Support request for Xiaomi MiWifi HD R3D

The main problem of this router is that it does not have proper recovery functionality in U-Boot. So, you cannot make any mistake developing the kernel, rootfs etc. Even if you have perfectly working U-Boot that loads a kernel correctly, bugs occurring during next booting steps may result in actually bricked device. I really don't understand why cheaper Xiaomi routers have normal recovery but R3D doesn't! Anyway, if you are familiar with programming you know that it is impossible to port a rather complicated system having only one attempt.

Our router has OpenWRT on board (pretty twisted by Xiaomi developers). During a number of experiments I groped the way how to moderate its console behaviour.

2 Likes

UART - don't help in this situation?

Any update? I'm also looking forward for this router with OpenWRT.

1 Like

acdev from 4pda:

loven-doo @ (https://4pda.to/forum/index.php?act=findpost&pid=89612862)

After a series of experiments, I got a brick....
My problem is that I rolled OpenWRT from another device (I won't write which one yet, so that no one repeats it, it has the same percentage, wlan module and switch, there is sata) the kernel fits, but it can't find rootfs, because the NAND memory scheme is different: that device has 128 MB and other partitions (I got them from the download logs via UART). Unfortunately, I can't log in to the U-Boot console: it looks like the ability to abort booting in the config is disabled.

So it was necessary to correctly throw images into nand. I.e., the rootfs part of the OpenWRT image had to be filled at the rootfs address of the flashed image (you could look in dts for this device). Then the OpenWRT kernel would have found its own rootfs. And it is better to fill the kernel part at address 0xC00000, so that at address 0x800000 you can leave the stock kernel untouched!

And in a good way, it was necessary to build OpenWRT itself and register the correct partition addresses in dts (with bypassing the stock kernel0 and rootfs0 partitions).

RMNLRK @ (https://4pda.to/forum/index.php?act=findpost&pid=104989855)

In general, I read this - [https://forum.openwrt....miwifi-hd-r3d/32142/15](https://4pda.to/pages/go/?u=https%3A%2F%2Fforum.openwrt.%25E2%2580%25A6miwifi-hd-r3d%2F32142%2F15&e=110178006&f=https%3A%2F%2F4pda.to%2Fforum%2Findex.php%3Fshowtopic%3D827710%26st%3D1400%23entry110178006) and I understood why everything is so deaf with our ruther, in addition to the high cost.

The main problem of this router is that it does not have proper recovery functionality in U-Boot. So, you cannot make any mistake developing the kernel, rootfs etc.

Here the person is wrong. Yes, uboot for R3D is generally stripped down and does not contain any data recovery mechanisms on nand. However, for the recovery mechanism, you can use the stock kernel located in the kernel0 (0x800000) partition.

When the router starts with the reset button pressed, uboot should always load the kernel from the kernel0 section (for R3D, this should be checked, because uboot could be crooked).
When loading, the stock firmware checks for the miwifi file.bin on a USB flash drive inserted into the USB port and writes data from this image to the kernel1 and rootfs1 partitions (while uboot installs booting from the kernel1 partition in tinctures).

That is, with the reset button held down, the bootloader should load the OS from the kernel0 partition (address 0x800000). This is the most important condition that needs to be checked for R3D.

Therefore, all custom firmware kernels must be strictly written to the kernel1 section (address 0xC00000). And the rootfs partition (UBI) should be written to the rootfs1 partition (address 0x3800000). This is how the kernel0 and rootfs0 partitions that are needed to restore the system via the miwifi.bin file will remain intact.

Therefore, there would be a desire, and the rest is a matter of technology.

uboot output found on the internet


smem ram ptable found: ver: 0 len: 5
DRAM: 494 MiB
NAND: SF: Unsupported manufacturer 00
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
256 MiB
PCI0 Link Intialized
PCI1 Link Intialized
In: serial
Out: serial
Err: serial
cdp: get part failed for 0:HLOS
cdp: get part failed for rootfs
Net: MAC1 addr:40:31:3c:d8:b1:1a
athrs17_reg_init: complete
athrs17_vlan_config ...done
S17c init done
MAC2 addr:40:31:3c:d8:b1:1b
eth0, eth1

NAND read: device 0 offset 0xc00000, size 0x400000
4194304 bytes read: OK
Image Name: ARM OpenWrt Linux-4.14.131
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 2185323 Bytes = 2.1 MiB
Load Address: 42208000
Entry Point: 42208000
Verifying Checksum ... OK
Loading Kernel Image ... OK
OK

device nand0 nand, # parts = 9
#: name size offset mask_flags
0: Bdata 0x00080000 0x00600000 0
1: crash 0x00080000 0x00680000 0
2: crash_syslog 0x00080000 0x00700000 0
3: rsvd 0x00080000 0x00780000 0
4: kernel0 0x00400000 0x00800000 0
5: kernel1 0x00400000 0x00c00000 0
6: rootfs0 0x02800000 0x01000000 0
7: rootfs1 0x02800000 0x03800000 0
8: overlay 0x0a000000 0x06000000 0

active partition: nand0,0 - (Bdata) 0x00080000 @ 0x00600000

defaults:
mtdids : none
mtdparts: none
Setting up atags for msm partition: Bdata
Setting up atags for msm partition: crash
Setting up atags for msm partition: crash_syslog
Setting up atags for msm partition: rsvd
Setting up atags for msm partition: kernel0
Setting up atags for msm partition: kernel1
Setting up atags for msm partition: rootfs0
Setting up atags for msm partition: rootfs1
Setting up atags for msm partition: overlay
Using machid 0x1260 from environment

Starting kernel ...
1 Like

The stock bootloader does not react in any way to pressing any buttons (reset/wakeup).

