0x37 to each byte
This is a non-exhaustive list by the way, they may have done more that I have not noticed. The scheme looks to be the same on both the 4a and on the AC2100 image posted.
I've also spotted a possible command injection in the old Lua files for the 3g, but it's hard to trigger because it's in their repeater firmware updater? (I.e. you'd have to either have one of their repeaters or emulate the API of one to trigger it.)
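The type shift and string XOR listed in the post above, applied to a constant table, as an added example that is not part of the original post or of Xiaomi's code. It assumes a Lua 5.1-style little-endian layout with 32-bit sizes, that the stored string size includes the trailing NUL, and that the key uses the C string length (size minus one); the changed header magic is not on the page and is not handled.

```python
import struct

# Lua 5.1 constant tags (assumed base format for this sketch).
LUA_TNIL, LUA_TBOOLEAN, LUA_TNUMBER, LUA_TSTRING = 0, 1, 3, 4
TYPE_SHIFT = 3  # "Changed the types enum (Add 3)"


def string_key(length: int) -> int:
    """Per-string key from the post: strlen * 0x0D + 0x37, truncated to one byte."""
    return (length * 0x0D + 0x37) & 0xFF


def xor_string(data: bytes) -> bytes:
    """XOR is its own inverse, so this both obfuscates and recovers a string."""
    key = string_key(len(data))
    return bytes(b ^ key for b in data)


def decode_constants(blob: bytes) -> list:
    """Decode an obfuscated constant table into Python values."""
    (count,) = struct.unpack_from("<i", blob, 0)
    pos, out = 4, []
    for _ in range(count):
        tag = blob[pos] - TYPE_SHIFT
        pos += 1
        if tag == LUA_TNIL:
            out.append(None)
        elif tag == LUA_TBOOLEAN:
            out.append(blob[pos] != 0)
            pos += 1
        elif tag == LUA_TNUMBER:
            (num,) = struct.unpack_from("<d", blob, pos)
            out.append(num)
            pos += 8
        elif tag == LUA_TSTRING:
            (size,) = struct.unpack_from("<I", blob, pos)
            pos += 4
            raw = blob[pos:pos + size]
            if len(raw) != size:
                raise ValueError("truncated string constant")
            pos += size
            # Assumption: the trailing NUL is stored in the clear and not keyed.
            out.append(xor_string(raw[:-1]) if size else b"")
        else:
            raise ValueError(f"unexpected constant tag {tag + TYPE_SHIFT} at {pos - 1}")
    return out


def encode_constants(values: list) -> bytes:
    """Build a constructed sample table using the same assumptions (for testing)."""
    blob = struct.pack("<i", len(values))
    for v in values:
        if v is None:
            blob += bytes([LUA_TNIL + TYPE_SHIFT])
        elif isinstance(v, bool):
            blob += bytes([LUA_TBOOLEAN + TYPE_SHIFT, int(v)])
        elif isinstance(v, float):
            blob += bytes([LUA_TNUMBER + TYPE_SHIFT]) + struct.pack("<d", v)
        else:
            blob += bytes([LUA_TSTRING + TYPE_SHIFT])
            blob += struct.pack("<I", len(v) + 1) + xor_string(v) + b"\x00"
    return blob


if __name__ == "__main__":
    sample = encode_constants([None, True, 42.0, b"uci"])  # constructed sample
    print(sample.hex())
    print(decode_constants(sample))
```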
Has anyone tried to decompile the Mi Router app apk to see if there is anything useful?
Thanks to @Percy I could recover my ac2100 and now have access to the serial connection.
I can boot the initramfs file from the Xiaomi mir3g.
What would be the next step to adopt the images (partition layout etc.) for this device? I have never done this, therefore any help would be highly appreciated!
Automatic boot of image at addr 0x80A00000 ...
## Booting image at 80a00000 ...
Image Name: MIPS OpenWrt Linux-4.14.169
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 3429178 Bytes = 3.3 MB
Load Address: 80001000
Entry Point: 80001000
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
commandline uart_en=0 factory_mode=0
No initrd
## Transferring control to Linux (at address 80001000) ...
## Giving linux memsize in MB, 128
Starting kernel ...
[ 0.000000] Linux version 4.14.169 (builder@buildhost) (gcc version 8.3.0 (OpenWrt GCC 8.3.0 r12238-dc145de4be)) #0 SMP Mon Feb 17 19:23:59 2020
[ 0.000000] SoC Type: MediaTek MT7621 ver:1 eco:3
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU0 revision is: 0001992f (MIPS 1004Kc)
[ 0.000000] MIPS: machine is Xiaomi Mi Router 3G
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 08000000 @ 00000000 (usable)
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] VPE topology {2,2} total 4
[ 0.000000] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[ 0.000000] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] HighMem empty
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] random: get_random_bytes called from start_kernel+0x9c/0x4e0 with crng_init=0
[ 0.000000] percpu: Embedded 14 pages/cpu s26096 r8192 d23056 u57344
[ 0.000000] Built 1 zonelists, mobility grouping on. Total pages: 32480
[ 0.000000] Kernel command line: console=ttyS0,115200n8 rootfstype=squashfs,jffs2
[ 0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[ 0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[ 0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] Writing ErrCtl register=00020431
[ 0.000000] Readback ErrCtl register=00020431
[ 0.000000] Memory: 120324K/131072K available (5007K kernel code, 252K rwdata, 1084K rodata, 2540K init, 260K bss, 10748K reserved, 0K cma-reserved, 0K highmem)
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[ 0.000000] Hierarchical RCU implementation.
[ 0.000000] NR_IRQS: 256
[ 0.000000] CPU Clock: 880MHz
[ 0.000000] clocksource: GIC: mask: 0xffffffffffffffff max_cycles: 0xcaf478abb4, max_idle_ns: 440795247997 ns
[ 0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 4343773742 ns
[ 0.000009] sched_clock: 32 bits at 440MHz, resolution 2ns, wraps every 4880645118ns
[ 0.007804] Calibrating delay loop... 586.13 BogoMIPS (lpj=2930688)
[ 0.073967] pid_max: default: 32768 minimum: 301
[ 0.078772] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.085280] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.094297] Hierarchical SRCU implementation.
[ 0.099422] smp: Bringing up secondary CPUs ...
[ 0.121350] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[ 0.121358] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[ 0.121369] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[ 0.121497] CPU1 revision is: 0001992f (MIPS 1004Kc)
[ 0.164130] Synchronize counters for CPU 1: done.
[ 0.214699] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[ 0.214707] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[ 0.214716] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[ 0.214789] CPU2 revision is: 0001992f (MIPS 1004Kc)
[ 0.255078] Synchronize counters for CPU 2: done.
[ 0.302287] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[ 0.302295] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[ 0.302302] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[ 0.302375] CPU3 revision is: 0001992f (MIPS 1004Kc)
[ 0.340259] Synchronize counters for CPU 3: done.
[ 0.370122] smp: Brought up 1 node, 4 CPUs
[ 0.378377] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 0.388171] futex hash table entries: 1024 (order: 3, 32768 bytes)
[ 0.394563] pinctrl core: initialized pinctrl subsystem
[ 0.401241] NET: Registered protocol family 16
[ 0.416753] pull PCIe RST: RALINK_RSTCTRL = 4000000
[ 0.722055] release PCIe RST: RALINK_RSTCTRL = 7000000
[ 0.727088] ***** Xtal 40MHz *****
[ 0.730463] release PCIe RST: RALINK_RSTCTRL = 7000000
[ 0.735574] Port 0 N_FTS = 1b102800
[ 0.739011] Port 1 N_FTS = 1b102800
[ 0.742469] Port 2 N_FTS = 1b102800
[ 1.897797] PCIE2 no card, disable it(RST&CLK)
[ 1.902147] -> 21007f2
[ 1.904561] PCIE0 enabled
[ 1.907168] PCIE1 enabled
[ 1.909756] PCI host bridge /pcie@1e140000 ranges:
[ 1.914519] MEM 0x0000000060000000..0x000000006fffffff
[ 1.919706] IO 0x000000001e160000..0x000000001e16ffff
[ 1.924873] PCI coherence region base: 0xbfbf8000, mask/settings: 0x60000000
[ 1.941148] mt7621_gpio 1e000600.gpio: registering 32 gpios
[ 1.946981] mt7621_gpio 1e000600.gpio: registering 32 gpios
[ 1.952698] mt7621_gpio 1e000600.gpio: registering 32 gpios
[ 1.960422] PCI host bridge to bus 0000:00
[ 1.964456] pci_bus 0000:00: root bus resource [mem 0x60000000-0x6fffffff]
[ 1.971313] pci_bus 0000:00: root bus resource [io 0xffffffff]
[ 1.977142] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0]
[ 1.983898] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[ 1.992444] pci 0000:00:00.0: bridge configuration invalid ([bus 00-00]), reconfiguring
[ 2.000377] pci 0000:00:01.0: bridge configuration invalid ([bus 00-00]), reconfiguring
[ 2.009469] pci 0000:00:00.0: BAR 0: no space for [mem size 0x80000000]
[ 2.016031] pci 0000:00:00.0: BAR 0: failed to assign [mem size 0x80000000]
[ 2.022891] pci 0000:00:01.0: BAR 0: no space for [mem size 0x80000000]
[ 2.029476] pci 0000:00:01.0: BAR 0: failed to assign [mem size 0x80000000]
[ 2.036377] pci 0000:00:00.0: BAR 8: assigned [mem 0x60000000-0x600fffff]
[ 2.043129] pci 0000:00:01.0: BAR 8: assigned [mem 0x60100000-0x601fffff]
[ 2.049846] pci 0000:00:00.0: BAR 1: assigned [mem 0x60200000-0x6020ffff]
[ 2.056612] pci 0000:00:01.0: BAR 1: assigned [mem 0x60210000-0x6021ffff]
[ 2.063341] pci 0000:01:00.0: BAR 0: assigned [mem 0x60000000-0x600fffff 64bit]
[ 2.070622] pci 0000:00:00.0: PCI bridge to [bus 01]
[ 2.075511] pci 0000:00:00.0: bridge window [mem 0x60000000-0x600fffff]
[ 2.082276] pci 0000:02:00.0: BAR 0: assigned [mem 0x60100000-0x601fffff]
[ 2.088993] pci 0000:00:01.0: PCI bridge to [bus 02]
[ 2.093931] pci 0000:00:01.0: bridge window [mem 0x60100000-0x601fffff]
[ 2.101924] clocksource: Switched to clocksource GIC
[ 2.108521] NET: Registered protocol family 2
[ 2.113584] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[ 2.120455] TCP bind hash table entries: 1024 (order: 1, 8192 bytes)
[ 2.126819] TCP: Hash tables configured (established 1024 bind 1024)
[ 2.133220] UDP hash table entries: 256 (order: 1, 8192 bytes)
[ 2.138988] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[ 2.145460] NET: Registered protocol family 1
[ 3.961919] 4 CPUs re-calibrate udelay(lpj = 2924544)
[ 3.968480] Crashlog allocated RAM at address 0x3f00000
[ 3.973893] workingset: timestamp_bits=14 max_order=15 bucket_order=1
[ 3.984153] random: fast init done
[ 3.992400] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 3.998147] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 4.011790] io scheduler noop registered
[ 4.015674] io scheduler deadline registered (default)
[ 4.021828] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled
[ 4.031681] console [ttyS0] disabled
[ 4.035304] 1e000c00.uartlite: ttyS0 at MMIO 0x1e000c00 (irq = 19, base_baud = 3125000) is a 16550A
[ 4.044324] console [ttyS0] enabled
[ 4.044324] console [ttyS0] enabled
[ 4.051176] bootconsole [early0] disabled
[ 4.051176] bootconsole [early0] disabled
[ 4.061678] MediaTek Nand driver init, version v2.1 Fix AHB virt2phys error
[ 4.068803] Enable NFI Clock
[ 4.071672] # MTK NAND # : Use HW ECC
[ 4.075352] Device not found, ID: ecf1
[ 4.079079] Not Support this Device!
[ 4.082856] chip_mode=00000001
[ 4.085901] Support this Device in MTK table! ecf1
[ 4.090845] [NAND]select ecc bit:4, sparesize :64 spare_per_sector=16
[ 4.097328] nand: device found, Manufacturer ID: 0xec, Chip ID: 0xf1
[ 4.103674] nand: Samsung NAND 128MiB 3,3V 8-bit
[ 4.108270] nand: 128 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
[ 4.115836] Scanning device for bad blocks
[ 4.195717] Bad eraseblock 332 at 0x000002980000
[ 4.357890] 10 fixed-partitions partitions found on MTD device MT7621-NAND
[ 4.364752] Creating 10 MTD partitions on "MT7621-NAND":
[ 4.370047] 0x000000000000-0x000000080000 : "Bootloader"
[ 4.376521] 0x000000080000-0x0000000c0000 : "Config"
[ 4.382657] 0x0000000c0000-0x000000100000 : "Bdata"
[ 4.388589] 0x000000100000-0x000000140000 : "factory"
[ 4.394768] 0x000000140000-0x000000180000 : "crash"
[ 4.400690] 0x000000180000-0x0000001c0000 : "crash_syslog"
[ 4.407317] 0x0000001c0000-0x000000200000 : "reserved0"
[ 4.413653] 0x000000200000-0x000000600000 : "kernel_stock"
[ 4.420193] 0x000000600000-0x000000a00000 : "kernel"
[ 4.426314] 0x000000a00000-0x000007f80000 : "ubi"
[ 4.433129] [mtk_nand] probe successfully!
[ 4.437905] Signature matched and data read!
[ 4.442189] load_fact_bbt success 1023
[ 4.446709] libphy: Fixed MDIO Bus: probed
[ 4.514494] libphy: mdio: probed
[ 5.929708] mtk_soc_eth 1e100000.ethernet: loaded mt7530 driver
[ 5.936383] mtk_soc_eth 1e100000.ethernet eth0: mediatek frame engine at 0xbe100000, irq 21
[ 5.947606] NET: Registered protocol family 10
[ 5.953634] Segment Routing with IPv6
[ 5.957389] NET: Registered protocol family 17
[ 5.961953] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[ 5.974869] 8021q: 802.1Q VLAN Support v1.8
[ 5.982157] UBI: auto-attach mtd9
[ 5.985489] ubi0: attaching mtd9
[ 6.226320] ubi0 error: ubi_attach: bad image sequence number 1106443240 in PEB 208, expected 1374678581
[ 6.235783] Erase counter header dump:
[ 6.239512] magic 0x55424923
[ 6.243257] version 1
[ 6.246206] ec 0
[ 6.249153] vid_hdr_offset 2048
[ 6.252378] data_offset 4096
[ 6.255586] image_seq 1106443240
[ 6.259312] hdr_crc 0x29c48b30
[ 6.263054] erase counter header hexdump:
[ 6.267142] ubi0 error: ubi_attach_mtd_dev: failed to attach mtd9, error -22
[ 6.274206] UBI error: cannot attach mtd9
[ 6.278222] hctosys: unable to open rtc device (rtc0)
[ 6.283513] usb_vbus: disabling
[ 6.296111] Freeing unused kernel memory: 2540K
[ 6.300636] This architecture does not have kernel memory protection.
[ 6.320303] init: Console is alive
[ 6.324062] init: - watchdog -
[ 6.337825] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[ 6.349006] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[ 6.362240] init: - preinit -
[ 6.518142] mtk_soc_eth 1e100000.ethernet: PPE started
[ 6.536145] random: procd: uninitialized urandom read (4 bytes read)
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[ 7.506307] mtk_soc_eth 1e100000.ethernet eth0: port 3 link up
[ 10.656920] mtk_soc_eth 1e100000.ethernet: 0x100 = 0x6060000c, 0x10c = 0x80818
[ 10.671556] procd: - early -
[ 10.674587] procd: - watchdog -
[ 11.302069] procd: - watchdog -
[ 11.305558] procd: - ubus -
[ 11.313551] random: ubusd: uninitialized urandom read (4 bytes read)
[ 11.362507] random: ubusd: uninitialized urandom read (4 bytes read)
[ 11.369196] random: ubusd: uninitialized urandom read (4 bytes read)
[ 11.376449] procd: - init -
Please press Enter to activate this console.
[ 11.617164] kmodloader: loading kernel modules from /etc/modules.d/*
[ 11.629141] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 11.640805] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 11.652393] nf_conntrack version 0.5.0 (2048 buckets, 8192 max)
[ 11.696871] xt_time: kernel timezone is -0000
[ 11.707354] PPP generic driver version 2.4.2
[ 11.713101] NET: Registered protocol family 24
[ 11.719796] kmodloader: done loading kernel modules from /etc/modules.d/*
[ 11.802975] urngd: v1.0.2 started.
[ 11.939317] random: crng init done
[ 11.942720] random: 6 urandom warning(s) missed due to ratelimiting
[ 42.799841] mtk_soc_eth 1e100000.ethernet: PPE started
[ 42.811023] device eth0 entered promiscuous mode
[ 42.817135] br-lan: port 1(eth0.1) entered blocking state
[ 42.822726] br-lan: port 1(eth0.1) entered disabled state
[ 42.828774] device eth0.1 entered promiscuous mode
[ 42.836401] br-lan: port 1(eth0.1) entered blocking state
[ 42.841852] br-lan: port 1(eth0.1) entered forwarding state
[ 42.848003] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready
[ 43.842431] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
BusyBox v1.31.1 () built-in shell (ash)
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
OpenWrt SNAPSHOT, r12238-dc145de4be
-----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
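The `bad image sequence number ... in PEB 208` error in the log above means the `ubi` MTD range contains erase-counter headers from more than one UBI image, which is what a partition boundary in the wrong place produces. The following is an added example, not code from the original posts or from OpenWrt: it parses UBI EC headers from a raw dump of that range and reports where the image sequence changes. The sample dump is constructed, with a 4 KiB block size instead of the device's 128 KiB.

```python
import struct
import zlib

UBI_EC_HDR_MAGIC = 0x55424923  # "UBI#", the "magic 0x55424923" in the log
# struct ubi_ec_hdr (big-endian, 64 bytes): magic, version, pad[3], ec,
# vid_hdr_offset, data_offset, image_seq, pad[32], hdr_crc
EC_HDR = struct.Struct(">IB3xQIII32xI")


def ubi_crc32(data: bytes) -> int:
    """UBI's CRC-32: initial value 0xFFFFFFFF, no final inversion (undo zlib's)."""
    return zlib.crc32(data) ^ 0xFFFFFFFF


def make_ec_hdr(image_seq, ec=0, vid_hdr_offset=2048, data_offset=4096) -> bytes:
    """Build a valid EC header; used only to construct the sample dump."""
    body = EC_HDR.pack(UBI_EC_HDR_MAGIC, 1, ec, vid_hdr_offset,
                       data_offset, image_seq, 0)[:60]
    return body + struct.pack(">I", ubi_crc32(body))


def read_image_seq(peb: bytes):
    """Return the PEB's image_seq, or None if erased or the header is invalid."""
    if len(peb) < EC_HDR.size:
        return None
    magic, _ver, _ec, _vid, _data, seq, crc = EC_HDR.unpack_from(peb)
    if magic != UBI_EC_HDR_MAGIC or crc != ubi_crc32(peb[:60]):
        return None
    return seq


def image_seq_runs(dump: bytes, peb_size: int) -> list:
    """List (first_peb, last_peb, image_seq) for each stretch sharing one image_seq."""
    runs = []
    for peb in range(len(dump) // peb_size):
        seq = read_image_seq(dump[peb * peb_size:(peb + 1) * peb_size])
        if not seq:  # erased or bad PEB; image_seq 0 is not compared by the kernel
            continue
        if runs and runs[-1][2] == seq:
            runs[-1] = (runs[-1][0], peb, seq)
        else:
            runs.append((peb, peb, seq))
    return runs


def first_mismatch(dump: bytes, peb_size: int):
    """Mirror the kernel message: first PEB whose image_seq differs from the first seen."""
    runs = image_seq_runs(dump, peb_size)
    if len(runs) < 2:
        return None
    return {"peb": runs[1][0], "found": runs[1][2], "expected": runs[0][2]}


def peb_flash_offset(part_start: int, peb: int, peb_size: int) -> int:
    """Absolute flash offset of a PEB inside an MTD partition."""
    return part_start + peb * peb_size


# Constructed sample: three PEBs of one image, one erased PEB, two of another.
SAMPLE_PEB_SIZE = 4096
SEQ_A, SEQ_B = 1374678581, 1106443240  # the two values named in the log line


def build_sample() -> bytes:
    def peb(seq):
        hdr = make_ec_hdr(seq)
        return hdr + b"\xff" * (SAMPLE_PEB_SIZE - len(hdr))
    return peb(SEQ_A) * 3 + b"\xff" * SAMPLE_PEB_SIZE + peb(SEQ_B) * 2


if __name__ == "__main__":
    dump = build_sample()
    print(image_seq_runs(dump, SAMPLE_PEB_SIZE))
    print(first_mismatch(dump, SAMPLE_PEB_SIZE))
    # PEB 208 of the "ubi" partition (start 0xa00000, 128 KiB erase size) in the log:
    print(hex(peb_flash_offset(0xA00000, 208, 128 * 1024)))
```

On a real dump of the `ubi` range, call `image_seq_runs(data, 128 * 1024)`; each change of `image_seq` marks a flash offset where a different UBI image begins.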
I built a version with included wifi drivers (mt7603 and mt7615) which leads to a reboot during startup.
Any help is welcome!
[ 12.889272] PCI: Enabling device 0000:00:01.0 (0004 -> 0006)
[ 12.895220] mt7603e 0000:02:00.0: ASIC revision: 76030010
[ 12.902992] mt7603e 0000:02:00.0: Invalid MAC address, using random address 86:62:f8:d1:13:49
[ 13.940782] mt7603e 0000:02:00.0: Firmware Version: ap_pcie
[ 13.946353] mt7603e 0000:02:00.0: Build Time: 20160107100755
[ 13.989875] mt7603e 0000:02:00.0: firmware init done
[ 14.154983] ------------[ cut here ]------------
[ 14.159674] WARNING: CPU: 3 PID: 519 at backports-4.19.98-1/net/wireless/core.c:821 wiphy_register+0x61c/0x9d4 [cfg80211]
[ 14.170604] Modules linked in: mt7603e(+) mt76 mac80211 iptable_nat ipt_REJECT ipt_MASQUERADE cfg80211 xt_time xt_tcpudp xt_tcpmss xt_statistic xt_state xt_recent xt_nat xt_multiport xt_mark xt_mac xt_limit xt_length xt_hl xt_helper xt_ecn xt_dscp xt_conntrack xt_connmark xt_connlimit xt_connbytes xt_comment xt_TCPMSS xt_REDIRECT xt_LOG xt_HL xt_FLOWOFFLOAD xt_DSCP xt_CT xt_CLASSIFY wireguard nf_reject_ipv4 nf_nat_redirect nf_nat_masquerade_ipv4 nf_conntrack_ipv4 nf_nat_ipv4 nf_nat nf_log_ipv4 nf_flow_table_hw nf_flow_table nf_defrag_ipv6 nf_defrag_ipv4 nf_conntrack_rtcache nf_conntrack_netlink iptable_raw iptable_mangle iptable_filter ipt_ECN ip_tables compat sch_cake nf_conntrack sch_tbf sch_ingress sch_htb sch_hfsc em_u32 cls_u32 cls_tcindex cls_route cls_matchall cls_fw cls_flow cls_basic act_skbedit
[ 14.241741] act_mirred xt_set ip_set_list_set ip_set_hash_netportnet ip_set_hash_netport ip_set_hash_netnet ip_set_hash_netiface ip_set_hash_net ip_set_hash_mac ip_set_hash_ipportnet ip_set_hash_ipportip ip_set_hash_ipport ip_set_hash_ipmark ip_set_hash_ip ip_set_bitmap_port ip_set_bitmap_ipmac ip_set_bitmap_ip ip_set nfnetlink nf_log_ipv6 nf_log_common ip6table_mangle ip6table_filter ip6_tables ip6t_REJECT x_tables nf_reject_ipv6 ifb ip6_udp_tunnel udp_tunnel leds_gpio gpio_button_hotplug
[ 14.285105] CPU: 3 PID: 519 Comm: kmodloader Not tainted 4.14.167 #0
[ 14.291429] Stack : 00000000 00000000 00000003 8007265c 805b0000 8054cf1c 00000000 00000000
[ 14.299761] 80518940 8e8f39bc 8ff17c9c 80586907 80513730 00000001 8e8f3960 1cc28247
[ 14.308092] 00000000 00000000 80a50000 00004930 00000000 000000eb 00000007 00000000
[ 14.316425] 00000000 80590000 000459b1 00000000 80000000 805b0000 00000000 8ea749f0
[ 14.324760] 8ea408f4 00000335 00000000 00000000 00000003 80299210 0000000c 80a5000c
[ 14.333092] ...
[ 14.335528] Call Trace:
[ 14.337985] [<8000c7b0>] show_stack+0x58/0x100
[ 14.342420] [<80455a24>] dump_stack+0xa4/0xe0
[ 14.346767] [<8002f5f8>] __warn+0xe0/0x138
[ 14.350846] [<8002f6e0>] warn_slowpath_null+0x1c/0x2c
[ 14.355899] [<8ea408f4>] wiphy_register+0x61c/0x9d4 [cfg80211]
[ 14.361841] [<8eb011c0>] ieee80211_register_hw+0x7d4/0xb30 [mac80211]
[ 14.368291] [<8ea32d08>] mt76_register_device+0x398/0x3c4 [mt76]
[ 14.374312] [<8ea026b0>] mt7603_register_device+0xa60/0xb94 [mt7603e]
[ 14.380746] [<8ea00188>] init_module+0x874188/0x875270 [mt7603e]
[ 14.386784] ---[ end trace 4cf81c911286b75d ]---
[ 14.391559] mt7603e: probe of 0000:02:00.0 failed with error -22
[ 14.399968] bus=0x1, slot = 0x0, irq=0x0
[ 14.403932] PCI: Enabling device 0000:00:00.0 (0004 -> 0006)
[ 14.411835] mt7615e 0000:01:00.0: Invalid MAC address, using random address 66:45:4a:31:a7:32
[ 14.440298] mt7615e 0000:01:00.0: HW/SW Version: 0x8a108a10, Build Time: 20180518100604a
[ 14.440298]
[ 14.464419] mt7615e 0000:01:00.0: N9 Firmware Version: _reserved_, Build Time: 20190103180756
[ 14.479376] mt7615e 0000:01:00.0: CR4 Firmware Version: _reserved_, Build Time: 20181207140436
[ 22.141680] CPU 3 Unable to handle kernel paging request at virtual address 00000000, epc == 80472274, ra == 80472248
[ 22.152280] Oops[#1]:
[ 22.154562] CPU: 3 PID: 519 Comm: kmodloader Tainted: G W 4.14.167 #0
[ 22.162103] task: 8ff17920 task.stack: 8e8f2000
[ 22.166612] $ 0 : 00000000 00000001 00000000 8e8f3aa0
[ 22.171836] $ 4 : 8ea0e2a8 00000000 805a4ba0 8e1e4000
[ 22.177057] $ 8 : 00000000 8046cbf0 00000000 80a86000
[ 22.182277] $12 : 00000000 69028a41 5e10cbeb 9a8eadf3
[ 22.187498] $16 : 8ea0e2a8 00000001 8ea0e2a4 00000002
[ 22.192719] $20 : 8ea0e2ac 00000000 00000000 00000000
[ 22.197939] $24 : 00000000 9ed712c4
[ 22.203161] $28 : 8e8f2000 8e8f3a90 00000003 80472248
[ 22.208383] Hi : 0012dca4
[ 22.211250] Lo : f2b97770
[ 22.214132] epc : 80472274 __down_write_common+0x6c/0x224
[ 22.219682] ra : 80472248 __down_write_common+0x40/0x224
[ 22.225227] Status: 11007c02 KERNEL EXL
[ 22.229143] Cause : 4080000c (ExcCode 03)
[ 22.233132] BadVA : 00000000
[ 22.236000] PrId : 0001992f (MIPS 1004Kc)
[ 22.240075] Modules linked in: mt7615e(+) mt7603e mt76 mac80211 iptable_nat ipt_REJECT ipt_MASQUERADE cfg80211 xt_time xt_tcpudp xt_tcpmss xt_statistic xt_state xt_recent xt_nat xt_multiport xt_mark xt_mac xt_limit xt_length xt_hl xt_helper xt_ecn xt_dscp xt_conntrack xt_connmark xt_connlimit xt_connbytes xt_comment xt_TCPMSS xt_REDIRECT xt_LOG xt_HL xt_FLOWOFFLOAD xt_DSCP xt_CT xt_CLASSIFY wireguard nf_reject_ipv4 nf_nat_redirect nf_nat_masquerade_ipv4 nf_conntrack_ipv4 nf_nat_ipv4 nf_nat nf_log_ipv4 nf_flow_table_hw nf_flow_table nf_defrag_ipv6 nf_defrag_ipv4 nf_conntrack_rtcache nf_conntrack_netlink iptable_raw iptable_mangle iptable_filter ipt_ECN ip_tables compat sch_cake nf_conntrack sch_tbf sch_ingress sch_htb sch_hfsc em_u32 cls_u32 cls_tcindex cls_route cls_matchall cls_fw cls_flow cls_basic
[ 22.310951] act_skbedit act_mirred xt_set ip_set_list_set ip_set_hash_netportnet ip_set_hash_netport ip_set_hash_netnet ip_set_hash_netiface ip_set_hash_net ip_set_hash_mac ip_set_hash_ipportnet ip_set_hash_ipportip ip_set_hash_ipport ip_set_hash_ipmark ip_set_hash_ip ip_set_bitmap_port ip_set_bitmap_ipmac ip_set_bitmap_ip ip_set nfnetlink nf_log_ipv6 nf_log_common ip6table_mangle ip6table_filter ip6_tables ip6t_REJECT x_tables nf_reject_ipv6 ifb ip6_udp_tunnel udp_tunnel leds_gpio gpio_button_hotplug
[ 22.355382] Process kmodloader (pid: 519, threadinfo=8e8f2000, task=8ff17920, tls=77f46efc)
[ 22.363692] Stack : 8e878444 8006e060 805a4b2c 804720b8 8ea0e2ac 00000000 8ff17920 00000000
[ 22.372045] 8ea0e22c 8ea0d3cc 8ea0e2a4 805a4b20 805a0000 0000000e 00000000 00000000
[ 22.380396] 00000003 80318128 8eb60000 00000000 00000001 00000001 8ea0cbc0 00000000
[ 22.388745] 00000000 00000001 00000001 8eb4bb58 8eb63170 0000000e 00000000 8ea0cbc0
[ 22.397093] 8ea0cbc0 8eb012b0 8ea0c1a0 8ea6ee28 8ea989e0 802ab170 00000000 8e0c4880
[ 22.405445] ...
[ 22.407887] Call Trace:
[ 22.410329] [<80472274>] __down_write_common+0x6c/0x224
[ 22.415557] [<80318128>] led_trigger_register+0xf0/0x18c
[ 22.420998] [<8eb4bb58>] ieee80211_led_init+0x3c/0x160 [mac80211]
[ 22.427145] [<8eb012b0>] ieee80211_register_hw+0x8c4/0xb30 [mac80211]
[ 22.433620] [<8ea32d08>] mt76_register_device+0x398/0x3c4 [mt76]
[ 22.439655] [<8ea90968>] mt7615_register_device+0x434/0x4b0 [mt7615e]
[ 22.446104] [<8ea90188>] 0x8ea90188
[ 22.449595] Code: afb40010 afa20014 32750101 <ac430000> 32760001 8e420000 10400019 8fa30010 12a0000c
[ 22.459343]
[ 22.461057] ---[ end trace 4cf81c911286b75e ]---
[ 22.467428] Kernel panic - not syncing: Fatal exception
[ 22.474111] Rebooting in 1 seconds..
How did you manage to access the serial connection?
Desoldering the NAND, dumping the content, changing the bits (was done by @Percy) and resoldering the NAND.
Unfortunately, so far it is NOT possible without changing the NAND content.
obviously it should be more resilient (and not crash) but my guess is you didn't properly configure the NAND layout for this device. it's looking for the partition that has wifi configuration data, but it can't find it. and the wireless driver is misbehaving. (random guess)
my suggestion is to leave the wifi until later. just get something that boots first
I finally have a booting build. Unfortunately wifi is not working, as I am a total noob regarding debugging this, I would need some help.
here the log part of the wifi drivers:
[ 13.740858] random: 6 urandom warning(s) missed due to ratelimiting
[ 14.605551] mt7603e 0000:02:00.0: Firmware Version: ap_pcie
[ 14.611121] mt7603e 0000:02:00.0: Build Time: 20160107100755
[ 14.654386] mt7603e 0000:02:00.0: firmware init done
[ 14.819806] ------------[ cut here ]------------
[ 14.824519] WARNING: CPU: 2 PID: 577 at backports-5.4-rc8-1/net/wireless/core.c:864 wiphy_register+0x6a8/0xb9c [cfg80211]
[ 14.835435] Modules linked in: mt7603e(+) mt76 mac80211 iptable_nat ipt_REJECT ipt_MASQUERADE cfg80211 xt_time xt_tcpudp xt_state xt_nat xt_multiport xt_mark xt_mac xt_limit xt_conntrack xt_comment xt_TCPMSS xt_REDIRECT xt_LOG xt_FLOWOFFLOAD slhc nf_reject_ipv4 nf_nat_redirect nf_nat_masquerade_ipv4 nf_conntrack_ipv4 nf_nat_ipv4 nf_nat nf_log_ipv4 nf_flow_table_hw nf_flow_table nf_defrag_ipv6 nf_defrag_ipv4 nf_conntrack_rtcache nf_conntrack iptable_mangle iptable_filter ip_tables crc_ccitt compat nf_log_ipv6 nf_log_common ip6table_mangle ip6table_filter ip6_tables ip6t_REJECT x_tables nf_reject_ipv6 leds_gpio gpio_button_hotplug
[ 14.891048] CPU: 2 PID: 577 Comm: kmodloader Not tainted 4.14.169 #0
[ 14.897372] Stack : 00000000 00000000 00000004 80077524 805f0000 8058d574 00000000 00000000
[ 14.905707] 80557de0 8f07d9a4 8fe3d30c 805c69c7 80552b20 00000001 8f07d948 1cc28249
[ 14.914039] 00000000 00000000 80740000 00000000 807384a0 000000f9 00000007 00000000
[ 14.922370] 00000000 00000000 000d98a8 ffffffff 80000000 805f0000 00000000 8f14097c
[ 14.930704] 8f17a2d0 00000360 00000000 00000000 00000003 802d0928 00000008 80730008
[ 14.939039] ...
[ 14.941476] Call Trace:
[ 14.943931] [<8000c4d4>] show_stack+0x58/0x100
[ 14.948379] [<8048f084>] dump_stack+0xa4/0xe0
[ 14.952725] [<8002fd60>] __warn+0xe0/0x140
[ 14.956804] [<8002fa04>] warn_slowpath_null+0x1c/0x28
[ 14.961856] [<8f14097c>] wiphy_register+0x6a8/0xb9c [cfg80211]
[ 14.967796] [<8f2011ac>] ieee80211_register_hw+0x770/0xbe8 [mac80211]
[ 14.974246] [<8e9f2d14>] mt76_register_device+0x2c4/0x2f0 [mt76]
[ 14.980262] [<8f1826c8>] mt7603_register_device+0xa5c/0xb94 [mt7603e]
[ 14.986696] [<8f180188>] init_module+0x784188/0x785278 [mt7603e]
[ 14.992745] ---[ end trace 3e26fba59f17e92a ]---
[ 14.997510] mt7603e: probe of 0000:02:00.0 failed with error -22
[ 15.006147] bus=0x1, slot = 0x0, irq=0x0
[ 15.010096] PCI: Enabling device 0000:00:00.0 (0004 -> 0006)
[ 15.017964] mt7615e 0000:01:00.0: Invalid MAC address, using random address 42:4d:8b:16:96:fa
[ 15.036823] PPP generic driver version 2.4.2
[ 15.042508] NET: Registered protocol family 24
[ 15.050079] kmodloader: done loading kernel modules from /etc/modules.d/*
[ 15.105684] mt7615e 0000:01:00.0: HW/SW Version: 0x8a108a10, Build Time: 20180518100604a
[ 15.105684]
[ 15.321028] mt7615e 0000:01:00.0: N9 Firmware Version: 2.0, Build Time: 20200131181812
[ 15.392433] mt7615e 0000:01:00.0: CR4 Firmware Version: _reserved_, Build Time: 20190121161307
In case you want to try my build:
first flash the "openwrt-ramips-mt7621-xiaomi_ac2100-initramfs-kernel.bin" via "u-boot option 1", after booting do a "sysupgrade -n" installing the "ac2100-squashfs-sysupgrade-mt76.bin" file.
any help is highly appreciated!
the partition layout was wrong!
Now mt7615 5G network works, will upload images after some testing.
You can kind of tell they went a little cheap on the redmi version if you compare the board pictures of both models
Swapped out the UFL connectors for soldered leads, replaced the finned aluminium heatsink with a more or less flat metal plate, possibly forgot to put the RF shield on the 7615? (That might just be the picture though, might have fallen off...)
They'll both perform almost identically I suspect, unless something really horribly wrong with the antenna config on one of them. (Down to both probably being able to take the same image most likely...)
I'm guessing the same image will probably work on both models, but you should probably see if the GPIO LEDs, reset, switch config are compatible. (Also upload the dts and whatnot to GitHub, in case someone wants to build their own.)
I finally have a working image that supports both wifi systems (5g and 2.4g).
You need uart_en=1 and boot_wait=on, which is currently only possible by reprogramming the NAND (see New Xiaomi Router AC2100 and New Xiaomi Router AC2100)
First boot the initramfs file via u-boots tftp (option "1") and afterwards flash the sysupgrade file from Luci.
In case you want to build it by yourself, apply the ac2100_support.patch by using
patch -p2 < ac2100_support.patch from within the root directory of a current master openwrt build environment.
# patch -p2 < ac2100_support.patch
patching file target/linux/ramips/dts/mt7621_xiaomi_ac2100.dts
patching file target/linux/ramips/image/mt7621.mk
patching file target/linux/ramips/mt7621/base-files/etc/board.d/01_leds
patching file target/linux/ramips/mt7621/base-files/etc/board.d/02_network
patching file target/linux/ramips/mt7621/base-files/lib/upgrade/platform.sh
or use my GitHub repository:
edit: fixed the patch
https://gofile.io/?c=84D9HW
Issues/ things to consider / things where help is needed:
1. GPIO stuff
I have no idea whether the GPIO stuff is working like it is supposed to, therefore any help / advice regarding this is highly appreciated.
2. strange VLAN entries
Another issue I found, is that I get strange VLAN entries from time to time. I have no clue how and why they show up (hardware failure, bug, or even a normal reaction???).
root@OpenWrt:/# swconfig dev mt7530 show
.
.
.
VLAN 1:
vid: 1
ports: 2 3 4 6t
VLAN 2:
vid: 2
ports: 0 6t
VLAN 2202:
vid: 2202
ports:
These VLANs (except VLAN 1 and VLAN 2) appear and disappear with changing numbers, sometimes multiple of them show up.
3. vlan egress tag control neither untag nor tag
In addition I get a lot of these messages on the console:
[ 294.166619] vlan egress tag control neither untag nor tag.
[ 299.116651] vlan egress tag control neither untag nor tag.
[ 303.296601] vlan egress tag control neither untag nor tag.
[ 304.616613] vlan egress tag control neither untag nor tag.
edit: I figured out that these messages only appear when you open the switch control page in Luci. Is it supposed to be like that??
Maybe somebody can shed some light on that?
This page says that the Breed Bootloader image for Mi Router 3G v1 also works on Mi Router 4. Has anyone of you (who can recover the router in case of a brick) already tested it on the Xiaomi AC2100 or Redmi AC2100?
Great job guys!
I would go with this router rather than with 4AG, but cost of the programmer is equal to price of the router...and compare to SPI for three bucks...
I was playing with 4AG on openwrt 19.07 and had problems with VLANs also - error on luci switch page but never got it resolved.
nit: you're actually not "flashing" the initramfs, but only booting to it
i think it's a good idea to put this on github
... you're going to need that anyhow if you want to "push" it to openwrt.
have you looked at this:
? you'll need to figure out the gpios for the lan/wan lights and the reset button at a minimum. testing is easy: if the wan/lan lights turn on/off you've got it
yeah i've seen the same. i think they're harmless. "not a bug".
see this too. also when looking at luci page (hadn't correlated the two before).. never seen any bad side effects. "not a bug"
you are right - the NAND reprogramming is an obstacle for most of the people, let's hope for an exploit ...