Hi Xiaomi Mi 4A Gigabit owners,
NOTE: This only works with units that have the Gigaflash SPI chips, some later models of this router use an unknown flash chips that will brick your router!, you have been warned!!!
I have created a custom u-boot bootloader for the Chinese model, its possible to change global model, but will require more work!
Why have i created this?
Well, standard recovery method for this router is painful and its current u-boot is locked down via the vendor - they use some sort of ssl sha validation on bootp recover on the image.
So in essence, you can only fully recover a bricked firmware if you use their firmware image.
We currently have to use an exploit to change the uboot boot options so that we can install openwrt.
So, over the past few months i have found some mt7621 uboot source code ( easy to find), and set about modifying it to work for the xiaomi mi4ag router.
So the good news is that I have it working and can recover firmware bricks using the web feature when pressing the reset button on power up.
So, the following works:
- Recovery mode via HTTP when pressing reset button on power on
- Upgrade u-boot from same web recovery procedure
- Netconsole - access uboot from network
Firmware that has been tested and works so far:
- My old v19.07 firmware releases - https://gitlab.com/db260179/xiaomi-m4a/-/releases
- Latest source code - https://gitlab.com/db260179/openwrt-base
- araujorm - https://github.com/araujorm/openwrt/releases/
Snapshot and 21.02 release now work due to my recent upstream patch to lower the flash frequency to 50mhz.
IF YOU DO NOT have a programmer and not backed up the flash, DO NOT attempt this!
So, what you need to do first:
Using the fw_printenv command in the ssh shell of the router:
or from the uboot console - 'printenv ipaddr'
Look for the 'ipaddr', will show you the uboot ip address when in uboot mode, use this for the web interface later.
Backup the flash first!
The following is done from the ssh shell of the router:
1. Backup the mtd partitions - dd if=/dev/mtd0 of=/tmp/uboot.backup,dd if=/dev/mtd1 of=/tmp/bootconfig.backup , repeat for other partitions as per guide above, or use the web interface to download each partition.
2. You can then do a 'mtd verify uboot.backup "u-boot", to make sure the backup is the same
3.Copy my new uboot.bin to the router - scp uboot.bin root@routerip:/tmp
4.Write the new uboot - 'mtd write /tmp/uboot.bin "u-boot", then 'mtd verify uboot.bin "u-boot"'
Then reboot router. Ideally you will have the serial lead connected to the uart pins to watch it boot and interrupt and press 4 for uboot command line.
To test the web interface recovery:
You can enter the uboot command line and enter - 'httpd' or
Power off, then press and hold reset, then power on, wait for 10 seconds then, try and ping your ip address (ipaddr in uboot).
In there you can upload new openwrt firmware or a uboot image.
Currently the oem firmware will need to be repacked, if u want to use with this new uboot bootloader!
Here is the download link for the uboot.bin (md5sum as well):
My source code for this
Note to testers: You will need a programmer and have done this recovery procedure before as shown in the xiaomi article on the openwrt forum and website!
My firmware can fully backup the complete flash contents, so make sure to backup before attempting this procedure.