Xiaomi Mi Router 4A Gigabit Edition (R4AG/R4A Gigabit): fully supported but requires overwriting SPI flash with programmer

Hi there,

A few days ago, a colleague from eXO pointed me to this new device by Xiaomi, which would be very nice to have supported by OpenWrt so we can use it in our community network. I ordered it from a well-known on-line shop and I just received it, so I'll be posting here any updates on adding support for it.

Main specifications

  • SoC: MediaTek MT7621
  • RAM: 128 MB
  • Flash: 16 MB SPI flash
  • Ethernet: 3x10/100/1000 Mbps (2xLAN, 1xWAN)
  • WiFi: dual band, 802.11bgn + 802.11ac

Pictures

IMPORTANT NOTICE
This post is not a tutorial on how to flash OpenWrt on the device; I am just showing what I've discovered so far regarding this device. If you try anything on your device and void its warranty, break it, or if you injure yourself or someone else, I take no responsibility. You've been warned.

TTL UART
The first thing I do is solder some cables to the UART pins on the board and connect them to a TTL to USB adapter. I can see the usual Linux output from a router but, unfortunately, I can't interact with it: I can't stop U-Boot from booting automatically and I can't enter the command line interface once the stock firmware has booted.

Stock firmware bootlog
Here you can see the full bootloader and stock firmware bootlogs:

No SSH/Telnet on the stock firmware
The router has, by default, the address 192.168.31.1/24. I try to SSH or telnet it, but the connection is refused.

First OpenWrt support attempt
Based on the information I collect from the stock firmware bootlog, I add basic support for the device. You can see my git branch here: https://github.com/rogerpueyo/openwrt/tree/xiaomi-mi-router-4a-1000m-gigabit-edition_wip

The stock firmware's web interface is a heavily modified LuCI, with a section for updating the firmware. It can search and download an image from the vendor's website, but it also allows manually uploading a firmware file. I try to upload my recently created openwrt-ramips-mt7621-xiaomi_mir4a-gigabit-squashfs-sysupgrade.bin, but the router refuses to flash it.

When the reset button is pressed during power-on, the stock bootloader starts a TFTP client to download and flash a firmware image. I set up a TFTP server on my computer and send an image file. Unfortunately, the bootloader does not like it:

Log of the stock U-Boot refusing the firmware image via TFTP:
BOOTP broadcast 2
DHCPHandler: got packet: (src=67, dst=68, len=300) state: 3
Filtering pkt = 0
DHCPHandler: got DHCP packet: (src=67, dst=68, len=300) state: 3
DHCP: state=SELECTING bp_file: "test.bin"
TRANSITIONING TO REQUESTING STATE
*** Unhandled DHCP Option in OFFER/ACK: 28
Bootfile: test.bin
DhcpSendRequestPkt: Sending DHCPREQUEST
Transmitting DHCPREQUEST packet: len = 343
DHCPHandler: got packet: (src=67, dst=68, len=300) state: 4
Filtering pkt = 0
DHCPHandler: got DHCP packet: (src=67, dst=68, len=300) state: 4
DHCP State: REQUESTING
*** Unhandled DHCP Option in OFFER/ACK: 28
Bootfile: test.bin
DHCP client bound to address 192.168.31.100
TFTP from server 192.168.31.2; our IP address is 192.168.31.100
Filename 'test.bin'.

 TIMEOUT_COUNT=10,Load address: 0x82000000
Loading: Got ARP REPLY, set server/gtwy eth addr (00:1e:00:1e:1e:b1)
Got it
#################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################Got ARP REQUEST, return our IP
################################################
	 #################################################################
	 #################################################################
	 ###########
done
Bytes transferred = 4380578 (42d7a2 hex)
LoadAddr=82000000 NetBootFileXferSize= 0042d7a2
TRX MAGIC error!
Header check error!
Image verify failed!
========Upgrade fail!========

Nevertheless, I've noticed that if during the TFTP file loading process I hit CTRL+C, the process stops:

 TIMEOUT_COUNT=10,Load address: 0x82000000
Loading: Got ARP REPLY, set server/gtwy eth addr (00:1e:00:1e:1e:b1)
Got it
#################################################################
	 ##################################
Abort
========Upgrade fail!========

This is good! It means the UART's RX port is active and U-Boot is receiving the command.

Dumping the SPI FLASH memory
Since I am unable to get access to the console or the bootloader, neither remotely (SSH/Telnet) nor using the UART, maybe it's time to see what's inside the FLASH memory.

With a CH341 USB SPI serial programmer and an SPI clamp, both of which you can buy from a well-known on-line shop, I dump the whole content of the SPI FLASH memory to my computer. To do so, I use this very nice tool: ch341prog. Here is a picture of the whole thing in action:

A small detail: the SPI FLASH chip (or the whole router board, probably) draws too much power from the CH341, so I have to add some "extra" power by connecting the programmer's 3.3V pin to the USB to TTL's 3.3V pin to somehow "sum" the total amount of power on the 3.3V rail. It's a nasty trick from the formal point of view, but it does the thing.

Extracting the SPI FLASH memory content using binwalk
I use binwalk to see what's inside the router's SPI FLASH now that I have it dumped on my computer:

binwalk -e spi_flash.dump 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
97696         0x17DA0         U-Boot version string, "U-Boot 1.1.3 (Jan 24 2019 - 07:46:43)"
98248         0x17FC8         CRC32 polynomial table, little endian

WARNING: Extractor.execute failed to run external extractor 'jefferson -d '%%jffs2-root%%' '%e'': [Errno 2] No such file or directory: 'jefferson'
524288        0x80000         JFFS2 filesystem, little endian
1572864       0x180000        uImage header, header size: 64 bytes, header CRC: 0xD8422C49, created: 2019-01-24 07:54:52, image size: 1855537 bytes, Data Address: 0x81001000, Entry Point: 0x813ECCE0, data CRC: 0xC26BDD0D, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS OpenWrt Linux-3.10.14"
1572928       0x180040        LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 5458688 bytes
2705694       0x29491E        COBALT boot rom data (Flat boot rom or file system)
3473408       0x350000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 11348484 bytes, 2236 inodes, blocksize: 262144 bytes, created: 2019-01-24 07:54:48

WARNING: Extractor.execute failed to run external extractor 'jefferson -d '%%jffs2-root%%' '%e'': [Errno 2] No such file or directory: 'jefferson'
15204352      0xE80000        JFFS2 filesystem, little endian

I see that the Squashfs partition contains the usual Ralink SDK based on OpenWrt 12.09.1. For instance:

$ cat _spi_flash.dump.extracted/squashfs-root/etc/openwrt_release 
DISTRIB_ID="OpenWrt"
DISTRIB_RELEASE="Attitude Adjustment"
DISTRIB_REVISION="unknown"
DISTRIB_CODENAME="attitude_adjustment"
DISTRIB_TARGET="ramips/mt7621"
DISTRIB_DESCRIPTION="OpenWrt Attitude Adjustment 12.09.1"

Modifying the U-Boot bootloader timeout with Bless
As the U-Boot bootlog above shows, the bootloader shows the usual options (booting from TFTP, flashing an image, etc.) but it does not wait for the user's command with a countdown, it boots straight ahead:

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.
 
   n3: System Boot system code via Flash.

Using the Bless hex editor I open the SPI FLASH dump and find the "bootdelay" parameter at 0x19690 is set to "off":

I can change the value to something more convenient, say 5 seconds to, hopefully, be able to interact with the bootloader:

Using the ch341prog tool I erase the router's SPI FLASH chip and write the modified dump. Fortunately, the result is satisfactory and I can now stop the bootloader's countdown and interact with it:

Ralink UBoot Version: 5.0.0.0
-------------------------------------------- 
ASIC MT7621A DualCore (MAC to MT7530 Mode)
DRAM_CONF_FROM: Auto-Detection 
DRAM_TYPE: DDR3 
DRAM bus: 16 bit
Xtal Mode=3 OCP Ratio=1/3
Flash component: SPI Flash
Date:Jan 24 2019  Time:07:46:43
============================================ 
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:256, ways:4, linesz:32 ,total:32768 

 ##### The CPU freq = 880 MHZ #### 
 estimate memory size =128 Mbytes
#Reset_MT7530
set LAN/WAN LLLLW

restore_defaults:1

Please choose the operation: 
   1: Load system code to SDRAM via TFTP. 
   2: Load system code then write to Flash via TFTP. 
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial. 
   9: Load Boot Loader code then write to Flash via TFTP. 
 2 
You choosed 4

 0 

   
4: System Enter Boot Command Line Interface.

U-Boot 1.1.3 (Jan 24 2019 - 07:46:43)
MT7621 # ?
?       - alias for 'help'
bootm   - boot application image from memory
cp      - memory copy
dhcp	- invoke DHCP client to obtain IP/boot params
intena   - intena
intena   - intena
erase   - erase SPI FLASH memory
go      - start application at address 'addr'
help    - print online help
loadb   - load binary file over serial line (kermit mode)
md      - memory display
mdio   - Ralink PHY register R/W command !!
mm      - memory modify (auto-incrementing)
mt   - mt cnt start size
nm      - memory modify (constant address)
printenv- print environment variables
readcnt   - readcnt
reset   - Perform RESET of the CPU
rf      - read/write rf register
saveenv - save environment variables to persistent storage
setenv  - set environment variables
spi	- spi command
tftpboot- boot image via network using TFTP protocol
trap_init   - trap_init
version - print monitor version

Amazing!

Booting an initramfs image via TFTP
Now that I can interact with U-Boot, I can send the initramfs image I generated to the device via TFTP:

Ralink UBoot Version: 5.0.0.0
-------------------------------------------- 
ASIC MT7621A DualCore (MAC to MT7530 Mode)
DRAM_CONF_FROM: Auto-Detection 
DRAM_TYPE: DDR3 
DRAM bus: 16 bit
Xtal Mode=3 OCP Ratio=1/3
Flash component: SPI Flash
Date:Jan 24 2019  Time:07:46:43
============================================ 
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:256, ways:4, linesz:32 ,total:32768 

 ##### The CPU freq = 880 MHZ #### 
 estimate memory size =128 Mbytes
#Reset_MT7530
set LAN/WAN LLLLW

restore_defaults:1

Please choose the operation: 
   1: Load system code to SDRAM via TFTP. 
   2: Load system code then write to Flash via TFTP. 
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial. 
   9: Load Boot Loader code then write to Flash via TFTP. 

You choosed 1

 0 

   
1: System Load Linux to SDRAM via TFTP. 
 Please Input new ones /or Ctrl-C to discard
	Input device IP (192.168.31.1) ==:192.168.31.1
	Input server IP (192.168.31.2) ==:192.168.31.2
	Input Linux Kernel filename (test.bin) ==:test.bin

 NetTxPacket = 0x87FE52C0 

 KSEG1ADDR(NetTxPacket) = 0xA7FE52C0 

 NetLoop,call eth_halt ! 

 NetLoop,call eth_init ! 
Trying Eth0 (10/100-M)

 Waitting for RX_DMA_BUSY status Start... done


 ETH_STATE_ACTIVE!! 
TFTP from server 192.168.31.2; our IP address is 192.168.31.1
Filename 'test.bin'.

 TIMEOUT_COUNT=10,Load address: 0x80a00000
Loading: Got ARP REPLY, set server/gtwy eth addr (00:1e:00:1e:1e:b1)
Got it
#################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #######################################################Got ARP REQUEST, return our IP
##########
	 #################################################################
	 #################################################################
	 ###########
done
Bytes transferred = 4380578 (42d7a2 hex)
LoadAddr=80a00000 NetBootFileXferSize= 0042d7a2
Automatic boot of image at addr 0x80A00000 ...
## Booting image at 80a00000 ...
   Image Name:   MIPS OpenWrt Linux-4.14.115
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    4380514 Bytes =  4.2 MB
   Load Address: 80001000
   Entry Point:  80001000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
Erasing SPI Flash...
raspi_erase: offs:30000 len:10000
.
Writing to SPI Flash...
.
done
commandline uart_en=0 factory_mode=0 mem=128m root=/dev/mtdblock9
No initrd
## Transferring control to Linux (at address 80001000) ...
## Giving linux memsize in MB, 128

Starting kernel ...

[    0.000000] Linux version 4.14.115 (chumba@wamba) (gcc version 7.4.0 (OpenWrt GCC 7.4.0 r9945-bc85640cdc)) #0 SMP Wed May 8 19:40:47 2019
[    0.000000] SoC Type: MediaTek MT7621 ver:1 eco:3
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 0001992f (MIPS 1004Kc)
[    0.000000] MIPS: machine is Xiaomi Mi Router 4A Gigabit Edition
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] VPE topology {2,2} total 4
[    0.000000] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.000000] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[etc.]

Please press Enter to activate this console.



BusyBox v1.30.1 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt SNAPSHOT, r9946-7c970cba98
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:/# cat /tmp/sysinfo/board_name 
xiaomi,mir4a-gigabit

That's very good!

Summary: what's working, what's missing

  • Working
    • SoC/RAM/FLASH detection
    • Ethernet
    • Wireless
    • Reset button
    • LEDS (1x blue, 1x orange)
  • Missing
    • Sysupgrade
    • Factory image
7 Likes
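
Added example, not part of the original post: before erasing the chip and writing a modified dump back, the kernel uImage that binwalk found at 0x180000 can be used to check that the dump was read correctly, since its 64-byte header carries a header CRC and a data CRC. The layout is the legacy U-Boot image header; the function names and the sample image are constructed for illustration.

```python
import struct
import zlib
from typing import NamedTuple

UIMAGE_MAGIC = 0x27051956
# Legacy U-Boot image header: 7 big-endian 32-bit words, 4 type bytes, 32-byte name.
HEADER = struct.Struct(">7I4B32s")
KERNEL_OFFSET = 0x180000  # where binwalk reported the uImage header in the dump


class UImageCheck(NamedTuple):
    name: str
    size: int
    load: int
    entry: int
    header_crc_ok: bool
    data_crc_ok: bool


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def check_uimage(dump: bytes, offset: int = KERNEL_OFFSET) -> UImageCheck:
    """Validate both CRCs of the uImage found at `offset` in a flash dump."""
    raw = dump[offset:offset + HEADER.size]
    if len(raw) < HEADER.size:
        raise ValueError("dump ends before the uImage header")
    (magic, hcrc, _time, size, load, entry, dcrc,
     _os, _arch, _type, _comp, name) = HEADER.unpack(raw)
    if magic != UIMAGE_MAGIC:
        raise ValueError(f"no uImage magic at 0x{offset:X}")
    # The header CRC is calculated with its own field set to zero.
    header_ok = crc32(raw[:4] + bytes(4) + raw[8:]) == hcrc
    start = offset + HEADER.size
    payload = dump[start:start + size]
    # A truncated dump yields a short payload, which must count as a failure.
    data_ok = len(payload) == size and crc32(payload) == dcrc
    return UImageCheck(name.split(b"\x00")[0].decode("ascii", "replace"),
                       size, load, entry, header_ok, data_ok)


def build_sample_dump() -> bytes:
    """Constructed sample: blank flash with a small uImage at KERNEL_OFFSET."""
    payload = bytes(range(256)) * 8  # stand-in for the LZMA-compressed kernel
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x81001000, 0x813ECCE0,
              crc32(payload), 5, 5, 2, 3, b"constructed sample kernel"]
    fields[1] = crc32(HEADER.pack(*fields))  # header CRC over the zeroed field
    image = HEADER.pack(*fields) + payload
    dump = bytearray(b"\xff" * (KERNEL_OFFSET + len(image) + 0x1000))
    dump[KERNEL_OFFSET:KERNEL_OFFSET + len(image)] = image
    return bytes(dump)


if __name__ == "__main__":
    good = build_sample_dump()
    print("clean read:    ", check_uimage(good))
    bad = bytearray(good)
    bad[KERNEL_OFFSET + HEADER.size + 100] ^= 0x01  # simulate one flipped bit
    print("corrupted read:", check_uimage(bytes(bad)))
```

A dump that fails either CRC should be read again rather than edited and written back.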

Enabling the UART on the stock firmware
Now that U-boot waits for 5 seconds for the user's input, I can stop the autoboot and go to the command line interface:

Please choose the operation: 
   1: Load system code to SDRAM via TFTP. 
   2: Load system code then write to Flash via TFTP. 
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial. 
   9: Load Boot Loader code then write to Flash via TFTP. 

You choosed 4

 0 

   
4: System Enter Boot Command Line Interface.

U-Boot 1.1.3 (Jan 24 2019 - 07:46:43)
MT7621 # 

The printenv command shows interesting information:

MT7621 # printenv
bootcmd=tftp
bootdelay=5
ethaddr="00:AA:BB:CC:DD:10"
ipaddr=192.168.31.1
serverip=192.168.31.100
model=R4A
restore_defaults=0
flag_boot_type=2
mode=Router
SN=XXXXX/YYYYMMDD
uart_en=0
telnet_en=0
wl0_ssid=Xiaomi_AAAA_5G
flag_ota_reboot=0
wl1_ssid=Xiaomi_AAAA
wl0_radio=1
wl1_radio=1
flag_last_success=0
boot_wait=off
no_wifi_dev_times=0
CountryCode=CN
color=101
nv_wan_type=dhcp
flag_boot_success=1
flag_try_sys1_failed=0
flag_try_sys2_failed=0
normal_firmware_md5=e7fd515ea6aab94b4baaaaaaaaaaaaaa
Router_unconfigured=0
nv_sys_pwd=c86d918318312245aaaaaaaaaaaaaaaaaaaaaaaa
nv_wifi_ssid=My_own_SSID
nv_wifi_enc=mixed-psk
nv_wifi_pwd=My_WiFi_Password
nv_wifi_ssid1=My_own_SSID_5G
nv_wifi_enc1=mixed-psk
nv_wifi_pwd1=My_WiFi_Password
flag_boot_rootfs=0
stdin=serial
stdout=serial
stderr=serial

Environment size: 778/4092 bytes

Bear in mind I am posting manually edited values for SN, wl0_ssid, wl1_ssid, normal_firmware_md5, nv_sys_pwd, nv_wifi_ssid, nv_wifi_pwd, nv_wifi_ssid1 and nv_wifi_pwd1.

It's worth noticing the uart_en and telnet_en settings, set to zero. These two settings appear a few times throughout the firmware, in the settings' backup partitions, together with the ssh_en option (which is not in U-Boot's environment). I try to set the three of them to 1:

MT7621 # setenv uart_en 1
MT7621 # setenv telnet_en 1
MT7621 # setenv ssh_en 1
MT7621 # saveenv
Saving Environment to SPI Flash...
Erasing SPI Flash...
raspi_erase: offs:30000 len:10000
.
Writing to SPI Flash...
.
done

and reboot.

With the U-Boot settings modified, I boot to the stock firmware and the UART is enabled and displays a nice welcome message:

Thu Jan 24 15:54:46 CST 2019 boot_check[6116]: Booting up finished.



BusyBox v1.19.4 (2019-01-24 07:43:07 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.

 -----------------------------------------------------
       Welcome to XiaoQiang!
 -----------------------------------------------------
  $$$$$$\  $$$$$$$\  $$$$$$$$\      $$\      $$\        $$$$$$\  $$\   $$\
 $$  __$$\ $$  __$$\ $$  _____|     $$ |     $$ |      $$  __$$\ $$ | $$  |
 $$ /  $$ |$$ |  $$ |$$ |           $$ |     $$ |      $$ /  $$ |$$ |$$  /
 $$$$$$$$ |$$$$$$$  |$$$$$\         $$ |     $$ |      $$ |  $$ |$$$$$  /
 $$  __$$ |$$  __$$< $$  __|        $$ |     $$ |      $$ |  $$ |$$  $$<
 $$ |  $$ |$$ |  $$ |$$ |           $$ |     $$ |      $$ |  $$ |$$ |\$$\
 $$ |  $$ |$$ |  $$ |$$$$$$$$\       $$$$$$$$$  |       $$$$$$  |$$ | \$$\
 \__|  \__|\__|  \__|\________|      \_________/        \______/ \__|  \__|


root@XiaoQiang:/# cat /tmp/sysinfo/board_name 
generic
root@XiaoQiang:/# uname -a
Linux XiaoQiang 3.10.14 #1 MiWiFi-R4A-2.28.37 SMP Thu Jan 24 07:53:59 UTC 2019 mips GNU/Linux

More to come soon, hopefully.

3 Likes
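
Added example, not part of the original post: a read-only audit of the U-Boot environment inside an SPI flash dump, flagging the debug switches and stored secrets of the kind the printenv output above shows. It assumes the environment sits at offset 0x30000 (the offset saveenv erases in the log) as a little-endian CRC32 followed by 4092 bytes of NUL-separated key=value data; the function names, the secret-name patterns and the sample dump are constructed for illustration.

```python
import struct
import zlib

# Assumed layout (not spelled out on the page): the block saveenv rewrites at
# flash offset 0x30000 starts with a little-endian CRC32, followed by 4092 bytes
# of NUL-separated key=value strings ("Environment size: 778/4092 bytes").
ENV_OFFSET = 0x30000
ENV_SIZE = 0x1000

DEBUG_SWITCHES = ("uart_en", "telnet_en", "ssh_en")
SECRET_HINTS = ("pwd", "pass", "key")  # hypothetical name patterns for secrets


def parse_env(flash, offset=ENV_OFFSET, size=ENV_SIZE):
    """Return (crc_ok, variables) for the environment block inside a dump."""
    block = flash[offset:offset + size]
    if len(block) < size:
        raise ValueError("dump is too short to contain the environment block")
    (stored_crc,) = struct.unpack_from("<I", block, 0)
    data = block[4:]
    crc_ok = stored_crc == (zlib.crc32(data) & 0xFFFFFFFF)
    variables = {}
    for entry in data.split(b"\x00"):
        if not entry:
            break  # an empty string marks the end of the variable list
        key, sep, value = entry.partition(b"=")
        if sep:
            variables[key.decode("ascii", "replace")] = value.decode("ascii", "replace")
    return crc_ok, variables


def audit_env(variables):
    """List (finding, variable) pairs worth reviewing before sharing a dump."""
    findings = []
    for name in DEBUG_SWITCHES:
        if variables.get(name) == "1":
            findings.append(("debug-interface-enabled", name))
    delay = variables.get("bootdelay", "")
    if delay.isdigit() and int(delay) > 0:
        findings.append(("bootloader-interruptible", "bootdelay"))
    for name, value in variables.items():
        if value and any(hint in name.lower() for hint in SECRET_HINTS):
            findings.append(("secret-in-environment", name))
    return findings


def build_sample_env_dump():
    """Constructed sample: blank 256 KiB flash holding one environment block."""
    pairs = [("bootdelay", "5"), ("uart_en", "0"), ("telnet_en", "1"),
             ("nv_sys_pwd", "EXAMPLEHASH"), ("nv_wifi_pwd", "ExamplePassphrase"),
             ("mode", "Router")]
    body = b"".join(f"{k}={v}".encode() + b"\x00" for k, v in pairs) + b"\x00"
    data = body.ljust(ENV_SIZE - 4, b"\x00")
    block = struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) + data
    flash = bytearray(b"\xff" * 0x40000)
    flash[ENV_OFFSET:ENV_OFFSET + ENV_SIZE] = block
    return bytes(flash)


if __name__ == "__main__":
    crc_ok, env = parse_env(build_sample_env_dump())
    print("environment CRC valid:", crc_ok)
    for finding, name in audit_env(env):
        print(f"{finding}: {name}")
```

The same findings are what need redacting before a dump or a printenv listing is posted publicly.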

Unable to upgrade to OpenWrt from the stock firmware's web GUI nor from U-Boot TFTP recovery function
The stock firmware checks that the binary firmware files that are uploaded to the router are properly signed with the manufacturer's RSA key. No signature, no upgrade. :frowning:

Right now, the only option to install OpenWrt is to dump the SPI flash contents, change the bootloader's settings so that it waits a few seconds for the user's input, and flash it back to the device (e.g., using an SPI programmer). Once there, a regular sysupgrade image can be loaded via option 2: Load system code then write to Flash via TFTP., which does not check for the image's RSA signature.

Therefore, the router is, as per https://github.com/rogerpueyo/openwrt/tree/xiaomi-mi-router-4a-1000m-gigabit-edition_wip, fully supported by OpenWrt but not [easily] upgradable.

4 Likes

Awesome job! The first really significant step forward for that router!
The check against the RSA key is done in the bootloader, if I understand it well, and that ROM could not be modified. So that means you should put the UART port outside the router case and, when you need to update the firmware, you should put the new firmware on a TFTP server, connect to the UART, reboot the router and choose option 2... Not really fun.

What have you changed in your OpenWrt repository?

Hi @Singman33,

Thanks! :slight_smile: Let's see if somebody can go beyond this now.

Yes, the RSA signature is done in the bootloader, and also on the stock firmware. Therefore, if you try to modify the manufacturer's firmware image (there is an updated one at miwifi.com), or if you try to upload a custom one using the TFTP recovery method or via the web interface, the router refuses to flash it.

Once you dump the firmware directly from the SPI memory chip, modify it to allow stopping the bootloader and write it back using the SPI flasher, you have the following options:

  • From the bootloader, select option "1" to upload an OpenWrt initramfs image to RAM, boot it and perform a sysupgrade
  • From the bootloader, select option "2" to upload an OpenWrt sysupgrade image to RAM, write it to the SPI memory and boot it normally
  • From the bootloader, select option "4" to enter U-boot's console and modify the "uart_en" parameter to enable the UART on the stock firmware. Boot the stock firmware and, using the UART, download a sysupgrade image and write it to the flash memory (I haven't tried it)

Bear in mind that the stock firmware, I think, when you recover the factory default settings, overwrites the bootloader's bootdelay=5 option and sets it back to 0, so you have to start the whole thing from scratch. :woman_facepalming:

You can check the commits (actually, it's just one) here: https://github.com/rogerpueyo/openwrt/commits/xiaomi-mi-router-4a-1000m-gigabit-edition_wip

I've opened my Xiaomi wifi router 4 and, surprise! It's not the same as yours!
I will post some pictures later but the PCB is marked "M41_R0202 2018/03/27".
The major problem is I can't find the SPI chip :slight_smile:

@Singman33, may we see the pics? :slight_smile:

Xiaomi Mi WiFi Router 3G [1] looks very similar to Xiaomi Mi Router 4A Gigabit Edition [2]

Would they share the same procedure to install openwrt? [3]

[1] https://www.aliexpress.com/item/32923946559.html
[2] https://www.aliexpress.com/item/33001460205.html
[3] https://openwrt.org/toh/xiaomi/mir3g#installation

Please look at the specs. They differ in the type of memory they use (MiR3G has NAND flash, Mi4A GbE has SPI flash).

No, so far. None of the methods for the former can be applied to the latter:

  • There is no such "development" image with SSH enabled for the Mi4A GbE
  • The Mi4A GbE has no USB
  • The UART is read-only on the Mi4A GbE

Hi. I have a new router with the global firmware (English language). (Example: https://ru.aliexpress.com/item/33043866005.html)
How can I copy the global firmware to the Chinese version of the router?

Would it be possible to use this approach: https://d13ht01.tk/engineering/20190601/hacking-mi-router-4/
Seems like the router allows access to the uboot console on the first boot (after reset to factory settings). Then uboot can be flashed and we should be ready to install openwrt. My mi4a router is on the way, so no possibility to test at the moment.

I've tried that approach but had no success. Pressed the reset button and watched the boot process connected with a UART adapter but no chance to interact. Still I might have missed something, would be great if others could confirm.

Unfortunately I also wasn't able to interrupt the boot process. Maybe nothing new: holding the reset button during power-on lets the router obtain an IP and search for a boot image (see log below). Could that help?

U-Boot 1.1.3 (Jan 24 2019 - 07:46:43)

Board: Ralink APSoC DRAM:  128 MB
Power on memory test. Memory size= 128 MB...OK!
relocate_code Pointer at: 87fb0000

Config XHCI 40M PLL
RT2880_RSTSTAT_REG 0xXXXXXXX
***************************
Board power on Occurred
***************************
flash manufacture id: XX, device id XX XX
find flash: GD25Q128C
============================================
Ralink UBoot Version: 5.0.0.0
--------------------------------------------
ASIC MT7621A DualCore (MAC to MT7530 Mode)
DRAM_CONF_FROM: Auto-Detection
DRAM_TYPE: DDR3
DRAM bus: 16 bit
Xtal Mode=3 OCP Ratio=1/3
Flash component: SPI Flash
Date:Jan 24 2019  Time:07:46:43
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:256, ways:4, linesz:32 ,total:32768

 ##### The CPU freq = 880 MHZ ####
 estimate memory size =128 Mbytes
#Reset_MT7530
set LAN/WAN LLLLW

restore_defaults:0


 NetTxPacket = 0xXXXXXXX

 KSEG1ADDR(NetTxPacket) = 0xXXXXXXX

 NetLoop,call eth_halt !

 NetLoop,call eth_init !
Trying Eth0 (10/100-M)

 Waitting for RX_DMA_BUSY status Start... done


 ETH_STATE_ACTIVE!!
BOOTP broadcast 1
DHCPHandler: got packet: (src=XXXXX, dst=XXXX, len=174) state: 3
Filtering pkt = -1

 NetOurIP
....

Ctrl-C will interrupt the process. So interaction works, but no possibility to interact further or during boot. Pretty sad...

Yes, pretty much what Roger described. That process is to flash an official firmware image, that must be in a proprietary format and RSA signed with a private key that only Xiaomi has. I confirm you can use it to downgrade the firmware, but not to a custom one like openwrt. So it's basically useless for us at the moment.

I'm waiting for an SPI flasher to arrive to use Roger's method, but it may still take some weeks until I can say if I'm successful installing openwrt on mine. On the positive side, these flashers are pretty cheap... unless I bought the wrong one... let's see later.

I'll also try to write directly to the SPI flash. Just ordered a programmer. But here my experience ends. Wouldn't it be possible to write a complete basic image with the right uboot and openwrt with the SPI programmer? It would be really great to have that with the right instructions.
Even with a dumped original image, shouldn't it be possible to 'debrick' the router in case of problems?
I think I'm missing that the MAC address is stored in flash. Could that be a problem?

I believe that with the original dump one will always be able to debrick if needed, but this will be my first experiment with a flasher.

Anyway, once you "unlock" the bootloader, by setting it to be possible to interact, from then on you won't need to flash it again using the hardware flasher. From then on, you'll only flash the system partition where your custom ROM (e.g. openwrt) will be. So, unless something unlikely happens to the bootloader, all you'll need to debrick will be to connect to the console via TTL UART and have a TFTP server with your openwrt image at hand. That's trivial if you're comfortable with Linux and have it on your PC (a VM will also do).

And for normal sysupgrades, after the first openwrt install, you'll be able to do it from the web interface.

And just for the record, I was able to connect to the TTL UART without soldering anything. Just place 3 dupont 2.5mm connectors on the little holes (for TX, GND and RX), and as long as they make contact, it does the trick.

Thanks for the trick. I used something similar: taking a three-pin header and bending the central pin a little. The header then clamps itself in the holes. Makes a relatively safe contact. On the pins you can use whatever you want.

Use Roger's repo/branch, and instead of "Default Profile", select "Xiaomi Mi Router 4A Gigabit Edition". Be mindful that the official repo does not have that option (yet). The link to Roger's repo/branch is above on this thread.

The rest of the defaults should be enough for starters, but until I'm able to unlock my router, I can't advise much more.

After building, there should be a sysupgrade image somewhere inside the "bin" subfolder.

Good luck :slight_smile:

Thanks a lot for the quick reply. In the first attempt I didn't download the right version, so there were no menu items for the xiaomi R4A. After downloading the right version everything is ok (therefore deleted the post).
I'm able to generate the image, so far it looks good. Now just waiting for the flash writer.... It will arrive in 4 weeks...

Flashing OpenWrt from the stock firmware's CLI

I rebased my xiaomi-mi-router-4a-1000m-gigabit-edition_wip branch with the current master (as of 24th July 2019), you may want to give it a try. Still I haven't found any way to access the router other than modifying the bootloader and overwriting the SPI flash, though.

Anyway, once you can enter the router using the UART port, on the CLI, this is the simplest way I found to flash OpenWrt:

root@XiaoQiang:/# cd /tmp/
root@XiaoQiang:/tmp# wget http://your_server_address/openwrt-ramips-mt7621-xiaomi_mir4a-gigabit-squashfs-sysupgrade.bin
root@XiaoQiang:/tmp# mtd -e OS1 -r write openwrt-ramips-mt7621-xiaomi_mir4a-gigabit-squashfs-sysupgrade.bin OS1
Unlocking OS1 ...
Erasing OS1 ...

Writing from openwrt-ramips-mt7621-xiaomi_mir4a-gigabit-squashfs-sysupgrade.bin to OS1 ...     
Rebooting ...

and you are good to go. But, yes, still you have to unlock the serial login by overwriting the bootloader. :man_shrugging:

1 Like