I'll also try to write directly the SPI flash. Just ordered a programmer. But here my experince ends. Wouldn't it possible to write a complete basic image with the right uboot and openwrt with the SPI programmer. Would be really great to have that with the right instructions.
Even with a dumped original image shouldn't it be possible to 'debrick' the router in case of problems?
I think I'm missing that the mac adress is stored in flash. Could that be a problem?
I believe that with the original dump one will always be able to debrick if needed, but this will be my first experiment with a flasher.
Anyway, once you "unlock" the bootloader, by setting it to be possible to interact, from then on you won't need to flash it again using the hardware flasher. From then on, you'll only flash the system partition where your custom ROM (e.g. openwrt) will be. So, unless something unlikely happens to the bootloader, all you'll need to debrick will be to connect to the console via TTL UART and have a TFTP server with your openwrt image at hand. That's trivial if you're comfortable with Linux and have it on your PC (a VM will also do).
And for normal sysupgrades, after the first openwrt install, you'll be able to do it from the web interface.
And just for the record, I was able to connect to the TTL UART without soldering anything. Just place 3 dupont 2.5mm connectors on the little holes (for TX, GND and RX), and as long as they make contact, it does the trick.
Thaks for the trick. I used something similar. Taking a three pin header and bending the central pin a little. The header than clamps itself in the holes. Makes a relatively safe contact. On the pins you can use whatever you want.
Use Roger's repo/branch, and instead of "Default Profile", select "Xiaomi Mi Router 4A Gigabit Edition". Be mindful that the official repo does not have that option (yet). The link to Roger's repo/branch is above on this thread.
The rest of the defaults should be enough for starters, but until I'm able to unlock my router, I can't advise much more.
After building, there should be a sysupgrade image somewhere inside the "bin" subfolder.
Good luck 
Thanks a lot for the quick reply. In the first attempt I didn't download the right version, so there were no menu items for the xiaomi R4A. After downloading the right version everything is ok (therefore deleted the post).
I'm able to generate the image, so far it looks good. Now just waiting for the flash writer.... It will arrive in 4 weeks...
Flashing OpenWrt from the stock firmware's CLI
I rebased my xiaomi-mi-router-4a-1000m-gigabit-edition_wip branch with the current master (as of 24th July 2019), you may want to give it a try. Still I haven't found any way to access the router other than modifying the bootloader and overwriting the SPI flash, though.
Anyway, once you can enter the router using the UART port, on the CLI, this is the simplest way I found to flash OpenWrt:
root@XiaoQiang:/# cd /tmp/
root@XiaoQiang:/tmp# wget http://your_server_address/openwrt-ramips-mt7621-xiaomi_mir4a-gigabit-squashfs-sysupgrade.bin
root@XiaoQiang:/tmp# mtd -e OS1 -r write openwrt-ramips-mt7621-xiaomi_mir4a-gigabit-squashfs-sysupgrade.bin OS1
Unlocking OS1 ...
Erasing OS1 ...
Writing from openwrt-ramips-mt7621-xiaomi_mir4a-gigabit-squashfs-sysupgrade.bin to OS1 ...
Rebooting ...
and you are good to go. But, yes, still you have to unlock the serial login by overwriting the bootloader. 
5 Likes
This is a complete shot in the dark, but on the Phillips Hue bridge we shorted the NOR enable pin to ground, disabling it while uboot was still booting. This halted uboot, and we were able to change the bootdelay and just saveenv. Maybe this trick would work here? (For reference : https://blog.andreibanaru.ro/2018/03/27/philips-hue-2-1-enabling-wifi/ )
That's an interesting idea. But we should know, which pins we should use. Some more background can be found found here:
https://carvesystems.com/news/pin2pwn-how-to-root-an-embedded-linux-box-with-a-sewing-needle/
So we need to interrupt uboot from loading the final image (by disabling the flash after uboot load). An advise for serial flash devices from the page linked above:
- Short between pins 1 (chip select) and 2 (data out)
Since the pins of the flash chip seem to be accessible it would be worth a try. But not this evening for me. Maybe one should look if that are the right pins, not to brick the device completely.
I dug it out for you, bridge Data Out and GND (source: https://forum.archive.openwrt.org/viewtopic.php?id=66346 4nd post by Pepe2k)
You mean pins 2 and 4? Or am I mistaken?
We're playing with generating a hardware failure to force uboot to fall back to console (if it really does?). This in generally can cause other hardware failures.
Be careful. The pins stated in that post were not mentioned in the original post. Always be careful when connecting pins, not to draw too much current and damage a chip.
In general putting a communication pin of the flash to ground should do it. Maybe with a resistor to limit current, but it has to be small enough to pull down the signal at the pin.
I think I'll wait for my flasher to arrive, I won't take the chance to damage the flash chip...
