Unbrick Xiaomi mi router 3G

If you're getting text out of the serial port, the bootloader should be OK and you probably will not need to use hardware and write directly to flash. But it is still not simple.

I can only write this next week because I'm away from home. It's a national holiday in my country.

I am at home. I tried to turn on the router. When I plug in the power, the lights flash for half a second and then go out.

Whelp, it turns out I had misunderstood the instructions for returning to stock from PandoraBox (I had finally gotten around to this), since it looks like PandoraBox's bootloader prevents mtd from even reading the Bootloader (mtd0) partition.

Now I have a bootlooping router (every few seconds it turns off and then on), unless I press the reset button, in which case the LED glows and fades slowly (in both cases, the color is orange).

Nor is the router even attempting to read miwifi.bin from my flashdrive.

No access via RJ-45, and when I try hooking up a USB-to-TTL converter, I just get an error message that /dev/ttyUSB0 cannot be opened since it does not exist (dmesg tells me that is the console that now exists for the USB-to-TTL converter).

I have tried three so far, a PL2303, a CP210X and a CH341a, all with the same results.

Any ideas?

Does your user account actually have permissions to use the serial-device?

I believe it does, however adding sudo did not really help me.

Using FlashROM with my CH341a requires sudo to actually read and/or write directly to attached chips and since I don't really have any need to run it as a standard user I haven't tried giving my user the necessary permissions to do so without adding sudo, so I am well aware of that.

I am using Solus, and the only time I managed to get serial working, was with my Netgear DM200 (unfortunately, its DSL modem appears to have been fried, so it was replaced with an ISP T&W DSL699U5 (Broadcom chipset) in bridge mode) in between me putting OpenWrt dev for playing around and putting the stable version for actual production use, however no one else running Solus has had any issues with serial connections when attempting to do so.

The error shown is with picocom, and Putty just does nothing at all.

Update: It turns out that it was not a CH341a (my CH341a needs to be repaired due to a well-known issue), but a CH341b, however for all intents and purposes they are precisely the same, since the only difference is that the CH341a requires an external crystal and oscillation capacitor, while the CH341b can either use that or its built-in clock, and my unit (arrived a few hours ago) is wired up to an external crystal and its corresponding capacitor (the same exact models as on my CH341a).

Well, it's irrelevant what the adapter is connected to or if it's connected to anything at all, so that unfortunately says absolutely nothing useful. I'm also not familiar with this 'Solus' thingamabob, so I have no idea if there are some issues with it or whatever.

That said, if dmesg claims e.g. /dev/ttyUSB0 should be available and there are no messages that e.g. the USB-device was disconnected or anything like that, then a simple ls /dev/ttyUSB* should show the corresponding character device there. If there is no such, then there is clearly something wrong, either with Solus or specifically your installation.

Yeah, sorry about that. I had just meant that whatever the issue is, it is not due to distro quirks.

Perhaps something is wrong with my installation, however as I had not messed around with this part of the OS, I don't think that is the issue either.

I do have a ThinkPad T22 running Windows FLP (meant for extreme situations, and never connected to the Internet), I'll try from there.

Ah, wait. I forgot to check ls /dev/ttyUSB0, just a moment.

Update: It appears that I needed to put the full path for Picocom to work. Just "ttyUSB0" was not enough.

It looks like the router is starting up a standard OpenWrt bootloader, then PandoraBox's bootloader, which has a kernel panic, which causes it to send a reboot command, with the whole cycle going on endlessly.

Update 2: It looks like it is still behaving as PandoraBox is supposed to do, booting PandoraBox's recovery environment when pressing and holding the reset button (hence the fading and glowing orange light), however flashing stock OpenWrt is not working, I'll have to try flashing PandoraBox again, and this time properly follow the instructions to get back to stock, and then properly move over to OpenWrt.
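The serial checks worked through in the posts above (does the device node exist, is it a character device, can the user open it without sudo, and was the full path given to picocom), collected as an added example that is not part of the original thread. It assumes a Linux host with GNU `stat`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks for a USB-to-TTL console before starting picocom.

# Turn a bare name such as "ttyUSB0" into the full path a terminal program needs.
resolve_tty() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf '/dev/%s\n' "$1" ;;
    esac
}

# Return codes: 0 usable, 1 no device node, 2 not a character device, 3 no access.
check_serial() {
    dev=$(resolve_tty "$1")
    if [ ! -e "$dev" ]; then
        echo "$dev: no device node; look in dmesg for a disconnect message"
        return 1
    fi
    if [ ! -c "$dev" ]; then
        echo "$dev: exists but is not a character device"
        return 2
    fi
    if [ ! -r "$dev" ] || [ ! -w "$dev" ]; then
        # The owning group is the one to join instead of running everything as root.
        grp=$(stat -c %G "$dev" 2>/dev/null)
        echo "$dev: $(id -un) cannot read/write it; owning group is ${grp:-unknown}"
        return 3
    fi
    echo "$dev: usable"
    return 0
}

# Run the check only when a device was named on the command line.
if [ "$#" -gt 0 ]; then
    check_serial "$1"
fi
```

Joining the group reported in the "cannot read/write" case gives the account access to the adapter without running the terminal program under sudo.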

Not to be a jackass or anything, but you probably mean uboot. There is no such thing as "standard OpenWrt bootloader" -- just mentioning so as to avoid any misunderstandings in the future.

Thanks, you are right. I had forgotten that OpenWrt relies on uBoot, too much confusion due to using generalized terms as a result of people calling things what they are not (like calling UEFI or uBoot BIOS).

Thankfully, I am on stock now.
I just need to refresh my memory of adding SSH support, and then it's off to the OpenWrt races.

Update: Somehow PandoraBox's recovery environment has remained, so I cannot use the official method of adding SSH to the stock firmware. I guess I need to go serial again.

And... It appears that I am unable to get rid of PandoraBox's uBoot, and anything I try just ends up failing, since the necessary commands are not there.

Can someone help me? It looks like the device is first booting PandoraBox's uBoot, before handing control to Xiaomi's OpenWrt implementation.

Update: With the root exploit I can access the router via telnet, but not via SSH. Additionally, whatever I do via telnet is not persistent (and telnet access is also lost upon reboot), despite me setting nvram commit.

Update 2: Attempting to overwrite the bootloader partition from the stock firmware went very, very wrong.

Unlocked, erased, failed to flash due to the partition being locked (somehow).

Now I truly have a brick, with the LED not even turning on, and the ethernet interface getting up, but never connecting (static IP address did not help me here). No serial either.

My Mi R3G also died suddenly out of nowhere. No lights, no serial, no nothing. Tried a lot of things, checked all the voltage rails, replaced cpu, replaced ram but ultimately found that NAND was somehow dead.
So I got a 16MB NOR chip, downloaded a dump compatible with R3G 16MB from 4pda. Flashed dump into the nor chip with a bios programmer. Then shorted 2 jumpers in motherboard then removed the nand chip (removing nand chip was not necessary) and soldered the nor chip (there are empty pads for nor chip).
Router booted up with openwrt 18.x and had breed bootloader.
Then I compiled latest openwrt and made some modifications so that it can run properly from 16MB nor chip. It was running very stable for months.

Later after a few months I bought a Xgecu T48 universal programmer (which I wanted for a long time).
When I read the nand chip I found that the chip had developed around 500 bad blocks!! I erased the nand and surprisingly all the bad blocks were gone (don't ask me how). Then I flashed r3g nand dump I found on github and soldered the nand chip back to the motherboard. Removed the jumpers and nor flash and it booted up official mi firmware. Then I unlocked bootloader, flashed breed bootloader, changed mac to official and now my router runs official openwrt and Mi firmware in dual boot.

Here I would like to say that it was not at all easy, had a steep learning curve. I also possess excellent bga and micro soldering skills and have necessary tools without which this would be very difficult. Yes I know I would have been better off with a new router but there's no fun in that. Lots of time and money spent but it was well worth the knowledge I gained.

I think for most people the NOR mod would be easily doable.

If you need any help feel free to ask, I would provide all files and necessary info.

R3G seems a good router on second hand, but maybe it has a thermo issue for long-time use, do you know why?

Definitely the cpu gets uncomfortably hot with normal usage but other routers with same processor remain much cooler. Someone more knowledgeable might know why.

However the heat has not hindered its operation for me. Mine is running 24x7 from 2017, so far so good except the NAND issue.

What I have noticed is that the r3g has one big heat sink which is shared by the processor, ram, 2g and 5g wifi chips. Except for the processor, all other chips remain much cooler even under heavy load. As they share same heat sink, heat from the processor spreads to other chips as well. So I removed all thermal pads except for the processor. I know it's not needed but it makes me comfortable that some of my little chips run cooler :smile:
