Xiaomi AX3200 Boot loop after sysupgrade (solved)

Hello everyone, please help me sort this out. I've been searching and reading in this forum but didn't find the solution.

After several attempts to flash the AX3200 RB01 (telnet disabled) with OpenWrt following mikeeq's guidelines in this forum, I was able to serve & boot the OpenWrt recovery image by using TFTPD, and I've been successfully running OpenWrt by using the U-Boot Console.

However, when I tried to make OpenWrt persistent by flashing "sysupgrade.bin", the process completed and rebooted the router, leading to an infinite boot loop complaining "Image format error,neither FIT image nor old image. Bad Magic Number.", "can't get kernel image!", etc. under the UART terminal.

I was also not able to do the Power Plug + 5sec Reset method and serve the OEM recovery fw anymore; looks like it is soft bricked?

Please see the log.

Fri Oct 14 23:04:08 UTC 2022 upgrade: Sending TERM to remaining processes ...
Fri Oct 14 23:04:08 UTC 2022 upgrade: Sending signal TERM to ntpd (2509)
Fri Oct 14 23:04:08 UTC 2022 upgrade: Sending signal TERM to ntpd (2525)
Fri Oct 14 23:04:12 UTC 2022 upgrade: Sending KILL to remaining processes ...
Fri Oct 14 23:04:12 UTC 2022 upgrade: Sending signal KILL to ntpd (2509)
Fri Oct 14 23:04:12 UTC 2022 upgrade: Sending signal KILL to ntpd (2525)
[ 1185.679962] stage2 (7976): drop_caches: 3
Fri Oct 14 23:04:18 UTC 2022 upgrade: Switching to ramdisk...
Fri Oct 14 23:04:19 UTC 2022 upgrade: Performing system upgrade...
Unlocking kernel ...

Writing from <stdin> to kernel ...
ubiattach: error!: strtoul: unable to parse the number '10 mtd11'
ubiattach: error!: bad MTD device number: "10 mtd11"
ubiformat: error!: more then one MTD device specified (use -h for help)
ubiattach: error!: strtoul: unable to parse the number '10 mtd11'
ubiattach: error!: bad MTD device number: "10 mtd11"
libubi: error!: "/dev[ 1188.261579] reboot: Restarting system
/"▒
F0: 102B 0000
F6: 0000 0000
V0: 0000 0000 [0001]
00: 0000 0000
BP: 0000 0041 [0000]
G0: 0190 0000
T0: 0000 036E [000F]
Jump to BL

UNIVPLL_CON0 = 0xFE000000!!!
mt_pll_init: Set pll frequency for 25M crystal
RAM_CONSOLE preloader last status: 0x0 0x0 0x0 0x0 0x0 0x0
[PMIC_WRAP]wrap_init pass,the return value=0.
[pmic_init] Preloader Start..................
[pmic_init] MT6380 CHIP Code, reg_val = 0, 1:E2  0:E3
[pmic_init] Done...................
Chip part number:7622B
MT7622 Version: 1.2.8, (iPA)
SSC OFF
mt_pll_post_init: mt_get_cpu_freq = 1350000Khz
mt_pll_post_init: mt_get_mem_freq = 1600000Khz
mt_pll_post_init: mt_get_bus_freq = 279980Khz
[PLFM] Init I2C: OK(0)

[BLDR] Build Time: 20210316-161525
==== Dump RGU Reg ========
RGU MODE:     14
RGU LENGTH:   FFE0
RGU STA:      40000000
RGU INTERVAL: FFF
RGU SWSYSRST: 8000
==== Dump RGU Reg End ====
RGU: g_rgu_satus:2
 mtk_wdt_mode_config  mode value=10, tmp:22000010
PL RGU RST: ??
SW reset with bypass power key flag
Find bypass powerkey flag
WDT NONRST=0x20000000
WDT IRQ_EN=0x340003
RGU mtk_wdt_init:MTK_WDT_DEBUG_CTL(590200F3)
[EMI] MDL number = 2
[EMI] DRAMC calibration start

[DDR] Gating glitch patched (0<cnt<=6)
[EMI] DRAMC calibration end

[EMI]rank size auto detect
[EMI]start_addr[0x40000000]=0x12345678, test_addr[0x48000000]= 0xEDCBA987
[EMI]start_addr[0x40000000]=0xEDCBA987, test_addr[0x50000000]= 0xEDCBA987
[EMI]rank0 size: 0x10000000
[MEM] complex R/W mem test pass
RAM_CONSOLE wdt status (0x2)=0x2
mtk_snand_get_device_info
2-Recognize NAND: ID [C8 51 ], Device Name [GD5F1GQ5UEYIG], Page Size [2048]B Spare Size [128]B Total Size [128]MB
[BBT] BMT.v2 is found at 0x3FF
[PLFM] Init Boot Device: OK(0)

[PART] blksz: 2048B
[PART] [0x0000000000000000-0x000000000007FFFF] "PRELOADER" (256 blocks)
[PART] [0x0000000000080000-0x00000000000BFFFF] "tee1" (128 blocks)
[PART] [0x00000000000C0000-0x000000000013FFFF] "lk" (256 blocks)

Device APC domain init setup:

Domain Setup (0x0)
Domain Setup (0x0)
Device APC domain after setup:
Domain Setup (0x0)
Domain Setup (0x0)
[PART] Image with part header
[PART] name : U-Boot
[PART] addr : 41E00000h mode : -1
[PART] size : 356560
[PART] magic: 58881688h

[PART] load "lk" from 0x00000000000C0200 (dev) to 0x41E00000 (mem) [SUCCESS]
[PART] load speed: 16581KB/s, 356560 bytes, 21ms
load lk (ret=0)
[PART] Image with part header
[PART] name : atf
[PART] addr : FFFFFFFFh mode : -1
[PART] size : 57936
[PART] magic: 58881688h

[PART] load "tee1" from 0x0000000000080200 (dev) to 0x43000DC0 (mem) [SUCCESS]
[PART] load speed: 14144KB/s, 57936 bytes, 4ms
load tee1 (ret=0)
[BLDR] bldr load tee part ret=0x0, addr=0x43001000
[BLDR] boot part. not found
[BLDR] part_load_images ret=0x0
[BLDR] Others, jump to ATF

[BLDR] jump to 0x41E00000
[BLDR] <0x41E00000>=0xEA00000F
[BLDR] <0x41E00004>=0xE59FF014


U-Boot 2014.04-rc1 (Aug 07 2021 - 08:08:31)

auto detection g_total_rank_size = 0x F000000
DRAM:  240 MiB
Turn on power orange!
NAND:  Recognize SNAND: ID [c8 51 ], Device Name [GD5F1GQ5UEYIG], Page Size [2048]B Spare Size [128]B Total Size [128]MB
[mtk_snand] probe successfully!
Not found in UBOOT NAND flash list
[BBT] BMT.v2 is found at 0x3ff
128 MiB
In:    serial
Out:   serial
Err:   serial
Net:   mtk_eth
Uip activated

  *** U-Boot SPI NAND ***

     1. Load firmware 0 and bootup.
     2. Load firmware 1 and bootup.
     3. Load firmware selected by Xiaoqiang and bootup.
     U-Boot console

 restore_defaults is set, enlarge xqup detect time
 trigger button release!or Press 1~3 to choose, ENTER to select
Erasing NAND...
[mtk_nand_erase_hw] mtk_nand_erase_hw @4249, ret:0x40. page:0x280
Erasing at 0x140000 -- 100% complete.
Writing to NAND... OK
Booting System 1

NAND read: device 0 offset 0x20c0000, size 0x2000
 8192 bytes read: OK
[do_read_image_blks] Image format error,neither FIT image nor old image.
Bad Magic Number.

NAND read: device 0 offset 0x20c0000, size 0x0
 0 bytes read: OK
bootm flag=0, states=70f
Wrong Image Format for bootm command
ERROR: can't get kernel image!
MT7622>
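The '10 mtd11' argument that ubiattach rejects in the log above is what a partition-name lookup yields when two /proc/mtd entries match and only the first "mtd" prefix is stripped. The sketch below is an added example, not code from this thread or from OpenWrt; the /proc/mtd sample and its partition names are constructed, and both function names are hypothetical.

```shell
#!/bin/sh
# SAMPLE_MTD is constructed for illustration; the partition names are
# assumptions, not read from the router in the log above.
SAMPLE_MTD='dev:    size   erasesize  name
mtd0: 00080000 00020000 "Preloader"
mtd1: 00040000 00020000 "ATF"
mtd2: 00080000 00020000 "u-boot"
mtd9: 00400000 00020000 "kernel"
mtd10: 02000000 00020000 "ubi"
mtd11: 02000000 00020000 "ubi"'

# Naive lookup (hypothetical): substring match on the name, then strip only
# the first "mtd" prefix. Two matches collapse into one two-number string.
naive_mtd_index() {
    part=$(printf '%s\n' "$2" | grep "\"$1\"" | awk -F: '{print $1}')
    echo ${part#mtd}    # unquoted on purpose: newlines become spaces
}

# Strict lookup: exact name match, exactly one hit, numeric index only.
# Prints the index and returns 0; returns 1 (no match) or 2 (ambiguous).
strict_mtd_index() {
    hits=$(printf '%s\n' "$2" | awk -v n="$1" '{
        name = $0
        sub(/^[^"]*"/, "", name)      # drop everything up to the opening quote
        sub(/"[ \t]*$/, "", name)     # drop the closing quote
        if (name == n) { sub(/:.*/, "", $1); print $1 }
    }')
    [ -n "$hits" ] || return 1
    set -- $hits                      # one word per matching device
    [ "$#" -eq 1 ] || return 2
    idx=${1#mtd}
    case $idx in ''|*[!0-9]*) return 2 ;; esac
    printf '%s\n' "$idx"
}

# On a router, pass "$(cat /proc/mtd)" instead of the sample table.
echo "naive:  ubiattach -m $(naive_mtd_index ubi "$SAMPLE_MTD")"
strict_mtd_index ubi "$SAMPLE_MTD" || echo "strict: lookup refused, rc=$?"
```

Running the strict lookup against the live /proc/mtd before a sysupgrade shows whether the target name resolves to a single device, before anything is erased.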

Hi, I am getting the same issue. How did you solve it?

Power On + Reset button (15 sec) to flash Xiaomi OEM image to unbrick.

Thanks, I did that. I mean installing OpenWrt, did you manage to do that?

Flashing the OpenWrt image after logging in to the Xiaomi firmware using SSH was the better method for me. I will try to give details when I reach home.

I assume that you have already "jailbroken" the Xiaomi OEM firmware and have telnet access.

# Create telnet terminal session, use TELNET_PASSWORD from script output from the previous point
telnet 192.168.31.1
******

# Enable SSH
nvram set ssh_en=1

# Add flags which allow you to recover from bad flashes without going back to the OEM firmware.
nvram set uart_en=1
nvram set boot_wait=on
nvram commit
sed -i '/flg_ssh.*release/ { :a; N; /fi/! ba };/return 0/d' /etc/init.d/dropbear

# Set password for root user.
passwd root

# After changing the root password, the change is persistent even after a restart, so if you try to telnet after a reboot, use this password instead of the generated one from above

# Start SSHd (dropbear)
/etc/init.d/dropbear enable
/etc/init.d/dropbear start

# cat /proc/mtd

#============================================================
#AFTER COPY FILES OVER SSH or SCP, prepare to flash firmware.
#============================================================
# Set NVRAM flags
## Also run the two commented-out lines below if, after flashing the sysupgrade.bin image, the router restarts to stock firmware instead of OpenWrt
# nvram set flag_boot_rootfs=0
# nvram set "boot_fw1=run boot_rd_img;bootm"
nvram set flag_boot_success=1
nvram set flag_try_sys1_failed=0
nvram set flag_try_sys2_failed=0
nvram commit

# Flash image
mtd -r write factory.bin firmware

You can read more details here...