Actually tested the approach. I worked on pin1 and pin2 of the SPI-Flash.
Summary: No success!
My findings:
- You really have to short circuit pin1 and pin 2. Resistor of 380Ohm or higher has no effect during boot.
- I had some success interrupting the boot procedure:
- You can see an effect during the kernel boot with some errore messages, but wasn't able to get to some console of the kernel. Maybe I wasn't patient enough.
- I could stop uboot from loading the image. (corrupted CRC, see logs below) in most casses it results in reboot. In some cases the boot halted, but no interaction possible.
Regarding my link pin2pwnd the developer seems to followed all suggestions:
- Quick boot, so hard to interact.
- Failure handling and not going to some console
- They even rewrite some parts of the flash and know at the next boot, that something happened.
Maybe somone else might be successful. My next try is reading the flash like described above. The box is still working, so I don't want to stress it too much. Router is still living an working, hope that I haven't damaged anything.
Log of initial boot and bad CRC for Linux Kernel:
Config XHCI 40M PLL
RT2880_RSTSTAT_REG 0xXXXX
***************************
Board power on Occurred
***************************
flash manufacture id: XX, device id XX XX
find flash: GD25Q128C
============================================
Ralink UBoot Version: 5.0.0.0
--------------------------------------------
ASIC MT7621A DualCore (MAC to MT7530 Mode)
DRAM_CONF_FROM: Auto-Detection
DRAM_TYPE: DDR3
DRAM bus: 16 bit
Xtal Mode=3 OCP Ratio=1/3
Flash component: SPI Flash
Date:Jan 24 2019 Time:07:46:43
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:256, ways:4, linesz:32 ,total:32768
##### The CPU freq = 880 MHZ ####
estimate memory size =128 Mbytes
#Reset_MT7530
set LAN/WAN LLLLW
restore_defaults:0
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
7: Load Boot Loader code then write to Flash via Serial.
9: Load Boot Loader code then write to Flash via TFTP.
n3: System Boot system code via Flash.
Booting System 1
Erasing SPI Flash...
raspi_erase: offs:30000 len:10000
.
Writing to SPI Flash...
.
done
## Booting image at bc180000 ...
Image Name: MIPS OpenWrt Linux-3.10.14
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 1855537 Bytes = 1.8 MB
Load Address: 81001000
Entry Point: 813ecce0
Verifying Checksum ... Bad Data CRC
Erasing SPI Flash...
raspi_erase: offs:30000 len:10000
.
Writing to SPI Flash...
.
done
Now an automatic reboot:
U-Boot 1.1.3 (Jan 24 2019 - 07:46:43)
Board: Ralink APSoC DRAM: 128 MB
Power on memory test. Memory size= 128 MB...OK!
relocate_code Pointer at: 87fb0000
Config XHCI 40M PLL
RT2880_RSTSTAT_REG 0xc0030004
******************************
Software System Reset Occurred
******************************
...
Sometimes I could couse even more "trouble", which is also handled:
U-Boot 1.1.3 (Jan 24 2019 - 07:46:43)
Board: Ralink APSoC DRAM: 128 MB
Power on memory test. Memory size= 128 MB...OK!
relocate_code Pointer at: 87fb0000
Config XHCI 40M PLL
RT2880_RSTSTAT_REG 0xc0030004
******************************
Software System Reset Occurred
******************************
flash manufacture id: XX, device id XX XX
find flash: GD25Q128C
*** Warning - bad CRC, using default environment
Hi,
I also tested short-circuiting the SPI flash chip to force U-Boot to stop. The device actually halted, not reaching any type of interaction with the bootloader. Basically, the same as @frahe got.
So sad 
My flasher arrived. Used Roger's method, worked like a charm
Only that I compiled the image without Luci... but I can SSH to 192.168.1.1. Oh well, gonna recompile with the stuff I want, configure it my way and do some performance tests. Will post back results.
Thanks Roger!
So far so good, performance wise. Iperf3 (router as server, cable connected gigabit) between 500 to 900 Mbps, averaging 700. Speed tests to a well know site get stuck on my ISP limit (100 Mbps), both with cable and 5g WiFi, and vary between 45 to 50 mbps on 2.4ghz. All as I hoped, so far. Thanks again.
That's great, @araujorm. Thanks for testing it.
Maybe we should open a PR to have it officially support, although the flashing method is quite difficult...
2 Likes
Yes, I think it makes sense. The method is not that hard to apply with a bit of patience.
1 Like
@araujorm
How you config wifi? I got the problem 'Wireless is not associated' in both 2.4 Ghz and 5 Ghz.
1 Like
Via Luci web interface, the usual stuff... Did you include it when compiling? Also ensure you have included or installed the wpad package (I used wpad basic variant). Nothing else comes to mind