After receiving the root access, it is necessary change nvram:

nvram set uart_en=1
nvram set boot_wait=on
nvram set bootdelay=5
nvram commit

After that, through uart, you can get the following list of stock bootloader commands:

?       - alias for 'help'
ar8xxx_dump- Dump ar8xxx registers
base    - print or set address offset
bootm   - boot application image from memory
bootmiwifi- boot MiWiFi boards from flash device
bootp   - boot image via network using BOOTP/TFTP protocol
bootz   - boot Linux zImage image from memory
chpart  - change active partition
cmp     - memory compare
cp      - memory copy
crc32   - checksum calculation
dhcp    - boot image via network using DHCP/TFTP protocol
echo    - echo args to console
env     - environment handling commands
ethspeed- Force ethernet speed to 10/100/autoneg
exit    - exit script
false   - do nothing, unsuccessfully
fdt     - flattened device tree utility commands
fuseipq - fuse QFPROM registers from memory

go      - start application at address 'addr'
help    - print command description/usage
i2c     - I2C sub-system
iminfo  - print header information for application image
imxtract- extract a part of a multi-image
ipq_nand- Switch between SBL and Linux kernel page layout.
loop    - infinite loop on address range
md      - memory display
mii     - MII utility commands
mm      - memory modify (auto-incrementing address)
mtdparts- define flash/nand partitions
mtest   - simple RAM read/write test
mw      - memory write (fill)
nand    - NAND sub-system
nboot   - boot from NAND device
nm      - memory modify (constant address)
pci     - list and access PCI Configuration Space
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
sf      - SPI flash sub-system
showvar - print local hushshell variables
smeminfo- print SMEM FLASH information
source  - run script from memory
test    - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
true    - do nothing, successfully
uartrd  - uartrd from flash device
uartwr  - uartwr from flash device
ubi     - ubi commands
version - print monitor, compiler and linker version
3 Likes

Definitely, there is no firmware installation functionality in the stock bootloader! The bootloader code simply lacks firmware installation functionality.
In this regard, to restore the firmware via the stock bootloader, you must solder the UART. Also, you must configure the parameters in nvram:

nvram set uart_en=1
nvram set boot_wait=on
nvram set bootdelay=5
nvram commit

And you should NOT use the reset button at all, since pressing it will set the default values in nvram !
Restoring the firmware via the uboot console looks like this:

# load firmware image into memory (miwifi_r3d_firmware_973c1_2.29.5.bin)
tftp 44000000 fw.bin 

# flash kernel0
nand erase 0x800000 0x400000
nand write 0x45BD5AC0 0x800000 0x32D000

# flash kernel1
nand erase 0xC00000 0x400000
nand write 0x45BD5AC0 0xC00000 0x32D000

# flash rootfs0
nand erase 0x01000000 0x2800000
nand write 0x44000290 0x01000000 0x1BD5800

# flash rootfs1
nand erase 0x03800000 0x2800000
nand write 0x44000290 0x03800000 0x1BD5800

# erase overlay
nand erase 0x06000000 0x400000

reset

The addresses are specified strictly for the image miwifi_r3d_firmware_973c1_2.29.5.bin.

3 Likes

Somehow I managed to run the OpenWrt 21.02 system on this device:


Now I need to configure all internal devices and add drivers (fan, etc.)

2 Likes

https://4pda.to/forum/index.php?showtopic=827710&view=findpost&p=112213879
OpenWRT started on this router. And no problem with recovery stock firmware.

OpenWrt 21.02 for Xiaomi R3D

Download: https://drive.google.com/drive/folders/1um8w2zS9c3QwfrWulc_lncUi78sT0Rvv
Sources: https://github.com/openwrt-xiaomi

This firmware has been tested on a stock bootloader.

Before flashing OpenWRT, it is recommended to back up the stock firmware settings, as the "overlay" partition will be deleted.

To install any OpenWrt firmware, you should use these scripts: XMiR-Patcher.
Reboot your router before using these scripts.
The downloaded factory firmware should be placed in folder XMiR-Patcher\firmware.
Run file !START.bat (on *nix run python menu.py).
Follow the menu items: 1, 2, 3, 4, 7, 9

The official OpenWrt firmware uses the default IP address 192.168.1.1 (change the parameters of your network card).

After installing the firmware, you should change the settings in the sections System -> Fan Control (change temperatures and speed) and Services -> Disk devices (increase the logging interval).

3 Likes