Problem installing OpenWrt on ZTE MF287+/pro

Hello everyone,
I am a little frustrated at this point and would really appreciate it if someone could help me get at least one of the devices running in any way.

I have a MF287+ on which I wanted to install OpenWrt.
I followed the instructions and everything seemed to be ok, but I think I made the mistake of using the upgrade file instead of the install file (as the guideline says .bin file, the install file is .itb instead).
Also I did not manage to get the backup of the original system (was my fault, I used the macOS tftp server wrong).

After flashing, the router did not respond to anything anymore. After powering on, the blue lights on top flash up for a second, after several seconds it comes up in red and nothing more happens.
As there was no ethernet connection possible to the device, I soldered the UART interface where I managed to get a serial connection, but as it was already late I think I messed this one up (I managed to again flash something but used the same file, don't know what exactly happened but since then I can't connect to the router with serial interface anymore).

So I decided to get a pro model, as someone near me sold it for a few bucks.

I tried it again on the pro, this time managed to get a backup of the original software (the ubi0_0 and ubi0_1 files) and flashed the pro related install file, ending with .itb instead of .bin.

After deleting the partition and flashing the firmware, I made a reboot and.... again the same situation.
No connection, just the red light, no dhcp server, no access to anything by ethernet.

Here is the link I followed the instructions of (I did flash to mtd17 and double-checked before doing so):
https://openwrt.org/toh/zte/mf287

And here I took the firmware file from:
https://openwrt.org/toh/hwdata/zte/zte_mf287pro

Can anyone tell me what I am doing wrong and if I can get this fixed again?
At least the pro, I think serial connection should still kind of work (if it is the same issue as the + has).

Thank you a lot and have a nice day!

Not without detailed info about what you did last time.

But if serial port still works on the new one, it can probably be brought back to life.

Any idea what I did wrong this time?
Was it again the wrong file?

How can we know?

There are four files at https://openwrt.org/toh/hwdata/zte/zte_mf287pro, we have no idea which one you used.

Sorry, it was this one:
openwrt-23.05.3-ipq40xx-generic-zte_mf287pro-initramfs-zImage.itb

Placed it in the TFTP folder (and named it „zte.itb“) on my MacBook and followed these instructions to install it (as mentioned, the backup was successful):

tftp -g -r zte.itb 192.168.0.22

Copied the file, worked fine

cat /proc/driver/sensor_id

No idea what happens here, no response to that command

flash_erase /dev/mtd17 0 0

Deleted the partition, seems to have worked

dd if=zte.itb of=/dev/mtdblock17 bs=131072

Seemed to have worked, responded that 6.3m of data was written

reboot

Rebooted….

According to the wiki page, it shouldn't be used, unless you're going back to stock?

That's interesting, I thought it should be the correct version.
The snapshot files are kind of beta and not a released version, that's two of them, and the install file is the one to choose for first installation, update is for updating running OpenWrt routers?
That's why I ended up using this file.

What file should I have used?

I will solder the UART pins on the mainboard and check if I can get a serial connection as the next step.

PS: Sorry for the weird stuff that comes out of my smartphone sometimes, it’s hard to fight against the German autocorrect of the iPhone :sweat_smile:

Put the OpenWrt factory.bin file to your TFTP directory as zte.bin

~ From your link https://openwrt.org/toh/zte/mf287#option_1install_from_oem_firmware

You mean the file:

openwrt-23.05.3-ipq40xx-generic-zte_mf287plus-initramfs-zImage.itb

is the correct one for the mf287pro as well?

I used the same file from the „pro“ link, named:

openwrt-23.05.3-ipq40xx-generic-zte_mf287pro-initramfs-zImage.itb

Also, all files declared as „Install“ are .itb, not .bin, the .bin files should be updates?

The links on the wiki page aren't really for your device; the factory image you need can be found at https://firmware-selector.openwrt.org/?version=23.05.4&target=ipq40xx%2Fgeneric&id=zte_mf287pro

Okay, didn’t know the files linked in the update guide, named after the device, are not correct.

What are they doing then or what are they for? And do you know what flashing them into the router actually does to it?

I will remove the mainboard and solder the UART pins as soon as I have time for doing so.

Thank you so far

To be clear, the files at https://openwrt.org/toh/hwdata/zte/zte_mf287pro are for your device.

The ones at https://openwrt.org/toh/zte/mf287 are for the Plus, judging by the file names.

But these are exactly the files I refer to?
I used the Install file from this link and the one not declared as snapshot.
Still the wrong one?
Do you have any idea what could have happened when I flashed this one?

Correct, as in for your device.
You still used the initramfs, when you shouldn't have?

It looks like the wiki pages have been restructured (AFAICT, this was some automated process) and the links to the firmware image are plain wrong. I will fix the page.

Meanwhile, I'm afraid, you need serial console. Only the correct factory image can be flashed when using the exploit, the other images won't boot. Since we exploit the OEM firmware, there is no firmware check / safeguarding in place and once you've executed the flash_erase command, there is no going back.

This unlocks writing to flash in the OEM firmware. ZTE implemented some kind of write-protection and this disables it. Yes, that's a bit weird - took me quite some time to figure that one out.

Now, this all doesn't help you much at this point. Once you've got serial access (you don't need to solder - just hold a pin header in place, either by hand or with a rubber band), follow the instructions to install via UART. This involves uploading the initramfs image and then running sysupgrade from there - so that's the files you already have.

Edit: I updated the dataentry pages and the wiki page to clarify the installation procedure.


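A pre-flash check for the situation described in the post above, as an added example that is not from the thread or from the OpenWrt project: it refuses any file that is not a raw UBI image made of whole 128 KiB eraseblocks, which would have rejected the initramfs `.itb` before `flash_erase` was run. That the factory image is a UBI image is an assumption (suggested by the UBI attach error in the boot log posted in this thread, not stated on the page); the function names and sample files are hypothetical.

```shell
#!/bin/sh
# Added example: run on the host before the image goes into the TFTP directory.
PEB_SIZE=131072   # 128 KiB eraseblock, the bs= value used with dd in this thread

# Print the container type guessed from the first four bytes of a file.
image_kind() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        55424923) echo ubi ;;      # "UBI#": UBI erase-counter header
        d00dfeed) echo fit ;;      # flattened device tree magic: FIT image (.itb)
        *)        echo unknown ;;
    esac
}

# Return 0 only if the file looks like a raw UBI image made of whole eraseblocks.
# Assumption (not stated on the page): the factory image is a UBI image.
safe_to_flash() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    kind=$(image_kind "$1")
    size=$(wc -c < "$1" | tr -d ' ')
    if [ "$kind" != ubi ]; then
        echo "refusing: $1 is '$kind', not a UBI image" >&2; return 1
    fi
    if [ $((size % PEB_SIZE)) -ne 0 ]; then
        echo "refusing: $1 size $size is not a multiple of $PEB_SIZE" >&2; return 1
    fi
    return 0
}

# Constructed sample files (not real firmware): a fake FIT header and a
# fake one-eraseblock UBI image.
demo() {
    d=$(mktemp -d)
    printf '\320\015\376\355rest-of-fit' > "$d/zte.itb"
    { printf 'UBI#'; head -c $((PEB_SIZE - 4)) /dev/zero; } > "$d/zte.bin"
    for f in "$d/zte.itb" "$d/zte.bin"; do
        if safe_to_flash "$f"; then echo "$(basename "$f"): ok"
        else echo "$(basename "$f"): blocked"; fi
    done
    rm -rf "$d"
}
demo
```
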
Hello,
thank you all for your support so far.
I've managed to get serial connection to the router (the pro now).

This is what I get at boot:

D -        60 - QSEE Execution, Delta
B -   1379382 - SBL1, End
D -    684840 - SBL1, Delta
S - Flash Throughput, 2010 KB/s  (775270 Bytes,  385684 us)
S - DDR Frequency, 672 MHz


U-Boot 2012.07 [Chaos Calmer 15.05.1,IPQ4019.ILQ.6.1.0.r2-00006-P-1] (Aug 19 2021 - 19:50:43)

smem ram ptable found: ver: 1 len: 3
DRAM:  256 MiB
machid : 0x8010001
NAND:  spi_nand: spi_nand_flash_probe SF NAND ID ff:ef:aa:21
SF: Detected W25N01GV with page size 2 KiB, total 128 MiB
SF: Detected GD25Q16 with page size 4 KiB, total 2 MiB
ipq_spi: page_size: 0x100, sector_size: 0x1000, size: 0x200000
130 MiB
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
machid: 8010001
flash_type: 0
Uaztemain: enter into ! 
ZTE_InitFotaFlashPara: nand_curr_device=1
zte_getHandOffState: read data=0x20 from 0x0
Press ESC to abort autoboot in 0 seconds
Creating 1 MTD partitions on "nand1":
0x000001800000-0x000003500000 : "mtd=0"
UBI: attaching mtd2 to ubi0
UBI: physical eraseblock size:   131072 bytes (128 KiB)
UBI: logical eraseblock size:    126976 bytes
UBI: smallest flash I/O unit:    2048
UBI: VID header offset:          2048 (aligned 2048)
UBI: data offset:                4096
UBI error: ubi_read_volume_table: the layout volume was not found
UBI error: ubi_init: cannot attach mtd2
UBI error: ubi_init: UBI error: cannot initialize UBI, error -22
UBI init error 22
(IPQ40xx) #

Can anyone give me advice how to install openwrt (or maybe the original firmware) from here?
Basic Linux commands don't work here (like "ls", "cd" and so on).

Thanks!

The link to the git commit is on the tech/hwdata page from your 1st post.

You are in a U-Boot console, there are only a limited number of commands available. Type "help" to see them.

The commit containing the instructions can be found at

https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=edfe91372adfdaf5ee4e294fb0f5860a16adc551

Hello,
finally I got it running on OpenWrt.
It was pretty straightforward, except the address needed to be increased by 2000 (tftpboot 0x84000000, received an „access denied“ error on the address 0x82000000), maybe this is a difference between normal / plus and the Pro?
Anyway, it is working now.
Thank you once again.

Probably related to the growing OpenWrt image size.