Xiaomi Mi Router 4A Gigabit Edition (Gigaflash SPI models only) u-boot update

Hi Xiaomi Mi 4A Gigabit owners,

NOTE: This only works with units that have the Gigaflash SPI chips; some later models of this router use unknown flash chips that will brick your router! You have been warned!!!

From my previous message in Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit) -- fully supported and flashable with OpenWRTInvasion - #1772 by db260179:

I have created a custom u-boot bootloader for the Chinese model; it's possible to change it for the global model, but that will require more work!

Why have I created this?

Well, the standard recovery method for this router is painful, and its current u-boot is locked down by the vendor - they use some sort of SSL/SHA validation of the image on BOOTP recovery.

So, in essence, you can only fully recover a bricked firmware if you use their firmware image.

We currently have to use an exploit to change the u-boot boot options so that we can install OpenWrt.

So, over the past few months I have found some mt7621 u-boot source code (easy to find) and set about modifying it to work for the Xiaomi Mi 4AG router.

So the good news is that I have it working and can recover from firmware bricks using the web feature when pressing the reset button on power-up.

So, the following works:

  • Recovery mode via HTTP when pressing reset button on power on
  • Upgrade u-boot from same web recovery procedure
  • Netconsole - access uboot from network

Firmware that has been tested and works so far:

Snapshot and the 21.02 release now work due to my recent upstream patch to lower the flash frequency to 50 MHz.

Instructions:

IF YOU DO NOT have a programmer and have not backed up the flash, DO NOT attempt this!

So, what you need to do first:

Using the fw_printenv command in the SSH shell of the router, or 'printenv ipaddr' from the u-boot console, look for 'ipaddr'. It will show you the u-boot IP address when in u-boot mode; use this for the web interface later.

Backup the flash first!

https://openwrt.org/docs/guide-user/installation/generic.backup

The following is done from the SSH shell of the router:

1. Back up the mtd partitions - dd if=/dev/mtd0 of=/tmp/uboot.backup, dd if=/dev/mtd1 of=/tmp/bootconfig.backup, and repeat for the other partitions as per the guide above, or use the web interface to download each partition.

2. You can then do 'mtd verify /tmp/uboot.backup "u-boot"' to make sure the backup is the same.

3. Copy my new uboot.bin to the router - scp uboot.bin root@routerip:/tmp

4. Write the new u-boot - 'mtd write /tmp/uboot.bin "u-boot"', then 'mtd verify /tmp/uboot.bin "u-boot"'.

Then reboot the router. Ideally you will have a serial lead connected to the UART pins so you can watch it boot, interrupt it, and press 4 for the u-boot command line.

To test the web interface recovery:

You can enter the u-boot command line and enter 'httpd', or:

Power off, then press and hold reset, then power on, wait for 10 seconds, then try to ping your IP address (ipaddr in u-boot).

In there you can upload new OpenWrt firmware or a u-boot image.

Currently the OEM firmware will need to be repacked if you want to use it with this new u-boot bootloader!

Here is the download link for the uboot.bin (md5sum as well):

https://workupload.com/archive/YJe6gB2g

My source code for this:

https://gitlab.com/db260179/u-boot-mt7621

Note to testers: You will need a programmer and to have done this recovery procedure before, as shown in the Xiaomi article on the OpenWrt forum and website!
My firmware can fully back up the complete flash contents, so make sure to back up before attempting this procedure.

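The pre-flight checks a practitioner would want before step 4 of the procedure above, written as an added example; this is not code from the original post or from the u-boot-mt7621 repository. It runs on the host, on text copied from the router: it parses /proc/mtd (the OpenWrt and OEM layouts posted in this thread are embedded as samples), picks out the bootloader partition under either name, checks that the dd backups have the sizes /proc/mtd says they should (the 'du -b' figures posted for the OEM unit are the sample), checks the candidate uboot.bin against the published md5sum and against the partition size, and reproduces the comparison 'mtd verify' performs. The partition names, the stand-in image bytes and the readback bytes are assumptions made for the example.

```python
"""Pre-flight checks for the u-boot replacement steps above (added example, not
code from the original post or the u-boot-mt7621 repository). It assumes the
partition names seen in this thread ("u-boot" on OpenWrt, "Bootloader" on the
OEM firmware) and that backups are raw dd dumps, one file per partition."""
import hashlib
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class MtdPart(NamedTuple):
    dev: str        # e.g. "mtd0"
    size: int       # partition size in bytes
    erasesize: int  # erase block size in bytes


BOOTLOADER_NAMES = ("u-boot", "Bootloader")  # OpenWrt name, then OEM name
_MTD_LINE = re.compile(r'^(mtd\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]*)"$')


def parse_proc_mtd(text: str) -> Dict[str, MtdPart]:
    """Parse /proc/mtd text into {name: MtdPart}; sizes are hex, header line is skipped."""
    parts: Dict[str, MtdPart] = {}
    for line in text.splitlines():
        m = _MTD_LINE.match(line.strip())
        if m:
            dev, size, erase, name = m.groups()
            parts[name] = MtdPart(dev, int(size, 16), int(erase, 16))
    return parts


def find_bootloader(parts: Dict[str, MtdPart]) -> str:
    """Return whichever bootloader partition name this firmware uses."""
    for name in BOOTLOADER_NAMES:
        if name in parts:
            return name
    raise KeyError("no bootloader partition among %r" % sorted(parts))


def md5_matches(image: bytes, published_md5: str) -> bool:
    """Compare the downloaded uboot.bin with the md5sum published next to it."""
    return hashlib.md5(image).hexdigest() == published_md5.strip().lower()


def check_image_fits(image: bytes, part: MtdPart) -> str:
    """Return '' if image may be written to part, otherwise the reason not to."""
    if not image:
        return "image is empty"
    if len(image) > part.size:
        return "image is %d bytes but the partition holds %d" % (len(image), part.size)
    if image == b"\xff" * len(image):
        return "image is all 0xFF (erased-flash dump, not a bootloader)"
    return ""


def backup_size_mismatches(parts: Dict[str, MtdPart],
                           backup_sizes: Dict[str, int]) -> List[Tuple[str, int, Optional[int]]]:
    """(name, expected, got) for every partition whose dd backup is missing or the wrong size."""
    return [(n, p.size, backup_sizes.get(n)) for n, p in parts.items()
            if backup_sizes.get(n) != p.size]


def verify_written(image: bytes, readback: bytes) -> bool:
    """What 'mtd verify' checks: the partition read back starts with the image bytes."""
    return len(readback) >= len(image) and readback[:len(image)] == image


# Sample layouts taken from the /proc/mtd and 'du -b' outputs posted in this thread.
OPENWRT_PROC_MTD = """\
dev:    size   erasesize  name
mtd0: 00030000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 00010000 00010000 "Bdata"
mtd3: 00010000 00010000 "factory"
mtd4: 00010000 00010000 "crash"
mtd5: 00010000 00010000 "cfg_bak"
mtd6: 00100000 00010000 "overlay"
mtd7: 00e80000 00010000 "firmware"
mtd8: 0027a397 00010000 "kernel"
mtd9: 00c05c69 00010000 "rootfs"
mtd10: 00810000 00010000 "rootfs_data"
"""
OEM_PROC_MTD = """\
dev:    size   erasesize  name
mtd0: 01000000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Bdata"
mtd4: 00010000 00010000 "Factory"
mtd5: 00010000 00010000 "crash"
mtd6: 00010000 00010000 "cfg_bak"
mtd7: 00100000 00010000 "overlay"
mtd8: 00e80000 00010000 "OS1"
mtd9: 00cb0000 00010000 "rootfs"
"""
OEM_BACKUP_SIZES = {"ALL": 16777216, "Bootloader": 196608, "Config": 65536, "Bdata": 65536,
                    "Factory": 65536, "crash": 65536, "cfg_bak": 65536, "overlay": 1048576,
                    "OS1": 15204352, "rootfs": 13303808}

if __name__ == "__main__":
    parts = parse_proc_mtd(OEM_PROC_MTD)
    boot = find_bootloader(parts)
    image = b"\x00" * 150000  # constructed stand-in for uboot.bin
    print(boot, parts[boot], check_image_fits(image, parts[boot]) or "fits")
    print("backup mismatches:", backup_size_mismatches(parts, OEM_BACKUP_SIZES))
```

Paste the router's own /proc/mtd text and 'du -b' figures into the two sample constants (or read them from files) and run this on the host before the scp in step 3; a 16 MiB full-flash dump mistakenly passed as uboot.bin, or an all-0xFF file, is rejected by check_image_fits rather than discovered after 'mtd write'.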

Nice work.

Could you explain why global units aren't supported?

I have one which I bought bricked and was able to recover it thanks to tinypxe and the Chinese firmware.

I wasn't able to get to the breed recovery interface.

Hi,

I can only guarantee the Chinese model, as I don't have the global version to test.

Also, from what I have seen, the Breed layout is slightly different.

But can anyone give me the output of 'cat /proc/mtd' from a global version?

Xiaomi seem to lock both the u-boot and Breed bootloaders, which is the reason you can't access the web interface.

Yes, the BOOTP method will work with the original firmware but not OpenWrt with the manufacturer bootloader. That is the reason I've been doing my own bootloader.

Output from my global unit:

BusyBox v1.33.0 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt SNAPSHOT, r16355-571aedbc6c
 -----------------------------------------------------
root@4A_Gigabit:~# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00030000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 00010000 00010000 "Bdata"
mtd3: 00010000 00010000 "factory"
mtd4: 00010000 00010000 "crash"
mtd5: 00010000 00010000 "cfg_bak"
mtd6: 00100000 00010000 "overlay"
mtd7: 00e80000 00010000 "firmware"
mtd8: 0027a397 00010000 "kernel"
mtd9: 00c05c69 00010000 "rootfs"
mtd10: 00810000 00010000 "rootfs_data"

I would be willing to test if you want.

OK, can you private message me your dmesg output?

You will need to use my new v19.07.7 sysupgrade image to easily update the u-boot and back up your whole flash.

You should be OK, but it is advisable to have a CH341 or SPI programmer at hand to restore the flash if need be.

I will send a link for the sysupgrade file.

I've submitted two pull requests to get this lowered.

https://github.com/openwrt/openwrt/pull/4049 - 21.02 branch

https://github.com/openwrt/openwrt/pull/4048 - master branch

In terms of progress:

Still figuring out the netconsole command response issue.

What has been added, and just a bonus:

  • Most of the u-boot commands are available - memory test, board info etc.
  • Large uImage kernel images can be used and won't overlap
  • SPI read now has dual and quad speed running at 44 MHz, so a noticeable boot-up speed improvement

The main feature, a web server, is working well and can be used to update the main firmware and the u-boot.

The LED works when doing the upgrade process. No more bricks, and easy recovery.


I'm willing to test your new bootloader.
I've got 3 of these routers and a programmer to read/write the EEPROM.

Let me know if my help is useful :)


Hi all,

IF YOU DO NOT have a programmer and have not backed up the flash, DO NOT attempt this!

So, what you need to do first:

Using the fw_printenv command in the SSH shell of the router, or 'printenv ipaddr' from the u-boot console, look for 'ipaddr'. It will show you the u-boot IP address when in u-boot mode; use this for the web interface later.

Backup the flash first!

The following is done from the SSH shell of the router:

1. Back up the mtd partitions - dd if=/dev/mtd0 of=/tmp/uboot.backup, dd if=/dev/mtd1 of=/tmp/bootconfig.backup, and repeat for the other partitions as per the guide above, or use the web interface to download each partition.

2. You can then do 'mtd verify /tmp/uboot.backup "u-boot"' to make sure the backup is the same.

3. Copy my new uboot.bin to the router - scp uboot.bin root@routerip:/tmp

4. Write the new u-boot - 'mtd write /tmp/uboot.bin "u-boot"', then 'mtd verify /tmp/uboot.bin "u-boot"'.

Then reboot the router. Ideally you will have a serial lead connected to the UART pins so you can watch it boot, interrupt it, and press 4 for the u-boot command line.

To test the web interface recovery:

You can enter the u-boot command line and enter 'httpd', or:

Power off, then press and hold reset, then power on, wait for 10 seconds, then try to ping your IP address (ipaddr in u-boot).

In there you can upload new OpenWrt firmware or a u-boot image.

Currently the OEM firmware will need to be repacked if you want to use it with this new u-boot bootloader!

Here is the download link:

https://workupload.com/file/22jUYLEZ5r5

My source code for this


Hello @db260179,

I just bought a Xiaomi Mi Router 4A Gigabit Edition.
It is the international version, shipped with the 3.0.9 ROM.
According to mtd1, my bootloader is U-Boot 1.1.3 (Ralink UBoot Version: 5.0.0.0).

I would like to know if I can replace my bootloader with your new one.
Are there any differences between the INT and CN versions of the U-Boot bootloader?

Thank you.

$ uname -a
Linux XiaoQiang 3.10.14 #1 MiWiFi-R4A-3.0.9 SMP Mon May 11 10:49:51 UTC 2020 mips GNU/Linux
$ cat /proc/mtd
dev:    size   erasesize  name
mtd0: 01000000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Bdata"
mtd4: 00010000 00010000 "Factory"
mtd5: 00010000 00010000 "crash"
mtd6: 00010000 00010000 "cfg_bak"
mtd7: 00100000 00010000 "overlay"
mtd8: 00e80000 00010000 "OS1"
mtd9: 00cb0000 00010000 "rootfs"
$ du -b mtd*
16777216 mtd0.ALL
  196608 mtd1.Bootloader
   65536 mtd2.Config
   65536 mtd3.Bdata
   65536 mtd4.Factory
   65536 mtd5.crash
   65536 mtd6.cfg_bak
 1048576 mtd7.overlay
15204352 mtd8.OS1
13303808 mtd9.rootfs
$ binwalk mtd0.ALL
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
97696         0x17DA0         U-Boot version string, "U-Boot 1.1.3 (May 11 2020 - 10:41:20)"
98248         0x17FC8         CRC32 polynomial table, little endian
458752        0x70000         gzip compressed data, maximum compression, from Unix, last modified: 2021-04-05 11:57:34
524288        0x80000         JFFS2 filesystem, little endian
1572864       0x180000        uImage header, header size: 64 bytes, header CRC: 0x2C301AA6, created: 2020-05-11 10:50:41, image size: 1856493 bytes, Data Address: 0x81001000, Entry Point: 0x813ECCE0, data CRC: 0x9021056, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS OpenWrt Linux-3.10.14"
1572928       0x180040        LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 5458688 bytes       
3473408       0x350000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 12440182 bytes, 2312 inodes, blocksize: 262144 bytes, created: 2020-05-11 10:50:36
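The uImage header that binwalk reports at 0x180000 in the dump above, decoded and CRC-checked in Python as an added example; this is not code from the original post or from U-Boot. The field order follows the legacy image_header_t in U-Boot's include/image.h (magic, header CRC, timestamp, size, load and entry addresses, data CRC, four one-byte type fields, 32-byte name). It is the check to run on a kernel image before uploading it through a recovery page: header CRC covers the header with its own CRC field zeroed, data CRC covers exactly ih_size payload bytes, so a truncated or corrupted upload fails before anything is written. The sample image below reuses the name, load/entry addresses and timestamp binwalk printed but a constructed payload, so its CRC values are not the 0x2C301AA6 / 0x9021056 shown in the thread.

```python
"""Decode and CRC-check a legacy U-Boot uImage header, the 64-byte structure
binwalk reported at 0x180000 above. Added example, not code from the original
post or from U-Boot; the field order follows the legacy image_header_t in
U-Boot's include/image.h. The sample image built below reuses the name,
load and entry addresses binwalk printed but a constructed payload, so its
CRCs are not the ones shown in the thread."""
import struct
import zlib
from typing import NamedTuple

IH_MAGIC = 0x27051956
IH_OS_LINUX, IH_ARCH_MIPS, IH_TYPE_KERNEL, IH_COMP_LZMA = 5, 5, 2, 3
# magic, hcrc, time, size, load, ep, dcrc (u32 BE) + os, arch, type, comp (u8) + name[32]
_HDR = struct.Struct(">7I4B32s")
assert _HDR.size == 64

UImage = NamedTuple("UImage", [("time", int), ("size", int), ("load", int), ("ep", int),
                               ("dcrc", int), ("os", int), ("arch", int), ("type", int),
                               ("comp", int), ("name", str),
                               ("header_ok", bool), ("data_ok", bool)])


def _crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def build_uimage(data: bytes, name: str, load: int, ep: int, time: int = 0,
                 os: int = IH_OS_LINUX, arch: int = IH_ARCH_MIPS,
                 typ: int = IH_TYPE_KERNEL, comp: int = IH_COMP_LZMA) -> bytes:
    """Wrap data in a legacy uImage header with correct data and header CRCs."""
    raw_name = name.encode("ascii")
    if len(raw_name) > 32:
        raise ValueError("image name longer than 32 bytes")
    # the header CRC is computed with the ih_hcrc field itself set to zero
    hdr = _HDR.pack(IH_MAGIC, 0, time, len(data), load, ep, _crc32(data),
                    os, arch, typ, comp, raw_name.ljust(32, b"\0"))
    return hdr[:4] + struct.pack(">I", _crc32(hdr)) + hdr[8:] + data


def parse_uimage(blob: bytes) -> UImage:
    """Decode the header at blob[0:64] and verify both CRCs against blob."""
    if len(blob) < _HDR.size:
        raise ValueError("shorter than a uImage header")
    (magic, hcrc, time, size, load, ep, dcrc,
     os, arch, typ, comp, name) = _HDR.unpack(blob[:_HDR.size])
    if magic != IH_MAGIC:
        raise ValueError("bad magic 0x%08x" % magic)
    header_ok = _crc32(blob[:4] + b"\0\0\0\0" + blob[8:64]) == hcrc
    data = blob[64:64 + size]
    data_ok = len(data) == size and _crc32(data) == dcrc  # also fails if truncated
    return UImage(time, size, load, ep, dcrc, os, arch, typ, comp,
                  name.rstrip(b"\0").decode("ascii", "replace"), header_ok, data_ok)


# Constructed payload: not the real kernel, just bytes to exercise the CRC checks.
SAMPLE_DATA = bytes((i * 7 + 3) & 0xFF for i in range(5000))
SAMPLE_IMAGE = build_uimage(SAMPLE_DATA, "MIPS OpenWrt Linux-3.10.14",
                            load=0x81001000, ep=0x813ECCE0, time=1589194241)

if __name__ == "__main__":
    print(parse_uimage(SAMPLE_IMAGE))
    damaged = bytearray(SAMPLE_IMAGE)
    damaged[-1] ^= 0xFF
    print("damaged payload detected:", not parse_uimage(bytes(damaged)).data_ok)
```

Trailing 0xFF bytes after the payload (erased flash when the image is read back from a partition larger than the image) are ignored because data_ok only covers ih_size bytes, which is why a uImage read from the "kernel" partition still verifies.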

I also have an international version and flashed @db260179's U-Boot mod, and even though I haven't actually tested much yet, it does boot perfectly fine.

If you can send me this bootloader, I can test it.

I don't know what differences there are; mine will work regardless of the u-boot version.

You can upgrade the u-boot to my version from the OEM SSH shell after the exploit, or by installing OpenWrt first and then from there. BUT ideally back up the flash contents first!

I have uploaded the bootloader of my international version at this temp URL : mtd1.Bootloader (U-Boot 1.1.3 R4AG 3.0.9 INT)

@db260179

Just had time to test your U-Boot mod on my international unit running OpenWrt and have had no problems flashing a freshly built snapshot sysupgrade image. Haven't tested anything else atm.

Nice work, and thanks for your free time :ok_hand:

*Just to let users know that when flashing an image from the U-Boot mod recovery UI, all settings are lost.

A few screenshots (images not included):
Thanks for the feedback, Gingernut!

What do you mean by:

Just to let users know that when flashing an image from the U-Boot mod recovery UI all settings are lost.

Because I flashed a sysupgrade image and it wiped the OpenWrt settings, which is normal, but it was just to let users know and to create a backup beforehand.

OK, I see. Yes, the web recovery from u-boot, when flashing the 'firmware' update (main page), will lose the settings, as it's only used for emergency reinstall of OpenWrt or snapshot images.

Updating the u-boot bootloader image from the web recovery won't lose the u-boot settings - just so everyone knows.


Quick question,

I saw you mentioned something about getting your U-Boot mod in line with upstream; is that possible without official support?

It's possible, more so now, due to recent MediaTek patches coming onto the u-boot scene.

With my current hack setup (I'm using a Xiaomi MIR4AG as a guinea pig), I test some of the new patches and reference the old source code.

I'm sure one of the MediaTek engineers would contact me if they could see the current work being done. I suspect they can't be bothered and are happy to carry on releasing 17-year-old u-boot code.

My current u-boot code can be adapted to other mt7621 boards; you just need to compile with the correct memory settings and add flash IDs and size support. Not much to it really, but it needs someone to test on hardware and confirm it.

Luckily for Xiaomi MIR4AG owners, I have the router and can hack around and test.


How would one go about doing this?