Xiaomi r3g bricked - help me

Hi guys. My Xiaomi R3G router was running OpenWrt and suddenly stopped working on Friday. I was using the Breed bootloader. I tried reinstalling the OpenWrt firmware and others(PandoraBox, Padavan) but none would boot. I then reinstalled the stock bootloader and now I think the situation is worse.

I have attached a TTL cable to the board and can see the boot messages(as seen below). But the bootloader will not allow me to interrupt it to enter a selection when booting. It just jumps straight to 'Option 3'. I have tried pressing the reset button while the routers boots but that did not help either. Can you guys offer any advice? How do I get to accept any input from me? Thanks in advance.

===================================================================
                MT7621   stage1 code 10:33:11 (ASIC)
                CPU=50000000 HZ BUS=12500000 HZ
==================================================================
Change MPLL source from XTAL to CR...
do MEMPLL setting..
MEMPLL Config : 0x11100000
3PLL mode + External loopback
=== XTAL-40Mhz === DDR-1200Mhz ===
PLL2 FB_DL: 0xf, 1/0 = 582/442 3D000000
PLL4 FB_DL: 0xf, 1/0 = 635/389 3D000000
PLL3 FB_DL: 0x11, 1/0 = 656/368 45000000
do DDR setting..[00320381]
Apply DDR3 Setting...(use customer AC)
          0    8   16   24   32   40   48   56   64   72   80   88   96  104  112  120
      --------------------------------------------------------------------------------
0000:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0001:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0002:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0003:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0004:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0005:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0006:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0007:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0008:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0009:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
000A:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
000B:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
000C:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
000D:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
000E:|    0    0    0    0    0    0    0    0    0    1    1    1    1    1    1    1
000F:|    0    0    0    0    1    1    1    1    1    1    1    1    1    1    1    0
0010:|    1    1    1    1    1    1    1    1    1    0    0    0    0    0    0    0
0011:|    1    1    1    1    0    0    0    0    0    0    0    0    0    0    0    0
0012:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0013:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0014:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0015:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0016:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0017:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0018:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0019:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001A:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001B:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001C:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001D:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001E:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001F:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
rank 0 coarse = 15
rank 0 fine = 72
B:|    0    0    0    0    0    0    0    0    0    0    1    1    1    0    0    0
opt_dle value:11
DRAMC_R0DELDLY[018]=00001F20
==================================================================
                RX      DQS perbit delay software calibration
==================================================================
1.0-15 bit dq delay value
==================================================================
bit|     0  1  2  3  4  5  6  7  8  9
--------------------------------------
0 |    10 5 8 7 7 7 8 5 4 6
10 |    6 8 7 9 6 8
--------------------------------------

==================================================================
2.dqs window
x=pass dqs delay value (min~max)center
y=0-7bit DQ of every group
input delay:DQS0 =32 DQS1 = 31
==================================================================
bit     DQS0     bit      DQS1
0  (1~62)31  8  (1~58)29
1  (1~58)29  9  (1~61)31
2  (1~61)31  10  (1~61)31
3  (1~58)29  11  (1~57)29
4  (1~61)31  12  (2~60)31
5  (1~63)32  13  (1~60)30
6  (1~61)31  14  (1~62)31
7  (1~60)30  15  (0~60)30
==================================================================
3.dq delay value last
==================================================================
bit|    0  1  2  3  4  5  6  7  8   9
--------------------------------------
0 |    11 8 9 10 8 7 9 7 6 6
10 |    6 10 7 10 6 9
==================================================================
==================================================================
     TX  perbyte calibration
==================================================================
DQS loop = 15, cmp_err_1 = ffff0000
dqs_perbyte_dly.last_dqsdly_pass[0]=15,  finish count=1
dqs_perbyte_dly.last_dqsdly_pass[1]=15,  finish count=2
DQ loop=15, cmp_err_1 = ffff00a2
dqs_perbyte_dly.last_dqdly_pass[1]=15,  finish count=1
DQ loop=14, cmp_err_1 = ffff0000
dqs_perbyte_dly.last_dqdly_pass[0]=14,  finish count=2
byte:0, (DQS,DQ)=(8,8)
byte:1, (DQS,DQ)=(8,8)
20,data:88
[EMI] DRAMC calibration passed

