Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit) -- fully supported and flashable with OpenWRTInvasion

This is a complete shot in the dark, but on the Philips Hue bridge we shorted the NOR enable pin to ground, disabling it while uboot was still booting. This halted uboot, and we were able to change the bootdelay and just saveenv. Maybe this trick would work here? (For reference: https://blog.andreibanaru.ro/2018/03/27/philips-hue-2-1-enabling-wifi/ )
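
The "change bootdelay and saveenv" idea above, and the "bad CRC, using default environment" message in the boot log frahe posts later in the thread, both hinge on the U-Boot environment block. The following is an added example in Python (my own code, not anything from the thread or from OpenWrt) that builds, verifies, parses and rewrites such a block the way saveenv does: a 4-byte CRC32 over the rest of the block, followed by NUL-separated `key=value` strings ended by an empty string. The env size of 0x10000 and its location at flash offset 0x30000 are assumptions taken from the `raspi_erase: offs:30000 len:10000` lines in the log, not something the thread confirms; the byte order of the stored CRC is detected rather than assumed, and the sample variables are constructed.

```python
"""Added example: parse and rewrite a U-Boot environment block from a flash dump.
Not code from the thread; layout is the standard U-Boot env format.
ENV_SIZE and the offset 0x30000 are assumptions derived from the boot log."""
import struct
import zlib
from typing import Optional

ENV_SIZE = 0x10000          # assumed from "raspi_erase: offs:30000 len:10000"
ENV_OFFSET = 0x30000        # assumed flash offset of the env block (same log line)


def build_env(vars_: dict, size: int = ENV_SIZE, big_endian: bool = True) -> bytes:
    """Build an env block the way saveenv writes it (constructed test data):
    CRC32 over the body, then "k=v\\0" entries, an empty string terminator,
    and zero padding up to the block size."""
    body = b"".join(f"{k}={v}".encode() + b"\0" for k, v in vars_.items()) + b"\0"
    body = body.ljust(size - 4, b"\0")
    crc = zlib.crc32(body) & 0xFFFFFFFF
    return struct.pack(">I" if big_endian else "<I", crc) + body


def _stored_crc_matches(block: bytes) -> Optional[bool]:
    """Return True if the stored CRC is big-endian and valid, False if it is
    little-endian and valid, None if the block fails the CRC either way."""
    if len(block) < 5:
        return None
    actual = zlib.crc32(block[4:]) & 0xFFFFFFFF
    if struct.unpack(">I", block[:4])[0] == actual:
        return True
    if struct.unpack("<I", block[:4])[0] == actual:
        return False
    return None


def parse_env(block: bytes) -> Optional[dict]:
    """Return the variables if the CRC checks out under either byte order,
    else None (this is the case where U-Boot prints
    '*** Warning - bad CRC, using default environment')."""
    if _stored_crc_matches(block) is None:
        return None
    env = {}
    for entry in block[4:].split(b"\0"):
        if not entry:
            break                     # empty string terminates the list
        k, _, v = entry.partition(b"=")
        env[k.decode()] = v.decode(errors="replace")
    return env


def set_var(block: bytes, key: str, value: str) -> bytes:
    """Change one variable (e.g. bootdelay) and recompute the CRC, which is
    what 'setenv bootdelay 5; saveenv' does from the U-Boot console."""
    big = _stored_crc_matches(block)
    if big is None:
        raise ValueError("env block has an invalid CRC")
    env = parse_env(block)
    env[key] = value
    return build_env(env, len(block), big_endian=big)


def env_from_dump(dump: bytes, offset: int = ENV_OFFSET,
                  size: int = ENV_SIZE) -> Optional[dict]:
    """Pull the env out of a full flash dump read with an external programmer."""
    return parse_env(dump[offset:offset + size])


if __name__ == "__main__":
    # Constructed sample env; 'bc180000' mirrors the kernel address in the log.
    blk = build_env({"bootdelay": "0", "bootcmd": "bootm bc180000"})
    print(parse_env(blk))
    patched = set_var(blk, "bootdelay", "5")
    print(parse_env(patched)["bootdelay"])
    damaged = bytearray(blk)
    damaged[10] ^= 1                  # one flipped bit -> bad CRC -> None
    print(parse_env(bytes(damaged)))
```

Trying both byte orders for the stored CRC matters because the env is written in the bootloader's native endianness, and a dump inspected on a little-endian PC will otherwise look corrupt even when it is fine.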

That's an interesting idea. But we should know which pins we should use. Some more background can be found here:
https://carvesystems.com/news/pin2pwn-how-to-root-an-embedded-linux-box-with-a-sewing-needle/
So we need to interrupt uboot from loading the final image (by disabling the flash after uboot has loaded). Advice for serial flash devices from the page linked above:

  • Short between pins 1 (chip select) and 2 (data out)

Since the pins of the flash chip seem to be accessible it would be worth a try. But not this evening for me. Maybe one should check whether those are the right pins, so as not to brick the device completely.

I dug it out for you: bridge Data Out and GND (source: https://forum.archive.openwrt.org/viewtopic.php?id=66346 4th post by Pepe2k)

You mean pins 2 and 4? Or am I mistaken?

We're playing with generating a hardware failure to force uboot to fall back to the console (if it really does?). This can in general cause other hardware failures.
Be careful. The pins stated in that post were not mentioned in the original post. Always be careful when connecting pins, not to draw too much current and damage a chip.
In general, putting a communication pin of the flash to ground should do it. Maybe with a resistor to limit current, but it has to be small enough to pull down the signal at the pin.

I think I'll wait for my flasher to arrive, I won't take the chance to damage the flash chip...

Actually tested the approach. I worked on pin1 and pin2 of the SPI-Flash.
Summary: No success!

My findings:

  • You really have to short-circuit pin 1 and pin 2. A resistor of 380 Ohm or higher has no effect during boot.
  • I had some success interrupting the boot procedure:
    • You can see an effect during the kernel boot with some error messages, but I wasn't able to get to some console of the kernel. Maybe I wasn't patient enough.
    • I could stop uboot from loading the image (corrupted CRC, see logs below). In most cases it results in a reboot. In some cases the boot halted, but no interaction was possible.

Regarding my pin2pwn link, the developers seem to have followed all the suggestions:

  • Quick boot, so hard to interact.
  • Failure handling and not going to some console
  • They even rewrite some parts of the flash and know at the next boot that something happened.

Maybe someone else might be successful. My next try is reading the flash like described above. The box is still working, so I don't want to stress it too much. The router is still living and working; I hope that I haven't damaged anything.

Log of initial boot and bad CRC for Linux Kernel:

Config XHCI 40M PLL
RT2880_RSTSTAT_REG 0xXXXX
***************************
Board power on Occurred
***************************
flash manufacture id: XX, device id XX XX
find flash: GD25Q128C
============================================
Ralink UBoot Version: 5.0.0.0
--------------------------------------------
ASIC MT7621A DualCore (MAC to MT7530 Mode)
DRAM_CONF_FROM: Auto-Detection
DRAM_TYPE: DDR3
DRAM bus: 16 bit
Xtal Mode=3 OCP Ratio=1/3
Flash component: SPI Flash
Date:Jan 24 2019  Time:07:46:43
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:256, ways:4, linesz:32 ,total:32768

 ##### The CPU freq = 880 MHZ ####
 estimate memory size =128 Mbytes
#Reset_MT7530
set LAN/WAN LLLLW

restore_defaults:0

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.

   n3: System Boot system code via Flash.
Booting System 1
Erasing SPI Flash...
raspi_erase: offs:30000 len:10000
.
Writing to SPI Flash...
.
done
## Booting image at bc180000 ...
   Image Name:   MIPS OpenWrt Linux-3.10.14
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1855537 Bytes =  1.8 MB
   Load Address: 81001000
   Entry Point:  813ecce0
   Verifying Checksum ... Bad Data CRC
Erasing SPI Flash...
raspi_erase: offs:30000 len:10000
.
Writing to SPI Flash...
.
done

Now an automatic reboot:

U-Boot 1.1.3 (Jan 24 2019 - 07:46:43)

Board: Ralink APSoC DRAM:  128 MB
Power on memory test. Memory size= 128 MB...OK!
relocate_code Pointer at: 87fb0000

Config XHCI 40M PLL
RT2880_RSTSTAT_REG 0xc0030004
******************************
Software System Reset Occurred
******************************
...

Sometimes I could cause even more "trouble", which is also handled:

U-Boot 1.1.3 (Jan 24 2019 - 07:46:43)

Board: Ralink APSoC DRAM:  128 MB
Power on memory test. Memory size= 128 MB...OK!
relocate_code Pointer at: 87fb0000

Config XHCI 40M PLL
RT2880_RSTSTAT_REG 0xc0030004
******************************
Software System Reset Occurred
******************************
flash manufacture id: XX, device id XX XX
find flash: GD25Q128C
*** Warning - bad CRC, using default environment
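
The "Verifying Checksum ... Bad Data CRC" line in the log above is U-Boot's legacy uImage check: it first validates the 64-byte header (magic and header CRC), prints the image info, then CRC32s the payload and compares it with the header's data CRC. The following is an added example in Python (my own code, not from the thread or from U-Boot/OpenWrt) that reproduces that verification and scans a flash dump for uImage headers, which is the check you would run on a dump read out with an external programmer before trusting or reflashing it. The header layout is the standard legacy format from U-Boot's `include/image.h`; the sample image is constructed inline. That `bc180000` corresponds to flash offset 0x180000 (SPI flash memory-mapped at 0xBC000000 on MT7621) is my assumption, not something the thread states.

```python
"""Added example: legacy uImage header/data CRC verification as U-Boot does it,
plus a scanner for a raw flash dump. Not code from the thread.
Header: magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name[32]."""
import struct
import zlib

IH_MAGIC = 0x27051956
IH_HEADER_SIZE = 64
IH_FMT = ">IIIIIIIBBBB32s"            # big-endian, 64 bytes in total
FLASH_BASE = 0xBC000000               # assumed MT7621 memory-mapped flash base


def build_uimage(payload: bytes, name: bytes, load: int, ep: int,
                 os_: int = 5, arch: int = 5, typ: int = 2, comp: int = 3) -> bytes:
    """Construct a legacy uImage the way mkimage does (sample data only).
    Defaults: os=5 Linux, arch=5 MIPS, type=2 kernel, comp=3 lzma, which is
    what the log's 'MIPS Linux Kernel Image (lzma compressed)' decodes to."""
    dcrc = zlib.crc32(payload) & 0xFFFFFFFF
    name32 = name.ljust(32, b"\0")
    # Header CRC is computed with the hcrc field itself set to zero.
    hdr = struct.pack(IH_FMT, IH_MAGIC, 0, 0, len(payload), load, ep,
                      dcrc, os_, arch, typ, comp, name32)
    hcrc = zlib.crc32(hdr) & 0xFFFFFFFF
    hdr = struct.pack(IH_FMT, IH_MAGIC, hcrc, 0, len(payload), load, ep,
                      dcrc, os_, arch, typ, comp, name32)
    return hdr + payload


def verify_uimage(blob: bytes) -> dict:
    """Return parsed header fields plus the verdict U-Boot would print.
    Order of checks mirrors bootm: magic, header CRC, then data CRC."""
    if len(blob) < IH_HEADER_SIZE:
        return {"ok": False, "reason": "short header"}
    (magic, hcrc, _time, size, load, ep, dcrc,
     os_, arch, typ, comp, name) = struct.unpack(IH_FMT, blob[:IH_HEADER_SIZE])
    if magic != IH_MAGIC:
        return {"ok": False, "reason": "Bad Magic Number"}
    hdr_zeroed = blob[:4] + b"\0\0\0\0" + blob[8:IH_HEADER_SIZE]
    if zlib.crc32(hdr_zeroed) & 0xFFFFFFFF != hcrc:
        return {"ok": False, "reason": "Bad Header Checksum"}
    data = blob[IH_HEADER_SIZE:IH_HEADER_SIZE + size]
    if len(data) != size:
        return {"ok": False, "reason": "truncated data"}
    data_ok = (zlib.crc32(data) & 0xFFFFFFFF) == dcrc
    return {"ok": data_ok, "reason": "OK" if data_ok else "Bad Data CRC",
            "name": name.rstrip(b"\0").decode(errors="replace"),
            "size": size, "load": load, "entry": ep, "comp": comp}


def scan_for_uimages(dump: bytes, step: int = 0x10000) -> list:
    """Walk a flash dump at erase-block granularity (0x10000, the size the
    log's raspi_erase reports) and report every uImage found with its verdict."""
    magic = struct.pack(">I", IH_MAGIC)
    return [(off, verify_uimage(dump[off:]))
            for off in range(0, len(dump) - IH_HEADER_SIZE + 1, step)
            if dump[off:off + 4] == magic]


def flash_offset(mapped_addr: int) -> int:
    """Translate a U-Boot 'Booting image at ...' address into a dump offset
    (assumes the flash is memory-mapped at FLASH_BASE)."""
    return mapped_addr - FLASH_BASE


if __name__ == "__main__":
    payload = bytes(range(256)) * 16            # constructed stand-in for a kernel
    img = build_uimage(payload, b"MIPS OpenWrt Linux-3.10.14", 0x81001000, 0x813ECCE0)
    print(verify_uimage(img))
    bad = bytearray(img)
    bad[IH_HEADER_SIZE + 100] ^= 0xFF            # one flipped payload byte
    print(verify_uimage(bytes(bad)))            # reason: Bad Data CRC, as in the log
    print(hex(flash_offset(0xBC180000)))
```

Because the header CRC is verified before the data CRC, a shorted data line that corrupts the payload read yields exactly the log above: the image info prints correctly and only the data CRC fails, after which this U-Boot rewrites its env block and reboots rather than dropping to a prompt.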

Hi,

I also tested short-circuiting the SPI flash chip to force U-Boot to stop. The device actually halted, not reaching any type of interaction with the bootloader. Basically, the same as @frahe got.

So sad :frowning:

My flasher arrived. Used Roger's method, worked like a charm :slight_smile:
Only that I compiled the image without Luci... but I can SSH to 192.168.1.1. Oh well, gonna recompile with the stuff I want, configure it my way and do some performance tests. Will post back results.
Thanks Roger!

So far so good, performance-wise. iperf3 (router as server, cable-connected gigabit) between 500 and 900 Mbps, averaging 700. Speed tests to a well-known site get stuck at my ISP limit (100 Mbps), both with cable and 5 GHz WiFi, and vary between 45 and 50 Mbps on 2.4 GHz. All as I hoped, so far. Thanks again.

That's great, @araujorm. Thanks for testing it.

Maybe we should open a PR to have it officially supported, although the flashing method is quite difficult...

2 Likes

Yes, I think it makes sense. The method is not that hard to apply with a bit of patience.

1 Like

@araujorm
How do you configure wifi? I get the problem 'Wireless is not associated' on both 2.4 GHz and 5 GHz.

1 Like

Via Luci web interface, the usual stuff... Did you include it when compiling? Also ensure you have included or installed the wpad package (I used wpad basic variant). Nothing else comes to mind :frowning:

@araujorm

Thanks for your tips. I tried to install hostapd and now the wifi connection works.

1 Like

Hello Guys,

I've just registered to thank you all for your work.

I found this cheap AP on the Chinese Mi store without knowing anything at all about compatibility.

With your information I figured out how to flash the firmware, so I compiled it.
Wifi seems pretty fast but I'll check it better as soon as I can; the link speed seems to be between 650-800 Mbps.

I want to share my personal version of the firmware, maybe it could be helpful for someone. :wink:

Download link

What is included:

Luci https interface with classic and material theme (English and Italian interface)
OpenVPN Client
MJPEG server (useless)
QoS
DDNS
Statistics Graphs
AdBlock and Simple AdBlock

Notes:
Luci is very slow with Chrome, use Firefox instead.
The classic theme does not allow modifying the wifi parameters, use the material theme instead.

Hope it helps.

Enjoy!

Hi guys, what am I doing wrong?

Added the 4-pin header and used an FTDI FT232RL 1232-c but I get no output in PuTTY. The COM port is correct. If I swap RX and TX I get junk appearing in PuTTY.

I flashed a D1 mini NodeMCU as a USB-to-TTL debugger as here https://www.cnx-software.com/2017/04/07/transform-your-esp8266-board-into-a-usb-to-serial-board-easily-with-arduino-serial-bypass-sketch/
but the same happens. With RX and TX the correct way round all I get is a blank screen in PuTTY; however, if I reverse RX and TX then I get junky output in PuTTY.

Tried a second computer and Tera Term just in case.

Any idea? Baud rate maybe? At present it is 9600.

Example of the output from PuTTY when I reverse TX and RX:

▒Т;▒▒;;#▒
▒#7#▒▒▒3▒"3*";6#'▒▒"▒""2▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒R▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒&.▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒j7#+▒▒▒▒▒"3*f
▒:&▒7▒*:***▒::▒***:**▒▒"32:&:▒▒▒3▒"▒▒▒#""r+"▒"▒;▒>▒▒▒▒▒▒W▒R▒▒▒▒W▒�_▒b▒_▒Gf�▒/W▒b7
(several more lines of the same garbled output)



Your adapter RX must be the board's TX, and your adapter TX must be the board's RX, that's why you only see output that way - that is the correct way.

Baud rate that worked for me was 115200. Can you try that?

1 Like

hahaha, I just figured out exactly what you said, then came back to post my success and saw your answer.

baud 115200

That was scary: got to U-Boot and did setenv uart, telnet, SSH and then reboot, and it kernel panicked every time.

In the end I used option 1 and uploaded image from TFTP.

This is certainly not for the faint of heart