Xiaomi Mi Router 3G - How to back to stock from PandoraBox?

I'm using Xiaomi Mi Router 3G (128MB NAND Flash)
I was back to stock firmware from OpenWRT, then flashed BREED bootloader and PandoraBox with this bootloader (just for testing SSL performance, they are mentioned in their website which their firmware uses a new driver for EIP-93 HW Crypto Accelerator and that chipset is part of MT7621A SoC. MediaTek's driver in OpenWRT only support IPSec HW crypto acceleration)
So I didn't see any improvements in PandoraBox firmware for HW acceleration and tried to back to OpenWRT. For this to achieve, it needs to back to stock firmware first. But it can't be done because I don't have a stock kernel in kernel partition

[root@PandoraBox_100F:/root]#cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00080000 00020000 "Bootloader"
mtd1: 00040000 00020000 "Config"
mtd2: 00040000 00020000 "Bdata"
mtd3: 00040000 00020000 "Factory"
mtd4: 00040000 00020000 "crash"
mtd5: 00040000 00020000 "crash_syslog"
mtd6: 00040000 00020000 "reserved0"
mtd7: 07e00000 00020000 "firmware"
mtd8: 00200000 00020000 "kernel"
mtd9: 07bc0000 00020000 "ubi"
mtd10: 00040000 00020000 "panic_oops"
mtd11: 00080000 00020000 "factory_bbt"

This is the first line of mtd7 and mtd8 partition's header which shows PandoraBox on both partitions

'..V.L..\T....b.........Q.^.....MIPS PandoraBox Linux-3.14.79...m....`.M.......o.......q...qy.k.d.m.K.2.

I have my stock partition backups but I can't use "mtd write" to flash stock kernel to mtd8 partition because my stock "kernel.bin" is larger than partition size (I think it's due to flashing PandoraBox to the wrong partition by mistake)
"fdisk" shows mtd7 and mtd8 partitions size:

Disk /dev/mtdblock7: 126 MiB, 132120576 bytes, 258048 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/mtdblock8: 2 MiB, 2097152 bytes, 4096 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

I currently on PandoraBox with stock bootloader (U-Boot), how can I back to stock firmware?
Should am I flash stock kernel to mtd7 (126MB) partition and then back to stock firmware by putting "miwifi.bin" in USB storage?
Is there any way to resize mtd8 partition size and then flash stock kernel to it?

  • I'm appreciated for any help

Looks like you have there a traditional combined partition and split details...
mtd7 = mtd8 + mtd9 + mtd10
firmware = kernel + ubi + panic_oops
07e0 = 0020 + 07bc + 0004
Sizes sum up nicely.

Likely you need to flash a normal/old-style combined image to mtd7 "firmware". The image should include kernel and rootfs (ubi), like usually. It will then be logically split into mtd areas for kernel, rootfs etc.

That panic_oops looks extra. Possibly something related to either breed or pandorabox, so no knowledge if that can be overwritten safely. But seeing that it is part of the total firmware, it likely relates to pandorabox.

Note: I have no knowledge in your specific router, breed of pandorabox, so this advice is purely based on that mtd partitioning.

1 Like

Thanks for reply,
Kernel's log confirm what you said

[    2.532000] Creating 9 MTD partitions on "MT762x-NAND":
[    2.536000] 0x000000000000-0x000000080000 : "Bootloader"
[    2.544000] 0x000000080000-0x0000000c0000 : "Config"
[    2.552000] 0x0000000c0000-0x000000100000 : "Bdata"
[    2.556000] 0x000000100000-0x000000140000 : "Factory"
[    2.564000] 0x000000140000-0x000000180000 : "crash"
[    2.572000] 0x000000180000-0x0000001c0000 : "crash_syslog"
[    2.576000] 0x0000001c0000-0x000000200000 : "reserved0"
[    2.584000] 0x000000200000-0x00000ff80000 : "firmware"
[    2.588000] mtd: partition "firmware" extends beyond the end of device "MT762x-NAND" -- size truncated to 0x7e00000
[    3.172000] 3 uimage-fw partitions found on MTD device firmware
[    3.180000] 0x000000200000-0x000000400000 : "kernel"
[    3.188000] 0x000000400000-0x000007fc0000 : "ubi"
[    3.192000] 0x000007fc0000-0x000008000000 : "panic_oops"
[    3.212000] mtdoops: ready 0, 1 (no erase)
[    3.212000] mtdoops: Attached to MTD device 10
[    3.216000] 0x000007f80000-0x000008000000 : "factory_bbt"

Is that mean I should flash the stock firmware .bin file (based on OpenWRT) on mtd7?
Is there no problem to flash mtd7 partition when using PandoraBox to do this flashing procedure? (because PandoraBox already running from this partition)
If anything goes wrong and the device doesn't boot any kernel can I still use U-Boot bootloader (with serial connection) to flash the firmware with this missed up MTD blocks?

Thanks to @ hnyman finally back to stock firmware!
First install "uboot-envtools" from PandoraBox website
Create "fw_env.config" file in (/etc) with "/dev/mtd1 0x0 0x1000 0x20000" content
After that run this: ("kernel0.bin" is my stock partition backup)

fw_setenv flag_try_sys1_failed 0
fw_setenv flag_try_sys2_failed 1
mtd write /tmp/kernel0.bin firmware
reboot

And attach USB storage with "miwifi.bin" to device and waiting for blinking red LED, then push reset button for flashing the stock firmware

Usefull links:
https://openwrt.org/docs/techref/flash.layout
https://openwrt.org/docs/techref/filesystems

I'm so stuck and wish you could help. I've got a Mi WiFi Pro that's stuck on Pandora too.
I've tried the instructions with uboot-envtools but I get the error

fw_setenv flag_try_sys1_failed 0
Cannot parse config file '/etc/fw_env.config': No such file or directory
Error: environment not initialized)

Then for the kernel0.bin file I pulled one from here Pandora Link but I'm not even sure if that's the right thing.

Everything I've tried just bricks the device - but then holding reset I can get back into the PandoraBox Recovery page, reupload pandora firmware and it works fine but only on Pandora.

I just want to get back to stock firmware on this device I've wasted hours and not got very far.

Sorry, I forget to mention that. You should create "fw_env.config" file in (/etc) directory with below content

/dev/mtd1 0x0 0x1000 0x20000

After doing this make sure of "Config" partition have changed (by downloading mtdblock with LuCi and open it with hex editor)


"kernel0.bin" must be the backup partition of your device which you should obtain that before flashing PandoraBox. And for the link you provide, I check the header of "kernel0.bin" and I think it's your default firmware which can be use for go back to stock firmware

Thanks for your help with this but I had no luck. After flashing it I was just stuck in the same position as before, PandoraBox recovery was still available to flash back to PandoraBox firmware though.

Is it right that kernel0.bin is a relatively small file compared to the stock firmware .bin, it's only 4mb compared to the 20something of the stock firmware.

what output did you give with this?

cat /proc/mtd

I gave up - I'm okay technically but it was too much for me. Plus I realised it can only run OpenWRT snapshot and not the current version so I've just got a R3G instead which will hopefully fare a bit better.

The Pandora firmware, whilst not in English, did seem to perform very well though I have to admit.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.