===================================================================
                MT7621   stage1 code done
                CPU=50000000 HZ BUS=12500000 HZ
===================================================================


U-Boot 1.1.3 (Apr 17 2017 - 17:00:02)

Board: Ralink APSoC DRAM:  256 MB
Power on memory test. Memory size= 256 MB...OK!
relocate_code Pointer at: 8ffac000

Config XHCI 40M PLL
Allocate 16 byte aligned buffer: 8ffdffd0
Enable NFI Clock
# MTK NAND # : Use HW ECC
NAND ID [C8 D1 80 95 42]
Device not found, ID: c8d1
Not Support this Device!
chip_mode=00000001
Support this Device in MTK table! c8d1
select_chip
[NAND]select ecc bit:4, sparesize :64 spare_per_sector=16
Signature matched and data read!
load_fact_bbt success 1022
load fact bbt success
[mtk_nand] probe successfully!
mtd->writesize=2048 mtd->oobsize=64,    mtd->erasesize=131072  devinfo.iowidth=8
ranand_read: skip reading a fact bad block 80000 -> a0000
.*** Warning - bad CRC, using default environment

============================================
Ralink UBoot Version: 5.0.0.0
--------------------------------------------
ASIC MT7621A DualCore (MAC to MT7530 Mode)
DRAM_CONF_FROM: Auto-Detection
DRAM_TYPE: DDR3
DRAM bus: 16 bit
Xtal Mode=5 OCP Ratio=1/4
Flash component: NAND Flash
Date:Apr 17 2017  Time:17:00:02
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:256, ways:4, linesz:32 ,total:32768

 ##### The CPU freq = 880 MHZ ####
 estimate memory size =256 Mbytes
#Reset_MT7530
set LAN/WAN LWLLL

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.

Booting System 1
ranand_read: skip reading a fact bad block 80000 -> a0000
..Erasing NAND Flash...
ranand_erase: start:80000, len:20000
ranand_erase: attempt to erase a fact bad block at 0x00080000
.
3: System Boot system code via Flash.
## Booting image at bc200000 ...
   Image Name:   Breed MT7621
   Image Type:   MIPS Linux Standalone Program (uncompressed)
   Data Size:    105350 Bytes = 102.9 kB
   Load Address: a0201000
   Entry Point:  a0201000
..   Verifying Checksum ... OK
OK

Guess, I'm on my own. Thanks anyway, guys.

I do not have much idea but I guess TTL cable I guess a data-sending cable is not making good contact on mainboard

i buy the router. and test but not sure if can make the task... " route xip alsa upnp reciver mpd + airport.. Stable WFI 5g or 3.4g..
i'm out.

Thanks for the reply. I don't think it has anything to do with the connection. Apparently the serial console is disabled in the boot loader. The only other option it seems is to replace the Nand flash memory. Unfortunately, this is not something I can really try at this time. So for all intents and purposes, this router is permanently bricked. It is just dead paper weight now. Why would Xiaomi deliberately disable the console in the bootloader? Shame, shame, shame!

I think on the typical Ralink bootloader you would press '4' at just the right time.

Test your cable unplugged from the router, jump Tx to Rx then you should see what you type. Unplugged it should not loop back what you type.

The cable is fine. Problem is the serial console is disabled in the stock uboot bootloader. I don't know of anyway to enable it.

with the stock bootloader , you just have to download official firmware, rename it to miwifi.bin, unplug mains,plug usb, press reset until i say so, plug mains , keep presing reset until led flashes orange , leave reset button, wait until led is blue. and your router is recovered

Thank you @jesusvallejo. I think your method only works if you still have the "kernel0" partition intact. Mine was replaced with other firmware a long time ago.

i''ve read all the thread, are you sure your tx is working ?? i first flashed openwrt with option 2 connect only tx and gnd , turn on router and press 2 on youi kb while u plug the rx, i had some problems back in that day(it would rx but not tx) with my ftdi ttl and had to use the serial ttl of an arduino by bridging gnd and rst.(if you r asking yourself wich arduino , nodemcu 1)

