Support for Xiaomi Mi 3C

Thank you too.

@minax007
Hello,
I have been following these steps one by one:

When it reached this level:

Wifi turned off, but the device was still working, I plugged off the router (big mistake, I guess) and now there's no lights whatsoever. I have zero experience with this :slight_smile:
Should I just get a replacement router? :laughing:
Thanks

No, the stock recovery works the same. Run the steps in recovery to replace the stock ROM on the Xiaomi.

YES. You don't power router on flashing firmware.

Stock recovery description:

https://visser.io/2018/01/xiaomi-mi-router-3c-recovery-from-system-error-orange-red-led/

Thanks, will this still work even if led lights are not turning on at all?

I do not know.

I would give it a try.

In case it doesn't work you have to open the housing and have to flash the NAND with an SPI-flasher.

Hello, I have been using my Mi 3C on snapshots right now. When can we expect to have stable releases coming out?

I've been following the steps.

After running mtd erase OS1 I got a bus error.

root@XiaoQiang:/# mtd erase OS1
Unlocking OS1 ...
Erasing OS1 ...
root@XiaoQiang:/# mtd erase OS2
Bus error
λ telnet 192.168.31.1
Trying 192.168.31.1...
Connected to 192.168.31.1.
Escape character is '^]'.

Connection closed by foreign host.
λ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -m hmac-sha1-96 -o UserKnownHostsFile=/dev/null root@192.168.31.1
Shared connection to 192.168.31.1 closed.

I'm not able to telnet, or ssh in, or load the web UI anymore. I'm afraid to restart my router at this point. What do I do?

It seems that something went wrong.
In case you can't use your router anymore, then the only option I see is that you open the router and flash a dump on the chip with a programmer (e.g. CH341A).

I don't have any of these hardware tools, unfortunately. Surprisingly ftp still works.

Hi,
thanks to minax007 and eduardo010174 for the hard work :muscle:

Now, after many experiments, I'm a happy owner of a bricked 3C, with "stock" U-Boot (UART is readable only, and therefore not stoppable) and non-working firmware. The bootloader tries to start the firmware, but an error occurs (I don't remember the error... I will post the log shortly, I apologize).
I have some questions:
a) TFTP recovery does not work, and the web interface on 192.168.31.1 (obtained by pressing the reset button at power up) accepts Xiaomi firmware (RSA key OK, etc.), but does not write it to flash memory (tried more than one, in Chinese and international versions).
So, the only way will be a CH341A and clamp?

b) flag_try_sys2_failed = 1 forces the bootloader to load firmware from OS1;
but what does flag_last_success = 1 do?

c) I have (or I guess I have...) a copy of the entire firmware, obtained in the past by cat /dev/mtd0 > /tmp/full_flash.bin, using the OpenWRTInvasion exploit.
How can I obtain the Firmware/ART file from the full_flash.bin file, to write it to the right partition (once I have restarted my 3C)?
I guess by extracting the file from position 0x50000 to position 0x5FFFF.
And can I also use the file obtained with the BREED / EEPROM write function?
I'm looking for a Firmware/ART/EEPROM dump, to compare with mine (I did not find it on https://www.lanzoux.com/b01hjjtzg)

Many and many thanks

In your case it seems that only a flash tool can help you in flashing a firmware on the device.

From the link you have posted above you can acquire a full dump which can be flashed via the flash tool.

In case you want to flash only a specific partition you can extract it from the full dump according to the following partition table of the stock rom:

[    1.510000] 0x000000000000-0x000001000000 : "ALL"
[    1.510000] 0x000000000000-0x000000030000 : "Bootloader"
[    1.520000] 0x000000030000-0x000000040000 : "Config"
[    1.530000] 0x000000040000-0x000000050000 : "Bdata"
[    1.530000] 0x000000050000-0x000000060000 : "Factory"
[    1.540000] 0x000000060000-0x000000070000 : "crash"
[    1.550000] 0x000000070000-0x000000080000 : "cfg_bak"
[    1.550000] 0x000000080000-0x000000140000 : "overlay"
[    1.560000] 0x000000140000-0x0000008a0000 : "OS1"
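The extraction described in the reply above, as an added example that is not part of the original posts: it parses the stock partition table quoted there and carves one partition out of a full `/dev/mtd0` dump, refusing a dump whose size does not match the "ALL" entry. The function names and the sample dump are constructed for illustration.

```python
import re

# Stock-ROM partition table from the reply above (kernel timestamps dropped).
STOCK_TABLE = '''
0x000000000000-0x000001000000 : "ALL"
0x000000000000-0x000000030000 : "Bootloader"
0x000000030000-0x000000040000 : "Config"
0x000000040000-0x000000050000 : "Bdata"
0x000000050000-0x000000060000 : "Factory"
0x000000060000-0x000000070000 : "crash"
0x000000070000-0x000000080000 : "cfg_bak"
0x000000080000-0x000000140000 : "overlay"
0x000000140000-0x0000008a0000 : "OS1"
'''
ENTRY = re.compile(r'0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)\s*:\s*"([^"]+)"')

def parse_table(text):
    """Map partition name -> (start, end); end is exclusive, as the kernel prints it."""
    return {m.group(3): (int(m.group(1), 16), int(m.group(2), 16))
            for m in ENTRY.finditer(text)}

def carve(dump, parts, name):
    """Return the bytes of one partition, refusing dumps of the wrong size."""
    flash_size = parts["ALL"][1]
    if len(dump) != flash_size:
        raise ValueError(f"dump is {len(dump)} bytes, expected {flash_size}")
    start, end = parts[name]
    return dump[start:end]

def is_erased(blob):
    """True when every byte is 0xFF, i.e. the region holds no data."""
    return blob.count(0xFF) == len(blob)

def make_sample_dump():
    """Constructed 16 MiB image: blank flash with a marker in Factory."""
    dump = bytearray(b"\xff" * 0x1000000)
    dump[0x50000:0x50004] = b"DEMO"  # constructed marker, not real calibration data
    return bytes(dump)

if __name__ == "__main__":
    parts = parse_table(STOCK_TABLE)
    dump = make_sample_dump()  # for a real dump: open("full_flash.bin", "rb").read()
    for name in ("Factory", "crash"):
        blob = carve(dump, parts, name)
        print(f"{name}: {len(blob):#x} bytes, erased={is_erased(blob)}")
```

A carved partition that comes back entirely 0xFF, or a dump that fails the size check, points to a bad read rather than usable data.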

Thanks @minax007 for fast reply!

I hate my SPI programmer :laughing:

Now, my 3C is completely dead :sweat_smile:

No luck for me, with SPI programmer and soldered chip.

The chip costs less than 2 USD on Aliexpress.
Just order a new one and flash it - to revive your router.

If you do not have a clamp just watch some videos on Youtube on how to desolder the chip without a desoldering station - just with a soldering iron.

I made this - as my chip on the MI-3C got defective.
Just bought a new one. Flashed it. And now it is working.

Oh, I have already desoldered, flashed and resoldered the chip. 2 times, once with the original chip, once with a new chip. With no luck. Probably, at the beginning, when I used the clamp the first time, I did something wrong. Now the board is lifeless: with or without the flash chip, no LEDs light up.
Which software do you use? I used NeoProgrammer 2.2 (and AsProgrammer in the past) because the software provided by SkyGz (ver. 1.34) does not support my flash chip which, if I remember right, is a Winbond 25Q128JVSQ.
I can try another time, but I have a question:
When I switch on the board, I find 5V and 3.3V in the right places. Without the flash chip, should the LED light up? Because, if yes, it means that the trouble isn't the flash chip.
ch341a

Hypothesis: if OpenWrt checks that flag_last_success=1, it will try to start from OS1 or OS2, depending on the value of flag_try_sys1_failed and flag_try_sys2_failed (to verify)

Your issues may be related to the fact that that programmer has a design-flaw: it supplies +5V on the SPI-pins. It requires modding the device a little to get it to use +3V3 instead, see e.g. https://www.youtube.com/watch?v=-ln3VIZKKaE

I had a couple of flash-chips that produced random bitflips because of the wrong voltage, but modding the device to use correct voltage fixed that and I have not had any issues with flashing chips with it afterwards.

Thanks for the advice, in the next days I will make the hack on the programmer. But I guess that it is the board that is damaged. For this reason I asked if the board without the flash chip gives some sign of life.

I also own a second 3C board, with OpenWrt 19 and the BREED bootloader. I would like to change the bootloader from BREED to the original U-Boot, but:
a) the original U-Boot is "armored" (no TFTP, UART not writeable, web interface accepts only Xiaomi signed firmware). Is it enough to simply modify it with a hex editor:

bootcmd=tftp bootdelay=5 baudrate=115200 ethaddr="00:AA:BB:CC:DD:10" ipaddr=192.168.31.1 serverip=192.168.31.20 model=R3L boot_wait=on uart_en=0 ssh_en=0 telnet_en=0 flag_boot_type=2 mode=Router wl1_radio=1

setting uart_en=1 to at least have access to the UART console?
(note that even though serverip is set to 192.168.31.20, TFTP does not work...)

b) boot log:
[ 0.619113] 0x000000000000-0x000000020000 : "bootloader"
[ 0.625461] 0x000000020000-0x000000030000 : "config"
[ 0.631448] 0x000000030000-0x000000040000 : "factory"
[...]
so the "bootloader" partition is 131072 bytes (0x000000020000 bytes) long, but the U-Boot file is 196608 bytes long. What happens if I use the dd command (or mtd command) to write the U-Boot file to the "bootloader" partition? Will the command overflow into the "config" partition or cut off the file? Obviously, with the second option, the board will not boot :sweat_smile:

@WereCatf @ottone

I can confirm that you do not need to change the CH341A flasher to 3,3V.

The 5,0 V are fine.

I have flashed two different chips on the Mi-3C about 10 times and have never had any issue regarding the 5,0 V.

@WereCatf
Applied the modifications that you suggested. The programmer did not change its behavior. Only one strange thing: when connected to a USB hub, it isn't recognized (but it was before). It works fine only when directly connected to a USB port. Maybe a power issue? I will try with a powered hub next time.

@minax007
Desoldered the chip, compared its content with what I programmed with the modified CH341A, soldered it on the board... no sign of life from the board.

While waiting for some new ideas, I will dedicate my efforts to the second board.