As a matter of fact, I am actually using an Arduino as my serial controller. I have a standalone 3.3 volt serial adapter which for some reason will not work with the Xiaomi R3G but the Arduino does. But I believe the bootloader on the R3G is restricted, similar to the Xiaomi Mi WiFi R3 as is explained here:

The serial port of the router can be accessed using the TTL pins. A voltage level converter (such as a CP2102 TTL-USB dongle) is required. Writing to the console is disabled in the factory U-Boot. Writing to the console in the factory firmware is only possible during first boot; afterwards it is disabled by the firmware.

To enable writing to the console, you must use the following commands:

nvram set uart_en=1
nvram commit

If I had only known this prior to it bricking, I would have enabled the uart. Maybe someone will find a a way to activate the serial console without replacing the NAND flash.

lol , ive bought last weekend a new r3g , a teensy++ and a tsop45 socket to flash the one i have because i bricked it do to an outage (lmao , never ever before had one) right after deleting the booloader to return to stock from breed, any way if you cant recover it i could upload the nand read for u.

u can check this , it looks like it should be posible
https://openwrt.org/toh/xiaomi/mir3g

Debricking

→ generic.debrick

Using Serial Interface

Use this if failsafe etc fail..

You need

• usb 3.3v to serial adapter

• tftp server (preferably on 192.168.31.100)

• kernel0.bin (https://mega.nz/#!PI0VUKhA!OVoBm8rj6m9mMrpKfRDPzXEldGN8VzG8lLpjoMU9s3A)

• stock firmware (http://bigota.miwifi.com/xiaoqiang/rom/r3g/miwifi_r3g_firmware_c2175_2.25.122.bin) renamed to miwifi.bin on fat32 formatted usb stick

To debrick

1. Access serial console (use 3.3v adapter) and terminal emulator such as putty

2. Flash the kernel0.bin file using option 2 flash using TFTP option in the U-Boot menu. Note: when selecting the boot source (2 for firmware flashing), it may be necessary to not send any line ending.

3. Connect usb stick press reset button and router will flash itself with stock firmware. The progress will be shown in the serial console.

4. You can re-install openwrt as per original procedure

Wow. How unlucky. Would have been interesting to see the outcome of returning to the stock bootloader. I was on Breed myself and then decided to return to stock - and that was the end. As I have already noted, the Debricking method you posted above does not work for me, as the bootloader is restricted and does not accept any input from the serial adapter.

Btw, how are you going remove the NAND chip to re-program it? That looks like a difficult task.

I am going to try to replace the NAND with a 16MB NOR chip(just 8 pins and really cheap). Will try to follow the procedure I saw here on the Russian site 4pda. What do you think?

i saw that 4pda while reseaching a solution , and ive bought nor spi also in case it does not work, the nand in bricked one is already remove succesfully , not that difficult , ive got some soldering skils but not extremly complicated , just being carefull not to overheat , also it is a pretty good quality board , i did it with some solder,flux and a soldering iron,just bridge all pins with a lot of solder , heat up all pins evenly on one side and when the solder is flowing nice a little pull on the chip , carefully and one side should be detached and with the
other side the same a lot of solder on all the pins heat evely and gravity will do the rest, then add some flux to the board to remove any excess solder & the same with the chip, then clean both of them with alcohol and you are done .

also i saw some adapters , called 360, that were in the past used to hack ps3 and xbox360 that didnt require to remove the nand from the board, they were more pricey and having the nand attached can make some trouble so i decide to stick with nand remove.

@jesusvallejo, were you successful in recovering your router. I have 16MB NOR flash and the programmer which I imported from China but I can't find any ROMs for the NOR flash for the R3G. All the links on 4pda seem to be broken. Can you help?

yes i was succesful, but not replacing the nand with a nor , but flashing a dump from a good mir3g flash , https://github.com/jesusvallejo/MIR3G_RECOVERY here ive uploaded anything you need. 4pda method might be cheaper but with the method ive posted youll be factory like.